2019-04-07 23:28:01 +00:00
|
|
|
package main
|
|
|
|
|
|
|
|
import (
|
2019-09-09 00:40:06 +00:00
|
|
|
"encoding/json"
|
2019-04-20 21:57:37 +00:00
|
|
|
"errors"
|
2019-09-25 04:21:59 +00:00
|
|
|
"github.com/gbrlsnchs/jwt/v3"
|
2019-04-20 21:57:37 +00:00
|
|
|
"github.com/gorilla/websocket"
|
2019-04-20 06:29:52 +00:00
|
|
|
"github.com/julienschmidt/httprouter"
|
2019-09-09 00:40:06 +00:00
|
|
|
"github.com/pterodactyl/wings/config"
|
2019-04-20 21:57:37 +00:00
|
|
|
"github.com/pterodactyl/wings/server"
|
2019-04-07 23:28:01 +00:00
|
|
|
"go.uber.org/zap"
|
2019-04-20 06:29:52 +00:00
|
|
|
"net/http"
|
2019-04-20 21:57:37 +00:00
|
|
|
"os"
|
2019-04-20 18:59:28 +00:00
|
|
|
"strings"
|
2019-04-21 00:38:12 +00:00
|
|
|
"sync"
|
2019-09-25 04:21:59 +00:00
|
|
|
"time"
|
2019-04-07 23:28:01 +00:00
|
|
|
)
|
|
|
|
|
2019-04-21 19:02:28 +00:00
|
|
|
const (
|
|
|
|
SetStateEvent = "set state"
|
|
|
|
SendServerLogsEvent = "send logs"
|
|
|
|
SendCommandEvent = "send command"
|
|
|
|
)
|
|
|
|
|
2019-04-20 06:29:52 +00:00
|
|
|
type WebsocketMessage struct {
|
2019-04-20 18:59:28 +00:00
|
|
|
// The event to perform. Should be one of the following that are supported:
|
2019-04-20 06:29:52 +00:00
|
|
|
//
|
|
|
|
// - status : Returns the server's power state.
|
|
|
|
// - logs : Returns the server log data at the time of the request.
|
|
|
|
// - power : Performs a power action aganist the server based the data.
|
|
|
|
// - command : Performs a command on a server using the data field.
|
2019-04-20 18:59:28 +00:00
|
|
|
Event string `json:"event"`
|
2019-04-07 23:28:01 +00:00
|
|
|
|
2019-04-20 06:29:52 +00:00
|
|
|
// The data to pass along, only used by power/command currently. Other requests
|
2019-04-20 18:59:28 +00:00
|
|
|
// should either omit the field or pass an empty value as it is ignored.
|
|
|
|
Args []string `json:"args,omitempty"`
|
2019-04-20 21:57:37 +00:00
|
|
|
|
2019-09-25 04:21:59 +00:00
|
|
|
// The authentication JWT passed along with every call to the websocket that
|
|
|
|
// should be used to validate the user's authenticity and ability to perform
|
|
|
|
// whatever action they're doing.
|
|
|
|
Token string `json:"token,omitempty"`
|
|
|
|
|
|
|
|
// Is set to true when the request is originating from outside of the Daemon,
|
|
|
|
// otherwise set to false for outbound.
|
2019-04-20 21:57:37 +00:00
|
|
|
inbound bool
|
2019-04-20 06:29:52 +00:00
|
|
|
}
|
|
|
|
|
2019-04-21 00:38:12 +00:00
|
|
|
type WebsocketHandler struct {
|
|
|
|
Server *server.Server
|
|
|
|
Mutex sync.Mutex
|
|
|
|
Connection *websocket.Conn
|
2019-09-25 04:21:59 +00:00
|
|
|
JWT *WebsocketTokenPayload
|
2019-04-21 00:38:12 +00:00
|
|
|
}
|
|
|
|
|
2019-09-25 04:21:59 +00:00
|
|
|
type WebsocketTokenPayload struct {
|
|
|
|
jwt.Payload
|
|
|
|
UserID json.Number `json:"user_id"`
|
|
|
|
ServerUUID string `json:"server_uuid"`
|
|
|
|
Permissions []string `json:"permissions"`
|
2019-09-09 00:40:06 +00:00
|
|
|
}
|
|
|
|
|
2019-09-25 04:21:59 +00:00
|
|
|
const (
|
|
|
|
PermissionConnect = "connect"
|
|
|
|
PermissionSendCommand = "send-command"
|
|
|
|
PermissionSendPower = "send-power"
|
|
|
|
)
|
2019-09-09 00:40:06 +00:00
|
|
|
|
2019-09-25 04:21:59 +00:00
|
|
|
// Checks if the given token payload has a permission string.
