[pve-firewall.git] / src / PVE / API2 / Firewall / Rules.pm

package PVE::API2::Firewall::RulesBase;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);
use PVE::Exception qw(raise raise_param_exc);

use PVE::Firewall;

use base qw(PVE::RESTHandler);

my $api_properties = { 
    pos => {
	description => "Rule position.",
	type => 'integer',
	minimum => 0,
    },
};

sub load_config {
    my ($class, $param) = @_;

    die "implement this in subclass";

    #return ($fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    die "implement this in subclass";
}

my $additional_param_hash = {};

sub allow_groups {
    return 1;
}

sub additional_parameters {
    my ($class, $new_value) = @_;

    if (defined($new_value)) {
	$additional_param_hash->{$class} = $new_value;
    }

    # return a copy
    my $copy = {};
    my $org = $additional_param_hash->{$class} || {};
    foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
    return $copy;
}

sub register_get_rules {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $class->register_method({
	name => 'get_rules',
	path => '',
	method => 'GET',
	description => "List rules.",
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => {
	    type => 'array',
	    items => {
		type => "object",
		properties => {
		    pos => {
			type => 'integer',
		    }
		},
	    },
	    links => [ { rel => 'child', href => "{pos}" } ],
	},
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $rules) = $class->load_config($param);

	    my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);

	    my $ind = 0;
	    foreach my $rule (@$list) {
		$rule->{pos} = $ind++;
	    }

	    return $list;
	}});
}

sub register_get_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{pos} = $api_properties->{pos};
    
    $class->register_method({
	name => 'get_rule',
	path => '{pos}',
	method => 'GET',
	description => "Get single rule data.",
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => {
	    type => "object",
	    properties => {
		pos => {
		    type => 'integer',
		}
	    },
	},
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $rules) = $class->load_config($param);

	    my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
	
	    die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$list);
	
	    my $rule = $list->[$param->{pos}];
	    $rule->{pos} = $param->{pos};

	    return $rule;
	}});
}

sub register_create_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    my $create_rule_properties = PVE::Firewall::add_rule_properties($properties);
    $create_rule_properties->{action}->{optional} = 0;
    $create_rule_properties->{type}->{optional} = 0;
    
    $class->register_method({
	name => 'create_rule',
	path => '',
	method => 'POST',
	description => "Create new rule.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $create_rule_properties,
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $rules) = $class->load_config($param);

	    my $rule = {};

	    PVE::Firewall::copy_rule_data($rule, $param);
	    PVE::Firewall::verify_rule($rule, $class->allow_groups());

	    $rule->{enable} = 0 if !defined($param->{enable});

	    unshift @$rules, $rule;

	    $class->save_rules($param, $fw_conf, $rules);

	    return undef;
	}});
}

sub register_update_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{pos} = $api_properties->{pos};
    
    $properties->{moveto} = {
	description => "Move rule to new position <moveto>. Other arguments are ignored.",
	type => 'integer',
	minimum => 0,
	optional => 1,
    };

    $properties->{delete} = {
	type => 'string', format => 'pve-configid-list',
	description => "A list of settings you want to delete.",
	optional => 1,
    };

    my $update_rule_properties = PVE::Firewall::add_rule_properties($properties);

    $class->register_method({
	name => 'update_rule',
	path => '{pos}',
	method => 'PUT',
	description => "Modify rule data.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $update_rule_properties,
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $rules) = $class->load_config($param);

	    my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
	    PVE::Tools::assert_if_modified($digest, $param->{digest});

	    die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	
	    my $rule = $rules->[$param->{pos}];

	    my $moveto = $param->{moveto};
	    if (defined($moveto) && $moveto != $param->{pos}) {
		my $newrules = [];
		for (my $i = 0; $i < scalar(@$rules); $i++) {
		    next if $i == $param->{pos};
		    if ($i == $moveto) {
			push @$newrules, $rule;
		    }
		    push @$newrules, $rules->[$i];
		}
		push @$newrules, $rule if $moveto >= scalar(@$rules);
		$rules = $newrules;
	    } else {
		PVE::Firewall::copy_rule_data($rule, $param);
		
