Updated contribution doc, started painful migration from function based API calls to object oriented design, small framework adjustments

Jared Hendrickson · Jared Hendrickson · commit 96ef7e49b7fa · 2020-08-21T21:08:06.000-06:00
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
diff --git a/pfSense-pkg-API/Makefile b/pfSense-pkg-API/Makefile
diff --git a/pfSense-pkg-API/files/etc/inc/api.inc b/pfSense-pkg-API/files/etc/inc/api.inc
@@ -1304,7 +1304,7 @@ function get_carp_if_status() {
 // Enables CARP interfaces
 function enable_carp($enable) {
     // Local variables
-    global $err_lib, $config;
+    global $config;
     $vip_arr = $config['virtualip']['vip'];
     $no_action = (is_carp_enabled() === $enable) ? true : false;    // Check if a change is even requried
     // Disable if $enable is false, enable if $enable is true
diff --git a/pfSense-pkg-API/files/etc/inc/api/api_models/APIAccessToken.inc b/pfSense-pkg-API/files/etc/inc/api/api_models/APIAccessToken.inc
@@ -23,7 +23,7 @@ class APIAccessToken extends APIBaseModel {
         }
     }
 
-    # Override action subclass to create a JWT and return it to the user
+    # Override action subclass to create a JWT and return it to the user after successful validation
     public function action() {
         $jwt = APITools\create_jwt($this->client->username);
         return APIResponse\get(0, ["token" => $jwt]);
diff --git a/pfSense-pkg-API/files/etc/inc/api/api_models/APIFirewallNat.inc b/pfSense-pkg-API/files/etc/inc/api/api_models/APIFirewallNat.inc
@@ -0,0 +1,22 @@
+<?php
+require_once("api/framework/APIBaseModel.inc");
+require_once("api/framework/APIResponse.inc");
+
+
+class APIFirewallNat extends APIBaseModel {
+    # Create our method constructor
+    public function __construct() {
+        parent::__construct();
+        $this->methods = ["GET"];
+        $this->validators = [];
+    }
+
+    public function action() {
+        global $config;
+        // Check that we have a NAT configuration
+        if (!empty($config["nat"])) {
+            $this->validated_data = $config["nat"];
+        }
+        return APIResponse\get(0, $this->validated_data);
+    }
+}
diff --git a/pfSense-pkg-API/files/etc/inc/api/api_models/APIStatusCarp.inc b/pfSense-pkg-API/files/etc/inc/api/api_models/APIStatusCarp.inc
@@ -0,0 +1,23 @@
+<?php
+require_once("api/framework/APIBaseModel.inc");
+require_once("api/framework/APIResponse.inc");
+
+
+class APIStatusCarp extends APIBaseModel {
+    # Create our method constructor
+    public function __construct() {
+        parent::__construct();
+        $this->privileges = ["page-all", "page-status-carp"];
+        $this->methods = ["GET"];
+        $this->validators = [];
+    }
+
+    public function action() {
+        global $config;
+        $carp_status = [];
+        $carp_status["enable"] = APITools\is_carp_enabled();
+        $carp_status["maintenance_mode"] = isset($config["virtualip_carp_maintenancemode"]);
+        $carp_status["interfaces"] = APITools\get_carp_if_status();
+        return APIResponse\get(0, $carp_status);
+    }
+}
diff --git a/pfSense-pkg-API/files/etc/inc/api/api_models/APIStatusCarpModify.inc b/pfSense-pkg-API/files/etc/inc/api/api_models/APIStatusCarpModify.inc
@@ -0,0 +1,45 @@
+<?php
+require_once("api/framework/APIBaseModel.inc");
+require_once("api/framework/APIResponse.inc");
+
+
+class APIStatusCarpModify extends APIBaseModel {
+    # Create our method constructor
+    public function __construct() {
+        parent::__construct();
+        $this->privileges = ["page-all", "page-status-carp"];
+        $this->methods = ["POST"];
+        $this->validators = [$this->validate_payload()];
+    }
+
+    private function validate_payload() {
+        // Check if user specified enable value
+        if (isset($this->initial_data['enable'])) {
+            // Check if value is true or false
+            if (boolval($this->initial_data['enable'])) {
+                $enable = true;
+            } else {
+                $enable = false;
+            }
+            $this->validated_data["enable"] = $enable;
+        }
+        // Check if user specified maintenance mode value
+        if (isset($this->initial_data['maintenance_mode'])) {
+            // Check if value is true or false
+            if (boolval($this->initial_data['maintenance_mode'])) {
+                $mm_enable = true;
+            } else {
+                $mm_enable = false;
+            }
+            $this->validated_data["maintenance_mode"] = $mm_enable;
+        }
+    }
+
+    public function action() {
+        // Add our CARP settings
+        $_SESSION["Username"] = $this->client->username;
+        interfaces_carp_set_maintenancemode($this->validated_data["maintenance_mode"]);
+        APITools\enable_carp($this->validated_data["enable"]);
+        return APIResponse\get(0, $this->validated_data);
+    }
+}
diff --git a/pfSense-pkg-API/files/etc/inc/api/framework/APIAuth.inc b/pfSense-pkg-API/files/etc/inc/api/framework/APIAuth.inc
@@ -61,7 +61,7 @@ class APIAuth {
 
