135/netdisco
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Refactored ACL support with multi-object compare

Browse Source 
Squashed commit of the following:

commit 4081e22202693bd7c4ea00e95daad8e628c6fd5a
Author: Oliver Gorwits <oliver@cpan.org>
Date:   Mon May 29 21:02:07 2023 +0100

    large rename of check_acl* to acl_matches*

commit 3cfa284ddd24d68765c255578cc5c184afbdcd83
Author: Oliver Gorwits <oliver@cpan.org>
Date:   Fri May 19 20:39:03 2023 +0100

    update permission doc

commit 8c7bb93cc5e9fafb770f98f446e45cbd94b14894
Author: Oliver Gorwits <oliver@cpan.org>
Date:   Wed May 17 21:50:07 2023 +0100

    migrate most check_acl_only to acl_matches_only

commit c47f699f2a22f08f2f3e093ed0f24c891e6f9a82
Author: Oliver Gorwits <oliver@cpan.org>
Date:   Wed May 17 21:39:19 2023 +0100

    rename check_acl* to be acl_matches*

commit a884a22c3ab1f3262118c3a47ed8e25b0b0a7336
Author: Oliver Gorwits <oliver@cpan.org>
Date:   Sun May 14 16:50:42 2023 +0100

    update macsuck_no_deviceports to use acl_matches

commit 8c256af728721329b64d071fa529dfc844073ac6
Author: Oliver Gorwits <oliver@cpan.org>
Date:   Sun May 7 22:54:33 2023 +0100

    update hide_deviceports to use acl_matches multi @things

commit cd5d9978aba1da459be4fed4500f395df13f7784
Author: Oliver Gorwits <oliver@cpan.org>
Date:   Sun May 7 22:53:38 2023 +0100

    check_acl fix to allow all @things to offer a property before fallback to missing as empty string

commit 1a3ab9a7646e9f994f03126d45fc36e9e5a13ed5
Author: Oliver Gorwits <oliver@cpan.org>
Date:   Tue May 2 15:31:17 2023 +0100

    add ignore_deviceports to portproperties discover; improve comments

commit 51385ce89458dc939587dae902fda431719c22c9
Merge: b97c07d2 3f8ffe78
Author: Oliver Gorwits <oliver@cpan.org>
Date:   Tue May 2 15:21:48 2023 +0100

    Merge branch 'master' into og-acl_multidict

commit b97c07d237d750c1d9eb3095d8ff3908512eac2a
Author: Oliver Gorwits <oliver@cpan.org>
Date:   Sat Mar 25 14:37:53 2023 +0000

    add support for arrayref of items, and unblessed hash, to check_acl
This commit is contained in:
Oliver Gorwits
2023-05-29 21:32:07 +01:00
parent 3f8ffe787f
commit 9355f5c2b9
27 changed files with 463 additions and 335 deletions
Download Patch File Download Diff File Expand all files Collapse all files

