Add server database management support to API.

DaneEveritt · DaneEveritt · commit de07b3cc7fb5 · 2018-01-25T22:34:53.000-06:00
diff --git a/app/Exceptions/DisplayException.php b/app/Exceptions/DisplayException.php
@@ -46,6 +46,14 @@ public function getErrorLevel()
         return $this->level;
     }
 
+    /**
+     * @return int
+     */
+    public function getStatusCode()
+    {
+        return Response::HTTP_BAD_REQUEST;
+    }
+
     /**
      * Render the exception to the user by adding a flashed message to the session
      * and then redirecting them back to the page that they came from. If the
diff --git a/app/Extensions/Spatie/Fractalistic/Fractal.php b/app/Extensions/Spatie/Fractalistic/Fractal.php
@@ -3,8 +3,8 @@
 namespace Pterodactyl\Extensions\Spatie\Fractalistic;
 
 use League\Fractal\TransformerAbstract;
+use Spatie\Fractal\Fractal as SpatieFractal;
 use League\Fractal\Serializer\JsonApiSerializer;
-use Spatie\Fractalistic\Fractal as SpatieFractal;
 use Illuminate\Contracts\Pagination\LengthAwarePaginator;
 use League\Fractal\Pagination\IlluminatePaginatorAdapter;
 
diff --git a/app/Http/Controllers/Api/Application/Servers/DatabaseController.php b/app/Http/Controllers/Api/Application/Servers/DatabaseController.php
@@ -2,13 +2,32 @@
 
 namespace Pterodactyl\Http\Controllers\Api\Application\Servers;
 
+use Illuminate\Http\Response;
 use Pterodactyl\Models\Server;
+use Pterodactyl\Models\Database;
+use Illuminate\Http\JsonResponse;
+use Pterodactyl\Services\Databases\DatabasePasswordService;
+use Pterodactyl\Services\Databases\DatabaseManagementService;
 use Pterodactyl\Contracts\Repository\DatabaseRepositoryInterface;
 use Pterodactyl\Transformers\Api\Application\ServerDatabaseTransformer;
 use Pterodactyl\Http\Controllers\Api\Application\ApplicationApiController;
+use Pterodactyl\Http\Requests\Api\Application\Servers\Databases\GetServerDatabaseRequest;
+use Pterodactyl\Http\Requests\Api\Application\Servers\Databases\GetServerDatabasesRequest;
+use Pterodactyl\Http\Requests\Api\Application\Servers\Databases\ServerDatabaseWriteRequest;
+use Pterodactyl\Http\Requests\Api\Application\Servers\Databases\StoreServerDatabaseRequest;
 
 class DatabaseController extends ApplicationApiController
 {
+    /**
+     * @var \Pterodactyl\Services\Databases\DatabaseManagementService
+     */
+    private $databaseManagementService;
+
+    /**
+     * @var \Pterodactyl\Services\Databases\DatabasePasswordService
+     */
+    private $databasePasswordService;
+
     /**
      * @var \Pterodactyl\Contracts\Repository\DatabaseRepositoryInterface
      */
@@ -17,28 +36,105 @@ class DatabaseController extends ApplicationApiController
     /**
      * DatabaseController constructor.
      *
+     * @param \Pterodactyl\Services\Databases\DatabaseManagementService     $databaseManagementService
+     * @param \Pterodactyl\Services\Databases\DatabasePasswordService       $databasePasswordService
      * @param \Pterodactyl\Contracts\Repository\DatabaseRepositoryInterface $repository
      */
-    public function __construct(DatabaseRepositoryInterface $repository)
-    {
+    public function __construct(
+        DatabaseManagementService $databaseManagementService,
+        DatabasePasswordService $databasePasswordService,
+        DatabaseRepositoryInterface $repository
+    ) {
         parent::__construct();
 
+        $this->databaseManagementService = $databaseManagementService;
+        $this->databasePasswordService = $databasePasswordService;
         $this->repository = $repository;
     }
 
