Skynet/misc_pterodactyl-panel
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Revoke JWT JTIs when modifying a subuser's permissions

Browse source
This commit is contained in:
Dane Everitt 2020-11-03 21:01:15 -08:00
parent c4df534722
commit 009f9c297d
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
3 changed files with 69 additions and 13 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

52
app/Http/Controllers/Api/Client/Servers/SubuserController.php
View file

@ -3,15 +3,16 @@
namespace Pterodactyl\Http\Controllers\Api\Client\Servers; namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
use Illuminate\Http\Request; use Illuminate\Http\Request;
use Pterodactyl\Models\User;
use Pterodactyl\Models\Server; use Pterodactyl\Models\Server;
use Pterodactyl\Models\Subuser;
use Illuminate\Http\JsonResponse; use Illuminate\Http\JsonResponse;
use Pterodactyl\Models\Permission; use Pterodactyl\Models\Permission;
use Illuminate\Support\Facades\Log;
use Pterodactyl\Repositories\Eloquent\SubuserRepository; use Pterodactyl\Repositories\Eloquent\SubuserRepository;
use Pterodactyl\Services\Subusers\SubuserCreationService; use Pterodactyl\Services\Subusers\SubuserCreationService;
use Pterodactyl\Repositories\Wings\DaemonServerRepository;
use Pterodactyl\Transformers\Api\Client\SubuserTransformer; use Pterodactyl\Transformers\Api\Client\SubuserTransformer;
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController; use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
use Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException;
use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\GetSubuserRequest; use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\GetSubuserRequest;
use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\StoreSubuserRequest; use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\StoreSubuserRequest;
use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\DeleteSubuserRequest; use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\DeleteSubuserRequest;
@ -29,20 +30,28 @@ class SubuserController extends ClientApiController
*/ */
private $creationService; private $creationService;
/**
* @var \Pterodactyl\Repositories\Wings\DaemonServerRepository
*/
private $serverRepository;
/** /**
* SubuserController constructor. * SubuserController constructor.
* *
* @param \Pterodactyl\Repositories\Eloquent\SubuserRepository $repository * @param \Pterodactyl\Repositories\Eloquent\SubuserRepository $repository
* @param \Pterodactyl\Services\Subusers\SubuserCreationService $creationService * @param \Pterodactyl\Services\Subusers\SubuserCreationService $creationService
* @param \Pterodactyl\Repositories\Wings\DaemonServerRepository $serverRepository
*/ */
public function __construct( public function __construct(
SubuserRepository $repository, SubuserRepository $repository,
SubuserCreationService $creationService SubuserCreationService $creationService,
DaemonServerRepository $serverRepository
) { ) {
parent::__construct(); parent::__construct();
$this->repository = $repository; $this->repository = $repository;
$this->creationService = $creationService; $this->creationService = $creationService;
$this->serverRepository = $serverRepository;
} }
/** /**
@ -101,19 +110,38 @@ class SubuserController extends ClientApiController
* Update a given subuser in the system for the server. * Update a given subuser in the system for the server.
* *
* @param \Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\UpdateSubuserRequest $request * @param \Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\UpdateSubuserRequest $request
* @param \Pterodactyl\Models\Server $server
* @return array * @return array
* *
* @throws \Pterodactyl\Exceptions\Model\DataValidationException * @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/ */
public function update(UpdateSubuserRequest $request): array public function update(UpdateSubuserRequest $request, Server $server): array
{ {
/** @var \Pterodactyl\Models\Subuser $subuser */ /** @var \Pterodactyl\Models\Subuser $subuser */
$subuser = $request->attributes->get('subuser'); $subuser = $request->attributes->get('subuser');
$this->repository->update($subuser->id, [ $permissions = $this->getDefaultPermissions($request);
'permissions' => $this->getDefaultPermissions($request), $current = $subuser->permissions;
]);
sort($permissions);
sort($current);
// Only update the database and hit up the Wings instance to invalidate JTI's if the permissions
// have actually changed for the user.
if ($permissions !== $current) {
$this->repository->update($subuser->id, [
'permissions' => $this->getDefaultPermissions($request),
]);
try {
$this->serverRepository->setServer($server)->revokeJTIs([md5($subuser->user_id . $server->uuid)]);
} catch (DaemonConnectionException $exception) {
// Don't block this request if we can't connect to the Wings instance. Chances are it is
// offline in this event and the token will be invalid anyways once Wings boots back.
Log::warning($exception, ['user_id' => $subuser->user_id, 'server_id' => $server->id]);
}
}
return $this->fractal->item($subuser->refresh()) return $this->fractal->item($subuser->refresh())
->transformWith($this->getTransformer(SubuserTransformer::class)) ->transformWith($this->getTransformer(SubuserTransformer::class))
@ -124,15 +152,23 @@ class SubuserController extends ClientApiController
* Removes a subusers from a server's assignment. * Removes a subusers from a server's assignment.
* *
* @param \Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\DeleteSubuserRequest $request * @param \Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\DeleteSubuserRequest $request
* @param \Pterodactyl\Models\Server $server
* @return \Illuminate\Http\JsonResponse * @return \Illuminate\Http\JsonResponse
*/ */
public function delete(DeleteSubuserRequest $request) public function delete(DeleteSubuserRequest $request, Server $server)
{ {
/** @var \Pterodactyl\Models\Subuser $subuser */ /** @var \Pterodactyl\Models\Subuser $subuser */
$subuser = $request->attributes->get('subuser'); $subuser = $request->attributes->get('subuser');
$this->repository->delete($subuser->id); $this->repository->delete($subuser->id);
try {
$this->serverRepository->revokeJTIs([md5($subuser->user_id . $server->uuid)]);
} catch (DaemonConnectionException $exception) {
// Don't block this request if we can't connect to the Wings instance.
Log::warning($exception, ['user_id' => $subuser->user_id, 'server_id' => $server->id]);
}
return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT); return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
} }

