From 77d4eabadcbceb904e26bace34cb229b950cf910 Mon Sep 17 00:00:00 2001 From: grossmj Date: Sat, 12 Aug 2023 17:31:58 +1000 Subject: [PATCH 01/19] Catch ConnectionResetError exception when client disconnects --- gns3server/web/route.py | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/gns3server/web/route.py b/gns3server/web/route.py index 115d209c..4a7103a3 100644 --- a/gns3server/web/route.py +++ b/gns3server/web/route.py @@ -232,8 +232,7 @@ class Route(object): response.set_status(408) response.json({"message": "Request canceled", "status": 408}) raise # must raise to let aiohttp know the connection has been closed - except aiohttp.ClientError: - log.warning("Client error") + except (ConnectionResetError, aiohttp.ClientError): response = Response(request=request, route=route) response.set_status(408) response.json({"message": "Client error", "status": 408}) From 2d7438446cfaf8bd9b7af557eb9fb15e05002bc7 Mon Sep 17 00:00:00 2001 From: grossmj Date: Sat, 12 Aug 2023 17:47:48 +1000 Subject: [PATCH 02/19] Upgrade dependencies --- requirements.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/requirements.txt b/requirements.txt index ba457a97..7116e212 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,8 +1,8 @@ -jsonschema>=4.17.3,<4.18; python_version >= '3.7' +jsonschema>=4.19.0,<4.20; python_version >= '3.7' jsonschema==3.2.0; python_version < '3.7' # v3.2.0 is the last version to support Python 3.6 -aiohttp>=3.8.4,<3.9 +aiohttp>=3.8.5,<3.9 aiohttp-cors>=0.7.0,<0.8 -aiofiles>=23.1.0,<23.2; python_version >= '3.7' +aiofiles>=23.2.1,<23.3; python_version >= '3.7' aiofiles==0.8.0; python_version < '3.7' # v0.8.0 is the last version to support Python 3.6 Jinja2>=3.1.2,<3.2; python_version >= '3.7' Jinja2==3.0.3; python_version < '3.7' # v3.0.3 is the last version to support Python 3.6 From 6a614fbd78b630c2473cd702f4211180e8c24b1a Mon Sep 17 00:00:00 2001 From: grossmj Date: Sat, 12 Aug 2023 17:51:24 +1000 Subject: [PATCH 03/19] Downgrade jsonschema --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 7116e212..de280d34 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,4 +1,4 @@ -jsonschema>=4.19.0,<4.20; python_version >= '3.7' +jsonschema>=4.17.3,<4.18; python_version >= '3.7' # v4.17.3 is the last version to support Python 3.7 jsonschema==3.2.0; python_version < '3.7' # v3.2.0 is the last version to support Python 3.6 aiohttp>=3.8.5,<3.9 aiohttp-cors>=0.7.0,<0.8 From df2f96828eeefc2ed60fce9697843ebc751d11d6 Mon Sep 17 00:00:00 2001 From: grossmj Date: Sat, 12 Aug 2023 18:48:43 +1000 Subject: [PATCH 04/19] Use the user data dir to store built-in appliances --- gns3server/controller/__init__.py | 2 ++ gns3server/controller/appliance_manager.py | 13 +++++++------ requirements.txt | 1 + 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/gns3server/controller/__init__.py b/gns3server/controller/__init__.py index 2220f7e5..19d7976e 100644 --- a/gns3server/controller/__init__.py +++ b/gns3server/controller/__init__.py @@ -255,6 +255,8 @@ class Controller: if not previous_version or \ parse_version(__version__.split("+")[0]) > parse_version(previous_version.split("+")[0]): self._appliance_manager.install_builtin_appliances() + elif not os.listdir(self._appliance_manager.builtin_appliances_path()): + self._appliance_manager.install_builtin_appliances() self._appliance_manager.appliances_etag = controller_settings.get("appliances_etag") self._appliance_manager.load_appliances() diff --git a/gns3server/controller/appliance_manager.py b/gns3server/controller/appliance_manager.py index 76cadfbf..d6878d71 100644 --- a/gns3server/controller/appliance_manager.py +++ b/gns3server/controller/appliance_manager.py @@ -21,6 +21,7 @@ import uuid import asyncio import aiohttp import shutil +import platformdirs try: @@ -81,13 +82,13 @@ class ApplianceManager: os.makedirs(appliances_path, exist_ok=True) return appliances_path - def _builtin_appliances_path(self, delete_first=False): + def builtin_appliances_path(self, delete_first=False): """ Get the built-in appliance storage directory """ - config = Config.instance() - appliances_dir = os.path.join(config.config_dir, "appliances") + appname = vendor = "GNS3" + appliances_dir = os.path.join(platformdirs.user_data_dir(appname, vendor, roaming=True), "appliances") if delete_first: shutil.rmtree(appliances_dir, ignore_errors=True) os.makedirs(appliances_dir, exist_ok=True) @@ -98,7 +99,7 @@ class ApplianceManager: At startup we copy the built-in appliances files. """ - dst_path = self._builtin_appliances_path(delete_first=True) + dst_path = self.builtin_appliances_path(delete_first=True) log.info(f"Installing built-in appliances in '{dst_path}'") from . import Controller try: @@ -112,7 +113,7 @@ class ApplianceManager: """ self._appliances = {} - for directory, builtin in ((self._builtin_appliances_path(), True,), (self._custom_appliances_path(), False,)): + for directory, builtin in ((self.builtin_appliances_path(), True,), (self._custom_appliances_path(), False,)): if directory and os.path.isdir(directory): for file in os.listdir(directory): if not file.endswith('.gns3a') and not file.endswith('.gns3appliance'): @@ -215,7 +216,7 @@ class ApplianceManager: from . import Controller Controller.instance().save() json_data = await response.json() - appliances_dir = self._builtin_appliances_path() + appliances_dir = self.builtin_appliances_path() downloaded_appliance_files = [] for appliance in json_data: if appliance["type"] == "file": diff --git a/requirements.txt b/requirements.txt index de280d34..392d35df 100644 --- a/requirements.txt +++ b/requirements.txt @@ -11,6 +11,7 @@ psutil==5.9.5 async-timeout>=4.0.2,<4.1 distro>=1.8.0 py-cpuinfo>=9.0.0,<10.0 +platformdirs>=3.10.0 importlib-resources>=1.3; python_version <= '3.9' truststore>=0.7.0; python_version >= '3.10' setuptools>=60.8.1; python_version >= '3.7' From 090d1c8c84c4b6859d60e38fe2d46388f4c5fd9e Mon Sep 17 00:00:00 2001 From: grossmj Date: Sat, 12 Aug 2023 19:04:14 +1000 Subject: [PATCH 05/19] Only use platformdirs with Python >= '3.7' --- gns3server/controller/appliance_manager.py | 11 ++++++++--- requirements.txt | 2 +- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/gns3server/controller/appliance_manager.py b/gns3server/controller/appliance_manager.py index d6878d71..53daed1b 100644 --- a/gns3server/controller/appliance_manager.py +++ b/gns3server/controller/appliance_manager.py @@ -21,7 +21,6 @@ import uuid import asyncio import aiohttp import shutil -import platformdirs try: @@ -87,8 +86,14 @@ class ApplianceManager: Get the built-in appliance storage directory """ - appname = vendor = "GNS3" - appliances_dir = os.path.join(platformdirs.user_data_dir(appname, vendor, roaming=True), "appliances") + try: + import platformdirs + appname = vendor = "GNS3" + appliances_dir = os.path.join(platformdirs.user_data_dir(appname, vendor, roaming=True), "appliances") + except ImportError: + # platformdirs is not available on Python 3.6, use the old method + config = Config.instance() + appliances_dir = os.path.join(config.config_dir, "appliances") if delete_first: shutil.rmtree(appliances_dir, ignore_errors=True) os.makedirs(appliances_dir, exist_ok=True) diff --git a/requirements.txt b/requirements.txt index 392d35df..67b604f2 100644 --- a/requirements.txt +++ b/requirements.txt @@ -11,7 +11,7 @@ psutil==5.9.5 async-timeout>=4.0.2,<4.1 distro>=1.8.0 py-cpuinfo>=9.0.0,<10.0 -platformdirs>=3.10.0 +platformdirs>=3.10.0; python_version >= '3.7' importlib-resources>=1.3; python_version <= '3.9' truststore>=0.7.0; python_version >= '3.10' setuptools>=60.8.1; python_version >= '3.7' From a69feb3682d983cbf263d33209cab604c357ec8b Mon Sep 17 00:00:00 2001 From: grossmj Date: Sat, 12 Aug 2023 19:15:29 +1000 Subject: [PATCH 06/19] Use an older version of platformdirs --- gns3server/controller/appliance_manager.py | 11 +++-------- requirements.txt | 2 +- 2 files changed, 4 insertions(+), 9 deletions(-) diff --git a/gns3server/controller/appliance_manager.py b/gns3server/controller/appliance_manager.py index 53daed1b..d6878d71 100644 --- a/gns3server/controller/appliance_manager.py +++ b/gns3server/controller/appliance_manager.py @@ -21,6 +21,7 @@ import uuid import asyncio import aiohttp import shutil +import platformdirs try: @@ -86,14 +87,8 @@ class ApplianceManager: Get the built-in appliance storage directory """ - try: - import platformdirs - appname = vendor = "GNS3" - appliances_dir = os.path.join(platformdirs.user_data_dir(appname, vendor, roaming=True), "appliances") - except ImportError: - # platformdirs is not available on Python 3.6, use the old method - config = Config.instance() - appliances_dir = os.path.join(config.config_dir, "appliances") + appname = vendor = "GNS3" + appliances_dir = os.path.join(platformdirs.user_data_dir(appname, vendor, roaming=True), "appliances") if delete_first: shutil.rmtree(appliances_dir, ignore_errors=True) os.makedirs(appliances_dir, exist_ok=True) diff --git a/requirements.txt b/requirements.txt index 67b604f2..3153ce45 100644 --- a/requirements.txt +++ b/requirements.txt @@ -11,7 +11,7 @@ psutil==5.9.5 async-timeout>=4.0.2,<4.1 distro>=1.8.0 py-cpuinfo>=9.0.0,<10.0 -platformdirs>=3.10.0; python_version >= '3.7' +platformdirs>=2.4.0 importlib-resources>=1.3; python_version <= '3.9' truststore>=0.7.0; python_version >= '3.10' setuptools>=60.8.1; python_version >= '3.7' From d6e1ee5dbb0c21badc48666042104e6593b7233f Mon Sep 17 00:00:00 2001 From: grossmj Date: Sun, 27 Aug 2023 18:30:37 +1000 Subject: [PATCH 07/19] Prevent X11 socket file to be modified by Docker container --- gns3server/compute/docker/docker_vm.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gns3server/compute/docker/docker_vm.py b/gns3server/compute/docker/docker_vm.py index a10312e3..500e526d 100644 --- a/gns3server/compute/docker/docker_vm.py +++ b/gns3server/compute/docker/docker_vm.py @@ -406,7 +406,7 @@ class DockerVM(BaseNode): await self._start_vnc() params["Env"].append("QT_GRAPHICSSYSTEM=native") # To fix a Qt issue: https://github.com/GNS3/gns3-server/issues/556 params["Env"].append("DISPLAY=:{}".format(self._display)) - params["HostConfig"]["Binds"].append("/tmp/.X11-unix/:/tmp/.X11-unix/") + params["HostConfig"]["Binds"].append("/tmp/.X11-unix/X{0}:/tmp/.X11-unix/X{0}:ro".format(self._display)) if self._extra_hosts: extra_hosts = self._format_extra_hosts(self._extra_hosts) From c2783d355f638d0ae2a1678f0d9a1242a208e50a Mon Sep 17 00:00:00 2001 From: grossmj Date: Sun, 27 Aug 2023 18:41:25 +1000 Subject: [PATCH 08/19] Fix test_create_vnc test --- tests/compute/docker/test_docker_vm.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/compute/docker/test_docker_vm.py b/tests/compute/docker/test_docker_vm.py index 9396cc89..3a395a56 100644 --- a/tests/compute/docker/test_docker_vm.py +++ b/tests/compute/docker/test_docker_vm.py @@ -182,7 +182,7 @@ async def test_create_vnc(compute_project, manager): "Binds": [ "{}:/gns3:ro".format(get_resource("compute/docker/resources")), "{}:/gns3volumes/etc/network".format(os.path.join(vm.working_dir, "etc", "network")), - '/tmp/.X11-unix/:/tmp/.X11-unix/' + "/tmp/.X11-unix/X{0}:/tmp/.X11-unix/X{0}:ro".format(vm._display) ], "Privileged": True }, From 66047b343159a44c9a480ef9f6c7ef8e32c5059a Mon Sep 17 00:00:00 2001 From: grossmj Date: Sun, 3 Sep 2023 17:31:05 +0700 Subject: [PATCH 09/19] Fix OAuth2PasswordBearer token URL --- gns3server/api/routes/controller/dependencies/authentication.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gns3server/api/routes/controller/dependencies/authentication.py b/gns3server/api/routes/controller/dependencies/authentication.py index fa846cb4..ce49ab0a 100644 --- a/gns3server/api/routes/controller/dependencies/authentication.py +++ b/gns3server/api/routes/controller/dependencies/authentication.py @@ -26,7 +26,7 @@ from gns3server.db.repositories.rbac import RbacRepository from gns3server.services import auth_service from .database import get_repository -oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/v3/users/login", auto_error=False) +oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/v3/access/users/login", auto_error=False) async def get_user_from_token( From 8aa9d1aae635aedf3b2ef19c2022ef8689d5bbfb Mon Sep 17 00:00:00 2001 From: grossmj Date: Sun, 3 Sep 2023 17:58:51 +0700 Subject: [PATCH 10/19] Upgrade dependencies and fix user group tests --- gns3server/api/routes/controller/groups.py | 5 ++++ requirements.txt | 4 +-- tests/api/routes/controller/test_groups.py | 30 +++++++++++++++++++--- 3 files changed, 33 insertions(+), 6 deletions(-) diff --git a/gns3server/api/routes/controller/groups.py b/gns3server/api/routes/controller/groups.py index d4652353..c74f2b8c 100644 --- a/gns3server/api/routes/controller/groups.py +++ b/gns3server/api/routes/controller/groups.py @@ -196,6 +196,11 @@ async def add_member_to_group( if not user: raise ControllerNotFoundError(f"User '{user_id}' not found") + user_groups = await users_repo.get_user_memberships(user_id) + for group in user_groups: + if group.user_group_id == user_group_id: + raise ControllerBadRequestError(f"Username '{user.username}' is already member of group '{group.name}'") + user_group = await users_repo.add_member_to_user_group(user_group_id, user) if not user_group: raise ControllerNotFoundError(f"User group '{user_group_id}' not found") diff --git a/requirements.txt b/requirements.txt index cd5242e6..1c5b44b2 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,5 +1,5 @@ uvicorn==0.22.0 # v0.22.0 is the last to support Python 3.7 -fastapi==0.103.0 +fastapi==0.103.1 python-multipart==0.0.6 websockets==11.0.3 aiohttp>=3.8.5,<3.9 @@ -10,7 +10,7 @@ sentry-sdk==1.30.0,<1.31 psutil==5.9.5 distro>=1.8.0 py-cpuinfo==9.0.0 -sqlalchemy==2.0.18 +sqlalchemy==2.0.20 aiosqlite==0.19.0 alembic==1.12.0 passlib[bcrypt]==1.7.4 diff --git a/tests/api/routes/controller/test_groups.py b/tests/api/routes/controller/test_groups.py index 5dee0809..642f283e 100644 --- a/tests/api/routes/controller/test_groups.py +++ b/tests/api/routes/controller/test_groups.py @@ -22,7 +22,7 @@ from httpx import AsyncClient from sqlalchemy.ext.asyncio import AsyncSession from gns3server.db.repositories.users import UsersRepository -from gns3server.schemas.controller.users import User +from gns3server.schemas.controller.users import User, UserGroupCreate pytestmark = pytest.mark.asyncio @@ -106,7 +106,7 @@ class TestGroupRoutes: class TestGroupMembersRoutes: - async def test_add_member_to_group( + async def test_add_to_group_already_member( self, app: FastAPI, client: AsyncClient, @@ -123,6 +123,28 @@ class TestGroupMembersRoutes: user_id=str(test_user.user_id) ) ) + assert response.status_code == status.HTTP_400_BAD_REQUEST + + async def test_add_member_to_group( + self, + app: FastAPI, + client: AsyncClient, + test_user: User, + db_session: AsyncSession + ) -> None: + + user_repo = UsersRepository(db_session) + new_user_group = UserGroupCreate( + name="test_group", + ) + group_in_db = await user_repo.create_user_group(new_user_group) + response = await client.put( + app.url_path_for( + "add_member_to_group", + user_group_id=group_in_db.user_group_id, + user_id=str(test_user.user_id) + ) + ) assert response.status_code == status.HTTP_204_NO_CONTENT members = await user_repo.get_user_group_members(group_in_db.user_group_id) assert len(members) == 1 @@ -136,7 +158,7 @@ class TestGroupMembersRoutes: ) -> None: user_repo = UsersRepository(db_session) - group_in_db = await user_repo.get_user_group_by_name("Users") + group_in_db = await user_repo.get_user_group_by_name("test_group") response = await client.get( app.url_path_for( "get_user_group_members", @@ -154,7 +176,7 @@ class TestGroupMembersRoutes: ) -> None: user_repo = UsersRepository(db_session) - group_in_db = await user_repo.get_user_group_by_name("Users") + group_in_db = await user_repo.get_user_group_by_name("test_group") response = await client.delete( app.url_path_for( From 0c12849d0dbf8fad2b639a402472656831a9f73f Mon Sep 17 00:00:00 2001 From: grossmj Date: Wed, 6 Sep 2023 16:28:46 +0700 Subject: [PATCH 11/19] Use controller vars file to store version and appliance etag --- gns3server/config.py | 9 +++ gns3server/controller/__init__.py | 121 ++++++++++++------------------ 2 files changed, 59 insertions(+), 71 deletions(-) diff --git a/gns3server/config.py b/gns3server/config.py index a01b5491..0aee2117 100644 --- a/gns3server/config.py +++ b/gns3server/config.py @@ -147,6 +147,15 @@ class Config: return os.path.dirname(self._main_config_file) + @property + def controller_vars(self): + """ + Return the controller variables file path. + """ + + controller_vars_filename = "gns3_controller.vars" + return os.path.join(self.config_dir, controller_vars_filename) + @property def server_config(self): """ diff --git a/gns3server/controller/__init__.py b/gns3server/controller/__init__.py index 6608838a..7568b569 100644 --- a/gns3server/controller/__init__.py +++ b/gns3server/controller/__init__.py @@ -21,6 +21,7 @@ import uuid import shutil import asyncio import random +import json try: import importlib_resources @@ -42,7 +43,7 @@ from .topology import load_topology from .gns3vm import GNS3VM from .gns3vm.gns3_vm_error import GNS3VMError from .controller_error import ControllerError, ControllerNotFoundError - +from ..version import __version__ import logging @@ -64,7 +65,9 @@ class Controller: self.symbols = Symbols() self._appliance_manager = ApplianceManager() self._iou_license_settings = {"iourc_content": "", "license_check": True} - self._config_loaded = False + self._vars_loaded = False + self._vars_file = Config.instance().controller_vars + log.info(f'Loading controller vars file "{self._vars_file}"') async def start(self, computes=None): @@ -83,7 +86,7 @@ class Controller: if host == "0.0.0.0": host = "127.0.0.1" - self._load_controller_settings() + self._load_controller_vars() if server_config.enable_ssl: self._ssl_context = self._create_ssl_context(server_config) @@ -185,7 +188,7 @@ class Controller: async def reload(self): log.info("Controller is reloading") - self._load_controller_settings() + self._load_controller_vars() # remove all projects deleted from disk. for project in self._projects.copy().values(): @@ -198,65 +201,54 @@ class Controller: def save(self): """ - Save the controller configuration on disk + Save the controller vars on disk """ - if self._config_loaded is False: - return + controller_vars = dict() + if self._vars_loaded: + controller_vars = { + "appliances_etag": self._appliance_manager.appliances_etag, + "version": __version__ + } - if self._iou_license_settings["iourc_content"]: + if self._iou_license_settings["iourc_content"]: - iou_config = Config.instance().settings.IOU - server_config = Config.instance().settings.Server + iou_config = Config.instance().settings.IOU + server_config = Config.instance().settings.Server - if iou_config.iourc_path: - iourc_path = iou_config.iourc_path - else: - os.makedirs(server_config.secrets_dir, exist_ok=True) - iourc_path = os.path.join(server_config.secrets_dir, "gns3_iourc_license") + if iou_config.iourc_path: + iourc_path = iou_config.iourc_path + else: + os.makedirs(server_config.secrets_dir, exist_ok=True) + iourc_path = os.path.join(server_config.secrets_dir, "gns3_iourc_license") - try: - with open(iourc_path, "w+") as f: - f.write(self._iou_license_settings["iourc_content"]) - log.info(f"iourc file '{iourc_path}' saved") - except OSError as e: - log.error(f"Cannot write IOU license file '{iourc_path}': {e}") + try: + with open(iourc_path, "w+") as f: + f.write(self._iou_license_settings["iourc_content"]) + log.info(f"iourc file '{iourc_path}' saved") + except OSError as e: + log.error(f"Cannot write IOU license file '{iourc_path}': {e}") - if self._appliance_manager.appliances_etag: - etag_directory = os.path.dirname(Config.instance().server_config) - os.makedirs(etag_directory, exist_ok=True) - etag_appliances_path = os.path.join(etag_directory, "gns3_appliances_etag") + try: + os.makedirs(os.path.dirname(self._vars_file), exist_ok=True) + with open(self._vars_file, 'w+') as f: + json.dump(controller_vars, f, indent=4) + except OSError as e: + log.error(f"Cannot write controller vars file '{self._vars_file}': {e}") - try: - with open(etag_appliances_path, "w+") as f: - f.write(self._appliance_manager.appliances_etag) - log.info(f"etag appliances file '{etag_appliances_path}' saved") - except OSError as e: - log.error(f"Cannot write Etag appliance file '{etag_appliances_path}': {e}") - - def _load_controller_settings(self): + def _load_controller_vars(self): """ - Reload the controller configuration from disk + Reload the controller vars from disk """ - # try: - # if not os.path.exists(self._config_file): - # self._config_loaded = True - # self.save() - # with open(self._config_file) as f: - # controller_settings = json.load(f) - # except (OSError, ValueError) as e: - # log.critical("Cannot load configuration file '{}': {}".format(self._config_file, e)) - # return [] - - # load GNS3 VM settings - # if "gns3vm" in controller_settings: - # gns3_vm_settings = controller_settings["gns3vm"] - # if "port" not in gns3_vm_settings: - # # port setting was added in version 2.2.8 - # # the default port was 3080 before this - # gns3_vm_settings["port"] = 3080 - # self.gns3vm.settings = gns3_vm_settings + try: + if not os.path.exists(self._vars_file): + self.save() # this will create the vars file + with open(self._vars_file) as f: + controller_vars = json.load(f) + except (OSError, ValueError) as e: + log.critical(f"Cannot load controller vars file '{self._vars_file}': {e}") + return [] # load the IOU license settings iou_config = Config.instance().settings.IOU @@ -276,27 +268,16 @@ class Controller: log.info(f"iourc file '{iourc_path}' loaded") except OSError as e: log.error(f"Cannot read IOU license file '{iourc_path}': {e}") - self._iou_license_settings["license_check"] = iou_config.license_check - etag_directory = os.path.dirname(Config.instance().server_config) - etag_appliances_path = os.path.join(etag_directory, "gns3_appliances_etag") - self._appliance_manager.appliances_etag = None - if os.path.exists(etag_appliances_path): - try: - with open(etag_appliances_path) as f: - self._appliance_manager.appliances_etag = f.read() - log.info(f"etag appliances file '{etag_appliances_path}' loaded") - except OSError as e: - log.error(f"Cannot read Etag appliance file '{etag_appliances_path}': {e}") + current_version = __version__.split("+")[0] + previous_version = controller_vars.get("version", "").split("+")[0] + if not previous_version or parse_version(current_version) > parse_version(previous_version): + self._appliance_manager.install_builtin_appliances() - # FIXME install builtin appliances only once, need to store "version" somewhere... - #if parse_version(__version__.split("+")[0]) > parse_version(controller_settings.get("version", "")): - # self._appliance_manager.install_builtin_appliances() - - self._appliance_manager.install_builtin_appliances() + self._appliance_manager.appliances_etag = controller_vars.get("appliances_etag") self._appliance_manager.load_appliances() - self._config_loaded = True + self._vars_loaded = True async def load_projects(self): """ @@ -420,7 +401,6 @@ class Controller: compute = Compute(compute_id=compute_id, controller=self, name=name, **kwargs) self._computes[compute.id] = compute - # self.save() if connect: if wait_connection: await compute.connect() @@ -470,7 +450,6 @@ class Controller: await self.close_compute_projects(compute) await compute.close() del self._computes[compute_id] - # self.save() self.notification.controller_emit("compute.deleted", compute.asdict()) @property From 709aa460747d74cbfb3b1c640017d4be6dc586f0 Mon Sep 17 00:00:00 2001 From: grossmj Date: Wed, 6 Sep 2023 16:48:24 +0700 Subject: [PATCH 12/19] Fix issue with controller config saved before checking current version with previous one --- gns3server/controller/__init__.py | 44 +++++++++++++++---------------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/gns3server/controller/__init__.py b/gns3server/controller/__init__.py index 19d7976e..101854c9 100644 --- a/gns3server/controller/__init__.py +++ b/gns3server/controller/__init__.py @@ -191,29 +191,28 @@ class Controller: Save the controller configuration on disk """ - if self._config_loaded is False: - return + controller_settings = dict() + if self._config_loaded: + controller_settings = {"computes": [], + "templates": [], + "gns3vm": self.gns3vm.__json__(), + "iou_license": self._iou_license_settings, + "appliances_etag": self._appliance_manager.appliances_etag, + "version": __version__} - controller_settings = {"computes": [], - "templates": [], - "gns3vm": self.gns3vm.__json__(), - "iou_license": self._iou_license_settings, - "appliances_etag": self._appliance_manager.appliances_etag, - "version": __version__} + for template in self._template_manager.templates.values(): + if not template.builtin: + controller_settings["templates"].append(template.__json__()) - for template in self._template_manager.templates.values(): - if not template.builtin: - controller_settings["templates"].append(template.__json__()) - - for compute in self._computes.values(): - if compute.id != "local" and compute.id != "vm": - controller_settings["computes"].append({"host": compute.host, - "name": compute.name, - "port": compute.port, - "protocol": compute.protocol, - "user": compute.user, - "password": compute.password, - "compute_id": compute.id}) + for compute in self._computes.values(): + if compute.id != "local" and compute.id != "vm": + controller_settings["computes"].append({"host": compute.host, + "name": compute.name, + "port": compute.port, + "protocol": compute.protocol, + "user": compute.user, + "password": compute.password, + "compute_id": compute.id}) try: os.makedirs(os.path.dirname(self._config_file), exist_ok=True) @@ -229,8 +228,7 @@ class Controller: try: if not os.path.exists(self._config_file): - self._config_loaded = True - self.save() + self.save() # this will create the config file with open(self._config_file) as f: controller_settings = json.load(f) except (OSError, ValueError) as e: From c11b3c3911f31c67b5c9b362e35ff8009ef133b6 Mon Sep 17 00:00:00 2001 From: grossmj Date: Wed, 6 Sep 2023 23:42:50 +0700 Subject: [PATCH 13/19] Fix tests after merge --- gns3server/compute/docker/docker_vm.py | 3 ++- gns3server/controller/__init__.py | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/gns3server/compute/docker/docker_vm.py b/gns3server/compute/docker/docker_vm.py index dc04c1d6..62560deb 100644 --- a/gns3server/compute/docker/docker_vm.py +++ b/gns3server/compute/docker/docker_vm.py @@ -489,7 +489,8 @@ class DockerVM(BaseNode): params["HostConfig"]["Mounts"].append({ "Type": "bind", "Source": f"/tmp/.X11-unix/X{self._display}", - "Target": f"/tmp/.X11-unix/X{self._display}" + "Target": f"/tmp/.X11-unix/X{self._display}", + "ReadOnly": True }) if self._extra_hosts: diff --git a/gns3server/controller/__init__.py b/gns3server/controller/__init__.py index 2d06ca8d..4ecc9f08 100644 --- a/gns3server/controller/__init__.py +++ b/gns3server/controller/__init__.py @@ -270,7 +270,7 @@ class Controller: log.error(f"Cannot read IOU license file '{iourc_path}': {e}") self._iou_license_settings["license_check"] = iou_config.license_check - previous_version = controller_settings.get("version") + previous_version = controller_vars.get("version") log.info("Comparing controller version {} with config version {}".format(__version__, previous_version)) if not previous_version or \ parse_version(__version__.split("+")[0]) > parse_version(previous_version.split("+")[0]): From f7d287242f9bbc3caf2e1e6107ee15d80f725438 Mon Sep 17 00:00:00 2001 From: grossmj Date: Thu, 7 Sep 2023 16:32:04 +0700 Subject: [PATCH 14/19] Upgrade platformdirs --- requirements.