firewall_objects/

builder.rs

//! Convenience helpers for assembling firewall objects in "builder" style.
//!
//! This module targets interactive or prototyping flows where developers want to express
//! object definitions with as little boilerplate as possible. Helper functions turn dotted
//! notation such as `address("app1", "192.0.2.10")` or `service::tcp(443)` into strongly
//! typed objects that can be inserted into an [`ObjectStore`](crate::objects::ObjectStore).
//!
//! ```
//! use firewall_objects::builder::{address, service, service_group};
//! use firewall_objects::objects::ObjectStore;
//!
//! let mut store = ObjectStore::new();
//!
//! for entry in [
//!     address("server1", "192.168.50.10").unwrap(),
//!     address("Public DMZ", "10.10.105.0/24").unwrap(),
//! ] {
//!     store.add(entry).unwrap();
//! }
//!
//! let allowed_services = service_group("allowed services")
//!     .unwrap()
//!     .add(service::tcp(443))
//!     .unwrap()
//!     .add(service::udp(53))
//!     .unwrap()
//!     .build()
//!     .unwrap();
//!
//! store.add(allowed_services).unwrap();
//! assert!(store.network("server1").is_ok());
//! assert!(store.service_group("allowed services").is_ok());
//! ```

use std::collections::BTreeSet;
use std::str::FromStr;

use crate::ip::network::{Network, NetworkObj, NetworkObjGroup};
use crate::service::{ApplicationObj, ServiceObj, ServiceObjGroup, TransportService};

/// Unified wrapper returned by the builders so [`ObjectStore::add`](crate::objects::ObjectStore::add)
/// can accept any object or builder directly.
#[derive(Debug, Clone)]
pub enum BuilderEntry {
    Network(NetworkObj),
    NetworkGroup(NetworkObjGroup),
    Service(ServiceObj),
    ServiceGroup(ServiceObjGroup),
    Application(ApplicationObj),
}

impl From<NetworkObj> for BuilderEntry {
    fn from(obj: NetworkObj) -> Self {
        BuilderEntry::Network(obj)
    }
}

impl From<NetworkObjGroup> for BuilderEntry {
    fn from(group: NetworkObjGroup) -> Self {
        BuilderEntry::NetworkGroup(group)
    }
}

impl From<ServiceObj> for BuilderEntry {
    fn from(obj: ServiceObj) -> Self {
        BuilderEntry::Service(obj)
    }
}

impl From<ServiceObjGroup> for BuilderEntry {
    fn from(group: ServiceObjGroup) -> Self {
        BuilderEntry::ServiceGroup(group)
    }
}

impl From<ApplicationObj> for BuilderEntry {
    fn from(app: ApplicationObj) -> Self {
        BuilderEntry::Application(app)
    }
}

/// Helper that builds a `NetworkObj` from a human-friendly input. The `name` is optional—pass
/// an empty string to default to the normalized value.
pub fn address(name: &str, value: &str) -> Result<NetworkObj, String> {
    let network = Network::new(value)?;
    let trimmed = name.trim();
    let final_name = if trimmed.is_empty() {
        network.to_string()
    } else {
        trimmed.to_string()
    };
    Ok(NetworkObj::new(final_name, network))
}

/// Start a network group builder with the provided `name`.
pub fn network_group(name: &str) -> Result<NetworkGroupBuilder, String> {
    NetworkGroupBuilder::new(name)
}

/// Start a service group builder with the provided `name`.
pub fn service_group(name: &str) -> Result<ServiceGroupBuilder, String> {
    ServiceGroupBuilder::new(name)
}

/// Begin composing an application object.
pub fn application(name: &str, category: &str) -> Result<ApplicationBuilder, String> {
    ApplicationBuilder::new(name, category)
}

/// Builder helper for adding multiple network objects into the same group.
#[derive(Debug, Clone)]
pub struct NetworkGroupBuilder {
    name: String,
    members: BTreeSet<NetworkObj>,
}

impl NetworkGroupBuilder {
    pub fn new(name: &str) -> Result<Self, String> {
        let trimmed = name.trim();
        if trimmed.is_empty() {
            return Err("network group name cannot be empty".into());
        }
        Ok(Self {
            name: trimmed.to_string(),
            members: BTreeSet::new(),
        })
    }

    /// Add a network object or builder entry (created via [`address`]).
    pub fn add<N>(mut self, entry: N) -> Result<Self, String>
    where
        N: IntoNetworkObj,
    {
        let obj = entry.into_network_obj();
        if self.members.iter().any(|existing| existing.name == obj.name) {
            return Err(format!(
                "network object '{}' already exists in group '{}'",
                obj.name, self.name
            ));
        }
        self.members.insert(obj);
        Ok(self)
    }

    pub fn build(self) -> Result<NetworkObjGroup, String> {
        NetworkObjGroup::new(&self.name, self.members)
    }
}

/// Builder helper for constructing service groups through chained calls.
#[derive(Debug, Clone)]
pub struct ServiceGroupBuilder {
    name: String,
    members: BTreeSet<ServiceObj>,
}

impl ServiceGroupBuilder {
    pub fn new(name: &str) -> Result<Self, String> {
        let trimmed = name.trim();
        if trimmed.is_empty() {
            return Err("service group name cannot be empty".into());
        }
        Ok(Self {
            name: trimmed.to_string(),
            members: BTreeSet::new(),
        })
    }

