From 6d4da98b8e77514f7ac1ef0b1cc1ca1a49778932 Mon Sep 17 00:00:00 2001 From: grossmj Date: Tue, 25 May 2021 18:34:59 +0930 Subject: [PATCH 1/9] Base API and tables for RBAC support. --- gns3server/api/routes/controller/__init__.py | 80 ++++--- gns3server/api/routes/controller/groups.py | 59 ++++++ .../api/routes/controller/permissions.py | 122 +++++++++++ gns3server/api/routes/controller/roles.py | 178 ++++++++++++++++ gns3server/db/models/__init__.py | 2 + gns3server/db/models/base.py | 35 +++- gns3server/db/models/permissions.py | 45 ++++ gns3server/db/models/roles.py | 59 ++++++ gns3server/db/models/users.py | 23 +- gns3server/db/repositories/rbac.py | 196 ++++++++++++++++++ gns3server/db/repositories/users.py | 48 +++++ gns3server/schemas/__init__.py | 1 + gns3server/schemas/controller/rbac.py | 120 +++++++++++ tests/api/routes/controller/test_groups.py | 84 ++++++++ tests/api/routes/controller/test_roles.py | 186 +++++++++++++++++ 15 files changed, 1196 insertions(+), 42 deletions(-) create mode 100644 gns3server/api/routes/controller/permissions.py create mode 100644 gns3server/api/routes/controller/roles.py create mode 100644 gns3server/db/models/permissions.py create mode 100644 gns3server/db/models/roles.py create mode 100644 gns3server/db/repositories/rbac.py create mode 100644 gns3server/schemas/controller/rbac.py create mode 100644 tests/api/routes/controller/test_roles.py diff --git a/gns3server/api/routes/controller/__init__.py b/gns3server/api/routes/controller/__init__.py index 9a2dc526..976fe8a3 100644 --- a/gns3server/api/routes/controller/__init__.py +++ b/gns3server/api/routes/controller/__init__.py @@ -30,6 +30,8 @@ from . import symbols from . import templates from . import users from . import groups +from . import roles +from . import permissions from .dependencies.authentication import get_current_active_user @@ -46,31 +48,36 @@ router.include_router( ) router.include_router( - appliances.router, + roles.router, dependencies=[Depends(get_current_active_user)], - prefix="/appliances", - tags=["Appliances"] + prefix="/roles", + tags=["Roles"] ) router.include_router( - computes.router, + roles.router, dependencies=[Depends(get_current_active_user)], - prefix="/computes", - tags=["Computes"] + prefix="/permissions", + tags=["Permissions"] ) router.include_router( - drawings.router, + templates.router, dependencies=[Depends(get_current_active_user)], - prefix="/projects/{project_id}/drawings", - tags=["Drawings"]) + tags=["Templates"] +) router.include_router( - gns3vm.router, - deprecated=True, + projects.router, dependencies=[Depends(get_current_active_user)], - prefix="/gns3vm", - tags=["GNS3 VM"] + prefix="/projects", + tags=["Projects"]) + +router.include_router( + nodes.router, + dependencies=[Depends(get_current_active_user)], + prefix="/projects/{project_id}/nodes", + tags=["Nodes"] ) router.include_router( @@ -81,10 +88,28 @@ router.include_router( ) router.include_router( - nodes.router, + drawings.router, dependencies=[Depends(get_current_active_user)], - prefix="/projects/{project_id}/nodes", - tags=["Nodes"] + prefix="/projects/{project_id}/drawings", + tags=["Drawings"]) + +router.include_router( + symbols.router, + dependencies=[Depends(get_current_active_user)], + prefix="/symbols", tags=["Symbols"] +) + +router.include_router( + snapshots.router, + dependencies=[Depends(get_current_active_user)], + prefix="/projects/{project_id}/snapshots", + tags=["Snapshots"]) + +router.include_router( + computes.router, + dependencies=[Depends(get_current_active_user)], + prefix="/computes", + tags=["Computes"] ) router.include_router( @@ -94,25 +119,16 @@ router.include_router( tags=["Notifications"]) router.include_router( - projects.router, + appliances.router, dependencies=[Depends(get_current_active_user)], - prefix="/projects", - tags=["Projects"]) - -router.include_router( - snapshots.router, - dependencies=[Depends(get_current_active_user)], - prefix="/projects/{project_id}/snapshots", - tags=["Snapshots"]) - -router.include_router( - symbols.router, - dependencies=[Depends(get_current_active_user)], - prefix="/symbols", tags=["Symbols"] + prefix="/appliances", + tags=["Appliances"] ) router.include_router( - templates.router, + gns3vm.router, + deprecated=True, dependencies=[Depends(get_current_active_user)], - tags=["Templates"] + prefix="/gns3vm", + tags=["GNS3 VM"] ) diff --git a/gns3server/api/routes/controller/groups.py b/gns3server/api/routes/controller/groups.py index b3a96f66..d27fc43b 100644 --- a/gns3server/api/routes/controller/groups.py +++ b/gns3server/api/routes/controller/groups.py @@ -31,6 +31,7 @@ from gns3server.controller.controller_error import ( ) from gns3server.db.repositories.users import UsersRepository +from gns3server.db.repositories.rbac import RbacRepository from .dependencies.database import get_repository import logging @@ -182,3 +183,61 @@ async def remove_member_from_group( user_group = await users_repo.remove_member_from_user_group(user_group_id, user) if not user_group: raise ControllerNotFoundError(f"User group '{user_group_id}' not found") + + +@router.get("/{user_group_id}/roles", response_model=List[schemas.Role]) +async def get_user_group_roles( + user_group_id: UUID, + users_repo: UsersRepository = Depends(get_repository(UsersRepository)) +) -> List[schemas.Role]: + """ + Get all user group roles. + """ + + return await users_repo.get_user_group_roles(user_group_id) + + +@router.put( + "/{user_group_id}/roles/{role_id}", + status_code=status.HTTP_204_NO_CONTENT +) +async def add_role_to_group( + user_group_id: UUID, + role_id: UUID, + users_repo: UsersRepository = Depends(get_repository(UsersRepository)), + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> None: + """ + Add role to an user group. + """ + + role = await rbac_repo.get_role(role_id) + if not role: + raise ControllerNotFoundError(f"Role '{role_id}' not found") + + user_group = await users_repo.add_role_to_user_group(user_group_id, role) + if not user_group: + raise ControllerNotFoundError(f"User group '{user_group_id}' not found") + + +@router.delete( + "/{user_group_id}/roles/{role_id}", + status_code=status.HTTP_204_NO_CONTENT +) +async def remove_role_from_group( + user_group_id: UUID, + role_id: UUID, + users_repo: UsersRepository = Depends(get_repository(UsersRepository)), + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> None: + """ + Remove role from an user group. + """ + + role = await rbac_repo.get_role(role_id) + if not role: + raise ControllerNotFoundError(f"Role '{role_id}' not found") + + user_group = await users_repo.remove_role_from_user_group(user_group_id, role) + if not user_group: + raise ControllerNotFoundError(f"User group '{user_group_id}' not found") diff --git a/gns3server/api/routes/controller/permissions.py b/gns3server/api/routes/controller/permissions.py new file mode 100644 index 00000000..bff7e180 --- /dev/null +++ b/gns3server/api/routes/controller/permissions.py @@ -0,0 +1,122 @@ +#!/usr/bin/env python +# +# Copyright (C) 2021 GNS3 Technologies Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +""" +API routes for permissions. +""" + +from fastapi import APIRouter, Depends, status +from uuid import UUID +from typing import List + +from gns3server import schemas +from gns3server.controller.controller_error import ( + ControllerBadRequestError, + ControllerNotFoundError, + ControllerForbiddenError, +) + +from gns3server.db.repositories.rbac import RbacRepository +from .dependencies.database import get_repository + +import logging + +log = logging.getLogger(__name__) + +router = APIRouter() + + +@router.get("", response_model=List[schemas.Permission]) +async def get_permissions( + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> List[schemas.Permission]: + """ + Get all permissions. + """ + + return await rbac_repo.get_permissions() + + +@router.post("", response_model=schemas.Permission, status_code=status.HTTP_201_CREATED) +async def create_permission( + permission_create: schemas.PermissionCreate, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> schemas.Permission: + """ + Create a new permission. + """ + + # if await rbac_repo.get_role_by_path(role_create.name): + # raise ControllerBadRequestError(f"Role '{role_create.name}' already exists") + + return await rbac_repo.create_permission(permission_create) + + +@router.get("/{permission_id}", response_model=schemas.Permission) +async def get_permission( + permission_id: UUID, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)), +) -> schemas.Permission: + """ + Get a permission. + """ + + permission = await rbac_repo.get_permission(permission_id) + if not permission: + raise ControllerNotFoundError(f"Permission '{permission_id}' not found") + return permission + + +@router.put("/{permission_id}", response_model=schemas.Permission) +async def update_permission( + permission_id: UUID, + permission_update: schemas.PermissionUpdate, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> schemas.Permission: + """ + Update a permission. + """ + + permission = await rbac_repo.get_permission(permission_id) + if not permission: + raise ControllerNotFoundError(f"Permission '{permission_id}' not found") + + #if not user_group.is_updatable: + # raise ControllerForbiddenError(f"User group '{user_group_id}' cannot be updated") + + return await rbac_repo.update_permission(permission_id, permission_update) + + +@router.delete("/{permission_id}", status_code=status.HTTP_204_NO_CONTENT) +async def delete_permission( + permission_id: UUID, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)), +) -> None: + """ + Delete a permission. + """ + + permission = await rbac_repo.get_permission(permission_id) + if not permission: + raise ControllerNotFoundError(f"Permission '{permission_id}' not found") + + #if not user_group.is_updatable: + # raise ControllerForbiddenError(f"User group '{user_group_id}' cannot be deleted") + + success = await rbac_repo.delete_permission(permission_id) + if not success: + raise ControllerNotFoundError(f"Permission '{permission_id}' could not be deleted") diff --git a/gns3server/api/routes/controller/roles.py b/gns3server/api/routes/controller/roles.py new file mode 100644 index 00000000..280c0cef --- /dev/null +++ b/gns3server/api/routes/controller/roles.py @@ -0,0 +1,178 @@ +#!/usr/bin/env python +# +# Copyright (C) 2021 GNS3 Technologies Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +""" +API routes for roles. +""" + +from fastapi import APIRouter, Depends, status +from uuid import UUID +from typing import List + +from gns3server import schemas +from gns3server.controller.controller_error import ( + ControllerBadRequestError, + ControllerNotFoundError, + ControllerForbiddenError, +) + +from gns3server.db.repositories.rbac import RbacRepository +from .dependencies.database import get_repository + +import logging + +log = logging.getLogger(__name__) + +router = APIRouter() + + +@router.get("", response_model=List[schemas.Role]) +async def get_roles( + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> List[schemas.Role]: + """ + Get all roles. + """ + + return await rbac_repo.get_roles() + + +@router.post("", response_model=schemas.Role, status_code=status.HTTP_201_CREATED) +async def create_role( + role_create: schemas.RoleCreate, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> schemas.Role: + """ + Create a new role. + """ + + if await rbac_repo.get_role_by_name(role_create.name): + raise ControllerBadRequestError(f"Role '{role_create.name}' already exists") + + return await rbac_repo.create_role(role_create) + + +@router.get("/{role_id}", response_model=schemas.Role) +async def get_role( + role_id: UUID, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)), +) -> schemas.Role: + """ + Get a role. + """ + + role = await rbac_repo.get_role(role_id) + if not role: + raise ControllerNotFoundError(f"Role '{role_id}' not found") + return role + + +@router.put("/{role_id}", response_model=schemas.Role) +async def update_role( + role_id: UUID, + role_update: schemas.RoleUpdate, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> schemas.Role: + """ + Update a role. + """ + + role = await rbac_repo.get_role(role_id) + if not role: + raise ControllerNotFoundError(f"Role '{role_id}' not found") + + #if not user_group.is_updatable: + # raise ControllerForbiddenError(f"User group '{user_group_id}' cannot be updated") + + return await rbac_repo.update_role(role_id, role_update) + + +@router.delete("/{role_id}", status_code=status.HTTP_204_NO_CONTENT) +async def delete_role( + role_id: UUID, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)), +) -> None: + """ + Delete a role. + """ + + role = await rbac_repo.get_role(role_id) + if not role: + raise ControllerNotFoundError(f"Role '{role_id}' not found") + + #if not user_group.is_updatable: + # raise ControllerForbiddenError(f"User group '{user_group_id}' cannot be deleted") + + success = await rbac_repo.delete_role(role_id) + if not success: + raise ControllerNotFoundError(f"Role '{role_id}' could not be deleted") + + +@router.get("/{role_id}/permissions", response_model=List[schemas.Permission]) +async def get_role_permissions( + role_id: UUID, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> List[schemas.Permission]: + """ + Get all role permissions. + """ + + return await rbac_repo.get_role_permissions(role_id) + + +@router.put( + "/{role_id}/permissions/{permission_id}", + status_code=status.HTTP_204_NO_CONTENT +) +async def add_permission_to_role( + role_id: UUID, + permission_id: UUID, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> None: + """ + Add a permission to a role. + """ + + permission = await rbac_repo.get_permission(permission_id) + if not permission: + raise ControllerNotFoundError(f"Permission '{permission_id}' not found") + + role = await rbac_repo.add_permission_to_role(role_id, permission) + if not role: + raise ControllerNotFoundError(f"Role '{role_id}' not found") + + +@router.delete( + "/{role_id}/permissions/{permission_id}", + status_code=status.HTTP_204_NO_CONTENT +) +async def remove_permission_from_role( + role_id: UUID, + permission_id: UUID, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)), +) -> None: + """ + Remove member from an user group. + """ + + permission = await rbac_repo.get_permission(permission_id) + if not permission: + raise ControllerNotFoundError(f"Permission '{permission_id}' not found") + + role = await rbac_repo.remove_permission_from_role(role_id, permission) + if not role: + raise ControllerNotFoundError(f"Role '{role_id}' not found") diff --git a/gns3server/db/models/__init__.py b/gns3server/db/models/__init__.py index 1c644f72..ed5f7ead 100644 --- a/gns3server/db/models/__init__.py +++ b/gns3server/db/models/__init__.py @@ -17,6 +17,8 @@ from .base import Base from .users import User, UserGroup +from .roles import Role +from .permissions import Permission from .computes import Compute from .templates import ( Template, diff --git a/gns3server/db/models/base.py b/gns3server/db/models/base.py index 1dbae1af..731a4547 100644 --- a/gns3server/db/models/base.py +++ b/gns3server/db/models/base.py @@ -19,7 +19,7 @@ import uuid from fastapi.encoders import jsonable_encoder from sqlalchemy import Column, DateTime, func, inspect -from sqlalchemy.types import TypeDecorator, CHAR +from sqlalchemy.types import TypeDecorator, CHAR, VARCHAR from sqlalchemy.dialects.postgresql import UUID from sqlalchemy.ext.declarative import as_declarative @@ -72,6 +72,37 @@ class GUID(TypeDecorator): return value +class ListException(Exception): + pass + + +class ListType(TypeDecorator): + """ + Save/restore a Python list to/from a database column. + """ + + impl = VARCHAR + cache_ok = True + + def __init__(self, separator=',', *args, **kwargs): + + self._separator = separator + super().