misc_pterodactyl-panel/app/Http/Controllers/Api/Remote/SftpAuthenticationController.php

113 lines
4 KiB
PHP
Raw Normal View History

<?php
2018-01-20 01:58:57 +00:00
namespace Pterodactyl\Http\Controllers\Api\Remote;
use Illuminate\Http\Request;
use Illuminate\Http\JsonResponse;
use Pterodactyl\Models\Permission;
use Pterodactyl\Http\Controllers\Controller;
use Illuminate\Foundation\Auth\ThrottlesLogins;
use Pterodactyl\Repositories\Eloquent\UserRepository;
use Pterodactyl\Exceptions\Http\HttpForbiddenException;
use Pterodactyl\Repositories\Eloquent\ServerRepository;
use Pterodactyl\Services\Servers\GetUserPermissionsService;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
2018-01-20 02:01:56 +00:00
use Pterodactyl\Http\Requests\Api\Remote\SftpAuthenticationFormRequest;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
2019-12-08 00:14:04 +00:00
class SftpAuthenticationController extends Controller
{
use ThrottlesLogins;
2021-03-05 17:03:12 +00:00
private UserRepository $userRepository;
private ServerRepository $serverRepository;
private GetUserPermissionsService $permissionsService;
/**
2021-03-05 17:03:12 +00:00
* SftpAuthenticationController constructor.
*/
public function __construct(
UserRepository $userRepository,
2021-03-05 17:03:12 +00:00
ServerRepository $serverRepository,
GetUserPermissionsService $permissionsService
) {
$this->userRepository = $userRepository;
$this->serverRepository = $serverRepository;
$this->permissionsService = $permissionsService;
}
/**
* Authenticate a set of credentials and return the associated server details
* for a SFTP connection on the daemon.
*
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/
2019-12-08 00:14:04 +00:00
public function __invoke(SftpAuthenticationFormRequest $request): JsonResponse
{
2019-12-08 00:14:04 +00:00
// Reverse the string to avoid issues with usernames that contain periods.
$parts = explode('.', strrev($request->input('username')), 2);
2019-12-08 00:14:04 +00:00
// Unreverse the strings after parsing them apart.
$connection = [
'username' => strrev(array_get($parts, 1)),
'server' => strrev(array_get($parts, 0)),
];
if ($this->hasTooManyLoginAttempts($request)) {
$seconds = $this->limiter()->availableIn($this->throttleKey($request));
2021-01-23 20:33:34 +00:00
throw new TooManyRequestsHttpException($seconds, "Too many login attempts for this account, please try again in {$seconds} seconds.");
}
/** @var \Pterodactyl\Models\Node $node */
$node = $request->attributes->get('node');
if (empty($connection['server'])) {
2021-01-23 20:33:34 +00:00
throw new NotFoundHttpException();
}
/** @var \Pterodactyl\Models\User $user */
$user = $this->userRepository->findFirstWhere([
['username', '=', $connection['username']],
]);
if ($request->input('type') === 'publicKey') {
$verified = true;
} else {
$verified = password_verify($request->input('password'), $user->password);
}
$server = $this->serverRepository->getByUuid($connection['server'] ?? '');
if (!$verified || $server->node_id !== $node->id) {
$this->incrementLoginAttempts($request);
2021-01-23 20:33:34 +00:00
throw new HttpForbiddenException('Authorization credentials were not correct, please try again.');
}
2021-01-23 20:33:34 +00:00
if (!$user->root_admin && $server->owner_id !== $user->id) {
$permissions = $this->permissionsService->handle($server, $user);
2021-01-23 20:33:34 +00:00
if (!in_array(Permission::ACTION_FILE_SFTP, $permissions)) {
throw new HttpForbiddenException('You do not have permission to access SFTP for this server.');
}
}
$server->validateCurrentState();
return new JsonResponse([
'ssh_keys' => $user->sshKeys->pluck('public_key')->toArray(),
'server' => $server->uuid,
'permissions' => $permissions ?? ['*'],
]);
}
/**
* Get the throttle key for the given request.
*/
protected function throttleKey(Request $request): string
{
2019-12-08 00:14:04 +00:00
$username = explode('.', strrev($request->input('username', '')));
return strtolower(strrev($username[0] ?? '') . '|' . $request->ip());
}
}