50
lib/App/Netdisco/Worker/Plugin/Discover/CanonicalIP.pm
View File

@@ -5,7 +5,7 @@ use App::Netdisco::Worker::Plugin;
use aliased 'App::Netdisco::Worker::Status';
use App::Netdisco::Transport::SNMP ();
use App::Netdisco::Util::Permission 'check_acl_no';
use App::Netdisco::Util::Permission 'acl_matches';
use App::Netdisco::Util::DNS 'ipv4_from_hostname';
use App::Netdisco::Util::Device 'is_discoverable';
use Dancer::Plugin::DBIC 'schema';
@@ -34,37 +34,39 @@ register_worker({ phase => 'main', driver => 'snmp' }, sub {
if (scalar @{ setting('device_identity') }) {
my @idmaps = @{ setting('device_identity') };
my $devips = $device->device_ips->order_by('alias');
my @devips = $device->device_ips->order_by('alias')->all;
ALIAS: while (my $alias = $devips->next) {
next if $alias->alias eq $old_ip;
# using ALIASMAP break so that we stop after first successful renumber
foreach my $map (@idmaps) {
next unless ref {} eq ref $map;
ALIASMAP: foreach my $map (@idmaps) {
next unless ref {} eq ref $map;
foreach my $key (sort keys %$map) {
# lhs matches device, rhs matches device_ip
if (check_acl_no($device, $key)
and check_acl_no($alias, $map->{$key})) {
foreach my $key (sort keys %$map) {
# lhs matches device, rhs matches device_ip
next unless $key and $map->{$key};
next unless acl_matches($device, $key);
if (not is_discoverable( $alias->alias )) {
debug sprintf ' [%s] device - cannot renumber to %s - not discoverable',
$old_ip, $alias->alias;
next;
}
foreach my $alias (@devips) {
next if $alias->alias eq $old_ip;
next unless acl_matches($alias, $map->{$key});
if (App::Netdisco::Transport::SNMP->test_connection( $alias->alias )) {
$new_ip = $alias->alias;
last ALIAS;
}
else {
debug sprintf ' [%s] device - cannot renumber to %s - SNMP connect failed',
$old_ip, $alias->alias;
}
if (not is_discoverable( $alias->alias )) {
debug sprintf ' [%s] device - cannot renumber to %s - not discoverable',
$old_ip, $alias->alias;
next;
}
if (App::Netdisco::Transport::SNMP->test_connection( $alias->alias )) {
$new_ip = $alias->alias;
last ALIASMAP;
}
else {
debug sprintf ' [%s] device - cannot renumber to %s - SNMP connect failed',
$old_ip, $alias->alias;
}
}
}
} # ALIAS
}
}
return if $new_ip eq $old_ip;

6
lib/App/Netdisco/Worker/Plugin/Discover/Hooks.pm
View File

@@ -5,7 +5,7 @@ use App::Netdisco::Worker::Plugin;
use aliased 'App::Netdisco::Worker::Status';
use App::Netdisco::Util::Worker;
use App::Netdisco::Util::Permission qw/check_acl_no check_acl_only/;
use App::Netdisco::Util::Permission qw/acl_matches acl_matches_only/;
register_worker({ phase => 'late' }, sub {
my ($job, $workerconf) = @_;
@@ -21,8 +21,8 @@ register_worker({ phase => 'late' }, sub {
my $no = ($conf->{'filter'}->{'no'} || []);
my $only = ($conf->{'filter'}->{'only'} || []);
next if check_acl_no( $job->device, $no );
next unless check_acl_only( $job->device, $only);
next if acl_matches( $job->device, $no );
next unless acl_matches_only( $job->device, $only);
if (vars->{'new_device'} and $conf->{'event'} eq 'new_device') {
$count += queue_hook('new_device', $conf);

4
lib/App/Netdisco/Worker/Plugin/Discover/Neighbors.pm
View File

@@ -6,7 +6,7 @@ use aliased 'App::Netdisco::Worker::Status';
use App::Netdisco::Transport::SNMP ();
use App::Netdisco::Util::Device qw/get_device is_discoverable/;
use App::Netdisco::Util::Permission 'check_acl_no';
use App::Netdisco::Util::Permission 'acl_matches';
use App::Netdisco::JobQueue 'jq_insert';
use Dancer::Plugin::DBIC 'schema';
use List::MoreUtils ();
@@ -185,7 +185,7 @@ sub store_neighbors {
# useable remote IP...
if ((! $r_netaddr) or ($remote_ip eq '0.0.0.0') or
check_acl_no($remote_ip, 'group:__LOOPBACK_ADDRESSES__')) {
acl_matches($remote_ip, 'group:__LOOPBACK_ADDRESSES__')) {
if ($remote_id) {
my $devices = schema('netdisco')->resultset('Device');

6
lib/App/Netdisco/Worker/Plugin/Discover/Neighbors/Routed.pm
View File

@@ -6,7 +6,7 @@ use App::Netdisco::Transport::SNMP;
use aliased 'App::Netdisco::Worker::Status';
use App::Netdisco::Util::Device qw/get_device is_discoverable/;
use App::Netdisco::Util::Permission 'check_acl_no';
use App::Netdisco::Util::Permission 'acl_matches';
use App::Netdisco::JobQueue 'jq_insert';
register_worker({ phase => 'main', driver => 'snmp' }, sub {
@@ -15,8 +15,8 @@ register_worker({ phase => 'main', driver => 'snmp' }, sub {
my $device = $job->device;
return unless $device->in_storage and ($device->has_layer(3)
or check_acl_no($device, 'force_macsuck')
or check_acl_no($device, 'ignore_layers'));
or acl_matches($device, 'force_arpnip')
or acl_matches($device, 'ignore_layers'));
my $snmp = App::Netdisco::Transport::SNMP->reader_for($device)
or return Status->defer("discover failed: could not SNMP connect to $device");

