From fdded458e00bfbb6b906e6fea75555d4b67387cd Mon Sep 17 00:00:00 2001
From: Ad Schellevis <ad@opnsense.org>
Date: Wed, 19 Feb 2025 15:59:30 +0100
Subject: [PATCH] Firewall: Aliases - offer better pluggability for dynamic
 alias types and move current json static_aliases and interface networks into
 their own classes.

When services offer aliases which are less static, the current json option isn't very practical as we only want the package manager to ship files into these directories.
The new DynamicAliases namespace may contain simple php classes, which return a named set of aliases to merge into the set.

Since all of these classes are created on each alias query, it's highly advisable to keep their implementations as lightweight as possible.
---
 plist                                         |  3 ++
 .../app/models/OPNsense/Firewall/Alias.php    |  2 +-
 .../InterfaceNetworkAliases.php               | 54 +++++++++++++++++++
 .../Firewall/DynamicAliases/README.md         | 11 ++++
 .../Firewall/DynamicAliases/StaticAliases.php | 46 ++++++++++++++++
 .../Firewall/FieldTypes/AliasField.php        | 45 +++++++++-------
 6 files changed, 140 insertions(+), 21 deletions(-)
 create mode 100644 src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/InterfaceNetworkAliases.php
 create mode 100644 src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/README.md
 create mode 100644 src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/StaticAliases.php

diff --git a/plist b/plist
index e45d98f51..4bef2c62f 100644
--- a/plist
+++ b/plist
@@ -731,6 +731,9 @@
 /usr/local/opnsense/mvc/app/models/OPNsense/Firewall/Alias.xml
 /usr/local/opnsense/mvc/app/models/OPNsense/Firewall/Category.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Firewall/Category.xml
+/usr/local/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/InterfaceNetworkAliases.php
+/usr/local/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/README.md
+/usr/local/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/StaticAliases.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/AliasContentField.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/AliasField.php
 /usr/local/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/AliasNameField.php
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/Alias.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/Alias.php
index bf3cad09e..2d4489872 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/Alias.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/Alias.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2018 Deciso B.V.
+ *    Copyright (C) 2018-2025 Deciso B.V.
  *
  *    All rights reserved.
  *
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/InterfaceNetworkAliases.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/InterfaceNetworkAliases.php
new file mode 100644
index 000000000..513aeec8c
--- /dev/null
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/InterfaceNetworkAliases.php
@@ -0,0 +1,54 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Firewall\DynamicAliases;
+
+use OPNsense\Core\Config;
+
+
+class InterfaceNetworkAliases
+{
+    public function collect()
+    {
+        $result = [];
+        foreach (Config::getInstance()->object()->interfaces->children() as $k => $n) {
+            $table_name = sprintf("__%s_network", $k);
+            $table_desc = !empty((string)$n->descr) ? (string)$n->descr : $k;
+            $result[$table_name] = [
+                "enabled" => "1",
+                "name" => $table_name,
+                "type" => "internal",
+                "description" => sprintf("%s %s", $table_desc, gettext("net")),
+                "content" => ""
+            ];
+        }
+        return $result;
+    }
+}
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/README.md b/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/README.md
new file mode 100644
index 000000000..a5c297e28
--- /dev/null
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/README.md
@@ -0,0 +1,11 @@
+DynamicAliases
+========================
+
+This namespace may contain simple classes which generate aliases that should be merged automatically in Firewall/Aliases.
+Each class should have a `collect()` method returning a named array with alias registration info.
+
+An easy example of the expected result can be found in `../static_aliases/core.json`
+
+** Note: make sure actions are "light weight" to prevent excessive api execution times.
+
+
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/StaticAliases.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/StaticAliases.php
new file mode 100644
index 000000000..0ea9ef61e
--- /dev/null
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/DynamicAliases/StaticAliases.php
@@ -0,0 +1,46 @@
+<?php
+
+/**
+ *    Copyright (C) 2025 Deciso B.V.
+ *
+ *    All rights reserved.
+ *
+ *    Redistribution and use in source and binary forms, with or without
+ *    modification, are permitted provided that the following conditions are met:
+ *
+ *    1. Redistributions of source code must retain the above copyright notice,
+ *       this list of conditions and the following disclaimer.
+ *
+ *    2. Redistributions in binary form must reproduce the above copyright
+ *       notice, this list of conditions and the following disclaimer in the
+ *       documentation and/or other materials provided with the distribution.
+ *
+ *    THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ *    INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ *    AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+ *    AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY,
+ *    OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ *    SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ *    INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
+ *    CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ *    ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+ *    POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+namespace OPNsense\Firewall\DynamicAliases;
+
+class StaticAliases
+{
+    public function collect()
+    {
+        $result = [];
+        foreach (glob(__DIR__ . "/../static_aliases/*.json") as $filename) {
+            $payload = json_decode(file_get_contents($filename), true);
+            if (is_array($payload)) {
+                $result = array_merge($result, $payload);
+            }
+        }
+        return $result;
+    }
+}
diff --git a/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/AliasField.php b/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/AliasField.php
index 6369f4ef5..9746b293e 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/AliasField.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Firewall/FieldTypes/AliasField.php
@@ -1,7 +1,7 @@
 <?php
 
