src/PVE/API2/Firewall/Groups.pm

   1 package PVE::API2::Firewall::Groups;
   2
   3 use strict;
   4 use warnings;
   5 use PVE::JSONSchema qw(get_standard_option);
   6 use PVE::Exception qw(raise raise_param_exc);
   7
   8 use PVE::Firewall;
   9 use PVE::API2::Firewall::Rules;
  10
  11
  12 use base qw(PVE::RESTHandler);
  13
  14 my $get_security_group_list = sub {
  15     my ($cluster_conf) = @_;
  16
  17     my $res = [];
  18     foreach my $group (sort keys %{$cluster_conf->{groups}}) {
  19         my $data = {
  20             group => $group,
  21         };
  22         if (my $comment = $cluster_conf->{group_comments}->{$group}) {
  23             $data->{comment} = $comment;
  24         }
  25         push @$res, $data;
  26     }
  27
  28     my ($list, $digest) = PVE::Firewall::copy_list_with_digest($res);
  29
  30     return wantarray ? ($list, $digest) : $list;
  31 };
  32
  33 my $rename_fw_rules = sub {
  34     my ($old, $new, $rules) = @_;
  35
  36     for my $rule (@{$rules}) {
  37         next if ($rule->{type} ne "group" || $rule->{action} ne $old);
  38         $rule->{action} = $new;
  39     }
  40 };
  41
  42 __PACKAGE__->register_method({
  43     name => 'list_security_groups',
  44     path => '',
  45     method => 'GET',
  46     description => "List security groups.",
  47     permissions => { user => 'all' },
  48     parameters => {
  49         additionalProperties => 0,
  50         properties => {},
  51     },
  52     returns => {
  53         type => 'array',
  54         items => {
  55             type => "object",
  56             properties => {
  57                 group => get_standard_option('pve-security-group-name'),
  58                 digest => get_standard_option('pve-config-digest', { optional => 0} ),
  59                 comment => {
  60                     type => 'string',
  61                     optional => 1,
  62                 }
  63             },
  64         },
  65         links => [ { rel => 'child', href => "{group}" } ],
  66     },
  67     code => sub {
  68         my ($param) = @_;
  69
  70         my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
  71
  72         return &$get_security_group_list($cluster_conf);
  73     }});
  74
  75 __PACKAGE__->register_method({
  76     name => 'create_security_group',
  77     path => '',
  78     method => 'POST',
  79     description => "Create new security group.",
  80     protected => 1,
  81     permissions => {
  82         check => ['perm', '/', [ 'Sys.Modify' ]],
  83     },
  84     parameters => {
  85         additionalProperties => 0,
  86         properties => {
  87             group => get_standard_option('pve-security-group-name'),
  88             comment => {
  89                 type => 'string',
  90                 optional => 1,
  91             },
  92             rename => get_standard_option('pve-security-group-name', {
  93                 description => "Rename/update an existing security group. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing group.",
  94                 optional => 1,
  95             }),
  96             digest => get_standard_option('pve-config-digest'),
  97         },
  98     },
  99     returns => { type => 'null' },
 100     code => sub {
 101         my ($param) = @_;
 102
 103         my $group = $param->{group};
 104         my $rename = $param->{rename};
 105         my $comment = $param->{comment};
 106
 107         PVE::Firewall::lock_clusterfw_conf(10, sub {
 108             my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
 109
 110             if ($rename) {
 111                 my (undef, $digest) = &$get_security_group_list($cluster_conf);
 112                 PVE::Tools::assert_if_modified($digest, $param->{digest});
 113
 114                 raise_param_exc({ group => "Security group '$rename' does not exist" })
 115                     if !$cluster_conf->{groups}->{$rename};
 116
 117                 # prevent overwriting an existing group
 118                 raise_param_exc({ group => "Security group '$group' does already exist" })
 119                     if $cluster_conf->{groups}->{$group} &&
 120                     $group ne $rename;
 121
 122                 if ($rename eq $group) {
 123                     $cluster_conf->{group_comments}->{$rename} = $comment if defined($comment);
 124                     PVE::Firewall::save_clusterfw_conf($cluster_conf);
 125                     return;
 126                 }
 127
 128                 # Create an exact copy of the old security group
 129                 $cluster_conf->{groups}->{$group} = $cluster_conf->{groups}->{$rename};
 130                 $cluster_conf->{group_comments}->{$group} = $cluster_conf->{group_comments}->{$rename};
 131
 132                 # Update comment if provided
 133                 $cluster_conf->{group_comments}->{$group} = $comment if defined($comment);
 134
 135                 # Write the copy to the cluster config, so that if something fails inbetween, the new firewall
 136                 # rules won't be broken when the new name is referenced
 137                 PVE::Firewall::save_clusterfw_conf($cluster_conf);
 138
 139                 # Update all the host configs to the new copy
 140                 my $hosts = PVE::Cluster::get_nodelist();
 141                 foreach my $host (@$hosts) {
 142                     PVE::Firewall::lock_hostfw_conf($host, 10, sub {
 143                         my $host_conf_path = "/etc/pve/nodes/$host/host.fw";
 144                         my $host_conf = PVE::Firewall::load_hostfw_conf($cluster_conf, $host_conf_path);
 145
 146                         if (defined($host_conf)) {
 147                             &$rename_fw_rules($rename,
 148                                 $group,
 149                                 $host_conf->{rules});
 150                             PVE::Firewall::save_hostfw_conf($host_conf, $host_conf_path);
 151                         }
 152                     });
 153                 }
 154
 155                 # Update all the VM configs
 156                 my $vms = PVE::Cluster::get_vmlist();
 157                 foreach my $vm (keys %{$vms->{ids}}) {
 158                     PVE::Firewall::lock_vmfw_conf($vm, 10, sub {
 159                         my $vm_type = $vms->{ids}->{$vm}->{type} eq "lxc" ? "ct" : "vm";
 160                         my $vm_conf = PVE::Firewall::load_vmfw_conf($cluster_conf, $vm_type, $vm, "/etc/pve/firewall");
 161
 162                         if (defined($vm_conf)) {
 163                             &$rename_fw_rules($rename,
 164                                 $group,
 165                                 $vm_conf->{rules});
 166                             PVE::Firewall::save_vmfw_conf($vm, $vm_conf);
 167                         }
 168                     });
 169                 }
 170
 171                 # And also update the cluster itself
 172                 &$rename_fw_rules($rename,
 173                     $group,
 174                     $cluster_conf->{rules});
 175
 176                 # Now that everything has been updated, the old rule can be deleted
 177                 delete $cluster_conf->{groups}->{$rename};
 178                 delete $cluster_conf->{group_comments}->{$rename};
 179             } else {
 180                 foreach my $name (keys %{$cluster_conf->{groups}}) {
 181                     raise_param_exc({ group => "Security group '$name' already exists" })
 182                         if $name eq $group;
 183                 }
 184
 185                 $cluster_conf->{groups}->{$group} = [];
 186                 $cluster_conf->{group_comments}->{$group} = $comment if defined($comment);
 187             }
 188
 189             PVE::Firewall::save_clusterfw_conf($cluster_conf);
 190         });
 191
 192         return undef;
 193     }});
 194
 195 __PACKAGE__->register_method ({
 196     subclass => "PVE::API2::Firewall::GroupRules",
 197     path => '{group}',
 198 });
 199
 200 1;