[pve-firewall.git] / src / PVE / API2 / Firewall / Rules.pm

package PVE::API2::Firewall::RulesBase;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use PVE::Firewall;

use base qw(PVE::RESTHandler);

my $api_properties = { 
    pos => {
	description => "Rule position.",
	type => 'integer',
	minimum => 0,
    },
};

sub load_config {
    my ($class, $param) = @_;

    die "implement this in subclass";

    #return ($fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    die "implement this in subclass";
}

my $additional_param_hash = {};

sub allow_groups {
    return 1;
}

sub additional_parameters {
    my ($class, $new_value) = @_;

    if (defined($new_value)) {
	$additional_param_hash->{$class} = $new_value;
    }

    # return a copy
    my $copy = {};
    my $org = $additional_param_hash->{$class} || {};
    foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
    return $copy;
}

sub register_get_rules {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $class->register_method({
	name => 'get_rules',
	path => '',
	method => 'GET',
	description => "List rules.",
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => {
	    type => 'array',
	    items => {
		type => "object",
		properties => {
		    pos => {
			type => 'integer',
		    }
		},
	    },
	    links => [ { rel => 'child', href => "{pos}" } ],
	},
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $rules) = $class->load_config($param);

	    my $digest = $fw_conf->{digest};

	    my $res = [];

	    my $ind = 0;
	    foreach my $rule (@$rules) {
		push @$res, PVE::Firewall::cleanup_fw_rule($rule, $digest, $ind++);
	    }

	    return $res;
	}});
}

sub register_get_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{pos} = $api_properties->{pos};
    
    $class->register_method({
	name => 'get_rule',
	path => '{pos}',
	method => 'GET',
	description => "Get single rule data.",
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => {
	    type => "object",
	    properties => {
		pos => {
		    type => 'integer',
		}
	    },
	},
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $rules) = $class->load_config($param);

	    my $digest = $fw_conf->{digest};
	    # fixme: check digest
	
	    die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	
	    my $rule = $rules->[$param->{pos}];
	    
	    return PVE::Firewall::cleanup_fw_rule($rule, $digest, $param->{pos});
	}});
}

sub register_create_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    my $create_rule_properties = PVE::Firewall::add_rule_properties($properties);
    $create_rule_properties->{action}->{optional} = 0;
    $create_rule_properties->{type}->{optional} = 0;
    
    $class->register_method({
	name => 'create_rule',
	path => '',
	method => 'POST',
	description => "Create new rule.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $create_rule_properties,
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $rules) = $class->load_config($param);

	    my $digest = $fw_conf->{digest};

	    my $rule = {};

	    PVE::Firewall::copy_rule_data($rule, $param);
	    PVE::Firewall::verify_rule($rule, $class->allow_groups());

	    $rule->{enable} = 0 if !defined($param->{enable});

	    unshift @$rules, $rule;

	    $class->save_rules($param, $fw_conf, $rules);

	    return undef;
	}});
}

sub register_update_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{pos} = $api_properties->{pos};
    
    $properties->{moveto} = {
	description => "Move rule to new position <moveto>. Other arguments are ignored.",
	type => 'integer',
	minimum => 0,
	optional => 1,
    };

    $properties->{delete} = {
	type => 'string', format => 'pve-configid-list',
	description => "A list of settings you want to delete.",
	optional => 1,
    };

    my $update_rule_properties = PVE::Firewall::add_rule_properties($properties);