     /**
      * Return a listing of all databases currently available to a single
      * server.
      *
-     * @param \Pterodactyl\Models\Server $server
+     * @param \Pterodactyl\Http\Requests\Api\Application\Servers\Databases\GetServerDatabasesRequest $request
+     * @param \Pterodactyl\Models\Server                                                             $server
      * @return array
      */
-    public function index(Server $server): array
+    public function index(GetServerDatabasesRequest $request, Server $server): array
     {
         $databases = $this->repository->getDatabasesForServer($server->id);
 
         return $this->fractal->collection($databases)
             ->transformWith($this->getTransformer(ServerDatabaseTransformer::class))
             ->toArray();
     }
+
+    /**
+     * Return a single server database.
+     *
+     * @param \Pterodactyl\Http\Requests\Api\Application\Servers\Databases\GetServerDatabaseRequest $request
+     * @param \Pterodactyl\Models\Server                                                            $server
+     * @param \Pterodactyl\Models\Database                                                          $database
+     * @return array
+     */
+    public function view(GetServerDatabaseRequest $request, Server $server, Database $database): array
+    {
+        return $this->fractal->item($database)
+            ->transformWith($this->getTransformer(ServerDatabaseTransformer::class))
+            ->toArray();
+    }
+
+    /**
+     * Reset the password for a specific server database.
+     *
+     * @param \Pterodactyl\Models\Server   $server
+     * @param \Pterodactyl\Models\Database $database
+     * @return \Illuminate\Http\Response
+     *
+     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
+     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     */
+    public function resetPassword(ServerDatabaseWriteRequest $request, Server $server, Database $database): Response
+    {
+        $this->databasePasswordService->handle($database, str_random(24));
+
+        return response('', 204);
+    }
+
+    /**
+     * Create a new database on the Panel for a given server.
+     *
+     * @param \Pterodactyl\Http\Requests\Api\Application\Servers\Databases\StoreServerDatabaseRequest $request
+     * @param \Pterodactyl\Models\Server                                                              $server
+     * @return \Illuminate\Http\JsonResponse
+     *
+     * @throws \Exception
+     * @throws \Pterodactyl\Exceptions\DisplayException
+     * @throws \Pterodactyl\Exceptions\Model\DataValidationException
+     */
+    public function store(StoreServerDatabaseRequest $request, Server $server): JsonResponse
+    {
+        $database = $this->databaseManagementService->create($server->id, $request->validated());
+
+        return $this->fractal->item($database)
+            ->transformWith($this->getTransformer(ServerDatabaseTransformer::class))
+            ->respond(201);
+    }
+
+    /**
+     * Delete a specific database from the Panel.
+     *
+     * @param \Pterodactyl\Http\Requests\Api\Application\Servers\Databases\ServerDatabaseWriteRequest $request
+     * @param \Pterodactyl\Models\Server                                                              $server
+     * @param \Pterodactyl\Models\Database                                                            $database
+     * @return \Illuminate\Http\Response
+     *
+     * @throws \Pterodactyl\Exceptions\Repository\RecordNotFoundException
+     */
+    public function delete(ServerDatabaseWriteRequest $request, Server $server, Database $database): Response
+    {
+        $this->databaseManagementService->delete($database->id);
+
+        return response('', 204);
+    }
 }
diff --git a/app/Http/Middleware/Api/ApiSubstituteBindings.php b/app/Http/Middleware/Api/ApiSubstituteBindings.php
@@ -3,11 +3,8 @@
 namespace Pterodactyl\Http\Middleware\Api;
 
 use Closure;
-use ReflectionMethod;
-use Illuminate\Container\Container;
-use Illuminate\Routing\ImplicitRouteBinding;
-use Illuminate\Contracts\Routing\UrlRoutable;
 use Illuminate\Routing\Middleware\SubstituteBindings;
+use Illuminate\Database\Eloquent\ModelNotFoundException;
 
 class ApiSubstituteBindings extends SubstituteBindings
 {
@@ -24,47 +21,18 @@ public function handle($request, Closure $next)
         $route = $request->route();
 
