Is your feature request related to a problem? Please describe.
I am working on a project that involves automating the deployment and configuration of OPNsense VMs in the cloud. We use the OPNsense API to update firewall configurations, but there is no easy way to manage API access without manual work; or at least none that is documented.
Describe the solution you like
I would like user management (at least API key creation and revoke) to be possible via an API, using the same authentication method as the rest of the API. This would allow me to create a VM template with temporary credentials that I could revoke immediately after the initial configuration.
Alternatively, this could be implemented through a configd action and used over an SSH connection.
Describe alternatives you considered
The main alternative is to write a script that handles key creation by making requests as if it were human. This is the "ugly" solution, as it requires parsing HTML forms to extract automatically generated CSRF tokens and may break if the web UI changes.
```php
<?php
// Function to generate a random Base64-encoded string
function generateRandomBase64($length = 60) {
    return base64_encode(random_bytes($length));
}

// Function to generate a SHA-512 hashed secret
function generateApiSecret($secret) {
    return crypt($secret, '$6$');
}

// Load the XML file; stop if it cannot be read or parsed
$xml = new DOMDocument();
if (!$xml->load('/conf/config.xml')) {
    echo "Could not load /conf/config.xml.\n";
    exit(1);
}

// XPath to find the root user node
$xpath = new DOMXPath($xml);
$query = "/opnsense/system/user[name='root']";
$rootUser = $xpath->query($query)->item(0);

if ($rootUser) {
    // Find or create the <apikeys> element
    $apikeys = $rootUser->getElementsByTagName('apikeys')->item(0);
    if (!$apikeys) {
        $apikeys = $xml->createElement('apikeys');
        $rootUser->appendChild($apikeys);
    }

    // Generate new API key and secret
    $newApiKey = generateRandomBase64();
    $newApiSecret = generateRandomBase64();

    // Create the new <item> element with <key> and <secret>;
    // only the hash of the secret is stored in config.xml
    $item = $xml->createElement('item');
    $key = $xml->createElement('key', $newApiKey);
    $secret = $xml->createElement('secret', generateApiSecret($newApiSecret));
    $item->appendChild($key);
    $item->appendChild($secret);
    $apikeys->appendChild($item);

    // Save the updated XML back to the file
    $xml->save('/conf/config.xml');

    // Save the original API key and secret to a file and
    // restrict it to the owner, since it holds the plaintext secret
    $fileContent = "APIKEY='$newApiKey'\nAPISECRET='$newApiSecret'\n";
    file_put_contents('./apikey', $fileContent);
    chmod('./apikey', 0600);

    echo "API key and secret added successfully.\n";
    echo "API Key: $newApiKey\n";
    echo "API Secret: $newApiSecret\n";
} else {
    echo "Root user not found.\n";
}
?>
```
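The revoke half of the request, as an added example that is not part of the original thread or of OPNsense's own code: it removes one key from the `<apikeys>` layout the script above writes. The function name `revokeApiKey` and the key values are hypothetical, and the sample document is constructed inline so the script runs without touching `/conf/config.xml`.

```php
<?php
// Added example: remove a single API key from a config.xml document.
// Assumption: keys are stored as /opnsense/system/user/apikeys/item/key,
// the same layout the creation script above writes.

function revokeApiKey(DOMDocument $xml, string $apiKey): int
{
    $xpath = new DOMXPath($xml);
    $removed = 0;
    // Snapshot the node list first, then compare in PHP instead of
    // interpolating the key into the XPath expression.
    $items = iterator_to_array($xpath->query('/opnsense/system/user/apikeys/item'));
    foreach ($items as $item) {
        $keyNode = $xpath->query('key', $item)->item(0);
        if ($keyNode !== null && $keyNode->textContent === $apiKey) {
            $item->parentNode->removeChild($item);
            $removed++;
        }
    }
    return $removed;
}

// Constructed sample document (nowdoc, so "$" is taken literally).
$sample = <<<'XML'
<opnsense><system>
  <user><name>root</name><apikeys>
    <item><key>TEMPLATE-KEY</key><secret>$6$$constructed-hash-1</secret></item>
    <item><key>LONG-LIVED-KEY</key><secret>$6$$constructed-hash-2</secret></item>
  </apikeys></user>
</system></opnsense>
XML;

$xml = new DOMDocument();
$xml->loadXML($sample);

// Revoke the temporary key baked into the VM template.
$count = revokeApiKey($xml, 'TEMPLATE-KEY');
echo "Revoked $count key(s)\n";

// Only LONG-LIVED-KEY remains; a second call for the same key removes nothing.
echo $xml->saveXML();
echo "Second attempt revoked " . revokeApiKey($xml, 'TEMPLATE-KEY') . " key(s)\n";
```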