Update middleware logic
This commit is contained in:
parent
84c05efaa5
commit
acd6dc62d0
|
@ -93,7 +93,7 @@ func (e *RequestError) AbortWithStatus(status int, c *gin.Context) {
|
|||
|
||||
// Helper function to just abort with an internal server error. This is generally the response
|
||||
// from most errors encountered by the API.
|
||||
func (e *RequestError) AbortWithServerError(c *gin.Context) {
|
||||
func (e *RequestError) Abort(c *gin.Context) {
|
||||
e.AbortWithStatus(http.StatusInternalServerError, c)
|
||||
}
|
||||
|
||||
|
@ -128,7 +128,7 @@ func (e *RequestError) AbortFilesystemError(c *gin.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
e.AbortWithServerError(c)
|
||||
e.Abort(c)
|
||||
}
|
||||
|
||||
// Format the error to a string and include the UUID.
|
||||
|
|
|
@ -3,60 +3,100 @@ package router
|
|||
import (
|
||||
"github.com/gin-gonic/gin"
|
||||
"github.com/google/uuid"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/pterodactyl/wings/config"
|
||||
"github.com/pterodactyl/wings/server"
|
||||
"io"
|
||||
"net/http"
|
||||
"strings"
|
||||
)
|
||||
|
||||
type Middleware struct{}
|
||||
|
||||
// A custom handler function allowing for errors bubbled up by c.Error() to be returned in a
|
||||
// standardized format with tracking UUIDs on them for easier log searching.
|
||||
func (m *Middleware) ErrorHandler() gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
c.Next()
|
||||
err := c.Errors.Last()
|
||||
if err == nil {
|
||||
return
|
||||
}
|
||||
|
||||
tracked := TrackedError(err)
|
||||
// If there is a server in the context for this request pull it out so that we can
|
||||
// track the error specifically for that server.
|
||||
if s, ok := c.Get("server"); ok {
|
||||
tracked = TrackedServerError(err, s.(*server.Server))
|
||||
}
|
||||
|
||||
// Sometimes requests have already modifed the status by the time this handler is
|
||||
// called. In those cases, try to attach the error message but don't try to change
|
||||
// the response status since it has already been set.
|
||||
if c.Writer.Status() != 200 {
|
||||
if err.Error() == io.EOF.Error() {
|
||||
c.JSON(c.Writer.Status(), gin.H{"error": "A JSON formatted body is required for this endpoint."})
|
||||
} else {
|
||||
tracked.AbortWithStatus(c.Writer.Status(), c)
|
||||
}
|
||||
return
|
||||
}
|
||||
tracked.Abort(c)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
// Set the access request control headers on all of the requests.
|
||||
func SetAccessControlHeaders(c *gin.Context) {
|
||||
c.Header("Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization")
|
||||
func (m *Middleware) SetAccessControlHeaders() gin.HandlerFunc {
|
||||
origins := config.Get().AllowedOrigins
|
||||
location := config.Get().PanelLocation
|
||||
return func(c *gin.Context) {
|
||||
c.Header("Access-Control-Allow-Credentials", "true")
|
||||
c.Header("Access-Control-Allow-Methods", "GET, POST, PATCH, PUT, DELETE, OPTIONS")
|
||||
c.Header("Access-Control-Allow-Headers", "Accept, Accept-Encoding, Authorization, Cache-Control, Content-Type, Content-Length, Origin, X-Real-IP, X-CSRF-Token")
|
||||
|
||||
o := c.GetHeader("Origin")
|
||||
if o != config.Get().PanelLocation {
|
||||
for _, origin := range config.Get().AllowedOrigins {
|
||||
if o != location {
|
||||
for _, origin := range origins {
|
||||
if origin != "*" && o != origin {
|
||||
continue
|
||||
}
|
||||
|
||||
c.Header("Access-Control-Allow-Origin", origin)
|
||||
c.Next()
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
c.Header("Access-Control-Allow-Origin", config.Get().PanelLocation)
|
||||
c.Header("Access-Control-Allow-Origin", location)
|
||||
c.Next()
|
||||
}
|
||||
}
|
||||
|
||||
// Authenticates the request token against the given permission string, ensuring that
|
||||
// if it is a server permission, the token has control over that server. If it is a global
|
||||
// token, this will ensure that the request is using a properly signed global token.