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/requirements.txt b/requirements.txt index 2f8880f1..321af4f5 100644 --- a/requirements.txt +++ b/requirements.txt @@ -18,5 +18,5 @@ python-jose==3.3.0 email-validator==2.0.0.post2 watchfiles==0.20.0 zstandard==0.21.0 -platformdirs==2.4.0 +platformdirs==3.10.0 importlib_resources>=1.3 From d53ef175f8b16842e28c46b379c6ea3de0f3215d Mon Sep 17 00:00:00 2001 From: grossmj Date: Thu, 7 Sep 2023 17:31:11 +0700 Subject: [PATCH 15/19] DB and API for resource pools --- gns3server/api/routes/controller/__init__.py | 7 + gns3server/api/routes/controller/pools.py | 228 ++++++++++++++++++ gns3server/db/models/__init__.py | 2 +- .../db/models/{resource_pools.py => pools.py} | 0 gns3server/db/models/privileges.py | 12 + gns3server/db/repositories/pools.py | 206 ++++++++++++++++ gns3server/db/repositories/rbac.py | 2 +- gns3server/schemas/__init__.py | 1 + gns3server/schemas/controller/pools.py | 81 +++++++ tests/api/routes/controller/test_pools.py | 183 ++++++++++++++ 10 files changed, 720 insertions(+), 2 deletions(-) create mode 100644 gns3server/api/routes/controller/pools.py rename gns3server/db/models/{resource_pools.py => pools.py} (100%) create mode 100644 gns3server/db/repositories/pools.py create mode 100644 gns3server/schemas/controller/pools.py create mode 100644 tests/api/routes/controller/test_pools.py diff --git a/gns3server/api/routes/controller/__init__.py b/gns3server/api/routes/controller/__init__.py index 28ad9b01..3f37e920 100644 --- a/gns3server/api/routes/controller/__init__.py +++ b/gns3server/api/routes/controller/__init__.py @@ -32,6 +32,7 @@ from . import users from . import groups from . import roles from . import acl +from . import pools from .dependencies.authentication import get_current_active_user @@ -123,6 +124,12 @@ router.include_router( tags=["Appliances"] ) +router.include_router( + pools.router, + prefix="/pools", + tags=["Resource pools"] +) + router.include_router( gns3vm.router, dependencies=[Depends(get_current_active_user)], diff --git a/gns3server/api/routes/controller/pools.py b/gns3server/api/routes/controller/pools.py new file mode 100644 index 00000000..17e1c17c --- /dev/null +++ b/gns3server/api/routes/controller/pools.py @@ -0,0 +1,228 @@ +#!/usr/bin/env python +# +# Copyright (C) 2023 GNS3 Technologies Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +""" +API routes for resource pools. +""" + +from fastapi import APIRouter, Depends, status +from uuid import UUID +from typing import List + +from gns3server import schemas +from gns3server.controller.controller_error import ( + ControllerError, + ControllerBadRequestError, + ControllerNotFoundError +) + +from gns3server.controller import Controller +from gns3server.db.repositories.rbac import RbacRepository +from gns3server.db.repositories.pools import ResourcePoolsRepository + +from .dependencies.rbac import has_privilege +from .dependencies.database import get_repository + +import logging + +log = logging.getLogger(__name__) + +router = APIRouter() + + +@router.get( + "", + response_model=List[schemas.ResourcePool], + dependencies=[Depends(has_privilege("Pool.Audit"))] +) +async def get_resource_pools( + pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)) +) -> List[schemas.ResourcePool]: + """ + Get all resource pools. + + Required privilege: Pool.Audit + """ + + return await pools_repo.get_resource_pools() + + +@router.post( + "", + response_model=schemas.ResourcePool, + status_code=status.HTTP_201_CREATED, + dependencies=[Depends(has_privilege("Pool.Allocate"))] +) +async def create_resource_pool( + resource_pool_create: schemas.ResourcePoolCreate, + pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)) +) -> schemas.ResourcePool: + """ + Create a new resource pool + + Required privilege: Pool.Allocate + """ + + if await pools_repo.get_resource_pool_by_name(resource_pool_create.name): + raise ControllerBadRequestError(f"Resource pool '{resource_pool_create.name}' already exists") + + return await pools_repo.create_resource_pool(resource_pool_create) + + +@router.get( + "/{resource_pool_id}", + response_model=schemas.ResourcePool, + dependencies=[Depends(has_privilege("Pool.Audit"))] +) +async def get_resource_pool( + resource_pool_id: UUID, + pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)) +) -> schemas.ResourcePool: + """ + Get a resource pool. + + Required privilege: Pool.Audit + """ + + resource_pool = await pools_repo.get_resource_pool(resource_pool_id) + if not resource_pool: + raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found") + return resource_pool + + +@router.put( + "/{resource_pool_id}", + response_model=schemas.ResourcePool, + dependencies=[Depends(has_privilege("Pool.Modify"))] +) +async def update_resource_pool( + resource_pool_id: UUID, + resource_pool_update: schemas.ResourcePoolUpdate, + pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)) +) -> schemas.ResourcePool: + """ + Update a resource pool. + + Required privilege: Pool.Modify + """ + + resource_pool = await pools_repo.get_resource_pool(resource_pool_id) + if not resource_pool: + raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found") + + return await pools_repo.update_resource_pool(resource_pool_id, resource_pool_update) + + +@router.delete( + "/{resource_pool_id}", + status_code=status.HTTP_204_NO_CONTENT, + dependencies=[Depends(has_privilege("Pool.Allocate"))] +) +async def delete_resource_pool( + resource_pool_id: UUID, + pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)), + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> None: + """ + Delete a resource pool. + + Required privilege: Pool.Allocate + """ + + resource_pool = await pools_repo.get_resource_pool(resource_pool_id) + if not resource_pool: + raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found") + + success = await pools_repo.delete_resource_pool(resource_pool_id) + if not success: + raise ControllerError(f"Resource pool '{resource_pool_id}' could not be deleted") + await rbac_repo.delete_all_ace_starting_with_path(f"/pools/{resource_pool_id}") + + +@router.get( + "/{resource_pool_id}/resources", + response_model=List[schemas.Resource], + dependencies=[Depends(has_privilege("Pool.Audit"))] +) +async def get_pool_resources( + resource_pool_id: UUID, + pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)), +) -> List[schemas.Resource]: + """ + Get all resource in a pool. + + Required privilege: Pool.Audit + """ + + return await pools_repo.get_pool_resources(resource_pool_id) + + +@router.put( + "/{resource_pool_id}/resources/{resource_id}", + status_code=status.HTTP_204_NO_CONTENT, + dependencies=[Depends(has_privilege("Pool.Modify"))] +) +async def add_resource_to_pool( + resource_pool_id: UUID, + resource_id: UUID, + pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)), +) -> None: + """ + Add resource to a resource pool. + + Required privilege: Pool.Modify + """ + + resource_pool = await pools_repo.get_resource_pool(resource_pool_id) + if not resource_pool: + raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found") + + resources = await pools_repo.get_pool_resources(resource_pool_id) + for resource in resources: + if resource.resource_id == resource_id: + raise ControllerBadRequestError(f"Resource '{resource_id}' is already in '{resource_pool.name}'") + + # we only support projects in resource pools for now + project = Controller.instance().get_project(str(resource_id)) + resource_create = schemas.ResourceCreate(resource_id=resource_id, resource_type="project", name=project.name) + resource = await pools_repo.create_resource(resource_create) + await