[pmg-devel] [PATCH v2 pmg-api 2/4] fix #2437: api: Add endpoint for managing tls_inbound_domains entries

[Christoph Heiss]

Add a new API endpoint `/config/tlsinbounddomains` for managing entries
of the `tls_inbound_domains` postfix map. Modelled after the
`DestinationTLSPolicy` implementation.

Signed-off-by: Christoph Heiss <c.heiss at proxmox.com>
---
Changes v1 -> v2:
 * New patch; split out from patch #1

 src/Makefile                      |   1 +
 src/PMG/API2/Config.pm            |   7 ++
 src/PMG/API2/InboundTLSDomains.pm | 127 ++++++++++++++++++++++++++++++
 3 files changed, 135 insertions(+)
 create mode 100644 src/PMG/API2/InboundTLSDomains.pm

diff --git a/src/Makefile b/src/Makefile
index 0b424e9..32eac57 100644
--- a/src/Makefile
+++ b/src/Makefile
@@ -132,6 +132,7 @@ LIBSOURCES =				\
 	PMG/API2/DKIMSignDomains.pm	\
 	PMG/API2/DKIMSign.pm		\
 	PMG/API2/Fetchmail.pm		\
+	PMG/API2/InboundTLSDomains.pm	\
 	PMG/API2/Users.pm		\
 	PMG/API2/Transport.pm		\
 	PMG/API2/MyNetworks.pm		\
diff --git a/src/PMG/API2/Config.pm b/src/PMG/API2/Config.pm
index 37da096..c71432a 100644
--- a/src/PMG/API2/Config.pm
+++ b/src/PMG/API2/Config.pm
@@ -23,6 +23,7 @@ use PMG::API2::SMTPWhitelist;
 use PMG::API2::MimeTypes;
 use PMG::API2::Fetchmail;
 use PMG::API2::DestinationTLSPolicy;
+use PMG::API2::InboundTLSDomains;
 use PMG::API2::DKIMSign;
 use PMG::API2::SACustom;
 use PMG::API2::PBS::Remote;
@@ -86,6 +87,11 @@ __PACKAGE__->register_method ({
     path => 'tlspolicy',
 });

+__PACKAGE__->register_method ({
+    subclass => "PMG::API2::InboundTLSDomains",
+    path => 'tlsinbounddomains',
+});
+
 __PACKAGE__->register_method({
     subclass => "PMG::API2::DKIMSign",
     path => 'dkim',
@@ -146,6 +152,7 @@ __PACKAGE__->register_method ({
 	push @$res, { section => 'ruledb' };
 	push @$res, { section => 'tfa' };
 	push @$res, { section => 'tlspolicy' };
+	push @$res, { section => 'tlsinbounddomains' };
 	push @$res, { section => 'transport' };
 	push @$res, { section => 'users' };
 	push @$res, { section => 'whitelist' };
diff --git a/src/PMG/API2/InboundTLSDomains.pm b/src/PMG/API2/InboundTLSDomains.pm
new file mode 100644
index 0000000..38bebca
--- /dev/null
+++ b/src/PMG/API2/InboundTLSDomains.pm
@@ -0,0 +1,127 @@
+package PMG::API2::InboundTLSDomains;
+
+use strict;
+use warnings;
+
+use PVE::RESTHandler;
+use PVE::INotify;
+use PVE::Exception qw(raise_param_exc);
+
+use PMG::Config;
+
+use base qw(PVE::RESTHandler);
+
+__PACKAGE__->register_method ({
+    name => 'index',
+    path => '',
+    method => 'GET',
+    description => 'List tls_inbound_domains entries.',
+    proxyto => 'master',
+    permissions => { check => [ 'admin', 'audit' ] },
+    parameters => {
+	additionalProperties => 0,
+	properties => {},
+    },
+    returns => {
+	type => 'array',
+	items => {
+	    type => 'string',
+	    format => 'transport-domain',
+	},
+	description => 'List of domains for which TLS will be enforced on incoming connections',
+	links => [ { rel => 'child', href => '{domain}' } ],
+    },
+    code => sub {
+	my ($param) = @_;
+
+	my $res = [];
+
+	my $domains = PVE::INotify::read_file('tls_inbound_domains');
+
+	foreach my $domain (sort keys %$domains) {
+	    push @$res, { domain => $domain };
+	}
+
+	return $res;
+    }});
+
+__PACKAGE__->register_method ({
+    name => 'create',
+    path => '',
+    method => 'POST',
+    proxyto => 'master',
+    protected => 1,
+    permissions => { check => [ 'admin' ] },
+    description => 'Add new tls_inbound_domains entry.',
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    domain => {
+		type => 'string',
+		format => 'transport-domain',
+		description => 'Domain for which TLS should be enforced on incoming connections',
+	    },
+	},
+    },
+    returns => { type => 'null' },
+    code => sub {
+	my ($param) = @_;
+	my $domain = $param->{domain};
+
+	my $code = sub {
+	    my $domains = PVE::INotify::read_file('tls_inbound_domains');
+	    raise_param_exc({ domain => "InboundTLSDomains entry for '$domain' already exists" })
+		if $domains->{$domain};
+
+	    $domains->{$domain} = 1;
+
+	    PVE::INotify::write_file('tls_inbound_domains', $domains);
+	    PMG::Config::postmap_tls_inbound_domains();
+	};
+
+	PMG::Config::lock_config($code, 'adding tls_inbound_domains entry failed');
+
+	return undef;
+    }});
+
+__PACKAGE__->register_method ({
+    name => 'delete',
+    path => '{domain}',
+    method => 'DELETE',
+    description => 'Delete a tls_inbound_domains entry',
+    protected => 1,
+    permissions => { check => [ 'admin' ] },
+    proxyto => 'master',
+    parameters => {
+	additionalProperties => 0,
+	properties => {
+	    domain => {
+		type => 'string',
+		format => 'transport-domain',
+		description => 'Domain which should be removed from tls_inbound_domains',
+	    },
+	}
+    },
+    returns => { type => 'null' },
+    code => sub {
+	my ($param) = @_;
+	my $domain = $param->{domain};
+
+	my $code = sub {
+	    my $domains = PVE::INotify::read_file('tls_inbound_domains');
+
+	    raise_param_exc({ domain => "tls_inbound_domains entry for '$domain' does not exist" })
+		if !$domains->{$domain};
+
+	    delete $domains->{$domain};
+
+	    PVE::INotify::write_file('tls_inbound_domains', $domains);
+	    PMG::Config::postmap_tls_inbound_domains();
+	};
+
+	PMG::Config::lock_config($code, 'deleting tls_inbound_domains entry failed');
+
+	return undef;
+    }});
+
+1;
--
2.39.2