Update CHANGELOG.md

Prior to this logic not only was the error response incorrect for events, but we registered event listeners before the authentication event; so if auth failed we flooded the socket with tons of output that was never going to be sent anyways.

This change now waits to register listeners until the socket is fully authenticated and we're guaranteed to have a token present.

.github/workflows/build-test.yml

@@ -60,7 +60,7 @@ jobs:
         run: go test ./...
       - name: Upload Artifact
         uses: actions/upload-artifact@v2
-        if: ${{ matrix.go == '^1.16' && (github.ref == 'refs/heads/develop' || github.event_name == 'pull_request') }}
+        if: ${{ github.ref == 'refs/heads/develop' || github.event_name == 'pull_request' }}
         with:
           name: wings_${{ matrix.goos }}_${{ matrix.goarch }}
           path: build/wings_${{ matrix.goos }}_${{ matrix.goarch }}

CHANGELOG.md

@@ -1,5 +1,28 @@
 # Changelog
 
+## v1.5.3
+### Fixed
+* Fixes improper event registration and error handling during socket authentication that would cause the incorrect error message to be returned to the client, or no error in some scenarios. Event registration is now delayed until the socket is fully authenticated to ensure needless listeners are not registed.
+* Fixes dollar signs always being evaluated as environment variables with no way to escape them. They can now be escaped as `$$` which will transform into a single dollar sign.
+
+### Changed
+* A websocket connection to a server will be closed by Wings if there is a send error encountered and the client will be left to handle reconnections, rather than simply logging the error and continuing to listen for new events.
+
+## v1.5.2
+### Fixed
+* Fixes servers not properly re-syncing with the Panel if they are already running causing them to be hard-stopped when terminated, rather than stopped with the configured action.
+
+### Changed
+* Changes SFTP server implementation to use ED25519 server keys rather than deprecated SHA1 RSA keys.
+
+### Added
+* Adds server uptime output in the stats event emitted to the websocket.
+
+## v1.5.1
+### Added
+* Global configuration option for toggling server crash detection (`system.crash_detection.enabled`)
+* RPM specfile
+
 ## v1.5.0
 ### Fixed
 * Fixes a race condition when setting the application name in the console output for a server.

README.md

@@ -30,7 +30,7 @@ I would like to extend my sincere thanks to the following sponsors for helping f
 | [**Spill Hosting**](https://spillhosting.no/) | Spill Hosting is a Norwegian hosting service, which aims for inexpensive services on quality servers. Premium i9-9900K processors will run your game like a dream. |
 | [**DeinServerHost**](https://deinserverhost.de/) | DeinServerHost offers Dedicated, vps and Gameservers for many popular Games like Minecraft and Rust in Germany since 2013. |
 | [**HostBend**](https://hostbend.com/) | HostBend offers a variety of solutions for developers, students, and others who have a tight budget but don't want to compromise quality and support. |
-| [**Capitol Hosting Solutions**](https://capitolsolutions.cloud/) | CHS is *the* budget friendly hosting company for Australian and American gamers, offering a variety of plans from Web Hosting to Game Servers; Custom Solutions too! |
+| [**Capitol Hosting Solutions**](https://chs.gg/) | CHS is *the* budget friendly hosting company for Australian and American gamers, offering a variety of plans from Web Hosting to Game Servers; Custom Solutions too! |
 | [**ByteAnia**](https://byteania.com/?utm_source=pterodactyl) | ByteAnia offers the best performing and most affordable **Ryzen 5000 Series hosting** on the market for *unbeatable prices*! |
 | [**Aussie Server Hosts**](https://aussieserverhosts.com/) | No frills Australian Owned and operated High Performance Server hosting for some of the most demanding games serving Australia and New Zealand. |
 | [**VibeGAMES**](https://vibegames.net/) | VibeGAMES is a game server provider that specializes in DDOS protection for the games we offer. We have multiple locations in the US, Brazil, France, Germany, Singapore, Australia and South Africa.|

cmd/root.go

@@ -255,6 +255,13 @@ func rootCmdRun(cmd *cobra.Command, _ []string) {
 				// state being tracked.
 				s.Environment.SetState(environment.ProcessOfflineState)
 			}
+
+			if state := s.Environment.State(); state == environment.ProcessStartingState || state == environment.ProcessRunningState {
+				s.Log().Debug("re-syncing server configuration for already running server")
+				if err := s.Sync(); err != nil {
+					s.Log().WithError(err).Error("failed to re-sync server configuration")
+				}
+			}
 		})
 	}
 
