Implement application API Keys

Author: DaneEveritt

app/Contracts/Repository/ApiKeyRepositoryInterface.php

@@ -15,6 +15,14 @@ interface ApiKeyRepositoryInterface extends RepositoryInterface
      */
     public function getAccountKeys(User $user): Collection;
 
+    /**
+     * Get all of the application API keys that exist for a specific user.
+     *
+     * @param \Pterodactyl\Models\User $user
+     * @return \Illuminate\Support\Collection
+     */
+    public function getApplicationKeys(User $user): Collection;
+
     /**
      * Delete an account API key from the panel for a specific user.
      *
@@ -23,4 +31,13 @@ public function getAccountKeys(User $user): Collection;
      * @return int
      */
     public function deleteAccountKey(User $user, string $identifier): int;
+
+    /**
+     * Delete an application API key from the panel for a specific user.
+     *
+     * @param \Pterodactyl\Models\User $user
+     * @param string                   $identifier
+     * @return int
+     */
+    public function deleteApplicationKey(User $user, string $identifier): int;
 }

app/Http/Controllers/Admin/ApplicationApiController.php

@@ -0,0 +1,117 @@
+<?php
+
+namespace Pterodactyl\Http\Controllers\Admin;
+
+use Illuminate\View\View;
+use Illuminate\Http\Request;
+use Illuminate\Http\Response;
+use Pterodactyl\Models\ApiKey;
+use Illuminate\Http\RedirectResponse;
+use Prologue\Alerts\AlertsMessageBag;
+use Pterodactyl\Services\Acl\Api\AdminAcl;
+use Pterodactyl\Http\Controllers\Controller;
+use Pterodactyl\Services\Api\KeyCreationService;
+use Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface;
+use Pterodactyl\Http\Requests\Admin\Api\StoreApplicationApiKeyRequest;
+
+class ApplicationApiController extends Controller
+{
+    /**
+     * @var \Prologue\Alerts\AlertsMessageBag
+     */
+    private $alert;
+
+    /**
+     * @var \Pterodactyl\Services\Api\KeyCreationService
+     */
+    private $keyCreationService;
+
+    /**
+     * @var \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface
+     */
+    private $repository;
+
+    /**
+     * ApplicationApiController constructor.
+     *
+     * @param \Prologue\Alerts\AlertsMessageBag                           $alert
+     * @param \Pterodactyl\Contracts\Repository\ApiKeyRepositoryInterface $repository
+     * @param \Pterodactyl\Services\Api\KeyCreationService                $keyCreationService
+     */
+    public function __construct(
+        AlertsMessageBag $alert,
+        ApiKeyRepositoryInterface $repository,
+        KeyCreationService $keyCreationService
+    ) {
+        $this->alert = $alert;
+        $this->keyCreationService = $keyCreationService;
+        $this->repository = $repository;
+    }
+
+    /**
+     * Render view showing all of a user's application API keys.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @return \Illuminate\View\View
+     */
+    public function index(Request $request): View
+    {
+        return view('admin.api.index', [
+            'keys' => $this->repository->getApplicationKeys($request->user()),
+        ]);
+    }
+
+    /**
+     * Render view allowing an admin to create a new application API key.
+     *
+     * @return \Illuminate\View\View
+     */
+    public function create(): View
+    {
+        $resources = AdminAcl::getResourceList();
+        sort($resources);
+
+        return view('admin.api.new', [
+            'resources' => $resources,
+            'permissions' => [
+                'r' => AdminAcl::READ,
+                'rw' => AdminAcl::READ | AdminAcl::WRITE,
+                'n' => AdminAcl::NONE,
+            ],
+        ]);
+    }
+
+    /**
+     * Store the new key and redirect the user back to the application key listing.
+     *
+     * @param \Pterodactyl\Http\Requests\Admin\Api\StoreApplicationApiKeyRequest $request
+     * @return \Illuminate\Http\RedirectResponse
+     *
+     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
+     */
+    public function store(StoreApplicationApiKeyRequest $request): RedirectResponse
+    {
+        $this->keyCreationService->setKeyType(ApiKey::TYPE_APPLICATION)->handle([
+            'memo' => $request->input('memo'),
+            'user_id' => $request->user()->id,
+        ], $request->getKeyPermissions());
+
+        $this->alert->success('A new application API key has been generated for your account.')->flash();
+
+        return redirect()->route('admin.api.index');
+    }
+
+    /**
+     * Delete an application API key from the database.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param string                   $identifier
+     * @return \Illuminate\Http\Response
+     */
+    public function delete(Request $request, string $identifier): Response
+    {
+        $this->repository->deleteApplicationKey($request->user(), $identifier);
+
+        return response('', 204);
+    }
+}

app/Http/Kernel.php

@@ -21,6 +21,7 @@
 use Illuminate\Auth\Middleware\AuthenticateWithBasicAuth;
 use Pterodactyl\Http\Middleware\Api\Admin\AuthenticateKey;
 use Illuminate\Foundation\Http\Middleware\ValidatePostSize;
+use Pterodactyl\Http\Middleware\Api\Admin\AuthenticateUser;
 use Pterodactyl\Http\Middleware\Api\Admin\SetSessionDriver;
 use Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse;
 use Pterodactyl\Http\Middleware\Server\AuthenticateAsSubuser;
@@ -66,10 +67,11 @@ class Kernel extends HttpKernel
             RequireTwoFactorAuthentication::class,
         ],
         'api' => [
-            'throttle:60,1',
+            'throttle:120,1',
             SubstituteBindings::class,
             SetSessionDriver::class,
             AuthenticateKey::class,
+            AuthenticateUser::class,
             AuthenticateIPAccess::class,
         ],
         'daemon' => [

