firewall_objects/objects/

mod.rs

//! Object storage helpers, including optional JSON serialization (`serde` feature).

use crate::builder::BuilderEntry;
use crate::error::{FirewallObjectError, Result};
use crate::ip::network::{NetworkObj, NetworkObjGroup};
use crate::service::{ApplicationObj, ServiceObj, ServiceObjGroup};
use std::collections::BTreeMap;

#[cfg(feature = "serde")]
use serde::{Deserialize, Serialize};

#[cfg(feature = "serde")]
use serde_json;

/// Unified representation of objects managed via CRUD helpers.
#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
#[cfg_attr(feature = "serde", serde(tag = "kind", rename_all = "snake_case"))]
#[derive(Debug, Clone)]
pub enum ObjectRecord {
    Network(NetworkObj),
    NetworkGroup(NetworkObjGroup),
    Service(ServiceObj),
    ServiceGroup(ServiceObjGroup),
    Application(ApplicationObj),
}

#[cfg_attr(feature = "serde", derive(Serialize, Deserialize))]
#[cfg_attr(feature = "serde", serde(rename_all = "snake_case"))]
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum ObjectKind {
    Network,
    NetworkGroup,
    Service,
    ServiceGroup,
    Application,
}

/// In-memory store for firewall objects.
#[derive(Debug, Default)]
pub struct ObjectStore {
    networks: BTreeMap<String, NetworkObj>,
    network_groups: BTreeMap<String, NetworkObjGroup>,
    services: BTreeMap<String, ServiceObj>,
    service_groups: BTreeMap<String, ServiceObjGroup>,
    applications: BTreeMap<String, ApplicationObj>,
}

impl ObjectStore {
    pub fn new() -> Self {
        Self::default()
    }

    #[cfg(feature = "serde")]
    /// Create an object from a JSON payload.
    ///
    /// ```
    /// # use firewall_objects::objects::{ObjectStore, ObjectKind};
    /// # use firewall_objects::service::TransportService;
    /// let payload = r#"{
    ///     "kind": "service",
    ///     "name": "https",
    ///     "value": { "Tcp": 443 }
    /// }"#;
    /// let mut store = ObjectStore::new();
    /// store.create_from_json(payload).unwrap();
    /// assert!(store.get(ObjectKind::Service, "https").is_ok());
    /// ```
    pub fn create_from_json(&mut self, payload: &str) -> Result<()> {
        let obj: ObjectRecord = serde_json::from_str(payload)?;
        self.create(obj)
    }

    #[cfg(feature = "serde")]
    pub fn update_from_json(&mut self, payload: &str) -> Result<()> {
        let obj: ObjectRecord = serde_json::from_str(payload)?;
        self.update(obj)
    }

    pub fn create(&mut self, obj: ObjectRecord) -> Result<()> {
        match obj {
            ObjectRecord::Network(net) => {
                if self.networks.contains_key(&net.name) {
                    return Err(FirewallObjectError::Message(format!(
                        "network '{}' already exists",
                        net.name
                    )));
                }
                self.networks.insert(net.name.clone(), net);
            }
            ObjectRecord::NetworkGroup(group) => {
                if self.network_groups.contains_key(&group.name) {
                    return Err(FirewallObjectError::Message(format!(
                        "network group '{}' already exists",
                        group.name
                    )));
                }
                self.network_groups.insert(group.name.clone(), group);
            }
            ObjectRecord::Service(service) => {
                if self.services.contains_key(&service.name) {
                    return Err(FirewallObjectError::Message(format!(
                        "service '{}' already exists",
                        service.name
                    )));
                }
                self.services.insert(service.name.clone(), service);
            }
            ObjectRecord::ServiceGroup(group) => {
                if self.service_groups.contains_key(&group.name) {
                    return Err(FirewallObjectError::Message(format!(
                        "service group '{}' already exists",
                        group.name
                    )));
                }
                self.service_groups.insert(group.name.clone(), group);
            }
            ObjectRecord::Application(app) => {
                if self.applications.contains_key(&app.name) {
                    return Err(FirewallObjectError::Message(format!(
                        "application '{}' already exists",
                        app.name
                    )));
                }
                self.applications.insert(app.name.clone(), app);
            }
        }
        Ok(())
    }

