Merge pull request src-d#214 from camathieu/1.2.1

1.2.1

Author: Charles-Antoine Mathieu

README.md

@@ -173,15 +173,17 @@ Suitable for distributed / High Availability deployment.
 ### Authentication
 
 Plik can authenticate users using Google and/or OVH API. 
-Once authenticated the only call Plik will ever make to those API is get the user ID, name and email. 
+Once authenticated the only call Plik will ever make to those API is to get the user ID, name and email. 
 Plik will never forward any upload data or metadata to any third party.   
 If source IP address restriction is enabled, user accounts can only be created from trusted IPs. But then 
-authenticated users can upload files without source IP restriction.   
+authenticated users can upload files without source IP restriction.
+It is also possible to deny unauthenticated uploads totally.
 
    - **Google** :
       - You'll need to create a new application in the [Google Developper Console](https://console.developers.google.com)
       - You'll be handed a Google API ClientID and a Google API ClientSecret that you'll need to put in the plikd.cfg file.
       - Do not forget to whitelist valid origin and redirect url ( https://yourdomain/auth/google/callback ) for your domain.
+      - It is possible to whitelist only one or more email domains.
 
    - **OVH** :
       - You'll need to create a new application in the OVH API : https://eu.api.ovh.com/createApp/

server/common/config.go

@@ -41,11 +41,14 @@ import (
 
 // Configuration object
 type Configuration struct {
-	LogLevel         string `json:"-"`
-	ListenAddress    string `json:"-"`
-	ListenPort       int    `json:"-"`
-	MaxFileSize      int64  `json:"maxFileSize"`
-	MaxFilePerUpload int    `json:"maxFilePerUpload"`
+	LogLevel string `json:"-"`
+
+	ListenAddress string `json:"-"`
+	ListenPort    int    `json:"-"`
+	Path          string `json:"-"`
+
+	MaxFileSize      int64 `json:"maxFileSize"`
+	MaxFilePerUpload int   `json:"maxFilePerUpload"`
 
 	DefaultTTL int `json:"defaultTTL"`
 	MaxTTL     int `json:"maxTTL"`
@@ -65,13 +68,15 @@ type Configuration struct {
 	SourceIPHeader  string   `json:"-"`
 	UploadWhitelist []string `json:"-"`
 
-	Authentication       bool   `json:"authentication"`
-	GoogleAuthentication bool   `json:"googleAuthentication"`
-	GoogleAPISecret      string `json:"-"`
-	GoogleAPIClientID    string `json:"-"`
-	OvhAuthentication    bool   `json:"ovhAuthentication"`
-	OvhAPIKey            string `json:"-"`
-	OvhAPISecret         string `json:"-"`
+	Authentication       bool     `json:"authentication"`
+	NoAnonymousUploads   bool     `json:"-"`
+	GoogleAuthentication bool     `json:"googleAuthentication"`
+	GoogleAPISecret      string   `json:"-"`
+	GoogleAPIClientID    string   `json:"-"`
+	GoogleValidDomains   []string `json:"-"`
+	OvhAuthentication    bool     `json:"ovhAuthentication"`
+	OvhAPIKey            string   `json:"-"`
+	OvhAPISecret         string   `json:"-"`
 
 	MetadataBackend       string                 `json:"-"`
 	MetadataBackendConfig map[string]interface{} `json:"-"`
@@ -103,8 +108,6 @@ func NewConfiguration() (config *Configuration) {
 	config.DefaultTTL = 2592000 // 30 days
 	config.MaxTTL = 0
 	config.SslEnabled = false
-	config.SslCert = ""
-	config.SslKey = ""
 	config.StreamMode = true
 	return
 }
@@ -114,6 +117,7 @@ func NewConfiguration() (config *Configuration) {
 // override default params
 func LoadConfiguration(file string) {
 	Config = NewConfiguration()
+
 	if _, err := toml.DecodeFile(file, Config); err != nil {
 		Logger().Fatalf("Unable to load config file %s : %s", file, err)
 	}
@@ -125,6 +129,8 @@ func LoadConfiguration(file string) {
 		Logger().SetFlags(logger.Fdate | logger.Flevel | logger.FfixedSizeLevel)
 	}
 
