Skynet/misc_pterodactyl-panel
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Initial pass at deleting as much removed logic as possible; still need to migrate old keys and permissions over

Browse source
This commit is contained in:
Dane Everitt 2021-07-28 21:23:10 -07:00
parent dfff8ad667
commit b47d262ee0
No known key found for this signature in database
GPG key ID: EEA66103B3D71F53
19 changed files with 4 additions and 1036 deletions
Download patch file Download diff file Expand all files Collapse all files

29
app/Contracts/Repository/ApiKeyRepositoryInterface.php
View file

@ -1,29 +0,0 @@
<?php
namespace Pterodactyl\Contracts\Repository;
use Pterodactyl\Models\User;
use Illuminate\Support\Collection;
interface ApiKeyRepositoryInterface extends RepositoryInterface
{
/**
* Get all of the account API keys that exist for a specific user.
*/
public function getAccountKeys(User $user): Collection;
/**
* Get all of the application API keys that exist for a specific user.
*/
public function getApplicationKeys(User $user): Collection;
/**
* Delete an account API key from the panel for a specific user.
*/
public function deleteAccountKey(User $user, string $identifier): int;
/**
* Delete an application API key from the panel for a specific user.
*/
public function deleteApplicationKey(User $user, string $identifier): int;
}

27
app/Http/Controllers/Api/Client/ApiKeyController.php
View file

@ -3,40 +3,13 @@
namespace Pterodactyl\Http\Controllers\Api\Client;
use Illuminate\Http\Response;
use Pterodactyl\Models\ApiKey;
use Pterodactyl\Exceptions\DisplayException;
use Illuminate\Contracts\Encryption\Encrypter;
use Pterodactyl\Services\Api\KeyCreationService;
use Pterodactyl\Repositories\Eloquent\ApiKeyRepository;
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
use Pterodactyl\Transformers\Api\Client\ApiKeyTransformer;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
use Pterodactyl\Http\Requests\Api\Client\Account\StoreApiKeyRequest;
use Pterodactyl\Transformers\Api\Client\PersonalAccessTokenTransformer;
class ApiKeyController extends ClientApiController
{
private Encrypter $encrypter;
private ApiKeyRepository $repository;
private KeyCreationService $keyCreationService;
/**
* ApiKeyController constructor.
*/
public function __construct(
Encrypter $encrypter,
ApiKeyRepository $repository,
KeyCreationService $keyCreationService
) {
parent::__construct();
$this->encrypter = $encrypter;
$this->repository = $repository;
$this->keyCreationService = $keyCreationService;
}
/**
* Returns all of the API keys that exist for the given client.
*

