Module: Shells::PfSenseCommon

Included in:

PfSenseSerialSession, PfSenseSshSession

Defined in:

lib/shells/pf_sense_common.rb

Overview

Common functionality for interacting with a pfSense device.

Defined Under Namespace

Classes: MenuNavigationFailure, PublicKeyInvalid, PublicKeyNotFound, RestartNow, UserNotFound

Constant Summary

BASE_SHELL =

The base shell used when possible.

'/bin/sh'

PF_SHELL =

The pfSense shell itself.

'/usr/local/sbin/pfSsh.php'

PF_PROMPT =

The prompt in the pfSense shell.

'pfSense shell:'

Instance Attribute Summary

• #pf_sense_host ⇒ Object

  Gets the hostname of the pfSense device.

• #pf_sense_user ⇒ Object

  Gets the user currently logged into the pfSense device.

• #pf_sense_version ⇒ Object

  Gets the version of the pfSense firmware.

Class Method Summary

• .included(base) ⇒ Object

  :nodoc:.

Instance Method Summary

• #apply_filter_config ⇒ Object

  Apply the firewall configuration.

• #apply_user_config(user_id) ⇒ Object

  Applies the user configuration for the specified user.

• #config_parsed? ⇒ Boolean

  Determines if the configuration has been parsed during this session.

• #enable_cert_auth(public_key = '~/.ssh/id_rsa.pub') ⇒ Object

  Enabled public key authentication for the current pfSense user.

• #exec_prompt(&block) ⇒ Object

  :nodoc:.

• #exec_shell(&block) ⇒ Object

  :nodoc:.

• #get_config_section(section_name) ⇒ Object

  Gets a configuration section from the pfSense device.

• #line_ending ⇒ Object

  :nodoc:.

• #parse_config ⇒ Object

  Reloads the pfSense configuration on the device.

• #pf_exec(*commands) ⇒ Object

  Executes a series of commands on the pfSense shell.

• #quit ⇒ Object

  Exits the shell session immediately.

• #reboot ⇒ Object

  Exits the shell session immediately and requests a reboot of the pfSense device.

• #set_config_section(section_name, values, message = '') ⇒ Object

  Sets a configuration section to the pfSense device.

• #validate_options ⇒ Object

  :nodoc:.

Instance Attribute Details

#pf_sense_host ⇒ Object

Gets the hostname of the pfSense device.

# File 'lib/shells/pf_sense_common.rb', line 63

def pf_sense_host
  @pf_sense_host
end

#pf_sense_user ⇒ Object

Gets the user currently logged into the pfSense device.

# File 'lib/shells/pf_sense_common.rb', line 59

def pf_sense_user
  @pf_sense_user
end

#pf_sense_version ⇒ Object

Gets the version of the pfSense firmware.

# File 'lib/shells/pf_sense_common.rb', line 55

def pf_sense_version
  @pf_sense_version
end

Class Method Details

.included(base) ⇒ Object

:nodoc:

# File 'lib/shells/pf_sense_common.rb', line 70

def self.included(base)  #:nodoc:

  # Trap the RestartNow exception.
  # When encountered, change the :quit option to '/sbin/reboot'.
  # This requires rewriting the @options instance variable since the hash is frozen
  # after initial validation.
  base.on_exception do |shell, ex|
    if ex.is_a?(Shells::PfSenseCommon::RestartNow)
      shell.send(:change_quit, '/sbin/reboot')
      true
    else
      false
    end
  end

end

Instance Method Details

#apply_filter_config ⇒ Object

Apply the firewall configuration.

You need to apply the firewall configuration after you make changes to aliases, NAT rules, or filter rules.

# File 'lib/shells/pf_sense_common.rb', line 201

def apply_filter_config
  pf_exec(
      'require_once("shaper.inc");',
      'require_once("filter.inc");',
      'filter_configure_sync();'
  )
end

#apply_user_config(user_id) ⇒ Object

Applies the user configuration for the specified user.

