Added endpoints for /services/sshd/ and /services/ssdh/modify to read and modify existing sshd configurations, added endpoints for /system/hostname/ and /system/hostname/modify/ to read and modify the existing system hostname, added pre-run check to ensure a supported version of pfSense is running before making any changes, updated Makefile and pkg-plist accordingly

Author: jaredhendrickson13

pfSense-pkg-API/Makefile

@@ -90,7 +90,14 @@ do-install:
 	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/system/config
 	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/system/config/index.php \
 		${STAGEDIR}${PREFIX}/www/api/v1/system/config
-
+	# Hostname base
+	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/system/hostname
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/system/hostname/index.php \
+		${STAGEDIR}${PREFIX}/www/api/v1/system/hostname
+	# Hostname modify
+	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/system/hostname/modify
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/system/hostname/modify/index.php \
+		${STAGEDIR}${PREFIX}/www/api/v1/system/hostname/modify
 	# STATUS API ENDPOINTS----------------------------------------
 	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/status/
 	# CARP base
@@ -263,6 +270,12 @@ do-install:
 		${STAGEDIR}${PREFIX}/www/api/v1/services/ntpd/restart
 	# SSHD base
 	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/services/sshd
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/services/sshd/index.php \
+		${STAGEDIR}${PREFIX}/www/api/v1/services/sshd
+	# SSHD modify
+	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/services/sshd/modify
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/services/sshd/modify/index.php \
+		${STAGEDIR}${PREFIX}/www/api/v1/services/sshd/modify
 	# SSHD start
 	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/services/sshd/start
 	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/services/sshd/start/index.php \

pfSense-pkg-API/files/etc/inc/api.inc

@@ -204,6 +204,7 @@ function api_authorized($req_privs, $read_only=false) {
 
 // Run our pre-runtime checks
 function api_runtime_allowed() {
+    api_version_check();    // Die if incompatible pfSense version
     api_enabled();    // Die if API is disabled in configuration
     api_whitelist_check();    // Die if server address is not whitelisted
 }
@@ -245,6 +246,21 @@ function is_api_read_only() {
     }
 }
 
+// Check if our pfSense version is allowed to run this version of API
+function api_version_check() {
+    # Local variables
+    $curr_ver = str_replace(".", "", explode("-", get_pfsense_version()["version"])[0]);
+    $min_ver = 244;
+    $curr_ver = is_numeric($curr_ver) ? intval($curr_ver) : 0;
+    $valid_ver = false;
+    if ($curr_ver < $min_ver) {
+        http_response_code(501);
+        $api_resp = array("status" => "not implemented", "code" => 501, "return" => 17, "message" => "incompatible pfsense version");
+        echo json_encode($api_resp) . PHP_EOL;
+        die();
+    }
+}
+
 // Check if server IP is allowed to answer API calls. Redirects to login if not
 function api_whitelist_check() {
     global $config;
@@ -342,6 +358,39 @@ function api_extended_search($base_data, $search_data) {
     return $base_data;
 }
 
+// Check our local pfSense version
+function get_pfsense_version() {
+    # VARIABLES
+    $ver_path = "/etc/version";    // Assign the path to our version file
+    $ver_patch_path = "/etc/version.patch";    // Assign the path to our version patch file
+    $ver_bt_path = "/etc/version.buildtime";    // Assign the path to our version build time file
+    $ver_lc_path = "/etc/version.lastcommit";    // Assign the path to our version last commit file
+    $ver_data = array();    // Init an empty array for our version data
+    # RUN TIME
+    // Check that our files exist, if so read the files. Otherwise return error
+    if (file_exists($ver_path)) {
+        $ver_file = fopen($ver_path, "r");    // Open our file
+        $ver = str_replace(PHP_EOL, "", fread($ver_file, filesize($ver_path)));    // Save our version data
+        $ver_data["version"] = $ver;    // Save to array
+    }
+    if (file_exists($ver_patch_path)) {
+        $ver_patch_file = fopen($ver_patch_path, "r");    // Open our file
+        $ver_patch = str_replace(PHP_EOL, "", fread($ver_patch_file, filesize($ver_patch_path)));    // Save patch
+        $ver_data["patch"] = $ver_patch;    // Save to array
+    }
+    if (file_exists($ver_bt_path)) {
+        $ver_bt_file = fopen($ver_bt_path, "r");    // Open our file
+        $ver_bt = str_replace(PHP_EOL, "", fread($ver_bt_file, filesize($ver_bt_path)));    // Save bt data
+        $ver_data["buildtime"] = $ver_bt;    // Save to array
+    }
+    if (file_exists($ver_lc_path)) {
+        $ver_lc_file = fopen($ver_lc_path, "r");    // Open our file
+        $ver_lc = str_replace(PHP_EOL, "", fread($ver_lc_file, filesize($ver_lc_path)));    // Save bt data
+        $ver_data["lastcommit"] = $ver_lc;    // Save to array
+    }
+    return $ver_data;
+}
+
 // Check if a DNS Resolver (Unbound) host override already exists
 function unbound_host_override_exists($hostname, $domain) {
     // Local variables