20
app/Http/Kernel.php
View file

@ -2,7 +2,6 @@
namespace Pterodactyl\Http;
use Pterodactyl\Models\ApiKey;
use Illuminate\Auth\Middleware\Authorize;
use Illuminate\Auth\Middleware\Authenticate;
use Pterodactyl\Http\Middleware\TrimStrings;
@ -16,21 +15,17 @@ use Pterodactyl\Http\Middleware\AdminAuthenticate;
use Illuminate\Routing\Middleware\ThrottleRequests;
use Pterodactyl\Http\Middleware\LanguageMiddleware;
use Illuminate\Foundation\Http\Kernel as HttpKernel;
use Pterodactyl\Http\Middleware\Api\AuthenticateKey;
use Illuminate\Routing\Middleware\SubstituteBindings;
use Pterodactyl\Http\Middleware\Api\SetSessionDriver;
use Illuminate\Session\Middleware\AuthenticateSession;
use Illuminate\View\Middleware\ShareErrorsFromSession;
use Pterodactyl\Http\Middleware\MaintenanceMiddleware;
use Pterodactyl\Http\Middleware\RedirectIfAuthenticated;
use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth;
use Pterodactyl\Http\Middleware\Api\AuthenticateIPAccess;
use Pterodactyl\Http\Middleware\Api\ApiSubstituteBindings;
use Illuminate\Foundation\Http\Middleware\ValidatePostSize;
use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
use Pterodactyl\Http\Middleware\Api\Daemon\DaemonAuthenticate;
use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
use Illuminate\Foundation\Http\Middleware\CheckForMaintenanceMode;
use Illuminate\Foundation\Http\Middleware\ConvertEmptyStringsToNull;
use Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful;
use Pterodactyl\Http\Middleware\Api\Client\SubstituteClientApiBindings;
@ -71,24 +66,16 @@ class Kernel extends HttpKernel
],
'api' => [
IsValidJson::class,
ApiSubstituteBindings::class,
EnsureFrontendRequestsAreStateful::class,
// SetSessionDriver::class,
// 'api..key:' . ApiKey::TYPE_APPLICATION,
'auth:sanctum',
ApiSubstituteBindings::class,
AuthenticateApplicationUser::class,
// AuthenticateIPAccess::class,
],
'client-api' => [
// StartSession::class,
// SetSessionDriver::class,
// AuthenticateSession::class,
IsValidJson::class,
EnsureFrontendRequestsAreStateful::class,
'auth:sanctum',
// 'throttle:api',
SubstituteClientApiBindings::class,
// 'api..key:' . ApiKey::TYPE_ACCOUNT,
// AuthenticateIPAccess::class,
// This is perhaps a little backwards with the Client API, but logically you'd be unable
// to create/get an API key without first enabling 2FA on the account, so I suppose in the
// end it makes sense.
@ -118,8 +105,5 @@ class Kernel extends HttpKernel
'bindings' => SubstituteBindings::class,
'recaptcha' => VerifyReCaptcha::class,
'node.maintenance' => MaintenanceMiddleware::class,
// API Specific Middleware
'api..key' => AuthenticateKey::class,
];
}

38
app/Http/Middleware/Api/AuthenticateIPAccess.php
View file

@ -1,38 +0,0 @@
<?php
namespace Pterodactyl\Http\Middleware\Api;
use Closure;
use IPTools\IP;
use IPTools\Range;
use Illuminate\Http\Request;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
class AuthenticateIPAccess
{
/**
* Determine if a request IP has permission to access the API.
*
* @return mixed
*
* @throws \Exception
* @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
*/
public function handle(Request $request, Closure $next)
{
$model = $request->attributes->get('api_key');
if (is_null($model->allowed_ips) || empty($model->allowed_ips)) {
return $next($request);
}
$find = new IP($request->ip());
foreach ($model->allowed_ips as $ip) {
if (Range::parse($ip)->contains($find)) {
return $next($request);
}
}
throw new AccessDeniedHttpException('This IP address (' . $request->ip() . ') does not have permission to access the API using these credentials.');
}
}

95
app/Http/Middleware/Api/AuthenticateKey.php
View file

@ -1,95 +0,0 @@
<?php
namespace Pterodactyl\Http\Middleware\Api;
use Closure;
use Carbon\CarbonImmutable;
use Illuminate\Http\Request;
use Pterodactyl\Models\User;
use Pterodactyl\Models\ApiKey;
use Illuminate\Auth\AuthManager;
use Illuminate\Contracts\Encryption\Encrypter;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
class AuthenticateKey
{
private AuthManager $auth;
private Encrypter $encrypter;
private ApiKeyRepositoryInterface $repository;
/**
* AuthenticateKey constructor.
*/
public function __construct(ApiKeyRepositoryInterface $repository, AuthManager $auth, Encrypter $encrypter)
{
$this->auth = $auth;
$this->encrypter = $encrypter;
$this->repository = $repository;
}
/**
* Handle an API request by verifying that the provided API key
* is in a valid format and exists in the database.
*
* @return mixed
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/
public function handle(Request $request, Closure $next, int $keyType)
{
if (is_null($request->bearerToken()) && is_null($request->user())) {
throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
}
$raw = $request->bearerToken();
// This is a request coming through using cookies, we have an authenticated user not using
// an API key. Make some fake API key models and continue on through the process.
if (empty($raw) && $request->user() instanceof User) {
$model = (new ApiKey())->forceFill([
'user_id' => $request->user()->id,
'key_type' => ApiKey::TYPE_ACCOUNT,
]);
} else {
$model = $this->authenticateApiKey($raw, $keyType);
$this->auth->guard()->loginUsingId($model->user_id);
}
$request->attributes->set('api_key', $model);
return $next($request);
}
/**
* Authenticate an API key.
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
*/
protected function authenticateApiKey(string $key, int $keyType): ApiKey
{
$identifier = substr($key, 0, ApiKey::IDENTIFIER_LENGTH);
$token = substr($key, ApiKey::IDENTIFIER_LENGTH);
try {
$model = $this->repository->findFirstWhere([
['identifier', '=', $identifier],
['key_type', '=', $keyType],
]);
} catch (RecordNotFoundException $exception) {
throw new AccessDeniedHttpException();
}
if (!hash_equals($this->encrypter->decrypt($model->token), $token)) {
throw new AccessDeniedHttpException();
}
$this->repository->withoutFreshModel()->update($model->id, ['last_used_at' => CarbonImmutable::now()]);
return $model;
}
}

