netbox-plugin-dns 0.21.4__py3-none-any.whl → 1.4.7__py3-none-any.whl

netbox_dns/utilities/ipam_dnssync.py

@@ -0,0 +1,370 @@
+import re
+
+from collections import defaultdict
+
+from dns import name as dns_name
+
+from django.conf import settings
+from django.db.models import Q
+
+from netbox.context import current_request
+from ipam.models import IPAddress, Prefix
+
+from netbox_dns.choices import RecordStatusChoices, RecordTypeChoices
+
+from .dns import get_parent_zone_names
+from .conversions import regex_from_list
+
+
+__all__ = (
+    "get_zones",
+    "check_dns_records",
+    "update_dns_records",
+    "delete_dns_records",
+    "get_views_by_prefix",
+    "get_ip_addresses_by_prefix",
+    "get_ip_addresses_by_view",
+    "get_ip_addresses_by_zone",
+    "check_record_permission",
+    "get_query_from_filter",
+    "check_filter",
+)
+
+
+def _get_assigned_views(ip_address):
+    longest_prefix = Prefix.objects.filter(
+        vrf=ip_address.vrf,
+        prefix__net_contains_or_equals=str(ip_address.address.ip),
+        netbox_dns_views__isnull=False,
+    ).last()
+
+    if longest_prefix is None:
+        return []
+
+    return longest_prefix.netbox_dns_views.all()
+
+
+def _get_record_status(ip_address):
+    return (
+        RecordStatusChoices.STATUS_ACTIVE
+        if ip_address.status
+        in settings.PLUGINS_CONFIG["netbox_dns"].get(
+            "dnssync_ipaddress_active_status", []
+        )
+        else RecordStatusChoices.STATUS_INACTIVE
+    )
+
+
+def _valid_entry(ip_address, zone):
+    return zone.view in _get_assigned_views(ip_address) and dns_name.from_text(
+        ip_address.dns_name
+    ).is_subdomain(dns_name.from_text(zone.name))
+
+
+def _match_data(ip_address, record):
+    cf_disable_ptr = ip_address.custom_field_data.get(
+        "ipaddress_dns_record_disable_ptr"
+    )
+
+    return (
+        record.fqdn.rstrip(".") == ip_address.dns_name.rstrip(".")
+        and record.value == str(ip_address.address.ip)
+        and record.status == _get_record_status(ip_address)
+        and record.ttl == ip_address.custom_field_data.get("ipaddress_dns_record_ttl")
+        and (cf_disable_ptr is None or record.disable_ptr == cf_disable_ptr)
+    )
+
+
+def get_zones(ip_address, view=None, old_zone=None):
+    from netbox_dns.models import Zone
+
+    if view is None:
+        views = _get_assigned_views(ip_address)
+        if not views:
+            return []
+
+    else:
+        views = [view]
+
+    min_labels = settings.PLUGINS_CONFIG["netbox_dns"].get(
+        "dnssync_minimum_zone_labels", 2
+    )
+
+    zones = Zone.objects.filter(
+        view__in=views,
+        name__iregex=regex_from_list(
+            get_parent_zone_names(
+                ip_address.dns_name, min_labels=min_labels, include_self=True
+            )
+        ),
+        active=True,
+    )
+
+    zone_map = defaultdict(list)
+
+    if old_zone is not None:
+        zones = zones.exclude(pk=old_zone.pk)
+        if _valid_entry(ip_address, old_zone):
+            zone_map[old_zone.view].append(old_zone)
+
+    for zone in zones:
+        zone_map[zone.view].append(zone)
+
+    return [
+        sorted(zones_per_view, key=lambda x: len(x.name))[-1]
+        for zones_per_view in zone_map.values()
+    ]
+
+
+def check_dns_records(ip_address, zone=None, view=None):
+    from netbox_dns.models import Zone, Record
+
+    if ip_address.dns_name == "":
+        return
+
+    if zone is None:
+        zones = get_zones(ip_address, view=view)
+
+        if not ip_address._state.adding:
+            for record in ip_address.netbox_dns_records.filter(zone__in=zones):
+                if not _match_data(ip_address, record):
+                    updated = record.update_from_ip_address(ip_address)
+
+                    if updated:
+                        record.clean()
+
+            zones = Zone.objects.filter(pk__in=[zone.pk for zone in zones]).exclude(
+                pk__in=set(ip_address.netbox_dns_records.values_list("zone", flat=True))
+            )
+
+        for zone in zones:
+            record = Record.create_from_ip_address(
