security/acme-client: Update ACL.xml fix for issues/5458 #5473
Open
progS1m wants to merge 1 commit into
#5458
Important notices
Before you submit a pull request, we ask you kindly to acknowledge the following:
Model used: Google Gemini
Extent of AI involvement: AI was used as a troubleshooting partner to help trace the OPNsense redirect loop to the missing API endpoint in the ACL.xml file, and to assist in drafting this pull request description. The actual environment testing, code verification, and identification of the missing granular privilege were done manually by me.
Describe the problem
Currently, non-admin users who are granted the Services: ACME Client privilege experience an "access denied" error and a redirect loop when attempting to view the ACME logs via the UI (ui/acmeclient/logs).
This occurs because modern OPNsense versions rely on granular backend API endpoints for logging. While the os-acme-client plugin's ACL.xml successfully grants access to the frontend interface via the ui/acmeclient/* wildcard, it is missing the explicit permission for the backend logging API. Because the API route is unregistered in the ACL, OPNsense's security framework defaults it to admin-only access, causing the log viewer to fail for restricted users.
Describe the proposed solution
This PR adds the missing backend API routing pattern to the plugin's Access Control List (ACL.xml).
By adding api/diagnostics/log/core/acmeclient/* under the existing AcmeClient privilege, users who are granted access to the ACME client will automatically inherit the necessary API permissions to fetch and view the logs. This aligns the plugin with current OPNsense logging architectures (similar to how os-wireguard handles its logging endpoints) and resolves the redirect loop for non-admin users.
Related issue
#5458
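An added example, not part of the pull request or the plugin's code: a small audit script that reports which routes a privilege in an ACL.xml does not cover, run against the ACL before and after the pattern described above is added. The XML is a constructed sample with an assumed element layout, the `EXAMPLE` route suffix is a placeholder, and the wildcard matching is a simplified assumption about how patterns are evaluated.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample; element names are an assumed layout, not the plugin's file.
ACL_BEFORE = """<acl>
  <page-services-acmeclient>
    <name>Services: ACME Client</name>
    <patterns>
      <pattern>ui/acmeclient/*</pattern>
    </patterns>
  </page-services-acmeclient>
</acl>"""

# Same ACL with the backend logging pattern named in the PR description.
ACL_AFTER = ACL_BEFORE.replace(
    "</patterns>",
    "  <pattern>api/diagnostics/log/core/acmeclient/*</pattern>\n    </patterns>",
)

# Routes the log page needs: the UI page from the description plus one
# backend call (the trailing "EXAMPLE" segment is a placeholder).
LOG_VIEW_ROUTES = [
    "ui/acmeclient/logs",
    "api/diagnostics/log/core/acmeclient/EXAMPLE",
]

def load_privileges(acl_xml):
    """Return {privilege name: [patterns]} parsed from an ACL.xml document."""
    privileges = {}
    for node in ET.fromstring(acl_xml):
        name = node.findtext("name", default=node.tag)
        privileges[name] = [p.text.strip() for p in node.iter("pattern") if p.text]
    return privileges

def pattern_matches(pattern, route):
    """Assumption: '*' is the only wildcard and the whole route must match."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, route.lstrip("/")) is not None

def uncovered_routes(acl_xml, privilege, routes):
    """Routes no pattern of the privilege matches (these stay admin-only)."""
    patterns = load_privileges(acl_xml).get(privilege, [])
    return [r for r in routes if not any(pattern_matches(p, r) for p in patterns)]

if __name__ == "__main__":
    for label, acl in (("before", ACL_BEFORE), ("after", ACL_AFTER)):
        missing = uncovered_routes(acl, "Services: ACME Client", LOG_VIEW_ROUTES)
        print(label, "uncovered:", missing or "none")
```
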