Feature/newapisystem (hestiacp#2535)

* Adds new API system

* Each key is composed of an identification hash and a secret hash;
* Permission system for keys with command limitation;
* API connection by non-admin users;
* Added /api/v2/ route to not conflict with the old version;
* Option to enable V2 in system settings;
* Management of keys by the panel;
* New keys are saved in the "data/access-keys" directory;
* API settings in "data/api".

* Changes to the new API system

* Merges API routes;
* Renames config index to API_SYSTEM;
* Updates locales;
* Validation to avoid creating a new key when refreshing the page;
* Adds key creation and deletion logs.

* Fixes for Shellcheck

* API changes and fixes

* Changes "disabled" to "readonly" in the fields of list_access_key.html;
* Initializes the api directory in the installer;
* Initialize api directory in 1.6.0 upgrade;
* Changes the API version in the installer;
* Change JS to hide the IPs field only when the 2 API versions are disabled;
* Removes $v_comment variable from the key creation page;
* Keep legacy api enabled for now
* Allow for coded disabled api without lookup if disabled
* Allow enable / disable legacy / new api seperate
* Allow changes to api to enable / disable api for legacy / new api
* Return access_key:access_secret_key for use in bash

Co-authored-by: Jaap Marcus <9754650+jaapmarcus@users.noreply.github.com>

Author: jhmaverick

.gitignore

@@ -15,4 +15,5 @@ test/node_modules/
 npm-debug.log
 .phpunit.result.cache
 .vs
-.nova
+.nova
+/.idea/

bin/v-add-access-key

@@ -0,0 +1,109 @@
+#!/bin/bash
+# info: generate access key
+# options: USER [PERMISSIONS] [COMMENT] [FORMAT]
+#
+# example: v-add-access-key admin v-purge-nginx-cache,v-list-mail-accounts comment json
+#
+# The "PERMISSIONS" argument is optional for the admin user only.
+# This function creates a key file in $HESTIA/data/access-keys/
+
+#----------------------------------------------------------#
+#                Variables & Functions                     #
+#----------------------------------------------------------#
+
+# Argument definition
+user=$1
+permissions=$2
+comment=$3
+format=${4-shell}
+
+# Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
+# shellcheck source=/usr/local/hestia/func/main.sh
+source $HESTIA/func/main.sh
+# load config file
+source_conf "$HESTIA/conf/hestia.conf"
+
+keygen() {
+    local LENGTH=${1:-20}
+    local USE_SPECIAL_CHARACTERS="${2:-no}"
+
+    local MATRIX='0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
+    if [[ "$USE_SPECIAL_CHARACTERS" == "yes" ]]; then
+        MATRIX+='_-+^~=%'
+    fi
+
+    local PASS N
+    while [ ${N:=1} -le $LENGTH ]; do
+        PASS="$PASS${MATRIX:$(($RANDOM%${#MATRIX})):1}"
+        let N+=1
+    done
+
+    echo "$PASS"
+}
+
+access_key_id="$(keygen)"
+secret_access_key="$(keygen 40 yes)"
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
+# Remove whitespace and bin path from permissions
+permissions="$(cleanup_key_permissions "$permissions")"
+
+time_n_date=$(date +'%T %F')
+time=$(echo "$time_n_date" |cut -f 1 -d \ )
+date=$(echo "$time_n_date" |cut -f 2 -d \ )
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+check_args '1' "$#" 'USER [PERMISSIONS] [COMMENT] [FORMAT]'
+is_format_valid 'user'
+is_object_valid 'user' 'USER' "$user"
+is_key_permissions_format_valid "$permissions" "$user"
+if [ -n "$comment" ]; then
+    is_format_valid 'comment'
+fi
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+if [ ! -d "$HESTIA/data/access-keys/" ]; then
+    mkdir -p $HESTIA/data/access-keys/
+    chown root:root $HESTIA/data/access-keys/
+    chmod 750 $HESTIA/data/access-keys/
+fi
+
+if [[ -e "$HESTIA/data/access-keys/${access_key_id}" ]]; then
+    while [[ -e "$HESTIA/data/access-keys/${access_key_id}" ]]; do
+        access_key_id=$(keygen)
+    done
+fi
+
+echo "SECRET_ACCESS_KEY='$secret_access_key'" >"$HESTIA/data/access-keys/${access_key_id}"
+echo "USER='$user'" >>"$HESTIA/data/access-keys/${access_key_id}"
+echo "PERMISSIONS='$permissions'" >>"$HESTIA/data/access-keys/${access_key_id}"
+echo "COMMENT='$comment'" >>"$HESTIA/data/access-keys/${access_key_id}"
+echo "TIME='$time'" >>"$HESTIA/data/access-keys/${access_key_id}"
+echo "DATE='$date'" >>"$HESTIA/data/access-keys/${access_key_id}"
+# TODO Index reserved for future implementation
+echo "EXPIRES_IN=''" >>"$HESTIA/data/access-keys/${access_key_id}"
+echo "IP=''" >>"$HESTIA/data/access-keys/${access_key_id}"
+
+chmod 640 "$HESTIA/data/access-keys/${access_key_id}"
+
+$BIN/v-list-access-key "$access_key_id" "$format"
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+# Logging
+log_history "Access key $access_key_id generated" "Warning" "$user" "API"
+log_event "$OK" "$ARGUMENTS"
+
+exit