@@ -287,12 +294,12 @@ func rootCmdRun(cmd *cobra.Command, _ []string) {
 
 	sys := config.Get().System
 	// Ensure the archive directory exists.
-	if err := os.MkdirAll(sys.ArchiveDirectory, 0755); err != nil {
+	if err := os.MkdirAll(sys.ArchiveDirectory, 0o755); err != nil {
 		log.WithField("error", err).Error("failed to create archive directory")
 	}
 
 	// Ensure the backup directory exists.
-	if err := os.MkdirAll(sys.BackupDirectory, 0755); err != nil {
+	if err := os.MkdirAll(sys.BackupDirectory, 0o755); err != nil {
 		log.WithField("error", err).Error("failed to create backup directory")
 	}
 
@@ -385,7 +392,7 @@ func initConfig() {
 // in the code without having to pass around a logger instance.
 func initLogging() {
 	dir := config.Get().System.LogDirectory
-	if err := os.MkdirAll(path.Join(dir, "/install"), 0700); err != nil {
+	if err := os.MkdirAll(path.Join(dir, "/install"), 0o700); err != nil {
 		log2.Fatalf("cmd/root: failed to create install directory path: %s", err)
 	}
 	p := filepath.Join(dir, "/wings.log")

config/config.go

@@ -48,10 +48,12 @@ var DefaultTLSConfig = &tls.Config{
 	CurvePreferences:         []tls.CurveID{tls.X25519, tls.CurveP256},
 }
 
-var mu sync.RWMutex
-var _config *Configuration
-var _jwtAlgo *jwt.HMACSHA
-var _debugViaFlag bool
+var (
+	mu            sync.RWMutex
+	_config       *Configuration
+	_jwtAlgo      *jwt.HMACSHA
+	_debugViaFlag bool
+)
 
 // Locker specific to writing the configuration to the disk, this happens
 // in areas that might already be locked, so we don't want to crash the process.
@@ -181,6 +183,9 @@ type SystemConfiguration struct {
 }
 
 type CrashDetection struct {
+	// CrashDetectionEnabled sets if crash detection is enabled globally for all servers on this node.
+	CrashDetectionEnabled bool `default:"true" yaml:"enabled"`
+
 	// Determines if Wings should detect a server that stops with a normal exit code of
 	// "0" as being crashed if the process stopped without any Wings interaction. E.g.
 	// the user did not press the stop button, but the process stopped cleanly.
@@ -375,7 +380,7 @@ func WriteToDisk(c *Configuration) error {
 	if err != nil {
 		return err
 	}
-	if err := ioutil.WriteFile(c.path, b, 0600); err != nil {
+	if err := ioutil.WriteFile(c.path, b, 0o600); err != nil {
 		return err
 	}
 	return nil
@@ -452,9 +457,22 @@ func FromFile(path string) error {
 		return err
 	}
 	// Replace environment variables within the configuration file with their
-	// values from the host system.
-	b = []byte(os.ExpandEnv(string(b)))
-	if err := yaml.Unmarshal(b, c); err != nil {
+	// values from the host system. This function works almost identically to
+	// the default os.ExpandEnv function, except it supports escaping dollar
+	// signs in the text if you pass "$$" through.
+	//
+	// "some$$foo" -> "some$foo"
+	// "some$foo" -> "some" (or "someVALUE_OF_FOO" if FOO is defined in env)
+	//
+	// @see https://github.com/pterodactyl/panel/issues/3692
+	exp := os.Expand(string(b), func(s string) string {
+		if s == "$" {
+			return s
+		}
+		return os.Getenv(s)
+	})
+
+	if err := yaml.Unmarshal([]byte(exp), c); err != nil {
 		return err
 	}
 	// Store this configuration in the global state.
@@ -470,7 +488,7 @@ func FromFile(path string) error {
 func ConfigureDirectories() error {
 	root := _config.System.RootDirectory
 	log.WithField("path", root).Debug("ensuring root data directory exists")
-	if err := os.MkdirAll(root, 0700); err != nil {
+	if err := os.MkdirAll(root, 0o700); err != nil {
 		return err
 	}
 
