From 5d4ecb7f9e1de18d201afb3969f4499a5639168b Mon Sep 17 00:00:00 2001
From: ryanmerolle
Date: Tue, 20 Apr 2021 17:47:49 -0400
Subject: [PATCH] user, group, & permissions fix

---
 initializers/groups.yml | 38 +++-------------
 initializers/object_permissions.yml | 22 ++++++++++
 initializers/users.yml | 37 ++++++----------
 startup_scripts/000_users.py | 5 +--
 startup_scripts/010_groups.py | 22 ++++++----
 startup_scripts/015_object_permissions.py | 44 +++++++++++++++++++
 .../startup_script_utils/permissions.py | 22 ----------
 7 files changed, 100 insertions(+), 90 deletions(-)
 create mode 100644 initializers/object_permissions.yml
 create mode 100644 startup_scripts/015_object_permissions.py
 delete mode 100644 startup_scripts/startup_script_utils/permissions.py

diff --git a/initializers/groups.yml b/initializers/groups.yml
index b91ef39..45f4703 100644
--- a/initializers/groups.yml
+++ b/initializers/groups.yml
@@ -1,35 +1,9 @@
-## To list all permissions, run:
-##
-## docker-compose run --rm --entrypoint /bin/bash netbox
-## $ ./manage.py migrate
-## $ ./manage.py shell
-## > from django.contrib.auth.models import Permission
-## > print('\n'.join([p.codename for p in Permission.objects.all()]))
-##
-## Permission lists support wildcards. See the examples below.
-##
-## Examples:
-
-# applications:
+# - name: applications
 # users:
-# - technical_user
-# readers:
+# - technical_user
+# - name: readers
 # users:
-# - reader
-# writers:
+# - reader
+# - name: writers
 # users:
-# - writer
-# permissions:
-# - delete_device
-# - delete_virtualmachine
-# - add_*
-# - change_*
-# vm_managers:
-# permissions:
-# - '*_virtualmachine'
-# device_managers:
-# permissions:
-# - '*device*'
-# creators:
-# permissions:
-# - add_*
+# - writer
diff --git a/initializers/object_permissions.yml b/initializers/object_permissions.yml
new file mode 100644
index 0000000..5daa981
--- /dev/null
+++ b/initializers/object_permissions.yml
@@ -0,0 +1,22 @@
+#- name: all.ro
+# description: 'Read Only for All Objects'
+# enabled: true
+# # object_types: all
+# groups:
+# - applications
+# - readers
+# actions:
+# - view
+#- name: all.rw
+# description: 'Read/Write for All Objects'
+# enabled: true
+# # object_types: all
+# groups:
+# - writers
+# users:
+# - jdoe
+# actions:
+# - add
+# - change
+# - delete
+# - view
diff --git a/initializers/users.yml b/initializers/users.yml
index 2aea62e..5e0168d 100644
--- a/initializers/users.yml
+++ b/initializers/users.yml
@@ -1,23 +1,14 @@
-## To list all permissions, run:
-##
-## docker-compose run --rm --entrypoint /bin/bash netbox
-## $ ./manage.py migrate
-## $ ./manage.py shell
-## > from django.contrib.auth.models import Permission
-## > print('\n'.join([p.codename for p in Permission.objects.all()]))
-##
-## Permission lists support wildcards. See the examples below.
-##
-## Examples:
-
-# technical_user:
-# api_token: 0123456789technicaluser789abcdef01234567 # must be looooong!
-# reader:
-# password: reader
-# writer:
-# password: writer
-# permissions:
-# - delete_device
-# - delete_virtualmachine
-# - add_*
-# - change_*
+#- username: technical_user
+# api_token: 0123456789technicaluser789abcdef01234567 # must be looooong!
+#- username: reader
+# password: reader
+#- username: writer
+# password: writer
+#- username: jdoe
+# first_name: John
+# last_name: Doe
+# api_token: 0123456789jdoe789abcdef01234567jdoe
+# is_active: True
+# is_superuser: False
+# is_staff: False
+# email: john.doe@example.com
diff --git a/startup_scripts/000_users.py b/startup_scripts/000_users.py
index 66b8519..1435d81 100644
--- a/startup_scripts/000_users.py
+++ b/startup_scripts/000_users.py
@@ -1,7 +1,7 @@
 import sys
 from django.contrib.auth.models import User
-from startup_script_utils import load_yaml, set_permissions
+from startup_script_utils import load_yaml
 from users.models import Token
 users = load_yaml("/opt/netbox/initializers/users.yml")
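Review bot: users.yml is rewritten in this commit as a list of `- username:` entries, but 000_users.py still consumes it with `for username, user_details in users.items():` (the function context of this file's second hunk), and a list has no `.items()`, so the script will not accept the format the example file now documents. Either keep users.yml as a mapping keyed by username, or change the loop to `for params in users:` and read `username = params["username"]`, mirroring what 010_groups.py does with `params['name']`. The loop body lies outside this hunk.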
@@ -19,6 +19,3 @@ for username, user_details in users.items():
 if user_details.get("api_token", 0):
 Token.objects.create(user=user, key=user_details["api_token"])
-
- yaml_permissions = user_details.get("permissions", [])
- set_permissions(user.user_permissions, yaml_permissions)
diff --git a/startup_scripts/010_groups.py b/startup_scripts/010_groups.py
index 6726868..a17d004 100644
--- a/startup_scripts/010_groups.py
+++ b/startup_scripts/010_groups.py
@@ -1,23 +1,27 @@
 import sys
-from django.contrib.auth.models import Group, User
-from startup_script_utils import load_yaml, set_permissions
+from users.models import AdminGroup, AdminUser
+from startup_script_utils import load_yaml
 groups = load_yaml("/opt/netbox/initializers/groups.yml")
 if groups is None:
 sys.exit()
-for groupname, group_details in groups.items():
- group, created = Group.objects.get_or_create(name=groupname)
+for params in groups:
+ groupname=params['name']
+
+ group, created = AdminGroup.objects.get_or_create(
+ name=groupname
+ )
 if created:
 print("👥 Created group", groupname)
- for username in group_details.get("users", []):
- user = User.objects.get(username=username)
+ for username in params.get("users", []):
+ user = AdminUser.objects.get(username=username)
 if user:
- user.groups.add(group)
+ group.user_set.add(user)
+ print(" 👤 Assigned user %s to group %s" % (username, AdminGroup.name))
- yaml_permissions = group_details.get("permissions", [])
- set_permissions(group.permissions, yaml_permissions)
+ group.save()
diff --git a/startup_scripts/015_object_permissions.py b/startup_scripts/015_object_permissions.py
new file mode 100644
index 0000000..f2de75c
--- /dev/null
+++ b/startup_scripts/015_object_permissions.py
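Review bot: The new assignment message formats `AdminGroup.name`, which is the field attribute on the model class rather than the name of the group just handled, so the printed group name is wrong; the line should read `print("  👤 Assigned user %s to group %s" % (username, groupname))`. The `if user:` guard after `AdminUser.objects.get(username=username)` never skips anything, because `get()` raises `DoesNotExist` for an unknown username instead of returning a falsy value, so a typo in groups.yml aborts the whole startup with a traceback; catching `AdminUser.DoesNotExist` and printing which user is missing would make the check meaningful. `group.save()` after `get_or_create` and `user_set.add` persists nothing new, since both already write to the database, and `groupname=params['name']` lacks the spaces around `=` used elsewhere in the file. The same `if group:`/`if user:` after `.get()` pattern appears in the 015_object_permissions.py hunk.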
@@ -0,0 +1,44 @@
+import sys
+
+from users.models import ObjectPermission, AdminGroup, AdminUser
+from startup_script_utils import load_yaml
+from django.contrib.contenttypes.models import ContentType
+
+object_permissions = load_yaml("/opt/netbox/initializers/object_permissions.yml")
+
+if object_permissions is None:
+ sys.exit()
+
+
+for params in object_permissions:
+
+ object_permission, created = ObjectPermission.objects.get_or_create(
+ name=params['name'],
+ description=params['description'],
+ enabled=params['enabled'],
+ actions=params['actions']
+ )
+
+# Need to try to pass a list of model_name and app_label for more than just the current all objects.
+ #object_types = ContentType.objects.filter(app_label__in=params.pop("object_types"))
+ #object_permission.object_types.set(ContentType.objects.filter(app_label__in=params.pop("object_types")))
+ object_permission.object_types.set(ContentType.objects.all())
+ object_permission.save()
+
+ print("🔓 Created object permission", object_permission.name)
+
+ for groupname in params.get("groups", []):
+ group = AdminGroup.objects.get(name=groupname)
+
+ if group:
+ object_permission.groups.add(group)
+ print(" 👥 Assigned group %s object permission of %s" % (groupname, object_permission.name))
+
+ for username in params.get("users", []):
+ user = AdminUser.objects.get(username=username)
+
+ if user:
+ object_permission.users.add(user)
+ print(" 👤 Assigned user %s object permission of %s" % (username, object_permission.name))
+
+ object_permission.save()
diff --git a/startup_scripts/startup_script_utils/permissions.py b/startup_scripts/startup_script_utils/permissions.py
deleted file mode 100644
index 021b0b5..0000000
--- a/startup_scripts/startup_script_utils/permissions.py
+++ /dev/null
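Review bot: `object_permission.object_types.set(ContentType.objects.all())` grants every permission on every content type regardless of what object_permissions.yml declares, so the `object_types` key the example file hints at (and the two commented-out filter lines just above) is silently ignored and a permission written for one app becomes a global one. Honoring an explicit list of app labels, with the all-objects grant only for a missing key or the literal `all`, keeps the declared scope; the rewrite below does that with the same `app_label__in` filter the commented-out lines already use. Separately, `get_or_create` uses `description`, `enabled` and `actions` as lookup keys, so editing any of them in the YAML creates a second permission with the same name instead of updating the first — `name=params['name']` with the rest passed via `defaults=` avoids that — and the `🔓 Created object permission` line prints even when `created` is False.
```python
    # … unchanged: ObjectPermission.objects.get_or_create(...) …

    # Scope the permission to the app labels listed under object_types;
    # a missing key or the literal "all" keeps the previous all-objects grant.
    object_types = params.get("object_types", "all")
    if object_types == "all":
        content_types = ContentType.objects.all()
    else:
        content_types = ContentType.objects.filter(app_label__in=object_types)
    object_permission.object_types.set(content_types)
    # … unchanged: save, print, group and user assignment …
```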
@@ -1,22 +0,0 @@
-from django.contrib.auth.models import Permission
-
-
-def set_permissions(subject, permission_filters):
- if subject is None or permission_filters is None:
- return
- subject.clear()
- for permission_filter in permission_filters:
- if "*" in permission_filter:
- permission_filter_regex = "^" + permission_filter.replace("*", ".*") + "$"
- permissions = Permission.objects.filter(codename__iregex=permission_filter_regex)
- print(
- " ⚿ Granting",
- permissions.count(),
- "permissions matching '" + permission_filter + "'",
- )
- else:
- permissions = Permission.objects.filter(codename=permission_filter)
- print(" ⚿ Granting permission", permission_filter)
-
- for permission in permissions:
- subject.add(permission)