Implement Panel changes to support internal SFTP subsystem on Daemon (#703)

2017-10-25 00:35:25 -04:00 · 2017-10-25 00:35:25 -04:00 · 058e490ec4
commit 058e490ec4
parent 57db949a9c
23 changed files with 484 additions and 247 deletions
--- a/app/Http/Controllers/API/Remote/SftpController.php
+++ b/app/Http/Controllers/API/Remote/SftpController.php
@ -0,0 +1,85 @@
+<?php
+
+namespace Pterodactyl\Http\Controllers\API\Remote;
+
+use Illuminate\Http\Request;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Auth\AuthenticationException;
+use Pterodactyl\Http\Controllers\Controller;
+use Illuminate\Foundation\Auth\ThrottlesLogins;
+use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
+use Pterodactyl\Services\Sftp\AuthenticateUsingPasswordService;
+use Pterodactyl\Http\Requests\API\Remote\SftpAuthenticationFormRequest;
+
+class SftpController extends Controller
+{
+    use ThrottlesLogins;
+
+    /**
+     * @var \Pterodactyl\Services\Sftp\AuthenticateUsingPasswordService
+     */
+    private $authenticationService;
+
+    /**
+     * SftpController constructor.
+     *
+     * @param \Pterodactyl\Services\Sftp\AuthenticateUsingPasswordService $authenticationService
+     */
+    public function __construct(AuthenticateUsingPasswordService $authenticationService)
+    {
+        $this->authenticationService = $authenticationService;
+    }
+
+    /**
+     * Authenticate a set of credentials and return the associated server details
+     * for a SFTP connection on the daemon.
+     *
+     * @param \Pterodactyl\Http\Requests\API\Remote\SftpAuthenticationFormRequest $request
+     * @return \Illuminate\Http\JsonResponse
+     *
+     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
+     */
+    public function index(SftpAuthenticationFormRequest $request): JsonResponse
+    {
+        $connection = explode('.', $request->input('username'));
+        $this->incrementLoginAttempts($request);
+
+        if ($this->hasTooManyLoginAttempts($request)) {
+            return response()->json([
+                'error' => 'Logins throttled.',
+            ], 429);
+        }
+
+        try {
+            $data = $this->authenticationService->handle(
+                array_get($connection, 0),
+                $request->input('password'),
+                object_get($request->attributes->get('node'), 'id', 0),
+                array_get($connection, 1)
+            );
+
+            $this->clearLoginAttempts($request);
+        } catch (AuthenticationException $exception) {
+            return response()->json([
+                'error' => 'Invalid credentials.',
+            ], 403);
+        } catch (RecordNotFoundException $exception) {
+            return response()->json([
+                'error' => 'Invalid server.',
+            ], 404);
+        }
+
+        return response()->json($data);
+    }
+
+    /**
+     * Get the throttle key for the given request.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @return string
+     */
+    protected function throttleKey(Request $request)
+    {
+        return strtolower(array_get(explode('.', $request->input('username')), 0) . '|' . $request->ip());
+    }
+}
--- a/app/Http/Controllers/Server/Settings/SftpController.php
+++ b/app/Http/Controllers/Server/Settings/SftpController.php
@ -0,0 +1,26 @@
+<?php
+
+namespace Pterodactyl\Http\Controllers\Server\Settings;
+
+use Illuminate\View\View;
+use Illuminate\Http\Request;
+use Pterodactyl\Http\Controllers\Controller;
+use Pterodactyl\Traits\Controllers\JavascriptInjection;
+
+class SftpController extends Controller
+{
+    use JavascriptInjection;
+
+    /**
+     * Render the server SFTP settings page.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @return \Illuminate\View\View
+     */
+    public function index(Request $request): View
+    {
+        $this->setRequest($request)->injectJavascript();
+
+        return view('server.settings.sftp');
+    }
+}
--- a/app/Http/Middleware/Daemon/DaemonAuthenticate.php
+++ b/app/Http/Middleware/Daemon/DaemonAuthenticate.php
@ -75,7 +75,7 @@ class DaemonAuthenticate
            throw new HttpException(403);
        }

-        $request->attributes->set('node.model', $node);
+        $request->attributes->set('node', $node);

