Begin implementation of new daemon authentication scheme

Author: DaneEveritt

app/Contracts/Repository/DaemonKeyRepositoryInterface.php

@@ -0,0 +1,46 @@
+<?php
+/*
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace Pterodactyl\Contracts\Repository;
+
+interface DaemonKeyRepositoryInterface extends RepositoryInterface
+{
+    /**
+     * Gets the daemon keys associated with a specific server.
+     *
+     * @param int $server
+     * @return \Illuminate\Support\Collection
+     */
+    public function getServerKeys($server);
+
+    /**
+     * Return a daemon key with the associated server relation attached.
+     *
+     * @param string $key
+     * @return \Pterodactyl\Models\DaemonKey
+     *
+     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     */
+    public function getKeyWithServer($key);
+}

app/Contracts/Repository/SubuserRepositoryInterface.php

@@ -46,6 +46,17 @@ public function getWithServer($id);
      */
     public function getWithPermissions($id);
 
+    /**
+     * Return a subuser and associated permissions given a user_id and server_id.
+     *
+     * @param int $user
+     * @param int $server
+     * @return \Pterodactyl\Models\Subuser
+     *
+     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     */
+    public function getWithPermissionsUsingUserAndServer($user, $server);
+
     /**
      * Find a subuser and return with server and permissions relationships.
      *
@@ -55,4 +66,15 @@ public function getWithPermissions($id);
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      */
     public function getWithServerAndPermissions($id);
+
+    /**
+     * Return a subuser and their associated connection key for a server.
+     *
+     * @param int $user
+     * @param int $server
+     * @return \Pterodactyl\Models\Subuser
+     *
+     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     */
+    public function getWithKey($user, $server);
 }

app/Exceptions/Handler.php

@@ -66,11 +66,16 @@ public function render($request, Exception $exception)
                 $displayError = 'An unhandled exception was encountered with this request.';
             }
 
-            $response = response()->json([
-                'error' => $displayError,
-                'http_code' => (! $this->isHttpException($exception)) ?: $exception->getStatusCode(),
-                'trace' => (! config('app.debug')) ? null : class_basename($exception) . ' in ' . $exception->getFile() . ' on line ' . $exception->getLine(),
-            ], ($this->isHttpException($exception)) ? $exception->getStatusCode() : 500, [], JSON_UNESCAPED_SLASHES);
+            $response = response()->json(
+                [
+                    'error' => $displayError,
+                    'http_code' => (! $this->isHttpException($exception)) ?: $exception->getStatusCode(),
+                    'trace' => (! config('app.debug')) ? null : $exception->getTrace(),
+                ],
+                $this->isHttpException($exception) ? $exception->getStatusCode() : 500,
+                $this->isHttpException($exception) ? $exception->getHeaders() : [],
+                JSON_UNESCAPED_SLASHES
+            );
 
             parent::report($exception);
         } elseif ($exception instanceof DisplayException) {

app/Http/Controllers/API/Remote/ValidateKeyController.php

@@ -0,0 +1,90 @@
+<?php
+/*
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace Pterodactyl\Http\Controllers\API\Remote;
+
+use Spatie\Fractal\Fractal;
+use Pterodactyl\Http\Controllers\Controller;
+use Illuminate\Contracts\Foundation\Application;
+use Illuminate\Foundation\Testing\HttpException;
+use League\Fractal\Serializer\JsonApiSerializer;
+use Pterodactyl\Transformers\Daemon\ApiKeyTransformer;
+use Pterodactyl\Contracts\Repository\DaemonKeyRepositoryInterface;
+
+class ValidateKeyController extends Controller
+{
+    /**
+     * @var \Illuminate\Contracts\Foundation\Application
+     */
+    protected $app;
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\DaemonKeyRepositoryInterface
+     */
+    protected $daemonKeyRepository;
+
+    /**
+     * @var \Spatie\Fractal\Fractal
+     */
+    protected $fractal;
+
+    /**
+     * ValidateKeyController constructor.
+     *
+     * @param \Illuminate\Contracts\Foundation\Application                   $app
+     * @param \Pterodactyl\Contracts\Repository\DaemonKeyRepositoryInterface $daemonKeyRepository
+     * @param \Spatie\Fractal\Fractal                                        $fractal
+     */
+    public function __construct(
+        Application $app,
+        DaemonKeyRepositoryInterface $daemonKeyRepository,
+        Fractal $fractal
+    ) {
+        $this->app = $app;
+        $this->daemonKeyRepository = $daemonKeyRepository;
+        $this->fractal = $fractal;
+    }
+
+    /**
+     * Return the server(s) and permissions associated with an API key.
+     *
+     * @param string $token
+     * @return array
+     *
+     * @throws \Illuminate\Foundation\Testing\HttpException
+     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     */
+    public function index($token)
+    {
+        if (! starts_with($token, 'i_')) {
+            throw new HttpException(501);
+        }
+
+        $key = $this->daemonKeyRepository->getKeyWithServer($token);
+
+        return $this->fractal->item($key, $this->app->make(ApiKeyTransformer::class), 'server')
+            ->serializeWith(JsonApiSerializer::class)
+            ->toArray();
+    }
+}

app/Http/Kernel.php

@@ -2,7 +2,9 @@
 
 namespace Pterodactyl\Http;
 