bin/v-change-sys-api

@@ -2,15 +2,18 @@
 # info: Enable / Disable API access 
 # options: STATUS 
 #
-# example: v-change-sys-api enable
-#          # Enable API
+# example: v-change-sys-api enable legacy
+#          # Enable legacy api currently default on most of api based systems
+# example: v-change-sys-api enable api
+#          # Enable api
 #
 # example: v-change-sys-api disable
 #          # Disable API
 #
 # Enabled / Disable API
 
 status=$1
+version=$2
 
 # Includes
 # shellcheck source=/etc/hestiacp/hestia.conf
@@ -24,9 +27,8 @@ source_conf "$HESTIA/conf/hestia.conf"
 #                Variables & Functions                     #
 #----------------------------------------------------------#
 
-check_args '1' "$#" "STATUS"
+check_args '1' "$#" "STATUS" "VERSION"
 is_type_valid "enable,disable,remove" "$status"
-
 # Perform verification if read-only mode is enabled
 check_hestia_demo_mode
 
@@ -51,10 +53,12 @@ if [ "$status" = "enable" ]; then
         sed -i 's|die("Error: Disabled");|//die("Error: Disabled");|g' $HESTIA/web/api/index.php
         sed -i 's|////|//|g' $HESTIA/web/api/index.php
     fi
-    $HESTIA/bin/v-change-sys-config-value "API" "yes"
+    if [ "$version" = "legacy" ] || [ "$version" = "all" ]; then $HESTIA/bin/v-change-sys-config-value "API" "yes"; fi
+    if [ "$version" = "api" ] || [ "$version" = "all" ]; then $HESTIA/bin/v-change-sys-config-value "API_SYSTEM" "1"; fi
 else
     $HESTIA/bin/v-change-sys-config-value "API" "no"
     $HESTIA/bin/v-change-sys-config-value "API_ALLOWED_IP" ""
+    $HESTIA/bin/v-change-sys-config-value "API_SYSTEM" "0"
     if [ "$status" != "remove" ]; then
         sed -i 's|//die("Error: Disabled");|die("Error: Disabled");|g' $HESTIA/web/api/index.php
     fi