    $class->register_method({
	name => 'update_rule',
	path => '{pos}',
	method => 'PUT',
	description => "Modify rule data.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $update_rule_properties,
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $rules) = $class->load_config($param);

	    my $digest = $fw_conf->{digest};
	    # fixme: check digest
	
	    die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	
	    my $rule = $rules->[$param->{pos}];

	    my $moveto = $param->{moveto};
	    if (defined($moveto) && $moveto != $param->{pos}) {
		my $newrules = [];
		for (my $i = 0; $i < scalar(@$rules); $i++) {
		    next if $i == $param->{pos};
		    if ($i == $moveto) {
			push @$newrules, $rule;
		    }
		    push @$newrules, $rules->[$i];
		}
		push @$newrules, $rule if $moveto >= scalar(@$rules);
		$rules = $newrules;
	    } else {
		raise_param_exc({ type => "property is missing"})
		    if !defined($param->{type});
		raise_param_exc({ action => "property is missing"})
		    if !defined($param->{action});

		PVE::Firewall::copy_rule_data($rule, $param);
		
		PVE::Firewall::delete_rule_properties($rule, $param->{'delete'}) if $param->{'delete'};

		PVE::Firewall::verify_rule($rule, $class->allow_groups());
	    }

	    $class->save_rules($param, $fw_conf, $rules);

	    return undef;
	}});
}

sub register_delete_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{pos} = $api_properties->{pos};
    
    $class->register_method({
	name => 'delete_rule',
	path => '{pos}',
	method => 'DELETE',
	description => "Delete rule.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $rules) = $class->load_config($param);

	    my $digest = $fw_conf->{digest};
	    # fixme: check digest
	
	    die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	
	    splice(@$rules, $param->{pos}, 1);
	    
	    $class->save_rules($param, $fw_conf, $rules);

	    return undef;
	}});
}

sub register_handlers {
    my ($class) = @_;

    $class->register_get_rules();
    $class->register_get_rule();
    $class->register_create_rule();
    $class->register_update_rule();
    $class->register_delete_rule();
}

package PVE::API2::Firewall::GroupRules;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({ group => {
    description => "Security group name.",
    type => 'string',
    maxLength => 20, # fixme: what length?
}});

sub allow_groups {
    return 0;
}

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_clusterfw_conf();
    my $rules = $fw_conf->{groups}->{$param->{group}};
    die "no such security group '$param->{group}'\n" if !defined($rules);

    return ($fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{groups}->{$param->{group}} = $rules;
    PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::ClusterRules;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::RulesBase);

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_clusterfw_conf();
    my $rules = $fw_conf->{rules};

    return ($fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::HostRules;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({ node => get_standard_option('pve-node')});

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_hostfw_conf();
    my $rules = $fw_conf->{rules};

    return ($fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_hostfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::VMRules;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({ 
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),				   
});

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});
    my $rules = $fw_conf->{rules};

