From 287fd608916bcf9c830c843ef45b978cfdb2903c Mon Sep 17 00:00:00 2001
From: DaneEveritt
Date: Sun, 29 May 2022 18:48:35 -0400
Subject: [PATCH] Log activity when modifying account details
---
 .../Api/Client/AccountController.php | 11 +++-
 .../Api/Client/ApiKeyController.php | 57 +++++--------------
 .../Api/Client/SSHKeyController.php | 15 ++++-
 .../Api/Client/TwoFactorController.php | 5 ++
 .../Remote/Backups/BackupStatusController.php | 2 +-
 app/Http/Controllers/Auth/LoginController.php | 2 +-
 .../Middleware/AccountActivitySubject.php | 22 +++++++
 ...vityLogs.php => ServerActivitySubject.php} | 2 +-
 app/Listeners/Auth/AuthenticationListener.php | 2 +-
 app/Listeners/Auth/PasswordResetListener.php | 2 +-
 app/Listeners/Auth/TwoFactorListener.php | 2 +-
 app/Models/User.php | 2 +-
 app/Providers/AppServiceProvider.php | 4 ++
 app/Services/Activity/ActivityLogService.php | 7 ++-
 routes/api-client.php | 7 ++-
 15 files changed, 85 insertions(+), 57 deletions(-)
 create mode 100644 app/Http/Middleware/AccountActivitySubject.php
 rename app/Http/Middleware/{ServerActivityLogs.php => ServerActivitySubject.php} (96%)
diff --git a/app/Http/Controllers/Api/Client/AccountController.php b/app/Http/Controllers/Api/Client/AccountController.php
index 963c01374..9551bf690 100644
--- a/app/Http/Controllers/Api/Client/AccountController.php
+++ b/app/Http/Controllers/Api/Client/AccountController.php
@@ -6,6 +6,7 @@ use Illuminate\Http\Request;
 use Illuminate\Http\Response;
 use Illuminate\Auth\AuthManager;
 use Illuminate\Http\JsonResponse;
+use Pterodactyl\Facades\Activity;
 use Pterodactyl\Services\Users\UserUpdateService;
 use Pterodactyl\Transformers\Api\Client\AccountTransformer;
 use Pterodactyl\Http\Requests\Api\Client\Account\UpdateEmailRequest;
@@ -43,14 +44,16 @@ class AccountController extends ClientApiController
 /**
 * Update the authenticated user's email address.
- *
- * @throws \Pterodactyl\Exceptions\Model\DataValidationException
- * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
 */
 public function updateEmail(UpdateEmailRequest $request): JsonResponse
 {
+ $original = $request->user()->email;
 $this->updateService->handle($request->user(), $request->validated());
+ Activity::event('user:account.email-changed')
+ ->property(['old' => $original, 'new' => $request->input('email')])
+ ->log();
+
 return new JsonResponse([], Response::HTTP_NO_CONTENT);
 }
@@ -76,6 +79,8 @@ class AccountController extends ClientApiController
 $guard->logoutOtherDevices($request->input('password'));
 }
+ Activity::event('user:account.password-changed')->log();
+
 return new JsonResponse([], Response::HTTP_NO_CONTENT);
 }
 }
diff --git a/app/Http/Controllers/Api/Client/ApiKeyController.php b/app/Http/Controllers/Api/Client/ApiKeyController.php
index 427c353a5..5e888e91d 100644
--- a/app/Http/Controllers/Api/Client/ApiKeyController.php
+++ b/app/Http/Controllers/Api/Client/ApiKeyController.php
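Review bot: `'new' => $request->input('email')` records the raw request field while the update itself was performed from `$request->validated()`, so if UpdateEmailRequest ever normalizes the value (trimming, lower-casing) the audit row and the stored address diverge. Log the value that was actually handed to the service: `->property(['old' => $original, 'new' => $request->validated()['email']])`. Capturing `$original` before `handle()` is correct as written, since the same model instance is passed through.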
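Review bot: `Activity::event('user:account.password-changed')->log()` attaches no request metadata, whereas every auth event touched by this patch chains `->withRequestMetadata()` before `->log()`. For a credential change the source IP and user agent are what an analyst needs to separate a user's own change from one made through a hijacked session, so unless ActivityLogService already captures them for every event (not visible here) this should read `Activity::event('user:account.password-changed')->withRequestMetadata()->log();`. The same applies to the email-changed event in the previous hunk and to the two-factor enable/disable events elsewhere in this patch. The enclosing method starts outside the hunk.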
@@ -4,47 +4,14 @@ namespace Pterodactyl\Http\Controllers\Api\Client;
 use Pterodactyl\Models\ApiKey;
 use Illuminate\Http\JsonResponse;
+use Pterodactyl\Facades\Activity;
 use Pterodactyl\Exceptions\DisplayException;
-use Illuminate\Contracts\Encryption\Encrypter;
-use Pterodactyl\Services\Api\KeyCreationService;
-use Pterodactyl\Repositories\Eloquent\ApiKeyRepository;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 use Pterodactyl\Transformers\Api\Client\ApiKeyTransformer;
-use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
 use Pterodactyl\Http\Requests\Api\Client\Account\StoreApiKeyRequest;
 class ApiKeyController extends ClientApiController
 {
- /**
- * @var \Pterodactyl\Services\Api\KeyCreationService
- */
- private $keyCreationService;
-
- /**
- * @var \Illuminate\Contracts\Encryption\Encrypter
- */
- private $encrypter;
-
- /**
- * @var \Pterodactyl\Repositories\Eloquent\ApiKeyRepository
- */
- private $repository;
-
- /**
- * ApiKeyController constructor.
- */
- public function __construct(
- Encrypter $encrypter,
- KeyCreationService $keyCreationService,
- ApiKeyRepository $repository
- ) {
- parent::__construct();
-
- $this->encrypter = $encrypter;
- $this->keyCreationService = $keyCreationService;
- $this->repository = $repository;
- }
-
 /**
 * Returns all of the API keys that exist for the given client.
 *
@@ -75,6 +42,11 @@ class ApiKeyController extends ClientApiController
 $request->input('allowed_ips')
 );
+ Activity::event('user:api-key.create')
+ ->subject($token->accessToken)
+ ->property('identifier', $token->accessToken->identifier)
+ ->log();
+
 return $this->fractal->item($token->accessToken)
 ->transformWith($this->getTransformer(ApiKeyTransformer::class))
 ->addMeta(['secret_token' => $token->plainTextToken])
@@ -88,15 +60,16 @@ class ApiKeyController extends ClientApiController
 */
 public function delete(ClientApiRequest $request, string $identifier)
 {
- $response = $this->repository->deleteWhere([
- 'key_type' => ApiKey::TYPE_ACCOUNT,
- 'user_id' => $request->user()->id,
- 'identifier' => $identifier,
- ]);
+ $key = $request->user()->apiKeys()
+ ->where('key_type', ApiKey::TYPE_ACCOUNT)
+ ->where('identifier', $identifier)
+ ->first();
- if (!$response) {
- throw new NotFoundHttpException();
- }
+ Activity::event('user:api-key.delete')
+ ->property('identifer', $key->identifer)
+ ->log();
+
+ $key->delete();
 return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
 }
diff --git a/app/Http/Controllers/Api/Client/SSHKeyController.php b/app/Http/Controllers/Api/Client/SSHKeyController.php
index 80ea6dda7..6af36827e 100644
--- a/app/Http/Controllers/Api/Client/SSHKeyController.php
+++ b/app/Http/Controllers/Api/Client/SSHKeyController.php
@@ -3,6 +3,7 @@
 namespace Pterodactyl\Http\Controllers\Api\Client;
 use Illuminate\Http\JsonResponse;
+use Pterodactyl\Facades\Activity;
 use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
 use Pterodactyl\Transformers\Api\Client\UserSSHKeyTransformer;
 use Pterodactyl\Http\Requests\Api\Client\Account\StoreSSHKeyRequest;
@@ -31,6 +32,11 @@ class SSHKeyController extends ClientApiController
 'fingerprint' => $request->getKeyFingerprint(),
 ]);
+ Activity::event('user:ssh-key.create')
+ ->subject($model)
+ ->property('fingerprint', $request->getKeyFingerprint())
+ ->log();
+
 return $this->fractal->item($model)
 ->transformWith($this->getTransformer(UserSSHKeyTransformer::class))
 ->toArray();
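Review bot: `->first()` can return null and nothing checks it: the removed code answered 404 through NotFoundHttpException when no row matched, while the new code reads `$key->identifer` on null and then calls `$key->delete()` on null, which is an uncaught Error and a 500 for any identifier the caller does not own or that does not exist. The property key and the attribute are both misspelled (`identifer`), so on an Eloquent model the logged value is always null. The record is also written before the row is deleted and without `->subject()`, the reverse of SSHKeyController::delete in this same patch, so a failed delete is logged as a success. Use `firstOrFail()` (ModelNotFoundException renders as 404, matching the old behaviour), delete, then log with the key as subject — ApiKey is added to the morph map in this patch, so `->subject($key)` is valid.
```php
        $key = $request->user()->apiKeys()
            ->where('key_type', ApiKey::TYPE_ACCOUNT)
            ->where('identifier', $identifier)
            ->firstOrFail();

        $key->delete();

        Activity::event('user:api-key.delete')
            ->subject($key)
            ->property('identifier', $key->identifier)
            ->log();

        // … unchanged: 204 No Content response …
```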
@@ -41,7 +47,14 @@ class SSHKeyController extends ClientApiController
 */
 public function delete(ClientApiRequest $request, string $identifier): JsonResponse
 {
- $request->user()->sshKeys()->where('fingerprint', $identifier)->delete();
+ $key = $request->user()->sshKeys()->where('fingerprint', $identifier)->firstOrFail();
+
+ $key->delete();
+
+ Activity::event('user:ssh-key.delete')
+ ->subject($key)
+ ->property('fingerprint', $key->fingerprint)
+ ->log();
 return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
 }
diff --git a/app/Http/Controllers/Api/Client/TwoFactorController.php b/app/Http/Controllers/Api/Client/TwoFactorController.php
index b14f9d4bc..40b5479cb 100644
--- a/app/Http/Controllers/Api/Client/TwoFactorController.php
+++ b/app/Http/Controllers/Api/Client/TwoFactorController.php
@@ -6,6 +6,7 @@ use Carbon\Carbon;
 use Illuminate\Http\Request;
 use Illuminate\Http\Response;
 use Illuminate\Http\JsonResponse;
+use Pterodactyl\Facades\Activity;
 use Illuminate\Contracts\Validation\Factory;
 use Illuminate\Validation\ValidationException;
 use Pterodactyl\Services\Users\TwoFactorSetupService;
@@ -89,6 +90,8 @@ class TwoFactorController extends ClientApiController
 $tokens = $this->toggleTwoFactorService->handle($request->user(), $request->input('code'), true);
+ Activity::event('user:two-factor.create')->log();
+
 return new JsonResponse([
 'object' => 'recovery_tokens',
 'attributes' => [
@@ -117,6 +120,8 @@ class TwoFactorController extends ClientApiController
 'use_totp' => false,
 ]);
+ Activity::event('user:two-factor.delete')->log();
+
 return new JsonResponse([], Response::HTTP_NO_CONTENT);
 }
 }
diff --git a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
index 17f62329f..7b96f1ba7 100644
--- a/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
+++ b/app/Http/Controllers/Api/Remote/Backups/BackupStatusController.php
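Review bot: the audit row is written only after the SSH key is gone, and ActivityLogService (later in this patch) catches save failures in production and merely logs them, so a failed `log()` leaves a key deletion with no activity record. BackupStatusController in this same patch wraps its state change in `$log->transaction(...)`; the same shape here would make the delete and its record commit or fail together: `$log = Activity::event('user:ssh-key.delete')->subject($key)->property('fingerprint', $key->fingerprint);` followed by `$log->transaction(fn () => $key->delete());` — assuming `transaction()` accepts a plain closure as it does there. Removal of a credential that presumably grants remote access is not an event that should be lost silently.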
@@ -45,7 +45,7 @@ class BackupStatusController extends Controller
 throw new BadRequestHttpException('Cannot update the status of a backup that is already marked as completed.');
 }
- $action = $request->boolean('successful') ? 'server:backup.complete' : 'server:backup.failed';
+ $action = $request->boolean('successful') ? 'server:backup.complete' : 'server:backup.fail';
 $log = Activity::event($action)->subject($model, $model->server)->property('name', $model->name);
 $log->transaction(function () use ($model, $request) {
diff --git a/app/Http/Controllers/Auth/LoginController.php b/app/Http/Controllers/Auth/LoginController.php
index f26e53849..18cc8815c 100644
--- a/app/Http/Controllers/Auth/LoginController.php
+++ b/app/Http/Controllers/Auth/LoginController.php
@@ -72,7 +72,7 @@ class LoginController extends AbstractLoginController
 return $this->sendLoginResponse($user, $request);
 }
- Activity::event('login.checkpoint')->withRequestMetadata()->subject($user)->log();
+ Activity::event('auth:checkpoint')->withRequestMetadata()->subject($user)->log();
 $request->session()->put('auth_confirmation_token', [
 'user_id' => $user->id,
diff --git a/app/Http/Middleware/AccountActivitySubject.php b/app/Http/Middleware/AccountActivitySubject.php
new file mode 100644
index 000000000..d35a5a645
--- /dev/null
+++ b/app/Http/Middleware/AccountActivitySubject.php
@@ -0,0 +1,22 @@
+user());
+ LogTarget::setSubject($request->user());
+
+ return $next($request);
+ }
+}
diff --git a/app/Http/Middleware/ServerActivityLogs.php b/app/Http/Middleware/ServerActivitySubject.php
similarity index 96%
rename from app/Http/Middleware/ServerActivityLogs.php
rename to app/Http/Middleware/ServerActivitySubject.php
index 6d3c408aa..344ec0f6e 100644
--- a/app/Http/Middleware/ServerActivityLogs.php
+++ b/app/Http/Middleware/ServerActivitySubject.php
@@ -7,7 +7,7 @@ use Illuminate\Http\Request;
 use Pterodactyl\Models\Server;
 use Pterodactyl\Facades\LogTarget;
-class ServerActivityLogs
+class ServerActivitySubject
 {
 /**
 * Attempts to automatically scope all of the activity log events registered
diff --git a/app/Listeners/Auth/AuthenticationListener.php b/app/Listeners/Auth/AuthenticationListener.php
index e19c828ff..50f6f4d65 100644
--- a/app/Listeners/Auth/AuthenticationListener.php
+++ b/app/Listeners/Auth/AuthenticationListener.php
@@ -29,7 +29,7 @@ class AuthenticationListener implements SubscribesToEvents
 }
 }
- $activity->event($event instanceof Failed ? 'login.failed' : 'login.success')->log();
+ $activity->event($event instanceof Failed ? 'auth:fail' : 'auth:success')->log();
 }
 public function subscribe(Dispatcher $events): void
diff --git a/app/Listeners/Auth/PasswordResetListener.php b/app/Listeners/Auth/PasswordResetListener.php
index 54acbc0cf..7521a689b 100644
--- a/app/Listeners/Auth/PasswordResetListener.php
+++ b/app/Listeners/Auth/PasswordResetListener.php
@@ -17,7 +17,7 @@ class PasswordResetListener
 public function handle(PasswordReset $event)
 {
- Activity::event('login.password-reset')
+ Activity::event('event:password-reset')
 ->withRequestMetadata()
 ->subject($event->user)
 ->log();
diff --git a/app/Listeners/Auth/TwoFactorListener.php b/app/Listeners/Auth/TwoFactorListener.php
index 468c5da8d..b9ab4c19a 100644
--- a/app/Listeners/Auth/TwoFactorListener.php
+++ b/app/Listeners/Auth/TwoFactorListener.php
@@ -9,7 +9,7 @@ class TwoFactorListener
 {
 public function handle(ProvidedAuthenticationToken $event)
 {
- Activity::event($event->recovery ? 'login.recovery-token' : 'login.token')
+ Activity::event($event->recovery ? 'auth:recovery-token' : 'auth:token')
 ->withRequestMetadata()
 ->subject($event->user)
 ->log();
diff --git a/app/Models/User.php b/app/Models/User.php
index 0570bbf31..b75039819 100644
--- a/app/Models/User.php
+++ b/app/Models/User.php
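Review bot: renaming the persisted event names (`login.failed` → `auth:fail`, `login.success` → `auth:success`) changes the value stored in the activity log, so existing rows keep the old names and any alert rule or SIEM filter keyed on `login.failed` stops matching without any error. If this table has already been populated in deployed installs, ship a migration that rewrites the old names or state the cutover in the commit message; if the feature is still unreleased, a one-line note saying so would settle the question. The same applies to every other event rename in this patch.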
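Review bot: `event:password-reset` introduces a third prefix next to `auth:` and `user:`, and the sibling event in User.php in this same patch logs the reset e-mail being sent as `auth:reset-password`, so a consumer filtering on `auth:` sees the reset start but never its completion. Unless `event:` is reserved for something not visible here, `Activity::event('auth:password-reset')` keeps the credential lifecycle under one namespace, and the `reset-password` / `password-reset` word order should agree between the two as well.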
@@ -216,7 +216,7 @@ class User extends Model implements
 */
 public function sendPasswordResetNotification($token)
 {
- Activity::event('login.reset-password')
+ Activity::event('auth:reset-password')
 ->withRequestMetadata()
 ->subject($this)
 ->log('sending password reset email');
diff --git a/app/Providers/AppServiceProvider.php b/app/Providers/AppServiceProvider.php
index a55aa297e..5b335f9a5 100644
--- a/app/Providers/AppServiceProvider.php
+++ b/app/Providers/AppServiceProvider.php
@@ -8,6 +8,8 @@ use Illuminate\Support\Str;
 use Pterodactyl\Models\User;
 use Pterodactyl\Models\Server;
 use Pterodactyl\Models\Backup;
+use Pterodactyl\Models\ApiKey;
+use Pterodactyl\Models\UserSSHKey;
 use Illuminate\Support\Facades\URL;
 use Illuminate\Pagination\Paginator;
 use Illuminate\Support\Facades\Schema;
@@ -39,8 +41,10 @@ class AppServiceProvider extends ServiceProvider
 }
 Relation::enforceMorphMap([
+ 'api_key' => ApiKey::class,
 'backup' => Backup::class,
 'server' => Server::class,
+ 'ssh_key' => UserSSHKey::class,
 'user' => User::class,
 ]);
 }
diff --git a/app/Services/Activity/ActivityLogService.php b/app/Services/Activity/ActivityLogService.php
index 41011e836..9726b657f 100644
--- a/app/Services/Activity/ActivityLogService.php
+++ b/app/Services/Activity/ActivityLogService.php
@@ -5,8 +5,8 @@ namespace Pterodactyl\Services\Activity;
 use Illuminate\Support\Arr;
 use Webmozart\Assert\Assert;
 use Illuminate\Support\Collection;
-use Pterodactyl\Models\ActivityLog;
 use Illuminate\Support\Facades\Log;
+use Pterodactyl\Models\ActivityLog;
 use Illuminate\Contracts\Auth\Factory;
 use Illuminate\Database\Eloquent\Model;
 use Illuminate\Support\Facades\Request;
@@ -148,6 +148,11 @@ class ActivityLogService
 try {
 return $this->save();
 } catch (\Throwable|\Exception $exception) {
+ if (config('app.env') !== 'production') {
+ /* @noinspection PhpUnhandledExceptionInspection */
+ throw $exception;
+ }
+
 Log::error($exception);
 }
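Review bot: in production the catch still swallows the save failure after `Log::error`, so a password change, API key deletion or 2FA disable completes with no audit row; the new rethrow only changes behaviour outside production. That is a defensible fail-open choice for a feature that must not break the request, but it should be stated at the catch rather than implied: `// Fails open in production: the action has already happened, and a lost audit row must not turn the request into a 500.` The environment check is also stringly typed; `app()->environment('production')` is the usual Laravel form. If an error-reporting channel exists, routing audit-save failures there instead of the default log would keep them from being buried. The enclosing method starts outside the hunk.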
diff --git a/routes/api-client.php b/routes/api-client.php
index b592ea420..3099ea0d8 100644
--- a/routes/api-client.php
+++ b/routes/api-client.php
@@ -2,7 +2,8 @@
 use Illuminate\Support\Facades\Route;
 use Pterodactyl\Http\Controllers\Api\Client;
-use Pterodactyl\Http\Middleware\ServerActivityLogs;
+use Pterodactyl\Http\Middleware\ServerActivitySubject;
+use Pterodactyl\Http\Middleware\AccountActivitySubject;
 use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
 use Pterodactyl\Http\Middleware\Api\Client\Server\ResourceBelongsToServer;
 use Pterodactyl\Http\Middleware\Api\Client\Server\AuthenticateServerAccess;
@@ -18,7 +19,7 @@ use Pterodactyl\Http\Middleware\Api\Client\Server\AuthenticateServerAccess;
 Route::get('/', [Client\ClientController::class, 'index'])->name('api:client.index');
 Route::get('/permissions', [Client\ClientController::class, 'permissions']);
-Route::group(['prefix' => '/account'], function () {
+Route::prefix('/account')->middleware(AccountActivitySubject::class)->group(function () {
 Route::prefix('/')->withoutMiddleware(RequireTwoFactorAuthentication::class)->group(function () {
 Route::get('/', [Client\AccountController::class, 'index'])->name('api:client.account');
 Route::get('/two-factor', [Client\TwoFactorController::class, 'index']);
@@ -51,7 +52,7 @@ Route::group(['prefix' => '/account'], function () {
 Route::group([
 'prefix' => '/servers/{server}',
 'middleware' => [
- ServerActivityLogs::class,
+ ServerActivitySubject::class,
 AuthenticateServerAccess::class,
 ResourceBelongsToServer::class,
 ],