v1.5.0 Fixes & Features

.github/dependabot.yml

@@ -0,0 +1,15 @@
+# To get started with Dependabot version updates, you'll need to specify which
+# package ecosystems to update and where the package manifests are located.
+# Please see the documentation for all configuration options:
+# https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+
+version: 2
+updates:
+  - package-ecosystem: "composer"
+    directory: "/"
+    schedule:
+      interval: "weekly"
+  - package-ecosystem: "pip"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/openapi.yml

@@ -0,0 +1,12 @@
+name: OpenAPI
+on: [push]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Lint OpenAPI spec
+        uses: vaibhav-jain/spectral-action/@v2.6
+        with:
+          file_path: pfSense-pkg-API/files/usr/local/www/api/documentation/openapi.yml

.github/workflows/phplint.yml

@@ -0,0 +1,18 @@
+name: PHPlint
+on: [push]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      - name: Lint on PHP 7.2
+        uses: firehed/lint-php-action@v1
+        with:
+          file-extensions: 'php, inc'
+          php-version: "7.2"
+      - name: Lint on PHP 7.4
+        uses: firehed/lint-php-action@v1
+        with:
+          file-extensions: 'php, inc'
+          php-version: "7.4"

.github/workflows/pylint.yml

@@ -0,0 +1,23 @@
+name: Pylint
+
+on: [push]
+
+jobs:
+  lint:
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.8", "3.9", "3.10"]
+    steps:
+    - uses: actions/checkout@v3
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v3
+      with:
+        python-version: ${{ matrix.python-version }}
+    - name: Install dependencies
+      run: |
+        python -m pip install --upgrade pip
+        pip install -r requirements.txt
+    - name: Analysing the code with pylint
+      run: |
+        pylint $(git ls-files '*.py')

.gitignore

@@ -3,3 +3,5 @@ tests/e2e_test_framework/__pycache__/
 *.DS_Store
 .phplint-cache
 *.pyc
+venv/
+vendor/

.pylintrc

@@ -0,0 +1,7 @@
+[DEFAULT]
+# Tests require duplicate code and may contain many test cases that require many lines of code
+disable=duplicate-code,too-many-lines
+
+[FORMAT]
+# Follow normal pep8 restriction
+max-line-length=120

.spectral.yml

@@ -0,0 +1 @@
+extends: ["spectral:oas", "spectral:asyncapi"]

README.md

@@ -1,4 +1,8 @@
----
+# pfSense-API
+
+[![OpenAPI](https://github.com/jaredhendrickson13/pfsense-api/actions/workflows/openapi.yml/badge.svg)](https://github.com/jaredhendrickson13/pfsense-api/actions/workflows/openapi.yml)
+[![PHPlint](https://github.com/jaredhendrickson13/pfsense-api/actions/workflows/phplint.yml/badge.svg)](https://github.com/jaredhendrickson13/pfsense-api/actions/workflows/phplint.yml)
+[![Pylint](https://github.com/jaredhendrickson13/pfsense-api/actions/workflows/pylint.yml/badge.svg)](https://github.com/jaredhendrickson13/pfsense-api/actions/workflows/pylint.yml)
 
 # Introduction
 
@@ -136,12 +140,14 @@ curl -H "Authorization: Bearer xxxxx.xxxxxx.xxxxxx" -X GET https://pfsense.examp
 <details>
     <summary>API Token</summary>
 
-Uses standalone tokens generated via the webConfigurator. These are better suited to distribute to systems as they are
+Uses standalone tokens generated via API or webConfigurator. These are better suited to distribute to systems as they are
 revocable and will only allow API authentication; not webConfigurator or SSH authentication (like the local database
 credentials). To generate or revoke credentials, navigate to System > API within the webConfigurator and ensure the
 Authentication Mode is set to API token. Then you should have the options to configure API Token generation, generate
 new tokens, and revoke existing tokens. After generating a new API token, the actual token will display at the top of
-the page on the success banner. This token will only be displayed once so ensure it is stored somewhere safe.<br><br>
+the page on the success banner. This token will only be displayed once so ensure it is stored somewhere safe.
+Alternatively, you can generate new API tokens using the /api/v1/access_token endpoint. This endpoint will always
+require the use of the Local Database authentication type to receive the API token.<br><br>
 
 Once you have your API token, you may authenticate your API call by specifying your client-id and client-token within
 an `Authorization` header, these values must be separated by a space. For example:<br>
@@ -159,6 +165,14 @@ functionality is still supported but is not recommended. It will be removed in a
 pfSense API uses the same privileges as the pfSense webConfigurator. The required privileges for each endpoint are
 stated within the API documentation.
 