    return ($fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

1;
Commit	Line	Data
86791289 DM	1	package PVE::API2::Firewall::RulesBase;
	2
	3	use strict;
	4	use warnings;
	5	use PVE::JSONSchema qw(get_standard_option);
	6
	7	use PVE::Firewall;
	8
	9	use base qw(PVE::RESTHandler);
	10
	11	my $api_properties = {
86791289 DM	12	pos => {
	13	description => "Rule position.",
	14	type => 'integer',
	15	minimum => 0,
	16	},
	17	};
	18
	19	sub load_config {
	20	my ($class, $param) = @_;
	21
	22	die "implement this in subclass";
	23
	24	#return ($fw_conf, $rules);
	25	}
	26
	27	sub save_rules {
	28	my ($class, $param, $fw_conf, $rules) = @_;
	29
	30	die "implement this in subclass";
	31	}
	32
63c91681	33	my $additional_param_hash = {};
86791289	34
7ca36671 DM	35	sub allow_groups {
	36	return 1;
	37	}
	38
63c91681	39	sub additional_parameters {
86791289 DM	40	my ($class, $new_value) = @_;
86791289 DM	41
63c91681 DM	42	if (defined($new_value)) {
	43	$additional_param_hash->{$class} = $new_value;
	44	}
86791289	45
63c91681 DM	46	# return a copy
	47	my $copy = {};
	48	my $org = $additional_param_hash->{$class} \|\| {};
	49	foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
	50	return $copy;
86791289 DM	51	}
	52
	53	sub register_get_rules {
	54	my ($class) = @_;
	55
63c91681	56	my $properties = $class->additional_parameters();
86791289 DM	57
	58	$class->register_method({
	59	name => 'get_rules',
	60	path => '',
	61	method => 'GET',
	62	description => "List rules.",
	63	parameters => {
	64	additionalProperties => 0,
	65	properties => $properties,
	66	},
	67	returns => {
	68	type => 'array',
	69	items => {
	70	type => "object",
	71	properties => {
	72	pos => {
	73	type => 'integer',
	74	}
	75	},
	76	},
	77	links => [ { rel => 'child', href => "{pos}" } ],
	78	},
	79	code => sub {
	80	my ($param) = @_;
	81
	82	my ($fw_conf, $rules) = $class->load_config($param);
	83
	84	my $digest = $fw_conf->{digest};
	85
	86	my $res = [];
	87
	88	my $ind = 0;
	89	foreach my $rule (@$rules) {
	90	push @$res, PVE::Firewall::cleanup_fw_rule($rule, $digest, $ind++);
	91	}
	92
	93	return $res;
	94	}});
	95	}
	96
	97	sub register_get_rule {
	98	my ($class) = @_;
	99
63c91681	100	my $properties = $class->additional_parameters();
86791289 DM	101
	102	$properties->{pos} = $api_properties->{pos};
	103
86791289 DM	104	$class->register_method({
	105	name => 'get_rule',
	106	path => '{pos}',
	107	method => 'GET',
	108	description => "Get single rule data.",
	109	parameters => {
	110	additionalProperties => 0,
	111	properties => $properties,
	112	},
	113	returns => {
	114	type => "object",
	115	properties => {
	116	pos => {
	117	type => 'integer',
	118	}
	119	},
	120	},
	121	code => sub {
	122	my ($param) = @_;
	123
	124	my ($fw_conf, $rules) = $class->load_config($param);
	125
	126	my $digest = $fw_conf->{digest};
	127	# fixme: check digest
	128
	129	die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	130
	131	my $rule = $rules->[$param->{pos}];
	132
	133	return PVE::Firewall::cleanup_fw_rule($rule, $digest, $param->{pos});
	134	}});
	135	}
	136
	137	sub register_create_rule {
	138	my ($class) = @_;
	139
63c91681	140	my $properties = $class->additional_parameters();
86791289 DM	141
86791289 DM	142	my $create_rule_properties = PVE::Firewall::add_rule_properties($properties);
3655b01f DM	143	$create_rule_properties->{action}->{optional} = 0;
	144	$create_rule_properties->{type}->{optional} = 0;
	145
86791289 DM	146	$class->register_method({
	147	name => 'create_rule',
	148	path => '',
	149	method => 'POST',
	150	description => "Create new rule.",
	151	protected => 1,
