dns/bind: Make builtin ACLs available

Makes the builtin ACLs (none, any. localhost and localnets) available
for selection:

1. Created new custom field types:
    * AclField extending ArrayField
    * AclModelRelationField extending ModelRelationField
    * AclNetField extending NetworkField
2. Adds builtin ACLs as child nodes to ACL list via new AclField field type
3. Removes builtin name RegEx constraint from name field in Acl model
4. Ensures "any" and "none" builtins cannot be part of an ACL multi-select
via new AclModelRelationField field type
5. Ensures network validation is skipped for builtin ACLs via new AclNetField
field type
6. Updates the General and Domain models to use AclModelRelationField
7. Updates general.volt to:
    * Disable command buttons for builtin ACLs
    * Ensure the builtin ACLs are added to config.xml
8. Updates named.conf to exclude builtin ACLs from custom name list
9. Bumps model versions:
    * Acl to v1.0.1
    * General to v1.0.13
    * Domain to v1.1.3

Signed-off-by: benyamin-codez <[email protected]>

Author: benyamin-codez

dns/bind/src/opnsense/mvc/app/controllers/OPNsense/Bind/Api/AclController.php

@@ -52,7 +52,11 @@ public function addAclAction()
 
     public function delAclAction($uuid)
     {
-        return $this->delBase('acls.acl', $uuid);
+        $del_tgt = $this->getBase('acl', 'acls.acl', $uuid);
+        # skip if builtins...
+        if (!($del_tgt['acl']['name'] == 'any' || $del_tgt['acl']['name'] == 'localnets' || $del_tgt['acl']['name'] == 'localhost' || $del_tgt['acl']['name'] == 'none')) {
+            return $this->delBase('acls.acl', $uuid);
+        }
     }
 
     public function setAclAction($uuid)

dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Acl.xml

@@ -1,26 +1,26 @@
 <model>
     <mount>//OPNsense/bind/acl</mount>
     <description>BIND ACL configuration</description>
-    <version>1.0.0</version>
+    <version>1.0.1</version>
     <items>
         <acls>
-            <acl type="ArrayField">
+            <acl type=".\AclField">
                 <enabled type="BooleanField">
                     <Default>1</Default>
                     <Required>Y</Required>
                 </enabled>
                 <name type="TextField">
                     <Required>Y</Required>
-                    <Mask>/^(?!any$|localhost$|localnets$|none$)[0-9a-zA-Z_\-]{1,32}$/u</Mask>
-                    <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9, a-z, A-Z, _ and -. Built-in ACL names must not be used: any, localhost, localnets, none.</ValidationMessage>
+                    <Mask>/^[0-9a-zA-Z_\-]{1,32}$/u</Mask>
+                    <ValidationMessage>Should be a string between 1 and 32 characters. Allowed characters are 0-9, a-z, A-Z, _ and -.</ValidationMessage>
                      <Constraints>
                         <check001>
                             <ValidationMessage>An ACL with this name already exists.</ValidationMessage>
                             <type>UniqueConstraint</type>
                         </check001>
                     </Constraints>
                 </name>
-                <networks type="NetworkField">
+                <networks type=".\AclNetField">
                     <Required>Y</Required>
                     <AsList>Y</AsList>
                 </networks>

dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/Domain.xml

@@ -1,7 +1,7 @@
 <model>
     <mount>//OPNsense/bind/domain</mount>
     <description>BIND domain configuration</description>
-    <version>1.1.2</version>
+    <version>1.1.3</version>
     <items>
         <domains>
             <domain type="ArrayField">
@@ -42,7 +42,7 @@
                 <domainname type="TextField">
                     <Required>Y</Required>
                 </domainname>
-                <allowtransfer type="ModelRelationField">
+                <allowtransfer type=".\AclModelRelationField">
                     <Model>
                         <template>
                             <source>OPNsense.Bind.Acl</source>
@@ -53,7 +53,7 @@
                     <Multiple>Y</Multiple>
                 </allowtransfer>
                 <allowrndctransfer type="BooleanField"/>
-                <allowquery type="ModelRelationField">
+                <allowquery type=".\AclModelRelationField">
                     <Model>
                         <template>
                             <source>OPNsense.Bind.Acl</source>

