From 94c39a5427953793fc1b54b6dda153aa110753d0 Mon Sep 17 00:00:00 2001
From: Andrea Leardini
Date: Thu, 30 Jan 2025 11:22:10 +0100
Subject: [PATCH] fix(ns-api): add dns-list-zones api

---
 packages/ns-api/README.md | 17 +++++++++++++++++
 packages/ns-api/files/ns.threatshield | 14 +++++++++++++-
 2 files changed, 30 insertions(+), 1 deletion(-)

diff --git a/packages/ns-api/README.md b/packages/ns-api/README.md
index b147f9a6..389003ec 100644
--- a/packages/ns-api/README.md
+++ b/packages/ns-api/README.md
@@ -5978,6 +5978,23 @@ Response example:
 {"message": "success"}
 ```

+### dns-list-zones
+
+List firewall zones that can be configured on Threat shield DNS (all zones but WAN):
+```
+api-cli ns.threatshield dns-list-zones
+```
+
+Response example:
+```json
+{
+ "data": [
+ "lan",
+ "myzone"
+ ]
+}
+```
+
 ### dns-list-allowed

 List domains always allowed:
diff --git a/packages/ns-api/files/ns.threatshield b/packages/ns-api/files/ns.threatshield
index d4b0ff3e..2297b996 100644
--- a/packages/ns-api/files/ns.threatshield
+++ b/packages/ns-api/files/ns.threatshield
@@ -14,7 +14,7 @@ import urllib.request
 import urllib.error
 from euci import EUci
 from nethsec.utils import ValidationError
-from nethsec import utils
+from nethsec import utils, firewall
 import base64
 import time
 import subprocess
@@ -397,6 +397,13 @@ def dns_edit_blocklist(e_uci, payload):
 e_uci.save('adblock')
 return {'message': 'success'}

+def dns_list_zones(e_uci):
+ zones_no_wan = {zone_name: zone for zone_name, zone in firewall.list_zones_no_aliases(e_uci).items() if zone['name'] != 'wan'}
+ zones = []
+ for zone in zones_no_wan.values():
+ zones.append(zone['name'])
+ return { 'data': zones }
+
 def dns_list_settings(e_uci):
 ts_enabled = e_uci.get('adblock', 'global', 'ts_enabled', default='0')
 try:
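Review bot: The WAN exclusion in `dns_list_zones` is an exact match on the zone name `'wan'`, and the same literal is repeated in the guard added to `dns_edit_settings` in the `@@ -411` hunk, so the list and the validation can drift apart and neither covers an untrusted zone that carries a different name. Whether such zones can occur depends on what `firewall.list_zones_no_aliases` returns, which is not visible here. A docstring stating the contract would help, for example `"""Return the names of firewall zones selectable for Threat shield DNS: every zone except the one named 'wan'."""`. The intermediate dict and the append loop can be collapsed to `return {'data': [z['name'] for z in firewall.list_zones_no_aliases(e_uci).values() if z['name'] != 'wan']}`.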
@@ -411,6 +418,8 @@ def dns_list_settings(e_uci):

 def dns_edit_settings(e_uci, payload):
 if payload['enabled']:
+ if 'zones' in payload and 'wan' in payload['zones']:
+ raise ValidationError('zones', 'wan_zone_not_allowed', payload['zones'])
 e_uci.set('adblock', 'global', 'ts_enabled', '1')
 e_uci.set('adblock', 'global', 'adb_enabled', '1')
 e_uci.set('adblock', 'global', 'adb_backup', '1')
@@ -557,6 +566,7 @@ if cmd == 'list':
 'dns-list-blocklist': {},
 'dns-edit-blocklist': { "blocklist": "blocklist_name", "enabled": True },
 'dns-list-settings': {},
+ 'dns-list-zones': {},
 'dns-edit-settings': { 'enabled': True, 'zones': ["lan"], "ports": ["53", "853"] },
 'dns-list-allowed': {},
 'dns-add-allowed': { 'address': 'test.org' , 'description': 'optional'},
@@ -617,6 +627,8 @@ elif cmd == 'call':
 elif action == 'dns-edit-settings':
 payload = json.loads(sys.stdin.read())
 ret = dns_edit_settings(e_uci, payload)
+ elif action == 'dns-list-zones':
+ ret = dns_list_zones(e_uci)
 elif action == 'dns-add-allowed':
 payload = json.loads(sys.stdin.read())
 ret = dns_add_allowed(payload)
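Review bot: The guard added at the top of the `if payload['enabled']:` branch of `dns_edit_settings` rejects only the literal name `wan` and lets every other value in `payload['zones']` through, including names that are not firewall zones at all, so the write path accepts more than `dns-list-zones` offers. Validating against that list closes the gap: `allowed = dns_list_zones(e_uci)['data']` followed by `if any(z not in allowed for z in payload['zones']):` raising the same kind of `ValidationError`. If `zones` arrives as a string rather than a list, `'wan' in payload['zones']` becomes a substring test, so an `isinstance(payload['zones'], list)` check belongs in front of it. The guard is also skipped when `enabled` is false, and the rest of the function lies outside the hunk, so it is worth confirming that no later branch writes the zones unchecked.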