	152	parameters => {
	153	additionalProperties => 0,
	154	properties => $create_rule_properties,
	155	},
	156	returns => { type => "null" },
	157	code => sub {
	158	my ($param) = @_;
	159
	160	my ($fw_conf, $rules) = $class->load_config($param);
	161
	162	my $digest = $fw_conf->{digest};
3655b01f DM	163
3655b01f DM	164	my $rule = {};
86791289 DM	165
86791289 DM	166	PVE::Firewall::copy_rule_data($rule, $param);
7ca36671	167	PVE::Firewall::verify_rule($rule, $class->allow_groups());
86791289	168
3655b01f DM	169	$rule->{enable} = 0 if !defined($param->{enable});
3655b01f DM	170
86791289 DM	171	unshift @$rules, $rule;
	172
	173	$class->save_rules($param, $fw_conf, $rules);
	174
	175	return undef;
	176	}});
	177	}
	178
	179	sub register_update_rule {
	180	my ($class) = @_;
	181
63c91681	182	my $properties = $class->additional_parameters();
86791289 DM	183
	184	$properties->{pos} = $api_properties->{pos};
	185
86791289 DM	186	$properties->{moveto} = {
	187	description => "Move rule to new position <moveto>. Other arguments are ignored.",
	188	type => 'integer',
	189	minimum => 0,
	190	optional => 1,
	191	};
	192
5b7974df DM	193	$properties->{delete} = {
	194	type => 'string', format => 'pve-configid-list',
	195	description => "A list of settings you want to delete.",
	196	optional => 1,
	197	};
	198
86791289 DM	199	my $update_rule_properties = PVE::Firewall::add_rule_properties($properties);
	200
	201	$class->register_method({
	202	name => 'update_rule',
	203	path => '{pos}',
	204	method => 'PUT',
	205	description => "Modify rule data.",
	206	protected => 1,
	207	parameters => {
	208	additionalProperties => 0,
	209	properties => $update_rule_properties,
	210	},
	211	returns => { type => "null" },
	212	code => sub {
	213	my ($param) = @_;
	214
	215	my ($fw_conf, $rules) = $class->load_config($param);
	216
	217	my $digest = $fw_conf->{digest};
	218	# fixme: check digest
	219
	220	die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	221
	222	my $rule = $rules->[$param->{pos}];
	223
	224	my $moveto = $param->{moveto};
	225	if (defined($moveto) && $moveto != $param->{pos}) {
	226	my $newrules = [];
	227	for (my $i = 0; $i < scalar(@$rules); $i++) {
	228	next if $i == $param->{pos};
	229	if ($i == $moveto) {
	230	push @$newrules, $rule;
	231	}
	232	push @$newrules, $rules->[$i];
	233	}
	234	push @$newrules, $rule if $moveto >= scalar(@$rules);
	235	$rules = $newrules;
	236	} else {
3655b01f DM	237	raise_param_exc({ type => "property is missing"})
	238	if !defined($param->{type});
	239	raise_param_exc({ action => "property is missing"})
	240	if !defined($param->{action});
	241
86791289	242	PVE::Firewall::copy_rule_data($rule, $param);
5b7974df DM	243
5b7974df DM	244	PVE::Firewall::delete_rule_properties($rule, $param->{'delete'}) if $param->{'delete'};
7ca36671 DM	245
7ca36671 DM	246	PVE::Firewall::verify_rule($rule, $class->allow_groups());
86791289 DM	247	}
	248
	249	$class->save_rules($param, $fw_conf, $rules);
	250
	251	return undef;
	252	}});
	253	}
	254
	255	sub register_delete_rule {
	256	my ($class) = @_;
	257
63c91681	258	my $properties = $class->additional_parameters();
86791289 DM	259
	260	$properties->{pos} = $api_properties->{pos};
	261
86791289 DM	262	$class->register_method({
	263	name => 'delete_rule',
	264	path => '{pos}',
	265	method => 'DELETE',
	266	description => "Delete rule.",
	267	protected => 1,
	268	parameters => {
	269	additionalProperties => 0,
	270	properties => $properties,
	271	},
	272	returns => { type => "null" },
	273	code => sub {
	274	my ($param) = @_;
	275
	276	my ($fw_conf, $rules) = $class->load_config($param);
