Merge branch 'ScanPlusGmbH-ldap'

This commit is contained in:
Christian Mäder 2018-03-05 14:38:17 +01:00
commit b13617aff2
No known key found for this signature in database
GPG Key ID: 92FFD0A711F196BB
9 changed files with 211 additions and 16 deletions

View File

@ -19,12 +19,7 @@ after_script:
after_success: after_success:
- docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD" - docker login -u="$DOCKER_USERNAME" -p="$DOCKER_PASSWORD"
- if [ "$TRAVIS_BRANCH" = "master" -a "$TRAVIS_PULL_REQUEST" = "false" ]; then - ./build-all.sh --push
./build-branches.sh --push;
./build-latest.sh --push;
PRERELEASE=true ./build-latest.sh --push;
SRC_ORG=lampwins TAG=webhooks-backend ./build.sh "feature/webhooks-backend" --push;
fi
notifications: notifications:
slack: slack:

9
Dockerfile.ldap Normal file
View File

@ -0,0 +1,9 @@
ARG DOCKER_ORG=ninech
ARG DOCKER_REPO=netbox
ARG FROM_TAG=latest
FROM $DOCKER_ORG/$DOCKER_REPO:$FROM_TAG
RUN pip install django_auth_ldap
COPY docker/ldap_config.docker.py /opt/netbox/netbox/netbox/ldap_config.py
COPY configuration/ldap_config.py /etc/netbox/ldap_config.py

