[pve-firewall.git] / src / PVE / API2 / Firewall / Cluster.pm

package PVE::API2::Firewall::Cluster;

use strict;
use warnings;
use PVE::Exception qw(raise raise_param_exc raise_perm_exc);
use PVE::JSONSchema qw(get_standard_option);

use PVE::Firewall;
use PVE::API2::Firewall::Aliases;
use PVE::API2::Firewall::Rules;
use PVE::API2::Firewall::Groups;
use PVE::API2::Firewall::IPSet;

#fixme: locking?

use Data::Dumper; # fixme: remove

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::Groups",
    path => 'groups',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::ClusterRules",
    path => 'rules',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::ClusterIPSetList",
    path => 'ipset',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::ClusterAliases",
    path => 'aliases',
});


__PACKAGE__->register_method({
    name => 'index',
    path => '',
    method => 'GET',
    permissions => { user => 'all' },
    description => "Directory index.",
    parameters => {
    	additionalProperties => 0,
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {},
	},
	links => [ { rel => 'child', href => "{name}" } ],
    },
    code => sub {
	my ($param) = @_;

	my $result = [
	    { name => 'aliases' },
	    { name => 'rules' },
	    { name => 'options' },
	    { name => 'groups' },
	    { name => 'ipset' },
	    { name => 'macros' },
	    { name => 'refs' },
	    ];

	return $result;
    }});

my $option_properties = $PVE::Firewall::cluster_option_properties;

my $add_option_properties = sub {
    my ($properties) = @_;

    foreach my $k (keys %$option_properties) {
	$properties->{$k} = $option_properties->{$k};
    }

    return $properties;
};


__PACKAGE__->register_method({
    name => 'get_options',
    path => 'options',
    method => 'GET',
    description => "Get Firewall options.",
    permissions => {
	check => ['perm', '/', [ 'Sys.Audit' ]],
    },
    parameters => {
    	additionalProperties => 0,
    },
    returns => {
	type => "object",
    	#additionalProperties => 1,
	properties => $option_properties,
    },
    code => sub {
	my ($param) = @_;

	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();

	return PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
    }});


__PACKAGE__->register_method({
    name => 'set_options',
    path => 'options',
    method => 'PUT',
    description => "Set Firewall options.",
    protected => 1,
    permissions => {
	check => ['perm', '/', [ 'Sys.Modify' ]],
    },
    parameters => {
    	additionalProperties => 0,
	properties => &$add_option_properties({
	    delete => {
		type => 'string', format => 'pve-configid-list',
		description => "A list of settings you want to delete.",
		optional => 1,
	    },
	    digest => get_standard_option('pve-config-digest'),
	}),
    },
    returns => { type => "null" },
    code => sub {
	my ($param) = @_;

	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();

	my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
	PVE::Tools::assert_if_modified($digest, $param->{digest});

	if ($param->{delete}) {
	    foreach my $opt (PVE::Tools::split_list($param->{delete})) {
		raise_param_exc({ delete => "no such option '$opt'" })
		    if !$option_properties->{$opt};
		delete $cluster_conf->{options}->{$opt};
	    }
	}

	if (defined($param->{enable}) && ($param->{enable} > 1)) {
	    $param->{enable} = time();
	}

	foreach my $k (keys %$option_properties) {
	    next if !defined($param->{$k});
	    $cluster_conf->{options}->{$k} = $param->{$k};
	}

	PVE::Firewall::save_clusterfw_conf($cluster_conf);

	# instant firewall update when using double (anti-lockout) API call
	# -> not waiting for a firewall update at the first (timestamp enable) set
	if (defined($param->{enable}) && ($param->{enable} > 1)) {
	    PVE::Firewall::update();
	}

	return undef;
    }});