__init__(*args, **kwargs) + + def process_bind_param(self, value, dialect): + if value is not None: + if any(self._separator in str(item) for item in value): + raise ListException(f"List values cannot contain '{self._separator}'" + f"Please use a different separator.") + return self._separator.join(map(str, value)) + + def process_result_value(self, value, dialect): + if value is None: + return [] + else: + return list(map(str, value.split(self._separator))) + + class BaseTable(Base): __abstract__ = True @@ -79,6 +110,8 @@ class BaseTable(Base): created_at = Column(DateTime, server_default=func.current_timestamp()) updated_at = Column(DateTime, server_default=func.current_timestamp(), onupdate=func.current_timestamp()) + __mapper_args__ = {"eager_defaults": True} + def generate_uuid(): return str(uuid.uuid4()) diff --git a/gns3server/db/models/permissions.py b/gns3server/db/models/permissions.py new file mode 100644 index 00000000..046815b1 --- /dev/null +++ b/gns3server/db/models/permissions.py @@ -0,0 +1,45 @@ +#!/usr/bin/env python +# +# Copyright (C) 2021 GNS3 Technologies Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sqlalchemy import Table, Column, String, ForeignKey, Boolean +from sqlalchemy.orm import relationship + +from .base import Base, BaseTable, generate_uuid, GUID, ListType + +import logging + +log = logging.getLogger(__name__) + + +permission_role_link = Table( + "permissions_roles_link", + Base.metadata, + Column("permission_id", GUID, ForeignKey("permissions.permission_id", ondelete="CASCADE")), + Column("role_id", GUID, ForeignKey("roles.role_id", ondelete="CASCADE")) + +) + + +class Permission(BaseTable): + + __tablename__ = "permissions" + + permission_id = Column(GUID, primary_key=True, default=generate_uuid) + methods = Column(ListType) + path = Column(String) + action = Column(String) + roles = relationship("Role", secondary=permission_role_link, back_populates="permissions") diff --git a/gns3server/db/models/roles.py b/gns3server/db/models/roles.py new file mode 100644 index 00000000..db34052c --- /dev/null +++ b/gns3server/db/models/roles.py @@ -0,0 +1,59 @@ +#!/usr/bin/env python +# +# Copyright (C) 2021 GNS3 Technologies Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from sqlalchemy import Table, Column, String, Boolean, ForeignKey, event +from sqlalchemy.orm import relationship + +from .base import Base, BaseTable, generate_uuid, GUID +from .permissions import permission_role_link + +import logging + +log = logging.getLogger(__name__) + +role_group_link = Table( + "roles_groups_link", + Base.metadata, + Column("role_id", GUID, ForeignKey("roles.role_id", ondelete="CASCADE")), + Column("user_group_id", GUID, ForeignKey("user_groups.user_group_id", ondelete="CASCADE")) +) + + +class Role(BaseTable): + + __tablename__ = "roles" + + role_id = Column(GUID, primary_key=True, default=generate_uuid) + name = Column(String) + description = Column(String) + is_updatable = Column(Boolean, default=True) + permissions = relationship("Permission", secondary=permission_role_link, back_populates="roles") + groups = relationship("UserGroup", secondary=role_group_link, back_populates="roles") + + +@event.listens_for(Role.__table__, 'after_create') +def create_default_roles(target, connection, **kw): + + default_roles = [ + {"name": "Administrator", "description": "Administrator role", "is_updatable": False}, + {"name": "User", "description": "User role", "is_updatable": False}, + ] + + stmt = target.insert().values(default_roles) + connection.execute(stmt) + connection.commit() + log.info("The default roles have been created in the database") diff --git a/gns3server/db/models/users.py b/gns3server/db/models/users.py index 046ec5c4..99fbd144 100644 --- a/gns3server/db/models/users.py +++ b/gns3server/db/models/users.py @@ -19,6 +19,8 @@ from sqlalchemy import Table, Boolean, Column, String, ForeignKey, event from sqlalchemy.orm import relationship from .base import Base, BaseTable, generate_uuid, GUID +from .roles import role_group_link + from gns3server.config import Config from gns3server.services import auth_service @@ -26,11 +28,11 @@ import logging log = logging.getLogger(__name__) -users_group_members = Table( - "users_group_members", +user_group_link = Table( + "users_groups_link", Base.metadata, Column("user_id", GUID, ForeignKey("users.user_id", ondelete="CASCADE")), - Column("user_group_id", GUID, ForeignKey("users_group.user_group_id", ondelete="CASCADE")) + Column("user_group_id", GUID, ForeignKey("user_groups.user_group_id", ondelete="CASCADE")) ) @@ -45,7 +47,9 @@ class User(BaseTable): hashed_password = Column(String) is_active = Column(Boolean, default=True) is_superadmin = Column(Boolean, default=False) - groups = relationship("UserGroup", secondary=users_group_members, back_populates="users") + groups = relationship("UserGroup", secondary=user_group_link, back_populates="users") + permission_id = Column(GUID, ForeignKey('permissions.permission_id', ondelete="CASCADE")) + permissions = relationship("Permission") @event.listens_for(User.__table__, 'after_create') @@ -68,12 +72,13 @@ def create_default_super_admin(target, connection, **kw): class UserGroup(BaseTable): - __tablename__ = "users_group" + __tablename__ = "user_groups" user_group_id = Column(GUID, primary_key=True, default=generate_uuid) name = Column(String, unique=True, index=True) is_updatable = Column(Boolean, default=True) - users = relationship("User", secondary=users_group_members, back_populates="groups") + users = relationship("User", secondary=user_group_link, back_populates="groups") + roles = relationship("Role", secondary=role_group_link, back_populates="groups") @event.listens_for(UserGroup.__table__, 'after_create') @@ -91,11 +96,11 @@ def create_default_user_groups(target, connection, **kw): log.info("The default user groups have been created in the database") -@event.listens_for(users_group_members, 'after_create') +@event.listens_for(user_group_link, 'after_create') def add_admin_to_group(target, connection, **kw): - users_group_table = UserGroup.__table__ - stmt = users_group_table.select().where(users_group_table.c.name == "Administrators") + user_groups_table = UserGroup.__table__ + stmt = user_groups_table.select().where(user_groups_table.c.name == "Administrators") result = connection.execute(stmt) user_group_id = result.first().user_group_id diff --git a/gns3server/db/repositories/rbac.py b/gns3server/db/repositories/rbac.py new file mode 100644 index 00000000..4e95eb08 --- /dev/null +++ b/gns3server/db/repositories/rbac.py @@ -0,0 +1,196 @@ +#!/usr/bin/env python +# +# Copyright (C) 2020 GNS3 Technologies Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from uuid import UUID +from typing import Optional, List, Union +from sqlalchemy import select, update, delete +from sqlalchemy.ext.asyncio import AsyncSession +from sqlalchemy.orm import selectinload + +from .base import BaseRepository + +import gns3server.db.models as models +from gns3server import schemas + +import logging + +log = logging.getLogger(__name__) + + +class RbacRepository(BaseRepository): + + def __init__(self, db_session: AsyncSession) -> None: + + super().__init__(db_session) + + async def get_role(self, role_id: UUID) -> Optional[models.Role]: + + query = select(models.Role).\ + options(selectinload(models.Role.permissions)).\ + where(models.Role.role_id == role_id) + result = await self._db_session.execute(query) + return result.scalars().first() + + async def get_role_by_name(self, name: str) -> Optional[models.Role]: + + query = select(models.Role).\ + options(selectinload(models.Role.permissions)).\ + where(models.Role.name == name) + #query = select(models.Role).where(models.Role.name == name) + result = await self._db_session.execute(query) + return result.scalars().first() + + async def get_roles(self) -> List[models.Role]: + + query = select(models.Role).options(selectinload(models.Role.permissions)) + result = await self._db_session.execute(query) + return result.scalars().all() + + async def create_role(self, role_create: schemas.RoleCreate) -> models.Role: + + db_role = models.Role( + name=role_create.name, + description=role_create.description, + ) + self._db_session.add(db_role) + await self._db_session.commit() + #await self._db_session.refresh(db_role) + return await self.get_role(db_role.role_id) + + async def update_role( + self, + role_id: UUID, + role_update: schemas.RoleUpdate + ) -> Optional[models.Role]: + + update_values = role_update.dict(exclude_unset=True) + query = update(models.Role).where(models.Role.role_id == role_id).values(update_values) + + await self._db_session.execute(query) + await self._db_session.commit() + return await self.get_role(role_id) + + async def delete_role(self, role_id: UUID) -> bool: + + query = delete(models.Role).where(models.Role.role_id == role_id) + result = await self._db_session.execute(query) + await self._db_session.commit() + return result.rowcount > 0 + + async def add_permission_to_role( + self, + role_id: UUID, + permission: models.Permission + ) -> Union[None, models.Role]: + + query = select(models.Role).\ + options(selectinload(models.Role.permissions)).\ + where(models.Role.role_id == role_id) + result = await self._db_session.execute(query) + role_db = result.scalars().first() + if not role_db: + return None + + role_db.permissions.append(permission) + await self._db_session.commit() + await self._db_session.refresh(role_db) + return role_db + + async def remove_permission_from_role( + self, + role_id: UUID, + permission: models.Permission + ) -> Union[None, models.Role]: + + query = select(models.Role).\ + options(selectinload(models.Role.permissions)).\ + where(models.Role.role_id == role_id) + result = await self._db_session.execute(query) + role_db = result.scalars().first() + if not role_db: + return None + + role_db.permissions.remove(permission) + await self._db_session.commit() + await self._db_session.refresh(role_db) + return role_db + + async def get_role_permissions(self, role_id: UUID) -> List[models.Permission]: + + query = select(models.Permission).\ + join(models.Permission.roles).\ + filter(models.Role.role_id == role_id) + + result = await self._db_session.execute(query) + return result.scalars().all() + + async def get_permission(self, permission_id: UUID) -> Optional[models.Permission]: + + query = select(models.Permission).where(models.Permission.permission_id == permission_id) + result = await self._db_session.execute(query) + return result.scalars().first() + + async def get_permission_by_path(self, path: str) -> Optional[models.Permission]: + + query = select(models.Permission).where(models.Permission.path == path) + result = await self._db_session.execute(query) + return result.scalars().first() + + async def get_permissions(self) -> List[models.Permission]: + + query = select(models.Permission) + result = await self._db_session.execute(query) + return result.scalars().all() + + async def create_permission(self, permission_create: schemas.PermissionCreate) -> models.Permission: + + create_values = permission_create.dict(exclude_unset=True) + # action = create_values.pop("action", "deny") + # is_allowed = False + # if action == "allow": + # is_allowed = True + + db_permission = models.Permission( + methods=permission_create.methods, + path=permission_create.path, + action=permission_create.action, + ) + self._db_session.add(db_permission) + + await self._db_session.commit() + await self._db_session.refresh(db_permission) + return db_permission + + async def update_permission( + self, + permission_id: UUID, + permission_update: schemas.PermissionUpdate + ) -> Optional[models.Permission]: + + update_values = permission_update.dict(exclude_unset=True) + query = update(models.Permission).where(models.Permission.permission_id == permission_id).values(update_values) + + await self._db_session.execute(query) + await self._db_session.commit() + return await self.get_permission(permission_id) + + async def delete_permission(self, permission_id: UUID) -> bool: + + query = delete(models.Permission).where(models.Permission.permission_id == permission_id) + result = await self._db_session.execute(query) + await self._db_session.commit() + return result.rowcount > 0 diff --git a/gns3server/db/repositories/users.py b/gns3server/db/repositories/users.py index c93c741e..9dbc5a0f 100644 --- a/gns3server/db/repositories/users.py +++ b/gns3server/db/repositories/users.py @@ -210,3 +210,51 @@ class UsersRepository(BaseRepository): result = await self._db_session.execute(query) return result.scalars().all() + + async def add_role_to_user_group( + self, + user_group_id: UUID, + role: models.Role + ) -> Union[None, models.UserGroup]: + + query = select(models.UserGroup).\ + options(selectinload(models.UserGroup.roles)).\ + where(models.UserGroup.user_group_id == user_group_id) + result = await self._db_session.execute(query) + user_group_db = result.scalars().first() + if not user_group_db: + return None + + user_group_db.roles.append(role) + await self._db_session.commit() + await self._db_session.refresh(user_group_db) + return user_group_db + + async def remove_role_from_user_group( + self, + user_group_id: UUID, + role: models.Role + ) -> Union[None, models.UserGroup]: + + query = select(models.UserGroup).\ + options(selectinload(models.UserGroup.roles)).\ + where(models.UserGroup.user_group_id == user_group_id) + result = await self._db_session.execute(query) + user_group_db = result.scalars().first() + if not user_group_db: + return None + + user_group_db.roles.remove(role) + await self._db_session.commit() + await self._db_session.refresh(user_group_db) + return user_group_db + + async def get_user_group_roles(self, user_group_id: UUID) -> List[models.Role]: + + query = select(models.Role). \ + options(selectinload(models.Role.permissions)). \ + join(models.UserGroup.roles). \ + filter(models.UserGroup.user_group_id == user_group_id) + + result = await self._db_session.execute(query) + return result.scalars().all() diff --git a/gns3server/schemas/__init__.py b/gns3server/schemas/__init__.py index f32985a5..e5683059 100644 --- a/gns3server/schemas/__init__.py +++ b/gns3server/schemas/__init__.py @@ -28,6 +28,7 @@ from .controller.gns3vm import GNS3VM from .controller.nodes import NodeCreate, NodeUpdate, NodeDuplicate, NodeCapture, Node from .controller.projects import ProjectCreate, ProjectUpdate, ProjectDuplicate, Project, ProjectFile from .controller.users import UserCreate, UserUpdate, User, Credentials, UserGroupCreate, UserGroupUpdate, UserGroup +from .controller.rbac import RoleCreate, RoleUpdate, Role, PermissionCreate, PermissionUpdate, Permission from .controller.tokens import Token from .controller.snapshots import SnapshotCreate, Snapshot from .controller.iou_license import IOULicense diff --git a/gns3server/schemas/controller/rbac.py b/gns3server/schemas/controller/rbac.py new file mode 100644 index 00000000..c6b2113a --- /dev/null +++ b/gns3server/schemas/controller/rbac.py @@ -0,0 +1,120 @@ +# +# Copyright (C) 2020 GNS3 Technologies Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from typing import Optional, List +from pydantic import BaseModel, validator +from uuid import UUID +from enum import Enum + +from .base import DateTimeModelMixin + + +class HTTPMethods(str, Enum): + """ + HTTP method type. + """ + + get = "GET" + head = "HEAD" + post = "POST" + patch = "PATCH" + put = "PUT" + delete = "DELETE" + + +class PermissionAction(str, Enum): + """ + Action to perform when permission is matched. + """ + + allow = "ALLOW" + deny = "DENY" + + +class PermissionBase(BaseModel): + """ + Common permission properties. + """ + + methods: List[HTTPMethods] + path: str + action: PermissionAction + description: Optional[str] = None + + class Config: + use_enum_values = True + + @validator("action", pre=True) + def action_uppercase(cls, v): + return v.upper() + + +class PermissionCreate(PermissionBase): + """ + Properties to create a permission. + """ + + pass + + +class PermissionUpdate(PermissionBase): + """ + Properties to update a role. + """ + + pass + + +class Permission(DateTimeModelMixin, PermissionBase): + + permission_id: UUID + + class Config: + orm_mode = True + + +class RoleBase(BaseModel): + """ + Common role properties. + """ + + name: Optional[str] = None + description: Optional[str] = None + + +class RoleCreate(RoleBase): + """ + Properties to create a role. + """ + + name: str + + +class RoleUpdate(RoleBase): + """ + Properties to update a role. + """ + + pass + + +class Role(DateTimeModelMixin, RoleBase): + + role_id: UUID + permissions: List[Permission] + + class Config: + orm_mode = True diff --git a/tests/api/routes/controller/test_groups.py