user, group, & permissions fix

2024-11-07 08:34:00 +01:00 · 2021-04-20 17:47:49 -04:00 · 2021-04-20 17:47:49 -04:00 · 5d4ecb7f9e
commit 5d4ecb7f9e
parent f2731d3fe6
7 changed files with 100 additions and 90 deletions
--- a/initializers/groups.yml
+++ b/initializers/groups.yml
@ -1,35 +1,9 @@
-## To list all permissions, run:
-## 
-## docker-compose run --rm --entrypoint /bin/bash netbox
-## $ ./manage.py migrate
-## $ ./manage.py shell
-## > from django.contrib.auth.models import Permission
-## > print('\n'.join([p.codename for p in Permission.objects.all()]))
-##
-## Permission lists support wildcards. See the examples below.
-##
-## Examples:
-
-# applications:
+# - name: applications
 #   users:
 #     - technical_user
-# readers:
+# - name: readers
 #   users:
 #     - reader
-# writers:
+# - name: writers
 #   users:
 #     - writer
-#   permissions:
-#   - delete_device
-#   - delete_virtualmachine
-#   - add_*
-#   - change_*
-# vm_managers:
-#   permissions:
-#   - '*_virtualmachine'
-# device_managers:
-#   permissions:
-#   - '*device*'
-# creators:
-#   permissions:
-#   - add_*
--- a/initializers/object_permissions.yml
+++ b/initializers/object_permissions.yml
@ -0,0 +1,22 @@
+#- name: all.ro
+#  description: 'Read Only for All Objects'
+#  enabled: true
+#  # object_types: all
+#  groups:
+#    - applications
+#    - readers
+#  actions:
+#    - view
+#- name: all.rw
+#  description: 'Read/Write for All Objects'
+#  enabled: true
+#  # object_types: all
+#  groups:
+#    - writers
+#  users:
+#    - jdoe
+#  actions:
+#    - add
+#    - change
+#    - delete
+#    - view
--- a/initializers/users.yml
+++ b/initializers/users.yml
@ -1,23 +1,14 @@
-## To list all permissions, run:
-## 
-## docker-compose run --rm --entrypoint /bin/bash netbox
-## $ ./manage.py migrate
-## $ ./manage.py shell
-## > from django.contrib.auth.models import Permission
-## > print('\n'.join([p.codename for p in Permission.objects.all()]))
-##
-## Permission lists support wildcards. See the examples below.
-##
-## Examples:
-
-# technical_user:
+#- username: technical_user
 #  api_token: 0123456789technicaluser789abcdef01234567 # must be looooong!
-# reader:
+#- username: reader
 #  password: reader
-# writer:
+#- username: writer
 #  password: writer
-#   permissions:
-#   - delete_device
-#   - delete_virtualmachine
-#   - add_*
-#   - change_*
+#- username: jdoe
+#  first_name: John
+#  last_name: Doe
+#  api_token: 0123456789jdoe789abcdef01234567jdoe
+#  is_active: True
+#  is_superuser: False
+#  is_staff: False
+#  email: john.doe@example.com
--- a/startup_scripts/000_users.py
+++ b/startup_scripts/000_users.py
@ -1,7 +1,7 @@
 import sys

 from django.contrib.auth.models import User
-from startup_script_utils import load_yaml, set_permissions
+from startup_script_utils import load_yaml
 from users.models import Token

 users = load_yaml("/opt/netbox/initializers/users.yml")
@ -19,6 +19,3 @@ for username, user_details in users.items():

        if user_details.get("api_token", 0):
            Token.objects.create(user=user, key=user_details["api_token"])
-
-        yaml_permissions = user_details.get("permissions", [])
-        set_permissions(user.user_permissions, yaml_permissions)
--- a/startup_scripts/010_groups.py
+++ b/startup_scripts/010_groups.py
@ -1,23 +1,27 @@
 import sys

-from django.contrib.auth.models import Group, User
-from startup_script_utils import load_yaml, set_permissions
+from users.models import AdminGroup, AdminUser
+from startup_script_utils import load_yaml

 groups = load_yaml("/opt/netbox/initializers/groups.yml")
 if groups is None:
    sys.exit()

-for groupname, group_details in groups.items():
-    group, created = Group.objects.get_or_create(name=groupname)
+for params in groups:
+    groupname=params['name']
+
+    group, created = AdminGroup.objects.get_or_create(
+        name=groupname
+    )

    if created:
        print("👥 Created group", groupname)

-    for username in group_details.get("users", []):
-        user = User.objects.get(username=username)
+    for username in params.get("users", []):
+        user = AdminUser.objects.get(username=username)

        if user:
-            user.groups.add(group)
+            group.user_set.add(user)
+            print(" 👤 Assigned user %s to group %s" % (username, AdminGroup.name))

-    yaml_permissions = group_details.get("permissions", [])
-    set_permissions(group.permissions, yaml_permissions)
+    group.save()
--- a/startup_scripts/015_object_permissions.py
+++ b/startup_scripts/015_object_permissions.py
@ -0,0 +1,44 @@
+import sys
+
+from users.models import ObjectPermission, AdminGroup, AdminUser
+from startup_script_utils import load_yaml
+from django.contrib.contenttypes.models import ContentType
+
+object_permissions = load_yaml("/opt/netbox/initializers/object_permissions.yml")
+
+if object_permissions is None:
+    sys.exit()
+
+
+for params in object_permissions:
+
+    object_permission, created = ObjectPermission.objects.get_or_create(
+        name=params['name'],
+        description=params['description'],
+        enabled=params['enabled'],
+        actions=params['actions']
+    )
+
+# Need to try to pass a list of model_name and app_label for more than just the current all objects.
+    #object_types = ContentType.objects.filter(app_label__in=params.pop("object_types"))
+    #object_permission.object_types.set(ContentType.objects.filter(app_label__in=params.pop("object_types")))
+    object_permission.object_types.set(ContentType.objects.all())
+    object_permission.save()
+
+    print("🔓 Created object permission", object_permission.name)
+
+    for groupname in params.get("groups", []):
+        group = AdminGroup.objects.get(name=groupname)
+
+        if group:
+            object_permission.groups.add(group)
+            print(" 👥 Assigned group %s object permission of %s" % (groupname, object_permission.name))
+
+    for username in params.get("users", []):
+        user = AdminUser.objects.get(username=username)
+
+        if user:
+            object_permission.users.add(user)
+            print(" 👤 Assigned user %s object permission of %s" % (username, object_permission.name))
+
+    object_permission.save()
--- a/startup_scripts/startup_script_utils/permissions.py
+++ b/startup_scripts/startup_script_utils/permissions.py
@ -1,22 +0,0 @@
-from django.contrib.auth.models import Permission
-
-
-def set_permissions(subject, permission_filters):
-    if subject is None or permission_filters is None:
-        return
-    subject.clear()
-    for permission_filter in permission_filters:
-        if "*" in permission_filter:
-            permission_filter_regex = "^" + permission_filter.replace("*", ".*") + "$"
-            permissions = Permission.objects.filter(codename__iregex=permission_filter_regex)
-            print(
-                "  ⚿ Granting",
-                permissions.count(),
-                "permissions matching '" + permission_filter + "'",
-            )
-        else:
-            permissions = Permission.objects.filter(codename=permission_filter)
-            print("  ⚿ Granting permission", permission_filter)
-
-        for permission in permissions:
-            subject.add(permission)