Compare revisions
Commits on Source (2)
......@@ -2,11 +2,22 @@
## Purpose
By design, the NetBox DNS DNSsync feature does not check DNS permissions when syncing DNS records through an action done in the IPAM.
### Permissions validation on dns_name
The script *dnssync_perm.py* provides partial permission validation for DNSsync, but only when adding or modifying an IP address.
By design, the NetBox DNS DNSsync feature does not check DNS permissions
when syncing DNS records through an action done in the IPAM.
NamePermissionValidator provides partial permission validation for
DNSsync, but only when adding or modifying an IP address.
NB: No permission is checked when deleting an IP address. This is
consistent with the idea that IPAM actions have complete control over
the DNSsync-ed records.
### Correctness of dns_name
NameZoneValidator implement a strict policy for dns_name when used with
dns_sync, ensuring that the name is not empty and only contains a
valid zone.
No permission is checked when deleting an IP address This is consistent with the idea that IPAM actions have complete control over the DNSsync-ed records.
## Installation
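Review bot: the new "Correctness of dns_name" paragraph under-describes what NameZoneValidator actually enforces, and it has a grammar slip ("NameZoneValidator implement" should read "NameZoneValidator implements"). Per the validator hunk further down, the check does not only require a non-empty name containing a dot; it also rejects an IP address that is not inside an existing prefix, a prefix with no DNS view, and a name whose zone does not exist in that view. Consider listing those four conditions, since an operator seeing "is not in any existing prefix" on the dns_name form will otherwise not find the behaviour documented. Also note that the removed sentence was the only place naming the file (*dnssync_perm.py*) in the Purpose section; keeping the file name here makes the Installation steps below easier to follow.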
......@@ -15,10 +26,10 @@ Copy this script to a "validators" directory into Netbox:
mkdir -p /opt/netbox/netbox/validators
cp dnssync_perm.py /opt/netbox/netbox/validators/
Activate the validator by adding the following lines in /opt/netbox/netbox/netbox/configuration.py:
Activate the validators by adding the following lines in /opt/netbox/netbox/netbox/configuration.py:
from validators.dnssync_perm import NamePermissionValidator
from validators.dnssync_perm import NamePermissionValidator, NameZoneValidator,
CUSTOM_VALIDATORS = {
"ipam.ipaddress": ( NamePermissionValidator(), ),
"ipam.ipaddress": ( NameZoneValidator(), NamePermissionValidator(), ),
}
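Review bot: the new import line has a trailing comma that makes configuration.py fail to load: `from validators.dnssync_perm import NamePermissionValidator, NameZoneValidator,` is a SyntaxError in Python (a trailing comma is only allowed when the import list is parenthesised). Drop the comma, or write `from validators.dnssync_perm import (NamePermissionValidator, NameZoneValidator)`. Since this file is evaluated at NetBox start-up, the error would take the whole instance down rather than just the validator. Two smaller points: the installation text above still says "Copy this script" in the singular and only copies dnssync_perm.py, which is fine if both classes live in that one file, but worth confirming; and the tuple order `( NameZoneValidator(), NamePermissionValidator(), )` means the zone and prefix checks run before the permission check, which is the sensible order (no point evaluating permissions on a name that cannot be synced) and could be stated in the README.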
......@@ -123,19 +123,19 @@ class NameZoneValidator(CustomValidator):
def validate(self, ipaddress, request):
dns_name = ipaddress.dns_name
#breakpoint()
if dns_name == "":
self.fail("DNS name can not be empty", field="dns_name")
if dns_name.find(".") == -1:
self.fail("DNS name must contain a zone", field="dns_name")
# This check is necessary because of the prefix-DNS view relation of dns_sync
if not ipaddress_in_existing_prefix(ipaddress, request):
self.fail(f"IP address '{address}' is not in any existing prefix")
self.fail(f"IP address '{ipaddress}' is not in any existing prefix", field="address")
if not prefix_has_dns_view(ipaddress, request):
self.fail(f"IP address '{address}' is in a prefix for which there is no DNS view defined. Ask NetBox administrator")
self.fail(f"IP address '{ipaddress}' is in a prefix for which there is no DNS view defined. Ask your NetBox administrator", field="address")
if not name_has_valid_zone(dns_name, ipaddress, request):
self.fail(f"Name '{dns_name}' has an invalid zone name", field="dns_name")
self.fail(f"Name '{dns_name}' is in an non-existing zone name", field="dns_name")
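Review bot: the replacement of `{address}` by `{ipaddress}` in the two `self.fail` messages fixes a real bug, since `address` was never bound in `validate()` and the old code would have raised a NameError instead of a validation error whenever an IP fell outside a known prefix or view; adding `field="address"` is also the right call so the error attaches to the form field. Two things remain in this hunk: the leftover `#breakpoint()` debug line in the unchanged context should be removed while the function is being touched, and the new message "is in an non-existing zone name" should read "is in a non-existent zone". One behavioural note for a follow-up rather than this change: `dns_name.find(".") == -1` only guarantees a dot is present, so names such as "host." or ".example" pass this check and are left to `name_has_valid_zone` to reject; stripping a trailing dot before the lookup, or documenting that trailing dots are not accepted, would make the rejection message clearer for the user.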