|
||||
func AuthorizationMiddleware(c *gin.Context) {
|
||||
func (m *Middleware) RequireAuthorization() gin.HandlerFunc {
|
||||
token := config.Get().AuthenticationToken
|
||||
return func(c *gin.Context) {
|
||||
auth := strings.SplitN(c.GetHeader("Authorization"), " ", 2)
|
||||
|
||||
if len(auth) != 2 || auth[0] != "Bearer" {
|
||||
c.Header("WWW-Authenticate", "Bearer")
|
||||
c.AbortWithStatusJSON(http.StatusUnauthorized, gin.H{
|
||||
"error": "The required authorization heads were not present in the request.",
|
||||
})
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// Try to match the request against the global token for the Daemon, regardless
|
||||
// of the permission type. If nothing is matched we will fall through to the Panel
|
||||
// API to try and validate permissions for a server.
|
||||
if auth[1] == config.Get().AuthenticationToken {
|
||||
// All requests to Wings must be authorized with the authentication token present in
|
||||
// the Wings configuration file. Remeber, all requests to Wings come from the Panel
|
||||
// backend, or using a signed JWT for temporary authentication.
|
||||
if auth[1] == token {
|
||||
c.Next()
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{
|
||||
"error": "You are not authorized to access this endpoint.",
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// Helper function to fetch a server out of the servers collection stored in memory.
|
||||
|
@ -68,14 +108,28 @@ func GetServer(uuid string) *server.Server {
|
|||
|
||||
// Ensure that the requested server exists in this setup. Returns a 404 if we cannot
|
||||
// locate it.
|
||||
func ServerExists(c *gin.Context) {
|
||||
func (m *Middleware) ServerExists() gin.HandlerFunc {
|
||||
return func(c *gin.Context) {
|
||||
u, err := uuid.Parse(c.Param("server"))
|
||||
if err != nil || GetServer(u.String()) == nil {
|
||||
if err == nil {
|
||||
if s := GetServer(u.String()); s != nil {
|
||||
c.Set("server", s)
|
||||
c.Next()
|
||||
return
|
||||
}
|
||||
}
|
||||
c.AbortWithStatusJSON(http.StatusNotFound, gin.H{
|
||||
"error": "The resource you requested does not exist.",
|
||||
})
|
||||
return
|
||||
}
|
||||
|
||||
c.Next()
|
||||
}
|
||||
|
||||
// Returns the server instance from the gin context. If there is no server set in the
|
||||
// context (e.g. calling from a controller not protected by ServerExists) this function
|
||||
// will panic.
|
||||
func ExtractServer(c *gin.Context) *server.Server {
|
||||
if s, ok := c.Get("server"); ok {
|
||||
return s.(*server.Server)
|
||||
}
|
||||
panic(errors.New("cannot extract server, missing on gin context"))
|
||||
}
|
||||
|
|
|
@ -9,10 +9,9 @@ import (
|
|||
func Configure() *gin.Engine {
|
||||
gin.SetMode("release")
|
||||
|
||||
m := Middleware{}
|
||||
router := gin.New()
|
||||
|
||||
router.Use(gin.Recovery())
|
||||
router.Use(SetAccessControlHeaders)
|
||||
router.Use(gin.Recovery(), m.ErrorHandler(), m.SetAccessControlHeaders())
|
||||
// @todo log this into a different file so you can setup IP blocking for abusive requests and such.
|
||||
// This should still dump requests in debug mode since it does help with understanding the request
|
||||
// lifecycle and quickly seeing what was called leading to the logs. However, it isn't feasible to mix
|
||||
|
@ -40,16 +39,16 @@ func Configure() *gin.Engine {
|
|||
// This route is special it sits above all of the other requests because we are
|
||||
// using a JWT to authorize access to it, therefore it needs to be publicly
|
||||
// accessible.
|
||||
router.GET("/api/servers/:server/ws", ServerExists, getServerWebsocket)
|
||||
router.GET("/api/servers/:server/ws", m.ServerExists(), getServerWebsocket)
|
||||
|
||||
// This request is called by another daemon when a server is going to be transferred out.
|
||||
// This request does not need the AuthorizationMiddleware as the panel should never call it
|
||||
// and requests are authenticated through a JWT the panel issues to the other daemon.
|
||||
router.GET("/api/servers/:server/archive", ServerExists, getServerArchive)
|
||||
router.GET("/api/servers/:server/archive", m.ServerExists(), getServerArchive)
|
||||
|
||||
// All of the routes beyond this mount will use an authorization middleware
|
||||
// and will not be accessible without the correct Authorization header provided.
|
||||
protected := router.Use(AuthorizationMiddleware)
|
||||
protected := router.Use(m.RequireAuthorization())
|
||||
protected.POST("/api/update", postUpdateConfiguration)
|
||||
protected.GET("/api/system", getSystemInformation)
|
||||
protected.GET("/api/servers", getAllServers)
|
||||
|
@ -59,7 +58,7 @@ func Configure() *gin.Engine {
|
|||
// These are server specific routes, and require that the request be authorized, and
|
||||
// that the server exist on the Daemon.
