Refactored ACL support with multi-object compare
Squashed commit of the following:
commit 4081e22202693bd7c4ea00e95daad8e628c6fd5a
Author: Oliver Gorwits <oliver@cpan.org>
Date: Mon May 29 21:02:07 2023 +0100
large rename of check_acl* to acl_matches*
commit 3cfa284ddd24d68765c255578cc5c184afbdcd83
Author: Oliver Gorwits <oliver@cpan.org>
Date: Fri May 19 20:39:03 2023 +0100
update permission doc
commit 8c7bb93cc5e9fafb770f98f446e45cbd94b14894
Author: Oliver Gorwits <oliver@cpan.org>
Date: Wed May 17 21:50:07 2023 +0100
migrate most check_acl_only to acl_matches_only
commit c47f699f2a22f08f2f3e093ed0f24c891e6f9a82
Author: Oliver Gorwits <oliver@cpan.org>
Date: Wed May 17 21:39:19 2023 +0100
rename check_acl* to be acl_matches*
commit a884a22c3ab1f3262118c3a47ed8e25b0b0a7336
Author: Oliver Gorwits <oliver@cpan.org>
Date: Sun May 14 16:50:42 2023 +0100
update macsuck_no_deviceports to use acl_matches
commit 8c256af728721329b64d071fa529dfc844073ac6
Author: Oliver Gorwits <oliver@cpan.org>
Date: Sun May 7 22:54:33 2023 +0100
update hide_deviceports to use acl_matches multi @things
commit cd5d9978aba1da459be4fed4500f395df13f7784
Author: Oliver Gorwits <oliver@cpan.org>
Date: Sun May 7 22:53:38 2023 +0100
check_acl fix to allow all @things to offer a property before fallback to missing as empty string
commit 1a3ab9a7646e9f994f03126d45fc36e9e5a13ed5
Author: Oliver Gorwits <oliver@cpan.org>
Date: Tue May 2 15:31:17 2023 +0100
add ignore_deviceports to portproperties discover; improve comments
commit 51385ce89458dc939587dae902fda431719c22c9
Merge: b97c07d2 3f8ffe78
Author: Oliver Gorwits <oliver@cpan.org>
Date: Tue May 2 15:21:48 2023 +0100
Merge branch 'master' into og-acl_multidict
commit b97c07d237d750c1d9eb3095d8ff3908512eac2a
Author: Oliver Gorwits <oliver@cpan.org>
Date: Sat Mar 25 14:37:53 2023 +0000
add support for arrayref of items, and unblessed hash, to check_acl
This commit is contained in:
Oliver Gorwits
179
xt/20-checkacl.t
179
xt/20-checkacl.t
@@ -8,8 +8,8 @@ use Test::More 1.302083;
|
||||
use Test::File::ShareDir::Dist { 'App-Netdisco' => 'share/' };
|
||||
|
||||
BEGIN {
|
||||
use_ok( 'App::Netdisco::Configuration', 'check_acl' );
|
||||
use_ok( 'App::Netdisco::Util::Permission', 'check_acl' );
|
||||
use_ok( 'App::Netdisco::Configuration', 'acl_matches' );
|
||||
use_ok( 'App::Netdisco::Util::Permission', 'acl_matches' );
|
||||
}
|
||||
|
||||
use Dancer qw/:script !pass/;
|
||||
@@ -37,79 +37,79 @@ my @conf = (
|
||||
);
|
||||
|
||||
# name, ipv4, ipv6, v4 prefix, v6 prefix
|
||||
ok(check_acl('localhost',[$conf[0]]), 'same name');
|
||||
ok(check_acl('127.0.0.1',[$conf[2]]), 'same ipv4');
|
||||
ok(check_acl('::1',[$conf[4]]), 'same ipv6');
|
||||
ok(check_acl('127.0.0.0/29',[$conf[6]]), 'same v4 prefix');
|
||||
ok(check_acl('::1/128',[$conf[8]]), 'same v6 prefix');
|
||||
ok(acl_matches('localhost',[$conf[0]]), 'same name');
|
||||
ok(acl_matches('127.0.0.1',[$conf[2]]), 'same ipv4');
|
||||
ok(acl_matches('::1',[$conf[4]]), 'same ipv6');
|
||||
ok(acl_matches('127.0.0.0/29',[$conf[6]]), 'same v4 prefix');
|
||||
ok(acl_matches('::1/128',[$conf[8]]), 'same v6 prefix');
|
||||
|
||||
# failed name, ipv4, ipv6, v4 prefix, v6 prefix
|
||||
is(check_acl('www.microsoft.com',[$conf[0]]), 0, 'failed name');
|
||||