+use Pterodactyl\Http\Middleware\DaemonAuthenticate;
 use Illuminate\Foundation\Http\Kernel as HttpKernel;
+use Illuminate\Routing\Middleware\SubstituteBindings;
 
 class Kernel extends HttpKernel
 {
@@ -43,6 +45,10 @@ class Kernel extends HttpKernel
             'throttle:60,1',
             'bindings',
         ],
+        'daemon' => [
+            \Pterodactyl\Http\Middleware\Daemon\DaemonAuthenticate::class,
+            SubstituteBindings::class,
+        ],
     ];
 
     /**
@@ -57,7 +63,7 @@ class Kernel extends HttpKernel
         'server' => \Pterodactyl\Http\Middleware\ServerAuthenticate::class,
         'subuser' => \Pterodactyl\Http\Middleware\SubuserAccessAuthenticate::class,
         'admin' => \Pterodactyl\Http\Middleware\AdminAuthenticate::class,
-        'daemon' => \Pterodactyl\Http\Middleware\DaemonAuthenticate::class,
+        'daemon-old' => DaemonAuthenticate::class,
         'csrf' => \Pterodactyl\Http\Middleware\VerifyCsrfToken::class,
         'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
         'can' => \Illuminate\Auth\Middleware\Authorize::class,

app/Http/Middleware/Daemon/DaemonAuthenticate.php

@@ -0,0 +1,82 @@
+<?php
+/*
+ * Pterodactyl - Panel
+ * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a copy
+ * of this software and associated documentation files (the "Software"), to deal
+ * in the Software without restriction, including without limitation the rights
+ * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+ * copies of the Software, and to permit persons to whom the Software is
+ * furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in all
+ * copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+ * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+ * SOFTWARE.
+ */
+
+namespace Pterodactyl\Http\Middleware\Daemon;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpKernel\Exception\HttpException;
+use Pterodactyl\Contracts\Repository\NodeRepositoryInterface;
+use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
+
+class DaemonAuthenticate
+{
+    /**
+     * @var array
+     */
+    protected $except = ['daemon.configuration'];
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\NodeRepositoryInterface
+     */
+    protected $repository;
+
+    /**
+     * DaemonAuthenticate constructor.
+     *
+     * @param \Pterodactyl\Contracts\Repository\NodeRepositoryInterface $repository
+     */
+    public function __construct(NodeRepositoryInterface $repository)
+    {
+        $this->repository = $repository;
+    }
+
+    /**
+     * Check if a request from the daemon can be properly attributed back to a single node instance.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure                 $next
+     * @return mixed
+     *
+     * @throws \Symfony\Component\HttpKernel\Exception\HttpException
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        $token = $request->bearerToken();
+
+        if (is_null($token)) {
+            throw new HttpException(401, null, null, ['WWW-Authenticate' => 'Bearer']);
+        }
+
+        try {
+            $node = $this->repository->findFirstWhere([['daemonSecret', '=', $token]]);
+        } catch (RecordNotFoundException $exception) {
+            throw new HttpException(403);
+        }
+
+        $request->attributes->set('node.model', $node);
+
+        return $next($request);
+    }
+}

app/Http/Middleware/Server/ScheduleAccess.php

@@ -70,8 +70,8 @@ public function __construct(
      * @param \Closure                 $next
      * @return mixed
      *
-     * @throws \Pterodactyl\Exceptions\DisplayException
-     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     * @throws \Symfony\Component\HttpKernel\Exception\HttpException
+     * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
      */
     public function handle($request, Closure $next)
     {

app/Http/Middleware/Server/SubuserAccess.php

@@ -63,6 +63,7 @@ public function __construct(Session $session, SubuserRepositoryInterface $reposi
      *
      * @throws \Pterodactyl\Exceptions\DisplayException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
      */
     public function handle($request, Closure $next)
     {

app/Http/Middleware/ServerAuthenticate.php

@@ -82,6 +82,8 @@ public function __construct(
      *
      * @throws \Illuminate\Auth\AuthenticationException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
+     * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
      */
     public function handle(Request $request, Closure $next)
     {