Merge branch 'opnsense:master' into route-disable-to-enable

Author: TomWalraven

.github/pull_request_template.md

@@ -0,0 +1,30 @@
+**Important notices**
+
+Before you submit a pull request, we ask you kindly to acknowledge the following:
+
+- [ ] I have read the contributing guidelines at https://github.com/opnsense/core/blob/master/CONTRIBUTING.md
+- [ ] I opened an issue first for non-trivial changes and linked it below.
+- [ ] AI tools were used to create at least part of the code submitted herewith.
+
+If AI was used, please disclose:
+
+- Model used:
+- Extent of AI involvement:
+
+---
+
+**Describe the problem**
+
+A clear and concise description of the problem this pull request addresses.
+
+---
+
+**Describe the proposed solution**
+
+Explain what this pull request changes and why.
+
+---
+
+**Related issue**
+
+If this pull request relates to an issue, link it here.

plist

@@ -640,6 +640,7 @@
 /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/IPPortField.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/IntegerField.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/InterfaceField.php
+/usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/JsonField.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/JsonKeyValueStoreField.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/LegacyLinkField.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Base/FieldTypes/MacAddressField.php

src/opnsense/mvc/app/controllers/OPNsense/Core/Api/DashboardController.php

@@ -105,7 +105,7 @@ public function getDashboardAction()
         $dashboard = null;
 
         if (($node = $this->usermdl->getUserByName($this->getUserName())) !== null) {
-            $dashboard = json_decode(base64_decode($node->dashboard->getValue()), true);
+            $dashboard = $node->dashboard->deserialize();
         }
 
         if (empty($dashboard)) {
@@ -160,12 +160,10 @@ public function saveWidgetsAction()
     {
         $result = ['result' => 'failed'];
         if ($this->request->isPost() && $this->request->hasPost('widgets')) {
-            $dashboard = json_encode($this->request->getPost());
-            if (strlen($dashboard) > (1024 * 1024)) {
-                // prevent saving large blobs of data
-                throw new UserException(gettext("Dashboard size limit reached"));
-            } elseif (($node = $this->usermdl->getUserByName($this->getUserName())) !== null) {
-                $node->dashboard = base64_encode($dashboard);
+            if (($node = $this->usermdl->getUserByName($this->getUserName())) !== null) {
+                if (!$node->dashboard->serialize($this->request->getPost())) {
+                    throw new UserException(gettext("Dashboard size limit reached"));
+                }
                 if ($this->usermdl->serializeToConfig(false, true)) {
                     /* selectively save dashboard property, ignoring user-config-readonly when set */
                     Config::getInstance()->save();
@@ -184,7 +182,6 @@ public function restoreDefaultsAction()
         if ($this->request->isPost() && ($node = $this->usermdl->getUserByName($this->getUserName())) !== null) {
             $node->dashboard = '';
             $config = Config::getInstance()->object();
-            $name = $this->getUserName();
             if ($this->usermdl->serializeToConfig(false, true)) {
                 /* selectively reset dashboard property, ignoring user-config-readonly when set */
                 Config::getInstance()->save();

src/opnsense/mvc/app/controllers/OPNsense/Firewall/Api/FilterController.php

@@ -98,36 +98,16 @@ public function searchRuleAction()
                 }
             }
         }
-
-        /* filter logic for mvc rules */
-        $filter_funct_mvc = function ($record) use ($categories, $interfaces, $show_all) {
-            $is_cat = empty($categories) || array_intersect(explode(',', $record->categories), $categories);
-            $rule_interfaces = $record->interface->getValues();
-
-            // ALL rules, skip interface logic entirely
-            if ($interfaces === null) {
-                return $is_cat;
-            }
-
-            if (!$record->interfacenot->isEmpty()) {
-                $if_intersects = !array_intersect($interfaces, $rule_interfaces); /* All but interface */
-            } else {
-                $if_intersects = array_intersect($interfaces, $rule_interfaces);
-            }
-
-            if (empty($interfaces)) {
-                $is_if = count($rule_interfaces) != 1 || !$record->interfacenot->isEmpty();
-            } elseif ($show_all) {
-                $is_if = $if_intersects || empty($rule_interfaces);
-            } elseif (!$record->interfacenot->isEmpty()) {
-                // Exclude as it should only be returned with show_all
-                $is_if = false;
-            } else {
-                // Include only an exact match, not a partial overlap
-                $is_if = $if_intersects && (count($interfaces) == count($rule_interfaces));
+        /* extract all mvc records so we can filter and sort all at once */
+        $allrules = [];
+        foreach ($this->getModel()->rules->rule->iterateItems() as $uuid => $record) {
+            $row = ['uuid' => $record->getAttributes()['uuid']];
+            $reflen = strlen($record->__reference) + 1;
+            foreach ($record->getFlatNodes() as $key => $val) {
+                $row[substr($key, $reflen)] = $val->getValue();
             }
-            return $is_cat && $is_if;
-        };
+            $allrules[] = $row;
+        }
 
