Fixed bug that unnecessarily required the protocol field when updating firewall rules, fixed bug that prevented ports from being behaving correctly when updating firewall rules, fixed bug that prevented firewall rules from being disabled, fixed bug that preventing clients from receiving access tokens when API is set to read only mode

Jared Hendrickson · Jared Hendrickson · commit 87fcfc04b4e5 · 2020-10-01T14:28:29.000-06:00
diff --git a/pfSense-pkg-API/files/etc/inc/api/framework/APIAuth.inc b/pfSense-pkg-API/files/etc/inc/api/framework/APIAuth.inc
@@ -20,6 +20,7 @@ class APIAuth {
     private $api_config;
     private $request;
     public $auth_mode;
+    public $read_mode;
     public $req_privs;
     public $username;
     public $privs;
@@ -28,9 +29,10 @@ class APIAuth {
     public $is_authorized;
 
     # Create our method constructor
-    public function __construct($req_privs, $enforce_auth_mode=null){
+    public function __construct($req_privs, $enforce_auth_mode=null, $read_mode=null){
         $this->api_config = APITools\get_api_config()[1];
         $this->auth_mode = (is_null($enforce_auth_mode)) ? $this->api_config["authmode"] : $enforce_auth_mode;
+        $this->read_mode = (is_null($read_mode)) ? array_key_exists("readonly", $this->api_config) : $read_mode;
         $this->request = APITools\get_request_data();
         $this->req_privs = $req_privs;
         $this->privs = [];
@@ -113,17 +115,17 @@ class APIAuth {
     # AUTHORIZATION #
     # Checks if the current user has the necessary privileges to access this resource
     public function authorize() {
-        // Local variables
+        # Local variables
         $authorized = false;
         $client_config =& getUserEntry($this->username);;
         $this->privs = get_user_privileges($client_config);
         $read_only = array_key_exists("readonly", $this->api_config);
 
         # If no require privileges were given, assume call is always authorized
         if (!empty($this->req_privs)) {
-            // Ensure our API is not read only OR if it is read only, only authorize the request if it is a GET request
-            if ($read_only === false or ($read_only === true and $_SERVER['REQUEST_METHOD'] === "GET")) {
-                // Loop through each of our req privs and ensure the client has them, also check if access is read only
+            # If API is in readonly mode, only allow GET requests
+            if ($this->read_mode === false or ($this->read_mode === true and $_SERVER['REQUEST_METHOD'] === "GET")) {
+                # Loop through each of our req privs and ensure the client has them, also check if access is read only
                 foreach ($this->req_privs as &$priv) {
                     if (in_array($priv, $this->privs)) {
                         $authorized = true;
diff --git a/pfSense-pkg-API/files/etc/inc/api/framework/APIModel.inc b/pfSense-pkg-API/files/etc/inc/api/framework/APIModel.inc
@@ -30,6 +30,7 @@ class APIModel {
     public $change_note;
     public $requires_auth;
     public $set_auth_mode;
+    public $set_read_mode;
 
     public function __construct() {
         global $config;
@@ -39,6 +40,7 @@ class APIModel {
         $this->client = null;
         $this->requires_auth = true;
         $this->set_auth_mode = null;
+        $this->set_read_mode = null;
         $this->change_note = "Made unknown change via API";
         $this->id = null;
         $this->validate_id = true;
@@ -95,7 +97,7 @@ class APIModel {
     }
 
     private function check_authentication() {
-        $this->client = new APIAuth($this->privileges, $this->set_auth_mode);
+        $this->client = new APIAuth($this->privileges, $this->set_auth_mode, $this->set_read_mode);
         if ($this->requires_auth === true) {
             if (!$this->client->is_authenticated) {
                 $this->errors[] = APIResponse\get(3);
diff --git a/pfSense-pkg-API/files/etc/inc/api/models/APIAccessTokenCreate.inc b/pfSense-pkg-API/files/etc/inc/api/models/APIAccessTokenCreate.inc
@@ -21,6 +21,7 @@ class APIAccessTokenCreate extends APIModel {
     public function __construct() {
         parent::__construct();
         $this->set_auth_mode = "local";
+        $this->set_read_mode = false;
     }
 
     # Validate our API configurations auth mode (must be JWT)
diff --git a/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallRuleCreate.inc b/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallRuleCreate.inc
@@ -34,6 +34,9 @@ class APIFirewallRuleCreate extends APIModel {
     }
 
     public function validate_payload() {
+        # Include static rule ID
+        $this->validated_data["id"] = "";
+
         # Check for our required 'type' payload value
         if (isset($this->initial_data["type"])) {
             $type_options = array("pass", "block", "reject");
@@ -179,8 +182,8 @@ class APIFirewallRuleCreate extends APIModel {
 