pfSense-pkg-API/files/etc/inc/apicalls.inc

@@ -1966,6 +1966,106 @@ function api_system_version() {
     }
 }
 
+function api_system_hostname() {
+    # VARIABLES
+    global $config, $api_resp, $client_params;
+    $read_only_action = true;    // Set whether this action requires read only access
+    $req_privs = array("page-all", "page-system");    // Allowed privs
+    $http_method = $_SERVER['REQUEST_METHOD'];    // Save our HTTP method
+    $host_array = array("hostname" => "", "domain" => "");    // Init our return array
+    # RUN TIME
+    // Check that client is authenticated and authorized
+    if (api_authorized($req_privs, $read_only_action)) {
+        // Check that our HTTP method is GET (READ)
+        if ($http_method === 'GET') {
+            // Check that we have a hostname configuration
+            if (!empty($config["system"]["hostname"])) {
+                $host_array["hostname"] = $config["system"]["hostname"];
+            }
+            // Check that we have a domain configuration
+            if (!empty($config["system"]["domain"])) {
+                $host_array["domain"] = $config["system"]["domain"];
+            }
+            if (isset($client_params['search'])) {
+                $search = $client_params['search'];
+                $host_array = api_extended_search($host_array, $search);
+            }
+            // Print our JSON response
+            $api_resp = array("status" => "ok", "code" => 200, "return" => 0, "message" => "", "data" => $host_array);
+            return $api_resp;
+        } else {
+            $api_resp = array("status" => "bad request", "code" => 400, "return" => 2, "message" => "invalid http method");
+            return $api_resp;
+        }
+    } else {
+        return $api_resp;
+    }
+}
+
+function api_system_hostname_modify() {
+    # VARIABLES
+    global $config, $api_resp, $client_params, $client_id;
+    $read_only_action = false;    // Set whether this action requires read only access
+    $req_privs = array("page-all", "page-system");    // Array of privs allowed
+    $http_method = $_SERVER['REQUEST_METHOD'];    // Save our HTTP method
+    # RUN TIME
+    // Check that client is authenticated and authorized
+    if (api_authorized($req_privs, $read_only_action)) {
+        // Check that our HTTP method is POST (DELETE)
+        if ($http_method === 'POST') {
+            if (isset($client_params['hostname'])) {
+                $hostname = $client_params['hostname'];
+                $hostname = trim($hostname);
+                // Check if our hostname is valid
+                if (!is_hostname($hostname) or !is_unqualified_hostname($hostname)) {
+                    $api_resp = array("status" => "bad request", "code" => 400, "return" => 170);
+                    $api_resp["message"] = "invalid hostname";
+                    return $api_resp;
+                } else {
+                    $config["system"]["hostname"] = $hostname;
+                }
+            }
+            if (isset($client_params['domain'])) {
+                $domain = $client_params['domain'];
+                $domain = trim($domain);
+                // Check if our hostname is valid
+                if (!is_domain($domain)) {
+                    $api_resp = array("status" => "bad request", "code" => 400, "return" => 171);
+                    $api_resp["message"] = "invalid domain";
+                    return $api_resp;
+                } else {
+                    $config["system"]["domain"] = $domain;
+                }
+            }
+            // Write our new hostname
+            $_SESSION["Username"] = $client_id;    // Save our CLIENT ID to session data for logging
+            $change_note = " Modified system hostname via API";    // Add a change note
+            write_config(sprintf(gettext($change_note)));    // Apply our configuration change
+            // Update a slew of backend services
+            if (isset($hostname) or isset($domain)) {
+                system_hostname_configure();
+                system_hosts_generate();
+                system_resolvconf_generate();
+                if (isset($config['dnsmasq']['enable'])) {
+                    services_dnsmasq_configure();
+                } elseif (isset($config['unbound']['enable'])) {
+                    services_unbound_configure();
+                }
+                filter_configure();
+            }
+            // Print our JSON response
+            $api_resp = array("status" => "ok", "code" => 200, "return" => 0, "message" => "system hostname modified");
+            $api_resp["data"] = array("hostname" => $config["system"]["hostname"], "domain" => $config["system"]["domain"]);
+            return $api_resp;
+        } else {
+            $api_resp = array("status" => "bad request", "code" => 400, "return" => 2, "message" => "invalid http method");
+            return $api_resp;
+        }
+    } else {
+        return $api_resp;
+    }
+}
+
 function api_system_arp() {
     # VARIABLES
     global $g, $config, $argv, $userindex, $api_resp, $client_params;
@@ -3008,6 +3108,145 @@ function api_services() {
     }
 }
 
