]> git.proxmox.com Git - pve-firewall.git/blame - src/PVE/API2/Firewall/Cluster.pm
remove useless unused Data::Dumper uses
1package PVE::API2::Firewall::Cluster;
2
3use strict;
4use warnings;
1df4ba7e 5use PVE::Exception qw(raise raise_param_exc raise_perm_exc);
b4366f00
DM
6use PVE::JSONSchema qw(get_standard_option);
7
8use PVE::Firewall;
81d574a7 9use PVE::API2::Firewall::Aliases;
86791289 10use PVE::API2::Firewall::Rules;
b4366f00 11use PVE::API2::Firewall::Groups;
009ee3ac 12use PVE::API2::Firewall::IPSet;
b4366f00 13
1df4ba7e
DM
#fixme: locking? (set_options below loads, edits and saves the cluster firewall config with no lock held)
15
b4366f00
DM
16
17use base qw(PVE::RESTHandler);
18
# Mount the sub-handlers that serve the nested cluster firewall paths.
# Each entry is [ path component => handler package ]; the registration
# order (groups, rules, ipset, aliases) is the same as before.
# NOTE(review): the Cluster* packages are not named in this file's 'use'
# lines; presumably they are declared inside the Rules/IPSet/Aliases
# modules loaded above -- confirm. Access checks for these paths are not
# visible here and have to be reviewed in the handlers themselves.
for my $mount (
    [ groups  => "PVE::API2::Firewall::Groups" ],
    [ rules   => "PVE::API2::Firewall::ClusterRules" ],
    [ ipset   => "PVE::API2::Firewall::ClusterIPSetList" ],
    [ aliases => "PVE::API2::Firewall::ClusterAliases" ],
) {
    my ($subpath, $handler) = @$mount;

    __PACKAGE__->register_method({
        subclass => $handler,
        path => $subpath,
    });
}
38
39
b4366f00
DM
# GET '' : static directory index of the cluster firewall API.
#
# Access: 'user => all' (NOTE(review): presumably any authenticated user;
# confirm against the permission checker). The reply is a fixed list of
# child names and does not read the firewall configuration.
__PACKAGE__->register_method({
    name => 'index',
    path => '',
    method => 'GET',
    permissions => { user => 'all' },
    description => "Directory index.",
    parameters => {
        additionalProperties => 0,
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {},
        },
        links => [ { rel => 'child', href => "{name}" } ],
    },
    code => sub {
        my ($param) = @_;

        # One { name => ... } entry per child path, in the listed order.
        # The leading '+' makes Perl parse the braces as an anonymous hash
        # rather than a block.
        return [
            map { +{ name => $_ } }
                qw(aliases rules options groups ipset macros refs)
        ];
    }});
1df4ba7e 72
# Schema of the cluster-wide firewall options. It is used below as the
# return schema of get_options, as the accepted parameter set of
# set_options, and as the allow-list of names that set_options may delete.
my $option_properties = $PVE::Firewall::cluster_option_properties;

# Copy every cluster option schema entry into the given property hash.
# The hash is modified in place and also returned; an entry that shares a
# key with a cluster option is overwritten by the option's schema.
my $add_option_properties = sub {
    my ($properties) = @_;

    $properties->{$_} = $option_properties->{$_}
        for keys %$option_properties;

    return $properties;
};
84
85
1df4ba7e
DM
# GET /options : return the cluster-wide firewall options.
#
# Access: needs 'Sys.Audit' on '/'.
# The options are passed through copy_opject_with_digest(); set_options
# takes a digest from the same helper and compares it with the caller's
# 'digest' parameter, so a client can send back what it read here.
__PACKAGE__->register_method({
    name => 'get_options',
    path => 'options',
    method => 'GET',
    description => "Get Firewall options.",
    permissions => {
        check => ['perm', '/', [ 'Sys.Audit' ]],
    },
    parameters => {
        additionalProperties => 0,
    },
    returns => {
        type => "object",
        #additionalProperties => 1,
        properties => $option_properties,
    },
    code => sub {
        my ($param) = @_;

        my $fw_conf = PVE::Firewall::load_clusterfw_conf();
        my $options = $fw_conf->{options};

        return PVE::Firewall::copy_opject_with_digest($options);
    }});
109
1df4ba7e
DM
110
# PUT /options : change or delete cluster-wide firewall options.
#
# Access: needs 'Sys.Modify' on '/'. The method is flagged 'protected'
# (NOTE(review): presumably this makes the REST layer run it in the
# privileged daemon -- confirm against PVE::RESTHandler).
#
# Flow: load the cluster firewall config, compare the caller's 'digest'
# with the digest of the current options, apply deletes, apply the
# supplied option values, save. Nothing is written if an exception is
# raised before save_clusterfw_conf().
#
# NOTE(review): no lock is held across load / modify / save. Two
# concurrent writers can both pass the digest comparison and the later
# save then wins; the file-level "fixme: locking?" is still open here.
# NOTE(review): what assert_if_modified() does when the caller sends no
# digest is not visible in this file -- confirm.
__PACKAGE__->register_method({
    name => 'set_options',
    path => 'options',
    method => 'PUT',
    description => "Set Firewall options.",
    protected => 1,
    permissions => {
        check => ['perm', '/', [ 'Sys.Modify' ]],
    },
    parameters => {
        additionalProperties => 0,
        properties => $add_option_properties->({
            delete => {
                type => 'string', format => 'pve-configid-list',
                description => "A list of settings you want to delete.",
                optional => 1,
            },
            digest => get_standard_option('pve-config-digest'),
        }),
    },
    returns => { type => "null" },
    code => sub {
        my ($param) = @_;

        my $cluster_conf = PVE::Firewall::load_clusterfw_conf();

