From e953e3945fb268d2f36be8115f48708df0f557d8 Mon Sep 17 00:00:00 2001
From: Oliver Gorwits
Date: Fri, 3 Sep 2021 06:14:44 +0100
Subject: [PATCH] ACLs portctl_no and portctl_only for limiting port control targets
---
 Changes | 6 ++++++
 lib/App/Netdisco/Util/Port.pm | 11 +++++++++++
 share/config.yml | 2 ++
 3 files changed, 19 insertions(+)
diff --git a/Changes b/Changes
index 0a446e64..d5aebd4e 100644
--- a/Changes
+++ b/Changes
@@ -1,3 +1,9 @@
+2.049002 - 2021-09-03
+
+ [NEW FEATURES]
+
+ * ACLs portctl_no and portctl_only for limiting port control targets
+
 2.049001 - 2021-08-22
 [ENHANCEMENTS]
diff --git a/lib/App/Netdisco/Util/Port.pm b/lib/App/Netdisco/Util/Port.pm
index 84df6957..e1cb2e45 100644
--- a/lib/App/Netdisco/Util/Port.pm
+++ b/lib/App/Netdisco/Util/Port.pm
@@ -4,6 +4,7 @@ use Dancer qw/:syntax :script/;
 use Dancer::Plugin::DBIC 'schema';
 use App::Netdisco::Util::Device 'get_device';
+use App::Netdisco::Util::Permission qw/check_acl_no check_acl_only/;
 use base 'Exporter';
 our @EXPORT = ();
@@ -68,6 +69,10 @@ sub vlan_reconfig_check {
 =item *
+Permission check that C and C pass for the device.
+
+=item *
+
 Permission check that C is false in Netdisco config.
 =item *
@@ -99,6 +104,12 @@ sub port_reconfig_check {
 my $has_phone = port_has_phone($port);
 my $is_vlan = is_vlan_interface($port);
+ # check for limits on devices
+ return "forbidden: device [$ip] is in denied ACL"
+ if check_acl_no($ip, 'portctl_no');
+ return "forbidden: device [$ip] is not in permitted ACL"
+ unless check_acl_only($ip, 'portctl_only');
+
 # only permitted to change interface name
 return "forbidden: not permitted to change port configuration"
 if setting('portctl_nameonly');
diff --git a/share/config.yml b/share/config.yml
index 4b170bf1..1010f67a 100644
--- a/share/config.yml
+++ b/share/config.yml
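Review bot: The new `unless check_acl_only($ip, 'portctl_only')` guard in port_reconfig_check makes the shipped default `portctl_only: []` (share/config.yml, same commit) decide whether port control works at all: if check_acl_only treats an empty ACL as "nothing permitted" rather than "no restriction", every device is refused with `forbidden: device [$ip] is not in permitted ACL` out of the box, so the empty-list semantics should be confirmed against App::Netdisco::Util::Permission and recorded in the comment, e.g. `# empty portctl_only means no restriction; portctl_no is evaluated first and wins`. The deny-before-allow order is right, but the two checks sit after `port_has_phone($port)` and `is_vlan_interface($port)`, so moving the two returns above those lookups (presumably database reads) would reject denied devices before any per-port work is done. Only port_reconfig_check is gated here; if vlan_reconfig_check (the context of the preceding hunk) can be reached without port_reconfig_check, it receives no ACL. `$ip` is assigned, and the rest of port_reconfig_check continues, outside the hunk.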
@@ -184,6 +184,8 @@ table_showrecordsmenu:
 - [10, 25, 50, 100, 'All']
 vlanctl: true
 portctl_nameonly: false
+portctl_no: []
+portctl_only: []
 portctl_nophones: false
 portctl_vlans: false
 portctl_uplinks: false