         if ($show_all) {
             /* only query stats when fill info is requested */
@@ -136,39 +116,25 @@ public function searchRuleAction()
             $rule_stats = [];
         }
 
-
-        $filter_funct_rs  = function (&$record) use ($categories, $interfaces, $rule_stats) {
-            /* always merge stats when found */
-            if (!empty($record['uuid']) && !empty($rule_stats[$record['uuid']])) {
-                $record = array_merge($record, $rule_stats[$record['uuid']]);
-            }
-            /* frontend can format aliases with an alias icon */
-            foreach (['source_net','source_port','destination_net','destination_port'] as $field) {
-                if (!empty($record[$field])) {
-                    $record["alias_meta_{$field}"] = $this->getNetworks($record[$field]);
-                }
-            }
-
-            /* frontend can format categories with colors */
+        $filter_funct_rs = function (&$record) use ($categories, $interfaces, $rule_stats) {
+            /* Filter criteria */
             $r_categories = !empty($record['categories']) ? array_map('trim', explode(',', $record['categories'])) : [];
-            $record['category_colors'] = $this->getCategoryColors($r_categories);
-
-            if (empty($record['legacy'])) {
-                /* mvc already filtered */
-                return true;
-            }
             $is_cat = empty($categories) || array_intersect($r_categories, $categories);
-
-            if (!empty($record['interfacenot'])) {
-                $is_if = !array_intersect(explode(',', $record['interface'] ?? ''), $interfaces ?? []);
+            $rule_interfaces = array_filter(explode(',', $record['interface'] ?? ''));
+            if ($interfaces === null || empty($record['interface'])) {
+                $is_if = true; // ALL interfaces or floating always matches
+            } elseif (!empty($record['interfacenot'])) {
+                $is_if = !array_intersect($rule_interfaces, $interfaces ?? []);
             } else {
-                $is_if = array_intersect(explode(',', $record['interface'] ?? ''), $interfaces ?? []);
+                $is_if = array_intersect($rule_interfaces, $interfaces ?? []);
             }
-            // ALL interfaces or floating always matches
-            $is_if = $is_if || $interfaces === null || empty($record['interface']);
 
-            if ($is_cat && $is_if) {
-                /* translate/convert legacy fields before returning, similar to mvc handling */
+            if (!$is_cat || !$is_if) {
+                return false; /* not reached */
+            }
+
+            /* translate/convert legacy fields before returning, similar to mvc handling */
+            if (!empty($record['legacy'])) {
                 foreach ($this->getLegacyFieldMap() as $topic => $data) {
                     if (!empty($record[$topic])) {
                         $tmp = [];
@@ -178,42 +144,42 @@ public function searchRuleAction()
                         $record[$topic] = implode(',', $tmp);
                     }
                 }
-                // Tag legacy rules as "Automatic generated rules" if they have an empty category
-                if (!empty($record['is_automatic'])) {
-                    $label = gettext('Automatically generated rules');
-                    $record['categories'] = $label;  // Grouping key for tree view
-                    $record['category_colors'] = [['name'  => $label]];  // Category formatter metadata
-                }
+            }
 
-                return true;
-            } else {
-                return false;
+            /* Formatting */
+
+            /* always merge stats when found */
+            if (!empty($record['uuid']) && !empty($rule_stats[$record['uuid']])) {
+                $record = array_merge($record, $rule_stats[$record['uuid']]);
             }
-        };
 
