add PMG::API2::DestinationTLSPolicy

to handle /etc/pmg/tls_policy via API, using PMG::API2::Transport
as base/inspiration.

This enables PMG to enforce TLS on a per-domain basis.
See http://www.postfix.org/postconf.5.html#smtp_tls_policy_maps and
http://www.postfix.org/TLS_README.html#client_tls_policy for reference.

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>

diff --git a/Makefile b/Makefile
index 4346e370ecb9222619987849d1ab1a0e9df8c877..53d97fd74ef65145163c55cf63166fc9a5190e0d 100644 (file)
--- a/Makefile
+++ b/Makefile
@@ -123,6 +123,7 @@ LIBSOURCES =                                \
        PMG/API2/Services.pm            \
        PMG/API2/Tasks.pm               \
        PMG/API2/LDAP.pm                \
+       PMG/API2/DestinationTLSPolicy.pm\
        PMG/API2/Domains.pm             \
        PMG/API2/Fetchmail.pm           \
        PMG/API2/Users.pm               \

diff --git a/PMG/API2/Config.pm b/PMG/API2/Config.pm
index e0bf2c16ec16fba3c51933124d3c350ec981b717..3b688faafbdbd41b4ab50073ca5e0f3e01908600 100644 (file)
--- a/PMG/API2/Config.pm
+++ b/PMG/API2/Config.pm
@@ -22,6 +22,7 @@ use PMG::API2::MyNetworks;
 use PMG::API2::SMTPWhitelist;
 use PMG::API2::MimeTypes;
 use PMG::API2::Fetchmail;
+use PMG::API2::DestinationTLSPolicy;
 
 use base qw(PVE::RESTHandler);
 
@@ -75,6 +76,11 @@ __PACKAGE__->register_method ({
     path => 'mimetypes',
 });
 
+__PACKAGE__->register_method ({
+    subclass => "PMG::API2::DestinationTLSPolicy",
+    path => 'tlspolicy',
+});
+
 __PACKAGE__->register_method ({
     name => 'index', 
     path => '',
@@ -111,6 +117,7 @@ __PACKAGE__->register_method ({
        push @$res, { section => 'transport' };
        push @$res, { section => 'whitelist' };
        push @$res, { section => 'regextest' };
+       push @$res, { section => 'tlspolicy' };
 
        return $res;
     }});

