|
2 | 2 |
|
3 | 3 | namespace Pterodactyl\Http\Controllers\Api\Remote; |
4 | 4 |
|
| 5 | +use Pterodactyl\Models\User; |
5 | 6 | use Illuminate\Http\Request; |
| 7 | +use Pterodactyl\Models\Server; |
6 | 8 | use Illuminate\Http\JsonResponse; |
7 | 9 | use Pterodactyl\Models\Permission; |
8 | 10 | use Pterodactyl\Http\Controllers\Controller; |
9 | 11 | use Illuminate\Foundation\Auth\ThrottlesLogins; |
10 | | -use Pterodactyl\Repositories\Eloquent\UserRepository; |
11 | 12 | use Pterodactyl\Exceptions\Http\HttpForbiddenException; |
12 | | -use Pterodactyl\Repositories\Eloquent\ServerRepository; |
13 | 13 | use Pterodactyl\Services\Servers\GetUserPermissionsService; |
14 | 14 | use Symfony\Component\HttpKernel\Exception\NotFoundHttpException; |
15 | 15 | use Pterodactyl\Http\Requests\Api\Remote\SftpAuthenticationFormRequest; |
16 | 16 | use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException; |
17 | 17 |
|
18 | | -class SftpAuthenticationController extends Controller |
| 18 | +abstract class SftpAuthenticationController extends Controller |
19 | 19 | { |
20 | 20 | use ThrottlesLogins; |
21 | 21 |
|
22 | | - /** |
23 | | - * @var \Pterodactyl\Repositories\Eloquent\UserRepository |
24 | | - */ |
25 | | - private $userRepository; |
| 22 | + protected GetUserPermissionsService $permissions; |
| 23 | + |
| 24 | + public function __construct(GetUserPermissionsService $permissions) |
| 25 | + { |
| 26 | + $this->permissions = $permissions; |
| 27 | + } |
26 | 28 |
|
27 | 29 | /** |
28 | | - * @var \Pterodactyl\Repositories\Eloquent\ServerRepository |
| 30 | + * Authenticate a set of credentials and return the associated server details |
| 31 | + * for a SFTP connection on the daemon. |
29 | 32 | */ |
30 | | - private $serverRepository; |
| 33 | + public function __invoke(SftpAuthenticationFormRequest $request): JsonResponse |
| 34 | + { |
| 35 | + $connection = $this->parseUsername($request->input('username')); |
| 36 | + |
| 37 | + $this->validateRequestState($request); |
| 38 | + |
| 39 | + $user = $this->getUser($request, $connection['username']); |
| 40 | + $server = $this->getServer($request, $connection['server']); |
| 41 | + |
| 42 | + if ($request->input('type') !== 'public_key') { |
| 43 | + if (!password_verify($request->input('password'), $user->password)) { |
| 44 | + $this->reject($request); |
| 45 | + } |
| 46 | + } |
| 47 | + |
| 48 | + $this->validateSftpAccess($user, $server); |
| 49 | + |
| 50 | + return new JsonResponse([ |
| 51 | + 'server' => $server->uuid, |
| 52 | + 'public_keys' => $user->sshKeys->map(fn ($value) => $value->public_key)->toArray(), |
| 53 | + 'permissions' => $permissions ?? ['*'], |
| 54 | + ]); |
| 55 | + } |
31 | 56 |
|
32 | 57 | /** |
33 | | - * @var \Pterodactyl\Services\Servers\GetUserPermissionsService |
| 58 | + * Finds the server being requested and ensures that it belongs to the node this |
| 59 | + * request stems from. |
34 | 60 | */ |
35 | | - private $permissionsService; |
| 61 | + protected function getServer(Request $request, string $uuid): Server |
| 62 | + { |
| 63 | + return Server::query() |
| 64 | + ->where(fn ($builder) => $builder->where('uuid', $uuid)->orWhere('uuidShort', $uuid)) |
| 65 | + ->where('node_id', $request->attributes->get('node')->id) |
| 66 | + ->firstOr(function () use ($request) { |
| 67 | + $this->reject($request); |
| 68 | + }); |
| 69 | + } |
36 | 70 |
|
37 | 71 | /** |
38 | | - * SftpController constructor. |
| 72 | + * Finds a user with the given username or increments the login attempts. |
39 | 73 | */ |
40 | | - public function __construct( |
41 | | - GetUserPermissionsService $permissionsService, |
42 | | - UserRepository $userRepository, |
43 | | - ServerRepository $serverRepository |
44 | | - ) { |
45 | | - $this->userRepository = $userRepository; |
46 | | - $this->serverRepository = $serverRepository; |
47 | | - $this->permissionsService = $permissionsService; |
| 74 | + protected function getUser(Request $request, string $username): User |
| 75 | + { |