@@ -491,17 +509,17 @@ func ConfigureDirectories() error {
 	}
 
 	log.WithField("path", _config.System.Data).Debug("ensuring server data directory exists")
-	if err := os.MkdirAll(_config.System.Data, 0700); err != nil {
+	if err := os.MkdirAll(_config.System.Data, 0o700); err != nil {
 		return err
 	}
 
 	log.WithField("path", _config.System.ArchiveDirectory).Debug("ensuring archive data directory exists")
-	if err := os.MkdirAll(_config.System.ArchiveDirectory, 0700); err != nil {
+	if err := os.MkdirAll(_config.System.ArchiveDirectory, 0o700); err != nil {
 		return err
 	}
 
 	log.WithField("path", _config.System.BackupDirectory).Debug("ensuring backup data directory exists")
-	if err := os.MkdirAll(_config.System.BackupDirectory, 0700); err != nil {
+	if err := os.MkdirAll(_config.System.BackupDirectory, 0o700); err != nil {
 		return err
 	}
 

environment/docker/stats.go

@@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"io"
 	"math"
+	"time"
 
 	"emperror.dev/errors"
 	"github.com/docker/docker/api/types"
@@ -12,6 +13,23 @@ import (
 	"github.com/pterodactyl/wings/environment"
 )
 
+// Uptime returns the current uptime of the container in milliseconds. If the
+// container is not currently running this will return 0.
+func (e *Environment) Uptime(ctx context.Context) (int64, error) {
+	ins, err := e.client.ContainerInspect(ctx, e.Id)
+	if err != nil {
+		return 0, errors.Wrap(err, "environment: could not inspect container")
+	}
+	if !ins.State.Running {
+		return 0, nil
+	}
+	started, err := time.Parse(time.RFC3339, ins.State.StartedAt)
+	if err != nil {
+		return 0, errors.Wrap(err, "environment: failed to parse container start time")
+	}
+	return time.Since(started).Milliseconds(), nil
+}
+
 // Attach to the instance and then automatically emit an event whenever the resource usage for the
 // server process changes.
 func (e *Environment) pollResources(ctx context.Context) error {
@@ -28,6 +46,11 @@ func (e *Environment) pollResources(ctx context.Context) error {
 	}
 	defer stats.Body.Close()
 
+	uptime, err := e.Uptime(ctx)
+	if err != nil {
+		e.log().WithField("error", err).Warn("failed to calculate container uptime")
+	}
+
 	dec := json.NewDecoder(stats.Body)
 	for {
 		select {
@@ -50,7 +73,12 @@ func (e *Environment) pollResources(ctx context.Context) error {
 				return nil
 			}
 
+			if !v.PreRead.IsZero() {
+				uptime = uptime + v.Read.Sub(v.PreRead).Milliseconds()
+			}
+
 			st := environment.Stats{
+				Uptime:      uptime,
 				Memory:      calculateDockerMemory(v.MemoryStats),
 				MemoryLimit: v.MemoryStats.Limit,
 				CpuAbsolute: calculateDockerAbsoluteCpu(v.PreCPUStats, v.CPUStats),

environment/environment.go

@@ -104,4 +104,8 @@ type ProcessEnvironment interface {
 	// handle this itself, but there are some scenarios where it is helpful for the server
 	// to update the state externally (e.g. starting -> started).
 	SetState(string)
+
+	// Uptime returns the current environment uptime in milliseconds. This is
+	// the time that has passed since it was last started.
+	Uptime(ctx context.Context) (int64, error)
 }

environment/stats.go

@@ -1,8 +1,6 @@
 package environment
 
-// Defines the current resource usage for a given server instance. If a server is offline you
-// should obviously expect memory and CPU usage to be 0. However, disk will always be returned
-// since that is not dependent on the server being running to collect that data.
+// Stats defines the current resource usage for a given server instance.
 type Stats struct {
 	// The total amount of memory, in bytes, that this server instance is consuming. This is
 	// calculated slightly differently than just using the raw Memory field that the stats
@@ -19,12 +17,11 @@ type Stats struct {
 	// does not take into account any limits on the server process itself.
 	CpuAbsolute float64 `json:"cpu_absolute"`
 
-	// The current disk space being used by the server. This is cached to prevent slow lookup
-	// issues on frequent refreshes.
-	// Disk int64 `json:"disk_bytes"`
-
 	// Current network transmit in & out for a container.
 	Network NetworkStats `json:"network"`
+
+	// The current uptime of the container, in milliseconds.
+	Uptime int64 `json:"uptime"`
 }
 
 type NetworkStats struct {

go.mod

@@ -33,7 +33,6 @@ require (
 	github.com/gorilla/websocket v1.4.2
 	github.com/iancoleman/strcase v0.2.0
 	github.com/icza/dyno v0.0.0-20210726202311-f1bafe5d9996
-	github.com/imdario/mergo v0.3.12
 	github.com/juju/ratelimit v1.0.1
 	github.com/karrick/godirwalk v1.16.1
 	github.com/klauspost/compress v1.13.2 // indirect

