]> git.proxmox.com Git - pve-firewall.git/blob - src/PVE/API2/Firewall/Cluster.pm
projects / pve-firewall.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
implement permission for Alias class.
[pve-firewall.git] / src / PVE / API2 / Firewall / Cluster.pm
1 package PVE::API2::Firewall::Cluster;
2
3 use strict;
4 use warnings;
5 use PVE::Exception qw(raise raise_param_exc raise_perm_exc);
6 use PVE::JSONSchema qw(get_standard_option);
7
8 use PVE::Firewall;
9 use PVE::API2::Firewall::Aliases;
10 use PVE::API2::Firewall::Rules;
11 use PVE::API2::Firewall::Groups;
12 use PVE::API2::Firewall::IPSet;
13
14 #fixme: locking?
15
16 use Data::Dumper; # fixme: remove
17
18 use base qw(PVE::RESTHandler);
19
20 __PACKAGE__->register_method ({
21 subclass => "PVE::API2::Firewall::Groups",
22 path => 'groups',
23 });
24
25 __PACKAGE__->register_method ({
26 subclass => "PVE::API2::Firewall::ClusterRules",
27 path => 'rules',
28 });
29
30 __PACKAGE__->register_method ({
31 subclass => "PVE::API2::Firewall::ClusterIPSetList",
32 path => 'ipset',
33 });
34
35 __PACKAGE__->register_method ({
36 subclass => "PVE::API2::Firewall::ClusterAliases",
37 path => 'aliases',
38 });
39
40
41 __PACKAGE__->register_method({
42 name => 'index',
43 path => '',
44 method => 'GET',
45 permissions => { user => 'all' },
46 description => "Directory index.",
47 parameters => {
48 additionalProperties => 0,
49 },
50 returns => {
51 type => 'array',
52 items => {
53 type => "object",
54 properties => {},
55 },
56 links => [ { rel => 'child', href => "{name}" } ],
57 },
58 code => sub {
59 my ($param) = @_;
60
61 my $result = [
62 { name => 'aliases' },
63 { name => 'rules' },
64 { name => 'options' },
65 { name => 'groups' },
66 { name => 'ipset' },
67 { name => 'macros' },
68 { name => 'refs' },
69 ];
70
71 return $result;
72 }});
73
74 my $option_properties = {
75 enable => {
76 type => 'boolean',
77 optional => 1,
78 },
79 policy_in => {
80 description => "Input policy.",
81 type => 'string',
82 optional => 1,
83 enum => ['ACCEPT', 'REJECT', 'DROP'],
84 },
85 policy_out => {
86 description => "Output policy.",
87 type => 'string',
88 optional => 1,
89 enum => ['ACCEPT', 'REJECT', 'DROP'],
90 },
91 };
92
93 my $add_option_properties = sub {
94 my ($properties) = @_;
95
96 foreach my $k (keys %$option_properties) {
97 $properties->{$k} = $option_properties->{$k};
98 }
99
100 return $properties;
101 };
102
103
104 __PACKAGE__->register_method({
105 name => 'get_options',
106 path => 'options',
107 method => 'GET',
108 description => "Get Firewall options.",
109 permissions => {
110 check => ['perm', '/', [ 'Sys.Audit' ]],
111 },
112 parameters => {
113 additionalProperties => 0,
114 },
115 returns => {
116 type => "object",
117 #additionalProperties => 1,
118 properties => $option_properties,
119 },
120 code => sub {
121 my ($param) = @_;
122
123 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
124
125 return PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
126 }});
127
128
129 __PACKAGE__->register_method({
130 name => 'set_options',
131 path => 'options',
132 method => 'PUT',
133 description => "Set Firewall options.",
134 protected => 1,
135 permissions => {
136 check => ['perm', '/', [ 'Sys.Modify' ]],
137 },
138 parameters => {
139 additionalProperties => 0,
140 properties => &$add_option_properties({
141 delete => {
142 type => 'string', format => 'pve-configid-list',
143 description => "A list of settings you want to delete.",
