Firewall/Groups: add permissions

[pve-firewall.git] / src / PVE / API2 / Firewall / Groups.pm

diff --git a/src/PVE/API2/Firewall/Groups.pm b/src/PVE/API2/Firewall/Groups.pm
index 9ce6ce775ea971bd5f45c7c44f9a08ddc96f3ad8..e8f211603b687fc9705cb6acdb4ac77f7848bf9c 100644 (file)
--- a/src/PVE/API2/Firewall/Groups.pm
+++ b/src/PVE/API2/Firewall/Groups.pm
@@ -3,289 +3,128 @@ package PVE::API2::Firewall::Groups;
 use strict;
 use warnings;
 use PVE::JSONSchema qw(get_standard_option);
+use PVE::Exception qw(raise raise_param_exc);
 
 use PVE::Firewall;
-
+use PVE::API2::Firewall::Rules;
 
 use Data::Dumper; # fixme: remove
 
 use base qw(PVE::RESTHandler);
 
-__PACKAGE__->register_method({
-    name => 'list',
-    path => '',
-    method => 'GET',
-    description => "List security groups.",
-    proxyto => 'node',
-    parameters => {
-       additionalProperties => 0,
-       properties => {
-           node => get_standard_option('pve-node'),
-       },
-    },
-    returns => {
-       type => 'array',
-       items => {
-           type => "object",
-           properties => { 
-               name => {
-                   description => "Security group name.",
-                   type => 'string',
-               },
-           },
-       },
-       links => [ { rel => 'child', href => "{name}" } ],
-    },
-    code => sub {
-       my ($param) = @_;
-
-       my $groups_conf = PVE::Firewall::load_security_groups();
+my $get_security_group_list = sub {
+    my ($cluster_conf) = @_;
 
-       my $res = [];
-       foreach my $group (keys %{$groups_conf->{rules}}) {
-           push @$res, { name => $group, count => scalar(@{$groups_conf->{rules}->{$group}}) };
+    my $res = [];
+    foreach my $group (keys %{$cluster_conf->{groups}}) {
+       my $data = { 
+           group => $group,
+       };
+       if (my $comment = $cluster_conf->{group_comments}->{$group}) {
+           $data->{comment} = $comment;
        }
+       push @$res, $data;
+    }
 
-       return $res;
-    }});
+    my ($list, $digest) = PVE::Firewall::copy_list_with_digest($res);
+
+    return wantarray ? ($list, $digest) : $list;
+};
 
 __PACKAGE__->register_method({
-    name => 'get_rules',
-    path => '{group}',
+    name => 'list_security_groups',
+    path => '',
     method => 'GET',
-    description => "List security groups rules.",
-    proxyto => 'node',
+    description => "List security groups.",
+    permissions => { user => 'all' },
     parameters => {
        additionalProperties => 0,
-       properties => {
-           node => get_standard_option('pve-node'),
-           group => {
-               description => "Security group name.",
-               type => 'string',
-           },
-       },
+       properties => {},
     },
     returns => {
        type => 'array',
        items => {
            type => "object",
-           properties => {
-               pos => {
-                   type => 'integer',
+           properties => { 
+               group => get_standard_option('pve-security-group-name'),
+               digest => get_standard_option('pve-config-digest', { optional => 0} ),
+               comment => { 
+                   type => 'string',
+                   optional => 1,
                }
            },
        },
-       links => [ { rel => 'child', href => "{pos}" } ],
+       links => [ { rel => 'child', href => "{group}" } ],
     },
     code => sub {
        my ($param) = @_;
 
-       my $groups_conf = PVE::Firewall::load_security_groups();
-
-       my $rules = $groups_conf->{rules}->{$param->{group}};
-       die "no such security group\n" if !defined($rules);
-
-       my $digest = $groups_conf->{digest};
-
-       my $res = [];
-
-       my $ind = 0;
-       foreach my $rule (@$rules) {
-           push @$res, PVE::Firewall::cleanup_fw_rule($rule, $digest, $ind++);
-       }
+       my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
 
-       return $res;
+       return &$get_security_group_list($cluster_conf);
     }});
 
