git.proxmox.com Git - pve-firewall.git/blame - src/PVE/API2/Firewall/Cluster.pm
implement API for cluster.fw policy_in and policy_out options
b4366f00
DM
1package PVE::API2::Firewall::Cluster;
2
3use strict;
4use warnings;
1df4ba7e 5use PVE::Exception qw(raise raise_param_exc raise_perm_exc);
b4366f00
DM
6use PVE::JSONSchema qw(get_standard_option);
7
8use PVE::Firewall;
86791289 9use PVE::API2::Firewall::Rules;
b4366f00 10use PVE::API2::Firewall::Groups;
009ee3ac 11use PVE::API2::Firewall::IPSet;
b4366f00 12
1df4ba7e
DM
13#fixme: locking?
14
b4366f00
DM
15use Data::Dumper; # fixme: remove
16
17use base qw(PVE::RESTHandler);
18
# Register PVE::API2::Firewall::Groups as the handler class for the
# 'groups' path segment. No permissions are declared at this level, so any
# access control for that subtree has to come from the subclass itself.
__PACKAGE__->register_method({
    path     => 'groups',
    subclass => 'PVE::API2::Firewall::Groups',
});
23
86791289
DM
# Register PVE::API2::Firewall::ClusterRules as the handler class for the
# 'rules' path segment. No permissions are declared at this level.
# NOTE(review): the package name differs from the module loaded above
# (PVE::API2::Firewall::Rules); presumably that module defines it - confirm.
__PACKAGE__->register_method({
    path     => 'rules',
    subclass => 'PVE::API2::Firewall::ClusterRules',
});
28
c85c87f9
DM
# Register PVE::API2::Firewall::ClusterIPSetList as the handler class for
# the 'ipset' path segment. No permissions are declared at this level.
# NOTE(review): presumably defined in PVE::API2::Firewall::IPSet - confirm.
__PACKAGE__->register_method({
    path     => 'ipset',
    subclass => 'PVE::API2::Firewall::ClusterIPSetList',
});
33
b4366f00
DM
# GET '' - static directory index of the cluster firewall API.
#
# This is the only method in the file that declares a permissions entry
# (user => 'all'). The handler ignores its parameters and returns a fixed
# list of child names, so it exposes no firewall configuration.
__PACKAGE__->register_method({
    name        => 'index',
    path        => '',
    method      => 'GET',
    description => "Directory index.",
    permissions => { user => 'all' },
    parameters  => {
        additionalProperties => 0,
    },
    returns => {
        type  => 'array',
        items => {
            type       => "object",
            properties => {},
        },
        links => [ { rel => 'child', href => "{name}" } ],
    },
    code => sub {
        my ($param) = @_;

        # Child entries, in the order the API has always listed them.
        my @children = qw(rules options groups ipset macros);

        return [ map { +{ name => $_ } } @children ];
    }});
1df4ba7e 64
271f287b
DM
# Schema of the cluster-wide firewall options. The key set of this hash is
# also used as the allow-list of option names that set_options may write
# or delete, so adding a key here makes it settable through the API.
my $option_properties = {
    enable => {
        type     => 'boolean',
        optional => 1,
    },
    # Default policy for incoming traffic; restricted to the three enum values.
    policy_in => {
        description => "Input policy.",
        type        => 'string',
        optional    => 1,
        enum        => [qw(ACCEPT REJECT DROP)],
    },
    # Default policy for outgoing traffic; same value set as policy_in.
    policy_out => {
        description => "Output policy.",
        type        => 'string',
        optional    => 1,
        enum        => [qw(ACCEPT REJECT DROP)],
    },
};
83
# Merge the shared option schema into a caller-supplied properties hash.
#
# The hash is modified in place and also returned. Entries are copied by
# reference (shallow), and a caller key named like one of the options is
# overwritten by the shared definition.
my $add_option_properties = sub {
    my ($properties) = @_;

