chore(FreeRADIUSClient): cleanup FreeRADIUSClient model

jaredhendrickson13 · jaredhendrickson13 · commit 15ab63c586d1 · 2025-07-19T20:07:02.000-06:00
diff --git a/pfSense-pkg-RESTAPI/files/usr/local/pkg/RESTAPI/Models/FreeRADIUSClient.inc b/pfSense-pkg-RESTAPI/files/usr/local/pkg/RESTAPI/Models/FreeRADIUSClient.inc
@@ -5,83 +5,77 @@ namespace RESTAPI\Models;
 require_once 'RESTAPI/autoloader.inc';
 
 use RESTAPI\Core\Model;
-use RESTAPI\Fields\Base64Field;
 use RESTAPI\Fields\BooleanField;
-use RESTAPI\Fields\ForeignModelField;
 use RESTAPI\Fields\IntegerField;
 use RESTAPI\Fields\PortField;
-use RESTAPI\Fields\ObjectField;
 use RESTAPI\Fields\StringField;
-use RESTAPI\Responses\ConflictError;
 use RESTAPI\Responses\ValidationError;
-use RESTAPI\Responses\ServerError;
-use RESTAPI\Validators\HostnameValidator;
 use RESTAPI\Validators\IPAddressValidator;
 use RESTAPI\Validators\RegexValidator;
 
 /**
- * Defines a Model that represents FreeRADIUS Interfaces
+ * Defines a Model that represents FreeRADIUS Clients
  */
 class FreeRADIUSClient extends Model {
     public StringField $addr;
     public PortField $port;
     public StringField $type;
-    public StringField $ipv;
+    public StringField $ip_version;
     public StringField $description;
+    public StringField $shortname;
+    public StringField $secret;
+    public StringField $proto;
+    public StringField $nastype;
+    public BooleanField $msgauth;
+    public IntegerField $maxconn;
+    public StringField $naslogin;
+    public StringField $naspassword;
 
-    /**
-     *
-     */
     public function __construct(mixed $id = null, mixed $parent_id = null, mixed $data = [], mixed ...$options) {
-        #
         # Set model attributes
-        #
         $this->packages = ['pfSense-pkg-freeradius3'];
         $this->package_includes = ['freeradius.inc'];
         $this->config_path = 'installedpackages/freeradiusclients/config';
         $this->many = true;
         $this->always_apply = true;
 
-        #
         # Set model fields
-        #
         $this->addr = new StringField(
-            internal_name: 'varclientip',
             required: true,
             unique: true,
+            internal_name: 'varclientip',
             validators: [new IPAddressValidator(allow_ipv4: true, allow_ipv6: true)],
-            help_text: 'The IP address or network of the RADIUS client(s) in CIDR notation. This is the IP of the NAS (switch, access point, firewall, router, etc.)',
+            help_text: 'The IP address or network of the RADIUS client(s) in CIDR notation. This is the IP of the ' .
+                'NAS (switch, access point, firewall, router, etc.)',
         );
-        $this->ipv = new StringField(
-            internal_name: 'varclientipversion',
-            choices: ['ipaddr', 'ipv6addr'],
-            allow_empty: true,
+        $this->ip_version = new StringField(
             default: 'ipaddr',
+            choices: ['ipaddr', 'ipv6addr'],
+            internal_name: 'varclientipversion',
             help_text: 'The IP version of the this Client.',
         );
         $this->shortname = new StringField(
-            internal_name: 'varclientshortname',
             required: true,
-            allow_null: false,
+            internal_name: 'varclientshortname',
             help_text: 'A short name for the client. This is generally the hostname of the NAS.',
         );
         $this->secret = new StringField(
-            internal_name: 'varclientsharedsecret',
             required: true,
             sensitive: true,
-            allow_empty: false,
-            help_text: 'This is the shared secret (password) which the NAS (switch, accesspoint, etc.) needs to communicate with the RADIUS server.',
+            maximum_length: 31,
+            internal_name: 'varclientsharedsecret',
+            help_text: 'This is the shared secret (password) which the NAS (switch, accesspoint, etc.) needs to ' .
+                'communicate with the RADIUS server.',
         );
 