+	Config.Path = strings.TrimSuffix(Config.Path, "/")
+
 	// Do user specified a ApiKey and ApiSecret for Yubikey
 	if Config.YubikeyEnabled {
 		yubiAuth, err := yubigo.NewYubiAuth(Config.YubikeyAPIKey, Config.YubikeyAPISecret)
@@ -165,10 +171,12 @@ func LoadConfiguration(file string) {
 
 	if !Config.GoogleAuthentication && !Config.OvhAuthentication {
 		Config.Authentication = false
+		Config.NoAnonymousUploads = false
 	}
 
 	if Config.MetadataBackend == "file" {
 		Config.Authentication = false
+		Config.NoAnonymousUploads = false
 	}
 
 	if Config.DownloadDomain != "" {

server/common/context.go

@@ -145,10 +145,36 @@ func Fail(ctx *juliet.Context, req *http.Request, resp http.ResponseWriter, mess
 			}
 		}
 		if redirect {
-			http.Redirect(resp, req, fmt.Sprintf("/#!/?err=%s&errcode=%d&uri=%s", message, status, req.RequestURI), 301)
+			http.Redirect(resp, req, fmt.Sprintf("%s/#!/?err=%s&errcode=%d&uri=%s", Config.Path, message, status, req.RequestURI), 301)
 			return
 		}
 	}
 
 	http.Error(resp, NewResult(message, nil).ToJSONString(), status)
 }
+
+// StripPrefix returns a handler that serves HTTP requests
+// removing the given prefix from the request URL's Path
+// It differs from http.StripPrefix by defaulting to "/" and not ""
+func StripPrefix(prefix string, handler http.Handler) http.Handler {
+	if prefix == "" || prefix == "/" {
+		return handler
+	}
+	return http.HandlerFunc(func(resp http.ResponseWriter, req *http.Request) {
+		// Relative paths to javascript, css, ... imports won't work without a tailing slash
+		if req.URL.Path == prefix {
+			http.Redirect(resp, req, prefix+"/", 301)
+			return
+		}
+		if p := strings.TrimPrefix(req.URL.Path, prefix); len(p) < len(req.URL.Path) {
+			req.URL.Path = p
+		} else {
+			http.NotFound(resp, req)
+			return
+		}
+		if !strings.HasPrefix(req.URL.Path, "/") {
+			req.URL.Path = "/" + req.URL.Path
+		}
+		handler.ServeHTTP(resp, req)
+	})
+}

server/handlers/addFile.go

@@ -57,6 +57,16 @@ func AddFile(ctx *juliet.Context, resp http.ResponseWriter, req *http.Request) {
 		return
 	}
 
+	// Check anonymous user uploads
+	if common.Config.NoAnonymousUploads {
+		user := common.GetUser(ctx)
+		if user == nil {
+			log.Warning("Unable to add file from anonymous user")
+			common.Fail(ctx, req, resp, "Unable to add file from anonymous user. Please login or use a cli token.", 403)
+			return
+		}
+	}
+
 	// Check authorization
 	if !upload.IsAdmin {
 		log.Warningf("Unable to add file : unauthorized")

server/handlers/createUpload.go

@@ -47,10 +47,16 @@ func CreateUpload(ctx *juliet.Context, resp http.ResponseWriter, req *http.Reque
 	log := common.GetLogger(ctx)
 
 	user := common.GetUser(ctx)
-	if user == nil && !common.IsWhitelisted(ctx) {
-		log.Warning("Unable to create upload from untrusted source IP address")
-		common.Fail(ctx, req, resp, "Unable to create upload from untrusted source IP address. Please login or use a cli token.", 403)
-		return
+	if user == nil {
+		if common.Config.NoAnonymousUploads {
+			log.Warning("Unable to create upload from anonymous user")
+			common.Fail(ctx, req, resp, "Unable to create upload from anonymous user. Please login or use a cli token.", 403)
+			return
+		} else if !common.IsWhitelisted(ctx) {
+			log.Warning("Unable to create upload from untrusted source IP address")
+			common.Fail(ctx, req, resp, "Unable to create upload from untrusted source IP address. Please login or use a cli token.", 403)
+			return
+		}
 	}
 
 	upload := common.NewUpload()

server/handlers/google.go

@@ -32,6 +32,7 @@ package handlers
 import (
 	"fmt"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/dgrijalva/jwt-go"
@@ -63,7 +64,7 @@ func GoogleLogin(ctx *juliet.Context, resp http.ResponseWriter, req *http.Reques
 	origin := req.Header.Get("referer")
 	if origin == "" {
 		log.Warning("Missing referer header")
-		common.Fail(ctx, req, resp, "Missing referer herader", 400)
+		common.Fail(ctx, req, resp, "Missing referer header", 400)
 		return
 	}
 
