Add ApiKey service, cleanup old API key methods

https://zube.io/pterodactyl/panel/c/525
This commit is contained in:
Dane Everitt 2017-06-25 15:31:50 -05:00
parent 2235481765
commit 4ee9d38ad1
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
10 changed files with 569 additions and 85 deletions

View file

@ -25,22 +25,48 @@
namespace Pterodactyl\Http\Controllers\Base;
use Log;
use Alert;
use Illuminate\Http\Request;
use Pterodactyl\Models\APIKey;
use Prologue\Alerts\AlertsMessageBag;
use Pterodactyl\Models\APIPermission;
use Pterodactyl\Repositories\APIRepository;
use Pterodactyl\Exceptions\DisplayException;
use Pterodactyl\Services\ApiKeyService;
use Pterodactyl\Http\Controllers\Controller;
use Pterodactyl\Exceptions\DisplayValidationException;
use Pterodactyl\Http\Requests\ApiKeyRequest;
class APIController extends Controller
{
/**
* @var \Prologue\Alerts\AlertsMessageBag
*/
protected $alert;
/**
* @var \Pterodactyl\Models\APIKey
*/
protected $model;
/**
* @var \Pterodactyl\Services\ApiKeyService
*/
protected $service;
/**
* APIController constructor.
*
* @param \Prologue\Alerts\AlertsMessageBag $alert
* @param \Pterodactyl\Services\ApiKeyService $service
*/
public function __construct(AlertsMessageBag $alert, ApiKeyService $service, APIKey $model)
{
$this->alert = $alert;
$this->model = $model;
$this->service = $service;
}
/**
* Display base API index page.
*
* @param \Illuminate\Http\Request $request
* @param \Illuminate\Http\Request $request
* @return \Illuminate\View\View
*/
public function index(Request $request)
@ -53,15 +79,14 @@ class APIController extends Controller
/**
* Display API key creation page.
*
* @param \Illuminate\Http\Request $request
* @return \Illuminate\View\View
*/
public function create(Request $request)
public function create()
{
return view('base.api.new', [
'permissions' => [
'user' => collect(APIPermission::permissions())->pull('_user'),
'admin' => collect(APIPermission::permissions())->except('_user')->toArray(),
'user' => collect(APIPermission::PERMISSIONS)->pull('_user'),
'admin' => collect(APIPermission::PERMISSIONS)->except('_user')->toArray(),
],
]);
}
@ -69,52 +94,46 @@ class APIController extends Controller
/**
* Handle saving new API key.
*
* @param \Illuminate\Http\Request $request
* @param \Pterodactyl\Http\Requests\ApiKeyRequest $request
* @return \Illuminate\Http\RedirectResponse
*
* @throws \Exception
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
*/
public function store(Request $request)
public function store(ApiKeyRequest $request)
{
try {
$repo = new APIRepository($request->user());
$secret = $repo->create($request->intersect([
'memo', 'allowed_ips',
'admin_permissions', 'permissions',
]));
Alert::success('An API Key-Pair has successfully been generated. The API secret for this public key is shown below and will not be shown again.<br /><br /><code>' . $secret . '</code>')->flash();
return redirect()->route('account.api');
} catch (DisplayValidationException $ex) {
return redirect()->route('account.api.new')->withErrors(json_decode($ex->getMessage()))->withInput();
} catch (DisplayException $ex) {
Alert::danger($ex->getMessage())->flash();
} catch (\Exception $ex) {
Log::error($ex);
Alert::danger('An unhandled exception occured while attempting to add this API key.')->flash();
$adminPermissions = [];
if ($request->user()->isRootAdmin()) {
$adminPermissions = $request->input('admin_permissions') ?? [];
}
return redirect()->route('account.api.new')->withInput();
$secret = $this->service->create([
'user_id' => $request->user()->id,
'allowed_ips' => $request->input('allowed_ips'),
'memo' => $request->input('memo'),
], $request->input('permissions') ?? [], $adminPermissions);
$this->alert->success('An API Key-Pair has successfully been generated. The API secret for this public key is shown below and will not be shown again.<br /><br /><code>' . $secret . '</code>')->flash();
return redirect()->route('account.api');
}
/**
* Handle revoking API key.
*
* @param \Illuminate\Http\Request $request
* @param string $key
* @return \Illuminate\Http\JsonResponse|\Illuminate\Http\Response
* @return \Illuminate\Http\Response
*
* @throws \Exception
*/
public function revoke(Request $request, $key)
{
try {
$repo = new APIRepository($request->user());
$repo->revoke($key);
$key = $this->model->newQuery()
->where('user_id', $request->user()->id)
->where('public', $key)
->firstOrFail();
return response('', 204);
} catch (\Exception $ex) {
Log::error($ex);
$this->service->revoke($key);
return response()->json([
'error' => 'An error occured while attempting to remove this key.',
], 503);
}
return response('', 204);
}
}

