Home
Help
Search
Login
Register
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
Accessing User and Certificate config from ApiControllerBase
« previous
next »
Print
Pages: [
1
]
Author
Topic: Accessing User and Certificate config from ApiControllerBase (Read 3706 times)
engelant
Newbie
Posts: 8
Karma: 1
Accessing User and Certificate config from ApiControllerBase
«
on:
August 29, 2019, 08:02:11 pm »
I'm currently trying to get certificates from OPNsense via the API. As there are no APIs provided to access the Trust store I had the idea of simply creating a user with API key for every client that needs to get a cert, assign the required cert as one of the "User Certificates" and introduce a new System Privilege "API - Allow own certificate/key download".
I get the API and API permission related stuff to work, but I have no clue how to access the user and cert model properly.
What I now would need to do is to get the user ($this->logged_in_user from ApiControllerBase), with which I could get user certificates for that user. With that cert refid(s) I can get descr, crt, prv and caref and that's it.
Problem is, after $this->logged_in_user I have no idea which Model/Controller to call to get my desired data. Can somebody help out?
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Accessing User and Certificate config from ApiControllerBase
«
Reply #1 on:
August 29, 2019, 09:29:50 pm »
certificates are legacy code and not api enabled, sorry.
Maybe ... *maybe* ... you could write a fake plugin which is MVC enabled and takes certificates from config, e.g. like FreeRADIUS plugin. But there wont be a user separation.
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
engelant
Newbie
Posts: 8
Karma: 1
Re: Accessing User and Certificate config from ApiControllerBase
«
Reply #2 on:
August 29, 2019, 09:57:44 pm »
I noticed that It's old API. My idea was to access the data as direct from the config as necessary.
What would be the recommended way to read the config without a Controller/Model being availible?
Logged
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Accessing User and Certificate config from ApiControllerBase
«
Reply #3 on:
August 29, 2019, 10:48:34 pm »
I work with them using the raw config object/array. Just use that one.
Logged
mimugmail
Hero Member
Posts: 6766
Karma: 494
Re: Accessing User and Certificate config from ApiControllerBase
«
Reply #4 on:
August 29, 2019, 10:48:41 pm »
https://github.com/opnsense/plugins/blob/master/net/freeradius/src/opnsense/scripts/Freeradius/generate_certs.php
Logged
WWW:
www.routerperformance.net
Support plans:
https://www.max-it.de/en/it-services/opnsense/
Commercial Plugins (German):
https://opnsense.max-it.de/
fabian
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Accessing User and Certificate config from ApiControllerBase
«
Reply #5 on:
August 29, 2019, 10:54:29 pm »
Oder:
https://github.com/opnsense/plugins/blob/master/www/nginx/src/opnsense/scripts/nginx/setup.php
Logged
engelant
Newbie
Posts: 8
Karma: 1
Re: Accessing User and Certificate config from ApiControllerBase
«
Reply #6 on:
August 30, 2019, 03:14:02 pm »
Spot on, thanks for the examples. I was able to write my own very first plugin, now to see if my code meets the contribution guidelines.
While unrelated to the issue, anyone knows ho to re-read the ACL.xml? I installed und uninstalled helloworld to refresh, but c'mon. Also, is there a way yet to make the permission appear as "API" instead of "GUI" in the permission assignment table?
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Accessing User and Certificate config from ApiControllerBase
«
Reply #7 on:
August 30, 2019, 03:24:37 pm »
I want to join the fun pasting code lines
https://github.com/opnsense/core/blob/master/src/etc/rc.configure_firmware#L54
We don't have API permissions. With the MVC code we try to cluster GUI access with API access as the GUI parts need the API anyway and so you end up with a use case instead of per-page/action permissions. There's no downside to having GUI access for API only scripts.
EDIT: Maybe as a historical reference "GUI" in the permission merely means it's not a "User" permission which we've tried to remove and I think there is only one left so "GUI" prefix will be removed in an upcoming release to avoid further confusion.
But you can always decide to have API-only permissions in your plugin. In this case the GUI is a bit off in its interpretation until said "User" permission is removed.
Cheers,
Franco
«
Last Edit: August 30, 2019, 03:28:55 pm by franco
»
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
Archive
»
19.7 Legacy Series
»
Accessing User and Certificate config from ApiControllerBase