Effective Privileges for REST API

[KristijanL]

Describe the bug
I am uncertain whether this is a bug or not, but accessing the “REST API” in pfsense webui requires administrator access. Is this intentional?
I intended to create a service user with limited access only to specific APIs. However, when using the Authentication Method Key, the user needs to log in and create its key, as there is no option to create a key for another user.

pfSense Version & Package Version:

• pfSense Version: [e.g. pfSense 2.7.2]
• Package Version [e.g. v2.3.2 ]

[jaredhendrickson13]

There are privileges for each UI page that can be assigned to users via API or UI:

• page-system-restapi-acl-entry-edit
• page-system-restapi-acl
• page-system-restapi-key-edit
• page-system-restapi-key
• page-system-restapi-settings
• page-system-restapi-updates

You can also create keys from the API itself using the POST /api/v2/auth/key endpoint. Keys can only be created for the authenticating user however, so your service account would need to make the request to be able to use the key. That endpoint requires the use of basic auth (regardless of the configured auth modes) to generate the key for this reason.

[colindclare]

I can second this issue. Despite having all 6 permissions for the GUI, a user I created cannot access the REST API page in the web dashboard.

Testing a user with permissions for REST API and system logs pages

pfSense shell verifying user perms:

pfSense shell: foreach ($config['system']['user'] as $user) {
pfSense shell:    if ($user['name'] == 'apiuser') {
pfSense shell:      var_dump($user['priv']);
pfSense shell:   }
pfSense shell: }
pfSense shell: exec
array(8) {
  [0]=>
  string(18) "page-dashboard-all"
  [1]=>
  string(34) "page-system-restapi-acl-entry-edit"
  [2]=>
  string(23) "page-system-restapi-acl"
  [3]=>
  string(28) "page-system-restapi-key-edit"
  [4]=>
  string(23) "page-system-restapi-key"
  [5]=>
  string(28) "page-system-restapi-settings"
  [6]=>
  string(27) "page-system-restapi-updates"
  [7]=>
  string(28) "page-diagnostics-logs-system"
}

curl requests to REST API and logs (a test page I allowed for this user0, using PHPSESSID from an actual web session for this user:

cclare@localhost[11:42:21] [~/GitProjects/pfsense-api] [master]
-> % curl --include -sk -b "PHPSESSID=${apiuserSession}" 'https://192.168.0.150:12345/system_restapi_key.php' | grep -iE 'HTTP/|location: '
HTTP/2 302 
location: /index.php
cclare@localhost [11:42:24] [~/GitProjects/pfsense-api] [master]
-> % curl --include -sk -b "PHPSESSID=${apiuserSession}" 'https://192.168.0.150:12345/status_logs.php' | grep -iE 'HTTP/|location: '
HTTP/2 200 

To replicate the issue:

• As an admin, create a user with the above permissions (all REST API permissions, WebCfg - Dashboard (All), and WebCfg - Status: Logs: System
• Log in as the created user
• Attempt to navigate to System > REST API. It will not appear in the menu, and attempts to hit the URLs directly are 302'd back to the home page.
• Attempt to Navigate to Status > System Logs. This page will work without issue

[jaredhendrickson13]

Got it, I am able to reproduce that. I'll take a deeper look this week and see what's going on. The web UI permissions are completely handled by the pfSense package system so it's likely something's not linking up with the package like it used to.

[jaredhendrickson13]

A fix for this is in v2.3.5. I will note that the REST API menu will only show up in the 'System' dropdown menu if the user holds the 'WebCfg - System: RESTAPI Settings' privilege. This is because pfSense only checks if the user has privileges to access the first tab in the page when determining what options should be displayed in those drop down menus. Users will still be able to access the pages of other tabs like Keys and Access Lists through their URLs directly however (assuming they have privileges to those pages).