# File 'lib/shells/pf_sense_common.rb', line 211

def apply_user_config(user_id)
  user_id = user_id.to_i
  pf_exec(
      'require_once("auth.inc");',
      "$user_entry = $config[\"system\"][\"user\"][#{user_id}];",
      '$user_groups = array();',
      'foreach ($config["system"]["group"] as $gidx => $group) {',
      '  if (is_array($group["member"])) {',
      "    if (in_array(#{user_id}, $group[\"member\"])) { $user_groups[] = $group[\"name\"]; }",
      '  }',
      '}',
      # Intentionally run set_groups before and after to ensure group membership gets fully applied.
      'local_user_set_groups($user_entry, $user_groups);',
      'local_user_set($user_entry);',
      'local_user_set_groups($user_entry, $user_groups);'
  )
end

#config_parsed? ⇒ Boolean

Determines if the configuration has been parsed during this session.

Returns:

• (Boolean)

# File 'lib/shells/pf_sense_common.rb', line 165

def config_parsed?
  instance_variable_defined?(:@config_parsed) && instance_variable_get(:@config_parsed)
end

#enable_cert_auth(public_key = '~/.ssh/id_rsa.pub') ⇒ Object

Enabled public key authentication for the current pfSense user.

Once this has been done you should be able to connect without using a password.

Raises:

• (Shells::PfSenseCommon::UserNotFound)

# File 'lib/shells/pf_sense_common.rb', line 233

def enable_cert_auth(public_key = '~/.ssh/id_rsa.pub')
  cert_regex = /^ssh-[rd]sa (?:[A-Za-z0-9+\/]{4})*(?:[A-Za-z0-9+\/]{2}==|[A-Za-z0-9+\/]{3}=)? \S*$/m

  # get our cert unless the user provided a full cert for us.
  unless public_key =~ cert_regex
    public_key = File.expand_path(public_key)
    if File.exist?(public_key)
      public_key = File.read(public_key).to_s.strip
    else
      raise Shells::PfSenseCommon::PublicKeyNotFound
    end
    raise Shells::PfSenseCommon::PublicKeyInvalid unless public_key =~ cert_regex
  end

  cfg = get_config_section 'system'
  user_id = nil
  user_name = options[:user].downcase
  cfg['user'].each_with_index do |user,index|
    if user['name'].downcase == user_name
      user_id = index

      authkeys = Base64.decode64(user['authorizedkeys'].to_s).gsub("\r\n", "\n").strip
      unless authkeys == '' || authkeys =~ cert_regex
        warn "Existing authorized keys for user #{options[:user]} are invalid and are being reset."
        authkeys = ''
      end

      if authkeys == ''
        user['authorizedkeys'] = Base64.strict_encode64(public_key)
      else
        authkeys = authkeys.split("\n")
        unless authkeys.include?(public_key)
          authkeys << public_key unless authkeys.include?(public_key)
          user['authorizedkeys'] = Base64.strict_encode64(authkeys.join("\n"))
        end
      end

      break
    end
  end


  raise Shells::PfSenseCommon::UserNotFound unless user_id

  set_config_section 'system', cfg, "Enable certificate authentication for #{options[:user]}."

  apply_user_config user_id
end

#exec_prompt(&block) ⇒ Object

:nodoc:

# File 'lib/shells/pf_sense_common.rb', line 137

def exec_prompt(&block) #:nodoc:
  debug 'Initializing pfSense shell...'
  exec '/usr/local/sbin/pfSsh.php', command_timeout: 5
  begin
    block.call
  ensure
    debug 'Quitting pfSense shell...'
    send_data 'exit' + line_ending
  end
end

#exec_shell(&block) ⇒ Object

:nodoc:

# File 'lib/shells/pf_sense_common.rb', line 98

def exec_shell(&block) #:nodoc:
  super do
    # We want to drop to the shell before executing the block.
    # So we'll navigate the menu to get the option for the shell.
    # For this first navigation we allow a delay only if we are not connected to a serial device.
    # Serial connections are always on, so they don't need to initialize first.
    menu_option = get_menu_option 'Shell', !(Shells::SerialSession > self.class)
    raise MenuNavigationFailure unless menu_option

