public inbox for pve-devel@lists.proxmox.com
 help / color / mirror / Atom feed
From: Stefan Hanreich <s.hanreich@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH pve-firewall v2 11/17] api: add vnet endpoints
Date: Thu, 10 Oct 2024 17:56:44 +0200	[thread overview]
Message-ID: <20241010155650.255698-12-s.hanreich@proxmox.com> (raw)
In-Reply-To: <20241010155650.255698-1-s.hanreich@proxmox.com>

Signed-off-by: Stefan Hanreich <s.hanreich@proxmox.com>
---
 src/PVE/API2/Firewall/Makefile |   1 +
 src/PVE/API2/Firewall/Rules.pm |  84 +++++++++++++++++
 src/PVE/API2/Firewall/Vnet.pm  | 168 +++++++++++++++++++++++++++++++++
 src/PVE/Firewall.pm            |  10 ++
 4 files changed, 263 insertions(+)
 create mode 100644 src/PVE/API2/Firewall/Vnet.pm

diff --git a/src/PVE/API2/Firewall/Makefile b/src/PVE/API2/Firewall/Makefile
index e916755..325c4d3 100644
--- a/src/PVE/API2/Firewall/Makefile
+++ b/src/PVE/API2/Firewall/Makefile
@@ -9,6 +9,7 @@ LIB_SOURCES=			\
 	Cluster.pm		\
 	Host.pm			\
 	VM.pm			\
+	Vnet.pm			\
 	Groups.pm
 
 all:
diff --git a/src/PVE/API2/Firewall/Rules.pm b/src/PVE/API2/Firewall/Rules.pm
index f5cb002..e57b3de 100644
--- a/src/PVE/API2/Firewall/Rules.pm
+++ b/src/PVE/API2/Firewall/Rules.pm
@@ -18,6 +18,25 @@ my $api_properties = {
     },
 };
 
+=head3 check_privileges_for_method($class, $method_name, $param)
+
+If the permission checks from the register_method() call are not sufficient,
+this function can be overriden for performing additional permission checks
+before API methods are executed. If the permission check fails, this function
+should die with an appropriate error message. The name of the method calling
+this function is provided by C<$method_name> and the parameters of the API
+method are provided by C<$param>
+
+Default implementation is a no-op to preserve backwards compatibility with
+existing subclasses, since this got added later on. It preserves existing
+behavior without having to change every subclass.
+
+=cut
+
+sub check_privileges_for_method {
+    my ($class, $method_name, $param) = @_;
+}
+
 sub lock_config {
     my ($class, $param, $code) = @_;
 
@@ -94,6 +113,8 @@ sub register_get_rules {
 	code => sub {
 	    my ($param) = @_;
 
+	    $class->check_privileges_for_method('get_rules', $param);
+
 	    my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
 
 	    my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
@@ -192,6 +213,8 @@ sub register_get_rule {
 	code => sub {
 	    my ($param) = @_;
 
+	    $class->check_privileges_for_method('get_rule', $param);
+
 	    my ($cluster_conf, $fw_conf, $rules) = $class->load_config($param);
 
 	    my ($list, $digest) = PVE::Firewall::copy_list_with_digest($rules);
@@ -232,6 +255,8 @@ sub register_create_rule {
 	code => sub {
 	    my ($param) = @_;
 
+	    $class->check_privileges_for_method('create_rule', $param);
+
 	    $class->lock_config($param, sub {
 		my ($param) = @_;
 
@@ -293,6 +318,8 @@ sub register_update_rule {
 	code => sub {
 	    my ($param) = @_;
 
+	    $class->check_privileges_for_method('update_rule', $param);
+
 	    $class->lock_config($param, sub {
 		my ($param) = @_;
 
@@ -359,6 +386,8 @@ sub register_delete_rule {
 	code => sub {
 	    my ($param) = @_;
 
+	    $class->check_privileges_for_method('delete_rule', $param);
+
 	    $class->lock_config($param, sub {
 		my ($param) = @_;
 