| 76 | + return User::query()->where('username', $username)->firstOr(function () use ($request) { |
| 77 | + $this->reject($request); |
| 78 | + }); |
48 | 79 | } |
49 | 80 |
|
50 | 81 | /** |
51 | | - * Authenticate a set of credentials and return the associated server details |
52 | | - * for a SFTP connection on the daemon. |
| 82 | + * Parses the username provided to the request. |
53 | 83 | * |
54 | | - * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException |
| 84 | + * @return array{"username": string, "server": string} |
55 | 85 | */ |
56 | | - public function __invoke(SftpAuthenticationFormRequest $request): JsonResponse |
| 86 | + protected function parseUsername(string $value): array |
57 | 87 | { |
58 | 88 | // Reverse the string to avoid issues with usernames that contain periods. |
59 | | - $parts = explode('.', strrev($request->input('username')), 2); |
| 89 | + $parts = explode('.', strrev($value), 2); |
60 | 90 |
|
61 | 91 | // Unreverse the strings after parsing them apart. |
62 | | - $connection = [ |
| 92 | + return [ |
63 | 93 | 'username' => strrev(array_get($parts, 1)), |
64 | 94 | 'server' => strrev(array_get($parts, 0)), |
65 | 95 | ]; |
| 96 | + } |
66 | 97 |
|
| 98 | + /** |
| 99 | + * Checks that the request should not be throttled yet, and that the server was |
| 100 | + * provided in the username. |
| 101 | + */ |
| 102 | + protected function validateRequestState(Request $request): void |
| 103 | + { |
67 | 104 | if ($this->hasTooManyLoginAttempts($request)) { |
68 | 105 | $seconds = $this->limiter()->availableIn($this->throttleKey($request)); |
69 | 106 |
|
70 | 107 | throw new TooManyRequestsHttpException($seconds, "Too many login attempts for this account, please try again in {$seconds} seconds."); |
71 | 108 | } |
72 | 109 |
|
73 | | - /** @var \Pterodactyl\Models\Node $node */ |
74 | | - $node = $request->attributes->get('node'); |
75 | 110 | if (empty($connection['server'])) { |
76 | 111 | throw new NotFoundHttpException(); |
77 | 112 | } |
| 113 | + } |
78 | 114 |
|
79 | | - /** @var \Pterodactyl\Models\User $user */ |
80 | | - $user = $this->userRepository->findFirstWhere([ |
81 | | - ['username', '=', $connection['username']], |
82 | | - ]); |
83 | | - |
84 | | - $server = $this->serverRepository->getByUuid($connection['server'] ?? ''); |
85 | | - if (!password_verify($request->input('password'), $user->password) || $server->node_id !== $node->id) { |
86 | | - $this->incrementLoginAttempts($request); |
| 115 | + /** |
| 116 | + * Rejects the request and increments the login attempts. |
| 117 | + */ |
| 118 | + protected function reject(Request $request): void |
| 119 | + { |
| 120 | + $this->incrementLoginAttempts($request); |
87 | 121 |
|
88 | | - throw new HttpForbiddenException('Authorization credentials were not correct, please try again.'); |
89 | | - } |
| 122 | + throw new HttpForbiddenException('Authorization credentials were not correct, please try again.'); |
| 123 | + } |
90 | 124 |
|
| 125 | + /** |
| 126 | + * Validates that a user should have permission to use SFTP for the given server. |
| 127 | + */ |
| 128 | + protected function validateSftpAccess(User $user, Server $server): void |
| 129 | + { |
91 | 130 | if (!$user->root_admin && $server->owner_id !== $user->id) { |
92 | | - $permissions = $this->permissionsService->handle($server, $user); |
| 131 | + $permissions = $this->permissions->handle($server, $user); |
93 | 132 |
|
94 | 133 | if (!in_array(Permission::ACTION_FILE_SFTP, $permissions)) { |
95 | 134 | throw new HttpForbiddenException('You do not have permission to access SFTP for this server.'); |
96 | 135 | } |
97 | 136 | } |
98 | 137 |
|
99 | 138 | $server->validateCurrentState(); |
100 | | - |
101 | | - return new JsonResponse([ |
102 | | - 'server' => $server->uuid, |
103 | | - // Deprecated, but still needed at the moment for Wings. |
104 | | - 'token' => '', |
105 | | - 'permissions' => $permissions ?? ['*'], |
106 | | - ]); |
107 | 139 | } |
108 | 140 |
|
109 | 141 | /** |
|