        return $next($request);
    }
--- a/app/Http/Requests/API/Remote/SftpAuthenticationFormRequest.php
+++ b/app/Http/Requests/API/Remote/SftpAuthenticationFormRequest.php
@ -0,0 +1,44 @@
+<?php
+
+namespace Pterodactyl\Http\Requests\API\Remote;
+
+use Pterodactyl\Http\Requests\Request;
+
+class SftpAuthenticationFormRequest extends Request
+{
+    /**
+     * Authenticate the request.
+     *
+     * @return bool
+     */
+    public function authorize()
+    {
+        return true;
+    }
+
+    /**
+     * Rules to apply to the request.
+     *
+     * @return array
+     */
+    public function rules()
+    {
+        return [
+            'username' => 'required|string',
+            'password' => 'required|string',
+        ];
+    }
+
+    /**
+     * Return only the fields that we are interested in from the request.
+     * This will include empty fields as a null value.
+     *
+     * @return array
+     */
+    public function normalize()
+    {
+        return $this->only(
+            array_keys($this->rules())
+        );
+    }
+}
--- a/app/Models/Node.php
+++ b/app/Models/Node.php
@ -144,13 +144,23 @@ class Node extends Model implements CleansAttributes, ValidableContract
                ],
            ],
            'docker' => [
+                'container' => [
+                    'user' => null,
+                ],
+                'network' => [
+                    'name' => 'pterodactyl_nw',
+                ],
                'socket' => '/var/run/docker.sock',
                'autoupdate_images' => true,
            ],
            'sftp' => [
                'path' => $this->daemonBase,
+                'ip' => '0.0.0.0',
                'port' => $this->daemonSFTP,
-                'container' => 'ptdl-sftp',
+                'keypair' => [
+                    'bits' => 2048,
+                    'e' => 65537,
+                ],
            ],
            'logger' => [
                'path' => 'logs/',
--- a/app/Models/Server.php
+++ b/app/Models/Server.php
@ -29,19 +29,12 @@ class Server extends Model implements CleansAttributes, ValidableContract
     */
    protected $table = 'servers';

-    /**
-     * The attributes excluded from the model's JSON form.
-     *
-     * @var array
-     */
-    protected $hidden = ['sftp_password'];
-
    /**
     * The attributes that should be mutated to dates.
     *
     * @var array
     */
-    protected $dates = ['deleted_at'];
+    protected $dates = [self::CREATED_AT, self::UPDATED_AT, 'deleted_at'];

    /**
     * Always eager load these relationships on the model.
@ -55,7 +48,7 @@ class Server extends Model implements CleansAttributes, ValidableContract
     *
     * @var array
     */
-    protected $guarded = ['id', 'installed', 'created_at', 'updated_at', 'deleted_at'];
+    protected $guarded = ['id', 'installed', self::CREATED_AT, self::UPDATED_AT, 'deleted_at'];

    /**
     * @var array
@ -73,8 +66,6 @@ class Server extends Model implements CleansAttributes, ValidableContract
        'node_id' => 'required',
        'allocation_id' => 'required',
        'pack_id' => 'sometimes',
-        'auto_deploy' => 'sometimes',
-        'custom_id' => 'sometimes',
        'skip_scripts' => 'sometimes',
    ];

@ -95,10 +86,7 @@ class Server extends Model implements CleansAttributes, ValidableContract
        'nest_id' => 'exists:nests,id',
        'egg_id' => 'exists:eggs,id',
        'pack_id' => 'nullable|numeric|min:0',
-        'custom_container' => 'nullable|string',
        'startup' => 'nullable|string',
-        'auto_deploy' => 'accepted',
-        'custom_id' => 'numeric|unique:servers,id',
        'skip_scripts' => 'boolean',
    ];

@ -132,7 +120,6 @@ class Server extends Model implements CleansAttributes, ValidableContract
     */
    protected $searchableColumns = [
        'name' => 10,
-        'username' => 10,
        'uuidShort' => 9,
        'uuid' => 8,
        'pack.name' => 7,
--- a/app/Services/Servers/ServerCreationService.php
+++ b/app/Services/Servers/ServerCreationService.php
@ -63,11 +63,6 @@ class ServerCreationService
     */
    protected $userRepository;

-    /**
-     * @var \Pterodactyl\Services\Servers\UsernameGenerationService
-     */
-    protected $usernameService;
-
    /**
     * @var \Pterodactyl\Services\Servers\VariableValidatorService
     */
@ -84,7 +79,6 @@ class ServerCreationService
     * @param \Pterodactyl\Contracts\Repository\ServerRepositoryInterface         $repository
     * @param \Pterodactyl\Contracts\Repository\ServerVariableRepositoryInterface $serverVariableRepository
     * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface           $userRepository
-     * @param \Pterodactyl\Services\Servers\UsernameGenerationService             $usernameService
     * @param \Pterodactyl\Services\Servers\VariableValidatorService              $validatorService
     */
    public function __construct(
@ -96,7 +90,6 @@ class ServerCreationService
        ServerRepositoryInterface $repository,
        ServerVariableRepositoryInterface $serverVariableRepository,
        UserRepositoryInterface $userRepository,
-        UsernameGenerationService $usernameService,
        VariableValidatorService $validatorService
    ) {
        $this->allocationRepository = $allocationRepository;
@ -107,7 +100,6 @@ class ServerCreationService
        $this->repository = $repository;
        $this->serverVariableRepository = $serverVariableRepository;
        $this->userRepository = $userRepository;
-        $this->usernameService = $usernameService;
        $this->validatorService = $validatorService;
    }

@ -151,8 +143,6 @@ class ServerCreationService
            'startup' => $data['startup'],
            'daemonSecret' => str_random(NodeCreationService::DAEMON_SECRET_LENGTH),
            'image' => $data['docker_image'],
-            'username' => $this->usernameService->generate($data['name'], $uniqueShort),
-            'sftp_password' => null,
        ]);