+                ip_address,
+                zone,
+            )
+
+            if record is not None:
+                record.clean()
+
+    if ip_address._state.adding:
+        return
+
+    try:
+        new_zone = get_zones(ip_address, old_zone=zone)[0]
+    except IndexError:
+        return
+
+    for record in ip_address.netbox_dns_records.filter(zone=zone):
+        updated = record.update_from_ip_address(ip_address, new_zone)
+
+        if updated:
+            record.clean(new_zone=new_zone)
+
+
+def update_dns_records(ip_address, view=None, force=False):
+    from netbox_dns.models import Zone, Record
+
+    updated = False
+
+    if ip_address.dns_name == "":
+        return delete_dns_records(ip_address)
+
+    zones = get_zones(ip_address, view=view)
+
+    if not ip_address._state.adding:
+        if view is None:
+            address_records = ip_address.netbox_dns_records.all()
+        else:
+            address_records = ip_address.netbox_dns_records.filter(zone__view=view)
+
+        for record in address_records:
+            record.snapshot()
+
+            if record.zone not in zones or ip_address.custom_field_data.get(
+                "ipaddress_dns_disabled"
+            ):
+                record.delete()
+                updated = True
+                continue
+
+            record.update_fqdn()
+            updated, deleted = record.update_from_ip_address(ip_address)
+
+            if deleted:
+                record.delete()
+                updated = True
+            elif updated:
+                record.save()
+                updated = True
+
+        zones = Zone.objects.filter(pk__in=[zone.pk for zone in zones]).exclude(
+            pk__in=set(ip_address.netbox_dns_records.values_list("zone", flat=True))
+        )
+
+    for zone in zones:
+        record = Record.create_from_ip_address(
+            ip_address,
+            zone,
+        )
+
+        if record is not None:
+            record.save()
+            updated = True
+
+    return updated
+
+
+def delete_dns_records(ip_address, view=None):
+    from netbox_dns.models import Record
+
+    if current_request.get() is None:
+        address_records = ip_address.netbox_dns_records.all()
+    else:
+        # +
+        # This is a dirty hack made necessary by NetBox grand idea of manipulating
+        # objects in its event handling code, removing references to related objects
+        # in pre_delete() before our pre_delete() handler has the chance to handle
+        # them.
+        #
+        # TODO: Find something better. This is really awful.
+        # -
+        address_records = Record.objects.filter(
+            Q(
+                Q(ipam_ip_address=ip_address)
+                | Q(
+                    type__in=(RecordTypeChoices.A, RecordTypeChoices.AAAA),
+                    managed=True,
+                    ip_address=ip_address.address,
+                    ipam_ip_address__isnull=True,
+                )
+            ),
+        )
+
+    if view is not None:
+        address_records &= Record.objects.filter(zone__view=view)
+
+    if not address_records.exists():
+        return False
+
+    for record in address_records:
+        record.delete()
+
+    return True
+
+
+def get_views_by_prefix(prefix):
+    from netbox_dns.models import View
+
+    if (views := prefix.netbox_dns_views.all()).exists():
+        return views
+
+    if (parent := prefix.get_parents().filter(netbox_dns_views__isnull=False)).exists():
+        return parent.last().netbox_dns_views.all()
+
+    return View.objects.none()
+
+
+def get_ip_addresses_by_prefix(prefix, check_view=True):
+    """
+    Find all IPAddress objects that are in a given prefix, provided that prefix
+    is assigned to NetBox DNS view. IPAddress objects belonging to a sub-prefix
+    that is assigned to a NetBox DNS view itself are excluded, because the zones
+    that are relevant for them are depending on the view set of the sub-prefix.
+
+    If neither the prefix nor any parent prefix is assigned to a view, the list
+    of IPAddress objects returned is empty.