View File

@ -136,6 +136,10 @@ COPY startup_scripts/ /opt/netbox/startup_scripts/
COPY initializers/ /opt/netbox/initializers/ COPY initializers/ /opt/netbox/initializers/
``` ```
#### LDAP enabled variant
In the images tagged with "-ldap" you can authenticate netbox against an LDAP / AD server. The included ldap_config.py is configured to use an AD domain controller. The custom values can be injected with environment variables like those in the main configuration file.
### Production ### Production
The default settings are optimized for (local) development environments. The default settings are optimized for (local) development environments.

60
build-all.sh Executable file
View File

@ -0,0 +1,60 @@
#!/bin/bash
# Builds all Docker images this project provides
VARIANTS=("" "ldap")
if [ ! -z "${DEBUG}" ]; then
export DEBUG
fi
ERROR=0
# Don't build if not on `master` and don't build if on a pull request,
# but build when DEBUG is not empty
if [ ! -z "${DEBUG}" ] || \
( [ "$TRAVIS_BRANCH" = "master" ] && [ "$TRAVIS_PULL_REQUEST" = "false" ] ); then
for VARIANT in "${VARIANTS[@]}"; do
export VARIANT
# Checking which VARIANT to build
if [ -z "$VARIANT" ]; then
DOCKERFILE="Dockerfile"
else
DOCKERFILE="Dockerfile.${VARIANT}"
# Fail fast
if [ ! -f "${DOCKERFILE}" ]; then
echo "🚨 The Dockerfile '${DOCKERFILE}' for variant '${VARIANT}' doesn't exist."
ERROR=1
if [ -z "$DEBUG" ]; then
continue
else
echo "⚠️ Would skip this, but DEBUG is enabled."
fi
fi
fi
echo "🛠 Building '$DOCKERFILE'"
# build the latest release
# shellcheck disable=SC2068
./build-latest.sh $@
# build the latest pre-release
# shellcheck disable=SC2068
PRERELEASE=true ./build-latest.sh $@
# build all branches
# shellcheck disable=SC2068
./build-branches.sh $@
# special build
# shellcheck disable=SC2068
SRC_ORG=lampwins TAG=webhooks-backend ./build.sh "feature/webhooks-backend" $@
done
else
echo "❎ Not building anything."
fi
exit $ERROR

View File

@ -1,14 +1,15 @@
#!/bin/bash #!/bin/bash
# Builds all published branches
ORIGINAL_GITHUB_REPO="digitalocean/netbox" ORIGINAL_GITHUB_REPO="digitalocean/netbox"
GITHUB_REPO="${GITHUB_REPO-$ORIGINAL_GITHUB_REPO}" GITHUB_REPO="${GITHUB_REPO-$ORIGINAL_GITHUB_REPO}"
URL_RELEASES="https://api.github.com/repos/${GITHUB_REPO}/branches" URL_RELEASES="https://api.github.com/repos/${GITHUB_REPO}/branches"
CURL_OPTS="-s" CURL="curl -sS"
CURL="curl ${CURL_OPTS}"
BRANCHES=$($CURL "${URL_RELEASES}" | jq -r 'map(.name) | .[] | scan("^[^v].+")') BRANCHES=$($CURL "${URL_RELEASES}" | jq -r 'map(.name) | .[] | scan("^[^v].+")')
for BRANCH in $BRANCHES; do for BRANCH in $BRANCHES; do
# shellcheck disable=SC2068
./build.sh "${BRANCH}" $@ ./build.sh "${BRANCH}" $@
done done

View File

@ -1,4 +1,5 @@
#!/bin/bash #!/bin/bash
# Builds the latest released version
ORIGINAL_GITHUB_REPO="digitalocean/netbox" ORIGINAL_GITHUB_REPO="digitalocean/netbox"
GITHUB_REPO="${GITHUB_REPO-$ORIGINAL_GITHUB_REPO}" GITHUB_REPO="${GITHUB_REPO-$ORIGINAL_GITHUB_REPO}"
@ -6,25 +7,32 @@ URL_RELEASES="https://api.github.com/repos/${GITHUB_REPO}/releases"
JQ_LATEST="group_by(.prerelease) | .[] | sort_by(.published_at) | reverse | .[0] | select(.prerelease==${PRERELEASE-false}) | .tag_name" JQ_LATEST="group_by(.prerelease) | .[] | sort_by(.published_at) | reverse | .[0] | select(.prerelease==${PRERELEASE-false}) | .tag_name"
CURL_OPTS="-s" CURL="curl -sS"
CURL="curl ${CURL_OPTS}"
VERSION=$($CURL "${URL_RELEASES}" | jq -r "${JQ_LATEST}") VERSION=$($CURL "${URL_RELEASES}" | jq -r "${JQ_LATEST}")
# Check if the prerelease version is actually higher than stable version # Check if the prerelease version is actually higher than stable version
if [ "${PRERELEASE}" == "true" ]; then if [ "${PRERELEASE}" == "true" ]; then
JQ_STABLE="group_by(.prerelease) | .[] | sort_by(.published_at) | reverse | .[0] | select(.prerelease==false) | .tag_name" JQ_STABLE="group_by(.prerelease) | .[] | sort_by(.published_at) | reverse | .[0] | select(.prerelease==false) | .tag_name"
STABLE_VERSION=$(curl $CURL_OPTS "${URL_RELEASES}" | jq -r "${JQ_STABLE}") STABLE_VERSION=$($CURL "${URL_RELEASES}" | jq -r "${JQ_STABLE}")