@@ -207,6 +208,26 @@ func GoogleCallback(ctx *juliet.Context, resp http.ResponseWriter, req *http.Req
 			user.Login = userInfo.Email
 			user.Name = userInfo.Name
 			user.Email = userInfo.Email
+			components := strings.Split(user.Email, "@")
+
+			// Accepted user domain checking
+			goodDomain := false
+			if len(common.Config.GoogleValidDomains) > 0 {
+				for _, validDomain := range common.Config.GoogleValidDomains {
+					if strings.Compare(components[1], validDomain) == 0 {
+						goodDomain = true
+					}
+				}
+			} else {
+				goodDomain = true
+			}
+
+			if !goodDomain {
+				// User not from accepted google domains list
+				log.Warningf("Unacceptable user domain : %s", components[1])
+				common.Fail(ctx, req, resp, fmt.Sprintf("Authentification error : Unauthorized dommain %s", components[1]), 403)
+				return
+			}
 
 			// Save user to metadata backend
 			err = metadataBackend.GetMetaDataBackend().SaveUser(ctx, user)
@@ -263,5 +284,5 @@ func GoogleCallback(ctx *juliet.Context, resp http.ResponseWriter, req *http.Req
 	xsrfCookie.Path = "/"
 	http.SetCookie(resp, xsrfCookie)
 
-	http.Redirect(resp, req, "/#!/login", 301)
+	http.Redirect(resp, req, common.Config.Path+"/#!/login", 301)
 }

server/handlers/ovh.go

@@ -107,7 +107,7 @@ func OvhLogin(ctx *juliet.Context, resp http.ResponseWriter, req *http.Request)
 	origin := req.Header.Get("referer")
 	if origin == "" {
 		log.Warning("Missing referer header")
-		common.Fail(ctx, req, resp, "Missing referer herader", 400)
+		common.Fail(ctx, req, resp, "Missing referer header", 400)
 		return
 	}
 
@@ -377,5 +377,5 @@ func OvhCallback(ctx *juliet.Context, resp http.ResponseWriter, req *http.Reques
 	xsrfCookie.Path = "/"
 	http.SetCookie(resp, xsrfCookie)
 
-	http.Redirect(resp, req, "/#!/login", 301)
+	http.Redirect(resp, req, common.Config.Path+"/#!/login", 301)
 }

server/plik.go

@@ -97,39 +97,42 @@ func main() {
 	getFileChain := juliet.NewChain(middleware.Upload, middleware.Yubikey, middleware.File)
 
