filters: we can now set allowed and denied files extensions

scripts/sftpgo_api_cli.py

@@ -76,7 +76,8 @@ class SFTPGoApiRequests:
 					status=1, expiration_date=0, allowed_ip=[], denied_ip=[], fs_provider='local', s3_bucket='',
 					s3_region='', s3_access_key='', s3_access_secret='', s3_endpoint='', s3_storage_class='',
 					s3_key_prefix='', gcs_bucket='', gcs_key_prefix='', gcs_storage_class='', gcs_credentials_file='',
-					gcs_automatic_credentials='automatic', denied_login_methods=[], virtual_folders=[]):
+					gcs_automatic_credentials='automatic', denied_login_methods=[], virtual_folders=[],
+					denied_extensions=[], allowed_extensions=[]):
 		user = {'id':user_id, 'username':username, 'uid':uid, 'gid':gid,
 			'max_sessions':max_sessions, 'quota_size':quota_size, 'quota_files':quota_files,
 			'upload_bandwidth':upload_bandwidth, 'download_bandwidth':download_bandwidth,
@@ -94,8 +95,9 @@ class SFTPGoApiRequests:
 			user.update({'permissions':permissions})
 		if virtual_folders:
 			user.update({'virtual_folders':self.buildVirtualFolders(virtual_folders)})
-		if allowed_ip or denied_ip or denied_login_methods:
-			user.update({'filters':self.buildFilters(allowed_ip, denied_ip, denied_login_methods)})
+		if allowed_ip or denied_ip or denied_login_methods or allowed_extensions or denied_extensions:
+			user.update({'filters':self.buildFilters(allowed_ip, denied_ip, denied_login_methods, denied_extensions,
+													allowed_extensions)})
 		user.update({'filesystem':self.buildFsConfig(fs_provider, s3_bucket, s3_region, s3_access_key, s3_access_secret,
 													s3_endpoint, s3_storage_class, s3_key_prefix, gcs_bucket,
 													gcs_key_prefix, gcs_storage_class, gcs_credentials_file,
@@ -133,7 +135,7 @@ class SFTPGoApiRequests:
 					permissions.update({directory:values})
 		return permissions
 
-	def buildFilters(self, allowed_ip, denied_ip, denied_login_methods):
+	def buildFilters(self, allowed_ip, denied_ip, denied_login_methods, denied_extensions, allowed_extensions):
 		filters = {}
 		if allowed_ip:
 			if len(allowed_ip) == 1 and not allowed_ip[0]:
@@ -150,6 +152,54 @@ class SFTPGoApiRequests:
 				filters.update({'denied_login_methods':[]})
 			else:
 				filters.update({'denied_login_methods':denied_login_methods})
+		extensions_filter = []
+		extensions_denied = []
+		extensions_allowed = []
+		if denied_extensions:
+			for e in denied_extensions:
+				if '::' in e:
+					directory = None
+					values = []
+					for value in e.split('::'):
+						if directory is None:
+							directory = value
+						else:
+							values = [v.strip() for v in value.split(',') if v.strip()]
+					if directory:
+						extensions_denied.append({'path':directory, 'denied_extensions':values,
+												'allowed_extensions':[]})
+		if allowed_extensions:
+			for e in allowed_extensions:
+				if '::' in e:
+					directory = None
+					values = []
+					for value in e.split('::'):
+						if directory is None:
+							directory = value
+						else:
+							values = [v.strip() for v in value.split(',') if v.strip()]
+					if directory:
+						extensions_allowed.append({'path':directory, 'allowed_extensions':values,
+												'denied_extensions':[]})
+		if extensions_allowed and extensions_denied:
+			for allowed in extensions_allowed:
+				for denied in extensions_denied:
+					if allowed.get('path') == denied.get('path'):
+						allowed.update({'denied_extensions':denied.get('denied_extensions')})
+				extensions_filter.append(allowed)
+			for denied in extensions_denied:
+				found = False
+				for allowed in extensions_allowed:
+					if allowed.get('path') == denied.get('path'):
+						found = True
+				if not found:
+					extensions_filter.append(denied)
+		elif extensions_allowed:
+			extensions_filter = extensions_allowed
+		elif extensions_denied:
+			extensions_filter = extensions_denied
+		if allowed_extensions or denied_extensions:
+			filters.update({'file_extensions':extensions_filter})
 		return filters
 
 	def buildFsConfig(self, fs_provider, s3_bucket, s3_region, s3_access_key, s3_access_secret, s3_endpoint,
@@ -188,12 +238,13 @@ class SFTPGoApiRequests:
 			subdirs_permissions=[], allowed_ip=[], denied_ip=[], fs_provider='local', s3_bucket='', s3_region='',
 			s3_access_key='', s3_access_secret='', s3_endpoint='', s3_storage_class='', s3_key_prefix='', gcs_bucket='',
 			gcs_key_prefix='', gcs_storage_class='', gcs_credentials_file='', gcs_automatic_credentials='automatic',
-			denied_login_methods=[], virtual_folders=[]):
+			denied_login_methods=[], virtual_folders=[], denied_extensions=[], allowed_extensions=[]):
 		u = self.buildUserObject(0, username, password, public_keys, home_dir, uid, gid, max_sessions,
 			quota_size, quota_files, self.buildPermissions(perms, subdirs_permissions), upload_bandwidth, download_bandwidth,
 			status, expiration_date, allowed_ip, denied_ip, fs_provider, s3_bucket, s3_region, s3_access_key,
 			s3_access_secret, s3_endpoint, s3_storage_class, s3_key_prefix, gcs_bucket, gcs_key_prefix, gcs_storage_class,
-			gcs_credentials_file, gcs_automatic_credentials, denied_login_methods, virtual_folders)
+			gcs_credentials_file, gcs_automatic_credentials, denied_login_methods, virtual_folders, denied_extensions,
+			allowed_extensions)
 		r = requests.post(self.userPath, json=u, auth=self.auth, verify=self.verify)
 		self.printResponse(r)
 
