51ea1fc802
* Migration 0012: firewall_zones (id, name UNIQUE, description, builtin),
Seed wan/lan/dmz/mgmt/cluster als builtin. CHECK-Constraints auf
network_interfaces.role + firewall_rules.{src,dst}_zone +
firewall_nat_rules.{in,out}_zone gedroppt — Validation lebt jetzt
app-side (Handler prüft Existenz in firewall_zones).
* Backend: firewall.ZonesRepo (CRUD + Exists + References-Lookup),
/api/v1/firewall/zones, builtin geschützt (Name nicht änderbar,
Delete blockiert), Rename eines Custom-Zone aktuell ohne Cascade
(Handler-Sorge bei Rules/NAT/Networks).
* Handler-Validation in CreateRule/UpdateRule/CreateNAT/UpdateNAT +
NetworksHandler: Zone-Existence-Check pro Mutation, 400 bei Tippfehler.
* Frontend: Firewall-Tab "Zonen" (CRUD mit builtin-Schutz). Networks-
Form lädt Rollen aus /firewall/zones (statt hardcoded Liste); Rules-
und NAT-Forms ziehen die Zone-Auswahl ebenfalls aus der API.
* Domain-Form bekommt Primary-Backend-Picker (Field war im Modell,
fehlte im UI). Backends-Tabelle zeigt umgekehrt welche Domains
darauf zeigen — bidirektionale Sicht ohne Schemaänderung.
* HAProxy-Renderer: safeID-FuncMap escaped Server-Namen mit Whitespace
("Control Master 1" → "Control_Master_1"). Vorher ist haproxy beim
Reload an Spaces im Backend-Namen kaputt gegangen.
* Version 1.0.3 → 1.0.6.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
194 lines
4.9 KiB
Go
194 lines
4.9 KiB
Go
package handlers
|
|
|
|
import (
|
|
"errors"
|
|
"strconv"
|
|
|
|
"github.com/gin-gonic/gin"
|
|
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/handlers/response"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/models"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/audit"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/firewall"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/ipaddresses"
|
|
"git.netcell-it.de/projekte/edgeguard-native/internal/services/networkifs"
|
|
)
|
|
|
|
type NetworksHandler struct {
|
|
Repo *networkifs.Repo
|
|
IPs *ipaddresses.Repo
|
|
Zones *firewall.ZonesRepo
|
|
Audit *audit.Repo
|
|
NodeID string
|
|
}
|
|
|
|
func NewNetworksHandler(
|
|
repo *networkifs.Repo, ips *ipaddresses.Repo,
|
|
zones *firewall.ZonesRepo, a *audit.Repo, nodeID string,
|
|
) *NetworksHandler {
|
|
return &NetworksHandler{Repo: repo, IPs: ips, Zones: zones, Audit: a, NodeID: nodeID}
|
|
}
|
|
|
|
func (h *NetworksHandler) Register(rg *gin.RouterGroup) {
|
|
g := rg.Group("/network-interfaces")
|
|
g.GET("", h.List)
|
|
g.POST("", h.Create)
|
|
g.GET("/:id", h.Get)
|
|
g.PUT("/:id", h.Update)
|
|
g.DELETE("/:id", h.Delete)
|
|
g.GET("/:id/ip-addresses", h.ListIPs)
|
|
}
|
|
|
|
func (h *NetworksHandler) List(c *gin.Context) {
|
|
out, err := h.Repo.List(c.Request.Context())
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
response.OK(c, gin.H{"interfaces": out})
|
|
}
|
|
|
|
func (h *NetworksHandler) Get(c *gin.Context) {
|
|
id, ok := parseID(c)
|
|
if !ok {
|
|
return
|
|
}
|
|
x, err := h.Repo.Get(c.Request.Context(), id)
|
|
if err != nil {
|
|
if errors.Is(err, networkifs.ErrNotFound) {
|
|
response.NotFound(c, err)
|
|
return
|
|
}
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
response.OK(c, x)
|
|
}
|
|
|
|
func (h *NetworksHandler) Create(c *gin.Context) {
|
|
var req models.NetworkInterface
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, err)
|
|
return
|
|
}
|
|
if err := validateInterface(&req); err != nil {
|
|
response.BadRequest(c, err)
|
|
return
