add roles

Fixes #837

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>

Dockerfile.alpine

@@ -35,10 +35,6 @@ RUN apk add --update --no-cache ca-certificates tzdata mailcap
 
 RUN if [ "${INSTALL_OPTIONAL_PACKAGES}" = "true" ]; then apk add --update --no-cache jq git rsync; fi
 
-# set up nsswitch.conf for Go's "netgo" implementation
-# https://github.com/gliderlabs/docker-alpine/issues/367#issuecomment-424546457
-RUN test ! -e /etc/nsswitch.conf && echo 'hosts: files dns' > /etc/nsswitch.conf
-
 RUN mkdir -p /etc/sftpgo /var/lib/sftpgo /usr/share/sftpgo /srv/sftpgo/data /srv/sftpgo/backups
 
 RUN addgroup -g 1000 -S sftpgo && \

README.md

@@ -64,6 +64,7 @@ If you report an invalid issue or ask for step-by-step support, your issue will
 - Per-user authentication methods.
 - [Two-factor authentication](./docs/howto/two-factor-authentication.md) based on time-based one time passwords (RFC 6238) which works with Authy, Google Authenticator and other compatible apps.
 - Simplified user administrations using [groups](./docs/groups.md).
+- [Roles](./docs/roles.md) allow you to create limited administrators who can only create and manage users with their role.
 - Custom authentication via [external programs/HTTP API](./docs/external-auth.md).
 - Web Client and Web Admin user interfaces support [OpenID Connect](https://openid.net/connect/) authentication and so they can be integrated with identity providers such as [Keycloak](https://www.keycloak.org/). You can find more details [here](./docs/oidc.md).
 - [Data At Rest Encryption](./docs/dare.md).
@@ -134,7 +135,7 @@ APT and YUM repositories are [available](./docs/repo.md).
 SFTPGo is also available on some marketplaces:
 
 - [AWS Marketplace](https://aws.amazon.com/marketplace/seller-profile?id=6e849ab8-70a6-47de-9a43-13c3fa849335)
-- [Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/prasselsrl1645470739547.sftpgo_linux)
+- [Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/eliamarzia1667381463185.sftpgo_linux)
 - [Elest.io](https://elest.io/open-source/sftpgo)
 
 Purchasing from there will help keep SFTPGo a long-term sustainable project.

README.zh_CN.md

@@ -125,7 +125,7 @@ SFTPGo 基于 Linux 开发和创建。在每一次提交之后，代码会自动
 
 </details>
 
-SFTPGo 在 [AWS Marketplace](https://aws.amazon.com/marketplace/seller-profile?id=6e849ab8-70a6-47de-9a43-13c3fa849335) 和 [Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/prasselsrl1645470739547.sftpgo_linux) 同样可用，在此付费可以帮助 SFTPGo 成为一个可持续发展的长期项目。
+SFTPGo 在 [AWS Marketplace](https://aws.amazon.com/marketplace/seller-profile?id=6e849ab8-70a6-47de-9a43-13c3fa849335) 和 [Azure Marketplace](https://azuremarketplace.microsoft.com/en-us/marketplace/apps/eliamarzia1667381463185.sftpgo_linux) 同样可用，在此付费可以帮助 SFTPGo 成为一个可持续发展的长期项目。
 
 <details><summary>Windows 包</summary>
 

docker/README.md

@@ -4,12 +4,12 @@ SFTPGo provides an official Docker image, it is available on both [Docker Hub](h
 
 ## Supported tags and respective Dockerfile links
 
-- [v2.4.0, v2.4, v2, latest](https://github.com/drakkan/sftpgo/blob/v2.4.0/Dockerfile)
-- [v2.4.0-plugins, v2.4-plugins, v2-plugins, plugins](https://github.com/drakkan/sftpgo/blob/v2.4.0/Dockerfile)
-- [v2.4.0-alpine, v2.4-alpine, v2-alpine, alpine](https://github.com/drakkan/sftpgo/blob/v2.4.0/Dockerfile.alpine)
-- [v2.4.0-slim, v2.4-slim, v2-slim, slim](https://github.com/drakkan/sftpgo/blob/v2.4.0/Dockerfile)
-- [v2.4.0-alpine-slim, v2.4-alpine-slim, v2-alpine-slim, alpine-slim](https://github.com/drakkan/sftpgo/blob/v2.4.0/Dockerfile.alpine)
-- [v2.4.0-distroless-slim, v2.4-distroless-slim, v2-distroless-slim, distroless-slim](https://github.com/drakkan/sftpgo/blob/v2.4.0/Dockerfile.distroless)
+- [v2.4.1, v2.4, v2, latest](https://github.com/drakkan/sftpgo/blob/v2.4.1/Dockerfile)
+- [v2.4.1-plugins, v2.4-plugins, v2-plugins, plugins](https://github.com/drakkan/sftpgo/blob/v2.4.1/Dockerfile)
+- [v2.4.1-alpine, v2.4-alpine, v2-alpine, alpine](https://github.com/drakkan/sftpgo/blob/v2.4.1/Dockerfile.alpine)
+- [v2.4.1-slim, v2.4-slim, v2-slim, slim](https://github.com/drakkan/sftpgo/blob/v2.4.1/Dockerfile)
+- [v2.4.1-alpine-slim, v2.4-alpine-slim, v2-alpine-slim, alpine-slim](https://github.com/drakkan/sftpgo/blob/v2.4.1/Dockerfile.alpine)
+- [v2.4.1-distroless-slim, v2.4-distroless-slim, v2-distroless-slim, distroless-slim](https://github.com/drakkan/sftpgo/blob/v2.4.1/Dockerfile.distroless)
 - [edge](../Dockerfile)
 - [edge-plugins](../Dockerfile)
 - [edge-alpine](../Dockerfile.alpine)

docs/full-configuration.md

@@ -65,7 +65,7 @@ The configuration file contains the following sections:
     - `hook`, string. Absolute path to the command to execute or HTTP URL to notify.
   - `setstat_mode`, integer. 0 means "normal mode": requests for changing permissions, owner/group and access/modification times are executed. 1 means "ignore mode": requests for changing permissions, owner/group and access/modification times are silently ignored. 2 means "ignore mode if not supported": requests for changing permissions and owner/group are silently ignored for cloud filesystems and executed for local/SFTP filesystem. Requests for changing modification times are always executed for local/SFTP filesystems and are executed for cloud based filesystems if the target is a file and there is a metadata plugin available. A metadata plugin can be found [here](https://github.com/sftpgo/sftpgo-plugin-metadata).
   - `temp_path`, string. Defines the path for temporary files such as those used for atomic uploads or file pipes. If you set this option you must make sure that the defined path exists, is accessible for writing by the user running SFTPGo, and is on the same filesystem as the users home directories otherwise the renaming for atomic uploads will become a copy and therefore may take a long time. The temporary files are not namespaced. The default is generally fine. Leave empty for the default.
-  - `proxy_protocol`, integer. Support for [HAProxy PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). If you are running SFTPGo behind a proxy server such as HAProxy, AWS ELB or NGINX, you can enable the proxy protocol. It provides a convenient way to safely transport connection information such as a client's address across multiple layers of NAT or TCP proxies to get the real client IP address instead of the proxy IP. Both protocol versions 1 and 2 are supported. If the proxy protocol is enabled in SFTPGo then you have to enable the protocol in your proxy configuration too. For example, for HAProxy, add `send-proxy` or `send-proxy-v2` to each server configuration line. The following modes are supported:
+  - `proxy_protocol`, integer. Support for [HAProxy PROXY protocol](https://www.haproxy.org/download/1.8/doc/proxy-protocol.txt). If you are running SFTPGo behind a proxy server such as HAProxy, AWS ELB or NGINX, you can enable the proxy protocol. It provides a convenient way to safely transport connection information such as a client's address across multiple layers of NAT or TCP proxies to get the real client IP address instead of the proxy IP. Both protocol versions 1 and 2 are supported. If the proxy protocol is enabled in SFTPGo then you have to enable the protocol in your proxy configuration too. For example, for HAProxy, add `send-proxy` or `send-proxy-v2` to each server configuration line. The PROXY protocol is supported for SSH/SFTP and FTP/S. The following modes are supported:
     - 0, disabled
     - 1, enabled. If the upstream IP is not allowed to send a proxy header the header be ignored. Using this mode does not mean that we can accept connections with and without the proxy header. We always try to read the proxy header and we ignore it if the upstream IP is not allowed to send a proxy header
     - 2, required. If the upstream IP is not allowed to send a proxy header the connection will be rejected

docs/roles.md

@@ -0,0 +1,13 @@
+# Roles
+
+Roles can be assigned to users and administrators. Admins with a role are limited administrators, they can only view and manage users with their own role and they cannot have the following permissions:
+
+- manage_admins
+- manage_system
+- manage_event_rules
+- manage_roles
+- view_events
+
+Users created by role administrators automatically inherit their role.
+
+Admins without a role are global administrators and can manage all users (with and without a role) and assign a specific role to users.

examples/convertusers/README.md

@@ -47,3 +47,5 @@ python convertusers proftpd.passwd proftpd pro_users.json
 The generated json file can be used as input for the `loaddata` REST API.
 
 Please note that when importing Linux/Unix users the input file is not required: `/etc/passwd` and `/etc/shadow` are automatically parsed. `/etc/shadow` read permission is typically granted to the `root` user only, so you need to execute `convertusers` as `root`.
+
+:warning: SFTPGo does not currently support `yescrypt` hashed passwords.

go.mod

@@ -3,21 +3,21 @@ module github.com/drakkan/sftpgo/v2
 go 1.19
 
 require (
-	cloud.google.com/go/storage v1.27.0
+	cloud.google.com/go/storage v1.28.0
 	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1
 	github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
 	github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387
 	github.com/aws/aws-sdk-go-v2 v1.17.1
-	github.com/aws/aws-sdk-go-v2/config v1.17.10
-	github.com/aws/aws-sdk-go-v2/credentials v1.12.23
+	github.com/aws/aws-sdk-go-v2/config v1.18.0
+	github.com/aws/aws-sdk-go-v2/credentials v1.13.0
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.37
-	github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.21
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.29.1
-	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.4
-	github.com/aws/aws-sdk-go-v2/service/sts v1.17.1
-	github.com/cockroachdb/cockroach-go/v2 v2.2.16
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.39
+	github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.22
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.29.2
+	github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.5
+	github.com/aws/aws-sdk-go-v2/service/sts v1.17.2
+	github.com/cockroachdb/cockroach-go/v2 v2.2.18
 	github.com/coreos/go-oidc/v3 v3.4.0
 	github.com/drakkan/webdav v0.0.0-20221101181759-17ed21f9337b
 	github.com/eikenb/pipeat v0.0.0-20210730190139-06b3e6902001
@@ -25,62 +25,62 @@ require (
 	github.com/fclairamb/go-log v0.4.1
 	github.com/go-acme/lego/v4 v4.9.0
 	github.com/go-chi/chi/v5 v5.0.8-0.20221018120124-e5529d9db4d3
-	github.com/go-chi/jwtauth/v5 v5.0.2
+	github.com/go-chi/jwtauth/v5 v5.1.0
 	github.com/go-chi/render v1.0.2
 	github.com/go-sql-driver/mysql v1.6.0
 	github.com/golang/mock v1.6.0
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510
 	github.com/google/uuid v1.3.0
 	github.com/hashicorp/go-hclog v1.3.1
-	github.com/hashicorp/go-plugin v1.4.5
+	github.com/hashicorp/go-plugin v1.4.6
 	github.com/hashicorp/go-retryablehttp v0.7.1
-	github.com/jackc/pgx/v5 v5.0.4
+	github.com/jackc/pgx/v5 v5.1.0
 	github.com/jlaffaye/ftp v0.0.0-20201112195030-9aae4d151126
 	github.com/klauspost/compress v1.15.12
-	github.com/lestrrat-go/jwx v1.2.25
+	github.com/lestrrat-go/jwx/v2 v2.0.7
 	github.com/lithammer/shortuuid/v3 v3.0.7
 	github.com/mattn/go-sqlite3 v1.14.16
 	github.com/mhale/smtpd v0.8.0
 	github.com/minio/sio v0.3.0
-	github.com/otiai10/copy v1.7.0
+	github.com/otiai10/copy v1.9.0
 	github.com/pires/go-proxyproto v0.6.2
 	github.com/pkg/sftp v1.13.6-0.20221020054726-e4133ab7e9bd
 	github.com/pquerna/otp v1.3.0
-	github.com/prometheus/client_golang v1.13.1
+	github.com/prometheus/client_golang v1.14.0
 	github.com/robfig/cron/v3 v3.0.1
 	github.com/rs/cors v1.8.3-0.20220619195839-da52b0701de5
 	github.com/rs/xid v1.4.0
 	github.com/rs/zerolog v1.28.0
-	github.com/sftpgo/sdk v0.1.3-0.20221105153737-bae9afc6b356
+	github.com/sftpgo/sdk v0.1.3-0.20221116180328-3fc64e926700
 	github.com/shirou/gopsutil/v3 v3.22.10
-	github.com/spf13/afero v1.9.2
+	github.com/spf13/afero v1.9.3
 	github.com/spf13/cobra v1.6.1
-	github.com/spf13/viper v1.13.0
+	github.com/spf13/viper v1.14.0
 	github.com/stretchr/testify v1.8.1
-	github.com/studio-b12/gowebdav v0.0.0-20221102155456-200a600c0272
+	github.com/studio-b12/gowebdav v0.0.0-20221109171924-60ec5ad56012
 	github.com/subosito/gotenv v1.4.1
 	github.com/unrolled/secure v1.13.0
 	github.com/wagslane/go-password-validator v0.3.0
-	github.com/xhit/go-simple-mail/v2 v2.12.0
+	github.com/xhit/go-simple-mail/v2 v2.13.0
 	github.com/yl2chen/cidranger v1.0.3-0.20210928021809-d1cb2c52f37a
 	go.etcd.io/bbolt v1.3.6
 	go.uber.org/automaxprocs v1.5.1
 	gocloud.dev v0.27.0
-	golang.org/x/crypto v0.1.0
-	golang.org/x/net v0.1.0
-	golang.org/x/oauth2 v0.1.0
-	golang.org/x/sys v0.1.0
-	golang.org/x/time v0.1.0
-	google.golang.org/api v0.102.0
+	golang.org/x/crypto v0.2.0
+	golang.org/x/net v0.2.0
+	golang.org/x/oauth2 v0.2.0
+	golang.org/x/sys v0.2.0
+	golang.org/x/time v0.2.0
+	google.golang.org/api v0.103.0
 	gopkg.in/natefinch/lumberjack.v2 v2.0.0
 )
 
 require (
-	cloud.google.com/go v0.105.0 // indirect
+	cloud.google.com/go v0.107.0 // indirect
 	cloud.google.com/go/compute v1.12.1 // indirect
 	cloud.google.com/go/compute/metadata v0.2.1 // indirect
 	cloud.google.com/go/iam v0.7.0 // indirect
-	github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.1 // indirect
+	github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1 // indirect
 	github.com/ajg/form v1.5.1 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.9 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 // indirect
@@ -98,7 +98,7 @@ require (
 	github.com/boombuler/barcode v1.0.1 // indirect
 	github.com/cenkalti/backoff/v4 v4.1.3 // indirect
 	github.com/cespare/xxhash/v2 v2.1.2 // indirect
-	github.com/coreos/go-systemd/v22 v22.4.0 // indirect
+	github.com/coreos/go-systemd/v22 v22.5.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 // indirect
@@ -119,11 +119,11 @@ require (
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20200714003250-2b9c44734f2b // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/klauspost/cpuid/v2 v2.1.2 // indirect
+	github.com/klauspost/cpuid/v2 v2.2.1 // indirect
 	github.com/kr/fs v0.1.0 // indirect
-	github.com/lestrrat-go/backoff/v2 v2.0.8 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.1 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
+	github.com/lestrrat-go/httprc v1.0.4 // indirect
 	github.com/lestrrat-go/iter v1.0.2 // indirect
 	github.com/lestrrat-go/option v1.0.0 // indirect
 	github.com/lib/pq v1.10.7 // indirect
@@ -139,7 +139,6 @@ require (
 	github.com/oklog/run v1.1.0 // indirect
 	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.0.5 // indirect
-	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/power-devops/perfstat v0.0.0-20220216144756-c35f1ee13d7c // indirect
 	github.com/prometheus/client_model v0.3.0 // indirect
@@ -149,17 +148,17 @@ require (
 	github.com/spf13/cast v1.5.0 // indirect
 	github.com/spf13/jwalterweatherman v1.1.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/tklauser/go-sysconf v0.3.10 // indirect
-	github.com/tklauser/numcpus v0.5.0 // indirect
+	github.com/tklauser/go-sysconf v0.3.11 // indirect
+	github.com/tklauser/numcpus v0.6.0 // indirect
 	github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208 // indirect
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/mod v0.6.0 // indirect
+	golang.org/x/mod v0.7.0 // indirect
 	golang.org/x/text v0.4.0 // indirect
-	golang.org/x/tools v0.2.0 // indirect
+	golang.org/x/tools v0.3.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c // indirect
+	google.golang.org/genproto v0.0.0-20221114212237-e4508ebdbee1 // indirect
 	google.golang.org/grpc v1.50.1 // indirect
 	google.golang.org/protobuf v1.28.1 // indirect
 	gopkg.in/ini.v1 v1.67.0 // indirect

go.sum

@@ -36,8 +36,8 @@ cloud.google.com/go v0.100.2/go.mod h1:4Xra9TjzAeYHrl5+oeLlzbM2k3mjVhZh4UqTZ//w9
 cloud.google.com/go v0.102.0/go.mod h1:oWcCzKlqJ5zgHQt9YsaeTY9KzIvjyy0ArmiBUgpQ+nc=
 cloud.google.com/go v0.102.1/go.mod h1:XZ77E9qnTEnrgEOvr4xzfdX5TRo7fB4T2F4O6+34hIU=
 cloud.google.com/go v0.103.0/go.mod h1:vwLx1nqLrzLX/fpwSMOXmFIqBOyHsvHbnAdbGSJ+mKk=
-cloud.google.com/go v0.105.0 h1:DNtEKRBAAzeS4KyIory52wWHuClNaXJ5x1F7xa4q+5Y=
-cloud.google.com/go v0.105.0/go.mod h1:PrLgOJNe5nfE9UMxKxgXj4mD3voiP+YQ6gdt6KMFOKM=
+cloud.google.com/go v0.107.0 h1:qkj22L7bgkl6vIeZDlOY2po43Mx/TIa2Wsa7VR+PEww=
+cloud.google.com/go v0.107.0/go.mod h1:wpc2eNrD7hXUTy8EKS10jkxpZBjASrORK7goS+3YX2I=
 cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o=
 cloud.google.com/go/bigquery v1.3.0/go.mod h1:PjpwJnslEMmckchkHFfq+HTD2DmtT67aNFKH1/VBDHE=
 cloud.google.com/go/bigquery v1.4.0/go.mod h1:S8dzgnTigyfTmLBfrtrhyYhwRxG72rYxvftPBK2Dvzc=
@@ -63,8 +63,8 @@ cloud.google.com/go/iam v0.3.0/go.mod h1:XzJPvDayI+9zsASAFO68Hk07u3z+f+JrT2xXNdp
 cloud.google.com/go/iam v0.7.0 h1:k4MuwOsS7zGJJ+QfZ5vBK8SgHBAvYN/23BWsiihJ1vs=
 cloud.google.com/go/iam v0.7.0/go.mod h1:H5Br8wRaDGNc8XP3keLc4unfUUZeyH3Sfl9XpQEYOeg=
 cloud.google.com/go/kms v1.4.0/go.mod h1:fajBHndQ+6ubNw6Ss2sSd+SWvjL26RNo/dr7uxsnnOA=
-cloud.google.com/go/kms v1.5.0 h1:uc58n3b/n/F2yDMJzHMbXORkJSh3fzO4/+jju6eR7Zg=
-cloud.google.com/go/longrunning v0.1.1 h1:y50CXG4j0+qvEukslYFBCrzaXX0qpFbBzc3PchSu/LE=
+cloud.google.com/go/kms v1.6.0 h1:OWRZzrPmOZUzurjI2FBGtgY2mB1WaJkqhw6oIwSj0Yg=
+cloud.google.com/go/longrunning v0.3.0 h1:NjljC+FYPV3uh5/OwWT6pVU+doBqMg2x/rZlE+CamDs=
 cloud.google.com/go/monitoring v1.1.0/go.mod h1:L81pzz7HKn14QCMaCs6NTQkdBnE87TElyanS95vIcl4=
 cloud.google.com/go/monitoring v1.5.0/go.mod h1:/o9y8NYX5j91JjD/JvGLYbi86kL11OjyJXq2XziLJu4=
 cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I=
@@ -82,8 +82,8 @@ cloud.google.com/go/storage v1.14.0/go.mod h1:GrKmX003DSIwi9o29oFT7YDnHYwZoctc3f
 cloud.google.com/go/storage v1.22.1/go.mod h1:S8N1cAStu7BOeFfE8KAQzmyyLkK8p/vmRq6kuBTW58Y=
 cloud.google.com/go/storage v1.23.0/go.mod h1:vOEEDNFnciUMhBeT6hsJIn3ieU5cFRmzeLgDvXzfIXc=
 cloud.google.com/go/storage v1.24.0/go.mod h1:3xrJEFMXBsQLgxwThyjuD3aYlroL0TMRec1ypGUQ0KE=
-cloud.google.com/go/storage v1.27.0 h1:YOO045NZI9RKfCj1c5A/ZtuuENUc8OAW+gHdGnDgyMQ=
-cloud.google.com/go/storage v1.27.0/go.mod h1:x9DOL8TK/ygDUMieqwfhdpQryTeEkhGKMi80i/iqR2s=
+cloud.google.com/go/storage v1.28.0 h1:DLrIZ6xkeZX6K70fU/boWx5INJumt6f+nwwWSHXzzGY=
+cloud.google.com/go/storage v1.28.0/go.mod h1:qlgZML35PXA3zoEnIkiPLY4/TOkUleufRlu6qmcf7sI=
 cloud.google.com/go/trace v1.0.0/go.mod h1:4iErSByzxkyHWzzlAj63/Gmjz0NH1ASqhJguHpGcr6A=
 cloud.google.com/go/trace v1.2.0/go.mod h1:Wc8y/uYyOhPy12KEnXG9XGrvfMz5F5SrYecQlbW1rwM=
 code.cloudfoundry.org/clock v0.0.0-20180518195852-02e53af36e6c/go.mod h1:QD9Lzhd/ux6eNQVUDVRJX/RKTigpewimNYBi7ivZKY8=
@@ -108,8 +108,8 @@ github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0/go.mod h1:+6sju8gk8FRmSa
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8=
 github.com/Azure/azure-sdk-for-go/sdk/internal v0.7.0/go.mod h1:yqy467j36fJxcRV2TzfVZ1pCb5vxm4BtZPUdYWe/Xo8=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.1 h1:XUNQ4mw+zJmaA2KXzP9JlQiecy1SI+Eog7xVkPiqIbg=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.0.1/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1 h1:Oj853U9kG+RLTCQXpjvOnrv0WaZHxgmZz1TlLywgOPY=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.1/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
 github.com/Azure/azure-sdk-for-go/sdk/messaging/azservicebus v1.0.2/go.mod h1:LH9XQnMr2ZYxQdVdCrzLO9mxeDyrDFa6wbSI3x5zCZk=
 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.4.1/go.mod h1:eZ4g6GUvXiGulfIbbhh1Xr4XwUYaYaWMqzGD/284wCA=
 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1 h1:BMTdr+ib5ljLa9MxTJK8x/Ds0MbBb4MfuW5BL0zMJnI=
@@ -233,17 +233,17 @@ github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.3/go.mod h1:gNsR5CaXK
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.9 h1:RKci2D7tMwpvGpDNZnGQw9wk6v7o/xSwFcUAuNPoB8k=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.9/go.mod h1:vCmV1q1VK8eoQJ5+aYE7PkK1K6v41qJ5pJdK3ggCDvg=
 github.com/aws/aws-sdk-go-v2/config v1.15.15/go.mod h1:A1Lzyy/o21I5/s2FbyX5AevQfSVXpvvIDCoVFD0BC4E=
-github.com/aws/aws-sdk-go-v2/config v1.17.10 h1:zBy5QQ/mkvHElM1rygHPAzuH+sl8nsdSaxSWj0+rpdE=
-github.com/aws/aws-sdk-go-v2/config v1.17.10/go.mod h1:/4np+UiJJKpWHN7Q+LZvqXYgyjgeXm5+lLfDI6TPZao=
+github.com/aws/aws-sdk-go-v2/config v1.18.0 h1:ULASZmfhKR/QE9UeZ7mzYjUzsnIydy/K1YMT6uH1KC0=
+github.com/aws/aws-sdk-go-v2/config v1.18.0/go.mod h1:H13DRX9Nv5tAcQvPABrE3dm5XnLp1RC7fVSM3OWiLvA=
 github.com/aws/aws-sdk-go-v2/credentials v1.12.10/go.mod h1:g5eIM5XRs/OzIIK81QMBl+dAuDyoLN0VYaLP+tBqEOk=
-github.com/aws/aws-sdk-go-v2/credentials v1.12.23 h1:LctvcJMIb8pxvk5hQhChpCu0WlU6oKQmcYb1HA4IZSA=
-github.com/aws/aws-sdk-go-v2/credentials v1.12.23/go.mod h1:0awX9iRr/+UO7OwRQFpV1hNtXxOVuehpjVEzrIAYNcA=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.0 h1:W5f73j1qurASap+jdScUo4aGzSXxaC7wq1i7CiwhvU8=
+github.com/aws/aws-sdk-go-v2/credentials v1.13.0/go.mod h1:prZpUfBu1KZLBLVX482Sq4DpDXGugAre08TPEc21GUg=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.9/go.mod h1:KDCCm4ONIdHtUloDcFvK2+vshZvx4Zmj7UMDfusuz5s=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19 h1:E3PXZSI3F2bzyj6XxUXdTIfvp425HHhwKsFvmzBwHgs=
 github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.19/go.mod h1:VihW95zQpeKQWVPGkwT+2+WJNQV8UXFfMTWdU6VErL8=
 github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.21/go.mod h1:iIYPrQ2rYfZiB/iADYlhj9HHZ9TTi6PqKQPAqygohbE=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.37 h1:e1VtTBo+cLNjres0wTlMkmwCGGRjDEkkrz3frxxcaCs=
-github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.37/go.mod h1:kdAV1UMnCkyG6tZJUC4mHbPoRjPA3dIK0L8mnsHERiM=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.39 h1:Fz/t08vTFdz63ZnlrQBLOMgBCNqdKmMQWE/XjKm1jt4=
+github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.39/go.mod h1:763L1Xloj/mjT0do5k9d0qh0vEAVuomDPn1iOG2AdB4=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.15/go.mod h1:pWrr2OoHlT7M/Pd2y4HV3gJyPb3qj5qMmnPkKSNPYK4=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25 h1:nBO/RFxeq/IS5G9Of+ZrgucRciie2qpLy++3UGZ+q2E=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.25/go.mod h1:Zb29PYkf42vVYQY6pvSyJCJcFHlPIiY+YKdPtwnvMkY=
@@ -269,14 +269,14 @@ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.9/go.mod h1:Rc5+wn2
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.19 h1:piDBAaWkaxkkVV3xJJbTehXCZRXYs49kvpi/LG6LR2o=
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.19/go.mod h1:BmQWRVkLTmyNzYPFAZgon53qKLWBNSvonugD1MrSWUs=
 github.com/aws/aws-sdk-go-v2/service/kms v1.18.1/go.mod h1:4PZMUkc9rXHWGVB5J9vKaZy3D7Nai79ORworQ3ASMiM=
-github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.21 h1:LpIut7TpOhp8RuTD72PBj8ksPy3+RelT3LPwGgQ8+Hg=
-github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.21/go.mod h1:mRGY+k3s1yt7yQA3AfzJhnr68OCs1xDfQfIABFUk+ek=
+github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.22 h1:abXVcIh8pjiuWdPBk8vZYwxO5yZCmRHR8grHf6ZqCdY=
+github.com/aws/aws-sdk-go-v2/service/marketplacemetering v1.13.22/go.mod h1:mRGY+k3s1yt7yQA3AfzJhnr68OCs1xDfQfIABFUk+ek=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.27.2/go.mod h1:u+566cosFI+d+motIz3USXEh6sN8Nq4GrNXSg2RXVMo=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.29.1 h1:/EMdFPW/Ppieh0WUtQf1+qCGNLdsq5UWUyevBQ6vMVc=
-github.com/aws/aws-sdk-go-v2/service/s3 v1.29.1/go.mod h1:/NHbqPRiwxSPVOB2Xr+StDEH+GWV/64WwnUjv4KYzV0=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.29.2 h1:l29X5biLks99HzZzQgC78plJpwiMv/pGNhmaTM2z62A=
+github.com/aws/aws-sdk-go-v2/service/s3 v1.29.2/go.mod h1:/NHbqPRiwxSPVOB2Xr+StDEH+GWV/64WwnUjv4KYzV0=
 github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.15.14/go.mod h1:xakbH8KMsQQKqzX87uyyzTHshc/0/Df8bsTneTS5pFU=
-github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.4 h1:Hx79EGrkKNJya2iz2U5A7nyr7DjOu/TGTRefThfBZ1w=
-github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.4/go.mod h1:k6CPuxyzO247nYEM1baEwHH1kRtosRCvgahAepaaShw=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.5 h1:De+sGzRmk6+/lzKqZXa6RdC1ZVGLPHI1nvjOxw4ooj0=
+github.com/aws/aws-sdk-go-v2/service/secretsmanager v1.16.5/go.mod h1:k6CPuxyzO247nYEM1baEwHH1kRtosRCvgahAepaaShw=
 github.com/aws/aws-sdk-go-v2/service/sns v1.17.10/go.mod h1:uITsRNVMeCB3MkWpXxXw0eDz8pW4TYLzj+eyQtbhSxM=
 github.com/aws/aws-sdk-go-v2/service/sqs v1.19.1/go.mod h1:A94o564Gj+Yn+7QO1eLFeI7UVv3riy/YBFOfICVqFvU=
 github.com/aws/aws-sdk-go-v2/service/ssm v1.27.6/go.mod h1:fiFzQgj4xNOg4/wqmAiPvzgDMXPD+cUEplX/CYn+0j0=
@@ -286,8 +286,8 @@ github.com/aws/aws-sdk-go-v2/service/sso v1.11.25/go.mod h1:IARHuzTXmj1C0KS35vbo
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8 h1:jcw6kKZrtNfBPJkaHrscDOZoe5gvi9wjudnxvozYFJo=
 github.com/aws/aws-sdk-go-v2/service/ssooidc v1.13.8/go.mod h1:er2JHN+kBY6FcMfcBBKNGCT3CarImmdFzishsqBmSRI=
 github.com/aws/aws-sdk-go-v2/service/sts v1.16.10/go.mod h1:cftkHYN6tCDNfkSasAmclSfl4l7cySoay8vz7p/ce0E=
-github.com/aws/aws-sdk-go-v2/service/sts v1.17.1 h1:KRAix/KHvjGODaHAMXnxRk9t0D+4IJVUuS/uwXxngXk=
-github.com/aws/aws-sdk-go-v2/service/sts v1.17.1/go.mod h1:bXcN3koeVYiJcdDU89n3kCYILob7Y34AeLopUbZgLT4=
+github.com/aws/aws-sdk-go-v2/service/sts v1.17.2 h1:tpwEMRdMf2UsplengAOnmSIRdvAxf75oUFR+blBr92I=
+github.com/aws/aws-sdk-go-v2/service/sts v1.17.2/go.mod h1:bXcN3koeVYiJcdDU89n3kCYILob7Y34AeLopUbZgLT4=
 github.com/aws/smithy-go v1.12.0/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
 github.com/aws/smithy-go v1.13.4 h1:/RN2z1txIJWeXeOkzX+Hk/4Uuvv7dWtCjbmVJcrskyk=
 github.com/aws/smithy-go v1.13.4/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
@@ -358,8 +358,8 @@ github.com/cncf/xds/go v0.0.0-20211001041855-01bcc9b48dfe/go.mod h1:eXthEFrGJvWH
 github.com/cncf/xds/go v0.0.0-20211011173535-cb28da3451f1/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cncf/xds/go v0.0.0-20220314180256-7f1daf1720fc/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs=
 github.com/cockroachdb/apd v1.1.0/go.mod h1:8Sl8LxpKi29FqWXR16WEFZRNSz3SoPzUzeMeY4+DwBQ=
-github.com/cockroachdb/cockroach-go/v2 v2.2.16 h1:t9dmZuC9J2W8IDQDSIGXmP+fBuEJSsrGXxWQz4cYqBY=
-github.com/cockroachdb/cockroach-go/v2 v2.2.16/go.mod h1:xZ2VHjUEb/cySv0scXBx7YsBnHtLHkR1+w/w73b5i3M=
+github.com/cockroachdb/cockroach-go/v2 v2.2.18 h1:bRNZWqzRSZesVYFjDAl1jgFb1jhIFIEreWIC2kPbcdY=
+github.com/cockroachdb/cockroach-go/v2 v2.2.18/go.mod h1:mzlIDDBALQfEjv/7DU12fb2AfQ/MUYTlychcMpWp9QI=
 github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8=
 github.com/cockroachdb/datadriven v0.0.0-20200714090401-bf6692d28da5/go.mod h1:h6jFvWxBdQXxjopDMZyH2UVceIRfR84bdzbkoKrsWNo=
 github.com/cockroachdb/errors v1.2.4/go.mod h1:rQD95gz6FARkaKkQXUksEje/d9a6wBJoCr5oaCLELYA=
@@ -480,8 +480,8 @@ github.com/coreos/go-systemd/v22 v22.0.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+
 github.com/coreos/go-systemd/v22 v22.1.0/go.mod h1:xO0FLkIi5MaZafQlIrOotqXZ90ih+1atmu1JpKERPPk=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/go-systemd/v22 v22.3.3-0.20220203105225-a9a7ef127534/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
-github.com/coreos/go-systemd/v22 v22.4.0 h1:y9YHcjnjynCd/DVbg5j9L/33jQM3MxJlbj/zWskzfGU=
-github.com/coreos/go-systemd/v22 v22.4.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
+github.com/coreos/go-systemd/v22 v22.5.0 h1:RrqgGjYQKalulkV8NGVIfkXQf6YYmOyiJKk8iXXhfZs=
+github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/coreos/pkg v0.0.0-20160727233714-3ac0863d7acf/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/coreos/pkg v0.0.0-20180928190104-399ea9e2e55f/go.mod h1:E3G3o1h8I7cfcXa63jLwjI0eiQQMgzzUDFVpN/nH/eA=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
@@ -501,7 +501,6 @@ github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSs
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/decred/dcrd/crypto/blake256 v1.0.0/go.mod h1:sQl2p6Y26YV+ZOcSTP6thNdn47hh8kt6rqSlvmrXFAc=
-github.com/decred/dcrd/dcrec/secp256k1/v4 v4.0.0-20210816181553-5444fa50b93d/go.mod h1:tmAIfUFEirG/Y8jhZ9M+h36obRZAk/1fcSpXwAVlfqE=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0 h1:HbphB4TFFXpv7MNrT52FGrrgVXF1owhMVTHFZIlnvd4=
 github.com/decred/dcrd/dcrec/secp256k1/v4 v4.1.0/go.mod h1:DZGJHZMqrU4JJqFAWUS2UO1+lbSKsdiOoYi9Zzey7Fc=
 github.com/denisenkom/go-mssqldb v0.12.2/go.mod h1:lnIw1mZukFRZDJYQ0Pb833QS2IaC3l5HkEfra2LJ+sk=
@@ -608,11 +607,10 @@ github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwv
 github.com/gin-gonic/gin v1.7.7/go.mod h1:axIBovoeJpVj8S3BwE0uPMTeReE4+AfFtqpqaZ1qq1U=
 github.com/go-acme/lego/v4 v4.9.0 h1:8Hjj44IqRS7cigshMyFQ+0pIZvwgkG/+9A0UnNh7G8A=
 github.com/go-acme/lego/v4 v4.9.0/go.mod h1:g3JRUyWS3L/VObpp4bCxzJftKyf/Wba8QrSSnoiqjg4=
-github.com/go-chi/chi/v5 v5.0.4/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-chi/chi/v5 v5.0.8-0.20221018120124-e5529d9db4d3 h1:qzwVVqrbdP93ZaSHy0yWQRYnig+t+j1OxnVtEs8SFuQ=
 github.com/go-chi/chi/v5 v5.0.8-0.20221018120124-e5529d9db4d3/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
-github.com/go-chi/jwtauth/v5 v5.0.2 h1:CSKtr+b6Jnfy5T27sMaiBPxaVE/bjnjS3ramFQ0526w=
-github.com/go-chi/jwtauth/v5 v5.0.2/go.mod h1:TeA7vmPe3uYThvHw8O8W13HOOpOd4MTgToxL41gZyjs=
+github.com/go-chi/jwtauth/v5 v5.1.0 h1:wJyf2YZ/ohPvNJBwPOzZaQbyzwgMZZceE1m8FOzXLeA=
+github.com/go-chi/jwtauth/v5 v5.1.0/go.mod h1:MA93hc1au3tAQwCKry+fI4LqJ5MIVN4XSsglOo+lSc8=
 github.com/go-chi/render v1.0.2 h1:4ER/udB0+fMWB2Jlf15RV3F4A2FDuYi/9f+lFttR/Lg=
 github.com/go-chi/render v1.0.2/go.mod h1:/gr3hVkmYR0YlEy3LxCuVRFzEu9Ruok+gFqbIofjao0=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
@@ -712,8 +710,6 @@ github.com/gobuffalo/syncx v0.0.0-20190224160051-33c29581e754/go.mod h1:HhnNqWY9
 github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee/go.mod h1:L0fX3K22YWvt/FAX9NnzrNzcI4wNYi9Yku4O0LKYflo=
 github.com/gobwas/pool v0.2.0/go.mod h1:q8bcK0KcYlCgd9e7WYLm9LpyS+YeLd8JVDW6WezmKEw=
 github.com/gobwas/ws v1.0.2/go.mod h1:szmBTxLgaFppYjEmNtny/v3w89xOydFnnZMcgRRu/EM=
-github.com/goccy/go-json v0.7.6/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
-github.com/goccy/go-json v0.9.7/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/goccy/go-json v0.9.11 h1:/pAaQDLHEoCq/5FFmSKBswWmK6H0e8g4159Kc/X/nqk=
 github.com/goccy/go-json v0.9.11/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MGFi0w8I=
 github.com/goccy/go-yaml v1.9.5/go.mod h1:U/jl18uSupI5rdI2jmuCswEA2htH9eXfferR3KfscvA=
@@ -923,8 +919,8 @@ github.com/hashicorp/go-multierror v0.0.0-20161216184304-ed905158d874/go.mod h1:
 github.com/hashicorp/go-multierror v1.0.0/go.mod h1:dHtQlpGsu+cZNNAkkCN/P3hoUDHhCYQXV3UM06sGGrk=
 github.com/hashicorp/go-multierror v1.1.0/go.mod h1:spPvp8C1qA32ftKqdAHm4hHTbPw+vmowP0z+KUhOZdA=
 github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
-github.com/hashicorp/go-plugin v1.4.5 h1:oTE/oQR4eghggRg8VY7PAz3dr++VwDNBGCcOfIvHpBo=
-github.com/hashicorp/go-plugin v1.4.5/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s=
+github.com/hashicorp/go-plugin v1.4.6 h1:MDV3UrKQBM3du3G7MApDGvOsMYy3JQJ4exhSoKBAeVA=
+github.com/hashicorp/go-plugin v1.4.6/go.mod h1:viDMjcLJuDui6pXb8U4HVfb8AamCWhHGUjr2IrTF67s=
 github.com/hashicorp/go-retryablehttp v0.5.3/go.mod h1:9B5zBasrRhHXnJnui7y6sL7es7NDiJgTc6Er0maI1Xs=
 github.com/hashicorp/go-retryablehttp v0.7.1 h1:sUiuQAnLlbvmExtFQs72iFW/HXeUn8Z1aJLQ4LJJbTQ=
 github.com/hashicorp/go-retryablehttp v0.7.1/go.mod h1:vAew36LZh98gCBJNLH42IQ1ER/9wtLZZ8meHqQvEYWY=
@@ -1013,8 +1009,8 @@ github.com/jackc/pgx/v4 v4.0.0-pre1.0.20190824185557-6972a5742186/go.mod h1:X+GQ
 github.com/jackc/pgx/v4 v4.12.1-0.20210724153913-640aa07df17c/go.mod h1:1QD0+tgSXP7iUjYm9C1NxKhny7lq6ee99u/z+IHFcgs=
 github.com/jackc/pgx/v4 v4.16.0/go.mod h1:N0A9sFdWzkw/Jy1lwoiB64F2+ugFZi987zRxcPez/wI=
 github.com/jackc/pgx/v4 v4.16.1/go.mod h1:SIhx0D5hoADaiXZVyv+3gSm3LCIIINTVO0PficsvWGQ=
-github.com/jackc/pgx/v5 v5.0.4 h1:r5O6y84qHX/z/HZV40JBdx2obsHz7/uRj5b+CcYEdeY=
-github.com/jackc/pgx/v5 v5.0.4/go.mod h1:U0ynklHtgg43fue9Ly30w3OCSTDPlXjig9ghrNGaguQ=
+github.com/jackc/pgx/v5 v5.1.0 h1:Z7pLKUb65HK6m18No8GGKT87K34NhIIEHa86rRdjxbU=
+github.com/jackc/pgx/v5 v5.1.0/go.mod h1:Ptn7zmohNsWEsdxRawMzk3gaKma2obW+NWTnKa0S4nk=
 github.com/jackc/puddle v0.0.0-20190413234325-e4ced69a3a2b/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v0.0.0-20190608224051-11cab39313c9/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
 github.com/jackc/puddle v1.1.3/go.mod h1:m4B5Dj62Y0fbyuIc15OsIqK0+JU8nkqQjsgx7dvjSWk=
@@ -1063,8 +1059,9 @@ github.com/klauspost/compress v1.15.1/go.mod h1:/3/Vjq9QcHkK5uEr5lBEmyoZ1iFhe47e
 github.com/klauspost/compress v1.15.12 h1:YClS/PImqYbn+UILDnqxQCZ3RehC9N318SU3kElDUEM=
 github.com/klauspost/compress v1.15.12/go.mod h1:QPwzmACJjUTFsnSHH934V6woptycfrDDJnH7hvFVbGM=
 github.com/klauspost/cpuid/v2 v2.0.4/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
-github.com/klauspost/cpuid/v2 v2.1.2 h1:XhdX4fqAJUA0yj+kUwMavO0hHrSPAecYdYf1ZmxHvak=
 github.com/klauspost/cpuid/v2 v2.1.2/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
+github.com/klauspost/cpuid/v2 v2.2.1 h1:U33DW0aiEj633gHYw3LoDNfkDiYnE5Q8M/TKJn2f2jI=
+github.com/klauspost/cpuid/v2 v2.2.1/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
 github.com/kolo/xmlrpc v0.0.0-20201022064351-38db28db192b/go.mod h1:pcaDhQK0/NJZEvtCO0qQPPropqV0sJOJ6YW7X+9kRwM=
 github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/konsorten/go-windows-terminal-sequences v1.0.2/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
@@ -1087,21 +1084,16 @@ github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LE
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
-github.com/lestrrat-go/backoff/v2 v2.0.8 h1:oNb5E5isby2kiro9AgdHLv5N5tint1AnDVVf2E2un5A=
-github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y=
-github.com/lestrrat-go/blackmagic v1.0.0/go.mod h1:TNgH//0vYSs8VXDCfkZLgIrVTTXQELZffUV0tz3MtdQ=
 github.com/lestrrat-go/blackmagic v1.0.1 h1:lS5Zts+5HIC/8og6cGHb0uCcNCa3OUt1ygh3Qz2Fe80=
 github.com/lestrrat-go/blackmagic v1.0.1/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
-github.com/lestrrat-go/codegen v1.0.1/go.mod h1:JhJw6OQAuPEfVKUCLItpaVLumDGWQznd1VaXrBk9TdM=
-github.com/lestrrat-go/httpcc v1.0.0/go.mod h1:tGS/u00Vh5N6FHNkExqGGNId8e0Big+++0Gf8MBnAvE=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
 github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
-github.com/lestrrat-go/iter v1.0.1/go.mod h1:zIdgO1mRKhn8l9vrZJZz9TUMMFbQbLeTsbqPDrJ/OJc=
+github.com/lestrrat-go/httprc v1.0.4 h1:bAZymwoZQb+Oq8MEbyipag7iSq6YIga8Wj6GOiJGdI8=
+github.com/lestrrat-go/httprc v1.0.4/go.mod h1:mwwz3JMTPBjHUkkDv/IGJ39aALInZLrhBp0X7KGUZlo=
 github.com/lestrrat-go/iter v1.0.2 h1:gMXo1q4c2pHmC3dn8LzRhJfP1ceCbgSiT9lUydIzltI=
 github.com/lestrrat-go/iter v1.0.2/go.mod h1:Momfcq3AnRlRjI5b5O8/G5/BvpzrhoFTZcn06fEOPt4=
-github.com/lestrrat-go/jwx v1.2.6/go.mod h1:tJuGuAI3LC71IicTx82Mz1n3w9woAs2bYJZpkjJQ5aU=
-github.com/lestrrat-go/jwx v1.2.25 h1:tAx93jN2SdPvFn08fHNAhqFJazn5mBBOB8Zli0g0otA=
-github.com/lestrrat-go/jwx v1.2.25/go.mod h1:zoNuZymNl5lgdcu6P7K6ie2QRll5HVfF4xwxBBK1NxY=
+github.com/lestrrat-go/jwx/v2 v2.0.7 h1:vNh7cA5pKS/1muWYpM1GeUHBCf/r1UFxYN60iv7LFRA=
+github.com/lestrrat-go/jwx/v2 v2.0.7/go.mod h1:zLxnyv9rTlEvOUHbc48FAfIL8iYu2hHvIRaTFGc8mT0=
 github.com/lestrrat-go/option v1.0.0 h1:WqAWL8kh8VcSoD6xjSH34/1m8yxluXQbDeKNfvFeEO4=
 github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/lib/pq v1.0.0/go.mod h1:5WUZQaWbwv1U+lTReE5YruASi9Al49XbQIvNi/34Woo=
@@ -1304,13 +1296,13 @@ github.com/openzipkin-contrib/zipkin-go-opentracing v0.4.5/go.mod h1:/wsWhb9smxS
 github.com/openzipkin/zipkin-go v0.1.6/go.mod h1:QgAqvLzwWbR/WpD4A3cGpPtJrZXNIiJc5AZX7/PBEpw=
 github.com/openzipkin/zipkin-go v0.2.1/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
 github.com/openzipkin/zipkin-go v0.2.2/go.mod h1:NaW6tEwdmWMaCDZzg8sh+IBNOxHMPnhQw8ySjnjRyN4=
-github.com/otiai10/copy v1.7.0 h1:hVoPiN+t+7d2nzzwMiDHPSOogsWAStewq3TwU05+clE=
-github.com/otiai10/copy v1.7.0/go.mod h1:rmRl6QPdJj6EiUqXQ/4Nn2lLXoNQjFCQbbNrxgc/t3U=
+github.com/otiai10/copy v1.9.0 h1:7KFNiCgZ91Ru4qW4CWPf/7jqtxLagGRmIxWldPP9VY4=
+github.com/otiai10/copy v1.9.0/go.mod h1:hsfX19wcn0UWIHUQ3/4fHuehhk2UyArQ9dVFAn3FczI=
 github.com/otiai10/curr v0.0.0-20150429015615-9b4961190c95/go.mod h1:9qAhocn7zKJG+0mI8eUu6xqkFDYS2kb2saOteoSB3cE=
 github.com/otiai10/curr v1.0.0/go.mod h1:LskTG5wDwr8Rs+nNQ+1LlxRjAtTZZjtJW4rMXl6j4vs=
 github.com/otiai10/mint v1.3.0/go.mod h1:F5AjcsTsWUqX+Na9fpHb52P8pcRX2CI6A3ctIT91xUo=
-github.com/otiai10/mint v1.3.3 h1:7JgpsBaN0uMkyju4tbYHu0mnM55hNKVYLsXmwr15NQI=
-github.com/otiai10/mint v1.3.3/go.mod h1:/yxELlJQ0ufhjUwhshSj+wFjZ78CnZ48/1wtmBH1OTc=
+github.com/otiai10/mint v1.4.0 h1:umwcf7gbpEwf7WFzqmWwSv0CzbeMsae2u9ZvpP8j2q4=
+github.com/otiai10/mint v1.4.0/go.mod h1:gifjb2MYOoULtKLqUAEILUG/9KONW6f7YsJ6vQLTlFI=
 github.com/pact-foundation/pact-go v1.0.4/go.mod h1:uExwJY4kCzNPcHRj+hCR/HBbOOIwwtUjcrb0b5/5kLM=
 github.com/pascaldekloe/goe v0.0.0-20180627143212-57f6aae5913c/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
 github.com/pascaldekloe/goe v0.1.0/go.mod h1:lzWF7FIEvWOWxwDKqyGYQf6ZUaNfKdP144TG7ZOy1lc=
@@ -1367,8 +1359,8 @@ github.com/prometheus/client_golang v1.7.1/go.mod h1:PY5Wy2awLA44sXw4AOSfFBetzPP
 github.com/prometheus/client_golang v1.11.0/go.mod h1:Z6t4BnS23TR94PD6BsDNk8yVqroYurpAkEiz0P2BEV0=
 github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
 github.com/prometheus/client_golang v1.12.2/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrbd179Rt297l4aS6nDY=
-github.com/prometheus/client_golang v1.13.1 h1:3gMjIY2+/hzmqhtUC/aQNYldJA6DtH3CgQvwS+02K1c=
-github.com/prometheus/client_golang v1.13.1/go.mod h1:vTeo+zgvILHsnnj/39Ou/1fPN5nJFOEMgftOUOmlvYQ=
+github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw=
+github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
 github.com/prometheus/client_model v0.0.0-20171117100541-99fa1f4be8e5/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
 github.com/prometheus/client_model v0.0.0-20190115171406-56726106282f/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
@@ -1453,8 +1445,8 @@ github.com/sean-/seed v0.0.0-20170313163322-e2103e2c3529/go.mod h1:DxrIzT+xaE7yg
 github.com/seccomp/libseccomp-golang v0.9.1/go.mod h1:GbW5+tmTXfcxTToHLXlScSlAvWlF4P2Ca7zGrPiEpWo=
 github.com/seccomp/libseccomp-golang v0.9.2-0.20210429002308-3879420cc921/go.mod h1:JA8cRccbGaA1s33RQf7Y1+q9gHmZX1yB/z9WDN1C6fg=
 github.com/secsy/goftp v0.0.0-20200609142545-aa2de14babf4 h1:PT+ElG/UUFMfqy5HrxJxNzj3QBOf7dZwupeVC+mG1Lo=
-github.com/sftpgo/sdk v0.1.3-0.20221105153737-bae9afc6b356 h1:VwFpy5W/pP0X+082xKU2yu4OAwuk8Qqa8j2ofImJ1bM=
-github.com/sftpgo/sdk v0.1.3-0.20221105153737-bae9afc6b356/go.mod h1:Giy5vj7Gmju0nGlmBNd28DwPo0G0o1nr9XkE+vu3i+o=
+github.com/sftpgo/sdk v0.1.3-0.20221116180328-3fc64e926700 h1:hfUjwmNPMqE9o5oIBxDQZE0FJ8IqlJwVVhATQYwe2Ao=
+github.com/sftpgo/sdk v0.1.3-0.20221116180328-3fc64e926700/go.mod h1:Giy5vj7Gmju0nGlmBNd28DwPo0G0o1nr9XkE+vu3i+o=
 github.com/shirou/gopsutil/v3 v3.22.10 h1:4KMHdfBRYXGF9skjDWiL4RA2N+E8dRdodU/bOZpPoVg=
 github.com/shirou/gopsutil/v3 v3.22.10/go.mod h1:QNza6r4YQoydyCfo6rH0blGfKahgibh4dQmV5xdFkQk=
 github.com/shopspring/decimal v0.0.0-20180709203117-cd690d0c9e24/go.mod h1:M+9NzErvs504Cn4c5DxATwIqPbtswREoFCre64PpcG4=
@@ -1483,8 +1475,8 @@ github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/afero v1.3.3/go.mod h1:5KUK8ByomD5Ti5Artl0RtHeI5pTF7MIDuXL3yY520V4=
 github.com/spf13/afero v1.6.0/go.mod h1:Ai8FlHk4v/PARR026UzYexafAt9roJ7LcLMAmO6Z93I=
-github.com/spf13/afero v1.9.2 h1:j49Hj62F0n+DaZ1dDCvhABaPNSGNkt32oRFxI33IEMw=
-github.com/spf13/afero v1.9.2/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
+github.com/spf13/afero v1.9.3 h1:41FoI0fD7OR7mGcKE/aOiLkGreyf8ifIOQmJANWogMk=
+github.com/spf13/afero v1.9.3/go.mod h1:iUV7ddyEEZPO5gA3zD4fJt6iStLlL+Lg4m2cihcDf8Y=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.3.1/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cast v1.5.0 h1:rj3WzYc11XZaIZMPKmwP96zkFEnnAmV8s6XbB2aY32w=
@@ -1506,8 +1498,8 @@ github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
 github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
 github.com/spf13/viper v1.4.0/go.mod h1:PTJ7Z/lr49W6bUbkmS1V3by4uWynFiR9p7+dSq/yZzE=
 github.com/spf13/viper v1.7.0/go.mod h1:8WkrPz2fc9jxqZNCJI/76HCieCp4Q8HaLFoCha5qpdg=
-github.com/spf13/viper v1.13.0 h1:BWSJ/M+f+3nmdz9bxB+bWX28kkALN2ok11D0rSo8EJU=
-github.com/spf13/viper v1.13.0/go.mod h1:Icm2xNL3/8uyh/wFuB1jI7TiTNKp8632Nwegu+zgdYw=
+github.com/spf13/viper v1.14.0 h1:Rg7d3Lo706X9tHsJMUjdiwMpHB7W8WnSVOssIY+JElU=
+github.com/spf13/viper v1.14.0/go.mod h1:WT//axPky3FdvXHzGw33dNdXXXfFQqmEalje+egj8As=
 github.com/stefanberger/go-pkcs11uri v0.0.0-20201008174630-78d3cae3a980/go.mod h1:AO3tvPzVZ/ayst6UlUKUv6rcPQInYe3IknH3jYhAKu8=
 github.com/stoewer/go-strcase v1.2.0/go.mod h1:IBiWB2sKIp3wVVQ3Y035++gc+knqhUQag1KpM8ahLw8=
 github.com/streadway/amqp v0.0.0-20190404075320-75d898a42a94/go.mod h1:AZpEONHx3DKn8O/DFsRAY58/XVQiIPMTMB1SddzLXVw=
@@ -1532,8 +1524,8 @@ github.com/stretchr/testify v1.7.5/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/studio-b12/gowebdav v0.0.0-20221102155456-200a600c0272 h1:dXbdJSdxf0EnR4SkcsfRNuGCvoEk9lavXbSCFXN2gJc=
-github.com/studio-b12/gowebdav v0.0.0-20221102155456-200a600c0272/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
+github.com/studio-b12/gowebdav v0.0.0-20221109171924-60ec5ad56012 h1:ZC+dlnsjxqrcB68nEFbIEfo4iXsog3Sg8FlXKytAjhY=
+github.com/studio-b12/gowebdav v0.0.0-20221109171924-60ec5ad56012/go.mod h1:bHA7t77X/QFExdeAnDzK6vKM34kEZAcE1OX4MfiwjkE=
 github.com/subosito/gotenv v1.2.0/go.mod h1:N0PQaV/YGNqwC0u51sEeR/aUtSLEXKX9iv69rRypqCw=
 github.com/subosito/gotenv v1.4.1 h1:jyEFiXpy21Wm81FBN71l9VoMMV8H8jG+qIK3GCpY6Qs=
 github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0=
@@ -1543,11 +1535,12 @@ github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG
 github.com/tchap/go-patricia v2.2.6+incompatible/go.mod h1:bmLyhP68RS6kStMGxByiQ23RP/odRBOTVjwp2cDyi6I=
 github.com/tedsuo/ifrit v0.0.0-20180802180643-bea94bb476cc/go.mod h1:eyZnKCc955uh98WQvzOm0dgAeLnf2O0Rz0LPoC5ze+0=
 github.com/tidwall/pretty v1.0.0/go.mod h1:XNkn88O1ChpSDQmQeStsy+sBenx6DDtFZJxhVysOjyk=
-github.com/tklauser/go-sysconf v0.3.10 h1:IJ1AZGZRWbY8T5Vfk04D9WOA5WSejdflXxP03OUqALw=
 github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk=
+github.com/tklauser/go-sysconf v0.3.11 h1:89WgdJhk5SNwJfu+GKyYveZ4IaJ7xAkecBo+KdJV0CM=
+github.com/tklauser/go-sysconf v0.3.11/go.mod h1:GqXfhXY3kiPa0nAXPDIQIWzJbMCB7AmcWpGR8lSZfqI=
 github.com/tklauser/numcpus v0.4.0/go.mod h1:1+UI3pD8NW14VMwdgJNJ1ESk2UnwhAnz5hMwiKKqXCQ=
-github.com/tklauser/numcpus v0.5.0 h1:ooe7gN0fg6myJ0EKoTAf5hebTZrH52px3New/D9iJ+A=
-github.com/tklauser/numcpus v0.5.0/go.mod h1:OGzpTxpcIMNGYQdit2BYL1pvk/dSOaJWjKoflh+RQjo=
+github.com/tklauser/numcpus v0.6.0 h1:kebhY2Qt+3U6RNK7UqpYNA+tJ23IBEGKkB7JQBfDYms=
+github.com/tklauser/numcpus v0.6.0/go.mod h1:FEZLMke0lhOUG6w2JadTzp0a+Nl8PF/GFkQ5UVIcaL4=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20170815181823-89b8d40f7ca8/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20190109142713-0ad062ec5ee5/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
 github.com/tmc/grpc-websocket-proxy v0.0.0-20201229170055-e5319fda7802/go.mod h1:ncp9v5uamzpCO7NfCPTXjqaC+bZgJeR0sMTm6dMHP7U=
@@ -1583,8 +1576,8 @@ github.com/xdg-go/stringprep v1.0.2/go.mod h1:8F9zXuvzgwmyT5DUm4GUfZGDdT3W+LCvS6
 github.com/xeipuuv/gojsonpointer v0.0.0-20180127040702-4e3ac2762d5f/go.mod h1:N2zxlSyiKSe5eX1tZViRH5QA0qijqEDrYZiPEAiq3wU=
 github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415/go.mod h1:GwrjFmJcFw6At/Gs6z4yjiIwzuJ1/+UwLxMQDVQXShQ=
 github.com/xeipuuv/gojsonschema v0.0.0-20180618132009-1d523034197f/go.mod h1:5yf86TLmAcydyeJq5YvxkGPE2fm/u4myDekKRoLuqhs=
-github.com/xhit/go-simple-mail/v2 v2.12.0 h1:KweA6NO8Z6fZyeckMPNpvElU6QDIyBShlpce1sYUZgg=
-github.com/xhit/go-simple-mail/v2 v2.12.0/go.mod h1:b7P5ygho6SYE+VIqpxA6QkYfv4teeyG4MKqB3utRu98=
+github.com/xhit/go-simple-mail/v2 v2.13.0 h1:OANWU9jHZrVfBkNkvLf8Ww0fexwpQVF/v/5f96fFTLI=
+github.com/xhit/go-simple-mail/v2 v2.13.0/go.mod h1:b7P5ygho6SYE+VIqpxA6QkYfv4teeyG4MKqB3utRu98=
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xlab/treeprint v1.1.0/go.mod h1:gj5Gd3gPdKtR1ikdDK6fnFLdmIS0X30kTTuNd/WEJu0=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
@@ -1741,8 +1734,8 @@ golang.org/x/mod v0.5.0/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.5.1/go.mod h1:5OXOZSfqPIIbmVBIIKWRFfZjPR0E5r58TLhUjH0a2Ro=
 golang.org/x/mod v0.6.0-dev.0.20220106191415-9b9b3d81d5e3/go.mod h1:3p9vT2HGsQu2K1YbXdKPJLVgG5VJdoTa1poYQBtP1AY=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
-golang.org/x/mod v0.6.0 h1:b9gGHsz9/HhJ3HF5DHQytPpuwocVTChQJK3AvoLRD5I=
-golang.org/x/mod v0.6.0/go.mod h1:4mET923SAdbXp2ki8ey+zGs1SLqsuM2Y0uvdZR/fUNI=
+golang.org/x/mod v0.7.0 h1:LapD9S96VoQRhi/GrNTqeBJFrUjs5UHCAtTlgwA5oZA=
+golang.org/x/mod v0.7.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
 golang.org/x/net v0.0.0-20180906233101-161cd47e91fd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
@@ -1819,8 +1812,9 @@ golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
 golang.org/x/net v0.0.0-20220802222814-0bcc04d9c69b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
 golang.org/x/net v0.0.0-20220826154423-83b083e8dc8b/go.mod h1:YDH+HFinaLZZlnHAfSS6ZXJJ9M9t4Dl22yv3iI2vPwk=
-golang.org/x/net v0.1.0 h1:hZ/3BUoy5aId7sCpA/Tc5lt8DkFgdVS2onTpJsZ/fl0=
 golang.org/x/net v0.1.0/go.mod h1:Cx3nUiGt4eDBEyega/BKRp+/AlGL8hYe7U9odMt2Cco=
+golang.org/x/net v0.2.0 h1:sZfSu1wtKLGlWI4ZZayP0ck9Y73K1ynO6gqzTdBVdPU=
+golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
@@ -1847,8 +1841,8 @@ golang.org/x/oauth2 v0.0.0-20220622183110-fd043fe589d2/go.mod h1:jaDAt6Dkxork7Lm
 golang.org/x/oauth2 v0.0.0-20220628200809-02e64fa58f26/go.mod h1:jaDAt6Dkxork7LmZnYtzbRWj0W47D86a3TGe0YHBvmE=
 golang.org/x/oauth2 v0.0.0-20220722155238-128564f6959c/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
 golang.org/x/oauth2 v0.0.0-20220822191816-0ebed06d0094/go.mod h1:h4gKUeWbJ4rQPri7E0u6Gs4e9Ri2zaLxzw5DI5XGrYg=
-golang.org/x/oauth2 v0.1.0 h1:isLCZuhj4v+tYv7eskaN4v/TM+A1begWWgyVJDdl1+Y=
-golang.org/x/oauth2 v0.1.0/go.mod h1:G9FE4dLTsbXUu90h/Pf85g4w1D+SSAgR+q46nJZ8M4A=
+golang.org/x/oauth2 v0.2.0 h1:GtQkldQ9m7yvzCL1V+LrYow3Khe0eJH0w7RbX/VbaIU=
+golang.org/x/oauth2 v0.2.0/go.mod h1:Cwn6afJ8jrQwYMxQDTpISoXmXW9I6qF6vDeuuoX3Ibs=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -2004,19 +1998,21 @@ golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220627191245-f75cf1eec38b/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220731174439-a90be440212d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
 golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.2.0 h1:ljd4t30dBnAvMZaQCevtY0xLLD0A+bRZXbgLMLU1F/A=
+golang.org/x/sys v0.2.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210220032956-6a3ed077a48d/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210615171337-6886f2dfbf5b/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.1.0 h1:g6Z6vPFA9dYBAF7DWcH6sCcOntplXsDKcliusYijMlw=
 golang.org/x/term v0.1.0/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
+golang.org/x/term v0.2.0 h1:z85xZCsEl7bi/KwbNADeBYoOP0++7W1ipu+aGnpwzRM=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
@@ -2040,8 +2036,8 @@ golang.org/x/time v0.0.0-20220210224613-90d013bbcef8/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.0.0-20220224211638-0e9765cccd65/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20220609170525-579cf78fd858/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20220722155302-e5dcc9cfc0b9/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
-golang.org/x/time v0.1.0 h1:xYY+Bajn2a7VBmTM5GikTmnK8ZuX8YgnQCqZpbBNtmA=
-golang.org/x/time v0.1.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
+golang.org/x/time v0.2.0 h1:52I/1L54xyEQAYdtcSuxtiT84KGYTBGXwayxmIpNJhE=
+golang.org/x/time v0.2.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180221164845-07fd8470d635/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180828015842-6cd1fcedba52/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -2108,7 +2104,6 @@ golang.org/x/tools v0.0.0-20200804011535-6c149bb5ef0d/go.mod h1:njjCfa9FT2d7l9Bc
 golang.org/x/tools v0.0.0-20200825202427-b303f430e36d/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA=
 golang.org/x/tools v0.0.0-20200904185747-39188db58858/go.mod h1:Cj7w3i3Rnn0Xh82ur9kSqwfTHTeVxaDqrfMjpcNT6bE=
 golang.org/x/tools v0.0.0-20200916195026-c9a70fc28ce3/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
-golang.org/x/tools v0.0.0-20200918232735-d647fc253266/go.mod h1:z6u4i615ZeAfBE4XtMziQW1fSVJXACjjbWkB/mvPzlU=
 golang.org/x/tools v0.0.0-20201110124207-079ba7bd75cd/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201201161351-ac6f37ff4c2a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20201208233053-a543418bbed2/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
@@ -2116,7 +2111,6 @@ golang.org/x/tools v0.0.0-20201224043029-2b0845dc783e/go.mod h1:emZCQorbCU4vsT4f
 golang.org/x/tools v0.0.0-20210105154028-b0ab187a4818/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
-golang.org/x/tools v0.0.0-20210114065538-d78b04bdf963/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.2/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
@@ -2128,8 +2122,8 @@ golang.org/x/tools v0.1.9/go.mod h1:nABZi5QlRsZVlzPpHl034qft6wpY4eDcsTt5AaioBiU=
 golang.org/x/tools v0.1.10/go.mod h1:Uh6Zz+xoGYZom868N8YTex3t7RhtHDBrE8Gzo9bV56E=
 golang.org/x/tools v0.1.11/go.mod h1:SgwaegtQh8clINPpECJMqnxLv9I09HLqnW3RMqW0CA4=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
-golang.org/x/tools v0.2.0 h1:G6AHpWxTMGY1KyEYoAQ5WTtIekUUvDNjan3ugu60JvE=
-golang.org/x/tools v0.2.0/go.mod h1:y4OqIKeOV/fWJetJ8bXPU1sEVniLMIyDAZWeHdV+NTA=
+golang.org/x/tools v0.3.0 h1:SrNbZl6ECOS1qFzgTdQfWXZM9XBkiA6tkFrH9YSTPHM=
+golang.org/x/tools v0.3.0/go.mod h1:/rWhSS2+zyEVwoJf8YAX6L2f0ntZ7Kn/mGgAWcipA5k=
 golang.org/x/xerrors v0.0.0-20190410155217-1f06c39b4373/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190513163551-3ee3066db522/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
@@ -2189,8 +2183,8 @@ google.golang.org/api v0.85.0/go.mod h1:AqZf8Ep9uZ2pyTvgL+x0D3Zt0eoT9b5E8fmzfu6F
 google.golang.org/api v0.86.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
 google.golang.org/api v0.90.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
 google.golang.org/api v0.91.0/go.mod h1:+Sem1dnrKlrXMR/X0bPnMWyluQe4RsNoYfmNLhOIkzw=
-google.golang.org/api v0.102.0 h1:JxJl2qQ85fRMPNvlZY/enexbxpCjLwGhZUtgfGeQ51I=
-google.golang.org/api v0.102.0/go.mod h1:3VFl6/fzoA+qNuS1N1/VfXY4LjoXN/wzeIp7TweWwGo=
+google.golang.org/api v0.103.0 h1:9yuVqlu2JCvcLg9p8S3fcFLZij8EPSyvODIY1rkMizQ=
+google.golang.org/api v0.103.0/go.mod h1:hGtW6nK1AC+d9si/UBhw8Xli+QMOf6xyNAyJw4qU9w0=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.2.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
@@ -2301,8 +2295,8 @@ google.golang.org/genproto v0.0.0-20220617124728-180714bec0ad/go.mod h1:KEWEmljW
 google.golang.org/genproto v0.0.0-20220624142145-8cd45d7dbd1f/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/genproto v0.0.0-20220628213854-d9e0b6570c03/go.mod h1:KEWEmljWE5zPzLBa/oHl6DaEt9LmfH6WtH1OHIvleBA=
 google.golang.org/genproto v0.0.0-20220802133213-ce4fa296bf78/go.mod h1:iHe1svFLAZg9VWz891+QbRMwUv9O/1Ww+/mngYeThbc=
-google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c h1:QgY/XxIAIeccR+Ca/rDdKubLIU9rcJ3xfy1DC/Wd2Oo=
-google.golang.org/genproto v0.0.0-20221027153422-115e99e71e1c/go.mod h1:CGI5F/G+E5bKwmfYo09AXuVN4dD894kIKUFmVbP2/Fo=
+google.golang.org/genproto v0.0.0-20221114212237-e4508ebdbee1 h1:jCw9YRd2s40X9Vxi4zKsPRvSPlHWNqadVkpbMsCPzPQ=
+google.golang.org/genproto v0.0.0-20221114212237-e4508ebdbee1/go.mod h1:rZS5c/ZVYMaOGBfO68GWtjOw/eLaZM1X6iVtgjZ+EWg=
 google.golang.org/grpc v0.0.0-20160317175043-d3ddb4469d5a/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.17.0/go.mod h1:6QZJwpn2B+Zp71q/5VxRsJ6NXXVCE5NRUHRo+f3cWCs=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=