 	// HTTP Api routes configuration
-	r := mux.NewRouter()
-	r.Handle("/config", stdChain.Then(handlers.GetConfiguration)).Methods("GET")
-	r.Handle("/version", stdChain.Then(handlers.GetVersion)).Methods("GET")
-	r.Handle("/upload", tokenChain.Then(handlers.CreateUpload)).Methods("POST")
-	r.Handle("/upload/{uploadID}", authChain.Append(middleware.Upload).Then(handlers.GetUpload)).Methods("GET")
-	r.Handle("/upload/{uploadID}", authChain.Append(middleware.Upload).Then(handlers.RemoveUpload)).Methods("DELETE")
-	r.Handle("/file/{uploadID}", tokenChain.Append(middleware.Upload).Then(handlers.AddFile)).Methods("POST")
-	r.Handle("/file/{uploadID}/{fileID}/{filename}", tokenChain.Append(middleware.Upload, middleware.File).Then(handlers.AddFile)).Methods("POST")
-	r.Handle("/file/{uploadID}/{fileID}/{filename}", authChain.Append(middleware.Upload, middleware.File).Then(handlers.RemoveFile)).Methods("DELETE")
-	r.Handle("/file/{uploadID}/{fileID}/{filename}", authChainWithRedirect.AppendChain(getFileChain).Then(handlers.GetFile)).Methods("HEAD", "GET")
-	r.Handle("/file/{uploadID}/{fileID}/{filename}/yubikey/{yubikey}", authChainWithRedirect.AppendChain(getFileChain).Then(handlers.GetFile)).Methods("HEAD", "GET")
-	r.Handle("/stream/{uploadID}/{fileID}/{filename}", tokenChain.Append(middleware.Upload, middleware.File).Then(handlers.AddFile)).Methods("POST")
-	r.Handle("/stream/{uploadID}/{fileID}/{filename}", authChain.Append(middleware.Upload, middleware.File).Then(handlers.RemoveFile)).Methods("DELETE")
-	r.Handle("/stream/{uploadID}/{fileID}/{filename}", authChainWithRedirect.AppendChain(getFileChain).Then(handlers.GetFile)).Methods("HEAD", "GET")
-	r.Handle("/stream/{uploadID}/{fileID}/{filename}/yubikey/{yubikey}", authChainWithRedirect.AppendChain(getFileChain).Then(handlers.GetFile)).Methods("HEAD", "GET")
-	r.Handle("/archive/{uploadID}/{filename}", authChainWithRedirect.Append(middleware.Upload, middleware.Yubikey).Then(handlers.GetArchive)).Methods("HEAD", "GET")
-	r.Handle("/archive/{uploadID}/{filename}/yubikey/{yubikey}", authChainWithRedirect.Append(middleware.Upload, middleware.Yubikey).Then(handlers.GetArchive)).Methods("HEAD", "GET")
-	r.Handle("/auth/google/login", authChain.Then(handlers.GoogleLogin)).Methods("GET")
-	r.Handle("/auth/google/callback", stdChainWithRedirect.Then(handlers.GoogleCallback)).Methods("GET")
-	r.Handle("/auth/ovh/login", authChain.Then(handlers.OvhLogin)).Methods("GET")
-	r.Handle("/auth/ovh/callback", stdChainWithRedirect.Then(handlers.OvhCallback)).Methods("GET")
-	r.Handle("/auth/logout", authChain.Then(handlers.Logout)).Methods("GET")
-	r.Handle("/me", authChain.Then(handlers.UserInfo)).Methods("GET")
-	r.Handle("/me", authChain.Then(handlers.DeleteAccount)).Methods("DELETE")
-	r.Handle("/me/token", authChain.Then(handlers.CreateToken)).Methods("POST")
-	r.Handle("/me/token/{token}", authChain.Then(handlers.RevokeToken)).Methods("DELETE")
-	r.Handle("/me/uploads", authChain.Then(handlers.GetUserUploads)).Methods("GET")
-	r.Handle("/me/uploads", authChain.Then(handlers.RemoveUserUploads)).Methods("DELETE")
-	r.Handle("/qrcode", stdChain.Then(handlers.GetQrCode)).Methods("GET")
-	r.PathPrefix("/clients/").Handler(http.StripPrefix("/clients/", http.FileServer(http.Dir("../clients"))))
-	r.PathPrefix("/changelog/").Handler(http.StripPrefix("/changelog/", http.FileServer(http.Dir("../changelog"))))
-	r.PathPrefix("/").Handler(http.FileServer(http.Dir("./public/")))
-	http.Handle("/", r)
+	router := mux.NewRouter()
+	router.Handle("/config", stdChain.Then(handlers.GetConfiguration)).Methods("GET")
+	router.Handle("/version", stdChain.Then(handlers.GetVersion)).Methods("GET")
+	router.Handle("/upload", tokenChain.Then(handlers.CreateUpload)).Methods("POST")
+	router.Handle("/upload/{uploadID}", authChain.Append(middleware.Upload).Then(handlers.GetUpload)).Methods("GET")
+	router.Handle("/upload/{uploadID}", authChain.Append(middleware.Upload).Then(handlers.RemoveUpload)).Methods("DELETE")
+	router.Handle("/file/{uploadID}", tokenChain.Append(middleware.Upload).Then(handlers.AddFile)).Methods("POST")
+	router.Handle("/file/{uploadID}/{fileID}/{filename}", tokenChain.Append(middleware.Upload, middleware.File).Then(handlers.AddFile)).Methods("POST")
+	router.Handle("/file/{uploadID}/{fileID}/{filename}", authChain.Append(middleware.Upload, middleware.File).Then(handlers.RemoveFile)).Methods("DELETE")
+	router.Handle("/file/{uploadID}/{fileID}/{filename}", authChainWithRedirect.AppendChain(getFileChain).Then(handlers.GetFile)).Methods("HEAD", "GET")
+	router.Handle("/file/{uploadID}/{fileID}/{filename}/yubikey/{yubikey}", authChainWithRedirect.AppendChain(getFileChain).Then(handlers.GetFile)).Methods("HEAD", "GET")
+	router.Handle("/stream/{uploadID}/{fileID}/{filename}", tokenChain.Append(middleware.Upload, middleware.File).Then(handlers.AddFile)).Methods("POST")
+	router.Handle("/stream/{uploadID}/{fileID}/{filename}", authChain.Append(middleware.Upload, middleware.File).Then(handlers.RemoveFile)).Methods("DELETE")
+	router.Handle("/stream/{uploadID}/{fileID}/{filename}", authChainWithRedirect.AppendChain(getFileChain).Then(handlers.GetFile)).Methods("HEAD", "GET")
+	router.Handle("/stream/{uploadID}/{fileID}/{filename}/yubikey/{yubikey}", authChainWithRedirect.AppendChain(getFileChain).Then(handlers.GetFile)).Methods("HEAD", "GET")
+	router.Handle("/archive/{uploadID}/{filename}", authChainWithRedirect.Append(middleware.Upload, middleware.Yubikey).Then(handlers.GetArchive)).Methods("HEAD", "GET")
+	router.Handle("/archive/{uploadID}/{filename}/yubikey/{yubikey}", authChainWithRedirect.Append(middleware.Upload, middleware.Yubikey).Then(handlers.GetArchive)).Methods("HEAD", "GET")
+	router.Handle("/auth/google/login", authChain.Then(handlers.GoogleLogin)).Methods("GET")
+	router.Handle("/auth/google/callback", stdChainWithRedirect.Then(handlers.GoogleCallback)).Methods("GET")
+	router.Handle("/auth/ovh/login", authChain.Then(handlers.OvhLogin)).Methods("GET")
+	router.Handle("/auth/ovh/callback", stdChainWithRedirect.Then(handlers.OvhCallback)).Methods("GET")
+	router.Handle("/auth/logout", authChain.Then(handlers.Logout)).Methods("GET")
+	router.Handle("/me", authChain.Then(handlers.UserInfo)).Methods("GET")
+	router.Handle("/me", authChain.Then(handlers.DeleteAccount)).Methods("DELETE")
+	router.Handle("/me/token", authChain.Then(handlers.CreateToken)).Methods("POST")
+	router.Handle("/me/token/{token}", authChain.Then(handlers.RevokeToken)).Methods("DELETE")
+	router.Handle("/me/uploads", authChain.Then(handlers.GetUserUploads)).Methods("GET")
+	router.Handle("/me/uploads", authChain.Then(handlers.RemoveUserUploads)).Methods("DELETE")
+	router.Handle("/qrcode", stdChain.Then(handlers.GetQrCode)).Methods("GET")
+	router.PathPrefix("/clients/").Handler(http.StripPrefix("/clients/", http.FileServer(http.Dir("../clients"))))
+	router.PathPrefix("/changelog/").Handler(http.StripPrefix("/changelog/", http.FileServer(http.Dir("../changelog"))))
+	router.PathPrefix("/").Handler(http.FileServer(http.Dir("./public/")))
+
+	handler := common.StripPrefix(common.Config.Path, router)
+
+	http.Handle("/", handler)
 