		PVE::Firewall::delete_rule_properties($rule, $param->{'delete'}) if $param->{'delete'};

		PVE::Firewall::verify_rule($rule, $class->allow_groups());
	    }

	    $class->save_rules($param, $fw_conf, $rules);

	    return undef;
	}});
}

sub register_delete_rule {
    my ($class) = @_;

    my $properties = $class->additional_parameters();

    $properties->{pos} = $api_properties->{pos};

    $properties->{digest} = get_standard_option('pve-config-digest');
    
    $class->register_method({
	name => 'delete_rule',
	path => '{pos}',
	method => 'DELETE',
	description => "Delete rule.",
	protected => 1,
	parameters => {
	    additionalProperties => 0,
	    properties => $properties,
	},
	returns => { type => "null" },
	code => sub {
	    my ($param) = @_;

	    my ($fw_conf, $rules) = $class->load_config($param);

	    my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
	    PVE::Tools::assert_if_modified($digest, $param->{digest});
	
	    die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	
	    splice(@$rules, $param->{pos}, 1);
	    
	    $class->save_rules($param, $fw_conf, $rules);

	    return undef;
	}});
}

sub register_handlers {
    my ($class) = @_;

    $class->register_get_rules();
    $class->register_get_rule();
    $class->register_create_rule();
    $class->register_update_rule();
    $class->register_delete_rule();
}

package PVE::API2::Firewall::GroupRules;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({ group => get_standard_option('pve-security-group-name') });

sub allow_groups {
    return 0;
}

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_clusterfw_conf();
    my $rules = $fw_conf->{groups}->{$param->{group}};
    die "no such security group '$param->{group}'\n" if !defined($rules);

    return ($fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{groups}->{$param->{group}} = $rules;
    PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::ClusterRules;

use strict;
use warnings;

use base qw(PVE::API2::Firewall::RulesBase);

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_clusterfw_conf();
    my $rules = $fw_conf->{rules};

    return ($fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_clusterfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::HostRules;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({ node => get_standard_option('pve-node')});

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_hostfw_conf();
    my $rules = $fw_conf->{rules};

    return ($fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_hostfw_conf($fw_conf);
}

__PACKAGE__->register_handlers();

package PVE::API2::Firewall::VMRules;

use strict;
use warnings;
use PVE::JSONSchema qw(get_standard_option);

use base qw(PVE::API2::Firewall::RulesBase);

__PACKAGE__->additional_parameters({ 
    node => get_standard_option('pve-node'),
    vmid => get_standard_option('pve-vmid'),				   
});

sub load_config {
    my ($class, $param) = @_;

    my $fw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});
    my $rules = $fw_conf->{rules};

    return ($fw_conf, $rules);
}

sub save_rules {
    my ($class, $param, $fw_conf, $rules) = @_;

    $fw_conf->{rules} = $rules;
    PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
}