go.sum

@@ -513,8 +513,6 @@ github.com/imdario/mergo v0.3.5/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJ
 github.com/imdario/mergo v0.3.8/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA=
 github.com/imdario/mergo v0.3.10/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
-github.com/imdario/mergo v0.3.12 h1:b6R2BslTbIEToALKP7LxUvijTsNI9TAe80pLWN2g/HU=
-github.com/imdario/mergo v0.3.12/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA=
 github.com/inconshreveable/mousetrap v1.0.0 h1:Z8tu5sraLXCXIcARxBp/8cbvlwVa7Z1NHg9XEKhtSvM=
 github.com/inconshreveable/mousetrap v1.0.0/go.mod h1:PxqpIevigyE2G7u3NXJIT2ANytuPF1OarO4DADm73n8=
 github.com/j-keck/arping v0.0.0-20160618110441-2cf9dc699c56/go.mod h1:ymszkNOg6tORTn+6F6j+Jc8TOr5osrynvN6ivFWZ2GA=

router/router_server_ws.go

@@ -24,12 +24,6 @@ var expectedCloseCodes = []int{
 func getServerWebsocket(c *gin.Context) {
 	manager := middleware.ExtractManager(c)
 	s, _ := manager.Get(c.Param("server"))
-	handler, err := websocket.GetHandler(s, c.Writer, c.Request)
-	if err != nil {
-		NewServerError(err, s).Abort(c)
-		return
-	}
-	defer handler.Connection.Close()
 
 	// Create a context that can be canceled when the user disconnects from this
 	// socket that will also cancel listeners running in separate threads. If the
@@ -38,10 +32,22 @@ func getServerWebsocket(c *gin.Context) {
 	ctx, cancel := context.WithCancel(c.Request.Context())
 	defer cancel()
 
+	handler, err := websocket.GetHandler(s, c.Writer, c.Request)
+	if err != nil {
+		NewServerError(err, s).Abort(c)
+		return
+	}
+	defer handler.Connection.Close()
+
 	// Track this open connection on the server so that we can close them all programmatically
 	// if the server is deleted.
 	s.Websockets().Push(handler.Uuid(), &cancel)
-	defer s.Websockets().Remove(handler.Uuid())
+	handler.Logger().Debug("opening connection to server websocket")
+
+	defer func() {
+		s.Websockets().Remove(handler.Uuid())
+		handler.Logger().Debug("closing connection to server websocket")
+	}()
 
 	// If the server is deleted we need to send a close message to the connected client
 	// so that they disconnect since there will be no more events sent along. Listen for
@@ -57,16 +63,13 @@ func getServerWebsocket(c *gin.Context) {
 		}
 	}()
 
-	go handler.ListenForServerEvents(ctx)
-	go handler.ListenForExpiration(ctx)
-
 	for {
 		j := websocket.Message{}
 
 		_, p, err := handler.Connection.ReadMessage()
 		if err != nil {
 			if ws.IsUnexpectedCloseError(err, expectedCloseCodes...) {
-				s.Log().WithField("error", err).Warn("error handling websocket message for server")
+				handler.Logger().WithField("error", err).Warn("error handling websocket message for server")
 			}
 			break
 		}
@@ -79,7 +82,7 @@ func getServerWebsocket(c *gin.Context) {
 		}
 
 		go func(msg websocket.Message) {
-			if err := handler.HandleInbound(msg); err != nil {
+			if err := handler.HandleInbound(ctx, msg); err != nil {
 				handler.SendErrorJson(msg, err)
 			}
 		}(j)

router/websocket/listeners.go

@@ -2,17 +2,45 @@ package websocket
 
 import (
 	"context"
+	"sync"
 	"time"
 
+	"emperror.dev/errors"
 	"github.com/pterodactyl/wings/events"
 	"github.com/pterodactyl/wings/server"
 )
 
