Add front-end support for adding and deleting API keys.

This commit is contained in:
Dane Everitt 2016-10-20 18:20:58 -04:00
parent dfeed013ba
commit 53ec2c55ec
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
8 changed files with 379 additions and 225 deletions

View file

@ -25,9 +25,12 @@
namespace Pterodactyl\Http\Controllers\Base;
use Alert;
use Log;
use Pterodactyl\Models;
use Pterodactyl\Repositories\APIRepository;
use Pterodactyl\Exceptions\DisplayValidationException;
use Pterodactyl\Exceptions\DisplayException;
use Pterodactyl\Http\Controllers\Controller;
@ -45,7 +48,6 @@ class APIController extends Controller
return view('base.api.index', [
'keys' => $keys
]);
}
public function new(Request $request)
@ -55,6 +57,32 @@ class APIController extends Controller
public function save(Request $request)
{
try {
$repo = new APIRepository($request->user());
$secret = $repo->new($request->except(['_token']));
Alert::success('An API Keypair has successfully been generated. The API secret for this public key is shown below and will not be shown again.<br /><br /><code>' . $secret . '</code>')->flash();
return redirect()->route('account.api');
} catch (DisplayValidationException $ex) {
return redirect()->route('account.api.new')->withErrors(json_decode($ex->getMessage()))->withInput();
} catch (DisplayException $ex) {
Alert::danger($ex->getMessage())->flash();
} catch (\Exception $ex) {
Log::error($ex);
Alert::danger('An unhandled exception occured while attempting to add this API key.')->flash();
}
return redirect()->route('account.api.new')->withInput();
}
public function revoke(Request $request, $key)
{
try {
$repo = new APIRepository($request->user());
$repo->revoke($key);
return response('', 204);
} catch (\Exception $ex) {
return response()->json([
'error' => 'An error occured while attempting to remove this key.'
], 503);
}
}
}

View file

@ -34,7 +34,7 @@ class APIRoutes
$api = app('Dingo\Api\Routing\Router');
$api->version('v1', ['prefix' => 'api/me', 'middleware' => 'api.auth'], function ($api) {
$api->get('/', [
'as' => 'api.user',
'as' => 'api.user.me',
'uses' => 'Pterodactyl\Http\Controllers\API\User\InfoController@me'
]);

View file

@ -88,6 +88,10 @@ class BaseRoutes {
$router->post('/new', [
'uses' => 'Base\APIController@save'
]);
$router->delete('/revoke/{key}', [
'uses' => 'Base\APIController@revoke'
]);
});
// TOTP Routes