__PACKAGE__->register_method({
    name => 'get_macros',
    path => 'macros',
    method => 'GET',
    description => "List available macros",
    permissions => { user => 'all' },
    parameters => {
    	additionalProperties => 0,
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		macro => {
		    description => "Macro name.",
		    type => 'string',
		},
		descr => {
		    description => "More verbose description (if available).",
		    type => 'string',
		}
	    },
	},
    },
    code => sub {
	my ($param) = @_;

	my $res = [];

	my ($macros, $descr) = PVE::Firewall::get_macros();

	foreach my $macro (keys %$macros) {
	    push @$res, { macro => $macro, descr => $descr->{$macro} || $macro };
	}

	return $res;
    }});

__PACKAGE__->register_method({
    name => 'refs',
    path => 'refs',
    method => 'GET',
    description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
    permissions => {
	check => ['perm', '/', [ 'Sys.Audit' ]],
    },
    parameters => {
	additionalProperties => 0,
	properties => {
	    type => {
		description => "Only list references of specified type.",
		type => 'string',
		enum => ['alias', 'ipset'],
		optional => 1,
	    },
	},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		type => {
		    type => 'string',
		    enum => ['alias', 'ipset'],
		},
		name => {
		    type => 'string',
		},
		ref => {
		    type => 'string',
		},
		comment => {
		    type => 'string',
		    optional => 1,
		},
	    },
	},
    },
    code => sub {
	my ($param) = @_;

	my $conf = PVE::Firewall::load_clusterfw_conf();

	my $res = [];

	if (!$param->{type} || $param->{type} eq 'ipset') {
	    foreach my $name (keys %{$conf->{ipset}}) {
		my $data = {
		    type => 'ipset',
		    name => $name,
		    ref => "+$name",
		};
		if (my $comment = $conf->{ipset_comments}->{$name}) {
		    $data->{comment} = $comment;
		}
		push @$res, $data;
	    }
	}

	if (!$param->{type} || $param->{type} eq 'alias') {
	    foreach my $name (keys %{$conf->{aliases}}) {
		my $e = $conf->{aliases}->{$name};
		my $data = {
		    type => 'alias',
		    name => $name,
		    ref => $name,
		};
		$data->{comment} = $e->{comment} if $e->{comment};
		push @$res, $data;
	    }
	}

	return $res;
    }});