    /// Insert any builder entry or object emitted by the [`builder`](crate::builder) helpers.
    ///
    /// ```
    /// use firewall_objects::builder::{address, service, service_group};
    /// use firewall_objects::objects::ObjectStore;
    ///
    /// let mut store = ObjectStore::new();
    /// store.add(address("server1", "192.0.2.10").unwrap()).unwrap();
    ///
    /// let services = service_group("web").unwrap()
    ///     .with_service(service::tcp(443)).unwrap()
    ///     .with_service(service::udp(8443)).unwrap()
    ///     .build().unwrap();
    /// store.add(services).unwrap();
    /// ```
    pub fn add<T>(&mut self, entry: T) -> Result<()>
    where
        T: Into<BuilderEntry>,
    {
        match entry.into() {
            BuilderEntry::Network(net) => self.insert_network(net),
            BuilderEntry::NetworkGroup(group) => self.insert_network_group(group),
            BuilderEntry::Service(service) => self.insert_service(service),
            BuilderEntry::ServiceGroup(group) => self.insert_service_group(group),
            BuilderEntry::Application(app) => self.insert_application(app),
        }
    }

    pub fn update(&mut self, obj: ObjectRecord) -> Result<()> {
        match obj {
            ObjectRecord::Network(net) => match self.networks.get_mut(&net.name) {
                Some(existing) => {
                    *existing = net;
                }
                None => return Err(not_found("network", &net.name)),
            },
            ObjectRecord::NetworkGroup(group) => match self.network_groups.get_mut(&group.name) {
                Some(existing) => {
                    *existing = group;
                }
                None => return Err(not_found("network group", &group.name)),
            },
            ObjectRecord::Service(service) => match self.services.get_mut(&service.name) {
                Some(existing) => {
                    *existing = service;
                }
                None => return Err(not_found("service", &service.name)),
            },
            ObjectRecord::ServiceGroup(group) => match self.service_groups.get_mut(&group.name) {
                Some(existing) => {
                    *existing = group;
                }
                None => return Err(not_found("service group", &group.name)),
            },
            ObjectRecord::Application(app) => match self.applications.get_mut(&app.name) {
                Some(existing) => {
                    *existing = app;
                }
                None => return Err(not_found("application", &app.name)),
            },
        }
        Ok(())
    }

    pub fn delete(&mut self, kind: ObjectKind, name: &str) -> Result<()> {
        let removed = match kind {
            ObjectKind::Network => self.networks.remove(name).is_some(),
            ObjectKind::NetworkGroup => self.network_groups.remove(name).is_some(),
            ObjectKind::Service => self.services.remove(name).is_some(),
            ObjectKind::ServiceGroup => self.service_groups.remove(name).is_some(),
            ObjectKind::Application => self.applications.remove(name).is_some(),
        };

        if removed {
            Ok(())
        } else {
            Err(not_found(kind_name(kind), name))
        }
    }

    pub fn get(&self, kind: ObjectKind, name: &str) -> Result<ObjectRecord> {
        let cloned = match kind {
            ObjectKind::Network => self
                .networks
                .get(name)
                .cloned()
                .map(ObjectRecord::Network)
                .ok_or_else(|| not_found("network", name))?,
            ObjectKind::NetworkGroup => self
                .network_groups
                .get(name)
                .cloned()
                .map(ObjectRecord::NetworkGroup)
                .ok_or_else(|| not_found("network group", name))?,
            ObjectKind::Service => self
                .services
                .get(name)
                .cloned()
                .map(ObjectRecord::Service)
                .ok_or_else(|| not_found("service", name))?,
            ObjectKind::ServiceGroup => self
                .service_groups
                .get(name)
                .cloned()
                .map(ObjectRecord::ServiceGroup)
                .ok_or_else(|| not_found("service group", name))?,
            ObjectKind::Application => self
                .applications
                .get(name)
                .cloned()
                .map(ObjectRecord::Application)
                .ok_or_else(|| not_found("application", name))?,
        };
        Ok(cloned)
    }