View file

@ -23,6 +23,7 @@
*/
namespace Pterodactyl\Repositories;
use Auth;
use DB;
use Crypt;
use Validator;
@ -40,38 +41,51 @@ class APIRepository
* @var array
*/
protected $permissions = [
'admin' => [
'*',
// User Management Routes
'api.users.list',
'api.users.create',
'api.users.view',
'api.users.update',
'api.users.delete',
'users.list',
'users.create',
'users.view',
'users.update',
'users.delete',
// Server Manaement Routes
'api.servers.list',
'api.servers.create',
'api.servers.view',
'api.servers.config',
'api.servers.build',
'api.servers.suspend',
'api.servers.unsuspend',
'api.servers.delete',
'servers.list',
'servers.create',
'servers.view',
'servers.config',
'servers.build',
'servers.suspend',
'servers.unsuspend',
'servers.delete',
// Node Management Routes
'api.nodes.list',
'api.nodes.create',
'api.nodes.list',
'api.nodes.allocations',
'api.nodes.delete',
'nodes.list',
'nodes.create',
'nodes.list',
'nodes.allocations',
'nodes.delete',
// Service Routes
'api.services.list',
'api.services.view',
'services.list',
'services.view',
// Location Routes
'api.locations.list',
'locations.list',
],
'user' => [
'*',
// Informational
'me',
// Server Control
'server',
'server.power',
],
];
/**
@ -80,12 +94,17 @@ class APIRepository
*/
protected $allowed = [];
protected $user;
/**
* Constructor
*/
public function __construct()
public function __construct(Models\User $user = null)
{
//
$this->user = is_null($user) ? Auth::user() : $user;
if (is_null($this->user)) {
throw new \Exception('Cannot access API Repository without passing a user to __construct().');
}
}
/**
@ -101,7 +120,9 @@ class APIRepository
public function new(array $data)
{
$validator = Validator::make($data, [
'permissions' => 'required|array'
'memo' => 'string|max:500',
'permissions' => 'sometimes|required|array',
'adminPermissions' => 'sometimes|required|array'
]);
$validator->after(function($validator) use ($data) {
@ -125,31 +146,53 @@ class APIRepository
}
DB::beginTransaction();
try {
$secretKey = str_random(16) . '.' . str_random(15);
$secretKey = str_random(16) . '.' . str_random(7) . '.' . str_random(7);
$key = new Models\APIKey;
$key->fill([
'user' => $this->user->id,
'public' => str_random(16),
'secret' => Crypt::encrypt($secretKey),
'allowed_ips' => empty($this->allowed) ? null : json_encode($this->allowed)
'allowed_ips' => empty($this->allowed) ? null : json_encode($this->allowed),
'memo' => $data['memo'],
'expires_at' => null
]);
$key->save();
foreach($data['permissions'] as $permission) {
if (in_array($permission, $this->permissions)) {
foreach($data['permissions'] as $permNode) {
if (!strpos($permNode, ':')) continue;
list($toss, $permission) = explode(':', $permNode);
if (in_array('api.user.' . $permission, $this->permissions['user'])) {
$model = new Models\APIPermission;
$model->fill([
'key_id' => $key->id,
'permission' => $permission
'permission' => 'api.user.' . $permission
]);
$model->save();
}
}
if ($this->user->root_admin === 1) {
foreach($data['permissions'] as $permNode) {
if (!strpos($permNode, ':')) continue;
list($toss, $permission) = explode(':', $permNode);
if (in_array('api.admin.' . $permission, $this->permissions['admin'])) {
$model = new Models\APIPermission;
$model->fill([
'key_id' => $key->id,
'permission' => 'api.admin.' . $permission
]);
$model->save();
}
}
}
DB::commit();
return $secretKey;
} catch (\Exception $ex) {
DB::rollBack();
throw $ex;
}
@ -169,7 +212,7 @@ class APIRepository
DB::beginTransaction();
try {
$model = Models\APIKey::where('public', $key)->firstOrFail();
$model = Models\APIKey::where('public', $key)->where('user', $this->user->id)->firstOrFail();
$permissions = Models\APIPermission::where('key_id', $model->id)->delete();
$model->delete();

View file

@ -267,3 +267,7 @@ li.btn.btn-default.pill:active,li.btn.btn-default.pill:focus,li.btn.btn-default.
.fuelux .wizard .step-content > .alert {
margin-bottom: 0 !important;
}
.fuelux .wizard .steps-container {
background-color: #eee;
}

View file

@ -24,6 +24,12 @@
@section('sidebar-server')
@endsection
@section('scripts')
@parent
{!! Theme::css('css/vendor/sweetalert/sweetalert.min.css') !!}
{!! Theme::js('js/vendor/sweetalert/sweetalert.min.js') !!}
@endsection
@section('content')
<div class="col-md-12">
<table class="table table-bordered table-hover">
@ -61,6 +67,43 @@
<script>
$(document).ready(function () {
$('#sidebar_links').find('a[href="/account/api"]').addClass('active');
$('[data-action="delete"]').click(function (event) {
var self = $(this);
event.preventDefault();
swal({
type: 'error',
title: 'Revoke API Key',
text: 'Once this API key is revoked any applications currently using it will stop working.',
showCancelButton: true,
allowOutsideClick: true,
closeOnConfirm: false,
confirmButtonText: 'Revoke',
confirmButtonColor: '#d9534f',
showLoaderOnConfirm: true
}, function () {
$.ajax({
method: 'DELETE',
url: '{{ route('account.api') }}/revoke/' + self.data('attr'),
headers: {
'X-CSRF-TOKEN': '{{ csrf_token() }}'
}
}).done(function (data) {
swal({
type: 'success',
title: '',
text: 'API Key has been revoked.'
});
self.parent().parent().slideUp();
}).fail(function (jqXHR) {
console.error(jqXHR);
swal({
type: 'error',
title: 'Whoops!',
text: 'An error occured while attempting to revoke this key.'
});
});
});
});
});
</script>
@endsection