1;
Commit	Line	Data
b4366f00 DM	1	package PVE::API2::Firewall::Cluster;
	2
	3	use strict;
	4	use warnings;
1df4ba7e	5	use PVE::Exception qw(raise raise_param_exc raise_perm_exc);
b4366f00 DM	6	use PVE::JSONSchema qw(get_standard_option);
	7
	8	use PVE::Firewall;
81d574a7	9	use PVE::API2::Firewall::Aliases;
86791289	10	use PVE::API2::Firewall::Rules;
b4366f00	11	use PVE::API2::Firewall::Groups;
009ee3ac	12	use PVE::API2::Firewall::IPSet;
b4366f00	13
1df4ba7e DM	14	#fixme: locking?
1df4ba7e DM	15
b4366f00 DM	16	use Data::Dumper; # fixme: remove
	17
	18	use base qw(PVE::RESTHandler);
	19
	20	__PACKAGE__->register_method ({
947d6ea2	21	subclass => "PVE::API2::Firewall::Groups",
b4366f00 DM	22	path => 'groups',
	23	});
	24
86791289	25	__PACKAGE__->register_method ({
947d6ea2	26	subclass => "PVE::API2::Firewall::ClusterRules",
86791289 DM	27	path => 'rules',
	28	});
	29
c85c87f9	30	__PACKAGE__->register_method ({
947d6ea2	31	subclass => "PVE::API2::Firewall::ClusterIPSetList",
c85c87f9 DM	32	path => 'ipset',
	33	});
	34
81d574a7	35	__PACKAGE__->register_method ({
947d6ea2	36	subclass => "PVE::API2::Firewall::ClusterAliases",
81d574a7 DM	37	path => 'aliases',
	38	});
	39
	40
b4366f00 DM	41	__PACKAGE__->register_method({
	42	name => 'index',
	43	path => '',
	44	method => 'GET',
	45	permissions => { user => 'all' },
	46	description => "Directory index.",
	47	parameters => {
	48	additionalProperties => 0,
	49	},
	50	returns => {
	51	type => 'array',
	52	items => {
	53	type => "object",
	54	properties => {},
	55	},
	56	links => [ { rel => 'child', href => "{name}" } ],
	57	},
	58	code => sub {
	59	my ($param) = @_;
	60
	61	my $result = [
81d574a7	62	{ name => 'aliases' },
b4366f00 DM	63	{ name => 'rules' },
	64	{ name => 'options' },
	65	{ name => 'groups' },
9d6f90e6	66	{ name => 'ipset' },
ebd54ae9	67	{ name => 'macros' },
947d6ea2	68	{ name => 'refs' },
b4366f00 DM	69	];
	70
	71	return $result;
	72	}});
1df4ba7e	73
e313afe0	74	my $option_properties = $PVE::Firewall::cluster_option_properties;
271f287b DM	75
	76	my $add_option_properties = sub {
	77	my ($properties) = @_;
	78
	79	foreach my $k (keys %$option_properties) {
	80	$properties->{$k} = $option_properties->{$k};
	81	}
947d6ea2	82
271f287b DM	83	return $properties;
	84	};
	85
	86
1df4ba7e DM	87	__PACKAGE__->register_method({
	88	name => 'get_options',
	89	path => 'options',
	90	method => 'GET',
	91	description => "Get Firewall options.",
0ec56841 DM	92	permissions => {
	93	check => ['perm', '/', [ 'Sys.Audit' ]],
	94	},
1df4ba7e DM	95	parameters => {
	96	additionalProperties => 0,
	97	},
	98	returns => {
	99	type => "object",
	100	#additionalProperties => 1,
271f287b	101	properties => $option_properties,
1df4ba7e DM	102	},
	103	code => sub {
	104	my ($param) = @_;
	105
	106	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	107
5d38d64f	108	return PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
1df4ba7e DM	109	}});
1df4ba7e DM	110
1df4ba7e DM	111
	112	__PACKAGE__->register_method({
	113	name => 'set_options',
	114	path => 'options',
	115	method => 'PUT',
	116	description => "Set Firewall options.",
68c90e21	117	protected => 1,
0ec56841 DM	118	permissions => {
	119	check => ['perm', '/', [ 'Sys.Modify' ]],
	120	},
1df4ba7e DM	121	parameters => {
	122	additionalProperties => 0,
	123	properties => &$add_option_properties({
	124	delete => {
	125	type => 'string', format => 'pve-configid-list',
	126	description => "A list of settings you want to delete.",
	127	optional => 1,
	128	},
5d38d64f	129	digest => get_standard_option('pve-config-digest'),
1df4ba7e DM	130	}),
	131	},
	132	returns => { type => "null" },
	133	code => sub {
	134	my ($param) = @_;
	135
	136	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	137
5d38d64f DM	138	my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