pools_repo.add_resource_to_pool(resource_pool_id, resource) + + +@router.delete( + "/{resource_pool_id}/resources/{resource_id}", + status_code=status.HTTP_204_NO_CONTENT, + dependencies=[Depends(has_privilege("Pool.Modify"))] +) +async def remove_resource_from_pool( + resource_pool_id: UUID, + resource_id: UUID, + pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)), +) -> None: + """ + Remove resource from a resource pool. + + Required privilege: Pool.Modify + """ + + resource = await pools_repo.get_resource(resource_id) + if not resource: + raise ControllerNotFoundError(f"Resource '{resource_id}' not found") + + resource_pool = await pools_repo.remove_resource_from_pool(resource_pool_id, resource) + if not resource_pool: + raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found") diff --git a/gns3server/db/models/__init__.py b/gns3server/db/models/__init__.py index c31c21b1..ed7c0142 100644 --- a/gns3server/db/models/__init__.py +++ b/gns3server/db/models/__init__.py @@ -22,7 +22,7 @@ from .roles import Role from .privileges import Privilege from .computes import Compute from .images import Image -from .resource_pools import Resource, ResourcePool +from .pools import Resource, ResourcePool from .templates import ( Template, CloudTemplate, diff --git a/gns3server/db/models/resource_pools.py b/gns3server/db/models/pools.py similarity index 100% rename from gns3server/db/models/resource_pools.py rename to gns3server/db/models/pools.py diff --git a/gns3server/db/models/privileges.py b/gns3server/db/models/privileges.py index 65f0df38..ad63503c 100644 --- a/gns3server/db/models/privileges.py +++ b/gns3server/db/models/privileges.py @@ -95,6 +95,18 @@ def create_default_roles(target, connection, **kw): "description": "Update an ACE", "name": "ACE.Modify" }, + { + "description": "Create or delete a resource pool", + "name": "Pool.Allocate" + }, + { + "description": "View a resource pool", + "name": "Pool.Audit" + }, + { + "description": "Update a resource pool", + "name": "Pool.Modify" + }, { "description": "Create or delete a template", "name": "Template.Allocate" diff --git a/gns3server/db/repositories/pools.py b/gns3server/db/repositories/pools.py new file mode 100644 index 00000000..5f3f259d --- /dev/null +++ b/gns3server/db/repositories/pools.py @@ -0,0 +1,206 @@ +#!/usr/bin/env python +# +# Copyright (C) 2023 GNS3 Technologies Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from uuid import UUID +from typing import Optional, List, Union +from sqlalchemy import select, update, delete +from sqlalchemy.ext.asyncio import AsyncSession +from sqlalchemy.orm import selectinload + +from .base import BaseRepository + +import gns3server.db.models as models +from gns3server import schemas + +import logging + +log = logging.getLogger(__name__) + + +class ResourcePoolsRepository(BaseRepository): + + def __init__(self, db_session: AsyncSession) -> None: + + super().__init__(db_session) + + async def get_resource(self, resource_id: UUID) -> Optional[models.Resource]: + """ + Get a resource by its ID. + """ + + query = select(models.Resource).where(models.Resource.resource_id == resource_id) + result = await self._db_session.execute(query) + return result.scalars().first() + + async def get_resources(self) -> List[models.Resource]: + """ + Get all resources. + """ + + query = select(models.Resource) + result = await self._db_session.execute(query) + return result.scalars().all() + + async def create_resource(self, resource: schemas.ResourceCreate) -> models.Resource: + """ + Create a new resource. + """ + + db_resource = models.Resource( + resource_id=resource.resource_id, + resource_type=resource.resource_type, + name=resource.name + ) + self._db_session.add(db_resource) + await self._db_session.commit() + await self._db_session.refresh(db_resource) + return db_resource + + async def delete_resource(self, resource_id: UUID) -> bool: + """ + Delete a resource. + """ + + query = delete(models.Resource).where(models.Resource.resource_id == resource_id) + result = await self._db_session.execute(query) + await self._db_session.commit() + return result.rowcount > 0 + + async def get_resource_pool(self, resource_pool_id: UUID) -> Optional[models.ResourcePool]: + """ + Get a resource pool by its ID. + """ + + query = select(models.ResourcePool).where(models.ResourcePool.resource_pool_id == resource_pool_id) + result = await self._db_session.execute(query) + return result.scalars().first() + + async def get_resource_pool_by_name(self, name: str) -> Optional[models.ResourcePool]: + """ + Get a resource pool by its name. + """ + + query = select(models.ResourcePool).where(models.ResourcePool.name == name) + result = await self._db_session.execute(query) + return result.scalars().first() + + async def get_resource_pools(self) -> List[models.ResourcePool]: + """ + Get all resource pools. + """ + + query = select(models.ResourcePool) + result = await self._db_session.execute(query) + return result.scalars().all() + + async def create_resource_pool(self, resource_pool: schemas.ResourcePoolCreate) -> models.ResourcePool: + """ + Create a new resource pool. + """ + + db_resource_pool = models.ResourcePool(name=resource_pool.name) + self._db_session.add(db_resource_pool) + await self._db_session.commit() + await self._db_session.refresh(db_resource_pool) + return db_resource_pool + + async def update_resource_pool( + self, + resource_pool_id: UUID, + resource_pool_update: schemas.ResourcePoolUpdate + ) -> Optional[models.ResourcePool]: + """ + Update a resource pool. + """ + + update_values = resource_pool_update.model_dump(exclude_unset=True) + query = update(models.ResourcePool).\ + where(models.ResourcePool.resource_pool_id == resource_pool_id).\ + values(update_values) + + await self._db_session.execute(query) + await self._db_session.commit() + resource_pool_db = await self.get_resource_pool(resource_pool_id) + if resource_pool_db: + await self._db_session.refresh(resource_pool_db) # force refresh of updated_at value + return resource_pool_db + + async def delete_resource_pool(self, resource_pool_id: UUID) -> bool: + """ + Delete a resource pool. + """ + + query = delete(models.ResourcePool).where(models.ResourcePool.resource_pool_id == resource_pool_id) + result = await self._db_session.execute(query) + await self._db_session.commit() + return result.rowcount > 0 + + async def add_resource_to_pool( + self, + resource_pool_id: UUID, + resource: models.Resource + ) -> Union[None, models.ResourcePool]: + """ + Add a resource to a resource pool. + """ + + query = select(models.ResourcePool).\ + options(selectinload(models.ResourcePool.resources)).\ + where(models.ResourcePool.resource_pool_id == resource_pool_id) + result = await self._db_session.execute(query) + resource_pool_db = result.scalars().first() + if not resource_pool_db: + return None + + resource_pool_db.resources.append(resource) + await self._db_session.commit() + await self._db_session.refresh(resource_pool_db) + return resource_pool_db + + async def remove_resource_from_pool( + self, + resource_pool_id: UUID, + resource: models.Resource + ) -> Union[None, models.ResourcePool]: + """ + Remove a resource from a resource pool. + """ + + query = select(models.ResourcePool).