Revoke JWT JTIs when modifying a subuser's permissions
This commit is contained in:
Dane Everitt
parent
c4df534722
commit
009f9c297d
3 changed files with 69 additions and 13 deletions
|
|
@ -3,15 +3,16 @@
|
||||||
namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
|
namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
|
||||||
|
|
||||||
use Illuminate\Http\Request;
|
use Illuminate\Http\Request;
|
||||||
use Pterodactyl\Models\User;
|
|
||||||
use Pterodactyl\Models\Server;
|
use Pterodactyl\Models\Server;
|
||||||
use Pterodactyl\Models\Subuser;
|
|
||||||
use Illuminate\Http\JsonResponse;
|
use Illuminate\Http\JsonResponse;
|
||||||
use Pterodactyl\Models\Permission;
|
use Pterodactyl\Models\Permission;
|
||||||
|
use Illuminate\Support\Facades\Log;
|
||||||
use Pterodactyl\Repositories\Eloquent\SubuserRepository;
|
use Pterodactyl\Repositories\Eloquent\SubuserRepository;
|
||||||
use Pterodactyl\Services\Subusers\SubuserCreationService;
|
use Pterodactyl\Services\Subusers\SubuserCreationService;
|
||||||
|
use Pterodactyl\Repositories\Wings\DaemonServerRepository;
|
||||||
use Pterodactyl\Transformers\Api\Client\SubuserTransformer;
|
use Pterodactyl\Transformers\Api\Client\SubuserTransformer;
|
||||||
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
|
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
|
||||||
|
use Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException;
|
||||||
use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\GetSubuserRequest;
|
use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\GetSubuserRequest;
|
||||||
use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\StoreSubuserRequest;
|
use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\StoreSubuserRequest;
|
||||||
use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\DeleteSubuserRequest;
|
use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\DeleteSubuserRequest;
|
||||||
|
|
@ -29,20 +30,28 @@ class SubuserController extends ClientApiController
|
||||||
*/
|
*/
|
||||||
private $creationService;
|
private $creationService;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @var \Pterodactyl\Repositories\Wings\DaemonServerRepository
|
||||||
|
*/
|
||||||
|
private $serverRepository;
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* SubuserController constructor.
|
* SubuserController constructor.
|
||||||
*
|
*
|
||||||
* @param \Pterodactyl\Repositories\Eloquent\SubuserRepository $repository
|
* @param \Pterodactyl\Repositories\Eloquent\SubuserRepository $repository
|
||||||
* @param \Pterodactyl\Services\Subusers\SubuserCreationService $creationService
|
* @param \Pterodactyl\Services\Subusers\SubuserCreationService $creationService
|
||||||
|
* @param \Pterodactyl\Repositories\Wings\DaemonServerRepository $serverRepository
|
||||||
*/
|
*/
|
||||||
public function __construct(
|
public function __construct(
|
||||||
SubuserRepository $repository,
|
SubuserRepository $repository,
|
||||||
SubuserCreationService $creationService
|
SubuserCreationService $creationService,
|
||||||
|
DaemonServerRepository $serverRepository
|
||||||
) {
|
) {
|
||||||
parent::__construct();
|
parent::__construct();
|
||||||
|
|
||||||
$this->repository = $repository;
|
$this->repository = $repository;
|
||||||
$this->creationService = $creationService;
|
$this->creationService = $creationService;
|
||||||
|
$this->serverRepository = $serverRepository;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -101,20 +110,39 @@ class SubuserController extends ClientApiController
|
||||||
* Update a given subuser in the system for the server.
|
* Update a given subuser in the system for the server.
|
||||||
*
|
*
|
||||||
* @param \Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\UpdateSubuserRequest $request
|
* @param \Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\UpdateSubuserRequest $request
|
||||||
|
* @param \Pterodactyl\Models\Server $server
|
||||||
* @return array
|
* @return array
|
||||||
*
|
*
|
||||||
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
|
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
|
||||||
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
|
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
|
||||||
*/
|
*/
|
||||||
public function update(UpdateSubuserRequest $request): array
|
public function update(UpdateSubuserRequest $request, Server $server): array
|
||||||
{
|
{
|
||||||
/** @var \Pterodactyl\Models\Subuser $subuser */
|
/** @var \Pterodactyl\Models\Subuser $subuser */
|
||||||
$subuser = $request->attributes->get('subuser');
|
$subuser = $request->attributes->get('subuser');
|
||||||
|
|
||||||
|
$permissions = $this->getDefaultPermissions($request);
|
||||||
|
$current = $subuser->permissions;
|
||||||
|
|
||||||
|
sort($permissions);
|
||||||
|
sort($current);
|
||||||
|
|
||||||
|
// Only update the database and hit up the Wings instance to invalidate JTI's if the permissions
|
||||||
|
// have actually changed for the user.