         $this->router->substituteBindings($route);
-        $this->resolveForRoute($route);
 
-        return $next($request);
-    }
-
-    /**
-     * Resolve the implicit route bindings for the given route. This function
-     * overrides Laravel's default inn \Illuminate\Routing\ImplictRouteBinding
-     * to not throw a 404 error when a model is not found.
-     *
-     * If a model is not found using the provided information, the binding is
-     * replaced with null which is then checked in the form requests on API
-     * routes. This avoids a potential imformation leak on API routes for
-     * unauthenticated users.
-     *
-     * @param \Illuminate\Routing\Route $route
-     */
-    protected function resolveForRoute($route)
-    {
-        $parameters = $route->parameters();
-
-        // Avoid having to copy and paste the entirety of that class into this middleware
-        // by using reflection to access a protected method.
-        $reflection = new ReflectionMethod(ImplicitRouteBinding::class, 'getParameterName');
-        $reflection->setAccessible(true);
-
-        foreach ($route->signatureParameters(UrlRoutable::class) as $parameter) {
-            if (! $parameterName = $reflection->invokeArgs(null, [$parameter->name, $parameters])) {
-                continue;
-            }
-
-            $parameterValue = $parameters[$parameterName];
-
-            if ($parameterValue instanceof UrlRoutable) {
-                continue;
-            }
-
-            // Try to find an existing model, if one is not found simply bind the
-            // parameter as null.
-            $instance = Container::getInstance()->make($parameter->getClass()->name);
-            $route->setParameter($parameterName, $instance->resolveRouteBinding($parameterValue));
+        // Attempt to resolve bindings for this route. If one of the models
+        // cannot be resolved do not immediately return a 404 error. Set a request
+        // attribute that can be checked in the base API request class to only
+        // trigger a 404 after validating that the API key making the request is valid
+        // and even has permission to access the requested resource.
+        try {
+            $this->router->substituteImplicitBindings($route);
+        } catch (ModelNotFoundException $exception) {
+            $request->attributes->set('is_missing_model', true);
         }
+
+        return $next($request);
     }
 }
diff --git a/app/Http/Requests/Api/Application/ApplicationApiRequest.php b/app/Http/Requests/Api/Application/ApplicationApiRequest.php
@@ -73,26 +73,32 @@ public function key(): ApiKey
         return $this->attributes->get('api_key');
     }
 
-    /**
+    /*
      * Determine if the request passes the authorization check as well
      * as the exists check.
      *
      * @return bool
      *
      * @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException
      */
+
+    /**
+     * @return bool
+     */
     protected function passesAuthorization()
     {
-        $passes = parent::passesAuthorization();
+        if (! parent::passesAuthorization()) {
+            return false;
+        }
 
         // Only let the user know that a resource does not exist if they are
         // authenticated to access the endpoint. This avoids exposing that
         // an item exists (or does not exist) to the user until they can prove
         // that they have permission to know about it.
-        if ($passes && ! $this->resourceExists()) {
+        if ($this->attributes->get('is_missing_model', false) || ! $this->resourceExists()) {
             throw new NotFoundHttpException('The requested resource does not exist on this server.');
         }
 
