Add permissions checking to API middleware list

DaneEveritt · DaneEveritt · commit bf9708fe4fac · 2017-11-19T15:23:37.000-06:00
diff --git a/app/Contracts/Repository/ApiKeyRepositoryInterface.php b/app/Contracts/Repository/ApiKeyRepositoryInterface.php
@@ -9,6 +9,16 @@
 
 namespace Pterodactyl\Contracts\Repository;
 
+use Pterodactyl\Models\APIKey;
+
 interface ApiKeyRepositoryInterface extends RepositoryInterface
 {
+    /**
+     * Load permissions for a key onto the model.
+     *
+     * @param \Pterodactyl\Models\APIKey $model
+     * @param bool                       $refresh
+     * @return \Pterodactyl\Models\APIKey
+     */
+    public function loadPermissions(APIKey $model, bool $refresh = false): APIKey;
 }
diff --git a/app/Http/Kernel.php b/app/Http/Kernel.php
@@ -24,6 +24,7 @@
 use Pterodactyl\Http\Middleware\API\AuthenticateIPAccess;
 use Pterodactyl\Http\Middleware\Daemon\DaemonAuthenticate;
 use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
+use Pterodactyl\Http\Middleware\API\HasPermissionToResource;
 use Pterodactyl\Http\Middleware\Server\AuthenticateAsSubuser;
 use Pterodactyl\Http\Middleware\Server\SubuserBelongsToServer;
 use Pterodactyl\Http\Middleware\RequireTwoFactorAuthentication;
@@ -95,6 +96,9 @@ class Kernel extends HttpKernel
         'bindings' => SubstituteBindings::class,
         'recaptcha' => VerifyReCaptcha::class,
 
+        // API specific middleware.
+        'api..user_level' => HasPermissionToResource::class,
+
         // Server specific middleware (used for authenticating access to resources)
         //
         // These are only used for individual server authentication, and not gloabl
diff --git a/app/Http/Middleware/API/HasPermissionToResource.php b/app/Http/Middleware/API/HasPermissionToResource.php
@@ -0,0 +1,58 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware\API;
+
+use Closure;
+use Illuminate\Http\Request;
+use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
+use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+class HasPermissionToResource
+{
+    /**
+     * @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface
+     */
+    private $repository;
+
+    /**
+     * HasPermissionToResource constructor.
+     *
+     * @param \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface $repository
+     */
+    public function __construct(ApiKeyRepositoryInterface $repository)
+    {
+        $this->repository = $repository;
+    }
+
+    /**
+     * Determine if an API key has permission to access the given route.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure                 $next
+     * @param string                   $role
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next, string $role = 'admin')
+    {
+        /** @var \Pterodactyl\Models\APIKey $model */
+        $model = $request->attributes->get('api_key');
+
+        if ($role === 'admin' && ! $request->user()->root_admin) {
+            throw new NotFoundHttpException;
+        }
+
+        $this->repository->loadPermissions($model);
+        $routeKey = str_replace(['api.', 'admin.'], '', $request->route()->getName());
+
+        $count = $model->getRelation('permissions')->filter(function ($permission) use ($routeKey) {
+            return $routeKey === str_replace('-', '.', $permission->permission);
+        })->count();
+
+        if ($count === 1) {
+            return $next($request);
+        }
+
+        throw new AccessDeniedHttpException('Cannot access resource without required `' . $routeKey . '` permission.');
+    }
+}
diff --git a/app/Http/Middleware/HMACAuthorization.php b/app/Http/Middleware/HMACAuthorization.php
diff --git a/app/Providers/RouteServiceProvider.php b/app/Providers/RouteServiceProvider.php
@@ -49,7 +49,7 @@ public function map()
              ->namespace($this->namespace . '\Server')
              ->group(base_path('routes/server.php'));
 
-        Route::middleware(['api'])->prefix('/api/admin')
+        Route::middleware(['api', 'api..user_level:admin'])->prefix('/api/admin')
             ->namespace($this->namespace . '\API\Admin')
             ->group(base_path('routes/api-admin.php'));
 
diff --git a/app/Repositories/Eloquent/ApiKeyRepository.php b/app/Repositories/Eloquent/ApiKeyRepository.php
@@ -21,4 +21,20 @@ public function model()
     {
         return APIKey::class;
     }
+
+    /**
+     * Load permissions for a key onto the model.
+     *
+     * @param \Pterodactyl\Models\APIKey $model
+     * @param bool                       $refresh
+     * @return \Pterodactyl\Models\APIKey
+     */
+    public function loadPermissions(APIKey $model, bool $refresh = false): APIKey
+    {
+        if (! $model->relationLoaded('permissions') || $refresh) {
+            $model->load('permissions');
+        }
+
+        return $model;
+    }
 }
diff --git a/database/factories/ModelFactory.php b/database/factories/ModelFactory.php
@@ -232,3 +232,11 @@
         'updated_at' => \Carbon\Carbon::now()->toDateTimeString(),
     ];
 });
+
+$factory->define(Pterodactyl\Models\APIPermission::class, function (Faker\Generator $faker) {
+    return [
+        'id' => $faker->unique()->randomNumber(),
+        'key_id' => $faker->randomNumber(),
+        'permission' => mb_strtolower($faker->word),
+    ];
+});
diff --git a/tests/Unit/Http/Middleware/API/HasPermissionToResourceTest.php b/tests/Unit/Http/Middleware/API/HasPermissionToResourceTest.php