 
         # Check for our optional 'disabled' payload value
-        if ($this->initial_data['disabled'] !== true) {
-            $this->validated_data["id"] = "";
+        if ($this->initial_data['disabled'] === true) {
+            $this->validated_data["disabled"] = "";
         }
 
         # Check for our optional 'descr' payload value
diff --git a/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallRuleUpdate.inc b/pfSense-pkg-API/files/etc/inc/api/models/APIFirewallRuleUpdate.inc
@@ -51,7 +51,7 @@ class APIFirewallRuleUpdate extends APIModel {
             $this->errors[] = APIResponse\get(4031);
         }
 
-        # Check for our required 'type' payload value
+        # Check for our optional 'type' payload value
         if (isset($this->initial_data["type"])) {
             $type_options = array("pass", "block", "reject");
             # Ensure our type is a valid option
@@ -62,7 +62,7 @@ class APIFirewallRuleUpdate extends APIModel {
             }
         }
 
-        # Check for our required 'interface' payload value
+        # Check for our optional 'interface' payload value
         if (isset($this->initial_data['interface'])) {
             $this->initial_data['interface'] = APITools\get_pfsense_if_id($this->initial_data['interface']);
             # Check that we found the request pfSense interface ID
@@ -73,7 +73,7 @@ class APIFirewallRuleUpdate extends APIModel {
             }
         }
 
-        # Check for our required 'ipprotocol' payload value
+        # Check for our optional 'ipprotocol' payload value
         if (isset($this->initial_data['ipprotocol'])) {
             $ipprotocol_options = array("inet", "inet6", "inet46");
             # Check that our ipprotocol value is a support option
@@ -84,13 +84,21 @@ class APIFirewallRuleUpdate extends APIModel {
             }
         }
 
-        # Check for our required 'protocol' payload value
+        # Check for our optional 'protocol' payload value
         if (isset($this->initial_data['protocol'])) {
-            $port_required = (!in_array($this->validated_data["protocol"], ["tcp", "udp", "tcp/udp"])) ? true : false;
+            $missing_port = (!in_array($this->validated_data["protocol"], ["tcp", "udp", "tcp/udp"])) ? true : false;
+            $requires_port = (in_array($this->initial_data["protocol"], ["tcp", "udp", "tcp/udp"])) ? true : false;
             $protocol_options = [
                 "any", "tcp", "udp", "tcp/udp", "icmp", "esp", "ah",
                 "gre", "ipv6", "igmp", "pim", "ospf", "carp", "pfsync"
             ];
+
+            # If a new protocol was chosen that doesn't require a port, remove existing ports from the rule
+            if ((!in_array($this->initial_data["protocol"], ["tcp", "udp", "tcp/udp"]))) {
+                unset($this->validated_data["source"]["port"]);
+                unset($this->validated_data["destination"]["port"]);
+            }
+
             # Check that our protocol value is a support option
             if (in_array($this->initial_data["protocol"], $protocol_options)) {
                 # Don't add a specific protocol if any
@@ -102,9 +110,10 @@ class APIFirewallRuleUpdate extends APIModel {
             } else {
                 $this->errors[] = APIResponse\get(4042);
             }
-            $protocol = $this->initial_data['protocol'];
         } else {
-            $this->errors[] = APIResponse\get(4036);
+            # If a new protocol was not selected don't validate ports
+            $requires_port = false;
+            $missing_port = false;
         }
 
         # Check for our optional 'icmpsubtype' payload value when our protocol is set to ICMP
@@ -130,7 +139,7 @@ class APIFirewallRuleUpdate extends APIModel {
             }
         }
 
-        # Check for our required 'src' payload value
+        # Check for our optional 'src' payload value
         if (isset($this->initial_data['src'])) {
             // Check if our source and destination values are valid
             $dir_check = APITools\is_valid_rule_addr($this->initial_data['src'], "source");
@@ -141,7 +150,7 @@ class APIFirewallRuleUpdate extends APIModel {
             }
         }
 
-        # Check for our required 'src' payload value
+        # Check for our optional 'src' payload value
         if (isset($this->initial_data['dst'])) {
             // Check if our source and destination values are valid
             $dir_check = APITools\is_valid_rule_addr($this->initial_data['dst'], "destination");
@@ -152,16 +161,16 @@ class APIFirewallRuleUpdate extends APIModel {
             }
         }
 