internal/cmd/initprovider.go

@@ -65,6 +65,12 @@ Please take a look at the usage below to customize the options.`,
 				logger.ErrorToConsole("Unable to initialize KMS: %v", err)
 				os.Exit(1)
 			}
+			mfaConfig := config.GetMFAConfig()
+			err = mfaConfig.Initialize()
+			if err != nil {
+				logger.ErrorToConsole("Unable to initialize MFA: %v", err)
+				os.Exit(1)
+			}
 			providerConf := config.GetProviderConf()
 			// ignore actions
 			providerConf.Actions.Hook = ""

internal/cmd/resetprovider.go

@@ -56,7 +56,7 @@ Please take a look at the usage below to customize the options.`,
 			}
 			providerConf := config.GetProviderConf()
 			if !resetProviderForce {
-				logger.WarnToConsole("You are about to delete all the SFTPGo data for provider %#v, config file: %#v",
+				logger.WarnToConsole("You are about to delete all the SFTPGo data for provider %q, config file: %q",
 					providerConf.Driver, viper.ConfigFileUsed())
 				logger.WarnToConsole("Are you sure? (Y/n)")
 				reader := bufio.NewReader(os.Stdin)
@@ -70,7 +70,7 @@ Please take a look at the usage below to customize the options.`,
 					os.Exit(1)
 				}
 			}
-			logger.InfoToConsole("Resetting provider: %#v, config file: %#v", providerConf.Driver, viper.ConfigFileUsed())
+			logger.InfoToConsole("Resetting provider: %q, config file: %q", providerConf.Driver, viper.ConfigFileUsed())
 			err = dataprovider.ResetDatabase(providerConf, configDir)
 			if err != nil {
 				logger.WarnToConsole("Error resetting provider: %v", err)

internal/cmd/revertprovider.go

@@ -40,8 +40,8 @@ Please take a look at the usage below to customize the options.`,
 		Run: func(_ *cobra.Command, _ []string) {
 			logger.DisableLogger()
 			logger.EnableConsoleLogger(zerolog.DebugLevel)
-			if revertProviderTargetVersion != 19 {
-				logger.WarnToConsole("Unsupported target version, 19 is the only supported one")
+			if revertProviderTargetVersion != 23 {
+				logger.WarnToConsole("Unsupported target version, 23 is the only supported one")
 				os.Exit(1)
 			}
 			configDir = util.CleanDirInput(configDir)
@@ -57,7 +57,7 @@ Please take a look at the usage below to customize the options.`,
 				os.Exit(1)
 			}
 			providerConf := config.GetProviderConf()
-			logger.InfoToConsole("Reverting provider: %#v config file: %#v target version %v", providerConf.Driver,
+			logger.InfoToConsole("Reverting provider: %q config file: %q target version %d", providerConf.Driver,
 				viper.ConfigFileUsed(), revertProviderTargetVersion)
 			err = dataprovider.RevertDatabase(providerConf, configDir, revertProviderTargetVersion)
 			if err != nil {
@@ -71,7 +71,7 @@ Please take a look at the usage below to customize the options.`,
 
 func init() {
 	addConfigFlags(revertProviderCmd)
-	revertProviderCmd.Flags().IntVar(&revertProviderTargetVersion, "to-version", 19, `19 means the version supported in v2.3.x`)
+	revertProviderCmd.Flags().IntVar(&revertProviderTargetVersion, "to-version", 23, `23 means the version supported in v2.4.x`)
 
 	rootCmd.AddCommand(revertProviderCmd)
 }

internal/cmd/startsubsys.go

@@ -137,7 +137,7 @@ Command-line flags should be specified in the Subsystem declaration.
 				logger.Error(logSender, connectionID, "unable to initialize commands configuration: %v", err)
 				os.Exit(1)
 			}
-			user, err := dataprovider.UserExists(username)
+			user, err := dataprovider.UserExists(username, "")
 			if err == nil {
 				if user.HomeDir != filepath.Clean(homedir) && !preserveHomeDir {
 					// update the user

internal/common/common.go

@@ -417,6 +417,7 @@ type ActiveTransfer interface {
 type ActiveConnection interface {
 	GetID() string
 	GetUsername() string
+	GetRole() string
 	GetMaxSessions() int
 	GetLocalAddress() string
 	GetRemoteAddress() string
@@ -945,7 +946,7 @@ func (conns *ActiveConnections) Remove(connectionID string) {
 
 // Close closes an active connection.
 // It returns true on success
-func (conns *ActiveConnections) Close(connectionID string) bool {
+func (conns *ActiveConnections) Close(connectionID, role string) bool {
 	conns.RLock()
 
 	var result bool
@@ -953,11 +954,13 @@ func (conns *ActiveConnections) Close(connectionID string) bool {
 	if idx, ok := conns.mapping[connectionID]; ok {
 		c := conns.connections[idx]
 
-		defer func(conn ActiveConnection) {
-			err := conn.Disconnect()
-			logger.Debug(conn.GetProtocol(), conn.GetID(), "close connection requested, close err: %v", err)
-		}(c)
-		result = true
+		if role == "" || c.GetRole() == role {
+			defer func(conn ActiveConnection) {
+				err := conn.Disconnect()
+				logger.Debug(conn.GetProtocol(), conn.GetID(), "close connection requested, close err: %v", err)
+			}(c)
+			result = true
+		}
 	}
 
 	conns.RUnlock()
@@ -1161,26 +1164,28 @@ func (conns *ActiveConnections) IsNewConnectionAllowed(ipAddr string) error {
 }
 
 // GetStats returns stats for active connections
-func (conns *ActiveConnections) GetStats() []ConnectionStatus {
+func (conns *ActiveConnections) GetStats(role string) []ConnectionStatus {
 	conns.RLock()
 	defer conns.RUnlock()
 
 	stats := make([]ConnectionStatus, 0, len(conns.connections))
 	node := dataprovider.GetNodeName()
 	for _, c := range conns.connections {
-		stat := ConnectionStatus{
-			Username:       c.GetUsername(),
-			ConnectionID:   c.GetID(),
-			ClientVersion:  c.GetClientVersion(),
-			RemoteAddress:  c.GetRemoteAddress(),
-			ConnectionTime: util.GetTimeAsMsSinceEpoch(c.GetConnectionTime()),
-			LastActivity:   util.GetTimeAsMsSinceEpoch(c.GetLastActivity()),
-			Protocol:       c.GetProtocol(),
-			Command:        c.GetCommand(),
-			Transfers:      c.GetTransfers(),
-			Node:           node,
+		if role == "" || c.GetRole() == role {
+			stat := ConnectionStatus{
+				Username:       c.GetUsername(),
+				ConnectionID:   c.GetID(),
+				ClientVersion:  c.GetClientVersion(),
+				RemoteAddress:  c.GetRemoteAddress(),
+				ConnectionTime: util.GetTimeAsMsSinceEpoch(c.GetConnectionTime()),
+				LastActivity:   util.GetTimeAsMsSinceEpoch(c.GetLastActivity()),
+				Protocol:       c.GetProtocol(),
+				Command:        c.GetCommand(),
+				Transfers:      c.GetTransfers(),
+				Node:           node,
+			}
+			stats = append(stats, stat)
 		}
-		stats = append(stats, stat)
 	}
 	return stats
 }
@@ -1253,7 +1258,8 @@ type ActiveQuotaScan struct {
 	// Username to which the quota scan refers
 	Username string `json:"username"`
 	// quota scan start time as unix timestamp in milliseconds
-	StartTime int64 `json:"start_time"`
+	StartTime int64  `json:"start_time"`
+	Role      string `json:"-"`
 }
 
 // ActiveVirtualFolderQuotaScan defines an active quota scan for a virtual folder
@@ -1272,18 +1278,26 @@ type ActiveScans struct {
 }
 
 // GetUsersQuotaScans returns the active users quota scans
-func (s *ActiveScans) GetUsersQuotaScans() []ActiveQuotaScan {
+func (s *ActiveScans) GetUsersQuotaScans(role string) []ActiveQuotaScan {
 	s.RLock()
 	defer s.RUnlock()
 
-	scans := make([]ActiveQuotaScan, len(s.UserScans))
-	copy(scans, s.UserScans)
+	scans := make([]ActiveQuotaScan, 0, len(s.UserScans))
+	for _, scan := range s.UserScans {
+		if role == "" || role == scan.Role {
+			scans = append(scans, ActiveQuotaScan{
+				Username:  scan.Username,
+				StartTime: scan.StartTime,
+			})
+		}
+	}
+
 	return scans
 }
 
 // AddUserQuotaScan adds a user to the ones with active quota scans.
 // Returns false if the user has a quota scan already running
-func (s *ActiveScans) AddUserQuotaScan(username string) bool {
+func (s *ActiveScans) AddUserQuotaScan(username, role string) bool {
 	s.Lock()
 	defer s.Unlock()
 
@@ -1295,6 +1309,7 @@ func (s *ActiveScans) AddUserQuotaScan(username string) bool {
 	s.UserScans = append(s.UserScans, ActiveQuotaScan{
 		Username:  username,
 		StartTime: util.GetTimeAsMsSinceEpoch(time.Now()),
+		Role:      role,
 	})
 	return true
 }
@@ -1367,7 +1382,8 @@ type MetadataCheck struct {
 	// Username to which the metadata check refers
 	Username string `json:"username"`
 	// check start time as unix timestamp in milliseconds
-	StartTime int64 `json:"start_time"`
+	StartTime int64  `json:"start_time"`
+	Role      string `json:"-"`
 }
 
 // MetadataChecks holds the active metadata checks
@@ -1377,19 +1393,26 @@ type MetadataChecks struct {
 }
 
 // Get returns the active metadata checks
-func (c *MetadataChecks) Get() []MetadataCheck {
+func (c *MetadataChecks) Get(role string) []MetadataCheck {
 	c.RLock()
 	defer c.RUnlock()
 
-	checks := make([]MetadataCheck, len(c.checks))
-	copy(checks, c.checks)
+	checks := make([]MetadataCheck, 0, len(c.checks))
+	for _, check := range c.checks {
+		if role == "" || role == check.Role {
+			checks = append(checks, MetadataCheck{
+				Username:  check.Username,
+				StartTime: check.StartTime,
+			})
+		}
+	}
 
 	return checks
 }
 
 // Add adds a user to the ones with active metadata checks.
 // Return false if a metadata check is already active for the specified user
-func (c *MetadataChecks) Add(username string) bool {
+func (c *MetadataChecks) Add(username, role string) bool {
 	c.Lock()
 	defer c.Unlock()
 
@@ -1402,6 +1425,7 @@ func (c *MetadataChecks) Add(username string) bool {
 	c.checks = append(c.checks, MetadataCheck{
 		Username:  username,
 		StartTime: util.GetTimeAsMsSinceEpoch(time.Now()),
+		Role:      role,
 	})
 
 	return true

internal/common/common_test.go

@@ -540,7 +540,7 @@ func TestUserMaxSessions(t *testing.T) {
 	Connections.Lock()
 	Connections.removeUserConnection(userTestUsername)
 	Connections.Unlock()
-	assert.Len(t, Connections.GetStats(), 0)
+	assert.Len(t, Connections.GetStats(""), 0)
 }
 
 func TestMaxConnections(t *testing.T) {
@@ -562,12 +562,12 @@ func TestMaxConnections(t *testing.T) {
 	}
 	err := Connections.Add(fakeConn)
 	assert.NoError(t, err)
-	assert.Len(t, Connections.GetStats(), 1)
+	assert.Len(t, Connections.GetStats(""), 1)
 	assert.Error(t, Connections.IsNewConnectionAllowed(ipAddr))
 
-	res := Connections.Close(fakeConn.GetID())
+	res := Connections.Close(fakeConn.GetID(), "")
 	assert.True(t, res)
-	assert.Eventually(t, func() bool { return len(Connections.GetStats()) == 0 }, 300*time.Millisecond, 50*time.Millisecond)
+	assert.Eventually(t, func() bool { return len(Connections.GetStats("")) == 0 }, 300*time.Millisecond, 50*time.Millisecond)
 
 	assert.NoError(t, Connections.IsNewConnectionAllowed(ipAddr))
 	Connections.AddClientConnection(ipAddr)
@@ -580,6 +580,33 @@ func TestMaxConnections(t *testing.T) {
 	Config.MaxTotalConnections = oldValue
 }
 
+func TestConnectionRoles(t *testing.T) {
+	username := "testUsername"
+	role1 := "testRole1"
+	role2 := "testRole2"
+	c := NewBaseConnection("id", ProtocolSFTP, "", "", dataprovider.User{
+		BaseUser: sdk.BaseUser{
+			Username: username,
+			Role:     role1,
+		},
+	})
+	fakeConn := &fakeConnection{
+		BaseConnection: c,
+	}
+	err := Connections.Add(fakeConn)
+	assert.NoError(t, err)
+	assert.Len(t, Connections.GetStats(""), 1)
+	assert.Len(t, Connections.GetStats(role1), 1)
+	assert.Len(t, Connections.GetStats(role2), 0)
+
+	res := Connections.Close(fakeConn.GetID(), role2)
+	assert.False(t, res)
+	assert.Len(t, Connections.GetStats(""), 1)
+	res = Connections.Close(fakeConn.GetID(), role1)
+	assert.True(t, res)
+	assert.Eventually(t, func() bool { return len(Connections.GetStats("")) == 0 }, 300*time.Millisecond, 50*time.Millisecond)
+}
+
 func TestMaxConnectionPerHost(t *testing.T) {
 	oldValue := Config.MaxPerHostConnections
 
@@ -660,7 +687,7 @@ func TestIdleConnections(t *testing.T) {
 	err = Connections.Add(fakeConn)
 	assert.NoError(t, err)
 	assert.Equal(t, Connections.GetActiveSessions(username), 2)
-	assert.Len(t, Connections.GetStats(), 3)
+	assert.Len(t, Connections.GetStats(""), 3)
 	Connections.RLock()
 	assert.Len(t, Connections.sshConnections, 2)
 	Connections.RUnlock()
@@ -673,12 +700,12 @@ func TestIdleConnections(t *testing.T) {
 		return len(Connections.sshConnections) == 1
 	}, 1*time.Second, 200*time.Millisecond)
 	stopEventScheduler()
-	assert.Len(t, Connections.GetStats(), 2)
+	assert.Len(t, Connections.GetStats(""), 2)
 	c.lastActivity.Store(time.Now().Add(-24 * time.Hour).UnixNano())
 	cFTP.lastActivity.Store(time.Now().Add(-24 * time.Hour).UnixNano())
 	sshConn2.lastActivity.Store(c.lastActivity.Load())
 	startPeriodicChecks(100 * time.Millisecond)
-	assert.Eventually(t, func() bool { return len(Connections.GetStats()) == 0 }, 2*time.Second, 200*time.Millisecond)
+	assert.Eventually(t, func() bool { return len(Connections.GetStats("")) == 0 }, 2*time.Second, 200*time.Millisecond)
 	assert.Eventually(t, func() bool {
 		Connections.RLock()
 		defer Connections.RUnlock()
@@ -700,11 +727,11 @@ func TestCloseConnection(t *testing.T) {
 	assert.NoError(t, Connections.IsNewConnectionAllowed("127.0.0.1"))
 	err := Connections.Add(fakeConn)
 	assert.NoError(t, err)
-	assert.Len(t, Connections.GetStats(), 1)
-	res := Connections.Close(fakeConn.GetID())
+	assert.Len(t, Connections.GetStats(""), 1)
+	res := Connections.Close(fakeConn.GetID(), "")
 	assert.True(t, res)
-	assert.Eventually(t, func() bool { return len(Connections.GetStats()) == 0 }, 300*time.Millisecond, 50*time.Millisecond)
-	res = Connections.Close(fakeConn.GetID())
+	assert.Eventually(t, func() bool { return len(Connections.GetStats("")) == 0 }, 300*time.Millisecond, 50*time.Millisecond)
+	res = Connections.Close(fakeConn.GetID(), "")
 	assert.False(t, res)
 	Connections.Remove(fakeConn.GetID())
 }
@@ -716,8 +743,8 @@ func TestSwapConnection(t *testing.T) {
 	}
 	err := Connections.Add(fakeConn)
 	assert.NoError(t, err)
-	if assert.Len(t, Connections.GetStats(), 1) {
-		assert.Equal(t, "", Connections.GetStats()[0].Username)
+	if assert.Len(t, Connections.GetStats(""), 1) {
+		assert.Equal(t, "", Connections.GetStats("")[0].Username)
 	}
 	c = NewBaseConnection("id", ProtocolFTP, "", "", dataprovider.User{
 		BaseUser: sdk.BaseUser{
@@ -743,12 +770,12 @@ func TestSwapConnection(t *testing.T) {
 	Connections.Remove(fakeConn1.ID)
 	err = Connections.Swap(fakeConn)
 	assert.NoError(t, err)
-	if assert.Len(t, Connections.GetStats(), 1) {
-		assert.Equal(t, userTestUsername, Connections.GetStats()[0].Username)
+	if assert.Len(t, Connections.GetStats(""), 1) {
+		assert.Equal(t, userTestUsername, Connections.GetStats("")[0].Username)
 	}
-	res := Connections.Close(fakeConn.GetID())
+	res := Connections.Close(fakeConn.GetID(), "")
 	assert.True(t, res)
-	assert.Eventually(t, func() bool { return len(Connections.GetStats()) == 0 }, 300*time.Millisecond, 50*time.Millisecond)
+	assert.Eventually(t, func() bool { return len(Connections.GetStats("")) == 0 }, 300*time.Millisecond, 50*time.Millisecond)
 	err = Connections.Swap(fakeConn)
 	assert.Error(t, err)
 }
@@ -800,7 +827,7 @@ func TestConnectionStatus(t *testing.T) {
 	err = Connections.Add(fakeConn3)
 	assert.NoError(t, err)
 
-	stats := Connections.GetStats()
+	stats := Connections.GetStats("")
 	assert.Len(t, stats, 3)
 	for _, stat := range stats {
 		assert.Equal(t, stat.Username, username)
@@ -838,24 +865,24 @@ func TestConnectionStatus(t *testing.T) {
 	assert.Error(t, err)
 
 	Connections.Remove(fakeConn1.GetID())
-	stats = Connections.GetStats()
+	stats = Connections.GetStats("")
 	assert.Len(t, stats, 2)
 	assert.Equal(t, fakeConn3.GetID(), stats[0].ConnectionID)
 	assert.Equal(t, fakeConn2.GetID(), stats[1].ConnectionID)
 	Connections.Remove(fakeConn2.GetID())
-	stats = Connections.GetStats()
+	stats = Connections.GetStats("")
 	assert.Len(t, stats, 1)
 	assert.Equal(t, fakeConn3.GetID(), stats[0].ConnectionID)
 	Connections.Remove(fakeConn3.GetID())
-	stats = Connections.GetStats()
+	stats = Connections.GetStats("")
 	assert.Len(t, stats, 0)
 }
 
 func TestQuotaScans(t *testing.T) {
 	username := "username"
-	assert.True(t, QuotaScans.AddUserQuotaScan(username))
-	assert.False(t, QuotaScans.AddUserQuotaScan(username))
-	usersScans := QuotaScans.GetUsersQuotaScans()
+	assert.True(t, QuotaScans.AddUserQuotaScan(username, ""))
+	assert.False(t, QuotaScans.AddUserQuotaScan(username, ""))
+	usersScans := QuotaScans.GetUsersQuotaScans("")
 	if assert.Len(t, usersScans, 1) {
 		assert.Equal(t, usersScans[0].Username, username)
 		assert.Equal(t, QuotaScans.UserScans[0].StartTime, usersScans[0].StartTime)
@@ -865,7 +892,7 @@ func TestQuotaScans(t *testing.T) {
 
 	assert.True(t, QuotaScans.RemoveUserQuotaScan(username))
 	assert.False(t, QuotaScans.RemoveUserQuotaScan(username))
-	assert.Len(t, QuotaScans.GetUsersQuotaScans(), 0)
+	assert.Len(t, QuotaScans.GetUsersQuotaScans(""), 0)
 	assert.Len(t, usersScans, 1)
 
 	folderName := "folder"
@@ -880,6 +907,24 @@ func TestQuotaScans(t *testing.T) {
 	assert.Len(t, QuotaScans.GetVFoldersQuotaScans(), 0)
 }
 
+func TestQuotaScansRole(t *testing.T) {
+	username := "u"
+	role1 := "r1"
+	role2 := "r2"
+	assert.True(t, QuotaScans.AddUserQuotaScan(username, role1))
+	assert.False(t, QuotaScans.AddUserQuotaScan(username, ""))
+	usersScans := QuotaScans.GetUsersQuotaScans("")
+	assert.Len(t, usersScans, 1)
+	assert.Empty(t, usersScans[0].Role)
+	usersScans = QuotaScans.GetUsersQuotaScans(role1)
+	assert.Len(t, usersScans, 1)
+	usersScans = QuotaScans.GetUsersQuotaScans(role2)
+	assert.Len(t, usersScans, 0)
+	assert.True(t, QuotaScans.RemoveUserQuotaScan(username))
+	assert.False(t, QuotaScans.RemoveUserQuotaScan(username))
+	assert.Len(t, QuotaScans.GetUsersQuotaScans(""), 0)
+}
+
 func TestProxyProtocolVersion(t *testing.T) {
 	c := Configuration{
 		ProxyProtocol: 0,
@@ -1342,13 +1387,13 @@ func TestUpdateTransferTimestamps(t *testing.T) {
 
 	err = dataprovider.UpdateUserTransferTimestamps(username, true)
 	assert.NoError(t, err)
-	userGet, err := dataprovider.UserExists(username)
+	userGet, err := dataprovider.UserExists(username, "")
 	assert.NoError(t, err)
 	assert.Greater(t, userGet.FirstUpload, int64(0))
 	assert.Equal(t, int64(0), user.FirstDownload)
 	err = dataprovider.UpdateUserTransferTimestamps(username, false)
 	assert.NoError(t, err)
-	userGet, err = dataprovider.UserExists(username)
+	userGet, err = dataprovider.UserExists(username, "")
 	assert.NoError(t, err)
 	assert.Greater(t, userGet.FirstUpload, int64(0))
 	assert.Greater(t, userGet.FirstDownload, int64(0))
@@ -1358,23 +1403,40 @@ func TestUpdateTransferTimestamps(t *testing.T) {
 	err = dataprovider.UpdateUserTransferTimestamps(username, false)
 	assert.Error(t, err)
 	// cleanup
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 }
 
 func TestMetadataAPI(t *testing.T) {
 	username := "metadatauser"
 	require.False(t, ActiveMetadataChecks.Remove(username))
-	require.True(t, ActiveMetadataChecks.Add(username))
-	require.False(t, ActiveMetadataChecks.Add(username))
-	checks := ActiveMetadataChecks.Get()
+	require.True(t, ActiveMetadataChecks.Add(username, ""))
+	require.False(t, ActiveMetadataChecks.Add(username, ""))
+	checks := ActiveMetadataChecks.Get("")
 	require.Len(t, checks, 1)
 	checks[0].Username = username + "a"
-	checks = ActiveMetadataChecks.Get()
+	checks = ActiveMetadataChecks.Get("")
 	require.Len(t, checks, 1)
 	require.Equal(t, username, checks[0].Username)
 	require.True(t, ActiveMetadataChecks.Remove(username))
-	require.Len(t, ActiveMetadataChecks.Get(), 0)
+	require.Len(t, ActiveMetadataChecks.Get(""), 0)
+}
+
+func TestMetadataAPIRole(t *testing.T) {
+	username := "muser"
+	role1 := "r1"
+	role2 := "r2"
+	require.True(t, ActiveMetadataChecks.Add(username, role2))
+	require.False(t, ActiveMetadataChecks.Add(username, ""))
+	checks := ActiveMetadataChecks.Get("")
+	require.Len(t, checks, 1)
+	assert.Empty(t, checks[0].Role)
+	checks = ActiveMetadataChecks.Get(role1)
+	require.Len(t, checks, 0)
+	checks = ActiveMetadataChecks.Get(role2)
+	require.Len(t, checks, 1)
+	require.True(t, ActiveMetadataChecks.Remove(username))
+	require.Len(t, ActiveMetadataChecks.Get(""), 0)
 }
 
 func BenchmarkBcryptHashing(b *testing.B) {

internal/common/connection.go

@@ -98,6 +98,11 @@ func (c *BaseConnection) GetUsername() string {
 	return c.User.Username
 }
 
+// GetRole returns the role for the user associated with this connection
+func (c *BaseConnection) GetRole() string {
+	return c.User.Role
+}
+
 // GetMaxSessions returns the maximum number of concurrent sessions allowed
 func (c *BaseConnection) GetMaxSessions() int {
 	return c.User.MaxSessions

internal/common/dataretention.go

@@ -62,23 +62,25 @@ type ActiveRetentionChecks struct {
 }
 
 // Get returns the active retention checks
-func (c *ActiveRetentionChecks) Get() []RetentionCheck {
+func (c *ActiveRetentionChecks) Get(role string) []RetentionCheck {
 	c.RLock()
 	defer c.RUnlock()
 
 	checks := make([]RetentionCheck, 0, len(c.Checks))
 	for _, check := range c.Checks {
-		foldersCopy := make([]dataprovider.FolderRetention, len(check.Folders))
-		copy(foldersCopy, check.Folders)
-		notificationsCopy := make([]string, len(check.Notifications))
-		copy(notificationsCopy, check.Notifications)
-		checks = append(checks, RetentionCheck{
-			Username:      check.Username,
-			StartTime:     check.StartTime,
-			Notifications: notificationsCopy,
-			Email:         check.Email,
-			Folders:       foldersCopy,
-		})
+		if role == "" || role == check.Role {
+			foldersCopy := make([]dataprovider.FolderRetention, len(check.Folders))
+			copy(foldersCopy, check.Folders)
+			notificationsCopy := make([]string, len(check.Notifications))
+			copy(notificationsCopy, check.Notifications)
+			checks = append(checks, RetentionCheck{
+				Username:      check.Username,
+				StartTime:     check.StartTime,
+				Notifications: notificationsCopy,
+				Email:         check.Email,
+				Folders:       foldersCopy,
+			})
+		}
 	}
 	return checks
 }
@@ -100,6 +102,7 @@ func (c *ActiveRetentionChecks) Add(check RetentionCheck, user *dataprovider.Use
 	conn.SetProtocol(ProtocolDataRetention)
 	conn.ID = fmt.Sprintf("data_retention_%v", user.Username)
 	check.Username = user.Username
+	check.Role = user.Role
 	check.StartTime = util.GetTimeAsMsSinceEpoch(time.Now())
 	check.conn = conn
 	check.updateUserPermissions()
@@ -148,6 +151,7 @@ type RetentionCheck struct {
 	Notifications []RetentionCheckNotification `json:"notifications,omitempty"`
 	// email to use if the notification method is set to email
 	Email string `json:"email,omitempty"`
+	Role  string `json:"-"`
 	// Cleanup results
 	results []folderRetentionCheckResult `json:"-"`
 	conn    *BaseConnection

internal/common/dataretention_test.go

@@ -316,7 +316,7 @@ func TestRetentionCheckAddRemove(t *testing.T) {
 		Notifications: []RetentionCheckNotification{RetentionCheckNotificationHook},
 	}
 	assert.NotNil(t, RetentionChecks.Add(check, &user))
-	checks := RetentionChecks.Get()
+	checks := RetentionChecks.Get("")
 	require.Len(t, checks, 1)
 	assert.Equal(t, username, checks[0].Username)
 	assert.Greater(t, checks[0].StartTime, int64(0))
@@ -328,10 +328,45 @@ func TestRetentionCheckAddRemove(t *testing.T) {
 
 	assert.Nil(t, RetentionChecks.Add(check, &user))
 	assert.True(t, RetentionChecks.remove(username))
-	require.Len(t, RetentionChecks.Get(), 0)
+	require.Len(t, RetentionChecks.Get(""), 0)
 	assert.False(t, RetentionChecks.remove(username))
 }
 