@@ -202,12 +253,14 @@ class SFTPGoApiRequests:
 				expiration_date=0, subdirs_permissions=[], allowed_ip=[], denied_ip=[], fs_provider='local',
 				s3_bucket='', s3_region='', s3_access_key='', s3_access_secret='', s3_endpoint='', s3_storage_class='',
 				s3_key_prefix='', gcs_bucket='', gcs_key_prefix='', gcs_storage_class='', gcs_credentials_file='',
-				gcs_automatic_credentials='automatic', denied_login_methods=[], virtual_folders=[]):
+				gcs_automatic_credentials='automatic', denied_login_methods=[], virtual_folders=[], denied_extensions=[],
+				allowed_extensions=[]):
 		u = self.buildUserObject(user_id, username, password, public_keys, home_dir, uid, gid, max_sessions,
 			quota_size, quota_files, self.buildPermissions(perms, subdirs_permissions), upload_bandwidth, download_bandwidth,
 			status, expiration_date, allowed_ip, denied_ip, fs_provider, s3_bucket, s3_region, s3_access_key,
 			s3_access_secret, s3_endpoint, s3_storage_class, s3_key_prefix, gcs_bucket, gcs_key_prefix, gcs_storage_class,
-			gcs_credentials_file, gcs_automatic_credentials, denied_login_methods, virtual_folders)
+			gcs_credentials_file, gcs_automatic_credentials, denied_login_methods, virtual_folders, denied_extensions,
+			allowed_extensions)
 		r = requests.put(urlparse.urljoin(self.userPath, 'user/' + str(user_id)), json=u, auth=self.auth, verify=self.verify)
 		self.printResponse(r)
 
@@ -466,6 +519,13 @@ def addCommonUserArguments(parser):
 					help='Allowed IP/Mask in CIDR notation. For example "192.168.2.0/24" or "2001:db8::/32". Default: %(default)s')
 	parser.add_argument('-N', '--denied-ip', type=str, nargs='+', default=[],
 					help='Denied IP/Mask in CIDR notation. For example "192.168.2.0/24" or "2001:db8::/32". Default: %(default)s')
+	parser.add_argument('--denied-extensions', type=str, nargs='*', default=[], help='Denied file extensions case insensitive. '
+					+'The format is /dir::ext1,ext2. For example: "/somedir::.jpg,.png" "/otherdir/subdir::.zip,.rar". ' +
+					'You have to set both denied and allowed extensions to update existing values or none to preserve them.' +
+					' If you only set allowed or denied extensions the missing one is assumed to be an empty list. Default: %(default)s')
+	parser.add_argument('--allowed-extensions', type=str, nargs='*', default=[], help='Allowed file extensions case insensitive. '
+					+'The format is /dir::ext1,ext2. For example: "/somedir::.jpg,.png" "/otherdir/subdir::.zip,.rar". ' +
+					'Default: %(default)s')
 	parser.add_argument('--fs', type=str, default='local', choices=['local', 'S3', 'GCS'],
 					help='Filesystem provider. Default: %(default)s')
 	parser.add_argument('--s3-bucket', type=str, default='', help='Default: %(default)s')
@@ -596,7 +656,7 @@ if __name__ == '__main__':
 				args.denied_ip, args.fs, args.s3_bucket, args.s3_region, args.s3_access_key, args.s3_access_secret,
 				args.s3_endpoint, args.s3_storage_class, args.s3_key_prefix, args.gcs_bucket, args.gcs_key_prefix,
 				args.gcs_storage_class, args.gcs_credentials_file, args.gcs_automatic_credentials,
-				args.denied_login_methods, args.virtual_folders)
+				args.denied_login_methods, args.virtual_folders, args.denied_extensions, args.allowed_extensions)
 	elif args.command == 'update-user':
 		api.updateUser(args.id, args.username, args.password, args.public_keys, args.home_dir, args.uid, args.gid,
 					args.max_sessions, args.quota_size, args.quota_files, args.permissions, args.upload_bandwidth,
@@ -605,7 +665,7 @@ if __name__ == '__main__':
 					args.s3_access_key, args.s3_access_secret, args.s3_endpoint, args.s3_storage_class,
 					args.s3_key_prefix, args.gcs_bucket, args.gcs_key_prefix, args.gcs_storage_class,
 					args.gcs_credentials_file, args.gcs_automatic_credentials, args.denied_login_methods,
-					args.virtual_folders)
+					args.virtual_folders, args.denied_extensions, args.allowed_extensions)
 	elif args.command == 'delete-user':
 		api.deleteUser(args.id)
 	elif args.command == 'get-users':