Merge branch 'develop' into permissions
This commit is contained in:
Dane Everitt
GitHub
commit
802f88fc78
21 changed files with 181 additions and 57 deletions
|
|
@ -6,6 +6,7 @@ use Carbon\CarbonImmutable;
|
|||
use Illuminate\Http\Response;
|
||||
use Pterodactyl\Models\Server;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Illuminate\Support\Collection;
|
||||
use Pterodactyl\Services\Nodes\NodeJWTService;
|
||||
use Illuminate\Contracts\Routing\ResponseFactory;
|
||||
use Pterodactyl\Repositories\Wings\DaemonFileRepository;
|
||||
|
|
@ -70,7 +71,7 @@ class FileController extends ClientApiController
|
|||
{
|
||||
$contents = $this->fileRepository
|
||||
->setServer($server)
|
||||
->getDirectory(urlencode(urldecode($request->get('directory') ?? '/')));
|
||||
->getDirectory($this->encode($request->get('directory') ?? '/'));
|
||||
|
||||
return $this->fractal->collection($contents)
|
||||
->transformWith($this->getTransformer(FileObjectTransformer::class))
|
||||
|
|
@ -91,7 +92,7 @@ class FileController extends ClientApiController
|
|||
{
|
||||
return new Response(
|
||||
$this->fileRepository->setServer($server)->getContent(
|
||||
urlencode(urldecode($request->get('file'))), config('pterodactyl.files.max_edit_size')
|
||||
$this->encode($request->get('file')), config('pterodactyl.files.max_edit_size')
|
||||
),
|
||||
Response::HTTP_OK,
|
||||
['Content-Type' => 'text/plain']
|
||||
|
|
@ -113,7 +114,7 @@ class FileController extends ClientApiController
|
|||
$token = $this->jwtService
|
||||
->setExpiresAt(CarbonImmutable::now()->addMinutes(15))
|
||||
->setClaims([
|
||||
'file_path' => $request->get('file'),
|
||||
'file_path' => rawurldecode($request->get('file')),
|
||||
'server_uuid' => $server->uuid,
|
||||
])
|
||||
->handle($server->node, $request->user()->id . $server->uuid);
|
||||
|
|
@ -142,7 +143,7 @@ class FileController extends ClientApiController
|
|||
public function write(WriteFileContentRequest $request, Server $server): JsonResponse
|
||||
{
|
||||
$this->fileRepository->setServer($server)->putContent(
|
||||
$request->get('file'),
|
||||
$this->encode($request->get('file')),
|
||||
$request->getContent()
|
||||
);
|
||||
|
||||
|
|
@ -261,4 +262,18 @@ class FileController extends ClientApiController
|
|||
|
||||
return new JsonResponse([], Response::HTTP_NO_CONTENT);
|
||||
}
|
||||
|
||||
/**
|
||||
* Encodes a given file name & path in a format that should work for a good majority
|
||||
* of file names without too much confusing logic.
|
||||
*
|
||||
* @param string $path
|
||||
* @return string
|
||||
*/
|
||||
private function encode(string $path): string
|
||||
{
|
||||
return Collection::make(explode('/', rawurldecode($path)))->map(function ($value) {
|
||||
return rawurlencode($value);
|
||||
})->join('/');
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -3,15 +3,16 @@
|
|||
namespace Pterodactyl\Http\Controllers\Api\Client\Servers;
|
||||
|
||||
use Illuminate\Http\Request;
|
||||
use Pterodactyl\Models\User;
|
||||
use Pterodactyl\Models\Server;
|
||||
use Pterodactyl\Models\Subuser;
|
||||
use Illuminate\Http\JsonResponse;
|
||||
use Pterodactyl\Models\Permission;
|
||||
use Illuminate\Support\Facades\Log;
|
||||
use Pterodactyl\Repositories\Eloquent\SubuserRepository;
|
||||
use Pterodactyl\Services\Subusers\SubuserCreationService;
|
||||
use Pterodactyl\Repositories\Wings\DaemonServerRepository;
|
||||
use Pterodactyl\Transformers\Api\Client\SubuserTransformer;
|
||||
use Pterodactyl\Http\Controllers\Api\Client\ClientApiController;
|
||||
use Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException;
|
||||
use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\GetSubuserRequest;
|
||||
use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\StoreSubuserRequest;
|
||||
use Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\DeleteSubuserRequest;
|
||||
|
|
@ -29,20 +30,28 @@ class SubuserController extends ClientApiController
|
|||
*/
|
||||
private $creationService;
|
||||
|
||||
/**
|
||||
* @var \Pterodactyl\Repositories\Wings\DaemonServerRepository
|
||||
*/
|
||||
private $serverRepository;
|
||||
|
||||
/**
|
||||
* SubuserController constructor.