|
||||
server := router.Group("/api/servers/:server")
|
||||
server.Use(AuthorizationMiddleware, ServerExists)
|
||||
server.Use(m.RequireAuthorization(), m.ServerExists())
|
||||
{
|
||||
server.GET("", getServer)
|
||||
server.PATCH("", patchServer)
|
||||
|
|
|
@ -15,7 +15,7 @@ import (
|
|||
func getDownloadBackup(c *gin.Context) {
|
||||
token := tokens.BackupPayload{}
|
||||
if err := tokens.ParseToken([]byte(c.Query("token")), &token); err != nil {
|
||||
TrackedError(err).AbortWithServerError(c)
|
||||
TrackedError(err).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -36,13 +36,13 @@ func getDownloadBackup(c *gin.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
f, err := os.Open(b.Path())
|
||||
if err != nil {
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
defer f.Close()
|
||||
|
@ -58,7 +58,7 @@ func getDownloadBackup(c *gin.Context) {
|
|||
func getDownloadFile(c *gin.Context) {
|
||||
token := tokens.FilePayload{}
|
||||
if err := tokens.ParseToken([]byte(c.Query("token")), &token); err != nil {
|
||||
TrackedError(err).AbortWithServerError(c)
|
||||
TrackedError(err).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -75,7 +75,7 @@ func getDownloadFile(c *gin.Context) {
|
|||
// If there is an error or we're somehow trying to download a directory, just
|
||||
// respond with the appropriate error.
|
||||
if err != nil {
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
} else if st.IsDir() {
|
||||
c.AbortWithStatusJSON(http.StatusNotFound, gin.H{
|
||||
|
@ -86,7 +86,7 @@ func getDownloadFile(c *gin.Context) {
|
|||
|
||||
f, err := os.Open(p)
|
||||
if err != nil {
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
@ -41,7 +41,7 @@ func getServerLogs(c *gin.Context) {
|
|||
|
||||
out, err := s.ReadLogfile(l)
|
||||
if err != nil {
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -110,7 +110,7 @@ func postServerCommands(c *gin.Context) {
|
|||
s := GetServer(c.Param("server"))
|
||||
|
||||
if running, err := s.Environment.IsRunning(); err != nil {
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
} else if !running {
|
||||
c.AbortWithStatusJSON(http.StatusBadGateway, gin.H{
|
||||
|
@ -144,7 +144,7 @@ func patchServer(c *gin.Context) {
|
|||
buf.ReadFrom(c.Request.Body)
|
||||
|
||||
if err := s.UpdateDataStructure(buf.Bytes()); err != nil {
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -214,7 +214,7 @@ func deleteServer(c *gin.Context) {
|
|||
// forcibly terminate it before removing the container, so we do not need to handle
|
||||
// that here.
|
||||
if err := s.Environment.Destroy(); err != nil {
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
}
|
||||
|
||||
// Once the environment is terminated, remove the server files from the system. This is
|
||||
|
|
|
@ -34,7 +34,7 @@ func postServerBackup(c *gin.Context) {
|
|||
}
|
||||
|
||||
if err != nil {
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -63,7 +63,7 @@ func deleteServerBackup(c *gin.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -72,7 +72,7 @@ func deleteServerBackup(c *gin.Context) {
|
|||
// the backup previously and it is now missing when we go to delete, just treat it as having
|
||||
// been successful, rather than returning a 404.
|
||||
if !errors.Is(err, os.ErrNotExist) {
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
}
|
||||
|
|
|
@ -192,7 +192,7 @@ func postServerDeleteFiles(c *gin.Context) {
|
|||
}
|
||||
|
||||
if err := g.Wait(); err != nil {
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -205,7 +205,7 @@ func postServerWriteFile(c *gin.Context) {
|
|||
|
||||
f, err := url.QueryUnescape(c.Query("file"))
|
||||
if err != nil {
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
f = "/" + strings.TrimLeft(f, "/")
|
||||
|
@ -225,6 +225,51 @@ func postServerWriteFile(c *gin.Context) {
|
|||
c.Status(http.StatusNoContent)
|
||||
}
|
||||
|
||||
// Writes the contents of the remote URL to a file on a server.