View file

@ -24,7 +24,6 @@
namespace Pterodactyl\Http\Requests\Admin;
use Pterodactyl\Models\User;
use Illuminate\Foundation\Http\FormRequest;
abstract class AdminFormRequest extends FormRequest
@ -37,7 +36,7 @@ abstract class AdminFormRequest extends FormRequest
*/
public function authorize()
{
if (! $this->user() instanceof User) {
if (is_null($this->user())) {
return false;
}

View file

@ -0,0 +1,89 @@
<?php
/*
* Pterodactyl - Panel
* Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
namespace Pterodactyl\Http\Requests;
use IPTools\Network;
class ApiKeyRequest extends BaseFormRequest
{
/**
* Rules applied to data passed in this request.
*
* @return array
*/
public function rules()
{
$this->parseAllowedIntoArray();
return [
'memo' => 'required|nullable|string|max:500',
'permissions' => 'sometimes|present|array',
'admin_permissions' => 'sometimes|present|array',
'allowed_ips' => 'present',
'allowed_ips.*' => 'sometimes|string',
];
}
/**
* Parse the string of allowed IPs into an array.
*/
protected function parseAllowedIntoArray()
{
$loop = [];
if (! empty($this->input('allowed_ips'))) {
foreach (explode(PHP_EOL, $this->input('allowed_ips')) as $ip) {
$loop[] = trim($ip);
}
}
$this->merge(['allowed_ips' => $loop], $this->except('allowed_ips'));
}
/**
* Run additional validation rules on the request to ensure all of the data is good.
*
* @param \Illuminate\Validation\Validator $validator
*/
public function withValidator($validator)
{
$validator->after(function ($validator) {
if (empty($this->input('permissions')) && empty($this->input('admin_permissions'))) {
$validator->errors()->add('permissions', 'At least one permission must be selected.');
}
});
$validator->after(function ($validator) {
foreach ($this->input('allowed_ips') as $ip) {
$ip = trim($ip);
try {
Network::parse($ip);
} catch (\Exception $ex) {
$validator->errors()->add('allowed_ips', 'Could not parse IP ' . $ip . ' because it is in an invalid format.');
}
}
});
}
}

View file

@ -0,0 +1,53 @@
<?php
/*
* Pterodactyl - Panel
* Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
namespace Pterodactyl\Http\Requests;
use Illuminate\Foundation\Http\FormRequest;
class BaseFormRequest extends FormRequest
{
/**
* Determine if a user is authorized to access this endpoint.
*
* @return bool
*/
public function authorize()
{
return ! is_null($this->user());
}
/**
* Return only the fields that we are interested in from the request.
* This will include empty fields as a null value.
*
* @return array
*/
public function normalize()
{
return $this->only(
array_keys($this->rules())
);
}
}