+func TestRetentionCheckRole(t *testing.T) {
+	username := "retuser"
+	role1 := "retrole1"
+	role2 := "retrole2"
+	user := dataprovider.User{
+		BaseUser: sdk.BaseUser{
+			Username: username,
+			Role:     role1,
+		},
+	}
+	user.Permissions = make(map[string][]string)
+	user.Permissions["/"] = []string{dataprovider.PermAny}
+	check := RetentionCheck{
+		Folders: []dataprovider.FolderRetention{
+			{
+				Path:      "/",
+				Retention: 48,
+			},
+		},
+		Notifications: []RetentionCheckNotification{RetentionCheckNotificationHook},
+	}
+	assert.NotNil(t, RetentionChecks.Add(check, &user))
+	checks := RetentionChecks.Get("")
+	require.Len(t, checks, 1)
+	assert.Empty(t, checks[0].Role)
+	checks = RetentionChecks.Get(role1)
+	require.Len(t, checks, 1)
+	checks = RetentionChecks.Get(role2)
+	require.Len(t, checks, 0)
+	user.Role = ""
+	assert.Nil(t, RetentionChecks.Add(check, &user))
+	assert.True(t, RetentionChecks.remove(username))
+	require.Len(t, RetentionChecks.Get(""), 0)
+}
+
 func TestCleanupErrors(t *testing.T) {
 	user := dataprovider.User{
 		BaseUser: sdk.BaseUser{

internal/common/eventmanager.go

@@ -531,7 +531,7 @@ func (p *EventParams) getUserFromSender() (dataprovider.User, error) {
 			},
 		}, nil
 	}
-	user, err := dataprovider.UserExists(p.sender)
+	user, err := dataprovider.UserExists(p.sender, "")
 	if err != nil {
 		eventManagerLog(logger.LevelError, "unable to get user %q: %+v", p.sender, err)
 		return user, fmt.Errorf("error getting user %q", p.sender)
@@ -1652,7 +1652,7 @@ func executeQuotaResetForUser(user dataprovider.User) error {
 			user.Username, err)
 		return err
 	}
-	if !QuotaScans.AddUserQuotaScan(user.Username) {
+	if !QuotaScans.AddUserQuotaScan(user.Username, user.Role) {
 		eventManagerLog(logger.LevelError, "another quota scan is already in progress for user %q", user.Username)
 		return fmt.Errorf("another quota scan is in progress for user %q", user.Username)
 	}
@@ -1874,7 +1874,7 @@ func executeMetadataCheckForUser(user dataprovider.User) error {
 			user.Username, err)
 		return err
 	}
-	if !ActiveMetadataChecks.Add(user.Username) {
+	if !ActiveMetadataChecks.Add(user.Username, user.Role) {
 		eventManagerLog(logger.LevelError, "another metadata check is already in progress for user %q", user.Username)
 		return fmt.Errorf("another metadata check is in progress for user %q", user.Username)
 	}

internal/common/eventmanager_test.go

@@ -645,12 +645,12 @@ func TestEventRuleActions(t *testing.T) {
 		},
 	})
 	assert.NoError(t, err)
-	userGet, err := dataprovider.UserExists(username1)
+	userGet, err := dataprovider.UserExists(username1, "")
 	assert.NoError(t, err)
 	assert.Equal(t, 1, userGet.UsedQuotaFiles)
 	assert.Equal(t, int64(4), userGet.UsedQuotaSize)
 	// simulate another quota scan in progress
-	assert.True(t, QuotaScans.AddUserQuotaScan(username1))
+	assert.True(t, QuotaScans.AddUserQuotaScan(username1, ""))
 	err = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{
 		Names: []dataprovider.ConditionPattern{
 			{
@@ -694,7 +694,7 @@ func TestEventRuleActions(t *testing.T) {
 	})
 	assert.NoError(t, err)
 	// simulate another metadata check in progress
-	assert.True(t, ActiveMetadataChecks.Add(username1))
+	assert.True(t, ActiveMetadataChecks.Add(username1, ""))
 	err = executeRuleAction(action, &EventParams{}, dataprovider.ConditionOptions{
 		Names: []dataprovider.ConditionPattern{
 			{
@@ -850,7 +850,7 @@ func TestEventRuleActions(t *testing.T) {
 		},
 	})
 	assert.NoError(t, err)
-	userGet, err = dataprovider.UserExists(username1)
+	userGet, err = dataprovider.UserExists(username1, "")
 	assert.NoError(t, err)
 	assert.Equal(t, int64(0), userGet.UsedDownloadDataTransfer)
 	assert.Equal(t, int64(0), userGet.UsedUploadDataTransfer)
@@ -948,9 +948,9 @@ func TestEventRuleActions(t *testing.T) {
 	assert.Error(t, err)
 	assert.Contains(t, getErrorString(err), "no file/folder compressed")
 
-	err = dataprovider.DeleteUser(username1, "", "")
+	err = dataprovider.DeleteUser(username1, "", "", "")
 	assert.NoError(t, err)
-	err = dataprovider.DeleteUser(username2, "", "")
+	err = dataprovider.DeleteUser(username2, "", "", "")
 	assert.NoError(t, err)
 	// test folder quota reset
 	foldername1 := "f1"
@@ -1085,7 +1085,7 @@ func TestEventRuleActionsNoGroupMatching(t *testing.T) {
 		assert.Contains(t, err.Error(), "no retention check executed")
 	}
 
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
@@ -1147,7 +1147,7 @@ func TestGetFileContent(t *testing.T) {
 	_, err = getMailAttachments(user, []string{"/file.txt"}, replacer)
 	assert.Error(t, err)
 
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
@@ -1232,7 +1232,7 @@ func TestFilesystemActionErrors(t *testing.T) {
 	assert.Error(t, err)
 	user.FsConfig.Provider = sdk.LocalFilesystemProvider
 	user.Permissions["/"] = []string{dataprovider.PermUpload}
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 	err = dataprovider.AddUser(&user, "", "")
 	assert.NoError(t, err)
@@ -1344,7 +1344,7 @@ func TestFilesystemActionErrors(t *testing.T) {
 		assert.Contains(t, getErrorString(err), "is outside base dir")
 	}
 
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
@@ -1400,7 +1400,7 @@ func TestQuotaActionsWithQuotaTrackDisabled(t *testing.T) {
 
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 
 	foldername := "f1"

internal/common/protocol_test.go

@@ -3067,7 +3067,7 @@ func TestUserPasswordHashing(t *testing.T) {
 	err = dataprovider.Initialize(providerConf, configDir, true)
 	assert.NoError(t, err)
 
-	currentUser, err := dataprovider.UserExists(user.Username)
+	currentUser, err := dataprovider.UserExists(user.Username, "")
 	assert.NoError(t, err)
 	assert.True(t, strings.HasPrefix(currentUser.Password, "$2a$"))
 
@@ -3088,7 +3088,7 @@ func TestUserPasswordHashing(t *testing.T) {
 	user, _, err = httpdtest.AddUser(u, http.StatusCreated)
 	assert.NoError(t, err)
 
-	currentUser, err = dataprovider.UserExists(user.Username)
+	currentUser, err = dataprovider.UserExists(user.Username, "")
 	assert.NoError(t, err)
 	assert.True(t, strings.HasPrefix(currentUser.Password, "$argon2id$"))
 
@@ -3193,7 +3193,7 @@ func TestDelayedQuotaUpdater(t *testing.T) {
 	assert.Equal(t, int64(100), ulSize)
 	assert.Equal(t, int64(200), dlSize)
 
-	userGet, err := dataprovider.UserExists(user.Username)
+	userGet, err := dataprovider.UserExists(user.Username, "")
 	assert.NoError(t, err)
 	assert.Equal(t, 0, userGet.UsedQuotaFiles)
 	assert.Equal(t, int64(0), userGet.UsedQuotaSize)
@@ -3211,7 +3211,7 @@ func TestDelayedQuotaUpdater(t *testing.T) {
 	assert.Equal(t, int64(100), ulSize)
 	assert.Equal(t, int64(200), dlSize)
 
-	userGet, err = dataprovider.UserExists(user.Username)
+	userGet, err = dataprovider.UserExists(user.Username, "")
 	assert.NoError(t, err)
 	assert.Equal(t, 10, userGet.UsedQuotaFiles)
 	assert.Equal(t, int64(6000), userGet.UsedQuotaSize)
@@ -5609,7 +5609,7 @@ func TestEventRuleIPBlocked(t *testing.T) {
 	assert.NoError(t, err)
 	err = dataprovider.DeleteEventAction(action2.Name, "", "")
 	assert.NoError(t, err)
-	err = dataprovider.DeleteUser(user.Username, "", "")
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
@@ -5815,7 +5815,7 @@ func TestRetentionAPI(t *testing.T) {
 		assert.NoError(t, err)
 
 		assert.Eventually(t, func() bool {
-			return len(common.RetentionChecks.Get()) == 0
+			return len(common.RetentionChecks.Get("")) == 0
 		}, 1000*time.Millisecond, 50*time.Millisecond)
 
 		_, err = client.Stat(uploadPath)
@@ -5828,7 +5828,7 @@ func TestRetentionAPI(t *testing.T) {
 		assert.NoError(t, err)
 
 		assert.Eventually(t, func() bool {
-			return len(common.RetentionChecks.Get()) == 0
+			return len(common.RetentionChecks.Get("")) == 0
 		}, 1000*time.Millisecond, 50*time.Millisecond)
 
 		_, err = client.Stat(uploadPath)
@@ -5850,7 +5850,7 @@ func TestRetentionAPI(t *testing.T) {
 		assert.NoError(t, err)
 
 		assert.Eventually(t, func() bool {
-			return len(common.RetentionChecks.Get()) == 0
+			return len(common.RetentionChecks.Get("")) == 0
 		}, 1000*time.Millisecond, 50*time.Millisecond)
 
 		_, err = client.Stat(uploadPath)
@@ -5905,7 +5905,7 @@ func TestRetentionAPI(t *testing.T) {
 		assert.NoError(t, err)
 
 		assert.Eventually(t, func() bool {
-			return len(common.RetentionChecks.Get()) == 0
+			return len(common.RetentionChecks.Get("")) == 0
 		}, 1000*time.Millisecond, 50*time.Millisecond)
 
 		_, err = client.Stat(uploadPath)
@@ -5918,7 +5918,7 @@ func TestRetentionAPI(t *testing.T) {
 		assert.NoError(t, err)
 
 		assert.Eventually(t, func() bool {
-			return len(common.RetentionChecks.Get()) == 0
+			return len(common.RetentionChecks.Get("")) == 0
 		}, 1000*time.Millisecond, 50*time.Millisecond)
 
 		_, err = client.Stat(uploadPath)
@@ -5940,7 +5940,7 @@ func TestRetentionAPI(t *testing.T) {
 		assert.NoError(t, err)
 
 		assert.Eventually(t, func() bool {
-			return len(common.RetentionChecks.Get()) == 0
+			return len(common.RetentionChecks.Get("")) == 0
 		}, 1000*time.Millisecond, 50*time.Millisecond)
 
 		_, err = client.Stat(innerUploadFilePath)
@@ -5975,7 +5975,7 @@ func TestRetentionAPI(t *testing.T) {
 		assert.NoError(t, err)
 
 		assert.Eventually(t, func() bool {
-			return len(common.RetentionChecks.Get()) == 0
+			return len(common.RetentionChecks.Get("")) == 0
 		}, 1000*time.Millisecond, 50*time.Millisecond)
 
 		err = os.Chmod(dirPath, 0555)
@@ -5985,7 +5985,7 @@ func TestRetentionAPI(t *testing.T) {
 		assert.NoError(t, err)
 
 		assert.Eventually(t, func() bool {
-			return len(common.RetentionChecks.Get()) == 0
+			return len(common.RetentionChecks.Get("")) == 0
 		}, 1000*time.Millisecond, 50*time.Millisecond)
 
 		err = os.Chmod(dirPath, os.ModePerm)
@@ -5995,7 +5995,7 @@ func TestRetentionAPI(t *testing.T) {
 		assert.NoError(t, err)
 
 		assert.Eventually(t, func() bool {
-			return len(common.RetentionChecks.Get()) == 0
+			return len(common.RetentionChecks.Get("")) == 0
 		}, 1000*time.Millisecond, 50*time.Millisecond)
 
 		assert.NoDirExists(t, dirPath)

internal/common/transferschecker_test.go

@@ -83,7 +83,7 @@ func TestTransfersCheckerDiskQuota(t *testing.T) {
 	assert.Equal(t, int64(120), group.UserSettings.QuotaSize)
 	err = dataprovider.AddUser(&user, "", "")
 	assert.NoError(t, err)
-	user, err = dataprovider.GetUserWithGroupSettings(username)
+	user, err = dataprovider.GetUserWithGroupSettings(username, "")
 	assert.NoError(t, err)
 
 	connID1 := xid.New().String()
@@ -243,10 +243,10 @@ func TestTransfersCheckerDiskQuota(t *testing.T) {
 	Connections.Remove(fakeConn3.GetID())
 	Connections.Remove(fakeConn4.GetID())
 	Connections.Remove(fakeConn5.GetID())
-	stats := Connections.GetStats()
+	stats := Connections.GetStats("")
 	assert.Len(t, stats, 0)
 
-	err = dataprovider.DeleteUser(user.Username, "", "")
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
@@ -366,10 +366,10 @@ func TestTransferCheckerTransferQuota(t *testing.T) {
 
 	Connections.Remove(fakeConn3.GetID())
 	Connections.Remove(fakeConn4.GetID())
-	stats := Connections.GetStats()
+	stats := Connections.GetStats("")
 	assert.Len(t, stats, 0)
 
-	err = dataprovider.DeleteUser(user.Username, "", "")
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
@@ -671,7 +671,7 @@ func TestGetUsersForQuotaCheck(t *testing.T) {
 	}
 
 	for i := 0; i < 40; i++ {
-		err = dataprovider.DeleteUser(fmt.Sprintf("user%v", i), "", "")
+		err = dataprovider.DeleteUser(fmt.Sprintf("user%v", i), "", "", "")
 		assert.NoError(t, err)
 		err = dataprovider.DeleteFolder(fmt.Sprintf("f%v", i), "", "")
 		assert.NoError(t, err)

internal/dataprovider/actions.go

@@ -50,6 +50,7 @@ const (
 	actionObjectShare       = "share"
 	actionObjectEventAction = "event_action"
 	actionObjectEventRule   = "event_rule"
+	actionObjectRole        = "role"
 )
 
 var (

internal/dataprovider/admin.go

@@ -56,6 +56,7 @@ const (
 	PermAdminMetadataChecks   = "metadata_checks"
 	PermAdminViewEvents       = "view_events"
 	PermAdminManageEventRules = "manage_event_rules"
+	PermAdminManageRoles      = "manage_roles"
 )
 
 const (
@@ -70,9 +71,11 @@ const (
 var (
 	validAdminPerms = []string{PermAdminAny, PermAdminAddUsers, PermAdminChangeUsers, PermAdminDeleteUsers,
 		PermAdminViewUsers, PermAdminManageGroups, PermAdminViewConnections, PermAdminCloseConnections,
-		PermAdminViewServerStatus, PermAdminManageAdmins, PermAdminManageAPIKeys, PermAdminQuotaScans,
-		PermAdminManageSystem, PermAdminManageDefender, PermAdminViewDefender, PermAdminRetentionChecks,
-		PermAdminMetadataChecks, PermAdminViewEvents}
+		PermAdminViewServerStatus, PermAdminManageAdmins, PermAdminManageRoles, PermAdminManageEventRules,
+		PermAdminManageAPIKeys, PermAdminQuotaScans, PermAdminManageSystem, PermAdminManageDefender,
+		PermAdminViewDefender, PermAdminRetentionChecks, PermAdminMetadataChecks, PermAdminViewEvents}
+	forbiddenPermsForRoleAdmins = []string{PermAdminAny, PermAdminManageAdmins, PermAdminManageSystem,
+		PermAdminManageEventRules, PermAdminManageRoles, PermAdminViewEvents}
 )
 
 // AdminTOTPConfig defines the time-based one time password configuration
@@ -255,6 +258,14 @@ type Admin struct {
 	UpdatedAt int64 `json:"updated_at"`
 	// Last login as unix timestamp in milliseconds
 	LastLogin int64 `json:"last_login"`
+	// Role name. If set the admin can only administer users with the same role.
+	// Role admins cannot have the following permissions:
+	// - manage_admins
+	// - manage_apikeys
+	// - manage_system
+	// - manage_event_rules
+	// - manage_roles
+	Role string `json:"role,omitempty"`
 }
 
 // CountUnusedRecoveryCodes returns the number of unused recovery codes
@@ -322,7 +333,13 @@ func (a *Admin) validatePermissions() error {
 	}
 	for _, perm := range a.Permissions {
 		if !util.Contains(validAdminPerms, perm) {
-			return util.NewValidationError(fmt.Sprintf("invalid permission: %#v", perm))
+			return util.NewValidationError(fmt.Sprintf("invalid permission: %q", perm))
+		}
+		if a.Role != "" {
+			if util.Contains(forbiddenPermsForRoleAdmins, perm) {
+				return util.NewValidationError(fmt.Sprintf("a role admin cannot have the following permissions: %q",
+					strings.Join(forbiddenPermsForRoleAdmins, ",")))
+			}
 		}
 	}
 	return nil
@@ -604,6 +621,7 @@ func (a *Admin) getACopy() Admin {
 		LastLogin:      a.LastLogin,
 		CreatedAt:      a.CreatedAt,
 		UpdatedAt:      a.UpdatedAt,
+		Role:           a.Role,
 	}
 }
 

internal/dataprovider/apikey.go

@@ -165,7 +165,7 @@ func (k *APIKey) validate() error {
 		k.Admin = ""
 	}
 	if k.User != "" {
-		_, err := provider.userExists(k.User)
+		_, err := provider.userExists(k.User, "")
 		if err != nil {
 			return util.NewValidationError(fmt.Sprintf("unable to check API key user %v: %v", k.User, err))
 		}

internal/dataprovider/bolt.go

@@ -35,7 +35,7 @@ import (
 )
 
 const (
-	boltDatabaseVersion = 23
+	boltDatabaseVersion = 24
 )
 
 var (
@@ -47,10 +47,11 @@ var (
 	sharesBucket    = []byte("shares")
 	actionsBucket   = []byte("events_actions")
 	rulesBucket     = []byte("events_rules")
+	rolesBucket     = []byte("roles")
 	dbVersionBucket = []byte("db_version")
 	dbVersionKey    = []byte("version")
 	boltBuckets     = [][]byte{usersBucket, groupsBucket, foldersBucket, adminsBucket, apiKeysBucket,
-		sharesBucket, actionsBucket, rulesBucket, dbVersionBucket}
+		sharesBucket, actionsBucket, rulesBucket, rolesBucket, dbVersionBucket}
 )
 
 // BoltProvider defines the auth provider for bolt key/value store
@@ -105,7 +106,7 @@ func (p *BoltProvider) validateUserAndTLSCert(username, protocol string, tlsCert
 	if tlsCert == nil {
 		return user, errors.New("TLS certificate cannot be null or empty")
 	}
-	user, err := p.userExists(username)
+	user, err := p.userExists(username, "")
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
 		return user, err
@@ -114,7 +115,7 @@ func (p *BoltProvider) validateUserAndTLSCert(username, protocol string, tlsCert
 }
 
 func (p *BoltProvider) validateUserAndPass(username, password, ip, protocol string) (User, error) {
-	user, err := p.userExists(username)
+	user, err := p.userExists(username, "")
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
 		return user, err
@@ -137,7 +138,7 @@ func (p *BoltProvider) validateUserAndPubKey(username string, pubKey []byte, isS
 	if len(pubKey) == 0 {
 		return user, "", errors.New("credentials cannot be null or empty")
 	}
-	user, err := p.userExists(username)
+	user, err := p.userExists(username, "")
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
 		return user, "", err
@@ -336,7 +337,7 @@ func (p *BoltProvider) updateQuota(username string, filesAdd int, sizeAdd int64,
 }
 
 func (p *BoltProvider) getUsedQuota(username string) (int, int64, int64, int64, error) {
-	user, err := p.userExists(username)
+	user, err := p.userExists(username, "")
 	if err != nil {
 		providerLog(logger.LevelError, "unable to get quota for user %v error: %v", username, err)
 		return 0, 0, 0, 0, err
@@ -376,8 +377,12 @@ func (p *BoltProvider) addAdmin(admin *Admin) error {
 		if err != nil {
 			return err
 		}
+		rolesBucket, err := p.getRolesBucket(tx)
+		if err != nil {
+			return err
+		}
 		if a := bucket.Get([]byte(admin.Username)); a != nil {
-			return fmt.Errorf("admin %v already exists", admin.Username)
+			return fmt.Errorf("admin %q already exists", admin.Username)
 		}
 		id, err := bucket.NextSequence()
 		if err != nil {
@@ -393,6 +398,10 @@ func (p *BoltProvider) addAdmin(admin *Admin) error {
 				return err
 			}
 		}
+		if err = p.addAdminToRole(admin.Username, admin.Role, rolesBucket); err != nil {
+			return err
+		}
+
 		buf, err := json.Marshal(admin)
 		if err != nil {
 			return err
@@ -415,6 +424,10 @@ func (p *BoltProvider) updateAdmin(admin *Admin) error {
 		if err != nil {
 			return err
 		}
+		rolesBucket, err := p.getRolesBucket(tx)
+		if err != nil {
+			return err
+		}
 		var a []byte
 		if a = bucket.Get([]byte(admin.Username)); a == nil {
 			return util.NewRecordNotFoundError(fmt.Sprintf("admin %v does not exist", admin.Username))
@@ -425,12 +438,18 @@ func (p *BoltProvider) updateAdmin(admin *Admin) error {
 			return err
 		}
 
+		if err = p.removeAdminFromRole(oldAdmin.Username, oldAdmin.Role, rolesBucket); err != nil {
+			return err
+		}
 		for idx := range oldAdmin.Groups {
 			err = p.removeAdminFromGroupMapping(oldAdmin.Username, oldAdmin.Groups[idx].Name, groupBucket)
 			if err != nil {
 				return err
 			}
 		}
+		if err = p.addAdminToRole(admin.Username, admin.Role, rolesBucket); err != nil {
+			return err
+		}
 		for idx := range admin.Groups {
 			err = p.addAdminToGroupMapping(admin.Username, admin.Groups[idx].Name, groupBucket)
 			if err != nil {
@@ -477,6 +496,15 @@ func (p *BoltProvider) deleteAdmin(admin Admin) error {
 				}
 			}
 		}
+		if oldAdmin.Role != "" {
+			rolesBucket, err := p.getRolesBucket(tx)
+			if err != nil {
+				return err
+			}
+			if err = p.removeAdminFromRole(oldAdmin.Username, oldAdmin.Role, rolesBucket); err != nil {
+				return err
+			}
+		}
 
 		if err := p.deleteRelatedAPIKey(tx, admin.Username, APIKeyScopeAdmin); err != nil {
 			return err
@@ -560,7 +588,7 @@ func (p *BoltProvider) dumpAdmins() ([]Admin, error) {
 	return admins, err
 }
 
-func (p *BoltProvider) userExists(username string) (User, error) {
+func (p *BoltProvider) userExists(username, role string) (User, error) {
 	var user User
 	err := p.dbHandle.View(func(tx *bolt.Tx) error {
 		bucket, err := p.getUsersBucket(tx)
@@ -569,14 +597,20 @@ func (p *BoltProvider) userExists(username string) (User, error) {
 		}
 		u := bucket.Get([]byte(username))
 		if u == nil {
-			return util.NewRecordNotFoundError(fmt.Sprintf("username %#v does not exist", username))
+			return util.NewRecordNotFoundError(fmt.Sprintf("username %q does not exist", username))
 		}
 		foldersBucket, err := p.getFoldersBucket(tx)
 		if err != nil {
 			return err
 		}
 		user, err = p.joinUserAndFolders(u, foldersBucket)
-		return err
+		if err != nil {
+			return err
+		}
+		if !user.hasRole(role) {
+			return util.NewRecordNotFoundError(fmt.Sprintf("username %q does not exist", username))
+		}
+		return nil
 	})
 	return user, err
 }
@@ -599,6 +633,10 @@ func (p *BoltProvider) addUser(user *User) error {
 		if err != nil {
 			return err
 		}
+		rolesBucket, err := p.getRolesBucket(tx)
+		if err != nil {
+			return err
+		}
 		if u := bucket.Get([]byte(user.Username)); u != nil {
 			return fmt.Errorf("username %v already exists", user.Username)
 		}
@@ -617,6 +655,9 @@ func (p *BoltProvider) addUser(user *User) error {
 		user.FirstUpload = 0
 		user.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
 		user.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
+		if err := p.addUserToRole(user.Username, user.Role, rolesBucket); err != nil {
+			return err
+		}
 		for idx := range user.VirtualFolders {
 			err = p.addRelationToFolderMapping(&user.VirtualFolders[idx].BaseVirtualFolder, user, nil, foldersBucket)
 			if err != nil {
@@ -689,6 +730,18 @@ func (p *BoltProvider) deleteUser(user User, softDelete bool) error {
 		if err != nil {
 			return err
 		}
+		foldersBucket, err := p.getFoldersBucket(tx)
+		if err != nil {
+			return err
+		}
+		groupBucket, err := p.getGroupsBucket(tx)
+		if err != nil {
+			return err
+		}
+		rolesBucket, err := p.getRolesBucket(tx)
+		if err != nil {
+			return err
+		}
 		var u []byte
 		if u = bucket.Get([]byte(user.Username)); u == nil {
 			return util.NewRecordNotFoundError(fmt.Sprintf("username %q does not exist", user.Username))
@@ -698,30 +751,20 @@ func (p *BoltProvider) deleteUser(user User, softDelete bool) error {
 		if err != nil {
 			return err
 		}
-
-		if len(oldUser.VirtualFolders) > 0 {
-			foldersBucket, err := p.getFoldersBucket(tx)
+		if err := p.removeUserFromRole(oldUser.Username, oldUser.Role, rolesBucket); err != nil {
+			return err
+		}
+		for idx := range oldUser.VirtualFolders {
+			err = p.removeRelationFromFolderMapping(oldUser.VirtualFolders[idx], oldUser.Username, "", foldersBucket)
 			if err != nil {
 				return err
 			}
-			for idx := range oldUser.VirtualFolders {
-				err = p.removeRelationFromFolderMapping(oldUser.VirtualFolders[idx], oldUser.Username, "", foldersBucket)
-				if err != nil {
-					return err
-				}
-			}
 		}
-		if len(oldUser.Groups) > 0 {
-			groupBucket, err := p.getGroupsBucket(tx)
+		for idx := range oldUser.Groups {
+			err = p.removeUserFromGroupMapping(oldUser.Username, oldUser.Groups[idx].Name, groupBucket)
 			if err != nil {
 				return err
 			}
-			for idx := range oldUser.Groups {
-				err = p.removeUserFromGroupMapping(oldUser.Username, oldUser.Groups[idx].Name, groupBucket)
-				if err != nil {
-					return err
-				}
-			}
 		}
 		if err := p.deleteRelatedAPIKey(tx, user.Username, APIKeyScopeUser); err != nil {
 			return err
@@ -901,7 +944,7 @@ func (p *BoltProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, e
 	return users, err
 }
 
-func (p *BoltProvider) getUsers(limit int, offset int, order string) ([]User, error) {
+func (p *BoltProvider) getUsers(limit int, offset int, order, role string) ([]User, error) {
 	users := make([]User, 0, limit)
 	var err error
 	if limit <= 0 {
@@ -928,6 +971,9 @@ func (p *BoltProvider) getUsers(limit int, offset int, order string) ([]User, er
 				if err != nil {
 					return err
 				}
+				if !user.hasRole(role) {
+					continue
+				}
 				user.PrepareForRendering()
 				users = append(users, user)
 				if len(users) >= limit {
@@ -944,6 +990,9 @@ func (p *BoltProvider) getUsers(limit int, offset int, order string) ([]User, er
 				if err != nil {
 					return err
 				}
+				if !user.hasRole(role) {
+					continue
+				}
 				user.PrepareForRendering()
 				users = append(users, user)
 				if len(users) >= limit {
@@ -2519,6 +2568,187 @@ func (*BoltProvider) cleanupNodes() error {
 	return ErrNotImplemented
 }
 
+func (p *BoltProvider) roleExists(name string) (Role, error) {
+	var role Role
+	err := p.dbHandle.View(func(tx *bolt.Tx) error {
+		bucket, err := p.getRolesBucket(tx)
+		if err != nil {
+			return err
+		}
+		r := bucket.Get([]byte(name))
+		if r == nil {
+			return util.NewRecordNotFoundError(fmt.Sprintf("role %q does not exist", name))
+		}
+		return json.Unmarshal(r, &role)
+	})
+	return role, err
+}
+
+func (p *BoltProvider) addRole(role *Role) error {
+	if err := role.validate(); err != nil {
+		return err
+	}
+	return p.dbHandle.Update(func(tx *bolt.Tx) error {
+		bucket, err := p.getRolesBucket(tx)
+		if err != nil {
+			return err
+		}
+		if r := bucket.Get([]byte(role.Name)); r != nil {
+			return fmt.Errorf("role %q already exists", role.Name)
+		}
+		id, err := bucket.NextSequence()
+		if err != nil {
+			return err
+		}
+		role.ID = int64(id)
+		role.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
+		role.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
+		role.Users = nil
+		role.Admins = nil
+		buf, err := json.Marshal(role)
+		if err != nil {
+			return err
+		}
+		return bucket.Put([]byte(role.Name), buf)
+	})
+}
+
+func (p *BoltProvider) updateRole(role *Role) error {
+	if err := role.validate(); err != nil {
+		return err
+	}
+	return p.dbHandle.Update(func(tx *bolt.Tx) error {
+		bucket, err := p.getRolesBucket(tx)
+		if err != nil {
+			return err
+		}
+		var r []byte
+		if r = bucket.Get([]byte(role.Name)); r == nil {
+			return fmt.Errorf("role %q does not exist", role.Name)
+		}
+		var oldRole Role
+		err = json.Unmarshal(r, &oldRole)
+		if err != nil {
+			return err
+		}
+		role.ID = oldRole.ID
+		role.CreatedAt = oldRole.CreatedAt
+		role.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
+		role.Users = oldRole.Users
+		role.Admins = oldRole.Admins
+		buf, err := json.Marshal(role)
+		if err != nil {
+			return err
+		}
+		return bucket.Put([]byte(role.Name), buf)
+	})
+}
+
+func (p *BoltProvider) deleteRole(role Role) error {
+	return p.dbHandle.Update(func(tx *bolt.Tx) error {
+		bucket, err := p.getRolesBucket(tx)
+		if err != nil {
+			return err
+		}
+		var r []byte
+		if r = bucket.Get([]byte(role.Name)); r == nil {
+			return fmt.Errorf("role %q does not exist", role.Name)
+		}
+		var oldRole Role
+		err = json.Unmarshal(r, &oldRole)
+		if err != nil {
+			return err
+		}
+		if len(oldRole.Admins) > 0 {
+			return util.NewValidationError(fmt.Sprintf("the role %q is referenced, it cannot be removed", oldRole.Name))
+		}
+		if len(oldRole.Users) > 0 {
+			bucket, err := p.getUsersBucket(tx)
+			if err != nil {
+				return err
+			}
+			for _, username := range oldRole.Users {
+				if err := p.removeRoleFromUser(username, oldRole.Name, bucket); err != nil {
+					return err
+				}
+			}
+		}
+
+		return bucket.Delete([]byte(role.Name))
+	})
+}
+
+func (p *BoltProvider) getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) {
+	roles := make([]Role, 0, limit)
+	if limit <= 0 {
+		return roles, nil
+	}
+	err := p.dbHandle.View(func(tx *bolt.Tx) error {
+		bucket, err := p.getRolesBucket(tx)
+		if err != nil {
+			return err
+		}
+		cursor := bucket.Cursor()
+		itNum := 0
+		if order == OrderASC {
+			for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+				itNum++
+				if itNum <= offset {
+					continue
+				}
+				var role Role
+				err = json.Unmarshal(v, &role)
+				if err != nil {
+					return err
+				}
+				roles = append(roles, role)
+				if len(roles) >= limit {
+					break
+				}
+			}
+		} else {
+			for k, v := cursor.Last(); k != nil; k, v = cursor.Prev() {
+				itNum++
+				if itNum <= offset {
+					continue
+				}
+				var role Role
+				err = json.Unmarshal(v, &role)
+				if err != nil {
+					return err
+				}
+				roles = append(roles, role)
+				if len(roles) >= limit {
+					break
+				}
+			}
+		}
+		return nil
+	})
+	return roles, err
+}
+
+func (p *BoltProvider) dumpRoles() ([]Role, error) {
+	roles := make([]Role, 0, 10)
+	err := p.dbHandle.View(func(tx *bolt.Tx) error {
+		bucket, err := p.getRolesBucket(tx)
+		if err != nil {
+			return err
+		}
+		cursor := bucket.Cursor()
+		for k, v := cursor.First(); k != nil; k, v = cursor.Next() {
+			var role Role
+			err = json.Unmarshal(v, &role)
+			if err != nil {
+				return err
+			}
+			roles = append(roles, role)
+		}
+		return err
+	})
+	return roles, err
+}
+
 func (p *BoltProvider) setFirstDownloadTimestamp(username string) error {
 	return p.dbHandle.Update(func(tx *bolt.Tx) error {
 		bucket, err := p.getUsersBucket(tx)
@@ -2603,6 +2833,10 @@ func (p *BoltProvider) migrateDatabase() error {
 		providerLog(logger.LevelError, "%v", err)
 		logger.ErrorToConsole("%v", err)
 		return err
+	case version == 23:
+		logger.InfoToConsole(fmt.Sprintf("updating database schema version: %d -> 24", version))
+		providerLog(logger.LevelInfo, "updating database schema version: %d -> 24", version)
+		return updateBoltDatabaseVersion(p.dbHandle, 24)
 	default:
 		if version > boltDatabaseVersion {
 			providerLog(logger.LevelError, "database schema version %d is newer than the supported one: %d", version,
@@ -2624,6 +2858,44 @@ func (p *BoltProvider) revertDatabase(targetVersion int) error {
 		return errors.New("current version match target version, nothing to do")
 	}
 	switch dbVersion.Version {
+	case 24:
+		logger.InfoToConsole("downgrading database schema version: %d -> 23", dbVersion.Version)
+		providerLog(logger.LevelInfo, "downgrading database schema version: %d -> 23", dbVersion.Version)
+		err := p.dbHandle.Update(func(tx *bolt.Tx) error {
+			roles, err := p.dumpRoles()
+			if err != nil {
+				return err
+			}
+			adminsBucket, err := p.getAdminsBucket(tx)
+			if err != nil {
+				return err
+			}
+			usersBucket, err := p.getUsersBucket(tx)
+			if err != nil {
+				return err
+			}
+			for _, role := range roles {
+				for _, admin := range role.Admins {
+					if err := p.removeRoleFromAdmin(admin, role.Name, adminsBucket); err != nil {
+						return err
+					}
+				}
+				for _, user := range role.Users {
+					if err := p.removeRoleFromUser(user, role.Name, usersBucket); err != nil {
+						return err
+					}
+				}
+			}
+			err = tx.DeleteBucket(rolesBucket)
+			if err != nil && !errors.Is(err, bolt.ErrBucketNotFound) {
+				return err
+			}
+			return nil
+		})
+		if err != nil {
+			return err
+		}
+		return updateBoltDatabaseVersion(p.dbHandle, 23)
 	default:
 		return fmt.Errorf("database schema version not handled: %v", dbVersion.Version)
 	}
@@ -2748,6 +3020,163 @@ func (p *BoltProvider) addFolderInternal(folder vfs.BaseVirtualFolder, bucket *b
 	return bucket.Put([]byte(folder.Name), buf)
 }
 
+func (p *BoltProvider) removeRoleFromUser(username, role string, bucket *bolt.Bucket) error {
+	u := bucket.Get([]byte(username))
+	if u == nil {
+		providerLog(logger.LevelWarn, "user %q does not exist, cannot remove role %q", username, role)
+		return nil
+	}
+	var user User
+	err := json.Unmarshal(u, &user)
+	if err != nil {
+		return err
+	}
+	if user.Role == role {
+		user.Role = ""
+		buf, err := json.Marshal(user)
+		if err != nil {
+			return err
+		}
+		return bucket.Put([]byte(user.Username), buf)
+	}
+	providerLog(logger.LevelError, "user %q does not have the expected role %q, actual %q", username, role, user.Role)
+	return nil
+}
+
+func (p *BoltProvider) removeRoleFromAdmin(username, role string, bucket *bolt.Bucket) error {
+	a := bucket.Get([]byte(username))
+	if a == nil {
+		providerLog(logger.LevelWarn, "admin %q does not exist, cannot remove role %q", username, role)
+		return nil
+	}
+	var admin Admin
+	err := json.Unmarshal(a, &admin)
+	if err != nil {
+		return err
+	}
+	if admin.Role == role {
+		admin.Role = ""
+		buf, err := json.Marshal(admin)
+		if err != nil {
+			return err
+		}
+		return bucket.Put([]byte(admin.Username), buf)
+	}
+	providerLog(logger.LevelError, "admin %q does not have the expected role %q, actual %q", username, role, admin.Role)
+	return nil
+}
+
+func (p *BoltProvider) addAdminToRole(username, roleName string, bucket *bolt.Bucket) error {
+	if roleName == "" {
+		return nil
+	}
+	r := bucket.Get([]byte(roleName))
+	if r == nil {
+		return util.NewGenericError(fmt.Sprintf("role %q does not exist", roleName))
+	}
+	var role Role
+	err := json.Unmarshal(r, &role)
+	if err != nil {
+		return err
+	}
+	if !util.Contains(role.Admins, username) {
+		role.Admins = append(role.Admins, username)
+		buf, err := json.Marshal(role)
+		if err != nil {
+			return err
+		}
+		return bucket.Put([]byte(role.Name), buf)
+	}
+	return nil
+}
+
+func (p *BoltProvider) removeAdminFromRole(username, roleName string, bucket *bolt.Bucket) error {
+	if roleName == "" {
+		return nil
+	}
+	r := bucket.Get([]byte(roleName))
+	if r == nil {
+		providerLog(logger.LevelWarn, "role %q does not exist, cannot remove admin %q", roleName, username)
+		return nil
+	}
+	var role Role
+	err := json.Unmarshal(r, &role)
+	if err != nil {
+		return err
+	}
+	if util.Contains(role.Admins, username) {
+		var admins []string
+		for _, admin := range role.Admins {
+			if admin != username {
+				admins = append(admins, admin)
+			}
+		}
+		role.Admins = util.RemoveDuplicates(admins, false)
+		buf, err := json.Marshal(role)
+		if err != nil {
+			return err
+		}
+		return bucket.Put([]byte(role.Name), buf)
+	}
+	return nil
+}
+
+func (p *BoltProvider) addUserToRole(username, roleName string, bucket *bolt.Bucket) error {
+	if roleName == "" {
+		return nil
+	}
+	r := bucket.Get([]byte(roleName))
+	if r == nil {
+		return util.NewGenericError(fmt.Sprintf("role %q does not exist", roleName))
+	}
+	var role Role
+	err := json.Unmarshal(r, &role)
+	if err != nil {
+		return err
+	}
+	if !util.Contains(role.Users, username) {
+		role.Users = append(role.Users, username)
+		buf, err := json.Marshal(role)
+		if err != nil {
+			return err
+		}
+		return bucket.Put([]byte(role.Name), buf)
+	}
+	return nil
+}
+
+func (p *BoltProvider) removeUserFromRole(username, roleName string, bucket *bolt.Bucket) error {
+	if roleName == "" {
+		return nil
+	}
+	r := bucket.Get([]byte(roleName))
+	if r == nil {
+		providerLog(logger.LevelWarn, "role %q does not exist, cannot remove admin %q", roleName, username)
+		return nil
+	}
+	var role Role
+	err := json.Unmarshal(r, &role)
+	if err != nil {
+		return err
+	}
+	if util.Contains(role.Users, username) {
+		var users []string
+		for _, user := range role.Users {
+			if user != username {
+				users = append(users, user)
+			}
+		}
+		users = util.RemoveDuplicates(users, false)
+		role.Users = users
+		buf, err := json.Marshal(role)
+		if err != nil {
+			return err
+		}
+		return bucket.Put([]byte(role.Name), buf)
+	}
+	return nil
+}
+
 func (p *BoltProvider) addRuleToActionMapping(ruleName, actionName string, bucket *bolt.Bucket) error {
 	a := bucket.Get([]byte(actionName))
 	if a == nil {
@@ -3000,7 +3429,11 @@ func (p *BoltProvider) updateUserRelations(tx *bolt.Tx, user *User, oldUser User
 	if err != nil {
 		return err
 	}
-	groupBucket, err := p.getGroupsBucket(tx)
+	groupsBucket, err := p.getGroupsBucket(tx)
+	if err != nil {
+		return err
+	}
+	rolesBucket, err := p.getRolesBucket(tx)
 	if err != nil {
 		return err
 	}
@@ -3011,11 +3444,14 @@ func (p *BoltProvider) updateUserRelations(tx *bolt.Tx, user *User, oldUser User
 		}
 	}
 	for idx := range oldUser.Groups {
-		err = p.removeUserFromGroupMapping(user.Username, oldUser.Groups[idx].Name, groupBucket)
+		err = p.removeUserFromGroupMapping(user.Username, oldUser.Groups[idx].Name, groupsBucket)
 		if err != nil {
 			return err
 		}
 	}
+	if err = p.removeUserFromRole(oldUser.Username, oldUser.Role, rolesBucket); err != nil {
+		return err
+	}
 	for idx := range user.VirtualFolders {
 		err = p.addRelationToFolderMapping(&user.VirtualFolders[idx].BaseVirtualFolder, user, nil, foldersBucket)
 		if err != nil {
@@ -3023,12 +3459,12 @@ func (p *BoltProvider) updateUserRelations(tx *bolt.Tx, user *User, oldUser User
 		}
 	}
 	for idx := range user.Groups {
-		err = p.addUserToGroupMapping(user.Username, user.Groups[idx].Name, groupBucket)
+		err = p.addUserToGroupMapping(user.Username, user.Groups[idx].Name, groupsBucket)
 		if err != nil {
 			return err
 		}
 	}
-	return nil
+	return p.addUserToRole(user.Username, user.Role, rolesBucket)
 }
 
 func (p *BoltProvider) adminExistsInternal(tx *bolt.Tx, username string) error {
@@ -3163,6 +3599,15 @@ func (p *BoltProvider) getGroupsBucket(tx *bolt.Tx) (*bolt.Bucket, error) {
 	return bucket, err
 }
 
+func (p *BoltProvider) getRolesBucket(tx *bolt.Tx) (*bolt.Bucket, error) {
+	var err error
+	bucket := tx.Bucket(rolesBucket)
+	if bucket == nil {
+		err = fmt.Errorf("unable to find roles bucket, bolt database structure not correcly defined")
+	}
+	return bucket, err
+}
+
 func (p *BoltProvider) getFoldersBucket(tx *bolt.Tx) (*bolt.Bucket, error) {
 	var err error
 	bucket := tx.Bucket(foldersBucket)
@@ -3209,7 +3654,7 @@ func getBoltDatabaseVersion(dbHandle *bolt.DB) (schemaVersion, error) {
 	return dbVersion, err
 }
 
-/*func updateBoltDatabaseVersion(dbHandle *bolt.DB, version int) error {
+func updateBoltDatabaseVersion(dbHandle *bolt.DB, version int) error {
 	err := dbHandle.Update(func(tx *bolt.Tx) error {
 		bucket := tx.Bucket(dbVersionBucket)
 		if bucket == nil {
@@ -3225,4 +3670,4 @@ func getBoltDatabaseVersion(dbHandle *bolt.DB) (schemaVersion, error) {
 		return bucket.Put(dbVersionKey, buf)
 	})
 	return err
-}*/
+}

internal/dataprovider/dataprovider.go

@@ -87,7 +87,7 @@ const (
 	CockroachDataProviderName = "cockroachdb"
 	// DumpVersion defines the version for the dump.
 	// For restore/load we support the current version and the previous one
-	DumpVersion = 13
+	DumpVersion = 14
 
 	argonPwdPrefix            = "$argon2id$"
 	bcryptPwdPrefix           = "$2a$"
@@ -190,6 +190,7 @@ var (
 	sqlTableRulesActionsMapping  string
 	sqlTableTasks                string
 	sqlTableNodes                string
+	sqlTableRoles                string
 	sqlTableSchemaVersion        string
 	argon2Params                 *argon2id.Params
 	lastLoginMinDelay            = 10 * time.Minute
@@ -221,6 +222,7 @@ func initSQLTables() {
 	sqlTableRulesActionsMapping = "rules_actions_mapping"
 	sqlTableTasks = "tasks"
 	sqlTableNodes = "nodes"
+	sqlTableRoles = "roles"
 	sqlTableSchemaVersion = "schema_version"
 }
 
@@ -660,6 +662,7 @@ type BackupData struct {
 	Shares       []Share                 `json:"shares"`
 	EventActions []BaseEventAction       `json:"event_actions"`
 	EventRules   []EventRule             `json:"event_rules"`
+	Roles        []Role                  `json:"roles"`
 	Version      int                     `json:"version"`
 }
 
@@ -706,12 +709,12 @@ type Provider interface {
 	updateQuota(username string, filesAdd int, sizeAdd int64, reset bool) error
 	updateTransferQuota(username string, uploadSize, downloadSize int64, reset bool) error
 	getUsedQuota(username string) (int, int64, int64, int64, error)
-	userExists(username string) (User, error)
+	userExists(username, role string) (User, error)
 	addUser(user *User) error
 	updateUser(user *User) error
 	deleteUser(user User, softDelete bool) error
 	updateUserPassword(username, password string) error
-	getUsers(limit int, offset int, order string) ([]User, error)
+	getUsers(limit int, offset int, order, role string) ([]User, error)
 	dumpUsers() ([]User, error)
 	getRecentlyUpdatedUsers(after int64) ([]User, error)
 	getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error)
@@ -796,6 +799,12 @@ type Provider interface {
 	getNodes() ([]Node, error)
 	updateNodeTimestamp() error
 	cleanupNodes() error
+	roleExists(name string) (Role, error)
+	addRole(role *Role) error
+	updateRole(role *Role) error
+	deleteRole(role Role) error
+	getRoles(limit int, offset int, order string, minimal bool) ([]Role, error)
+	dumpRoles() ([]Role, error)
 	checkAvailability() error
 	close() error
 	reloadConfig() error
@@ -974,16 +983,17 @@ func validateSQLTablesPrefix() error {
 		sqlTableRulesActionsMapping = config.SQLTablesPrefix + sqlTableRulesActionsMapping
 		sqlTableTasks = config.SQLTablesPrefix + sqlTableTasks
 		sqlTableNodes = config.SQLTablesPrefix + sqlTableNodes
+		sqlTableRoles = config.SQLTablesPrefix + sqlTableRoles
 		sqlTableSchemaVersion = config.SQLTablesPrefix + sqlTableSchemaVersion
 		providerLog(logger.LevelDebug, "sql table for users %q, folders %q users folders mapping %q admins %q "+
 			"api keys %q shares %q defender hosts %q defender events %q transfers %q  groups %q "+
 			"users groups mapping %q admins groups mapping %q groups folders mapping %q shared sessions %q "+
-			"schema version %q events actions %q events rules %q rules actions mapping %q tasks %q nodes %q",
+			"schema version %q events actions %q events rules %q rules actions mapping %q tasks %q nodes %q roles %q",
 			sqlTableUsers, sqlTableFolders, sqlTableUsersFoldersMapping, sqlTableAdmins, sqlTableAPIKeys,
 			sqlTableShares, sqlTableDefenderHosts, sqlTableDefenderEvents, sqlTableActiveTransfers, sqlTableGroups,
 			sqlTableUsersGroupsMapping, sqlTableAdminsGroupsMapping, sqlTableGroupsFoldersMapping, sqlTableSharedSessions,
 			sqlTableSchemaVersion, sqlTableEventsActions, sqlTableEventsRules, sqlTableRulesActionsMapping,
-			sqlTableTasks, sqlTableNodes)
+			sqlTableTasks, sqlTableNodes, sqlTableRoles)
 	}
 	return nil
 }
@@ -1158,7 +1168,7 @@ func CheckUserBeforeTLSAuth(username, ip, protocol string, tlsCert *x509.Certifi
 		err = user.LoadAndApplyGroupSettings()
 		return user, err
 	}
-	user, err := UserExists(username)
+	user, err := UserExists(username, "")
 	if err != nil {
 		return user, err
 	}
@@ -1261,7 +1271,7 @@ func CheckKeyboardInteractiveAuth(username, authHook string, client ssh.Keyboard
 	} else if config.PreLoginHook != "" {
 		user, err = executePreLoginHook(username, SSHLoginMethodKeyboardInteractive, ip, protocol, nil)
 	} else {
-		user, err = provider.userExists(username)
+		user, err = provider.userExists(username, "")
 	}
 	if err != nil {
 		return user, err
@@ -1279,7 +1289,7 @@ func GetFTPPreAuthUser(username, ip string) (User, error) {
 	if config.PreLoginHook != "" {
 		user, err = executePreLoginHook(username, "", ip, protocolFTP, nil)
 	} else {
-		user, err = UserExists(username)
+		user, err = UserExists(username, "")
 	}
 	if err != nil {
 		return user, err
@@ -1298,7 +1308,7 @@ func GetUserAfterIDPAuth(username, ip, protocol string, oidcTokenFields *map[str
 	if config.PreLoginHook != "" {
 		user, err = executePreLoginHook(username, LoginMethodIDP, ip, protocol, oidcTokenFields)
 	} else {
-		user, err = UserExists(username)
+		user, err = UserExists(username, "")
 	}
 	if err != nil {
 		return user, err
@@ -1532,6 +1542,57 @@ func ShareExists(shareID, username string) (Share, error) {
 	return provider.shareExists(shareID, username)
 }
 
