Firewall/IPSet: implement permission

Facor out common code into PVE/Firewall.

diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm
index 24a45ae9a1a046429d7ae59a65712b371ad26270..70acab4bdfb56f94cf277f3533a4d324d68e7752 100644 (file)
--- a/src/PVE/API2/Firewall/IPSet.pm
+++ b/src/PVE/API2/Firewall/IPSet.pm
@@ -39,6 +39,12 @@ sub save_config {
     die "implement this in subclass";
 }
 
+sub rule_env {
+    my ($class, $param) = @_;
+    
+    die "implement this in subclass";
+}
+
 sub save_ipset {
     my ($class, $param, $fw_conf, $ipset) = @_;
 
@@ -79,6 +85,7 @@ sub register_get_ipset {
        path => '',
        method => 'GET',
        description => "List IPSet content",
+       permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
@@ -126,6 +133,7 @@ sub register_delete_ipset {
        method => 'DELETE',
        description => "Delete IPSet",
        protected => 1,
+       permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
@@ -161,6 +169,7 @@ sub register_create_ip {
        method => 'POST',
        description => "Add IP or Network to IPSet.",
        protected => 1,
+       permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
@@ -207,6 +216,7 @@ sub register_read_ip {
        path => '{cidr}',
        method => 'GET',
        description => "Read IP or Network settings from IPSet.",
+       permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
        protected => 1,
        parameters => {
            additionalProperties => 0,
@@ -247,6 +257,7 @@ sub register_update_ip {
        method => 'PUT',
        description => "Update IP or Network settings",
        protected => 1,
+       permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
@@ -288,6 +299,7 @@ sub register_delete_ip {
        method => 'DELETE',
        description => "Remove IP or Network from IPSet.",
        protected => 1,
+       permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
@@ -331,6 +343,12 @@ use warnings;
 
 use base qw(PVE::API2::Firewall::IPSetBase);
 
+sub rule_env {
+    my ($class, $param) = @_;
+    
+    return 'cluster';
+}
+
 sub load_config {
     my ($class, $param) = @_;
 
@@ -357,6 +375,12 @@ use PVE::JSONSchema qw(get_standard_option);
 
 use base qw(PVE::API2::Firewall::IPSetBase);
 
+sub rule_env {
+    my ($class, $param) = @_;
+    
+    return 'vm';
+}
+
 __PACKAGE__->additional_parameters({ 
     node => get_standard_option('pve-node'),
     vmid => get_standard_option('pve-vmid'),                              
@@ -389,6 +413,12 @@ use PVE::JSONSchema qw(get_standard_option);
 
 use base qw(PVE::API2::Firewall::IPSetBase);
 
+sub rule_env {
+    my ($class, $param) = @_;
+    
+    return 'ct';
+}
+
 __PACKAGE__->additional_parameters({ 
     node => get_standard_option('pve-node'),
     vmid => get_standard_option('pve-vmid'),                              
@@ -437,6 +467,12 @@ sub save_config {
     die "implement this in subclass";
 }
 
+sub rule_env {
+    my ($class, $param) = @_;
+    
+    die "implement this in subclass";
+}
+
 my $additional_param_hash_list = {};
 
 sub additional_parameters {
@@ -482,6 +518,7 @@ sub register_index {
        path => '',
        method => 'GET',
        description => "List IPSets",
+       permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
@@ -531,6 +568,7 @@ sub register_create {
        method => 'POST',
        description => "Create new IPSet",
        protected => 1,
+       permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
@@ -585,6 +623,12 @@ use PVE::Firewall;
 
 use base qw(PVE::API2::Firewall::BaseIPSetList);
 
+sub rule_env {
+    my ($class, $param) = @_;
+    
+    return 'cluster';
+}
+
 sub load_config {
     my ($class, $param) = @_;
  
@@ -621,6 +665,12 @@ __PACKAGE__->additional_parameters({
     vmid => get_standard_option('pve-vmid'),                              
 });
 
+sub rule_env {
+    my ($class, $param) = @_;
+    
+    return 'vm';
+}
+
 sub load_config {
     my ($class, $param) = @_;
  
@@ -658,6 +708,12 @@ __PACKAGE__->additional_parameters({
     vmid => get_standard_option('pve-vmid'),                              
 });
 
