Implement changes to administrative user revocation, closes pterodactyl#733

DaneEveritt · DaneEveritt · commit 975597b4d0c3 · 2017-12-03T14:00:47.000-06:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,10 @@ This project follows [Semantic Versioning](http://semver.org) guidelines.
 * `[beta.2]` — Fixes a bug that would throw a red page of death when submitting an invalid egg variable value for a server in the Admin CP.
 * `[beta.2]` — Someone found a `@todo` that I never `@todid` and thus database hosts could not be created without being linked to a node. This is fixed...
 * `[beta.2]` — Fixes bug that caused incorrect rendering of CPU usage on server graphs due to missing variable.
+* `[beta.2]` — Fixes bug causing schedules to be un-deletable.
+
+### Changed
+* Revoking the administrative status for an admin will revoke all authentication tokens currently assigned to their account.
 
 ## v0.7.0-beta.2 (Derelict Dermodactylus)
 ### Fixed
diff --git a/app/Contracts/Repository/Daemon/ServerRepositoryInterface.php b/app/Contracts/Repository/Daemon/ServerRepositoryInterface.php
@@ -78,8 +78,10 @@ public function details();
     /**
      * Revoke an access key on the daemon before the time is expired.
      *
-     * @param string $key
+     * @param string|array $key
      * @return \Psr\Http\Message\ResponseInterface
+     *
+     * @throws \GuzzleHttp\Exception\RequestException
      */
     public function revokeAccessKey($key);
 }
diff --git a/app/Contracts/Repository/DaemonKeyRepositoryInterface.php b/app/Contracts/Repository/DaemonKeyRepositoryInterface.php
@@ -24,7 +24,9 @@
 
 namespace Pterodactyl\Contracts\Repository;
 
+use Pterodactyl\Models\User;
 use Pterodactyl\Models\DaemonKey;
+use Illuminate\Support\Collection;
 
 interface DaemonKeyRepositoryInterface extends RepositoryInterface
 {
@@ -59,4 +61,22 @@ public function getServerKeys($server);
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
      */
     public function getKeyWithServer($key);
+
+    /**
+     * Get all of the keys for a specific user including the information needed
+     * from their server relation for revocation on the daemon.
+     *
+     * @param \Pterodactyl\Models\User $user
+     * @return \Illuminate\Support\Collection
+     */
+    public function getKeysForRevocation(User $user): Collection;
+
+    /**
+     * Delete an array of daemon keys from the database. Used primarily in
+     * conjunction with getKeysForRevocation.
+     *
+     * @param array $ids
+     * @return bool|int
+     */
+    public function deleteKeys(array $ids);
 }
diff --git a/app/Exceptions/Http/Connection/DaemonConnectionException.php b/app/Exceptions/Http/Connection/DaemonConnectionException.php
@@ -1,11 +1,4 @@
 <?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
- *
- * This software is licensed under the terms of the MIT license.
- * https://opensource.org/licenses/MIT
- */
 
 namespace Pterodactyl\Exceptions\Http\Connection;
 
diff --git a/app/Http/Controllers/Admin/UserController.php b/app/Http/Controllers/Admin/UserController.php
@@ -1,11 +1,4 @@
 <?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>.
- *
- * This software is licensed under the terms of the MIT license.
- * https://opensource.org/licenses/MIT
- */
 
 namespace Pterodactyl\Http\Controllers\Admin;
 
@@ -160,10 +153,30 @@ public function store(UserFormRequest $request)
      *
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     * @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException
      */
     public function update(UserFormRequest $request, User $user)
     {
-        $this->updateService->handle($user->id, $request->normalize());
+        $this->updateService->setUserLevel(User::USER_LEVEL_ADMIN);
+        $data = $this->updateService->handle($user, $request->normalize());
+
+        if (! empty($data->get('exceptions'))) {
+            foreach ($data->get('exceptions') as $node => $exception) {
+                /** @var \GuzzleHttp\Exception\RequestException $exception */
+                /** @var \GuzzleHttp\Psr7\Response|null $response */
+                $response = method_exists($exception, 'getResponse') ? $exception->getResponse() : null;
+                $message = trans('admin/server.exceptions.daemon_exception', [
+                    'code' => is_null($response) ? 'E_CONN_REFUSED' : $response->getStatusCode(),
+                ]);
+
+                $this->alert->danger(trans('exceptions.users.node_revocation_failed', [
+                    'node' => $node,
+                    'error' => $message,
+                    'link' => route('admin.nodes.view', $node),
+                ]))->flash();
+            }
+        }
+
         $this->alert->success($this->translator->trans('admin/user.notices.account_updated'))->flash();
 