b/tests/api/routes/controller/test_groups.py index 7551ab9b..469090ea 100644 --- a/tests/api/routes/controller/test_groups.py +++ b/tests/api/routes/controller/test_groups.py @@ -22,7 +22,10 @@ from httpx import AsyncClient from sqlalchemy.ext.asyncio import AsyncSession from gns3server.db.repositories.users import UsersRepository +from gns3server.db.repositories.rbac import RbacRepository from gns3server.schemas.controller.users import User +from gns3server.schemas.controller.rbac import Role +from gns3server import schemas pytestmark = pytest.mark.asyncio @@ -103,6 +106,9 @@ class TestGroupRoutes: response = await client.delete(app.url_path_for("delete_user_group", user_group_id=group_in_db.user_group_id)) assert response.status_code == status.HTTP_403_FORBIDDEN + +class TestGroupMembersRoutes: + async def test_add_member_to_group( self, app: FastAPI, @@ -163,3 +169,81 @@ class TestGroupRoutes: assert response.status_code == status.HTTP_204_NO_CONTENT members = await user_repo.get_user_group_members(group_in_db.user_group_id) assert len(members) == 0 + + +@pytest.fixture +async def test_role(db_session: AsyncSession) -> Role: + + new_role = schemas.RoleCreate( + name="TestRole", + description="This is my test role" + ) + rbac_repo = RbacRepository(db_session) + existing_role = await rbac_repo.get_role_by_name(new_role.name) + if existing_role: + return existing_role + return await rbac_repo.create_role(new_role) + + +class TestGroupRolesRoutes: + + async def test_add_role_to_group( + self, + app: FastAPI, + client: AsyncClient, + test_role: Role, + db_session: AsyncSession + ) -> None: + + user_repo = UsersRepository(db_session) + group_in_db = await user_repo.get_user_group_by_name("Users") + response = await client.put( + app.url_path_for( + "add_role_to_group", + user_group_id=group_in_db.user_group_id, + role_id=str(test_role.role_id) + ) + ) + assert response.status_code == status.HTTP_204_NO_CONTENT + roles = await user_repo.get_user_group_roles(group_in_db.user_group_id) + assert len(roles) == 1 + assert roles[0].name == test_role.name + + async def test_get_user_group_roles( + self, + app: FastAPI, + client: AsyncClient, + db_session: AsyncSession + ) -> None: + + user_repo = UsersRepository(db_session) + group_in_db = await user_repo.get_user_group_by_name("Users") + response = await client.get( + app.url_path_for( + "get_user_group_roles", + user_group_id=group_in_db.user_group_id) + ) + assert response.status_code == status.HTTP_200_OK + assert len(response.json()) == 1 + + async def test_remove_role_from_group( + self, + app: FastAPI, + client: AsyncClient, + test_role: Role, + db_session: AsyncSession + ) -> None: + + user_repo = UsersRepository(db_session) + group_in_db = await user_repo.get_user_group_by_name("Users") + + response = await client.delete( + app.url_path_for( + "remove_role_from_group", + user_group_id=group_in_db.user_group_id, + role_id=test_role.role_id + ), + ) + assert response.status_code == status.HTTP_204_NO_CONTENT + roles = await user_repo.get_user_group_roles(group_in_db.user_group_id) + assert len(roles) == 0 diff --git a/tests/api/routes/controller/test_roles.py b/tests/api/routes/controller/test_roles.py new file mode 100644 index 00000000..11594384 --- /dev/null +++ b/tests/api/routes/controller/test_roles.py @@ -0,0 +1,186 @@ +#!/usr/bin/env python +# +# Copyright (C) 2021 GNS3 Technologies Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import pytest + +from fastapi import FastAPI, status +from httpx import AsyncClient + +from sqlalchemy.ext.asyncio import AsyncSession +from gns3server.db.repositories.rbac import RbacRepository +from gns3server.schemas.controller.rbac import Permission, HTTPMethods, PermissionAction +from gns3server import schemas + +pytestmark = pytest.mark.asyncio + + +class TestRolesRoutes: + + async def test_create_role(self, app: FastAPI, client: AsyncClient) -> None: + + new_role = {"name": "role1"} + response = await client.post(app.url_path_for("create_role"), json=new_role) + assert response.status_code == status.HTTP_201_CREATED + + async def test_get_role(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None: + + rbac_repo = RbacRepository(db_session) + role_in_db = await rbac_repo.get_role_by_name("role1") + response = await client.get(app.url_path_for("get_role", role_id=role_in_db.role_id)) + assert response.status_code == status.HTTP_200_OK + assert response.json()["role_id"] == str(role_in_db.role_id) + + async def test_list_roles(self, app: FastAPI, client: AsyncClient) -> None: + + response = await client.get(app.url_path_for("get_roles")) + assert response.status_code == status.HTTP_200_OK + assert len(response.json()) == 3 # 2 default roles + role1 + + async def test_update_role(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None: + + rbac_repo = RbacRepository(db_session) + role_in_db = await rbac_repo.get_role_by_name("role1") + + update_role = {"name": "role42"} + response = await client.put( + app.url_path_for("update_role", role_id=role_in_db.role_id), + json=update_role + ) + assert response.status_code == status.HTTP_200_OK + updated_role_in_db = await rbac_repo.get_role(role_in_db.role_id) + assert updated_role_in_db.name == "role42" + + # async def test_cannot_update_admin_group( + # self, + # app: FastAPI, + # client: AsyncClient, + # db_session: AsyncSession + # ) -> None: + # + # user_repo = UsersRepository(db_session) + # group_in_db = await user_repo.get_user_group_by_name("Administrators") + # update_group = {"name": "Hackers"} + # response = await client.put( + # app.url_path_for("update_user_group", user_group_id=group_in_db.user_group_id), + # json=update_group + # ) + # assert response.status_code == status.HTTP_403_FORBIDDEN + + async def test_delete_role( + self, + app: FastAPI, + client: AsyncClient, + db_session: AsyncSession + ) -> None: + + rbac_repo = RbacRepository(db_session) + role_in_db = await rbac_repo.get_role_by_name("role42") + response = await client.delete(app.url_path_for("delete_role", role_id=role_in_db.role_id)) + assert response.status_code == status.HTTP_204_NO_CONTENT + + # async def test_cannot_delete_admin_group( + # self, + # app: FastAPI, + # client: AsyncClient, + # db_session: AsyncSession + # ) -> None: + # + # user_repo = UsersRepository(db_session) + # group_in_db = await user_repo.get_user_group_by_name("Administrators") + # response = await client.delete(app.url_path_for("delete_user_group", user_group_id=group_in_db.user_group_id)) + # assert response.status_code == status.HTTP_403_FORBIDDEN + + +@pytest.fixture +async def test_permission(db_session: AsyncSession) -> Permission: + + new_permission = schemas.PermissionCreate( + methods=[HTTPMethods.get, HTTPMethods.post], + path="/projects", + action=PermissionAction.allow + ) + rbac_repo = RbacRepository(db_session) + existing_permission = await rbac_repo.get_permission_by_path("/projects") + if existing_permission: + return existing_permission + return await rbac_repo.create_permission(new_permission) + + +class TestRolesPermissionsRoutes: + + async def test_add_permission_to_role( + self, + app: FastAPI, + client: AsyncClient, + test_permission: Permission, + db_session: AsyncSession + ) -> None: + + rbac_repo = RbacRepository(db_session) + role_in_db = await rbac_repo.get_role_by_name("User") + + response = await client.put( + app.url_path_for( + "add_permission_to_role", + role_id=role_in_db.role_id, + permission_id=str(test_permission.permission_id) + ) + ) + assert response.status_code == status.HTTP_204_NO_CONTENT + permissions = await rbac_repo.get_role_permissions(role_in_db.role_id) + assert len(permissions) == 1 + assert permissions[0].path == test_permission.path + + async def test_get_role_permissions( + self, + app: FastAPI, + client: AsyncClient, + db_session: AsyncSession + ) -> None: + + rbac_repo = RbacRepository(db_session) + role_in_db = await rbac_repo.get_role_by_name("User") + + response = await client.get( + app.url_path_for( + "get_role_permissions", + role_id=role_in_db.role_id) + ) + assert response.status_code == status.HTTP_200_OK + assert len(response.json()) == 1 + + async def test_remove_role_from_group( + self, + app: FastAPI, + client: AsyncClient, + test_permission: Permission, + db_session: AsyncSession + ) -> None: + + rbac_repo = RbacRepository(db_session) + role_in_db = await rbac_repo.get_role_by_name("User") + + response = await client.delete( + app.url_path_for( + "remove_permission_from_role", + role_id=role_in_db.role_id, + permission_id=str(test_permission.permission_id) + ), + ) + assert response.status_code == status.HTTP_204_NO_CONTENT + permissions = await rbac_repo.get_role_permissions(role_in_db.role_id) + assert len(permissions) == 0 From fbc47598d9d7c2350db761d71ba1258a99fd3ad9 Mon Sep 17 00:00:00 2001 From: grossmj Date: Thu, 27 May 2021 17:28:44 +0930 Subject: [PATCH 2/9] Basic functional RBAC support. --- gns3server/api/routes/controller/__init__.py | 2 +- .../controller/dependencies/authentication.py | 25 ++- gns3server/api/routes/controller/groups.py | 4 +- .../api/routes/controller/permissions.py | 11 +- gns3server/api/routes/controller/projects.py | 17 +- gns3server/api/routes/controller/roles.py | 8 +- gns3server/api/routes/controller/users.py | 27 ++- gns3server/db/models/permissions.py | 73 +++++++- gns3server/db/models/roles.py | 30 +++- gns3server/db/models/users.py | 44 +++-- gns3server/db/repositories/rbac.py | 164 +++++++++++++++++- gns3server/db/repositories/users.py | 69 +++++++- gns3server/schemas/controller/rbac.py | 1 + gns3server/schemas/controller/users.py | 2 +- tests/api/routes/controller/test_groups.py | 13 +- .../api/routes/controller/test_permissions.py | 83 +++++++++ tests/api/routes/controller/test_roles.py | 11 +- tests/api/routes/controller/test_users.py | 28 +-- tests/conftest.py | 7 +- 19 files changed, 527 insertions(+), 92 deletions(-) create mode 100644 tests/api/routes/controller/test_permissions.py diff --git a/gns3server/api/routes/controller/__init__.py b/gns3server/api/routes/controller/__init__.py index 976fe8a3..2e12010e 100644 --- a/gns3server/api/routes/controller/__init__.py +++ b/gns3server/api/routes/controller/__init__.py @@ -55,7 +55,7 @@ router.include_router( ) router.include_router( - roles.router, + permissions.router, dependencies=[Depends(get_current_active_user)], prefix="/permissions", tags=["Permissions"] diff --git a/gns3server/api/routes/controller/dependencies/authentication.py b/gns3server/api/routes/controller/dependencies/authentication.py index 60ee5de2..36e35d47 100644 --- a/gns3server/api/routes/controller/dependencies/authentication.py +++ b/gns3server/api/routes/controller/dependencies/authentication.py @@ -15,13 +15,13 @@ # along with this program. If not, see . -from fastapi import Depends, HTTPException, status +from fastapi import Request, Depends, HTTPException, status from fastapi.security import OAuth2PasswordBearer from gns3server import schemas from gns3server.db.repositories.users import UsersRepository +from gns3server.db.repositories.rbac import RbacRepository from gns3server.services import auth_service - from .database import get_repository oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/v3/users/login") @@ -42,7 +42,11 @@ async def get_user_from_token( return user -async def get_current_active_user(current_user: schemas.User = Depends(get_user_from_token)) -> schemas.User: +async def get_current_active_user( + request: Request, + current_user: schemas.User = Depends(get_user_from_token), + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> schemas.User: # Super admin is always authorized if current_user.is_superadmin: @@ -54,4 +58,19 @@ async def get_current_active_user(current_user: schemas.User = Depends(get_user_ detail="Not an active user", headers={"WWW-Authenticate": "Bearer"}, ) + + # remove the prefix (e.g. "/v3") from URL path + if request.url.path.startswith("/v3"): + path = request.url.path[len("/v3"):] + else: + path = request.url.path + + authorized = await rbac_repo.check_user_is_authorized(current_user.user_id, request.method, path) + if not authorized: + raise HTTPException( + status_code=status.HTTP_401_UNAUTHORIZED, + detail=f"User is not authorized '{current_user.user_id}' on {request.method} '{path}'", + headers={"WWW-Authenticate": "Bearer"}, + ) + return current_user diff --git a/gns3server/api/routes/controller/groups.py b/gns3server/api/routes/controller/groups.py index d27fc43b..84c980a6 100644 --- a/gns3server/api/routes/controller/groups.py +++ b/gns3server/api/routes/controller/groups.py @@ -99,7 +99,7 @@ async def update_user_group( if not user_group: raise ControllerNotFoundError(f"User group '{user_group_id}' not found") - if not user_group.is_updatable: + if user_group.builtin: raise ControllerForbiddenError(f"User group '{user_group_id}' cannot be updated") return await users_repo.update_user_group(user_group_id, user_group_update) @@ -121,7 +121,7 @@ async def delete_user_group( if not user_group: raise ControllerNotFoundError(f"User group '{user_group_id}' not found") - if not user_group.is_updatable: + if user_group.builtin: raise ControllerForbiddenError(f"User group '{user_group_id}' cannot be deleted") success = await users_repo.delete_user_group(user_group_id) diff --git a/gns3server/api/routes/controller/permissions.py b/gns3server/api/routes/controller/permissions.py index bff7e180..466a2707 100644 --- a/gns3server/api/routes/controller/permissions.py +++ b/gns3server/api/routes/controller/permissions.py @@ -60,8 +60,9 @@ async def create_permission( Create a new permission. """ - # if await rbac_repo.get_role_by_path(role_create.name): - # raise ControllerBadRequestError(f"Role '{role_create.name}' already exists") + if await rbac_repo.check_permission_exists(permission_create): + raise ControllerBadRequestError(f"Permission '{permission_create.methods} {permission_create.path} " + f"{permission_create.action}' already exists") return await rbac_repo.create_permission(permission_create) @@ -95,9 +96,6 @@ async def update_permission( if not permission: raise ControllerNotFoundError(f"Permission '{permission_id}' not found") - #if not user_group.is_updatable: - # raise ControllerForbiddenError(f"User group '{user_group_id}' cannot be updated") - return await rbac_repo.update_permission(permission_id, permission_update) @@ -114,9 +112,6 @@ async def delete_permission( if not permission: raise ControllerNotFoundError(f"Permission '{permission_id}' not found") - #if not user_group.is_updatable: - # raise ControllerForbiddenError(f"User group '{user_group_id}' cannot be deleted") - success = await rbac_repo.delete_permission(permission_id) if not success: raise ControllerNotFoundError(f"Permission '{permission_id}' could not be deleted") diff --git a/gns3server/api/routes/controller/projects.py b/gns3server/api/routes/controller/projects.py index 5e8022c8..1d7aa2a5 100644 --- a/gns3server/api/routes/controller/projects.py +++ b/gns3server/api/routes/controller/projects.py @@ -47,6 +47,10 @@ from gns3server.controller.export_project import export_project as export_contro from gns3server.utils.asyncio import aiozipstream from gns3server.utils.path import is_safe_path from gns3server.config import Config +from gns3server.db.repositories.rbac import RbacRepository + +from .dependencies.authentication import get_current_active_user +from .dependencies.database import get_repository responses = {404: {"model": schemas.ErrorMessage, "description": "Could not find project"}} @@ -82,13 +86,18 @@ def get_projects() -> List[schemas.Project]: response_model_exclude_unset=True, responses={409: {"model": schemas.ErrorMessage, "description": "Could not create project"}}, ) -async def create_project(project_data: schemas.ProjectCreate) -> schemas.Project: +async def create_project( + project_data: schemas.ProjectCreate, + current_user: schemas.User = Depends(get_current_active_user), + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> schemas.Project: """ Create a new project. """ controller = Controller.instance() project = await controller.add_project(**jsonable_encoder(project_data, exclude_unset=True)) + await rbac_repo.add_permission_to_user(current_user.user_id, f"/projects/{project.id}/*") return