- Added endpoint for /interfaces/delete/

- Added endpoint for /system/certificates/ to read all system SSL certificates
- Added endpoint for /system/certifciates/add to import a new SSL certificate
- Added endpoint for /system/certificates/delete to delete an existing SSL certificate
- Added endpoint for /users/authservers/ to read all LDAP and RADIUS authentication server configurations
- Added endpoint for /users/authservers/ldap/ to read LDAP authentication server configurations
- Added endpoint for /users/authservers/radius/ to read RADIUS authentication server configurations
- Changed default API token hash algorithm to SHA256
- Added SHA512 to allow API token hash algorithms
- Added snippet to check if a user is disabled before allowing API access

Author: jaredhendrickson13

pfSense-pkg-API/Makefile

@@ -71,7 +71,18 @@ do-install:
 	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/users/modify
 	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/users/modify/index.php \
 		${STAGEDIR}${PREFIX}/www/api/v1/users/modify
-
+	# Authservers base
+	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/users/authservers
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/users/authservers/index.php \
+		${STAGEDIR}${PREFIX}/www/api/v1/users/authservers
+	# Authservers ldap
+	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/users/authservers/ldap
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/users/authservers/ldap/index.php \
+		${STAGEDIR}${PREFIX}/www/api/v1/users/authservers/ldap
+	# Authservers radius
+	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/users/authservers/radius
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/users/authservers/radius/index.php \
+		${STAGEDIR}${PREFIX}/www/api/v1/users/authservers/radius
 	# SYSTEM API ENDPOINTS----------------------------------------
 	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/system/
 	# Version base
@@ -98,6 +109,18 @@ do-install:
 	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/system/hostname/modify
 	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/system/hostname/modify/index.php \
 		${STAGEDIR}${PREFIX}/www/api/v1/system/hostname/modify
+	# Certificates base
+	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/system/certificates
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/system/certificates/index.php \
+		${STAGEDIR}${PREFIX}/www/api/v1/system/certificates
+	# Certificates add
+	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/system/certificates/add
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/system/certificates/add/index.php \
+		${STAGEDIR}${PREFIX}/www/api/v1/system/certificates/add
+	# Certificates delete
+	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/system/certificates/delete
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/system/certificates/delete/index.php \
+		${STAGEDIR}${PREFIX}/www/api/v1/system/certificates/delete
 	# STATUS API ENDPOINTS----------------------------------------
 	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/status/
 	# CARP base
@@ -118,6 +141,10 @@ do-install:
 	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/interfaces/add
 	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/interfaces/add/index.php \
 		${STAGEDIR}${PREFIX}/www/api/v1/interfaces/add
+	# Interfaces delete
+	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/interfaces/delete
+	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/interfaces/delete/index.php \
+		${STAGEDIR}${PREFIX}/www/api/v1/interfaces/delete
 	# Vlans base
 	${MKDIR} ${STAGEDIR}${PREFIX}/www/api/v1/interfaces/vlans
 	${INSTALL_DATA} ${FILESDIR}${PREFIX}/www/api/v1/interfaces/vlans/index.php \

pfSense-pkg-API/files/etc/inc/api.inc

@@ -47,6 +47,14 @@ function str_starts_with($needle, $haystack) {
     return (substr($haystack, 0, $length) === $needle);
 }
 
+// Restarts the pfSense webConfigurator
+function restart_webconfigurator() {
+    ob_flush();
+    flush();
+    log_error(gettext("webConfigurator configuration has changed. Restarting webConfigurator."));
+    send_event("service restart webgui");
+}
+
 // API authentication debug function
 function api_auth_debug($req_privs=array()) {
     global $client_id, $client_params, $read_priv;
@@ -129,9 +137,10 @@ function api_authenticate_token($cid, $ctoken) {
 // Check if user authenticates successfully
 function api_authenticate() {
     // Local variables
-    global $client_id, $client_token;
+    global $config, $client_id, $client_token;
     $authenticated = false;
     $api_config = get_api_configuration()[1];
+    $users = index_users();
     // Format our client ID and token based on our configured auth mode
     if ($api_config["authmode"] === "base64") {
         $client_id = base64_decode($client_id);
@@ -148,14 +157,18 @@ function api_authenticate() {
             $authenticated = true;
         }
     } else {
-        // Check AUTHENTICATION-------------------------------------------------------------------
+        // Check local auth
         $local_auth = authenticate_user($client_id, $client_token);    // Test auth locally
         if ($local_auth === true) {
             unset($_SESSION["Username"]);
             $_SESSION["Username"] = $client_id;
             $authenticated = true;
         }
     }
+    // Check if user is disabled
+    if (array_key_exists("disabled", $config["system"]["user"][$users[$client_id]])) {
+        $authenticated = false;
+    }
     return $authenticated;
 }
 
@@ -1046,6 +1059,69 @@ function apply_interface_config($if_conf) {
     return true;
 }
 
+// Delete an interface
+function destroy_interface($id) {
+    // Local variables
+    global $config;
+    $err_msg = "";
+    $success = false;
+    if ($id === "wan") {
+        $err_msg = "wan interface cannot be deleted";
+    } elseif (link_interface_to_group($id)) {
+        $err_msg = "interface member of group";
+    } elseif (link_interface_to_bridge($id)) {
+        $err_msg = "interface member of bridge";
+    } elseif (link_interface_to_gre($id)) {
+        $err_msg = "interface member of gre tunnel";
+    } elseif (link_interface_to_gif($id)) {
+        $err_msg = "interface member of gif tunnel";
+    } elseif (interface_has_queue($id)) {
+        $err_msg = "interface traffic shaper configured";
+    } else {
+        unset($config['interfaces'][$id]['enable']);
+        $realid = get_real_interface($id);
+        interface_bring_down($id);   // Bring down interface
+        unset($config['interfaces'][$id]);	// Delete our interface from configuration
+        // Remove DHCP config for interface
+        if (is_array($config['dhcpd']) && is_array($config['dhcpd'][$id])) {
+            unset($config['dhcpd'][$id]);
+            services_dhcpd_configure('inet');
+        }
+        // Removed interface config for dhcp6
+        if (is_array($config['dhcpdv6']) && is_array($config['dhcpdv6'][$id])) {
+            unset($config['dhcpdv6'][$id]);
+            services_dhcpd_configure('inet6');
+        }
+        // Remove ACL for interface
+        if (count($config['filter']['rule']) > 0) {
+            foreach ($config['filter']['rule'] as $x => $rule) {
+                if ($rule['interface'] == $id) {
+                    unset($config['filter']['rule'][$x]);
+                }
+            }
+        }
+        // Remove NAT config for interface
+        if (is_array($config['nat']['rule']) && count($config['nat']['rule']) > 0) {
+            foreach ($config['nat']['rule'] as $x => $rule) {
+                if ($rule['interface'] == $id) {
+                    unset($config['nat']['rule'][$x]['interface']);
+                }
+            }
+        }
+        $change_note = " Deleted interface via API";    // Add a change note
+        write_config(sprintf(gettext($change_note)));    // Apply our configuration change
+        // Disable DHCP if last interface
+        if ($config['interfaces']['lan'] && $config['dhcpd']['wan']) {
+            unset($config['dhcpd']['wan']);
+        }
+        // Update VLAN assignments
+        link_interface_to_vlans($realid, "update");
+        // Write success return
+        $success = true;
+    }
+    return array("status" => $success, "msg" => $err_msg);
+}
+
 // Check if CARP is enabled for disabled
 function is_carp_enabled() {
     // Check current CARP status