is(check_acl('172.20.0.1',[$conf[2]]), 0, 'failed ipv4');
|
||||
is(check_acl('2001:db8::5',[$conf[4]]), 0, 'failed ipv6');
|
||||
is(check_acl('172.16.1.3/29',[$conf[6]]), 0, 'failed v4 prefix');
|
||||
is(check_acl('2001:db8:f00d::/64',[$conf[8]]), 0, 'failed v6 prefix');
|
||||
is(acl_matches('www.microsoft.com',[$conf[0]]), 0, 'failed name');
|
||||
is(acl_matches('172.20.0.1',[$conf[2]]), 0, 'failed ipv4');
|
||||
is(acl_matches('2001:db8::5',[$conf[4]]), 0, 'failed ipv6');
|
||||
is(acl_matches('172.16.1.3/29',[$conf[6]]), 0, 'failed v4 prefix');
|
||||
is(acl_matches('2001:db8:f00d::/64',[$conf[8]]), 0, 'failed v6 prefix');
|
||||
|
||||
# negated name, ipv4, ipv6, v4 prefix, v6 prefix
|
||||
ok(check_acl('localhost',[$conf[1]]), 'not same name');
|
||||
ok(check_acl('127.0.0.1',[$conf[3]]), 'not same ipv4');
|
||||
ok(check_acl('::1',[$conf[5]]), 'not same ipv6');
|
||||
ok(check_acl('127.0.0.0/29',[$conf[7]]), 'not same v4 prefix');
|
||||
ok(check_acl('::1/128',[$conf[9]]), 'not same v6 prefix');
|
||||
ok(acl_matches('localhost',[$conf[1]]), 'not same name');
|
||||
ok(acl_matches('127.0.0.1',[$conf[3]]), 'not same ipv4');
|
||||
ok(acl_matches('::1',[$conf[5]]), 'not same ipv6');
|
||||
ok(acl_matches('127.0.0.0/29',[$conf[7]]), 'not same v4 prefix');
|
||||
ok(acl_matches('::1/128',[$conf[9]]), 'not same v6 prefix');
|
||||
|
||||
# v4 range, v6 range
|
||||
ok(check_acl('127.0.0.1',[$conf[10]]), 'in v4 range');
|
||||
ok(check_acl('::1',[$conf[12]]), 'in v6 range');
|
||||
ok(acl_matches('127.0.0.1',[$conf[10]]), 'in v4 range');
|
||||
ok(acl_matches('::1',[$conf[12]]), 'in v6 range');
|
||||
|
||||
# failed v4 range, v6 range
|
||||
is(check_acl('172.20.0.1',[$conf[10]]), 0, 'failed v4 range');
|
||||
is(check_acl('2001:db8::5',[$conf[12]]), 0, 'failed v6 range');
|
||||
is(acl_matches('172.20.0.1',[$conf[10]]), 0, 'failed v4 range');
|
||||
is(acl_matches('2001:db8::5',[$conf[12]]), 0, 'failed v6 range');
|
||||
|
||||
# negated v4 range, v6 range
|
||||
ok(check_acl('127.0.0.1',[$conf[11]]), 'not in v4 range');
|
||||
ok(check_acl('::1',[$conf[13]]), 'not in v6 range');
|
||||
ok(acl_matches('127.0.0.1',[$conf[11]]), 'not in v4 range');
|
||||
ok(acl_matches('::1',[$conf[13]]), 'not in v6 range');
|
||||
|
||||
# hostname regexp
|
||||
# FIXME ok(check_acl('localhost',[$conf[14]]), 'name regexp');
|
||||
# FIXME ok(check_acl('127.0.0.1',[$conf[14]]), 'IP regexp');
|
||||
is(check_acl('www.google.com',[$conf[14]]), 0, 'failed regexp');
|
||||
# FIXME ok(acl_matches('localhost',[$conf[14]]), 'name regexp');
|
||||
# FIXME ok(acl_matches('127.0.0.1',[$conf[14]]), 'IP regexp');
|
||||
is(acl_matches('www.google.com',[$conf[14]]), 0, 'failed regexp');
|
||||
|
||||
# OR of prefix, range, regexp, property (2 of, 3 of, 4 of)
|
||||
ok(check_acl('127.0.0.1',[@conf[8,0]]), 'OR: prefix, name');
|
||||
ok(check_acl('127.0.0.1',[@conf[8,12,0]]), 'OR: prefix, range, name');
|
||||
ok(check_acl('127.0.0.1',[@conf[8,12,15,0]]), 'OR: prefix, range, regexp, name');
|
||||
ok(acl_matches('127.0.0.1',[@conf[8,0]]), 'OR: prefix, name');
|
||||
ok(acl_matches('127.0.0.1',[@conf[8,12,0]]), 'OR: prefix, range, name');
|
||||
ok(acl_matches('127.0.0.1',[@conf[8,12,15,0]]), 'OR: prefix, range, regexp, name');
|
||||
|
||||
