Added basic OPNsense integration, and fixed PfSense API by changing from X-API-Key and X-API-Secret headers to only x-api-key header (lowercase as specified in v2 API docs)

2026-04-17 05:53:15 +02:00 · 2026-01-14 17:44:56 +01:00
parent 8ed18f2473
commit 325ddc2733
13 changed files with 311 additions and 53 deletions
--- a/internal/integrations/mikrotik.go
+++ b/internal/integrations/mikrotik.go
@@ -97,7 +97,18 @@ func (m *mikrotikIntegration) runCommand(req Request, command string) error {
 	address := net.JoinHostPort(cfg.Host, fmt.Sprintf("%d", port))
 	client, err := ssh.Dial("tcp", address, clientCfg)
 	if err != nil {
-		return fmt.Errorf("failed to connect to mikrotik: %w", err)
+		// Provide more specific error messages for common connection issues
+		if netErr, ok := err.(net.Error); ok {
+			if netErr.Timeout() {
+				return fmt.Errorf("connection to mikrotik at %s timed out: %w", address, err)
+			}
+		}
+		if opErr, ok := err.(*net.OpError); ok {
+			if opErr.Err != nil {
+				return fmt.Errorf("failed to connect to mikrotik at %s: %v (check host, port %d, and network connectivity)", address, opErr.Err, port)
+			}
+		}
+		return fmt.Errorf("failed to connect to mikrotik at %s: %w (check host, port %d, username, and credentials)", address, err, port)
 	}
 	defer client.Close()