	277
	278	my $digest = $fw_conf->{digest};
	279	# fixme: check digest
	280
	281	die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	282
	283	splice(@$rules, $param->{pos}, 1);
	284
	285	$class->save_rules($param, $fw_conf, $rules);
	286
	287	return undef;
	288	}});
	289	}
	290
	291	sub register_handlers {
	292	my ($class) = @_;
	293
	294	$class->register_get_rules();
	295	$class->register_get_rule();
	296	$class->register_create_rule();
	297	$class->register_update_rule();
	298	$class->register_delete_rule();
	299	}
	300
	301	package PVE::API2::Firewall::GroupRules;
	302
	303	use strict;
	304	use warnings;
	305
	306	use base qw(PVE::API2::Firewall::RulesBase);
	307
63c91681 DM	308	__PACKAGE__->additional_parameters({ group => {
	309	description => "Security group name.",
	310	type => 'string',
	311	maxLength => 20, # fixme: what length?
	312	}});
86791289	313
7ca36671 DM	314	sub allow_groups {
	315	return 0;
	316	}
	317
86791289 DM	318	sub load_config {
	319	my ($class, $param) = @_;
	320
	321	my $fw_conf = PVE::Firewall::load_clusterfw_conf();
	322	my $rules = $fw_conf->{groups}->{$param->{group}};
	323	die "no such security group '$param->{group}'\n" if !defined($rules);
	324
	325	return ($fw_conf, $rules);
	326	}
	327
	328	sub save_rules {
	329	my ($class, $param, $fw_conf, $rules) = @_;
	330
	331	$fw_conf->{groups}->{$param->{group}} = $rules;
	332	PVE::Firewall::save_clusterfw_conf($fw_conf);
	333	}
	334
63c91681	335	__PACKAGE__->register_handlers();
86791289 DM	336
	337	package PVE::API2::Firewall::ClusterRules;
	338
	339	use strict;
	340	use warnings;
	341
	342	use base qw(PVE::API2::Firewall::RulesBase);
	343
	344	sub load_config {
	345	my ($class, $param) = @_;
	346
	347	my $fw_conf = PVE::Firewall::load_clusterfw_conf();
	348	my $rules = $fw_conf->{rules};
	349
	350	return ($fw_conf, $rules);
	351	}
	352
	353	sub save_rules {
	354	my ($class, $param, $fw_conf, $rules) = @_;
	355
	356	$fw_conf->{rules} = $rules;
	357	PVE::Firewall::save_clusterfw_conf($fw_conf);
	358	}
	359
63c91681 DM	360	__PACKAGE__->register_handlers();
	361
	362	package PVE::API2::Firewall::HostRules;
	363
	364	use strict;
	365	use warnings;
	366	use PVE::JSONSchema qw(get_standard_option);
	367
	368	use base qw(PVE::API2::Firewall::RulesBase);
	369
	370	__PACKAGE__->additional_parameters({ node => get_standard_option('pve-node')});
	371
	372	sub load_config {
	373	my ($class, $param) = @_;
	374
	375	my $fw_conf = PVE::Firewall::load_hostfw_conf();
	376	my $rules = $fw_conf->{rules};
	377
	378	return ($fw_conf, $rules);
	379	}
	380
	381	sub save_rules {
	382	my ($class, $param, $fw_conf, $rules) = @_;
	383
	384	$fw_conf->{rules} = $rules;
	385	PVE::Firewall::save_hostfw_conf($fw_conf);
	386	}
	387
	388	__PACKAGE__->register_handlers();
86791289	389
464f933e DM	390	package PVE::API2::Firewall::VMRules;
	391
	392	use strict;
	393	use warnings;
	394	use PVE::JSONSchema qw(get_standard_option);
	395
	396	use base qw(PVE::API2::Firewall::RulesBase);
	397
	398	__PACKAGE__->additional_parameters({
	399	node => get_standard_option('pve-node'),
	400	vmid => get_standard_option('pve-vmid'),
	401	});
	402
	403	sub load_config {
	404	my ($class, $param) = @_;
	405
	406	my $fw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});
	407	my $rules = $fw_conf->{rules};
	408
	409	return ($fw_conf, $rules);
	410	}
	411
	412	sub save_rules {
	413	my ($class, $param, $fw_conf, $rules) = @_;
	414
	415	$fw_conf->{rules} = $rules;
	416	PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
	417	}
	418
	419	__PACKAGE__->register_handlers();
	420
86791289	421	1;