NAS-139116: Add hosts allow/deny fields to SMB share purposes (#13056)

(cherry picked from commit 28b3164)

Co-authored-by: William Grzybowski <[email protected]>

Author: bugclerk

src/app/helptext/sharing/smb/smb.ts

@@ -114,34 +114,29 @@ export const helptextSharingSmb = {
   ),
 
   hostsallowLabel: T('Hosts Allow'),
-  hostsAllowTooltip: T('Enter a list of allowed hostnames or IP addresses.\
-    Separate entries by pressing <code>Enter</code>. A more detailed description \
-    with examples can be found \
-    <a href="https://wiki.samba.org/index.php/1.4_Samba_Security" target="_blank">here</a>. <br><br> \
-    If neither *Hosts Allow* or *Hosts Deny* contains \
-    an entry, then SMB share access is allowed for any host. <br><br> \
-    If there is a *Hosts Allow* list but no *Hosts Deny* list, then only allow \
-    hosts on the *Hosts Allow* list. <br><br> \
-    If there is a *Hosts Deny* list but no *Hosts Allow* list, then allow all \
-    hosts that are not on the *Hosts Deny* list. <br><br> \
-    If there is both a *Hosts Allow* and *Hosts Deny* list, then allow all hosts \
-    that are on the *Hosts Allow* list. <br><br> \
-    If there is a host not on the *Hosts Allow* and not on the *Hosts Deny* list, \
-    then allow it.'),
+  hostsAllowTooltip: T('A list of IP addresses or subnets that are allowed to access the SMB share. \
+Separate entries by pressing <code>Enter</code>. The EXCEPT keyword may be used to limit a wildcard list. \
+<br><br><b>Note:</b> Hostname lookups are disabled on the SMB server for performance reasons. \
+<br><br><b>Examples:</b><br> \
+• Single IPs: <code>192.168.0.200</code>, <code>150.203.</code><br> \
+• CIDR notation: <code>150.203.15.0/255.255.255.0</code><br> \
+• EXCEPT syntax: <code>150.203. EXCEPT 150.203.6.66</code> \
+<br><br><b>Behavior:</b><br> \
+• If neither <i>Hosts Allow</i> nor <i>Hosts Deny</i> contains an entry, SMB share access is allowed for any host.<br> \
+• If there is a <i>Hosts Allow</i> list but no <i>Hosts Deny</i> list, only allow hosts on the <i>Hosts Allow</i> list.<br> \
+• If there is both a <i>Hosts Allow</i> and <i>Hosts Deny</i> list, allow all hosts on the <i>Hosts Allow</i> list.<br> \
+• Hosts not on either list are allowed.'),
   hostsdenyLabel: T('Hosts Deny'),
   hostsdenyTooltip: T(
-    'Enter a list of denied hostnames or IP addresses.\
- Separate entries by pressing <code>Enter</code>. \
- If neither *Hosts Allow* or *Hosts Deny* contains \
- an entry, then SMB share access is allowed for any host. <br><br> \
- If there is a *Hosts Allow* list but no *Hosts Deny* list, then only allow \
- hosts on the *Hosts Allow* list. <br><br> \
- If there is a *Hosts Deny* list but no *Hosts Allow* list, then allow all \
- hosts that are not on the *Hosts Deny* list. <br><br> \
- If there is both a *Hosts Allow* and *Hosts Deny* list, then allow all hosts \
- that are on the *Hosts Allow* list. <br><br> \
- If there is a host not on the *Hosts Allow* and not on the *Hosts Deny* list, \
- then allow it.',
+    'A list of IP addresses or subnets that are not allowed to access the SMB share. \
+Separate entries by pressing <code>Enter</code>. The keyword <code>ALL</code> or the netmask \
+<code>0.0.0.0/0</code> may be used to deny all by default. \
+<br><br><b>Examples:</b><br> \
+• Partial IPs: <code>150.203.4.</code><br> \
+• Deny all: <code>ALL</code> or <code>0.0.0.0/0</code> \
+<br><br><b>Behavior:</b><br> \
+• If there is a <i>Hosts Deny</i> list but no <i>Hosts Allow</i> list, allow all hosts not on the <i>Hosts Deny</i> list.<br> \
+• If there is both a <i>Hosts Allow</i> and <i>Hosts Deny</i> list, the <i>Hosts Allow</i> list takes precedence.',
   ),
 
   shadowcopyLabel: T('Enable Shadow Copies'),

src/app/interfaces/smb-share.interface.ts

@@ -106,7 +106,7 @@ export interface ExternalSmbShare extends BaseShare {
 
 export interface VeeamRepositorySmbShare extends BaseShare {
   purpose: SmbSharePurpose.VeeamRepositoryShare;
-  options: Record<string, never>;
+  options: VeeamRepositorySmbShareOptions;
 }
 
