Refactored ACL support with multi-object compare

Squashed commit of the following: commit 4081e22202693bd7c4ea00e95daad8e628c6fd5a Author: Oliver Gorwits <oliver@cpan.org> Date: Mon May 29 21:02:07 2023 +0100 large rename of check_acl* to acl_matches* commit 3cfa284ddd24d68765c255578cc5c184afbdcd83 Author: Oliver Gorwits <oliver@cpan.org> Date: Fri May 19 20:39:03 2023 +0100 update permission doc commit 8c7bb93cc5e9fafb770f98f446e45cbd94b14894 Author: Oliver Gorwits <oliver@cpan.org> Date: Wed May 17 21:50:07 2023 +0100 migrate most check_acl_only to acl_matches_only commit c47f699f2a22f08f2f3e093ed0f24c891e6f9a82 Author: Oliver Gorwits <oliver@cpan.org> Date: Wed May 17 21:39:19 2023 +0100 rename check_acl* to be acl_matches* commit a884a22c3ab1f3262118c3a47ed8e25b0b0a7336 Author: Oliver Gorwits <oliver@cpan.org> Date: Sun May 14 16:50:42 2023 +0100 update macsuck_no_deviceports to use acl_matches commit 8c256af728721329b64d071fa529dfc844073ac6 Author: Oliver Gorwits <oliver@cpan.org> Date: Sun May 7 22:54:33 2023 +0100 update hide_deviceports to use acl_matches multi @things commit cd5d9978aba1da459be4fed4500f395df13f7784 Author: Oliver Gorwits <oliver@cpan.org> Date: Sun May 7 22:53:38 2023 +0100 check_acl fix to allow all @things to offer a property before fallback to missing as empty string commit 1a3ab9a7646e9f994f03126d45fc36e9e5a13ed5 Author: Oliver Gorwits <oliver@cpan.org> Date: Tue May 2 15:31:17 2023 +0100 add ignore_deviceports to portproperties discover; improve comments commit 51385ce89458dc939587dae902fda431719c22c9 Merge: b97c07d2 3f8ffe78 Author: Oliver Gorwits <oliver@cpan.org> Date: Tue May 2 15:21:48 2023 +0100 Merge branch 'master' into og-acl_multidict commit b97c07d237d750c1d9eb3095d8ff3908512eac2a Author: Oliver Gorwits <oliver@cpan.org> Date: Sat Mar 25 14:37:53 2023 +0000 add support for arrayref of items, and unblessed hash, to check_acl
2023-05-29 21:32:07 +01:00
parent 3f8ffe787f
commit 9355f5c2b9
27 changed files with 463 additions and 335 deletions
--- a/lib/App/Netdisco/Worker/Plugin/Macsuck/Hooks.pm
+++ b/lib/App/Netdisco/Worker/Plugin/Macsuck/Hooks.pm
@@ -5,7 +5,7 @@ use App::Netdisco::Worker::Plugin;
 use aliased 'App::Netdisco::Worker::Status';

 use App::Netdisco::Util::Worker;
-use App::Netdisco::Util::Permission qw/check_acl_no check_acl_only/;
+use App::Netdisco::Util::Permission qw/acl_matches acl_matches_only/;

 register_worker({ phase => 'late' }, sub {
  my ($job, $workerconf) = @_;
@@ -21,8 +21,8 @@ register_worker({ phase => 'late' }, sub {
    my $no   = ($conf->{'filter'}->{'no'}   || []);
    my $only = ($conf->{'filter'}->{'only'} || []);

-    next if check_acl_no( $job->device, $no );
-    next unless check_acl_only( $job->device, $only);
+    next if acl_matches( $job->device, $no );
+    next unless acl_matches_only( $job->device, $only);

    if ($conf->{'event'} eq 'macsuck') {
      $count += queue_hook('macsuck', $conf);
--- a/lib/App/Netdisco/Worker/Plugin/Macsuck/Nodes.pm
+++ b/lib/App/Netdisco/Worker/Plugin/Macsuck/Nodes.pm
@@ -5,11 +5,12 @@ use App::Netdisco::Worker::Plugin;
 use aliased 'App::Netdisco::Worker::Status';

 use App::Netdisco::Transport::SNMP ();
-use App::Netdisco::Util::Permission qw/check_acl_no check_acl_only/;
+use App::Netdisco::Util::Permission 'acl_matches';
 use App::Netdisco::Util::PortMAC 'get_port_macs';
 use App::Netdisco::Util::Device 'match_to_setting';
 use App::Netdisco::Util::Node 'check_mac';
 use App::Netdisco::Util::SNMP 'snmp_comm_reindex';
+use App::Netdisco::Util::Web 'sort_port';

 use Dancer::Plugin::DBIC 'schema';
 use Time::HiRes 'gettimeofday';
@@ -37,7 +38,8 @@ register_worker({ phase => 'early',

  # cache the device ports to save hitting the database for many single rows
  vars->{'device_ports'} = {map {($_->port => $_)}
-                          $device->ports(undef, {prefetch => {neighbor_alias => 'device'}})->all};
+                          $device->ports(undef, {prefetch => ['properties',
+                                                              {neighbor_alias => 'device'}]})->all};
 });

 register_worker({ phase => 'main', driver => 'direct',
@@ -488,14 +490,15 @@ sub sanity_macs {

          foreach my $key (sort keys %$map) {
              # lhs matches device, rhs matches port
-              next unless check_acl_only($device, $key);
+              next unless $key and $map->{$key};
+              next unless acl_matches($device, $key);

-              foreach my $port (keys %{ $device_ports }) {
-                  next unless check_acl_only($device_ports->{$port}, $map->{$key});
+              foreach my $port (sort { sort_port($a, $b) } keys %{ $device_ports }) {
+                  next unless acl_matches($device_ports->{$port}, $map->{$key});

-                  ++$ignoreport->{$port};
                  debug sprintf ' [%s] macsuck %s - port suppressed by macsuck_no_deviceports',
                    $device->ip, $port;
+                  ++$ignoreport->{$port};
              }
          }
      }
@@ -559,7 +562,7 @@ sub sanity_macs {
              # with device lookups.

              my $neigh_cannot_macsuck = eval { # can fail
-                check_acl_no(($device_port->neighbor || "0 but true"), 'macsuck_unsupported') ||
+                acl_matches(($device_port->neighbor || "0 but true"), 'macsuck_unsupported') ||
                match_to_setting($device_port->remote_type, 'macsuck_unsupported_type') };

              # here, is_uplink comes from Discover::Neighbors finding LLDP remnants