         return redirect()->route('admin.users.view', $user->id);
diff --git a/app/Http/Controllers/Base/AccountController.php b/app/Http/Controllers/Base/AccountController.php
@@ -1,30 +1,8 @@
 <?php
-/**
- * Pterodactyl - Panel
- * Copyright (c) 2015 - 2017 Dane Everitt <dane@daneeveritt.com>
- * Some Modifications (c) 2015 Dylan Seidt <dylan.seidt@gmail.com>.
- *
- * Permission is hereby granted, free of charge, to any person obtaining a copy
- * of this software and associated documentation files (the "Software"), to deal
- * in the Software without restriction, including without limitation the rights
- * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
- * copies of the Software, and to permit persons to whom the Software is
- * furnished to do so, subject to the following conditions:
- *
- * The above copyright notice and this permission notice shall be included in all
- * copies or substantial portions of the Software.
- *
- * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
- * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
- * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
- * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
- * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
- * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
- * SOFTWARE.
- */
 
 namespace Pterodactyl\Http\Controllers\Base;
 
+use Pterodactyl\Models\User;
 use Prologue\Alerts\AlertsMessageBag;
 use Pterodactyl\Http\Controllers\Controller;
 use Pterodactyl\Services\Users\UserUpdateService;
@@ -48,10 +26,8 @@ class AccountController extends Controller
      * @param \Prologue\Alerts\AlertsMessageBag             $alert
      * @param \Pterodactyl\Services\Users\UserUpdateService $updateService
      */
-    public function __construct(
-        AlertsMessageBag $alert,
-        UserUpdateService $updateService
-    ) {
+    public function __construct(AlertsMessageBag $alert, UserUpdateService $updateService)
+    {
         $this->alert = $alert;
         $this->updateService = $updateService;
     }
@@ -74,6 +50,7 @@ public function index()
      *
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
      * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     * @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException
      */
     public function update(AccountDataFormRequest $request)
     {
@@ -86,7 +63,8 @@ public function update(AccountDataFormRequest $request)
             $data = $request->only(['name_first', 'name_last', 'username']);
         }
 
-        $this->updateService->handle($request->user()->id, $data);
+        $this->updateService->setUserLevel(User::USER_LEVEL_USER);
+        $this->updateService->handle($request->user(), $data);
         $this->alert->success(trans('base.account.details_updated'))->flash();
 
         return redirect()->route('account');
diff --git a/app/Http/Middleware/AdminAuthenticate.php b/app/Http/Middleware/AdminAuthenticate.php
@@ -21,6 +21,8 @@ class AdminAuthenticate
      * @param \Illuminate\Http\Request $request
      * @param \Closure                 $next
      * @return mixed
+     *
+     * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
      */
     public function handle(Request $request, Closure $next)
     {
diff --git a/app/Http/Middleware/DaemonAuthenticate.php b/app/Http/Middleware/DaemonAuthenticate.php
@@ -46,6 +46,8 @@ public function __construct(NodeRepositoryInterface $repository)
      * @param \Illuminate\Http\Request $request
      * @param \Closure                 $next
      * @return mixed
+     *
+     * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
      */
     public function handle(Request $request, Closure $next)
     {
diff --git a/app/Http/Middleware/Server/AuthenticateAsSubuser.php b/app/Http/Middleware/Server/AuthenticateAsSubuser.php
@@ -47,9 +47,8 @@ public function __construct(DaemonKeyProviderService $keyProviderService, Sessio
      * @param \Closure                 $next
      * @return mixed
      *
-     * @throws \Illuminate\Auth\AuthenticationException
      * @throws \Pterodactyl\Exceptions\Model\DataValidationException
-     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException
      */
     public function handle(Request $request, Closure $next)
     {
diff --git a/app/Http/Requests/Admin/UserFormRequest.php b/app/Http/Requests/Admin/UserFormRequest.php
@@ -19,7 +19,11 @@ class UserFormRequest extends AdminFormRequest
     public function rules()
     {
         if ($this->method() === 'PATCH') {
-            return User::getUpdateRulesForId($this->route()->parameter('user')->id);
+            $rules = User::getUpdateRulesForId($this->route()->parameter('user')->id);
+
+            return array_merge($rules, [
+                'ignore_connection_error' => 'sometimes|nullable|boolean',
+            ]);
         }
 
         return User::getCreateRules();
@@ -30,7 +34,7 @@ public function normalize($only = [])
         if ($this->method === 'PATCH') {
             return array_merge(
                 $this->intersect('password'),
-                $this->only(['email', 'username', 'name_first', 'name_last', 'root_admin'])
+                $this->only(['email', 'username', 'name_first', 'name_last', 'root_admin', 'ignore_connection_error'])
             );
         }
 