144 optional => 1,
145 },
146 digest => get_standard_option('pve-config-digest'),
147 }),
148 },
149 returns => { type => "null" },
150 code => sub {
151 my ($param) = @_;
152
153 my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
154
155 my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($cluster_conf->{options});
156 PVE::Tools::assert_if_modified($digest, $param->{digest});
157
158 if ($param->{delete}) {
159 foreach my $opt (PVE::Tools::split_list($param->{delete})) {
160 raise_param_exc({ delete => "no such option '$opt'" })
161 if !$option_properties->{$opt};
162 delete $cluster_conf->{options}->{$opt};
163 }
164 }
165
166 if (defined($param->{enable})) {
167 $param->{enable} = $param->{enable} ? 1 : 0;
168 }
169
170 foreach my $k (keys %$option_properties) {
171 next if !defined($param->{$k});
172 $cluster_conf->{options}->{$k} = $param->{$k};
173 }
174
175 PVE::Firewall::save_clusterfw_conf($cluster_conf);
176
177 return undef;
178 }});
179
180 __PACKAGE__->register_method({
181 name => 'get_macros',
182 path => 'macros',
183 method => 'GET',
184 description => "List available macros",
185 permissions => { user => 'all' },
186 parameters => {
187 additionalProperties => 0,
188 },
189 returns => {
190 type => 'array',
191 items => {
192 type => "object",
193 properties => {
194 macro => {
195 description => "Macro name.",
196 type => 'string',
197 },
198 descr => {
199 description => "More verbose description (if available).",
200 type => 'string',
201 }
202 },
203 },
204 },
205 code => sub {
206 my ($param) = @_;
207
208 my $res = [];
209
210 my ($macros, $descr) = PVE::Firewall::get_macros();
211
212 foreach my $macro (keys %$macros) {
213 push @$res, { macro => $macro, descr => $descr->{$macro} || $macro };
214 }
215
216 return $res;
217 }});
218
219 __PACKAGE__->register_method({
220 name => 'refs',
221 path => 'refs',
222 method => 'GET',
223 description => "Lists possible IPSet/Alias reference which are allowed in source/dest properties.",
224 permissions => {
225 check => ['perm', '/', [ 'Sys.Audit' ]],
226 },
227 parameters => {
228 additionalProperties => 0,
229 properties => {
230 type => {
231 description => "Only list references of specified type.",
232 type => 'string',
233 enum => ['alias', 'ipset'],
234 optional => 1,
235 },
236 },
237 },
238 returns => {
239 type => 'array',
240 items => {
241 type => "object",
242 properties => {
243 type => {
244 type => 'string',
245 enum => ['alias', 'ipset'],
246 },
247 name => {
248 type => 'string',
249 },
250 ref => {
251 type => 'string',
252 },
253 comment => {
254 type => 'string',
255 optional => 1,
256 },
257 },
258 },
259 },
260 code => sub {
261 my ($param) = @_;
262
263 my $conf = PVE::Firewall::load_clusterfw_conf();
264
265 my $res = [];
266
267 if (!$param->{type} || $param->{type} eq 'ipset') {
268 foreach my $name (keys %{$conf->{ipset}}) {
269 my $data = {
270 type => 'ipset',
271 name => $name,
272 ref => "+$name",
273 };
274 if (my $comment = $conf->{ipset_comments}->{$name}) {
275 $data->{comment} = $comment;
276 }
277 push @$res, $data;
278 }
279 }
280
281 if (!$param->{type} || $param->{type} eq 'alias') {
282 foreach my $name (keys %{$conf->{aliases}}) {
283 my $e = $conf->{aliases}->{$name};
284 my $data = {
285 type => 'alias',
286 name => $name,
287 ref => $name,
288 };
289 $data->{comment} = $e->{comment} if $e->{comment};
290 push @$res, $data;
291 }
292 }
293
294 return $res;
295 }});
296
297 1;
Firewall test scripts