Add TACACS+ support per #660 (#662)

Build.PL

@@ -27,6 +27,7 @@ Module::Build->new(
     'App::local::lib::helper' => '0.07',
     'Archive::Extract' => '0',
     'Authen::Radius' => '0',
+    'Authen::TacacsPlus' => '0',
     'CGI::Expand' => '2.05',
     'Data::Printer' => '0',
     'DBD::Pg' => '0',

lib/App/Netdisco/DB.pm

@@ -11,7 +11,7 @@ __PACKAGE__->load_namespaces(
 );
 
 our # try to hide from kwalitee
-  $VERSION = 60; # schema version used for upgrades, keep as integer
+  $VERSION = 61; # schema version used for upgrades, keep as integer
 
 use Path::Class;
 use File::ShareDir 'dist_dir';

lib/App/Netdisco/DB/Result/User.pm

@@ -31,6 +31,8 @@ __PACKAGE__->add_columns(
   { data_type => "boolean", default_value => \"false", is_nullable => 1 },
   "radius",
   { data_type => "boolean", default_value => \"false", is_nullable => 1 },
+  "tacacs",
+  { data_type => "boolean", default_value => \"false", is_nullable => 1 },
   "admin",
   { data_type => "boolean", default_value => \"false", is_nullable => 1 },
   "fullname",

lib/App/Netdisco/DB/Result/Virtual/UserRole.pm

@@ -23,6 +23,9 @@ __PACKAGE__->result_source_instance->view_definition(<<ENDSQL
   SELECT username, 'radius' AS role FROM users
     WHERE radius
   UNION
+  SELECT username, 'tacacs' AS role FROM users
+    WHERE tacacs
+  UNION
   SELECT username, 'api' AS role FROM users
     WHERE token IS NOT NULL AND token_from IS NOT NULL
 ENDSQL

lib/App/Netdisco/Web/Auth/Provider/DBIC.pm

@@ -14,6 +14,7 @@ use Dancer::Plugin::Passphrase;
 use Digest::MD5;
 use Net::LDAP;
 use Authen::Radius;
+use Authen::TacacsPlus;
 use Try::Tiny;
 
 sub authenticate_user {
@@ -113,6 +114,9 @@ sub match_password {
     elsif ($user->radius) {
       $pwmatch_result = $self->match_with_radius($password, $username);
     }
+    elsif ($user->tacacs) {
+      $pwmatch_result = $self->match_with_tacacs($password, $username);
+    }
     else {
       $pwmatch_result = $self->match_with_local_pass($password, $user);
     }
@@ -251,4 +255,24 @@ sub match_with_radius {
   return $radius_return;
 }
 
+sub match_with_tacacs {
+  my($self, $pass, $user) = @_;
+  return unless setting('tacacs') and ref {} eq ref setting('tacacs');
+
+  my $conf = setting('tacacs');
+  my $tacacs = new Authen::TacacsPlus(Host => $conf->{server}, Key => $conf->{key});
+  if (not $tacacs) {
+      debug sprintf('auth error: Authen::TacacsPlus: %s', Authen::TacacsPlus::errmsg());
+      return undef;
+  }
+
+  my $tacacs_return = $tacacs->authen($user,$pass);
+  if (not $tacacs_return) {
+      debug sprintf('error: Authen::TacacsPlus: %s', Authen::TacacsPlus::errmsg());
+  }
+  $tacacs->close();
+
+  return $tacacs_return;
+}
+
 1;

lib/App/Netdisco/Web/Plugin/AdminTask/Users.pm

@@ -42,6 +42,7 @@ ajax '/ajax/control/admin/users/add' => require_role setting('defanged_admin') =
           fullname => param('fullname'),
           ldap => (param('ldap') ? \'true' : \'false'),
           radius => (param('radius') ? \'true' : \'false'),
+          tacacs => (param('tacacs') ? \'true' : \'false'),
           port_control => (param('port_control') ? \'true' : \'false'),
           admin => (param('admin') ? \'true' : \'false'),
           note => param('note'),
@@ -73,6 +74,7 @@ ajax '/ajax/control/admin/users/update' => require_role setting('defanged_admin'
         fullname => param('fullname'),
         ldap => (param('ldap') ? \'true' : \'false'),
         radius => (param('radius') ? \'true' : \'false'),
+        tacacs => (param('tacacs') ? \'true' : \'false'),
         port_control => (param('port_control') ? \'true' : \'false'),
         admin => (param('admin') ? \'true' : \'false'),
         note => param('note'),

share/schema_versions/App-Netdisco-DB-60-61-PostgreSQL.sql

@@ -0,0 +1,5 @@
+BEGIN;
+
+ALTER TABLE users ADD COLUMN "tacacs" boolean DEFAULT false;
+
+COMMIT;

share/views/ajax/admintask/users.tt

@@ -6,6 +6,7 @@
       <th class="nd_center-cell">Password</th>
       <th class="nd_center-cell">LDAP Auth</th>
       <th class="nd_center-cell">RADIUS Auth</th>
+      <th class="nd_center-cell">TACACS+ Auth</th>
       <th class="nd_center-cell">Port Control</th>
       <th class="nd_center-cell">Administrator</th>
       <th class="nd_center-cell">Created</th>
@@ -21,6 +22,7 @@
       <td class="nd_center-cell"><input class="span2" data-form="add" name="password" type="password"></td>
       <td class="nd_center-cell"><input data-form="add" type="checkbox" name="ldap"></td>
       <td class="nd_center-cell"><input data-form="add" type="checkbox" name="radius"></td>
+      <td class="nd_center-cell"><input data-form="add" type="checkbox" name="tacacs"></td>
       <td class="nd_center-cell"><input data-form="add" type="checkbox" name="port_control"></td>
       <td class="nd_center-cell"><input data-form="add" type="checkbox" name="admin"></td>
       <td class="nd_center-cell"></td>
@@ -50,6 +52,9 @@
       <td class="nd_center-cell">
         <input data-form="update" name="radius" type="checkbox" [% ' checked="checked"' IF row.radius %]>
       </td>
+      <td class="nd_center-cell">
+        <input data-form="update" name="tacacs" type="checkbox" [% ' checked="checked"' IF row.tacacs %]>
+      </td>
       <td class="nd_center-cell">
         <input data-form="update" name="port_control" type="checkbox" [% ' checked="checked"' IF row.port_control %]>
       </td>

share/views/ajax/admintask/users_csv.tt

@@ -1,6 +1,6 @@
 [% USE CSV -%]
 [% CSV.dump([ 'Full Name' 'Username'
-              'LDAP Auth' 'RADIUS Auth' 'Port Control' 'Administrator' 'Created'
+              'LDAP Auth' 'RADIUS Auth' 'TACACS+ Auth' 'Port Control' 'Administrator' 'Created'
               'Last Login' 'Note']) %]
 
 [% FOREACH row IN results %]
@@ -9,6 +9,7 @@
   [% mylist.push(row.username) %]
   [% mylist.push(row.ldap) %]
   [% mylist.push(row.radius) %]
+  [% mylist.push(row.tacacs) %]
   [% mylist.push(row.port_control) %]
   [% mylist.push(row.admin) %]
   [% mylist.push(row.created) %]