        // Process allocations and assign them to the server in the database.
--- a/app/Services/Servers/UsernameGenerationService.php
+++ b/app/Services/Servers/UsernameGenerationService.php
@ -1,40 +0,0 @@
-<?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
- *
- * This software is licensed under the terms of the MIT license.
- * https://opensource.org/licenses/MIT
- */
-
-namespace Pterodactyl\Services\Servers;
-
-class UsernameGenerationService
-{
-    /**
-     * Generate a unique username to be used for SFTP connections and identification
-     * of the server docker container on the host system.
-     *
-     * @param string $name
-     * @param null   $identifier
-     * @return string
-     */
-    public function generate($name, $identifier = null)
-    {
-        if (is_null($identifier) || ! ctype_alnum($identifier)) {
-            $unique = str_random(8);
-        } else {
-            if (strlen($identifier) < 8) {
-                $unique = $identifier . str_random((8 - strlen($identifier)));
-            } else {
-                $unique = substr($identifier, 0, 8);
-            }
-        }
-
-        // Filter the Server Name
-        $name = trim(preg_replace('/[^A-Za-z0-9]+/', '', $name), '_');
-        $name = (strlen($name) < 1) ? str_random(6) : $name;
-
-        return strtolower(substr($name, 0, 6) . '_' . $unique);
-    }
-}
--- a/app/Services/Sftp/AuthenticateUsingPasswordService.php
+++ b/app/Services/Sftp/AuthenticateUsingPasswordService.php
@ -0,0 +1,90 @@
+<?php
+
+namespace Pterodactyl\Services\Sftp;
+
+use Illuminate\Auth\AuthenticationException;
+use Pterodactyl\Contracts\Repository\UserRepositoryInterface;
+use Pterodactyl\Services\DaemonKeys\DaemonKeyProviderService;
+use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
+use Pterodactyl\Contracts\Repository\ServerRepositoryInterface;
+
+class AuthenticateUsingPasswordService
+{
+    /**
+     * @var \Pterodactyl\Services\DaemonKeys\DaemonKeyProviderService
+     */
+    private $keyProviderService;
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\ServerRepositoryInterface
+     */
+    private $repository;
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\UserRepositoryInterface
+     */
+    private $userRepository;
+
+    /**
+     * AuthenticateUsingPasswordService constructor.
+     *
+     * @param \Pterodactyl\Services\DaemonKeys\DaemonKeyProviderService   $keyProviderService
+     * @param \Pterodactyl\Contracts\Repository\ServerRepositoryInterface $repository
+     * @param \Pterodactyl\Contracts\Repository\UserRepositoryInterface   $userRepository
+     */
+    public function __construct(
+        DaemonKeyProviderService $keyProviderService,
+        ServerRepositoryInterface $repository,
+        UserRepositoryInterface $userRepository
+    ) {
+        $this->keyProviderService = $keyProviderService;
+        $this->repository = $repository;
+        $this->userRepository = $userRepository;
+    }
+
+    /**
+     * Attempt to authenticate a provded username and password and determine if they
+     * have permission to access a given server. This function does not account for
+     * subusers currently. Only administrators and server owners can login to access
+     * their files at this time.
+     *
+     * Server must exist on the node that the API call is being made from in order for a
+     * valid response to be provided.
+     *
+     * @param string      $username
+     * @param string      $password
+     * @param string|null $server
+     * @param int         $node
+     * @return array
+     *
+     * @throws \Illuminate\Auth\AuthenticationException
+     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
+     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     */
+    public function handle(string $username, string $password, int $node, string $server = null): array
+    {
+        if (is_null($server)) {
+            throw new RecordNotFoundException;
+        }
+
+        try {
+            $user = $this->userRepository->withColumns(['id', 'root_admin', 'password'])->findFirstWhere([['username', '=', $username]]);
+
+            if (! password_verify($password, $user->password)) {
+                throw new AuthenticationException;
+            }
+        } catch (RecordNotFoundException $exception) {
+            throw new AuthenticationException;
+        }
+
+        $server = $this->repository->withColumns(['id', 'node_id', 'owner_id', 'uuid'])->getByUuid($server);
+        if ($server->node_id !== $node || (! $user->root_admin && $server->owner_id !== $user->id)) {
+            throw new RecordNotFoundException;
+        }
+
+        return [
+            'server' => $server->uuid,
+            'token' => $this->keyProviderService->handle($server->id, $user->id),
+        ];
+    }
+}
--- a/app/Traits/Controllers/JavascriptInjection.php
+++ b/app/Traits/Controllers/JavascriptInjection.php
@ -50,7 +50,6 @@ trait JavascriptInjection
                'uuid' => $server->uuid,
                'uuidShort' => $server->uuidShort,
                'daemonSecret' => $token,
-                'username' => $server->username,
            ],
            'node' => [
                'fqdn' => $server->node->fqdn,