+function api_services_sshd() {
+    # VARIABLES
+    global $config, $api_resp, $client_params;
+    $read_only_action = true;    // Set whether this action requires read only access
+    $req_privs = array("page-all", "page-system-advanced-admin");    // Array of privs allowed
+    $http_method = $_SERVER['REQUEST_METHOD'];    // Save our HTTP method
+    $ssh_array = array();    // Init our return array
+    # RUN TIME
+    // Check that client is authenticated and authorized
+    if (api_authorized($req_privs, $read_only_action)) {
+        // Check that our HTTP method is GET (READ)
+        if ($http_method === 'GET') {
+            // Check that we have a configuration
+            if (!empty($config["system"]["ssh"])) {
+                $ssh_array = $config["system"]["ssh"];
+            }
+            if (isset($client_params['search'])) {
+                $search = $client_params['search'];
+                $ssh_array = api_extended_search($ssh_array, $search);
+            }
+            // Print our JSON response
+            $api_resp = array("status" => "ok", "code" => 200, "return" => 0, "message" => "", "data" => $ssh_array);
+            return $api_resp;
+        } else {
+            $api_resp = array("status" => "bad request", "code" => 400, "return" => 2, "message" => "invalid http method");
+            return $api_resp;
+        }
+    } else {
+        return $api_resp;
+    }
+}
+
+function api_services_sshd_modify() {
+    # VARIABLES
+    global $config, $api_resp, $client_id, $client_params;
+    $read_only_action = false;    // Set whether this action requires read only access
+    $req_privs = array("page-all", "page-system-advanced-admin");    // Array of privileges allowing this action
+    $http_method = $_SERVER['REQUEST_METHOD'];    // Save our HTTP method
+    $allowed_auth_types = array("disabled", "enabled", "both");    // Array of allowed auth types
+    $err_found = false;    // Track errors
+    # RUN TIME
+    // Check that client is authenticated and authorized
+    if (api_authorized($req_privs, $read_only_action)) {
+        $api_resp = array("status" => "bad request", "code" => 400);
+        // Check that our HTTP method is POST (UPDATE)
+        if ($http_method === 'POST') {
+            if (isset($client_params['enable'])) {
+                $enable = $client_params['enable'];
+                if ($enable === true) {
+                    $config["system"]["ssh"]["enable"] = "enabled";
+                } elseif ($enable === false) {
+                    unset($config["system"]["ssh"]["enable"]);
+                } else {
+                    $api_resp["message"] = "invalid sshd enable value";
+                    $api_resp["return"] = 165;
+                }
+            }
+            if (isset($client_params["sshdkeyonly"])) {
+                $sshdkeyonly = $client_params["sshdkeyonly"];
+                // Check if our auth type is valid
+                if (in_array($sshdkeyonly, $allowed_auth_types)) {
+                    if ($sshdkeyonly === "disabled") {
+                        unset($config["system"]["ssh"]["sshdkeyonly"]);
+                    } else {
+                        $config["system"]["ssh"]["sshdkeyonly"] = $sshdkeyonly;
+                    }
+                } else {
+                    $err_found = true;
+                    $api_resp["message"] = "invalid sshd key only type";
+                    $api_resp["return"] = 166;
+                }
+            }
+            if (isset($client_params['sshdagentforwarding'])) {
+                $sshdagentforwarding = $client_params['sshdagentforwarding'];
+                if ($sshdagentforwarding === true) {
+                    $config["system"]["ssh"]["sshdagentforwarding"] = "enabled";
+                } elseif ($sshdagentforwarding === false) {
+                    unset($config["system"]["ssh"]["sshdagentforwarding"]);
+                } else {
+                    $err_found = true;
+                    $api_resp["message"] = "invalid sshd agent forwarding value";
+                    $api_resp["return"] = 167;
+                }
+            }
+            if (isset($client_params['port'])) {
+                $port = strval($client_params['port']);
+                // Convert string to array
+                if (is_port($port)) {
+                    $config["system"]["ssh"]["port"] = $port;
+                } else {
+                    $err_found = true;
+                    $api_resp["message"] = "invalid sshd port value";
+                    $api_resp["return"] = 168;
+                }
+            }
+            // Add debug data if requested
+            if (array_key_exists("debug", $client_params)) {
+                echo "ENABLE SSHD:" . PHP_EOL;
+                echo var_dump($enable) . PHP_EOL;
+                echo "SSHD KEY ONLY:" . PHP_EOL;
+                echo var_dump($sshdkeyonly) . PHP_EOL;
+                echo "SSHD AGENT FORWARDING:" . PHP_EOL;
+                echo var_dump($sshdagentforwarding) . PHP_EOL;
+                echo "SSHD PORT:" . PHP_EOL;
+                echo var_dump($port) . PHP_EOL;
+
+            }
+            // Check if we found an error, if so, quit
+            if ($err_found) {
+                http_response_code(400);
+                echo json_encode($api_resp);
+                die();
+            }
+            $_SESSION["Username"] = $client_id;    // Save our CLIENT ID to session data for logging
+            $change_note = " Modified SSHD configuration via API";    // Add a change note
+            write_config(sprintf(gettext($change_note)));    // Apply our configuration change
+            // Check that something was changed before altering service
+            if (isset($enable) or isset($port) or isset($sshdagentforwarding) or isset($sshdkeyonly)) {
+                killbyname("sshd");    // Kill SSHD
+                log_error(gettext("secure shell configuration has changed. Stopping sshd."));
+                if ($config['system']['ssh']['enable']) {
+                    log_error(gettext("secure shell configuration has changed. Restarting sshd."));
+                    send_event("service restart sshd");
+                }
+            }
+            // Loop through each alias and see if our alias was added successfully
+            $api_resp = array("status" => "ok", "code" => 200, "return" => 0);
+            $api_resp["message"] = "sshd configuration modified";
+            $api_resp["data"] = $config["system"]["ssh"];
+            return $api_resp;
+        } else {
+            $api_resp = array("status" => "bad request", "code" => 400, "return" => 2, "message" => "invalid http method");
+            return $api_resp;
+        }
+    } else {
+        return $api_resp;
+    }
+}
+
 function api_services_sshd_start() {
     # VARIABLES
     global $config, $api_resp, $client_params;