+// AddRole adds a new role
+func AddRole(role *Role, executor, ipAddress string) error {
+	role.Name = config.convertName(role.Name)
+	err := provider.addRole(role)
+	if err == nil {
+		executeAction(operationAdd, executor, ipAddress, actionObjectRole, role.Name, role)
+	}
+	return err
+}
+
+// UpdateRole updates an existing Role
+func UpdateRole(role *Role, executor, ipAddress string) error {
+	err := provider.updateRole(role)
+	if err == nil {
+		executeAction(operationUpdate, executor, ipAddress, actionObjectRole, role.Name, role)
+	}
+	return err
+}
+
+// DeleteRole deletes an existing Role
+func DeleteRole(name string, executor, ipAddress string) error {
+	name = config.convertName(name)
+	role, err := provider.roleExists(name)
+	if err != nil {
+		return err
+	}
+	if len(role.Admins) > 0 {
+		errorString := fmt.Sprintf("the role %q is referenced, it cannot be removed", role.Name)
+		return util.NewValidationError(errorString)
+	}
+	err = provider.deleteRole(role)
+	if err == nil {
+		executeAction(operationDelete, executor, ipAddress, actionObjectRole, role.Name, &role)
+		for _, user := range role.Users {
+			provider.setUpdatedAt(user)
+			u, err := provider.userExists(user, "")
+			if err == nil {
+				webDAVUsersCache.swap(&u)
+				executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, &u)
+			}
+		}
+	}
+	return err
+}
+
+// RoleExists returns the Role with the given name if it exists
+func RoleExists(name string) (Role, error) {
+	name = config.convertName(name)
+	return provider.roleExists(name)
+}
+
 // AddGroup adds a new group
 func AddGroup(group *Group, executor, ipAddress string) error {
 	group.Name = config.convertName(group.Name)
@@ -1548,7 +1609,7 @@ func UpdateGroup(group *Group, users []string, executor, ipAddress string) error
 	if err == nil {
 		for _, user := range users {
 			provider.setUpdatedAt(user)
-			u, err := provider.userExists(user)
+			u, err := provider.userExists(user, "")
 			if err == nil {
 				webDAVUsersCache.swap(&u)
 				executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, &u)
@@ -1569,14 +1630,14 @@ func DeleteGroup(name string, executor, ipAddress string) error {
 		return err
 	}
 	if len(group.Users) > 0 {
-		errorString := fmt.Sprintf("the group %#v is referenced, it cannot be removed", group.Name)
+		errorString := fmt.Sprintf("the group %q is referenced, it cannot be removed", group.Name)
 		return util.NewValidationError(errorString)
 	}
 	err = provider.deleteGroup(group)
 	if err == nil {
 		for _, user := range group.Users {
 			provider.setUpdatedAt(user)
-			u, err := provider.userExists(user)
+			u, err := provider.userExists(user, "")
 			if err == nil {
 				executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, &u)
 			}
@@ -1840,16 +1901,16 @@ func AdminExists(username string) (Admin, error) {
 }
 
 // UserExists checks if the given SFTPGo username exists, returns an error if no match is found
-func UserExists(username string) (User, error) {
+func UserExists(username, role string) (User, error) {
 	username = config.convertName(username)
-	return provider.userExists(username)
+	return provider.userExists(username, role)
 }
 
 // GetUserWithGroupSettings tries to return the user with the specified username
 // loading also the group settings
-func GetUserWithGroupSettings(username string) (User, error) {
+func GetUserWithGroupSettings(username, role string) (User, error) {
 	username = config.convertName(username)
-	user, err := provider.userExists(username)
+	user, err := provider.userExists(username, role)
 	if err != nil {
 		return user, err
 	}
@@ -1859,9 +1920,9 @@ func GetUserWithGroupSettings(username string) (User, error) {
 
 // GetUserVariants tries to return the user with the specified username with and without
 // group settings applied
-func GetUserVariants(username string) (User, User, error) {
+func GetUserVariants(username, role string) (User, User, error) {
 	username = config.convertName(username)
-	user, err := provider.userExists(username)
+	user, err := provider.userExists(username, role)
 	if err != nil {
 		return user, User{}, err
 	}
@@ -1872,10 +1933,6 @@ func GetUserVariants(username string) (User, User, error) {
 
 // AddUser adds a new SFTPGo user.
 func AddUser(user *User, executor, ipAddress string) error {
-	user.Filters.RecoveryCodes = nil
-	user.Filters.TOTPConfig = UserTOTPConfig{
-		Enabled: false,
-	}
 	user.Username = config.convertName(user.Username)
 	err := provider.addUser(user)
 	if err == nil {
@@ -1914,9 +1971,9 @@ func UpdateUser(user *User, executor, ipAddress string) error {
 }
 
 // DeleteUser deletes an existing SFTPGo user.
-func DeleteUser(username, executor, ipAddress string) error {
+func DeleteUser(username, executor, ipAddress, role string) error {
 	username = config.convertName(username)
-	user, err := provider.userExists(username)
+	user, err := provider.userExists(username, role)
 	if err != nil {
 		return err
 	}
@@ -2028,14 +2085,19 @@ func GetAdmins(limit, offset int, order string) ([]Admin, error) {
 	return provider.getAdmins(limit, offset, order)
 }
 
+// GetRoles returns an array of roles respecting limit and offset
+func GetRoles(limit, offset int, order string, minimal bool) ([]Role, error) {
+	return provider.getRoles(limit, offset, order, minimal)
+}
+
 // GetGroups returns an array of groups respecting limit and offset
 func GetGroups(limit, offset int, order string, minimal bool) ([]Group, error) {
 	return provider.getGroups(limit, offset, order, minimal)
 }
 
 // GetUsers returns an array of users respecting limit and offset
-func GetUsers(limit, offset int, order string) ([]User, error) {
-	return provider.getUsers(limit, offset, order)
+func GetUsers(limit, offset int, order, role string) ([]User, error) {
+	return provider.getUsers(limit, offset, order, role)
 }
 
 // GetUsersForQuotaCheck returns the users with the fields required for a quota check
@@ -2067,7 +2129,7 @@ func UpdateFolder(folder *vfs.BaseVirtualFolder, users []string, groups []string
 		}
 		for _, user := range users {
 			provider.setUpdatedAt(user)
-			u, err := provider.userExists(user)
+			u, err := provider.userExists(user, "")
 			if err == nil {
 				webDAVUsersCache.swap(&u)
 				executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, &u)
@@ -2099,7 +2161,7 @@ func DeleteFolder(folderName, executor, ipAddress string) error {
 		}
 		for _, user := range users {
 			provider.setUpdatedAt(user)
-			u, err := provider.userExists(user)
+			u, err := provider.userExists(user, "")
 			if err == nil {
 				executeAction(operationUpdate, executor, ipAddress, actionObjectUser, u.Username, &u)
 			}
@@ -2166,6 +2228,10 @@ func DumpData() (BackupData, error) {
 	if err != nil {
 		return data, err
 	}
+	roles, err := provider.dumpRoles()
+	if err != nil {
+		return data, err
+	}
 	data.Users = users
 	data.Groups = groups
 	data.Folders = folders
@@ -2174,6 +2240,7 @@ func DumpData() (BackupData, error) {
 	data.Shares = shares
 	data.EventActions = actions
 	data.EventRules = rules
+	data.Roles = roles
 	data.Version = DumpVersion
 	return data, err
 }
@@ -2749,7 +2816,7 @@ func validateBaseParams(user *User) error {
 		return util.NewValidationError(fmt.Sprintf("email %#v is not valid", user.Email))
 	}
 	if config.NamingRules&1 == 0 && !usernameRegex.MatchString(user.Username) {
-		return util.NewValidationError(fmt.Sprintf("username %#v is not valid, the following characters are allowed: a-zA-Z0-9-_.~",
+		return util.NewValidationError(fmt.Sprintf("username %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~",
 			user.Username))
 	}
 	if user.hasRedactedSecret() {
@@ -2821,7 +2888,7 @@ func ValidateFolder(folder *vfs.BaseVirtualFolder) error {
 		return util.NewValidationError("folder name is mandatory")
 	}
 	if config.NamingRules&1 == 0 && !usernameRegex.MatchString(folder.Name) {
-		return util.NewValidationError(fmt.Sprintf("folder name %#v is not valid, the following characters are allowed: a-zA-Z0-9-_.~",
+		return util.NewValidationError(fmt.Sprintf("folder name %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~",
 			folder.Name))
 	}
 	if folder.FsConfig.Provider == sdk.LocalFilesystemProvider || folder.FsConfig.Provider == sdk.CryptedFilesystemProvider ||
@@ -3671,7 +3738,7 @@ func executePreLoginHook(username, loginMethod, ip, protocol string, oidcTokenFi
 	}
 	providerLog(logger.LevelDebug, "user %#v added/updated from pre-login hook response, id: %v", username, userID)
 	if userID == 0 {
-		return provider.userExists(username)
+		return provider.userExists(username, "")
 	}
 	return u, nil
 }
@@ -3875,7 +3942,7 @@ func doExternalAuth(username, password string, pubKey []byte, keyboardInteractiv
 	// returns "user" in both cases, so we use the username returned from
 	// external auth and not the one used to login
 	if user.Username != username {
-		u, err = provider.userExists(user.Username)
+		u, err = provider.userExists(user.Username, "")
 	}
 	if u.ID > 0 && err == nil {
 		user.ID = u.ID
@@ -3903,7 +3970,7 @@ func doExternalAuth(username, password string, pubKey []byte, keyboardInteractiv
 	if err != nil {
 		return user, err
 	}
-	return provider.userExists(user.Username)
+	return provider.userExists(user.Username, "")
 }
 
 func doPluginAuth(username, password string, pubKey []byte, ip, protocol string,
@@ -3975,11 +4042,11 @@ func doPluginAuth(username, password string, pubKey []byte, ip, protocol string,
 	if err != nil {
 		return user, err
 	}
-	return provider.userExists(user.Username)
+	return provider.userExists(user.Username, "")
 }
 
 func getUserForHook(username string, oidcTokenFields *map[string]any) (User, User, error) {
-	u, err := provider.userExists(username)
+	u, err := provider.userExists(username, "")
 	if err != nil {
 		if _, ok := err.(*util.RecordNotFoundError); !ok {
 			return u, u, err

internal/dataprovider/group.go

@@ -138,7 +138,7 @@ func (g *Group) validate() error {
 		return util.NewValidationError("name is mandatory")
 	}
 	if config.NamingRules&1 == 0 && !usernameRegex.MatchString(g.Name) {
-		return util.NewValidationError(fmt.Sprintf("name %#v is not valid, the following characters are allowed: a-zA-Z0-9-_.~", g.Name))
+		return util.NewValidationError(fmt.Sprintf("name %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~", g.Name))
 	}
 	if g.hasRedactedSecret() {
 		return util.NewValidationError("cannot save a user with a redacted secret")

internal/dataprovider/memory.go

@@ -70,6 +70,10 @@ type memoryProviderHandle struct {
 	rules map[string]EventRule
 	// slice with ordered rules
 	rulesNames []string
+	// map for roles, name is the key
+	roles map[string]Role
+	// slice with ordered roles
+	roleNames []string
 }
 
 // MemoryProvider defines the auth provider for a memory store
@@ -104,6 +108,8 @@ func initializeMemoryProvider(basePath string) {
 			actionsNames:    []string{},
 			rules:           make(map[string]EventRule),
 			rulesNames:      []string{},
+			roles:           map[string]Role{},
+			roleNames:       []string{},
 			configFile:      configFile,
 		},
 	}
@@ -137,7 +143,7 @@ func (p *MemoryProvider) validateUserAndTLSCert(username, protocol string, tlsCe
 	if tlsCert == nil {
 		return user, errors.New("TLS certificate cannot be null or empty")
 	}
-	user, err := p.userExists(username)
+	user, err := p.userExists(username, "")
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
 		return user, err
@@ -146,7 +152,7 @@ func (p *MemoryProvider) validateUserAndTLSCert(username, protocol string, tlsCe
 }
 
 func (p *MemoryProvider) validateUserAndPass(username, password, ip, protocol string) (User, error) {
-	user, err := p.userExists(username)
+	user, err := p.userExists(username, "")
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
 		return user, err
@@ -159,7 +165,7 @@ func (p *MemoryProvider) validateUserAndPubKey(username string, pubKey []byte, i
 	if len(pubKey) == 0 {
 		return user, "", errors.New("credentials cannot be null or empty")
 	}
-	user, err := p.userExists(username)
+	user, err := p.userExists(username, "")
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
 		return user, "", err
@@ -317,7 +323,7 @@ func (p *MemoryProvider) addUser(user *User) error {
 
 	_, err = p.userExistsInternal(user.Username)
 	if err == nil {
-		return fmt.Errorf("username %#v already exists", user.Username)
+		return fmt.Errorf("username %q already exists", user.Username)
 	}
 	user.ID = p.getNextID()
 	user.LastQuotaUpdate = 0
@@ -330,6 +336,9 @@ func (p *MemoryProvider) addUser(user *User) error {
 	user.FirstDownload = 0
 	user.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
 	user.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
+	if err := p.addUserToRole(user.Username, user.Role); err != nil {
+		return err
+	}
 	var mappedGroups []string
 	for idx := range user.Groups {
 		if err = p.addUserToGroupMapping(user.Username, user.Groups[idx].Name); err != nil {
@@ -366,6 +375,15 @@ func (p *MemoryProvider) updateUser(user *User) error {
 	if err != nil {
 		return err
 	}
+	p.removeUserFromRole(u.Username, u.Role)
+	if err := p.addUserToRole(user.Username, user.Role); err != nil {
+		// try ro add old role
+		if errRollback := p.addUserToRole(u.Username, u.Role); errRollback != nil {
+			providerLog(logger.LevelError, "unable to rollback old role %q for user %q, error: %v",
+				u.Role, u.Username, errRollback)
+		}
+		return err
+	}
 	for idx := range u.Groups {
 		p.removeUserFromGroupMapping(u.Username, u.Groups[idx].Name)
 	}
@@ -412,6 +430,7 @@ func (p *MemoryProvider) deleteUser(user User, softDelete bool) error {
 	if err != nil {
 		return err
 	}
+	p.removeUserFromRole(u.Username, u.Role)
 	for _, oldFolder := range u.VirtualFolders {
 		p.removeRelationFromFolderMapping(oldFolder.Name, u.Username, "")
 	}
@@ -546,7 +565,7 @@ func (p *MemoryProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User,
 	return users, nil
 }
 
-func (p *MemoryProvider) getUsers(limit int, offset int, order string) ([]User, error) {
+func (p *MemoryProvider) getUsers(limit int, offset int, order, role string) ([]User, error) {
 	users := make([]User, 0, limit)
 	var err error
 	p.dbHandle.Lock()
@@ -566,6 +585,9 @@ func (p *MemoryProvider) getUsers(limit int, offset int, order string) ([]User,
 			}
 			u := p.dbHandle.users[username]
 			user := u.getACopy()
+			if !user.hasRole(role) {
+				continue
+			}
 			p.addVirtualFoldersToUser(&user)
 			user.PrepareForRendering()
 			users = append(users, user)
@@ -582,6 +604,9 @@ func (p *MemoryProvider) getUsers(limit int, offset int, order string) ([]User,
 			username := p.dbHandle.usernames[i]
 			u := p.dbHandle.users[username]
 			user := u.getACopy()
+			if !user.hasRole(role) {
+				continue
+			}
 			p.addVirtualFoldersToUser(&user)
 			user.PrepareForRendering()
 			users = append(users, user)
@@ -593,7 +618,7 @@ func (p *MemoryProvider) getUsers(limit int, offset int, order string) ([]User,
 	return users, err
 }
 
-func (p *MemoryProvider) userExists(username string) (User, error) {
+func (p *MemoryProvider) userExists(username, role string) (User, error) {
 	p.dbHandle.Lock()
 	defer p.dbHandle.Unlock()
 	if p.dbHandle.isClosed {
@@ -603,6 +628,9 @@ func (p *MemoryProvider) userExists(username string) (User, error) {
 	if err != nil {
 		return user, err
 	}
+	if !user.hasRole(role) {
+		return User{}, util.NewRecordNotFoundError(fmt.Sprintf("username %q does not exist", username))
+	}
 	p.addVirtualFoldersToUser(&user)
 	return user, nil
 }
@@ -635,6 +663,13 @@ func (p *MemoryProvider) ruleExistsInternal(name string) (EventRule, error) {
 	return EventRule{}, util.NewRecordNotFoundError(fmt.Sprintf("event rule %q does not exist", name))
 }
 
+func (p *MemoryProvider) roleExistsInternal(name string) (Role, error) {
+	if val, ok := p.dbHandle.roles[name]; ok {
+		return val.getACopy(), nil
+	}
+	return Role{}, util.NewRecordNotFoundError(fmt.Sprintf("role %q does not exist", name))
+}
+
 func (p *MemoryProvider) addAdmin(admin *Admin) error {
 	p.dbHandle.Lock()
 	defer p.dbHandle.Unlock()
@@ -653,6 +688,9 @@ func (p *MemoryProvider) addAdmin(admin *Admin) error {
 	admin.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
 	admin.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
 	admin.LastLogin = 0
+	if err := p.addAdminToRole(admin.Username, admin.Role); err != nil {
+		return err
+	}
 	var mappedAdmins []string
 	for idx := range admin.Groups {
 		if err = p.addAdminToGroupMapping(admin.Username, admin.Groups[idx].Name); err != nil {
@@ -684,6 +722,15 @@ func (p *MemoryProvider) updateAdmin(admin *Admin) error {
 	if err != nil {
 		return err
 	}
+	p.removeAdminFromRole(a.Username, a.Role)
+	if err := p.addAdminToRole(admin.Username, admin.Role); err != nil {
+		// try ro add old role
+		if errRollback := p.addAdminToRole(a.Username, a.Role); errRollback != nil {
+			providerLog(logger.LevelError, "unable to rollback old role %q for admin %q, error: %v",
+				a.Role, a.Username, errRollback)
+		}
+		return err
+	}
 	for idx := range a.Groups {
 		p.removeAdminFromGroupMapping(a.Username, a.Groups[idx].Name)
 	}
@@ -717,6 +764,7 @@ func (p *MemoryProvider) deleteAdmin(admin Admin) error {
 	if err != nil {
 		return err
 	}
+	p.removeAdminFromRole(a.Username, a.Role)
 	for idx := range a.Groups {
 		p.removeAdminFromGroupMapping(a.Username, a.Groups[idx].Name)
 	}
@@ -1183,6 +1231,74 @@ func (p *MemoryProvider) removeUserFromGroupMapping(username, groupname string)
 	p.dbHandle.groups[groupname] = g
 }
 
+func (p *MemoryProvider) addAdminToRole(username, role string) error {
+	if role == "" {
+		return nil
+	}
+	r, err := p.roleExistsInternal(role)
+	if err != nil {
+		return util.NewGenericError(fmt.Sprintf("role %q does not exist", role))
+	}
+	if !util.Contains(r.Admins, username) {
+		r.Admins = append(r.Admins, username)
+		p.dbHandle.roles[role] = r
+	}
+	return nil
+}
+
+func (p *MemoryProvider) removeAdminFromRole(username, role string) {
+	if role == "" {
+		return
+	}
+	r, err := p.roleExistsInternal(role)
+	if err != nil {
+		providerLog(logger.LevelWarn, "role %q does not exist, cannot remove admin %q", role, username)
+		return
+	}
+	var admins []string
+	for _, a := range r.Admins {
+		if a != username {
+			admins = append(admins, a)
+		}
+	}
+	r.Admins = admins
+	p.dbHandle.roles[role] = r
+}
+
+func (p *MemoryProvider) addUserToRole(username, role string) error {
+	if role == "" {
+		return nil
+	}
+	r, err := p.roleExistsInternal(role)
+	if err != nil {
+		return util.NewGenericError(fmt.Sprintf("role %q does not exist", role))
+	}
+	if !util.Contains(r.Users, username) {
+		r.Users = append(r.Users, username)
+		p.dbHandle.roles[role] = r
+	}
+	return nil
+}
+
+func (p *MemoryProvider) removeUserFromRole(username, role string) {
+	if role == "" {
+		return
+	}
+	r, err := p.roleExistsInternal(role)
+	if err != nil {
+		providerLog(logger.LevelWarn, "role %q does not exist, cannot remove user %q", role, username)
+		return
+	}
+	var users []string
+	for _, u := range r.Users {
+		if u != username {
+			users = append(users, u)
+		}
+	}
+	r.Users = users
+	p.dbHandle.roles[role] = r
+}
+
 func (p *MemoryProvider) joinUserVirtualFoldersFields(user *User) []vfs.VirtualFolder {
 	var folders []vfs.VirtualFolder
 	for idx := range user.VirtualFolders {
@@ -1714,7 +1830,7 @@ func (p *MemoryProvider) addShare(share *Share) error {
 
 	_, err = p.shareExistsInternal(share.ShareID, share.Username)
 	if err == nil {
-		return fmt.Errorf("share %#v already exists", share.ShareID)
+		return fmt.Errorf("share %q already exists", share.ShareID)
 	}
 	if _, err := p.userExistsInternal(share.Username); err != nil {
 		return util.NewValidationError(fmt.Sprintf("related user %#v does not exists", share.Username))
@@ -1753,7 +1869,7 @@ func (p *MemoryProvider) updateShare(share *Share) error {
 		return err
 	}
 	if _, err := p.userExistsInternal(share.Username); err != nil {
-		return util.NewValidationError(fmt.Sprintf("related user %#v does not exists", share.Username))
+		return util.NewValidationError(fmt.Sprintf("related user %q does not exists", share.Username))
 	}
 	share.ID = s.ID
 	share.ShareID = s.ShareID
@@ -2322,6 +2438,158 @@ func (*MemoryProvider) cleanupNodes() error {
 	return ErrNotImplemented
 }
 
+func (p *MemoryProvider) roleExists(name string) (Role, error) {
+	p.dbHandle.Lock()
+	defer p.dbHandle.Unlock()
+	if p.dbHandle.isClosed {
+		return Role{}, errMemoryProviderClosed
+	}
+	role, err := p.roleExistsInternal(name)
+	if err != nil {
+		return role, err
+	}
+	return role, nil
+}
+
+func (p *MemoryProvider) addRole(role *Role) error {
+	if err := role.validate(); err != nil {
+		return err
+	}
+	p.dbHandle.Lock()
+	defer p.dbHandle.Unlock()
+	if p.dbHandle.isClosed {
+		return errMemoryProviderClosed
+	}
+
+	_, err := p.roleExistsInternal(role.Name)
+	if err == nil {
+		return fmt.Errorf("role %q already exists", role.Name)
+	}
+	role.ID = p.getNextRoleID()
+	role.CreatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
+	role.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
+	role.Users = nil
+	role.Admins = nil
+	p.dbHandle.roles[role.Name] = role.getACopy()
+	p.dbHandle.roleNames = append(p.dbHandle.roleNames, role.Name)
+	sort.Strings(p.dbHandle.roleNames)
+	return nil
+}
+
+func (p *MemoryProvider) updateRole(role *Role) error {
+	if err := role.validate(); err != nil {
+		return err
+	}
+	p.dbHandle.Lock()
+	defer p.dbHandle.Unlock()
+	if p.dbHandle.isClosed {
+		return errMemoryProviderClosed
+	}
+	oldRole, err := p.roleExistsInternal(role.Name)
+	if err != nil {
+		return err
+	}
+	role.ID = oldRole.ID
+	role.CreatedAt = oldRole.CreatedAt
+	role.UpdatedAt = util.GetTimeAsMsSinceEpoch(time.Now())
+	role.Users = oldRole.Users
+	role.Admins = oldRole.Admins
+	p.dbHandle.roles[role.Name] = role.getACopy()
+	return nil
+}
+
+func (p *MemoryProvider) deleteRole(role Role) error {
+	p.dbHandle.Lock()
+	defer p.dbHandle.Unlock()
+	if p.dbHandle.isClosed {
+		return errMemoryProviderClosed
+	}
+	oldRole, err := p.roleExistsInternal(role.Name)
+	if err != nil {
+		return err
+	}
+	if len(oldRole.Admins) > 0 {
+		return util.NewValidationError(fmt.Sprintf("the role %q is referenced, it cannot be removed", oldRole.Name))
+	}
+	for _, username := range oldRole.Users {
+		user, err := p.userExistsInternal(username)
+		if err != nil {
+			continue
+		}
+		if user.Role == role.Name {
+			user.Role = ""
+			p.dbHandle.users[username] = user
+		} else {
+			providerLog(logger.LevelError, "user %q does not have the expected role %q, actual %q", username, role.Name, user.Role)
+		}
+	}
+	delete(p.dbHandle.roles, role.Name)
+	p.dbHandle.roleNames = make([]string, 0, len(p.dbHandle.roles))
+	for name := range p.dbHandle.roles {
+		p.dbHandle.roleNames = append(p.dbHandle.roleNames, name)
+	}
+	sort.Strings(p.dbHandle.roleNames)
+	return nil
+}
+
+func (p *MemoryProvider) getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) {
+	p.dbHandle.Lock()
+	defer p.dbHandle.Unlock()
+
+	if p.dbHandle.isClosed {
+		return nil, errMemoryProviderClosed
+	}
+	if limit <= 0 {
+		return nil, nil
+	}
+	roles := make([]Role, 0, 10)
+	itNum := 0
+	if order == OrderASC {
+		for _, name := range p.dbHandle.roleNames {
+			itNum++
+			if itNum <= offset {
+				continue
+			}
+			r := p.dbHandle.roles[name]
+			role := r.getACopy()
+			roles = append(roles, role)
+			if len(roles) >= limit {
+				break
+			}
+		}
+	} else {
+		for i := len(p.dbHandle.roleNames) - 1; i >= 0; i-- {
+			itNum++
+			if itNum <= offset {
+				continue
+			}
+			name := p.dbHandle.roleNames[i]
+			r := p.dbHandle.roles[name]
+			role := r.getACopy()
+			roles = append(roles, role)
+			if len(roles) >= limit {
+				break
+			}
+		}
+	}
+	return roles, nil
+}
+
+func (p *MemoryProvider) dumpRoles() ([]Role, error) {
+	p.dbHandle.Lock()
+	defer p.dbHandle.Unlock()
+	if p.dbHandle.isClosed {
+		return nil, errMemoryProviderClosed
+	}
+
+	roles := make([]Role, 0, len(p.dbHandle.roles))
+	for _, name := range p.dbHandle.roleNames {
+		r := p.dbHandle.roles[name]
+		roles = append(roles, r.getACopy())
+	}
+	return roles, nil
+}
+
 func (p *MemoryProvider) setFirstDownloadTimestamp(username string) error {
 	p.dbHandle.Lock()
 	defer p.dbHandle.Unlock()
@@ -2333,7 +2601,7 @@ func (p *MemoryProvider) setFirstDownloadTimestamp(username string) error {
 		return err
 	}
 	if user.FirstDownload > 0 {
-		return util.NewGenericError(fmt.Sprintf("first download already set to %v",
+		return util.NewGenericError(fmt.Sprintf("first download already set to %s",
 			util.GetTimeFromMsecSinceEpoch(user.FirstDownload)))
 	}
 	user.FirstDownload = util.GetTimeAsMsSinceEpoch(time.Now())
@@ -2352,7 +2620,7 @@ func (p *MemoryProvider) setFirstUploadTimestamp(username string) error {
 		return err
 	}
 	if user.FirstUpload > 0 {
-		return util.NewGenericError(fmt.Sprintf("first upload already set to %v",
+		return util.NewGenericError(fmt.Sprintf("first upload already set to %s",
 			util.GetTimeFromMsecSinceEpoch(user.FirstUpload)))
 	}
 	user.FirstUpload = util.GetTimeAsMsSinceEpoch(time.Now())
@@ -2420,11 +2688,24 @@ func (p *MemoryProvider) getNextRuleID() int64 {
 	return nextID
 }
 
+func (p *MemoryProvider) getNextRoleID() int64 {
+	nextID := int64(1)
+	for _, r := range p.dbHandle.roles {
+		if r.ID >= nextID {
+			nextID = r.ID + 1
+		}
+	}
+	return nextID
+}
+
 func (p *MemoryProvider) clear() {
 	p.dbHandle.Lock()
 	defer p.dbHandle.Unlock()
+
 	p.dbHandle.usernames = []string{}
 	p.dbHandle.users = make(map[string]User)
+	p.dbHandle.groupnames = []string{}
+	p.dbHandle.groups = map[string]Group{}
 	p.dbHandle.vfoldersNames = []string{}
 	p.dbHandle.vfolders = make(map[string]vfs.BaseVirtualFolder)
 	p.dbHandle.admins = make(map[string]Admin)
@@ -2433,6 +2714,12 @@ func (p *MemoryProvider) clear() {
 	p.dbHandle.apiKeysIDs = []string{}
 	p.dbHandle.shares = make(map[string]Share)
 	p.dbHandle.sharesIDs = []string{}
+	p.dbHandle.actions = map[string]BaseEventAction{}
+	p.dbHandle.actionsNames = []string{}
+	p.dbHandle.rules = map[string]EventRule{}
+	p.dbHandle.rulesNames = []string{}
+	p.dbHandle.roles = map[string]Role{}
+	p.dbHandle.roleNames = []string{}
 }
 
 func (p *MemoryProvider) reloadConfig() error {
@@ -2466,8 +2753,16 @@ func (p *MemoryProvider) reloadConfig() error {
 		providerLog(logger.LevelError, "error loading dump: %v", err)
 		return err
 	}
+	return p.restoreDump(dump)
+}
+
+func (p *MemoryProvider) restoreDump(dump BackupData) error {
 	p.clear()
 
+	if err := p.restoreRoles(dump); err != nil {
+		return err
+	}
+
 	if err := p.restoreFolders(dump); err != nil {
 		return err
 	}
@@ -2619,6 +2914,31 @@ func (p *MemoryProvider) restoreAdmins(dump BackupData) error {
 	return nil
 }
 
+func (p *MemoryProvider) restoreRoles(dump BackupData) error {
+	for _, role := range dump.Roles {
+		role := role // pin
+		role.Name = config.convertName(role.Name)
+		r, err := p.roleExists(role.Name)
+		if err == nil {
+			role.ID = r.ID
+			err = UpdateRole(&role, ActionExecutorSystem, "")
+			if err != nil {
+				providerLog(logger.LevelError, "error updating role %q: %v", role.Name, err)
+				return err
+			}
+		} else {
+			role.Admins = nil
+			role.Users = nil
+			err = AddRole(&role, ActionExecutorSystem, "")
+			if err != nil {
+				providerLog(logger.LevelError, "error adding role %q: %v", role.Name, err)
+				return err
+			}
+		}
+	}
+	return nil
+}
+
 func (p *MemoryProvider) restoreGroups(dump BackupData) error {
 	for _, group := range dump.Groups {
 		group := group // pin
@@ -2671,7 +2991,7 @@ func (p *MemoryProvider) restoreUsers(dump BackupData) error {
 	for _, user := range dump.Users {
 		user := user // pin
 		user.Username = config.convertName(user.Username)
-		u, err := p.userExists(user.Username)
+		u, err := p.userExists(user.Username, "")
 		if err == nil {
 			user.ID = u.ID
 			err = UpdateUser(&user, ActionExecutorSystem, "")

internal/dataprovider/mysql.go

@@ -57,6 +57,7 @@ const (
 		"DROP TABLE IF EXISTS `{{events_rules}}` CASCADE;" +
 		"DROP TABLE IF EXISTS `{{tasks}}` CASCADE;" +
 		"DROP TABLE IF EXISTS `{{nodes}}` CASCADE;" +
+		"DROP TABLE IF EXISTS `{{roles}}` CASCADE;" +
 		"DROP TABLE IF EXISTS `{{schema_version}}` CASCADE;"
 	mysqlInitialSQL = "CREATE TABLE `{{schema_version}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `version` integer NOT NULL);" +
 		"CREATE TABLE `{{admins}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `username` varchar(255) NOT NULL UNIQUE, " +
@@ -171,6 +172,17 @@ const (
 		"CREATE INDEX `{{prefix}}events_rules_trigger_idx` ON `{{events_rules}}` (`trigger`);" +
 		"CREATE INDEX `{{prefix}}rules_actions_mapping_order_idx` ON `{{rules_actions_mapping}}` (`order`);" +
 		"INSERT INTO {{schema_version}} (version) VALUES (23);"
+	mysqlV24SQL = "CREATE TABLE `{{roles}}` (`id` integer AUTO_INCREMENT NOT NULL PRIMARY KEY, `name` varchar(255) NOT NULL UNIQUE, " +
+		"`description` varchar(512) NULL, `created_at` bigint NOT NULL, `updated_at` bigint NOT NULL);" +
+		"ALTER TABLE `{{admins}}` ADD COLUMN `role_id` integer NULL , " +
+		"ADD CONSTRAINT `{{prefix}}admins_role_id_fk_roles_id` FOREIGN KEY (`role_id`) REFERENCES `{{roles}}`(`id`) ON DELETE NO ACTION;" +
+		"ALTER TABLE `{{users}}` ADD COLUMN `role_id` integer NULL , " +
+		"ADD CONSTRAINT `{{prefix}}users_role_id_fk_roles_id` FOREIGN KEY (`role_id`) REFERENCES `{{roles}}`(`id`) ON DELETE SET NULL;"
+	mysqlV24DownSQL = "ALTER TABLE `{{users}}` DROP FOREIGN KEY `{{prefix}}users_role_id_fk_roles_id`;" +
+		"ALTER TABLE `{{admins}}` DROP FOREIGN KEY `{{prefix}}admins_role_id_fk_roles_id`;" +
+		"ALTER TABLE `{{users}}` DROP COLUMN `role_id`;" +
+		"ALTER TABLE `{{admins}}` DROP COLUMN `role_id`;" +
+		"DROP TABLE `{{roles}}` CASCADE;"
 )
 
 // MySQLProvider defines the auth provider for MySQL/MariaDB database
@@ -312,8 +324,8 @@ func (p *MySQLProvider) updateAdminLastLogin(username string) error {
 	return sqlCommonUpdateAdminLastLogin(username, p.dbHandle)
 }
 
-func (p *MySQLProvider) userExists(username string) (User, error) {
-	return sqlCommonGetUserByUsername(username, p.dbHandle)
+func (p *MySQLProvider) userExists(username, role string) (User, error) {
+	return sqlCommonGetUserByUsername(username, role, p.dbHandle)
 }
 
 func (p *MySQLProvider) addUser(user *User) error {
@@ -340,8 +352,8 @@ func (p *MySQLProvider) getRecentlyUpdatedUsers(after int64) ([]User, error) {
 	return sqlCommonGetRecentlyUpdatedUsers(after, p.dbHandle)
 }
 
-func (p *MySQLProvider) getUsers(limit int, offset int, order string) ([]User, error) {
-	return sqlCommonGetUsers(limit, offset, order, p.dbHandle)
+func (p *MySQLProvider) getUsers(limit int, offset int, order, role string) ([]User, error) {
+	return sqlCommonGetUsers(limit, offset, order, role, p.dbHandle)
 }
 
 func (p *MySQLProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) {
@@ -654,6 +666,30 @@ func (p *MySQLProvider) cleanupNodes() error {
 	return sqlCommonCleanupNodes(p.dbHandle)
 }
 
+func (p *MySQLProvider) roleExists(name string) (Role, error) {
+	return sqlCommonGetRoleByName(name, p.dbHandle)
+}
+
+func (p *MySQLProvider) addRole(role *Role) error {
+	return sqlCommonAddRole(role, p.dbHandle)
+}
+
+func (p *MySQLProvider) updateRole(role *Role) error {
+	return sqlCommonUpdateRole(role, p.dbHandle)
+}
+
+func (p *MySQLProvider) deleteRole(role Role) error {
+	return sqlCommonDeleteRole(role, p.dbHandle)
+}
+
+func (p *MySQLProvider) getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) {
+	return sqlCommonGetRoles(limit, offset, order, minimal, p.dbHandle)
+}
+
+func (p *MySQLProvider) dumpRoles() ([]Role, error) {
+	return sqlCommonDumpRoles(p.dbHandle)
+}
+
 func (p *MySQLProvider) setFirstDownloadTimestamp(username string) error {
 	return sqlCommonSetFirstDownloadTimestamp(username, p.dbHandle)
 }
@@ -701,6 +737,8 @@ func (p *MySQLProvider) migrateDatabase() error { //nolint:dupl
 		providerLog(logger.LevelError, "%v", err)
 		logger.ErrorToConsole("%v", err)
 		return err
+	case version == 23:
+		return updateMySQLDatabaseFromV23(p.dbHandle)
 	default:
 		if version > sqlDatabaseVersion {
 			providerLog(logger.LevelError, "database schema version %d is newer than the supported one: %d", version,
@@ -723,6 +761,8 @@ func (p *MySQLProvider) revertDatabase(targetVersion int) error {
 	}
 
 	switch dbVersion.Version {
+	case 24:
+		return downgradeMySQLDatabaseFromV24(p.dbHandle)
 	default:
 		return fmt.Errorf("database schema version not handled: %d", dbVersion.Version)
 	}
@@ -732,3 +772,31 @@ func (p *MySQLProvider) resetDatabase() error {
 	sql := sqlReplaceAll(mysqlResetSQL)
 	return sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, strings.Split(sql, ";"), 0, false)
 }
+
+func updateMySQLDatabaseFromV23(dbHandle *sql.DB) error {
+	return updateMySQLDatabaseFrom23To24(dbHandle)
+}
+
+func downgradeMySQLDatabaseFromV24(dbHandle *sql.DB) error {
+	return downgradeMySQLDatabaseFrom24To23(dbHandle)
+}
+
+func updateMySQLDatabaseFrom23To24(dbHandle *sql.DB) error {
+	logger.InfoToConsole("updating database schema version: 23 -> 24")
+	providerLog(logger.LevelInfo, "updating database schema version: 23 -> 24")
+	sql := strings.ReplaceAll(mysqlV24SQL, "{{roles}}", sqlTableRoles)
+	sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins)
+	sql = strings.ReplaceAll(sql, "{{users}}", sqlTableUsers)
+	sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix)
+	return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, strings.Split(sql, ";"), 24, true)
+}
+
+func downgradeMySQLDatabaseFrom24To23(dbHandle *sql.DB) error {
+	logger.InfoToConsole("downgrading database schema version: 24 -> 23")
+	providerLog(logger.LevelInfo, "downgrading database schema version: 24 -> 23")
+	sql := strings.ReplaceAll(mysqlV24DownSQL, "{{roles}}", sqlTableRoles)
+	sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins)
+	sql = strings.ReplaceAll(sql, "{{users}}", sqlTableUsers)
+	sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix)
+	return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, strings.Split(sql, ";"), 23, false)
+}

internal/dataprovider/node.go

@@ -25,8 +25,8 @@ import (
 	"strings"
 	"time"
 
-	"github.com/lestrrat-go/jwx/jwa"
-	"github.com/lestrrat-go/jwx/jwt"
+	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/rs/xid"
 
 	"github.com/drakkan/sftpgo/v2/internal/httpclient"
@@ -120,27 +120,33 @@ func (n *Node) validate() error {
 	return n.Data.validate()
 }
 
-func (n *Node) authenticate(token string) (string, error) {
+func (n *Node) authenticate(token string) (string, string, error) {
 	if err := n.Data.Key.TryDecrypt(); err != nil {
 		providerLog(logger.LevelError, "unable to decrypt node key: %v", err)
-		return "", err
+		return "", "", err
 	}
 	if token == "" {
-		return "", ErrInvalidCredentials
+		return "", "", ErrInvalidCredentials
 	}
-	t, err := jwt.Parse([]byte(token), jwt.WithVerify(jwa.HS256, []byte(n.Data.Key.GetPayload())))
+	t, err := jwt.Parse([]byte(token), jwt.WithKey(jwa.HS256, []byte(n.Data.Key.GetPayload())), jwt.WithValidate(true))
 	if err != nil {
-		return "", fmt.Errorf("unable to parse token: %v", err)
-	}
-	if err := jwt.Validate(t); err != nil {
-		return "", fmt.Errorf("unable to validate token: %v", err)
+		return "", "", fmt.Errorf("unable to parse and validate token: %v", err)
 	}
+	var adminUsername, role string
 	if admin, ok := t.Get("admin"); ok {
 		if val, ok := admin.(string); ok && val != "" {
-			return val, nil
+			adminUsername = val
 		}
 	}
-	return "", errors.New("no admin username associated with node token")
+	if adminUsername == "" {
+		return "", "", errors.New("no admin username associated with node token")
+	}
+	if r, ok := t.Get("role"); ok {
+		if val, ok := r.(string); ok && val != "" {
+			role = val
+		}
+	}
+	return adminUsername, role, nil
 }
 
 // getBaseURL returns the base URL for this node
@@ -157,7 +163,7 @@ func (n *Node) getBaseURL() string {
 }
 
 // generateAuthToken generates a new auth token
-func (n *Node) generateAuthToken(username string) (string, error) {
+func (n *Node) generateAuthToken(username, role string) (string, error) {
 	if err := n.Data.Key.TryDecrypt(); err != nil {
 		return "", fmt.Errorf("unable to decrypt node key: %w", err)
 	}
@@ -165,18 +171,19 @@ func (n *Node) generateAuthToken(username string) (string, error) {
 
 	t := jwt.New()
 	t.Set("admin", username)                          //nolint:errcheck
+	t.Set("role", role)                               //nolint:errcheck
 	t.Set(jwt.JwtIDKey, xid.New().String())           //nolint:errcheck
 	t.Set(jwt.NotBeforeKey, now.Add(-30*time.Second)) //nolint:errcheck
 	t.Set(jwt.ExpirationKey, now.Add(1*time.Minute))  //nolint:errcheck
 
-	payload, err := jwt.Sign(t, jwa.HS256, []byte(n.Data.Key.GetPayload()))
+	payload, err := jwt.Sign(t, jwt.WithKey(jwa.HS256, []byte(n.Data.Key.GetPayload())))
 	if err != nil {
 		return "", fmt.Errorf("unable to sign authentication token: %w", err)
 	}
 	return string(payload), nil
 }
 
-func (n *Node) prepareRequest(ctx context.Context, username, relativeURL, method string,
+func (n *Node) prepareRequest(ctx context.Context, username, role, relativeURL, method string,
 	body io.Reader,
 ) (*http.Request, error) {
 	url := fmt.Sprintf("%s%s", n.getBaseURL(), relativeURL)
@@ -184,7 +191,7 @@ func (n *Node) prepareRequest(ctx context.Context, username, relativeURL, method
 	if err != nil {
 		return nil, err
 	}
-	token, err := n.generateAuthToken(username)
+	token, err := n.generateAuthToken(username, role)
 	if err != nil {
 		return nil, err
 	}
@@ -194,11 +201,11 @@ func (n *Node) prepareRequest(ctx context.Context, username, relativeURL, method
 
 // SendGetRequest sends an HTTP GET request to this node.
 // The responseHolder must be a pointer
-func (n *Node) SendGetRequest(username, relativeURL string, responseHolder any) error {
+func (n *Node) SendGetRequest(username, role, relativeURL string, responseHolder any) error {
 	ctx, cancel := context.WithTimeout(context.Background(), nodeReqTimeout)
 	defer cancel()
 
-	req, err := n.prepareRequest(ctx, username, relativeURL, http.MethodGet, nil)
+	req, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodGet, nil)
 	if err != nil {
 		return err
 	}
@@ -222,11 +229,11 @@ func (n *Node) SendGetRequest(username, relativeURL string, responseHolder any)
 }
 
 // SendDeleteRequest sends an HTTP DELETE request to this node
-func (n *Node) SendDeleteRequest(username, relativeURL string) error {
+func (n *Node) SendDeleteRequest(username, role, relativeURL string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), nodeReqTimeout)
 	defer cancel()
 
-	req, err := n.prepareRequest(ctx, username, relativeURL, http.MethodDelete, nil)
+	req, err := n.prepareRequest(ctx, username, role, relativeURL, http.MethodDelete, nil)
 	if err != nil {
 		return err
 	}
@@ -246,9 +253,9 @@ func (n *Node) SendDeleteRequest(username, relativeURL string) error {
 }
 
 // AuthenticateNodeToken check the validity of the provided token
-func AuthenticateNodeToken(token string) (string, error) {
+func AuthenticateNodeToken(token string) (string, string, error) {
 	if currentNode == nil {
-		return "", errNoClusterNodes
+		return "", "", errNoClusterNodes
 	}
 	return currentNode.authenticate(token)
 }

internal/dataprovider/pgsql.go

@@ -23,6 +23,7 @@ import (
 	"database/sql"
 	"errors"
 	"fmt"
+	"strings"
 	"time"
 
 	// we import pgx here to be able to disable PostgreSQL support using a build tag
@@ -54,6 +55,7 @@ DROP TABLE IF EXISTS "{{events_actions}}" CASCADE;
 DROP TABLE IF EXISTS "{{events_rules}}" CASCADE;
 DROP TABLE IF EXISTS "{{tasks}}" CASCADE;
 DROP TABLE IF EXISTS "{{nodes}}" CASCADE;
+DROP TABLE IF EXISTS "{{roles}}" CASCADE;
 DROP TABLE IF EXISTS "{{schema_version}}" CASCADE;
 `
 	pgsqlInitial = `CREATE TABLE "{{schema_version}}" ("id" serial NOT NULL PRIMARY KEY, "version" integer NOT NULL);
@@ -178,6 +180,19 @@ CREATE INDEX "{{prefix}}rules_actions_mapping_order_idx" ON "{{rules_actions_map
 CREATE INDEX "{{prefix}}admins_groups_mapping_admin_id_idx" ON "{{admins_groups_mapping}}" ("admin_id");
 CREATE INDEX "{{prefix}}admins_groups_mapping_group_id_idx" ON "{{admins_groups_mapping}}" ("group_id");
 INSERT INTO {{schema_version}} (version) VALUES (23);
+`
+	pgsqlV24SQL = `CREATE TABLE "{{roles}}" ("id" serial NOT NULL PRIMARY KEY, "name" varchar(255) NOT NULL UNIQUE,
+"description" varchar(512) NULL, "created_at" bigint NOT NULL, "updated_at" bigint NOT NULL);
+ALTER TABLE "{{admins}}" ADD COLUMN "role_id" integer NULL CONSTRAINT "{{prefix}}admins_role_id_fk_roles_id"
+REFERENCES "{{roles}}"("id") ON DELETE NO ACTION;
+ALTER TABLE "{{users}}" ADD COLUMN "role_id" integer NULL CONSTRAINT "{{prefix}}users_role_id_fk_roles_id"
+REFERENCES "{{roles}}"("id") ON DELETE SET NULL;
+CREATE INDEX "{{prefix}}admins_role_id_idx" ON "{{admins}}" ("role_id");
+CREATE INDEX "{{prefix}}users_role_id_idx" ON "{{users}}" ("role_id");
+`
+	pgsqlV24DownSQL = `ALTER TABLE "{{users}}" DROP COLUMN "role_id" CASCADE;
+ALTER TABLE "{{admins}}" DROP COLUMN "role_id" CASCADE;
+DROP TABLE "{{roles}}" CASCADE;
 `
 )
 