    #[cfg(feature = "serde")]
    /// Serialize an object to JSON.
    ///
    /// ```
    /// # use firewall_objects::objects::{ObjectStore, ObjectRecord, ObjectKind};
    /// # use firewall_objects::service::TransportService;
    /// let mut store = ObjectStore::new();
    /// store.create(ObjectRecord::Service(
    ///     firewall_objects::service::ServiceObj::new(
    ///         "dns".into(),
    ///         TransportService::udp(53),
    ///     )
    /// )).unwrap();
    /// let json = store.to_json(ObjectKind::Service, "dns").unwrap();
    /// assert!(json.contains("\"dns\""));
    /// ```
    pub fn to_json(&self, kind: ObjectKind, name: &str) -> Result<String> {
        let obj = self.get(kind, name)?;
        serde_json::to_string_pretty(&obj).map_err(FirewallObjectError::from)
    }

    /// Convenience: insert a network object.
    pub fn insert_network(&mut self, obj: NetworkObj) -> Result<()> {
        self.create(ObjectRecord::Network(obj))
    }

    /// Convenience: insert a network group.
    pub fn insert_network_group(&mut self, group: NetworkObjGroup) -> Result<()> {
        self.create(ObjectRecord::NetworkGroup(group))
    }

    /// Convenience: insert a service object.
    pub fn insert_service(&mut self, obj: ServiceObj) -> Result<()> {
        self.create(ObjectRecord::Service(obj))
    }

    /// Convenience: insert a service group.
    pub fn insert_service_group(&mut self, group: ServiceObjGroup) -> Result<()> {
        self.create(ObjectRecord::ServiceGroup(group))
    }

    /// Convenience: insert an application.
    pub fn insert_application(&mut self, app: ApplicationObj) -> Result<()> {
        self.create(ObjectRecord::Application(app))
    }

    /// Convenience accessor for networks.
    pub fn network(&self, name: &str) -> Result<NetworkObj> {
        match self.get(ObjectKind::Network, name)? {
            ObjectRecord::Network(obj) => Ok(obj),
            _ => unreachable!(),
        }
    }

    /// Convenience accessor for network groups.
    pub fn network_group(&self, name: &str) -> Result<NetworkObjGroup> {
        match self.get(ObjectKind::NetworkGroup, name)? {
            ObjectRecord::NetworkGroup(obj) => Ok(obj),
            _ => unreachable!(),
        }
    }

    /// Convenience accessor for services.
    pub fn service(&self, name: &str) -> Result<ServiceObj> {
        match self.get(ObjectKind::Service, name)? {
            ObjectRecord::Service(obj) => Ok(obj),
            _ => unreachable!(),
        }
    }

    /// Convenience accessor for service groups.
    pub fn service_group(&self, name: &str) -> Result<ServiceObjGroup> {
        match self.get(ObjectKind::ServiceGroup, name)? {
            ObjectRecord::ServiceGroup(obj) => Ok(obj),
            _ => unreachable!(),
        }
    }

    /// Convenience accessor for applications.
    pub fn application(&self, name: &str) -> Result<ApplicationObj> {
        match self.get(ObjectKind::Application, name)? {
            ObjectRecord::Application(obj) => Ok(obj),
            _ => unreachable!(),
        }
    }
}

fn not_found(entity: &str, name: &str) -> FirewallObjectError {
    FirewallObjectError::Message(format!("{entity} '{name}' not found"))
}

fn kind_name(kind: ObjectKind) -> &'static str {
    match kind {
        ObjectKind::Network => "network",
        ObjectKind::NetworkGroup => "network group",
        ObjectKind::Service => "service",
        ObjectKind::ServiceGroup => "service group",
        ObjectKind::Application => "application",
    }
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::service::{ApplicationMatchInput, ApplicationObj, TransportService};
    use std::collections::BTreeSet;

    #[cfg(feature = "serde")]
    use serde_json;