# OR of negated prefix, range, regexp, property (2 of, 3 of, 4 of)
|
||||
ok(check_acl('127.0.0.1',[@conf[17,0]]), 'OR: !prefix, name');
|
||||
ok(check_acl('127.0.0.1',[@conf[17,18,0]]), 'OR: !prefix, !range, name');
|
||||
ok(check_acl('127.0.0.1',[@conf[17,18,19,0]]), 'OR: !prefix, !range, !regexp, name');
|
||||
ok(acl_matches('127.0.0.1',[@conf[17,0]]), 'OR: !prefix, name');
|
||||
ok(acl_matches('127.0.0.1',[@conf[17,18,0]]), 'OR: !prefix, !range, name');
|
||||
ok(acl_matches('127.0.0.1',[@conf[17,18,19,0]]), 'OR: !prefix, !range, !regexp, name');
|
||||
|
||||
# AND of prefix, range, regexp, property (2 of, 3 of, 4 of)
|
||||
ok(check_acl('127.0.0.1',[@conf[6,0,20]]), 'AND: prefix, name');
|
||||
ok(check_acl('127.0.0.1',[@conf[6,10,0,20]]), 'AND: prefix, range, name');
|
||||
# FIXME ok(check_acl('127.0.0.1',[@conf[6,10,14,0,20]]), 'AND: prefix, range, regexp, name');
|
||||
ok(acl_matches('127.0.0.1',[@conf[6,0,20]]), 'AND: prefix, name');
|
||||
ok(acl_matches('127.0.0.1',[@conf[6,10,0,20]]), 'AND: prefix, range, name');
|
||||
# FIXME ok(acl_matches('127.0.0.1',[@conf[6,10,14,0,20]]), 'AND: prefix, range, regexp, name');
|
||||
|
||||
# failed AND on prefix, range, regexp
|
||||
is(check_acl('127.0.0.1',[@conf[8,10,14,0,20]]), 0, 'failed AND: prefix!, range, regexp, name');
|
||||
is(check_acl('127.0.0.1',[@conf[6,12,14,0,20]]), 0, 'failed AND: prefix, range!, regexp, name');
|
||||
is(check_acl('127.0.0.1',[@conf[6,10,15,0,20]]), 0, 'failed AND: prefix, range, regexp!, name');
|
||||
is(acl_matches('127.0.0.1',[@conf[8,10,14,0,20]]), 0, 'failed AND: prefix!, range, regexp, name');
|
||||
is(acl_matches('127.0.0.1',[@conf[6,12,14,0,20]]), 0, 'failed AND: prefix, range!, regexp, name');
|
||||
is(acl_matches('127.0.0.1',[@conf[6,10,15,0,20]]), 0, 'failed AND: prefix, range, regexp!, name');
|
||||
|
||||
# AND of negated prefix, range, regexp, property (2 of, 3 of, 4 of)
|
||||
ok(check_acl('127.0.0.1',[@conf[9,0,20]]), 'AND: !prefix, name');
|
||||
ok(check_acl('127.0.0.1',[@conf[7,11,0,20]]), 'AND: !prefix, !range, name');
|
||||
ok(check_acl('127.0.0.1',[@conf[9,13,16,0,20]]), 'AND: !prefix, !range, !regexp, name');
|
||||
ok(acl_matches('127.0.0.1',[@conf[9,0,20]]), 'AND: !prefix, name');
|
||||
ok(acl_matches('127.0.0.1',[@conf[7,11,0,20]]), 'AND: !prefix, !range, name');
|
||||
ok(acl_matches('127.0.0.1',[@conf[9,13,16,0,20]]), 'AND: !prefix, !range, !regexp, name');
|
||||
|
||||
# group ref
|
||||
is(check_acl('192.0.2.1',[$conf[22]]), 1, '!missing group ref');
|
||||
is(check_acl('192.0.2.1',[$conf[21]]), 0, 'failed missing group ref');
|
||||
is(acl_matches('192.0.2.1',[$conf[22]]), 1, '!missing group ref');
|
||||
is(acl_matches('192.0.2.1',[$conf[21]]), 0, 'failed missing group ref');
|
||||
setting('host_groups')->{'groupreftest'} = ['192.0.2.1'];
|
||||
is(check_acl('192.0.2.1',[$conf[21]]), 1, 'group ref');
|
||||
is(check_acl('192.0.2.1',[$conf[22]]), 0, 'failed !missing group ref');
|
||||
is(acl_matches('192.0.2.1',[$conf[21]]), 1, 'group ref');
|
||||
is(acl_matches('192.0.2.1',[$conf[22]]), 0, 'failed !missing group ref');
|
||||
|
||||
# scalar promoted to list
|
||||
ok(check_acl('localhost',$conf[0]), 'scalar promoted');
|
||||
ok(check_acl('localhost',$conf[1]), 'not scalar promoted');
|
||||
