Updated contributor doc, migrated API endpoints from function based to class based for APIFirewallVirtualIPs and APIFirewallNAT, started migrating APIFirewallRules

Author: jaredhendrickson13

CONTRIBUTING.md

@@ -105,7 +105,8 @@ not specified, the default values are assumed:
 
 - `$this->privileges` : Allows you to set what pfSense permissions are required for clients to access this model. This
 utilizes the same permissions as the pfSense webConfigurator. Specify the privileges internal config value in array
-format. Defaults to `["page-all"]` which requires client to have the 'WebCfg - All Pages' permission.
+format. Defaults to `["page-all"]` which requires client to have the 'WebCfg - All Pages' permission. A list of pfSense
+privileges can be found here: https://github.com/pfsense/pfsense/blob/master/src/etc/inc/priv.defs.inc
 
 - `$this->requires_auth` : Specify whether authentication and authorization is required for the API model. If set to 
 `false` clients will not have to authenticate or have privilege to access. Defaults to `true`.
@@ -115,9 +116,6 @@ writing a model that tests user's local database credentials and do not want the
 auth mode you would specify `$this->set_auth_mode = "local";` to always force local authentication. Defaults to the 
 API's configured auth mode in the /api/ webConfigurator page.
 
-- `$this->validators` : Allows you to specify function calls that validate the API payload data. More information on
-writing model validators is included below. Defaults to `[]` which does not provide any validation. 
-
 
 #### Other Base Model Properties ####
 There are other properties inherited from APIBaseModel that are not intended (and shouldn't be) overridden by your
@@ -128,11 +126,11 @@ custom API model:
 - `$this->validated_data` : An array for validators to use to populate data that has been validated
 - `$this->errors` : An array to populate any errors encountered. Should be an array of APIResponse values.
 
-#### Writing API Model Validators ####
-By default, API models do not provide any sort of validation. You are responsible for writing the class methods to 
-validate the request. Validator methods are essentially class methods that check specific field(s) in our 
-`$this->initial_data` property and either adds them to our `$this->validated_data` property, or adds an error response 
-to `$this->errors`.
+#### Overriding API Model Validation ####
+By default, API models do not provide any sort of validation. You are responsible for overriding the class method to 
+validate the request. To validate requests, you must override the `validate_payload()` method to check specific field(s)
+in the `$this->initial_data` property and either add them to our `$this->validated_data` property if they are valid, or 
+appends an error response to the `$this->errors` property.
 