project.asdict() @@ -115,7 +124,10 @@ async def update_project( @router.delete("/{project_id}", status_code=status.HTTP_204_NO_CONTENT) -async def delete_project(project: Project = Depends(dep_project)) -> None: +async def delete_project( + project: Project = Depends(dep_project), + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> None: """ Delete a project. """ @@ -123,6 +135,7 @@ async def delete_project(project: Project = Depends(dep_project)) -> None: controller = Controller.instance() await project.delete() controller.remove_project(project) + await rbac_repo.delete_all_permissions_matching_path(f"/projects/{project.id}") @router.get("/{project_id}/stats") diff --git a/gns3server/api/routes/controller/roles.py b/gns3server/api/routes/controller/roles.py index 280c0cef..1d013f97 100644 --- a/gns3server/api/routes/controller/roles.py +++ b/gns3server/api/routes/controller/roles.py @@ -95,8 +95,8 @@ async def update_role( if not role: raise ControllerNotFoundError(f"Role '{role_id}' not found") - #if not user_group.is_updatable: - # raise ControllerForbiddenError(f"User group '{user_group_id}' cannot be updated") + if role.builtin: + raise ControllerForbiddenError(f"Role '{role_id}' cannot be updated") return await rbac_repo.update_role(role_id, role_update) @@ -114,8 +114,8 @@ async def delete_role( if not role: raise ControllerNotFoundError(f"Role '{role_id}' not found") - #if not user_group.is_updatable: - # raise ControllerForbiddenError(f"User group '{user_group_id}' cannot be deleted") + if role.builtin: + raise ControllerForbiddenError(f"Role '{role_id}' cannot be deleted") success = await rbac_repo.delete_role(role_id) if not success: diff --git a/gns3server/api/routes/controller/users.py b/gns3server/api/routes/controller/users.py index e3fc578e..df279e20 100644 --- a/gns3server/api/routes/controller/users.py +++ b/gns3server/api/routes/controller/users.py @@ -88,6 +88,24 @@ async def authenticate( return token +@router.get("/me", response_model=schemas.User) +async def get_logged_in_user(current_user: schemas.User = Depends(get_current_active_user)) -> schemas.User: + """ + Get the current active user. + """ + + return current_user + + +@router.get("/me", response_model=schemas.User) +async def get_logged_in_user(current_user: schemas.User = Depends(get_current_active_user)) -> schemas.User: + """ + Get the current active user. + """ + + return current_user + + @router.get("", response_model=List[schemas.User], dependencies=[Depends(get_current_active_user)]) async def get_users( users_repo: UsersRepository = Depends(get_repository(UsersRepository)) @@ -178,15 +196,6 @@ async def delete_user( raise ControllerNotFoundError(f"User '{user_id}' could not be deleted") -@router.get("/me/", response_model=schemas.User) -async def get_current_active_user(current_user: schemas.User = Depends(get_current_active_user)) -> schemas.User: - """ - Get the current active user. - """ - - return current_user - - @router.get( "/{user_id}/groups", dependencies=[Depends(get_current_active_user)], diff --git a/gns3server/db/models/permissions.py b/gns3server/db/models/permissions.py index 046815b1..534f2274 100644 --- a/gns3server/db/models/permissions.py +++ b/gns3server/db/models/permissions.py @@ -15,7 +15,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . -from sqlalchemy import Table, Column, String, ForeignKey, Boolean +from sqlalchemy import Table, Column, String, ForeignKey, event from sqlalchemy.orm import relationship from .base import Base, BaseTable, generate_uuid, GUID, ListType @@ -39,7 +39,78 @@ class Permission(BaseTable): __tablename__ = "permissions" permission_id = Column(GUID, primary_key=True, default=generate_uuid) + description = Column(String) methods = Column(ListType) path = Column(String) action = Column(String) + user_id = Column(GUID, ForeignKey('users.user_id', ondelete="CASCADE")) roles = relationship("Role", secondary=permission_role_link, back_populates="permissions") + + +@event.listens_for(Permission.__table__, 'after_create') +def create_default_roles(target, connection, **kw): + + default_permissions = [ + { + "description": "Allow access to all endpoints", + "methods": ["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH"], + "path": "/", + "action": "ALLOW" + }, + { + "description": "Allow access to the logged in user", + "methods": ["GET"], + "path": "/users/me", + "action": "ALLOW" + }, + { + "description": "Allow to create a project or list projects", + "methods": ["GET", "POST"], + "path": "/projects", + "action": "ALLOW" + }, + { + "description": "Allow to access to all symbol endpoints", + "methods": ["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH"], + "path": "/symbols", + "action": "ALLOW" + }, + ] + + stmt = target.insert().values(default_permissions) + connection.execute(stmt) + connection.commit() + log.debug("The default permissions have been created in the database") + + +@event.listens_for(permission_role_link, 'after_create') +def add_permissions_to_role(target, connection, **kw): + + from .roles import Role + roles_table = Role.__table__ + stmt = roles_table.select().where(roles_table.c.name == "Administrator") + result = connection.execute(stmt) + role_id = result.first().role_id + + permissions_table = Permission.__table__ + stmt = permissions_table.select().where(permissions_table.c.path == "/") + result = connection.execute(stmt) + permission_id = result.first().permission_id + + # add root path to the "Administrator" role + stmt = target.insert().values(permission_id=permission_id, role_id=role_id) + connection.execute(stmt) + + stmt = roles_table.select().where(roles_table.c.name == "User") + result = connection.execute(stmt) + role_id = result.first().role_id + + # add minimum required paths to the "User" role + for path in ("/projects", "/symbols", "/users/me"): + stmt = permissions_table.select().where(permissions_table.c.path == path) + result = connection.execute(stmt) + permission_id = result.first().permission_id + stmt = target.insert().values(permission_id=permission_id, role_id=role_id) + connection.execute(stmt) + + connection.commit() diff --git a/gns3server/db/models/roles.py b/gns3server/db/models/roles.py index db34052c..76b1d6f1 100644 --- a/gns3server/db/models/roles.py +++ b/gns3server/db/models/roles.py @@ -40,7 +40,7 @@ class Role(BaseTable): role_id = Column(GUID, primary_key=True, default=generate_uuid) name = Column(String) description = Column(String) - is_updatable = Column(Boolean, default=True) + builtin = Column(Boolean, default=False) permissions = relationship("Permission", secondary=permission_role_link, back_populates="roles") groups = relationship("UserGroup", secondary=role_group_link, back_populates="roles") @@ -49,11 +49,33 @@ class Role(BaseTable): def create_default_roles(target, connection, **kw): default_roles = [ - {"name": "Administrator", "description": "Administrator role", "is_updatable": False}, - {"name": "User", "description": "User role", "is_updatable": False}, + {"name": "Administrator", "description": "Administrator role", "builtin": True}, + {"name": "User", "description": "User role", "builtin": True}, ] stmt = target.insert().values(default_roles) connection.execute(stmt) connection.commit() - log.info("The default roles have been created in the database") + log.debug("The default roles have been created in the database") + + +@event.listens_for(role_group_link, 'after_create') +def add_admin_to_group(target, connection, **kw): + + from .users import UserGroup + user_groups_table = UserGroup.__table__ + roles_table = Role.__table__ + + # Add roles to built-in user groups + groups_to_roles = {"Administrators": "Administrator", "Users": "User"} + for user_group, role in groups_to_roles.items(): + stmt = user_groups_table.select().where(user_groups_table.c.name == user_group) + result = connection.execute(stmt) + user_group_id = result.first().user_group_id + stmt = roles_table.select().where(roles_table.c.name == role) + result = connection.execute(stmt) + role_id = result.first().role_id + stmt = target.insert().values(role_id=role_id, user_group_id=user_group_id) + connection.execute(stmt) + + connection.commit() diff --git a/gns3server/db/models/users.py b/gns3server/db/models/users.py index 99fbd144..32c44bbd 100644 --- a/gns3server/db/models/users.py +++ b/gns3server/db/models/users.py @@ -48,7 +48,6 @@ class User(BaseTable): is_active = Column(Boolean, default=True) is_superadmin = Column(Boolean, default=False) groups = relationship("UserGroup", secondary=user_group_link, back_populates="users") - permission_id = Column(GUID, ForeignKey('permissions.permission_id', ondelete="CASCADE")) permissions = relationship("Permission") @@ -67,7 +66,7 @@ def create_default_super_admin(target, connection, **kw): ) connection.execute(stmt) connection.commit() - log.info("The default super admin account has been created in the database") + log.debug("The default super admin account has been created in the database") class UserGroup(BaseTable): @@ -76,7 +75,7 @@ class UserGroup(BaseTable): user_group_id = Column(GUID, primary_key=True, default=generate_uuid) name = Column(String, unique=True, index=True) - is_updatable = Column(Boolean, default=True) + builtin = Column(Boolean, default=False) users = relationship("User", secondary=user_group_link, back_populates="groups") roles = relationship("Role", secondary=role_group_link, back_populates="groups") @@ -85,30 +84,29 @@ class UserGroup(BaseTable): def create_default_user_groups(target, connection, **kw): default_groups = [ - {"name": "Administrators", "is_updatable": False}, - {"name": "Editors", "is_updatable": False}, - {"name": "Users", "is_updatable": False} + {"name": "Administrators", "builtin": True}, + {"name": "Users", "builtin": True} ] stmt = target.insert().values(default_groups) connection.execute(stmt) connection.commit() - log.info("The default user groups have been created in the database") + log.debug("The default user groups have been created in the database") -@event.listens_for(user_group_link, 'after_create') -def add_admin_to_group(target, connection, **kw): - - user_groups_table = UserGroup.__table__ - stmt = user_groups_table.select().where(user_groups_table.c.name == "Administrators") - result = connection.execute(stmt) - user_group_id = result.first().user_group_id - - users_table = User.__table__ - stmt = users_table.select().where(users_table.c.is_superadmin.is_(True)) - result = connection.execute(stmt) - user_id = result.first().user_id - - stmt = target.insert().values(user_id=user_id, user_group_id=user_group_id) - connection.execute(stmt) - connection.commit() +# @event.listens_for(user_group_link, 'after_create') +# def add_admin_to_group(target, connection, **kw): +# +# user_groups_table = UserGroup.__table__ +# stmt = user_groups_table.select().where(user_groups_table.c.name == "Administrators") +# result = connection.execute(stmt) +# user_group_id = result.first().user_group_id +# +# users_table = User.__table__ +# stmt = users_table.select().where(users_table.c.is_superadmin.is_(True)) +# result = connection.execute(stmt) +# user_id = result.first().user_id +# +# stmt = target.insert().values(user_id=user_id, user_group_id=user_group_id) +# connection.execute(stmt) +# connection.commit() diff --git a/gns3server/db/repositories/rbac.py b/gns3server/db/repositories/rbac.py index 4e95eb08..f8862a8f 100644 --- a/gns3server/db/repositories/rbac.py +++ b/gns3server/db/repositories/rbac.py @@ -24,6 +24,7 @@ from sqlalchemy.orm import selectinload from .base import BaseRepository import gns3server.db.models as models +from gns3server.schemas.controller.rbac import HTTPMethods, PermissionAction from gns3server import schemas import logging @@ -38,6 +39,9 @@ class RbacRepository(BaseRepository): super().__init__(db_session) async def get_role(self, role_id: UUID) -> Optional[models.Role]: + """ + Get a role by its ID. + """ query = select(models.Role).\ options(selectinload(models.Role.permissions)).\ @@ -46,6 +50,9 @@ class RbacRepository(BaseRepository): return result.scalars().first() async def get_role_by_name(self, name: str) -> Optional[models.Role]: + """ + Get a role by its name. + """ query = select(models.Role).\ options(selectinload(models.Role.permissions)).\ @@ -55,12 +62,18 @@ class RbacRepository(BaseRepository): return result.scalars().first() async def get_roles(self) -> List[models.Role]: + """ + Get all roles. + """ query = select(models.Role).options(selectinload(models.Role.permissions)) result = await self._db_session.execute(query) return result.scalars().all() async def create_role(self, role_create: schemas.RoleCreate) -> models.Role: + """ + Create a new role. + """ db_role = models.Role( name=role_create.name, @@ -76,6 +89,9 @@ class RbacRepository(BaseRepository): role_id: UUID, role_update: schemas.RoleUpdate ) -> Optional[models.Role]: + """ + Update a role. + """ update_values = role_update.dict(exclude_unset=True) query = update(models.Role).where(models.Role.role_id == role_id).values(update_values) @@ -85,6 +101,9 @@ class RbacRepository(BaseRepository): return await self.get_role(role_id) async def delete_role(self, role_id: UUID) -> bool: + """ + Delete a role. + """ query = delete(models.Role).where(models.Role.role_id == role_id) result = await self._db_session.execute(query) @@ -96,6 +115,9 @@ class RbacRepository(BaseRepository): role_id: UUID, permission: models.Permission ) -> Union[None, models.Role]: + """ + Add a permission to a role. + """ query = select(models.Role).\ options(selectinload(models.Role.permissions)).\ @@ -115,6 +137,9 @@ class RbacRepository(BaseRepository): role_id: UUID, permission: models.Permission ) -> Union[None, models.Role]: + """ + Remove a permission from a role. + """ query = select(models.Role).\ options(selectinload(models.Role.permissions)).\ @@ -130,6 +155,9 @@ class RbacRepository(BaseRepository): return role_db async def get_role_permissions(self, role_id: UUID) -> List[models.Permission]: + """ + Get all the role permissions. + """ query = select(models.Permission).\ join(models.Permission.roles).\ @@ -139,30 +167,48 @@ class RbacRepository(BaseRepository): return result.scalars().all() async def get_permission(self, permission_id: UUID) -> Optional[models.Permission]: + """ + Get a permission by its ID. + """ query = select(models.Permission).where(models.Permission.permission_id == permission_id) result = await self._db_session.execute(query) return result.scalars().first() async def get_permission_by_path(self, path: str) -> Optional[models.Permission]: + """ + Get a permission by its path. + """ query = select(models.Permission).where(models.Permission.path == path) result = await self._db_session.execute(query) return result.scalars().first() async def get_permissions(self) -> List[models.Permission]: + """ + Get all permissions. + """ query = select(models.Permission) result = await self._db_session.execute(query) return result.scalars().all() - async def create_permission(self, permission_create: schemas.PermissionCreate) -> models.Permission: + async def check_permission_exists(self, permission_create: schemas.PermissionCreate) -> bool: + """ + Check if a permission exists. + """ - create_values = permission_create.dict(exclude_unset=True) - # action = create_values.pop("action", "deny") - # is_allowed = False - # if action == "allow": - # is_allowed = True + query = select(models.Permission).