    /// Add a service object or builder entry (created via [`service::tcp`] or friends).
    pub fn add<S>(mut self, entry: S) -> Result<Self, String>
    where
        S: IntoServiceObj,
    {
        let obj = entry.into_service_obj();
        if self.members.iter().any(|existing| existing.name == obj.name) {
            return Err(format!(
                "service object '{}' already exists in group '{}'",
                obj.name, self.name
            ));
        }
        self.members.insert(obj);
        Ok(self)
    }

    pub fn build(self) -> Result<ServiceObjGroup, String> {
        ServiceObjGroup::new(&self.name, self.members)
    }
}

/// Network helper trait implemented for both raw objects and builder entries.
pub trait IntoNetworkObj {
    fn into_network_obj(self) -> NetworkObj;
}

impl IntoNetworkObj for NetworkObj {
    fn into_network_obj(self) -> NetworkObj {
        self
    }
}

/// Service helper trait implemented for both raw objects and builder entries.
pub trait IntoServiceObj {
    fn into_service_obj(self) -> ServiceObj;
}

impl IntoServiceObj for ServiceObj {
    fn into_service_obj(self) -> ServiceObj {
        self
    }
}

/// Convenience namespace for transport builders: `service::tcp(443)` or `service::parse("udp/53")`.
pub mod service {
    use super::*;

    /// Create a TCP service entry with an auto-generated name (e.g., `"tcp/443"`).
    pub fn tcp(port: u16) -> ServiceObj {
        ServiceObj::new(format!("tcp/{port}"), TransportService::tcp(port))
    }

    /// Create a UDP service entry with an auto-generated name.
    pub fn udp(port: u16) -> ServiceObj {
        ServiceObj::new(format!("udp/{port}"), TransportService::udp(port))
    }

    /// Create an ICMPv4 service entry by type/code.
    pub fn icmpv4(ty: u8, code: Option<u8>) -> ServiceObj {
        let svc = TransportService::icmp(crate::service::icmp::IcmpVersion::V4, ty, code);
        ServiceObj::new(svc.to_string(), svc)
    }

    /// Create an ICMPv6 service entry by type/code.
    pub fn icmpv6(ty: u8, code: Option<u8>) -> ServiceObj {
        let svc = TransportService::icmp(crate::service::icmp::IcmpVersion::V6, ty, code);
        ServiceObj::new(svc.to_string(), svc)
    }

    /// Create a transport definition from a string such as `"tcp/22"` or `"icmp/echo-request"`.
    pub fn parse(definition: &str) -> Result<ServiceObj, String> {
        let svc = TransportService::from_str(definition)?;
        let name = definition.trim();
        let final_name = if name.is_empty() {
            svc.to_string()
        } else {
            name.to_string()
        };
        Ok(ServiceObj::new(final_name, svc))
    }
}

/// Builder for application objects with minimal ceremony.
#[derive(Debug, Clone)]
pub struct ApplicationBuilder {
    name: String,
    category: String,
    transports: Vec<TransportService>,
    dns_suffixes: Vec<String>,
    tls_sni_suffixes: Vec<String>,
    http_hosts: Vec<String>,
}

impl ApplicationBuilder {
    pub fn new(name: &str, category: &str) -> Result<Self, String> {
        let name = name.trim();
        let category = category.trim();

        if name.is_empty() {
            return Err("application name cannot be empty".into());
        }
        if category.is_empty() {
            return Err("application category cannot be empty".into());
        }

        Ok(Self {
            name: name.to_string(),
            category: category.to_string(),
            transports: Vec::new(),
            dns_suffixes: Vec::new(),
            tls_sni_suffixes: Vec::new(),
            http_hosts: Vec::new(),
        })
    }

    /// Append a transport definition by parsing a descriptor like `"tcp/443"` or `"udp/53"`.
    pub fn transport(mut self, descriptor: &str) -> Result<Self, String> {
        self.transports.push(TransportService::from_str(descriptor)?);
        Ok(self)
    }

    /// Append a pre-built transport.
    pub fn transport_value(mut self, svc: TransportService) -> Self {
        self.transports.push(svc);
        self
    }

    pub fn dns_suffix<S: Into<String>>(mut self, suffix: S) -> Self {
        self.dns_suffixes.push(suffix.into());
        self
    }

    pub fn tls_sni_suffix<S: Into<String>>(mut self, suffix: S) -> Self {
        self.tls_sni_suffixes.push(suffix.into());
        self
    }

    pub fn http_host<S: Into<String>>(mut self, host: S) -> Self {
        self.http_hosts.push(host.into());
        self
    }

    pub fn build(self) -> ApplicationObj {
        ApplicationObj {
            name: self.name,
            category: self.category,
            transports: self.transports,
            dns_suffixes: self.dns_suffixes,
            tls_sni_suffixes: self.tls_sni_suffixes,
            http_hosts: self.http_hosts,
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn address_defaults_name_when_empty() {
        let obj = address("", "192.0.2.10").unwrap();
        assert_eq!(obj.name, "192.0.2.10");
    }

    #[test]
    fn service_group_builder_rejects_duplicates() {
        let service = service::tcp(443);
        let err = service_group("web")
            .unwrap()
            .add(service.clone())
            .unwrap()
            .add(service)
            .unwrap_err();
        assert!(err.contains("web"));
    }

    #[test]
    fn application_builder_collects_values() {
        let app = application("github", "developer")
            .unwrap()
            .transport("tcp/443")
            .unwrap()
            .dns_suffix(".github.com")
            .http_host("github.com")
            .build();

        assert_eq!(app.name, "github");
        assert_eq!(app.category, "developer");
        assert_eq!(app.transports.len(), 1);
        assert_eq!(app.dns_suffixes, vec![".github.com"]);
        assert_eq!(app.http_hosts, vec!["github.com"]);
    }
}