View file

@ -24,16 +24,14 @@
namespace Pterodactyl\Models;
use Sofa\Eloquence\Eloquence;
use Sofa\Eloquence\Validable;
use Illuminate\Database\Eloquent\Model;
use Sofa\Eloquence\Contracts\Validable as ValidableContract;
class APIKey extends Model
class APIKey extends Model implements ValidableContract
{
/**
* Public key defined length used in verification methods.
*
* @var int
*/
const PUBLIC_KEY_LEN = 16;
use Eloquence, Validable;
/**
* The table associated with the model.
@ -65,6 +63,32 @@ class APIKey extends Model
*/
protected $guarded = ['id', 'created_at', 'updated_at'];
/**
* Rules defining what fields must be passed when making a model.
*
* @var array
*/
protected static $applicationRules = [
'memo' => 'required',
'user_id' => 'required',
'secret' => 'required',
'public' => 'required',
];
/**
* Rules to protect aganist invalid data entry to DB.
*
* @var array
*/
protected static $dataIntegrityRules = [
'user_id' => 'exists:users,id',
'public' => 'string|size:16',
'secret' => 'string',
'memo' => 'nullable|string|max:500',
'allowed_ips' => 'nullable|json',
'expires_at' => 'nullable|datetime',
];
/**
* Gets the permissions associated with a key.
*

View file

@ -24,46 +24,19 @@
namespace Pterodactyl\Models;
use Sofa\Eloquence\Eloquence;
use Sofa\Eloquence\Validable;
use Illuminate\Database\Eloquent\Model;
use Sofa\Eloquence\Contracts\Validable as ValidableContract;
class APIPermission extends Model
class APIPermission extends Model implements ValidableContract
{
/**
* The table associated with the model.
*
* @var string
*/
protected $table = 'api_permissions';
/**
* Fields that are not mass assignable.
*
* @var array
*/
protected $guarded = ['id'];
/**
* Cast values to correct type.
*
* @var array
*/
protected $casts = [
'key_id' => 'integer',
];
/**
* Disable timestamps for this table.
*
* @var bool
*/
public $timestamps = false;
use Eloquence, Validable;
/**
* List of permissions available for the API.
*
* @var array
*/
protected static $permissions = [
const PERMISSIONS = [
// Items within this block are available to non-adminitrative users.
'_user' => [
'server' => [
@ -119,13 +92,49 @@ class APIPermission extends Model
],
];
/**
* The table associated with the model.
*
* @var string
*/
protected $table = 'api_permissions';
/**
* Fields that are not mass assignable.
*
* @var array
*/
protected $guarded = ['id'];
/**
* Cast values to correct type.
*
* @var array
*/
protected $casts = [
'key_id' => 'integer',
];
protected static $dataIntegrityRules = [
'key_id' => 'required|numeric',
'permission' => 'required|string|max:200',
];
/**
* Disable timestamps for this table.
*
* @var bool
*/
public $timestamps = false;
/**
* Return permissions for API.
*
* @return array
* @deprecated
*/
public static function permissions()
{
return self::$permissions;
return [];
}
}