 export interface FcpSmbShare extends BaseShare {
@@ -116,6 +116,8 @@ export interface FcpSmbShare extends BaseShare {
 
 export interface FcpSmbShareOptions {
   aapl_name_mangling?: boolean;
+  hostsallow?: string[];
+  hostsdeny?: string[];
 }
 
 export type SmbShareOptions =
@@ -126,6 +128,7 @@ export type SmbShareOptions =
   | TimeLockedSmbShareOptions
   | PrivateDatasetsSmbShareOptions
   | ExternalSmbShareOptions
+  | VeeamRepositorySmbShareOptions
   | FcpSmbShareOptions;
 
 export interface LegacySmbShareOptions {
@@ -150,6 +153,8 @@ export interface LegacySmbShareOptions {
 
 export interface DefaultSmbShareOptions {
   aapl_name_mangling?: boolean;
+  hostsallow?: string[];
+  hostsdeny?: string[];
 }
 
 export interface TimeMachineSmbShareOptions {
@@ -158,27 +163,40 @@ export interface TimeMachineSmbShareOptions {
   auto_snapshot?: boolean;
   auto_dataset_creation?: boolean;
   dataset_naming_schema?: string | null;
+  hostsallow?: string[];
+  hostsdeny?: string[];
 }
 
 export interface MultiProtocolSmbShareOptions {
   aapl_name_mangling?: boolean;
+  hostsallow?: string[];
+  hostsdeny?: string[];
 }
 
 export interface TimeLockedSmbShareOptions {
   grace_period?: number;
   aapl_name_mangling?: boolean;
+  hostsallow?: string[];
+  hostsdeny?: string[];
 }
 
 export interface PrivateDatasetsSmbShareOptions {
   dataset_naming_schema?: string | null;
   auto_quota?: number;
   aapl_name_mangling?: boolean;
+  hostsallow?: string[];
+  hostsdeny?: string[];
 }
 
 export interface ExternalSmbShareOptions {
   remote_path?: string[];
 }
 
+export interface VeeamRepositorySmbShareOptions {
+  hostsallow?: string[];
+  hostsdeny?: string[];
+}
+
 export interface SmbSharesec {
   id: number;
   share_acl: SmbSharesecAce[];

src/app/pages/sharing/smb/smb-form/smb-form-presets.ts

@@ -1,26 +1,28 @@
 import {
-  SmbSharePurpose, SmbShare,
+  SmbSharePurpose, SmbShareOptions,
 } from 'app/interfaces/smb-share.interface';
 
-export const presetEnabledFields: Partial<{
-  [T in SmbSharePurpose]: (keyof Extract<SmbShare, { purpose: T }>['options'])[]
-}> = {
+// Distribute keyof over union to get all possible option keys
+type AllOptionKeys<T> = T extends unknown ? keyof T : never;
+type OptionKeys = AllOptionKeys<SmbShareOptions>;
+
+export const presetEnabledFields: Partial<Record<SmbSharePurpose, OptionKeys[]>> = {
   [SmbSharePurpose.LegacyShare]: [
-    'recyclebin', 'path_suffix', 'hostsallow', 'hostsdeny', 'guestok', 'streams',
-    'durablehandle', 'shadowcopy', 'fsrvp', 'home', 'acl', 'afp', 'timemachine',
-    'timemachine_quota', 'aapl_name_mangling', 'auxsmbconf', 'vuid',
+    'recyclebin', 'path_suffix', 'guestok', 'streams', 'durablehandle', 'shadowcopy',
+    'fsrvp', 'home', 'acl', 'afp', 'timemachine', 'timemachine_quota',
+    'aapl_name_mangling', 'auxsmbconf', 'vuid', 'hostsallow', 'hostsdeny',
   ],
-  [SmbSharePurpose.DefaultShare]: ['aapl_name_mangling'],
+  [SmbSharePurpose.DefaultShare]: ['aapl_name_mangling', 'hostsallow', 'hostsdeny'],
   [SmbSharePurpose.TimeMachineShare]: [
-    'timemachine_quota', 'vuid', 'auto_snapshot',
-    'auto_dataset_creation', 'dataset_naming_schema',
+    'timemachine_quota', 'vuid', 'auto_snapshot', 'auto_dataset_creation',
+    'dataset_naming_schema', 'hostsallow', 'hostsdeny',
   ],
-  [SmbSharePurpose.MultiProtocolShare]: ['aapl_name_mangling'],
-  [SmbSharePurpose.TimeLockedShare]: ['grace_period', 'aapl_name_mangling'],
+  [SmbSharePurpose.MultiProtocolShare]: ['aapl_name_mangling', 'hostsallow', 'hostsdeny'],
+  [SmbSharePurpose.TimeLockedShare]: ['grace_period', 'aapl_name_mangling', 'hostsallow', 'hostsdeny'],
   [SmbSharePurpose.PrivateDatasetsShare]: [
-    'dataset_naming_schema', 'auto_quota', 'aapl_name_mangling',
+    'dataset_naming_schema', 'auto_quota', 'aapl_name_mangling', 'hostsallow', 'hostsdeny',
   ],
   [SmbSharePurpose.ExternalShare]: ['remote_path'],
-  [SmbSharePurpose.VeeamRepositoryShare]: [],
-  [SmbSharePurpose.FcpShare]: ['aapl_name_mangling'],
+  [SmbSharePurpose.VeeamRepositoryShare]: ['hostsallow', 'hostsdeny'],
+  [SmbSharePurpose.FcpShare]: ['aapl_name_mangling', 'hostsallow', 'hostsdeny'],
 };

