Create API model APIUserAuthServerRADIUSCreate.inc to create RADIUS authentication servers, updated documentation to include instructions

Author: jaredhendrickson13

.gitignore

@@ -1,5 +1,5 @@
 .idea
-*/__pycache__/
+tests/unit_test_framework/__pycache__/
 *.DS_Store
 .phplint-cache
 

docs/documentation.json

@@ -291,6 +291,87 @@
 							},
 							"response": []
 						},
+						{
+							"name": "Create RADIUS Auth Servers",
+							"request": {
+								"method": "POST",
+								"header": [
+									{
+										"key": "Content-Type",
+										"name": "Content-Type",
+										"type": "text",
+										"value": "application/json"
+									}
+								],
+								"body": {
+									"mode": "raw",
+									"raw": "{\n    \"name\": \"TEST_RADIUS\",\n    \"host\": \"123\",\n    \"radius_secret\": \"testsecret\",\n    \"radius_auth_port\": 1812,\n    \"radius_acct_port\": 1813,\n    \"radius_protocol\": \"MSCHAPv2\",\n    \"radius_timeout\": 5,\n    \"radius_nasip_attribute\": \"wan\"\n}"
+								},
+								"url": {
+									"raw": "https://{{$hostname}}/api/v1/user/auth_server/radius?name=string&host=string&radius_secret=string&radius_auth_port=integer&radius_acct_port=integer&radius_timeout=integer&radis_nasip_attribute=string&active=boolean&radius_protocol=string",
+									"protocol": "https",
+									"host": [
+										"{{$hostname}}"
+									],
+									"path": [
+										"api",
+										"v1",
+										"user",
+										"auth_server",
+										"radius"
+									],
+									"query": [
+										{
+											"key": "name",
+											"value": "string",
+											"description": "Specify a descriptive name for the RADIUS authentication server to create. This name must be unique from all other authentication servers on the system."
+										},
+										{
+											"key": "host",
+											"value": "string",
+											"description": "Specify the IP or hostname of the remote RADIUS authentication server."
+										},
+										{
+											"key": "radius_secret",
+											"value": "string",
+											"description": "Specify the shared secret of the remote RADIUS authentication server. "
+										},
+										{
+											"key": "radius_auth_port",
+											"value": "integer",
+											"description": "Specify the remote RADIUS authentication server's authentication port. If no value is specified, the authentication service on the remote RADIUS server will not be used. This field is optional if a `radius_acct_port` value is specified. (optional)"
+										},
+										{
+											"key": "radius_acct_port",
+											"value": "integer",
+											"description": "Specify the remote RADIUS authentication server's accounting port. If no value is specified, the accounting service on the remote RADIUS server will not be used. This field is optional if a `radius_auth_port` value is specified.(optional)"
+										},
+										{
+											"key": "radius_timeout",
+											"value": "integer",
+											"description": "Specify the amount of time (in seconds) to wait for the remote RADIUS server to respond before timing out. This value must be `1` or greater. Defaults to `5`. (optional)"
+										},
+										{
+											"key": "radis_nasip_attribute",
+											"value": "string",
+											"description": "Specify which Interface's IP address to send in the NAS IP RADIUS attribute. You may specify either the physical Interface ID, the pfSense Interface ID or the descriptive Interface name. Defaults to `wan`. (optional)"
+										},
+										{
+											"key": "active",
+											"value": "boolean",
+											"description": "Specify whether pfSense should use this authentication server by default after creation.  (optional)"
+										},
+										{
+											"key": "radius_protocol",
+											"value": "string",
+											"description": "Specify the RADIUS authentication protocol to use when communicating with the remote RADIUS server. Options are `PAP`, `CHAP_MD5`, `MSCHAPv1` or `MSCHAPv2`. Defaults to `MSCHAPv2`. (optional)"
+										}
+									]
+								},
+								"description": "Delete an existing RADIUS authentication server.<br><br>\n\n_Requires at least one of the following privileges:_ [`page-all`, `page-system-authservers`]"
+							},
+							"response": []
+						},
 						{
 							"name": "Delete Auth Servers",
 							"request": {

pfSense-pkg-API/files/etc/inc/api/endpoints/APIUserAuthServerRADIUS.inc

@@ -24,6 +24,10 @@ class APIUserAuthServerRADIUS extends APIEndpoint {
         return (new APIUserAuthServerRADIUSRead())->call();
     }
 