__PACKAGE__->register_handlers();

1;
Commit	Line	Data
86791289 DM	1	package PVE::API2::Firewall::RulesBase;
	2
	3	use strict;
	4	use warnings;
	5	use PVE::JSONSchema qw(get_standard_option);
0d22acb3	6	use PVE::Exception qw(raise raise_param_exc);
86791289 DM	7
	8	use PVE::Firewall;
	9
	10	use base qw(PVE::RESTHandler);
	11
	12	my $api_properties = {
86791289 DM	13	pos => {
	14	description => "Rule position.",
	15	type => 'integer',
	16	minimum => 0,
	17	},
	18	};
	19
	20	sub load_config {
	21	my ($class, $param) = @_;
	22
	23	die "implement this in subclass";
	24
	25	#return ($fw_conf, $rules);
	26	}
	27
	28	sub save_rules {
	29	my ($class, $param, $fw_conf, $rules) = @_;
	30
	31	die "implement this in subclass";
	32	}
	33
63c91681	34	my $additional_param_hash = {};
86791289	35
7ca36671 DM	36	sub allow_groups {
	37	return 1;
	38	}
	39
63c91681	40	sub additional_parameters {
86791289 DM	41	my ($class, $new_value) = @_;
86791289 DM	42
63c91681 DM	43	if (defined($new_value)) {
	44	$additional_param_hash->{$class} = $new_value;
	45	}
86791289	46
63c91681 DM	47	# return a copy
	48	my $copy = {};
	49	my $org = $additional_param_hash->{$class} \|\| {};
	50	foreach my $p (keys %$org) { $copy->{$p} = $org->{$p}; }
	51	return $copy;
86791289 DM	52	}
	53
	54	sub register_get_rules {
	55	my ($class) = @_;
	56
63c91681	57	my $properties = $class->additional_parameters();
86791289 DM	58
	59	$class->register_method({
	60	name => 'get_rules',
	61	path => '',
	62	method => 'GET',
	63	description => "List rules.",
	64	parameters => {
	65	additionalProperties => 0,
	66	properties => $properties,
	67	},
	68	returns => {
	69	type => 'array',
	70	items => {
	71	type => "object",
	72	properties => {
	73	pos => {
	74	type => 'integer',
	75	}
	76	},
	77	},
	78	links => [ { rel => 'child', href => "{pos}" } ],
	79	},
	80	code => sub {
	81	my ($param) = @_;
	82
	83	my ($fw_conf, $rules) = $class->load_config($param);
	84
5d38d64f	85	my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
86791289 DM	86
86791289 DM	87	my $ind = 0;
5d38d64f DM	88	foreach my $rule (@$list) {
5d38d64f DM	89	$rule->{pos} = $ind++;
86791289 DM	90	}
86791289 DM	91
5d38d64f	92	return $list;
86791289 DM	93	}});
	94	}
	95
	96	sub register_get_rule {
	97	my ($class) = @_;
	98
63c91681	99	my $properties = $class->additional_parameters();
86791289 DM	100
	101	$properties->{pos} = $api_properties->{pos};
	102
86791289 DM	103	$class->register_method({
	104	name => 'get_rule',
	105	path => '{pos}',
	106	method => 'GET',
	107	description => "Get single rule data.",
	108	parameters => {
	109	additionalProperties => 0,
	110	properties => $properties,
	111	},
	112	returns => {
	113	type => "object",
	114	properties => {
	115	pos => {
	116	type => 'integer',
	117	}
	118	},
	119	},
	120	code => sub {
	121	my ($param) = @_;
	122
	123	my ($fw_conf, $rules) = $class->load_config($param);
	124
5d38d64f	125	my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
86791289	126
5d38d64f	127	die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$list);
86791289	128
5d38d64f DM	129	my $rule = $list->[$param->{pos}];
	130	$rule->{pos} = $param->{pos};
	131
	132	return $rule;
86791289 DM	133	}});
	134	}
	135
	136	sub register_create_rule {
	137	my ($class) = @_;
	138
63c91681	139	my $properties = $class->additional_parameters();
86791289 DM	140
86791289 DM	141	my $create_rule_properties = PVE::Firewall::add_rule_properties($properties);
3655b01f DM	142	$create_rule_properties->{action}->{optional} = 0;
	143	$create_rule_properties->{type}->{optional} = 0;
	144
86791289 DM	145	$class->register_method({
	146	name => 'create_rule',
	147	path => '',
	148	method => 'POST',
