From 84f0bcdbdb182c104c07b1170daf8a4927655253 Mon Sep 17 00:00:00 2001
From: Franco Fichtner <franco@opnsense.org>
Date: Thu, 9 Mar 2023 10:24:25 +0100
Subject: [PATCH] firmware: actually extract the subscription from the mirror
 #4881

We do not use it very often and almost all mandatory reads are done
via opnsense-update which figures this out differently.
---
 src/etc/inc/system.inc                        | 19 +++++++++++++------
 .../OPNsense/Core/Api/FirmwareController.php  |  5 -----
 .../mvc/app/models/OPNsense/Core/Firmware.php | 10 ++--------
 .../OPNsense/Core/Migrations/M1_0_0.php       |  4 ++++
 .../OPNsense/Core/Migrations/M1_0_1.php       |  7 ++++++-
 .../mvc/app/views/OPNsense/Core/firmware.volt |  2 +-
 .../OPNsense/Filter/filter_geoip.conf         |  4 ++--
 src/sbin/opnsense-version                     |  3 +--
 8 files changed, 29 insertions(+), 25 deletions(-)

diff --git a/src/etc/inc/system.inc b/src/etc/inc/system.inc
index 2e358a06f..b9a9a46d9 100644
--- a/src/etc/inc/system.inc
+++ b/src/etc/inc/system.inc
@@ -763,9 +763,21 @@ function system_firmware_configure($verbose = false)
 
     /* calculate the effective ABI */
     $args = [ exec_safe('-A %s', shell_safe('opnsense-version -x')) ];
+    $url_sub = '';
+
+    if (!empty($config['system']['firmware']['subscription'])) {
+        /*
+         * Append the url now that it is not in the mirror anymore.
+         * This only ever works if the mirror is set to a non-default.
+         */
+        $url_sub = '/' . $config['system']['firmware']['subscription'];
+    } else {
+        /* clear the license file when no subscription key is set */
+        @unlink('/usr/local/opnsense/version/core.license');
+    }
 
     if (!empty($config['system']['firmware']['mirror'])) {
-        $args[] = exec_safe('-m %s', str_replace('/', '\/', $config['system']['firmware']['mirror']));
+        $args[] = exec_safe('-m %s', str_replace('/', '\/', $config['system']['firmware']['mirror'] . $url_sub));
     }
 
     if (!empty($config['system']['firmware']['flavour'])) {
@@ -775,11 +787,6 @@ function system_firmware_configure($verbose = false)
     /* rewrite the config via the defaults and possible arguments */
     mwexec('/usr/local/sbin/opnsense-update -sd ' . join(' ', $args));
 
-    /* clear the license file when no subscription key is set */
-    if (empty(shell_safe('/usr/local/sbin/opnsense-update -K'))) {
-        @unlink('/usr/local/opnsense/version/core.license');
-    }
-
     service_log("done.\n", $verbose);
 }
 
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Core/Api/FirmwareController.php b/src/opnsense/mvc/app/controllers/OPNsense/Core/Api/FirmwareController.php
index e0cef3a60..4a2c68da5 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Core/Api/FirmwareController.php
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Core/Api/FirmwareController.php
@@ -1019,11 +1019,6 @@ class FirmwareController extends ApiMutableModelControllerBase
             return $response;
         }
 
-        if (!empty((string)$mdl->subscription)) {
-            /* append subscription */
-            $mdl->mirror = (string)$mdl->mirror . '/' . (string)$mdl->subscription;
-        }
-
         $response['status'] = 'ok';
         $this->save();
 
diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/Firmware.php b/src/opnsense/mvc/app/models/OPNsense/Core/Firmware.php
index ae3e8def5..ac2f56c96 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Core/Firmware.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/Firmware.php
@@ -113,17 +113,11 @@ class Firmware extends BaseModel
     {
         $validOptions = $this->getRepositoryOptions();
 
-        /* XXX for now make sure the subscription is removed if given */
-        $mirror_stripped = (string)$this->mirror;
-        if (!empty((string)$this->subscription)) {
-            $mirror_stripped = str_replace('/' . (string)$this->subscription, '', $mirror_stripped);
-        }
-
         /* standard model validations */
         $messages = parent::performValidation($validateFullModel);
 
         /* extended validations */
-        if (!$validOptions['mirrors_allow_custom'] && !isset($validOptions['mirrors'][$mirror_stripped])) {
+        if (!$validOptions['mirrors_allow_custom'] && !isset($validOptions['mirrors'][(string)$this->mirror])) {
             $messages->appendMessage(new Message(gettext('Unable to set invalid firmware mirror'), 'mirror'));
         }
         if (!$validOptions['flavours_allow_custom'] && !isset($validOptions['flavours'][(string)$this->flavour])) {
@@ -132,7 +126,7 @@ class Firmware extends BaseModel
         if (!isset($validOptions['families'][(string)$this->type])) {
             $messages->appendMessage(new Message(gettext('Unable to set invalid firmware release type'), 'type'));
         }
-        if (in_array($mirror_stripped, $validOptions['mirrors_has_subscription'])) {
+        if (in_array((string)$this->mirror, $validOptions['mirrors_has_subscription'])) {
             if (!preg_match('/^[a-z0-9]{8}(-[a-z0-9]{4}){3}-[a-z0-9]{12}$/i', (string)$this->subscription)) {
                 $messages->appendMessage(new Message(gettext('A valid subscription is required for this firmware mirror'), 'subscription'));
             }
diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/Migrations/M1_0_0.php b/src/opnsense/mvc/app/models/OPNsense/Core/Migrations/M1_0_0.php
index a4c61da4c..2a18569a2 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Core/Migrations/M1_0_0.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/Migrations/M1_0_0.php
@@ -29,6 +29,7 @@
 namespace OPNsense\Core\Migrations;
 