 	go UploadsCleaningRoutine()
 
@@ -150,10 +153,10 @@ func main() {
 		}
 
 		tlsConfig := &tls.Config{MinVersion: tls.VersionTLS10, Certificates: []tls.Certificate{cert}}
-		server = &http.Server{Addr: address, Handler: r, TLSConfig: tlsConfig}
+		server = &http.Server{Addr: address, Handler: handler, TLSConfig: tlsConfig}
 	} else {
 		proto = "http"
-		server = &http.Server{Addr: address, Handler: r}
+		server = &http.Server{Addr: address, Handler: handler}
 	}
 
 	log.Infof("Starting http server at %s://%s", proto, address)

server/plikd.cfg

@@ -8,8 +8,11 @@
 #
 
 LogLevel            = "INFO"        # Other levels : DEBUG, INFO, WARNING, CRITICAL, FATAL
-ListenPort          = 8080
-ListenAddress       = "0.0.0.0"
+
+ListenPort          = 8080          # Port the HTTP server will listen on
+ListenAddress       = "0.0.0.0"     # Address the HTTP server will bind on
+Path                = "/"           # Root path for the HTTP server
+
 MaxFileSize         = 10737418240   # 10GB
 MaxFilePerUpload    = 1000
 
@@ -29,8 +32,10 @@ SourceIpHeader      = ""            # If behind reverse proxy (expl: X-FORWARDED
 UploadWhitelist     = []            # Restrict upload to one or more ip range
 
 Authentication      = false         # Enable authentication
+NoAnonymousUploads  = false
 GoogleApiClientID   = ""            # Google api client ID
 GoogleApiSecret     = ""            # Google api client secret
+GoogleValidDomains  = []            # List of acceptable email domains for users
 OvhApiKey           = ""            # OVH api application key
 OvhApiSecret	    = ""            # OVH api application secret