View file

@ -0,0 +1,153 @@
<?php
/*
* Pterodactyl - Panel
* Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
namespace Pterodactyl\Services;
use Pterodactyl\Models\APIKey;
use Illuminate\Database\Connection;
use Illuminate\Contracts\Encryption\Encrypter;
use Pterodactyl\Exceptions\Model\DataValidationException;
class ApiKeyService
{
const PUB_CRYPTO_BYTES = 8;
const PRIV_CRYPTO_BYTES = 32;
/**
* @var \Illuminate\Contracts\Encryption\Encrypter
*/
protected $encrypter;
/**
* @var \Pterodactyl\Models\APIKey
*/
protected $model;
/**
* @var \Pterodactyl\Services\ApiPermissionService
*/
protected $permissionService;
/**
* ApiKeyService constructor.
*
* @param \Pterodactyl\Models\APIKey $model
* @param \Illuminate\Database\Connection $database
* @param \Illuminate\Contracts\Encryption\Encrypter $encrypter
* @param \Pterodactyl\Services\ApiPermissionService $permissionService
*/
public function __construct(
APIKey $model,
Connection $database,
Encrypter $encrypter,
ApiPermissionService $permissionService
) {
$this->database = $database;
$this->encrypter = $encrypter;
$this->model = $model;
$this->permissionService = $permissionService;
}
/**
* Create a new API Key on the system with the given permissions.
*
* @param array $data
* @param array $permissions
* @param array $administrative
* @return string
*
* @throws \Exception
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
*/
public function create(array $data, array $permissions, array $administrative = [])
{
$publicKey = bin2hex(random_bytes(self::PUB_CRYPTO_BYTES));
$secretKey = bin2hex(random_bytes(self::PRIV_CRYPTO_BYTES));
// Start a Transaction
$this->database->beginTransaction();
$instance = $this->model->newInstance($data);
$instance->public = $publicKey;
$instance->secret = $this->encrypter->encrypt($secretKey);
if (! $instance->save()) {
$this->database->rollBack();
throw new DataValidationException($instance->getValidator());
}
$key = $instance->fresh();
$nodes = $this->permissionService->getPermissions();
foreach ($permissions as $permission) {
@list($block, $search) = explode('-', $permission);
if (
(empty($block) || empty($search)) ||
! array_key_exists($block, $nodes['_user']) ||
! in_array($search, $nodes['_user'][$block])
) {
continue;
}
$this->permissionService->create($key->id, sprintf('user.%s', $permission));
}
foreach ($administrative as $permission) {
@list($block, $search) = explode('-', $permission);
if (
(empty($block) || empty($search)) ||
! array_key_exists($block, $nodes) ||
! in_array($search, $nodes[$block])
) {
continue;
}
$this->permissionService->create($key->id, $permission);
}
$this->database->commit();
return $secretKey;
}
/**
* Delete the API key and associated permissions from the database.
*
* @param int|\Pterodactyl\Models\APIKey $key
* @return bool|null
*
* @throws \Exception
* @throws \Illuminate\Database\Eloquent\ModelNotFoundException
*/
public function revoke($key)
{
if (! $key instanceof APIKey) {
$key = $this->model->findOrFail($key);
}
return $key->delete();
}
}

View file

@ -0,0 +1,79 @@
<?php
/*
* Pterodactyl - Panel
* Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/
namespace Pterodactyl\Services;
use Pterodactyl\Models\APIPermission;
use Pterodactyl\Exceptions\Model\DataValidationException;
class ApiPermissionService
{
/**
* @var \Pterodactyl\Models\APIPermission
*/
protected $model;
/**
* ApiPermissionService constructor.
*
* @param \Pterodactyl\Models\APIPermission $model
*/
public function __construct(APIPermission $model)
{
$this->model = $model;
}
/**
* Store a permission key in the database.
*
* @param string $key
* @param string $permission
* @return bool
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
*/
public function create($key, $permission)
{
$instance = $this->model->newInstance([
'key_id' => $key,
'permission' => $permission,
]);
if (! $instance->save()) {
throw new DataValidationException($instance->getValidator());
}
return true;
}
/**
* Return all of the permissions available for an API Key.
*
* @return array
*/
public function getPermissions()
{
return APIPermission::PERMISSIONS;
}
}

View file

@ -0,0 +1,23 @@
<?php
/*
* Pterodactyl - Panel
* Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
*
* Permission is hereby granted, free of charge, to any person obtaining a copy
* of this software and associated documentation files (the "Software"), to deal
* in the Software without restriction, including without limitation the rights
* to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
* copies of the Software, and to permit persons to whom the Software is
* furnished to do so, subject to the following conditions:
*
* The above copyright notice and this permission notice shall be included in all
* copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
* IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
* AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
* LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
* OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
* SOFTWARE.
*/

View file

@ -0,0 +1,36 @@
<?php
use Illuminate\Support\Facades\Schema;
use Illuminate\Database\Schema\Blueprint;
use Illuminate\Database\Migrations\Migration;
class ChangeForeignKeyToBeOnCascadeDelete extends Migration
{
/**
* Run the migrations.
*
* @return void
*/
public function up()
{
Schema::table('api_permissions', function (Blueprint $table) {
$table->dropForeign(['key_id']);
$table->foreign('key_id')->references('id')->on('api_keys')->onDelete('cascade');
});
}
/**
* Reverse the migrations.
*
* @return void
*/
public function down()
{
Schema::table('api_permissions', function (Blueprint $table) {
$table->dropForeign(['key_id']);
$table->foreign('key_id')->references('id')->on('api_keys');
});
}
}