-        # Check for our required 'srcport' and 'dstport' payload values if protocol is TCP, UDP or TCP/UDP
-        if ($port_required && in_array($this->initial_data["protocol"], ["tcp", "udp", "tcp/udp"])) {
+        # Check for our optional 'srcport' and 'dstport' payload values if protocol is TCP, UDP or TCP/UDP
+        if ($requires_port) {
             if (isset($this->initial_data['srcport'])) {
                 $val = str_replace("-", ":", $this->initial_data['srcport']);
                 if (!is_port_or_range($val) and $val !== "any") {
                     $this->errors[] = APIResponse\get(4048);
                 } elseif ($val !== "any") {
                     $this->validated_data["source"]["port"] = str_replace(":", "-", $val);;
                 }
-            } else {
+            } elseif ($missing_port) {
                 $this->errors[] = APIResponse\get(4047);
             }
 
@@ -172,7 +181,7 @@ class APIFirewallRuleUpdate extends APIModel {
                 } elseif ($val !== "any") {
                     $this->validated_data["destination"]["port"] = str_replace(":", "-", $val);;
                 }
-            } else {
+            } elseif ($missing_port) {
                 $this->errors[] = APIResponse\get(4047);
             }
         }
@@ -189,8 +198,10 @@ class APIFirewallRuleUpdate extends APIModel {
 
 
         # Check for our optional 'disabled' payload value
-        if ($this->initial_data['disabled'] !== true) {
-            $this->validated_data["id"] = "";
+        if ($this->initial_data['disabled'] === true) {
+            $this->validated_data["disabled"] = "";
+        } elseif ($this->initial_data['disabled'] === false) {
+            unset($this->validated_data["disabled"]);
         }
 