pfSense-pkg-API/files/usr/local/www/api/v1/api_return_codes.txt

@@ -16,7 +16,7 @@ API RETURN CODES
 14: ip or subnet in use
 15: forbidden
 16: invalid mac address
-
+17: incompatible pfsense version
 20: Username required
 21: Password required
 22: User already exists
@@ -106,6 +106,12 @@ API RETURN CODES
 163: invalid redirect ip address
 164: invalid redirect port
 164: invalid rule association value
+165: invalid sshd enable value
+166: invalid sshd key only type
+167: invalid sshd agent forwarding value
+168: invalid sshd port value
+170: invalid hostname
+171: invalid domain
 
 
 

pfSense-pkg-API/files/usr/local/www/api/v1/services/sshd/index.php

@@ -0,0 +1,10 @@
+<?php
+# Copyright 2020 - Jared Hendrickson
+# IMPORTS
+require_once("apicalls.inc");
+
+# RUN API CALL
+$resp = api_services_sshd();
+http_response_code($resp["code"]);
+echo json_encode($resp) . PHP_EOL;
+exit();

pfSense-pkg-API/files/usr/local/www/api/v1/services/sshd/modify/index.php

@@ -0,0 +1,10 @@
+<?php
+# Copyright 2020 - Jared Hendrickson
+# IMPORTS
+require_once("apicalls.inc");
+
+# RUN API CALL
+$resp = api_services_sshd_modify();
+http_response_code($resp["code"]);
+echo json_encode($resp) . PHP_EOL;
+exit();