app/Http/Middleware/Api/Admin/AuthenticateUser.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace Pterodactyl\Http\Middleware\Api\Admin;
+
+use Closure;
+use Illuminate\Http\Request;
+use Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException;
+
+class AuthenticateUser
+{
+    /**
+     * Authenticate that the currently authenticated user is an administrator
+     * and should be allowed to proceede through the application API.
+     *
+     * @param \Illuminate\Http\Request $request
+     * @param \Closure                 $next
+     * @return mixed
+     */
+    public function handle(Request $request, Closure $next)
+    {
+        if (is_null($request->user()) || ! $request->user()->root_admin) {
+            throw new AccessDeniedHttpException;
+        }
+
+        return $next($request);
+    }
+}

app/Http/Requests/Admin/Api/StoreApplicationApiKeyRequest.php

@@ -0,0 +1,39 @@
+<?php
+
+namespace Pterodactyl\Http\Requests\Admin\Api;
+
+use Pterodactyl\Models\ApiKey;
+use Pterodactyl\Services\Acl\Api\AdminAcl;
+use Pterodactyl\Http\Requests\Admin\AdminFormRequest;
+
+class StoreApplicationApiKeyRequest extends AdminFormRequest
+{
+    /**
+     * @return array
+     */
+    public function rules()
+    {
+        $modelRules = ApiKey::getCreateRules();
+
+        return collect(AdminAcl::getResourceList())->mapWithKeys(function ($resource) use ($modelRules) {
+            return [AdminAcl::COLUMN_IDENTIFER . $resource => $modelRules['r_' . $resource]];
+        })->merge(['memo' => $modelRules['memo']])->toArray();
+    }
+
+    /**
+     * @return array
+     */
+    public function attributes()
+    {
+        return [
+            'memo' => 'Description',
+        ];
+    }
+
+    public function getKeyPermissions(): array
+    {
+        return collect($this->validated())->filter(function ($value, $key) {
+            return substr($key, 0, strlen(AdminAcl::COLUMN_IDENTIFER)) === AdminAcl::COLUMN_IDENTIFER;
+        })->toArray();
+    }
+}

app/Repositories/Eloquent/ApiKeyRepository.php

@@ -32,6 +32,19 @@ public function getAccountKeys(User $user): Collection
             ->get($this->getColumns());
     }
 
+    /**
+     * Get all of the application API keys that exist for a specific user.
+     *
+     * @param \Pterodactyl\Models\User $user
+     * @return \Illuminate\Support\Collection
+     */
+    public function getApplicationKeys(User $user): Collection
+    {
+        return $this->getBuilder()->where('user_id', $user->id)
+            ->where('key_type', ApiKey::TYPE_APPLICATION)
+            ->get($this->getColumns());
+    }
+
     /**
      * Delete an account API key from the panel for a specific user.
      *
@@ -46,4 +59,19 @@ public function deleteAccountKey(User $user, string $identifier): int
             ->where('identifier', $identifier)
             ->delete();
     }
+
+    /**
+     * Delete an application API key from the panel for a specific user.
+     *
+     * @param \Pterodactyl\Models\User $user
+     * @param string                   $identifier
+     * @return int
+     */
+    public function deleteApplicationKey(User $user, string $identifier): int
+    {
+        return $this->getBuilder()->where('user_id', $user->id)
+            ->where('key_type', ApiKey::TYPE_APPLICATION)
+            ->where('identifier', $identifier)
+            ->delete();
+    }
 }

app/Services/Acl/Api/AdminAcl.php

@@ -2,6 +2,7 @@
 
 namespace Pterodactyl\Services\Acl\Api;
 
+use ReflectionClass;
 use Pterodactyl\Models\ApiKey;
 
 class AdminAcl
@@ -22,7 +23,7 @@ class AdminAcl
 
     /**
      * Resources that are available on the API and can contain a permissions
-     * set for each key. These are stored in the database as permission_{resource}.
+     * set for each key. These are stored in the database as r_{resource}.
      */
     const RESOURCE_SERVERS = 'servers';
     const RESOURCE_NODES = 'nodes';
@@ -63,4 +64,18 @@ public static function check(ApiKey $key, string $resource, int $action = self::
     {
         return self::can(data_get($key, self::COLUMN_IDENTIFER . $resource, self::NONE), $action);
     }
+
+    /**
+     * Return a list of all resource constants defined in this ACL.
+     *
+     * @return array
+     */
+    public static function getResourceList(): array
+    {
+        $reflect = new ReflectionClass(__CLASS__);
+
+        return collect($reflect->getConstants())->filter(function ($value, $key) {
+            return substr($key, 0, 9) === 'RESOURCE_';
+        })->values()->toArray();
+    }
 }

database/migrations/2018_01_13_145209_AddLastUsedAtColumn.php

@@ -17,6 +17,12 @@ public function up()
             $table->unsignedTinyInteger('key_type')->after('user_id')->default(0);
             $table->timestamp('last_used_at')->after('memo')->nullable();
             $table->dropColumn('expires_at');
+
+            $table->dropForeign(['user_id']);
+        });
+
+        Schema::table('api_keys', function (Blueprint $table) {
+            $table->foreign('user_id')->references('id')->on('users')->onDelete('cascade');
         });
     }
 
@@ -30,6 +36,11 @@ public function down()
         Schema::table('api_keys', function (Blueprint $table) {
             $table->timestamp('expires_at')->after('memo')->nullable();
             $table->dropColumn('last_used_at', 'key_type');
+            $table->dropForeign(['user_id']);
+        });
+
+        Schema::table('api_keys', function (Blueprint $table) {
+            $table->foreign('user_id')->references('id')->on('users');
         });
     }
 }