        # Refuse to continue if the options changed since the caller
        # read them (optimistic concurrency check, not a lock).
        my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
        PVE::Tools::assert_if_modified($digest, $param->{digest});

        if ($param->{delete}) {
            for my $opt (PVE::Tools::split_list($param->{delete})) {
                # Only names present in the option schema may be deleted;
                # anything else is reported as a parameter error.
                if (!$option_properties->{$opt}) {
                    raise_param_exc({ delete => "no such option '$opt'" });
                }
                delete $cluster_conf->{options}->{$opt};
            }
        }

        # An 'enable' value above 1 is not stored as given: it is replaced
        # by the current epoch time.
        if (defined($param->{enable}) && ($param->{enable} > 1)) {
            $param->{enable} = time();
        }

        # Copy over only the schema-known options that were supplied.
        # This runs after the delete pass, so a key named in both 'delete'
        # and the parameters ends up set.
        my @supplied = grep { defined($param->{$_}) } keys %$option_properties;
        for my $key (@supplied) {
            $cluster_conf->{options}->{$key} = $param->{$key};
        }

        PVE::Firewall::save_clusterfw_conf($cluster_conf);

        # instant firewall update when using double (anti-lockout) API call
        # -> not waiting for a firewall update at the first (timestamp enable) set
        # The value tested here is the timestamp written above.
        if (defined($param->{enable}) && ($param->{enable} > 1)) {
            PVE::Firewall::update();
        }

        return undef;
    }});
ebd54ae9
DM
167
# GET /macros : list the firewall macros known to PVE::Firewall.
#
# Access: 'user => all' (NOTE(review): presumably any authenticated user;
# confirm against the permission checker). The reply is built only from
# PVE::Firewall::get_macros(); the cluster config is not read.
__PACKAGE__->register_method({
    name => 'get_macros',
    path => 'macros',
    method => 'GET',
    description => "List available macros",
    permissions => { user => 'all' },
    parameters => {
        additionalProperties => 0,
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                macro => {
                    description => "Macro name.",
                    type => 'string',
                },
                descr => {
                    description => "More verbose description (if available).",
                    type => 'string',
                }
            },
        },
    },
    code => sub {
        my ($param) = @_;

        my ($macros, $descr) = PVE::Firewall::get_macros();

        # One entry per macro; the macro name doubles as the description
        # when no (true) description is available. Entries follow the
        # hash's key order, so the list order is not fixed.
        return [
            map { +{ macro => $_, descr => $descr->{$_} || $_ } }
                keys %$macros
        ];
    }});
206
947d6ea2
DM
# GET /refs : list the IPSet and alias names defined in the cluster
# firewall config, in the form used to reference them.
#
# Access: needs 'Sys.Audit' on '/'. The reply exposes the names and
# comments of all cluster-level IPSets and aliases.
# The optional 'type' parameter ('alias' or 'ipset') limits the listing to
# one kind; without it both kinds are returned, IPSets first.
__PACKAGE__->register_method({
    name => 'refs',
    path => 'refs',
    method => 'GET',
    description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
    permissions => {
        check => ['perm', '/', [ 'Sys.Audit' ]],
    },
    parameters => {
        additionalProperties => 0,
        properties => {
            type => {
                description => "Only list references of specified type.",
                type => 'string',
                enum => ['alias', 'ipset'],
                optional => 1,
            },
        },
    },
    returns => {
        type => 'array',
        items => {
            type => "object",
            properties => {
                type => {
                    type => 'string',
                    enum => ['alias', 'ipset'],
                },
                name => {
                    type => 'string',
                },
                ref => {
                    type => 'string',
                },
                comment => {
                    type => 'string',
                    optional => 1,
                },
            },
        },
    },
    code => sub {
        my ($param) = @_;

        my $conf = PVE::Firewall::load_clusterfw_conf();
        my $wanted = $param->{type};

        my $res = [];

        if (!$wanted || $wanted eq 'ipset') {
            for my $name (keys %{$conf->{ipset}}) {
                # IPSets are referenced with a leading '+'.
                my $entry = {
                    type => 'ipset',
                    name => $name,
                    ref => "+$name",
                };
                # IPSet comments are kept in a separate hash keyed by name.
                my $comment = $conf->{ipset_comments}->{$name};
                $entry->{comment} = $comment if $comment;
                push @$res, $entry;
            }
        }

        if (!$wanted || $wanted eq 'alias') {
            for my $name (keys %{$conf->{aliases}}) {
                my $alias = $conf->{aliases}->{$name};
                # Aliases are referenced by their bare name.
                my $entry = {
                    type => 'alias',
                    name => $name,
                    ref => $name,
                };
                if (my $comment = $alias->{comment}) {
                    $entry->{comment} = $comment;
                }
                push @$res, $entry;
            }
        }

        return $res;
    }});
284
ebd54ae9 2851;