[pve-firewall.git] / src / PVE / API2 / Firewall / Cluster.pm

package PVE::API2::Firewall::Cluster;

use strict;
use warnings;
use PVE::Exception qw(raise raise_param_exc raise_perm_exc);
use PVE::JSONSchema qw(get_standard_option);

use PVE::Firewall;
use PVE::API2::Firewall::Aliases;
use PVE::API2::Firewall::Rules;
use PVE::API2::Firewall::Groups;
use PVE::API2::Firewall::IPSet;

#fixme: locking?

use Data::Dumper; # fixme: remove

use base qw(PVE::RESTHandler);

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::Groups",
    path => 'groups',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::ClusterRules",
    path => 'rules',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::ClusterIPSetList",
    path => 'ipset',
});

__PACKAGE__->register_method ({
    subclass => "PVE::API2::Firewall::ClusterAliases",
    path => 'aliases',
});


__PACKAGE__->register_method({
    name => 'index',
    path => '',
    method => 'GET',
    permissions => { user => 'all' },
    description => "Directory index.",
    parameters => {
    	additionalProperties => 0,
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {},
	},
	links => [ { rel => 'child', href => "{name}" } ],
    },
    code => sub {
	my ($param) = @_;

	my $result = [
	    { name => 'aliases' },
	    { name => 'rules' },
	    { name => 'options' },
	    { name => 'groups' },
	    { name => 'ipset' },
	    { name => 'macros' },
	    { name => 'refs' },
	    ];

	return $result;
    }});

my $option_properties = {
    enable => {
	type => 'boolean',
	optional => 1,
    },
    policy_in => {
	description => "Input policy.",
	type => 'string',
	optional => 1,
	enum => ['ACCEPT', 'REJECT', 'DROP'],
    },
    policy_out => {
	description => "Output policy.",
	type => 'string',
	optional => 1,
	enum => ['ACCEPT', 'REJECT', 'DROP'],
    },
};

my $add_option_properties = sub {
    my ($properties) = @_;

    foreach my $k (keys %$option_properties) {
	$properties->{$k} = $option_properties->{$k};
    }

    return $properties;
};


__PACKAGE__->register_method({
    name => 'get_options',
    path => 'options',
    method => 'GET',
    description => "Get Firewall options.",
    permissions => {
	check => ['perm', '/', [ 'Sys.Audit' ]],
    },
    parameters => {
    	additionalProperties => 0,
    },
    returns => {
	type => "object",
    	#additionalProperties => 1,
	properties => $option_properties,
    },
    code => sub {
	my ($param) = @_;

	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();

	return PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
    }});


__PACKAGE__->register_method({
    name => 'set_options',
    path => 'options',
    method => 'PUT',
    description => "Set Firewall options.",
    protected => 1,
    permissions => {
	check => ['perm', '/', [ 'Sys.Modify' ]],
    },
    parameters => {
    	additionalProperties => 0,
	properties => &$add_option_properties({
	    delete => {
		type => 'string', format => 'pve-configid-list',
		description => "A list of settings you want to delete.",
		optional => 1,
	    },
	    digest => get_standard_option('pve-config-digest'),
	}),
    },
    returns => { type => "null" },
    code => sub {
	my ($param) = @_;

	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();

	my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
	PVE::Tools::assert_if_modified($digest, $param->{digest});

	if ($param->{delete}) {
	    foreach my $opt (PVE::Tools::split_list($param->{delete})) {
		raise_param_exc({ delete => "no such option '$opt'" })
		    if !$option_properties->{$opt};
		delete $cluster_conf->{options}->{$opt};
	    }
	}

	if (defined($param->{enable})) {
	    $param->{enable} = $param->{enable} ? 1 : 0;
	}

	foreach my $k (keys %$option_properties) {
	    next if !defined($param->{$k});
	    $cluster_conf->{options}->{$k} = $param->{$k};
	}

	PVE::Firewall::save_clusterfw_conf($cluster_conf);

	return undef;
    }});