|
|
|
|
func (wtp *WebsocketTokenPayload) HasPermission(permission string) bool {
|
|
|
|
for _, k := range wtp.Permissions {
|
|
|
|
if k == permission {
|
|
|
|
return true
|
2019-09-09 00:40:06 +00:00
|
|
|
}
|
2019-09-25 04:21:59 +00:00
|
|
|
}
|
2019-09-09 00:40:06 +00:00
|
|
|
|
2019-09-25 04:21:59 +00:00
|
|
|
return false
|
|
|
|
}
|
2019-09-09 00:40:06 +00:00
|
|
|
|
2019-09-25 04:21:59 +00:00
|
|
|
var alg *jwt.HMACSHA
|
|
|
|
|
|
|
|
// Validates the provided JWT against the known secret for the Daemon and returns the
|
|
|
|
// parsed data.
|
|
|
|
//
|
|
|
|
// This function DOES NOT validate that the token is valid for the connected server, nor
|
|
|
|
// does it ensure that the user providing the token is able to actually do things.
|
|
|
|
func ParseJWT(token []byte) (*WebsocketTokenPayload, error) {
|
|
|
|
var payload WebsocketTokenPayload
|
|
|
|
if alg == nil {
|
|
|
|
alg = jwt.NewHS256([]byte(config.Get().AuthenticationToken))
|
|
|
|
}
|
2019-09-09 00:40:06 +00:00
|
|
|
|
2019-09-25 04:21:59 +00:00
|
|
|
_, err := jwt.Verify(token, alg, &payload)
|
|
|
|
if err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
2019-09-09 00:40:06 +00:00
|
|
|
|
2019-09-25 04:21:59 +00:00
|
|
|
// Check the time of the JWT becoming valid does not exceed more than 15 seconds
|
|
|
|
// compared to the system time. This accounts for clock drift to some degree.
|
|
|
|
if time.Now().Unix() - payload.NotBefore.Unix() <= -15 {
|
|
|
|
return nil, errors.New("jwt violates nbf")
|
|
|
|
}
|
|
|
|
|
|
|
|
// Compare the expiration time of the token to the current system time. Include
|
|
|
|
// up to 15 seconds of clock drift, and if it has expired return an error and
|
|
|
|
// do not process the action.
|
|
|
|
if time.Now().Unix() - payload.ExpirationTime.Unix() > 15 {
|
|
|
|
return nil, errors.New("jwt violates exp")
|
|
|
|
}
|
|
|
|
|
|
|
|
if !payload.HasPermission(PermissionConnect) {
|
|
|
|
return nil, errors.New("not authorized to connect to this socket")
|
|
|
|
}
|
|
|
|
|
|
|
|
return &payload, nil
|
|
|
|
}
|
2019-09-09 00:40:06 +00:00
|
|
|
|
2019-09-25 04:21:59 +00:00
|
|
|
// Checks if the JWT is still valid.
|
|
|
|
func (wsh *WebsocketHandler) TokenValid() error {
|
|
|
|
if wsh.JWT == nil {
|
|
|
|
return errors.New("no jwt present")
|
2019-09-09 00:40:06 +00:00
|
|
|
}
|
2019-09-25 04:21:59 +00:00
|
|
|
|
|
|
|
if time.Now().Unix() - wsh.JWT.ExpirationTime.Unix() > 15 {
|
|
|
|
return errors.New("jwt violates nbf")
|
|
|
|
}
|
|
|
|
|
|
|
|
if !wsh.JWT.HasPermission(PermissionConnect) {
|
|
|
|
return errors.New("jwt does not have connect permission")
|
|
|
|
}
|
|
|
|
|
|
|
|
if wsh.Server.Uuid != wsh.JWT.ServerUUID {
|
|
|
|
return errors.New("jwt server uuid mismatch")
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
2019-09-09 00:40:06 +00:00
|
|
|
}
|
|
|
|
|
2019-04-21 00:38:12 +00:00
|
|
|
// Handle a request for a specific server websocket. This will handle inbound requests as well
|
|
|
|
// as ensure that any console output is also passed down the wire on the socket.
