Add ApiKey service, cleanup old API key methods

https://zube.io/pterodactyl/panel/c/525

Author: DaneEveritt

app/Http/Controllers/Base/APIController.php

@@ -25,22 +25,48 @@
 
 namespace Pterodactyl\Http\Controllers\Base;
 
-use Log;
-use Alert;
 use Illuminate\Http\Request;
 use Pterodactyl\Models\APIKey;
+use Prologue\Alerts\AlertsMessageBag;
 use Pterodactyl\Models\APIPermission;
-use Pterodactyl\Repositories\APIRepository;
-use Pterodactyl\Exceptions\DisplayException;
+use Pterodactyl\Services\ApiKeyService;
 use Pterodactyl\Http\Controllers\Controller;
-use Pterodactyl\Exceptions\DisplayValidationException;
+use Pterodactyl\Http\Requests\ApiKeyRequest;
 
 class APIController extends Controller
 {
+    /**
+     * @var \Prologue\Alerts\AlertsMessageBag
+     */
+    protected $alert;
+
+    /**
+     * @var \Pterodactyl\Models\APIKey
+     */
+    protected $model;
+
+    /**
+     * @var \Pterodactyl\Services\ApiKeyService
+     */
+    protected $service;
+
+    /**
+     * APIController constructor.
+     *
+     * @param \Prologue\Alerts\AlertsMessageBag   $alert
+     * @param \Pterodactyl\Services\ApiKeyService $service
+     */
+    public function __construct(AlertsMessageBag $alert, ApiKeyService $service, APIKey $model)
+    {
+        $this->alert = $alert;
+        $this->model = $model;
+        $this->service = $service;
+    }
+
     /**
      * Display base API index page.
      *
-     * @param  \Illuminate\Http\Request  $request
+     * @param  \Illuminate\Http\Request $request
      * @return \Illuminate\View\View
      */
     public function index(Request $request)
@@ -53,68 +79,61 @@ public function index(Request $request)
     /**
      * Display API key creation page.
      *
-     * @param  \Illuminate\Http\Request  $request
      * @return \Illuminate\View\View
      */
-    public function create(Request $request)
+    public function create()
     {
         return view('base.api.new', [
             'permissions' => [
-                'user' => collect(APIPermission::permissions())->pull('_user'),
-                'admin' => collect(APIPermission::permissions())->except('_user')->toArray(),
+                'user' => collect(APIPermission::PERMISSIONS)->pull('_user'),
+                'admin' => collect(APIPermission::PERMISSIONS)->except('_user')->toArray(),
             ],
         ]);
     }
 
     /**
      * Handle saving new API key.
      *
-     * @param  \Illuminate\Http\Request  $request
+     * @param  \Pterodactyl\Http\Requests\ApiKeyRequest $request
      * @return \Illuminate\Http\RedirectResponse
+     *
+     * @throws \Exception
+     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      */
-    public function store(Request $request)
+    public function store(ApiKeyRequest $request)
     {
-        try {
-            $repo = new APIRepository($request->user());
-            $secret = $repo->create($request->intersect([
-                'memo', 'allowed_ips',
-                'admin_permissions', 'permissions',
-            ]));
-            Alert::success('An API Key-Pair has successfully been generated. The API secret for this public key is shown below and will not be shown again.<br /><br /><code>' . $secret . '</code>')->flash();
-
-            return redirect()->route('account.api');
-        } catch (DisplayValidationException $ex) {
-            return redirect()->route('account.api.new')->withErrors(json_decode($ex->getMessage()))->withInput();
-        } catch (DisplayException $ex) {
-            Alert::danger($ex->getMessage())->flash();
-        } catch (\Exception $ex) {
-            Log::error($ex);
-            Alert::danger('An unhandled exception occured while attempting to add this API key.')->flash();
+        $adminPermissions = [];
+        if ($request->user()->isRootAdmin()) {
+            $adminPermissions = $request->input('admin_permissions') ?? [];
         }
 
-        return redirect()->route('account.api.new')->withInput();
+        $secret = $this->service->create([
+            'user_id' => $request->user()->id,
+            'allowed_ips' => $request->input('allowed_ips'),
+            'memo' => $request->input('memo'),
+        ], $request->input('permissions') ?? [], $adminPermissions);
+
+        $this->alert->success('An API Key-Pair has successfully been generated. The API secret for this public key is shown below and will not be shown again.<br /><br /><code>' . $secret . '</code>')->flash();
+
+        return redirect()->route('account.api');
     }
 
     /**
-     * Handle revoking API key.
-     *
      * @param  \Illuminate\Http\Request  $request
      * @param  string                    $key
-     * @return \Illuminate\Http\JsonResponse|\Illuminate\Http\Response
+     * @return \Illuminate\Http\Response
+     *
+     * @throws \Exception
      */
     public function revoke(Request $request, $key)
     {
-        try {
-            $repo = new APIRepository($request->user());
-            $repo->revoke($key);
+        $key = $this->model->newQuery()
+            ->where('user_id', $request->user()->id)
+            ->where('public', $key)
+            ->firstOrFail();
 