is(check_acl('www.microsoft.com',$conf[0]), 0, 'failed scalar promoted');
|
||||
ok(acl_matches('localhost',$conf[0]), 'scalar promoted');
|
||||
ok(acl_matches('localhost',$conf[1]), 'not scalar promoted');
|
||||
is(acl_matches('www.microsoft.com',$conf[0]), 0, 'failed scalar promoted');
|
||||
|
||||
use App::Netdisco::DB;
|
||||
my $dip = App::Netdisco::DB->resultset('DeviceIp')->new_result({
|
||||
@@ -125,15 +125,80 @@ my $dip = App::Netdisco::DB->resultset('DeviceIp')->new_result({
|
||||
});
|
||||
|
||||
# device properties
|
||||
ok(check_acl($dip, [$conf[23]]), 'instance anon property deviceport:alias');
|
||||
ok(check_acl($dip, ['ip:'.$conf[2]]), 'instance named property deviceport:ip');
|
||||
ok(check_acl($dip, ['!ip:'. $conf[23]]), 'negated instance named property deviceport:ip');
|
||||
is(check_acl($dip, ['port:'.$conf[2]]), 0, 'failed instance named property deviceport:ip');
|
||||
ok(check_acl($dip, ['port:.*GigabitEthernet.*']), 'instance named property regexp deviceport:port');
|
||||
ok(acl_matches($dip, [$conf[23]]), '1obj instance anon property deviceport:alias');
|
||||
ok(acl_matches($dip, ['ip:'.$conf[2]]), '1obj instance named property deviceport:ip');
|
||||
ok(acl_matches($dip, ['!ip:'. $conf[23]]), '1obj negated instance named property deviceport:ip');
|
||||
is(acl_matches($dip, ['port:'.$conf[2]]), 0, '1obj failed instance named property deviceport:ip');
|
||||
ok(acl_matches($dip, ['port:.*GigabitEthernet.*']), '1obj instance named property regexp deviceport:port');
|
||||
|
||||
ok(check_acl($dip, ['type:l3ipvlan']), 'related item field match');
|
||||
ok(check_acl($dip, ['remote_ip:']), 'related item field empty');
|
||||
ok(check_acl($dip, ['!type:']), 'related item field not empty');
|
||||
is(check_acl($dip, ['foobar:xyz']), 0, 'unknown property');
|
||||
# DeviceIp no longer has DevicePort slot accessors
|
||||
#ok(acl_matches($dip, ['type:l3ipvlan']), '1obj related item field match');
|
||||
#ok(acl_matches($dip, ['remote_ip:']), '1obj related item field empty');
|
||||
#ok(acl_matches($dip, ['!type:']), '1obj related item field not empty');
|
||||
#is(acl_matches($dip, ['foobar:xyz']), 0, '1obj unknown property');
|
||||
|
||||
my $dip2 = App::Netdisco::DB->resultset('DeviceIp')->new_result({
|
||||
ip => '127.0.0.1',
|
||||
port => 'TenGigabitEthernet1/10',
|
||||
alias => '192.0.2.1',
|
||||
});
|
||||
|
||||
my $dp = App::Netdisco::DB->resultset('DevicePort')->new_result({
|
||||
ip => '127.0.0.1',
|
||||
port => 'TenGigabitEthernet1/10',
|
||||
type => 'l3ipvlan',
|
||||
});
|
||||
|
||||
# device properties
|
||||
ok(acl_matches([$dip2, $dp], [$conf[23]]), '2obj instance anon property deviceport:alias');
|
||||
ok(acl_matches([$dip2, $dp], ['ip:'.$conf[2]]), '2obj instance named property deviceport:ip');
|
||||
ok(acl_matches([undef, $dip2, $dp], ['ip:'.$conf[2]]), '2obj instance named property after undef');
|
||||
ok(acl_matches([$dip2, $dp], ['!ip:'. $conf[23]]), '2obj negated instance named property deviceport:ip');
|
||||
is(acl_matches([$dip2, $dp], ['port:'.$conf[2]]), 0, '2obj failed instance named property deviceport:ip');
|
||||
ok(acl_matches([$dip2, $dp], ['port:.*GigabitEthernet.*']), '2obj instance named property regexp deviceport:port');
|
||||
|
||||