26
lib/App/Netdisco/Worker/Plugin/Discover/PortProperties.pm
View File

@@ -8,6 +8,8 @@ use App::Netdisco::Transport::SNMP ();
use Dancer::Plugin::DBIC 'schema';
use Encode;
use App::Netdisco::Util::Web 'sort_port';
use App::Netdisco::Util::Permission 'acl_matches';
use App::Netdisco::Util::FastResolver 'hostnames_resolve_async';
use App::Netdisco::Util::Device qw/is_discoverable match_to_setting/;
@@ -131,6 +133,28 @@ register_worker({ phase => 'main', driver => 'snmp' }, sub {
$properties{ $port }->{remote_serial} = $rem_serial->{ $idx };
}
if (scalar @{ setting('ignore_deviceports') }) {
foreach my $map (@{ setting('ignore_deviceports')}) {
next unless ref {} eq ref $map;
foreach my $key (sort keys %$map) {
# lhs matches device, rhs matches port
next unless $key and $map->{$key};
next unless acl_matches($device, $key);
foreach my $port (sort { sort_port($a, $b) } keys %properties) {
next unless acl_matches([$properties{$port}, $device_ports->{$port}],
$map->{$key});
debug sprintf ' [%s] properties - removing %s (config:ignore_deviceports)',
$device->ip, $port;
$device_ports->{$port}->delete; # like, for real, in the DB
delete $properties{$port};
}
}
}
}
foreach my $idx (keys %$interfaces) {
next unless defined $idx;
my $port = $interfaces->{$idx} or next;
@@ -155,7 +179,7 @@ register_worker({ phase => 'main', driver => 'snmp' }, sub {
schema('netdisco')->txn_do(sub {
my $gone = $device->properties_ports->delete;
debug sprintf ' [%s] properties - removed %d ports with properties',
debug sprintf ' [%s] properties - removed %d port properties',
$device->ip, $gone;
$device->properties_ports->populate(
[map {{ port => $_, %{ $properties{$_} } }} keys %properties] );