@@ -279,8 +294,8 @@ func (p *PGSQLProvider) updateAdminLastLogin(username string) error {
 	return sqlCommonUpdateAdminLastLogin(username, p.dbHandle)
 }
 
-func (p *PGSQLProvider) userExists(username string) (User, error) {
-	return sqlCommonGetUserByUsername(username, p.dbHandle)
+func (p *PGSQLProvider) userExists(username, role string) (User, error) {
+	return sqlCommonGetUserByUsername(username, role, p.dbHandle)
 }
 
 func (p *PGSQLProvider) addUser(user *User) error {
@@ -307,8 +322,8 @@ func (p *PGSQLProvider) getRecentlyUpdatedUsers(after int64) ([]User, error) {
 	return sqlCommonGetRecentlyUpdatedUsers(after, p.dbHandle)
 }
 
-func (p *PGSQLProvider) getUsers(limit int, offset int, order string) ([]User, error) {
-	return sqlCommonGetUsers(limit, offset, order, p.dbHandle)
+func (p *PGSQLProvider) getUsers(limit int, offset int, order, role string) ([]User, error) {
+	return sqlCommonGetUsers(limit, offset, order, role, p.dbHandle)
 }
 
 func (p *PGSQLProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) {
@@ -621,6 +636,30 @@ func (p *PGSQLProvider) cleanupNodes() error {
 	return sqlCommonCleanupNodes(p.dbHandle)
 }
 
+func (p *PGSQLProvider) roleExists(name string) (Role, error) {
+	return sqlCommonGetRoleByName(name, p.dbHandle)
+}
+
+func (p *PGSQLProvider) addRole(role *Role) error {
+	return sqlCommonAddRole(role, p.dbHandle)
+}
+
+func (p *PGSQLProvider) updateRole(role *Role) error {
+	return sqlCommonUpdateRole(role, p.dbHandle)
+}
+
+func (p *PGSQLProvider) deleteRole(role Role) error {
+	return sqlCommonDeleteRole(role, p.dbHandle)
+}
+
+func (p *PGSQLProvider) getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) {
+	return sqlCommonGetRoles(limit, offset, order, minimal, p.dbHandle)
+}
+
+func (p *PGSQLProvider) dumpRoles() ([]Role, error) {
+	return sqlCommonDumpRoles(p.dbHandle)
+}
+
 func (p *PGSQLProvider) setFirstDownloadTimestamp(username string) error {
 	return sqlCommonSetFirstDownloadTimestamp(username, p.dbHandle)
 }
@@ -668,6 +707,8 @@ func (p *PGSQLProvider) migrateDatabase() error { //nolint:dupl
 		providerLog(logger.LevelError, "%v", err)
 		logger.ErrorToConsole("%v", err)
 		return err
+	case version == 23:
+		return updatePgSQLDatabaseFromV23(p.dbHandle)
 	default:
 		if version > sqlDatabaseVersion {
 			providerLog(logger.LevelError, "database schema version %d is newer than the supported one: %d", version,
@@ -690,6 +731,8 @@ func (p *PGSQLProvider) revertDatabase(targetVersion int) error {
 	}
 
 	switch dbVersion.Version {
+	case 24:
+		return downgradePgSQLDatabaseFromV24(p.dbHandle)
 	default:
 		return fmt.Errorf("database schema version not handled: %d", dbVersion.Version)
 	}
@@ -699,3 +742,31 @@ func (p *PGSQLProvider) resetDatabase() error {
 	sql := sqlReplaceAll(pgsqlResetSQL)
 	return sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, []string{sql}, 0, false)
 }
+
+func updatePgSQLDatabaseFromV23(dbHandle *sql.DB) error {
+	return updatePgSQLDatabaseFrom23To24(dbHandle)
+}
+
+func downgradePgSQLDatabaseFromV24(dbHandle *sql.DB) error {
+	return downgradePgSQLDatabaseFrom24To23(dbHandle)
+}
+
+func updatePgSQLDatabaseFrom23To24(dbHandle *sql.DB) error {
+	logger.InfoToConsole("updating database schema version: 23 -> 24")
+	providerLog(logger.LevelInfo, "updating database schema version: 23 -> 24")
+	sql := strings.ReplaceAll(pgsqlV24SQL, "{{roles}}", sqlTableRoles)
+	sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins)
+	sql = strings.ReplaceAll(sql, "{{users}}", sqlTableUsers)
+	sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix)
+	return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 24, true)
+}
+
+func downgradePgSQLDatabaseFrom24To23(dbHandle *sql.DB) error {
+	logger.InfoToConsole("downgrading database schema version: 24 -> 23")
+	providerLog(logger.LevelInfo, "downgrading database schema version: 24 -> 23")
+	sql := strings.ReplaceAll(pgsqlV24DownSQL, "{{roles}}", sqlTableRoles)
+	sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins)
+	sql = strings.ReplaceAll(sql, "{{users}}", sqlTableUsers)
+	sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix)
+	return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 23, false)
+}

internal/dataprovider/role.go

@@ -0,0 +1,94 @@
+// Copyright (C) 2019-2022  Nicola Murino
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published
+// by the Free Software Foundation, version 3.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package dataprovider
+
+import (
+	"encoding/json"
+	"fmt"
+	"strings"
+
+	"github.com/drakkan/sftpgo/v2/internal/logger"
+	"github.com/drakkan/sftpgo/v2/internal/util"
+)
+
+// Role defines an SFTPGo role.
+type Role struct {
+	// Data provider unique identifier
+	ID int64 `json:"id"`
+	// Role name
+	Name string `json:"name"`
+	// optional description
+	Description string `json:"description,omitempty"`
+	// Creation time as unix timestamp in milliseconds
+	CreatedAt int64 `json:"created_at"`
+	// last update time as unix timestamp in milliseconds
+	UpdatedAt int64 `json:"updated_at"`
+	// list of admins associated with this role
+	Admins []string `json:"admins,omitempty"`
+	// list of usernames associated with this role
+	Users []string `json:"users,omitempty"`
+}
+
+// RenderAsJSON implements the renderer interface used within plugins
+func (r *Role) RenderAsJSON(reload bool) ([]byte, error) {
+	if reload {
+		role, err := provider.roleExists(r.Name)
+		if err != nil {
+			providerLog(logger.LevelError, "unable to reload role before rendering as json: %v", err)
+			return nil, err
+		}
+		return json.Marshal(role)
+	}
+	return json.Marshal(r)
+}
+
+func (r *Role) validate() error {
+	if r.Name == "" {
+		return util.NewValidationError("name is mandatory")
+	}
+	if config.NamingRules&1 == 0 && !usernameRegex.MatchString(r.Name) {
+		return util.NewValidationError(fmt.Sprintf("name %q is not valid, the following characters are allowed: a-zA-Z0-9-_.~", r.Name))
+	}
+	return nil
+}
+
+func (r *Role) getACopy() Role {
+	users := make([]string, len(r.Users))
+	copy(users, r.Users)
+	admins := make([]string, len(r.Admins))
+	copy(admins, r.Admins)
+
+	return Role{
+		ID:          r.ID,
+		Name:        r.Name,
+		Description: r.Description,
+		CreatedAt:   r.CreatedAt,
+		UpdatedAt:   r.UpdatedAt,
+		Users:       users,
+		Admins:      admins,
+	}
+}
+
+// GetMembersAsString returns a string representation for the role members
+func (r *Role) GetMembersAsString() string {
+	var sb strings.Builder
+	if len(r.Users) > 0 {
+		sb.WriteString(fmt.Sprintf("Users: %d. ", len(r.Users)))
+	}
+	if len(r.Admins) > 0 {
+		sb.WriteString(fmt.Sprintf("Admins: %d. ", len(r.Admins)))
+	}
+	return sb.String()
+}

internal/dataprovider/sqlcommon.go

@@ -34,7 +34,7 @@ import (
 )
 
 const (
-	sqlDatabaseVersion     = 23
+	sqlDatabaseVersion     = 24
 	defaultSQLQueryTimeout = 10 * time.Second
 	longSQLQueryTimeout    = 60 * time.Second
 )
@@ -78,6 +78,7 @@ func sqlReplaceAll(sql string) string {
 	sql = strings.ReplaceAll(sql, "{{rules_actions_mapping}}", sqlTableRulesActionsMapping)
 	sql = strings.ReplaceAll(sql, "{{tasks}}", sqlTableTasks)
 	sql = strings.ReplaceAll(sql, "{{nodes}}", sqlTableNodes)
+	sql = strings.ReplaceAll(sql, "{{roles}}", sqlTableRoles)
 	sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix)
 	return sql
 }
@@ -105,7 +106,7 @@ func sqlCommonAddShare(share *Share, dbHandle *sql.DB) error {
 		return err
 	}
 
-	user, err := provider.userExists(share.Username)
+	user, err := provider.userExists(share.Username, "")
 	if err != nil {
 		return util.NewValidationError(fmt.Sprintf("unable to validate user %#v", share.Username))
 	}
@@ -165,7 +166,7 @@ func sqlCommonUpdateShare(share *Share, dbHandle *sql.DB) error {
 		}
 	}
 
-	user, err := provider.userExists(share.Username)
+	user, err := provider.userExists(share.Username, "")
 	if err != nil {
 		return util.NewValidationError(fmt.Sprintf("unable to validate user %#v", share.Username))
 	}
@@ -431,10 +432,10 @@ func sqlCommonAddAdmin(admin *Admin, dbHandle *sql.DB) error {
 	defer cancel()
 
 	return sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {
-		q := getAddAdminQuery()
+		q := getAddAdminQuery(admin.Role)
 		_, err = tx.ExecContext(ctx, q, admin.Username, admin.Password, admin.Status, admin.Email, string(perms),
 			string(filters), admin.AdditionalInfo, admin.Description, util.GetTimeAsMsSinceEpoch(time.Now()),
-			util.GetTimeAsMsSinceEpoch(time.Now()))
+			util.GetTimeAsMsSinceEpoch(time.Now()), admin.Role)
 		if err != nil {
 			return err
 		}
@@ -462,9 +463,9 @@ func sqlCommonUpdateAdmin(admin *Admin, dbHandle *sql.DB) error {
 	defer cancel()
 
 	return sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {
-		q := getUpdateAdminQuery()
+		q := getUpdateAdminQuery(admin.Role)
 		_, err = tx.ExecContext(ctx, q, admin.Password, admin.Status, admin.Email, string(perms), string(filters),
-			admin.AdditionalInfo, admin.Description, util.GetTimeAsMsSinceEpoch(time.Now()), admin.Username)
+			admin.AdditionalInfo, admin.Description, util.GetTimeAsMsSinceEpoch(time.Now()), admin.Role, admin.Username)
 		if err != nil {
 			return err
 		}
@@ -537,6 +538,122 @@ func sqlCommonDumpAdmins(dbHandle sqlQuerier) ([]Admin, error) {
 	return getAdminsWithGroups(ctx, admins, dbHandle)
 }
 
+func sqlCommonGetRoleByName(name string, dbHandle sqlQuerier) (Role, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)
+	defer cancel()
+
+	q := getRoleByNameQuery()
+	row := dbHandle.QueryRowContext(ctx, q, name)
+	role, err := getRoleFromDbRow(row)
+	if err != nil {
+		return role, err
+	}
+	role, err = getRoleWithUsers(ctx, role, dbHandle)
+	if err != nil {
+		return role, err
+	}
+	return getRoleWithAdmins(ctx, role, dbHandle)
+}
+
+func sqlCommonDumpRoles(dbHandle sqlQuerier) ([]Role, error) {
+	roles := make([]Role, 0, 10)
+	ctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)
+	defer cancel()
+
+	q := getDumpRolesQuery()
+
+	rows, err := dbHandle.QueryContext(ctx, q)
+	if err != nil {
+		return roles, err
+	}
+	defer rows.Close()
+
+	for rows.Next() {
+		role, err := getRoleFromDbRow(rows)
+		if err != nil {
+			return roles, err
+		}
+		roles = append(roles, role)
+	}
+	return roles, rows.Err()
+}
+
+func sqlCommonGetRoles(limit int, offset int, order string, minimal bool, dbHandle sqlQuerier) ([]Role, error) {
+	ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)
+	defer cancel()
+
+	q := getRolesQuery(order, minimal)
+
+	roles := make([]Role, 0, limit)
+	rows, err := dbHandle.QueryContext(ctx, q, limit, offset)
+	if err != nil {
+		return roles, err
+	}
+	defer rows.Close()
+
+	for rows.Next() {
+		var role Role
+		if minimal {
+			err = rows.Scan(&role.ID, &role.Name)
+		} else {
+			role, err = getRoleFromDbRow(rows)
+		}
+		if err != nil {
+			return roles, err
+		}
+		roles = append(roles, role)
+	}
+	err = rows.Err()
+	if err != nil {
+		return roles, err
+	}
+	if minimal {
+		return roles, nil
+	}
+	roles, err = getRolesWithUsers(ctx, roles, dbHandle)
+	if err != nil {
+		return roles, err
+	}
+	return getRolesWithAdmins(ctx, roles, dbHandle)
+}
+
+func sqlCommonAddRole(role *Role, dbHandle *sql.DB) error {
+	if err := role.validate(); err != nil {
+		return err
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)
+	defer cancel()
+
+	q := getAddRoleQuery()
+	_, err := dbHandle.ExecContext(ctx, q, role.Name, role.Description, util.GetTimeAsMsSinceEpoch(time.Now()),
+		util.GetTimeAsMsSinceEpoch(time.Now()))
+	return err
+}
+
+func sqlCommonUpdateRole(role *Role, dbHandle *sql.DB) error {
+	if err := role.validate(); err != nil {
+		return err
+	}
+	ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)
+	defer cancel()
+
+	q := getUpdateRoleQuery()
+	_, err := dbHandle.ExecContext(ctx, q, role.Description, util.GetTimeAsMsSinceEpoch(time.Now()), role.Name)
+	return err
+}
+
+func sqlCommonDeleteRole(role Role, dbHandle *sql.DB) error {
+	ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)
+	defer cancel()
+
+	q := getDeleteRoleQuery()
+	res, err := dbHandle.ExecContext(ctx, q, role.Name)
+	if err != nil {
+		return err
+	}
+	return sqlCommonRequireRowAffected(res)
+}
+
 func sqlCommonGetGroupByName(name string, dbHandle sqlQuerier) (Group, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)
 	defer cancel()
@@ -756,12 +873,16 @@ func sqlCommonDeleteGroup(group Group, dbHandle *sql.DB) error {
 	return sqlCommonRequireRowAffected(res)
 }
 
-func sqlCommonGetUserByUsername(username string, dbHandle sqlQuerier) (User, error) {
+func sqlCommonGetUserByUsername(username, role string, dbHandle sqlQuerier) (User, error) {
 	ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)
 	defer cancel()
 
-	q := getUserByUsernameQuery()
-	row := dbHandle.QueryRowContext(ctx, q, username)
+	q := getUserByUsernameQuery(role)
+	args := []any{username}
+	if role != "" {
+		args = append(args, role)
+	}
+	row := dbHandle.QueryRowContext(ctx, q, args...)
 	user, err := getUserFromDbRow(row)
 	if err != nil {
 		return user, err
@@ -774,7 +895,7 @@ func sqlCommonGetUserByUsername(username string, dbHandle sqlQuerier) (User, err
 }
 
 func sqlCommonValidateUserAndPass(username, password, ip, protocol string, dbHandle *sql.DB) (User, error) {
-	user, err := sqlCommonGetUserByUsername(username, dbHandle)
+	user, err := sqlCommonGetUserByUsername(username, "", dbHandle)
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
 		return user, err
@@ -787,7 +908,7 @@ func sqlCommonValidateUserAndTLSCertificate(username, protocol string, tlsCert *
 	if tlsCert == nil {
 		return user, errors.New("TLS certificate cannot be null or empty")
 	}
-	user, err := sqlCommonGetUserByUsername(username, dbHandle)
+	user, err := sqlCommonGetUserByUsername(username, "", dbHandle)
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
 		return user, err
@@ -800,7 +921,7 @@ func sqlCommonValidateUserAndPubKey(username string, pubKey []byte, isSSHCert bo
 	if len(pubKey) == 0 {
 		return user, "", errors.New("credentials cannot be null or empty")
 	}
-	user, err := sqlCommonGetUserByUsername(username, dbHandle)
+	user, err := sqlCommonGetUserByUsername(username, "", dbHandle)
 	if err != nil {
 		providerLog(logger.LevelWarn, "error authenticating user %#v: %v", username, err)
 		return user, "", err
@@ -993,12 +1114,12 @@ func sqlCommonAddUser(user *User, dbHandle *sql.DB) error {
 				return err
 			}
 		}
-		q := getAddUserQuery()
+		q := getAddUserQuery(user.Role)
 		_, err := tx.ExecContext(ctx, q, user.Username, user.Password, string(publicKeys), user.HomeDir, user.UID, user.GID,
 			user.MaxSessions, user.QuotaSize, user.QuotaFiles, string(permissions), user.UploadBandwidth,
 			user.DownloadBandwidth, user.Status, user.ExpirationDate, string(filters), string(fsConfig), user.AdditionalInfo,
 			user.Description, user.Email, util.GetTimeAsMsSinceEpoch(time.Now()), util.GetTimeAsMsSinceEpoch(time.Now()),
-			user.UploadDataTransfer, user.DownloadDataTransfer, user.TotalDataTransfer)
+			user.UploadDataTransfer, user.DownloadDataTransfer, user.TotalDataTransfer, user.Role)
 		if err != nil {
 			return err
 		}
@@ -1044,12 +1165,12 @@ func sqlCommonUpdateUser(user *User, dbHandle *sql.DB) error {
 	defer cancel()
 
 	return sqlCommonExecuteTx(ctx, dbHandle, func(tx *sql.Tx) error {
-		q := getUpdateUserQuery()
+		q := getUpdateUserQuery(user.Role)
 		_, err := tx.ExecContext(ctx, q, user.Password, string(publicKeys), user.HomeDir, user.UID, user.GID, user.MaxSessions,
 			user.QuotaSize, user.QuotaFiles, string(permissions), user.UploadBandwidth, user.DownloadBandwidth, user.Status,
 			user.ExpirationDate, string(filters), string(fsConfig), user.AdditionalInfo, user.Description, user.Email,
 			util.GetTimeAsMsSinceEpoch(time.Now()), user.UploadDataTransfer, user.DownloadDataTransfer, user.TotalDataTransfer,
-			user.ID)
+			user.Role, user.ID)
 		if err != nil {
 			return err
 		}
@@ -1264,19 +1385,17 @@ func sqlCommonGetUsersRangeForQuotaCheck(usernames []string, dbHandle sqlQuerier
 
 	for rows.Next() {
 		var user User
-		var filters sql.NullString
+		var filters []byte
 		err = rows.Scan(&user.ID, &user.Username, &user.QuotaSize, &user.UsedQuotaSize, &user.TotalDataTransfer,
 			&user.UploadDataTransfer, &user.DownloadDataTransfer, &user.UsedUploadDataTransfer,
 			&user.UsedDownloadDataTransfer, &filters)
 		if err != nil {
 			return users, err
 		}
-		if filters.Valid {
-			var userFilters UserFilters
-			err = json.Unmarshal([]byte(filters.String), &userFilters)
-			if err == nil {
-				user.Filters = userFilters
-			}
+		var userFilters UserFilters
+		err = json.Unmarshal(filters, &userFilters)
+		if err == nil {
+			user.Filters = userFilters
 		}
 		users = append(users, user)
 	}
@@ -1353,13 +1472,19 @@ func sqlCommonGetActiveTransfers(from time.Time, dbHandle sqlQuerier) ([]ActiveT
 	return transfers, rows.Err()
 }
 
-func sqlCommonGetUsers(limit int, offset int, order string, dbHandle sqlQuerier) ([]User, error) {
+func sqlCommonGetUsers(limit int, offset int, order, role string, dbHandle sqlQuerier) ([]User, error) {
 	users := make([]User, 0, limit)
 	ctx, cancel := context.WithTimeout(context.Background(), defaultSQLQueryTimeout)
 	defer cancel()
 
-	q := getUsersQuery(order)
-	rows, err := dbHandle.QueryContext(ctx, q, limit, offset)
+	q := getUsersQuery(order, role)
+	var args []any
+	if role == "" {
+		args = append(args, limit, offset)
+	} else {
+		args = append(args, role, limit, offset)
+	}
+	rows, err := dbHandle.QueryContext(ctx, q, args...)
 	if err != nil {
 		return users, err
 	}
@@ -1593,7 +1718,8 @@ func sqlCommonCleanupDefenderEvents(from int64, dbHandle *sql.DB) error {
 
 func getShareFromDbRow(row sqlScanner) (Share, error) {
 	var share Share
-	var description, password, allowFrom, paths sql.NullString
+	var description, password sql.NullString
+	var allowFrom, paths []byte
 
 	err := row.Scan(&share.ShareID, &share.Name, &description, &share.Scope,
 		&paths, &share.Username, &share.CreatedAt, &share.UpdatedAt,
@@ -1605,28 +1731,22 @@ func getShareFromDbRow(row sqlScanner) (Share, error) {
 		}
 		return share, err
 	}
-	if paths.Valid {
-		var list []string
-		err = json.Unmarshal([]byte(paths.String), &list)
-		if err != nil {
-			return share, err
-		}
-		share.Paths = list
-	} else {
-		return share, errors.New("unable to decode shared paths")
+	var list []string
+	err = json.Unmarshal(paths, &list)
+	if err != nil {
+		return share, err
 	}
+	share.Paths = list
 	if description.Valid {
 		share.Description = description.String
 	}
 	if password.Valid {
 		share.Password = password.String
 	}
-	if allowFrom.Valid {
-		var list []string
-		err = json.Unmarshal([]byte(allowFrom.String), &list)
-		if err == nil {
-			share.AllowFrom = list
-		}
+	list = nil
+	err = json.Unmarshal(allowFrom, &list)
+	if err == nil {
+		share.AllowFrom = list
 	}
 	return share, nil
 }
@@ -1661,10 +1781,11 @@ func getAPIKeyFromDbRow(row sqlScanner) (APIKey, error) {
 
 func getAdminFromDbRow(row sqlScanner) (Admin, error) {
 	var admin Admin
-	var email, filters, additionalInfo, permissions, description sql.NullString
+	var email, additionalInfo, description, role sql.NullString
+	var permissions, filters []byte
 
 	err := row.Scan(&admin.ID, &admin.Username, &admin.Password, &admin.Status, &email, &permissions,
-		&filters, &additionalInfo, &description, &admin.CreatedAt, &admin.UpdatedAt, &admin.LastLogin)
+		&filters, &additionalInfo, &description, &admin.CreatedAt, &admin.UpdatedAt, &admin.LastLogin, &role)
 
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
@@ -1673,24 +1794,21 @@ func getAdminFromDbRow(row sqlScanner) (Admin, error) {
 		return admin, err
 	}
 
-	if permissions.Valid {
-		var perms []string
-		err = json.Unmarshal([]byte(permissions.String), &perms)
-		if err != nil {
-			return admin, err
-		}
-		admin.Permissions = perms
+	var perms []string
+	err = json.Unmarshal(permissions, &perms)
+	if err != nil {
+		return admin, err
 	}
+	admin.Permissions = perms
 
 	if email.Valid {
 		admin.Email = email.String
 	}
-	if filters.Valid {
-		var adminFilters AdminFilters
-		err = json.Unmarshal([]byte(filters.String), &adminFilters)
-		if err == nil {
-			admin.Filters = adminFilters
-		}
+
+	var adminFilters AdminFilters
+	err = json.Unmarshal(filters, &adminFilters)
+	if err == nil {
+		admin.Filters = adminFilters
 	}
 	if additionalInfo.Valid {
 		admin.AdditionalInfo = additionalInfo.String
@@ -1698,6 +1816,9 @@ func getAdminFromDbRow(row sqlScanner) (Admin, error) {
 	if description.Valid {
 		admin.Description = description.String
 	}
+	if role.Valid {
+		admin.Role = role.String
+	}
 
 	admin.SetEmptySecretsIfNil()
 	return admin, nil
@@ -1718,11 +1839,10 @@ func getEventActionFromDbRow(row sqlScanner) (BaseEventAction, error) {
 	if description.Valid {
 		action.Description = description.String
 	}
-	if len(options) > 0 {
-		err = json.Unmarshal(options, &action.Options)
-		if err != nil {
-			return action, err
-		}
+	var actionOptions BaseEventActionOptions
+	err = json.Unmarshal(options, &actionOptions)
+	if err == nil {
+		action.Options = actionOptions
 	}
 	return action, nil
 }
@@ -1740,21 +1860,40 @@ func getEventRuleFromDbRow(row sqlScanner) (EventRule, error) {
 		}
 		return rule, err
 	}
-	if len(conditions) > 0 {
-		err = json.Unmarshal(conditions, &rule.Conditions)
-		if err != nil {
-			return rule, err
-		}
+	var ruleConditions EventConditions
+	err = json.Unmarshal(conditions, &ruleConditions)
+	if err == nil {
+		rule.Conditions = ruleConditions
 	}
+
 	if description.Valid {
 		rule.Description = description.String
 	}
 	return rule, nil
 }
 
+func getRoleFromDbRow(row sqlScanner) (Role, error) {
+	var role Role
+	var description sql.NullString
+
+	err := row.Scan(&role.ID, &role.Name, &description, &role.CreatedAt, &role.UpdatedAt)
+	if err != nil {
+		if errors.Is(err, sql.ErrNoRows) {
+			return role, util.NewRecordNotFoundError(err.Error())
+		}
+		return role, err
+	}
+	if description.Valid {
+		role.Description = description.String
+	}
+
+	return role, nil
+}
+
 func getGroupFromDbRow(row sqlScanner) (Group, error) {
 	var group Group
-	var userSettings, description sql.NullString
+	var description sql.NullString
+	var userSettings []byte
 
 	err := row.Scan(&group.ID, &group.Name, &description, &group.CreatedAt, &group.UpdatedAt, &userSettings)
 	if err != nil {
@@ -1766,12 +1905,11 @@ func getGroupFromDbRow(row sqlScanner) (Group, error) {
 	if description.Valid {
 		group.Description = description.String
 	}
-	if userSettings.Valid {
-		var settings GroupUserSettings
-		err = json.Unmarshal([]byte(userSettings.String), &settings)
-		if err == nil {
-			group.UserSettings = settings
-		}
+
+	var settings GroupUserSettings
+	err = json.Unmarshal(userSettings, &settings)
+	if err == nil {
+		group.UserSettings = settings
 	}
 
 	return group, nil
@@ -1779,19 +1917,16 @@ func getGroupFromDbRow(row sqlScanner) (Group, error) {
 
 func getUserFromDbRow(row sqlScanner) (User, error) {
 	var user User
-	var permissions sql.NullString
 	var password sql.NullString
-	var publicKey sql.NullString
-	var filters sql.NullString
-	var fsConfig sql.NullString
-	var additionalInfo, description, email sql.NullString
+	var permissions, publicKey, filters, fsConfig []byte
+	var additionalInfo, description, email, role sql.NullString
 
 	err := row.Scan(&user.ID, &user.Username, &password, &publicKey, &user.HomeDir, &user.UID, &user.GID, &user.MaxSessions,
 		&user.QuotaSize, &user.QuotaFiles, &permissions, &user.UsedQuotaSize, &user.UsedQuotaFiles, &user.LastQuotaUpdate,
 		&user.UploadBandwidth, &user.DownloadBandwidth, &user.ExpirationDate, &user.LastLogin, &user.Status, &filters, &fsConfig,
 		&additionalInfo, &description, &email, &user.CreatedAt, &user.UpdatedAt, &user.UploadDataTransfer, &user.DownloadDataTransfer,
 		&user.TotalDataTransfer, &user.UsedUploadDataTransfer, &user.UsedDownloadDataTransfer, &user.DeletedAt, &user.FirstDownload,
-		&user.FirstUpload)
+		&user.FirstUpload, &role)
 	if err != nil {
 		if errors.Is(err, sql.ErrNoRows) {
 			return user, util.NewRecordNotFoundError(err.Error())
@@ -1801,38 +1936,30 @@ func getUserFromDbRow(row sqlScanner) (User, error) {
 	if password.Valid {
 		user.Password = password.String
 	}
+	perms := make(map[string][]string)
+	err = json.Unmarshal(permissions, &perms)
+	if err != nil {
+		providerLog(logger.LevelError, "unable to deserialize permissions for user %#v: %v", user.Username, err)
+		return user, fmt.Errorf("unable to deserialize permissions for user %#v: %v", user.Username, err)
+	}
+	user.Permissions = perms
 	// we can have a empty string or an invalid json in null string
 	// so we do a relaxed test if the field is optional, for example we
 	// populate public keys only if unmarshal does not return an error
-	if publicKey.Valid {
-		var list []string
-		err = json.Unmarshal([]byte(publicKey.String), &list)
-		if err == nil {
-			user.PublicKeys = list
-		}
+	var pKeys []string
+	err = json.Unmarshal(publicKey, &pKeys)
+	if err == nil {
+		user.PublicKeys = pKeys
 	}
-	if permissions.Valid {
-		perms := make(map[string][]string)
-		err = json.Unmarshal([]byte(permissions.String), &perms)
-		if err != nil {
-			providerLog(logger.LevelError, "unable to deserialize permissions for user %#v: %v", user.Username, err)
-			return user, fmt.Errorf("unable to deserialize permissions for user %#v: %v", user.Username, err)
-		}
-		user.Permissions = perms
+	var userFilters UserFilters
+	err = json.Unmarshal(filters, &userFilters)
+	if err == nil {
+		user.Filters = userFilters
 	}
-	if filters.Valid {
-		var userFilters UserFilters
-		err = json.Unmarshal([]byte(filters.String), &userFilters)
-		if err == nil {
-			user.Filters = userFilters
-		}
-	}
-	if fsConfig.Valid {
-		var fs vfs.Filesystem
-		err = json.Unmarshal([]byte(fsConfig.String), &fs)
-		if err == nil {
-			user.FsConfig = fs
-		}
+	var fs vfs.Filesystem
+	err = json.Unmarshal(fsConfig, &fs)
+	if err == nil {
+		user.FsConfig = fs
 	}
 	if additionalInfo.Valid {
 		user.AdditionalInfo = additionalInfo.String
@@ -1843,6 +1970,9 @@ func getUserFromDbRow(row sqlScanner) (User, error) {
 	if email.Valid {
 		user.Email = email.String
 	}
+	if role.Valid {
+		user.Role = role.String
+	}
 	user.SetEmptySecretsIfNil()
 	return user, nil
 }
@@ -1851,7 +1981,8 @@ func sqlCommonGetFolder(ctx context.Context, name string, dbHandle sqlQuerier) (
 	var folder vfs.BaseVirtualFolder
 	q := getFolderByNameQuery()
 	row := dbHandle.QueryRowContext(ctx, q, name)
-	var mappedPath, description, fsConfig sql.NullString
+	var mappedPath, description sql.NullString
+	var fsConfig []byte
 	err := row.Scan(&folder.ID, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles, &folder.LastQuotaUpdate,
 		&folder.Name, &description, &fsConfig)
 	if err != nil {
@@ -1866,12 +1997,10 @@ func sqlCommonGetFolder(ctx context.Context, name string, dbHandle sqlQuerier) (
 	if description.Valid {
 		folder.Description = description.String
 	}
-	if fsConfig.Valid {
-		var fs vfs.Filesystem
-		err = json.Unmarshal([]byte(fsConfig.String), &fs)
-		if err == nil {
-			folder.FsConfig = fs
-		}
+	var fs vfs.Filesystem
+	err = json.Unmarshal(fsConfig, &fs)
+	if err == nil {
+		folder.FsConfig = fs
 	}
 	return folder, err
 }
@@ -1971,7 +2100,8 @@ func sqlCommonDumpFolders(dbHandle sqlQuerier) ([]vfs.BaseVirtualFolder, error)
 	defer rows.Close()
 	for rows.Next() {
 		var folder vfs.BaseVirtualFolder
-		var mappedPath, description, fsConfig sql.NullString
+		var mappedPath, description sql.NullString
+		var fsConfig []byte
 		err = rows.Scan(&folder.ID, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles,
 			&folder.LastQuotaUpdate, &folder.Name, &description, &fsConfig)
 		if err != nil {
@@ -1983,12 +2113,10 @@ func sqlCommonDumpFolders(dbHandle sqlQuerier) ([]vfs.BaseVirtualFolder, error)
 		if description.Valid {
 			folder.Description = description.String
 		}
-		if fsConfig.Valid {
-			var fs vfs.Filesystem
-			err = json.Unmarshal([]byte(fsConfig.String), &fs)
-			if err == nil {
-				folder.FsConfig = fs
-			}
+		var fs vfs.Filesystem
+		err = json.Unmarshal(fsConfig, &fs)
+		if err == nil {
+			folder.FsConfig = fs
 		}
 		folders = append(folders, folder)
 	}
@@ -2014,7 +2142,8 @@ func sqlCommonGetFolders(limit, offset int, order string, minimal bool, dbHandle
 				return folders, err
 			}
 		} else {
-			var mappedPath, description, fsConfig sql.NullString
+			var mappedPath, description sql.NullString
+			var fsConfig []byte
 			err = rows.Scan(&folder.ID, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles,
 				&folder.LastQuotaUpdate, &folder.Name, &description, &fsConfig)
 			if err != nil {
@@ -2026,12 +2155,10 @@ func sqlCommonGetFolders(limit, offset int, order string, minimal bool, dbHandle
 			if description.Valid {
 				folder.Description = description.String
 			}
-			if fsConfig.Valid {
-				var fs vfs.Filesystem
-				err = json.Unmarshal([]byte(fsConfig.String), &fs)
-				if err == nil {
-					folder.FsConfig = fs
-				}
+			var fs vfs.Filesystem
+			err = json.Unmarshal(fsConfig, &fs)
+			if err == nil {
+				folder.FsConfig = fs
 			}
 		}
 		folder.PrepareForRendering()
@@ -2297,7 +2424,8 @@ func getUsersWithVirtualFolders(ctx context.Context, users []User, dbHandle sqlQ
 	for rows.Next() {
 		var folder vfs.VirtualFolder
 		var userID int64
-		var mappedPath, fsConfig, description sql.NullString
+		var mappedPath, description sql.NullString
+		var fsConfig []byte
 		err = rows.Scan(&folder.ID, &folder.Name, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles,
 			&folder.LastQuotaUpdate, &folder.VirtualPath, &folder.QuotaSize, &folder.QuotaFiles, &userID, &fsConfig,
 			&description)
@@ -2310,12 +2438,10 @@ func getUsersWithVirtualFolders(ctx context.Context, users []User, dbHandle sqlQ
 		if description.Valid {
 			folder.Description = description.String
 		}
-		if fsConfig.Valid {
-			var fs vfs.Filesystem
-			err = json.Unmarshal([]byte(fsConfig.String), &fs)
-			if err == nil {
-				folder.FsConfig = fs
-			}
+		var fs vfs.Filesystem
+		err = json.Unmarshal(fsConfig, &fs)
+		if err == nil {
+			folder.FsConfig = fs
 		}
 		usersVirtualFolders[userID] = append(usersVirtualFolders[userID], folder)
 	}
@@ -2390,6 +2516,28 @@ func getGroupWithUsers(ctx context.Context, group Group, dbHandle sqlQuerier) (G
 	return groups[0], err
 }
 
+func getRoleWithUsers(ctx context.Context, role Role, dbHandle sqlQuerier) (Role, error) {
+	roles, err := getRolesWithUsers(ctx, []Role{role}, dbHandle)
+	if err != nil {
+		return role, err
+	}
+	if len(roles) == 0 {
+		return role, errors.New("unable to associate users with role")
+	}
+	return roles[0], err
+}
+
+func getRoleWithAdmins(ctx context.Context, role Role, dbHandle sqlQuerier) (Role, error) {
+	roles, err := getRolesWithAdmins(ctx, []Role{role}, dbHandle)
+	if err != nil {
+		return role, err
+	}
+	if len(roles) == 0 {
+		return role, errors.New("unable to associate admins with role")
+	}
+	return roles[0], err
+}
+
 func getGroupWithAdmins(ctx context.Context, group Group, dbHandle sqlQuerier) (Group, error) {
 	groups, err := getGroupsWithAdmins(ctx, []Group{group}, dbHandle)
 	if err != nil {
@@ -2427,7 +2575,8 @@ func getGroupsWithVirtualFolders(ctx context.Context, groups []Group, dbHandle s
 	for rows.Next() {
 		var groupID int64
 		var folder vfs.VirtualFolder
-		var mappedPath, fsConfig, description sql.NullString
+		var mappedPath, description sql.NullString
+		var fsConfig []byte
 		err = rows.Scan(&folder.ID, &folder.Name, &mappedPath, &folder.UsedQuotaSize, &folder.UsedQuotaFiles,
 			&folder.LastQuotaUpdate, &folder.VirtualPath, &folder.QuotaSize, &folder.QuotaFiles, &groupID, &fsConfig,
 			&description)
@@ -2440,12 +2589,10 @@ func getGroupsWithVirtualFolders(ctx context.Context, groups []Group, dbHandle s
 		if description.Valid {
 			folder.Description = description.String
 		}
-		if fsConfig.Valid {
-			var fs vfs.Filesystem
-			err = json.Unmarshal([]byte(fsConfig.String), &fs)
-			if err == nil {
-				folder.FsConfig = fs
-			}
+		var fs vfs.Filesystem
+		err = json.Unmarshal(fsConfig, &fs)
+		if err == nil {
+			folder.FsConfig = fs
 		}
 		groupsVirtualFolders[groupID] = append(groupsVirtualFolders[groupID], folder)
 	}
@@ -2498,6 +2645,71 @@ func getGroupsWithUsers(ctx context.Context, groups []Group, dbHandle sqlQuerier
 	return groups, err
 }
 
+func getRolesWithUsers(ctx context.Context, roles []Role, dbHandle sqlQuerier) ([]Role, error) {
+	if len(roles) == 0 {
+		return roles, nil
+	}
+	rows, err := dbHandle.QueryContext(ctx, getUsersWithRolesQuery(roles))
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	rolesUsers := make(map[int64][]string)
+	for rows.Next() {
+		var roleID int64
+		var username string
+		err = rows.Scan(&roleID, &username)
+		if err != nil {
+			return roles, err
+		}
+		rolesUsers[roleID] = append(rolesUsers[roleID], username)
+	}
+	err = rows.Err()
+	if err != nil {
+		return roles, err
+	}
+	if len(rolesUsers) > 0 {
+		for idx := range roles {
+			ref := &roles[idx]
+			ref.Users = rolesUsers[ref.ID]
+		}
+	}
+	return roles, nil
+}
+
+func getRolesWithAdmins(ctx context.Context, roles []Role, dbHandle sqlQuerier) ([]Role, error) {
+	if len(roles) == 0 {
+		return roles, nil
+	}
+	rows, err := dbHandle.QueryContext(ctx, getAdminsWithRolesQuery(roles))
+	if err != nil {
+		return nil, err
+	}
+	defer rows.Close()
+
+	rolesAdmins := make(map[int64][]string)
+	for rows.Next() {
+		var roleID int64
+		var username string
+		err = rows.Scan(&roleID, &username)
+		if err != nil {
+			return roles, err
+		}
+		rolesAdmins[roleID] = append(rolesAdmins[roleID], username)
+	}
+	if err = rows.Err(); err != nil {
+		return roles, err
+	}
+	if len(rolesAdmins) > 0 {
+		for idx := range roles {
+			ref := &roles[idx]
+			ref.Admins = rolesAdmins[ref.ID]
+		}
+	}
+	return roles, nil
+}
+
 func getGroupsWithAdmins(ctx context.Context, groups []Group, dbHandle sqlQuerier) ([]Group, error) {
 	if len(groups) == 0 {
 		return groups, nil
@@ -2701,7 +2913,7 @@ func getRelatedValuesForAPIKeys(ctx context.Context, apiKeys []APIKey, dbHandle
 func sqlCommonGetAPIKeyRelatedIDs(apiKey *APIKey) (sql.NullInt64, sql.NullInt64, error) {
 	var userID, adminID sql.NullInt64
 	if apiKey.User != "" {
-		u, err := provider.userExists(apiKey.User)
+		u, err := provider.userExists(apiKey.User, "")
 		if err != nil {
 			return userID, adminID, util.NewValidationError(fmt.Sprintf("unable to validate user %v", apiKey.User))
 		}

internal/dataprovider/sqlite.go

@@ -24,6 +24,7 @@ import (
 	"errors"
 	"fmt"
 	"path/filepath"
+	"strings"
 	"time"
 
 	// we import go-sqlite3 here to be able to disable SQLite support using a build tag
@@ -55,6 +56,7 @@ DROP TABLE IF EXISTS "{{rules_actions_mapping}}";
 DROP TABLE IF EXISTS "{{events_rules}}";
 DROP TABLE IF EXISTS "{{events_actions}}";
 DROP TABLE IF EXISTS "{{tasks}}";
+DROP TABLE IF EXISTS "{{roles}}";
 DROP TABLE IF EXISTS "{{schema_version}}";
 `
 	sqliteInitialSQL = `CREATE TABLE "{{schema_version}}" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "version" integer NOT NULL);
@@ -159,6 +161,19 @@ CREATE INDEX "{{prefix}}rules_actions_mapping_order_idx" ON "{{rules_actions_map
 CREATE INDEX "{{prefix}}admins_groups_mapping_admin_id_idx" ON "{{admins_groups_mapping}}" ("admin_id");
 CREATE INDEX "{{prefix}}admins_groups_mapping_group_id_idx" ON "{{admins_groups_mapping}}" ("group_id");
 INSERT INTO {{schema_version}} (version) VALUES (23);
+`
+	sqliteV24SQL = `CREATE TABLE "{{roles}}" ("id" integer NOT NULL PRIMARY KEY AUTOINCREMENT, "name" varchar(255) NOT NULL UNIQUE,
+"description" varchar(512) NULL, "created_at" bigint NOT NULL, "updated_at" bigint NOT NULL);
+ALTER TABLE "{{users}}" ADD COLUMN "role_id" integer NULL REFERENCES "{{roles}}" ("id") ON DELETE SET NULL;
+ALTER TABLE "{{admins}}" ADD COLUMN "role_id" integer NULL REFERENCES "{{roles}}" ("id") ON DELETE NO ACTION;
+CREATE INDEX "{{prefix}}users_role_id_idx" ON "{{users}}" ("role_id");
+CREATE INDEX "{{prefix}}admins_role_id_idx" ON "{{admins}}" ("role_id");
+`
+	sqliteV24DownSQL = `DROP INDEX "{{prefix}}users_role_id_idx";
+DROP INDEX "{{prefix}}admins_role_id_idx";
+ALTER TABLE "{{users}}" DROP COLUMN role_id;
+ALTER TABLE "{{admins}}" DROP COLUMN role_id;
+DROP TABLE "{{roles}}";
 `
 )
 
@@ -239,8 +254,8 @@ func (p *SQLiteProvider) updateAdminLastLogin(username string) error {
 	return sqlCommonUpdateAdminLastLogin(username, p.dbHandle)
 }
 
-func (p *SQLiteProvider) userExists(username string) (User, error) {
-	return sqlCommonGetUserByUsername(username, p.dbHandle)
+func (p *SQLiteProvider) userExists(username, role string) (User, error) {
+	return sqlCommonGetUserByUsername(username, role, p.dbHandle)
 }
 
 func (p *SQLiteProvider) addUser(user *User) error {
@@ -267,8 +282,8 @@ func (p *SQLiteProvider) getRecentlyUpdatedUsers(after int64) ([]User, error) {
 	return sqlCommonGetRecentlyUpdatedUsers(after, p.dbHandle)
 }
 
-func (p *SQLiteProvider) getUsers(limit int, offset int, order string) ([]User, error) {
-	return sqlCommonGetUsers(limit, offset, order, p.dbHandle)
+func (p *SQLiteProvider) getUsers(limit int, offset int, order, role string) ([]User, error) {
+	return sqlCommonGetUsers(limit, offset, order, role, p.dbHandle)
 }
 
 func (p *SQLiteProvider) getUsersForQuotaCheck(toFetch map[string]bool) ([]User, error) {
@@ -581,6 +596,30 @@ func (*SQLiteProvider) cleanupNodes() error {
 	return ErrNotImplemented
 }
 
+func (p *SQLiteProvider) roleExists(name string) (Role, error) {
+	return sqlCommonGetRoleByName(name, p.dbHandle)
+}
+
+func (p *SQLiteProvider) addRole(role *Role) error {
+	return sqlCommonAddRole(role, p.dbHandle)
+}
+
+func (p *SQLiteProvider) updateRole(role *Role) error {
+	return sqlCommonUpdateRole(role, p.dbHandle)
+}
+
+func (p *SQLiteProvider) deleteRole(role Role) error {
+	return sqlCommonDeleteRole(role, p.dbHandle)
+}
+
+func (p *SQLiteProvider) getRoles(limit int, offset int, order string, minimal bool) ([]Role, error) {
+	return sqlCommonGetRoles(limit, offset, order, minimal, p.dbHandle)
+}
+
+func (p *SQLiteProvider) dumpRoles() ([]Role, error) {
+	return sqlCommonDumpRoles(p.dbHandle)
+}
+
 func (p *SQLiteProvider) setFirstDownloadTimestamp(username string) error {
 	return sqlCommonSetFirstDownloadTimestamp(username, p.dbHandle)
 }
@@ -628,6 +667,8 @@ func (p *SQLiteProvider) migrateDatabase() error { //nolint:dupl
 		providerLog(logger.LevelError, "%v", err)
 		logger.ErrorToConsole("%v", err)
 		return err
+	case version == 23:
+		return updateSQLiteDatabaseFromV23(p.dbHandle)
 	default:
 		if version > sqlDatabaseVersion {
 			providerLog(logger.LevelError, "database schema version %d is newer than the supported one: %d", version,
@@ -650,6 +691,8 @@ func (p *SQLiteProvider) revertDatabase(targetVersion int) error {
 	}
 
 	switch dbVersion.Version {
+	case 24:
+		return downgradeSQLiteDatabaseFromV24(p.dbHandle)
 	default:
 		return fmt.Errorf("database schema version not handled: %d", dbVersion.Version)
 	}
@@ -660,6 +703,34 @@ func (p *SQLiteProvider) resetDatabase() error {
 	return sqlCommonExecSQLAndUpdateDBVersion(p.dbHandle, []string{sql}, 0, false)
 }
 