 use OPNsense\Base\BaseModelMigration;
+use OPNsense\Core\Firmware;
 
 class M1_0_0 extends BaseModelMigration
 {
@@ -38,6 +39,9 @@ class M1_0_0 extends BaseModelMigration
      */
     public function run($model)
     {
+        if (!($model instanceof Firmware)) {
+            return;
+        }
         if ((empty((string)$model->type) || (string)$model->type == 'devel') && !empty((string)$model->mirror)) {
             $is_business = strpos((string)$model->mirror, 'opnsense-update.deciso.com') !== false;
             if ($is_business) {
diff --git a/src/opnsense/mvc/app/models/OPNsense/Core/Migrations/M1_0_1.php b/src/opnsense/mvc/app/models/OPNsense/Core/Migrations/M1_0_1.php
index bc591bef6..6d132a7aa 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Core/Migrations/M1_0_1.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Core/Migrations/M1_0_1.php
@@ -29,15 +29,19 @@
 namespace OPNsense\Core\Migrations;
 
 use OPNsense\Base\BaseModelMigration;
+use OPNsense\Core\Firmware;
 
 class M1_0_1 extends BaseModelMigration
 {
     /**
-     * Migrate BE release type
+     * Migrate subscription and remove old flavour types
      * @param $model
      */
     public function run($model)
     {
+        if (!($model instanceof Firmware)) {
+            return;
+        }
         if (in_array((string)$model->flavour, ['latest', 'libressl'])) {
             $model->flavour = null;
         }
@@ -46,6 +50,7 @@ class M1_0_1 extends BaseModelMigration
             if ($is_business) {
                 $url = explode('/', (string)$model->mirror);
                 $model->subscription = array_pop($url);
+                $model->mirror = implode('/', $url);
             }
         }
     }
diff --git a/src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt b/src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt
index f14466eb8..987be1bb1 100644
--- a/src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt
+++ b/src/opnsense/mvc/app/views/OPNsense/Core/firmware.volt
@@ -659,7 +659,7 @@
                 var custom_selected = true;
                 $.each(firmwareoptions.mirrors, function(key, value) {
                     var selected = false;
-                    if ((key != "" && firmwareconfig['mirror'].indexOf(key) != -1) || key == firmwareconfig['mirror']) {
+                    if (key == firmwareconfig['mirror']) {
                         selected = true;
                         custom_selected = false;
                     }
diff --git a/src/opnsense/service/templates/OPNsense/Filter/filter_geoip.conf b/src/opnsense/service/templates/OPNsense/Filter/filter_geoip.conf
index 7b3eeab41..0ec932d60 100644
--- a/src/opnsense/service/templates/OPNsense/Filter/filter_geoip.conf
+++ b/src/opnsense/service/templates/OPNsense/Filter/filter_geoip.conf
@@ -1,8 +1,8 @@
 [settings]
 {% if not helpers.empty('OPNsense.Firewall.Alias.geoip.url') %}
 url={{OPNsense.Firewall.Alias.geoip.url}}
-{% elif not helpers.empty('system.firmware.mirror') and system.firmware.mirror.find('opnsense-update.deciso.com') > -1 and system.firmware.mirror.count('-') > 3 %}
-url={{system.firmware.mirror}}/GeopIPAlias.zip
+{% elif not helpers.empty('system.firmware.mirror') and system.firmware.mirror.find('opnsense-update.deciso.com') > -1 and no helpers.empty('system.firmware.subscription') %}
+url={{system.firmware.mirror}}/{{system.firmware.subscription}}/GeopIPAlias.zip
 {% else %}
 url=
 {% endif %}
diff --git a/src/sbin/opnsense-version b/src/sbin/opnsense-version
index 6aeb5e110..e533c6c3d 100755
--- a/src/sbin/opnsense-version
+++ b/src/sbin/opnsense-version
@@ -141,8 +141,7 @@ core)
 		target_abi_minor=${product_abi#*.}
 
 		IS_BUSINESS=$(echo ${product_id} | grep -c -- '-business')
-		WANT_BUSINESS=$(${PLUGINCTL} -g system.firmware.mirror | \
-		    grep -c 'opnsense-update\.deciso\.com')
+		WANT_BUSINESS=$(${PLUGINCTL} -g system.firmware.subscription | grep -c '.')
 
 		if [ "${IS_BUSINESS}${WANT_BUSINESS}" = "01" -o ]; then
 			case ${target_abi_minor} in