+// RegisterListenerEvents will setup the server event listeners and expiration
+// timers. This is only triggered on first authentication with the websocket,
+// reconnections will not call it.
+//
+// This needs to be called once the socket is properly authenticated otherwise
+// you'll get a flood of error spam in the output that doesn't make sense because
+// Docker events being output to the socket will fail when it hasn't been
+// properly initialized yet.
+//
+// @see https://github.com/pterodactyl/panel/issues/3295
+func (h *Handler) registerListenerEvents(ctx context.Context) {
+	h.Logger().Debug("registering event listeners for connection")
+
+	go func() {
+		if err := h.listenForServerEvents(ctx); err != nil {
+			h.Logger().Warn("error while processing server event; closing websocket connection")
+			if err := h.Connection.Close(); err != nil {
+				h.Logger().WithField("error", errors.WithStack(err)).Error("error closing websocket connection")
+			}
+		}
+	}()
+
+	go h.listenForExpiration(ctx)
+}
+
+
 // ListenForExpiration checks the time to expiration on the JWT every 30 seconds
 // until the token has expired. If we are within 3 minutes of the token expiring,
 // send a notice over the socket that it is expiring soon. If it has expired,
 // send that notice as well.
-func (h *Handler) ListenForExpiration(ctx context.Context) {
+func (h *Handler) listenForExpiration(ctx context.Context) {
 	// Make a ticker and completion channel that is used to continuously poll the
 	// JWT stored in the session to send events to the socket when it is expiring.
 	ticker := time.NewTicker(time.Second * 30)
@@ -52,24 +80,44 @@ var e = []string{
 // ListenForServerEvents will listen for different events happening on a server
 // and send them along to the connected websocket client. This function will
 // block until the context provided to it is canceled.
-func (h *Handler) ListenForServerEvents(ctx context.Context) {
-	h.server.Log().Debug("listening for server events over websocket")
+func (h *Handler) listenForServerEvents(pctx context.Context) error {
+	var o sync.Once
+	var err error
+	ctx, cancel := context.WithCancel(pctx)
+
 	callback := func(e events.Event) {
-		if err := h.SendJson(&Message{Event: e.Topic, Args: []string{e.Data}}); err != nil {
-			h.server.Log().WithField("error", err).Warn("error while sending server data over websocket")
+		if sendErr := h.SendJson(&Message{Event: e.Topic, Args: []string{e.Data}}); sendErr != nil {
+			h.Logger().WithField("event", e.Topic).WithField("error", sendErr).Error("failed to send event over server websocket")
+			// Avoid race conditions by only setting the error once and then canceling
+			// the context. This way if additional processing errors come through due
+			// to a massive flood of things you still only report and stop at the first.
+			o.Do(func() {
+				err = sendErr
+				cancel()
+			})
 		}
 	}
 
-	// Subscribe to all of the events with the same callback that will push the data out over the
-	// websocket for the server.
+	// Subscribe to all of the events with the same callback that will push the
+	// data out over the websocket for the server.
 	for _, evt := range e {
 		h.server.Events().On(evt, &callback)
 	}
 
-	<-ctx.Done()
-	// Block until the context is stopped and then de-register all of the event listeners
-	// that we registered earlier.
+	// When this function returns de-register all of the event listeners.
+	defer func() {
 		for _, evt := range e {
 			h.server.Events().Off(evt, &callback)
 		}
+	}()
+
+	<-ctx.Done()
+	// If the internal context is stopped it is either because the parent context
+	// got canceled or because we ran into an error. If the "err" variable is nil
+	// we can assume the parent was canceled and need not perform any actions.
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	return nil
 }

router/websocket/websocket.go

@@ -75,7 +75,7 @@ func NewTokenPayload(token []byte) (*tokens.WebsocketPayload, error) {
 	return &payload, nil
 }
 
-// Returns a new websocket handler using the context provided.
+// GetHandler returns a new websocket handler using the context provided.
 func GetHandler(s *server.Server, w http.ResponseWriter, r *http.Request) (*Handler, error) {
 	upgrader := websocket.Upgrader{
 		// Ensure that the websocket request is originating from the Panel itself,
@@ -116,6 +116,12 @@ func (h *Handler) Uuid() uuid.UUID {
 	return h.uuid
 }
 
+func (h *Handler) Logger() *log.Entry {
+	return log.WithField("subsystem", "websocket").
+		WithField("connection", h.Uuid().String()).
+		WithField("server", h.server.ID())
+}
+
 func (h *Handler) SendJson(v *Message) error {
 	// Do not send JSON down the line if the JWT on the connection is not valid!
 	if err := h.TokenValid(); err != nil {
@@ -263,7 +269,7 @@ func (h *Handler) setJwt(token *tokens.WebsocketPayload) {
 }
 
 // HandleInbound handles an inbound socket request and route it to the proper action.
-func (h *Handler) HandleInbound(m Message) error {
+func (h *Handler) HandleInbound(ctx context.Context, m Message) error {
 	if m.Event != AuthenticationEvent {
 		if err := h.TokenValid(); err != nil {
 			h.unsafeSendJson(Message{
@@ -279,13 +285,6 @@ func (h *Handler) HandleInbound(m Message) error {
 		{
 			token, err := NewTokenPayload([]byte(strings.Join(m.Args, "")))
 			if err != nil {
-				// If the error says the JWT expired, send a token expired
-				// event and hopefully the client renews the token.
-				if err == jwt.ErrExpValidation {
-					h.SendJson(&Message{Event: TokenExpiredEvent})
-					return nil
-				}
-
 				return err
 			}
 
@@ -298,10 +297,7 @@ func (h *Handler) HandleInbound(m Message) error {
 			h.setJwt(token)
 
 			// Tell the client they authenticated successfully.
-			h.unsafeSendJson(Message{
-				Event: AuthenticationSuccessEvent,
-				Args:  []string{},
-			})
+			h.unsafeSendJson(Message{Event: AuthenticationSuccessEvent})
 
 			// Check if the client was refreshing their authentication token
 			// instead of authenticating for the first time.
@@ -311,6 +307,11 @@ func (h *Handler) HandleInbound(m Message) error {
 				return nil
 			}
 
+			// Now that we've authenticated with the token and confirmed that we're not
+			// reconnecting to the socket, register the event listeners for the server and
+			// the token expiration.
+			h.registerListenerEvents(ctx)
+
 			// On every authentication event, send the current server status back
 			// to the client. :)
 			state := h.server.Environment.State()

rpm/ptero-wings.spec

@@ -0,0 +1,114 @@
+Name:       ptero-wings
+Version:    1.5.0
+Release:    1%{?dist}
+Summary:    The server control plane for Pterodactyl Panel. Written from the ground-up with security, speed, and stability in mind.
+BuildArch:  x86_64
+License:    MIT
+URL:        https://github.com/pterodactyl/wings
+Source0:    https://github.com/pterodactyl/wings/releases/download/v%{version}/wings_linux_amd64
+
+%if 0%{?rhel} && 0%{?rhel} <= 8
+BuildRequires:  systemd
+%else
+BuildRequires:  systemd-rpm-macros
+%endif
+
+
+%description
+Wings is Pterodactyl's server control plane, built for the rapidly
+changing gaming industry and designed to be highly performant and
+secure. Wings provides an HTTP API allowing you to interface directly
+with running server instances, fetch server logs, generate backups,
+and control all aspects of the server lifecycle.
+
+In addition, Wings ships with a built-in SFTP server allowing your
+system to remain free of Pterodactyl specific dependencies, and
+allowing users to authenticate with the same credentials they would
+normally use to access the Panel.
+
+%prep
+
+%build
+#nothing required
+
+%install
+mkdir -p %{buildroot}%{_bindir}
+mkdir -p %{buildroot}%{_unitdir}
+cp %{_sourcedir}/wings_linux_amd64 %{buildroot}%{_bindir}/wings
+
+cat > %{buildroot}%{_unitdir}/wings.service << EOF
+[Unit]
+Description=Pterodactyl Wings Daemon
+After=docker.service
+Requires=docker.service
+PartOf=docker.service
+StartLimitIntervalSec=600
+
+[Service]
+WorkingDirectory=/etc/pterodactyl
+ExecStart=/usr/bin/wings
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=on-failure
+StartLimitInterval=180
+StartLimitBurst=30
+RestartSec=5s
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+%files
+%attr(0755, root, root) %{_prefix}/bin/wings
+%attr(0644, root, root) %{_unitdir}/wings.service
+
+%post
+
+# Reload systemd
+systemctl daemon-reload
+
+# Create the required directory structure
+mkdir -p /etc/pterodactyl
+mkdir -p /var/lib/pterodactyl/{archives,backups,volumes}
+mkdir -p /var/log/pterodactyl/install
+
+%preun
+
+systemctl is-active %{name} >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+    systemctl stop %{name}
+fi
+
+systemctl is-enabled %{name} >/dev/null 2>&1
+if [ $? -eq 0 ]; then
+    systemctl disable %{name}
+fi
+
+%postun
+rm -rf /var/log/pterodactyl
+
+%verifyscript
+
+wings --version
+
+%changelog
+* Sun Sep 12 2021 Capitol Hosting Solutions Systems Engineering <syseng@chs.gg> - 1.5.0-1
+- specfile by Capitol Hosting Solutions, Upstream by Pterodactyl
+- Rebased for https://github.com/pterodactyl/wings/releases/tag/v1.5.0
+- Fixes a race condition when setting the application name in the console output for a server.
+- Fixes a server being reinstalled causing the file_denylist parameter for an Egg to be ignored until Wings is restarted.
+- Fixes YAML file parser not correctly setting boolean values.
+- Fixes potential issue where the underlying websocket connection is closed but the parent request context is not yet canceled causing a write over a closed connection.
+- Fixes race condition when closing all active websocket connections when a server is deleted.
+- Fixes logic to determine if a server's context is closed out and send a websocket close message to connected clients. Previously this fired off whenever the request itself was closed, and not when the server context was closed.
+- Exposes 8080 in the wings Dockerfile to better support reverse proxy tools.
+- Releases are now built using Go 1.17 — the minimum version required to build Wings remains Go 1.16.
+- Simplifed the logic powering server updates to only pull information from the Panel rather than trying to accept updated values. All parts of Wings needing the most up-to-date server details should call Server#Sync() to fetch the latest stored build information.
+- Installer#New() no longer requires passing all of the server data as a byte slice, rather a new Installer#ServerDetails struct is exposed which can be passed and accepts a UUID and if the server should be started after the installer finishes.
+- Removes complicated (and unused) logic during the server installation process that was a hold-over from legacy Wings architectures.
+- Removes the PATCH /api/servers/:server endpoint — if you were previously using this API call it should be replaced with POST /api/servers/:server/sync.
+
+* Wed Aug 25 2021 Capitol Hosting Solutions Systems Engineering <syseng@chs.gg> - 1.4.7-1
+- specfile by Capitol Hosting Solutions, Upstream by Pterodactyl
+- Rebased for https://github.com/pterodactyl/wings/releases/tag/v1.4.7
+- SFTP access is now properly denied if a server is suspended.
+- Correctly uses start_on_completion and crash_detection_enabled for servers.

server/resources.go

@@ -46,6 +46,7 @@ func (ru *ResourceUsage) Reset() {
 
 	ru.Memory = 0
 	ru.CpuAbsolute = 0
+	ru.Uptime = 0
 	ru.Network.TxBytes = 0
 	ru.Network.RxBytes = 0
 }

server/server.go

@@ -188,7 +188,9 @@ func (s *Server) Sync() error {
 // can be called from scoped where the server may not be fully initialized,
 // therefore other things like the filesystem and environment may not exist yet.
 func (s *Server) SyncWithConfiguration(cfg remote.ServerConfigurationResponse) error {
-	c := Configuration{}
+	c := Configuration{
+		CrashDetectionEnabled: config.Get().System.CrashDetection.CrashDetectionEnabled,
+	}
 	if err := json.Unmarshal(cfg.Settings, &c); err != nil {
 		return errors.WithStackIf(err)
 	}
@@ -196,9 +198,9 @@ func (s *Server) SyncWithConfiguration(cfg remote.ServerConfigurationResponse) e
 	s.cfg.mu.Lock()
 	defer s.cfg.mu.Unlock()
 
-	// Lock the new configuration. Since we have the defered Unlock above we need
+	// Lock the new configuration. Since we have the deferred Unlock above we need
 	// to make sure that the NEW configuration object is already locked since that
-	// defer is running on the memory address for "s.cfg.mu" which we're explcitly
+	// defer is running on the memory address for "s.cfg.mu" which we're explicitly
 	// changing on the next line.
 	c.mu.Lock()
 
@@ -259,7 +261,7 @@ func (s *Server) EnsureDataDirectoryExists() error {
 	if _, err := os.Lstat(s.fs.Path()); err != nil {
 		if os.IsNotExist(err) {
 			s.Log().Debug("server: creating root directory and setting permissions")
-			if err := os.MkdirAll(s.fs.Path(), 0700); err != nil {
+			if err := os.MkdirAll(s.fs.Path(), 0o700); err != nil {
 				return errors.WithStack(err)
 			}
 			if err := s.fs.Chown("/"); err != nil {

server/websockets.go

@@ -52,8 +52,7 @@ func (w *WebsocketBag) CancelAll() {
 
 	if w.conns != nil {
 		for _, cancel := range w.conns {
-			c := *cancel
-			c()
+			(*cancel)()
 		}
 	}
 

sftp/server.go

@@ -3,7 +3,6 @@ package sftp
 import (
 	"context"
 	"crypto/rand"
-	"crypto/rsa"
 	"crypto/x509"
 	"encoding/pem"
 	"io"
@@ -18,6 +17,7 @@ import (
 	"emperror.dev/errors"
 	"github.com/apex/log"
 	"github.com/pkg/sftp"
+	"golang.org/x/crypto/ed25519"
 	"golang.org/x/crypto/ssh"
 
 	"github.com/pterodactyl/wings/config"
@@ -48,18 +48,20 @@ func New(m *server.Manager) *SFTPServer {
 	}
 }
 
-// Starts the SFTP server and add a persistent listener to handle inbound SFTP connections.
+// Run starts the SFTP server and add a persistent listener to handle inbound
+// SFTP connections. This will automatically generate an ED25519 key if one does
+// not already exist on the system for host key verification purposes.
 func (c *SFTPServer) Run() error {
-	if _, err := os.Stat(path.Join(c.BasePath, ".sftp/id_rsa")); os.IsNotExist(err) {
-		if err := c.generatePrivateKey(); err != nil {
+	if _, err := os.Stat(c.PrivateKeyPath()); os.IsNotExist(err) {
+		if err := c.generateED25519PrivateKey(); err != nil {
 			return err
 		}
 	} else if err != nil {
-		return errors.Wrap(err, "sftp/server: could not stat private key file")
+		return errors.Wrap(err, "sftp: could not stat private key file")
 	}
-	pb, err := ioutil.ReadFile(path.Join(c.BasePath, ".sftp/id_rsa"))
+	pb, err := ioutil.ReadFile(c.PrivateKeyPath())
 	if err != nil {
-		return errors.Wrap(err, "sftp/server: could not read private key file")
+		return errors.Wrap(err, "sftp: could not read private key file")
 	}
 	private, err := ssh.ParsePrivateKey(pb)
 	if err != nil {
@@ -78,7 +80,9 @@ func (c *SFTPServer) Run() error {
 		return err
 	}
 
-	log.WithField("listen", c.Listen).Info("sftp server listening for connections")
+	public := string(ssh.MarshalAuthorizedKey(private.PublicKey()))
+	log.WithField("listen", c.Listen).WithField("public_key", strings.Trim(public, "\n")).Info("sftp server listening for connections")
+
 	for {
 		if conn, _ := listener.Accept(); conn != nil {
 			go func(conn net.Conn) {
@@ -148,26 +152,30 @@ func (c *SFTPServer) AcceptInbound(conn net.Conn, config *ssh.ServerConfig) {
 	}
 }
 
-// Generates a private key that will be used by the SFTP server.
-func (c *SFTPServer) generatePrivateKey() error {
-	key, err := rsa.GenerateKey(rand.Reader, 2048)
+// Generates a new ED25519 private key that is used for host authentication when
+// a user connects to the SFTP server.
+func (c *SFTPServer) generateED25519PrivateKey() error {
+	_, priv, err := ed25519.GenerateKey(rand.Reader)
 	if err != nil {
-		return errors.WithStack(err)
+		return errors.Wrap(err, "sftp: failed to generate ED25519 private key")
 	}
-	if err := os.MkdirAll(path.Join(c.BasePath, ".sftp"), 0755); err != nil {
-		return errors.Wrap(err, "sftp/server: could not create .sftp directory")
+	if err := os.MkdirAll(path.Dir(c.PrivateKeyPath()), 0755); err != nil {
+		return errors.Wrap(err, "sftp: could not create internal sftp data directory")
 	}
-	o, err := os.OpenFile(path.Join(c.BasePath, ".sftp/id_rsa"), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
+	o, err := os.OpenFile(c.PrivateKeyPath(), os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0600)
 	if err != nil {
 		return errors.WithStack(err)
 	}
 	defer o.Close()
 
-	err = pem.Encode(o, &pem.Block{
-		Type:  "RSA PRIVATE KEY",
-		Bytes: x509.MarshalPKCS1PrivateKey(key),
-	})
-	return errors.WithStack(err)
+	b, err := x509.MarshalPKCS8PrivateKey(priv)
+	if err != nil {
+		return errors.Wrap(err, "sftp: failed to marshal private key into bytes")
+	}
+	if err := pem.Encode(o, &pem.Block{Type: "PRIVATE KEY", Bytes: b}); err != nil {
+		return errors.Wrap(err, "sftp: failed to write ED25519 private key to disk")
+	}
+	return nil
 }
 
 // A function capable of validating user credentials with the Panel API.
@@ -209,3 +217,8 @@ func (c *SFTPServer) passwordCallback(conn ssh.ConnMetadata, pass []byte) (*ssh.
 
 	return sshPerm, nil
 }
+
+// PrivateKeyPath returns the path the host private key for this server instance.
+func (c *SFTPServer) PrivateKeyPath() string {
+	return path.Join(c.BasePath, ".sftp/id_ed25519")
+}