# shellcheck disable=SC2003
MAJOR_STABLE=$(expr match "${STABLE_VERSION}" 'v\([0-9]\+\)') MAJOR_STABLE=$(expr match "${STABLE_VERSION}" 'v\([0-9]\+\)')
# shellcheck disable=SC2003
MINOR_STABLE=$(expr match "${STABLE_VERSION}" 'v[0-9]\+\.\([0-9]\+\)') MINOR_STABLE=$(expr match "${STABLE_VERSION}" 'v[0-9]\+\.\([0-9]\+\)')
# shellcheck disable=SC2003
MAJOR_UNSTABLE=$(expr match "${VERSION}" 'v\([0-9]\+\)') MAJOR_UNSTABLE=$(expr match "${VERSION}" 'v\([0-9]\+\)')
# shellcheck disable=SC2003
MINOR_UNSTABLE=$(expr match "${VERSION}" 'v[0-9]\+\.\([0-9]\+\)') MINOR_UNSTABLE=$(expr match "${VERSION}" 'v[0-9]\+\.\([0-9]\+\)')
if ( [ "$MAJOR_STABLE" -eq "$MAJOR_UNSTABLE" ] && [ "$MINOR_STABLE" -ge "$MINOR_UNSTABLE" ] ) \ if ( [ "$MAJOR_STABLE" -eq "$MAJOR_UNSTABLE" ] && [ "$MINOR_STABLE" -ge "$MINOR_UNSTABLE" ] ) \
|| [ "$MAJOR_STABLE" -gt "$MAJOR_UNSTABLE" ]; then || [ "$MAJOR_STABLE" -gt "$MAJOR_UNSTABLE" ]; then
echo "Latest unstable version ('$VERSION') is not higher than the latest stable version ('$STABLE_VERSION')." echo "❎ Latest unstable version ('$VERSION') is not higher than the latest stable version ('$STABLE_VERSION')."
exit 0 if [ -z "$DEBUG" ]; then
exit 0
else
echo "⚠️ Would exit here with code '0', but DEBUG is enabled."
fi
fi fi
fi fi
@ -39,6 +47,7 @@ AUTHORIZATION_HEADER="Authorization: Bearer ${BEARER_TOKEN}"
ALREADY_BUILT="$($CURL -H "${AUTHORIZATION_HEADER}" "${URL_DOCKERHUB_TAG}" | jq -e ".tags | any(.==\"${VERSION}\")")" ALREADY_BUILT="$($CURL -H "${AUTHORIZATION_HEADER}" "${URL_DOCKERHUB_TAG}" | jq -e ".tags | any(.==\"${VERSION}\")")"
if [ "$ALREADY_BUILT" == "false" ]; then if [ "$ALREADY_BUILT" == "false" ]; then
# shellcheck disable=SC2068
./build.sh "${VERSION}" $@ ./build.sh "${VERSION}" $@
else else
echo "${VERSION} already exists on https://hub.docker.com/r/${DOCKERHUB_REPO}" echo "${VERSION} already exists on https://hub.docker.com/r/${DOCKERHUB_REPO}"

View File

@ -1,4 +1,5 @@
#!/bin/bash #!/bin/bash
# Builds the Dockerfile[.variant] and injects tgz'ed Netbox code from Github
set -e set -e
@ -8,6 +9,8 @@ if [ "${1}x" == "x" ] || [ "${1}" == "--help" ] || [ "${1}" == "-h" ]; then
echo " --push Pushes built Docker image to docker hub." echo " --push Pushes built Docker image to docker hub."
echo "" echo ""
echo "You can use the following ENV variables to customize the build:" echo "You can use the following ENV variables to customize the build:"
echo " DEBUG If defined, the script does not stop when certain checks are unsatisfied."
echo " DRY_RUN Prints all build statements instead of running them."
echo " DOCKER_OPTS Add parameters to Docker." echo " DOCKER_OPTS Add parameters to Docker."
echo " Default:" echo " Default:"
echo " When <TAG> starts with 'v': \"\"" echo " When <TAG> starts with 'v': \"\""
@ -35,6 +38,17 @@ if [ "${1}x" == "x" ] || [ "${1}" == "--help" ] || [ "${1}" == "-h" ]; then
echo " URL Where to fetch the package from." echo " URL Where to fetch the package from."
echo " Must be a tar.gz file of the source code." echo " Must be a tar.gz file of the source code."
echo " Default: https://github.com/<SRC_ORG>/<SRC_REPO>/archive/\$BRANCH.tar.gz" echo " Default: https://github.com/<SRC_ORG>/<SRC_REPO>/archive/\$BRANCH.tar.gz"
echo " VARIANT The variant to build."
echo " The value will be used as a suffix to the \$TAG and for the Dockerfile"
echo " selection. The TAG being build must exist for the base variant and"
echo " corresponding Dockerfile must start with the following lines:"
echo " ARG DOCKER_ORG=ninech"
echo " ARG DOCKER_REPOT=netbox"
echo " ARG FROM_TAG=latest"
echo " FROM \$DOCKER_ORG/\$DOCKER_REPO:\$FROM_TAG"
echo " Example: VARIANT=ldap will result in the tag 'latest-ldap' and the"
echo " Dockerfile 'Dockerfile.ldap' being used."
echo " Default: empty"
if [ "${1}x" == "x" ]; then if [ "${1}x" == "x" ]; then
exit 1 exit 1
@ -70,15 +84,53 @@ case "${TAG}" in
CACHE="${CACHE---no-cache}";; CACHE="${CACHE---no-cache}";;
esac esac
# Checking which VARIANT to build
if [ -z "$VARIANT" ]; then