35
app/Http/Middleware/Api/SetSessionDriver.php
View file

@ -1,35 +0,0 @@
<?php
namespace Pterodactyl\Http\Middleware\Api;
use Closure;
use Illuminate\Http\Request;
use Illuminate\Contracts\Config\Repository as ConfigRepository;
class SetSessionDriver
{
/**
* @var \Illuminate\Contracts\Config\Repository
*/
private $config;
/**
* SetSessionDriver constructor.
*/
public function __construct(ConfigRepository $config)
{
$this->config = $config;
}
/**
* Set the session for API calls to only last for the one request.
*
* @return mixed
*/
public function handle(Request $request, Closure $next)
{
$this->config->set('session.driver', 'array');
return $next($request);
}
}

6
app/Http/Requests/Api/Client/Account/StoreApiKeyRequest.php
View file

@ -2,17 +2,15 @@
namespace Pterodactyl\Http\Requests\Api\Client\Account;
use Pterodactyl\Models\ApiKey;
use Pterodactyl\Models\PersonalAccessToken;
use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
class StoreApiKeyRequest extends ClientApiRequest
{
public function rules(): array
{
$rules = ApiKey::getRules();
return [
'description' => $rules['memo'],
'description' => PersonalAccessToken::getRules()['description'],
];
}
}