 For example:
 ```php
@@ -145,15 +143,10 @@ class NewAPIModel extends APIBaseModel {
         $this->methods = ["POST"];
         $this->privileges = ["page-all", "page-diagnostics-arptable"];
         $this->requires_auth = false;
-        
-        # CALL YOUR VALIDATOR METHODS HERE. This must be an array of function calls!
-        $this->validators = [
-            $this->validateTest()
-        ];   
     }
 
-    # Create a new validator method that validates our payloads 'test' value.
-    private function validateTest() {
+    # Overrides our APIBaseModel validate_payload method to validate data within our initial_data property
+    public function validate_payload() {
         # Check if we have a test value in our payload, if so add the value to validated_data array
         if (array_key_exists("test", $this->initial_data)) {
             $this->validated_data["test"] = $this->initial_data["test"];
@@ -186,11 +179,11 @@ class NewAPIModel extends APIBaseModel {
 
         # CALL YOUR VALIDATOR METHODS HERE. This must be an array of function calls!
         $this->validators = [
-            $this->validateTest()
+            $this->validate_payload()
         ];   
     }
 
-    private function validateTest() {
+    public function validate_payload() {
         if (array_key_exists("test", $this->initial_data)) {
             $this->validated_data["test"] = $this->initial_data["test"];
         } 

pfSense-pkg-API/files/etc/inc/api.inc

@@ -789,7 +789,7 @@ function sort_firewall_rules($mode=null, $data=null) {
 // Sorts nat rules by specified criteria and reloads the filter
 function sort_nat_rules($mode=null, $data=null) {
     // Variables
-    global $err_lib, $config;
+    global $config;
     $sort_arr = [];
     $master_arr = [];
     foreach ($config["nat"]["rule"] as $idx => $fre) {

pfSense-pkg-API/files/etc/inc/api/api_models/APIAccessToken.inc

@@ -8,18 +8,15 @@ class APIAccessToken extends APIBaseModel {
         parent::__construct();
         $this->set_auth_mode = "local";
         $this->methods = ["POST"];
-        $this->validators = [
-            $this->validateAuthMode()
-        ];
     }
 
     # Validate our API configurations auth mode (must be JWT)
-    private function validateAuthMode() {
+    public function validate_payload() {
         $api_config = APITools\get_api_config()[1];
 
         # Add error if our auth mode is invalid
         if ($api_config["authmode"] !== "jwt") {
-            return APIResponse\get(9);
+            $this->errors[] = APIResponse\get(9);
         }
     }
 

pfSense-pkg-API/files/etc/inc/api/api_models/APIFirewallNatPortForwards.inc

@@ -0,0 +1,21 @@
+<?php
+require_once("api/framework/APIBaseModel.inc");
+require_once("api/framework/APIResponse.inc");
+
+class APIFirewallNatPortForwards extends APIBaseModel {
+    # Create our method constructor
+    public function __construct() {
+        parent::__construct();
+        $this->methods = ["GET"];
+        $this->privileges = ["page-all", "page-firewall-nat-portforward"];
+    }
+
+    public function action() {
+        global $config;
+        // Check that we have a virtual IP configuration
+        if (!empty($config["nat"]["rule"])) {
+            $this->validated_data = $config["nat"]["rule"];
+        }
+        return APIResponse\get(0, $this->validated_data);
+    }
+}

pfSense-pkg-API/files/etc/inc/api/api_models/APIFirewallNatPortForwardsAdd.inc

@@ -0,0 +1,173 @@
+<?php
+require_once("api/framework/APIBaseModel.inc");
+require_once("api/framework/APIResponse.inc");
+
+class APIFirewallNatPortForwardsAdd extends APIBaseModel {
+    # Create our method constructor
+    public function __construct() {
+        parent::__construct();
+        $this->methods = ["POST"];
+        $this->privileges = ["page-all", "page-firewall-nat-portforward-edit"];
+    }
+
+    public function action() {
+        global $config;
+        $_SESSION["Username"] = $this->client->username;
+        $change_note = " Added NAT rule via API";    // Add a change note
+        $config["nat"]["rule"][] = $this->validated_data;    // Write to our master config
+        $next_rule_id = count($config["nat"]["rule"]);    // Save our next rule ID
+        APITools\sort_nat_rules($this->initial_data["top"], $next_rule_id);    // Sort our nat rules
+        write_config(sprintf(gettext($change_note)));    // Apply our configuration change
+        filter_configure();    // Ensure our firewall filter is reloaded
+        return APIResponse\get(0, $this->validated_data);
+    }
+
+    // TODO: break this down into smaller field specific validators
+    public function validate_payload() {
+        global $config;
