From a425eed175fe2a7ee6a3b5f3aa7fe06c9e161ce1 Mon Sep 17 00:00:00 2001 From: Franco Fichtner Date: Thu, 18 Nov 2021 08:45:25 +0100 Subject: [PATCH] xmlrpc: support authentication using API keys authenticate_user() is not being called by anyone else so move it to xmlrpc.php and extend it to allow for API keys to work. Since the authentication in this page is always bound to local credentials it makes sense to extend the user-based access with the API key-based access as they don't get in the way of each other. PR: https://github.com/travisghansen/hass-opnsense/discussions/6
---
 src/etc/inc/auth.inc | 11 -----------
 src/www/xmlrpc.php | 28 ++++++++++++++++++++++++----
 2 files changed, 24 insertions(+), 15 deletions(-)
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 4d190e6be..5966ef05f 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -815,14 +815,3 @@ function get_authenticator($authcfg = null)
 $authFactory = new OPNsense\Auth\AuthenticationFactory();
 return $authFactory->get($authName);
 }
-
-function authenticate_user($username, $password, $authcfg = null)
-{
- $authenticator = get_authenticator($authcfg);
- if ($authenticator != null) {
- return $authenticator->authenticate($username, $password);
- } else {
- log_error('Unable to retrieve authenticator for ' . $username);
- return false;
- }
-}
diff --git a/src/www/xmlrpc.php b/src/www/xmlrpc.php
index 2da4f8410..1149e306f 100644
--- a/src/www/xmlrpc.php
+++ b/src/www/xmlrpc.php
@@ -1,7 +1,7 @@ = 2) { $userinfo= explode(':', base64_decode($tags[1]), 2); if (count($userinfo) == 2) { - if (authenticate_user($userinfo[0], $userinfo[1])) { + $username = authenticate_user($userinfo[0], $userinfo[1]); + if ($username !== false) { $aclObj = new \OPNsense\Core\ACL(); - return $aclObj->isPageAccessible($userinfo[0], '/xmlrpc.php'); + return $aclObj->isPageAccessible($username, '/xmlrpc.php'); } } } - // not authenticated + /* not authenticated */ return false; } +function authenticate_user($username, $password) +{ + $authFactory = new OPNsense\Auth\AuthenticationFactory(); + + foreach(['Local Database', 'Local API'] as $authName) { + $authenticator = $authFactory->get($authName); + if ($authenticator != null && $authenticator->authenticate($username, $password)) { + $authResult = $authenticator->getLastAuthProperties(); + if (array_key_exists('username', $authResult)) { + $username = $authResult['username']; + } + return $username; + } + } + + log_error('Unable to retrieve authenticator for ' . $username); + + return false; +} /** * Simple XML-RPC server using IXR_Library
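Review bot: The `log_error('Unable to retrieve authenticator for ' . $username)` call at the end of the new authenticate_user() now runs on every failed login, not only when an authenticator is missing, so the log misreports ordinary bad credentials as a backend problem. The value appended is the client-supplied Basic-auth user field, which after this change may be an API key, so failed attempts would write key identifiers and arbitrary caller-chosen text into the log. I would report the two cases separately: a missing backend inside the loop as `log_error('xmlrpc: authenticator ' . $authName . ' unavailable');` and a plain `log_error('xmlrpc: authentication failed');` after it, without echoing the supplied credential. The start of this hunk is truncated on the page, so the calling function is only partly visible and the caller-side handling could not be checked.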