\ + where(models.Permission.methods == permission_create.methods, + models.Permission.path == permission_create.path, + models.Permission.action == permission_create.action) + result = await self._db_session.execute(query) + return result.scalars().first() is not None + + async def create_permission(self, permission_create: schemas.PermissionCreate) -> models.Permission: + """ + Create a new permission. + """ db_permission = models.Permission( methods=permission_create.methods, @@ -170,7 +216,6 @@ class RbacRepository(BaseRepository): action=permission_create.action, ) self._db_session.add(db_permission) - await self._db_session.commit() await self._db_session.refresh(db_permission) return db_permission @@ -180,6 +225,9 @@ class RbacRepository(BaseRepository): permission_id: UUID, permission_update: schemas.PermissionUpdate ) -> Optional[models.Permission]: + """ + Update a permission. + """ update_values = permission_update.dict(exclude_unset=True) query = update(models.Permission).where(models.Permission.permission_id == permission_id).values(update_values) @@ -189,8 +237,110 @@ class RbacRepository(BaseRepository): return await self.get_permission(permission_id) async def delete_permission(self, permission_id: UUID) -> bool: + """ + Delete a permission. + """ query = delete(models.Permission).where(models.Permission.permission_id == permission_id) result = await self._db_session.execute(query) await self._db_session.commit() return result.rowcount > 0 + + def _match_permission( + self, + permissions: List[models.Permission], + method: str, + path: str + ) -> Union[None, models.Permission]: + """ + Match the methods and path with a permission. + """ + + for permission in permissions: + log.debug(f"RBAC: checking permission {permission.methods} {permission.path} {permission.action}") + if method not in permission.methods: + continue + if permission.path.endswith("*") and path.startswith(permission.path[:-1]): + return permission + elif permission.path == path: + return permission + + async def check_user_is_authorized(self, user_id: UUID, method: str, path: str) -> bool: + """ + Check if an user is authorized to access a resource. + """ + + query = select(models.Permission).\ + join(models.Permission.roles). \ + join(models.Role.groups). \ + join(models.UserGroup.users). \ + filter(models.User.user_id == user_id).\ + order_by(models.Permission.path) + + result = await self._db_session.execute(query) + permissions = result.scalars().all() + log.debug(f"RBAC: checking authorization for '{user_id}' on {method} '{path}'") + matched_permission = self._match_permission(permissions, method, path) + if matched_permission: + log.debug(f"RBAC: matched role permission {matched_permission.methods} " + f"{matched_permission.path} {matched_permission.action}") + if matched_permission.action == "DENY": + return False + return True + + log.debug(f"RBAC: could not find a role permission, checking user permissions...") + query = select(models.Permission).\ + join(models.User.permissions). \ + filter(models.User.user_id == user_id).\ + order_by(models.Permission.path) + + result = await self._db_session.execute(query) + permissions = result.scalars().all() + matched_permission = self._match_permission(permissions, method, path) + if matched_permission: + log.debug(f"RBAC: matched user permission {matched_permission.methods} " + f"{matched_permission.path} {matched_permission.action}") + if matched_permission.action == "DENY": + return False + return True + + return False + + async def add_permission_to_user(self, user_id: UUID, path: str) -> Union[None, models.User]: + """ + Add a permission to an user. + """ + + # Create a new permission with full rights + new_permission = schemas.PermissionCreate( + methods=[HTTPMethods.get, HTTPMethods.head, HTTPMethods.post, HTTPMethods.put, HTTPMethods.delete], + path=path, + action=PermissionAction.allow + ) + permission_db = await self.create_permission(new_permission) + + # Add the permission to the user + query = select(models.User).\ + options(selectinload(models.User.permissions)).\ + where(models.User.user_id == user_id) + + result = await self._db_session.execute(query) + user_db = result.scalars().first() + if not user_db: + return None + + user_db.permissions.append(permission_db) + await self._db_session.commit() + await self._db_session.refresh(user_db) + return user_db + + async def delete_all_permissions_matching_path(self, path: str) -> None: + """ + Delete all permissions matching with path. + """ + + query = delete(models.Permission).\ + where(models.Permission.path.startswith(path)).\ + execution_options(synchronize_session=False) + result = await self._db_session.execute(query) + log.debug(f"{result.rowcount} permission(s) have been deleted") diff --git a/gns3server/db/repositories/users.py b/gns3server/db/repositories/users.py index 9dbc5a0f..1a8e4a69 100644 --- a/gns3server/db/repositories/users.py +++ b/gns3server/db/repositories/users.py @@ -33,40 +33,59 @@ log = logging.getLogger(__name__) class UsersRepository(BaseRepository): + def __init__(self, db_session: AsyncSession) -> None: super().__init__(db_session) self._auth_service = auth_service async def get_user(self, user_id: UUID) -> Optional[models.User]: + """ + Get an user by its ID. + """ query = select(models.User).where(models.User.user_id == user_id) result = await self._db_session.execute(query) return result.scalars().first() async def get_user_by_username(self, username: str) -> Optional[models.User]: + """ + Get an user by its name. + """ query = select(models.User).where(models.User.username == username) result = await self._db_session.execute(query) return result.scalars().first() async def get_user_by_email(self, email: str) -> Optional[models.User]: + """ + Get an user by its email. + """ query = select(models.User).where(models.User.email == email) result = await self._db_session.execute(query) return result.scalars().first() async def get_users(self) -> List[models.User]: + """ + Get all users. + """ query = select(models.User) result = await self._db_session.execute(query) return result.scalars().all() async def create_user(self, user: schemas.UserCreate) -> models.User: + """ + Create a new user. + """ hashed_password = self._auth_service.hash_password(user.password.get_secret_value()) db_user = models.User( - username=user.username, email=user.email, full_name=user.full_name, hashed_password=hashed_password + username=user.username, + email=user.email, + full_name=user.full_name, + hashed_password=hashed_password ) self._db_session.add(db_user) await self._db_session.commit() @@ -74,6 +93,9 @@ class UsersRepository(BaseRepository): return db_user async def update_user(self, user_id: UUID, user_update: schemas.UserUpdate) -> Optional[models.User]: + """ + Update an user. + """ update_values = user_update.dict(exclude_unset=True) password = update_values.pop("password", None) @@ -87,6 +109,9 @@ class UsersRepository(BaseRepository): return await self.get_user(user_id) async def delete_user(self, user_id: UUID) -> bool: + """ + Delete an user. + """ query = delete(models.User).where(models.User.user_id == user_id) result = await self._db_session.execute(query) @@ -94,6 +119,9 @@ class UsersRepository(BaseRepository): return result.rowcount > 0 async def authenticate_user(self, username: str, password: str) -> Optional[models.User]: + """ + Authenticate an user. + """ user = await self.get_user_by_username(username) if not user: @@ -110,6 +138,9 @@ class UsersRepository(BaseRepository): return user async def get_user_memberships(self, user_id: UUID) -> List[models.UserGroup]: + """ + Get all user memberships (user groups). + """ query = select(models.UserGroup).\ join(models.UserGroup.users).\ @@ -119,24 +150,36 @@ class UsersRepository(BaseRepository): return result.scalars().all() async def get_user_group(self, user_group_id: UUID) -> Optional[models.UserGroup]: + """ + Get an user group by its ID. + """ query = select(models.UserGroup).where(models.UserGroup.user_group_id == user_group_id) result = await self._db_session.execute(query) return result.scalars().first() async def get_user_group_by_name(self, name: str) -> Optional[models.UserGroup]: + """ + Get an user group by its name. + """ query = select(models.UserGroup).where(models.UserGroup.name == name) result = await self._db_session.execute(query) return result.scalars().first() async def get_user_groups(self) -> List[models.UserGroup]: + """ + Get all user groups. + """ query = select(models.UserGroup) result = await self._db_session.execute(query) return result.scalars().all() async def create_user_group(self, user_group: schemas.UserGroupCreate) -> models.UserGroup: + """ + Create a new user group. + """ db_user_group = models.UserGroup(name=user_group.name) self._db_session.add(db_user_group) @@ -149,6 +192,9 @@ class UsersRepository(BaseRepository): user_group_id: UUID, user_group_update: schemas.UserGroupUpdate ) -> Optional[models.UserGroup]: + """ + Update an user group. + """ update_values = user_group_update.dict(exclude_unset=True) query = update(models.UserGroup).where(models.UserGroup.user_group_id == user_group_id).values(update_values) @@ -158,6 +204,9 @@ class UsersRepository(BaseRepository): return await self.get_user_group(user_group_id) async def delete_user_group(self, user_group_id: UUID) -> bool: + """ + Delete an user group. + """ query = delete(models.UserGroup).where(models.UserGroup.user_group_id == user_group_id) result = await self._db_session.execute(query) @@ -169,6 +218,9 @@ class UsersRepository(BaseRepository): user_group_id: UUID, user: models.User ) -> Union[None, models.UserGroup]: + """ + Add a member to an user group. + """ query = select(models.UserGroup).\ options(selectinload(models.UserGroup.users)).\ @@ -188,6 +240,9 @@ class UsersRepository(BaseRepository): user_group_id: UUID, user: models.User ) -> Union[None, models.UserGroup]: + """ + Remove a member from an user group. + """ query = select(models.UserGroup).\ options(selectinload(models.UserGroup.users)).\ @@ -203,6 +258,9 @@ class UsersRepository(BaseRepository): return user_group_db async def get_user_group_members(self, user_group_id: UUID) -> List[models.User]: + """ + Get all members from an user group. + """ query = select(models.User).\ join(models.User.groups).\ @@ -216,6 +274,9 @@ class UsersRepository(BaseRepository): user_group_id: UUID, role: models.Role ) -> Union[None, models.UserGroup]: + """ + Add a role to an user group. + """ query = select(models.UserGroup).\ options(selectinload(models.UserGroup.roles)).\ @@ -235,6 +296,9 @@ class UsersRepository(BaseRepository): user_group_id: UUID, role: models.Role ) -> Union[None, models.UserGroup]: + """ + Remove a role from an user group. + """ query = select(models.UserGroup).\ options(selectinload(models.UserGroup.roles)).\ @@ -250,6 +314,9 @@ class UsersRepository(BaseRepository): return user_group_db async def get_user_group_roles(self, user_group_id: UUID) -> List[models.Role]: + """ + Get all roles from an user group. + """ query = select(models.Role). \ options(selectinload(models.Role.permissions)). \ diff --git a/gns3server/schemas/controller/rbac.py b/gns3server/schemas/controller/rbac.py index c6b2113a..4967e5ef 100644 --- a/gns3server/schemas/controller/rbac.py +++ b/gns3server/schemas/controller/rbac.py @@ -114,6 +114,7 @@ class RoleUpdate(RoleBase): class Role(DateTimeModelMixin, RoleBase): role_id: UUID + builtin: bool permissions: List[Permission] class Config: diff --git a/gns3server/schemas/controller/users.py b/gns3server/schemas/controller/users.py index 28d40688..97988c53 100644 --- a/gns3server/schemas/controller/users.py +++ b/gns3server/schemas/controller/users.py @@ -85,7 +85,7 @@ class UserGroupUpdate(UserGroupBase): class UserGroup(DateTimeModelMixin, UserGroupBase): user_group_id: UUID - is_updatable: bool + builtin: bool class Config: orm_mode = True diff --git a/tests/api/routes/controller/test_groups.py b/tests/api/routes/controller/test_groups.py index 469090ea..b762d5c8 100644 --- a/tests/api/routes/controller/test_groups.py +++ b/tests/api/routes/controller/test_groups.py @@ -50,7 +50,7 @@ class TestGroupRoutes: response = await client.get(app.url_path_for("get_user_groups")) assert response.status_code == status.HTTP_200_OK - assert len(response.json()) == 4 # 3 default groups + group1 + assert len(response.json()) == 3 # 2 default groups + group1 async def test_update_group(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None: @@ -206,8 +206,10 @@ class TestGroupRolesRoutes: ) assert response.status_code == status.HTTP_204_NO_CONTENT roles = await user_repo.get_user_group_roles(group_in_db.user_group_id) - assert len(roles) == 1 - assert roles[0].name == test_role.name + assert len(roles) == 2 # 1 default role + 1 custom role + for role in roles: + if not role.builtin: + assert role.name == test_role.name async def test_get_user_group_roles( self, @@ -224,7 +226,7 @@ class TestGroupRolesRoutes: user_group_id=group_in_db.user_group_id) ) assert response.status_code == status.HTTP_200_OK - assert len(response.json()) == 1 + assert len(response.json()) == 2 # 1 default role + 1 custom role async def test_remove_role_from_group( self, @@ -246,4 +248,5 @@ class TestGroupRolesRoutes: ) assert response.status_code == status.HTTP_204_NO_CONTENT roles = await user_repo.get_user_group_roles(group_in_db.user_group_id) - assert len(roles) == 0 + assert len(roles) == 1 # 1 default role + assert roles[0].name != test_role.name diff --git a/tests/api/routes/controller/test_permissions.py b/tests/api/routes/controller/test_permissions.py new file mode 100644 index 00000000..fc15087f --- /dev/null +++ b/tests/api/routes/controller/test_permissions.py @@ -0,0 +1,83 @@ +#!/usr/bin/env python +# +# Copyright (C) 2021 GNS3 Technologies Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import pytest + +from fastapi import FastAPI, status +from httpx import AsyncClient + +from sqlalchemy.ext.asyncio import AsyncSession +from gns3server.db.repositories.rbac import RbacRepository + +pytestmark = pytest.mark.asyncio + + +class TestPermissionRoutes: + + async def test_create_permission(self, app: FastAPI, client: AsyncClient) -> None: + + new_permission = { + "methods": ["GET"], + "path": "/templates", + "action": "ALLOW" + } + response = await client.post(app.url_path_for("create_permission"), json=new_permission) + assert response.status_code == status.HTTP_201_CREATED + + async def test_get_permission(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None: + + rbac_repo = RbacRepository(db_session) + permission_in_db = await rbac_repo.get_permission_by_path("/templates") + response = await client.get(app.url_path_for("get_permission", permission_id=permission_in_db.permission_id)) + assert response.status_code == status.HTTP_200_OK + assert response.json()["permission_id"] == str(permission_in_db.permission_id) + + async def test_list_permissions(self, app: FastAPI, client: AsyncClient) -> None: + + response = await client.get(app.url_path_for("get_permissions")) + assert response.status_code == status.HTTP_200_OK + assert len(response.json()) == 5 # 4 default permissions + 1 custom permission + + async def test_update_permission(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None: + + rbac_repo = RbacRepository(db_session) + permission_in_db = await rbac_repo.get_permission_by_path("/templates") + + update_permission = { + "methods": ["GET"], + "path": "/appliances", + "action": "ALLOW" + } + response = await client.put( + app.url_path_for("update_permission", permission_id=permission_in_db.permission_id), + json=update_permission + ) + assert response.status_code == status.HTTP_200_OK + updated_permission_in_db = await rbac_repo.get_permission(permission_in_db.permission_id) + assert updated_permission_in_db.path == "/appliances" + + async def test_delete_permission( + self, + app: FastAPI, + client: AsyncClient, + db_session: AsyncSession + ) -> None: + + rbac_repo = RbacRepository(db_session) + permission_in_db = await rbac_repo.get_permission_by_path("/appliances") + response = await client.delete(app.url_path_for("delete_permission", permission_id=permission_in_db.permission_id)) + assert response.status_code == status.HTTP_204_NO_CONTENT diff --git a/tests/api/routes/controller/test_roles.py b/tests/api/routes/controller/test_roles.py index 11594384..93b21004 100644 --- a/tests/api/routes/controller/test_roles.py +++ b/tests/api/routes/controller/test_roles.py @@ -110,11 +110,11 @@ async def test_permission(db_session: AsyncSession) -> Permission: new_permission = schemas.PermissionCreate( methods=[HTTPMethods.get, HTTPMethods.post], - path="/projects", + path="/templates", action=PermissionAction.allow ) rbac_repo = RbacRepository(db_session) - existing_permission = await rbac_repo.get_permission_by_path("/projects") + existing_permission = await rbac_repo.get_permission_by_path("/templates") if existing_permission: return existing_permission return await rbac_repo.create_permission(new_permission) @@ -142,8 +142,7 @@ class