 /**
- *    Copyright (C) 2020 Deciso B.V.
+ *    Copyright (C) 2020-2025 Deciso B.V.
  *
  *    All rights reserved.
  *
@@ -30,11 +30,11 @@
 
 namespace OPNsense\Firewall\FieldTypes;
 
+use ReflectionClass;
+use ReflectionException;
 use OPNsense\Base\FieldTypes\ArrayField;
-use OPNsense\Base\FieldTypes\TextField;
-use OPNsense\Base\FieldTypes\IntegerField;
 use OPNsense\Core\Backend;
-use OPNsense\Core\Config;
+
 
 class AliasField extends ArrayField
 {
@@ -51,28 +51,33 @@ class AliasField extends ArrayField
     protected static function getStaticChildren()
     {
         $result = [];
-        foreach (glob(__DIR__ . "/../static_aliases/*.json") as $filename) {
-            $payload = json_decode(file_get_contents($filename), true);
-            if (is_array($payload)) {
-                foreach ($payload as $aliasname => $content) {
-                    $result[$aliasname] = $content;
+        foreach (glob(__DIR__ . "/../DynamicAliases/*.php") as $filename) {
+            $origin = explode('.', basename($filename))[0];
+            $classname = 'OPNsense\\Firewall\\DynamicAliases\\' . $origin;
+            try {
+                $obj = (new ReflectionClass($classname))->newInstance();
+                $payload = $obj->collect();
+                if (is_array($payload)) {
+                    foreach ($payload as $aliasname => $content) {
+                        /* XXX: will overwrite when exists */
+                        $result[$aliasname] = $content;
+                    }
                 }
+            } catch (\Error | \Exception | ReflectionException $e) {
+                syslog(LOG_ERR, sprintf(
+                    "Invalid DynamicAliases object %s in %s (%s)",
+                    $classname,
+                    realpath($filename),
+                    $e->getMessage()
+                ));
             }
         }
-        foreach (Config::getInstance()->object()->interfaces->children() as $k => $n) {
-            $table_name = sprintf("__%s_network", $k);
-            $table_desc = !empty((string)$n->descr) ? (string)$n->descr : $k;
-            $result[$table_name] = [
-                "enabled" => "1",
-                "name" => $table_name,
-                "type" => "internal",
-                "description" => sprintf("%s %s", $table_desc, gettext("net")),
-                "content" => ""
-            ];
-        }
         return $result;
     }
 
+    /**
+     * {@inheritdoc}
+     */
     protected function actionPostLoadingEvent()
     {
         parent::actionPostLoadingEvent();