-        /**
-         * XXX: fetch mvc results first, we need to collect all to ensure proper pagination
-         *      as pagination is passed using the request, we need to reset it temporary here as we don't know
-         *      which page we need (yet) and don't want to duplicate large portions of code.
-         **/
-        $ORG_REQ = $_REQUEST;
-        unset($_REQUEST['rowCount']);
-        unset($_REQUEST['current']);
-        if ($show_all) {
-            /* searchBase should not filter here since we later search for IP addresses in aliases */
-            unset($_REQUEST['searchPhrase']);
-        }
-        $filterset = $this->searchBase("rules.rule", null, "sort_order", $filter_funct_mvc)['rows'];
+            // Tag legacy rules as "Automatic generated rules" if they have an empty category
+            if (!empty($record['is_automatic'])) {
+                $label = gettext('Automatically generated rules');
+                $record['categories'] = $label;  // Grouping key for tree view
+                $record['category_colors'] = [['name'  => $label]];  // Category formatter metadata
+            }
+
+            /* frontend can format aliases with an alias icon */
+            foreach (['source_net','source_port','destination_net','destination_port'] as $field) {
+                if (!empty($record[$field])) {
+                    $record["alias_meta_{$field}"] = $this->getNetworks($record[$field]);
+                }
+            }
+
+            /* frontend can format categories with colors */
+            $record['category_colors'] = $this->getCategoryColors($r_categories);
+            return true;
+        };
 
         /* only fetch internal and legacy rules when 'show_all' is set */
         if ($show_all) {
-            $otherrules = json_decode((new Backend())->configdRun('filter list non_mvc_rules'), true) ?? [];
-        } else {
-            $otherrules = [];
+            $allrules = array_merge(
+                $allrules,
+                json_decode((new Backend())->configdRun('filter list non_mvc_rules'), true) ?? []
+            );
         }
 
-        $_REQUEST = $ORG_REQ; /* XXX:  fix me ?*/
-
         $search_clauses = [];
         $backend = new Backend();
         foreach (preg_split('/\s+/', (string)$this->request->getPost('searchPhrase', null, '')) as $token) {
@@ -229,7 +195,7 @@ public function searchRuleAction()
             }
         }
         $result = $this->searchRecordsetBase(
-            array_merge($otherrules, $filterset),
+            $allrules,
             null,
             "sort_order",
             $filter_funct_rs,

src/opnsense/mvc/app/library/OPNsense/Auth/LDAP.php

@@ -392,7 +392,7 @@ public function connect($bind_url, $userdn = null, $password = null, $timeout =
 
     /**
      * search user by name or expression
-     * @param string $username username(s) to search
+     * @param string $username username(s) to search (unescaped ldap search)
      * @param string $userNameAttribute ldap attribute to use for the search
      * @param string|null $extendedQuery additional search criteria (narrow down search)
      * @return array|bool
@@ -405,12 +405,11 @@ public function searchUsers($username, $userNameAttribute, $extendedQuery = null
             // add $userNameAttribute to search results
             $this->addSearchAttribute($userNameAttribute);
             $result = [];
-            $username_safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
             if (empty($extendedQuery)) {
-                $searchResults = $this->search("({$userNameAttribute}={$username_safe})");
+                $searchResults = $this->search("({$userNameAttribute}={$username})");
             } else {
                 // add additional search phrases
-                $searchResults = $this->search("(&({$userNameAttribute}={$username_safe})({$extendedQuery}))");
+                $searchResults = $this->search("(&({$userNameAttribute}={$username})({$extendedQuery}))");
             }
             if ($searchResults !== false) {
                 for ($i = 0; $i < $searchResults["count"]; $i++) {
@@ -509,7 +508,8 @@ protected function _authenticate($username, $password)
         } else {
             // we don't know this users distinguished name, try to find it
             if ($this->connect($this->ldapBindURL, $this->ldapBindDN, $this->ldapBindPassword)) {
-                $result = $this->searchUsers($username, $this->ldapAttributeUser, $this->ldapExtendedQuery);
+                $username_safe = ldap_escape($username, '', LDAP_ESCAPE_FILTER);
+                $result = $this->searchUsers($username_safe, $this->ldapAttributeUser, $this->ldapExtendedQuery);
                 if ($result !== false && count($result) > 0) {
                     $user_dn = $result[0]['dn'];
                     $ldap_is_connected = $this->connect($this->ldapBindURL, $result[0]['dn'], $password);

src/opnsense/mvc/app/library/OPNsense/Auth/Radius.php

@@ -1,7 +1,7 @@
 <?php
 
 /*
- * Copyright (C) 2015 Deciso B.V.
+ * Copyright (C) 2015-2026 Deciso B.V.
  * All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -28,6 +28,8 @@
 
 namespace OPNsense\Auth;
 
