Add support for storing SSH keys on user accounts

Author: DaneEveritt

app/Http/Controllers/Api/Client/SSHKeyController.php

@@ -0,0 +1,48 @@
+<?php
+
+namespace Pterodactyl\Http\Controllers\Api\Client;
+
+use Illuminate\Http\JsonResponse;
+use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
+use Pterodactyl\Transformers\Api\Client\SSHKeyTransformer;
+use Pterodactyl\Http\Requests\Api\Client\Account\StoreSSHKeyRequest;
+
+class SSHKeyController extends ClientApiController
+{
+    /**
+     * Returns all of the SSH keys that have been configured for the logged in
+     * user account.
+     */
+    public function index(ClientApiRequest $request): array
+    {
+        return $this->fractal->collection($request->user()->sshKeys)
+            ->transformWith($this->getTransformer(SSHKeyTransformer::class))
+            ->toArray();
+    }
+
+    /**
+     * Stores a new SSH key for the authenticated user's account.
+     */
+    public function store(StoreSSHKeyRequest $request): array
+    {
+        $model = $request->user()->sshKeys()->create([
+            'name' => $request->input('name'),
+            'public_key' => $request->input('public_key'),
+            'fingerprint' => $request->getKeyFingerprint(),
+        ]);
+
+        return $this->fractal->item($model)
+            ->transformWith($this->getTransformer(SSHKeyTransformer::class))
+            ->toArray();
+    }
+
+    /**
+     * Deletes an SSH key from the user's account.
+     */
+    public function delete(ClientApiRequest $request, string $identifier): JsonResponse
+    {
+        $request->user()->sshKeys()->where('fingerprint', $identifier)->delete();
+
+        return new JsonResponse([], JsonResponse::HTTP_NO_CONTENT);
+    }
+}

app/Http/Requests/Api/Application/ApplicationApiRequest.php

@@ -3,6 +3,7 @@
 namespace Pterodactyl\Http\Requests\Api\Application;
 
 use Pterodactyl\Models\ApiKey;
+use Illuminate\Validation\Validator;
 use Pterodactyl\Services\Acl\Api\AdminAcl;
 use Illuminate\Foundation\Http\FormRequest;
 use Pterodactyl\Exceptions\PterodactylException;
@@ -96,6 +97,16 @@ public function getModel(string $model)
         return $this->route()->parameter($parameterKey);
     }
 
+    /**
+     * Helper method allowing a developer to easily hook into this logic without having
+     * to remember what the method name is called or where to use it. By default this is
+     * a no-op.
+     */
+    public function withValidator(Validator $validator): void
+    {
+        // do nothing
+    }
+
     /**
      * Validate that the resource exists and can be accessed prior to booting
      * the validator and attempting to use the data.

app/Http/Requests/Api/Client/Account/StoreSSHKeyRequest.php

@@ -0,0 +1,71 @@
+<?php
+
+namespace Pterodactyl\Http\Requests\Api\Client\Account;
+
+use Exception;
+use phpseclib3\Crypt\DSA;
+use phpseclib3\Crypt\RSA;
+use Pterodactyl\Models\UserSSHKey;
+use Illuminate\Validation\Validator;
+use phpseclib3\Crypt\PublicKeyLoader;
+use phpseclib3\Crypt\Common\PublicKey;
+use phpseclib3\Exception\NoKeyLoadedException;
+use Pterodactyl\Http\Requests\Api\Client\ClientApiRequest;
+
+class StoreSSHKeyRequest extends ClientApiRequest
+{
+    protected ?PublicKey $key;
+
+    /**
+     * Returns the rules for this request.
+     */
+    public function rules(): array
+    {
+        return [
+            'name' => UserSSHKey::getRulesForField('name'),
+            'public_key' => UserSSHKey::getRulesForField('public_key'),
+        ];
+    }
+
+    /**
+     * Check to see if this SSH key has already been added to the user's account
+     * and if so return an error.
+     */
+    public function withValidator(Validator $validator): void
+    {
+        $validator->after(function () {
+            try {
+                $this->key = PublicKeyLoader::loadPublicKey($this->input('public_key'));
+            } catch (NoKeyLoadedException $exception) {
+                $this->validator->errors()->add('public_key', 'The public key provided is not valid.');
+
+                return;
+            }
+
+            if ($this->key instanceof DSA) {
+                $this->validator->errors()->add('public_key', 'DSA public keys are not supported.');
+            }
+
+            if ($this->key instanceof RSA && $this->key->getLength() < 2048) {
+                $this->validator->errors()->add('public_key', 'RSA keys must be at 2048 bytes.');
+            }
+
+            $fingerprint = $this->key->getFingerprint('sha256');
+            if ($this->user()->sshKeys()->where('fingerprint', $fingerprint)->exists()) {
+                $this->validator->errors()->add('public_key', 'The public key provided already exists on your account.');
+            }
+        });
+    }
+
+    /**
+     * Returns the SHA256 fingerprint of the key provided.
+     */
+    public function getKeyFingerprint(): string
+    {
+        if (!$this->key) {
+            throw new Exception('The public key was not properly loaded for this request.');
+        }
+
+        return $this->key->getFingerprint('sha256');
+    }
+}