ok(acl_matches([$dip2, $dp], ['type:l3ipvlan']), '2obj related item field match');
|
||||
ok(acl_matches([$dip2, $dp], ['remote_ip:']), '2obj related item field empty');
|
||||
ok(acl_matches([$dip2, $dp], ['!type:']), '2obj related item field not empty');
|
||||
is(acl_matches([$dip2, $dp], ['foobar:xyz']), 0, '2obj unknown property');
|
||||
|
||||
my $dip2c = { $dip2->get_inflated_columns };
|
||||
my $dpc = { $dp->get_inflated_columns };
|
||||
|
||||
# device properties
|
||||
ok(acl_matches([$dip2c, $dpc], [$conf[23]]), 'hh instance anon property deviceport:alias');
|
||||
ok(acl_matches([$dip2c, $dpc], ['ip:'.$conf[2]]), 'hh instance named property deviceport:ip');
|
||||
ok(acl_matches([$dip2c, $dpc], ['!ip:'. $conf[23]]), 'hh negated instance named property deviceport:ip');
|
||||
is(acl_matches([$dip2c, $dpc], ['port:'.$conf[2]]), 0, 'hh failed instance named property deviceport:ip');
|
||||
ok(acl_matches([$dip2c, $dpc], ['port:.*GigabitEthernet.*']), 'hh instance named property regexp deviceport:port');
|
||||
|
||||
ok(acl_matches([$dip2c, $dpc], ['type:l3ipvlan']), 'hh related item field match');
|
||||
ok(acl_matches([$dip2c, $dpc], ['remote_ip:']), 'hh related item field empty');
|
||||
ok(acl_matches([$dip2c, $dpc], ['!type:']), 'hh related item field not empty');
|
||||
is(acl_matches([$dip2c, $dpc], ['foobar:xyz']), 0, 'hh unknown property');
|
||||
|
||||
# device properties
|
||||
ok(acl_matches([$dip2, $dpc], [$conf[23]]), 'oh instance anon property deviceport:alias');
|
||||
ok(acl_matches([$dip2, $dpc], ['ip:'.$conf[2]]), 'oh instance named property deviceport:ip');
|
||||
ok(acl_matches([$dip2, $dpc], ['!ip:'. $conf[23]]), 'oh negated instance named property deviceport:ip');
|
||||
is(acl_matches([$dip2, $dpc], ['port:'.$conf[2]]), 0, 'oh failed instance named property deviceport:ip');
|
||||
ok(acl_matches([$dip2, $dpc], ['port:.*GigabitEthernet.*']), 'oh instance named property regexp deviceport:port');
|
||||
|
||||
ok(acl_matches([$dip2, $dpc], ['type:l3ipvlan']), 'oh related item field match');
|
||||
ok(acl_matches([$dip2, $dpc], ['remote_ip:']), 'oh related item field empty');
|
||||
ok(acl_matches([$dip2, $dpc], ['!type:']), 'oh related item field not empty');
|
||||
is(acl_matches([$dip2, $dpc], ['foobar:xyz']), 0, 'oh unknown property');
|
||||
|
||||
# device properties
|
||||
ok(acl_matches([$dip2c, $dp], [$conf[23]]), 'ho instance anon property deviceport:alias');
|
||||
ok(acl_matches([$dip2c, $dp], ['ip:'.$conf[2]]), 'ho instance named property deviceport:ip');
|
||||
ok(acl_matches([$dip2c, $dp], ['!ip:'. $conf[23]]), 'ho negated instance named property deviceport:ip');
|
||||
is(acl_matches([$dip2c, $dp], ['port:'.$conf[2]]), 0, 'ho failed instance named property deviceport:ip');
|
||||
ok(acl_matches([$dip2c, $dp], ['port:.*GigabitEthernet.*']), 'ho instance named property regexp deviceport:port');
|
||||
|
||||
ok(acl_matches([$dip2c, $dp], ['type:l3ipvlan']), 'ho related item field match');
|
||||
ok(acl_matches([$dip2c, $dp], ['remote_ip:']), 'ho related item field empty');
|
||||
ok(acl_matches([$dip2c, $dp], ['!type:']), 'ho related item field not empty');
|
||||
is(acl_matches([$dip2c, $dp], ['foobar:xyz']), 0, 'ho unknown property');
|
||||
|
||||
done_testing;
|
||||
|
||||
Reference in New Issue
Block a user