diff --git a/app/Repositories/Daemon/ServerRepository.php b/app/Repositories/Daemon/ServerRepository.php
@@ -107,7 +107,13 @@ public function details()
      */
     public function revokeAccessKey($key)
     {
-        Assert::stringNotEmpty($key, 'First argument passed to revokeAccessKey must be a non-empty string, received %s.');
+        if (is_array($key)) {
+            return $this->getHttpClient()->request('POST', 'keys', [
+                'json' => $key,
+            ]);
+        }
+
+        Assert::stringNotEmpty($key, 'First argument passed to revokeAccessKey must be a non-empty string or array, received %s.');
 
         return $this->getHttpClient()->request('DELETE', 'keys/' . $key);
     }
diff --git a/app/Repositories/Eloquent/DaemonKeyRepository.php b/app/Repositories/Eloquent/DaemonKeyRepository.php
@@ -24,8 +24,10 @@
 
 namespace Pterodactyl\Repositories\Eloquent;
 
+use Pterodactyl\Models\User;
 use Webmozart\Assert\Assert;
 use Pterodactyl\Models\DaemonKey;
+use Illuminate\Support\Collection;
 use Pterodactyl\Exceptions\Repository\RecordNotFoundException;
 use Pterodactyl\Contracts\Repository\DaemonKeyRepositoryInterface;
 
@@ -83,4 +85,28 @@ public function getKeyWithServer($key)
 
         return $instance;
     }
+
+    /**
+     * Get all of the keys for a specific user including the information needed
+     * from their server relation for revocation on the daemon.
+     *
+     * @param \Pterodactyl\Models\User $user
+     * @return \Illuminate\Support\Collection
+     */
+    public function getKeysForRevocation(User $user): Collection
+    {
+        return $this->getBuilder()->with('server:id,uuid,node_id')->where('user_id', $user->id)->get($this->getColumns());
+    }
+
+    /**
+     * Delete an array of daemon keys from the database. Used primarily in
+     * conjunction with getKeysForRevocation.
+     *
+     * @param array $ids
+     * @return bool|int
+     */
+    public function deleteKeys(array $ids)
+    {
+        return $this->getBuilder()->whereIn('id', $ids)->delete();
+    }
 }
diff --git a/app/Services/DaemonKeys/RevokeMultipleDaemonKeysService.php b/app/Services/DaemonKeys/RevokeMultipleDaemonKeysService.php
@@ -0,0 +1,91 @@
+<?php
+
+namespace Pterodactyl\Services\DaemonKeys;
+
+use Pterodactyl\Models\User;
+use GuzzleHttp\Exception\RequestException;
+use Pterodactyl\Contracts\Repository\DaemonKeyRepositoryInterface;
+use Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException;
+use Pterodactyl\Contracts\Repository\Daemon\ServerRepositoryInterface as DaemonServerRepository;
+
+class RevokeMultipleDaemonKeysService
+{
+    /**
+     * @var array
+     */
+    protected $exceptions = [];
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\Daemon\ServerRepositoryInterface
+     */
+    private $daemonRepository;
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\DaemonKeyRepositoryInterface
+     */
+    private $repository;
+
+    /**
+     * RevokeMultipleDaemonKeysService constructor.
+     *
+     * @param \Pterodactyl\Contracts\Repository\DaemonKeyRepositoryInterface     $repository
+     * @param \Pterodactyl\Contracts\Repository\Daemon\ServerRepositoryInterface $daemonRepository
+     */
+    public function __construct(
+        DaemonKeyRepositoryInterface $repository,
+        DaemonServerRepository $daemonRepository
+    ) {
+        $this->daemonRepository = $daemonRepository;
+        $this->repository = $repository;
+    }
+
+    /**
+     * Grab all of the keys that exist for a single user and delete them from all
+     * daemon's that they are assigned to. If connection fails, this function will
+     * return an error.
+     *
+     * @param \Pterodactyl\Models\User $user
+     * @param bool                     $ignoreConnectionErrors
+     *
+     * @throws \Pterodactyl\Exceptions\Http\Connection\DaemonConnectionException
+     */
+    public function handle(User $user, bool $ignoreConnectionErrors = false)
+    {
+        $keys = $this->repository->getKeysForRevocation($user);
+
+        $keys->groupBy('server.node_id')->each(function ($group, $node) use ($ignoreConnectionErrors) {
+            try {
+                $this->daemonRepository->setNode($node)->revokeAccessKey(collect($group)->pluck('secret')->toArray());
+            } catch (RequestException $exception) {
+                if (! $ignoreConnectionErrors) {
+                    throw new DaemonConnectionException($exception);
+                }
+
+                $this->setConnectionException($node, $exception);
+            }
+
+            $this->repository->deleteKeys(collect($group)->pluck('id')->toArray());
+        });
+    }
+
+    /**
+     * Returns an array of exceptions that were returned by the handle function.
+     *
+     * @return RequestException[]
+     */
+    public function getExceptions()
+    {
+        return $this->exceptions;
+    }
+
+    /**
+     * Add an exception for a node to the array.
+     *
+     * @param int                                    $node
+     * @param \GuzzleHttp\Exception\RequestException $exception
+     */
+    protected function setConnectionException(int $node, RequestException $exception)
+    {
+        $this->exceptions[$node] = $exception;
+    }
+}
diff --git a/app/Services/Users/UserUpdateService.php b/app/Services/Users/UserUpdateService.php
diff --git a/resources/lang/en/exceptions.php b/resources/lang/en/exceptions.php
diff --git a/resources/themes/pterodactyl/admin/users/view.blade.php b/resources/themes/pterodactyl/admin/users/view.blade.php
diff --git a/tests/Unit/Http/Controllers/Base/AccountControllerTest.php b/tests/Unit/Http/Controllers/Base/AccountControllerTest.php
diff --git a/tests/Unit/Services/DaemonKeys/RevokeMultipleDaemonKeysServiceTest.php b/tests/Unit/Services/DaemonKeys/RevokeMultipleDaemonKeysServiceTest.php
diff --git a/tests/Unit/Services/Users/UserUpdateServiceTest.php b/tests/Unit/Services/Users/UserUpdateServiceTest.php

