From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by lists.proxmox.com (Postfix) with ESMTPS id A08ED91DA6 for ; Mon, 20 Mar 2023 11:36:33 +0100 (CET) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id 827BB28F4 for ; Mon, 20 Mar 2023 11:36:03 +0100 (CET) Received: from proxmox-new.maurer-it.com (proxmox-new.maurer-it.com [94.136.29.106]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by firstgate.proxmox.com (Proxmox) with ESMTPS for ; Mon, 20 Mar 2023 11:36:02 +0100 (CET) Received: from proxmox-new.maurer-it.com (localhost.localdomain [127.0.0.1]) by proxmox-new.maurer-it.com (Proxmox) with ESMTP id 2EA3E45A3D for ; Mon, 20 Mar 2023 11:36:02 +0100 (CET) From: Christoph Heiss To: pmg-devel@lists.proxmox.com Date: Mon, 20 Mar 2023 11:35:46 +0100 Message-Id: <20230320103548.382757-3-c.heiss@proxmox.com> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230320103548.382757-1-c.heiss@proxmox.com> References: <20230320103548.382757-1-c.heiss@proxmox.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-SPAM-LEVEL: Spam detection results: 0 AWL -0.069 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: [pmg-devel] [PATCH v2 pmg-api 2/4] fix #2437: api: Add endpoint for managing tls_inbound_domains entries X-BeenThere: pmg-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Mail Gateway development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Mar 2023 10:36:33 -0000 Add a new API endpoint `/config/tlsinbounddomains` for managing entries of the `tls_inbound_domains` postfix map. Modelled after the `DestinationTLSPolicy` implementation. Signed-off-by: Christoph Heiss --- Changes v1 -> v2: * New patch; split out from patch #1 src/Makefile | 1 + src/PMG/API2/Config.pm | 7 ++ src/PMG/API2/InboundTLSDomains.pm | 127 ++++++++++++++++++++++++++++++ 3 files changed, 135 insertions(+) create mode 100644 src/PMG/API2/InboundTLSDomains.pm diff --git a/src/Makefile b/src/Makefile index 0b424e9..32eac57 100644 --- a/src/Makefile +++ b/src/Makefile @@ -132,6 +132,7 @@ LIBSOURCES = \ PMG/API2/DKIMSignDomains.pm \ PMG/API2/DKIMSign.pm \ PMG/API2/Fetchmail.pm \ + PMG/API2/InboundTLSDomains.pm \ PMG/API2/Users.pm \ PMG/API2/Transport.pm \ PMG/API2/MyNetworks.pm \ diff --git a/src/PMG/API2/Config.pm b/src/PMG/API2/Config.pm index 37da096..c71432a 100644 --- a/src/PMG/API2/Config.pm +++ b/src/PMG/API2/Config.pm @@ -23,6 +23,7 @@ use PMG::API2::SMTPWhitelist; use PMG::API2::MimeTypes; use PMG::API2::Fetchmail; use PMG::API2::DestinationTLSPolicy; +use PMG::API2::InboundTLSDomains; use PMG::API2::DKIMSign; use PMG::API2::SACustom; use PMG::API2::PBS::Remote; @@ -86,6 +87,11 @@ __PACKAGE__->register_method ({ path => 'tlspolicy', }); +__PACKAGE__->register_method ({ + subclass => "PMG::API2::InboundTLSDomains", + path => 'tlsinbounddomains', +}); + __PACKAGE__->register_method({ subclass => "PMG::API2::DKIMSign", path => 'dkim', @@ -146,6 +152,7 @@ __PACKAGE__->register_method ({ push @$res, { section => 'ruledb' }; push @$res, { section => 'tfa' }; push @$res, { section => 'tlspolicy' }; + push @$res, { section => 'tlsinbounddomains' }; push @$res, { section => 'transport' }; push @$res, { section => 'users' }; push @$res, { section => 'whitelist' }; diff --git a/src/PMG/API2/InboundTLSDomains.pm b/src/PMG/API2/InboundTLSDomains.pm new file mode 100644 index 0000000..38bebca --- /dev/null +++ b/src/PMG/API2/InboundTLSDomains.pm @@ -0,0 +1,127 @@ +package PMG::API2::InboundTLSDomains; + +use strict; +use warnings; + +use PVE::RESTHandler; +use PVE::INotify; +use PVE::Exception qw(raise_param_exc); + +use PMG::Config; + +use base qw(PVE::RESTHandler); + +__PACKAGE__->register_method ({ + name => 'index', + path => '', + method => 'GET', + description => 'List tls_inbound_domains entries.', + proxyto => 'master', + permissions => { check => [ 'admin', 'audit' ] }, + parameters => { + additionalProperties => 0, + properties => {}, + }, + returns => { + type => 'array', + items => { + type => 'string', + format => 'transport-domain', + }, + description => 'List of domains for which TLS will be enforced on incoming connections', + links => [ { rel => 'child', href => '{domain}' } ], + }, + code => sub { + my ($param) = @_; + + my $res = []; + + my $domains = PVE::INotify::read_file('tls_inbound_domains'); + + foreach my $domain (sort keys %$domains) { + push @$res, { domain => $domain }; + } + + return $res; + }}); + +__PACKAGE__->register_method ({ + name => 'create', + path => '', + method => 'POST', + proxyto => 'master', + protected => 1, + permissions => { check => [ 'admin' ] }, + description => 'Add new tls_inbound_domains entry.', + parameters => { + additionalProperties => 0, + properties => { + domain => { + type => 'string', + format => 'transport-domain', + description => 'Domain for which TLS should be enforced on incoming connections', + }, + }, + }, + returns => { type => 'null' }, + code => sub { + my ($param) = @_; + my $domain = $param->{domain}; + + my $code = sub { + my $domains = PVE::INotify::read_file('tls_inbound_domains'); + raise_param_exc({ domain => "InboundTLSDomains entry for '$domain' already exists" }) + if $domains->{$domain}; + + $domains->{$domain} = 1; + + PVE::INotify::write_file('tls_inbound_domains', $domains); + PMG::Config::postmap_tls_inbound_domains(); + }; + + PMG::Config::lock_config($code, 'adding tls_inbound_domains entry failed'); + + return undef; + }}); + +__PACKAGE__->register_method ({ + name => 'delete', + path => '{domain}', + method => 'DELETE', + description => 'Delete a tls_inbound_domains entry', + protected => 1, + permissions => { check => [ 'admin' ] }, + proxyto => 'master', + parameters => { + additionalProperties => 0, + properties => { + domain => { + type => 'string', + format => 'transport-domain', + description => 'Domain which should be removed from tls_inbound_domains', + }, + } + }, + returns => { type => 'null' }, + code => sub { + my ($param) = @_; + my $domain = $param->{domain}; + + my $code = sub { + my $domains = PVE::INotify::read_file('tls_inbound_domains'); + + raise_param_exc({ domain => "tls_inbound_domains entry for '$domain' does not exist" }) + if !$domains->{$domain}; + + delete $domains->{$domain}; + + PVE::INotify::write_file('tls_inbound_domains', $domains); + PMG::Config::postmap_tls_inbound_domains(); + }; + + PMG::Config::lock_config($code, 'deleting tls_inbound_domains entry failed'); + + return undef; + }}); + +1; -- 2.39.2