|
||||
*
|
||||
* @param \Pterodactyl\Repositories\Eloquent\SubuserRepository $repository
|
||||
* @param \Pterodactyl\Services\Subusers\SubuserCreationService $creationService
|
||||
* @param \Pterodactyl\Repositories\Wings\DaemonServerRepository $serverRepository
|
||||
*/
|
||||
public function __construct(
|
||||
SubuserRepository $repository,
|
||||
SubuserCreationService $creationService
|
||||
SubuserCreationService $creationService,
|
||||
DaemonServerRepository $serverRepository
|
||||
) {
|
||||
parent::__construct();
|
||||
|
||||
$this->repository = $repository;
|
||||
$this->creationService = $creationService;
|
||||
$this->serverRepository = $serverRepository;
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
@ -101,19 +110,38 @@ class SubuserController extends ClientApiController
|
|||
* Update a given subuser in the system for the server.
|
||||
*
|
||||
* @param \Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\UpdateSubuserRequest $request
|
||||
* @param \Pterodactyl\Models\Server $server
|
||||
* @return array
|
||||
*
|
||||
* @throws \Pterodactyl\Exceptions\Model\DataValidationException
|
||||
* @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
|
||||
*/
|
||||
public function update(UpdateSubuserRequest $request): array
|
||||
public function update(UpdateSubuserRequest $request, Server $server): array
|
||||
{
|
||||
/** @var \Pterodactyl\Models\Subuser $subuser */
|
||||
$subuser = $request->attributes->get('subuser');
|
||||
|
||||
$this->repository->update($subuser->id, [
|
||||
'permissions' => $this->getDefaultPermissions($request),
|
||||
]);
|
||||
$permissions = $this->getDefaultPermissions($request);
|
||||
$current = $subuser->permissions;
|
||||
|
||||
sort($permissions);
|
||||
sort($current);
|
||||
|
||||
// Only update the database and hit up the Wings instance to invalidate JTI's if the permissions
|
||||
// have actually changed for the user.
|
||||
if ($permissions !== $current) {
|
||||
$this->repository->update($subuser->id, [
|
||||
'permissions' => $this->getDefaultPermissions($request),
|
||||
]);
|
||||
|
||||
try {
|
||||
$this->serverRepository->setServer($server)->revokeJTIs([md5($subuser->user_id . $server->uuid)]);
|
||||
} catch (DaemonConnectionException $exception) {
|
||||
// Don't block this request if we can't connect to the Wings instance. Chances are it is
|
||||
// offline in this event and the token will be invalid anyways once Wings boots back.
|
||||
Log::warning($exception, ['user_id' => $subuser->user_id, 'server_id' => $server->id]);
|
||||
}
|
||||
}
|
||||
|
||||
return $this->fractal->item($subuser->refresh())
|
||||
->transformWith($this->getTransformer(SubuserTransformer::class))
|
||||
|
|
@ -124,15 +152,23 @@ class SubuserController extends ClientApiController
|
|||
* Removes a subusers from a server's assignment.
|
||||
*
|
||||
* @param \Pterodactyl\Http\Requests\Api\Client\Servers\Subusers\DeleteSubuserRequest $request
|
||||
* @param \Pterodactyl\Models\Server $server
|
||||
* @return \Illuminate\Http\JsonResponse
|
||||
*/
|
||||
public function delete(DeleteSubuserRequest $request)
|
||||
public function delete(DeleteSubuserRequest $request, Server $server)
|
||||
{
|
||||
/** @var \Pterodactyl\Models\Subuser $subuser */
|
||||
$subuser = $request->attributes->get('subuser');
|
||||
|
||||
$this->repository->delete($subuser->id);
|
||||
|
||||
try {
|
||||
$this->serverRepository->setServer($server)->revokeJTIs([md5($subuser->user_id . $server->uuid)]);
|
||||
} catch (DaemonConnectionException $exception) {
|
||||
// Don't block this request if we can't connect to the Wings instance.