     # Attempts to authenticate using API token authentication
     private function authenticate_token() {
-        if (APITools\authenticate_token($this->request["client-id"], $this->request["client-id"]) === true) {
+        if (APITools\authenticate_token($this->request["client-id"], $this->request["client-token"]) === true) {
             $this->username = pack("H*", $this->request["client-id"]);
             // Ensure user is not disabled
             if (APITools\is_user_disabled($this->request["client-id"]) === false) {
diff --git a/pfSense-pkg-API/files/etc/inc/api/framework/APIBaseModel.inc b/pfSense-pkg-API/files/etc/inc/api/framework/APIBaseModel.inc
@@ -31,7 +31,7 @@ class APIBaseModel {
         # This function is intended to be overridden by an API model extended class
         # Any configuration writes, system configurations, etc should be added when overriding this base class
         # If this class is not overridden a 500 unexpected error is returned
-        return APIResponse\get(1);
+        return APIResponse\get(10);
     }
 
     public function validate() {
diff --git a/pfSense-pkg-API/files/etc/inc/api/framework/APIResponse.inc b/pfSense-pkg-API/files/etc/inc/api/framework/APIResponse.inc
@@ -65,6 +65,12 @@ function get($id, $data=[]) {
             "return" => $id,
             "message" => "Authentication mode must be set to JWT to enable access token authentication",
         ],
+        10 => [
+            "status" => "server error",
+            "code" => "500",
+            "return" => $id,
+            "message" => "Your API request was valid but no actions were specified for this endpoint",
+        ]
     ];
 
     $response = $responses[$id];
diff --git a/pfSense-pkg-API/files/etc/inc/api/framework/APITools.inc b/pfSense-pkg-API/files/etc/inc/api/framework/APITools.inc
@@ -14,9 +14,6 @@ require_once("shaper.inc");
 require_once("auth.inc");
 require_once("functions.inc");
 use Firebase\JWT\JWT;
-use Firebase\JWT\ExpiredException;
-use Firebase\JWT\SignatureInvalidException;
-use Firebase\JWT\BeforeValidException;
 
 # Gathers our URL form encoded data or JSON body data from our request and places them in a single array
 function get_request_data() {
@@ -121,7 +118,7 @@ function decode_jwt($token) {
     $key = get_api_config()[1]["server_key"];    // Save our current server key
     try {
         $decoded = (array) JWT::decode($token, $key, array('HS256'));
-    } catch (Exception $e) {
+    } catch (\Exception $e) {
         $decoded = false;
     }
     return $decoded;
@@ -180,4 +177,79 @@ function generate_token($username) {
     $change_note = " Generated API key";    // Add a change note
     write_config(sprintf(gettext($change_note)));    // Apply our configuration change
     return $key_new;
+}
+
+// Check if CARP is enabled for disabled
+function is_carp_enabled() {
+    // Check current CARP status
+    $status = get_single_sysctl('net.inet.carp.allow');
+    $enabled = boolval(intval($status) > 0);
+    return $enabled;
+}
+
+// Check each CARP interface's status
+function get_carp_if_status() {
+    // Local variables
+    global $err_lib, $config;
+    $carp_if_stats = [];
+    $carp_enabled = is_carp_enabled();
+    foreach ($config['virtualip']['vip'] as $carp) {
+        if ($carp['mode'] == "carp") {
+            $carp_if_ent = [];
+            $carp_if_ent["interface"] = $carp["interface"];
+            $carp_if_ent["vhid"] = $carp['vhid'];
+            $carp_if_ent["subnet"] = $carp['subnet'];
+            $carp_if_ent["subnet_bits"] = $carp['subnet_bits'];
+            $status = get_carp_interface_status("_vip{$carp['uniqid']}");
+            if ($carp_enabled == false) {
+                $carp_if_ent["status"] = "disabled";
+            } else {
+                if ($status == "MASTER") {
+                    $carp_if_ent["status"] = "master";
+                } else if ($status == "BACKUP") {
+                    $carp_if_ent["status"] = "backup";
+                } else if ($status == "INIT") {
+                    $carp_if_ent["status"] = "init";
+                }
+            }
+            // Add config to our array
+            $carp_if_stats[] = $carp_if_ent;
+        }
+    }
+    // Return our status
+    return $carp_if_stats;
+}
+
+// Enables CARP interfaces
+function enable_carp($enable) {
+    // Local variables
+    global $config;
+    $vip_arr = $config['virtualip']['vip'];
+    $no_action = (is_carp_enabled() === $enable) ? true : false;    // Check if a change is even requried
+    // Disable if $enable is false, enable if $enable is true
+    if (!$no_action and $enable === false) {
+        set_single_sysctl('net.inet.carp.allow', '0');
+        foreach ($vip_arr as $vip) {
+            if ($vip['mode'] != "carp" && $vip['mode'] != "ipalias")
+                continue;
+            if ($vip['mode'] == "ipalias" && substr($vip['interface'], 0, 4) != "_vip")
+                continue;
+            interface_vip_bring_down($vip);
+        }
+    } elseif (!$no_action and $enable === true) {
+        foreach ($vip_arr as $vip) {
+            switch ($vip['mode']) {
+                case "carp":
+                    interface_carp_configure($vip);
+                    break;
+                case 'ipalias':
+                    if (substr($vip['interface'], 0, 4) == "_vip") {
+                        interface_ipalias_configure($vip);
+                    }
+                    break;
+            }
+        }
+        interfaces_sync_setup();
+        set_single_sysctl('net.inet.carp.allow', '1');
+    }
 }
diff --git a/pfSense-pkg-API/files/etc/inc/apicalls.inc b/pfSense-pkg-API/files/etc/inc/apicalls.inc
@@ -128,7 +128,7 @@ function api_firewall_nat() {
     # VARIABLES
     global $err_lib, $config, $api_resp, $client_params;
     $read_only_action = true;    // Set whether this action requires read only access
-    $req_privs = array("page-all", "page-firewall-virtualipaddresses");    // Array of privs allowed
+    $req_privs = array("page-all");    // Array of privs allowed
     $http_method = $_SERVER['REQUEST_METHOD'];    // Save our HTTP method
     $nat_array = array();    // Init our array
     # RUN TIME
diff --git a/pfSense-pkg-API/files/usr/local/www/api/v1/access_token/index.php b/pfSense-pkg-API/files/usr/local/www/api/v1/access_token/index.php
@@ -1,7 +1,7 @@
 <?php
 # Copyright 2020 - Jared Hendrickson
 # IMPORTS
-require_once("api/api_calls/APIAccessToken.inc");
+require_once("api/api_models/APIAccessToken.inc");
 