         # Check for our optional 'descr' payload value

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ class APIAccessTokenCreate extends APIModel {`
`21`	`21`	`public function __construct() {`
`22`	`22`	`parent::__construct();`
`23`	`23`	`$this->set_auth_mode = "local";`
	`24`	`+ $this->set_read_mode = false;`
`24`	`25`	`}`
`25`	`26`
`26`	`27`	`# Validate our API configurations auth mode (must be JWT)`
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ class APIFirewallRuleUpdate extends APIModel {`
`51`	`51`	`$this->errors[] = APIResponse\get(4031);`
`52`	`52`	`}`
`53`	`53`
`54`		`- # Check for our required 'type' payload value`
	`54`	`+ # Check for our optional 'type' payload value`
`55`	`55`	`if (isset($this->initial_data["type"])) {`
`56`	`56`	`$type_options = array("pass", "block", "reject");`
`57`	`57`	`# Ensure our type is a valid option`
`@@ -62,7 +62,7 @@ class APIFirewallRuleUpdate extends APIModel {`
`62`	`62`	`}`
`63`	`63`	`}`
`64`	`64`
`65`		`- # Check for our required 'interface' payload value`
	`65`	`+ # Check for our optional 'interface' payload value`
`66`	`66`	`if (isset($this->initial_data['interface'])) {`
`67`	`67`	`$this->initial_data['interface'] = APITools\get_pfsense_if_id($this->initial_data['interface']);`
`68`	`68`	`# Check that we found the request pfSense interface ID`
`@@ -73,7 +73,7 @@ class APIFirewallRuleUpdate extends APIModel {`
`73`	`73`	`}`
`74`	`74`	`}`
`75`	`75`
`76`		`- # Check for our required 'ipprotocol' payload value`
	`76`	`+ # Check for our optional 'ipprotocol' payload value`
`77`	`77`	`if (isset($this->initial_data['ipprotocol'])) {`
`78`	`78`	`$ipprotocol_options = array("inet", "inet6", "inet46");`
`79`	`79`	`# Check that our ipprotocol value is a support option`
`@@ -84,13 +84,21 @@ class APIFirewallRuleUpdate extends APIModel {`
`84`	`84`	`}`
`85`	`85`	`}`
`86`	`86`
`87`		`- # Check for our required 'protocol' payload value`
	`87`	`+ # Check for our optional 'protocol' payload value`
`88`	`88`	`if (isset($this->initial_data['protocol'])) {`
`89`		`- $port_required = (!in_array($this->validated_data["protocol"], ["tcp", "udp", "tcp/udp"])) ? true : false;`
	`89`	`+ $missing_port = (!in_array($this->validated_data["protocol"], ["tcp", "udp", "tcp/udp"])) ? true : false;`
	`90`	`+ $requires_port = (in_array($this->initial_data["protocol"], ["tcp", "udp", "tcp/udp"])) ? true : false;`
`90`	`91`	`$protocol_options = [`
`91`	`92`	`"any", "tcp", "udp", "tcp/udp", "icmp", "esp", "ah",`
`92`	`93`	`"gre", "ipv6", "igmp", "pim", "ospf", "carp", "pfsync"`
`93`	`94`	`];`
	`95`	`+`
	`96`	`+ # If a new protocol was chosen that doesn't require a port, remove existing ports from the rule`
	`97`	`+ if ((!in_array($this->initial_data["protocol"], ["tcp", "udp", "tcp/udp"]))) {`
	`98`	`+ unset($this->validated_data["source"]["port"]);`
	`99`	`+ unset($this->validated_data["destination"]["port"]);`
	`100`	`+ }`
	`101`	`+`
`94`	`102`	`# Check that our protocol value is a support option`
`95`	`103`	`if (in_array($this->initial_data["protocol"], $protocol_options)) {`
`96`	`104`	`# Don't add a specific protocol if any`
`@@ -102,9 +110,10 @@ class APIFirewallRuleUpdate extends APIModel {`
`102`	`110`	`} else {`
`103`	`111`	`$this->errors[] = APIResponse\get(4042);`
`104`	`112`	`}`
`105`		`- $protocol = $this->initial_data['protocol'];`
`106`	`113`	`} else {`
`107`		`- $this->errors[] = APIResponse\get(4036);`
	`114`	`+ # If a new protocol was not selected don't validate ports`
	`115`	`+ $requires_port = false;`
	`116`	`+ $missing_port = false;`
`108`	`117`	`}`
`109`	`118`
`110`	`119`	`# Check for our optional 'icmpsubtype' payload value when our protocol is set to ICMP`
`@@ -130,7 +139,7 @@ class APIFirewallRuleUpdate extends APIModel {`
`130`	`139`	`}`
`131`	`140`	`}`
`132`	`141`
`133`		`- # Check for our required 'src' payload value`
	`142`	`+ # Check for our optional 'src' payload value`
`134`	`143`	`if (isset($this->initial_data['src'])) {`
`135`	`144`	`// Check if our source and destination values are valid`
`136`	`145`	`$dir_check = APITools\is_valid_rule_addr($this->initial_data['src'], "source");`
`@@ -141,7 +150,7 @@ class APIFirewallRuleUpdate extends APIModel {`
`141`	`150`	`}`
`142`	`151`	`}`
`143`	`152`
`144`		`- # Check for our required 'src' payload value`
	`153`	`+ # Check for our optional 'src' payload value`
`145`	`154`	`if (isset($this->initial_data['dst'])) {`
`146`	`155`	`// Check if our source and destination values are valid`
`147`	`156`	`$dir_check = APITools\is_valid_rule_addr($this->initial_data['dst'], "destination");`
`@@ -152,16 +161,16 @@ class APIFirewallRuleUpdate extends APIModel {`
`152`	`161`	`}`
`153`	`162`	`}`
`154`	`163`
`155`		`- # Check for our required 'srcport' and 'dstport' payload values if protocol is TCP, UDP or TCP/UDP`
`156`		`- if ($port_required && in_array($this->initial_data["protocol"], ["tcp", "udp", "tcp/udp"])) {`
	`164`	`+ # Check for our optional 'srcport' and 'dstport' payload values if protocol is TCP, UDP or TCP/UDP`
	`165`	`+ if ($requires_port) {`
`157`	`166`	`if (isset($this->initial_data['srcport'])) {`
`158`	`167`	`$val = str_replace("-", ":", $this->initial_data['srcport']);`
`159`	`168`	`if (!is_port_or_range($val) and $val !== "any") {`
`160`	`169`	`$this->errors[] = APIResponse\get(4048);`
`161`	`170`	`} elseif ($val !== "any") {`
`162`	`171`	`$this->validated_data["source"]["port"] = str_replace(":", "-", $val);;`
`163`	`172`	`}`
`164`		`- } else {`
	`173`	`+ } elseif ($missing_port) {`
`165`	`174`	`$this->errors[] = APIResponse\get(4047);`
`166`	`175`	`}`
`167`	`176`
`@@ -172,7 +181,7 @@ class APIFirewallRuleUpdate extends APIModel {`
`172`	`181`	`} elseif ($val !== "any") {`
`173`	`182`	`$this->validated_data["destination"]["port"] = str_replace(":", "-", $val);;`
`174`	`183`	`}`
`175`		`- } else {`
	`184`	`+ } elseif ($missing_port) {`
`176`	`185`	`$this->errors[] = APIResponse\get(4047);`
`177`	`186`	`}`
`178`	`187`	`}`
`@@ -189,8 +198,10 @@ class APIFirewallRuleUpdate extends APIModel {`
`189`	`198`
`190`	`199`
`191`	`200`	`# Check for our optional 'disabled' payload value`
`192`		`- if ($this->initial_data['disabled'] !== true) {`
`193`		`- $this->validated_data["id"] = "";`
	`201`	`+ if ($this->initial_data['disabled'] === true) {`
	`202`	`+ $this->validated_data["disabled"] = "";`
	`203`	`+ } elseif ($this->initial_data['disabled'] === false) {`
	`204`	`+ unset($this->validated_data["disabled"]);`
`194`	`205`	`}`
`195`	`206`
`196`	`207`	`# Check for our optional 'descr' payload value`