--- a/internal/integrations/opnsense.go
+++ b/internal/integrations/opnsense.go
@@ -0,0 +1,128 @@
+package integrations
+
+import (
+	"bytes"
+	"crypto/tls"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/swissmakers/fail2ban-ui/internal/config"
+)
+
+type opnsenseIntegration struct{}
+
+func init() {
+	Register(&opnsenseIntegration{})
+}
+
+func (o *opnsenseIntegration) ID() string {
+	return "opnsense"
+}
+
+func (o *opnsenseIntegration) DisplayName() string {
+	return "OPNsense"
+}
+
+func (o *opnsenseIntegration) Validate(cfg config.AdvancedActionsConfig) error {
+	if cfg.OPNsense.BaseURL == "" {
+		return fmt.Errorf("OPNsense base URL is required")
+	}
+	if cfg.OPNsense.APIKey == "" || cfg.OPNsense.APISecret == "" {
+		return fmt.Errorf("OPNsense API key and secret are required")
+	}
+	if cfg.OPNsense.Alias == "" {
+		return fmt.Errorf("OPNsense alias is required")
+	}
+	return nil
+}
+
+func (o *opnsenseIntegration) BlockIP(req Request) error {
+	if err := o.Validate(req.Config); err != nil {
+		return err
+	}
+	return o.callAPI(req, "add", req.IP)
+}
+
+func (o *opnsenseIntegration) UnblockIP(req Request) error {
+	if err := o.Validate(req.Config); err != nil {
+		return err
+	}
+	return o.callAPI(req, "del", req.IP)
+}
+
+func (o *opnsenseIntegration) callAPI(req Request, action, ip string) error {
+	cfg := req.Config.OPNsense
+
+	// OPNsense uses /api/firewall/alias_util/{action}/{alias_name}
+	apiURL := strings.TrimSuffix(cfg.BaseURL, "/") + fmt.Sprintf("/api/firewall/alias_util/%s/%s", action, cfg.Alias)
+
+	// Request body for OPNsense
+	payload := map[string]string{
+		"address": ip,
+	}
+	data, err := json.Marshal(payload)
+	if err != nil {
+		return fmt.Errorf("failed to encode OPNsense payload: %w", err)
+	}
+
+	httpClient := &http.Client{
+		Timeout: 10 * time.Second,
+	}
+	if cfg.SkipTLSVerify {
+		httpClient.Transport = &http.Transport{
+			TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, // #nosec G402 - user controlled
+		}
+	}
+
+	reqLogger := "OPNsense"
+	if req.Logger != nil {
+		req.Logger("Calling OPNsense API %s action=%s payload=%s", apiURL, action, string(data))
+	}
+
+	httpReq, err := http.NewRequest(http.MethodPost, apiURL, bytes.NewReader(data))
+	if err != nil {
+		return fmt.Errorf("failed to create OPNsense request: %w", err)
+	}
+	httpReq.Header.Set("Content-Type", "application/json")
+
+	// OPNsense uses Basic Auth with API key as username and API secret as password
+	auth := base64.StdEncoding.EncodeToString([]byte(cfg.APIKey + ":" + cfg.APISecret))
+	httpReq.Header.Set("Authorization", "Basic "+auth)
+
+	resp, err := httpClient.Do(httpReq)
+	if err != nil {
+		// Provide more specific error messages for connection issues
+		if netErr, ok := err.(interface {
+			Timeout() bool
+			Error() string
+		}); ok && netErr.Timeout() {
+			return fmt.Errorf("OPNsense API request to %s timed out: %w", apiURL, err)
+		}
+		return fmt.Errorf("OPNsense API request to %s failed: %w (check base URL, network connectivity, and API credentials)", apiURL, err)
+	}
+	defer resp.Body.Close()
+
+	// Read response body for better error messages
+	bodyBytes, _ := io.ReadAll(resp.Body)
+	bodyStr := strings.TrimSpace(string(bodyBytes))
+
+	if resp.StatusCode >= 300 {
+		if bodyStr != "" {
+			return fmt.Errorf("OPNsense API request failed: status %s, response: %s", resp.Status, bodyStr)
+		}
+		return fmt.Errorf("OPNsense API request failed: status %s (check API credentials and alias name)", resp.Status)
+	}
+
+	if req.Logger != nil {
+		req.Logger("%s API call succeeded", reqLogger)
+		if bodyStr != "" {
+			req.Logger("%s API response: %s", reqLogger, bodyStr)
+		}
+	}
+	return nil
+}
--- a/internal/integrations/pfsense.go
+++ b/internal/integrations/pfsense.go
@@ -5,6 +5,7 @@ import (
 	"crypto/tls"
 	"encoding/json"
 	"fmt"
+	"io"
 	"net/http"
 	"strings"
 	"time"
@@ -30,8 +31,8 @@ func (p *pfSenseIntegration) Validate(cfg config.AdvancedActionsConfig) error {
 	if cfg.PfSense.BaseURL == "" {
 		return fmt.Errorf("pfSense base URL is required")
 	}
-	if cfg.PfSense.APIToken == "" || cfg.PfSense.APISecret == "" {
-		return fmt.Errorf("pfSense API token and secret are required")
+	if cfg.PfSense.APIToken == "" {
+		return fmt.Errorf("pfSense API key is required")
 	}
 	if cfg.PfSense.Alias == "" {
 		return fmt.Errorf("pfSense alias is required")
@@ -92,21 +93,38 @@ func (p *pfSenseIntegration) callAPI(req Request, action string, payload map[str
 		return fmt.Errorf("failed to create pfSense request: %w", err)
 	}
 	httpReq.Header.Set("Content-Type", "application/json")
-	httpReq.Header.Set("X-API-Key", cfg.APIToken)
-	httpReq.Header.Set("X-API-Secret", cfg.APISecret)
+	// pfSense REST API v2 uses KeyAuth with x-api-key header only
+	httpReq.Header.Set("x-api-key", cfg.APIToken)

 	resp, err := httpClient.Do(httpReq)
 	if err != nil {
-		return fmt.Errorf("pfSense request failed: %w", err)
+		// Provide more specific error messages for connection issues
+		if netErr, ok := err.(interface {
+			Timeout() bool
+			Error() string
+		}); ok && netErr.Timeout() {
+			return fmt.Errorf("pfSense API request to %s timed out: %w", apiURL, err)
+		}
+		return fmt.Errorf("pfSense API request to %s failed: %w (check base URL, network connectivity, and API credentials)", apiURL, err)
 	}
 	defer resp.Body.Close()

+	// Read response body for better error messages
+	bodyBytes, _ := io.ReadAll(resp.Body)
+	bodyStr := strings.TrimSpace(string(bodyBytes))
+
 	if resp.StatusCode >= 300 {
-		return fmt.Errorf("pfSense request failed: status %s", resp.Status)
+		if bodyStr != "" {
+			return fmt.Errorf("pfSense API request failed: status %s, response: %s", resp.Status, bodyStr)
+		}
+		return fmt.Errorf("pfSense API request failed: status %s (check API credentials and alias name)", resp.Status)
 	}

 	if req.Logger != nil {
 		req.Logger("%s API call succeeded", reqLogger)
+		if bodyStr != "" {
+			req.Logger("%s API response: %s", reqLogger, bodyStr)
+		}
 	}
 	return nil
 }