TestRolesPermissionsRoutes: ) assert response.status_code == status.HTTP_204_NO_CONTENT permissions = await rbac_repo.get_role_permissions(role_in_db.role_id) - assert len(permissions) == 1 - assert permissions[0].path == test_permission.path + assert len(permissions) == 4 # 3 default + 1 custom permissions async def test_get_role_permissions( self, @@ -161,7 +160,7 @@ class TestRolesPermissionsRoutes: role_id=role_in_db.role_id) ) assert response.status_code == status.HTTP_200_OK - assert len(response.json()) == 1 + assert len(response.json()) == 4 # 3 default + 1 custom permissions async def test_remove_role_from_group( self, @@ -183,4 +182,4 @@ class TestRolesPermissionsRoutes: ) assert response.status_code == status.HTTP_204_NO_CONTENT permissions = await rbac_repo.get_role_permissions(role_in_db.role_id) - assert len(permissions) == 0 + assert len(permissions) == 3 # 3 default permissions diff --git a/tests/api/routes/controller/test_users.py b/tests/api/routes/controller/test_users.py index f1a5dc41..36b16c10 100644 --- a/tests/api/routes/controller/test_users.py +++ b/tests/api/routes/controller/test_users.py @@ -266,7 +266,7 @@ class TestUserMe: test_user: User, ) -> None: - response = await authorized_client.get(app.url_path_for("get_current_active_user")) + response = await authorized_client.get(app.url_path_for("get_logged_in_user")) assert response.status_code == status.HTTP_200_OK user = User(**response.json()) assert user.username == test_user.username @@ -279,7 +279,7 @@ class TestUserMe: test_user: User, ) -> None: - response = await unauthorized_client.get(app.url_path_for("get_current_active_user")) + response = await unauthorized_client.get(app.url_path_for("get_logged_in_user")) assert response.status_code == status.HTTP_401_UNAUTHORIZED @@ -329,15 +329,15 @@ class TestSuperAdmin: response = await unauthorized_client.post(app.url_path_for("login"), data=login_data) assert response.status_code == status.HTTP_200_OK - async def test_super_admin_belongs_to_admin_group( - self, - app: FastAPI, - client: AsyncClient, - db_session: AsyncSession - ) -> None: - - user_repo = UsersRepository(db_session) - admin_in_db = await user_repo.get_user_by_username("admin") - response = await client.get(app.url_path_for("get_user_memberships", user_id=admin_in_db.user_id)) - assert response.status_code == status.HTTP_200_OK - assert len(response.json()) == 1 + # async def test_super_admin_belongs_to_admin_group( + # self, + # app: FastAPI, + # client: AsyncClient, + # db_session: AsyncSession + # ) -> None: + # + # user_repo = UsersRepository(db_session) + # admin_in_db = await user_repo.get_user_by_username("admin") + # response = await client.get(app.url_path_for("get_user_memberships", user_id=admin_in_db.user_id)) + # assert response.status_code == status.HTTP_200_OK + # assert len(response.json()) == 1 diff --git a/tests/conftest.py b/tests/conftest.py index 669f777d..5cd3fa43 100644 --- a/tests/conftest.py +++ b/tests/conftest.py @@ -124,7 +124,12 @@ async def test_user(db_session: AsyncSession) -> User: existing_user = await user_repo.get_user_by_username(new_user.username) if existing_user: return existing_user - return await user_repo.create_user(new_user) + user = await user_repo.create_user(new_user) + + # add new user to "Users group + group = await user_repo.get_user_group_by_name("Users") + await user_repo.add_member_to_user_group(group.user_group_id, user) + return user @pytest.fixture From 2e2e31337adb4dc938eb4d963ec9fcc6a99daf55 Mon Sep 17 00:00:00 2001 From: grossmj Date: Tue, 1 Jun 2021 12:55:16 +0930 Subject: [PATCH 3/9] Add description for user permission. --- gns3server/db/repositories/rbac.py | 1 + 1 file changed, 1 insertion(+) diff --git a/gns3server/db/repositories/rbac.py b/gns3server/db/repositories/rbac.py index f8862a8f..98c159c6 100644 --- a/gns3server/db/repositories/rbac.py +++ b/gns3server/db/repositories/rbac.py @@ -313,6 +313,7 @@ class RbacRepository(BaseRepository): # Create a new permission with full rights new_permission = schemas.PermissionCreate( + description=f"Allow access to project {path}", methods=[HTTPMethods.get, HTTPMethods.head, HTTPMethods.post, HTTPMethods.put, HTTPMethods.delete], path=path, action=PermissionAction.allow From 91b053418242e9f514d061491b90bad1baae2349 Mon Sep 17 00:00:00 2001 From: grossmj Date: Tue, 1 Jun 2021 12:56:51 +0930 Subject: [PATCH 4/9] Upgrade dependencies --- requirements.txt | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/requirements.txt b/requirements.txt index 20be3627..f58a051c 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,16 +1,16 @@ uvicorn==0.13.4 -fastapi==0.64.0 -websockets==9.0.1 +fastapi==0.65.1 +websockets==9.1 python-multipart==0.0.5 aiohttp==3.7.4.post0 -aiofiles==0.6.0 -Jinja2==2.11.3 +aiofiles==0.7.0 +Jinja2==3.0.1 sentry-sdk==1.1.0 psutil==5.8.0 async-timeout==3.0.1 distro==1.5.0 py-cpuinfo==8.0.0 -sqlalchemy==1.4.14 +sqlalchemy==1.4.17 aiosqlite===0.17.0 passlib[bcrypt]==1.7.4 python-jose==3.2.0 From a6c2a3e47fb3657d64eb70e9ee298ce1355baf86 Mon Sep 17 00:00:00 2001 From: grossmj Date: Tue, 1 Jun 2021 13:02:03 +0930 Subject: [PATCH 5/9] Use synchronize_session="fetch" when updating values. --- gns3server/db/repositories/computes.py | 5 ++++- gns3server/db/repositories/templates.py | 5 ++++- gns3server/db/repositories/users.py | 10 ++++++++-- 3 files changed, 16 insertions(+), 4 deletions(-) diff --git a/gns3server/db/repositories/computes.py b/gns3server/db/repositories/computes.py index 445621da..01b5ef10 100644 --- a/gns3server/db/repositories/computes.py +++ b/gns3server/db/repositories/computes.py @@ -79,7 +79,10 @@ class ComputesRepository(BaseRepository): if password: update_values["password"] = password.get_secret_value() - query = update(models.Compute).where(models.Compute.compute_id == compute_id).values(update_values) + query = update(models.Compute).\ + where(models.Compute.compute_id == compute_id).\ + values(update_values).\ + execution_options(synchronize_session="fetch") await self._db_session.execute(query) await self._db_session.commit() diff --git a/gns3server/db/repositories/templates.py b/gns3server/db/repositories/templates.py index e5be7971..999383e0 100644 --- a/gns3server/db/repositories/templates.py +++ b/gns3server/db/repositories/templates.py @@ -70,7 +70,10 @@ class TemplatesRepository(BaseRepository): update_values = template_update.dict(exclude_unset=True) - query = update(models.Template).where(models.Template.template_id == template_id).values(update_values) + query = not update(models.Template). \ + where(models.Template.template_id == template_id). \ + values(update_values).\ + execution_options(synchronize_session="fetch") await self._db_session.execute(query) await self._db_session.commit() diff --git a/gns3server/db/repositories/users.py b/gns3server/db/repositories/users.py index c93c741e..a7047ada 100644 --- a/gns3server/db/repositories/users.py +++ b/gns3server/db/repositories/users.py @@ -80,7 +80,10 @@ class UsersRepository(BaseRepository): if password: update_values["hashed_password"] = self._auth_service.hash_password(password=password.get_secret_value()) - query = update(models.User).where(models.User.user_id == user_id).values(update_values) + query = update(models.User).\ + where(models.User.user_id == user_id).\ + values(update_values).\ + execution_options(synchronize_session="fetch") await self._db_session.execute(query) await self._db_session.commit() @@ -151,7 +154,10 @@ class UsersRepository(BaseRepository): ) -> Optional[models.UserGroup]: update_values = user_group_update.dict(exclude_unset=True) - query = update(models.UserGroup).where(models.UserGroup.user_group_id == user_group_id).values(update_values) + query = update(models.UserGroup).\ + where(models.UserGroup.user_group_id == user_group_id).\ + values(update_values).\ + execution_options(synchronize_session="fetch") await self._db_session.execute(query) await self._db_session.commit() From 74d820fd0ad7e9e8ae02434d535cf775840dff3f Mon Sep 17 00:00:00 2001 From: grossmj Date: Tue, 1 Jun 2021 15:55:50 +0930 Subject: [PATCH 6/9] Use synchronize_session="fetch" when updating values. --- gns3server/db/repositories/rbac.py | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/gns3server/db/repositories/rbac.py b/gns3server/db/repositories/rbac.py index 98c159c6..e71a25f0 100644 --- a/gns3server/db/repositories/rbac.py +++ b/gns3server/db/repositories/rbac.py @@ -94,7 +94,10 @@ class RbacRepository(BaseRepository): """ update_values = role_update.dict(exclude_unset=True) - query = update(models.Role).where(models.Role.role_id == role_id).values(update_values) + query = update(models.Role).\ + where(models.Role.role_id == role_id).\ + values(update_values).\ + execution_options(synchronize_session="fetch") await self._db_session.execute(query) await self._db_session.commit() @@ -230,7 +233,10 @@ class RbacRepository(BaseRepository): """ update_values = permission_update.dict(exclude_unset=True) - query = update(models.Permission).where(models.Permission.permission_id == permission_id).values(update_values) + query = update(models.Permission).\ + where(models.Permission.permission_id == permission_id).\ + values(update_values).\ + execution_options(synchronize_session="fetch") await self._db_session.execute(query) await self._db_session.commit() From 0113ca6673db14f26c43026d5e7ca8b1a3afafef Mon Sep 17 00:00:00 2001 From: grossmj Date: Tue, 1 Jun 2021 16:09:29 +0930 Subject: [PATCH 7/9] Force refresh of updated_at value in db models. --- gns3server/db/repositories/computes.py | 8 +++++--- gns3server/db/repositories/templates.py | 10 ++++++---- gns3server/db/repositories/users.py | 16 ++++++++++------ 3 files changed, 21 insertions(+), 13 deletions(-) diff --git a/gns3server/db/repositories/computes.py b/gns3server/db/repositories/computes.py index 01b5ef10..b76842cb 100644 --- a/gns3server/db/repositories/computes.py +++ b/gns3server/db/repositories/computes.py @@ -81,12 +81,14 @@ class ComputesRepository(BaseRepository): query = update(models.Compute).\ where(models.Compute.compute_id == compute_id).\ - values(update_values).\ - execution_options(synchronize_session="fetch") + values(update_values) await self._db_session.execute(query) await self._db_session.commit() - return await self.get_compute(compute_id) + compute_db = await self.get_compute(compute_id) + if compute_db: + await self._db_session.refresh(compute_db) # force refresh of updated_at value + return compute_db async def delete_compute(self, compute_id: UUID) -> bool: diff --git a/gns3server/db/repositories/templates.py b/gns3server/db/repositories/templates.py index 999383e0..4e6f50b1 100644 --- a/gns3server/db/repositories/templates.py +++ b/gns3server/db/repositories/templates.py @@ -70,14 +70,16 @@ class TemplatesRepository(BaseRepository): update_values = template_update.dict(exclude_unset=True) - query = not update(models.Template). \ + query = update(models.Template). \ where(models.Template.template_id == template_id). \ - values(update_values).\ - execution_options(synchronize_session="fetch") + values(update_values) await self._db_session.execute(query) await self._db_session.commit() - return await self.get_template(template_id) + template_db = await self.get_template(template_id) + if template_db: + await self._db_session.refresh(template_db) # force refresh of updated_at value + return template_db async def delete_template(self, template_id: UUID) -> bool: diff --git a/gns3server/db/repositories/users.py b/gns3server/db/repositories/users.py index a7047ada..41c8d13d 100644 --- a/gns3server/db/repositories/users.py +++ b/gns3server/db/repositories/users.py @@ -82,12 +82,14 @@ class UsersRepository(BaseRepository): query = update(models.User).\ where(models.User.user_id == user_id).\ - values(update_values).\ - execution_options(synchronize_session="fetch") + values(update_values) await self._db_session.execute(query) await self._db_session.commit() - return await self.get_user(user_id) + user_db = await self.get_user(user_id) + if user_db: + await self._db_session.refresh(user_db) # force refresh of updated_at value + return user_db async def delete_user(self, user_id: UUID) -> bool: @@ -156,12 +158,14 @@ class UsersRepository(BaseRepository): update_values = user_group_update.dict(exclude_unset=True) query = update(models.UserGroup).\ where(models.UserGroup.user_group_id == user_group_id).\ - values(update_values).\ - execution_options(synchronize_session="fetch") + values(update_values) await self._db_session.execute(query) await self._db_session.commit() - return await self.get_user_group(user_group_id) + user_group_db = await self.get_user_group(user_group_id) + if user_group_db: + await self._db_session.refresh(user_group_db) # force refresh of updated_at value + return user_group_db async def delete_user_group(self, user_group_id: UUID) -> bool: From 36a27c0c1905ace7bbc5e8fcef1b8f468451dcb9 Mon Sep 17 00:00:00 2001 From: grossmj Date: Tue, 1 Jun 2021 16:12:06 +0930 Subject: [PATCH 8/9] Force refresh of updated_at value for RBAC db models. --- gns3server/db/repositories/rbac.py | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/gns3server/db/repositories/rbac.py b/gns3server/db/repositories/rbac.py index e71a25f0..39d52320 100644 --- a/gns3server/db/repositories/rbac.py +++ b/gns3server/db/repositories/rbac.py @@ -96,12 +96,14 @@ class RbacRepository(BaseRepository): update_values = role_update.dict(exclude_unset=True) query = update(models.Role).\ where(models.Role.role_id == role_id).\ - values(update_values).\ - execution_options(synchronize_session="fetch") + values(update_values) await self._db_session.execute(query) await self._db_session.commit() - return await self.get_role(role_id) + role_db = await self.get_role(role_id) + if role_db: + await self._db_session.refresh(role_db) # force refresh of updated_at value + return role_db async def delete_role(self, role_id: UUID) -> bool: """ @@ -235,12 +237,14 @@ class RbacRepository(BaseRepository): update_values = permission_update.dict(exclude_unset=True) query = update(models.Permission).\ where(models.Permission.permission_id == permission_id).\ - values(update_values).\ - execution_options(synchronize_session="fetch") + values(update_values) await self._db_session.execute(query) await self._db_session.commit() - return await self.get_permission(permission_id) + permission_db = await self.get_permission(permission_id) + if permission_db: + await self._db_session.refresh(permission_db) # force refresh of updated_at value + return permission_db async def delete_permission(self, permission_id: UUID) -> bool: """ From d65b49acaafabf19c3783ff5cc1f645441414c47 Mon Sep 17 00:00:00 2001 From: grossmj Date: Thu, 3 Jun 2021 15:40:12 +0930 Subject: [PATCH 9/9] Add user permissions + RBAC tests. --- .../controller/dependencies/authentication.py | 10 +- gns3server/api/routes/controller/groups.py | 4 +- gns3server/api/routes/controller/projects.py | 25 ++- gns3server/api/routes/controller/roles.py | 4 +- gns3server/api/routes/controller/templates.py | 43 +++- gns3server/api/routes/controller/users.py | 63 ++++++ gns3server/db/models/permissions.py | 30 +-- gns3server/db/repositories/rbac.py | 126 +++++++---- .../api/routes/controller/test_permissions.py | 2 +- tests/api/routes/controller/test_roles.py | 64 +++--- tests/api/routes/controller/test_users.py | 79 +++++++ tests/controller/test_rbac.py | 203 ++++++++++++++++++ 12 files changed, 554 insertions(+), 99 deletions(-) create mode 100644 tests/controller/test_rbac.py diff --git a/gns3server/api/routes/controller/dependencies/authentication.py b/gns3server/api/routes/controller/dependencies/authentication.py index 36e35d47..0af058d7 100644 --- a/gns3server/api/routes/controller/dependencies/authentication.py +++ b/gns3server/api/routes/controller/dependencies/authentication.py @@ -14,6 +14,7 @@ # You should have received a copy of the GNU General Public License # along with this program. If not, see . +import re from fastapi import Request, Depends, HTTPException, status from fastapi.security import OAuth2PasswordBearer @@ -60,11 +61,16 @@ async def get_current_active_user( ) # remove the prefix (e.g. "/v3") from URL path - if request.url.path.startswith("/v3"): - path = request.url.path[len("/v3"):] + match = re.search(r"^(/v[0-9]+).