diff --git a/PMG/API2/DestinationTLSPolicy.pm b/PMG/API2/DestinationTLSPolicy.pm
new file mode 100644 (file)
index 0000000..4c1ab56
--- /dev/null
+++ b/PMG/API2/DestinationTLSPolicy.pm
@@ -0,0 +1,214 @@
+package PMG::API2::DestinationTLSPolicy;
+
+use strict;
+use warnings;
+
+use PVE::RESTHandler;
+use PVE::INotify;
+use PVE::Exception qw(raise_param_exc);
+
+use PMG::Config;
+
+use base qw(PVE::RESTHandler);
+
+__PACKAGE__->register_method ({
+    name => 'index',
+    path => '',
+    method => 'GET',
+    description => "List tls_policy entries.",
+    proxyto => 'master',
+    permissions => { check => [ 'admin', 'audit' ] },
+    parameters => {
+       additionalProperties => 0,
+       properties => {},
+    },
+    returns => {
+       type => 'array',
+       items => {
+           type => 'object',
+           properties => {
+               domain => { type => 'string', format => 'transport-domain'},
+               policy => { type => 'string', format => 'tls-policy'},
+           },
+       },
+       links => [ { rel => 'child', href => "{domain}" } ],
+    },
+    code => sub {
+       my ($param) = @_;
+
+       my $res = [];
+
+       my $policies = PVE::INotify::read_file('tls_policy');
+       foreach my $policy (sort keys %$policies) {
+           push @$res, $policies->{$policy};
+       }
+
+       return $res;
+    }});
+
+__PACKAGE__->register_method ({
+    name => 'create',
+    path => '',
+    method => 'POST',
+    proxyto => 'master',
+    protected => 1,
+    permissions => { check => [ 'admin' ] },
+    description => "Add tls_policy entry.",
+    parameters => {
+       additionalProperties => 0,
+       properties => {
+           domain => {
+               description => "Domain name.",
+               type => 'string', format => 'transport-domain',
+           },
+           policy => {
+               description => "TLS policy",
+               type => 'string', format => 'tls-policy',
+           },
+       },
+    },
+    returns => { type => 'null' },
+    code => sub {
+       my ($param) = @_;
+       my $domain = $param->{domain};
+
+       my $code = sub {
+           my $tls_policy = PVE::INotify::read_file('tls_policy');
+           raise_param_exc({ domain => "DestinationTLSPolicy entry for '$domain' already exists" })
+               if $tls_policy->{$domain};
+
+           $tls_policy->{$domain} = {
+               domain => $domain,
+               policy => $param->{policy},
+           };
+
+           PVE::INotify::write_file('tls_policy', $tls_policy);
+           PMG::Config::postmap_tls_policy();
+       };
+
+       PMG::Config::lock_config($code, "add tls_policy entry failed");
+
+       return undef;
+    }});
+
+__PACKAGE__->register_method ({
+    name => 'read',
+    path => '{domain}',
+    method => 'GET',
+    description => "Read tls_policy entry.",
+    proxyto => 'master',
+    permissions => { check => [ 'admin', 'audit' ] },
+    parameters => {
+       additionalProperties => 0,
+       properties => {
+           domain => {
+               description => "Domain name.",
+               type => 'string', format => 'transport-domain',
+           },
+       },
+    },
+    returns => {
+       type => "object",
+       properties => {
+           domain => { type => 'string', format => 'transport-domain'},
+           policy => { type => 'string', format => 'tls-policy'},
+       },
+    },
+    code => sub {
+       my ($param) = @_;
+       my $domain = $param->{domain};
+
+       my $tls_policy = PVE::INotify::read_file('tls_policy');
+
+       if (my $entry = $tls_policy->{$domain}) {
+           return $entry;
+       }
+
+       raise_param_exc({ domain => "DestinationTLSPolicy entry for '$domain' does not exist" });
+    }});
+
+__PACKAGE__->register_method ({
+    name => 'write',
+    path => '{domain}',
+    method => 'PUT',
+    description => "Update tls_policy entry.",
+    protected => 1,
+    permissions => { check => [ 'admin' ] },
+    proxyto => 'master',
+    parameters => {
+       additionalProperties => 0,
+       properties => {
+           domain => {
+               description => "Domain name.",
+               type => 'string', format => 'transport-domain',
+           },
+           policy => {
+               description => "TLS policy",
+               type => 'string', format => 'tls-policy',
+           },
+       },
+    },
+    returns => { type => 'null' },
+    code => sub {
+       my ($param) = @_;
+       my $domain = $param->{domain};
+       my $policy = $param->{policy};
+
+       my $code = sub {
+
+           my $tls_policy = PVE::INotify::read_file('tls_policy');
+
+           raise_param_exc({ domain => "DestinationTLSPolicy entry for '$domain' does not exist" })
+               if !$tls_policy->{$domain};
+
+           $tls_policy->{$domain}->{policy} = $policy;
+
+           PVE::INotify::write_file('tls_policy', $tls_policy);
+           PMG::Config::postmap_tls_policy();
+       };
+
+       PMG::Config::lock_config($code, "update tls_policy entry failed");
+
+       return undef;
+    }});
+
+__PACKAGE__->register_method ({
+    name => 'delete',
+    path => '{domain}',
+    method => 'DELETE',
+    description => "Delete a tls_policy entry",
+    protected => 1,
+    permissions => { check => [ 'admin' ] },
+    proxyto => 'master',
+    parameters => {
+       additionalProperties => 0,
+       properties => {
+           domain => {
+               description => "Domain name.",
+               type => 'string', format => 'transport-domain',
+           },
+       }
+    },
+    returns => { type => 'null' },
+    code => sub {
+       my ($param) = @_;
+       my $domain = $param->{domain};
+
+       my $code = sub {
+           my $tls_policy = PVE::INotify::read_file('tls_policy');
+
+           raise_param_exc({ domain => "DestinationTLSPolicy entry for '$domain' does not exist" })
+               if !$tls_policy->{$domain};
+
+           delete $tls_policy->{$domain};
+
+           PVE::INotify::write_file('tls_policy', $tls_policy);
+           PMG::Config::postmap_tls_policy();
+       };
+
+       PMG::Config::lock_config($code, "delete tls_policy entry failed");
+
+       return undef;
+    }});
+
+1;