2
app/Http/Controllers/Api/Client/Servers/WebsocketController.php
View file

@ -59,7 +59,7 @@ class WebsocketController extends ClientApiController
} }
$token = $this->jwtService $token = $this->jwtService
->setExpiresAt(CarbonImmutable::now()->addMinutes(15)) ->setExpiresAt(CarbonImmutable::now()->addMinutes(10))
->setClaims([ ->setClaims([
'user_id' => $request->user()->id, 'user_id' => $request->user()->id,
'server_uuid' => $server->uuid, 'server_uuid' => $server->uuid,

28
app/Repositories/Wings/DaemonServerRepository.php
View file

@ -126,11 +126,10 @@ class DaemonServerRepository extends DaemonRepository
} }
/** /**
* Requests the daemon to create a full archive of the server. * Requests the daemon to create a full archive of the server. Once the daemon is finished
* Once the daemon is finished they will send a POST request to * they will send a POST request to "/api/remote/servers/{uuid}/archive" with a boolean.
* "/api/remote/servers/{uuid}/archive" with a boolean.
* *
* @throws DaemonConnectionException * @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException
*/ */
public function requestArchive(): void public function requestArchive(): void
{ {
@ -144,4 +143,25 @@ class DaemonServerRepository extends DaemonRepository
throw new DaemonConnectionException($exception); throw new DaemonConnectionException($exception);
} }
} }
/**
* Revokes an array of JWT JTI's by marking any token generated before the current time on
* the Wings instance as being invalid.
*
* @param array $jtis
* @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException
*/
public function revokeJTIs(array $jtis): void
{
Assert::isInstanceOf($this->server, Server::class);
try {
$this->getHttpClient()
->post(sprintf('/api/servers/%s/ws/deny', $this->server->uuid), [
'json' => ['jtis' => $jtis],
]);
} catch (TransferException $exception) {
throw new DaemonConnectionException($exception);
}
}
} }