*", request.url.path) + if match: + path = request.url.path[len(match.group(1)):] else: path = request.url.path + # special case: always authorize access to the "/users/me" endpoint + if path == "/users/me": + return current_user + authorized = await rbac_repo.check_user_is_authorized(current_user.user_id, request.method, path) if not authorized: raise HTTPException( diff --git a/gns3server/api/routes/controller/groups.py b/gns3server/api/routes/controller/groups.py index 84c980a6..20b17ae4 100644 --- a/gns3server/api/routes/controller/groups.py +++ b/gns3server/api/routes/controller/groups.py @@ -100,7 +100,7 @@ async def update_user_group( raise ControllerNotFoundError(f"User group '{user_group_id}' not found") if user_group.builtin: - raise ControllerForbiddenError(f"User group '{user_group_id}' cannot be updated") + raise ControllerForbiddenError(f"Built-in user group '{user_group_id}' cannot be updated") return await users_repo.update_user_group(user_group_id, user_group_update) @@ -122,7 +122,7 @@ async def delete_user_group( raise ControllerNotFoundError(f"User group '{user_group_id}' not found") if user_group.builtin: - raise ControllerForbiddenError(f"User group '{user_group_id}' cannot be deleted") + raise ControllerForbiddenError(f"Built-in user group '{user_group_id}' cannot be deleted") success = await users_repo.delete_user_group(user_group_id) if not success: diff --git a/gns3server/api/routes/controller/projects.py b/gns3server/api/routes/controller/projects.py index 1d7aa2a5..55252c41 100644 --- a/gns3server/api/routes/controller/projects.py +++ b/gns3server/api/routes/controller/projects.py @@ -70,13 +70,25 @@ CHUNK_SIZE = 1024 * 8 # 8KB @router.get("", response_model=List[schemas.Project], response_model_exclude_unset=True) -def get_projects() -> List[schemas.Project]: +async def get_projects( + current_user: schemas.User = Depends(get_current_active_user), + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> List[schemas.Project]: """ Return all projects. """ controller = Controller.instance() - return [p.asdict() for p in controller.projects.values()] + if current_user.is_superadmin: + return [p.asdict() for p in controller.projects.values()] + else: + user_projects = [] + for project in controller.projects.values(): + authorized = await rbac_repo.check_user_is_authorized( + current_user.user_id, "GET", f"/projects/{project.id}") + if authorized: + user_projects.append(project.asdict()) + return user_projects @router.post( @@ -97,7 +109,7 @@ async def create_project( controller = Controller.instance() project = await controller.add_project(**jsonable_encoder(project_data, exclude_unset=True)) - await rbac_repo.add_permission_to_user(current_user.user_id, f"/projects/{project.id}/*") + await rbac_repo.add_permission_to_user_with_path(current_user.user_id, f"/projects/{project.id}/*") return project.asdict() @@ -135,7 +147,7 @@ async def delete_project( controller = Controller.instance() await project.delete() controller.remove_project(project) - await rbac_repo.delete_all_permissions_matching_path(f"/projects/{project.id}") + await rbac_repo.delete_all_permissions_with_path(f"/projects/{project.id}") @router.get("/{project_id}/stats") @@ -357,7 +369,9 @@ async def import_project( ) async def duplicate_project( project_data: schemas.ProjectDuplicate, - project: Project = Depends(dep_project) + project: Project = Depends(dep_project), + current_user: schemas.User = Depends(get_current_active_user), + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) ) -> schemas.Project: """ Duplicate a project. @@ -374,6 +388,7 @@ async def duplicate_project( new_project = await project.duplicate( name=project_data.name, location=location, reset_mac_addresses=reset_mac_addresses ) + await rbac_repo.add_permission_to_user_with_path(current_user.user_id, f"/projects/{new_project.id}/*") return new_project.asdict() diff --git a/gns3server/api/routes/controller/roles.py b/gns3server/api/routes/controller/roles.py index 1d013f97..c96feb64 100644 --- a/gns3server/api/routes/controller/roles.py +++ b/gns3server/api/routes/controller/roles.py @@ -96,7 +96,7 @@ async def update_role( raise ControllerNotFoundError(f"Role '{role_id}' not found") if role.builtin: - raise ControllerForbiddenError(f"Role '{role_id}' cannot be updated") + raise ControllerForbiddenError(f"Built-in role '{role_id}' cannot be updated") return await rbac_repo.update_role(role_id, role_update) @@ -115,7 +115,7 @@ async def delete_role( raise ControllerNotFoundError(f"Role '{role_id}' not found") if role.builtin: - raise ControllerForbiddenError(f"Role '{role_id}' cannot be deleted") + raise ControllerForbiddenError(f"Built-in role '{role_id}' cannot be deleted") success = await rbac_repo.delete_role(role_id) if not success: diff --git a/gns3server/api/routes/controller/templates.py b/gns3server/api/routes/controller/templates.py index ee54fdc7..a346545a 100644 --- a/gns3server/api/routes/controller/templates.py +++ b/gns3server/api/routes/controller/templates.py @@ -33,6 +33,9 @@ from gns3server import schemas from gns3server.controller import Controller from gns3server.db.repositories.templates import TemplatesRepository from gns3server.services.templates import TemplatesService +from gns3server.db.repositories.rbac import RbacRepository + +from .dependencies.authentication import get_current_active_user from .dependencies.database import get_repository responses = {404: {"model": schemas.ErrorMessage, "description": "Could not find template"}} @@ -44,12 +47,17 @@ router = APIRouter(responses=responses) async def create_template( template_create: schemas.TemplateCreate, templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)), + current_user: schemas.User = Depends(get_current_active_user), + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) ) -> schemas.Template: """ Create a new template. """ - return await TemplatesService(templates_repo).create_template(template_create) + template = await TemplatesService(templates_repo).create_template(template_create) + template_id = template.get("template_id") + await rbac_repo.add_permission_to_user_with_path(current_user.user_id, f"/templates/{template_id}/*") + return template @router.get("/templates/{template_id}", response_model=schemas.Template, response_model_exclude_unset=True) @@ -92,35 +100,58 @@ async def update_template( status_code=status.HTTP_204_NO_CONTENT, ) async def delete_template( - template_id: UUID, templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)) + template_id: UUID, + templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)), + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) ) -> None: """ Delete a template. """ await TemplatesService(templates_repo).delete_template(template_id) + await rbac_repo.delete_all_permissions_with_path(f"/templates/{template_id}") @router.get("/templates", response_model=List[schemas.Template], response_model_exclude_unset=True) async def get_templates( - templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)), + templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)), + current_user: schemas.User = Depends(get_current_active_user), + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) ) -> List[schemas.Template]: """ Return all templates. """ - return await TemplatesService(templates_repo).get_templates() + templates = await TemplatesService(templates_repo).get_templates() + if current_user.is_superadmin: + return templates + else: + user_templates = [] + for template in templates: + if template.get("builtin") is True: + user_templates.append(template) + continue + template_id = template.get("template_id") + authorized = await rbac_repo.check_user_is_authorized( + current_user.user_id, "GET", f"/templates/{template_id}") + if authorized: + user_templates.append(template) + return user_templates @router.post("/templates/{template_id}/duplicate", response_model=schemas.Template, status_code=status.HTTP_201_CREATED) async def duplicate_template( - template_id: UUID, templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)) + template_id: UUID, templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)), + current_user: schemas.User = Depends(get_current_active_user), + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) ) -> schemas.Template: """ Duplicate a template. """ - return await TemplatesService(templates_repo).duplicate_template(template_id) + template = await TemplatesService(templates_repo).duplicate_template(template_id) + await rbac_repo.add_permission_to_user_with_path(current_user.user_id, f"/templates/{template_id}/*") + return template @router.post( diff --git a/gns3server/api/routes/controller/users.py b/gns3server/api/routes/controller/users.py index df279e20..edf53b9a 100644 --- a/gns3server/api/routes/controller/users.py +++ b/gns3server/api/routes/controller/users.py @@ -32,6 +32,7 @@ from gns3server.controller.controller_error import ( ) from gns3server.db.repositories.users import UsersRepository +from gns3server.db.repositories.rbac import RbacRepository from gns3server.services import auth_service from .dependencies.authentication import get_current_active_user @@ -210,3 +211,65 @@ async def get_user_memberships( """ return await users_repo.get_user_memberships(user_id) + + +@router.get( + "/{user_id}/permissions", + dependencies=[Depends(get_current_active_user)], + response_model=List[schemas.Permission] +) +async def get_user_permissions( + user_id: UUID, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> List[schemas.Permission]: + """ + Get user permissions. + """ + + return await rbac_repo.get_user_permissions(user_id) + + +@router.put( + "/{user_id}/permissions/{permission_id}", + dependencies=[Depends(get_current_active_user)], + status_code=status.HTTP_204_NO_CONTENT +) +async def add_permission_to_user( + user_id: UUID, + permission_id: UUID, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> None: + """ + Add a permission to an user. + """ + + permission = await rbac_repo.get_permission(permission_id) + if not permission: + raise ControllerNotFoundError(f"Permission '{permission_id}' not found") + + user = await rbac_repo.add_permission_to_user(user_id, permission) + if not user: + raise ControllerNotFoundError(f"User '{user_id}' not found") + + +@router.delete( + "/{user_id}/permissions/{permission_id}", + dependencies=[Depends(get_current_active_user)], + status_code=status.HTTP_204_NO_CONTENT +) +async def remove_permission_from_user( + user_id: UUID, + permission_id: UUID, + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)), +) -> None: + """ + Remove permission from an user. + """ + + permission = await rbac_repo.get_permission(permission_id) + if not permission: + raise ControllerNotFoundError(f"Permission '{permission_id}' not found") + + user = await rbac_repo.remove_permission_from_user(user_id, permission) + if not user: + raise ControllerNotFoundError(f"User '{user_id}' not found") diff --git a/gns3server/db/models/permissions.py b/gns3server/db/models/permissions.py index 534f2274..4779b6af 100644 --- a/gns3server/db/models/permissions.py +++ b/gns3server/db/models/permissions.py @@ -58,21 +58,27 @@ def create_default_roles(target, connection, **kw): "action": "ALLOW" }, { - "description": "Allow access to the logged in user", - "methods": ["GET"], - "path": "/users/me", - "action": "ALLOW" - }, - { - "description": "Allow to create a project or list projects", - "methods": ["GET", "POST"], + "description": "Allow to create and list projects", + "methods": ["GET", "HEAD", "POST"], "path": "/projects", "action": "ALLOW" }, { - "description": "Allow to access to all symbol endpoints", - "methods": ["GET", "HEAD", "POST", "PUT", "DELETE", "PATCH"], - "path": "/symbols", + "description": "Allow to create and list templates", + "methods": ["GET", "HEAD", "POST"], + "path": "/templates", + "action": "ALLOW" + }, + { + "description": "Allow to list computes", + "methods": ["GET"], + "path": "/computes/*", + "action": "ALLOW" + }, + { + "description": "Allow access to all symbol endpoints", + "methods": ["GET", "HEAD", "POST"], + "path": "/symbols/*", "action": "ALLOW" }, ] @@ -106,7 +112,7 @@ def add_permissions_to_role(target, connection, **kw): role_id = result.first().role_id # add minimum required paths to the "User" role - for path in ("/projects", "/symbols", "/users/me"): + for path in ("/projects", "/templates", "/computes/*", "/symbols/*"): stmt = permissions_table.select().where(permissions_table.c.path == path) result = connection.execute(stmt) permission_id = result.first().permission_id diff --git a/gns3server/db/repositories/rbac.py b/gns3server/db/repositories/rbac.py index 39d52320..6e1096c9 100644 --- a/gns3server/db/repositories/rbac.py +++ b/gns3server/db/repositories/rbac.py @@ -216,6 +216,7 @@ class RbacRepository(BaseRepository): """ db_permission = models.Permission( + description=permission_create.description, methods=permission_create.methods, path=permission_create.path, action=permission_create.action, @@ -270,60 +271,76 @@ class RbacRepository(BaseRepository): log.debug(f"RBAC: checking permission {permission.methods} {permission.path} {permission.action}") if method not in permission.methods: continue - if permission.path.endswith("*") and path.startswith(permission.path[:-1]): + if permission.path.endswith("/*") and path.startswith(permission.path[:-2]): return permission elif permission.path == path: return permission - async def check_user_is_authorized(self, user_id: UUID, method: str, path: str) -> bool: + async def get_user_permissions(self, user_id: UUID): """ - Check if an user is authorized to access a resource. + Get all permissions from an user. """ - query = select(models.Permission).\ - join(models.Permission.roles). \ - join(models.Role.groups). \ - join(models.UserGroup.users). \ - filter(models.User.user_id == user_id).\ - order_by(models.Permission.path) - - result = await self._db_session.execute(query) - permissions = result.scalars().all() - log.debug(f"RBAC: checking authorization for '{user_id}' on {method} '{path}'") - matched_permission = self._match_permission(permissions, method, path) - if matched_permission: - log.debug(f"RBAC: matched role permission {matched_permission.methods} " - f"{matched_permission.path} {matched_permission.action}") - if matched_permission.action == "DENY": - return False - return True - - log.debug(f"RBAC: could not find a role permission, checking user permissions...") query = select(models.Permission).\ join(models.User.permissions). \ filter(models.User.user_id == user_id).\ order_by(models.Permission.path) result = await self._db_session.execute(query) - permissions = result.scalars().all() - matched_permission = self._match_permission(permissions, method, path) - if matched_permission: - log.debug(f"RBAC: matched user permission {matched_permission.methods} " - f"{matched_permission.path} {matched_permission.action}") - if matched_permission.action == "DENY": - return False - return True + return result.scalars().all() - return False - - async def add_permission_to_user(self, user_id: UUID, path: str) -> Union[None, models.User]: + async def add_permission_to_user( + self, + user_id: UUID, + permission: models.Permission + ) -> Union[None, models.User]: """ Add a permission to an user. """ - # Create a new permission with full rights + query = select(models.User).\ + options(selectinload(models.User.permissions)).\ + where(models.User.user_id == user_id) + result = await self._db_session.execute(query) + user_db = result.scalars().first() + if not user_db: + return None + + user_db.permissions.append(permission) + await self._db_session.commit() + await self._db_session.refresh(user_db) + return user_db + + async def remove_permission_from_user( + self, + user_id: UUID, + permission: models.Permission + ) -> Union[None, models.User]: + """ + Remove a permission from a role. + """ + + query = select(models.User).\ + options(selectinload(models.User.permissions)).