    # For 2.3 and 2.4 this is a valid match.
    # If future versions change the default prompt, we need to change our process.
    # [VERSION][USER@HOSTNAME]/root:  where /root is the current dir.
    shell_regex = /\[(?<VER>[^\]]*)\]\[(?<USERHOST>[^\]]*)\](?<CD>\/.*):\s*$/

    # Now we execute the menu option and wait for the shell_regex to match.
    temporary_prompt(shell_regex) do
      exec menu_option.to_s, command_timeout: 5

      # Once we have a match we should be able to repeat it and store the information from the shell.
      data = prompt_match.match(combined_output)
      self.pf_sense_version = data['VER']
      self.pf_sense_user, _, self.pf_sense_host = data['USERHOST'].partition('@')
    end

    block.call

    # Wait for the shell_regex to match again.
    temporary_prompt(shell_regex) { wait_for_prompt nil, 4, false }

    # Exit the shell to return to the menu.
    send_data 'exit' + line_ending

    # After the block we want to know what the Logout option is and we change the quit command to match.
    menu_option = get_menu_option 'Logout'
    raise MenuNavigationFailure unless menu_option
    change_quit menu_option.to_s
  end
end

#get_config_section(section_name) ⇒ Object

Gets a configuration section from the pfSense device.

# File 'lib/shells/pf_sense_common.rb', line 171

def get_config_section(section_name)
  parse_config unless config_parsed?
  JSON.parse pf_exec("echo json_encode($config[#{section_name.to_s.inspect}]);").strip
end

#line_ending ⇒ Object

:nodoc:

# File 'lib/shells/pf_sense_common.rb', line 66

def line_ending #:nodoc:
  "\n"
end

#parse_config ⇒ Object

Reloads the pfSense configuration on the device.

# File 'lib/shells/pf_sense_common.rb', line 158

def parse_config
  pf_exec 'parse_config(true);'
  @config_parsed = true
end

#pf_exec(*commands) ⇒ Object

Executes a series of commands on the pfSense shell.

# File 'lib/shells/pf_sense_common.rb', line 150

def pf_exec(*commands)
  ret = ''
  commands.each { |cmd| ret += exec(cmd) }
  ret + exec('exec')
end

#quit ⇒ Object

Exits the shell session immediately.

Raises:

• (Shells::SessionCompleted)

# File 'lib/shells/pf_sense_common.rb', line 292

def quit
  raise Shells::SessionCompleted if session_complete?
  raise Shells::ShellBase::QuitNow
end

#reboot ⇒ Object

Exits the shell session immediately and requests a reboot of the pfSense device.

Raises:

• (Shells::SessionCompleted)

# File 'lib/shells/pf_sense_common.rb', line 285

def reboot
  raise Shells::SessionCompleted if session_complete?
  raise Shells::PfSenseCommon::RestartNow
end

#set_config_section(section_name, values, message = '') ⇒ Object

Sets a configuration section to the pfSense device.

Returns the number of changes made to the configuration.

# File 'lib/shells/pf_sense_common.rb', line 180

def set_config_section(section_name, values, message = '')
  current_values = get_config_section(section_name)
  changes = generate_config_changes("$config[#{section_name.to_s.inspect}]", current_values, values)
  if changes&.any?
    if message.to_s.strip == ''
      message = "Updating #{section_name} section."
    end
    changes << "write_config(#{message.inspect});"

    pf_exec(*changes)

    (changes.size - 1)
  else
    0
  end
end

#validate_options ⇒ Object

:nodoc:

# File 'lib/shells/pf_sense_common.rb', line 87

def validate_options  #:nodoc:
  super
  options[:shell] = :shell
  options[:prompt] = 'pfSense shell:'
  options[:quit] = 'exit'
  options[:retrieve_exit_code] = false
  options[:on_non_zero_exit_code] = :ignore
  options[:override_set_prompt] = ->(sh) { true }
  options[:override_get_exit_code] = ->(sh) { 0 }
end