|
|
}
|
|
if ok, err := h.Zones.Exists(c.Request.Context(), req.Role); err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
} else if !ok {
|
|
response.BadRequest(c, errors.New("role: zone "+req.Role+" does not exist"))
|
|
return
|
|
}
|
|
out, err := h.Repo.Create(c.Request.Context(), req)
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
_ = h.Audit.Log(c.Request.Context(), actorOf(c), "network_interface.create", req.Name, out, h.NodeID)
|
|
response.Created(c, out)
|
|
}
|
|
|
|
func (h *NetworksHandler) Update(c *gin.Context) {
|
|
id, ok := parseID(c)
|
|
if !ok {
|
|
return
|
|
}
|
|
var req models.NetworkInterface
|
|
if err := c.ShouldBindJSON(&req); err != nil {
|
|
response.BadRequest(c, err)
|
|
return
|
|
}
|
|
if err := validateInterface(&req); err != nil {
|
|
response.BadRequest(c, err)
|
|
return
|
|
}
|
|
if ok, err := h.Zones.Exists(c.Request.Context(), req.Role); err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
} else if !ok {
|
|
response.BadRequest(c, errors.New("role: zone "+req.Role+" does not exist"))
|
|
return
|
|
}
|
|
out, err := h.Repo.Update(c.Request.Context(), id, req)
|
|
if err != nil {
|
|
if errors.Is(err, networkifs.ErrNotFound) {
|
|
response.NotFound(c, err)
|
|
return
|
|
}
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
_ = h.Audit.Log(c.Request.Context(), actorOf(c), "network_interface.update", out.Name, out, h.NodeID)
|
|
response.OK(c, out)
|
|
}
|
|
|
|
func (h *NetworksHandler) Delete(c *gin.Context) {
|
|
id, ok := parseID(c)
|
|
if !ok {
|
|
return
|
|
}
|
|
if err := h.Repo.Delete(c.Request.Context(), id); err != nil {
|
|
if errors.Is(err, networkifs.ErrNotFound) {
|
|
response.NotFound(c, err)
|
|
return
|
|
}
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
_ = h.Audit.Log(c.Request.Context(), actorOf(c), "network_interface.delete",
|
|
strconv.FormatInt(id, 10), gin.H{"id": id}, h.NodeID)
|
|
response.NoContent(c)
|
|
}
|
|
|
|
// validateInterface enforces the per-type rules that the SQL CHECK
|
|
// constraints alone can't express in a friendly way:
|
|
// - vlan: parent + vlan_id required
|
|
// - bridge / bond: ≥ 1 member required, vlan_id forbidden
|
|
// - ethernet / wireguard: parent + members + vlan_id ignored
|
|
//
|
|
// The caller normalises empty members to nil before calling so the
|
|
// repo always receives [] (NOT NULL).
|
|
func validateInterface(i *models.NetworkInterface) error {
|
|
switch i.Type {
|
|
case "vlan":
|
|
if i.Parent == nil || *i.Parent == "" {
|
|
return errors.New("vlan requires parent")
|
|
}
|
|
if i.VLANID == nil {
|
|
return errors.New("vlan requires vlan_id")
|
|
}
|
|
i.Members = nil
|
|
case "bridge", "bond":
|
|
if len(i.Members) == 0 {
|
|
return errors.New(i.Type + " requires at least one member interface")
|
|
}
|
|
i.Parent = nil
|
|
i.VLANID = nil
|
|
case "ethernet", "wireguard":
|
|
i.Parent = nil
|
|
i.VLANID = nil
|
|
i.Members = nil
|
|
default:
|
|
return errors.New("unknown interface type")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// ListIPs surfaces the addresses bound to a single interface — UI
|
|
// uses this for the per-interface IP-list tab.
|
|
func (h *NetworksHandler) ListIPs(c *gin.Context) {
|
|
id, ok := parseID(c)
|
|
if !ok {
|
|
return
|
|
}
|
|
out, err := h.IPs.ListForInterface(c.Request.Context(), id)
|
|
if err != nil {
|
|
response.Internal(c, err)
|
|
return
|
|
}
|
|
response.OK(c, gin.H{"ip_addresses": out})
|
|
}
|