         $this->proto = new StringField(
-            internal_name: 'varclientproto',
-            choices: ['udp', 'tcp'],
-            allow_empty: true,
             default: 'udp',
-            help_text: 'The protocol the client uses. (Default: udp)',
+            choices: ['udp', 'tcp'],
+            internal_name: 'varclientproto',
+            help_text: 'The protocol the client uses.',
         );
         $this->nastype = new StringField(
-            internal_name: 'varclientnastype',
+            default: 'other',
             choices: [
                 'cisco',
                 'cvx',
@@ -96,41 +90,45 @@ class FreeRADIUSClient extends Model {
                 'other',
             ],
             allow_empty: true,
-            default: 'other',
-            help_text: 'The NAS type of the client. This is used by checkrad.pl for simultaneous use checks. (Default: other)',
+            internal_name: 'varclientnastype',
+            help_text: 'The NAS type of the client. This is used by checkrad.pl for simultaneous use checks.',
         );
-        $this->msgauth = new StringField(
+        $this->msgauth = new BooleanField(
+            default: false,
+            indicates_true: 'yes',
+            indicates_false: 'no',
             internal_name: 'varrequiremessageauthenticator',
-            choices: ['yes', 'no'],
-            default: 'no',
-            help_text: 'RFC5080 requires Message-Authenticator in Access-Request. But older NAS (switches or accesspoints) do not include that. (Default: no)',
+            help_text: 'RFC5080 requires Message-Authenticator in Access-Request. But older NAS (switches or ' .
+                'accesspoints) do not include that.',
         );
         $this->maxconn = new IntegerField(
-            internal_name: 'varclientmaxconnections',
+            default: 16,
             minimum: 1,
             maximum: 32,
-            default: 16,
-            help_text: 'Takes only effect if you use TCP as protocol. Limits the number of simultaneous TCP connections from a client. (max=32)',
+            internal_name: 'varclientmaxconnections',
+            help_text: 'Takes only effect if you use TCP as protocol. Limits the number of simultaneous TCP 
+                connections from a client.',
         );
         $this->naslogin = new StringField(
-            internal_name: 'varclientlogininput',
-            allow_empty: true,
             default: '',
-            help_text: 'If supported by your NAS, you can use SNMP or finger for simultaneous-use checks instead of (s)radutmp file and accounting.  Leave empty to choose (s)radutmp. (Default: empty) ',
+            allow_empty: true,
+            internal_name: 'varclientlogininput',
+            help_text: 'If supported by your NAS, you can use SNMP or finger for simultaneous-use checks instead of ' .
+                '(s)radutmp file and accounting. Leave empty to choose (s)radutmp.',
         );
         $this->naspassword = new StringField(
-            internal_name: 'varclientpasswordinput',
-            allow_empty: true,
             default: '',
+            allow_empty: true,
             sensitive: true,
-            help_text: 'If supported by your NAS, you can use SNMP or finger for simultaneous-use checks instead of (s)radutmp file and accounting.  Leave empty to choose
-(s)radutmp. (Default: empty) ',
+            internal_name: 'varclientpasswordinput',
+            help_text: 'If supported by your NAS, you can use SNMP or finger for simultaneous-use checks instead of ' .
+                '(s)radutmp file and accounting. Leave empty to choose (s)radutmp.',
         );
 
         $this->description = new StringField(
             required: false,
-            allow_empty: true,
             default: '',
+            allow_empty: true,
             validators: [
                 new RegexValidator(
                     pattern: "/^[a-zA-Z0-9 _,.;:+=()-]*$/",
@@ -144,44 +142,55 @@ class FreeRADIUSClient extends Model {
     }
 
     /**
-     * Perform additional validation on the Model's fields and data.
+     * Perform extra validation on the Model's 'addr' field.
+     * @param string $value The value to validate.
+     * @returns string The validated value.
+     * @throws ValidationError If the value does not match IP version specified in the 'ip_version' field.
      */
-    public function validate_extra(): void {
-        $input_errors = [];
+    public function validate_addr(string $value): string {
+        # Do not allow the value to be an IPv4 address if ip_version is 'ipv6addr'
+        if ($this->addr->has_label('is_ipaddrv4') and $this->ip_version->value === 'ipv6addr') {
+            throw new ValidationError(
+                message: "Field `addr` cannot be an IPv4 address when `ip_version` is set to `ipv6addr`, received `$value`.",
+                response_id: 'FREERADIUS_CLIENT_ADDR_IPV4_NOT_ALLOWED',
+            );
+        }
 
-        /*
-         */
-        $iface_addr = $this->addr->value;
-        if ($iface_addr != '*') {
-            if (is_ipaddrv4($iface_addr)) {
-                $this->ipv->value = 'ipaddr';
-            } elseif (is_ipaddrv6($iface_addr)) {
-                $this->ipv->value = 'ipv6addr';
-            } else {
-                // we don't must be here because Model validator for $this->addr
-                $input_errors[] = "Cann't recognize IP-address={$iface_addr}";
-            }
+        # Do not allow the value to be an IPv6 address if ip_version is 'ipaddr'
+        if ($this->addr->has_label('is_ipaddrv6') and $this->ip_version->value === 'ipaddr') {
+            throw new ValidationError(
+                message: "Field `addr` cannot be an IPv6 address when `ip_version` is set to `ipaddr`, received `$value`.",
+                response_id: 'FREERADIUS_CLIENT_ADDR_IPV6_NOT_ALLOWED',
+            );
         }
 
-        # Run service level validations
-        $client = $this->to_internal();
-        freeradius_validate_clients($iface, $input_errors);
+        return $value;
+    }
 
+    /**
+     * Perform additional validation on the Model's fields and data.
+     */
+    /**
+     * Perform additional validation on the Model's fields and data.
+     */
+    public function validate_extra(): void {
         # If there were validation errors that were not caught by the model fields, throw a ValidationError.
         # Ideally the Model should catch all validation errors itself so prompt the user to report this error
+        $input_errors = [];
+        freeradius_validate_clients($this->to_internal(), $input_errors);
         if (!empty($input_errors)) {
             throw new ValidationError(
                 message: "An unexpected validation error has occurred: $input_errors[0]. Please report this issue at " .
                     'https://github.com/jaredhendrickson13/pfsense-api/issues/new',
-                response_id: 'FREERADIUS_USER_UNEXPECTED_VALIDATION_ERROR',
+                response_id: 'FREERADIUS_CLIENTS_UNEXPECTED_VALIDATION_ERROR',
             );
         }
     }
 
     /**
      * Apply specific action on Client(s)
      */
-    public function apply() {
+    public function apply(): void {
         freeradius_clients_resync();
     }
 }
