cangui/shelfy-v2
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
2952846354
shelfy-v2/main.go
cangui 2952846354 up
2025-08-17 15:39:20 +02:00

286 lines
8.0 KiB
Go
Raw Blame History

package main
import (
"canguidev/shelfy/internal/db"
"canguidev/shelfy/internal/routes"
"canguidev/shelfy/internal/utils"
"crypto/ed25519"
"crypto/rand"
"crypto/rsa"
"crypto/x509"
"encoding/pem"
"fmt"
"io"
"log"
"net"
"os"
"path/filepath"
"strings"
"time"
"github.com/gin-gonic/gin"
"github.com/pkg/sftp"
"golang.org/x/crypto/ssh"
)
// --------- CONFIG À ADAPTER ----------
var (
// Dossier racine SFTP (tu montes déjà ton volume ici dans Docker)
SFTPBaseDir = "upload"
// Identifiants standards (utilisés si IP non autorisée)
LoginUser = "cangui2089"
LoginPass = "GHT30k7!"
// IP(s) autorisées pour connexion SANS mot de passe
AllowedIPs = []string{
"82.65.73.115",
}
)
// -------------------------------------
func loadOrCreateHostKey(path string) (ssh.Signer, error) {
if _, err := os.Stat(path); err == nil {
b, err := os.ReadFile(path)
if err != nil {
return nil, err
}
return ssh.ParsePrivateKey(b)
}
_, priv, err := ed25519.GenerateKey(rand.Reader)
if err != nil {
return nil, err
}
pkcs8, err := x509.MarshalPKCS8PrivateKey(priv)
if err != nil {
return nil, err
}
block := &pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8}
pemBytes := pem.EncodeToMemory(block)
if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
return nil, err
}
return ssh.ParsePrivateKey(pemBytes)
}
func ipAllowed(addr string) bool {
host, _, err := net.SplitHostPort(addr)
if err != nil {
host = addr
}
for _, allow := range AllowedIPs {
if host == allow {
return true
}
}
return false
}
func startSFTPServer(base string) {
// --- helpers locaux pour charger/générer les clés hôte ---
loadOrCreateEd25519 := func(path string) (ssh.Signer, error) {
if _, err := os.Stat(path); err == nil {
b, err := os.ReadFile(path)
if err != nil { return nil, err }
return ssh.ParsePrivateKey(b)
}
_, priv, err := ed25519.GenerateKey(rand.Reader)
if err != nil { return nil, err }
pkcs8, err := x509.MarshalPKCS8PrivateKey(priv)
if err != nil { return nil, err }
pemBytes := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8})
if err := os.WriteFile(path, pemBytes, 0o600); err != nil { return nil, err }
return ssh.ParsePrivateKey(pemBytes)
}
loadOrCreateRSA := func(path string) (ssh.Signer, error) {
if _, err := os.Stat(path); err == nil {
b, err := os.ReadFile(path)
if err != nil { return nil, err }
return ssh.ParsePrivateKey(b)
}
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil { return nil, err }
pkcs1 := x509.MarshalPKCS1PrivateKey(priv)
pemBytes := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: pkcs1})
if err := os.WriteFile(path, pemBytes, 0o600); err != nil { return nil, err }
return ssh.ParsePrivateKey(pemBytes)
}
ipAllowed := func(addr string) bool {
host, _, err := net.SplitHostPort(addr)
if err != nil { host = addr }
for _, allow := range AllowedIPs {
if host == allow { return true }
}
return false
}
// --- vérifications et "ancrage" dans le dossier upload ---
absBase, _ := filepath.Abs(base)
if fi, err := os.Stat(absBase); err != nil || !fi.IsDir() {
log.Fatalf("[SFTP] Le dossier %s est manquant ou invalide: %v", absBase, err)
}
if err := os.Chdir(absBase); err != nil {
log.Fatalf("[SFTP] Chdir(%s): %v", absBase, err)
}
// --- clés hôte : ed25519 (moderne) + RSA (compat) ---
signerED, err := loadOrCreateEd25519("sftp_host_ed25519.pem")
if err != nil { log.Fatalf("[SFTP] Host key ed25519 error: %v", err) }
signerRSA, err := loadOrCreateRSA("sftp_host_rsa.pem")
if err != nil { log.Fatalf("[SFTP] Host key RSA error: %v", err) }
// --- config SSH avec auth IP-allowlist et user/pass ---
cfg := &ssh.ServerConfig{
PasswordCallback: func(meta ssh.ConnMetadata, pass []byte) (*ssh.Permissions, error) {
remote := meta.RemoteAddr().String()