+        $user_created_msg = $_SESSION["Username"]."@".$_SERVER["REMOTE_ADDR"]." (API)";    // Save the username and ip of client
+        $allowed_nat_ref = ["enable", "disable", "purenat"];    // Save our allow NAT reflection types
+        $allowed_prot = ["tcp", "udp", "tcp/udp", "icmp", "esp", "ah", "gre", "ipv6", "igmp", "pim", "ospf"];
+        if (isset($this->initial_data['interface'])) {
+            $interface = $this->initial_data['interface'];
+            $interface = APITools\get_pfsense_if_id($interface);
+        } else {
+            $this->errors[] = APIResponse\get(4000);
+        }
+        if (isset($this->initial_data['protocol'])) {
+            $protocol = $this->initial_data['protocol'];
+        } else {
+            $this->errors[] = APIResponse\get(4001);
+
+        }
+        if (isset($this->initial_data['target'])) {
+            $localip = $this->initial_data['target'];
+        } else {
+            $this->errors[] = APIResponse\get(4002);
+        }
+        if (isset($this->initial_data['local-port'])) {
+            $localport = $this->initial_data['local-port'];
+        } else {
+            $this->errors[] = APIResponse\get(4003);
+        }
+        if (isset($this->initial_data['src'])) {
+            $src = $this->initial_data['src'];
+        } else {
+            $this->errors[] = APIResponse\get(4004);
+
+        }
+        if (isset($this->initial_data['srcport'])) {
+            $srcport = $this->initial_data['srcport'];
+        }
+        if (isset($this->initial_data['dst'])) {
+            $dst = $this->initial_data['dst'];
+        } else {
+            $this->errors[] = APIResponse\get(4005);
+
+        }
+        if (isset($this->initial_data['dstport'])) {
+            $dstport = $this->initial_data['dstport'];
+        }
+        if (isset($this->initial_data['disabled'])) {
+            if ($this->initial_data['disabled']) {
+                $disabled = true;
+            }
+        }
+        if (isset($this->initial_data['nordr'])) {
+            if ($this->initial_data['nordr']) {
+                $nordr = true;
+            }
+        }
+        if (isset($this->initial_data['nosync'])) {
+            if ($this->initial_data['nosync'] === true) {
+                $nosync = true;
+            }
+        }
+        if (isset($this->initial_data['top'])) {
+            if ($this->initial_data['top']) {
+                $this->initial_data = "top";
+            }
+        }
+        if (isset($this->initial_data['descr'])) {
+            $descr = $this->initial_data['descr'];
+        }
+        if (isset($this->initial_data['natreflection'])) {
+            $natreflection = $this->initial_data['natreflection'];
+        }
+        
+        // INPUT VALIDATION/FORMATTING
+        // Check that our required array/interface values are valid
+        if (!is_string($interface)) {
+            $this->errors[] = APIResponse\get(4006);
+        } elseif (!in_array($protocol, $allowed_prot)) {
+            $this->errors[] = APIResponse\get(4007);
+        } elseif (isset($natreflection) and !in_array($natreflection, $allowed_nat_ref)) {
+            $this->errors[] = APIResponse\get(4008);
+        } elseif (!is_ipaddrv4($localip) and !alias_in_use($localip)) {
+            $this->errors[] = APIResponse\get(4009);
+        } elseif (!is_port_or_range($localport)) {
+            $this->errors[] = APIResponse\get(4010);
+        }
+        $this->validated_data = array();
+        // Check if rule is disabled
+        if ($disabled) {
+            $this->validated_data["disabled"] = "";
+        }
+        // Check if pfsync is disabled
+        if ($nosync) {
+            $this->validated_data["nosync"] = "";
+        }
+        // Check if RDR is disabled is disabled
+        if ($nordr) {
+            $this->validated_data["nordr"] = "";
+        }
+        // Check if user specified NAT reflection
+        if ($natreflection) {
+            $this->validated_data["natreflection"] = $natreflection;
+        }
+        $this->validated_data["interface"] = $interface;
+        $this->validated_data["protocol"] = $protocol;
+        $this->validated_data["source"] = array();
+        $this->validated_data["destination"] = array();
+        $this->validated_data["target"] = $localip;
+        $this->validated_data["local-port"] = $localport;
+        $this->validated_data["descr"] = $descr;
+        $this->validated_data["associated-rule-id"] = "pass";
+        $this->validated_data["created"] = array("time" => time(), "username" => $user_created_msg);
+        $this->validated_data["updated"] = $this->validated_data["created"];
+        // Check if our source and destination values are valid
+        foreach (array("source" => $src, "destination" => $dst) as $dir => $val) {