+    protected function post() {
+        return (new APIUserAuthServerRADIUSCreate())->call();
+    }
+
     protected function delete() {
         return (new APIUserAuthServerRADIUSDelete())->call();
     }

pfSense-pkg-API/files/etc/inc/api/framework/APIResponse.inc

@@ -1712,13 +1712,13 @@ function get($id, $data=[], $all=false) {
             "status" => "bad request",
             "code" => 400,
             "return" => $id,
-            "message" => "LDAP authentication server hostname or IP required"
+            "message" => "Authentication server hostname or IP required"
         ],
         5012 => [
             "status" => "bad request",
             "code" => 400,
             "return" => $id,
-            "message" => "Invalid LDAP authentication server hostname or IP"
+            "message" => "Invalid authentication server hostname or IP"
         ],
         5013 => [
             "status" => "bad request",
@@ -1804,6 +1804,60 @@ function get($id, $data=[], $all=false) {
             "return" => $id,
             "message" => "Authentication server name already in use"
         ],
+        5027 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Unsupported RADIUS protocol"
+        ],
+        5028 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "RADIUS secret required"
+        ],
+        5029 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "RADIUS secret must be string type"
+        ],
+        5030 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Invalid RADIUS authentication port"
+        ],
+        5031 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Invalid RADIUS accounting port"
+        ],
+        5032 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "RADIUS authentication and/or accounting port required"
+        ],
+        5033 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "RADIUS timeout must be an integer of 1 or greater"
+        ],
+        5034 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Unknown RADIUS NAS-IP attribute"
+        ],
+        5035 => [
+            "status" => "bad request",
+            "code" => 400,
+            "return" => $id,
+            "message" => "Authentication server name is required"
+        ],
 
         //6000-6999 reserved for /routing API calls
         6000 => [
@@ -1983,7 +2037,7 @@ function get($id, $data=[], $all=false) {
 
 
     ];
-    $response = $responses[(!in_array($id, $responses)) ? $id : 1];
+    $response = $responses[(array_key_exists($id, $responses)) ? $id : 1];
     $response["data"] = $data;
     if ($all === true) {
         $response = $responses;

pfSense-pkg-API/files/etc/inc/api/models/APIUserAuthServerRADIUSCreate.inc

@@ -0,0 +1,176 @@
+<?php
+//   Copyright 2021 Jared Hendrickson
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+
+require_once("api/framework/APIModel.inc");
+require_once("api/framework/APIResponse.inc");
+
+class APIUserAuthServerRADIUSCreate extends APIModel {
+    # Create our method constructor
+    public function __construct() {
+        parent::__construct();
+        $this->privileges = ["page-all", "page-system-authserver"];
+        $this->change_note = "Added RADIUS authentication server via API";
+    }
+
+    public function action() {
+        # Add our new authentication server to the configuration
+        $this->config["system"]["authserver"][] = $this->validated_data;
+
+        # Check if clients wants to set this as default auth server
+        if ($this->initial_data["active"] === true) {
+            $this->config['system']['webgui']['authmode'] = $this->validated_data["name"];
+        }
+
+        $this->write_config();
+        return APIResponse\get(0, $this->validated_data);
+    }
+
+    public function validate_payload() {
+        # Set static configuration attributes
+        $this->validated_data["type"] = "radius";
+        $this->validated_data["refid"] = uniqid();
+
+        # Validate input fields
+        $this->__validate_name();
+        $this->__validate_host();
+        $this->__validate_radius_secret();
+        $this->__validate_radius_auth_port();
+        $this->__validate_radius_acct_port();
+        $this->__validate_radius_protocol();
+        $this->__validate_radius_timeout();
+        $this->__validate_radius_nasip_attribute();
+    }
+
+    private function __validate_name() {
+        # Validate our required `name` payload value
+        if (isset($this->initial_data["name"])) {
+            # Ensure the name is not already in use
+            if (!APITools\is_authentication_server($this->initial_data["name"])) {
+                $this->validated_data["name"] = $this->initial_data["name"];
+            } else {
+                $this->errors[] = APIResponse\get(5026);
+            }
+        } else {
+            $this->errors[] = APIResponse\get(5035);
+        }
+    }
+
+    private function __validate_host() {
+        # Validate our required `host` payload value
+        if (isset($this->initial_data["host"])) {
+            # Ensure the `host` value is a valid IP or hostname
+            if (is_ipaddr($this->initial_data["host"]) or is_hostname($this->initial_data["host"])) {
+                $this->validated_data["host"] = $this->initial_data["host"];
+            } else {
+                $this->errors[] = APIResponse\get(5012);
+            }
+        } else {
+            $this->errors[] = APIResponse\get(5011);
+        }
+    }
+
+    private function __validate_radius_secret() {
+        # Validate our required `radius_secret` payload value
+        if (isset($this->initial_data["radius_secret"])) {
+            # Ensure the `radius_secret` is a string
+            if (is_string($this->initial_data["radius_secret"])) {
+                $this->validated_data["radius_secret"] = $this->initial_data["radius_secret"];
+            } else {
+                $this->errors[] = APIResponse\get(5029);
+            }
+        } else {
+            $this->errors[] = APIResponse\get(5028);
+        }
+    }
+
+    private function __validate_radius_auth_port() {
+        # Validate our required `radius_auth_port` payload value
+        if (isset($this->initial_data["radius_auth_port"])) {
+            # Ensure the `radius_auth_port` is a port
+            if (is_port(strval($this->initial_data["radius_auth_port"]))) {
+                $this->validated_data["radius_auth_port"] = $this->initial_data["radius_auth_port"];
+            } else {
+                $this->errors[] = APIResponse\get(5030);
+            }
+        }
+    }
+
+    private function __validate_radius_acct_port() {
+        # Validate our required `radius_acct_port` payload value
+        if (isset($this->initial_data["radius_acct_port"])) {
+            # Ensure the `radius_acct_port` is a port
+            if (is_port(strval($this->initial_data["radius_acct_port"]))) {
+                $this->validated_data["radius_acct_port"] = $this->initial_data["radius_acct_port"];
+            } else {
+                $this->errors[] = APIResponse\get(5031);
+            }
+        }
+        # Throw an error if neither an authentication nor accounting port was provided
+        elseif (!isset($this->validated_data["radius_auth_port"])) {
+            $this->errors[] = APIResponse\get(5032);
+        }
+    }
+
+    private function __validate_radius_protocol() {
+        # Validate our optional `radius_protocol` payload value
+        if (isset($this->initial_data["radius_protocol"])) {
+            # Ensure the value is a valid RADIUS protocol option
+            if (in_array($this->initial_data["radius_protocol"], ["PAP", "CHAP_MD5", "MSCHAPv1", "MSCHAPv2"])) {
+                $this->validated_data["radius_protocol"] = $this->initial_data["radius_protocol"];
+            } else {
+                $this->errors[] = APIResponse\get(5027);
+            }
+        }
+        # Assume default if none was specified
+        else {
+            $this->validated_data["radius_protocol"] = "MSCHAPv2";
+        }
+    }
+
+    private function __validate_radius_timeout() {
+        # Validate our required `radius_timeout` payload value
+        if (isset($this->initial_data["radius_timeout"])) {
+            # Ensure the `radius_timeout` is an integer of 1 or greater
+            if (is_integer($this->initial_data["radius_timeout"]) and $this->initial_data["radius_timeout"] >= 1) {
+                $this->validated_data["radius_timeout"] = $this->initial_data["radius_timeout"];
+            } else {
+                $this->errors[] = APIResponse\get(5033);
+            }
+        }
+        # Otherwise assume default value
+        else {
+            $this->validated_data["radius_timeout"] = 5;
+        }
+    }
+
+    private function __validate_radius_nasip_attribute() {
+        # Validate our required `radius_nasip_attribute` payload value
+        if (isset($this->initial_data["radius_nasip_attribute"])) {
+            # Try to locate the interface associated with the client's input
+            $if = APITools\get_pfsense_if_id($this->initial_data["radius_nasip_attribute"]);
+
+            # Ensure the client's input matched an existing interface
+            if ($if) {
+                $this->validated_data["radius_nasip_attribute"] = $if;
+            } else {
+                $this->errors[] = APIResponse\get(5034);
+            }
+        }
+        # Otherwise assume default value
+        else {
+            $this->validated_data["radius_nasip_attribute"] = "wan";
+        }
+    }
+}