@@ -634,4 +663,59 @@ sub save_rules {
 
 __PACKAGE__->register_handlers();
 
+package PVE::API2::Firewall::VnetRules;
+
+use strict;
+use warnings;
+use PVE::JSONSchema qw(get_standard_option);
+
+use base qw(PVE::API2::Firewall::RulesBase);
+
+__PACKAGE__->additional_parameters({
+    vnet => get_standard_option('pve-sdn-vnet-id'),
+});
+
+sub check_privileges_for_method {
+    my ($class, $method_name, $param) = @_;
+
+    if ($method_name eq 'get_rule' || $method_name eq 'get_rules') {
+	PVE::API2::Firewall::Vnet::check_vnet_access($param->{vnet}, ['SDN.Audit', 'SDN.Allocate']);
+    } elsif ($method_name =~ '(update|create|delete)_rule') {
+	PVE::API2::Firewall::Vnet::check_vnet_access($param->{vnet}, ['SDN.Allocate']);
+    } else {
+	die "unknown method: $method_name";
+    }
+}
+
+sub rule_env {
+    my ($class, $param) = @_;
+
+    return 'vnet';
+}
+
+sub lock_config {
+    my ($class, $param, $code) = @_;
+
+    PVE::Firewall::lock_vnetfw_conf($param->{vnet}, 10, $code, $param);
+}
+
+sub load_config {
+    my ($class, $param) = @_;
+
+    my $cluster_conf = PVE::Firewall::load_clusterfw_conf(undef, { load_sdn_config => 1 });
+    my $fw_conf = PVE::Firewall::load_vnetfw_conf($cluster_conf, 'vnet', $param->{vnet});
+    my $rules = $fw_conf->{rules};
+
+    return ($cluster_conf, $fw_conf, $rules);
+}
+
+sub save_rules {
+    my ($class, $param, $fw_conf, $rules) = @_;
+
+    $fw_conf->{rules} = $rules;
+    PVE::Firewall::save_vnetfw_conf($param->{vnet}, $fw_conf);
+}
+
+__PACKAGE__->register_handlers();
+
 1;
diff --git a/src/PVE/API2/Firewall/Vnet.pm b/src/PVE/API2/Firewall/Vnet.pm
new file mode 100644
index 0000000..cb49b67
--- /dev/null
+++ b/src/PVE/API2/Firewall/Vnet.pm
@@ -0,0 +1,168 @@
+package PVE::API2::Firewall::Vnet;
+
+use strict;
+use warnings;
+
+use Storable qw(dclone);
+
+use PVE::Exception qw(raise_param_exc);
+use PVE::JSONSchema qw(get_standard_option);
+use PVE::RPCEnvironment;
+
+use PVE::Firewall;
+use PVE::API2::Firewall::Rules;
+
+
+use base qw(PVE::RESTHandler);
+
+sub check_vnet_access {
+    my ($vnetid, $privileges) = @_;
+
+    my $vnet = PVE::Network::SDN::Vnets::get_vnet($vnetid, 1)
+	or die "invalid vnet specified";
+
+    my $zoneid = $vnet->{zone};
+
+    my $rpcenv = PVE::RPCEnvironment::get();
+    my $authuser = $rpcenv->get_user();
+
+    $rpcenv->check_any($authuser, "/sdn/zones/$zoneid/$vnetid", $privileges);
+};
+
+__PACKAGE__->register_method ({
+    subclass => "PVE::API2::Firewall::VnetRules",
+    path => 'rules',
+});
+
+__PACKAGE__->register_method({
+    name => 'index',
+    path => '',
+    method => 'GET',
+    description => "Directory index.",
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    vnet => get_standard_option('pve-sdn-vnet-id'),
+	},
+    },
+    returns => {
+	type => 'array',
+	items => {
+	    type => "object",
+	    properties => {},
+	},
+	links => [ { rel => 'child', href => "{name}" } ],
+    },
+    code => sub {
+	my ($param) = @_;
+
+	my $result = [
+	    { name => 'rules' },
+	    { name => 'options' },
+	];
+
+	return $result;
+    }});
+
+my $option_properties = dclone($PVE::Firewall::vnet_option_properties);
+
+my sub add_option_properties {
+    my ($properties) = @_;
+
+    foreach my $k (keys %$option_properties) {
+	$properties->{$k} = $option_properties->{$k};
+    }
+
+    return $properties;
+};
+
+
+__PACKAGE__->register_method({
+    name => 'get_options',
+    path => 'options',
+    method => 'GET',
+    description => "Get vnet firewall options.",
+    permissions => {
+	description => "Needs SDN.Audit or SDN.Allocate permissions on '/sdn/zones/<zone>/<vnet>'",
+	user => 'all',
+    },
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    vnet => get_standard_option('pve-sdn-vnet-id'),
+	},
+    },
+    returns => {
+	type => "object",
+	properties => $option_properties,
+    },
+    code => sub {
+	my ($param) = @_;
+
+	check_vnet_access($param->{vnet}, ['SDN.Allocate', 'SDN.Audit']);
+
+	my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+	my $vnetfw_conf = PVE::Firewall::load_vnetfw_conf($cluster_conf, 'vnet', $param->{vnet});
+
+	return PVE::Firewall::copy_opject_with_digest($vnetfw_conf->{options});
+    }});
+
+__PACKAGE__->register_method({
+    name => 'set_options',
+    path => 'options',
+    method => 'PUT',
+    description => "Set Firewall options.",
+    protected => 1,
+    permissions => {
+	description => "Needs SDN.Allocate permissions on '/sdn/zones/<zone>/<vnet>'",
+	user => 'all',
+    },
+    parameters => {
+	additionalProperties => 0,
+	properties => add_option_properties({
+	    vnet => get_standard_option('pve-sdn-vnet-id'),
+	    delete => {
+		type => 'string', format => 'pve-configid-list',
+		description => "A list of settings you want to delete.",
+		optional => 1,
+	    },
+	    digest => get_standard_option('pve-config-digest'),
+	}),
+    },
+    returns => { type => "null" },
+    code => sub {
+	my ($param) = @_;
+
+	check_vnet_access($param->{vnet}, ['SDN.Allocate']);
+
+	PVE::Firewall::lock_vnetfw_conf($param->{vnet}, 10, sub {
+	    my $cluster_conf = PVE::Firewall::load_clusterfw_conf();
+	    my $vnetfw_conf = PVE::Firewall::load_vnetfw_conf($cluster_conf, 'vnet', $param->{vnet});
+
+	    my (undef, $digest) = PVE::Firewall::copy_opject_with_digest($vnetfw_conf->{options});
+	    PVE::Tools::assert_if_modified($digest, $param->{digest});
+
+	    if ($param->{delete}) {
+		for my $opt (PVE::Tools::split_list($param->{delete})) {
+		    raise_param_exc({ delete => "no such option '$opt'" })
+			if !$option_properties->{$opt};
+		    delete $vnetfw_conf->{options}->{$opt};
+		}
+	    }
+
+	    if (defined($param->{enable})) {
+		$param->{enable} = $param->{enable} ? 1 : 0;
+	    }
+
+	    for my $k (keys %$option_properties) {
+		next if !defined($param->{$k});
+		$vnetfw_conf->{options}->{$k} = $param->{$k};
+	    }
+
+	    PVE::Firewall::save_vnetfw_conf($param->{vnet}, $vnetfw_conf);
+	});
+
+	return undef;
+    }});
+
+1;
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index e8096aa..1a78caf 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1912,6 +1912,11 @@ sub rules_modify_permissions {
 	return {
 	    check => ['perm', '/vms/{vmid}', [ 'VM.Config.Network' ]],
 	}
+    } elsif ($rule_env eq 'vnet') {
+	return {
+	    description => "Needs SDN.Allocate permissions on '/sdn/zones/<zone>/<vnet>'",
+	    user => 'all',
+	}
     }
 