+### Login Protection
+
+By default, all API requests will be monitored by pfSense's Login Protection feature. This will allow API
+authentication attempts to be logged and temporarily blocked if too many failed authentication attempts are made by 
+any one client. It is strongly recommended that this feature be used at all times to prevent brute force attacks on 
+API endpoints. This feature can be disabled by within the webConfigurator system-wide under System > Advanced or 
+only for API requests under System > API.
+
 # Content Types
 
 pfSense API can handle a few different content types. Please note, if a `Content-Type` header is not specified in your

composer.json

@@ -0,0 +1,5 @@
+{
+  "require": {
+    "firebase/php-jwt": "v6.3.*"
+  }
+}

pfSense-pkg-API/files/etc/inc/api/endpoints/APIFirewallAliasAdvanced.inc

@@ -0,0 +1,30 @@
+<?php
+//   Copyright 2022 Jared Hendrickson
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+
+require_once("api/framework/APIEndpoint.inc");
+
+class APIFirewallAliasAdvanced extends APIEndpoint {
+    public function __construct() {
+        $this->url = "/api/v1/firewall/alias/advanced";
+    }
+
+    protected function get() {
+        return (new APIFirewallAliasAdvancedRead())->call();
+    }
+
+    protected function put() {
+        return (new APIFirewallAliasAdvancedUpdate())->call();
+    }
+}

pfSense-pkg-API/files/etc/inc/api/endpoints/APIInterfaceGroup.inc

@@ -0,0 +1,38 @@
+<?php
+//   Copyright 2022 Jared Hendrickson
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+
+require_once("api/framework/APIEndpoint.inc");
+
+class APIInterfaceGroup extends APIEndpoint {
+    public function __construct() {
+        $this->url = "/api/v1/interface/group";
+    }
+
+    protected function get() {
+        return (new APIInterfaceGroupRead())->call();
+    }
+
+    protected function post() {
+        return (new APIInterfaceGroupCreate())->call();
+    }
+
+    protected function put() {
+        return (new APIInterfaceGroupUpdate())->call();
+    }
+
+    protected function delete() {
+        return (new APIInterfaceGroupDelete())->call();
+    }
+}

pfSense-pkg-API/files/etc/inc/api/endpoints/APIServicesIPsecApply.inc

@@ -0,0 +1,26 @@
+<?php
+//   Copyright 2022 Jared Hendrickson
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+
+require_once("api/framework/APIEndpoint.inc");
+
+class APIServicesIPsecApply extends APIEndpoint {
+    public function __construct() {
+        $this->url = "/api/v1/services/ipsec/apply";
+    }
+
+    protected function post() {
+        return (new APIServicesIPsecApplyCreate())->call();
+    }
+}

pfSense-pkg-API/files/etc/inc/api/endpoints/APIServicesIPsecPhase1.inc

@@ -0,0 +1,38 @@
+<?php
+//   Copyright 2022 Jared Hendrickson
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+
+require_once("api/framework/APIEndpoint.inc");
+
+class APIServicesIPsecPhase1 extends APIEndpoint {
+    public function __construct() {
+        $this->url = "/api/v1/services/ipsec/phase1";
+    }
+
+    protected function get() {
+        return (new APIServicesIPsecPhase1Read())->call();
+    }
+
+    protected function post() {
+        return (new APIServicesIPsecPhase1Create())->call();
+    }
+
+    protected function put() {
+        return (new APIServicesIPsecPhase1Update())->call();
+    }
+
+    protected function delete() {
+        return (new APIServicesIPsecPhase1Delete())->call();
+    }
+}

pfSense-pkg-API/files/etc/inc/api/endpoints/APIServicesIPsecPhase1Encryption.inc

@@ -0,0 +1,26 @@
+<?php
+//   Copyright 2022 Jared Hendrickson
+//
+//   Licensed under the Apache License, Version 2.0 (the "License");
+//   you may not use this file except in compliance with the License.
+//   You may obtain a copy of the License at
+//
+//       http://www.apache.org/licenses/LICENSE-2.0
+//
+//   Unless required by applicable law or agreed to in writing, software
+//   distributed under the License is distributed on an "AS IS" BASIS,
+//   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+//   See the License for the specific language governing permissions and
+//   limitations under the License.
+
+require_once("api/framework/APIEndpoint.inc");
+
+class APIServicesIPsecPhase1Encryption extends APIEndpoint {
+    public function __construct() {
+        $this->url = "/api/v1/services/ipsec/phase1/encryption";
+    }
+
+    protected function post() {
+        return (new APIServicesIPsecPhase1EncryptionCreate())->call();
+    }
+}