	149	description => "Create new rule.",
	150	protected => 1,
	151	parameters => {
	152	additionalProperties => 0,
	153	properties => $create_rule_properties,
	154	},
	155	returns => { type => "null" },
	156	code => sub {
	157	my ($param) = @_;
	158
	159	my ($fw_conf, $rules) = $class->load_config($param);
	160
3655b01f	161	my $rule = {};
86791289 DM	162
86791289 DM	163	PVE::Firewall::copy_rule_data($rule, $param);
7ca36671	164	PVE::Firewall::verify_rule($rule, $class->allow_groups());
86791289	165
3655b01f DM	166	$rule->{enable} = 0 if !defined($param->{enable});
3655b01f DM	167
86791289 DM	168	unshift @$rules, $rule;
	169
	170	$class->save_rules($param, $fw_conf, $rules);
	171
	172	return undef;
	173	}});
	174	}
	175
	176	sub register_update_rule {
	177	my ($class) = @_;
	178
63c91681	179	my $properties = $class->additional_parameters();
86791289 DM	180
	181	$properties->{pos} = $api_properties->{pos};
	182
86791289 DM	183	$properties->{moveto} = {
	184	description => "Move rule to new position <moveto>. Other arguments are ignored.",
	185	type => 'integer',
	186	minimum => 0,
	187	optional => 1,
	188	};
	189
5b7974df DM	190	$properties->{delete} = {
	191	type => 'string', format => 'pve-configid-list',
	192	description => "A list of settings you want to delete.",
	193	optional => 1,
	194	};
	195
86791289 DM	196	my $update_rule_properties = PVE::Firewall::add_rule_properties($properties);
	197
	198	$class->register_method({
	199	name => 'update_rule',
	200	path => '{pos}',
	201	method => 'PUT',
	202	description => "Modify rule data.",
	203	protected => 1,
	204	parameters => {
	205	additionalProperties => 0,
	206	properties => $update_rule_properties,
	207	},
	208	returns => { type => "null" },
	209	code => sub {
	210	my ($param) = @_;
	211
	212	my ($fw_conf, $rules) = $class->load_config($param);
	213
5d38d64f DM	214	my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
5d38d64f DM	215	PVE::Tools::assert_if_modified($digest, $param->{digest});
ddf1e07d	216
86791289 DM	217	die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	218
	219	my $rule = $rules->[$param->{pos}];
	220
	221	my $moveto = $param->{moveto};
	222	if (defined($moveto) && $moveto != $param->{pos}) {
	223	my $newrules = [];
	224	for (my $i = 0; $i < scalar(@$rules); $i++) {
	225	next if $i == $param->{pos};
	226	if ($i == $moveto) {
	227	push @$newrules, $rule;
	228	}
	229	push @$newrules, $rules->[$i];
	230	}
	231	push @$newrules, $rule if $moveto >= scalar(@$rules);
	232	$rules = $newrules;
	233	} else {
	234	PVE::Firewall::copy_rule_data($rule, $param);
5b7974df DM	235
5b7974df DM	236	PVE::Firewall::delete_rule_properties($rule, $param->{'delete'}) if $param->{'delete'};
7ca36671 DM	237
7ca36671 DM	238	PVE::Firewall::verify_rule($rule, $class->allow_groups());
86791289 DM	239	}
	240
	241	$class->save_rules($param, $fw_conf, $rules);
	242
	243	return undef;
	244	}});
	245	}
	246
	247	sub register_delete_rule {
	248	my ($class) = @_;
	249
63c91681	250	my $properties = $class->additional_parameters();
86791289 DM	251
86791289 DM	252	$properties->{pos} = $api_properties->{pos};
ddf1e07d DM	253
ddf1e07d DM	254	$properties->{digest} = get_standard_option('pve-config-digest');
86791289	255
86791289 DM	256	$class->register_method({
	257	name => 'delete_rule',
	258	path => '{pos}',
	259	method => 'DELETE',
	260	description => "Delete rule.",
	261	protected => 1,
	262	parameters => {
	263	additionalProperties => 0,
	264	properties => $properties,
	265	},
	266	returns => { type => "null" },
	267	code => sub {
	268	my ($param) = @_;
	269
	270	my ($fw_conf, $rules) = $class->load_config($param);
	271