user := meta.User()
// IP autorisée → on accepte même mot de passe vide
if ipAllowed(remote) {
log.Printf("[SFTP] Auth IP-allowlist OK from=%s user=%s (mdp vide accepté)", remote, user)
return nil, nil
}
// Sinon, exige user+pass
if user == LoginUser && string(pass) == LoginPass {
log.Printf("[SFTP] Auth OK from=%s user=%s", remote, user)
return nil, nil
}
log.Printf("[SFTP] Auth FAIL from=%s user=%s", remote, user)
return nil, fmt.Errorf("auth failed")
},
}
cfg.AddHostKey(signerED)
cfg.AddHostKey(signerRSA)
// (option compat avancée) : décommente seulement si un client antique échoue encore
// cfg.Config = ssh.Config{
// KeyExchanges: []string{
// "curve25519-sha256", "curve25519-sha256@libssh.org",
// "diffie-hellman-group14-sha1",
// },
// Ciphers: []string{
// "chacha20-poly1305@openssh.com",
// "aes128-ctr","aes192-ctr","aes256-ctr",
// "aes128-cbc",
// },
// MACs: []string{"hmac-sha2-256","hmac-sha2-512","hmac-sha1"},
// }
// --- listener TCP avec keep-alive agressif ---
ln, err := net.Listen("tcp", ":2222")
if err != nil { log.Fatalf("[SFTP] Listen: %v", err) }
log.Printf("[SFTP] Écoute sur sftp://%s@0.0.0.0:2222 (root=%s)", LoginUser, absBase)
log.Printf("[SFTP] IP sans mot de passe autorisées: %v", AllowedIPs)
for {
nConn, err := ln.Accept()
if err != nil {
log.Printf("[SFTP] Accept err: %v", err)
continue
}
if tc, ok := nConn.(*net.TCPConn); ok {
_ = tc.SetKeepAlive(true)
_ = tc.SetKeepAlivePeriod(15 * time.Second)
}
go func(conn net.Conn) {
sshConn, chans, reqs, err := ssh.NewServerConn(conn, cfg)
if err != nil {
log.Printf("[SFTP] Handshake err: %v", err)
_ = conn.Close()
return
}
log.Printf("[SFTP] Client connecté: %s (%s)", sshConn.RemoteAddr(), sshConn.ClientVersion())
go ssh.DiscardRequests(reqs)
for newCh := range chans {
if newCh.ChannelType() != "session" {
newCh.Reject(ssh.UnknownChannelType, "only session channels are allowed")
continue
}
ch, reqs, err := newCh.Accept()
if err != nil {
log.Printf("[SFTP] Accept channel: %v", err)
continue
}
go func(in <-chan *ssh.Request) {
for req := range in {
switch req.Type {
case "subsystem":
// payload = uint32(len) + "sftp"
if len(req.Payload) >= 4 && string(req.Payload[4:]) == "sftp" {
server, err := sftp.NewServer(ch) // API minimale
if err != nil {
log.Printf("[SFTP] init error: %v", err)
_, _ = ch.Stderr().Write([]byte("sftp init error\n"))
_ = ch.Close()
return
}
_ = req.Reply(true, nil)
if err := server.Serve(); err == io.EOF {
_ = server.Close()
} else if err != nil {
log.Printf("[SFTP] serve error: %v", err)
}
return
}
_ = req.Reply(false, nil)
default:
_ = req.Reply(false, nil)
}
}
}(reqs)
}
}(nConn)
}
}
// ---------- HTTP (Gin) ----------
func startHTTP() {
bd := db.InitDB()
app := gin.Default()
api := app.Group("/api/v1")
routes.AddRoutes(api, bd)
utils.CreateDefaultFolder(bd)
app.Static("/static", "./web")
app.NoRoute(func(c *gin.Context) {
if strings.HasPrefix(c.Request.URL.Path, "/api/") {
c.JSON(404, gin.H{"error": "Not found"})
return
}
c.File("./web/index.html")
})
log.Println("[HTTP] Serveur Gin sur http://0.0.0.0:8080")
_ = app.Run(":8080")
}
func main() {
// SFTP sur 2222 (root = ./upload)
go startSFTPServer(SFTPBaseDir)
// HTTP normal
startHTTP()
}
func loadOrCreateRSAHostKey(path string) (ssh.Signer, error) {
if _, err := os.Stat(path); err == nil {
b, err := os.ReadFile(path)
if err != nil { return nil, err }
return ssh.ParsePrivateKey(b)
}
// Génère une clé RSA 2048
priv, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil { return nil, err }
// Encode en PEM "RSA PRIVATE KEY" (PKCS#1)
pkcs1 := x509.MarshalPKCS1PrivateKey(priv)
pemBytes := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: pkcs1})
if err := os.WriteFile(path, pemBytes, 0o600); err != nil { return nil, err }
return ssh.ParsePrivateKey(pemBytes)
}
Reference in New Issue View Git Blame Copy Permalink