+func updateSQLiteDatabaseFromV23(dbHandle *sql.DB) error {
+	return updateSQLiteDatabaseFrom23To24(dbHandle)
+}
+
+func downgradeSQLiteDatabaseFromV24(dbHandle *sql.DB) error {
+	return downgradeSQLiteDatabaseFrom24To23(dbHandle)
+}
+
+func updateSQLiteDatabaseFrom23To24(dbHandle *sql.DB) error {
+	logger.InfoToConsole("updating database schema version: 23 -> 24")
+	providerLog(logger.LevelInfo, "updating database schema version: 23 -> 24")
+	sql := strings.ReplaceAll(sqliteV24SQL, "{{roles}}", sqlTableRoles)
+	sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins)
+	sql = strings.ReplaceAll(sql, "{{users}}", sqlTableUsers)
+	sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix)
+	return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 24, true)
+}
+
+func downgradeSQLiteDatabaseFrom24To23(dbHandle *sql.DB) error {
+	logger.InfoToConsole("downgrading database schema version: 24 -> 23")
+	providerLog(logger.LevelInfo, "downgrading database schema version: 24 -> 23")
+	sql := strings.ReplaceAll(sqliteV24DownSQL, "{{roles}}", sqlTableRoles)
+	sql = strings.ReplaceAll(sql, "{{admins}}", sqlTableAdmins)
+	sql = strings.ReplaceAll(sql, "{{users}}", sqlTableUsers)
+	sql = strings.ReplaceAll(sql, "{{prefix}}", config.SQLTablesPrefix)
+	return sqlCommonExecSQLAndUpdateDBVersion(dbHandle, []string{sql}, 23, false)
+}
+
 /*func setPragmaFK(dbHandle *sql.DB, value string) error {
 	ctx, cancel := context.WithTimeout(context.Background(), longSQLQueryTimeout)
 	defer cancel()

internal/dataprovider/sqlqueries.go

@@ -23,17 +23,19 @@ import (
 )
 
 const (
-	selectUserFields = "id,username,password,public_keys,home_dir,uid,gid,max_sessions,quota_size,quota_files,permissions,used_quota_size," +
-		"used_quota_files,last_quota_update,upload_bandwidth,download_bandwidth,expiration_date,last_login,status,filters,filesystem," +
-		"additional_info,description,email,created_at,updated_at,upload_data_transfer,download_data_transfer,total_data_transfer," +
-		"used_upload_data_transfer,used_download_data_transfer,deleted_at,first_download,first_upload"
+	selectUserFields = "u.id,u.username,u.password,u.public_keys,u.home_dir,u.uid,u.gid,u.max_sessions,u.quota_size,u.quota_files," +
+		"u.permissions,u.used_quota_size,u.used_quota_files,u.last_quota_update,u.upload_bandwidth,u.download_bandwidth," +
+		"u.expiration_date,u.last_login,u.status,u.filters,u.filesystem,u.additional_info,u.description,u.email,u.created_at," +
+		"u.updated_at,u.upload_data_transfer,u.download_data_transfer,u.total_data_transfer," +
+		"u.used_upload_data_transfer,u.used_download_data_transfer,u.deleted_at,u.first_download,u.first_upload,r.name"
 	selectFolderFields = "id,path,used_quota_size,used_quota_files,last_quota_update,name,description,filesystem"
-	selectAdminFields  = "id,username,password,status,email,permissions,filters,additional_info,description,created_at,updated_at,last_login"
+	selectAdminFields  = "a.id,a.username,a.password,a.status,a.email,a.permissions,a.filters,a.additional_info,a.description,a.created_at,a.updated_at,a.last_login,r.name"
 	selectAPIKeyFields = "key_id,name,api_key,scope,created_at,updated_at,last_use_at,expires_at,description,user_id,admin_id"
 	selectShareFields  = "s.share_id,s.name,s.description,s.scope,s.paths,u.username,s.created_at,s.updated_at,s.last_use_at," +
 		"s.expires_at,s.password,s.max_tokens,s.used_tokens,s.allow_from"
 	selectGroupFields       = "id,name,description,created_at,updated_at,user_settings"
 	selectEventActionFields = "id,name,description,type,options"
+	selectRoleFields        = "id,name,description,created_at,updated_at"
 	selectMinimalFields     = "id,name"
 )
 
@@ -65,6 +67,13 @@ func getSelectEventRuleFields() string {
 	return `id,name,description,created_at,updated_at,"trigger",conditions,deleted_at`
 }
 
+func getCoalesceDefaultForRole(role string) string {
+	if role != "" {
+		return "0"
+	}
+	return "NULL"
+}
+
 func getAddSessionQuery() string {
 	if config.Driver == MySQLDataProviderName {
 		return fmt.Sprintf("INSERT INTO %s (`key`,`data`,`type`,`timestamp`) VALUES (%s,%s,%s,%s) "+
@@ -170,6 +179,75 @@ func getDefenderEventsCleanupQuery() string {
 	return fmt.Sprintf(`DELETE FROM %s WHERE date_time < %s`, sqlTableDefenderEvents, sqlPlaceholders[0])
 }
 
+func getRoleByNameQuery() string {
+	return fmt.Sprintf(`SELECT %s FROM %s WHERE name = %s`, selectRoleFields, sqlTableRoles,
+		sqlPlaceholders[0])
+}
+
+func getRolesQuery(order string, minimal bool) string {
+	var fieldSelection string
+	if minimal {
+		fieldSelection = selectMinimalFields
+	} else {
+		fieldSelection = selectRoleFields
+	}
+	return fmt.Sprintf(`SELECT %s FROM %s ORDER BY name %s LIMIT %s OFFSET %s`, fieldSelection,
+		sqlTableRoles, order, sqlPlaceholders[0], sqlPlaceholders[1])
+}
+
+func getUsersWithRolesQuery(roles []Role) string {
+	var sb strings.Builder
+	for _, r := range roles {
+		if sb.Len() == 0 {
+			sb.WriteString("(")
+		} else {
+			sb.WriteString(",")
+		}
+		sb.WriteString(strconv.FormatInt(r.ID, 10))
+	}
+	if sb.Len() > 0 {
+		sb.WriteString(")")
+	}
+	return fmt.Sprintf(`SELECT r.id, u.username FROM %s u INNER JOIN %s r ON u.role_id = r.id WHERE u.role_id IN %s`,
+		sqlTableUsers, sqlTableRoles, sb.String())
+}
+
+func getAdminsWithRolesQuery(roles []Role) string {
+	var sb strings.Builder
+	for _, r := range roles {
+		if sb.Len() == 0 {
+			sb.WriteString("(")
+		} else {
+			sb.WriteString(",")
+		}
+		sb.WriteString(strconv.FormatInt(r.ID, 10))
+	}
+	if sb.Len() > 0 {
+		sb.WriteString(")")
+	}
+	return fmt.Sprintf(`SELECT r.id, a.username FROM %s a INNER JOIN %s r ON a.role_id = r.id WHERE a.role_id IN %s`,
+		sqlTableAdmins, sqlTableRoles, sb.String())
+}
+
+func getDumpRolesQuery() string {
+	return fmt.Sprintf(`SELECT %s FROM %s`, selectRoleFields, sqlTableRoles)
+}
+
+func getAddRoleQuery() string {
+	return fmt.Sprintf(`INSERT INTO %s (name,description,created_at,updated_at)
+		VALUES (%s,%s,%s,%s)`, sqlTableRoles, sqlPlaceholders[0], sqlPlaceholders[1],
+		sqlPlaceholders[2], sqlPlaceholders[3])
+}
+
+func getUpdateRoleQuery() string {
+	return fmt.Sprintf(`UPDATE %s SET description=%s,updated_at=%s
+		WHERE name = %s`, sqlTableRoles, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2])
+}
+
+func getDeleteRoleQuery() string {
+	return fmt.Sprintf(`DELETE FROM %s WHERE name = %s`, sqlTableRoles, sqlPlaceholders[0])
+}
+
 func getGroupByNameQuery() string {
 	return fmt.Sprintf(`SELECT %s FROM %s WHERE name = %s`, selectGroupFields, getSQLQuotedName(sqlTableGroups),
 		sqlPlaceholders[0])
@@ -244,29 +322,33 @@ func getDeleteGroupQuery() string {
 }
 
 func getAdminByUsernameQuery() string {
-	return fmt.Sprintf(`SELECT %s FROM %s WHERE username = %s`, selectAdminFields, sqlTableAdmins, sqlPlaceholders[0])
+	return fmt.Sprintf(`SELECT %s FROM %s a LEFT JOIN %s r on r.id = a.role_id WHERE a.username = %s`,
+		selectAdminFields, sqlTableAdmins, sqlTableRoles, sqlPlaceholders[0])
 }
 
 func getAdminsQuery(order string) string {
-	return fmt.Sprintf(`SELECT %s FROM %s ORDER BY username %s LIMIT %s OFFSET %s`, selectAdminFields, sqlTableAdmins,
-		order, sqlPlaceholders[0], sqlPlaceholders[1])
+	return fmt.Sprintf(`SELECT %s FROM %s a LEFT JOIN %s r on r.id = a.role_id ORDER BY a.username %s LIMIT %s OFFSET %s`,
+		selectAdminFields, sqlTableAdmins, sqlTableRoles, order, sqlPlaceholders[0], sqlPlaceholders[1])
 }
 
 func getDumpAdminsQuery() string {
-	return fmt.Sprintf(`SELECT %s FROM %s`, selectAdminFields, sqlTableAdmins)
+	return fmt.Sprintf(`SELECT %s FROM %s a LEFT JOIN %s r on r.id = a.role_id`,
+		selectAdminFields, sqlTableAdmins, sqlTableRoles)
 }
 
-func getAddAdminQuery() string {
-	return fmt.Sprintf(`INSERT INTO %s (username,password,status,email,permissions,filters,additional_info,description,created_at,updated_at,last_login)
-		VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0)`, sqlTableAdmins, sqlPlaceholders[0], sqlPlaceholders[1],
-		sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7],
-		sqlPlaceholders[8], sqlPlaceholders[9])
+func getAddAdminQuery(role string) string {
+	return fmt.Sprintf(`INSERT INTO %s (username,password,status,email,permissions,filters,additional_info,description,created_at,updated_at,last_login,role_id)
+		VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0,COALESCE((SELECT id from %s WHERE name = %s),%s))`,
+		sqlTableAdmins, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4],
+		sqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9],
+		sqlTableRoles, sqlPlaceholders[10], getCoalesceDefaultForRole(role))
 }
 
-func getUpdateAdminQuery() string {
-	return fmt.Sprintf(`UPDATE %s SET password=%s,status=%s,email=%s,permissions=%s,filters=%s,additional_info=%s,description=%s,updated_at=%s
-		WHERE username = %s`, sqlTableAdmins, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2],
-		sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8])
+func getUpdateAdminQuery(role string) string {
+	return fmt.Sprintf(`UPDATE %s SET password=%s,status=%s,email=%s,permissions=%s,filters=%s,additional_info=%s,description=%s,updated_at=%s,
+		role_id=COALESCE((SELECT id from %s WHERE name = %s),%s) WHERE username = %s`, sqlTableAdmins, sqlPlaceholders[0],
+		sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4], sqlPlaceholders[5], sqlPlaceholders[6],
+		sqlPlaceholders[7], sqlTableRoles, sqlPlaceholders[8], getCoalesceDefaultForRole(role), sqlPlaceholders[9])
 }
 
 func getDeleteAdminQuery() string {
@@ -393,14 +475,25 @@ func getRelatedAdminsForAPIKeysQuery(apiKeys []APIKey) string {
 	return fmt.Sprintf(`SELECT id,username FROM %s WHERE id IN %s`, sqlTableAdmins, sb.String())
 }
 
-func getUserByUsernameQuery() string {
-	return fmt.Sprintf(`SELECT %s FROM %s WHERE username = %s AND deleted_at = 0`,
-		selectUserFields, sqlTableUsers, sqlPlaceholders[0])
+func getUserByUsernameQuery(role string) string {
+	if role == "" {
+		return fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE u.username = %s AND u.deleted_at = 0`,
+			selectUserFields, sqlTableUsers, sqlTableRoles, sqlPlaceholders[0])
+	}
+	return fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE u.username = %s AND u.deleted_at = 0
+		AND u.role_id is NOT NULL AND r.name = %s`,
+		selectUserFields, sqlTableUsers, sqlTableRoles, sqlPlaceholders[0], sqlPlaceholders[1])
 }
 
-func getUsersQuery(order string) string {
-	return fmt.Sprintf(`SELECT %s FROM %s WHERE deleted_at = 0 ORDER BY username %s LIMIT %s OFFSET %s`,
-		selectUserFields, sqlTableUsers, order, sqlPlaceholders[0], sqlPlaceholders[1])
+func getUsersQuery(order, role string) string {
+	if role == "" {
+		return fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE
+			u.deleted_at = 0 ORDER BY u.username %s LIMIT %s OFFSET %s`,
+			selectUserFields, sqlTableUsers, sqlTableRoles, order, sqlPlaceholders[0], sqlPlaceholders[1])
+	}
+	return fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE
+		u.deleted_at = 0 AND u.role_id is NOT NULL AND r.name = %s ORDER BY u.username %s LIMIT %s OFFSET %s`,
+		selectUserFields, sqlTableUsers, sqlTableRoles, sqlPlaceholders[0], order, sqlPlaceholders[1], sqlPlaceholders[2])
 }
 
 func getUsersForQuotaCheckQuery(numArgs int) string {
@@ -422,12 +515,13 @@ func getUsersForQuotaCheckQuery(numArgs int) string {
 }
 
 func getRecentlyUpdatedUsersQuery() string {
-	return fmt.Sprintf(`SELECT %s FROM %s WHERE updated_at >= %s OR deleted_at > 0`,
-		selectUserFields, sqlTableUsers, sqlPlaceholders[0])
+	return fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE u.updated_at >= %s OR u.deleted_at > 0`,
+		selectUserFields, sqlTableUsers, sqlTableRoles, sqlPlaceholders[0])
 }
 
 func getDumpUsersQuery() string {
-	return fmt.Sprintf(`SELECT %s FROM %s WHERE deleted_at = 0`, selectUserFields, sqlTableUsers)
+	return fmt.Sprintf(`SELECT %s FROM %s u LEFT JOIN %s r on r.id = u.role_id WHERE u.deleted_at = 0`,
+		selectUserFields, sqlTableUsers, sqlTableRoles)
 }
 
 func getDumpFoldersQuery() string {
@@ -490,29 +584,32 @@ func getQuotaQuery() string {
 		sqlTableUsers, sqlPlaceholders[0])
 }
 
-func getAddUserQuery() string {
+func getAddUserQuery(role string) string {
 	return fmt.Sprintf(`INSERT INTO %s (username,password,public_keys,home_dir,uid,gid,max_sessions,quota_size,quota_files,permissions,
 		used_quota_size,used_quota_files,last_quota_update,upload_bandwidth,download_bandwidth,status,last_login,expiration_date,filters,
 		filesystem,additional_info,description,email,created_at,updated_at,upload_data_transfer,download_data_transfer,total_data_transfer,
-		used_upload_data_transfer,used_download_data_transfer,deleted_at,first_download,first_upload)
-		VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0,0,0,%s,%s,%s,0,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0,0,0,0,0)`,
+		used_upload_data_transfer,used_download_data_transfer,deleted_at,first_download,first_upload,role_id)
+		VALUES (%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0,0,0,%s,%s,%s,0,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,%s,0,0,0,0,0,
+		COALESCE((SELECT id from %s WHERE name=%s),%s))`,
 		sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4],
 		sqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9],
 		sqlPlaceholders[10], sqlPlaceholders[11], sqlPlaceholders[12], sqlPlaceholders[13], sqlPlaceholders[14],
 		sqlPlaceholders[15], sqlPlaceholders[16], sqlPlaceholders[17], sqlPlaceholders[18], sqlPlaceholders[19],
-		sqlPlaceholders[20], sqlPlaceholders[21], sqlPlaceholders[22], sqlPlaceholders[23])
+		sqlPlaceholders[20], sqlPlaceholders[21], sqlPlaceholders[22], sqlPlaceholders[23], sqlTableRoles,
+		sqlPlaceholders[24], getCoalesceDefaultForRole(role))
 }
 
-func getUpdateUserQuery() string {
+func getUpdateUserQuery(role string) string {
 	return fmt.Sprintf(`UPDATE %s SET password=%s,public_keys=%s,home_dir=%s,uid=%s,gid=%s,max_sessions=%s,quota_size=%s,
 		quota_files=%s,permissions=%s,upload_bandwidth=%s,download_bandwidth=%s,status=%s,expiration_date=%s,filters=%s,filesystem=%s,
 		additional_info=%s,description=%s,email=%s,updated_at=%s,upload_data_transfer=%s,download_data_transfer=%s,
-		total_data_transfer=%s WHERE id = %s`,
+		total_data_transfer=%s,role_id=COALESCE((SELECT id from %s WHERE name=%s),%s) WHERE id = %s`,
 		sqlTableUsers, sqlPlaceholders[0], sqlPlaceholders[1], sqlPlaceholders[2], sqlPlaceholders[3], sqlPlaceholders[4],
 		sqlPlaceholders[5], sqlPlaceholders[6], sqlPlaceholders[7], sqlPlaceholders[8], sqlPlaceholders[9],
 		sqlPlaceholders[10], sqlPlaceholders[11], sqlPlaceholders[12], sqlPlaceholders[13], sqlPlaceholders[14],
 		sqlPlaceholders[15], sqlPlaceholders[16], sqlPlaceholders[17], sqlPlaceholders[18], sqlPlaceholders[19],
-		sqlPlaceholders[20], sqlPlaceholders[21], sqlPlaceholders[22])
+		sqlPlaceholders[20], sqlPlaceholders[21], sqlTableRoles, sqlPlaceholders[22], getCoalesceDefaultForRole(role),
+		sqlPlaceholders[23])
 }
 
 func getUpdateUserPasswordQuery() string {

internal/dataprovider/user.go

@@ -390,7 +390,7 @@ func (u *User) setAnonymousSettings() {
 // RenderAsJSON implements the renderer interface used within plugins
 func (u *User) RenderAsJSON(reload bool) ([]byte, error) {
 	if reload {
-		user, err := provider.userExists(u.Username)
+		user, err := provider.userExists(u.Username, "")
 		if err != nil {
 			providerLog(logger.LevelError, "unable to reload user before rendering as json: %v", err)
 			return nil, err
@@ -500,7 +500,7 @@ func (u *User) getForbiddenSFTPSelfUsers(username string) ([]string, error) {
 	if allowSelfConnections == 0 {
 		return nil, nil
 	}
-	sftpUser, err := UserExists(username)
+	sftpUser, err := UserExists(username, "")
 	if err == nil {
 		err = sftpUser.LoadAndApplyGroupSettings()
 	}
@@ -1825,6 +1825,13 @@ func (u *User) removeDuplicatesAfterGroupMerge() {
 	u.groupSettingsApplied = true
 }
 
+func (u *User) hasRole(role string) bool {
+	if role == "" {
+		return true
+	}
+	return role == u.Role
+}
+
 func (u *User) getACopy() User {
 	u.SetEmptySecretsIfNil()
 	pubKeys := make([]string, len(u.PublicKeys))
@@ -1899,6 +1906,7 @@ func (u *User) getACopy() User {
 			Description:              u.Description,
 			CreatedAt:                u.CreatedAt,
 			UpdatedAt:                u.UpdatedAt,
+			Role:                     u.Role,
 		},
 		Filters:              filters,
 		VirtualFolders:       virtualFolders,

internal/ftpd/cryptfs_test.go

@@ -43,7 +43,7 @@ func TestBasicFTPHandlingCryptFs(t *testing.T) {
 	assert.NoError(t, err)
 	client, err := getFTPClient(user, true, nil)
 	if assert.NoError(t, err) {
-		assert.Len(t, common.Connections.GetStats(), 1)
+		assert.Len(t, common.Connections.GetStats(""), 1)
 		testFilePath := filepath.Join(homeBasePath, testFileName)
 		testFileSize := int64(65535)
 		encryptedFileSize, err := getEncryptedFileSize(testFileSize)
@@ -131,7 +131,7 @@ func TestBasicFTPHandlingCryptFs(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, 1*time.Second, 50*time.Millisecond)
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond)
 	assert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,
 		50*time.Millisecond)
 }

internal/ftpd/ftpd_test.go

@@ -519,9 +519,9 @@ func TestBasicFTPHandling(t *testing.T) {
 		client, err := getFTPClient(user, true, nil)
 		if assert.NoError(t, err) {
 			if user.Username == defaultUsername {
-				assert.Len(t, common.Connections.GetStats(), 1)
+				assert.Len(t, common.Connections.GetStats(""), 1)
 			} else {
-				assert.Len(t, common.Connections.GetStats(), 2)
+				assert.Len(t, common.Connections.GetStats(""), 2)
 			}
 			testFilePath := filepath.Join(homeBasePath, testFileName)
 			testFileSize := int64(65535)
@@ -619,7 +619,7 @@ func TestBasicFTPHandling(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.RemoveAll(localUser.GetHomeDir())
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, 1*time.Second, 50*time.Millisecond)
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond)
 	assert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,
 		50*time.Millisecond)
 }
@@ -663,7 +663,7 @@ func TestHTTPFs(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, 1*time.Second, 50*time.Millisecond)
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond)
 	assert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,
 		50*time.Millisecond)
 }
@@ -1623,7 +1623,7 @@ func TestMaxConnections(t *testing.T) {
 		err = client.Quit()
 		assert.NoError(t, err)
 	}
-	err = dataprovider.DeleteUser(user.Username, "", "")
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
@@ -1653,7 +1653,7 @@ func TestMaxPerHostConnections(t *testing.T) {
 		err = client.Quit()
 		assert.NoError(t, err)
 	}
-	err = dataprovider.DeleteUser(user.Username, "", "")
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
@@ -1710,7 +1710,7 @@ func TestRateLimiter(t *testing.T) {
 		assert.Contains(t, err.Error(), "banned client IP")
 	}
 
-	err = dataprovider.DeleteUser(user.Username, "", "")
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
@@ -1752,7 +1752,7 @@ func TestDefender(t *testing.T) {
 		assert.Contains(t, err.Error(), "banned client IP")
 	}
 
-	err = dataprovider.DeleteUser(user.Username, "", "")
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
@@ -2387,10 +2387,10 @@ func TestClientClose(t *testing.T) {
 	if assert.NoError(t, err) {
 		err = checkBasicFTP(client)
 		assert.NoError(t, err)
-		stats := common.Connections.GetStats()
+		stats := common.Connections.GetStats("")
 		if assert.Len(t, stats, 1) {
-			common.Connections.Close(stats[0].ConnectionID)
-			assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 },
+			common.Connections.Close(stats[0].ConnectionID, "")
+			assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 },
 				1*time.Second, 50*time.Millisecond)
 		}
 	}
@@ -3671,7 +3671,7 @@ func TestNestedVirtualFolders(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.RemoveAll(localUser.GetHomeDir())
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, 1*time.Second, 50*time.Millisecond)
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 1*time.Second, 50*time.Millisecond)
 	assert.Eventually(t, func() bool { return common.Connections.GetClientConnections() == 0 }, 1000*time.Millisecond,
 		50*time.Millisecond)
 }
@@ -3818,7 +3818,7 @@ func waitTCPListening(address string) {
 
 func waitNoConnections() {
 	time.Sleep(50 * time.Millisecond)
-	for len(common.Connections.GetStats()) > 0 {
+	for len(common.Connections.GetStats("")) > 0 {
 		time.Sleep(50 * time.Millisecond)
 	}
 }

internal/ftpd/internal_test.go

@@ -620,12 +620,12 @@ func TestClientVersion(t *testing.T) {
 	}
 	err := common.Connections.Add(connection)
 	assert.NoError(t, err)
-	stats := common.Connections.GetStats()
+	stats := common.Connections.GetStats("")
 	if assert.Len(t, stats, 1) {
 		assert.Equal(t, "mock version", stats[0].ClientVersion)
 		common.Connections.Remove(connection.GetID())
 	}
-	assert.Len(t, common.Connections.GetStats(), 0)
+	assert.Len(t, common.Connections.GetStats(""), 0)
 }
 
 func TestDriverMethodsNotImplemented(t *testing.T) {

internal/httpd/api_admin.go

@@ -147,6 +147,10 @@ func updateAdmin(w http.ResponseWriter, r *http.Request) {
 			sendAPIResponse(w, r, errors.New("you cannot disable yourself"), "", http.StatusBadRequest)
 			return
 		}
+		if admin.Role != claims.Role {
+			sendAPIResponse(w, r, errors.New("you cannot add/change your role"), "", http.StatusBadRequest)
+			return
+		}
 	}
 	admin.ID = adminID
 	admin.Username = username

internal/httpd/api_http_user.go

@@ -40,7 +40,7 @@ func getUserConnection(w http.ResponseWriter, r *http.Request) (*Connection, err
 		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
 		return nil, fmt.Errorf("invalid token claims %w", err)
 	}
-	user, err := dataprovider.GetUserWithGroupSettings(claims.Username)
+	user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "")
 	if err != nil {
 		sendAPIResponse(w, r, nil, "Unable to retrieve your user", getRespStatus(err))
 		return nil, err
@@ -405,7 +405,7 @@ func getUserProfile(w http.ResponseWriter, r *http.Request) {
 		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
 		return
 	}
-	user, err := dataprovider.UserExists(claims.Username)
+	user, err := dataprovider.UserExists(claims.Username, "")
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
@@ -434,7 +434,7 @@ func updateUserProfile(w http.ResponseWriter, r *http.Request) {
 		sendAPIResponse(w, r, err, "", http.StatusBadRequest)
 		return
 	}
-	user, userMerged, err := dataprovider.GetUserVariants(claims.Username)
+	user, userMerged, err := dataprovider.GetUserVariants(claims.Username, "")
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return

internal/httpd/api_maintenance.go

@@ -180,6 +180,10 @@ func restoreBackup(content []byte, inputFile string, scanQuota, mode int, execut
 		return util.NewValidationError(fmt.Sprintf("unable to parse backup content: %v", err))
 	}
 
+	if err = RestoreRoles(dump.Roles, inputFile, mode, executor, ipAddress); err != nil {
+		return err
+	}
+
 	if err = RestoreFolders(dump.Folders, inputFile, mode, scanQuota, executor, ipAddress); err != nil {
 		return err
 	}
@@ -404,6 +408,30 @@ func RestoreAdmins(admins []dataprovider.Admin, inputFile string, mode int, exec
 	return nil
 }
 
+// RestoreRoles restores the specified roles
+func RestoreRoles(roles []dataprovider.Role, inputFile string, mode int, executor, ipAddress string) error {
+	for _, role := range roles {
+		role := role // pin
+		r, err := dataprovider.RoleExists(role.Name)
+		if err == nil {
+			if mode == 1 {
+				logger.Debug(logSender, "", "loaddata mode 1, existing role %q not updated", r.Name)
+				continue
+			}
+			role.ID = r.ID
+			err = dataprovider.UpdateRole(&role, executor, ipAddress)
+			logger.Debug(logSender, "", "restoring existing role: %q, dump file: %#v, error: %v", role.Name, inputFile, err)
+		} else {
+			err = dataprovider.AddRole(&role, executor, ipAddress)
+			logger.Debug(logSender, "", "adding new role: %q, dump file: %q, error: %v", role.Name, inputFile, err)
+		}
+		if err != nil {
+			return fmt.Errorf("unable to restore role %#v: %w", role.Name, err)
+		}
+	}
+	return nil
+}
+
 // RestoreGroups restores the specified groups
 func RestoreGroups(groups []dataprovider.Group, inputFile string, mode int, executor, ipAddress string) error {
 	for _, group := range groups {
@@ -433,7 +461,7 @@ func RestoreGroups(groups []dataprovider.Group, inputFile string, mode int, exec
 func RestoreUsers(users []dataprovider.User, inputFile string, mode, scanQuota int, executor, ipAddress string) error {
 	for _, user := range users {
 		user := user // pin
-		u, err := dataprovider.UserExists(user.Username)
+		u, err := dataprovider.UserExists(user.Username, "")
 		if err == nil {
 			if mode == 1 {
 				logger.Debug(logSender, "", "loaddata mode 1, existing user %#v not updated", u.Username)
@@ -454,7 +482,7 @@ func RestoreUsers(users []dataprovider.User, inputFile string, mode, scanQuota i
 			return fmt.Errorf("unable to restore user %#v: %w", user.Username, err)
 		}
 		if scanQuota == 1 || (scanQuota == 2 && user.HasQuotaRestrictions()) {
-			if common.QuotaScans.AddUserQuotaScan(user.Username) {
+			if common.QuotaScans.AddUserQuotaScan(user.Username, user.Role) {
 				logger.Debug(logSender, "", "starting quota scan for restored user: %#v", user.Username)
 				go doUserQuotaScan(user) //nolint:errcheck
 			}

internal/httpd/api_metadata.go

@@ -27,18 +27,28 @@ import (
 
 func getMetadataChecks(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-	render.JSON(w, r, common.ActiveMetadataChecks.Get())
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+		return
+	}
+	render.JSON(w, r, common.ActiveMetadataChecks.Get(claims.Role))
 }
 
 func startMetadataCheck(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+		return
+	}
 
-	user, err := dataprovider.GetUserWithGroupSettings(getURLParam(r, "username"))
+	user, err := dataprovider.GetUserWithGroupSettings(getURLParam(r, "username"), claims.Role)
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
 	}
-	if !common.ActiveMetadataChecks.Add(user.Username) {
+	if !common.ActiveMetadataChecks.Add(user.Username, user.Role) {
 		sendAPIResponse(w, r, err, fmt.Sprintf("Another check is already in progress for user %#v", user.Username),
 			http.StatusConflict)
 		return

internal/httpd/api_mfa.go

@@ -152,7 +152,7 @@ func getRecoveryCodes(w http.ResponseWriter, r *http.Request) {
 	recoveryCodes := make([]recoveryCode, 0, 12)
 	var accountRecoveryCodes []dataprovider.RecoveryCode
 	if claims.hasUserAudience() {
-		user, err := dataprovider.UserExists(claims.Username)
+		user, err := dataprovider.UserExists(claims.Username, "")
 		if err != nil {
 			sendAPIResponse(w, r, err, "", getRespStatus(err))
 			return
@@ -203,7 +203,7 @@ func generateRecoveryCodes(w http.ResponseWriter, r *http.Request) {
 		accountRecoveryCodes = append(accountRecoveryCodes, dataprovider.RecoveryCode{Secret: kms.NewPlainSecret(code)})
 	}
 	if claims.hasUserAudience() {
-		user, err := dataprovider.UserExists(claims.Username)
+		user, err := dataprovider.UserExists(claims.Username, "")
 		if err != nil {
 			sendAPIResponse(w, r, err, "", getRespStatus(err))
 			return
@@ -242,7 +242,7 @@ func getNewRecoveryCode() string {
 }
 
 func saveUserTOTPConfig(username string, r *http.Request, recoveryCodes []dataprovider.RecoveryCode) error {
-	user, err := dataprovider.UserExists(username)
+	user, err := dataprovider.UserExists(username, "")
 	if err != nil {
 		return err
 	}

internal/httpd/api_quota.go

@@ -44,7 +44,12 @@ type transferQuotaUsage struct {
 
 func getUsersQuotaScans(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-	render.JSON(w, r, common.QuotaScans.GetUsersQuotaScans())
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+		return
+	}
+	render.JSON(w, r, common.QuotaScans.GetUsersQuotaScans(claims.Role))
 }
 
 func getFoldersQuotaScans(w http.ResponseWriter, r *http.Request) {
@@ -86,8 +91,13 @@ func startFolderQuotaScan(w http.ResponseWriter, r *http.Request) {
 
 func updateUserTransferQuotaUsage(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+		return
+	}
 	var usage transferQuotaUsage
-	err := render.DecodeJSON(r.Body, &usage)
+	err = render.DecodeJSON(r.Body, &usage)
 	if err != nil {
 		sendAPIResponse(w, r, err, "", http.StatusBadRequest)
 		return
@@ -102,7 +112,7 @@ func updateUserTransferQuotaUsage(w http.ResponseWriter, r *http.Request) {
 		sendAPIResponse(w, r, err, "", http.StatusBadRequest)
 		return
 	}
-	user, err := dataprovider.GetUserWithGroupSettings(getURLParam(r, "username"))
+	user, err := dataprovider.GetUserWithGroupSettings(getURLParam(r, "username"), claims.Role)
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
@@ -122,6 +132,11 @@ func updateUserTransferQuotaUsage(w http.ResponseWriter, r *http.Request) {
 }
 
 func doUpdateUserQuotaUsage(w http.ResponseWriter, r *http.Request, username string, usage quotaUsage) {
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+		return
+	}
 	if usage.UsedQuotaFiles < 0 || usage.UsedQuotaSize < 0 {
 		sendAPIResponse(w, r, errors.New("invalid used quota parameters, negative values are not allowed"),
 			"", http.StatusBadRequest)
@@ -132,7 +147,7 @@ func doUpdateUserQuotaUsage(w http.ResponseWriter, r *http.Request, username str
 		sendAPIResponse(w, r, err, "", http.StatusBadRequest)
 		return
 	}
-	user, err := dataprovider.GetUserWithGroupSettings(username)
+	user, err := dataprovider.GetUserWithGroupSettings(username, claims.Role)
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
@@ -142,7 +157,7 @@ func doUpdateUserQuotaUsage(w http.ResponseWriter, r *http.Request, username str
 			"", http.StatusBadRequest)
 		return
 	}
-	if !common.QuotaScans.AddUserQuotaScan(user.Username) {
+	if !common.QuotaScans.AddUserQuotaScan(user.Username, user.Role) {
 		sendAPIResponse(w, r, err, "A quota scan is in progress for this user", http.StatusConflict)
 		return
 	}
@@ -189,12 +204,17 @@ func doStartUserQuotaScan(w http.ResponseWriter, r *http.Request, username strin
 		sendAPIResponse(w, r, nil, "Quota tracking is disabled!", http.StatusForbidden)
 		return
 	}
-	user, err := dataprovider.GetUserWithGroupSettings(username)
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+		return
+	}
+	user, err := dataprovider.GetUserWithGroupSettings(username, claims.Role)
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
 	}
-	if !common.QuotaScans.AddUserQuotaScan(user.Username) {
+	if !common.QuotaScans.AddUserQuotaScan(user.Username, user.Role) {
 		sendAPIResponse(w, r, nil, fmt.Sprintf("Another scan is already in progress for user %#v", username),
 			http.StatusConflict)
 		return

internal/httpd/api_retention.go

@@ -26,13 +26,23 @@ import (
 
 func getRetentionChecks(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
-	render.JSON(w, r, common.RetentionChecks.Get())
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+		return
+	}
+	render.JSON(w, r, common.RetentionChecks.Get(claims.Role))
 }
 
 func startRetentionCheck(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+		return
+	}
 	username := getURLParam(r, "username")
-	user, err := dataprovider.GetUserWithGroupSettings(username)
+	user, err := dataprovider.GetUserWithGroupSettings(username, claims.Role)
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
@@ -48,11 +58,6 @@ func startRetentionCheck(w http.ResponseWriter, r *http.Request) {
 	check.Notifications = getCommaSeparatedQueryParam(r, "notifications")
 	for _, notification := range check.Notifications {
 		if notification == common.RetentionCheckNotificationEmail {
-			claims, err := getTokenClaims(r)
-			if err != nil {
-				sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
-				return
-			}
 			admin, err := dataprovider.AdminExists(claims.Username)
 			if err != nil {
 				sendAPIResponse(w, r, err, "", getRespStatus(err))

internal/httpd/api_role.go

@@ -0,0 +1,129 @@
+// Copyright (C) 2019-2022  Nicola Murino
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published
+// by the Free Software Foundation, version 3.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <https://www.gnu.org/licenses/>.
+
+package httpd
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/go-chi/render"
+
+	"github.com/drakkan/sftpgo/v2/internal/dataprovider"
+	"github.com/drakkan/sftpgo/v2/internal/util"
+)
+
+func getRoles(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	limit, offset, order, err := getSearchFilters(w, r)
+	if err != nil {
+		return
+	}
+
+	roles, err := dataprovider.GetRoles(limit, offset, order, false)
+	if err != nil {
+		sendAPIResponse(w, r, err, "", http.StatusInternalServerError)
+		return
+	}
+	render.JSON(w, r, roles)
+}
+
+func addRole(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+		return
+	}
+	var role dataprovider.Role
+	err = render.DecodeJSON(r.Body, &role)
+	if err != nil {
+		sendAPIResponse(w, r, err, "", http.StatusBadRequest)
+		return
+	}
+	err = dataprovider.AddRole(&role, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr))
+	if err != nil {
+		sendAPIResponse(w, r, err, "", getRespStatus(err))
+		return
+	}
+	renderRole(w, r, role.Name, http.StatusCreated)
+}
+
+func updateRole(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+		return
+	}
+
+	name := getURLParam(r, "name")
+	role, err := dataprovider.RoleExists(name)
+	if err != nil {
+		sendAPIResponse(w, r, err, "", getRespStatus(err))
+		return
+	}
+	roleID := role.ID
+	name = role.Name
+	err = render.DecodeJSON(r.Body, &role)
+	if err != nil {
+		sendAPIResponse(w, r, err, "", http.StatusBadRequest)
+		return
+	}
+	role.ID = roleID
+	role.Name = name
+	err = dataprovider.UpdateRole(&role, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr))
+	if err != nil {
+		sendAPIResponse(w, r, err, "", getRespStatus(err))
+		return
+	}
+	sendAPIResponse(w, r, nil, "Role updated", http.StatusOK)
+}
+
+func renderRole(w http.ResponseWriter, r *http.Request, name string, status int) {
+	role, err := dataprovider.RoleExists(name)
+	if err != nil {
+		sendAPIResponse(w, r, err, "", getRespStatus(err))
+		return
+	}
+	if status != http.StatusOK {
+		ctx := context.WithValue(r.Context(), render.StatusCtxKey, status)
+		render.JSON(w, r.WithContext(ctx), role)
+	} else {
+		render.JSON(w, r, role)
+	}
+}
+
+func getRoleByName(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	name := getURLParam(r, "name")
+	renderRole(w, r, name, http.StatusOK)
+}
+
+func deleteRole(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+		return
+	}
+	name := getURLParam(r, "name")
+	err = dataprovider.DeleteRole(name, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr))
+	if err != nil {
+		sendAPIResponse(w, r, err, "", getRespStatus(err))
+		return
+	}
+	sendAPIResponse(w, r, err, "Role deleted", http.StatusOK)
+}

internal/httpd/api_shares.go

@@ -79,7 +79,7 @@ func addShare(w http.ResponseWriter, r *http.Request) {
 		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
 		return
 	}
-	user, err := dataprovider.GetUserWithGroupSettings(claims.Username)
+	user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "")
 	if err != nil {
 		sendAPIResponse(w, r, err, "Unable to retrieve your user", getRespStatus(err))
 		return
@@ -461,7 +461,7 @@ func (s *httpdServer) checkPublicShare(w http.ResponseWriter, r *http.Request, v
 }
 
 func getUserForShare(share dataprovider.Share) (dataprovider.User, error) {
-	user, err := dataprovider.GetUserWithGroupSettings(share.Username)
+	user, err := dataprovider.GetUserWithGroupSettings(share.Username, "")
 	if err != nil {
 		return user, err
 	}

internal/httpd/api_user.go

@@ -38,8 +38,13 @@ func getUsers(w http.ResponseWriter, r *http.Request) {
 	if err != nil {
 		return
 	}
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+		return
+	}
 
-	users, err := dataprovider.GetUsers(limit, offset, order)
+	users, err := dataprovider.GetUsers(limit, offset, order, claims.Role)
 	if err == nil {
 		render.JSON(w, r, users)
 	} else {
@@ -49,12 +54,17 @@ func getUsers(w http.ResponseWriter, r *http.Request) {
 
 func getUserByUsername(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
+		return
+	}
 	username := getURLParam(r, "username")
-	renderUser(w, r, username, http.StatusOK)
+	renderUser(w, r, username, claims.Role, http.StatusOK)
 }
 
-func renderUser(w http.ResponseWriter, r *http.Request, username string, status int) {
-	user, err := dataprovider.UserExists(username)
+func renderUser(w http.ResponseWriter, r *http.Request, username, role string, status int) {
+	user, err := dataprovider.UserExists(username, role)
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
@@ -90,12 +100,19 @@ func addUser(w http.ResponseWriter, r *http.Request) {
 		sendAPIResponse(w, r, err, "", http.StatusBadRequest)
 		return
 	}
+	if claims.Role != "" {
+		user.Role = claims.Role
+	}
+	user.Filters.RecoveryCodes = nil
+	user.Filters.TOTPConfig = dataprovider.UserTOTPConfig{
+		Enabled: false,
+	}
 	err = dataprovider.AddUser(&user, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr))
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
 	}
-	renderUser(w, r, user.Username, http.StatusCreated)
+	renderUser(w, r, user.Username, claims.Role, http.StatusCreated)
 }
 
 func disableUser2FA(w http.ResponseWriter, r *http.Request) {
@@ -106,7 +123,7 @@ func disableUser2FA(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	username := getURLParam(r, "username")
-	user, err := dataprovider.UserExists(username)
+	user, err := dataprovider.UserExists(username, claims.Role)
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
@@ -140,7 +157,7 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 			return
 		}
 	}
-	user, err := dataprovider.UserExists(username)
+	user, err := dataprovider.UserExists(username, claims.Role)
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
@@ -188,6 +205,9 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
 	updateEncryptedSecrets(&user.FsConfig, currentS3AccessSecret, currentAzAccountKey, currentAzSASUrl,
 		currentGCSCredentials, currentCryptoPassphrase, currentSFTPPassword, currentSFTPKey, currentSFTPKeyPassphrase,
 		currentHTTPPassword, currentHTTPAPIKey)
+	if claims.Role != "" {
+		user.Role = claims.Role
+	}
 	err = dataprovider.UpdateUser(&user, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr))
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
@@ -207,7 +227,7 @@ func deleteUser(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	username := getURLParam(r, "username")
-	err = dataprovider.DeleteUser(username, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr))
+	err = dataprovider.DeleteUser(username, claims.Username, util.GetIPFromRemoteAddress(r.RemoteAddr), claims.Role)
 	if err != nil {
 		sendAPIResponse(w, r, err, "", getRespStatus(err))
 		return
@@ -251,9 +271,9 @@ func resetUserPassword(w http.ResponseWriter, r *http.Request) {
 }
 
 func disconnectUser(username string) {
-	for _, stat := range common.Connections.GetStats() {
+	for _, stat := range common.Connections.GetStats("") {
 		if stat.Username == username {
-			common.Connections.Close(stat.ConnectionID)
+			common.Connections.Close(stat.ConnectionID, "")
 		}
 	}
 }

internal/httpd/api_utils.go

@@ -160,9 +160,9 @@ func getActiveConnections(w http.ResponseWriter, r *http.Request) {
 		sendAPIResponse(w, r, err, "Invalid token claims", http.StatusBadRequest)
 		return
 	}
-	stats := common.Connections.GetStats()
+	stats := common.Connections.GetStats(claims.Role)
 	if claims.NodeID == "" {
-		stats = append(stats, getNodesConnections(claims.Username)...)
+		stats = append(stats, getNodesConnections(claims.Username, claims.Role)...)
 	}
 	render.JSON(w, r, stats)
 }
@@ -181,7 +181,7 @@ func handleCloseConnection(w http.ResponseWriter, r *http.Request) {
 	}
 	node := r.URL.Query().Get("node")
 	if node == "" || node == dataprovider.GetNodeName() {
-		if common.Connections.Close(connectionID) {
+		if common.Connections.Close(connectionID, claims.Role) {
 			sendAPIResponse(w, r, nil, "Connection closed", http.StatusOK)
 		} else {
 			sendAPIResponse(w, r, nil, "Not Found", http.StatusNotFound)
@@ -195,7 +195,7 @@ func handleCloseConnection(w http.ResponseWriter, r *http.Request) {
 		sendAPIResponse(w, r, nil, http.StatusText(status), status)
 		return
 	}
-	if err := n.SendDeleteRequest(claims.Username, fmt.Sprintf("%s/%s", activeConnectionsPath, connectionID)); err != nil {
+	if err := n.SendDeleteRequest(claims.Username, claims.Role, fmt.Sprintf("%s/%s", activeConnectionsPath, connectionID)); err != nil {
 		logger.Warn(logSender, "", "unable to delete connection id %q from node %q: %v", connectionID, n.Name, err)
 		sendAPIResponse(w, r, nil, "Not Found", http.StatusNotFound)
 		return
@@ -205,7 +205,7 @@ func handleCloseConnection(w http.ResponseWriter, r *http.Request) {
 
 // getNodesConnections returns the active connections from other nodes.
 // Errors are silently ignored
-func getNodesConnections(admin string) []common.ConnectionStatus {
+func getNodesConnections(admin, role string) []common.ConnectionStatus {
 	nodes, err := dataprovider.GetNodes()
 	if err != nil || len(nodes) == 0 {
 		return nil
@@ -221,7 +221,7 @@ func getNodesConnections(admin string) []common.ConnectionStatus {
 			defer wg.Done()
 
 			var stats []common.ConnectionStatus
-			if err := node.SendGetRequest(admin, activeConnectionsPath, &stats); err != nil {
+			if err := node.SendGetRequest(admin, role, activeConnectionsPath, &stats); err != nil {
 				logger.Warn(logSender, "", "unable to get connections from node %s: %v", node.Name, err)
 				return
 			}
@@ -647,7 +647,7 @@ func handleForgotPassword(r *http.Request, username string, isAdmin bool) error
 		email = admin.Email
 		subject = fmt.Sprintf("Email Verification Code for admin %#v", username)
 	} else {
-		user, err = dataprovider.GetUserWithGroupSettings(username)
+		user, err = dataprovider.GetUserWithGroupSettings(username, "")
 		email = user.Email
 		subject = fmt.Sprintf("Email Verification Code for user %#v", username)
 		if err == nil {
@@ -719,7 +719,7 @@ func handleResetPassword(r *http.Request, code, newPassword string, isAdmin bool
 		err = resetCodesMgr.Delete(code)
 		return &admin, &user, err
 	}
-	user, err = dataprovider.GetUserWithGroupSettings(resetCode.Username)
+	user, err = dataprovider.GetUserWithGroupSettings(resetCode.Username, "")
 	if err != nil {
 		return &admin, &user, util.NewValidationError("Unable to associate the confirmation code with an existing user")
 	}

internal/httpd/auth_utils.go

@@ -21,7 +21,7 @@ import (
 	"time"
 
 	"github.com/go-chi/jwtauth/v5"
-	"github.com/lestrrat-go/jwx/jwt"
+	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/rs/xid"
 
 	"github.com/drakkan/sftpgo/v2/internal/dataprovider"
@@ -51,6 +51,7 @@ const (
 const (
 	claimUsernameKey                = "username"
 	claimPermissionsKey             = "permissions"
+	claimRole                       = "role"
 	claimAPIKey                     = "api_key"
 	claimNodeID                     = "node_id"
 	claimMustSetSecondFactorKey     = "2fa_required"
@@ -72,6 +73,7 @@ var (
 type jwtTokenClaims struct {
 	Username                   string
 	Permissions                []string
+	Role                       string
 	Signature                  string
 	Audience                   []string
 	APIKeyID                   string
@@ -96,6 +98,9 @@ func (c *jwtTokenClaims) asMap() map[string]any {
 
 	claims[claimUsernameKey] = c.Username
 	claims[claimPermissionsKey] = c.Permissions
+	if c.Role != "" {
+		claims[claimRole] = c.Role
+	}
 	if c.APIKeyID != "" {
 		claims[claimAPIKey] = c.APIKeyID
 	}
@@ -169,6 +174,13 @@ func (c *jwtTokenClaims) Decode(token map[string]any) {
 		}
 	}
 
+	if val, ok := token[claimRole]; ok {
+		switch v := val.(type) {
+		case string:
+			c.Role = v
+		}
+	}
+
 	permissions := token[claimPermissionsKey]
 	c.Permissions = c.decodeSliceString(permissions)
 
@@ -350,6 +362,7 @@ func getAdminFromToken(r *http.Request) *dataprovider.Admin {
 	admin.Username = tokenClaims.Username
 	admin.Permissions = tokenClaims.Permissions
 	admin.Filters.Preferences.HideUserPageSections = tokenClaims.HideUserPageSections
+	admin.Role = tokenClaims.Role
 	return admin
 }
 

internal/httpd/httpd.go

@@ -32,7 +32,7 @@ import (
 
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/jwtauth/v5"
-	"github.com/lestrrat-go/jwx/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwa"
 
 	"github.com/drakkan/sftpgo/v2/internal/common"
 	"github.com/drakkan/sftpgo/v2/internal/dataprovider"
@@ -91,6 +91,7 @@ const (
 	sharesPath                            = "/api/v2/shares"
 	eventActionsPath                      = "/api/v2/eventactions"
 	eventRulesPath                        = "/api/v2/eventrules"
+	rolesPath                             = "/api/v2/roles"
 	healthzPath                           = "/healthz"
 	robotsTxtPath                         = "/robots.txt"
 	webRootPathDefault                    = "/"
@@ -128,6 +129,8 @@ const (
 	webAdminEventRulePathDefault          = "/web/admin/eventrule"
 	webAdminEventActionsPathDefault       = "/web/admin/eventactions"
 	webAdminEventActionPathDefault        = "/web/admin/eventaction"
+	webAdminRolesPathDefault              = "/web/admin/roles"
+	webAdminRolePathDefault               = "/web/admin/role"
 	webAdminTOTPGeneratePathDefault       = "/web/admin/totp/generate"
 	webAdminTOTPValidatePathDefault       = "/web/admin/totp/validate"
 	webAdminTOTPSavePathDefault           = "/web/admin/totp/save"
@@ -211,6 +214,8 @@ var (
 	webAdminEventRulePath          string
 	webAdminEventActionsPath       string
 	webAdminEventActionPath        string
+	webAdminRolesPath              string
+	webAdminRolePath               string
 	webAdminTOTPGeneratePath       string
 	webAdminTOTPValidatePath       string
 	webAdminTOTPSavePath           string
@@ -1010,6 +1015,8 @@ func updateWebAdminURLs(baseURL string) {
 	webAdminEventRulePath = path.Join(baseURL, webAdminEventRulePathDefault)
 	webAdminEventActionsPath = path.Join(baseURL, webAdminEventActionsPathDefault)
 	webAdminEventActionPath = path.Join(baseURL, webAdminEventActionPathDefault)
+	webAdminRolesPath = path.Join(baseURL, webAdminRolesPathDefault)
+	webAdminRolePath = path.Join(baseURL, webAdminRolePathDefault)
 	webAdminTOTPGeneratePath = path.Join(baseURL, webAdminTOTPGeneratePathDefault)
 	webAdminTOTPValidatePath = path.Join(baseURL, webAdminTOTPValidatePathDefault)
 	webAdminTOTPSavePath = path.Join(baseURL, webAdminTOTPSavePathDefault)

internal/httpd/internal_test.go

@@ -40,8 +40,8 @@ import (
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/jwtauth/v5"
 	"github.com/klauspost/compress/zip"
-	"github.com/lestrrat-go/jwx/jwa"
-	"github.com/lestrrat-go/jwx/jwt"
+	"github.com/lestrrat-go/jwx/v2/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/rs/xid"
 	"github.com/sftpgo/sdk"
 	"github.com/stretchr/testify/assert"
@@ -686,6 +686,86 @@ func TestInvalidToken(t *testing.T) {
 	assert.Equal(t, http.StatusBadRequest, rr.Code)
 	assert.Contains(t, rr.Body.String(), "Invalid token claims")
 