-        return $passes;
+        return true;
     }
 }
diff --git a/app/Http/Requests/Api/Application/Servers/Databases/GetServerDatabaseRequest.php b/app/Http/Requests/Api/Application/Servers/Databases/GetServerDatabaseRequest.php
@@ -0,0 +1,32 @@
+<?php
+
+namespace Pterodactyl\Http\Requests\Api\Application\Servers\Databases;
+
+use Pterodactyl\Services\Acl\Api\AdminAcl;
+use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
+
+class GetServerDatabaseRequest extends ApplicationApiRequest
+{
+    /**
+     * @var string
+     */
+    protected $resource = AdminAcl::RESOURCE_SERVER_DATABASES;
+
+    /**
+     * @var int
+     */
+    protected $permission = AdminAcl::READ;
+
+    /**
+     * Determine if the requested server database exists.
+     *
+     * @return bool
+     */
+    public function resourceExists(): bool
+    {
+        $server = $this->route()->parameter('server');
+        $database = $this->route()->parameter('database');
+
+        return $database->server_id === $server->id;
+    }
+}
diff --git a/app/Http/Requests/Api/Application/Servers/Databases/GetServerDatabasesRequest.php b/app/Http/Requests/Api/Application/Servers/Databases/GetServerDatabasesRequest.php
@@ -0,0 +1,19 @@
+<?php
+
+namespace Pterodactyl\Http\Requests\Api\Application\Servers\Databases;
+
+use Pterodactyl\Services\Acl\Api\AdminAcl;
+use Pterodactyl\Http\Requests\Api\Application\ApplicationApiRequest;
+
+class GetServerDatabasesRequest extends ApplicationApiRequest
+{
+    /**
+     * @var string
+     */
+    protected $resource = AdminAcl::RESOURCE_SERVER_DATABASES;
+
+    /**
+     * @var int
+     */
+    protected $permission = AdminAcl::READ;
+}
diff --git a/app/Http/Requests/Api/Application/Servers/Databases/ServerDatabaseWriteRequest.php b/app/Http/Requests/Api/Application/Servers/Databases/ServerDatabaseWriteRequest.php
@@ -0,0 +1,13 @@
+<?php
+
+namespace Pterodactyl\Http\Requests\Api\Application\Servers\Databases;
+
+use Pterodactyl\Services\Acl\Api\AdminAcl;
+
+class ServerDatabaseWriteRequest extends GetServerDatabasesRequest
+{
+    /**
+     * @var int
+     */
+    protected $permission = AdminAcl::WRITE;
+}
diff --git a/app/Http/Requests/Api/Application/Servers/Databases/StoreServerDatabaseRequest.php b/app/Http/Requests/Api/Application/Servers/Databases/StoreServerDatabaseRequest.php
diff --git a/routes/api-application.php b/routes/api-application.php

Original file line number	Diff line number	Diff line change
`@@ -73,26 +73,32 @@ public function key(): ApiKey`
`73`	`73`	`return $this->attributes->get('api_key');`
`74`	`74`	`}`
`75`	`75`
`76`		`- /**`
	`76`	`+ /*`
`77`	`77`	`* Determine if the request passes the authorization check as well`
`78`	`78`	`* as the exists check.`
`79`	`79`	`*`
`80`	`80`	`* @return bool`
`81`	`81`	`*`
`82`	`82`	`* @throws \Symfony\Component\HttpKernel\Exception\NotFoundHttpException`
`83`	`83`	`*/`
	`84`	`+`
	`85`	`+ /**`
	`86`	`+ * @return bool`
	`87`	`+ */`
`84`	`88`	`protected function passesAuthorization()`
`85`	`89`	`{`
`86`		`- $passes = parent::passesAuthorization();`
	`90`	`+ if (! parent::passesAuthorization()) {`
	`91`	`+ return false;`
	`92`	`+ }`
`87`	`93`
`88`	`94`	`// Only let the user know that a resource does not exist if they are`
`89`	`95`	`// authenticated to access the endpoint. This avoids exposing that`
`90`	`96`	`// an item exists (or does not exist) to the user until they can prove`
`91`	`97`	`// that they have permission to know about it.`
`92`		`- if ($passes && ! $this->resourceExists()) {`
	`98`	`+ if ($this->attributes->get('is_missing_model', false) \|\| ! $this->resourceExists()) {`
`93`	`99`	`throw new NotFoundHttpException('The requested resource does not exist on this server.');`
`94`	`100`	`}`
`95`	`101`
`96`		`- return $passes;`
	`102`	`+ return true;`
`97`	`103`	`}`
`98`	`104`	`}`