Original file line number	Diff line number	Diff line change
`@@ -78,8 +78,10 @@ public function details();`
`78`	`78`	`/**`
`79`	`79`	`* Revoke an access key on the daemon before the time is expired.`
`80`	`80`	`*`
`81`		`- * @param string $key`
	`81`	`+ * @param string\|array $key`
`82`	`82`	`* @return \Psr\Http\Message\ResponseInterface`
	`83`	`+ *`
	`84`	`+ * @throws \GuzzleHttp\Exception\RequestException`
`83`	`85`	`*/`
`84`	`86`	`public function revokeAccessKey($key);`
`85`	`87`	`}`
Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,8 @@ class AdminAuthenticate`
`21`	`21`	`* @param \Illuminate\Http\Request $request`
`22`	`22`	`* @param \Closure $next`
`23`	`23`	`* @return mixed`
	`24`	`+ *`
	`25`	`+ * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException`
`24`	`26`	`*/`
`25`	`27`	`public function handle(Request $request, Closure $next)`
`26`	`28`	`{`
Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,8 @@ public function __construct(NodeRepositoryInterface $repository)`
`46`	`46`	`* @param \Illuminate\Http\Request $request`
`47`	`47`	`* @param \Closure $next`
`48`	`48`	`* @return mixed`
	`49`	`+ *`
	`50`	`+ * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException`
`49`	`51`	`*/`
`50`	`52`	`public function handle(Request $request, Closure $next)`
`51`	`53`	`{`
Original file line number	Diff line number	Diff line change
`@@ -47,9 +47,8 @@ public function __construct(DaemonKeyProviderService $keyProviderService, Sessio`
`47`	`47`	`* @param \Closure $next`
`48`	`48`	`* @return mixed`
`49`	`49`	`*`
`50`		`- * @throws \Illuminate\Auth\AuthenticationException`
`51`	`50`	`* @throws \Pterodactyl\Exceptions\Model\DataValidationException`
`52`		`- * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException`
	`51`	`+ * @throws \Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException`
`53`	`52`	`*/`
`54`	`53`	`public function handle(Request $request, Closure $next)`
`55`	`54`	`{`
Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,11 @@ class UserFormRequest extends AdminFormRequest`
`19`	`19`	`public function rules()`
`20`	`20`	`{`
`21`	`21`	`if ($this->method() === 'PATCH') {`
`22`		`- return User::getUpdateRulesForId($this->route()->parameter('user')->id);`
	`22`	`+ $rules = User::getUpdateRulesForId($this->route()->parameter('user')->id);`
	`23`	`+`
	`24`	`+ return array_merge($rules, [`
	`25`	`+ 'ignore_connection_error' => 'sometimes\|nullable\|boolean',`
	`26`	`+ ]);`
`23`	`27`	`}`
`24`	`28`
`25`	`29`	`return User::getCreateRules();`
`@@ -30,7 +34,7 @@ public function normalize($only = [])`
`30`	`34`	`if ($this->method === 'PATCH') {`
`31`	`35`	`return array_merge(`
`32`	`36`	`$this->intersect('password'),`
`33`		`- $this->only(['email', 'username', 'name_first', 'name_last', 'root_admin'])`
	`37`	`+ $this->only(['email', 'username', 'name_first', 'name_last', 'root_admin', 'ignore_connection_error'])`
`34`	`38`	`);`
`35`	`39`	`}`
`36`	`40`