|
2019-04-20 06:29:52 +00:00
|
|
|
func (rt *Router) routeWebsocket(w http.ResponseWriter, r *http.Request, ps httprouter.Params) {
|
2019-09-25 04:21:59 +00:00
|
|
|
token, err := ParseJWT([]byte(r.URL.Query().Get("token")))
|
|
|
|
if err != nil {
|
|
|
|
return
|
|
|
|
}
|
|
|
|
|
2019-04-20 06:29:52 +00:00
|
|
|
c, err := rt.upgrader.Upgrade(w, r, nil)
|
2019-04-07 23:28:01 +00:00
|
|
|
if err != nil {
|
2019-04-20 06:29:52 +00:00
|
|
|
zap.S().Error(err)
|
|
|
|
return
|
2019-04-07 23:28:01 +00:00
|
|
|
}
|
2019-04-20 06:29:52 +00:00
|
|
|
defer c.Close()
|
|
|
|
|
2019-04-20 18:59:28 +00:00
|
|
|
s := rt.Servers.Get(ps.ByName("server"))
|
2019-04-21 00:38:12 +00:00
|
|
|
handler := WebsocketHandler{
|
2019-04-21 19:02:28 +00:00
|
|
|
Server: s,
|
|
|
|
Mutex: sync.Mutex{},
|
2019-04-21 00:38:12 +00:00
|
|
|
Connection: c,
|
2019-09-25 04:21:59 +00:00
|
|
|
JWT: token,
|
2019-04-21 00:38:12 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
handleOutput := func(data string) {
|
|
|
|
handler.SendJson(&WebsocketMessage{
|
2019-05-27 23:58:05 +00:00
|
|
|
Event: server.ConsoleOutputEvent,
|
2019-04-21 19:02:28 +00:00
|
|
|
Args: []string{data},
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
handleServerStatus := func(data string) {
|
|
|
|
handler.SendJson(&WebsocketMessage{
|
2019-05-27 23:58:05 +00:00
|
|
|
Event: server.StatusEvent,
|
2019-04-21 00:38:12 +00:00
|
|
|
Args: []string{data},
|
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2019-09-06 05:08:10 +00:00
|
|
|
handleResourceUse := func(data string) {
|
|
|
|
handler.SendJson(&WebsocketMessage{
|
|
|
|
Event: server.StatsEvent,
|
2019-09-09 00:40:06 +00:00
|
|
|
Args: []string{data},
|
2019-09-06 05:08:10 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
2019-04-21 19:02:28 +00:00
|
|
|
s.AddListener(server.StatusEvent, &handleServerStatus)
|
|
|
|
defer s.RemoveListener(server.StatusEvent, &handleServerStatus)
|
|
|
|
|
2019-04-21 00:38:12 +00:00
|
|
|
s.AddListener(server.ConsoleOutputEvent, &handleOutput)
|
|
|
|
defer s.RemoveListener(server.ConsoleOutputEvent, &handleOutput)
|
2019-04-20 18:59:28 +00:00
|
|
|
|
2019-09-06 05:08:10 +00:00
|
|
|
s.AddListener(server.StatsEvent, &handleResourceUse)
|
|
|
|
defer s.RemoveListener(server.StatsEvent, &handleResourceUse)
|
|
|
|
|
2019-05-27 23:58:05 +00:00
|
|
|
s.Emit(server.StatusEvent, s.State)
|
|
|
|
|
2019-04-20 06:29:52 +00:00
|
|
|
for {
|
2019-04-21 00:38:12 +00:00
|
|
|
j := WebsocketMessage{inbound: true}
|
2019-04-07 23:28:01 +00:00
|
|
|
|
2019-09-09 01:03:39 +00:00
|
|
|
_, p, err := c.ReadMessage()
|
|
|
|
if err != nil {
|
2019-09-23 03:47:38 +00:00
|
|
|
if !websocket.IsCloseError(
|
|
|
|
err,
|
|
|
|
websocket.CloseNormalClosure,
|
|
|
|
websocket.CloseGoingAway,
|
|
|
|
websocket.CloseNoStatusReceived,
|
|
|
|
websocket.CloseServiceRestart,
|
|
|
|
websocket.CloseAbnormalClosure,
|
|
|
|
) {
|
2019-04-20 22:45:48 +00:00
|
|
|
zap.S().Errorw("error handling websocket message", zap.Error(err))
|
|
|
|
}
|
|
|
|
break
|
|
|
|
}
|
|
|
|
|
2019-04-20 06:29:52 +00:00
|
|
|
// Discard and JSON parse errors into the void and don't continue processing this
|
|
|
|
// specific socket request. If we did a break here the client would get disconnected
|
|
|
|
// from the socket, which is NOT what we want to do.