+sub rule_env {
+    my ($class, $param) = @_;
+    
+    return 'ct';
+}
+
 sub load_config {
     my ($class, $param) = @_;
  

diff --git a/src/PVE/API2/Firewall/Rules.pm b/src/PVE/API2/Firewall/Rules.pm
index ec93dec2b1ba71e0a4afeba65e20e13e20c6890d..400cd7cdd15d30b6af3c6b03cc82a361fb18f636 100644 (file)
--- a/src/PVE/API2/Firewall/Rules.pm
+++ b/src/PVE/API2/Firewall/Rules.pm
@@ -53,46 +53,6 @@ sub additional_parameters {
     return $copy;
 }
 
-my $rules_modify_permissions = sub {
-    my ($rule_env) = @_;
-
-    if ($rule_env eq 'host') {
-       return {
-           check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
-       };
-    } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
-       return {
-           check => ['perm', '/', [ 'Sys.Modify' ]],
-       };
-    } elsif ($rule_env eq 'vm' ||   $rule_env eq 'ct') {
-       return {
-           check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
-       }
-    }
-
-    return undef;
-};
-
-my $rules_audit_permissions = sub {
-    my ($rule_env) = @_;
-
-    if ($rule_env eq 'host') {
-       return {
-           check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
-       };
-    } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
-       return {
-           check => ['perm', '/', [ 'Sys.Audit' ]],
-       };
-    } elsif ($rule_env eq 'vm' ||   $rule_env eq 'ct') {
-       return {
-           check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
-       }
-    }
-
-    return undef;
-};
-
 sub register_get_rules {
     my ($class) = @_;
 
@@ -105,7 +65,7 @@ sub register_get_rules {
        path => '',
        method => 'GET',
        description => "List rules.",
-       permissions => &$rules_audit_permissions($rule_env),
+       permissions => PVE::Firewall::rules_audit_permissions($rule_env),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
@@ -153,7 +113,7 @@ sub register_get_rule {
        path => '{pos}',
        method => 'GET',
        description => "Get single rule data.",
-       permissions => &$rules_audit_permissions($rule_env),
+       permissions => PVE::Firewall::rules_audit_permissions($rule_env),
        parameters => {
            additionalProperties => 0,
            properties => $properties,
@@ -200,7 +160,7 @@ sub register_create_rule {
        method => 'POST',
        description => "Create new rule.",
        protected => 1,
-       permissions => &$rules_modify_permissions($rule_env),
+       permissions => PVE::Firewall::rules_modify_permissions($rule_env),
        parameters => {
            additionalProperties => 0,
            properties => $create_rule_properties,
@@ -257,7 +217,7 @@ sub register_update_rule {
        method => 'PUT',
        description => "Modify rule data.",
        protected => 1,
-       permissions => &$rules_modify_permissions($rule_env),
+       permissions => PVE::Firewall::rules_modify_permissions($rule_env),
        parameters => {
            additionalProperties => 0,
            properties => $update_rule_properties,
@@ -319,7 +279,7 @@ sub register_delete_rule {
        method => 'DELETE',
        description => "Delete rule.",
        protected => 1,
-       permissions => &$rules_modify_permissions($rule_env),
+       permissions => PVE::Firewall::rules_modify_permissions($rule_env),
        parameters => {
            additionalProperties => 0,
            properties => $properties,

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 27cf1e6e4b84dc4b05ddbd594295801c347574dc..727204a733afd20fe7780456495ecbfd0f388a60 100644 (file)
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1211,6 +1211,46 @@ sub copy_rule_data {
     return $rule;
 }
 
+sub rules_modify_permissions {
+    my ($rule_env) = @_;
+
+    if ($rule_env eq 'host') {
+       return {
+           check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+       };
+    } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+       return {
+           check => ['perm', '/', [ 'Sys.Modify' ]],
+       };
+    } elsif ($rule_env eq 'vm' ||   $rule_env eq 'ct') {
+       return {
+           check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
+       }
+    }
+
+    return undef;
+}
+
+sub rules_audit_permissions {
+    my ($rule_env) = @_;
+
+    if ($rule_env eq 'host') {
+       return {
+           check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
+       };
+    } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+       return {
+           check => ['perm', '/', [ 'Sys.Audit' ]],
+       };
+    } elsif ($rule_env eq 'vm' ||   $rule_env eq 'ct') {
+       return {
+           check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
+       }
+    }
+
+    return undef;
+}
+
 # core functions
 my $bridge_firewall_enabled = 0;