+    """
+    if check_view and not get_views_by_prefix(prefix):
+        return IPAddress.objects.none()
+
+    queryset = IPAddress.objects.filter(
+        vrf=prefix.vrf, address__net_host_contained=prefix.prefix
+    )
+
+    for exclude_child in (
+        prefix.get_children().filter(netbox_dns_views__isnull=False).distinct()
+    ):
+        queryset = queryset.exclude(
+            vrf=exclude_child.vrf,
+            address__net_host_contained=exclude_child.prefix,
+        )
+
+    return queryset
+
+
+def get_ip_addresses_by_view(view):
+    """
+    Find all IPAddress objects that are within prefixes that have a NetBox DNS
+    view assigned to them, or that inherit a view from their parent prefix.
+
+    Inheritance is defined recursively if the prefix is assigned to the view or
+    if it is a child prefix of the prefix that is not assigned to a view directly
+    or by inheritance.
+    """
+    queryset = IPAddress.objects.none()
+    for prefix in Prefix.objects.filter(netbox_dns_views__in=[view]):
+        sub_queryset = IPAddress.objects.filter(
+            vrf=prefix.vrf, address__net_host_contained=prefix.prefix
+        )
+        for exclude_child in prefix.get_children().exclude(
+            Q(netbox_dns_views__isnull=True) | Q(netbox_dns_views__in=[view])
+        ):
+            sub_queryset = sub_queryset.exclude(
+                vrf=exclude_child.vrf,
+                address__net_host_contained=exclude_child.prefix,
+            )
+        queryset |= sub_queryset
+
+    return queryset
+
+
+def get_ip_addresses_by_zone(zone):
+    """
+    Find all IPAddress objects that are relevant for a NetBox DNS zone. These
+    are the IPAddress objects in prefixes assigned to the same view, if the
+    'dns_name' attribute of the IPAddress object ends in the zone's name.
+    """
+    queryset = get_ip_addresses_by_view(zone.view).filter(
+        dns_name__regex=rf"\.{re.escape(zone.name)}\.?$"
+    )
+
+    return queryset
+
+
+def check_record_permission(add=True, change=True, delete=True):
+    checks = locals().copy()
+
+    request = current_request.get()
+
+    if request is None:
+        return True
+
+    return all(
+        (
+            request.user.has_perm(f"netbox_dns.{perm}_record")
+            for perm, check in checks.items()
+            if check
+        )
+    )
+
+
+def get_query_from_filter(ip_address_filter):
+    query = Q()
+
+    if not isinstance(ip_address_filter, list):
+        ip_address_filter = [ip_address_filter]
+
+    for condition in ip_address_filter:
+        if condition:
+            query |= Q(**condition)
+        else:
+            return Q()
+
+    return query
+
+
+def check_filter(ip_address, ip_address_filter):
+    query = get_query_from_filter(ip_address_filter)
+    against = ip_address._get_field_expression_map(meta=IPAddress._meta)
+
+    return query.check(against)

netbox_dns/validators/__init__.py

@@ -0,0 +1,4 @@
+from .dns_name import *
+from .dns_value import *
+from .rfc2317 import *
+from .dnssec import *

netbox_dns/validators/dns_name.py

@@ -0,0 +1,116 @@
+import re
+from socket import inet_aton
+
+from django.core.exceptions import ValidationError
+from django.utils.translation import gettext as _
+
+from netbox.plugins.utils import get_plugin_config
+
+
+__all__ = (
+    "validate_fqdn",
+    "validate_rname",
+    "validate_generic_name",
+    "validate_domain_name",
+)
+
+
+def _get_label(tolerate_leading_underscores=False, always_tolerant=False):
+    tolerate_characters = re.escape(
+        get_plugin_config("netbox_dns", "tolerate_characters_in_zone_labels", "")
+    )
+    label_characters = rf"a-z0-9{tolerate_characters}"
+
+    if always_tolerant:
+        label = r"[a-z0-9_][a-z0-9_-]*(?<![-_])"
+        zone_label = rf"[{label_characters}_][{label_characters}_-]*(?<![-_])"
+
+        return label, zone_label
+
+    tolerate_underscores = get_plugin_config(
+        "netbox_dns", "tolerate_underscores_in_labels"
+    )
+
+    if tolerate_leading_underscores:
+        if tolerate_underscores:
+            label = r"[a-z0-9_][a-z0-9_-]*(?<![-_])"
+            zone_label = rf"[{label_characters}_][{label_characters}_-]*(?<![-_])"
+        else:
+            label = r"[a-z0-9_][a-z0-9-]*(?<!-)"
+            zone_label = rf"[{label_characters}_][{label_characters}-]*(?<!-)"
+    elif tolerate_underscores:
+        label = r"[a-z0-9][a-z0-9_-]*(?<![-_])"
+        zone_label = rf"[{label_characters}][{label_characters}_-]*(?<![-_])"
+    else:
+        label = r"[a-z0-9][a-z0-9-]*(?<!-)"
+        zone_label = rf"[{label_characters}][{label_characters}-]*(?<!-)"
+
+    return label, zone_label
+
+
+def _has_invalid_double_dash(name):
+    return bool(re.findall(r"(^|\.)(?!xn)..--", name, re.IGNORECASE))
+
+
+def validate_fqdn(name, always_tolerant=False):
+    label, zone_label = _get_label(always_tolerant=always_tolerant)
+    regex = rf"^(\*|{label})(\.{zone_label})+\.?$"
+
+    if not re.match(regex, name, flags=re.IGNORECASE) or _has_invalid_double_dash(name):
+        raise ValidationError(
+            _("{name} is not a valid fully qualified DNS host name").format(name=name)
+        )
+
+
+def validate_rname(name, always_tolerant=False):
+    label, zone_label = _get_label(always_tolerant=always_tolerant)
+    regex = rf"^(\*|{label})(\\\.{label})*(\.{zone_label}){{2,}}\.?$"
+
+    if not re.match(regex, name, flags=re.IGNORECASE) or _has_invalid_double_dash(name):
+        raise ValidationError(_("{name} is not a valid RName").format(name=name))
+
+
+def validate_generic_name(
+    name, tolerate_leading_underscores=False, always_tolerant=False
+):
+    label, zone_label = _get_label(
+        tolerate_leading_underscores=tolerate_leading_underscores,
+        always_tolerant=always_tolerant,
+    )
+    regex = rf"^([*@]|(\*\.)?{label}(\.{zone_label})*\.?)$"
+
+    if not re.match(regex, name, flags=re.IGNORECASE) or _has_invalid_double_dash(name):
+        raise ValidationError(
+            _("{name} is not a valid DNS host name").format(name=name)
+        )
+
+
+def validate_domain_name(
+    name, always_tolerant=False, allow_empty_label=False, zone_name=False
+):
+    if name == "@" and allow_empty_label:
+        return
+
+    if name == "." and (
+        always_tolerant or get_plugin_config("netbox_dns", "enable_root_zones")
+    ):
+        return
+
+    try:
+        inet_aton(name)
+        raise ValidationError(
+            _("{name} is not a valid DNS domain name").format(name=name)
+        )
+    except OSError:
+        pass
+
+    label, zone_label = _get_label(always_tolerant=always_tolerant)
+    if zone_name:
+        regex = rf"^{zone_label}(\.{zone_label})*\.?$"
+    else:
+        regex = rf"^{label}(\.{zone_label})*\.?$"
+
+    if not re.match(regex, name, flags=re.IGNORECASE) or _has_invalid_double_dash(name):
+        raise ValidationError(
+            _("{name} is not a valid DNS domain name").format(name=name)
+        )

netbox_dns/validators/dns_value.py

@@ -0,0 +1,147 @@
+import re
+import textwrap
+
+from dns import rdata, name as dns_name
+from dns.exception import SyntaxError
+
+from django.core.exceptions import ValidationError
+from django.utils.translation import gettext as _
+
+from netbox.plugins.utils import get_plugin_config
+
+from netbox_dns.choices import RecordClassChoices, RecordTypeChoices
+from netbox_dns.validators import (
+    validate_fqdn,
+    validate_domain_name,
+    validate_generic_name,
+)
+
+MAX_TXT_LENGTH = 255
+
+__all__ = ("validate_record_value",)
+
+
+def validate_record_value(record):
+    def _validate_idn(name):
+        try:
+            name.to_unicode()
+        except dns_name.IDNAException as exc:
+            raise ValidationError(
+                "{name} is not a valid IDN: {error}.".format(
+                    name=name.to_text(), error=exc
+                )
+            )
+
+    def _split_text_value(value):
+        # +
+        # Text values longer than 255 characters need to be broken up for TXT and
+        # SPF records.
