sftpgo_external_auth_hook: refactor

2024-03-14 12:05:57 +00:00 · 2024-03-14 12:05:57 +00:00 · c7c2785ad8
commit c7c2785ad8
parent 4c1a7fc910
1 changed files with 33 additions and 27 deletions
--- a/hosts/by-name/servo/services/export/sftpgo_external_auth_hook
+++ b/hosts/by-name/servo/services/export/sftpgo_external_auth_hook
@ -42,7 +42,25 @@ import os

 authFail = dict(username="")

-def mkAuthOk(username: str) -> dict:
+PERM_RO = [ "list", "download" ]
+PERM_RW = [
+  # read-only:
+  "list",
+  "download",
+  # write:
+  "upload",
+  "overwrite",
+  "delete",
+  "rename",
+  "create_dirs",
+  "create_symlinks",
+  # intentionally omitted:
+  # "chmod",
+  # "chown",
+  # "chtimes",
+]
+
+def mkAuthOk(username: str, permissions: dict[str, list[str]]) -> dict:
  return dict(
    status = 1,
    username = username,
@ -60,25 +78,7 @@ def mkAuthOk(username: str) -> dict:
    # quota_*: 0 means to not use SFTP's quota system
    quota_size = 0,
    quota_files = 0,
-    permissions = {
-      "/": [ "list", "download" ],
-      "/playground": [
-        # read-only:
-        "list",
-        "download",
-        # write:
-        "upload",
-        "overwrite",
-        "delete",
-        "rename",
-        "create_dirs",
-        "create_symlinks",
-        # intentionally omitted:
-        # "chmod",
-        # "chown",
-        # "chtimes",
-      ],
-    },
+    permissions = permissions,
    upload_bandwidth = 0,
    download_bandwidth = 0,
    filters = dict(
@ -100,7 +100,7 @@ def isLan(ip: str) -> bool:
 def isWireguard(ip: str) -> bool:
  return ip.startswith("10.0.10.")

-def getAuthResponse(username: str, ip: str) -> dict:
+def getAuthResponse(ip: str, username: str) -> dict:
  """
  return a sftpgo auth response either denying the user or approving them
  with a set of permissions.
@ -108,17 +108,23 @@ def getAuthResponse(username: str, ip: str) -> dict:
  if isLan(ip):
    if username == "anonymous":
      # allow anonymous users on the LAN
-      return mkAuthOk("anonymous")
+      return mkAuthOk("anonymous", permissions = {
+        "/": PERM_RO,
+        "/playground": PERM_RW,
+      })
  if isWireguard(ip):
-      # allow any user from wireguard
-      return mkAuthOk(username)
+    # allow any user from wireguard
+    return mkAuthOk(username, permissions = {
+      "/": PERM_RW,
+      "/playground": PERM_RW,
+    })

  return authFail

 def main():
-  username = os.environ.get("SFTPGO_AUTHD_USERNAME")
-  ip = os.environ.get("SFTPGO_AUTHD_IP")
-  resp = getAuthResponse(username, ip)
+  ip = os.environ.get("SFTPGO_AUTHD_IP", "")
+  username = os.environ.get("SFTPGO_AUTHD_USERNAME", "")
+  resp = getAuthResponse(ip, username)
  print(json.dumps(resp))

 if __name__ == "__main__":