    #[test]
    fn create_and_get_objects() {
        let mut store = ObjectStore::new();
        store
            .create(ObjectRecord::Network(
                NetworkObj::try_from(("db1", "192.0.2.10")).unwrap(),
            ))
            .unwrap();
        store
            .create(ObjectRecord::Service(ServiceObj::new(
                "web".into(),
                TransportService::tcp(443),
            )))
            .unwrap();

        assert!(store.get(ObjectKind::Network, "db1").is_ok());
        assert!(store.get(ObjectKind::Service, "web").is_ok());
    }

    #[test]
    fn update_requires_existing() {
        let mut store = ObjectStore::new();
        let err = store
            .update(ObjectRecord::Service(ServiceObj::new(
                "dns".into(),
                TransportService::udp(53),
            )))
            .unwrap_err();
        assert!(format!("{err}").contains("not found"));
    }

    #[test]
    fn delete_objects() {
        let mut store = ObjectStore::new();
        store
            .create(ObjectRecord::Network(
                NetworkObj::try_from(("api", "192.0.2.5")).unwrap(),
            ))
            .unwrap();
        store.delete(ObjectKind::Network, "api").unwrap();
        assert!(store.get(ObjectKind::Network, "api").is_err());

        let mut members = BTreeSet::new();
        members.insert(NetworkObj::try_from(("app", "192.0.2.6")).unwrap());
        let group = NetworkObjGroup::new("tier1", members).unwrap();
        store.create(ObjectRecord::NetworkGroup(group)).unwrap();
        store.delete(ObjectKind::NetworkGroup, "tier1").unwrap();
    }

    #[test]
    fn applications_supported() {
        let mut store = ObjectStore::new();
        let app = ApplicationObj {
            name: "metrics-ui".into(),
            category: "internal".into(),
            transports: vec![TransportService::tcp(443)],
            dns_suffixes: vec![".corp.local".into()],
            tls_sni_suffixes: vec![],
            http_hosts: vec!["metrics.corp.local".into()],
        };

        store
            .create(ObjectRecord::Application(app.clone()))
            .unwrap();

        let fetched = store.get(ObjectKind::Application, "metrics-ui").unwrap();
        if let ObjectRecord::Application(obj) = fetched {
            assert!(obj.matches(&ApplicationMatchInput {
                http_host: Some("metrics.corp.local"),
                ..Default::default()
            }));
        } else {
            panic!("expected application");
        }
    }

    #[cfg(feature = "serde")]
    #[test]
    fn json_round_trip() {
        let mut store = ObjectStore::new();
        let payload = serde_json::to_string(&ObjectRecord::Application(ApplicationObj {
            name: "docs".into(),
            category: "external".into(),
            transports: vec![TransportService::tcp(443)],
            dns_suffixes: vec![".example.com".into()],
            tls_sni_suffixes: vec![".example.com".into()],
            http_hosts: vec!["docs.example.com".into()],
        }))
        .unwrap();

        store.create_from_json(&payload).unwrap();
        let json = store.to_json(ObjectKind::Application, "docs").unwrap();
        assert!(json.contains("docs"));
    }

    #[test]
    fn helper_methods_insert_and_get() {
        let mut store = ObjectStore::new();
        let network = NetworkObj::try_from(("app", "192.0.2.20")).unwrap();
        store.insert_network(network.clone()).unwrap();
        assert_eq!(store.network("app").unwrap(), network);

        let service = ServiceObj::new("web".into(), TransportService::tcp(443));
        store.insert_service(service.clone()).unwrap();
        assert_eq!(store.service("web").unwrap(), service);

        let app = ApplicationObj {
            name: "helper-app".into(),
            category: "misc".into(),
            transports: vec![TransportService::udp(6000)],
            dns_suffixes: vec![".helpers.local".into()],
            tls_sni_suffixes: vec![],
            http_hosts: vec![],
        };
        store.insert_application(app.clone()).unwrap();
        assert!(
            store
                .application("helper-app")
                .unwrap()
                .matches(&ApplicationMatchInput {
                    dns_query: Some("svc.helpers.local"),
                    ..Default::default()
                })
        );
    }
}