	139	PVE::Tools::assert_if_modified($digest, $param->{digest});
	140
1df4ba7e DM	141	if ($param->{delete}) {
1df4ba7e DM	142	foreach my $opt (PVE::Tools::split_list($param->{delete})) {
947d6ea2	143	raise_param_exc({ delete => "no such option '$opt'" })
1df4ba7e DM	144	if !$option_properties->{$opt};
	145	delete $cluster_conf->{options}->{$opt};
	146	}
	147	}
	148
72d055fc AG	149	if (defined($param->{enable}) && ($param->{enable} > 1)) {
72d055fc AG	150	$param->{enable} = time();
271f287b DM	151	}
	152
	153	foreach my $k (keys %$option_properties) {
	154	next if !defined($param->{$k});
947d6ea2	155	$cluster_conf->{options}->{$k} = $param->{$k};
1df4ba7e DM	156	}
1df4ba7e DM	157
1df4ba7e DM	158	PVE::Firewall::save_clusterfw_conf($cluster_conf);
1df4ba7e DM	159
c05492d6 AG	160	# instant firewall update when using double (anti-lockout) API call
	161	# -> not waiting for a firewall update at the first (timestamp enable) set
	162	if (defined($param->{enable}) && ($param->{enable} > 1)) {
	163	PVE::Firewall::update();
	164	}
	165
1df4ba7e DM	166	return undef;
1df4ba7e DM	167	}});
ebd54ae9 DM	168
	169	__PACKAGE__->register_method({
	170	name => 'get_macros',
	171	path => 'macros',
	172	method => 'GET',
	173	description => "List available macros",
0ec56841	174	permissions => { user => 'all' },
ebd54ae9 DM	175	parameters => {
	176	additionalProperties => 0,
	177	},
	178	returns => {
	179	type => 'array',
	180	items => {
	181	type => "object",
	182	properties => {
	183	macro => {
	184	description => "Macro name.",
	185	type => 'string',
	186	},
	187	descr => {
	188	description => "More verbose description (if available).",
	189	type => 'string',
	190	}
	191	},
	192	},
	193	},
	194	code => sub {
	195	my ($param) = @_;
	196
	197	my $res = [];
	198
	199	my ($macros, $descr) = PVE::Firewall::get_macros();
	200
	201	foreach my $macro (keys %$macros) {
	202	push @$res, { macro => $macro, descr => $descr->{$macro} \|\| $macro };
	203	}
	204
	205	return $res;
	206	}});
	207
947d6ea2 DM	208	__PACKAGE__->register_method({
	209	name => 'refs',
	210	path => 'refs',
	211	method => 'GET',
	212	description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
0ec56841 DM	213	permissions => {
	214	check => ['perm', '/', [ 'Sys.Audit' ]],
	215	},
947d6ea2 DM	216	parameters => {
947d6ea2 DM	217	additionalProperties => 0,
f2c0865c DM	218	properties => {
	219	type => {
	220	description => "Only list references of specified type.",
	221	type => 'string',
	222	enum => ['alias', 'ipset'],
	223	optional => 1,
	224	},
	225	},
947d6ea2 DM	226	},
	227	returns => {
	228	type => 'array',
	229	items => {
	230	type => "object",
	231	properties => {
	232	type => {
	233	type => 'string',
	234	enum => ['alias', 'ipset'],
	235	},
	236	name => {
	237	type => 'string',
	238	},
	239	ref => {
	240	type => 'string',
	241	},
	242	comment => {
	243	type => 'string',
	244	optional => 1,
	245	},
	246	},
	247	},
	248	},
	249	code => sub {
	250	my ($param) = @_;
	251
	252	my $conf = PVE::Firewall::load_clusterfw_conf();
	253
	254	my $res = [];
	255
f2c0865c DM	256	if (!$param->{type} \|\| $param->{type} eq 'ipset') {
	257	foreach my $name (keys %{$conf->{ipset}}) {
	258	my $data = {
	259	type => 'ipset',
	260	name => $name,
	261	ref => "+$name",
	262	};
	263	if (my $comment = $conf->{ipset_comments}->{$name}) {
	264	$data->{comment} = $comment;
	265	}
	266	push @$res, $data;
947d6ea2	267	}
947d6ea2 DM	268	}
947d6ea2 DM	269
f2c0865c DM	270	if (!$param->{type} \|\| $param->{type} eq 'alias') {
	271	foreach my $name (keys %{$conf->{aliases}}) {
	272	my $e = $conf->{aliases}->{$name};
	273	my $data = {
	274	type => 'alias',
	275	name => $name,
	276	ref => $name,
	277	};
	278	$data->{comment} = $e->{comment} if $e->{comment};
	279	push @$res, $data;
	280	}
947d6ea2 DM	281	}
	282
	283	return $res;
	284	}});
	285
ebd54ae9	286	1;