__PACKAGE__->register_method({
    name => 'get_macros',
    path => 'macros',
    method => 'GET',
    description => "List available macros",
    permissions => { user => 'all' },
    parameters => {
    	additionalProperties => 0,
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		macro => {
		    description => "Macro name.",
		    type => 'string',
		},
		descr => {
		    description => "More verbose description (if available).",
		    type => 'string',
		}
	    },
	},
    },
    code => sub {
	my ($param) = @_;

	my $res = [];

	my ($macros, $descr) = PVE::Firewall::get_macros();

	foreach my $macro (keys %$macros) {
	    push @$res, { macro => $macro, descr => $descr->{$macro} || $macro };
	}

	return $res;
    }});

__PACKAGE__->register_method({
    name => 'refs',
    path => 'refs',
    method => 'GET',
    description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
    permissions => {
	check => ['perm', '/', [ 'Sys.Audit' ]],
    },
    parameters => {
	additionalProperties => 0,
	properties => {
	    type => {
		description => "Only list references of specified type.",
		type => 'string',
		enum => ['alias', 'ipset'],
		optional => 1,
	    },
	},
    },
    returns => {
	type => 'array',
	items => {
	    type => "object",
	    properties => {
		type => {
		    type => 'string',
		    enum => ['alias', 'ipset'],
		},
		name => {
		    type => 'string',
		},
		ref => {
		    type => 'string',
		},
		comment => {
		    type => 'string',
		    optional => 1,
		},
	    },
	},
    },
    code => sub {
	my ($param) = @_;

	my $conf = PVE::Firewall::load_clusterfw_conf();

	my $res = [];

	if (!$param->{type} || $param->{type} eq 'ipset') {
	    foreach my $name (keys %{$conf->{ipset}}) {
		my $data = {
		    type => 'ipset',
		    name => $name,
		    ref => "+$name",
		};
		if (my $comment = $conf->{ipset_comments}->{$name}) {
		    $data->{comment} = $comment;
		}
		push @$res, $data;
	    }
	}

	if (!$param->{type} || $param->{type} eq 'alias') {
	    foreach my $name (keys %{$conf->{aliases}}) {
		my $e = $conf->{aliases}->{$name};
		my $data = {
		    type => 'alias',
		    name => $name,
		    ref => $name,
		};
		$data->{comment} = $e->{comment} if $e->{comment};
		push @$res, $data;
	    }
	}

	return $res;
    }});