83
app/Models/ApiKey.php
View file

@ -6,38 +6,11 @@ use Pterodactyl\Services\Acl\Api\AdminAcl;
class ApiKey extends Model
{
/**
* The resource name for this model when it is transformed into an
* API representation using fractal.
*/
public const RESOURCE_NAME = 'api_key';
/**
* Different API keys that can exist on the system.
*/
public const TYPE_NONE = 0;
public const TYPE_ACCOUNT = 1;
public const TYPE_APPLICATION = 2;
public const TYPE_DAEMON_USER = 3;
public const TYPE_DAEMON_APPLICATION = 4;
/**
* The length of API key identifiers.
*/
public const IDENTIFIER_LENGTH = 16;
/**
* The length of the actual API key that is encrypted and stored
* in the database.
*/
public const KEY_LENGTH = 32;
/**
* The table associated with the model.
*
* @var string
*/
protected $table = 'api_keys';
/**
* Cast values to correct type.
@ -58,60 +31,4 @@ class ApiKey extends Model
'r_' . AdminAcl::RESOURCE_SERVERS => 'int',
'r_' . AdminAcl::RESOURCE_ROLES => 'int',
];
/**
* Fields that are mass assignable.
*
* @var array
*/
protected $fillable = [
'identifier',
'token',
'allowed_ips',
'memo',
'last_used_at',
];
/**
* Fields that should not be included when calling toArray() or toJson()
* on this model.
*
* @var array
*/
protected $hidden = ['token'];
/**
* Rules to protect against invalid data entry to DB.
*
* @var array
*/
public static array $validationRules = [
'user_id' => 'required|exists:users,id',
'key_type' => 'present|integer|min:0|max:4',
'identifier' => 'required|string|size:16|unique:api_keys,identifier',
'token' => 'required|string',
'memo' => 'required|nullable|string|max:500',
'allowed_ips' => 'nullable|array',
'allowed_ips.*' => 'string',
'last_used_at' => 'nullable|date',
'r_' . AdminAcl::RESOURCE_USERS => 'integer|min:0|max:3',
'r_' . AdminAcl::RESOURCE_ALLOCATIONS => 'integer|min:0|max:3',
'r_' . AdminAcl::RESOURCE_DATABASE_HOSTS => 'integer|min:0|max:3',
'r_' . AdminAcl::RESOURCE_SERVER_DATABASES => 'integer|min:0|max:3',
'r_' . AdminAcl::RESOURCE_EGGS => 'integer|min:0|max:3',
'r_' . AdminAcl::RESOURCE_LOCATIONS => 'integer|min:0|max:3',
'r_' . AdminAcl::RESOURCE_NESTS => 'integer|min:0|max:3',
'r_' . AdminAcl::RESOURCE_NODES => 'integer|min:0|max:3',
'r_' . AdminAcl::RESOURCE_SERVERS => 'integer|min:0|max:3',
'r_' . AdminAcl::RESOURCE_ROLES => 'integer|min:0|max:3',
];
/**
* @var array
*/
protected $dates = [
self::CREATED_AT,
self::UPDATED_AT,
'last_used_at',
];
}

6
app/Models/User.php
View file

@ -201,12 +201,6 @@ class User extends Model implements
return $this->hasOne(AdminRole::class, 'id', 'admin_role_id');
}
public function apiKeys(): HasMany
{
return $this->hasMany(ApiKey::class)
->where('key_type', ApiKey::TYPE_ACCOUNT);
}
public function servers(): HasMany
{
return $this->hasMany(Server::class, 'owner_id');

3
app/Providers/RepositoryServiceProvider.php
View file

@ -8,7 +8,6 @@ use Pterodactyl\Repositories\Eloquent\NestRepository;
use Pterodactyl\Repositories\Eloquent\NodeRepository;
use Pterodactyl\Repositories\Eloquent\TaskRepository;
use Pterodactyl\Repositories\Eloquent\UserRepository;
use Pterodactyl\Repositories\Eloquent\ApiKeyRepository;
use Pterodactyl\Repositories\Eloquent\ServerRepository;
use Pterodactyl\Repositories\Eloquent\SessionRepository;
use Pterodactyl\Repositories\Eloquent\SubuserRepository;
@ -24,7 +23,6 @@ use Pterodactyl\Contracts\Repository\NodeRepositoryInterface;
use Pterodactyl\Contracts\Repository\TaskRepositoryInterface;
use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
use Pterodactyl\Repositories\Eloquent\DatabaseHostRepository;
use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
use Pterodactyl\Contracts\Repository\ServerRepositoryInterface;
use Pterodactyl\Repositories\Eloquent\ServerVariableRepository;
use Pterodactyl\Contracts\Repository\SessionRepositoryInterface;
@ -47,7 +45,6 @@ class RepositoryServiceProvider extends ServiceProvider
{
// Eloquent Repositories
$this->app->bind(AllocationRepositoryInterface::class, AllocationRepository::class);
$this->app->bind(ApiKeyRepositoryInterface::class, ApiKeyRepository::class);
$this->app->bind(DatabaseRepositoryInterface::class, DatabaseRepository::class);
$this->app->bind(DatabaseHostRepositoryInterface::class, DatabaseHostRepository::class);
$this->app->bind(EggRepositoryInterface::class, EggRepository::class);

