From: Dietmar Maurer Date: Mon, 21 Jul 2014 08:48:00 +0000 (+0200) Subject: Firewall/IPSet: implement permission X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=9f6845cfa97dbe5e264c9d4e188a245ba3d7edf5 Firewall/IPSet: implement permission Facor out common code into PVE/Firewall. --- diff --git a/src/PVE/API2/Firewall/IPSet.pm b/src/PVE/API2/Firewall/IPSet.pm index 24a45ae..70acab4 100644 --- a/src/PVE/API2/Firewall/IPSet.pm +++ b/src/PVE/API2/Firewall/IPSet.pm @@ -39,6 +39,12 @@ sub save_config { die "implement this in subclass"; } +sub rule_env { + my ($class, $param) = @_; + + die "implement this in subclass"; +} + sub save_ipset { my ($class, $param, $fw_conf, $ipset) = @_; @@ -79,6 +85,7 @@ sub register_get_ipset { path => '', method => 'GET', description => "List IPSet content", + permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), parameters => { additionalProperties => 0, properties => $properties, @@ -126,6 +133,7 @@ sub register_delete_ipset { method => 'DELETE', description => "Delete IPSet", protected => 1, + permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), parameters => { additionalProperties => 0, properties => $properties, @@ -161,6 +169,7 @@ sub register_create_ip { method => 'POST', description => "Add IP or Network to IPSet.", protected => 1, + permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), parameters => { additionalProperties => 0, properties => $properties, @@ -207,6 +216,7 @@ sub register_read_ip { path => '{cidr}', method => 'GET', description => "Read IP or Network settings from IPSet.", + permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), protected => 1, parameters => { additionalProperties => 0, 
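Review bot: In the `register_read_ip` hunk (`@@ -207,6 +216,7 @@`) the new `permissions` entry is placed before `protected => 1`, while every other hunk in this file inserts it after `protected`; for a uniform, grep-able method definition move it below `protected => 1,` as done in `register_update_ip`. The new `rule_env` hook declares `my ($class, $param) = @_;` but is called everywhere as `$class->rule_env()` with no arguments and no visible implementation reads `$param`, so either drop the parameter or say in a comment why it is reserved. Because the base-class stub dies with "implement this in subclass" and `rule_env` is presumably evaluated while the `register_*` methods build their definitions, a subclass that forgets to override it should fail at load time rather than per request, which is the desirable outcome and worth recording on the stub: `# evaluated when the API method is registered - a missing override is a load-time error`.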
@@ -247,6 +257,7 @@ sub register_update_ip { method => 'PUT', description => "Update IP or Network settings", protected => 1, + permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), parameters => { additionalProperties => 0, properties => $properties, @@ -288,6 +299,7 @@ sub register_delete_ip { method => 'DELETE', description => "Remove IP or Network from IPSet.", protected => 1, + permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), parameters => { additionalProperties => 0, properties => $properties, @@ -331,6 +343,12 @@ use warnings; use base qw(PVE::API2::Firewall::IPSetBase); +sub rule_env { + my ($class, $param) = @_; + + return 'cluster'; +} + sub load_config { my ($class, $param) = @_; @@ -357,6 +375,12 @@ use PVE::JSONSchema qw(get_standard_option); use base qw(PVE::API2::Firewall::IPSetBase); +sub rule_env { + my ($class, $param) = @_; + + return 'vm'; +} + __PACKAGE__->additional_parameters({ node => get_standard_option('pve-node'), vmid => get_standard_option('pve-vmid'), @@ -389,6 +413,12 @@ use PVE::JSONSchema qw(get_standard_option); use base qw(PVE::API2::Firewall::IPSetBase); +sub rule_env { + my ($class, $param) = @_; + + return 'ct'; +} + __PACKAGE__->additional_parameters({ node => get_standard_option('pve-node'), vmid => get_standard_option('pve-vmid'), @@ -437,6 +467,12 @@ sub save_config { die "implement this in subclass"; } +sub rule_env { + my ($class, $param) = @_; + + die "implement this in subclass"; +} + my $additional_param_hash_list = {}; sub additional_parameters { @@ -482,6 +518,7 @@ sub register_index { path => '', method => 'GET', description => "List IPSets", + permissions => PVE::Firewall::rules_audit_permissions($class->rule_env()), parameters => { additionalProperties => 0, properties => $properties, 
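Review bot: The `rule_env` hook introduced in the `@@ -437,6 +467,12 @@` hunk of BaseIPSetList (and its twin in IPSetBase) carries no documentation of the contract its return value must satisfy, yet it now selects the ACL path and privilege for every permission check on these endpoints. Add a comment above the stub such as `# Return the permission scope of this IPSet tree ('cluster', 'vm' or 'ct'); the value is passed to PVE::Firewall::rules_*_permissions, which only recognises these strings plus 'host' and 'group'` so that a new subclass author does not return an unrecognised string. The subclass implementations in this line return fixed strings and ignore `$param`, which is consistent with the argument-less `$class->rule_env()` calls at the registration sites.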
@@ -531,6 +568,7 @@ sub register_create { method => 'POST', description => "Create new IPSet", protected => 1, + permissions => PVE::Firewall::rules_modify_permissions($class->rule_env()), parameters => { additionalProperties => 0, properties => $properties, @@ -585,6 +623,12 @@ use PVE::Firewall; use base qw(PVE::API2::Firewall::BaseIPSetList); +sub rule_env { + my ($class, $param) = @_; + + return 'cluster'; +} + sub load_config { my ($class, $param) = @_; @@ -621,6 +665,12 @@ __PACKAGE__->additional_parameters({ vmid => get_standard_option('pve-vmid'), }); +sub rule_env { + my ($class, $param) = @_; + + return 'vm'; +} + sub load_config { my ($class, $param) = @_; @@ -658,6 +708,12 @@ __PACKAGE__->additional_parameters({ vmid => get_standard_option('pve-vmid'), }); +sub rule_env { + my ($class, $param) = @_; + + return 'ct'; +} + sub load_config { my ($class, $param) = @_; diff --git a/src/PVE/API2/Firewall/Rules.pm b/src/PVE/API2/Firewall/Rules.pm index ec93dec..400cd7c 100644 --- a/src/PVE/API2/Firewall/Rules.pm +++ b/src/PVE/API2/Firewall/Rules.pm 
@@ -53,46 +53,6 @@ sub additional_parameters { return $copy; } -my $rules_modify_permissions = sub { - my ($rule_env) = @_; - - if ($rule_env eq 'host') { - return { - check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]], - }; - } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') { - return { - check => ['perm', '/', [ 'Sys.Modify' ]], - }; - } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') { - return { - check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]], - } - } - - return undef; -}; - -my $rules_audit_permissions = sub { - my ($rule_env) = @_; - - if ($rule_env eq 'host') { - return { - check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]], - }; - } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') { - return { - check => ['perm', '/', [ 'Sys.Audit' ]], - }; - } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') { - return { - check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]], - } - } - - return undef; -}; - sub register_get_rules { my ($class) = @_; @@ -105,7 +65,7 @@ sub register_get_rules { path => '', method => 'GET', description => "List rules.", - permissions => &$rules_audit_permissions($rule_env), + permissions => PVE::Firewall::rules_audit_permissions($rule_env), parameters => { additionalProperties => 0, properties => $properties, @@ -153,7 +113,7 @@ sub register_get_rule { path => '{pos}', method => 'GET', description => "Get single rule data.", - permissions => &$rules_audit_permissions($rule_env), + permissions => PVE::Firewall::rules_audit_permissions($rule_env), parameters => { additionalProperties => 0, properties => $properties, @@ -200,7 +160,7 @@ sub register_create_rule { method => 'POST', description => "Create new rule.", protected => 1, - permissions => &$rules_modify_permissions($rule_env), + permissions => PVE::Firewall::rules_modify_permissions($rule_env), parameters => { additionalProperties => 0, properties => $create_rule_properties, 
@@ -257,7 +217,7 @@ sub register_update_rule {
 method => 'PUT',
 description => "Modify rule data.",
 protected => 1,
- permissions => &$rules_modify_permissions($rule_env),
+ permissions => PVE::Firewall::rules_modify_permissions($rule_env),
 parameters => {
 additionalProperties => 0,
 properties => $update_rule_properties,
@@ -319,7 +279,7 @@ sub register_delete_rule {
 method => 'DELETE',
 description => "Delete rule.",
 protected => 1,
- permissions => &$rules_modify_permissions($rule_env),
+ permissions => PVE::Firewall::rules_modify_permissions($rule_env),
 parameters => {
 additionalProperties => 0,
 properties => $properties,
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 27cf1e6..727204a 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1211,6 +1211,46 @@ sub copy_rule_data {
 return $rule;
 }
 
+sub rules_modify_permissions {
+ my ($rule_env) = @_;
+
+ if ($rule_env eq 'host') {
+ return {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Modify' ]],
+ };
+ } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+ return {
+ check => ['perm', '/', [ 'Sys.Modify' ]],
+ };
+ } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
+ return {
+ check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
+ }
+ }
+
+ return undef;
+}
+
+sub rules_audit_permissions {
+ my ($rule_env) = @_;
+
+ if ($rule_env eq 'host') {
+ return {
+ check => ['perm', '/nodes/{node}', [ 'Sys.Audit' ]],
+ };
+ } elsif ($rule_env eq 'cluster' || $rule_env eq 'group') {
+ return {
+ check => ['perm', '/', [ 'Sys.Audit' ]],
+ };
+ } elsif ($rule_env eq 'vm' || $rule_env eq 'ct') {
+ return {
+ check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
+ }
+ }
+
+ return undef;
+}
+
 # core functions
 
 my $bridge_firewall_enabled = 0;
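Review bot: Both new helpers in `PVE::Firewall` end with `return undef;` for a `$rule_env` that matches none of the `if`/`elsif` branches, so a mis-spelled environment string at a registration site would register the API method with an undefined `permissions` entry instead of failing. How the REST layer treats an undefined `permissions` value is not visible here; whichever way it errs, an unknown scope is a programming error that is cheaper to catch at module load, so replace the fallback in both subs with `die "unknown rule_env '$rule_env'\n";`. Note that a bare `return;` would be the wrong fix: the result is interpolated into a hash constructor (`permissions => PVE::Firewall::rules_modify_permissions($rule_env),` in the Rules.pm hunks above), where an empty list would shift the remaining keys. The `'group'` scope is mapped to cluster-wide `Sys.Modify`/`Sys.Audit` on `/`, which deserves a one-line comment since nothing else in this hunk explains it: `# 'group' (presumably security-group rules) is cluster-wide, hence the '/' ACL path`.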