src/app/pages/sharing/smb/smb-form/smb-form.component.spec.ts

@@ -321,6 +321,8 @@ describe('SmbFormComponent', () => {
         },
         options: {
           aapl_name_mangling: true,
+          hostsallow: [],
+          hostsdeny: [],
         },
       }]);
     });
@@ -345,6 +347,8 @@ describe('SmbFormComponent', () => {
             auto_snapshot: true,
             auto_dataset_creation: true,
             dataset_naming_schema: '%u',
+            hostsallow: [],
+            hostsdeny: [],
           },
         }),
       ]);
@@ -362,6 +366,8 @@ describe('SmbFormComponent', () => {
           purpose: SmbSharePurpose.MultiProtocolShare,
           options: {
             aapl_name_mangling: true,
+            hostsallow: [],
+            hostsdeny: [],
           },
         }),
       ]);
@@ -381,6 +387,8 @@ describe('SmbFormComponent', () => {
           options: {
             grace_period: 900,
             aapl_name_mangling: true,
+            hostsallow: [],
+            hostsdeny: [],
           },
         }),
       ]);
@@ -402,6 +410,8 @@ describe('SmbFormComponent', () => {
             dataset_naming_schema: '%u',
             auto_quota: 20,
             aapl_name_mangling: true,
+            hostsallow: [],
+            hostsdeny: [],
           },
         }),
       ]);
@@ -433,7 +443,10 @@ describe('SmbFormComponent', () => {
       expect(api.call).toHaveBeenLastCalledWith('sharing.smb.create', [
         expect.objectContaining({
           purpose: SmbSharePurpose.VeeamRepositoryShare,
-          options: {},
+          options: {
+            hostsallow: [],
+            hostsdeny: [],
+          },
         }),
       ]);
     });
@@ -461,10 +474,31 @@ describe('SmbFormComponent', () => {
           },
           options: {
             aapl_name_mangling: true,
+            hostsallow: [],
+            hostsdeny: [],
           },
         }),
       ]);
     });
+
+    it('sends hosts allow and deny values when specified', async () => {
+      await submitForm({
+        ...commonValues,
+        Purpose: 'Default Share',
+        'Hosts Allow': ['192.168.1.0/24', '10.0.0.1'],
+        'Hosts Deny': ['172.16.0.0/16'],
+      });
+
+      expect(api.call).toHaveBeenLastCalledWith('sharing.smb.create', [
+        expect.objectContaining({
+          purpose: SmbSharePurpose.DefaultShare,
+          options: expect.objectContaining({
+            hostsallow: ['192.168.1.0/24', '10.0.0.1'],
+            hostsdeny: ['172.16.0.0/16'],
+          }),
+        }),
+      ]);
+    });
   });
 
   describe('edit default share', () => {
@@ -488,6 +522,8 @@ describe('SmbFormComponent', () => {
         'Browsable to Network Clients': true,
         'Access Based Share Enumeration': true,
         'Enable Logging': false,
+        'Hosts Allow': [],
+        'Hosts Deny': [],
 
         'Use Apple-style Character Encoding': true,
       });
@@ -625,6 +661,8 @@ describe('SmbFormComponent', () => {
         'Export Read Only',
         'Browsable to Network Clients',
         'Access Based Share Enumeration',
+        'Hosts Allow',
+        'Hosts Deny',
         'Enable Logging',
         'Use Apple-style Character Encoding',
       ]);