    $properties->{$_} = $option_properties->{$_}
        for keys %$option_properties;

    return $properties;
};
93
94
1df4ba7e
DM
# GET 'options' - return the cluster firewall options.
#
# NOTE(review): no permissions entry is declared for this method. Whether
# the REST framework then denies or allows non-root callers is not visible
# in this file - confirm the default before relying on it, since the
# response discloses the cluster's enable flag and default policies.
__PACKAGE__->register_method({
    name        => 'get_options',
    path        => 'options',
    method      => 'GET',
    description => "Get Firewall options.",
    parameters  => {
        additionalProperties => 0,
    },
    returns => {
        type => "object",
        #additionalProperties => 1,
        properties => $option_properties,
    },
    code => sub {
        my ($param) = @_;

        my $conf = PVE::Firewall::load_clusterfw_conf();

        # Returned directly so the helper keeps the caller's context.
        # NOTE(review): judging by its name the helper adds a digest to the
        # copy, a key the returns schema above does not list - confirm.
        return PVE::Firewall::copy_opject_with_digest($conf->{options});
    }});
115
1df4ba7e
DM
116
# PUT 'options' - change or delete cluster firewall options.
#
# Security-relevant points for maintainers:
#  - No permissions entry is declared. NOTE(review): confirm how the REST
#    framework treats that for a protected => 1 method; this call can
#    switch the cluster firewall off or set both default policies to ACCEPT.
#  - The sequence is load -> digest check -> modify -> save with no lock
#    taken in this handler (the file itself carries a "fixme: locking?").
#    The digest check only detects changes made before the load; two
#    overlapping requests can both pass it and the later save wins.
#    NOTE(review): unless save_clusterfw_conf locks internally - confirm.
#  - PVE::Tools is called fully qualified, but this file has no
#    'use PVE::Tools;' of its own and relies on another module loading it.
__PACKAGE__->register_method({
    name        => 'set_options',
    path        => 'options',
    method      => 'PUT',
    description => "Set Firewall options.",
    protected   => 1,
    parameters  => {
        additionalProperties => 0,
        properties => $add_option_properties->({
            delete => {
                type => 'string', format => 'pve-configid-list',
                description => "A list of settings you want to delete.",
                optional => 1,
            },
            digest => get_standard_option('pve-config-digest'),
        }),
    },
    returns => { type => "null" },
    code => sub {
        my ($param) = @_;

        my $conf = PVE::Firewall::load_clusterfw_conf();

        # Optimistic concurrency: compare the client's digest with the
        # digest of the options as just loaded.
        my (undef, $current_digest) =
            PVE::Firewall::copy_opject_with_digest($conf->{options});
        PVE::Tools::assert_if_modified($current_digest, $param->{digest});

        if ($param->{delete}) {
            for my $name (PVE::Tools::split_list($param->{delete})) {
                # Only names present in the option schema may be deleted;
                # anything else (including 'delete' and 'digest') is rejected.
                if (!$option_properties->{$name}) {
                    raise_param_exc({ delete => "no such option '$name'" });
                }
                delete $conf->{options}->{$name};
            }
        }

        # Normalise the boolean to 0/1 before it is stored.
        if (defined($param->{enable})) {
            $param->{enable} = $param->{enable} ? 1 : 0;
        }

        # Values are applied after deletions, so an option that is named in
        # 'delete' and also passed as a value ends up set.
        for my $name (keys %$option_properties) {
            my $value = $param->{$name};
            next if !defined($value);
            $conf->{options}->{$name} = $value;
        }

        PVE::Firewall::save_clusterfw_conf($conf);

        return undef;
    }});
ebd54ae9
DM
164
# GET 'macros' - list the firewall macros known to PVE::Firewall.
#
# NOTE(review): no permissions entry is declared for this method; confirm
# the REST framework's default for that case. The handler reads no request
# parameters and returns only macro names and descriptions.
__PACKAGE__->register_method({
    name        => 'get_macros',
    path        => 'macros',
    method      => 'GET',
    description => "List available macros",
    parameters  => {
        additionalProperties => 0,
    },
    returns => {
        type  => 'array',
        items => {
            type       => "object",
            properties => {
                macro => {
                    description => "Macro name.",
                    type        => 'string',
                },
                descr => {
                    description => "More verbose description (if available).",
                    type        => 'string',
                }
            },
        },
    },
    code => sub {
        my ($param) = @_;

        my ($macros, $descr) = PVE::Firewall::get_macros();

        # One entry per macro, in hash iteration order (not sorted). When no
        # description is available the macro name is used in its place.
        return [
            map { +{ macro => $_, descr => $descr->{$_} || $_ } }
                keys %$macros
        ];
    }});
202
2031;