56
lib/App/Netdisco/Worker/Plugin/Discover/Properties.pm
View File

@@ -5,14 +5,16 @@ use App::Netdisco::Worker::Plugin;
use aliased 'App::Netdisco::Worker::Status';
use App::Netdisco::Transport::SNMP ();
use App::Netdisco::Util::Permission qw/check_acl_no check_acl_only/;
use App::Netdisco::Util::Permission qw/acl_matches acl_matches_only/;
use App::Netdisco::Util::FastResolver 'hostnames_resolve_async';
use App::Netdisco::Util::Device 'get_device';
use App::Netdisco::Util::DNS 'hostname_from_ip';
use App::Netdisco::Util::SNMP 'snmp_comm_reindex';
use App::Netdisco::Util::Web 'sort_port';
use Dancer::Plugin::DBIC 'schema';
use Scope::Guard 'guard';
use NetAddr::IP::Lite ':lower';
use Storable 'dclone';
use Encode;
register_worker({ phase => 'early', driver => 'snmp' }, sub {
@@ -66,7 +68,7 @@ register_worker({ phase => 'early', driver => 'snmp' }, sub {
my $protect = setting('snmp_field_protection')->{'device'} || {};
my %dirty = $device->get_dirty_columns;
foreach my $field (keys %dirty) {
next unless check_acl_only($ip, $protect->{$field});
next unless acl_matches_only($ip, $protect->{$field});
if (!defined $dirty{$field} or $dirty{$field} eq '') {
return $job->cancel("discover cancelled: $ip failed to return valid $field");
}
@@ -182,13 +184,6 @@ register_worker({ phase => 'early', driver => 'snmp' }, sub {
my $snmp = App::Netdisco::Transport::SNMP->reader_for($device)
or return Status->defer("discover failed: could not SNMP connect to $device");
# gather device_ips for use in ACLs later
my $device_ips = {};
foreach my $dip ($device->device_ips()->all) {
next unless defined $dip->port and $dip->port;
push @{ $device_ips->{ $dip->port } }, $dip;
}
my $interfaces = $snmp->interfaces;
my $i_type = $snmp->i_type;
my $i_ignore = $snmp->i_ignore;
@@ -272,38 +267,29 @@ register_worker({ phase => 'early', driver => 'snmp' }, sub {
}
if (scalar @{ setting('ignore_deviceports') }) {
foreach my $port (keys %$device_ips) {
if (!exists $deviceports{$port}) {
delete $device_ips->{$port};
next;
}
foreach my $dip (@{ $device_ips->{$port} }) {
$dip->set_inflated_columns({ device_port => $deviceports{$port} });
}
}
foreach my $port (keys %deviceports) {
next if exists $device_ips->{$port};
push @{ $device_ips->{$port} },
schema('netdisco')->resultset('DevicePort')
->new_result( $deviceports{$port} );
}
my $port_map = {};
map { push @{ $port_map->{ $_->port } }, $_ }
grep { $_->port }
$device->device_ips()->all;
map { push @{ $port_map->{ $_->{port} } }, $_ }
values %{ dclone (\%deviceports || {}) };
foreach my $map (@{ setting('ignore_deviceports')}) {
next unless ref {} eq ref $map;
foreach my $key (sort keys %$map) {
# lhs matches device, rhs matches port
next unless check_acl_no($device, $key);
next unless $key and $map->{$key};
next unless acl_matches($device, $key);
PORT: foreach my $port (sort keys %$device_ips) {
foreach my $thing (@{ $device_ips->{$port} }) {
next unless check_acl_no($thing, $map->{$key});
foreach my $port (sort { sort_port( $a, $b) } keys %$port_map) {
next unless acl_matches($port_map->{$port}, $map->{$key});
debug sprintf ' [%s] interfaces - ignoring %s (config:ignore_deviceports)',
$device->ip, $port;
delete $deviceports{$port};
next PORT;
}
debug sprintf ' [%s] interfaces - ignoring %s (config:ignore_deviceports)',
$device->ip, $port;
delete $deviceports{$port};
}
}
}
@@ -446,7 +432,7 @@ sub _get_ipv4_aliases {
my $addr = $ip->addr;
next if $addr eq '0.0.0.0';
next if check_acl_no($ip, 'group:__LOOPBACK_ADDRESSES__');
next if acl_matches($ip, 'group:__LOOPBACK_ADDRESSES__');
next if setting('ignore_private_nets') and $ip->is_rfc1918;
my $iid = $ip_index->{$addr};
@@ -499,7 +485,7 @@ sub _get_ipv6_aliases {
my $addr = $ip->addr;
next if $addr eq '::0';
next if check_acl_no($ip, 'group:__LOOPBACK_ADDRESSES__');
next if acl_matches($ip, 'group:__LOOPBACK_ADDRESSES__');
my $port = $interfaces->{ $ipv6_index->{$iid} };
my $subnet = $ipv6_pfxlen->{$iid}

10
lib/App/Netdisco/Worker/Plugin/Discover/WithNodes.pm
View File

@@ -5,7 +5,7 @@ use App::Netdisco::Worker::Plugin;
use aliased 'App::Netdisco::Worker::Status';
use App::Netdisco::JobQueue 'jq_insert';
use App::Netdisco::Util::Permission 'check_acl_no';
use App::Netdisco::Util::Permission 'acl_matches';
register_worker({ phase => 'main' }, sub {
my ($job, $workerconf) = @_;
@@ -16,8 +16,8 @@ register_worker({ phase => 'main' }, sub {
return unless $device->in_storage and $job->subaction eq 'with-nodes';
if (!defined $device->last_macsuck and ($device->has_layer(2)
or check_acl_no($device, 'force_macsuck')
or check_acl_no($device, 'ignore_layers'))) {
or acl_matches($device, 'force_macsuck')
or acl_matches($device, 'ignore_layers'))) {
jq_insert({
device => $device->ip,
action => 'macsuck',
@@ -28,8 +28,8 @@ register_worker({ phase => 'main' }, sub {
}
if (!defined $device->last_arpnip and ($device->has_layer(3)
or check_acl_no($device, 'force_arpnip')
or check_acl_no($device, 'ignore_layers'))) {
or acl_matches($device, 'force_arpnip')
or acl_matches($device, 'ignore_layers'))) {
jq_insert({
device => $device->ip,
action => 'arpnip',