app/Models/User.php

@@ -10,13 +10,16 @@
 use Illuminate\Database\Eloquent\Builder;
 use Illuminate\Auth\Passwords\CanResetPassword;
 use Pterodactyl\Traits\Helpers\AvailableLanguages;
+use Illuminate\Database\Eloquent\Relations\HasMany;
 use Illuminate\Foundation\Auth\Access\Authorizable;
 use Illuminate\Contracts\Auth\Authenticatable as AuthenticatableContract;
 use Illuminate\Contracts\Auth\Access\Authorizable as AuthorizableContract;
 use Illuminate\Contracts\Auth\CanResetPassword as CanResetPasswordContract;
 use Pterodactyl\Notifications\SendPasswordReset as ResetPasswordNotification;
 
 /**
+ * \Pterodactyl\Models\User.
+ *
  * @property int $id
  * @property string|null $external_id
  * @property string $uuid
@@ -38,6 +41,37 @@
  * @property \Pterodactyl\Models\ApiKey[]|\Illuminate\Database\Eloquent\Collection $apiKeys
  * @property \Pterodactyl\Models\Server[]|\Illuminate\Database\Eloquent\Collection $servers
  * @property \Pterodactyl\Models\RecoveryToken[]|\Illuminate\Database\Eloquent\Collection $recoveryTokens
+ * @property string|null $remember_token
+ * @property int|null $api_keys_count
+ * @property \Illuminate\Notifications\DatabaseNotificationCollection|\Illuminate\Notifications\DatabaseNotification[] $notifications
+ * @property int|null $notifications_count
+ * @property int|null $recovery_tokens_count
+ * @property int|null $servers_count
+ * @property \Illuminate\Database\Eloquent\Collection|\Pterodactyl\Models\UserSSHKey[] $sshKeys
+ * @property int|null $ssh_keys_count
+ *
+ * @method static \Database\Factories\UserFactory factory(...$parameters)
+ * @method static Builder|User newModelQuery()
+ * @method static Builder|User newQuery()
+ * @method static Builder|User query()
+ * @method static Builder|User whereCreatedAt($value)
+ * @method static Builder|User whereEmail($value)
+ * @method static Builder|User whereExternalId($value)
+ * @method static Builder|User whereGravatar($value)
+ * @method static Builder|User whereId($value)
+ * @method static Builder|User whereLanguage($value)
+ * @method static Builder|User whereNameFirst($value)
+ * @method static Builder|User whereNameLast($value)
+ * @method static Builder|User wherePassword($value)
+ * @method static Builder|User whereRememberToken($value)
+ * @method static Builder|User whereRootAdmin($value)
+ * @method static Builder|User whereTotpAuthenticatedAt($value)
+ * @method static Builder|User whereTotpSecret($value)
+ * @method static Builder|User whereUpdatedAt($value)
+ * @method static Builder|User whereUseTotp($value)
+ * @method static Builder|User whereUsername($value)
+ * @method static Builder|User whereUuid($value)
+ * @mixin \Eloquent
  */
 class User extends Model implements
     AuthenticatableContract,
@@ -225,6 +259,11 @@ public function recoveryTokens()
         return $this->hasMany(RecoveryToken::class);
     }
 