DOCKERFILE="Dockerfile"
else
DOCKERFILE="Dockerfile.${VARIANT}"
DOCKER_TAG="${DOCKER_TAG}-${VARIANT}"
# Fail fast
if [ ! -f "${DOCKERFILE}" ]; then
echo "🚨 The Dockerfile ${DOCKERFILE} for variant '${VARIANT}' doesn't exist."
if [ -z "$DEBUG" ]; then
exit 1
else
echo "⚠️ Would exit here with code '1', but DEBUG is enabled."
fi
fi
fi
# Docker options # Docker options
DOCKER_OPTS="${DOCKER_OPTS-$CACHE}" DOCKER_OPTS=(
"$CACHE"
--pull
)
# Build args
DOCKER_BUILD_ARGS=(
--build-arg "FROM_TAG=${TAG}"
--build-arg "BRANCH=${BRANCH}"
--build-arg "URL=${URL}"
--build-arg "DOCKER_ORG=${DOCKER_ORG}"
--build-arg "DOCKER_REPO=${DOCKER_REPO}"
)
if [ -z "$DRY_RUN" ]; then
DOCKER_CMD="docker"
else
echo "⚠️ DRY_RUN MODE ON ⚠️"
DOCKER_CMD="echo docker"
fi
echo "🐳 Building the Docker image '${DOCKER_TAG}' from the url '${URL}'." echo "🐳 Building the Docker image '${DOCKER_TAG}' from the url '${URL}'."
docker build -t "${DOCKER_TAG}" --build-arg "BRANCH=${BRANCH}" --build-arg "URL=${URL}" --pull ${DOCKER_OPTS} . $DOCKER_CMD build -t "${DOCKER_TAG}" "${DOCKER_BUILD_ARGS[@]}" "${DOCKER_OPTS[@]}" -f "${DOCKERFILE}" .
echo "✅ Finished building the Docker images '${DOCKER_TAG}'" echo "✅ Finished building the Docker images '${DOCKER_TAG}'"
if [ "${2}" == "--push" ] ; then if [ "${2}" == "--push" ] ; then
echo "⏫ Pushing '${DOCKER_TAG}" echo "⏫ Pushing '${DOCKER_TAG}"
docker push "${DOCKER_TAG}" $DOCKER_CMD push "${DOCKER_TAG}"
echo "✅ Finished pushing the Docker image '${DOCKER_TAG}'." echo "✅ Finished pushing the Docker image '${DOCKER_TAG}'."
fi fi

View File

@ -0,0 +1,55 @@
import ldap
import os
from django_auth_ldap.config import LDAPSearch, GroupOfNamesType
# Server URI
AUTH_LDAP_SERVER_URI = os.environ.get('AUTH_LDAP_SERVER_URI', '')
# The following may be needed if you are binding to Active Directory.
AUTH_LDAP_CONNECTION_OPTIONS = {
ldap.OPT_REFERRALS: 0
}
# Set the DN and password for the NetBox service account.
AUTH_LDAP_BIND_DN = os.environ.get('AUTH_LDAP_BIND_DN', '')
AUTH_LDAP_BIND_PASSWORD = os.environ.get('AUTH_LDAP_BIND_PASSWORD', '')
# Include this setting if you want to ignore certificate errors. This might be needed to accept a self-signed cert.
# Note that this is a NetBox-specific setting which sets:
# ldap.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_NEVER)
LDAP_IGNORE_CERT_ERRORS = True
AUTH_LDAP_USER_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_USER_SEARCH_BASEDN', ''),
ldap.SCOPE_SUBTREE,
"(sAMAccountName=%(user)s)")
# This search ought to return all groups to which the user belongs. django_auth_ldap uses this to determine group
# heirarchy.
AUTH_LDAP_GROUP_SEARCH = LDAPSearch(os.environ.get('AUTH_LDAP_GROUP_SEARCH_BASEDN', ''), ldap.SCOPE_SUBTREE,
"(objectClass=group)")
AUTH_LDAP_GROUP_TYPE = GroupOfNamesType()
# Define a group required to login.
AUTH_LDAP_REQUIRE_GROUP = os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', '')
# Define special user types using groups. Exercise great caution when assigning superuser status.
AUTH_LDAP_USER_FLAGS_BY_GROUP = {
"is_active": os.environ.get('AUTH_LDAP_REQUIRE_GROUP_DN', ''),
"is_staff": os.environ.get('AUTH_LDAP_IS_ADMIN_DN', ''),
"is_superuser": os.environ.get('AUTH_LDAP_IS_SUPERUSER_DN', '')
}
# For more granular permissions, we can map LDAP groups to Django groups.
AUTH_LDAP_FIND_GROUP_PERMS = True
# Cache groups for one hour to reduce LDAP traffic
AUTH_LDAP_CACHE_GROUPS = True
AUTH_LDAP_GROUP_CACHE_TIMEOUT = 3600
# Populate the Django user from the LDAP directory.
AUTH_LDAP_USER_ATTR_MAP = {
"first_name": os.environ.get('AUTH_LDAP_ATTR_FIRSTNAME', 'givenName'),
"last_name": os.environ.get('AUTH_LDAP_ATTR_LASTNAME', 'sn'),
"email": os.environ.get('AUTH_LDAP_ATTR_MAIL', 'mail')
}

View File

@ -0,0 +1,10 @@
import importlib.util
import sys
try:
spec = importlib.util.spec_from_file_location('ldap_config', '/etc/netbox/ldap_config.py')
module = importlib.util.module_from_spec(spec)
spec.loader.exec_module(module)
sys.modules['netbox.ldap_config'] = module
except:
raise ImportError('')