From: Dietmar Maurer
Date: Mon, 21 Jul 2014 08:24:09 +0000 (+0200)
Subject: Firewall/Rules: add permissions
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=7f733a5a9fb2a46d55905688aa4b1c80dd724bf3
Firewall/Rules: add permissions
---
diff --git a/src/PVE/API2/Firewall/Rules.pm b/src/PVE/API2/Firewall/Rules.pm
index 83190b4..ec93dec 100644
--- a/src/PVE/API2/Firewall/Rules.pm
+++ b/src/PVE/API2/Firewall/Rules.pm
@@ -53,21 +53,64 @@ sub additional_parameters {
     return $copy;
 }
+my $rules_modify_permissions = sub {
+    my ($rule_env) = @_;
+    if ($rule_env eq 'host') {
+	return {
+	    check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+	};
+    } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+	return {
+	    check => ['perm', '/', [ 'Sys.Modify' ]],
+	};
+    } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
+	return {
+	    check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
+	}
+    }
+    return undef;
+};
+my $rules_audit_permissions = sub {
+    my ($rule_env) = @_;
+    if ($rule_env eq 'host') {
+	return {
+	    check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
+	};
+    } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+	return {
+	    check => ['perm', '/', [ 'Sys.Audit' ]],
+	};
+    } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
+	return {
+	    check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
+	}
+    }
+    return undef;
+};
 sub register_get_rules {
     my ($class) = @_;
     my $properties = $class->additional_parameters();
+    my $rule_env = $class->rule_env();
     $class->register_method({
 	name => 'get_rules',
 	path => '',
 	method => 'GET',
 	description => "List rules.",
+	permissions => &$rules_audit_permissions($rule_env),
 	parameters => {
 	    additionalProperties => 0,
 	    properties => $properties,
 	},
-	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
+	proxyto => $rule_env eq 'host' ? 'node' : undef,
 	returns => {
 	    type => 'array',
 	    items => {
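Review bot: Both new closures silently `return undef` for a `rule_env` they do not recognise, so a Rules subclass with an unexpected environment name would register its GET/POST/PUT/DELETE methods with an undefined `permissions` entry instead of failing; whether the REST layer treats an undefined permission set as root-only or as open is not visible here, so a registration-time `die "unknown firewall rule environment '$rule_env'\n";` in place of `return undef;` is the safer contract and surfaces the mistake at load time rather than at request time. The two closures are otherwise identical except for the privilege names, which invites the host/cluster/group/guest path mapping to drift between them the next time an environment is added; one dispatcher parameterised on the system and guest privilege keeps that security-relevant mapping in a single place. The call sites would also read more conventionally as `$rules_audit_permissions->($rule_env)` instead of the `&$coderef(...)` form. The `register_get_rules` body continues past the end of this hunk.
```perl
# One dispatcher for both privilege levels: $sys_priv is checked on the
# host/cluster/group ACL paths, $vm_priv on the guest path. An environment
# this module does not know about is a programming error, not a reason to
# register a method without permissions.
my $rules_permissions = sub {
    my ($rule_env, $sys_priv, $vm_priv) = @_;

    if ($rule_env eq 'host') {
	return { check => ['perm', '/nodes/{node}', [ $sys_priv ]] };
    } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
	return { check => ['perm', '/', [ $sys_priv ]] };
    } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
	return { check => ['perm', '/vms/{vmid}', [ $vm_priv ]] };
    }

    die "unknown firewall rule environment '$rule_env'\n";
};

my $rules_modify_permissions = sub {
    my ($rule_env) = @_;
    return $rules_permissions->($rule_env, 'Sys.Modify', 'VM.Config.Network');
};

my $rules_audit_permissions = sub {
    my ($rule_env) = @_;
    return $rules_permissions->($rule_env, 'Sys.Audit', 'VM.Audit');
};
# … unchanged: register_get_rules …
```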
@@ -103,16 +146,19 @@ sub register_get_rule {
     $properties->{pos} = $api_properties->{pos};
+    my $rule_env = $class->rule_env();
     $class->register_method({
 	name => 'get_rule',
 	path => '{pos}',
 	method => 'GET',
 	description => "Get single rule data.",
+	permissions => &$rules_audit_permissions($rule_env),
 	parameters => {
 	    additionalProperties => 0,
 	    properties => $properties,
 	},
-	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
+	proxyto => $rule_env eq 'host' ? 'node' : undef,
 	returns => {
 	    type => "object",
 	    properties => {
@@ -146,17 +192,20 @@ sub register_create_rule {
     $create_rule_properties->{action}->{optional} = 0;
     $create_rule_properties->{type}->{optional} = 0;
+    my $rule_env = $class->rule_env();
     $class->register_method({
 	name => 'create_rule',
 	path => '',
 	method => 'POST',
 	description => "Create new rule.",
 	protected => 1,
+	permissions => &$rules_modify_permissions($rule_env),
 	parameters => {
 	    additionalProperties => 0,
 	    properties => $create_rule_properties,
 	},
-	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
+	proxyto => $rule_env eq 'host' ? 'node' : undef,
 	returns => { type => "null" },
 	code => sub {
 	    my ($param) = @_;
@@ -185,6 +234,8 @@ sub register_update_rule {
     $properties->{pos} = $api_properties->{pos};
+    my $rule_env = $class->rule_env();
     $properties->{moveto} = {
 	description => "Move rule to new position . Other arguments are ignored.",
 	type => 'integer',
@@ -206,11 +257,12 @@ sub register_update_rule {
 	method => 'PUT',
 	description => "Modify rule data.",
 	protected => 1,
+	permissions => &$rules_modify_permissions($rule_env),
 	parameters => {
 	    additionalProperties => 0,
 	    properties => $update_rule_properties,
 	},
-	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
+	proxyto => $rule_env eq 'host' ? 'node' : undef,
 	returns => { type => "null" },
 	code => sub {
 	    my ($param) = @_;
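Review bot: The `permissions` entry added to `create_rule` depends on the `{node}` and `{vmid}` placeholders in the ACL path being resolvable from the request, and nothing in the method itself declares those parameters; they presumably arrive through the `additional_parameters()` hash each subclass supplies, so a guest-scoped subclass that forgets to expose `vmid` would register a write endpoint whose ACL path cannot be resolved. A one-line comment above the `permissions =>` line, `# ACL path placeholders are filled from the node/vmid request parameters declared by additional_parameters()`, records that coupling where the next maintainer will see it, and the same applies to the `update_rule` and `get_rule` hunks on this line. The `create_rule` handler body continues past the end of the hunk.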
@@ -259,17 +311,20 @@ sub register_delete_rule {
     $properties->{digest} = get_standard_option('pve-config-digest');
+    my $rule_env = $class->rule_env();
     $class->register_method({
 	name => 'delete_rule',
 	path => '{pos}',
 	method => 'DELETE',
 	description => "Delete rule.",
 	protected => 1,
+	permissions => &$rules_modify_permissions($rule_env),
 	parameters => {
 	    additionalProperties => 0,
 	    properties => $properties,
 	},
-	proxyto => $class->rule_env() eq 'host' ? 'node' : undef,
+	proxyto => $rule_env eq 'host' ? 'node' : undef,
 	returns => { type => "null" },
 	code => sub {
 	    my ($param) = @_;