|
||||
func postServerDownloadRemoteFile(c *gin.Context) {
|
||||
s := ExtractServer(c)
|
||||
var data struct {
|
||||
URL string `binding:"required" json:"url"`
|
||||
BasePath string `json:"path"`
|
||||
}
|
||||
if err := c.BindJSON(&data); err != nil {
|
||||
return
|
||||
}
|
||||
|
||||
u, err := url.Parse(data.URL)
|
||||
if err != nil {
|
||||
if e, ok := err.(*url.Error); ok {
|
||||
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
|
||||
"error": "An error occurred while parsing that URL: " + e.Err.Error(),
|
||||
})
|
||||
return
|
||||
}
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
resp, err := http.Get(u.String())
|
||||
if err != nil {
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
defer resp.Body.Close()
|
||||
|
||||
filename := strings.Split(u.Path, "/")
|
||||
if err := s.Filesystem().Writefile(filepath.Join(data.BasePath, filename[len(filename)-1]), resp.Body); err != nil {
|
||||
if errors.Is(err, filesystem.ErrIsDirectory) {
|
||||
c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{
|
||||
"error": "Cannot write file, name conflicts with an existing directory by the same name.",
|
||||
})
|
||||
return
|
||||
}
|
||||
TrackedServerError(err, s).AbortFilesystemError(c)
|
||||
return
|
||||
}
|
||||
|
||||
c.Status(http.StatusNoContent)
|
||||
}
|
||||
|
||||
// Create a directory on a server.
|
||||
func postServerCreateDirectory(c *gin.Context) {
|
||||
s := GetServer(c.Param("server"))
|
||||
|
@ -246,7 +291,7 @@ func postServerCreateDirectory(c *gin.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -315,7 +360,7 @@ func postServerDecompressFiles(c *gin.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -418,7 +463,7 @@ func postServerChmodFile(c *gin.Context) {
|
|||
func postServerUploadFiles(c *gin.Context) {
|
||||
token := tokens.UploadPayload{}
|
||||
if err := tokens.ParseToken([]byte(c.Query("token")), &token); err != nil {
|
||||
TrackedError(err).AbortWithServerError(c)
|
||||
TrackedError(err).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@ func getServerWebsocket(c *gin.Context) {
|
|||
s := GetServer(c.Param("server"))
|
||||
handler, err := websocket.GetHandler(s, c.Writer, c.Request)
|
||||
if err != nil {
|
||||
TrackedServerError(err, s).AbortWithServerError(c)
|
||||
TrackedServerError(err, s).Abort(c)
|
||||
return
|
||||
}
|
||||
defer handler.Connection.Close()
|
||||
|
|
|
@ -16,7 +16,7 @@ import (
|
|||
func getSystemInformation(c *gin.Context) {
|
||||
i, err := system.GetSystemInformation()
|
||||
if err != nil {
|
||||
TrackedError(err).AbortWithServerError(c)
|
||||
TrackedError(err).Abort(c)
|
||||
|
||||
return
|
||||
}
|
||||
|
@ -45,7 +45,7 @@ func postCreateServer(c *gin.Context) {
|
|||
return
|
||||
}
|
||||
|
||||
TrackedError(err).AbortWithServerError(c)
|
||||
TrackedError(err).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -99,7 +99,7 @@ func postUpdateConfiguration(c *gin.Context) {
|
|||
// before this code was run.
|
||||
config.Set(&ccopy)
|
||||
|
||||
TrackedError(err).AbortWithServerError(c)
|
||||
TrackedError(err).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
|
|
@ -37,7 +37,7 @@ func getServerArchive(c *gin.Context) {
|
|||
|
||||
token := tokens.TransferPayload{}
|
||||
if err := tokens.ParseToken([]byte(auth[1]), &token); err != nil {
|
||||
TrackedError(err).AbortWithServerError(c)
|
||||
TrackedError(err).Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -53,7 +53,7 @@ func getServerArchive(c *gin.Context) {
|
|||
st, err := s.Archiver.Stat()
|
||||
if err != nil {
|
||||
if !errors.Is(err, os.ErrNotExist) {
|
||||
TrackedServerError(err, s).SetMessage("failed to stat archive").AbortWithServerError(c)
|
||||
TrackedServerError(err, s).SetMessage("failed to stat archive").Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -63,7 +63,7 @@ func getServerArchive(c *gin.Context) {
|
|||
|
||||
checksum, err := s.Archiver.Checksum()
|
||||
if err != nil {
|
||||
TrackedServerError(err, s).SetMessage("failed to calculate checksum").AbortWithServerError(c)
|
||||
TrackedServerError(err, s).SetMessage("failed to calculate checksum").Abort(c)
|
||||
return
|
||||
}
|
||||
|
||||
|
@ -76,7 +76,7 @@ func getServerArchive(c *gin.Context) {
|
|||
tserr.SetMessage("failed to open archive")
|
||||
}
|
||||
|
||||
tserr.AbortWithServerError(c)
|
||||
tserr.Abort(c)
|
||||
return
|
||||
}
|
||||
defer file.Close()
|
||||
|
|
Loading…
Reference in New Issue
Block a user