 __PACKAGE__->register_method({
-    name => 'get_rule',
-    path => '{group}/{pos}',
-    method => 'GET',
-    description => "Get single rule data.",
-    proxyto => 'node',
-    parameters => {
-       additionalProperties => 0,
-       properties => {
-           node => get_standard_option('pve-node'),
-           group => {
-               description => "Security group name.",
-               type => 'string',
-           },
-           pos => {
-               description => "Return rule from position <pos>.",
-               type => 'integer',
-               minimum => 0,
-           },
-       },
-    },
-    returns => {
-       type => "object",
-       properties => {
-           pos => {
-               type => 'integer',
-           }
-       },
-    },
-    code => sub {
-       my ($param) = @_;
-
-       my $groups_conf = PVE::Firewall::load_security_groups();
-
-       my $rules = $groups_conf->{rules}->{$param->{group}};
-       die "no such security group\n" if !defined($rules);
-
-       my $digest = $groups_conf->{digest};
-       # fixme: check digest
-       
-       die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
-       
-       my $rule = $rules->[$param->{pos}];
-
-       return PVE::Firewall::cleanup_fw_rule($rule, $digest, $param->{pos});
-   }});
-
-
-__PACKAGE__->register_method({
-    name => 'create_rule',
-    path => '{group}',
+    name => 'create_security_group',
+    path => '',
     method => 'POST',
-    description => "Create new rule.",
-    proxyto => 'node',
+    description => "Create new security group.",
     protected => 1,
-    parameters => {
-       additionalProperties => 0,
-       properties => PVE::Firewall::add_rule_properties({
-           node => get_standard_option('pve-node'),
-           group => {
-               description => "Security group name.",
-               type => 'string',
-           },
-       }),
+    permissions => {
+       check => ['perm', '/', [ 'Sys.Modify' ]],
     },
-    returns => { type => "null" },
-    code => sub {
-       my ($param) = @_;
-
-       my $groups_conf = PVE::Firewall::load_security_groups();
-
-       my $rules = $groups_conf->{rules}->{$param->{group}};
-       die "no such security group\n" if !defined($rules);
-
-       my $digest = $groups_conf->{digest};
-               
-       my $rule = { type => 'out', action => 'ACCEPT', enable => 0};
-
-       PVE::Firewall::copy_rule_data($rule, $param);
-
-       unshift @$rules, $rule;
-
-       PVE::Firewall::save_security_groups($groups_conf);
-
-       return undef;
-   }});
-
-__PACKAGE__->register_method({
-    name => 'update_rule',
-    path => '{group}/{pos}',
-    method => 'PUT',
-    description => "Modify rule data.",
-    proxyto => 'node',
-    protected => 1,
     parameters => {
-       additionalProperties => 0,
-       properties => PVE::Firewall::add_rule_properties({
-           node => get_standard_option('pve-node'),
-           group => {
-               description => "Security group name.",
+       additionalProperties => 0,
+       properties => { 
+           group => get_standard_option('pve-security-group-name'),
+           comment => {
                type => 'string',
-           },
-           moveto => {
-               description => "Move rule to new position <moveto>.",
-               type => 'integer',
-               minimum => 0,
                optional => 1,
            },
-       }),
+           rename => get_standard_option('pve-security-group-name', {
+               description => "Rename/update an existing security group. You can set 'rename' to the same value as 'name' to update the 'comment' of an existing group.",
+               optional => 1,
+           }),
+           digest => get_standard_option('pve-config-digest'),
+       },
     },
-    returns => { type => "null" },
+    returns => { type => 'null' },
     code => sub {
        my ($param) = @_;
 
-       my $groups_conf = PVE::Firewall::load_security_groups();
+       my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
 
-       my $rules = $groups_conf->{rules}->{$param->{group}};
-       die "no such security group\n" if !defined($rules);
+       if ($param->{rename}) {
+           my (undef, $digest) = &$get_security_group_list($cluster_conf);
+           PVE::Tools::assert_if_modified($digest, $param->{digest});
 
-       my $digest = $groups_conf->{digest};
-       # fixme: check digest
-       
-       die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
-       
-       my $rule = $rules->[$param->{pos}];
+           raise_param_exc({ group => "Security group '$param->{rename}' does not exists" }) 
+               if !$cluster_conf->{groups}->{$param->{rename}};
 
-       PVE::Firewall::copy_rule_data($rule, $param);
- 
-       my $moveto = $param->{moveto};
-       if (defined($moveto) && $moveto != $param->{pos}) {
-           my $newrules = [];
-           for (my $i = 0; $i < scalar(@$rules); $i++) {
-               next if $i == $param->{pos};
-               if ($i == $moveto) {
-                   push @$newrules, $rule;
-               }
-               push @$newrules, $rules->[$i];
+           my $data = delete $cluster_conf->{groups}->{$param->{rename}};
+           $cluster_conf->{groups}->{$param->{group}} = $data;
+           if (my $comment = delete $cluster_conf->{group_comments}->{$param->{rename}}) {
+               $cluster_conf->{group_comments}->{$param->{group}} = $comment;
+           }
+           $cluster_conf->{group_comments}->{$param->{group}} = $param->{comment} if defined($param->{comment});
+       } else {
+           foreach my $name (keys %{$cluster_conf->{groups}}) {
+               raise_param_exc({ group => "Security group '$name' already exists" }) 
+                   if $name eq $param->{group};
            }
-           push @$newrules, $rule if $moveto >= scalar(@$rules);
-
-           $groups_conf->{rules}->{$param->{group}} = $newrules;
-       }           
-
-       PVE::Firewall::save_security_groups($groups_conf);
-
-       return undef;
-   }});
-
-__PACKAGE__->register_method({
-    name => 'delete_rule',
-    path => '{group}/{pos}',
-    method => 'DELETE',
-    description => "Delete rule.",
-    proxyto => 'node',
-    protected => 1,
-    parameters => {
-       additionalProperties => 0,
-       properties => {
-           node => get_standard_option('pve-node'),
-           group => {
-               description => "Security group name.",
-               type => 'string',
-           },
-           pos => {
-               description => "Delete rule at position <pos>.",
-               type => 'integer',
-               minimum => 0,
-           },
-       },
-    },
-    returns => { type => "null" },
-    code => sub {
-       my ($param) = @_;
-
-       my $groups_conf = PVE::Firewall::load_security_groups();
 
-       my $rules = $groups_conf->{rules}->{$param->{group}};
-       die "no such security group\n" if !defined($rules);
+           $cluster_conf->{groups}->{$param->{group}} = [];
+           $cluster_conf->{group_comments}->{$param->{group}} = $param->{comment} if defined($param->{comment});
+       }
 
-       my $digest = $groups_conf->{digest};
-       # fixme: check digest
+       PVE::Firewall::save_clusterfw_conf($cluster_conf);
        
-       die "no rule at position $param->{pos}\n" if $param->{pos} >= scalar(@$rules);
-       
-       splice(@$rules, $param->{pos}, 1);
-
-       PVE::Firewall::save_security_groups($groups_conf);
-
        return undef;
-   }});
+    }});
+
+__PACKAGE__->register_method ({
+    subclass => "PVE::API2::Firewall::GroupRules",  
+    path => '{group}',
+});
 
 1;