Feature request: create api user from api or shell #5776

Closed
2 tasks done
csbyte opened this issue May 16, 2022 · 2 comments · May be fixed by #6794
Labels
help wanted Contributor missing / timeout

Comments

csbyte commented May 16, 2022

Important notices

Before you add a new report, we ask you kindly to acknowledge the following:

Is your feature request related to a problem? Please describe.

I am working on a project that involves automating the deployment and configuration of opnsense VMs in the cloud. We use the opnsense API to update firewall configurations, but there is no easy way to manage API access without manual work; or at least none that is documented.

Describe the solution you like

I would like user management (at least API key creation and revocation) to be possible via an API, using the same authentication method as the rest of the API. This would allow me to create a VM template with temporary credentials that I could revoke immediately after the initial configuration.

Alternatively, this could be implemented through a configd action and used over an ssh connection.

Describe alternatives you considered

The main alternative is to write a script that handles key creation by making requests as if it were human. This is the "ugly" solution, as it requires parsing HTML forms to extract automatically generated CSRF tokens and may break if the web UI changes.

@OPNsense-bot

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.

OPNsense-bot closed this as not planned on Nov 12, 2022
OPNsense-bot added the "help wanted" (Contributor missing / timeout) label on Nov 12, 2022
@Positronico

That's how I'm doing it. Adapt as you wish.


```php
<?php
// Function to generate a random Base64-encoded string
function generateRandomBase64($length = 60) {
    return base64_encode(random_bytes($length));
}

// Function to generate a SHA-512 hashed secret
function generateApiSecret($secret) {
    return crypt($secret, '$6$');
}

// Load the XML file and stop if it cannot be parsed
$xml = new DOMDocument();
if (!$xml->load('/conf/config.xml')) {
    echo "Could not load /conf/config.xml.\n";
    exit(1);
}

// XPath to find the root user node
$xpath = new DOMXPath($xml);
$query = "/opnsense/system/user[name='root']";
$rootUser = $xpath->query($query)->item(0);

if ($rootUser) {
    // Find or create the <apikeys> element
    $apikeys = $rootUser->getElementsByTagName('apikeys')->item(0);
    if (!$apikeys) {
        $apikeys = $xml->createElement('apikeys');
        $rootUser->appendChild($apikeys);
    }

    // Generate new API key and secret
    $newApiKey = generateRandomBase64();
    $newApiSecret = generateRandomBase64();

    // Create the new <item> element with <key> and <secret>
    // (only the hash of the secret is stored in the config)
    $item = $xml->createElement('item');
    $key = $xml->createElement('key', $newApiKey);
    $secret = $xml->createElement('secret', generateApiSecret($newApiSecret));

    $item->appendChild($key);
    $item->appendChild($secret);
    $apikeys->appendChild($item);

    // Save the updated XML back to the file
    $xml->save('/conf/config.xml');

    // Save the original API key and secret to a file that only the owner can read
    $fileContent = "APIKEY='$newApiKey'\nAPISECRET='$newApiSecret'\n";
    umask(0077);
    file_put_contents('./apikey', $fileContent);
    chmod('./apikey', 0600);

    echo "API key and secret added successfully.\n";
    echo "API Key: $newApiKey\n";
    echo "API Secret: $newApiSecret\n";
} else {
    echo "Root user not found.\n";
}

?>
```
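The issue asks for revocation as well as creation, and the script in the comment above only adds keys. As an added example (not part of the thread and not OPNsense's own code), the Python below lists and revokes a user's API keys in a copy of config.xml, assuming the `<apikeys>/<item>/<key>` layout that the script writes. The sample config, key values and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample; element layout follows the PHP script in the comment above.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<opnsense>
  <system>
    <user>
      <name>root</name>
      <apikeys>
        <item><key>BOOTSTRAP-KEY-EXAMPLE</key><secret>$6$$constructed-hash-1</secret></item>
        <item><key>LONGLIVED-KEY-EXAMPLE</key><secret>$6$$constructed-hash-2</secret></item>
      </apikeys>
    </user>
    <user><name>automation</name></user>
  </system>
</opnsense>
"""


def _find_user(root, username):
    # Compare names in Python instead of formatting them into an XPath
    # predicate, so odd characters in a username cannot alter the query.
    for user in root.findall("./system/user"):
        if user.findtext("name") == username:
            return user
    return None


def list_api_keys(config_xml, username):
    """Return the API key identifiers stored for one user (never the secrets)."""
    user = _find_user(ET.fromstring(config_xml), username)
    if user is None:
        raise LookupError(f"user {username!r} not found")
    return [item.findtext("key") for item in user.findall("./apikeys/item")]


def revoke_api_key(config_xml, username, api_key):
    """Remove each <item> whose <key> equals api_key; return (new_xml, removed)."""
    root = ET.fromstring(config_xml)
    user = _find_user(root, username)
    if user is None:
        raise LookupError(f"user {username!r} not found")
    removed = 0
    for apikeys in user.findall("apikeys"):
        for item in list(apikeys.findall("item")):
            if item.findtext("key") == api_key:
                apikeys.remove(item)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed
```

Working on a string keeps the functions testable off-box; reading and writing the real config file is left to the caller, and a `removed` count of 0 tells an automation run that the temporary key it meant to revoke was not found.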