5d38d64f DM	272	my (undef, $digest) = PVE::Firewall::copy_list_with_digest($rules);
5d38d64f DM	273	PVE::Tools::assert_if_modified($digest, $param->{digest});
86791289 DM	274
	275	die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
	276
	277	splice(@$rules, $param->{pos}, 1);
	278
	279	$class->save_rules($param, $fw_conf, $rules);
	280
	281	return undef;
	282	}});
	283	}
	284
	285	sub register_handlers {
	286	my ($class) = @_;
	287
	288	$class->register_get_rules();
	289	$class->register_get_rule();
	290	$class->register_create_rule();
	291	$class->register_update_rule();
	292	$class->register_delete_rule();
	293	}
	294
	295	package PVE::API2::Firewall::GroupRules;
	296
	297	use strict;
	298	use warnings;
387d0ffc	299	use PVE::JSONSchema qw(get_standard_option);
86791289 DM	300
	301	use base qw(PVE::API2::Firewall::RulesBase);
	302
387d0ffc	303	__PACKAGE__->additional_parameters({ group => get_standard_option('pve-security-group-name') });
86791289	304
7ca36671 DM	305	sub allow_groups {
	306	return 0;
	307	}
	308
86791289 DM	309	sub load_config {
	310	my ($class, $param) = @_;
	311
	312	my $fw_conf = PVE::Firewall::load_clusterfw_conf();
	313	my $rules = $fw_conf->{groups}->{$param->{group}};
	314	die "no such security group '$param->{group}'\n" if !defined($rules);
	315
	316	return ($fw_conf, $rules);
	317	}
	318
	319	sub save_rules {
	320	my ($class, $param, $fw_conf, $rules) = @_;
	321
	322	$fw_conf->{groups}->{$param->{group}} = $rules;
	323	PVE::Firewall::save_clusterfw_conf($fw_conf);
	324	}
	325
63c91681	326	__PACKAGE__->register_handlers();
86791289 DM	327
	328	package PVE::API2::Firewall::ClusterRules;
	329
	330	use strict;
	331	use warnings;
	332
	333	use base qw(PVE::API2::Firewall::RulesBase);
	334
	335	sub load_config {
	336	my ($class, $param) = @_;
	337
	338	my $fw_conf = PVE::Firewall::load_clusterfw_conf();
	339	my $rules = $fw_conf->{rules};
	340
	341	return ($fw_conf, $rules);
	342	}
	343
	344	sub save_rules {
	345	my ($class, $param, $fw_conf, $rules) = @_;
	346
	347	$fw_conf->{rules} = $rules;
	348	PVE::Firewall::save_clusterfw_conf($fw_conf);
	349	}
	350
63c91681 DM	351	__PACKAGE__->register_handlers();
	352
	353	package PVE::API2::Firewall::HostRules;
	354
	355	use strict;
	356	use warnings;
	357	use PVE::JSONSchema qw(get_standard_option);
	358
	359	use base qw(PVE::API2::Firewall::RulesBase);
	360
	361	__PACKAGE__->additional_parameters({ node => get_standard_option('pve-node')});
	362
	363	sub load_config {
	364	my ($class, $param) = @_;
	365
	366	my $fw_conf = PVE::Firewall::load_hostfw_conf();
	367	my $rules = $fw_conf->{rules};
	368
	369	return ($fw_conf, $rules);
	370	}
	371
	372	sub save_rules {
	373	my ($class, $param, $fw_conf, $rules) = @_;
	374
	375	$fw_conf->{rules} = $rules;
	376	PVE::Firewall::save_hostfw_conf($fw_conf);
	377	}
	378
	379	__PACKAGE__->register_handlers();
86791289	380
464f933e DM	381	package PVE::API2::Firewall::VMRules;
	382
	383	use strict;
	384	use warnings;
	385	use PVE::JSONSchema qw(get_standard_option);
	386
	387	use base qw(PVE::API2::Firewall::RulesBase);
	388
	389	__PACKAGE__->additional_parameters({
	390	node => get_standard_option('pve-node'),
	391	vmid => get_standard_option('pve-vmid'),
	392	});
	393
	394	sub load_config {
	395	my ($class, $param) = @_;
	396
	397	my $fw_conf = PVE::Firewall::load_vmfw_conf($param->{vmid});
	398	my $rules = $fw_conf->{rules};
	399
	400	return ($fw_conf, $rules);
	401	}
	402
	403	sub save_rules {
	404	my ($class, $param, $fw_conf, $rules) = @_;
	405
	406	$fw_conf->{rules} = $rules;
	407	PVE::Firewall::save_vmfw_conf($param->{vmid}, $fw_conf);
	408	}
	409
	410	__PACKAGE__->register_handlers();
	411
86791289	412	1;