63
app/Repositories/Eloquent/ApiKeyRepository.php
View file

@ -1,63 +0,0 @@
<?php
namespace Pterodactyl\Repositories\Eloquent;
use Pterodactyl\Models\User;
use Pterodactyl\Models\ApiKey;
use Illuminate\Support\Collection;
use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
class ApiKeyRepository extends EloquentRepository implements ApiKeyRepositoryInterface
{
/**
* Return the model backing this repository.
*
* @return string
*/
public function model()
{
return ApiKey::class;
}
/**
* Get all of the account API keys that exist for a specific user.
*/
public function getAccountKeys(User $user): Collection
{
return $this->getBuilder()->where('user_id', $user->id)
->where('key_type', ApiKey::TYPE_ACCOUNT)
->get($this->getColumns());
}
/**
* Get all of the application API keys that exist for a specific user.
*/
public function getApplicationKeys(User $user): Collection
{
return $this->getBuilder()->where('user_id', $user->id)
->where('key_type', ApiKey::TYPE_APPLICATION)
->get($this->getColumns());
}
/**
* Delete an account API key from the panel for a specific user.
*/
public function deleteAccountKey(User $user, string $identifier): int
{
return $this->getBuilder()->where('user_id', $user->id)
->where('key_type', ApiKey::TYPE_ACCOUNT)
->where('identifier', $identifier)
->delete();
}
/**
* Delete an application API key from the panel for a specific user.
*/
public function deleteApplicationKey(User $user, string $identifier): int
{
return $this->getBuilder()->where('user_id', $user->id)
->where('key_type', ApiKey::TYPE_APPLICATION)
->where('identifier', $identifier)
->delete();
}
}

69
app/Services/Api/KeyCreationService.php
View file

@ -1,69 +0,0 @@
<?php
namespace Pterodactyl\Services\Api;
use Pterodactyl\Models\ApiKey;
use Illuminate\Contracts\Encryption\Encrypter;
use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
class KeyCreationService
{
/**
* @var \Illuminate\Contracts\Encryption\Encrypter
*/
private $encrypter;
/**
* @var int
*/
private $keyType = ApiKey::TYPE_NONE;
/**
* @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface
*/
private $repository;
/**
* ApiKeyService constructor.
*/
public function __construct(ApiKeyRepositoryInterface $repository, Encrypter $encrypter)
{
$this->encrypter = $encrypter;
$this->repository = $repository;
}
/**
* Set the type of key that should be created. By default an orphaned key will be
* created. These keys cannot be used for anything, and will not render in the UI.
*
* @return \Pterodactyl\Services\Api\KeyCreationService
*/
public function setKeyType(int $type)
{
$this->keyType = $type;
return $this;
}
/**
* Create a new API key for the Panel using the permissions passed in the data request.
* This will automatically generate an identifier and an encrypted token that are
* stored in the database.
*
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
*/
public function handle(array $data, array $permissions = []): ApiKey
{
$data = array_merge($data, [
'key_type' => $this->keyType,
'identifier' => str_random(ApiKey::IDENTIFIER_LENGTH),
'token' => $this->encrypter->encrypt(str_random(ApiKey::KEY_LENGTH)),
]);
if ($this->keyType === ApiKey::TYPE_APPLICATION) {
$data = array_merge($data, $permissions);
}
return $this->repository->create($data, true, true);
}
}

32
app/Transformers/Api/Client/ApiKeyTransformer.php
View file

@ -1,32 +0,0 @@
<?php
namespace Pterodactyl\Transformers\Api\Client;
use Pterodactyl\Models\ApiKey;
class ApiKeyTransformer extends BaseClientTransformer
{
/**
* {@inheritdoc}
*/
public function getResourceName(): string
{
return ApiKey::RESOURCE_NAME;
}
/**
* Transform this model into a representation that can be consumed by a client.
*
* @return array
*/
public function transform(ApiKey $model)
{
return [
'identifier' => $model->identifier,
'description' => $model->memo,
'allowed_ips' => $model->allowed_ips,
'last_used_at' => $model->last_used_at ? $model->last_used_at->toIso8601String() : null,
'created_at' => $model->created_at->toIso8601String(),
];
}
}