-            return response('', 204);
-        } catch (\Exception $ex) {
-            Log::error($ex);
+        $this->service->revoke($key);
 
-            return response()->json([
-                'error' => 'An error occured while attempting to remove this key.',
-            ], 503);
-        }
+        return response('', 204);
     }
 }

app/Http/Requests/Admin/AdminFormRequest.php

@@ -24,7 +24,6 @@
 
 namespace Pterodactyl\Http\Requests\Admin;
 
-use Pterodactyl\Models\User;
 use Illuminate\Foundation\Http\FormRequest;
 
 abstract class AdminFormRequest extends FormRequest
@@ -37,7 +36,7 @@ abstract class AdminFormRequest extends FormRequest
      */
     public function authorize()
     {
-        if (! $this->user() instanceof User) {
+        if (is_null($this->user())) {
             return false;
         }
 

app/Http/Requests/ApiKeyRequest.php

@@ -0,0 +1,89 @@
+<?php
+/*
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace Pterodactyl\Http\Requests;
+
+use IPTools\Network;
+
+class ApiKeyRequest extends BaseFormRequest
+{
+    /**
+     * Rules applied to data passed in this request.
+     *
+     * @return array
+     */
+    public function rules()
+    {
+        $this->parseAllowedIntoArray();
+
+        return [
+            'memo' => 'required|nullable|string|max:500',
+            'permissions' => 'sometimes|present|array',
+            'admin_permissions' => 'sometimes|present|array',
+            'allowed_ips' => 'present',
+            'allowed_ips.*' => 'sometimes|string',
+        ];
+    }
+
+    /**
+     * Parse the string of allowed IPs into an array.
+     */
+    protected function parseAllowedIntoArray()
+    {
+        $loop = [];
+        if (! empty($this->input('allowed_ips'))) {
+            foreach (explode(PHP_EOL, $this->input('allowed_ips')) as $ip) {
+                $loop[] = trim($ip);
+            }
+        }
+
+        $this->merge(['allowed_ips' => $loop], $this->except('allowed_ips'));
+    }
+
+    /**
+     * Run additional validation rules on the request to ensure all of the data is good.
+     *
+     * @param \Illuminate\Validation\Validator $validator
+     */
+    public function withValidator($validator)
+    {
+        $validator->after(function ($validator) {
+            if (empty($this->input('permissions')) && empty($this->input('admin_permissions'))) {
+                $validator->errors()->add('permissions', 'At least one permission must be selected.');
+            }
+        });
+
+        $validator->after(function ($validator) {
+            foreach ($this->input('allowed_ips') as $ip) {
+                $ip = trim($ip);
+
+                try {
+                    Network::parse($ip);
+                } catch (\Exception $ex) {
+                    $validator->errors()->add('allowed_ips', 'Could not parse IP ' . $ip . ' because it is in an invalid format.');
+                }
+            }
+        });
+    }
+}

app/Http/Requests/BaseFormRequest.php

@@ -0,0 +1,53 @@
+<?php
+/*
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace Pterodactyl\Http\Requests;
+
+use Illuminate\Foundation\Http\FormRequest;
+
+class BaseFormRequest extends FormRequest
+{
+    /**
+     * Determine if a user is authorized to access this endpoint.
+     *
+     * @return bool
+     */
+    public function authorize()
+    {
+        return ! is_null($this->user());
+    }
+
+    /**
+     * Return only the fields that we are interested in from the request.
+     * This will include empty fields as a null value.
+     *
+     * @return array
+     */
+    public function normalize()
+    {
+        return $this->only(
+            array_keys($this->rules())
+        );
+    }
+}

app/Models/APIKey.php

@@ -24,16 +24,14 @@
 
 namespace Pterodactyl\Models;
 
+use Sofa\Eloquence\Eloquence;
+use Sofa\Eloquence\Validable;
 use Illuminate\Database\Eloquent\Model;
+use Sofa\Eloquence\Contracts\Validable as ValidableContract;
 
-class APIKey extends Model
+class APIKey extends Model implements ValidableContract
 {
-    /**
-     * Public key defined length used in verification methods.
-     *
-     * @var int
-     */
-    const PUBLIC_KEY_LEN = 16;
+    use Eloquence, Validable;
 
     /**
      * The table associated with the model.
@@ -65,6 +63,32 @@ class APIKey extends Model
      */
     protected $guarded = ['id', 'created_at', 'updated_at'];
 
+    /**
+     * Rules defining what fields must be passed when making a model.
+     *
+     * @var array
+     */
+    protected static $applicationRules = [
+        'memo' => 'required',
+        'user_id' => 'required',
+        'secret' => 'required',
+        'public' => 'required',
+    ];
+
+    /**
+     * Rules to protect aganist invalid data entry to DB.
+     *
+     * @var array
+     */
+    protected static $dataIntegrityRules = [
+        'user_id' => 'exists:users,id',
+        'public' => 'string|size:16',
+        'secret' => 'string',
+        'memo' => 'nullable|string|max:500',
+        'allowed_ips' => 'nullable|json',
+        'expires_at' => 'nullable|datetime',
+    ];
+
     /**
      * Gets the permissions associated with a key.
      *