+            $dir_check = APITools\is_valid_rule_addr($val, $dir);
+            if (!$dir_check["valid"]) {
+                if ($dir === "source") {
+                    $this->errors[] = APIResponse\get(4011);
+                } else {
+                    $this->errors[] = APIResponse\get(4012);
+
+                }
+            } else {
+                $this->validated_data = array_merge($this->validated_data, $dir_check["data"]);
+            }
+        }
+        // Check if protocol calls for additional specifications
+        if (in_array($protocol, array("tcp", "udp", "tcp/udp"))) {
+            $port_req = true;
+        }
+        // Check our src and dst port values if ports are required
+        if ($port_req) {
+            foreach (array("source" => $srcport, "destination" => $dstport) as $dir => $val) {
+                $val = str_replace("-", ":", $val);
+                if (!is_port_or_range($val) and $val !== "any") {
+                    if ($dir === "source") {
+                        $this->errors[] = APIResponse\get(4013);
+
+                    } else {
+                        $this->errors[] = APIResponse\get(4014);
+                    }
+                } elseif ($val !== "any") {
+                    $this->validated_data[$dir]["port"] = str_replace(":", "-", $val);
+                }
+            }
+        }
+    }
+}

pfSense-pkg-API/files/etc/inc/api/api_models/APIFirewallNatPortForwardsDelete.inc

@@ -0,0 +1,38 @@
+<?php
+require_once("api/framework/APIBaseModel.inc");
+require_once("api/framework/APIResponse.inc");
+
+class APIFirewallNatPortForwardsDelete extends APIBaseModel {
+    # Create our method constructor
+    public function __construct() {
+        parent::__construct();
+        $this->methods = ["POST"];
+        $this->privileges = ["page-all", "page-nat-portforward-edit"];
+    }
+
+    public function action() {
+        global $config;
+        $_SESSION["Username"] = $this->client->username;    // Save our CLIENT ID to session data for logging
+        $change_note = " Deleted NAT rule via API";    // Add a change note
+        $del_rule = $config["nat"]["rule"][$this->validated_data["id"]];    // Save the rule we are deleting
+        unset($config["nat"]["rule"][$this->validated_data["id"]]);    // Remove rule from our config
+        APITools\sort_nat_rules();    // Sort our NAT rules
+        write_config(sprintf(gettext($change_note)));    // Apply our configuration change
+        filter_configure();    // Ensure our firewall filter is reloaded
+        return APIResponse\get(0, $del_rule);
+    }
+    
+    public function validate_payload() {
+        global $config;
+        if (isset($this->initial_data['id'])) {
+            // Check that our rule ID exists
+            if (array_key_exists($this->initial_data['id'], $config["nat"]["rule"])) {
+                $this->validated_data["id"] = $this->initial_data['id'];
+            } else {
+                $this->errors[] = APIResponse\get(4016);
+            }
+        } else {
+            $this->errors[] = APIResponse\get(4015);
+        }
+    }
+}

pfSense-pkg-API/files/etc/inc/api/api_models/APIFirewallRules.inc

@@ -0,0 +1,24 @@
+<?php
+require_once("api/framework/APIBaseModel.inc");
+require_once("api/framework/APIResponse.inc");
+
+
+class APIFirewallRules extends APIBaseModel {
+    # Create our method constructor
+    public function __construct() {
+        parent::__construct();
+        $this->methods = ["GET"];
+        $this->privileges = ["page-all", "page-firewall-rules"];
+    }
+
+    public function action() {
+        global $config;
+        // Check that we have a configuration
+        if (!empty($config["filter"]["rule"])) {
+            $rule_array = $config["filter"]["rule"];
+        } else {
+            $rule_array = [];
+        }
+        return APIResponse\get(0, $rule_array);
+    }
+}

pfSense-pkg-API/files/etc/inc/api/api_models/APIFirewallVirtualIPs.inc

@@ -0,0 +1,24 @@
+<?php
+require_once("api/framework/APIBaseModel.inc");
+require_once("api/framework/APIResponse.inc");
+
+
+class APIFirewallVirtualIPs extends APIBaseModel {
+    # Create our method constructor
+    public function __construct() {
+        parent::__construct();
+        $this->methods = ["GET"];
+        $this->privileges = ["page-all", "page-firewall-virtualipaddresses"];
+    }
+
+    public function action() {
+        global $config;
+        // Check that we have a virtual IP configuration
+        if (!empty($config["virtualip"]["vip"])) {
+            $vip_array = $config["virtualip"]["vip"];
+        } else {
+            $vip_array = [];
+        }
+        return APIResponse\get(0, $vip_array);
+    }
+}