+    public function sshKeys(): HasMany
+    {
+        return $this->hasMany(UserSSHKey::class);
+    }
+
     /**
      * Returns all of the servers that a user can access by way of being the owner of the
      * server, or because they are assigned as a subuser for that server.

app/Models/UserSSHKey.php

@@ -0,0 +1,61 @@
+<?php
+
+namespace Pterodactyl\Models;
+
+use Illuminate\Database\Eloquent\SoftDeletes;
+use Illuminate\Database\Eloquent\Relations\BelongsTo;
+
+/**
+ * \Pterodactyl\Models\UserSSHKey.
+ *
+ * @property int $id
+ * @property int $user_id
+ * @property string $name
+ * @property string $fingerprint
+ * @property string $public_key
+ * @property \Illuminate\Support\Carbon|null $created_at
+ * @property \Illuminate\Support\Carbon|null $updated_at
+ * @property \Illuminate\Support\Carbon|null $deleted_at
+ * @property \Pterodactyl\Models\User $user
+ *
+ * @method static \Illuminate\Database\Eloquent\Builder|UserSSHKey newModelQuery()
+ * @method static \Illuminate\Database\Eloquent\Builder|UserSSHKey newQuery()
+ * @method static \Illuminate\Database\Query\Builder|UserSSHKey onlyTrashed()
+ * @method static \Illuminate\Database\Eloquent\Builder|UserSSHKey query()
+ * @method static \Illuminate\Database\Eloquent\Builder|UserSSHKey whereCreatedAt($value)
+ * @method static \Illuminate\Database\Eloquent\Builder|UserSSHKey whereDeletedAt($value)
+ * @method static \Illuminate\Database\Eloquent\Builder|UserSSHKey whereFingerprint($value)
+ * @method static \Illuminate\Database\Eloquent\Builder|UserSSHKey whereId($value)
+ * @method static \Illuminate\Database\Eloquent\Builder|UserSSHKey whereName($value)
+ * @method static \Illuminate\Database\Eloquent\Builder|UserSSHKey wherePublicKey($value)
+ * @method static \Illuminate\Database\Eloquent\Builder|UserSSHKey whereUpdatedAt($value)
+ * @method static \Illuminate\Database\Eloquent\Builder|UserSSHKey whereUserId($value)
+ * @method static \Illuminate\Database\Query\Builder|UserSSHKey withTrashed()
+ * @method static \Illuminate\Database\Query\Builder|UserSSHKey withoutTrashed()
+ * @mixin \Eloquent
+ */
+class UserSSHKey extends Model
+{
+    use SoftDeletes;
+
+    public const RESOURCE_NAME = 'ssh_key';
+
+    protected $table = 'user_ssh_keys';
+
+    protected $fillable = [
+        'name',
+        'public_key',
+        'fingerprint',
+    ];
+
+    public static $validationRules = [
+        'name' => ['required', 'string'],
+        'fingerprint' => ['required', 'string'],
+        'public_key' => ['required', 'string'],
+    ];
+
+    public function user(): BelongsTo
+    {
+        return $this->belongsTo(User::class);
+    }
+}

app/Transformers/Api/Client/SSHKeyTransformer.php

@@ -0,0 +1,26 @@
+<?php
+
+namespace Pterodactyl\Transformers\Api\Client;
+
+use Pterodactyl\Models\UserSSHKey;
+
+class SSHKeyTransformer extends BaseClientTransformer
+{
+    public function getResourceName(): string
+    {
+        return UserSSHKey::RESOURCE_NAME;
+    }
+
+    /**
+     * Return's a user's SSH key in an API response format.
+     */
+    public function transform(UserSSHKey $model): array
+    {
+        return [
+            'name' => $model->name,
+            'fingerprint' => $model->fingerprint,
+            'public_key' => $model->public_key,
+            'created_at' => $model->created_at->toIso8601String(),
+        ];
+    }
+}

composer.json

@@ -30,6 +30,7 @@
         "league/flysystem-aws-s3-v3": "~1.0.29",
         "league/flysystem-memory": "~1.0.2",
         "matriphe/iso-639": "~1.2.0",
+        "phpseclib/phpseclib": "~3.0",
         "pragmarx/google2fa": "~5.0.0",
         "predis/predis": "~1.1.10",
         "prologue/alerts": "~0.4.8",