+	rr = httptest.NewRecorder()
+	getMetadataChecks(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+
+	rr = httptest.NewRecorder()
+	startMetadataCheck(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+
+	rr = httptest.NewRecorder()
+	getUsersQuotaScans(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+
+	rr = httptest.NewRecorder()
+	updateUserTransferQuotaUsage(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+
+	rr = httptest.NewRecorder()
+	doUpdateUserQuotaUsage(rr, req, "", quotaUsage{})
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+
+	rr = httptest.NewRecorder()
+	doStartUserQuotaScan(rr, req, "")
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+
+	rr = httptest.NewRecorder()
+	getRetentionChecks(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+
+	rr = httptest.NewRecorder()
+	addRole(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+
+	rr = httptest.NewRecorder()
+	updateRole(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+
+	rr = httptest.NewRecorder()
+	deleteRole(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+
+	rr = httptest.NewRecorder()
+	getUsers(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+
+	rr = httptest.NewRecorder()
+	getUserByUsername(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "Invalid token claims")
+
+	rr = httptest.NewRecorder()
+	server.handleGetWebUsers(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "invalid token claims")
+
+	rr = httptest.NewRecorder()
+	server.handleWebUpdateUserGet(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "invalid token claims")
+
+	rr = httptest.NewRecorder()
+	server.handleWebUpdateRolePost(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "invalid token claims")
+
+	rr = httptest.NewRecorder()
+	server.handleWebAddRolePost(rr, req)
+	assert.Equal(t, http.StatusBadRequest, rr.Code)
+	assert.Contains(t, rr.Body.String(), "invalid token claims")
+
 	rr = httptest.NewRecorder()
 	server.handleWebAddAdminPost(rr, req)
 	assert.Equal(t, http.StatusBadRequest, rr.Code)
@@ -806,7 +886,7 @@ func TestRetentionInvalidTokenClaims(t *testing.T) {
 	assert.Equal(t, http.StatusBadRequest, rr.Code)
 	assert.Contains(t, rr.Body.String(), "Invalid token claims")
 
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 }
 
@@ -1030,6 +1110,13 @@ func TestCreateTokenError(t *testing.T) {
 	assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
 	assert.Contains(t, rr.Body.String(), "invalid URL escape")
 
+	req, _ = http.NewRequest(http.MethodPost, webAdminRolePath+"?a=a%C3%AO%JE", bytes.NewBuffer([]byte(form.Encode())))
+	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
+	rr = httptest.NewRecorder()
+	server.handleWebAddRolePost(rr, req)
+	assert.Equal(t, http.StatusOK, rr.Code, rr.Body.String())
+	assert.Contains(t, rr.Body.String(), "invalid URL escape")
+
 	req, _ = http.NewRequest(http.MethodPost, webClientResetPwdPath+"?a=a%C3%AO%JD", bytes.NewBuffer([]byte(form.Encode())))
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	rr = httptest.NewRecorder()
@@ -1074,7 +1161,7 @@ func TestCreateTokenError(t *testing.T) {
 	err = authenticateUserWithAPIKey(username, "", server.tokenAuth, req)
 	assert.Error(t, err)
 
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.HomeDir)
 	assert.NoError(t, err)
@@ -1341,13 +1428,13 @@ func TestCookieExpiration(t *testing.T) {
 	cookie = rr.Header().Get("Set-Cookie")
 	assert.Empty(t, cookie)
 
-	user, err = dataprovider.UserExists(user.Username)
+	user, err = dataprovider.UserExists(user.Username, "")
 	assert.NoError(t, err)
 	user.Filters.AllowedIP = []string{"172.16.4.0/24"}
 	err = dataprovider.UpdateUser(&user, "", "")
 	assert.NoError(t, err)
 
-	user, err = dataprovider.UserExists(user.Username)
+	user, err = dataprovider.UserExists(user.Username, "")
 	assert.NoError(t, err)
 	claims = make(map[string]any)
 	claims[claimUsernameKey] = user.Username
@@ -1372,7 +1459,7 @@ func TestCookieExpiration(t *testing.T) {
 	cookie = rr.Header().Get("Set-Cookie")
 	assert.NotEmpty(t, cookie)
 
-	err = dataprovider.DeleteUser(user.Username, "", "")
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
 }
 
@@ -1451,7 +1538,7 @@ func TestQuotaScanInvalidFs(t *testing.T) {
 			Provider: sdk.S3FilesystemProvider,
 		},
 	}
-	common.QuotaScans.AddUserQuotaScan(user.Username)
+	common.QuotaScans.AddUserQuotaScan(user.Username, "")
 	err := doUserQuotaScan(user)
 	assert.Error(t, err)
 }
@@ -2437,21 +2524,28 @@ func TestMetadataAPI(t *testing.T) {
 	err := dataprovider.AddUser(&user, "", "")
 	assert.NoError(t, err)
 
-	assert.True(t, common.ActiveMetadataChecks.Add(username))
+	assert.True(t, common.ActiveMetadataChecks.Add(username, ""))
 
+	tokenAuth := jwtauth.New(jwa.HS256.String(), util.GenerateRandomBytes(32), nil)
+	claims := make(map[string]any)
+	claims["username"] = defaultAdminUsername
+	claims[jwt.ExpirationKey] = time.Now().UTC().Add(1 * time.Hour)
+	token, _, err := tokenAuth.Encode(claims)
+	assert.NoError(t, err)
 	req, err := http.NewRequest(http.MethodPost, path.Join(metadataBasePath, username, "check"), nil)
 	assert.NoError(t, err)
 	rctx := chi.NewRouteContext()
 	rctx.URLParams.Add("username", username)
 	req = req.WithContext(context.WithValue(req.Context(), chi.RouteCtxKey, rctx))
+	req = req.WithContext(context.WithValue(req.Context(), jwtauth.TokenCtxKey, token))
 
 	rr := httptest.NewRecorder()
 	startMetadataCheck(rr, req)
-	assert.Equal(t, http.StatusConflict, rr.Code)
+	assert.Equal(t, http.StatusConflict, rr.Code, rr.Body.String())
 
 	assert.True(t, common.ActiveMetadataChecks.Remove(username))
-	assert.Len(t, common.ActiveMetadataChecks.Get(), 0)
-	err = dataprovider.DeleteUser(username, "", "")
+	assert.Len(t, common.ActiveMetadataChecks.Get(""), 0)
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 
 	user.FsConfig.Provider = sdk.AzureBlobFilesystemProvider

internal/httpd/middleware.go

@@ -21,7 +21,7 @@ import (
 	"strings"
 
 	"github.com/go-chi/jwtauth/v5"
-	"github.com/lestrrat-go/jwx/jwt"
+	"github.com/lestrrat-go/jwx/v2/jwt"
 	"github.com/rs/xid"
 	"github.com/sftpgo/sdk"
 
@@ -320,7 +320,7 @@ func checkNodeToken(tokenAuth *jwtauth.JWTAuth) func(next http.Handler) http.Han
 			if len(token) > 7 && strings.ToUpper(token[0:6]) == "BEARER" {
 				token = token[7:]
 			}
-			admin, err := dataprovider.AuthenticateNodeToken(token)
+			admin, role, err := dataprovider.AuthenticateNodeToken(token)
 			if err != nil {
 				logger.Debug(logSender, "", "unable to authenticate node token %q: %v", token, err)
 				sendAPIResponse(w, r, fmt.Errorf("the provided token cannot be authenticated"), "", http.StatusUnauthorized)
@@ -330,6 +330,7 @@ func checkNodeToken(tokenAuth *jwtauth.JWTAuth) func(next http.Handler) http.Han
 				Username:    admin,
 				Permissions: []string{dataprovider.PermAdminViewConnections, dataprovider.PermAdminCloseConnections},
 				NodeID:      dataprovider.GetNodeName(),
+				Role:        role,
 			}
 			resp, err := c.createTokenResponse(tokenAuth, tokenAudienceAPI, util.GetIPFromRemoteAddress(r.RemoteAddr))
 			if err != nil {
@@ -468,7 +469,7 @@ func authenticateUserWithAPIKey(username, keyID string, tokenAuth *jwtauth.JWTAu
 	if err := common.Config.ExecutePostConnectHook(ipAddr, protocol); err != nil {
 		return err
 	}
-	user, err := dataprovider.GetUserWithGroupSettings(username)
+	user, err := dataprovider.GetUserWithGroupSettings(username, "")
 	if err != nil {
 		updateLoginMetrics(&dataprovider.User{BaseUser: sdk.BaseUser{Username: username}},
 			dataprovider.LoginMethodPassword, ipAddr, err)

internal/httpd/oidc.go

@@ -205,6 +205,7 @@ type oidcToken struct {
 	Username             string          `json:"username"`
 	Permissions          []string        `json:"permissions"`
 	HideUserPageSections int             `json:"hide_user_page_sections,omitempty"`
+	AdminRole            string          `json:"admin_role,omitempty"`
 	Role                 any             `json:"role"`
 	CustomFields         *map[string]any `json:"custom_fields,omitempty"`
 	Cookie               string          `json:"cookie"`
@@ -389,10 +390,11 @@ func (t *oidcToken) refreshUser(r *http.Request) error {
 			return err
 		}
 		t.Permissions = admin.Permissions
+		t.AdminRole = admin.Role
 		t.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections
 		return nil
 	}
-	user, err := dataprovider.GetUserWithGroupSettings(t.Username)
+	user, err := dataprovider.GetUserWithGroupSettings(t.Username, "")
 	if err != nil {
 		return err
 	}
@@ -416,6 +418,7 @@ func (t *oidcToken) getUser(r *http.Request) error {
 			return err
 		}
 		t.Permissions = admin.Permissions
+		t.AdminRole = admin.Role
 		t.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections
 		dataprovider.UpdateAdminLastLogin(&admin)
 		return nil
@@ -515,6 +518,7 @@ func (s *httpdServer) oidcTokenAuthenticator(audience tokenAudience) func(next h
 			jwtTokenClaims := jwtTokenClaims{
 				Username:             token.Username,
 				Permissions:          token.Permissions,
+				Role:                 token.AdminRole,
 				HideUserPageSections: token.HideUserPageSections,
 			}
 			_, tokenString, err := jwtTokenClaims.createToken(s.tokenAuth, audience, util.GetIPFromRemoteAddress(r.RemoteAddr))

internal/httpd/oidc_test.go

@@ -32,7 +32,7 @@ import (
 
 	"github.com/coreos/go-oidc/v3/oidc"
 	"github.com/go-chi/jwtauth/v5"
-	"github.com/lestrrat-go/jwx/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwa"
 	"github.com/rs/xid"
 	"github.com/sftpgo/sdk"
 	"github.com/stretchr/testify/assert"
@@ -521,7 +521,7 @@ func TestOIDCLoginLogout(t *testing.T) {
 
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 }
 
@@ -706,7 +706,7 @@ func TestOIDCRefreshUser(t *testing.T) {
 	if assert.Error(t, err) {
 		assert.Contains(t, err.Error(), "is disabled")
 	}
-	user, err = dataprovider.UserExists(username)
+	user, err = dataprovider.UserExists(username, "")
 	assert.NoError(t, err)
 	user.Status = 1
 	err = dataprovider.UpdateUser(&user, "", "")
@@ -723,7 +723,7 @@ func TestOIDCRefreshUser(t *testing.T) {
 	assert.NoError(t, err)
 	assert.Equal(t, user.Filters.WebClient, token.Permissions)
 
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 }
 
@@ -877,7 +877,7 @@ func TestOIDCToken(t *testing.T) {
 	if assert.Error(t, err) {
 		assert.Contains(t, err.Error(), "is disabled")
 	}
-	user, err = dataprovider.UserExists(username)
+	user, err = dataprovider.UserExists(username, "")
 	assert.NoError(t, err)
 	user.Status = 1
 	user.Password = "np"
@@ -916,7 +916,7 @@ func TestOIDCToken(t *testing.T) {
 
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 }
 
@@ -1039,7 +1039,7 @@ func TestOIDCImplicitRoles(t *testing.T) {
 
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 }
 
@@ -1164,7 +1164,7 @@ func TestOIDCPreLoginHook(t *testing.T) {
 	assert.NoError(t, err)
 	server.initializeRouter()
 
-	_, err = dataprovider.UserExists(username)
+	_, err = dataprovider.UserExists(username, "")
 	_, ok = err.(*util.RecordNotFoundError)
 	assert.True(t, ok)
 	// now login with OIDC
@@ -1197,10 +1197,10 @@ func TestOIDCPreLoginHook(t *testing.T) {
 	server.router.ServeHTTP(rr, r)
 	assert.Equal(t, http.StatusFound, rr.Code)
 	assert.Equal(t, webClientFilesPath, rr.Header().Get("Location"))
-	_, err = dataprovider.UserExists(username)
+	_, err = dataprovider.UserExists(username, "")
 	assert.NoError(t, err)
 
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(u.HomeDir)
 	assert.NoError(t, err)
@@ -1225,7 +1225,7 @@ func TestOIDCPreLoginHook(t *testing.T) {
 	server.router.ServeHTTP(rr, r)
 	assert.Equal(t, http.StatusFound, rr.Code)
 	assert.Equal(t, webClientLoginPath, rr.Header().Get("Location"))
-	_, err = dataprovider.UserExists(username)
+	_, err = dataprovider.UserExists(username, "")
 	_, ok = err.(*util.RecordNotFoundError)
 	assert.True(t, ok)
 	if assert.Len(t, oidcMgr.tokens, 1) {

internal/httpd/server.go

@@ -31,7 +31,7 @@ import (
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/go-chi/jwtauth/v5"
 	"github.com/go-chi/render"
-	"github.com/lestrrat-go/jwx/jwa"
+	"github.com/lestrrat-go/jwx/v2/jwa"
 	"github.com/rs/cors"
 	"github.com/rs/xid"
 	"github.com/sftpgo/sdk"
@@ -329,7 +329,7 @@ func (s *httpdServer) handleWebClientTwoFactorRecoveryPost(w http.ResponseWriter
 		s.renderClientTwoFactorRecoveryPage(w, err.Error(), ipAddr)
 		return
 	}
-	user, userMerged, err := dataprovider.GetUserVariants(username)
+	user, userMerged, err := dataprovider.GetUserVariants(username, "")
 	if err != nil {
 		s.renderClientTwoFactorRecoveryPage(w, "Invalid credentials", ipAddr)
 		return
@@ -386,7 +386,7 @@ func (s *httpdServer) handleWebClientTwoFactorPost(w http.ResponseWriter, r *htt
 		s.renderClientTwoFactorPage(w, err.Error(), ipAddr)
 		return
 	}
-	user, err := dataprovider.GetUserWithGroupSettings(username)
+	user, err := dataprovider.GetUserWithGroupSettings(username, "")
 	if err != nil {
 		s.renderClientTwoFactorPage(w, "Invalid credentials", ipAddr)
 		return
@@ -719,6 +719,7 @@ func (s *httpdServer) loginAdmin(
 	c := jwtTokenClaims{
 		Username:             admin.Username,
 		Permissions:          admin.Permissions,
+		Role:                 admin.Role,
 		Signature:            admin.GetSignature(),
 		HideUserPageSections: admin.Filters.Preferences.HideUserPageSections,
 	}
@@ -901,6 +902,7 @@ func (s *httpdServer) generateAndSendToken(w http.ResponseWriter, r *http.Reques
 	c := jwtTokenClaims{
 		Username:    admin.Username,
 		Permissions: admin.Permissions,
+		Role:        admin.Role,
 		Signature:   admin.GetSignature(),
 	}
 
@@ -939,7 +941,7 @@ func (s *httpdServer) checkCookieExpiration(w http.ResponseWriter, r *http.Reque
 }
 
 func (s *httpdServer) refreshClientToken(w http.ResponseWriter, r *http.Request, tokenClaims jwtTokenClaims) {
-	user, err := dataprovider.GetUserWithGroupSettings(tokenClaims.Username)
+	user, err := dataprovider.GetUserWithGroupSettings(tokenClaims.Username, "")
 	if err != nil {
 		return
 	}
@@ -976,6 +978,7 @@ func (s *httpdServer) refreshAdminToken(w http.ResponseWriter, r *http.Request,
 		return
 	}
 	tokenClaims.Permissions = admin.Permissions
+	tokenClaims.Role = admin.Role
 	tokenClaims.HideUserPageSections = admin.Filters.Preferences.HideUserPageSections
 	logger.Debug(logSender, "", "cookie refreshed for admin %#v", admin.Username)
 	tokenClaims.createAndSetCookie(w, r, s.tokenAuth, tokenAudienceWebAdmin, ipAddr) //nolint:errcheck
@@ -1294,6 +1297,11 @@ func (s *httpdServer) initializeRouter() {
 			router.With(s.checkPerm(dataprovider.PermAdminManageEventRules)).Post(eventRulesPath, addEventRule)
 			router.With(s.checkPerm(dataprovider.PermAdminManageEventRules)).Put(eventRulesPath+"/{name}", updateEventRule)
 			router.With(s.checkPerm(dataprovider.PermAdminManageEventRules)).Delete(eventRulesPath+"/{name}", deleteEventRule)
+			router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Get(rolesPath, getRoles)
+			router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Get(rolesPath+"/{name}", getRoleByName)
+			router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Post(rolesPath, addRole)
+			router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Put(rolesPath+"/{name}", updateRole)
+			router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Delete(rolesPath+"/{name}", deleteRole)
 		})
 
 		s.router.Get(userTokenPath, s.getUserToken)
@@ -1640,6 +1648,17 @@ func (s *httpdServer) setupWebAdminRoutes() {
 				s.handleWebUpdateEventRulePost)
 			router.With(s.checkPerm(dataprovider.PermAdminManageEventRules), verifyCSRFHeader).
 				Delete(webAdminEventRulePath+"/{name}", deleteEventRule)
+			router.With(s.checkPerm(dataprovider.PermAdminManageRoles), s.refreshCookie).
+				Get(webAdminRolesPath, s.handleWebGetRoles)
+			router.With(s.checkPerm(dataprovider.PermAdminManageRoles), s.refreshCookie).
+				Get(webAdminRolePath, s.handleWebAddRoleGet)
+			router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Post(webAdminRolePath, s.handleWebAddRolePost)
+			router.With(s.checkPerm(dataprovider.PermAdminManageRoles), s.refreshCookie).
+				Get(webAdminRolePath+"/{name}", s.handleWebUpdateRoleGet)
+			router.With(s.checkPerm(dataprovider.PermAdminManageRoles)).Post(webAdminRolePath+"/{name}",
+				s.handleWebUpdateRolePost)
+			router.With(s.checkPerm(dataprovider.PermAdminManageRoles), verifyCSRFHeader).
+				Delete(webAdminRolePath+"/{name}", deleteRole)
 		})
 	}
 }

internal/httpd/webadmin.go

@@ -84,6 +84,8 @@ const (
 	templateEventRule        = "eventrule.html"
 	templateEventActions     = "eventactions.html"
 	templateEventAction      = "eventaction.html"
+	templateRoles            = "roles.html"
+	templateRole             = "role.html"
 	templateMessage          = "message.html"
 	templateStatus           = "status.html"
 	templateLogin            = "login.html"
@@ -101,6 +103,7 @@ const (
 	pageGroupsTitle          = "Groups"
 	pageEventRulesTitle      = "Event rules"
 	pageEventActionsTitle    = "Event actions"
+	pageRolesTitle           = "Roles"
 	pageProfileTitle         = "My profile"
 	pageChangePwdTitle       = "Change password"
 	pageMaintenanceTitle     = "Maintenance"
@@ -140,6 +143,8 @@ type basePage struct {
 	EventRuleURL       string
 	EventActionsURL    string
 	EventActionURL     string
+	RolesURL           string
+	RoleURL            string
 	FolderQuotaScanURL string
 	StatusURL          string
 	MaintenanceURL     string
@@ -151,6 +156,7 @@ type basePage struct {
 	GroupsTitle        string
 	EventRulesTitle    string
 	EventActionsTitle  string
+	RolesTitle         string
 	StatusTitle        string
 	MaintenanceTitle   string
 	DefenderTitle      string
@@ -183,6 +189,11 @@ type groupsPage struct {
 	Groups []dataprovider.Group
 }
 
+type rolesPage struct {
+	basePage
+	Roles []dataprovider.Role
+}
+
 type eventRulesPage struct {
 	basePage
 	Rules []dataprovider.EventRule
@@ -226,6 +237,7 @@ type userPage struct {
 	Mode               userPageMode
 	VirtualFolders     []vfs.BaseVirtualFolder
 	Groups             []dataprovider.Group
+	Roles              []dataprovider.Role
 	CanImpersonate     bool
 	FsWrapper          fsWrapper
 }
@@ -234,6 +246,7 @@ type adminPage struct {
 	basePage
 	Admin  *dataprovider.Admin
 	Groups []dataprovider.Group
+	Roles  []dataprovider.Role
 	Error  string
 	IsAdd  bool
 }
@@ -304,6 +317,13 @@ type groupPage struct {
 	FsWrapper          fsWrapper
 }
 
+type rolePage struct {
+	basePage
+	Role  *dataprovider.Role
+	Error string
+	Mode  genericPageMode
+}
+
 type eventActionPage struct {
 	basePage
 	Action         dataprovider.BaseEventAction
@@ -475,6 +495,16 @@ func loadAdminTemplates(templatesPath string) {
 		filepath.Join(templatesPath, templateCommonDir, templateCommonCSS),
 		filepath.Join(templatesPath, templateCommonDir, templateResetPassword),
 	}
+	rolesPaths := []string{
+		filepath.Join(templatesPath, templateCommonDir, templateCommonCSS),
+		filepath.Join(templatesPath, templateAdminDir, templateBase),
+		filepath.Join(templatesPath, templateAdminDir, templateRoles),
+	}
+	rolePaths := []string{
+		filepath.Join(templatesPath, templateCommonDir, templateCommonCSS),
+		filepath.Join(templatesPath, templateAdminDir, templateBase),
+		filepath.Join(templatesPath, templateAdminDir, templateRole),
+	}
 
 	fsBaseTpl := template.New("fsBaseTemplate").Funcs(template.FuncMap{
 		"ListFSProviders": func() []sdk.FilesystemProvider {
@@ -511,6 +541,8 @@ func loadAdminTemplates(templatesPath string) {
 	setupTmpl := util.LoadTemplate(nil, setupPaths...)
 	forgotPwdTmpl := util.LoadTemplate(nil, forgotPwdPaths...)
 	resetPwdTmpl := util.LoadTemplate(nil, resetPwdPaths...)
+	rolesTmpl := util.LoadTemplate(nil, rolesPaths...)
+	roleTmpl := util.LoadTemplate(nil, rolePaths...)
 
 	adminTemplates[templateUsers] = usersTmpl
 	adminTemplates[templateUser] = userTmpl
@@ -538,6 +570,8 @@ func loadAdminTemplates(templatesPath string) {
 	adminTemplates[templateSetup] = setupTmpl
 	adminTemplates[templateForgotPassword] = forgotPwdTmpl
 	adminTemplates[templateResetPassword] = resetPwdTmpl
+	adminTemplates[templateRoles] = rolesTmpl
+	adminTemplates[templateRole] = roleTmpl
 }
 
 func isEventManagerResource(currentURL string) bool {
@@ -583,6 +617,8 @@ func (s *httpdServer) getBasePageData(title, currentURL string, r *http.Request)
 		EventRuleURL:       webAdminEventRulePath,
 		EventActionsURL:    webAdminEventActionsPath,
 		EventActionURL:     webAdminEventActionPath,
+		RolesURL:           webAdminRolesPath,
+		RoleURL:            webAdminRolePath,
 		QuotaScanURL:       webQuotaScanPath,
 		ConnectionsURL:     webConnectionsPath,
 		StatusURL:          webStatusPath,
@@ -596,6 +632,7 @@ func (s *httpdServer) getBasePageData(title, currentURL string, r *http.Request)
 		GroupsTitle:        pageGroupsTitle,
 		EventRulesTitle:    pageEventRulesTitle,
 		EventActionsTitle:  pageEventActionsTitle,
+		RolesTitle:         pageRolesTitle,
 		StatusTitle:        pageStatusTitle,
 		MaintenanceTitle:   pageMaintenanceTitle,
 		DefenderTitle:      pageDefenderTitle,
@@ -774,6 +811,10 @@ func (s *httpdServer) renderAddUpdateAdminPage(w http.ResponseWriter, r *http.Re
 	if err != nil {
 		return
 	}
+	roles, err := s.getWebRoles(w, r, 10, true)
+	if err != nil {
+		return
+	}
 	currentURL := webAdminPath
 	title := "Add a new admin"
 	if !isAdd {
@@ -784,6 +825,7 @@ func (s *httpdServer) renderAddUpdateAdminPage(w http.ResponseWriter, r *http.Re
 		basePage: s.getBasePageData(title, currentURL, r),
 		Admin:    admin,
 		Groups:   groups,
+		Roles:    roles,
 		Error:    error,
 		IsAdd:    isAdd,
 	}
@@ -791,18 +833,7 @@ func (s *httpdServer) renderAddUpdateAdminPage(w http.ResponseWriter, r *http.Re
 	renderAdminTemplate(w, templateAdmin, data)
 }
 
-func (s *httpdServer) renderUserPage(w http.ResponseWriter, r *http.Request, user *dataprovider.User,
-	mode userPageMode, error string, admin *dataprovider.Admin,
-) {
-	folders, err := s.getWebVirtualFolders(w, r, defaultQueryLimit, true)
-	if err != nil {
-		return
-	}
-	groups, err := s.getWebGroups(w, r, defaultQueryLimit, true)
-	if err != nil {
-		return
-	}
-	user.SetEmptySecretsIfNil()
+func (s *httpdServer) getUserPageTitleAndURL(mode userPageMode, username string) (string, string) {
 	var title, currentURL string
 	switch mode {
 	case userPageModeAdd:
@@ -810,11 +841,19 @@ func (s *httpdServer) renderUserPage(w http.ResponseWriter, r *http.Request, use
 		currentURL = webUserPath
 	case userPageModeUpdate:
 		title = "Update user"
-		currentURL = fmt.Sprintf("%v/%v", webUserPath, url.PathEscape(user.Username))
+		currentURL = fmt.Sprintf("%v/%v", webUserPath, url.PathEscape(username))
 	case userPageModeTemplate:
 		title = "User template"
 		currentURL = webTemplateUser
 	}
+	return title, currentURL
+}
+
+func (s *httpdServer) renderUserPage(w http.ResponseWriter, r *http.Request, user *dataprovider.User,
+	mode userPageMode, errorString string, admin *dataprovider.Admin,
+) {
+	user.SetEmptySecretsIfNil()
+	title, currentURL := s.getUserPageTitleAndURL(mode, user.Username)
 	if user.Password != "" && user.IsPasswordHashed() {
 		switch mode {
 		case userPageModeUpdate:
@@ -833,10 +872,26 @@ func (s *httpdServer) renderUserPage(w http.ResponseWriter, r *http.Request, use
 			})
 		}
 	}
+	var roles []dataprovider.Role
+	if basePage.LoggedAdmin.Role == "" {
+		var err error
+		roles, err = s.getWebRoles(w, r, 10, true)
+		if err != nil {
+			return
+		}
+	}
+	folders, err := s.getWebVirtualFolders(w, r, defaultQueryLimit, true)
+	if err != nil {
+		return
+	}
+	groups, err := s.getWebGroups(w, r, defaultQueryLimit, true)
+	if err != nil {
+		return
+	}
 	data := userPage{
 		basePage:           basePage,
 		Mode:               mode,
-		Error:              error,
+		Error:              errorString,
 		User:               user,
 		ValidPerms:         dataprovider.ValidPerms,
 		ValidLoginMethods:  dataprovider.ValidLoginMethods,
@@ -846,6 +901,7 @@ func (s *httpdServer) renderUserPage(w http.ResponseWriter, r *http.Request, use
 		RootDirPerms:       user.GetPermissionsForPath("/"),
 		VirtualFolders:     folders,
 		Groups:             groups,
+		Roles:              roles,
 		CanImpersonate:     os.Getuid() == 0,
 		FsWrapper: fsWrapper{
 			Filesystem:      user.FsConfig,
@@ -859,6 +915,27 @@ func (s *httpdServer) renderUserPage(w http.ResponseWriter, r *http.Request, use
 	renderAdminTemplate(w, templateUser, data)
 }
 
+func (s *httpdServer) renderRolePage(w http.ResponseWriter, r *http.Request, role dataprovider.Role,
+	mode genericPageMode, error string,
+) {
+	var title, currentURL string
+	switch mode {
+	case genericPageModeAdd:
+		title = "Add a new role"
+		currentURL = webAdminRolePath
+	case genericPageModeUpdate:
+		title = "Update role"
+		currentURL = fmt.Sprintf("%s/%s", webAdminRolePath, url.PathEscape(role.Name))
+	}
+	data := rolePage{
+		basePage: s.getBasePageData(title, currentURL, r),
+		Error:    error,
+		Role:     &role,
+		Mode:     mode,
+	}
+	renderAdminTemplate(w, templateRole, data)
+}
+
 func (s *httpdServer) renderGroupPage(w http.ResponseWriter, r *http.Request, group dataprovider.Group,
 	mode genericPageMode, error string,
 ) {
@@ -1577,6 +1654,7 @@ func getAdminFromPostFields(r *http.Request) (dataprovider.Admin, error) {
 	admin.Permissions = r.Form["permissions"]
 	admin.Email = r.Form.Get("email")
 	admin.Status = status
+	admin.Role = r.Form.Get("role")
 	admin.Filters.AllowList = getSliceFromDelimitedValues(r.Form.Get("allowed_ip"), ",")
 	admin.Filters.AllowAPIKeyAuth = r.Form.Get("allow_api_key_auth") != ""
 	admin.AdditionalInfo = r.Form.Get("additional_info")
@@ -1843,6 +1921,7 @@ func getUserFromPostFields(r *http.Request) (dataprovider.User, error) {
 			ExpirationDate:       expirationDateMillis,
 			AdditionalInfo:       r.Form.Get("additional_info"),
 			Description:          r.Form.Get("description"),
+			Role:                 r.Form.Get("role"),
 		},
 		Filters: dataprovider.UserFilters{
 			BaseUserFilters: filters,
@@ -2223,6 +2302,18 @@ func getEventRuleFromPostFields(r *http.Request) (dataprovider.EventRule, error)
 	return rule, nil
 }
 
+func getRoleFromPostFields(r *http.Request) (dataprovider.Role, error) {
+	err := r.ParseForm()
+	if err != nil {
+		return dataprovider.Role{}, err
+	}
+
+	return dataprovider.Role{
+		Name:        r.Form.Get("name"),
+		Description: r.Form.Get("description"),
+	}, nil
+}
+
 func (s *httpdServer) handleWebAdminForgotPwd(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
 	if !smtp.IsEnabled() {
@@ -2515,10 +2606,14 @@ func (s *httpdServer) handleWebUpdateAdminPost(w http.ResponseWriter, r *http.Re
 			s.renderAddUpdateAdminPage(w, r, &updatedAdmin, "You cannot disable yourself", false)
 			return
 		}
+		if updatedAdmin.Role != claims.Role {
+			s.renderAddUpdateAdminPage(w, r, &updatedAdmin, "You cannot add/change your role", false)
+			return
+		}
 	}
 	err = dataprovider.UpdateAdmin(&updatedAdmin, claims.Username, ipAddr)
 	if err != nil {
-		s.renderAddUpdateAdminPage(w, r, &admin, err.Error(), false)
+		s.renderAddUpdateAdminPage(w, r, &updatedAdmin, err.Error(), false)
 		return
 	}
 	http.Redirect(w, r, webAdminsPath, http.StatusSeeOther)
@@ -2536,6 +2631,11 @@ func (s *httpdServer) handleWebDefenderPage(w http.ResponseWriter, r *http.Reque
 
 func (s *httpdServer) handleGetWebUsers(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		s.renderBadRequestPage(w, r, errors.New("invalid token claims"))
+		return
+	}
 	var limit int
 	if _, ok := r.URL.Query()["qlimit"]; ok {
 		var err error
@@ -2548,7 +2648,7 @@ func (s *httpdServer) handleGetWebUsers(w http.ResponseWriter, r *http.Request)
 	}
 	users := make([]dataprovider.User, 0, limit)
 	for {
-		u, err := dataprovider.GetUsers(limit, len(users), dataprovider.OrderASC)
+		u, err := dataprovider.GetUsers(limit, len(users), dataprovider.OrderASC, claims.Role)
 		if err != nil {
 			s.renderInternalServerErrorPage(w, r, err)
 			return
@@ -2657,7 +2757,7 @@ func (s *httpdServer) handleWebTemplateUserGet(w http.ResponseWriter, r *http.Re
 	}
 	if r.URL.Query().Get("from") != "" {
 		username := r.URL.Query().Get("from")
-		user, err := dataprovider.UserExists(username)
+		user, err := dataprovider.UserExists(username, admin.Role)
 		if err == nil {
 			user.SetEmptySecrets()
 			user.PublicKeys = nil
@@ -2715,6 +2815,8 @@ func (s *httpdServer) handleWebTemplateUserPost(w http.ResponseWriter, r *http.R
 				http.StatusBadRequest, err, "")
 			return
 		}
+		// to create a template the "manage_system" permission is required, so role admins cannot use
+		// this method, we don't need to force the role
 		dump.Users = append(dump.Users, u)
 		for _, folder := range u.VirtualFolders {
 			if !dump.HasFolder(folder.Name) {
@@ -2764,8 +2866,13 @@ func (s *httpdServer) handleWebAddUserGet(w http.ResponseWriter, r *http.Request
 
 func (s *httpdServer) handleWebUpdateUserGet(w http.ResponseWriter, r *http.Request) {
 	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		s.renderBadRequestPage(w, r, errors.New("invalid token claims"))
+		return
+	}
 	username := getURLParam(r, "username")
-	user, err := dataprovider.UserExists(username)
+	user, err := dataprovider.UserExists(username, claims.Role)
 	if err == nil {
 		s.renderUserPage(w, r, &user, userPageModeUpdate, "", nil)
 	} else if _, ok := err.(*util.RecordNotFoundError); ok {
@@ -2797,6 +2904,13 @@ func (s *httpdServer) handleWebAddUserPost(w http.ResponseWriter, r *http.Reques
 		Password:   user.Password,
 		PublicKeys: user.PublicKeys,
 	})
+	if claims.Role != "" {
+		user.Role = claims.Role
+	}
+	user.Filters.RecoveryCodes = nil
+	user.Filters.TOTPConfig = dataprovider.UserTOTPConfig{
+		Enabled: false,
+	}
 	err = dataprovider.AddUser(&user, claims.Username, ipAddr)
 	if err != nil {
 		s.renderUserPage(w, r, &user, userPageModeAdd, err.Error(), nil)
@@ -2813,7 +2927,7 @@ func (s *httpdServer) handleWebUpdateUserPost(w http.ResponseWriter, r *http.Req
 		return
 	}
 	username := getURLParam(r, "username")
-	user, err := dataprovider.UserExists(username)
+	user, err := dataprovider.UserExists(username, claims.Role)
 	if _, ok := err.(*util.RecordNotFoundError); ok {
 		s.renderNotFoundPage(w, r, err)
 		return
@@ -2849,6 +2963,9 @@ func (s *httpdServer) handleWebUpdateUserPost(w http.ResponseWriter, r *http.Req
 		Password:   updatedUser.Password,
 		PublicKeys: updatedUser.PublicKeys,
 	})
+	if claims.Role != "" {
+		updatedUser.Role = claims.Role
+	}
 
 	err = dataprovider.UpdateUser(&updatedUser, claims.Username, ipAddr)
 	if err != nil {
@@ -2877,8 +2994,8 @@ func (s *httpdServer) handleWebGetConnections(w http.ResponseWriter, r *http.Req
 		s.renderBadRequestPage(w, r, errors.New("invalid token claims"))
 		return
 	}
-	connectionStats := common.Connections.GetStats()
-	connectionStats = append(connectionStats, getNodesConnections(claims.Username)...)
+	connectionStats := common.Connections.GetStats(claims.Role)
+	connectionStats = append(connectionStats, getNodesConnections(claims.Username, claims.Role)...)
 	data := connectionsPage{
 		basePage:    s.getBasePageData(pageConnectionsTitle, webConnectionsPath, r),
 		Connections: connectionStats,
@@ -3400,3 +3517,110 @@ func (s *httpdServer) handleWebUpdateEventRulePost(w http.ResponseWriter, r *htt
 	}
 	http.Redirect(w, r, webAdminEventRulesPath, http.StatusSeeOther)
 }
+
+func (s *httpdServer) getWebRoles(w http.ResponseWriter, r *http.Request, limit int, minimal bool) ([]dataprovider.Role, error) {
+	roles := make([]dataprovider.Role, 0, limit)
+	for {
+		res, err := dataprovider.GetRoles(limit, len(roles), dataprovider.OrderASC, minimal)
+		if err != nil {
+			s.renderInternalServerErrorPage(w, r, err)
+			return roles, err
+		}
+		roles = append(roles, res...)
+		if len(res) < limit {
+			break
+		}
+	}
+	return roles, nil
+}
+
+func (s *httpdServer) handleWebGetRoles(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	roles, err := s.getWebRoles(w, r, 10, false)
+	if err != nil {
+		return
+	}
+	data := rolesPage{
+		basePage: s.getBasePageData(pageRolesTitle, webAdminRolesPath, r),
+		Roles:    roles,
+	}
+	renderAdminTemplate(w, templateRoles, data)
+}
+
+func (s *httpdServer) handleWebAddRoleGet(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	s.renderRolePage(w, r, dataprovider.Role{}, genericPageModeAdd, "")
+}
+
+func (s *httpdServer) handleWebAddRolePost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	role, err := getRoleFromPostFields(r)
+	if err != nil {
+		s.renderRolePage(w, r, role, genericPageModeAdd, err.Error())
+		return
+	}
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		s.renderBadRequestPage(w, r, errors.New("invalid token claims"))
+		return
+	}
+	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken), ipAddr); err != nil {
+		s.renderForbiddenPage(w, r, err.Error())
+		return
+	}
+	err = dataprovider.AddRole(&role, claims.Username, ipAddr)
+	if err != nil {
+		s.renderRolePage(w, r, role, genericPageModeAdd, err.Error())
+		return
+	}
+	http.Redirect(w, r, webAdminRolesPath, http.StatusSeeOther)
+}
+
+func (s *httpdServer) handleWebUpdateRoleGet(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	role, err := dataprovider.RoleExists(getURLParam(r, "name"))
+	if err == nil {
+		s.renderRolePage(w, r, role, genericPageModeUpdate, "")
+	} else if _, ok := err.(*util.RecordNotFoundError); ok {
+		s.renderNotFoundPage(w, r, err)
+	} else {
+		s.renderInternalServerErrorPage(w, r, err)
+	}
+}
+
+func (s *httpdServer) handleWebUpdateRolePost(w http.ResponseWriter, r *http.Request) {
+	r.Body = http.MaxBytesReader(w, r.Body, maxRequestSize)
+	claims, err := getTokenClaims(r)
+	if err != nil || claims.Username == "" {
+		s.renderBadRequestPage(w, r, errors.New("invalid token claims"))
+		return
+	}
+	role, err := dataprovider.RoleExists(getURLParam(r, "name"))
+	if _, ok := err.(*util.RecordNotFoundError); ok {
+		s.renderNotFoundPage(w, r, err)
+		return
+	} else if err != nil {
+		s.renderInternalServerErrorPage(w, r, err)
+		return
+	}
+
+	updatedRole, err := getRoleFromPostFields(r)
+	if err != nil {
+		s.renderRolePage(w, r, role, genericPageModeAdd, err.Error())
+		return
+	}
+	ipAddr := util.GetIPFromRemoteAddress(r.RemoteAddr)
+	if err := verifyCSRFToken(r.Form.Get(csrfFormToken), ipAddr); err != nil {
+		s.renderForbiddenPage(w, r, err.Error())
+		return
+	}
+	updatedRole.ID = role.ID
+	updatedRole.Name = role.Name
+	err = dataprovider.UpdateRole(&updatedRole, claims.Username, ipAddr)
+	if err != nil {
+		s.renderRolePage(w, r, updatedRole, genericPageModeUpdate, err.Error())
+		return
+	}
+	http.Redirect(w, r, webAdminRolesPath, http.StatusSeeOther)
+}

internal/httpd/webclient.go

@@ -472,7 +472,7 @@ func (s *httpdServer) renderClientMFAPage(w http.ResponseWriter, r *http.Request
 		RecCodesURL:     webClientRecoveryCodesPath,
 		Protocols:       dataprovider.MFAProtocols,
 	}
-	user, err := dataprovider.UserExists(data.LoggedUser.Username)
+	user, err := dataprovider.UserExists(data.LoggedUser.Username, "")
 	if err != nil {
 		s.renderInternalServerErrorPage(w, r, err)
 		return
@@ -590,7 +590,7 @@ func (s *httpdServer) renderClientProfilePage(w http.ResponseWriter, r *http.Req
 		baseClientPage: s.getBaseClientPageData(pageClientProfileTitle, webClientProfilePath, r),
 		Error:          error,
 	}
-	user, userMerged, err := dataprovider.GetUserVariants(data.LoggedUser.Username)
+	user, userMerged, err := dataprovider.GetUserVariants(data.LoggedUser.Username, "")
 	if err != nil {
 		s.renderClientInternalServerErrorPage(w, r, err)
 		return
@@ -620,7 +620,7 @@ func (s *httpdServer) handleWebClientDownloadZip(w http.ResponseWriter, r *http.
 		return
 	}
 
-	user, err := dataprovider.GetUserWithGroupSettings(claims.Username)
+	user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "")
 	if err != nil {
 		s.renderClientMessagePage(w, r, "Unable to retrieve your user", "", getRespStatus(err), nil, "")
 		return
@@ -820,7 +820,7 @@ func (s *httpdServer) handleClientGetDirContents(w http.ResponseWriter, r *http.
 		return
 	}
 
-	user, err := dataprovider.GetUserWithGroupSettings(claims.Username)
+	user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "")
 	if err != nil {
 		sendAPIResponse(w, r, nil, "Unable to retrieve your user", getRespStatus(err))
 		return
@@ -897,7 +897,7 @@ func (s *httpdServer) handleClientGetFiles(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	user, err := dataprovider.GetUserWithGroupSettings(claims.Username)
+	user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "")
 	if err != nil {
 		s.renderClientMessagePage(w, r, "Unable to retrieve your user", "", getRespStatus(err), nil, "")
 		return
@@ -956,7 +956,7 @@ func (s *httpdServer) handleClientEditFile(w http.ResponseWriter, r *http.Reques
 		return
 	}
 
-	user, err := dataprovider.GetUserWithGroupSettings(claims.Username)
+	user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "")
 	if err != nil {
 		s.renderClientMessagePage(w, r, "Unable to retrieve your user", "", getRespStatus(err), nil, "")
 		return
@@ -1025,7 +1025,7 @@ func (s *httpdServer) handleClientAddShareGet(w http.ResponseWriter, r *http.Req
 		s.renderClientForbiddenPage(w, r, "Invalid token claims")
 		return
 	}
-	user, err := dataprovider.GetUserWithGroupSettings(claims.Username)
+	user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "")
 	if err != nil {
 		s.renderClientMessagePage(w, r, "Unable to retrieve your user", "", getRespStatus(err), nil, "")
 		return
@@ -1218,7 +1218,7 @@ func (s *httpdServer) handleWebClientProfilePost(w http.ResponseWriter, r *http.
 		s.renderClientForbiddenPage(w, r, "Invalid token claims")
 		return
 	}
-	user, userMerged, err := dataprovider.GetUserVariants(claims.Username)
+	user, userMerged, err := dataprovider.GetUserVariants(claims.Username, "")
 	if err != nil {
 		s.renderClientProfilePage(w, r, err.Error())
 		return
@@ -1368,7 +1368,7 @@ func (s *httpdServer) handleClientGetPDF(w http.ResponseWriter, r *http.Request)
 		return
 	}
 	name = util.CleanPath(name)
-	user, err := dataprovider.GetUserWithGroupSettings(claims.Username)
+	user, err := dataprovider.GetUserWithGroupSettings(claims.Username, "")
 	if err != nil {
 		s.renderClientMessagePage(w, r, "Unable to retrieve your user", "", getRespStatus(err), nil, "")
 		return

internal/httpdtest/httpdtest.go

@@ -62,6 +62,7 @@ const (
 	retentionChecksPath   = "/api/v2/retention/users/checks"
 	eventActionsPath      = "/api/v2/eventactions"
 	eventRulesPath        = "/api/v2/eventrules"
+	rolesPath             = "/api/v2/roles"
 )
 
 const (
@@ -368,6 +369,115 @@ func GetGroups(limit, offset int64, expectedStatusCode int) ([]dataprovider.Grou
 	return groups, body, err
 }
 
+// AddRole adds a new role and checks the received HTTP Status code against expectedStatusCode.
+func AddRole(role dataprovider.Role, expectedStatusCode int) (dataprovider.Role, []byte, error) {
+	var newRole dataprovider.Role
+	var body []byte
+	asJSON, _ := json.Marshal(role)
+	resp, err := sendHTTPRequest(http.MethodPost, buildURLRelativeToBase(rolesPath), bytes.NewBuffer(asJSON),
+		"application/json", getDefaultToken())
+	if err != nil {
+		return newRole, body, err
+	}
+	defer resp.Body.Close()
+	err = checkResponse(resp.StatusCode, expectedStatusCode)
+	if expectedStatusCode != http.StatusCreated {
+		body, _ = getResponseBody(resp)
+		return newRole, body, err
+	}
+	if err == nil {
+		err = render.DecodeJSON(resp.Body, &newRole)
+	} else {
+		body, _ = getResponseBody(resp)
+	}
+	if err == nil {
+		err = checkRole(role, newRole)
+	}
+	return newRole, body, err
+}
+
+// UpdateRole updates an existing role and checks the received HTTP Status code against expectedStatusCode
+func UpdateRole(role dataprovider.Role, expectedStatusCode int) (dataprovider.Role, []byte, error) {
+	var newRole dataprovider.Role
+	var body []byte
+
+	asJSON, _ := json.Marshal(role)
+	resp, err := sendHTTPRequest(http.MethodPut, buildURLRelativeToBase(rolesPath, url.PathEscape(role.Name)),
+		bytes.NewBuffer(asJSON), "application/json", getDefaultToken())
+	if err != nil {
+		return newRole, body, err
+	}
+	defer resp.Body.Close()
+	body, _ = getResponseBody(resp)
+	err = checkResponse(resp.StatusCode, expectedStatusCode)
+	if expectedStatusCode != http.StatusOK {
+		return newRole, body, err
+	}
+	if err == nil {
+		newRole, body, err = GetRoleByName(role.Name, expectedStatusCode)
+	}
+	if err == nil {
+		err = checkRole(role, newRole)
+	}
+	return newRole, body, err
+}
+
+// RemoveRole removes an existing role and checks the received HTTP Status code against expectedStatusCode.
+func RemoveRole(role dataprovider.Role, expectedStatusCode int) ([]byte, error) {
+	var body []byte
+	resp, err := sendHTTPRequest(http.MethodDelete, buildURLRelativeToBase(rolesPath, url.PathEscape(role.Name)),
+		nil, "", getDefaultToken())
+	if err != nil {
+		return body, err
+	}
+	defer resp.Body.Close()
+	body, _ = getResponseBody(resp)
+	return body, checkResponse(resp.StatusCode, expectedStatusCode)
+}
+
+// GetRoleByName gets a role by name and checks the received HTTP Status code against expectedStatusCode.
+func GetRoleByName(name string, expectedStatusCode int) (dataprovider.Role, []byte, error) {
+	var role dataprovider.Role
+	var body []byte
+	resp, err := sendHTTPRequest(http.MethodGet, buildURLRelativeToBase(rolesPath, url.PathEscape(name)),
+		nil, "", getDefaultToken())
+	if err != nil {
+		return role, body, err
+	}
+	defer resp.Body.Close()
+	err = checkResponse(resp.StatusCode, expectedStatusCode)
+	if err == nil && expectedStatusCode == http.StatusOK {
+		err = render.DecodeJSON(resp.Body, &role)
+	} else {
+		body, _ = getResponseBody(resp)
+	}
+	return role, body, err
+}
+
+// GetRoles returns a list of roles and checks the received HTTP Status code against expectedStatusCode.
+// The number of results can be limited specifying a limit.
+// Some results can be skipped specifying an offset.
+func GetRoles(limit, offset int64, expectedStatusCode int) ([]dataprovider.Role, []byte, error) {
+	var roles []dataprovider.Role
+	var body []byte
+	url, err := addLimitAndOffsetQueryParams(buildURLRelativeToBase(rolesPath), limit, offset)
+	if err != nil {
+		return roles, body, err
+	}
+	resp, err := sendHTTPRequest(http.MethodGet, url.String(), nil, "", getDefaultToken())
+	if err != nil {
+		return roles, body, err
+	}
+	defer resp.Body.Close()
+	err = checkResponse(resp.StatusCode, expectedStatusCode)
+	if err == nil && expectedStatusCode == http.StatusOK {
+		err = render.DecodeJSON(resp.Body, &roles)
+	} else {
+		body, _ = getResponseBody(resp)
+	}
+	return roles, body, err
+}
+
 // AddAdmin adds a new admin and checks the received HTTP Status code against expectedStatusCode.
 func AddAdmin(admin dataprovider.Admin, expectedStatusCode int) (dataprovider.Admin, []byte, error) {
 	var newAdmin dataprovider.Admin
@@ -1503,6 +1613,31 @@ func checkEventRule(expected, actual dataprovider.EventRule) error {
 	return checkEventRuleActions(expected.Actions, actual.Actions)
 }
 