bin/v-check-access-key

@@ -0,0 +1,114 @@
+#!/bin/bash
+# info: check access key
+# options: ACCESS_KEY_ID SECRET_ACCESS_KEY COMMAND [IP] [FORMAT]
+#
+# example: v-check-access-key key_id secret v-purge-nginx-cache 127.0.0.1 json
+#
+# * Checks if the key exists;
+# * Checks if the secret belongs to the key;
+# * Checks if the key user is suspended;
+# * Checks if the key has permission to run the command.
+
+#----------------------------------------------------------#
+#                Variables & Functions                     #
+#----------------------------------------------------------#
+
+access_key_id="$(basename "$1")"
+secret_access_key=$2
+hst_command=$3
+ip=${4-127.0.0.1}
+format=${5-shell}
+
+# Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
+# shellcheck source=/usr/local/hestia/func/main.sh
+source $HESTIA/func/main.sh
+# load config file
+source_conf "$HESTIA/conf/hestia.conf"
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
+time_n_date=$(date +'%T %F')
+time=$(echo "$time_n_date" |cut -f 1 -d \ )
+date=$(echo "$time_n_date" |cut -f 2 -d \ )
+
+# JSON list function
+json_list() {
+    echo -n '{"USER": "'$user'"';
+
+    if [[ -n "$user_arg_pos" ]]; then
+        echo -n ', "USER_ARG_POSITION": '$user_arg_pos''
+    fi
+
+    echo '}'
+}
+
+# SHELL list function
+shell_list() {
+    echo "USER:               $user"
+    if [[ -n "$user_arg_pos" ]]; then
+        echo "USER_ARG_POSITION:  $user_arg_pos"
+    fi
+}
+
+# Callback to intercept invalid result validation
+abort_missmatch() {
+    echo "Error: $2"
+    echo "$date $time ${access_key_id:-api} $ip failed to login" >> $HESTIA/log/auth.log
+
+    # Add a log for user
+    if [[ "$1" == "$E_PASSWORD" && -n "$user" ]]; then
+        log_history "[$ip] $access_key_id $2" "Error" "$user" "API"
+    fi
+
+    if [[ "$1" == "$E_FORBIDEN" ]]; then
+        exit "$1"
+    fi
+
+    exit "$E_PASSWORD"
+}
+
+#----------------------------------------------------------#
+#                    Verifications                         #
+#----------------------------------------------------------#
+
+# Add a callback to intercept invalid "check_result" results
+CHECK_RESULT_CALLBACK="abort_missmatch"
+
+check_args '3' "$#" 'ACCESS_KEY_ID SECRET_ACCESS_KEY COMMAND [IP] [FORMAT]'
+is_format_valid 'access_key_id'
+is_object_valid 'key' 'KEY' "$access_key_id"
+is_format_valid 'secret_access_key'
+check_access_key_secret "$access_key_id" "$secret_access_key" user
+check_access_key_cmd "$access_key_id" "$hst_command" user_arg_pos
+
+# Check if key owner is active
+is_format_valid 'user'
+is_object_valid 'user' 'USER' "$user"
+export USER_DATA=$HESTIA/data/users/$user
+is_object_unsuspended 'user' 'USER' "$user"
+
+# Remove the check_result callback
+CHECK_RESULT_CALLBACK=""
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+# Listing data
+case $format in
+    json)   json_list ;;
+    shell)  shell_list ;;
+esac
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+# Logging
+log_history "[$ip] Access key $access_key_id successfully launched with command $hst_command" "Info" "$user" "API"
+echo "$date $time $access_key_id $ip $hst_command successfully launched" >> $HESTIA/log/auth.log
+
+exit

bin/v-delete-access-key

@@ -0,0 +1,57 @@
+#!/bin/bash
+# info: delete access key
+# options: ACCESS_KEY_ID
+#
+# example: v-delete-access-key mykey
+#
+# This function removes a key from in $HESTIA/data/access-keys/
+
+#----------------------------------------------------------#
+#                Variables & Functions                     #
+#----------------------------------------------------------#
+
+# Includes
+# shellcheck source=/etc/hestiacp/hestia.conf
+source /etc/hestiacp/hestia.conf
+# shellcheck source=/usr/local/hestia/func/main.sh
+source $HESTIA/func/main.sh
+# load config file
+source_conf "$HESTIA/conf/hestia.conf"
+
+#----------------------------------------------------------#
+#                Variables & Functions                     #
+#----------------------------------------------------------#
+
+access_key_id=$1
+
+check_args '1' "$#" "ACCESS_KEY_ID"
+is_format_valid 'access_key_id'
+is_object_valid 'key' 'KEY' "$access_key_id"
+
+# Perform verification if read-only mode is enabled
+check_hestia_demo_mode
+
+#----------------------------------------------------------#
+#                       Action                             #
+#----------------------------------------------------------#
+
+if [ ! -d "$HESTIA/data/access-keys/" ]; then
+  exit "$E_NOTEXIST"
+fi
+
+if [[ -e "${HESTIA}/data/access-keys/${access_key_id}" ]]; then
+    source_conf "${HESTIA}/data/access-keys/${access_key_id}"
+    rm "${HESTIA}/data/access-keys/${access_key_id}"
+else
+    exit "$E_NOTEXIST"
+fi
+
+#----------------------------------------------------------#
+#                       Hestia                             #
+#----------------------------------------------------------#
+
+# Logging
+log_history "Access key $access_key_id deleted" "Info" "$USER" "API"
+log_event "$OK" "$ARGUMENTS"
+
+exit