     return undef;
@@ -1932,6 +1937,11 @@ sub rules_audit_permissions {
 	return {
 	    check => ['perm', '/vms/{vmid}', [ 'VM.Audit' ]],
 	}
+    } elsif ($rule_env eq 'vnet') {
+	return {
+	    description => "Needs SDN.Audit or SDN.Allocate permissions on '/sdn/zones/<zone>/<vnet>'",
+	    user => 'all',
+	}
     }
 
     return undef;
-- 
2.39.5


_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel


  parent reply	other threads:[~2024-10-10 16:03 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-10-10 15:56 [pve-devel] [PATCH docs/firewall/manager/network/proxmox{-ve-rs, -firewall} v2 00/17] add forward chain firewalling for hosts and vnets Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH proxmox-ve-rs v2 01/17] firewall: add forward direction Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH proxmox-ve-rs v2 02/17] firewall: add bridge firewall config parser Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH proxmox-ve-rs v2 03/17] config: firewall: add tests for interface and directions Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH proxmox-ve-rs v2 04/17] host: add struct representing bridge names Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH proxmox-firewall v2 05/17] nftables: derive additional traits for nftables types Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH proxmox-firewall v2 06/17] sdn: add support for loading vnet-level firewall config Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH proxmox-firewall v2 07/17] sdn: create forward firewall rules Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH proxmox-firewall v2 08/17] use std::mem::take over drain() Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH proxmox-firewall v2 09/17] cargo: make proxmox-ve-config a workspace dependency Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH pve-firewall v2 10/17] sdn: add vnet firewall configuration Stefan Hanreich
2024-10-10 15:56 ` Stefan Hanreich [this message]
2024-10-10 15:56 ` [pve-devel] [PATCH pve-manager v2 12/17] firewall: add forward direction to rule panel Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH pve-manager v2 13/17] firewall: add vnet to firewall options component Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH pve-manager v2 14/17] firewall: make base_url dynamically configurable in " Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH pve-manager v2 15/17] sdn: add firewall panel Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH pve-network v2 16/17] firewall: add endpoints for vnet-level firewall Stefan Hanreich
2024-10-10 15:56 ` [pve-devel] [PATCH pve-docs v2 17/17] firewall: add documentation for forward direction Stefan Hanreich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20241010155650.255698-12-s.hanreich@proxmox.com \
    --to=s.hanreich@proxmox.com \
    --cc=pve-devel@lists.proxmox.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Service provided by Proxmox Server Solutions GmbH | Privacy | Legal