+func checkRole(expected, actual dataprovider.Role) error {
+	if expected.ID <= 0 {
+		if actual.ID <= 0 {
+			return errors.New("actual role ID must be > 0")
+		}
+	} else {
+		if actual.ID != expected.ID {
+			return errors.New("role ID mismatch")
+		}
+	}
+	if dataprovider.ConvertName(expected.Name) != actual.Name {
+		return errors.New("name mismatch")
+	}
+	if expected.Description != actual.Description {
+		return errors.New("description mismatch")
+	}
+	if actual.CreatedAt == 0 {
+		return errors.New("created_at unset")
+	}
+	if actual.UpdatedAt == 0 {
+		return errors.New("updated_at unset")
+	}
+	return nil
+}
+
 func checkGroup(expected, actual dataprovider.Group) error {
 	if expected.ID <= 0 {
 		if actual.ID <= 0 {
@@ -1667,6 +1802,9 @@ func compareAdminEqualFields(expected *dataprovider.Admin, actual *dataprovider.
 	if expected.AdditionalInfo != actual.AdditionalInfo {
 		return errors.New("additional info mismatch")
 	}
+	if expected.Role != actual.Role {
+		return errors.New("role mismatch")
+	}
 	return nil
 }
 
@@ -2491,6 +2629,9 @@ func compareEqualsUserFields(expected *dataprovider.User, actual *dataprovider.U
 	if expected.Description != actual.Description {
 		return errors.New("description mismatch")
 	}
+	if expected.Role != actual.Role {
+		return errors.New("role mismatch")
+	}
 	return compareQuotaUserFields(expected, actual)
 }
 

internal/service/service.go

@@ -350,7 +350,11 @@ func (s *Service) LoadInitialData() error {
 }
 
 func (s *Service) restoreDump(dump *dataprovider.BackupData) error {
-	err := httpd.RestoreFolders(dump.Folders, s.LoadDataFrom, s.LoadDataMode, s.LoadDataQuotaScan, dataprovider.ActionExecutorSystem, "")
+	err := httpd.RestoreRoles(dump.Roles, s.LoadDataFrom, s.LoadDataMode, dataprovider.ActionExecutorSystem, "")
+	if err != nil {
+		return fmt.Errorf("unable to restore roles from file %#v: %v", s.LoadDataFrom, err)
+	}
+	err = httpd.RestoreFolders(dump.Folders, s.LoadDataFrom, s.LoadDataMode, s.LoadDataQuotaScan, dataprovider.ActionExecutorSystem, "")
 	if err != nil {
 		return fmt.Errorf("unable to restore folders from file %#v: %v", s.LoadDataFrom, err)
 	}

internal/sftpd/internal_test.go

@@ -2088,7 +2088,7 @@ func TestRecoverer(t *testing.T) {
 	}
 	err = scpCmd.handle()
 	assert.EqualError(t, err, common.ErrGenericFailure.Error())
-	assert.Len(t, common.Connections.GetStats(), 0)
+	assert.Len(t, common.Connections.GetStats(""), 0)
 }
 
 func TestListernerAcceptErrors(t *testing.T) {
@@ -2241,7 +2241,7 @@ func TestMaxUserSessions(t *testing.T) {
 		assert.Contains(t, err.Error(), "too many open sessions")
 	}
 	common.Connections.Remove(connection.GetID())
-	assert.Len(t, common.Connections.GetStats(), 0)
+	assert.Len(t, common.Connections.GetStats(""), 0)
 }
 
 func TestCanReadSymlink(t *testing.T) {

internal/sftpd/server.go

@@ -237,7 +237,7 @@ func (c *Configuration) getServerConfig() *ssh.ServerConfig {
 		},
 		NextAuthMethodsCallback: func(conn ssh.ConnMetadata) []string {
 			var nextMethods []string
-			user, err := dataprovider.GetUserWithGroupSettings(conn.User())
+			user, err := dataprovider.GetUserWithGroupSettings(conn.User(), "")
 			if err == nil {
 				nextMethods = user.GetNextAuthMethods(conn.PartialSuccessMethods(), c.PasswordAuthentication)
 			}

internal/sftpd/sftpd_test.go

@@ -985,7 +985,7 @@ func TestDefender(t *testing.T) {
 	_, _, err = getSftpClient(user, usePubKey)
 	assert.Error(t, err)
 
-	err = dataprovider.DeleteUser(user.Username, "", "")
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
@@ -1144,7 +1144,7 @@ func TestConcurrency(t *testing.T) {
 		for {
 			servedReqs := closedConns.Load()
 			if servedReqs > 0 {
-				stats := common.Connections.GetStats()
+				stats := common.Connections.GetStats("")
 				if len(stats) > maxConns {
 					maxConns = len(stats)
 				}
@@ -1178,7 +1178,7 @@ func TestConcurrency(t *testing.T) {
 	}, 1*time.Second, 50*time.Millisecond)
 
 	assert.Eventually(t, func() bool {
-		return len(common.Connections.GetStats()) == 0
+		return len(common.Connections.GetStats("")) == 0
 	}, 1*time.Second, 50*time.Millisecond)
 
 	err = os.Remove(testFilePath)
@@ -4284,7 +4284,7 @@ func TestMaxConnections(t *testing.T) {
 		err = conn.Close()
 		assert.NoError(t, err)
 	}
-	err = dataprovider.DeleteUser(user.Username, "", "")
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
@@ -4319,7 +4319,7 @@ func TestMaxPerHostConnections(t *testing.T) {
 		err = conn.Close()
 		assert.NoError(t, err)
 	}
-	err = dataprovider.DeleteUser(user.Username, "", "")
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
@@ -4603,12 +4603,12 @@ func TestQuotaScan(t *testing.T) {
 }
 
 func TestMultipleQuotaScans(t *testing.T) {
-	res := common.QuotaScans.AddUserQuotaScan(defaultUsername)
+	res := common.QuotaScans.AddUserQuotaScan(defaultUsername, "")
 	assert.True(t, res)
-	res = common.QuotaScans.AddUserQuotaScan(defaultUsername)
+	res = common.QuotaScans.AddUserQuotaScan(defaultUsername, "")
 	assert.False(t, res, "add quota must fail if another scan is already active")
 	assert.True(t, common.QuotaScans.RemoveUserQuotaScan(defaultUsername))
-	activeScans := common.QuotaScans.GetUsersQuotaScans()
+	activeScans := common.QuotaScans.GetUsersQuotaScans("")
 	assert.Equal(t, 0, len(activeScans))
 	assert.False(t, common.QuotaScans.RemoveUserQuotaScan(defaultUsername))
 }
@@ -4866,13 +4866,13 @@ func TestBandwidthAndConnections(t *testing.T) {
 		waitForActiveTransfers(t)
 		time.Sleep(100 * time.Millisecond)
 
-		for _, stat := range common.Connections.GetStats() {
-			common.Connections.Close(stat.ConnectionID)
+		for _, stat := range common.Connections.GetStats("") {
+			common.Connections.Close(stat.ConnectionID, "")
 		}
 		err = <-c
 		assert.Error(t, err, "connection closed while uploading: the upload must fail")
 		assert.Eventually(t, func() bool {
-			return len(common.Connections.GetStats()) == 0
+			return len(common.Connections.GetStats("")) == 0
 		}, 10*time.Second, 200*time.Millisecond)
 		err = os.Remove(testFilePath)
 		assert.NoError(t, err)
@@ -7242,7 +7242,7 @@ func TestHashedPasswords(t *testing.T) {
 		user.Password = ""
 		userGetInitial, _, err := httpdtest.UpdateUser(user, http.StatusOK, "")
 		assert.NoError(t, err)
-		user, err = dataprovider.UserExists(user.Username)
+		user, err = dataprovider.UserExists(user.Username, "")
 		assert.NoError(t, err)
 		assert.Equal(t, pwd, user.Password)
 		user.Password = clearPwd
@@ -7259,7 +7259,7 @@ func TestHashedPasswords(t *testing.T) {
 			conn.Close()
 		}
 		// the password must converted to bcrypt and we should still be able to login
-		user, err = dataprovider.UserExists(user.Username)
+		user, err = dataprovider.UserExists(user.Username, "")
 		assert.NoError(t, err)
 		assert.True(t, strings.HasPrefix(user.Password, "$2a$"))
 		// update the user to invalidate the cached password and force a new check
@@ -10576,7 +10576,7 @@ func TestSCPErrors(t *testing.T) {
 	time.Sleep(100 * time.Millisecond)
 	err = cmd.Process.Kill()
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, 2*time.Second, 100*time.Millisecond)
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 2*time.Second, 100*time.Millisecond)
 	cmd = getScpUploadCommand(testFilePath, remoteUpPath, false, false)
 	go func() {
 		err := cmd.Run()
@@ -10588,7 +10588,7 @@ func TestSCPErrors(t *testing.T) {
 	time.Sleep(100 * time.Millisecond)
 	err = cmd.Process.Kill()
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 }, 2*time.Second, 100*time.Millisecond)
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 }, 2*time.Second, 100*time.Millisecond)
 	err = os.Remove(testFilePath)
 	assert.NoError(t, err)
 	os.Remove(localPath)
@@ -11076,7 +11076,7 @@ func computeHashForFile(hasher hash.Hash, path string) (string, error) {
 
 func waitForActiveTransfers(t *testing.T) {
 	assert.Eventually(t, func() bool {
-		for _, stat := range common.Connections.GetStats() {
+		for _, stat := range common.Connections.GetStats("") {
 			if len(stat.Transfers) > 0 {
 				return true
 			}

internal/smtp/smtp.go

@@ -181,6 +181,7 @@ func SendEmail(to []string, subject, body string, contentType EmailContentType,
 	}
 
 	email := mail.NewMSG()
+	email.AllowDuplicateAddress = true
 	if from != "" {
 		email.SetFrom(from)
 	} else {

internal/util/util.go

@@ -617,8 +617,8 @@ func GetSSHPublicKeyAsString(pubKey []byte) (string, error) {
 	return string(ssh.MarshalAuthorizedKey(k)), nil
 }
 
-// GetRealIP returns the ip address as result of parsing either the
-// X-Real-IP header or the X-Forwarded-For header
+// GetRealIP returns the ip address as result of parsing the specified
+// header and using the specified depth
 func GetRealIP(r *http.Request, header string, depth int) string {
 	if header == "" {
 		return ""

internal/version/version.go

@@ -17,7 +17,7 @@ package version
 
 import "strings"
 
-const version = "2.4.0-dev"
+const version = "2.4.1-dev"
 
 var (
 	commit = ""

internal/webdavd/internal_test.go

@@ -937,7 +937,7 @@ func TestTransferSeek(t *testing.T) {
 	assert.True(t, fs.IsNotExist(err))
 	assert.Equal(t, int64(0), res)
 
-	assert.Len(t, common.Connections.GetStats(), 0)
+	assert.Len(t, common.Connections.GetStats(""), 0)
 
 	err = os.Remove(testFilePath)
 	assert.NoError(t, err)
@@ -959,7 +959,7 @@ func TestBasicUsersCache(t *testing.T) {
 	u.Permissions["/"] = []string{dataprovider.PermAny}
 	err := dataprovider.AddUser(&u, "", "")
 	assert.NoError(t, err)
-	user, err := dataprovider.UserExists(u.Username)
+	user, err := dataprovider.UserExists(u.Username, "")
 	assert.NoError(t, err)
 
 	c := &Configuration{
@@ -1054,7 +1054,7 @@ func TestBasicUsersCache(t *testing.T) {
 	_, ok = dataprovider.GetCachedWebDAVUser(username)
 	assert.True(t, ok)
 	// cache is invalidated after user deletion
-	err = dataprovider.DeleteUser(user.Username, "", "")
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
 	_, ok = dataprovider.GetCachedWebDAVUser(username)
 	assert.False(t, ok)
@@ -1090,7 +1090,7 @@ func TestCachedUserWithFolders(t *testing.T) {
 	})
 	err := dataprovider.AddUser(&u, "", "")
 	assert.NoError(t, err)
-	user, err := dataprovider.UserExists(u.Username)
+	user, err := dataprovider.UserExists(u.Username, "")
 	assert.NoError(t, err)
 
 	c := &Configuration{
@@ -1177,7 +1177,7 @@ func TestCachedUserWithFolders(t *testing.T) {
 		assert.False(t, cachedUser.IsExpired())
 	}
 
-	err = dataprovider.DeleteUser(user.Username, "", "")
+	err = dataprovider.DeleteUser(user.Username, "", "", "")
 	assert.NoError(t, err)
 	_, ok = dataprovider.GetCachedWebDAVUser(username)
 	assert.False(t, ok)
@@ -1205,25 +1205,25 @@ func TestUsersCacheSizeAndExpiration(t *testing.T) {
 	u.Permissions["/"] = []string{dataprovider.PermAny}
 	err := dataprovider.AddUser(&u, "", "")
 	assert.NoError(t, err)
-	user1, err := dataprovider.UserExists(u.Username)
+	user1, err := dataprovider.UserExists(u.Username, "")
 	assert.NoError(t, err)
 	u.Username = username + "2"
 	u.Password = password + "2"
 	err = dataprovider.AddUser(&u, "", "")
 	assert.NoError(t, err)
-	user2, err := dataprovider.UserExists(u.Username)
+	user2, err := dataprovider.UserExists(u.Username, "")
 	assert.NoError(t, err)
 	u.Username = username + "3"
 	u.Password = password + "3"
 	err = dataprovider.AddUser(&u, "", "")
 	assert.NoError(t, err)
-	user3, err := dataprovider.UserExists(u.Username)
+	user3, err := dataprovider.UserExists(u.Username, "")
 	assert.NoError(t, err)
 	u.Username = username + "4"
 	u.Password = password + "4"
 	err = dataprovider.AddUser(&u, "", "")
 	assert.NoError(t, err)
-	user4, err := dataprovider.UserExists(u.Username)
+	user4, err := dataprovider.UserExists(u.Username, "")
 	assert.NoError(t, err)
 
 	c := &Configuration{
@@ -1385,13 +1385,13 @@ func TestUsersCacheSizeAndExpiration(t *testing.T) {
 	_, ok = dataprovider.GetCachedWebDAVUser(user4.Username)
 	assert.True(t, ok)
 
-	err = dataprovider.DeleteUser(user1.Username, "", "")
+	err = dataprovider.DeleteUser(user1.Username, "", "", "")
 	assert.NoError(t, err)
-	err = dataprovider.DeleteUser(user2.Username, "", "")
+	err = dataprovider.DeleteUser(user2.Username, "", "", "")
 	assert.NoError(t, err)
-	err = dataprovider.DeleteUser(user3.Username, "", "")
+	err = dataprovider.DeleteUser(user3.Username, "", "", "")
 	assert.NoError(t, err)
-	err = dataprovider.DeleteUser(user4.Username, "", "")
+	err = dataprovider.DeleteUser(user4.Username, "", "", "")
 	assert.NoError(t, err)
 
 	err = os.RemoveAll(u.GetHomeDir())
@@ -1415,7 +1415,7 @@ func TestUserCacheIsolation(t *testing.T) {
 	u.Permissions["/"] = []string{dataprovider.PermAny}
 	err := dataprovider.AddUser(&u, "", "")
 	assert.NoError(t, err)
-	user, err := dataprovider.UserExists(u.Username)
+	user, err := dataprovider.UserExists(u.Username, "")
 	assert.NoError(t, err)
 	cachedUser := &dataprovider.CachedUser{
 		User:       user,
@@ -1449,7 +1449,7 @@ func TestUserCacheIsolation(t *testing.T) {
 		assert.False(t, cachedUser.User.FsConfig.S3Config.AccessSecret.IsEncrypted())
 	}
 
-	err = dataprovider.DeleteUser(username, "", "")
+	err = dataprovider.DeleteUser(username, "", "", "")
 	assert.NoError(t, err)
 	_, ok = dataprovider.GetCachedWebDAVUser(username)
 	assert.False(t, ok)

internal/webdavd/webdavd_test.go

@@ -620,7 +620,7 @@ func TestBasicHandling(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.RemoveAll(localUser.GetHomeDir())
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 },
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 },
 		1*time.Second, 100*time.Millisecond)
 	status := webdavd.GetStatus()
 	assert.True(t, status.IsActive)
@@ -702,7 +702,7 @@ func TestBasicHandlingCryptFs(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 },
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 },
 		1*time.Second, 100*time.Millisecond)
 }
 
@@ -929,7 +929,7 @@ func TestPropPatch(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.RemoveAll(localUser.GetHomeDir())
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 },
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 },
 		1*time.Second, 100*time.Millisecond)
 }
 
@@ -1311,7 +1311,7 @@ func TestPreDownloadHook(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 },
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 },
 		1*time.Second, 100*time.Millisecond)
 
 	common.Config.Actions.ExecuteOn = []string{common.OperationPreDownload}
@@ -1361,7 +1361,7 @@ func TestPreUploadHook(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 },
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 },
 		1*time.Second, 100*time.Millisecond)
 
 	common.Config.Actions.ExecuteOn = oldExecuteOn
@@ -1424,7 +1424,7 @@ func TestMaxConnections(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 },
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 },
 		1*time.Second, 100*time.Millisecond)
 
 	common.Config.MaxTotalConnections = oldValue
@@ -1456,7 +1456,7 @@ func TestMaxPerHostConnections(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 },
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 },
 		1*time.Second, 100*time.Millisecond)
 
 	common.Config.MaxPerHostConnections = oldValue
@@ -1482,7 +1482,7 @@ func TestMaxSessions(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.RemoveAll(user.GetHomeDir())
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 },
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 },
 		1*time.Second, 100*time.Millisecond)
 }
 
@@ -1894,7 +1894,7 @@ func TestClientClose(t *testing.T) {
 		}()
 
 		assert.Eventually(t, func() bool {
-			for _, stat := range common.Connections.GetStats() {
+			for _, stat := range common.Connections.GetStats("") {
 				if len(stat.Transfers) > 0 {
 					return true
 				}
@@ -1902,16 +1902,16 @@ func TestClientClose(t *testing.T) {
 			return false
 		}, 1*time.Second, 50*time.Millisecond)
 
-		for _, stat := range common.Connections.GetStats() {
-			common.Connections.Close(stat.ConnectionID)
+		for _, stat := range common.Connections.GetStats("") {
+			common.Connections.Close(stat.ConnectionID, "")
 		}
 		wg.Wait()
 		// for the sftp user a stat is done after the failed upload and
 		// this triggers a new connection
-		for _, stat := range common.Connections.GetStats() {
-			common.Connections.Close(stat.ConnectionID)
+		for _, stat := range common.Connections.GetStats("") {
+			common.Connections.Close(stat.ConnectionID, "")
 		}
-		assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 },
+		assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 },
 			1*time.Second, 100*time.Millisecond)
 
 		err = os.Remove(testFilePath)
@@ -1929,7 +1929,7 @@ func TestClientClose(t *testing.T) {
 		}()
 
 		assert.Eventually(t, func() bool {
-			for _, stat := range common.Connections.GetStats() {
+			for _, stat := range common.Connections.GetStats("") {
 				if len(stat.Transfers) > 0 {
 					return true
 				}
@@ -1937,11 +1937,11 @@ func TestClientClose(t *testing.T) {
 			return false
 		}, 1*time.Second, 50*time.Millisecond)
 
-		for _, stat := range common.Connections.GetStats() {
-			common.Connections.Close(stat.ConnectionID)
+		for _, stat := range common.Connections.GetStats("") {
+			common.Connections.Close(stat.ConnectionID, "")
 		}
 		wg.Wait()
-		assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 },
+		assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 },
 			1*time.Second, 100*time.Millisecond)
 
 		err = os.Remove(localDownloadPath)
@@ -2964,7 +2964,7 @@ func TestNestedVirtualFolders(t *testing.T) {
 	assert.NoError(t, err)
 	err = os.RemoveAll(localUser.GetHomeDir())
 	assert.NoError(t, err)
-	assert.Eventually(t, func() bool { return len(common.Connections.GetStats()) == 0 },
+	assert.Eventually(t, func() bool { return len(common.Connections.GetStats("")) == 0 },
 		1*time.Second, 100*time.Millisecond)
 }
 

openapi/openapi.yaml

@@ -10,6 +10,7 @@ tags:
   - name: quota
   - name: folders
   - name: groups
+  - name: roles
   - name: users
   - name: data retention
   - name: events
@@ -27,7 +28,7 @@ info:
     SFTPGo supports groups to simplify the administration of multiple accounts by letting you assign settings once to a group, instead of multiple times to each individual user.
     The SFTPGo WebClient allows end users to change their credentials, browse and manage their files in the browser and setup two-factor authentication which works with Authy, Google Authenticator and other compatible apps.
     From the WebClient each authorized user can also create HTTP/S links to externally share files and folders securely, by setting limits to the number of downloads/uploads, protecting the share with a password, limiting access by source IP address, setting an automatic expiration date.
-  version: 2.4.0-dev
+  version: 2.4.1-dev
   contact:
     name: API support
     url: 'https://github.com/drakkan/sftpgo'
@@ -1666,6 +1667,181 @@ paths:
           $ref: '#/components/responses/InternalServerError'
         default:
           $ref: '#/components/responses/DefaultResponse'
+  /roles:
+    get:
+      tags:
+        - roles
+      summary: Get roles
+      description: Returns an array with one or more roles
+      operationId: get_roles
+      parameters:
+        - in: query
+          name: offset
+          schema:
+            type: integer
+            minimum: 0
+            default: 0
+          required: false
+        - in: query
+          name: limit
+          schema:
+            type: integer
+            minimum: 1
+            maximum: 500
+            default: 100
+          required: false
+          description: 'The maximum number of items to return. Max value is 500, default is 100'
+        - in: query
+          name: order
+          required: false
+          description: Ordering groups by name. Default ASC
+          schema:
+            type: string
+            enum:
+              - ASC
+              - DESC
+            example: ASC
+      responses:
+        '200':
+          description: successful operation
+          content:
+            application/json:
+              schema:
+                type: array
+                items:
+                  $ref: '#/components/schemas/Role'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '403':
+          $ref: '#/components/responses/Forbidden'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+        default:
+          $ref: '#/components/responses/DefaultResponse'
+    post:
+      tags:
+        - roles
+      summary: Add role
+      operationId: add_role
+      description: Adds a new role
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/Role'
+      responses:
+        '201':
+          description: successful operation
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Role'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '403':
+          $ref: '#/components/responses/Forbidden'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+        default:
+          $ref: '#/components/responses/DefaultResponse'
+  '/roles/{name}':
+    parameters:
+      - name: name
+        in: path
+        description: role name
+        required: true
+        schema:
+          type: string
+    get:
+      tags:
+        - roles
+      summary: Find roles by name
+      description: Returns the role with the given name if it exists.
+      operationId: get_role_by_name
+      responses:
+        '200':
+          description: successful operation
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Role'
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '403':
+          $ref: '#/components/responses/Forbidden'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+        default:
+          $ref: '#/components/responses/DefaultResponse'
+    put:
+      tags:
+        - roles
+      summary: Update role
+      description: Updates an existing role
+      operationId: update_role
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/Role'
+      responses:
+        '200':
+          description: successful operation
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ApiResponse'
+              example:
+                message: Group updated
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '403':
+          $ref: '#/components/responses/Forbidden'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+        default:
+          $ref: '#/components/responses/DefaultResponse'
+    delete:
+      tags:
+        - roles
+      summary: Delete role
+      description: Deletes an existing role
+      operationId: delete_role
+      responses:
+        '200':
+          description: successful operation
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/ApiResponse'
+              example:
+                message: Group deleted
+        '400':
+          $ref: '#/components/responses/BadRequest'
+        '401':
+          $ref: '#/components/responses/Unauthorized'
+        '403':
+          $ref: '#/components/responses/Forbidden'
+        '404':
+          $ref: '#/components/responses/NotFound'
+        '500':
+          $ref: '#/components/responses/InternalServerError'
+        default:
+          $ref: '#/components/responses/DefaultResponse'
   /eventactions:
     get:
       tags:
@@ -4269,6 +4445,7 @@ components:
         - close_conns
         - view_status
         - manage_admins
+        - manage_groups
         - manage_apikeys
         - quota_scans
         - manage_system
@@ -4278,6 +4455,7 @@ components:
         - metadata_checks
         - view_events
         - manage_event_rules
+        - manager_roles
       description: |
         Admin permissions:
           * `*` - all permissions are granted
@@ -4289,6 +4467,7 @@ components:
           * `close_conns` - close active connections is allowed
           * `view_status` - view the server status is allowed
           * `manage_admins` - manage other admins is allowed
+          * `manage_groups` - manage groups is allowed
           * `manage_apikeys` - manage API keys is allowed
           * `quota_scans` - view and start quota scans is allowed
           * `manage_system` - backups and restores are allowed
@@ -4298,6 +4477,7 @@ components:
           * `metadata_checks` - view and start metadata checks is allowed
           * `view_events` - view and search filesystem and provider events is allowed
           * `manage_event_rules` - manage event actions and rules is allowed
+          * `manager_roles` - manage roles is allowed
     FsProviders:
       type: integer
       enum:
@@ -4538,6 +4718,7 @@ components:
         - share
         - event_action
         - event_rule
+        - role
     SSHAuthentications:
       type: string
       enum:
@@ -5211,6 +5392,8 @@ components:
           type: object
           additionalProperties: true
           description: 'This field is passed to the pre-login hook if custom OIDC token fields have been configured. Field values can be of any type (this is a free form object) and depend on the type of the configured OIDC token fields'
+        role:
+          type: string
     AdminPreferences:
       type: object
       properties:
@@ -5297,6 +5480,9 @@ components:
           type: integer
           format: int64
           description: Last user login as unix timestamp in milliseconds. It is saved at most once every 10 minutes
+        role:
+          type: string
+          description: 'If set the admin can only administer users with the same role. Role admins cannot have the following permissions: "manage_admins", "manage_apikeys", "manage_system", "manage_event_rules", "manage_roles", "view_events"'
     AdminProfile:
       type: object
       properties:
@@ -5840,6 +6026,37 @@ components:
           description: 'Maximum total data transfer as MB'
         filters:
           $ref: '#/components/schemas/BaseUserFilters'
+    Role:
+      type: object
+      properties:
+        id:
+          type: integer
+          format: int32
+          minimum: 1
+        name:
+          type: string
+          description: name is unique
+        description:
+          type: string
+          description: 'optional description'
+        created_at:
+          type: integer
+          format: int64
+          description: creation time as unix timestamp in milliseconds
+        updated_at:
+          type: integer
+          format: int64
+          description: last update time as unix timestamp in milliseconds
+        users:
+          type: array
+          items:
+            type: string
+          description: list of usernames associated with this group
+        admins:
+          type: array
+          items:
+            type: string
+          description: list of admins usernames associated with this group
     Group:
       type: object
       properties:
@@ -5942,6 +6159,18 @@ components:
           type: array
           items:
             $ref: '#/components/schemas/Share'
+        event_actions:
+          type: array
+          items:
+            $ref: '#/components/schemas/EventAction'
+        event_rules:
+          type: array
+          items:
+            $ref: '#/components/schemas/EventRule'
+        roles:
+          type: array
+          items:
+            $ref: '#/components/schemas/Role'
         version:
           type: integer
     PwdChange:

pkgs/build.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 
-NFPM_VERSION=2.21.0
+NFPM_VERSION=2.22.0
 NFPM_ARCH=${NFPM_ARCH:-amd64}
 if [ -z ${SFTPGO_VERSION} ]
 then

pkgs/choco/sftpgo.nuspec

@@ -3,17 +3,17 @@
 <package xmlns="http://schemas.microsoft.com/packaging/2015/06/nuspec.xsd">
 	<metadata>
 		<id>sftpgo</id>
-		<version>2.4.0</version>
+		<version>2.4.1</version>
 		<packageSourceUrl>https://github.com/drakkan/sftpgo/tree/main/pkgs/choco</packageSourceUrl>
 		<owners>asheroto</owners>
 		<title>SFTPGo</title>
 		<authors>Nicola Murino</authors>
 		<projectUrl>https://github.com/drakkan/sftpgo</projectUrl>
-		<iconUrl>https://cdn.statically.io/gh/drakkan/sftpgo/v2.4.0/static/img/logo.png</iconUrl>
+		<iconUrl>https://cdn.statically.io/gh/drakkan/sftpgo/v2.4.1/static/img/logo.png</iconUrl>
 		<licenseUrl>https://github.com/drakkan/sftpgo/blob/main/LICENSE</licenseUrl>
 		<requireLicenseAcceptance>false</requireLicenseAcceptance>
 		<projectSourceUrl>https://github.com/drakkan/sftpgo</projectSourceUrl>
-		<docsUrl>https://github.com/drakkan/sftpgo/tree/v2.4.0/docs</docsUrl>
+		<docsUrl>https://github.com/drakkan/sftpgo/tree/v2.4.1/docs</docsUrl>
 		<bugTrackerUrl>https://github.com/drakkan/sftpgo/issues</bugTrackerUrl>
 		<tags>sftp sftp-server ftp webdav s3 azure-blob google-cloud-storage cloud-storage scp data-at-rest-encryption multi-factor-authentication multi-step-authentication</tags>
 		<summary>Fully featured and highly configurable SFTP server with optional HTTP/S,FTP/S and WebDAV support.</summary>
@@ -32,7 +32,7 @@ You can find more info [here](https://github.com/drakkan/sftpgo).
 
 * This package installs SFTPGo as Windows Service.
 * After the first installation please take a look at the [Getting Started Guide](https://github.com/drakkan/sftpgo/blob/main/docs/howto/getting-started.md).</description>
-		<releaseNotes>https://github.com/drakkan/sftpgo/releases/tag/v2.4.0</releaseNotes>
+		<releaseNotes>https://github.com/drakkan/sftpgo/releases/tag/v2.4.1</releaseNotes>
 	</metadata>
 	<files>
 		<file src="**" exclude="**\*.md;**\icon.png;**\icon.jpg;**\icon.svg" />

pkgs/choco/tools/ChocolateyInstall.ps1

@@ -1,8 +1,8 @@
 $ErrorActionPreference  = 'Stop'
 $packageName    = 'sftpgo'
 $softwareName   = 'SFTPGo'
-$url            = 'https://github.com/drakkan/sftpgo/releases/download/v2.4.0/sftpgo_v2.4.0_windows_x86_64.exe'
-$checksum       = 'D8503BF3C5F606C3445D1286C8C5CA54476EC751E2CE0D4EAAE5EB4903C09412'
+$url            = 'https://github.com/drakkan/sftpgo/releases/download/v2.4.1/sftpgo_v2.4.1_windows_x86_64.exe'
+$checksum       = 'AC199E8DE1F90ACE0B310FA2DEB4D84F5A8E1D592CB11F8C79DA3F4C9AC8517E'
 $silentArgs     = '/VERYSILENT'
 $validExitCodes = @(0)
 
@@ -47,8 +47,8 @@ Write-Output ""
 Write-Output "General information (README) location:"
 Write-Output "`thttps://github.com/drakkan/sftpgo"
 Write-Output "Getting started guide location:"
-Write-Output "`thttps://github.com/drakkan/sftpgo/blob/v2.4.0/docs/howto/getting-started.md"
+Write-Output "`thttps://github.com/drakkan/sftpgo/blob/v2.4.1/docs/howto/getting-started.md"
 Write-Output "Detailed information (docs folder) location:"
-Write-Output "`thttps://github.com/drakkan/sftpgo/tree/v2.4.0/docs"
+Write-Output "`thttps://github.com/drakkan/sftpgo/tree/v2.4.1/docs"
 Write-Output ""
 Write-Output "---------------------------"

pkgs/debian/changelog

@@ -1,3 +1,9 @@
+sftpgo (2.4.1-1ppa1) bionic; urgency=medium
+
+  * New upstream release
+
+ -- Nicola Murino <nicola.murino@gmail.com>  Sun, 13 Nov 2022 07:34:04 +0100
+
 sftpgo (2.4.0-1ppa1) bionic; urgency=medium
 
   * New upstream release

templates/webadmin/admin.html

@@ -96,6 +96,26 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
                 </div>
             </div>
 
+            <div class="card bg-light mb-3">
+                <div class="card-header">
+                    <b>Role</b>
+                </div>
+                <div class="card-body">
+                    <h6 class="card-title mb-4">Setting a role limit the administrator to only manage users with the same role. Role administrators cannot have the following permissions: "manage_admins", "manage_roles", "manage_event_rules", "manage_apikeys", "manage_system"</h6>
+                    <div class="form-group row">
+                        <label for="idRole" class="col-sm-2 col-form-label">Role</label>
+                        <div class="col-sm-10">
+                            <select class="form-control selectpicker" data-live-search="true" id="idRole" name="role">
+                                <option value=""></option>
+                                {{- range .Roles}}
+                                <option value="{{.Name}}" {{if eq $.Admin.Role .Name}}selected{{end}}>{{.Name}}</option>
+                                {{- end}}
+                            </select>
+                        </div>
+                    </div>
+                </div>
+            </div>
+
             <div class="card bg-light mb-3">
                 <div class="card-header">
                     <b>Groups for users</b>

templates/webadmin/admins.html

@@ -55,6 +55,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
                         <th>Email</th>
                         <th>Description</th>
                         <th>Groups for users</th>
+                        <th>Role</th>
                     </tr>
                 </thead>
                 <tbody>
@@ -70,6 +71,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
                         <td>{{.Email}}</td>
                         <td>{{.Description}}</td>
                         <td>{{.GetGroupsAsString}}</td>
+                        <td>{{.Role}}</td>
                     </tr>
                     {{end}}
 
@@ -233,7 +235,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
                     "visible": false,
                 },
                 {
-                    "targets": [5,7,8],
+                    "targets": [5,7,8,10],
                     "visible": false,
                 },
                 {

templates/webadmin/base.html

@@ -121,6 +121,14 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
             </li>
             {{end}}
 
+            {{ if .LoggedAdmin.HasPermission "manage_roles"}}
+            <li class="nav-item {{if eq .CurrentURL .RolesURL}}active{{end}}">
+                <a class="nav-link" href="{{.RolesURL}}">
+                    <i class="fas fa-user-lock"></i>
+                    <span>{{.RolesTitle}}</span></a>
+            </li>
+            {{end}}
+
             {{ if .LoggedAdmin.HasPermission "manage_admins"}}
             <li class="nav-item {{if eq .CurrentURL .AdminsURL}}active{{end}}">
                 <a class="nav-link" href="{{.AdminsURL}}">

templates/webadmin/role.html

@@ -0,0 +1,62 @@
+<!--
+Copyright (C) 2019-2022  Nicola Murino
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published
+by the Free Software Foundation, version 3.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
+-->
+{{template "base" .}}
+
+{{define "title"}}{{.Title}}{{end}}
+
+{{define "extra_css"}}
+<link href="{{.StaticURL}}/vendor/bootstrap-select/css/bootstrap-select.min.css" rel="stylesheet">
+{{end}}
+
+{{define "page_body"}}
+<!-- Page Heading -->
+<div class="card shadow mb-4">
+    <div class="card-header py-3">
+        <h6 class="m-0 font-weight-bold text-primary">{{.Title}}</h6>
+    </div>
+    <div class="card-body">
+        {{if .Error}}
+        <div class="card mb-4 border-left-warning">
+            <div class="card-body text-form-error">{{.Error}}</div>
+        </div>
+        {{end}}
+        <form id="role_form" action="{{.CurrentURL}}" method="POST" autocomplete="off">
+            <div class="form-group row">
+                <label for="idRoleName" class="col-sm-2 col-form-label">Name</label>
+                <div class="col-sm-10">
+                    <input type="text" class="form-control" id="idRoleName" name="name" placeholder=""
+                        value="{{.Role.Name}}" maxlength="255" autocomplete="nope" required {{if eq .Mode 2}}readonly{{end}}>
+                </div>
+            </div>
+            <div class="form-group row">
+                <label for="idDescription" class="col-sm-2 col-form-label">Description</label>
+                <div class="col-sm-10">
+                    <input type="text" class="form-control" id="idDescription" name="description" placeholder=""
+                        value="{{.Role.Description}}" maxlength="255" aria-describedby="descriptionHelpBlock">
+                    <small id="descriptionHelpBlock" class="form-text text-muted">
+                        Optional description
+                    </small>
+                </div>
+            </div>
+
+            <input type="hidden" name="_form_token" value="{{.CSRFToken}}">
+            <div class="col-sm-12 text-right px-0">
+                <button type="submit" class="btn btn-primary mt-3 ml-3 px-5" name="form_action" value="submit">Submit</button>
+            </div>
+        </form>
+    </div>
+</div>
+{{end}}

templates/webadmin/roles.html

@@ -0,0 +1,222 @@
+<!--
+Copyright (C) 2019-2022  Nicola Murino
+
+This program is free software: you can redistribute it and/or modify
+it under the terms of the GNU Affero General Public License as published
+by the Free Software Foundation, version 3.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU Affero General Public License for more details.
+
+You should have received a copy of the GNU Affero General Public License
+along with this program.  If not, see <https://www.gnu.org/licenses/>.
+-->
+{{template "base" .}}
+
+{{define "title"}}{{.Title}}{{end}}
+
+{{define "extra_css"}}
+<link href="{{.StaticURL}}/vendor/datatables/dataTables.bootstrap4.min.css" rel="stylesheet">
+<link href="{{.StaticURL}}/vendor/datatables/buttons.bootstrap4.min.css" rel="stylesheet">
+<link href="{{.StaticURL}}/vendor/datatables/fixedHeader.bootstrap4.min.css" rel="stylesheet">
+<link href="{{.StaticURL}}/vendor/datatables/responsive.bootstrap4.min.css" rel="stylesheet">
+<link href="{{.StaticURL}}/vendor/datatables/select.bootstrap4.min.css" rel="stylesheet">
+{{end}}
+
+{{define "page_body"}}
+<div id="errorMsg" class="card mb-4 border-left-warning" style="display: none;">
+    <div id="errorTxt" class="card-body text-form-error"></div>
+</div>
+
+<div class="card shadow mb-4">
+    <div class="card-header py-3">
+        <h6 class="m-0 font-weight-bold text-primary">View and manage roles</h6>
+    </div>
+    <div class="card-body">
+        <div class="table-responsive">
+            <table class="table table-hover nowrap" id="dataTable" width="100%" cellspacing="0">
+                <thead>
+                    <tr>
+                        <th>Name</th>
+                        <th>Description</th>
+                        <th>Members</th>
+                    </tr>
+                </thead>
+                <tbody>
+                    {{range .Roles}}
+                    <tr>
+                        <td>{{.Name}}</td>
+                        <td>{{.Description}}</td>
+                        <td>{{.GetMembersAsString}}</td>
+                    </tr>
+                    {{end}}
+                </tbody>
+            </table>
+        </div>
+    </div>
+</div>
+{{end}}
+
+{{define "dialog"}}
+<div class="modal fade" id="deleteModal" tabindex="-1" role="dialog" aria-labelledby="deleteModalLabel"
+    aria-hidden="true">
+    <div class="modal-dialog" role="document">
+        <div class="modal-content">
+            <div class="modal-header">
+                <h5 class="modal-title" id="deleteModalLabel">
+                    Confirmation required
+                </h5>
+                <button class="close" type="button" data-dismiss="modal" aria-label="Close">
+                    <span aria-hidden="true">&times;</span>
+                </button>
+            </div>
+            <div class="modal-body">Do you want to delete the selected role? It is not possible to remove a role that does contain administrators</div>
+            <div class="modal-footer">
+                <button class="btn btn-secondary" type="button" data-dismiss="modal">
+                    Cancel
+                </button>
+                <a class="btn btn-warning" href="#" onclick="deleteAction()">
+                    Delete
+                </a>
+            </div>
+        </div>
+    </div>
+</div>
+{{end}}
+
+{{define "extra_js"}}
+<script src="{{.StaticURL}}/vendor/datatables/jquery.dataTables.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/dataTables.bootstrap4.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/dataTables.buttons.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/buttons.bootstrap4.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/buttons.colVis.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/dataTables.fixedHeader.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/dataTables.responsive.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/responsive.bootstrap4.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/dataTables.select.min.js"></script>
+<script src="{{.StaticURL}}/vendor/datatables/ellipsis.js"></script>
+<script type="text/javascript">
+
+    function deleteAction() {
+        var table = $('#dataTable').DataTable();
+        table.button('delete:name').enable(false);
+        var roleName = table.row({ selected: true }).data()[0];
+        var path = '{{.RoleURL}}' + "/" + fixedEncodeURIComponent(roleName);
+        $('#deleteModal').modal('hide');
+        $.ajax({
+            url: path,
+            type: 'DELETE',
+            dataType: 'json',
+            headers: {'X-CSRF-TOKEN' : '{{.CSRFToken}}'},
+            timeout: 15000,
+            success: function (result) {
+                window.location.href = '{{.RolesURL}}';
+            },
+            error: function ($xhr, textStatus, errorThrown) {
+                var txt = "Unable to delete the selected role";
+                if ($xhr) {
+                    var json = $xhr.responseJSON;
+                    if (json) {
+                        if (json.message){
+                            txt += ": " + json.message;
+                        } else {
+                            txt += ": " + json.error;
+                        }
+                    }
+                }
+                $('#errorTxt').text(txt);
+                $('#errorMsg').show();
+                setTimeout(function () {
+                    $('#errorMsg').hide();
+                }, 5000);
+            }
+        });
+    }
+
+    $(document).ready(function () {
+        $.fn.dataTable.ext.buttons.add = {
+            text: '<i class="fas fa-plus"></i>',
+            name: 'add',
+            titleAttr: "Add",
+            action: function (e, dt, node, config) {
+                window.location.href = '{{.RoleURL}}';
+            }
+        };
+
+        $.fn.dataTable.ext.buttons.edit = {
+            text: '<i class="fas fa-pen"></i>',
+            name: 'edit',
+            titleAttr: "Edit",
+            action: function (e, dt, node, config) {
+                var roleName = table.row({ selected: true }).data()[0];
+                var path = '{{.RoleURL}}' + "/" + fixedEncodeURIComponent(roleName);
+                window.location.href = path;
+            },
+            enabled: false
+        };
+
+        $.fn.dataTable.ext.buttons.delete = {
+            text: '<i class="fas fa-trash"></i>',
+            name: 'delete',
+            titleAttr: "Delete",
+            action: function (e, dt, node, config) {
+                $('#deleteModal').modal('show');
+            },
+            enabled: false
+        };
+
+        var table = $('#dataTable').DataTable({
+            "select": {
+                "style": "single",
+                "blurable": true
+            },
+            "stateSave": true,
+            "stateDuration": 0,
+            "buttons": [
+                {
+                    "text": "Column visibility",
+                    "extend": "colvis",
+                    "columns": ":not(.noVis)"
+                }
+            ],
+            "columnDefs": [
+                {
+                    "targets": [0],
+                    "className": "noVis"
+                },
+                {
+                    "targets": [2],
+                    "render": $.fn.dataTable.render.ellipsis(100, true)
+                },
+            ],
+            "scrollX": false,
+            "scrollY": false,
+            "responsive": true,
+            "language": {
+                "emptyTable": "No role defined"
+            },
+            "order": [[0, 'asc']]
+        });
+
+        new $.fn.dataTable.FixedHeader( table );
+
+        {{if .LoggedAdmin.HasPermission "manage_roles"}}
+        table.button().add(0,'delete');
+        table.button().add(0,'edit');
+        table.button().add(0,'add');
+
+        table.buttons().container().appendTo('.col-md-6:eq(0)', table.table().container());
+
+        table.on('select deselect', function () {
+            var selectedRows = table.rows({ selected: true }).count();
+            table.button('delete:name').enable(selectedRows == 1);
+            table.button('edit:name').enable(selectedRows == 1);
+        });
+        {{end}}
+
+    });
+
+</script>
+{{end}}

templates/webadmin/user.html

@@ -104,6 +104,23 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
             </div>
             {{end}}
 
+            {{if .Roles}}
+            <div class="form-group row">
+                <label for="idRole" class="col-sm-2 col-form-label">Role</label>
+                <div class="col-sm-10">
+                    <select class="form-control selectpicker" data-live-search="true" id="idRole" name="role" aria-describedby="roleHelpBlock">
+                        <option value=""></option>
+                        {{- range .Roles}}
+                        <option value="{{.Name}}" {{if eq $.User.Role .Name}}selected{{end}}>{{.Name}}</option>
+                        {{- end}}
+                    </select>
+                    <small id="roleHelpBlock" class="form-text text-muted">
+                        Users with a role can be managed by global administrators and administrators with the same role
+                    </small>
+                </div>
+            </div>
+            {{end}}
+
             {{if ne .Mode 3}}
             <div class="form-group row">
                 <label for="idPassword" class="col-sm-2 col-form-label">Password</label>

templates/webadmin/users.html

@@ -56,6 +56,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
                         <th>MFA</th>
                         <th>Bandwidth</th>
                         <th>Quota</th>
+                        <th>Role</th>
                         <th>Other</th>
                         <th></th>
                     </tr>
@@ -74,6 +75,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
                         <td>{{.GetMFAStatusAsString}}</td>
                         <td>{{.GetBandwidthAsString}}</td>
                         <td>{{.GetQuotaSummary}}</td>
+                        <td>{{.Role}}</td>
                         <td>{{.GetInfoString}}</td>
                         <td>{{.GetLastQuotaUpdateAsString}}</td>
                     </tr>
@@ -281,7 +283,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
             ],
             "columnDefs": [
                 {
-                    "targets": [0,12],
+                    "targets": [0,13],
                     "visible": false,
                     "searchable": false,
                     "className": "noVis"
@@ -295,7 +297,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
                     "render": $.fn.dataTable.render.datetime()
                 },
                 {
-                    "targets": [4,5,8],
+                    "targets": [4,5,8,11],
                     "visible": false
                 },
                 {
@@ -325,7 +327,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
                     }
                 },
                 {
-                    "targets": [11],
+                    "targets": [12],
                     "visible": false,
                     "render": $.fn.dataTable.render.ellipsis(100, true)
                 }
@@ -349,7 +351,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
         table.button().add(0,'delete');
         {{end}}
 
-        {{if .LoggedAdmin.HasPermission "add_users"}}
+        {{if .LoggedAdmin.HasPermission "manage_system"}}
         table.button().add(0,'template');
         {{end}}