+        # First, in case they had been split into separate strings, reassemble the
+        # original (long) value, then split it into chunks of a maximum length of
+        # 255 (preferably at word boundaries), and then build a sequence of partial
+        # strings enclosed in double quotes and separated by space.
+        #
+        # See https://datatracker.ietf.org/doc/html/rfc4408#section-3.1.3 for details.
+        # -
+        raw_value = "".join(re.findall(r'"([^"]+)"', value))
+        if not raw_value:
+            raw_value = value
+
+        return " ".join(
+            f'"{part}"'
+            for part in textwrap.wrap(raw_value, MAX_TXT_LENGTH, drop_whitespace=False)
+        )
+
+    if record.type in (RecordTypeChoices.CUSTOM_TYPES):
+        return
+
+    if record.type in (RecordTypeChoices.TXT, RecordTypeChoices.SPF):
+        if not (record.value.isascii() and record.value.isprintable()):
+            raise ValidationError(
+                _(
+                    "Record value {value} for a type {type} record is not a printable ASCII string."
+                ).format(value=record.value, type=record.type)
+            )
+
+        if len(record.value) <= MAX_TXT_LENGTH:
+            return
+
+        try:
+            rr = rdata.from_text(RecordClassChoices.IN, record.type, record.value)
+        except SyntaxError as exc:
+            if str(exc) == "string too long":
+                record.value = _split_text_value(record.value)
+
+    try:
+        rr = rdata.from_text(RecordClassChoices.IN, record.type, record.value)
+    except SyntaxError as exc:
+        raise ValidationError(
+            _(
+                "Record value {value} is not a valid value for a {type} record: {error}."
+            ).format(value=record.value, type=record.type, error=exc)
+        )
+
+    skip_name_validation = record.type in get_plugin_config(
+        "netbox_dns", "tolerate_non_rfc1035_types", default=[]
+    )
+
+    match record.type:
+        case RecordTypeChoices.CNAME:
+            _validate_idn(rr.target)
+            if not skip_name_validation:
+                validate_domain_name(
+                    rr.target.to_text(),
+                    always_tolerant=True,
+                    allow_empty_label=True,
+                )
+
+        case (
+            RecordTypeChoices.NS
+            | RecordTypeChoices.HTTPS
+            | RecordTypeChoices.SRV
+            | RecordTypeChoices.SVCB
+        ):
+            _validate_idn(rr.target)
+            if not skip_name_validation:
+                validate_domain_name(rr.target.to_text(), always_tolerant=True)
+
+        case RecordTypeChoices.DNAME:
+            _validate_idn(rr.target)
+            if not skip_name_validation:
+                validate_domain_name(
+                    rr.target.to_text(), always_tolerant=True, zone_name=True
+                )
+
+        case RecordTypeChoices.PTR | RecordTypeChoices.NSAP_PTR:
+            _validate_idn(rr.target)
+            if not skip_name_validation:
+                validate_fqdn(rr.target.to_text(), always_tolerant=True)
+
+        case RecordTypeChoices.MX | RecordTypeChoices.RT | RecordTypeChoices.KX:
+            _validate_idn(rr.exchange)
+            if not skip_name_validation:
+                validate_domain_name(rr.exchange.to_text(), always_tolerant=True)
+
+        case RecordTypeChoices.NSEC:
+            _validate_idn(rr.next)
+            if not skip_name_validation:
+                validate_domain_name(rr.next.to_text(), always_tolerant=True)
+
+        case RecordTypeChoices.RP:
+            _validate_idn(rr.mbox)
+            _validate_idn(rr.txt)
+            if not skip_name_validation:
+                validate_domain_name(rr.mbox.to_text(), always_tolerant=True)
+                validate_domain_name(rr.txt.to_text(), always_tolerant=True)
+
+        case RecordTypeChoices.NAPTR:
+            _validate_idn(rr.replacement)
+            if not skip_name_validation:
+                validate_generic_name(rr.replacement.to_text(), always_tolerant=True)
+
+        case RecordTypeChoices.PX:
+            _validate_idn(rr.map822)
+            _validate_idn(rr.mapx400)
+            if not skip_name_validation:
+                validate_domain_name(rr.map822.to_text(), always_tolerant=True)
+                validate_domain_name(rr.mapx400.to_text(), always_tolerant=True)