|
||||||
|
if ($permissions !== $current) {
|
||||||
$this->repository->update($subuser->id, [
|
$this->repository->update($subuser->id, [
|
||||||
'permissions' => $this->getDefaultPermissions($request),
|
'permissions' => $this->getDefaultPermissions($request),
|
||||||
]);
|
]);
|
||||||
|
|
||||||
|
try {
|
||||||
|
$this->serverRepository->setServer($server)->revokeJTIs([md5($subuser->user_id . $server->uuid)]);
|
||||||
|
} catch (DaemonConnectionException $exception) {
|
||||||
|
// Don't block this request if we can't connect to the Wings instance. Chances are it is
|
||||||
|
// offline in this event and the token will be invalid anyways once Wings boots back.
|
||||||
|
Log::warning($exception, ['user_id' => $subuser->user_id, 'server_id' => $server->id]);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
return $this->fractal->item($subuser->refresh())
|
return $this->fractal->item($subuser->refresh())
|
||||||
->transformWith($this->getTransformer(SubuserTransformer::class))
|
->transformWith($this->getTransformer(SubuserTransformer::class))
|
||||||
->toArray();
|
->toArray();
|
||||||
|
|
@ -124,15 +152,23 @@ class SubuserController extends ClientApiController
|
||||||
* Removes a subusers from a server's assignment.
|
* Removes a subusers from a server's assignment.
|
||||||
*
|
*
|
||||||
* @param \Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\DeleteSubuserRequest $request
|
* @param \Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\DeleteSubuserRequest $request
|
||||||
|
* @param \Pterodactyl\Models\Server $server
|
||||||
* @return \Illuminate\Http\JsonResponse
|
* @return \Illuminate\Http\JsonResponse
|
||||||
*/
|
*/
|
||||||
public function delete(DeleteSubuserRequest $request)
|
public function delete(DeleteSubuserRequest $request, Server $server)
|
||||||
{
|
{
|
||||||
/** @var \Pterodactyl\Models\Subuser $subuser */
|
/** @var \Pterodactyl\Models\Subuser $subuser */
|
||||||
$subuser = $request->attributes->get('subuser');
|
$subuser = $request->attributes->get('subuser');
|
||||||
|
|
||||||
$this->repository->delete($subuser->id);
|
$this->repository->delete($subuser->id);
|
||||||
|
|
||||||
|
try {
|
||||||
|
$this->serverRepository->revokeJTIs([md5($subuser->user_id . $server->uuid)]);
|
||||||
|
} catch (DaemonConnectionException $exception) {
|
||||||
|
// Don't block this request if we can't connect to the Wings instance.
|
||||||
|
Log::warning($exception, ['user_id' => $subuser->user_id, 'server_id' => $server->id]);
|
||||||
|
}
|
||||||
|
|
||||||
return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
|
return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -59,7 +59,7 @@ class WebsocketController extends ClientApiController
|
||||||
}
|
}
|
||||||
|
|
||||||
$token = $this->jwtService
|
$token = $this->jwtService
|
||||||
->setExpiresAt(CarbonImmutable::now()->addMinutes(15))
|
->setExpiresAt(CarbonImmutable::now()->addMinutes(10))
|
||||||
->setClaims([
|
->setClaims([
|
||||||
'user_id' => $request->user()->id,
|
'user_id' => $request->user()->id,
|
||||||
'server_uuid' => $server->uuid,
|
'server_uuid' => $server->uuid,
|
||||||
|
|
|
||||||
|
|
@ -126,11 +126,10 @@ class DaemonServerRepository extends DaemonRepository
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Requests the daemon to create a full archive of the server.
|
* Requests the daemon to create a full archive of the server. Once the daemon is finished
|
||||||
* Once the daemon is finished they will send a POST request to
|
* they will send a POST request to "/api/remote/servers/{uuid}/archive" with a boolean.
|
||||||
* "/api/remote/servers/{uuid}/archive" with a boolean.
|
|
||||||
*
|
*
|
||||||
* @throws DaemonConnectionException
|
* @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException
|
||||||
*/
|
*/
|
||||||
public function requestArchive(): void
|
public function requestArchive(): void
|
||||||
{
|
{
|
||||||
|
|
@ -144,4 +143,25 @@ class DaemonServerRepository extends DaemonRepository
|
||||||
throw new DaemonConnectionException($exception);
|
throw new DaemonConnectionException($exception);
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Revokes an array of JWT JTI's by marking any token generated before the current time on
|
||||||
|
* the Wings instance as being invalid.
|
||||||
|
*
|
||||||
|
* @param array $jtis
|
||||||
|
* @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException
|
||||||
|
*/
|
||||||
|
public function revokeJTIs(array $jtis): void
|
||||||
|
{
|
||||||
|
Assert::isInstanceOf($this->server, Server::class);
|
||||||
|
|
||||||
|
try {
|
||||||
|
$this->getHttpClient()
|
||||||
|
->post(sprintf('/api/servers/%s/ws/deny', $this->server->uuid), [
|
||||||
|
'json' => ['jtis' => $jtis],
|
||||||
|
]);
|
||||||
|
} catch (TransferException $exception) {
|
||||||
|
throw new DaemonConnectionException($exception);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue