Update middleware logic

This commit is contained in:
Dane Everitt 2020-12-15 20:19:09 -08:00
parent 84c05efaa5
commit acd6dc62d0
No known key found for this signature in database
GPG Key ID: EEA66103B3D71F53
10 changed files with 175 additions and 77 deletions

View File

@ -93,7 +93,7 @@ func (e *RequestError) AbortWithStatus(status int, c *gin.Context) {
// Helper function to just abort with an internal server error. This is generally the response // Helper function to just abort with an internal server error. This is generally the response
// from most errors encountered by the API. // from most errors encountered by the API.
func (e *RequestError) AbortWithServerError(c *gin.Context) { func (e *RequestError) Abort(c *gin.Context) {
e.AbortWithStatus(http.StatusInternalServerError, c) e.AbortWithStatus(http.StatusInternalServerError, c)
} }
@ -128,7 +128,7 @@ func (e *RequestError) AbortFilesystemError(c *gin.Context) {
return return
} }
e.AbortWithServerError(c) e.Abort(c)
} }
// Format the error to a string and include the UUID. // Format the error to a string and include the UUID.

View File

@ -3,60 +3,100 @@ package router
import ( import (
"github.com/gin-gonic/gin" "github.com/gin-gonic/gin"
"github.com/google/uuid" "github.com/google/uuid"
"github.com/pkg/errors"
"github.com/pterodactyl/wings/config" "github.com/pterodactyl/wings/config"
"github.com/pterodactyl/wings/server" "github.com/pterodactyl/wings/server"
"io"
"net/http" "net/http"
"strings" "strings"
) )
type Middleware struct{}
// A custom handler function allowing for errors bubbled up by c.Error() to be returned in a
// standardized format with tracking UUIDs on them for easier log searching.
func (m *Middleware) ErrorHandler() gin.HandlerFunc {
return func(c *gin.Context) {
c.Next()
err := c.Errors.Last()
if err == nil {
return
}
tracked := TrackedError(err)
// If there is a server in the context for this request pull it out so that we can
// track the error specifically for that server.
if s, ok := c.Get("server"); ok {
tracked = TrackedServerError(err, s.(*server.Server))
}
// Sometimes requests have already modifed the status by the time this handler is
// called. In those cases, try to attach the error message but don't try to change
// the response status since it has already been set.
if c.Writer.Status() != 200 {
if err.Error() == io.EOF.Error() {
c.JSON(c.Writer.Status(), gin.H{"error": "A JSON formatted body is required for this endpoint."})
} else {
tracked.AbortWithStatus(c.Writer.Status(), c)
}
return
}
tracked.Abort(c)
return
}
}
// Set the access request control headers on all of the requests. // Set the access request control headers on all of the requests.
func SetAccessControlHeaders(c *gin.Context) { func (m *Middleware) SetAccessControlHeaders() gin.HandlerFunc {
c.Header("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization") origins := config.Get().AllowedOrigins
location := config.Get().PanelLocation
return func(c *gin.Context) {
c.Header("Access-Control-Allow-Credentials", "true")
c.Header("Access-Control-Allow-Methods", "GET, POST, PATCH, PUT, DELETE, OPTIONS")
c.Header("Access-Control-Allow-Headers", "Accept, Accept-Encoding, Authorization, Cache-Control, Content-Type, Content-Length, Origin, X-Real-IP, X-CSRF-Token")
o := c.GetHeader("Origin") o := c.GetHeader("Origin")
if o != config.Get().PanelLocation { if o != location {
for _, origin := range config.Get().AllowedOrigins { for _, origin := range origins {
if origin != "*" && o != origin { if origin != "*" && o != origin {
continue continue
} }
c.Header("Access-Control-Allow-Origin", origin) c.Header("Access-Control-Allow-Origin", origin)
c.Next() c.Next()
return return
} }
} }
c.Header("Access-Control-Allow-Origin", location)
c.Header("Access-Control-Allow-Origin", config.Get().PanelLocation)
c.Next() c.Next()
}
} }
// Authenticates the request token against the given permission string, ensuring that // Authenticates the request token against the given permission string, ensuring that
// if it is a server permission, the token has control over that server. If it is a global // if it is a server permission, the token has control over that server. If it is a global
// token, this will ensure that the request is using a properly signed global token. // token, this will ensure that the request is using a properly signed global token.
func AuthorizationMiddleware(c *gin.Context) { func (m *Middleware) RequireAuthorization() gin.HandlerFunc {
token := config.Get().AuthenticationToken
return func(c *gin.Context) {
auth := strings.SplitN(c.GetHeader("Authorization"), " ", 2) auth := strings.SplitN(c.GetHeader("Authorization"), " ", 2)
if len(auth) != 2 || auth[0] != "Bearer" { if len(auth) != 2 || auth[0] != "Bearer" {
c.Header("WWW-Authenticate", "Bearer") c.Header("WWW-Authenticate", "Bearer")
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{ c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
"error": "The required authorization heads were not present in the request.", "error": "The required authorization heads were not present in the request.",
}) })
return return
} }
// Try to match the request against the global token for the Daemon, regardless // All requests to Wings must be authorized with the authentication token present in
// of the permission type. If nothing is matched we will fall through to the Panel // the Wings configuration file. Remeber, all requests to Wings come from the Panel
// API to try and validate permissions for a server. // backend, or using a signed JWT for temporary authentication.
if auth[1] == config.Get().AuthenticationToken { if auth[1] == token {
c.Next() c.Next()
return return
} }
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{ c.AbortWithStatusJSON(http.StatusForbidden, gin.H{
"error": "You are not authorized to access this endpoint.", "error": "You are not authorized to access this endpoint.",
}) })
}
} }
// Helper function to fetch a server out of the servers collection stored in memory. // Helper function to fetch a server out of the servers collection stored in memory.
@ -68,14 +108,28 @@ func GetServer(uuid string) *server.Server {
// Ensure that the requested server exists in this setup. Returns a 404 if we cannot // Ensure that the requested server exists in this setup. Returns a 404 if we cannot
// locate it. // locate it.
func ServerExists(c *gin.Context) { func (m *Middleware) ServerExists() gin.HandlerFunc {
return func(c *gin.Context) {
u, err := uuid.Parse(c.Param("server")) u, err := uuid.Parse(c.Param("server"))
if err != nil || GetServer(u.String()) == nil { if err == nil {
if s := GetServer(u.String()); s != nil {
c.Set("server", s)
c.Next()
return
}
}
c.AbortWithStatusJSON(http.StatusNotFound, gin.H{ c.AbortWithStatusJSON(http.StatusNotFound, gin.H{
"error": "The resource you requested does not exist.", "error": "The resource you requested does not exist.",
}) })
return
} }
}
c.Next()
// Returns the server instance from the gin context. If there is no server set in the
// context (e.g. calling from a controller not protected by ServerExists) this function
// will panic.
func ExtractServer(c *gin.Context) *server.Server {
if s, ok := c.Get("server"); ok {
return s.(*server.Server)
}
panic(errors.New("cannot extract server, missing on gin context"))
} }

View File

@ -9,10 +9,9 @@ import (
func Configure() *gin.Engine { func Configure() *gin.Engine {
gin.SetMode("release") gin.SetMode("release")
m := Middleware{}
router := gin.New() router := gin.New()
router.Use(gin.Recovery(), m.ErrorHandler(), m.SetAccessControlHeaders())
router.Use(gin.Recovery())
router.Use(SetAccessControlHeaders)
// @todo log this into a different file so you can setup IP blocking for abusive requests and such. // @todo log this into a different file so you can setup IP blocking for abusive requests and such.
// This should still dump requests in debug mode since it does help with understanding the request // This should still dump requests in debug mode since it does help with understanding the request
// lifecycle and quickly seeing what was called leading to the logs. However, it isn't feasible to mix // lifecycle and quickly seeing what was called leading to the logs. However, it isn't feasible to mix
@ -40,16 +39,16 @@ func Configure() *gin.Engine {
// This route is special it sits above all of the other requests because we are // This route is special it sits above all of the other requests because we are
// using a JWT to authorize access to it, therefore it needs to be publicly // using a JWT to authorize access to it, therefore it needs to be publicly
// accessible. // accessible.
router.GET("/api/servers/:server/ws", ServerExists, getServerWebsocket) router.GET("/api/servers/:server/ws", m.ServerExists(), getServerWebsocket)
// This request is called by another daemon when a server is going to be transferred out. // This request is called by another daemon when a server is going to be transferred out.
// This request does not need the AuthorizationMiddleware as the panel should never call it // This request does not need the AuthorizationMiddleware as the panel should never call it
// and requests are authenticated through a JWT the panel issues to the other daemon. // and requests are authenticated through a JWT the panel issues to the other daemon.
router.GET("/api/servers/:server/archive", ServerExists, getServerArchive) router.GET("/api/servers/:server/archive", m.ServerExists(), getServerArchive)
// All of the routes beyond this mount will use an authorization middleware // All of the routes beyond this mount will use an authorization middleware
// and will not be accessible without the correct Authorization header provided. // and will not be accessible without the correct Authorization header provided.
protected := router.Use(AuthorizationMiddleware) protected := router.Use(m.RequireAuthorization())
protected.POST("/api/update", postUpdateConfiguration) protected.POST("/api/update", postUpdateConfiguration)
protected.GET("/api/system", getSystemInformation) protected.GET("/api/system", getSystemInformation)
protected.GET("/api/servers", getAllServers) protected.GET("/api/servers", getAllServers)
@ -59,7 +58,7 @@ func Configure() *gin.Engine {
// These are server specific routes, and require that the request be authorized, and // These are server specific routes, and require that the request be authorized, and
// that the server exist on the Daemon. // that the server exist on the Daemon.
server := router.Group("/api/servers/:server") server := router.Group("/api/servers/:server")
server.Use(AuthorizationMiddleware, ServerExists) server.Use(m.RequireAuthorization(), m.ServerExists())
{ {
server.GET("", getServer) server.GET("", getServer)
server.PATCH("", patchServer) server.PATCH("", patchServer)

View File

@ -15,7 +15,7 @@ import (
func getDownloadBackup(c *gin.Context) { func getDownloadBackup(c *gin.Context) {
token := tokens.BackupPayload{} token := tokens.BackupPayload{}
if err := tokens.ParseToken([]byte(c.Query("token")), &token); err != nil { if err := tokens.ParseToken([]byte(c.Query("token")), &token); err != nil {
TrackedError(err).AbortWithServerError(c) TrackedError(err).Abort(c)
return return
} }
@ -36,13 +36,13 @@ func getDownloadBackup(c *gin.Context) {
return return
} }
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} }
f, err := os.Open(b.Path()) f, err := os.Open(b.Path())
if err != nil { if err != nil {
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} }
defer f.Close() defer f.Close()
@ -58,7 +58,7 @@ func getDownloadBackup(c *gin.Context) {
func getDownloadFile(c *gin.Context) { func getDownloadFile(c *gin.Context) {
token := tokens.FilePayload{} token := tokens.FilePayload{}
if err := tokens.ParseToken([]byte(c.Query("token")), &token); err != nil { if err := tokens.ParseToken([]byte(c.Query("token")), &token); err != nil {
TrackedError(err).AbortWithServerError(c) TrackedError(err).Abort(c)
return return
} }
@ -75,7 +75,7 @@ func getDownloadFile(c *gin.Context) {
// If there is an error or we're somehow trying to download a directory, just // If there is an error or we're somehow trying to download a directory, just
// respond with the appropriate error. // respond with the appropriate error.
if err != nil { if err != nil {
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} else if st.IsDir() { } else if st.IsDir() {
c.AbortWithStatusJSON(http.StatusNotFound, gin.H{ c.AbortWithStatusJSON(http.StatusNotFound, gin.H{
@ -86,7 +86,7 @@ func getDownloadFile(c *gin.Context) {
f, err := os.Open(p) f, err := os.Open(p)
if err != nil { if err != nil {
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} }

View File

@ -41,7 +41,7 @@ func getServerLogs(c *gin.Context) {
out, err := s.ReadLogfile(l) out, err := s.ReadLogfile(l)
if err != nil { if err != nil {
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} }
@ -110,7 +110,7 @@ func postServerCommands(c *gin.Context) {
s := GetServer(c.Param("server")) s := GetServer(c.Param("server"))
if running, err := s.Environment.IsRunning(); err != nil { if running, err := s.Environment.IsRunning(); err != nil {
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} else if !running { } else if !running {
c.AbortWithStatusJSON(http.StatusBadGateway, gin.H{ c.AbortWithStatusJSON(http.StatusBadGateway, gin.H{
@ -144,7 +144,7 @@ func patchServer(c *gin.Context) {
buf.ReadFrom(c.Request.Body) buf.ReadFrom(c.Request.Body)
if err := s.UpdateDataStructure(buf.Bytes()); err != nil { if err := s.UpdateDataStructure(buf.Bytes()); err != nil {
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} }
@ -214,7 +214,7 @@ func deleteServer(c *gin.Context) {
// forcibly terminate it before removing the container, so we do not need to handle // forcibly terminate it before removing the container, so we do not need to handle
// that here. // that here.
if err := s.Environment.Destroy(); err != nil { if err := s.Environment.Destroy(); err != nil {
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
} }
// Once the environment is terminated, remove the server files from the system. This is // Once the environment is terminated, remove the server files from the system. This is

View File

@ -34,7 +34,7 @@ func postServerBackup(c *gin.Context) {
} }
if err != nil { if err != nil {
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} }
@ -63,7 +63,7 @@ func deleteServerBackup(c *gin.Context) {
return return
} }
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} }
@ -72,7 +72,7 @@ func deleteServerBackup(c *gin.Context) {
// the backup previously and it is now missing when we go to delete, just treat it as having // the backup previously and it is now missing when we go to delete, just treat it as having
// been successful, rather than returning a 404. // been successful, rather than returning a 404.
if !errors.Is(err, os.ErrNotExist) { if !errors.Is(err, os.ErrNotExist) {
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} }
} }

View File

@ -192,7 +192,7 @@ func postServerDeleteFiles(c *gin.Context) {
} }
if err := g.Wait(); err != nil { if err := g.Wait(); err != nil {
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} }
@ -205,7 +205,7 @@ func postServerWriteFile(c *gin.Context) {
f, err := url.QueryUnescape(c.Query("file")) f, err := url.QueryUnescape(c.Query("file"))
if err != nil { if err != nil {
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} }
f = "/" + strings.TrimLeft(f, "/") f = "/" + strings.TrimLeft(f, "/")
@ -225,6 +225,51 @@ func postServerWriteFile(c *gin.Context) {
c.Status(http.StatusNoContent) c.Status(http.StatusNoContent)
} }
// Writes the contents of the remote URL to a file on a server.
func postServerDownloadRemoteFile(c *gin.Context) {
s := ExtractServer(c)
var data struct {
URL string `binding:"required" json:"url"`
BasePath string `json:"path"`
}
if err := c.BindJSON(&data); err != nil {
return
}
u, err := url.Parse(data.URL)
if err != nil {
if e, ok := err.(*url.Error); ok {
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
"error": "An error occurred while parsing that URL: " + e.Err.Error(),
})
return
}
TrackedServerError(err, s).Abort(c)
return
}
resp, err := http.Get(u.String())
if err != nil {
TrackedServerError(err, s).Abort(c)
return
}
defer resp.Body.Close()
filename := strings.Split(u.Path, "/")
if err := s.Filesystem().Writefile(filepath.Join(data.BasePath, filename[len(filename)-1]), resp.Body); err != nil {
if errors.Is(err, filesystem.ErrIsDirectory) {
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
"error": "Cannot write file, name conflicts with an existing directory by the same name.",
})
return
}
TrackedServerError(err, s).AbortFilesystemError(c)
return
}
c.Status(http.StatusNoContent)
}
// Create a directory on a server. // Create a directory on a server.
func postServerCreateDirectory(c *gin.Context) { func postServerCreateDirectory(c *gin.Context) {
s := GetServer(c.Param("server")) s := GetServer(c.Param("server"))
@ -246,7 +291,7 @@ func postServerCreateDirectory(c *gin.Context) {
return return
} }
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} }
@ -315,7 +360,7 @@ func postServerDecompressFiles(c *gin.Context) {
return return
} }
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} }
@ -418,7 +463,7 @@ func postServerChmodFile(c *gin.Context) {
func postServerUploadFiles(c *gin.Context) { func postServerUploadFiles(c *gin.Context) {
token := tokens.UploadPayload{} token := tokens.UploadPayload{}
if err := tokens.ParseToken([]byte(c.Query("token")), &token); err != nil { if err := tokens.ParseToken([]byte(c.Query("token")), &token); err != nil {
TrackedError(err).AbortWithServerError(c) TrackedError(err).Abort(c)
return return
} }

View File

@ -14,7 +14,7 @@ func getServerWebsocket(c *gin.Context) {
s := GetServer(c.Param("server")) s := GetServer(c.Param("server"))
handler, err := websocket.GetHandler(s, c.Writer, c.Request) handler, err := websocket.GetHandler(s, c.Writer, c.Request)
if err != nil { if err != nil {
TrackedServerError(err, s).AbortWithServerError(c) TrackedServerError(err, s).Abort(c)
return return
} }
defer handler.Connection.Close() defer handler.Connection.Close()

View File

@ -16,7 +16,7 @@ import (
func getSystemInformation(c *gin.Context) { func getSystemInformation(c *gin.Context) {
i, err := system.GetSystemInformation() i, err := system.GetSystemInformation()
if err != nil { if err != nil {
TrackedError(err).AbortWithServerError(c) TrackedError(err).Abort(c)
return return
} }
@ -45,7 +45,7 @@ func postCreateServer(c *gin.Context) {
return return
} }
TrackedError(err).AbortWithServerError(c) TrackedError(err).Abort(c)
return return
} }
@ -99,7 +99,7 @@ func postUpdateConfiguration(c *gin.Context) {
// before this code was run. // before this code was run.
config.Set(&ccopy) config.Set(&ccopy)
TrackedError(err).AbortWithServerError(c) TrackedError(err).Abort(c)
return return
} }

View File

@ -37,7 +37,7 @@ func getServerArchive(c *gin.Context) {
token := tokens.TransferPayload{} token := tokens.TransferPayload{}
if err := tokens.ParseToken([]byte(auth[1]), &token); err != nil { if err := tokens.ParseToken([]byte(auth[1]), &token); err != nil {
TrackedError(err).AbortWithServerError(c) TrackedError(err).Abort(c)
return return
} }
@ -53,7 +53,7 @@ func getServerArchive(c *gin.Context) {
st, err := s.Archiver.Stat() st, err := s.Archiver.Stat()
if err != nil { if err != nil {
if !errors.Is(err, os.ErrNotExist) { if !errors.Is(err, os.ErrNotExist) {
TrackedServerError(err, s).SetMessage("failed to stat archive").AbortWithServerError(c) TrackedServerError(err, s).SetMessage("failed to stat archive").Abort(c)
return return
} }
@ -63,7 +63,7 @@ func getServerArchive(c *gin.Context) {
checksum, err := s.Archiver.Checksum() checksum, err := s.Archiver.Checksum()
if err != nil { if err != nil {
TrackedServerError(err, s).SetMessage("failed to calculate checksum").AbortWithServerError(c) TrackedServerError(err, s).SetMessage("failed to calculate checksum").Abort(c)
return return
} }
@ -76,7 +76,7 @@ func getServerArchive(c *gin.Context) {
tserr.SetMessage("failed to open archive") tserr.SetMessage("failed to open archive")
} }
tserr.AbortWithServerError(c) tserr.Abort(c)
return return
} }
defer file.Close() defer file.Close()