View file

@ -41,10 +41,6 @@
<span class="badge">3</span>Security
<span class="chevron"></span>
</li>
<li data-step="4" data-name="ips">
<span class="badge">4</span>Finish
<span class="chevron"></span>
</li>
</ul>
</div>
<div class="actions">
@ -54,16 +50,50 @@
<span class="fa fa-arrow-right"></span>
</button>
</div>
<form action="{{ route('account.api.new') }}" method="POST" id="perms_form">
<div class="step-content">
{{-- <form action="{{ route('admin.api.admin.new') }}" method="POST" id="perms_form"> --}}
<div class="step-pane active alert" data-step="1"></div>
<div class="step-pane active alert" data-step="1">
<div class="well">Any servers that you are a subuser for will be accessible through this API with the same permissions that you currently have.</div>
<div class="row">
<div class="col-md-6 fuelux">
<h4>Base Information</h4><hr />
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="permissions[]" type="checkbox" value="user:*"> <strong>User:*</strong>
<p class="text-muted"><small><span class="label label-danger">Danger</span> Allows performing any action aganist the User API.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="permissions[]" type="checkbox" value="user:me"> <strong><span class="label label-default">GET</span> Base Information</strong>
<p class="text-muted"><small>Returns a listing of all servers that this account has access to.</small><p>
</label>
</div>
</div>
<div class="col-md-6 fuelux">
<h4>Server Management</h4><hr />
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="permissions[]" type="checkbox" value="user:server"> <strong><span class="label label-default">GET</span> Server Info</strong>
<p class="text-muted"><small>Allows access to viewing information about a single server including current stats and allocations.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="permissions[]" type="checkbox" value="user:server.power"> <strong><span class="label label-default">PUT</span> Server Power</strong>
<p class="text-muted"><small>Allows access to control server power status.</small><p>
</label>
</div>
</div>
</div>
</div>
<div class="step-pane alert" data-step="2">
<div class="row">
<div class="col-md-12 fuelux">
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="*"> <strong>*</strong>
<p class="text-muted"><small><span class="label label-danger">Danger</span> Allows performing any action aganist the api.admin.</small><p>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:*"> <strong>Admin:*</strong>
<p class="text-muted"><small><span class="label label-danger">Danger</span> Allows performing any action aganist the Admin API.</small><p>
</label>
</div>
</div>
@ -73,31 +103,31 @@
<h4>User Management</h4><hr />
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.users.list"> <strong><span class="label label-default">GET</span> /users</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:users.list"> <strong><span class="label label-default">GET</span> List Users</strong>
<p class="text-muted"><small>Allows listing of all users currently on the system.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.users.create"> <strong><span class="label label-default">POST</span> /users</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:users.create"> <strong><span class="label label-default">POST</span> Create User</strong>
<p class="text-muted"><small>Allows creating a new user on the system.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.users.view"> <strong><span class="label label-default">GET</span> /users/{id}</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:users.view"> <strong><span class="label label-default">GET</span> List Single User</strong>
<p class="text-muted"><small>Allows viewing details about a specific user including active services.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.users.update"> <strong><span class="label label-default">PATCH</span> /users/{id}</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:users.update"> <strong><span class="label label-default">PATCH</span> Update User</strong>
<p class="text-muted"><small>Allows modifying user details (email, password, TOTP information).</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.users.delete"> <strong><span class="label label-danger">DELETE</span> /users/{id}</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:users.delete"> <strong><span class="label label-danger">DELETE</span> Delete User</strong>
<p class="text-muted"><small>Allows deleting a user.</small><p>
</label>
</div>
@ -106,49 +136,49 @@
<h4>Server Management</h4><hr />
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.servers.list"> <strong><span class="label label-default">GET</span> /servers</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:servers.list"> <strong><span class="label label-default">GET</span> List Servers</strong>
<p class="text-muted"><small>Allows listing of all servers currently on the system.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.servers.create"> <strong><span class="label label-default">POST</span> /servers</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:servers.create"> <strong><span class="label label-default">POST</span> Create Server</strong>
<p class="text-muted"><small>Allows creating a new server on the system.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.servers.view"> <strong><span class="label label-default">GET</span> /servers/{id}</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:servers.view"> <strong><span class="label label-default">GET</span> List Single Server</strong>
<p class="text-muted"><small><span class="label label-danger">Danger</span> Allows viewing details about a specific server including the <code>daemon_token</code> as current process information.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.servers.config"> <strong><span class="label label-default">PATCH</span> /servers/{id}/config</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:servers.config"> <strong><span class="label label-default">PATCH</span> Update Configuration</strong>
<p class="text-muted"><small>Allows modifying server config (name, owner, and access token).</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.servers.build"> <strong><span class="label label-default">PATCH</span> /servers/{id}/build</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:servers.build"> <strong><span class="label label-default">PATCH</span> Update Build</strong>