dns/bind/src/opnsense/mvc/app/models/OPNsense/Bind/FieldTypes/AclField.php

@@ -0,0 +1,163 @@
+<?php
+
+/*
+ * Copyright (C) 2025 Deciso B.V.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright notice,
+ *    this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ * AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ * OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ * POSSIBILITY OF SUCH DAMAGE.
+ */
+
+namespace OPNsense\BIND\FieldTypes;
+
+use OPNsense\Base\FieldTypes\ArrayField;
+
+class ACLField extends ArrayField
+{
+    /*
+     * Extends ArrayField to programmatically add BIND's builtin ACL types to
+     * the model. The private property $internalTemplateNode is duplicated.
+     * The actionPostLoadingEvent() method is replaced to add the builtin ACLs
+     * as child nodes. The ability to add static children is removed. The builtin
+     * ACL names are defined by the static $builtinNames property. Values for the
+     * builtin ACLs are populated by the getBuiltinChildren() method. The public
+     * function add() is also required.
+     */
+
+    /**
+     * {@inheritdoc}
+     */
+    private $internalTemplateNode = null;
+
+    /**
+     * @var list to define builtin BIND ACL names
+     */
+    private static $builtinNames = ['none', 'localhost', 'localnets', 'any'];
+
+    /**
+     * @return array of builtin BIND ACLs
+     */
+    protected function getBuiltinChildren()
+    {
+        $builtins = [];
+        foreach (self::$builtinNames as $aclName) {
+            $builtins [] = [
+                'enabled' => '1',
+                'name' => $aclName,
+                'networks' => 'system derived'
+            ];
+        }
+        return $builtins;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function add()
+    {
+        $nodeUUID = $this->generateUUID();
+        $container_node = $this->newContainerField($this->__reference . "." . $nodeUUID, $this->internalXMLTagName);
+
+        $template_ref = $this->internalTemplateNode->__reference;
+        foreach ($this->internalTemplateNode->iterateItems() as $key => $node) {
+            $new_node = clone $node;
+            $new_node->setInternalReference($container_node->__reference . "." . $key);
+            $new_node->applyDefault();
+            $new_node->setChanged();
+            $container_node->addChildNode($key, $new_node);
+
+            if ($node->isContainer()) {
+                foreach ($node->iterateRecursiveItems() as $subnode) {
+                    if (is_a($subnode, "OPNsense\\Base\\FieldTypes\\ArrayField")) {
+                        // validate child nodes, nesting not supported in this version.
+                        throw new \Exception("Unsupported copy, Array doesn't support nesting.");
+                    }
+                }
+
+                /**
+                 * XXX: incomplete, only supports one nesting level of container fields. In the long run we probably
+                 *      should refactor the add() function to push identifiers differently.
+                 */
+                foreach ($node->iterateItems() as $subkey => $subnode) {
+                    $new_subnode = clone $subnode;
+                    $new_subnode->setInternalReference($new_node->__reference . "." . $subkey);
+                    $new_subnode->applyDefault();
+                    $new_subnode->setChanged();
+                    $new_node->addChildNode($subkey, $new_subnode);
+                }
+            }
+        }
+
+        // make sure we have a UUID on repeating child items
+        $container_node->setAttributeValue("uuid", $nodeUUID);
+
+        // add node to this object
+        $this->addChildNode($nodeUUID, $container_node);
+
+        return $container_node;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    protected function actionPostLoadingEvent()
+    {
+        // always make sure there's a node to copy our structure from
+        if ($this->internalTemplateNode == null) {
+            $firstKey = array_keys($this->internalChildnodes)[0];
+            $this->internalTemplateNode = $this->internalChildnodes[$firstKey];
+            /**
+             * if first node is empty, remove reference node.
+             */
+            if ($this->internalChildnodes[$firstKey]->getInternalIsVirtual()) {
+                unset($this->internalChildnodes[$firstKey]);
+            }
+        }
+
+        // init builtin entries returned by getBuiltinChildren()
+        foreach (static::getBuiltinChildren() as $skey => $payload) {
+            $nodeUUID = $this->generateUUID();
+            $container_node = $this->newContainerField($this->__reference . "." . $nodeUUID, $this->internalXMLTagName);
+            $container_node->setAttributeValue("uuid", $nodeUUID);
+            $template_ref = $this->internalTemplateNode->__reference;
+            foreach ($this->internalTemplateNode->iterateItems() as $key => $value) {
+                if ($key == 'name') {
+                    foreach ($this->iterateItems() as $pkey => $pnode) {
+                        foreach ($pnode->iterateItems() as $subkey => $subnode) {
+                            if ($subkey == 'name' && $subnode == $payload[$key]) {
+                                // The builtin ACL already exists, let's skip it...
+                                continue 4;
+                            }
+                        }
+                    }
+                }
+                $node = clone $value;
+                $node->setInternalReference($container_node->__reference . "." . $key);
+                if (isset($payload[$key])) {
+                    $node->setValue($payload[$key]);
+                }
+                $node->setChanged();
+                $container_node->addChildNode($key, $node);
+            }
+            $this->addChildNode($nodeUUID, $container_node);
+        }
+    }
+}