1;
Commit	Line	Data
b4366f00 DM	1	package PVE::API2::Firewall::Cluster;
	2
	3	use strict;
	4	use warnings;
1df4ba7e	5	use PVE::Exception qw(raise raise_param_exc raise_perm_exc);
b4366f00 DM	6	use PVE::JSONSchema qw(get_standard_option);
	7
	8	use PVE::Firewall;
81d574a7	9	use PVE::API2::Firewall::Aliases;
86791289	10	use PVE::API2::Firewall::Rules;
b4366f00	11	use PVE::API2::Firewall::Groups;
009ee3ac	12	use PVE::API2::Firewall::IPSet;
b4366f00	13
1df4ba7e DM	14	#fixme: locking?
1df4ba7e DM	15
b4366f00 DM	16	use Data::Dumper; # fixme: remove
	17
	18	use base qw(PVE::RESTHandler);
	19
	20	__PACKAGE__->register_method ({
947d6ea2	21	subclass => "PVE::API2::Firewall::Groups",
b4366f00 DM	22	path => 'groups',
	23	});
	24
86791289	25	__PACKAGE__->register_method ({
947d6ea2	26	subclass => "PVE::API2::Firewall::ClusterRules",
86791289 DM	27	path => 'rules',
	28	});
	29
c85c87f9	30	__PACKAGE__->register_method ({
947d6ea2	31	subclass => "PVE::API2::Firewall::ClusterIPSetList",
c85c87f9 DM	32	path => 'ipset',
	33	});
	34
81d574a7	35	__PACKAGE__->register_method ({
947d6ea2	36	subclass => "PVE::API2::Firewall::ClusterAliases",
81d574a7 DM	37	path => 'aliases',
	38	});
	39
	40
b4366f00 DM	41	__PACKAGE__->register_method({
	42	name => 'index',
	43	path => '',
	44	method => 'GET',
	45	permissions => { user => 'all' },
	46	description => "Directory index.",
	47	parameters => {
	48	additionalProperties => 0,
	49	},
	50	returns => {
	51	type => 'array',
	52	items => {
	53	type => "object",
	54	properties => {},
	55	},
	56	links => [ { rel => 'child', href => "{name}" } ],
	57	},
	58	code => sub {
	59	my ($param) = @_;
	60
	61	my $result = [
81d574a7	62	{ name => 'aliases' },
b4366f00 DM	63	{ name => 'rules' },
	64	{ name => 'options' },
	65	{ name => 'groups' },
9d6f90e6	66	{ name => 'ipset' },
ebd54ae9	67	{ name => 'macros' },
947d6ea2	68	{ name => 'refs' },
b4366f00 DM	69	];
	70
	71	return $result;
	72	}});
1df4ba7e	73
271f287b DM	74	my $option_properties = {
	75	enable => {
	76	type => 'boolean',
	77	optional => 1,
	78	},
	79	policy_in => {
	80	description => "Input policy.",
	81	type => 'string',
	82	optional => 1,
	83	enum => ['ACCEPT', 'REJECT', 'DROP'],
	84	},
947d6ea2	85	policy_out => {
271f287b DM	86	description => "Output policy.",
	87	type => 'string',
	88	optional => 1,
	89	enum => ['ACCEPT', 'REJECT', 'DROP'],
	90	},
	91	};
	92
	93	my $add_option_properties = sub {
	94	my ($properties) = @_;
	95
	96	foreach my $k (keys %$option_properties) {
	97	$properties->{$k} = $option_properties->{$k};
	98	}
947d6ea2	99
271f287b DM	100	return $properties;
	101	};
	102
	103
1df4ba7e DM	104	__PACKAGE__->register_method({
	105	name => 'get_options',
	106	path => 'options',
	107	method => 'GET',
	108	description => "Get Firewall options.",
0ec56841 DM	109	permissions => {
	110	check => ['perm', '/', [ 'Sys.Audit' ]],
	111	},
1df4ba7e DM	112	parameters => {
	113	additionalProperties => 0,
	114	},
	115	returns => {
	116	type => "object",
	117	#additionalProperties => 1,
271f287b	118	properties => $option_properties,
1df4ba7e DM	119	},
	120	code => sub {
	121	my ($param) = @_;
	122
	123	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	124
5d38d64f	125	return PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
1df4ba7e DM	126	}});
1df4ba7e DM	127
1df4ba7e DM	128
	129	__PACKAGE__->register_method({
	130	name => 'set_options',
	131	path => 'options',
	132	method => 'PUT',
	133	description => "Set Firewall options.",
68c90e21	134	protected => 1,
0ec56841 DM	135	permissions => {
	136	check => ['perm', '/', [ 'Sys.Modify' ]],
	137	},
1df4ba7e DM	138	parameters => {
	139	additionalProperties => 0,
	140	properties => &$add_option_properties({
	141	delete => {
	142	type => 'string', format => 'pve-configid-list',
	143	description => "A list of settings you want to delete.",