|
2019-09-09 01:03:39 +00:00
|
|
|
if err := json.Unmarshal(p, &j); err != nil {
|
2019-04-20 22:45:48 +00:00
|
|
|
continue
|
2019-04-20 06:29:52 +00:00
|
|
|
}
|
2019-04-07 23:28:01 +00:00
|
|
|
|
2019-04-21 00:38:12 +00:00
|
|
|
if err := handler.HandleInbound(j); err != nil {
|
2019-04-20 21:57:37 +00:00
|
|
|
zap.S().Warnw("error handling inbound websocket request", zap.Error(err))
|
2019-04-20 18:59:28 +00:00
|
|
|
break
|
2019-04-20 06:29:52 +00:00
|
|
|
}
|
|
|
|
}
|
2019-04-21 00:38:12 +00:00
|
|
|
}
|
2019-04-20 21:57:37 +00:00
|
|
|
|
2019-04-21 00:38:12 +00:00
|
|
|
// Perform a blocking send operation on the websocket since we want to avoid any
|
|
|
|
// concurrent writes to the connection, which would cause a runtime panic and cause
|
|
|
|
// the program to crash out.
|
|
|
|
func (wsh *WebsocketHandler) SendJson(v interface{}) error {
|
|
|
|
wsh.Mutex.Lock()
|
|
|
|
defer wsh.Mutex.Unlock()
|
|
|
|
|
|
|
|
return wsh.Connection.WriteJSON(v)
|
2019-04-20 06:29:52 +00:00
|
|
|
}
|
2019-04-20 21:57:37 +00:00
|
|
|
|
2019-04-21 00:38:12 +00:00
|
|
|
// Handle the inbound socket request and route it to the proper server action.
|
|
|
|
func (wsh *WebsocketHandler) HandleInbound(m WebsocketMessage) error {
|
|
|
|
if !m.inbound {
|
2019-04-20 21:57:37 +00:00
|
|
|
return errors.New("cannot handle websocket message, not an inbound connection")
|
|
|
|
}
|
|
|
|
|
2019-09-25 04:21:59 +00:00
|
|
|
if err := wsh.TokenValid(); err != nil {
|
|
|
|
zap.S().Debugw("jwt token is no longer valid", zap.String("message", err.Error()))
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-04-21 00:38:12 +00:00
|
|
|
switch m.Event {
|
2019-04-21 19:02:28 +00:00
|
|
|
case SetStateEvent:
|
2019-04-20 21:57:37 +00:00
|
|
|
{
|
2019-09-25 04:21:59 +00:00
|
|
|
if !wsh.JWT.HasPermission(PermissionSendPower) {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-04-20 21:57:37 +00:00
|
|
|
var err error
|
2019-04-21 00:38:12 +00:00
|
|
|
switch strings.Join(m.Args, "") {
|
2019-04-20 21:57:37 +00:00
|
|
|
case "start":
|
2019-04-21 00:38:12 +00:00
|
|
|
err = wsh.Server.Environment.Start()
|
2019-04-20 21:57:37 +00:00
|
|
|
break
|
|
|
|
case "stop":
|
2019-04-21 00:38:12 +00:00
|
|
|
err = wsh.Server.Environment.Stop()
|
2019-04-20 21:57:37 +00:00
|
|
|
break
|
|
|
|
case "restart":
|
2019-04-21 19:27:53 +00:00
|
|
|
break
|
|
|
|
case "kill":
|
2019-04-21 00:38:12 +00:00
|
|
|
err = wsh.Server.Environment.Terminate(os.Kill)
|
2019-04-20 21:57:37 +00:00
|
|
|
break
|
|
|
|
}
|
|
|
|
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
}
|
2019-04-21 19:02:28 +00:00
|
|
|
case SendServerLogsEvent:
|
2019-04-20 21:57:37 +00:00
|
|
|
{
|
2019-09-06 06:05:47 +00:00
|
|
|
if running, _ := wsh.Server.Environment.IsRunning(); !running {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-05-28 01:03:37 +00:00
|
|
|
logs, err := wsh.Server.Environment.Readlog(1024 * 16)
|
2019-04-20 21:57:37 +00:00
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
|
|
|
|
for _, line := range logs {
|
2019-04-21 00:38:12 +00:00
|
|
|
wsh.SendJson(&WebsocketMessage{
|
2019-05-27 23:58:05 +00:00
|
|
|
Event: server.ConsoleOutputEvent,
|
2019-04-21 00:38:12 +00:00
|
|
|
Args: []string{line},
|
2019-04-20 21:57:37 +00:00
|
|
|
})
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
2019-04-21 19:02:28 +00:00
|
|
|
case SendCommandEvent:
|
2019-04-20 21:57:37 +00:00
|
|
|
{
|
2019-09-25 04:21:59 +00:00
|
|
|
if !wsh.JWT.HasPermission(PermissionSendCommand) {
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2019-04-21 00:38:12 +00:00
|
|
|
return wsh.Server.Environment.SendCommand(strings.Join(m.Args, ""))
|
2019-04-20 21:57:37 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
2019-04-21 00:38:12 +00:00
|
|
|
}
|