|
||||
Log::warning($exception, ['user_id' => $subuser->user_id, 'server_id' => $server->id]);
|
||||
}
|
||||
|
||||
return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -59,7 +59,7 @@ class WebsocketController extends ClientApiController
|
|||
}
|
||||
|
||||
$token = $this->jwtService
|
||||
->setExpiresAt(CarbonImmutable::now()->addMinutes(15))
|
||||
->setExpiresAt(CarbonImmutable::now()->addMinutes(10))
|
||||
->setClaims([
|
||||
'user_id' => $request->user()->id,
|
||||
'server_uuid' => $server->uuid,
|
||||
|
|
|
|||
|
|
@ -163,7 +163,7 @@ class Permission extends Model
|
|||
'allocation' => [
|
||||
'description' => 'Permissions that control a user\'s ability to modify the port allocations for this server.',
|
||||
'keys' => [
|
||||
'read' => 'Allows a user to view the allocations assigned to this server.',
|
||||
'read' => 'Allows a user to view all allocations currently assigned to this server. Users with any level of access to this server can always view the primary allocation.',
|
||||
'create' => 'Allows a user to assign additional allocations to the server.',
|
||||
'update' => 'Allows a user to change the primary server allocation and attach notes to each allocation.',
|
||||
'delete' => 'Allows a user to delete an allocation from the server.',
|
||||
|
|
|
|||
|
|
@ -126,11 +126,10 @@ class DaemonServerRepository extends DaemonRepository
|
|||
}
|
||||
|
||||
/**
|
||||
* Requests the daemon to create a full archive of the server.
|
||||
* Once the daemon is finished they will send a POST request to
|
||||
* "/api/remote/servers/{uuid}/archive" with a boolean.
|
||||
* Requests the daemon to create a full archive of the server. Once the daemon is finished
|
||||
* they will send a POST request to "/api/remote/servers/{uuid}/archive" with a boolean.
|
||||
*
|
||||
* @throws DaemonConnectionException
|
||||
* @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException
|
||||
*/
|
||||
public function requestArchive(): void
|
||||
{
|
||||
|
|
@ -144,4 +143,25 @@ class DaemonServerRepository extends DaemonRepository
|
|||
throw new DaemonConnectionException($exception);
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Revokes an array of JWT JTI's by marking any token generated before the current time on
|
||||
* the Wings instance as being invalid.
|
||||
*
|
||||
* @param array $jtis
|
||||
* @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException
|
||||
*/
|
||||
public function revokeJTIs(array $jtis): void
|
||||
{
|
||||
Assert::isInstanceOf($this->server, Server::class);
|
||||
|
||||
try {
|
||||
$this->getHttpClient()
|
||||
->post(sprintf('/api/servers/%s/ws/deny', $this->server->uuid), [
|
||||
'json' => ['jtis' => $jtis],
|
||||
]);
|
||||
} catch (TransferException $exception) {
|
||||
throw new DaemonConnectionException($exception);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
|
|||
|
|
@ -55,7 +55,7 @@ class NodeJWTService
|
|||
|
||||
$builder = (new Builder)->issuedBy(config('app.url'))
|
||||
->permittedFor($node->getConnectionAddress())
|
||||
->identifiedBy(hash('sha256', $identifiedBy), true)
|
||||
->identifiedBy(md5($identifiedBy), true)
|
||||
->issuedAt(CarbonImmutable::now()->getTimestamp())
|
||||
->canOnlyBeUsedAfter(CarbonImmutable::now()->subMinutes(5)->getTimestamp());
|
||||
|
||||
|
|
|
|||
|
|
@ -83,15 +83,23 @@ class ServerTransformer extends BaseClientTransformer
|
|||
*/
|
||||
public function includeAllocations(Server $server)
|
||||
{
|
||||
$transformer = $this->makeTransformer(AllocationTransformer::class);
|
||||
|
||||
// While we include this permission, we do need to actually handle it slightly different here
|
||||
// for the purpose of keeping things functionally working. If the user doesn't have read permissions
|
||||
// for the allocations we'll only return the primary server allocation, and any notes associated
|
||||
// with it will be hidden.
|
||||
//
|
||||
// This allows us to avoid too much permission regression, without also hiding information that
|
||||
// is generally needed for the frontend to make sense when browsing or searching results.
|
||||
if (! $this->getUser()->can(Permission::ACTION_ALLOCATION_READ, $server)) {
|
||||
return $this->null();
|
||||
$primary = clone $server->allocation;
|
||||
$primary->notes = null;
|
||||
|
||||
return $this->collection([$primary], $transformer, Allocation::RESOURCE_NAME);
|
||||
}
|
||||
|
||||
return $this->collection(
|
||||
$server->allocations,
|
||||
$this->makeTransformer(AllocationTransformer::class),
|
||||
Allocation::RESOURCE_NAME
|
||||
);
|
||||
return $this->collection($server->allocations, $transformer, Allocation::RESOURCE_NAME);
|
||||
}
|
||||
|
||||
/**
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue