Created API model for our access_token endpoint

Author: jaredhendrickson13

pfSense-pkg-API/files/etc/inc/api.inc

@@ -352,6 +352,7 @@ function api_whitelist_check() {
     $if_conf = $config["interfaces"];
     $whitelist = array("any");
     $srv_ip = $_SERVER["SERVER_ADDR"];
+
     // Check that we have a package configuration
     if (is_numeric($pkg_id)) {
         // Override defaults with user specified config

pfSense-pkg-API/files/etc/inc/api/api_calls/APIAccessToken.inc

@@ -1,15 +1,16 @@
 <?php
-require_once("api/framework/APITools.inc");
 require_once("api/framework/APIBaseModel.inc");
 require_once("api/framework/APIResponse.inc");
-require_once("api/framework/APIAuth.inc");
 
 class APIAccessToken extends APIBaseModel {
     # Create our method constructor
     public function __construct() {
         parent::__construct();
-        $this->methods = ["GET"];
-        $this->validators = ["validateAuthMode"];
+        $this->set_auth_mode = "local";
+        $this->methods = ["POST"];
+        $this->validators = [
+            $this->validateAuthMode()
+        ];
     }
 
     # Validate our API configurations auth mode (must be JWT)
@@ -18,13 +19,13 @@ class APIAccessToken extends APIBaseModel {
 
         # Add error if our auth mode is invalid
         if ($api_config["authmode"] !== "jwt") {
-            $this->errors[] = APIResponse\get(9);
+            return APIResponse\get(9);
         }
     }
 
     # Override action subclass to create a JWT and return it to the user
     public function action() {
-        $jwt = api_create_jwt($this->client->username);
+        $jwt = APITools\create_jwt($this->client->username);
         return APIResponse\get(0, ["token" => $jwt]);
     }
 }

pfSense-pkg-API/files/etc/inc/api/framework/APIAuth.inc

@@ -1,7 +1,6 @@
 <?php
 require_once("api/framework/APITools.inc");
 
-
 # Creates an object capable of verifying authentication and authorization based on the configuration
 class APIAuth {
     private $api_config;
@@ -14,9 +13,9 @@ class APIAuth {
     public $is_authorized;
 
     # Create our method constructor
-    public function __construct($req_privs){
+    public function __construct($req_privs, $enforce_auth_mode=null){
         $this->api_config = APITools\get_api_config()[1];
-        $this->auth_mode = $this->api_config["authmode"];
+        $this->auth_mode = (is_null($enforce_auth_mode)) ? $this->api_config["authmode"] : $enforce_auth_mode;
         $this->request = APITools\get_request_data();
         $this->req_privs = $req_privs;
         $this->privs = [];

pfSense-pkg-API/files/etc/inc/api/framework/APIBaseModel.inc

@@ -12,39 +12,21 @@ class APIBaseModel {
     public $errors;
     public $methods;
     public $requires_auth;
+    public $set_auth_mode;
 
     public function __construct() {
         $this->methods = ["GET", "POST"];
         $this->privileges = ["page-all"];
-        $this->client = new APIAuth($this->privileges);
+        $this->client = null;
         $this->requires_auth = true;
+        $this->set_auth_mode = null;
         $this->validators = [];
         $this->initial_data = APITools\get_request_data();
         $this->validated_data = [];
         $this->errors = [];
 
     }
 
-    private function check_authentication() {
-        if ($this->requires_auth === true) {
-            if (!$this->client->is_authenticated) {
-                $this->errors[] = APIResponse\get(3);
-            }
-        }
-    }
-
-    private function check_authorization() {
-        if (!$this->client->is_authorized) {
-            $this->errors[] = APIResponse\get(4);
-        }
-    }
-
-    private function check_method() {
-        if (!in_array($_SERVER["REQUEST_METHOD"], $this->methods)) {
-            $this->errors[] = APIResponse\get(2);
-        }
-    }
-
     public function action() {
         # This function is intended to be overridden by an API model extended class
         # Any configuration writes, system configurations, etc should be added when overriding this base class
@@ -53,12 +35,15 @@ class APIBaseModel {
     }
 
     public function validate() {
+        $this->check_enable();
+        $this->check_server_ip();
+        $this->check_version();
         $this->check_method();
         if ($this->requires_auth) {
             $this->check_authentication();
             $this->check_authorization();
         }
-        $this->errors = array_merge($this->errors, $this->validators);
+        $this->errors = array_filter(array_merge($this->errors, $this->validators));
 
 
         if (count($this->errors) === 0) {
@@ -77,10 +62,78 @@ class APIBaseModel {
     }
 
     public function listen() {
+        header("Content-Type: application/json", true);
+        header("Referer: no-referrer");
         $resp = $this->call();
         http_response_code($resp["code"]);
         echo json_encode($resp) . PHP_EOL;
         exit();
     }
 
+    private function check_authentication() {
+        $this->client = new APIAuth($this->privileges, $this->set_auth_mode);
+        if ($this->requires_auth === true) {
+            if (!$this->client->is_authenticated) {
+                $this->errors[] = APIResponse\get(3);
+            }
+        }
+    }
+
+    private function check_authorization() {
+        if (!$this->client->is_authorized) {
+            $this->errors[] = APIResponse\get(4);
+        }
+    }
+
+    private function check_method() {
+        if (!in_array($_SERVER["REQUEST_METHOD"], $this->methods)) {
+            $this->errors[] = APIResponse\get(2);
+        }
+    }
+
+    # Check if the API is enabled before answering calls, if not, redirect to wc login
+    private function check_enable() {
+        $api_config = APITools\get_api_config()[1];
+        if (!isset($api_config["enable"])) {
+            header("Location: /");
+            die();
+        }
+    }
+
+    # Check if server is running a supported version of pfSense
+    private function check_version() {
+        # Local variables
+        $curr_ver = str_replace(".", "", explode("-", APITools\get_pfsense_version()["version"])[0]);
+        $min_ver = 244;
+        $curr_ver = is_numeric($curr_ver) ? intval($curr_ver) : 0;
+        if ($curr_ver < $min_ver) {
+            $this->errors[] = APIResponse\get(5);
+        }
+    }
+
+    # Check if server IP is allowed to answer API calls. Redirects to login if not
+    private function check_server_ip() {
+        $pkg_conf = APITools\get_api_config()[1];
+        $allow_ifs = $pkg_conf["allowed_interfaces"];
+        $whitelist = explode(",", $allow_ifs);
+
+        // Check if our server IP is in our whitelist
+        foreach ($whitelist as $wif) {
+            $if_info = get_interface_info($wif);
+            // Check if our server IP is a valid if address, localhost, or any
+            if ($_SERVER["SERVER_ADDR"] === $if_info["ipaddr"]) {
+                return;
+            } elseif ($_SERVER["SERVER_ADDR"] === $if_info["ipaddrv6"]) {
+                return;
+            } elseif (in_array($_SERVER["SERVER_ADDR"], ["::1", "127.0.0.1", "localhost"]) and $wif === "localhost") {
+                return;
+            }elseif ($wif === "any") {
+                return;
+            }
+        }
+
+        # Return 444 response if we did not find a previous match
+        $this->errors[] = APIResponse\get(6);
+    }
+
 }

pfSense-pkg-API/files/etc/inc/api/framework/APITools.inc

@@ -1,6 +1,5 @@
 <?php
 namespace APITools;
-require_once("apiresp.inc");
 require_once("php-jwt/src/JWT.php");
 require_once("php-jwt/src/ExpiredException.php");
 require_once("php-jwt/src/SignatureInvalidException.php");
@@ -29,6 +28,40 @@ function get_request_data() {
     return $data;
 }
 
+# Check our local pfSense version
+function get_pfsense_version() {
+    # VARIABLES
+    $ver_path = "/etc/version";    // Assign the path to our version file
+    $ver_patch_path = "/etc/version.patch";    // Assign the path to our version patch file
+    $ver_bt_path = "/etc/version.buildtime";    // Assign the path to our version build time file
+    $ver_lc_path = "/etc/version.lastcommit";    // Assign the path to our version last commit file
+    $ver_data = array();    // Init an empty array for our version data
+
+    // Check that our files exist, if so read the files. Otherwise return error
+    if (file_exists($ver_path)) {
+        $ver_file = fopen($ver_path, "r");    // Open our file
+        $ver = str_replace(PHP_EOL, "", fread($ver_file, filesize($ver_path)));    // Save our version data
+        $ver_data["version"] = $ver;    // Save to array
+    }
+    if (file_exists($ver_patch_path)) {
+        $ver_patch_file = fopen($ver_patch_path, "r");    // Open our file
+        $ver_patch = str_replace(PHP_EOL, "", fread($ver_patch_file, filesize($ver_patch_path)));    // Save patch
+        $ver_data["patch"] = $ver_patch;    // Save to array
+    }
+    if (file_exists($ver_bt_path)) {
+        $ver_bt_file = fopen($ver_bt_path, "r");    // Open our file
+        $ver_bt = str_replace(PHP_EOL, "", fread($ver_bt_file, filesize($ver_bt_path)));    // Save bt data
+        $ver_data["buildtime"] = $ver_bt;    // Save to array
+    }
+    if (file_exists($ver_lc_path)) {
+        $ver_lc_file = fopen($ver_lc_path, "r");    // Open our file
+        $ver_lc = str_replace(PHP_EOL, "", fread($ver_lc_file, filesize($ver_lc_path)));    // Save bt data
+        $ver_data["lastcommit"] = $ver_lc;    // Save to array
+    }
+    $ver_data["program"] = floatval(str_replace(".", "", explode("-", $ver)[0]).".".$ver_patch);
+    return $ver_data;
+}
+
 # Locates our API configuration from pfSense's XML configuration. Returns
 function get_api_config() {
     global $config;
@@ -58,8 +91,8 @@ function is_user_disabled($username) {
 # Creates JWT server key if one does not exist, or optionally allows rotation of the JWT server key
 function create_jwt_server_key($rotate=false) {
     global $config;
-    $pkg_index = get_api_configuration()[0];    // Save our current API configs pkg index
-    $api_config = get_api_configuration()[1];    // Save our current API config
+    $pkg_index = get_api_config()[0];    // Save our current API configs pkg index
+    $api_config = get_api_config()[1];    // Save our current API config
     # Create a new server key if one is not set
     if (empty($api_config["server_key"]) or $rotate === true) {
         $config["installedpackages"]["package"][$pkg_index]["conf"]["server_key"] = bin2hex(random_bytes(32));
@@ -84,6 +117,7 @@ function create_jwt($data) {
 
 # Decodes a JWT using our store server key
 function decode_jwt($token) {
+    $token = (is_string($token)) ? $token : "";
     $key = get_api_config()[1]["server_key"];    // Save our current server key
     try {
         $decoded = (array) JWT::decode($token, $key, array('HS256'));
@@ -123,4 +157,27 @@ function authenticate_token($cid, $ctoken) {
         }
     }
     return $authenticated;
+}
+
+// Generate new API tokens for token auth mode
+function generate_token($username) {
+    // Local variables
+    global $config;
+    $pkg_index = get_api_config()[0];    // Save our current API configs pkg index
+    $api_config = get_api_config()[1];    // Save our current API config
+    $key_hash_algo = $api_config["keyhash"];    // Pull our configured key hash algorithm
+    $key_bit_strength = $api_config["keybytes"];    // Pull our configured key bit strength
+    $key_user = bin2hex($username);    // Save our user's dedicated API client-ID
+    $key_new = bin2hex(random_bytes(intval($key_bit_strength)));    // Generate a new key
+    $key_hash = hash($key_hash_algo, $key_new);    // Hash our key using our configured algos
+
+    // Loop through our existing keys to see
+    $api_config["keys"] = !is_array($api_config["keys"]) ? array("key" => []) : $api_config["keys"];
+    $api_config["keys"]["key"][] = array("client_id" => $key_user, "client_token" => $key_hash, "algo" => $key_hash_algo);
+
+    // Write our changes
+    $config["installedpackages"]["package"][$pkg_index]["conf"] = $api_config;    // Write change to config
+    $change_note = " Generated API key";    // Add a change note
+    write_config(sprintf(gettext($change_note)));    // Apply our configuration change
+    return $key_new;
 }

pfSense-pkg-API/files/usr/local/www/api/index.php

@@ -1,7 +1,7 @@
 <?php
 include_once("util.inc");
 include_once("guiconfig.inc");
-require_once("api.inc");
+require_once("api/framework/APITools.inc");
 
 // Variables
 global $config;    // Define our config globally
@@ -12,24 +12,23 @@
 display_top_tabs($tab_array, true);    // Ensure the tabs are written to the top of page
 $user = $_SESSION["Username"];    // Save our username
 $sec_client_id = bin2hex($user);    // Save our secure username client ID (token mode)
-$b64_client_id = base64_encode($user);    // Save a base64 encoded version of our username
-$pkg_config = get_api_configuration();    // Save our entire pkg config
+$pkg_config = APITools\get_api_config();    // Save our entire pkg config
 $pkg_index = $pkg_config[0];    // Save our pkg configurations index value
 $api_config = $pkg_config[1];    // Save our api configuration from our pkg config
-$available_auth_modes = array("local" => "Local Database", "base64" => "Base64", "token" => "API Token", "jwt" => "JWT");
+$available_auth_modes = array("local" => "Local Database", "token" => "API Token", "jwt" => "JWT");
 $available_hash_algos = array("sha256" => "SHA256", "sha384" => "SHA384", "sha512" => "SHA512", "md5" => "MD5");
 $available_key_bytes = array("16", "32", "64");    // Save our allowed key bitlengths
 $non_config_ifs = array("any" => "Any", "localhost" => "Link-local");    // Save non-configurable interface ids
 $availabe_api_if = array_merge($non_config_ifs, get_configured_interface_with_descr(true));    // Combine if arrays
 
 // UPON POST
 if ($_POST["gen"] === "1") {
-    $new_key = api_generate_token($user);
+    $new_key = APITools\generate_token($user);
     print_apply_result_box(0, "\nSave this API key somewhere safe, it cannot be viewed again: \n".$new_key);
 }
 // Rotate JWT server key requested
 if ($_POST["rotate_server_key"] === "1") {
-    api_create_jwt_server_key(true);
+    APITools\create_jwt_server_key(true);
     print_apply_result_box(0, "\nRotated JWT server key.\n");
 }
 
@@ -220,7 +219,7 @@
 <?php
         if ($api_config["authmode"] === "token") {
             // Pull credentials if configured
-            $user_creds = api_get_existing_tokens($user);
+            $user_creds = APITools\get_existing_tokens($user);
             echo "<div class=\"panel panel-default\">".PHP_EOL;
             echo "    <div class=\"panel-heading\">".PHP_EOL;
             echo "        <h2 class=\"panel-title\">API Credentials</h2>".PHP_EOL;

pfSense-pkg-API/files/usr/local/www/api/v1/access_token/index.php

@@ -1,10 +1,7 @@
 <?php
 # Copyright 2020 - Jared Hendrickson
 # IMPORTS
-require_once("apicalls.inc");
+require_once("api/api_calls/APIAccessToken.inc");
 
 # RUN API CALL
-$resp = api_access_token();
-http_response_code($resp["code"]);
-echo json_encode($resp) . PHP_EOL;
-exit();
+(new APIAccessToken())->listen();