	144	optional => 1,
	145	},
5d38d64f	146	digest => get_standard_option('pve-config-digest'),
1df4ba7e DM	147	}),
	148	},
	149	returns => { type => "null" },
	150	code => sub {
	151	my ($param) = @_;
	152
	153	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
	154
5d38d64f DM	155	my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
	156	PVE::Tools::assert_if_modified($digest, $param->{digest});
	157
1df4ba7e DM	158	if ($param->{delete}) {
1df4ba7e DM	159	foreach my $opt (PVE::Tools::split_list($param->{delete})) {
947d6ea2	160	raise_param_exc({ delete => "no such option '$opt'" })
1df4ba7e DM	161	if !$option_properties->{$opt};
	162	delete $cluster_conf->{options}->{$opt};
	163	}
	164	}
	165
	166	if (defined($param->{enable})) {
271f287b DM	167	$param->{enable} = $param->{enable} ? 1 : 0;
	168	}
	169
	170	foreach my $k (keys %$option_properties) {
	171	next if !defined($param->{$k});
947d6ea2	172	$cluster_conf->{options}->{$k} = $param->{$k};
1df4ba7e DM	173	}
1df4ba7e DM	174
1df4ba7e DM	175	PVE::Firewall::save_clusterfw_conf($cluster_conf);
	176
	177	return undef;
	178	}});
ebd54ae9 DM	179
	180	__PACKAGE__->register_method({
	181	name => 'get_macros',
	182	path => 'macros',
	183	method => 'GET',
	184	description => "List available macros",
0ec56841	185	permissions => { user => 'all' },
ebd54ae9 DM	186	parameters => {
	187	additionalProperties => 0,
	188	},
	189	returns => {
	190	type => 'array',
	191	items => {
	192	type => "object",
	193	properties => {
	194	macro => {
	195	description => "Macro name.",
	196	type => 'string',
	197	},
	198	descr => {
	199	description => "More verbose description (if available).",
	200	type => 'string',
	201	}
	202	},
	203	},
	204	},
	205	code => sub {
	206	my ($param) = @_;
	207
	208	my $res = [];
	209
	210	my ($macros, $descr) = PVE::Firewall::get_macros();
	211
	212	foreach my $macro (keys %$macros) {
	213	push @$res, { macro => $macro, descr => $descr->{$macro} \|\| $macro };
	214	}
	215
	216	return $res;
	217	}});
	218
947d6ea2 DM	219	__PACKAGE__->register_method({
	220	name => 'refs',
	221	path => 'refs',
	222	method => 'GET',
	223	description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
0ec56841 DM	224	permissions => {
	225	check => ['perm', '/', [ 'Sys.Audit' ]],
	226	},
947d6ea2 DM	227	parameters => {
947d6ea2 DM	228	additionalProperties => 0,
f2c0865c DM	229	properties => {
	230	type => {
	231	description => "Only list references of specified type.",
	232	type => 'string',
	233	enum => ['alias', 'ipset'],
	234	optional => 1,
	235	},
	236	},
947d6ea2 DM	237	},
	238	returns => {
	239	type => 'array',
	240	items => {
	241	type => "object",
	242	properties => {
	243	type => {
	244	type => 'string',
	245	enum => ['alias', 'ipset'],
	246	},
	247	name => {
	248	type => 'string',
	249	},
	250	ref => {
	251	type => 'string',
	252	},
	253	comment => {
	254	type => 'string',
	255	optional => 1,
	256	},
	257	},
	258	},
	259	},
	260	code => sub {
	261	my ($param) = @_;
	262
	263	my $conf = PVE::Firewall::load_clusterfw_conf();
	264
	265	my $res = [];
	266
f2c0865c DM	267	if (!$param->{type} \|\| $param->{type} eq 'ipset') {
	268	foreach my $name (keys %{$conf->{ipset}}) {
	269	my $data = {
	270	type => 'ipset',
	271	name => $name,
	272	ref => "+$name",
	273	};
	274	if (my $comment = $conf->{ipset_comments}->{$name}) {
	275	$data->{comment} = $comment;
	276	}
	277	push @$res, $data;
947d6ea2	278	}
947d6ea2 DM	279	}
947d6ea2 DM	280
f2c0865c DM	281	if (!$param->{type} \|\| $param->{type} eq 'alias') {
	282	foreach my $name (keys %{$conf->{aliases}}) {
	283	my $e = $conf->{aliases}->{$name};
	284	my $data = {
	285	type => 'alias',
	286	name => $name,
	287	ref => $name,
	288	};
	289	$data->{comment} = $e->{comment} if $e->{comment};
	290	push @$res, $data;
	291	}
947d6ea2 DM	292	}
	293
	294	return $res;
	295	}});
	296
ebd54ae9	297	1;