<p class="text-muted"><small>Allows modifying a server's build parameters such as memory, CPU, and disk space along with assigned and default IPs.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.servers.suspend"> <strong><span class="label label-default">POST</span> /servers/{id}/suspend</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:servers.suspend"> <strong><span class="label label-default">POST</span> Suspend</strong>
<p class="text-muted"><small>Allows suspending a server instance.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.servers.unsuspend"> <strong><span class="label label-default">POST</span> /servers/{id}/unsuspend</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:servers.unsuspend"> <strong><span class="label label-default">POST</span> Unsuspend</strong>
<p class="text-muted"><small>Allows unsuspending a server instance.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.servers.delete"> <strong><span class="label label-danger">DELETE</span> /servers/{id}</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:servers.delete"> <strong><span class="label label-danger">DELETE</span> Delete Server</strong>
<p class="text-muted"><small>Allows deleting a server.</small><p>
</label>
</div>
@ -159,31 +189,31 @@
<h4>Node Management</h4><hr />
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.nodes.list"> <strong><span class="label label-default">GET</span> /nodes</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:nodes.list"> <strong><span class="label label-default">GET</span> List Nodes</strong>
<p class="text-muted"><small>Allows listing of all nodes currently on the system.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.nodes.create"> <strong><span class="label label-default">POST</span> /nodes</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:nodes.create"> <strong><span class="label label-default">POST</span> Create Node</strong>
<p class="text-muted"><small>Allows creating a new node on the system.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.nodes.view"> <strong><span class="label label-default">GET</span> /nodes/{id}</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:nodes.view"> <strong><span class="label label-default">GET</span> List Single Node</strong>
<p class="text-muted"><small>Allows viewing details about a specific node including active services.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.nodes.allocations"> <strong><span class="label label-default">GET</span> /nodes/allocations</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:nodes.allocations"> <strong><span class="label label-default">GET</span> List Allocations</strong>
<p class="text-muted"><small>Allows viewing all allocations on the panel for all nodes.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.nodes.delete"> <strong><span class="label label-danger">DELETE</span> /nodes/{id}</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:nodes.delete"> <strong><span class="label label-danger">DELETE</span> Delete Node</strong>
<p class="text-muted"><small>Allows deleting a node.</small><p>
</label>
</div>
@ -192,20 +222,20 @@
<h4>Service Management</h4><hr />
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.services.list"> <strong><span class="label label-default">GET</span> /services</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:services.list"> <strong><span class="label label-default">GET</span> List Services</strong>
<p class="text-muted"><small>Allows listing of all services configured on the system.</small><p>
</label>
</div>
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.services.view"> <strong><span class="label label-default">GET</span> /services/{id}</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:services.view"> <strong><span class="label label-default">GET</span> List Single Service</strong>
<p class="text-muted"><small>Allows listing details about each service on the system including service options and variables.</small><p>
</label>
</div>
<h4>Location Management</h4><hr />
<div class="checkbox highlight">
<label class="checkbox-custom highlight" data-initialize="checkbox">
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="api.admin.locations.list"> <strong><span class="label label-default">GET</span> /locations</strong>
<input class="sr-only" name="adminPermissions[]" type="checkbox" value="admin:locations.list"> <strong><span class="label label-default">GET</span> List Locations</strong>
<p class="text-muted"><small>Allows listing all locations and thier associated nodes.</small><p>
</label>
</div>
@ -213,6 +243,13 @@
</div>
</div>
<div class="step-pane alert" data-step="3">
<div class="form-group">
<label for="allowed_ips" class="control-label">Descriptive Memo</label>
<div>
<input type="text" name="memo" class="form-control" value="{{ old('memo') }}" />
<p class="text-muted">Enter a breif description of what this API key will be used for.</p>
</div>
</div>
<div class="form-group">
<label for="allowed_ips" class="control-label">Allowed IPs</label>
<div>
@ -221,18 +258,17 @@
</div>
</div>
</div>
<div class="step-pane bg-danger alert" data-step="4">
Whoa
</div>
{!! csrf_field() !!}
</form>
</div>
</div>
{{-- </form> --}}
</div>
<script>
$(document).ready(function () {
$('#sidebar_links').find('a[href="/account/api"]').addClass('active');
$('#apiWizard').on('finished.fu.wizard', function (evt, data) {
$('#perms_form').submit();
});
});
</script>
@endsection

View file

@ -260,7 +260,6 @@
<div class="col-md-9">
<div class="row">
<div class="col-md-12" id="tpl_messages">
@section('resp-errors')
@if (count($errors) > 0)
<div class="alert alert-danger">
<button type="button" class="close" data-dismiss="alert" aria-label="Close"><span aria-hidden="true">&times;</span></button>
@ -272,8 +271,6 @@
</ul>
</div>
@endif
@show
@section('resp-alerts')
@foreach (Alert::getMessages() as $type => $messages)
@foreach ($messages as $message)
<div class="alert alert-{{ $type }} alert-dismissable" role="alert">
@ -282,7 +279,6 @@
</div>
@endforeach
@endforeach
@show
</div>
</div>
<div class="row">