+use OPNsense\Firewall\Util;
+
 /**
  * Class Radius connector
  * @package OPNsense\Auth
@@ -69,6 +71,11 @@ class Radius extends Base implements IAuthConnector
      */
     private $callingStationId = null;
 
+    /**
+     * @var string ip addess to use for NAS-IP-Address attribute
+     */
+    private $nasIpAddress = null;
+
     /**
      * @var int timeout to use
      */
@@ -158,15 +165,17 @@ public function getDescription()
     public function setProperties($config)
     {
         // map properties to object
-        $confMap = array('host' => 'radiusHost',
-            'radius_secret' => 'sharedSecret',
-            'radius_timeout' => 'timeout',
-            'radius_auth_port' => 'authPort',
+        $confMap = [
+            'host' => 'radiusHost',
             'radius_acct_port' => 'acctPort',
+            'radius_auth_port' => 'authPort',
+            'radius_nasipaddress' => 'nasIpAddress',
             'radius_protocol' => 'protocol',
+            'radius_secret' => 'sharedSecret',
             'radius_stationid' => 'calledStationId',
-            'refid' => 'nasIdentifier'
-        );
+            'radius_timeout' => 'timeout',
+            'refid' => 'nasIdentifier',
+        ];
 
         // map properties 1-on-1
         foreach ($confMap as $confSetting => $objectProperty) {
@@ -195,6 +204,7 @@ public function setProperties($config)
     public function getConfigurationOptions()
     {
         $options = [];
+
         $options['radius_protocol'] = [];
         $options['radius_protocol']['name'] = gettext('Protocol');
         $options['radius_protocol']['type'] = 'dropdown';
@@ -210,6 +220,19 @@ public function getConfigurationOptions()
                 return [];
             }
         };
+
+        $options['radius_nasipaddress'] = [];
+        $options['radius_nasipaddress']['name'] = gettext('NAS IP address');
+        $options['radius_nasipaddress']['type'] = 'text';
+        $options['radius_nasipaddress']['default'] = '';
+        $options['radius_nasipaddress']['validate'] = function ($value) {
+            if (!empty($value) && !Util::isIpAddress($value)) {
+                return [gettext('Invalid NAS IP address specified')];
+            } else {
+                return [];
+            }
+        };
+
         return $options;
     }
 
@@ -501,18 +524,20 @@ public function authenticate($username, $password)
             $error = radius_strerror($radius);
         } elseif (!radius_put_int($radius, RADIUS_SERVICE_TYPE, RADIUS_LOGIN)) {
             $error = radius_strerror($radius);
-        } elseif (!radius_put_int($radius, RADIUS_FRAMED_PROTOCOL, RADIUS_ETHERNET)) {
+        } elseif (empty($this->nasIpAddress) && !radius_put_int($radius, RADIUS_FRAMED_PROTOCOL, RADIUS_ETHERNET)) {
             $error = radius_strerror($radius);
         } elseif (!radius_put_string($radius, RADIUS_NAS_IDENTIFIER, $this->nasIdentifier)) {
             $error = radius_strerror($radius);
         } elseif (!radius_put_int($radius, RADIUS_NAS_PORT, 0)) {
             $error = radius_strerror($radius);
-        } elseif (!radius_put_int($radius, RADIUS_NAS_PORT_TYPE, RADIUS_ETHERNET)) {
+        } elseif (!radius_put_int($radius, RADIUS_NAS_PORT_TYPE, empty($this->nasIpAddress) ? RADIUS_ETHERNET : RADIUS_VIRTUAL)) {
             $error = radius_strerror($radius);
         } elseif (!empty($this->calledStationId) && !radius_put_string($radius, RADIUS_CALLED_STATION_ID, $this->calledStationId)) {
             $error = radius_strerror($radius);
         } elseif (!empty($this->callingStationId) && !radius_put_string($radius, RADIUS_CALLING_STATION_ID, $this->callingStationId)) {
             $error = radius_strerror($radius);
+        } elseif (!empty($this->nasIpAddress) && !radius_put_addr($radius, RADIUS_NAS_IP_ADDRESS, $this->nasIpAddress)) {
+            $error = radius_stderror($radius);
         } else {
             // Implement extra protocols in this section.
             switch ($this->protocol) {