\ + where(models.User.user_id == user_id) + result = await self._db_session.execute(query) + user_db = result.scalars().first() + if not user_db: + return None + + user_db.permissions.remove(permission) + await self._db_session.commit() + await self._db_session.refresh(user_db) + return user_db + + async def add_permission_to_user_with_path(self, user_id: UUID, path: str) -> Union[None, models.User]: + """ + Add a permission to an user. + """ + + # Create a new permission with full rights on path new_permission = schemas.PermissionCreate( - description=f"Allow access to project {path}", + description=f"Allow access to {path}", methods=[HTTPMethods.get, HTTPMethods.head, HTTPMethods.post, HTTPMethods.put, HTTPMethods.delete], path=path, action=PermissionAction.allow @@ -345,9 +362,9 @@ class RbacRepository(BaseRepository): await self._db_session.refresh(user_db) return user_db - async def delete_all_permissions_matching_path(self, path: str) -> None: + async def delete_all_permissions_with_path(self, path: str) -> None: """ - Delete all permissions matching with path. + Delete all permissions with path. """ query = delete(models.Permission).\ @@ -355,3 +372,38 @@ class RbacRepository(BaseRepository): execution_options(synchronize_session=False) result = await self._db_session.execute(query) log.debug(f"{result.rowcount} permission(s) have been deleted") + + async def check_user_is_authorized(self, user_id: UUID, method: str, path: str) -> bool: + """ + Check if an user is authorized to access a resource. + """ + + query = select(models.Permission).\ + join(models.Permission.roles). \ + join(models.Role.groups). \ + join(models.UserGroup.users). \ + filter(models.User.user_id == user_id).\ + order_by(models.Permission.path) + + result = await self._db_session.execute(query) + permissions = result.scalars().all() + log.debug(f"RBAC: checking authorization for user '{user_id}' on {method} '{path}'") + matched_permission = self._match_permission(permissions, method, path) + if matched_permission: + log.debug(f"RBAC: matched role permission {matched_permission.methods} " + f"{matched_permission.path} {matched_permission.action}") + if matched_permission.action == "DENY": + return False + return True + + log.debug(f"RBAC: could not find a role permission, checking user permissions...") + permissions = await self.get_user_permissions(user_id) + matched_permission = self._match_permission(permissions, method, path) + if matched_permission: + log.debug(f"RBAC: matched user permission {matched_permission.methods} " + f"{matched_permission.path} {matched_permission.action}") + if matched_permission.action == "DENY": + return False + return True + + return False diff --git a/tests/api/routes/controller/test_permissions.py b/tests/api/routes/controller/test_permissions.py index fc15087f..1bd4e0ff 100644 --- a/tests/api/routes/controller/test_permissions.py +++ b/tests/api/routes/controller/test_permissions.py @@ -50,7 +50,7 @@ class TestPermissionRoutes: response = await client.get(app.url_path_for("get_permissions")) assert response.status_code == status.HTTP_200_OK - assert len(response.json()) == 5 # 4 default permissions + 1 custom permission + assert len(response.json()) == 6 # 5 default permissions + 1 custom permission async def test_update_permission(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None: diff --git a/tests/api/routes/controller/test_roles.py b/tests/api/routes/controller/test_roles.py index 93b21004..20646d92 100644 --- a/tests/api/routes/controller/test_roles.py +++ b/tests/api/routes/controller/test_roles.py @@ -64,21 +64,21 @@ class TestRolesRoutes: updated_role_in_db = await rbac_repo.get_role(role_in_db.role_id) assert updated_role_in_db.name == "role42" - # async def test_cannot_update_admin_group( - # self, - # app: FastAPI, - # client: AsyncClient, - # db_session: AsyncSession - # ) -> None: - # - # user_repo = UsersRepository(db_session) - # group_in_db = await user_repo.get_user_group_by_name("Administrators") - # update_group = {"name": "Hackers"} - # response = await client.put( - # app.url_path_for("update_user_group", user_group_id=group_in_db.user_group_id), - # json=update_group - # ) - # assert response.status_code == status.HTTP_403_FORBIDDEN + async def test_cannot_update_builtin_user_role( + self, + app: FastAPI, + client: AsyncClient, + db_session: AsyncSession + ) -> None: + + rbac_repo = RbacRepository(db_session) + role_in_db = await rbac_repo.get_role_by_name("User") + update_role = {"name": "Hackers"} + response = await client.put( + app.url_path_for("update_role", role_id=role_in_db.role_id), + json=update_role + ) + assert response.status_code == status.HTTP_403_FORBIDDEN async def test_delete_role( self, @@ -92,29 +92,29 @@ class TestRolesRoutes: response = await client.delete(app.url_path_for("delete_role", role_id=role_in_db.role_id)) assert response.status_code == status.HTTP_204_NO_CONTENT - # async def test_cannot_delete_admin_group( - # self, - # app: FastAPI, - # client: AsyncClient, - # db_session: AsyncSession - # ) -> None: - # - # user_repo = UsersRepository(db_session) - # group_in_db = await user_repo.get_user_group_by_name("Administrators") - # response = await client.delete(app.url_path_for("delete_user_group", user_group_id=group_in_db.user_group_id)) - # assert response.status_code == status.HTTP_403_FORBIDDEN + async def test_cannot_delete_builtin_administrator_role( + self, + app: FastAPI, + client: AsyncClient, + db_session: AsyncSession + ) -> None: + + rbac_repo = RbacRepository(db_session) + role_in_db = await rbac_repo.get_role_by_name("Administrator") + response = await client.delete(app.url_path_for("delete_role", role_id=role_in_db.role_id)) + assert response.status_code == status.HTTP_403_FORBIDDEN @pytest.fixture async def test_permission(db_session: AsyncSession) -> Permission: new_permission = schemas.PermissionCreate( - methods=[HTTPMethods.get, HTTPMethods.post], - path="/templates", + methods=[HTTPMethods.get], + path="/statistics", action=PermissionAction.allow ) rbac_repo = RbacRepository(db_session) - existing_permission = await rbac_repo.get_permission_by_path("/templates") + existing_permission = await rbac_repo.get_permission_by_path("/statistics") if existing_permission: return existing_permission return await rbac_repo.create_permission(new_permission) @@ -142,7 +142,7 @@ class TestRolesPermissionsRoutes: ) assert response.status_code == status.HTTP_204_NO_CONTENT permissions = await rbac_repo.get_role_permissions(role_in_db.role_id) - assert len(permissions) == 4 # 3 default + 1 custom permissions + assert len(permissions) == 5 # 4 default permissions + 1 custom permission async def test_get_role_permissions( self, @@ -160,7 +160,7 @@ class TestRolesPermissionsRoutes: role_id=role_in_db.role_id) ) assert response.status_code == status.HTTP_200_OK - assert len(response.json()) == 4 # 3 default + 1 custom permissions + assert len(response.json()) == 5 # 4 default permissions + 1 custom permission async def test_remove_role_from_group( self, @@ -182,4 +182,4 @@ class TestRolesPermissionsRoutes: ) assert response.status_code == status.HTTP_204_NO_CONTENT permissions = await rbac_repo.get_role_permissions(role_in_db.role_id) - assert len(permissions) == 3 # 3 default permissions + assert len(permissions) == 4 # 4 default permissions diff --git a/tests/api/routes/controller/test_users.py b/tests/api/routes/controller/test_users.py index 36b16c10..ce0d8801 100644 --- a/tests/api/routes/controller/test_users.py +++ b/tests/api/routes/controller/test_users.py @@ -25,9 +25,12 @@ from jose import jwt from sqlalchemy.ext.asyncio import AsyncSession from gns3server.db.repositories.users import UsersRepository +from gns3server.db.repositories.rbac import RbacRepository +from gns3server.schemas.controller.rbac import Permission, HTTPMethods, PermissionAction from gns3server.services import auth_service from gns3server.config import Config from gns3server.schemas.controller.users import User +from gns3server import schemas import gns3server.db.models as models pytestmark = pytest.mark.asyncio @@ -341,3 +344,79 @@ class TestSuperAdmin: # response = await client.get(app.url_path_for("get_user_memberships", user_id=admin_in_db.user_id)) # assert response.status_code == status.HTTP_200_OK # assert len(response.json()) == 1 + +@pytest.fixture +async def test_permission(db_session: AsyncSession) -> Permission: + + new_permission = schemas.PermissionCreate( + methods=[HTTPMethods.get], + path="/statistics", + action=PermissionAction.allow + ) + rbac_repo = RbacRepository(db_session) + existing_permission = await rbac_repo.get_permission_by_path("/statistics") + if existing_permission: + return existing_permission + return await rbac_repo.create_permission(new_permission) + + +class TestUserPermissionsRoutes: + + async def test_add_permission_to_user( + self, + app: FastAPI, + client: AsyncClient, + test_user: User, + test_permission: Permission, + db_session: AsyncSession + ) -> None: + + response = await client.put( + app.url_path_for( + "add_permission_to_user", + user_id=str(test_user.user_id), + permission_id=str(test_permission.permission_id) + ) + ) + assert response.status_code == status.HTTP_204_NO_CONTENT + rbac_repo = RbacRepository(db_session) + permissions = await rbac_repo.get_user_permissions(test_user.user_id) + assert len(permissions) == 1 + assert permissions[0].permission_id == test_permission.permission_id + + async def test_get_user_permissions( + self, + app: FastAPI, + client: AsyncClient, + test_user: User, + db_session: AsyncSession + ) -> None: + + response = await client.get( + app.url_path_for( + "get_user_permissions", + user_id=str(test_user.user_id)) + ) + assert response.status_code == status.HTTP_200_OK + assert len(response.json()) == 1 + + async def test_remove_permission_from_user( + self, + app: FastAPI, + client: AsyncClient, + test_user: User, + test_permission: Permission, + db_session: AsyncSession + ) -> None: + + response = await client.delete( + app.url_path_for( + "remove_permission_from_user", + user_id=str(test_user.user_id), + permission_id=str(test_permission.permission_id) + ), + ) + assert response.status_code == status.HTTP_204_NO_CONTENT + rbac_repo = RbacRepository(db_session) + permissions = await rbac_repo.get_user_permissions(test_user.user_id) + assert len(permissions) == 0 diff --git a/tests/controller/test_rbac.py b/tests/controller/test_rbac.py new file mode 100644 index 00000000..faa4e6df --- /dev/null +++ b/tests/controller/test_rbac.py @@ -0,0 +1,203 @@ +#!/usr/bin/env python +# +# Copyright (C) 2021 GNS3 Technologies Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import pytest + +from fastapi import FastAPI, status +from httpx import AsyncClient + +from sqlalchemy.ext.asyncio import AsyncSession +from gns3server.db.repositories.rbac import RbacRepository +from gns3server.db.models import User + +pytestmark = pytest.mark.asyncio + + +class TestPermissions: + + @pytest.mark.parametrize( + "method, path, result", + ( + ("GET", "/users", False), + ("GET", "/projects", True), + ("GET", "/projects/e451ad73-2519-4f83-87fe-a8e821792d44", False), + ("POST", "/projects", True), + ("GET", "/templates", True), + ("GET", "/templates/62e92cf1-244a-4486-8dae-b95439b54da9", False), + ("POST", "/templates", True), + ("GET", "/computes", True), + ("GET", "/computes/local", True), + ("GET", "/symbols", True), + ("GET", "/symbols/default_symbols", True), + ), + ) + async def test_default_permissions_user_group( + self, + app: FastAPI, + authorized_client: AsyncClient, + test_user: User, + db_session: AsyncSession, + method: str, + path: str, + result: bool + ) -> None: + + rbac_repo = RbacRepository(db_session) + authorized = await rbac_repo.check_user_is_authorized(test_user.user_id, method, path) + assert authorized == result + + +class TestProjectsWithRbac: + + async def test_admin_create_project(self, app: FastAPI, client: AsyncClient): + + params = {"name": "Admin project"} + response = await client.post(app.url_path_for("create_project"), json=params) + assert response.status_code == status.HTTP_201_CREATED + + async def test_user_only_access_own_projects( + self, + app: FastAPI, + authorized_client: AsyncClient, + test_user: User, + db_session: AsyncSession + ) -> None: + + params = {"name": "User project"} + response = await authorized_client.post(app.url_path_for("create_project"), json=params) + assert response.status_code == status.HTTP_201_CREATED + project_id = response.json()["project_id"] + + rbac_repo = RbacRepository(db_session) + permissions_in_db = await rbac_repo.get_user_permissions(test_user.user_id) + assert len(permissions_in_db) == 1 + assert permissions_in_db[0].path == f"/projects/{project_id}/*" + + response = await authorized_client.get(app.url_path_for("get_projects")) + assert response.status_code == status.HTTP_200_OK + projects = response.json() + assert len(projects) == 1 + + async def test_admin_access_all_projects(self, app: FastAPI, client: AsyncClient): + + response = await client.get(app.url_path_for("get_projects")) + assert response.status_code == status.HTTP_200_OK + projects = response.json() + assert len(projects) == 2 + + async def test_admin_user_give_permission_on_project( + self, + app: FastAPI, + client: AsyncClient, + test_user: User + ): + + response = await client.get(app.url_path_for("get_projects")) + assert response.status_code == status.HTTP_200_OK + projects = response.json() + project_id = None + for project in projects: + if project["name"] == "Admin project": + project_id = project["project_id"] + break + + new_permission = { + "methods": ["GET"], + "path": f"/projects/{project_id}", + "action": "ALLOW" + } + response = await client.post(app.url_path_for("create_permission"), json=new_permission) + assert response.status_code == status.HTTP_201_CREATED + permission_id = response.json()["permission_id"] + + response = await client.put( + app.url_path_for( + "add_permission_to_user", + user_id=test_user.user_id, + permission_id=permission_id + ) + ) + assert response.status_code == status.HTTP_204_NO_CONTENT + + async def test_user_access_admin_project( + self, + app: FastAPI, + authorized_client: AsyncClient, + test_user: User, + db_session: AsyncSession + ) -> None: + + response = await authorized_client.get(app.url_path_for("get_projects")) + assert response.status_code == status.HTTP_200_OK + projects = response.json() + assert len(projects) == 2 + + +class TestTemplatesWithRbac: + + async def test_admin_create_template(self, app: FastAPI, client: AsyncClient): + + new_template = {"base_script_file": "vpcs_base_config.txt", + "category": "guest", + "console_auto_start": False, + "console_type": "telnet", + "default_name_format": "PC{0}", + "name": "ADMIN_VPCS_TEMPLATE", + "compute_id": "local", + "symbol": ":/symbols/vpcs_guest.svg", + "template_type": "vpcs"} + + response = await client.post(app.url_path_for("create_template"), json=new_template) + assert response.status_code == status.HTTP_201_CREATED + + async def test_user_only_access_own_templates( + self, app: FastAPI, + authorized_client: AsyncClient, + test_user: User, + db_session: AsyncSession + ) -> None: + + new_template = {"base_script_file": "vpcs_base_config.txt", + "category": "guest", + "console_auto_start": False, + "console_type": "telnet", + "default_name_format": "PC{0}", + "name": "USER_VPCS_TEMPLATE", + "compute_id": "local", + "symbol": ":/symbols/vpcs_guest.svg", + "template_type": "vpcs"} + + response = await authorized_client.post(app.url_path_for("create_template"), json=new_template) + assert response.status_code == status.HTTP_201_CREATED + template_id = response.json()["template_id"] + + rbac_repo = RbacRepository(db_session) + permissions_in_db = await rbac_repo.get_user_permissions(test_user.user_id) + assert len(permissions_in_db) == 1 + assert permissions_in_db[0].path == f"/templates/{template_id}/*" + + response = await authorized_client.get(app.url_path_for("get_templates")) + assert response.status_code == status.HTTP_200_OK + templates = [template for template in response.json() if template["builtin"] is False] + assert len(templates) == 1 + + async def test_admin_access_all_templates(self, app: FastAPI, client: AsyncClient): + + response = await client.get(app.url_path_for("get_templates")) + assert response.status_code == status.HTTP_200_OK + templates = [template for template in response.json() if template["builtin"] is False] + assert len(templates) == 2