 # RUN API CALL
 (new APIAccessToken())->listen();
diff --git a/pfSense-pkg-API/files/usr/local/www/api/v1/firewall/nat/index.php b/pfSense-pkg-API/files/usr/local/www/api/v1/firewall/nat/index.php
@@ -1,10 +1,5 @@
 <?php
 # Copyright 2020 - Jared Hendrickson
 # IMPORTS
-require_once("apicalls.inc");
-
-# RUN API CALL
-$resp = api_firewall_nat();
-http_response_code($resp["code"]);
-echo json_encode($resp) . PHP_EOL;
-exit();
+require_once("api/api_models/APIFirewallNat.inc");
+(new APIFirewallNat())->listen();
diff --git a/pfSense-pkg-API/files/usr/local/www/api/v1/status/carp/index.php b/pfSense-pkg-API/files/usr/local/www/api/v1/status/carp/index.php
@@ -1,10 +1,5 @@
 <?php
 # Copyright 2020 - Jared Hendrickson
-# IMPORTS
-require_once("apicalls.inc");
+require_once("api/api_models/APIStatusCarp.inc");
+(new APIStatusCarp())->listen();
 
-# RUN API CALL
-$resp = api_status_carp();
-http_response_code($resp["code"]);
-echo json_encode($resp) . PHP_EOL;
-exit();
diff --git a/pfSense-pkg-API/files/usr/local/www/api/v1/status/carp/modify/index.php b/pfSense-pkg-API/files/usr/local/www/api/v1/status/carp/modify/index.php
@@ -1,10 +1,5 @@
 <?php
 # Copyright 2020 - Jared Hendrickson
-# IMPORTS
-require_once("apicalls.inc");
+require_once("api/api_models/APIStatusCarpModify.inc");
+(new APIStatusCarpModify())->listen();;
 
-# RUN API CALL
-$resp = api_status_carp_modify();
-http_response_code($resp["code"]);
-echo json_encode($resp) . PHP_EOL;
-exit();

Original file line number	Diff line number	Diff line change
`@@ -23,7 +23,7 @@ class APIAccessToken extends APIBaseModel {`
`23`	`23`	`}`
`24`	`24`	`}`
`25`	`25`
`26`		`- # Override action subclass to create a JWT and return it to the user`
	`26`	`+ # Override action subclass to create a JWT and return it to the user after successful validation`
`27`	`27`	`public function action() {`
`28`	`28`	`$jwt = APITools\create_jwt($this->client->username);`
`29`	`29`	`return APIResponse\get(0, ["token" => $jwt]);`
Original file line number	Diff line number	Diff line change
`@@ -31,7 +31,7 @@ class APIBaseModel {`
`31`	`31`	`# This function is intended to be overridden by an API model extended class`
`32`	`32`	`# Any configuration writes, system configurations, etc should be added when overriding this base class`
`33`	`33`	`# If this class is not overridden a 500 unexpected error is returned`
`34`		`- return APIResponse\get(1);`
	`34`	`+ return APIResponse\get(10);`
`35`	`35`	`}`
`36`	`36`
`37`	`37`	`public function validate() {`