\ + options(selectinload(models.ResourcePool.resources)).\ + where(models.ResourcePool.resource_pool_id == resource_pool_id) + result = await self._db_session.execute(query) + resource_pool_db = result.scalars().first() + if not resource_pool_db: + return None + + resource_pool_db.resources.remove(resource) + await self._db_session.commit() + await self._db_session.refresh(resource_pool_db) + return resource_pool_db + + async def get_pool_resources(self, resource_pool_id: UUID) -> List[models.Resource]: + """ + Get all resources from a resource pool. + """ + + query = select(models.Resource).\ + join(models.Resource.resource_pools).\ + filter(models.ResourcePool.resource_pool_id == resource_pool_id) + + result = await self._db_session.execute(query) + return result.scalars().all() diff --git a/gns3server/db/repositories/rbac.py b/gns3server/db/repositories/rbac.py index cf1aa9a8..99ea8dea 100644 --- a/gns3server/db/repositories/rbac.py +++ b/gns3server/db/repositories/rbac.py @@ -18,7 +18,7 @@ from uuid import UUID from urllib.parse import urlparse from typing import Optional, List, Union -from sqlalchemy import select, update, delete, null +from sqlalchemy import select, update, delete from sqlalchemy.ext.asyncio import AsyncSession from sqlalchemy.orm import selectinload diff --git a/gns3server/schemas/__init__.py b/gns3server/schemas/__init__.py index 5b764c7e..d38b31d3 100644 --- a/gns3server/schemas/__init__.py +++ b/gns3server/schemas/__init__.py @@ -31,6 +31,7 @@ from .controller.nodes import NodeCreate, NodeUpdate, NodeDuplicate, NodeCapture from .controller.projects import ProjectCreate, ProjectUpdate, ProjectDuplicate, Project, ProjectFile, ProjectCompression from .controller.users import UserCreate, UserUpdate, LoggedInUserUpdate, User, Credentials, UserGroupCreate, UserGroupUpdate, UserGroup from .controller.rbac import RoleCreate, RoleUpdate, Role, Privilege, ACECreate, ACEUpdate, ACE +from .controller.pools import Resource, ResourceCreate, ResourcePoolCreate, ResourcePoolUpdate, ResourcePool from .controller.tokens import Token from .controller.snapshots import SnapshotCreate, Snapshot from .controller.iou_license import IOULicense diff --git a/gns3server/schemas/controller/pools.py b/gns3server/schemas/controller/pools.py new file mode 100644 index 00000000..0235cc1c --- /dev/null +++ b/gns3server/schemas/controller/pools.py @@ -0,0 +1,81 @@ +# +# Copyright (C) 2020 GNS3 Technologies Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +from typing import Optional +from pydantic import ConfigDict, BaseModel, Field +from uuid import UUID +from enum import Enum + +from .base import DateTimeModelMixin + + +class ResourceType(str, Enum): + + project = "project" + + +class ResourceBase(BaseModel): + """ + Common resource properties. + """ + + resource_id: UUID + resource_type: ResourceType = Field(..., description="Type of the resource") + name: Optional[str] = None + model_config = ConfigDict(use_enum_values=True) + + +class ResourceCreate(ResourceBase): + """ + Properties to create a resource. + """ + + pass + + +class Resource(DateTimeModelMixin, ResourceBase): + + model_config = ConfigDict(from_attributes=True) + + +class ResourcePoolBase(BaseModel): + """ + Common resource pool properties. + """ + + name: str + + +class ResourcePoolCreate(ResourcePoolBase): + """ + Properties to create a resource pool. + """ + + pass + + +class ResourcePoolUpdate(ResourcePoolBase): + """ + Properties to update a resource pool. + """ + + pass + + +class ResourcePool(DateTimeModelMixin, ResourcePoolBase): + + resource_pool_id: UUID + model_config = ConfigDict(from_attributes=True) diff --git a/tests/api/routes/controller/test_pools.py b/tests/api/routes/controller/test_pools.py new file mode 100644 index 00000000..38782e44 --- /dev/null +++ b/tests/api/routes/controller/test_pools.py @@ -0,0 +1,183 @@ +#!/usr/bin/env python +# +# Copyright (C) 2023 GNS3 Technologies Inc. +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +import uuid +import pytest +import pytest_asyncio + +from fastapi import FastAPI, status +from httpx import AsyncClient + +from sqlalchemy.ext.asyncio import AsyncSession +from gns3server.db.repositories.pools import ResourcePoolsRepository +from gns3server.controller import Controller +from gns3server.controller.project import Project +from gns3server.schemas.controller.pools import ResourceCreate, ResourcePoolCreate + +pytestmark = pytest.mark.asyncio + + +class TestPoolRoutes: + + async def test_resource_pool(self, app: FastAPI, client: AsyncClient) -> None: + + new_group = {"name": "pool1"} + response = await client.post(app.url_path_for("create_resource_pool"), json=new_group) + assert response.status_code == status.HTTP_201_CREATED + + async def test_get_resource_pool(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None: + + pools_repo = ResourcePoolsRepository(db_session) + pool_in_db = await pools_repo.get_resource_pool_by_name("pool1") + response = await client.get(app.url_path_for("get_resource_pool", resource_pool_id=pool_in_db.resource_pool_id)) + assert response.status_code == status.HTTP_200_OK + assert response.json()["resource_pool_id"] == str(pool_in_db.resource_pool_id) + + async def test_list_resource_pools(self, app: FastAPI, client: AsyncClient) -> None: + + response = await client.get(app.url_path_for("get_resource_pools")) + assert response.status_code == status.HTTP_200_OK + assert len(response.json()) == 1 + + async def test_update_resource_pool(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None: + + pools_repo = ResourcePoolsRepository(db_session) + pool_in_db = await pools_repo.get_resource_pool_by_name("pool1") + + update_pool = {"name": "pool42"} + response = await client.put( + app.url_path_for("update_resource_pool", resource_pool_id=pool_in_db.resource_pool_id), + json=update_pool + ) + assert response.status_code == status.HTTP_200_OK + updated_pool_in_db = await pools_repo.get_resource_pool(pool_in_db.resource_pool_id) + assert updated_pool_in_db.name == "pool42" + + async def test_resource_group( + self, + app: FastAPI, + client: AsyncClient, + db_session: AsyncSession + ) -> None: + + pools_repo = ResourcePoolsRepository(db_session) + pool_in_db = await pools_repo.get_resource_pool_by_name("pool42") + response = await client.delete(app.url_path_for("delete_resource_pool", resource_pool_id=pool_in_db.resource_pool_id)) + assert response.status_code == status.HTTP_204_NO_CONTENT + + +class TestResourcesPoolRoutes: + + @pytest_asyncio.fixture + async def project(self, app: FastAPI, client: AsyncClient, controller: Controller) -> Project: + project_id = str(uuid.uuid4()) + params = {"name": "test", "project_id": project_id} + await client.post(app.url_path_for("create_project"), json=params) + return controller.get_project(project_id) + + async def test_add_resource_to_pool( + self, + app: FastAPI, + client: AsyncClient, + db_session: AsyncSession, + project: Project + ) -> None: + + pools_repo = ResourcePoolsRepository(db_session) + new_resource_pool = ResourcePoolCreate( + name="pool1", + ) + pool_in_db = await pools_repo.create_resource_pool(new_resource_pool) + response = await client.put( + app.url_path_for( + "add_resource_to_pool", + resource_pool_id=pool_in_db.resource_pool_id, + resource_id=str(project.id) + ) + ) + assert response.status_code == status.HTTP_204_NO_CONTENT + resources = await pools_repo.get_pool_resources(pool_in_db.resource_pool_id) + assert len(resources) == 1 + assert str(resources[0].resource_id) == project.id + + async def test_add_to_resource_already_in_resource_pool( + self, + app: FastAPI, + client: AsyncClient, + db_session: AsyncSession, + project: Project + ) -> None: + + pools_repo = ResourcePoolsRepository(db_session) + pool_in_db = await pools_repo.get_resource_pool_by_name("pool1") + resource_create = ResourceCreate(resource_id=project.id, resource_type="project") + resource = await pools_repo.create_resource(resource_create) + await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource) + + response = await client.put( + app.url_path_for( + "add_resource_to_pool", + resource_pool_id=pool_in_db.resource_pool_id, + resource_id=str(resource.resource_id) + ) + ) + assert response.status_code == status.HTTP_400_BAD_REQUEST + + async def test_get_pool_resources( + self, + app: FastAPI, + client: AsyncClient, + db_session: AsyncSession + ) -> None: + + pools_repo = ResourcePoolsRepository(db_session) + pool_in_db = await pools_repo.get_resource_pool_by_name("pool1") + response = await client.get( + app.url_path_for( + "get_pool_resources", + resource_pool_id=pool_in_db.resource_pool_id) + ) + assert response.status_code == status.HTTP_200_OK + assert len(response.json()) == 2 + + async def test_remove_resource_from_pool( + self, + app: FastAPI, + client: AsyncClient, + db_session: AsyncSession, + project: Project + ) -> None: + + pools_repo = ResourcePoolsRepository(db_session) + pool_in_db = await pools_repo.get_resource_pool_by_name("pool1") + resource_create = ResourceCreate(resource_id=project.id, resource_type="project") + resource = await pools_repo.create_resource(resource_create) + await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource) + + resources = await pools_repo.get_pool_resources(pool_in_db.resource_pool_id) + assert len(resources) == 3 + + response = await client.delete( + app.url_path_for( + "remove_resource_from_pool", + resource_pool_id=pool_in_db.resource_pool_id, + resource_id=str(project.id) + ), + ) + assert response.status_code == status.HTTP_204_NO_CONTENT + resources = await pools_repo.get_pool_resources(pool_in_db.resource_pool_id) + assert len(resources) == 2 From a95dda0d1da4a9ef86bad7e3bd74b99c6b161562 Mon Sep 17 00:00:00 2001 From: grossmj Date: Mon, 11 Sep 2023 18:15:03 +0700 Subject: [PATCH 16/19] Complete resource pool support for projects --- gns3server/api/routes/controller/acl.py | 9 +- gns3server/api/routes/controller/projects.py | 28 ++++- gns3server/api/routes/controller/roles.py | 17 +++ gns3server/db/repositories/rbac.py | 115 +++++++++++++++---- tests/api/routes/controller/test_roles.py | 6 + tests/controller/test_rbac.py | 111 ++++++++++++++++++ 6 files changed, 256 insertions(+), 30 deletions(-) diff --git a/gns3server/api/routes/controller/acl.py b/gns3server/api/routes/controller/acl.py index 778ef51b..cef43bf2 100644 --- a/gns3server/api/routes/controller/acl.py +++ b/gns3server/api/routes/controller/acl.py @@ -38,6 +38,7 @@ from gns3server.db.repositories.users import UsersRepository from gns3server.db.repositories.rbac import RbacRepository from gns3server.db.repositories.images import ImagesRepository from gns3server.db.repositories.templates import TemplatesRepository +from gns3server.db.repositories.pools import ResourcePoolsRepository from .dependencies.database import get_repository from .dependencies.rbac import has_privilege @@ -57,7 +58,8 @@ async def endpoints( users_repo: UsersRepository = Depends(get_repository(UsersRepository)), rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)), images_repo: ImagesRepository = Depends(get_repository(ImagesRepository)), - templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)) + templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)), + pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)) ) -> List[dict]: """ List all endpoints to be used in ACL entries. @@ -128,6 +130,11 @@ async def endpoints( for template in templates: add_to_endpoints(f"/templates/{template.template_id}", f'Template "{template.name}"', "template") + # resource pools + add_to_endpoints("/pools", "All resource pools", "pool") + pools = await pools_repo.get_resource_pools() + for pool in pools: + add_to_endpoints(f"/pools/{pool.resource_pool_id}", f'Resource pool "{pool.name}"', "pool") return endpoints diff --git a/gns3server/api/routes/controller/projects.py b/gns3server/api/routes/controller/projects.py index d228fcf7..758ab79f 100644 --- a/gns3server/api/routes/controller/projects.py +++ b/gns3server/api/routes/controller/projects.py @@ -47,9 +47,11 @@ from gns3server.utils.asyncio import aiozipstream from gns3server.utils.path import is_safe_path from gns3server.db.repositories.templates import TemplatesRepository from gns3server.db.repositories.rbac import RbacRepository +from gns3server.db.repositories.pools import ResourcePoolsRepository from gns3server.services.templates import TemplatesService from .dependencies.rbac import has_privilege, has_privilege_on_websocket +from .dependencies.authentication import get_current_active_user from .dependencies.database import get_repository responses = {404: {"model": schemas.ErrorMessage, "description": "Could not find project"}} @@ -69,10 +71,13 @@ def dep_project(project_id: UUID) -> Project: @router.get( "", response_model=List[schemas.Project], - response_model_exclude_unset=True, - dependencies=[Depends(has_privilege("Project.Audit"))] + response_model_exclude_unset=True ) -async def get_projects() -> List[schemas.Project]: +async def get_projects( + current_user: schemas.User = Depends(get_current_active_user), + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)), + pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)) +) -> List[schemas.Project]: """ Return all projects. @@ -80,7 +85,22 @@ async def get_projects() -> List[schemas.Project]: """ controller = Controller.instance() - return [p.asdict() for p in controller.projects.values()] + projects = [] + + if current_user.is_superadmin: + # super admin sees all projects + return [p.asdict() for p in controller.projects.values()] + elif await rbac_repo.check_user_has_privilege(current_user.user_id, "/projects", "Project.Audit"): + # user with Project.Audit privilege on '/projects' sees all projects except those in resource pools + project_ids_in_pools = [str(r.resource_id) for r in await pools_repo.get_resources() if r.resource_type == "project"] + projects.extend([p.asdict() for p in controller.projects.values() if p.id not in project_ids_in_pools]) + + # user with Project.Audit privilege on resource pools sees the projects in these pools + user_pool_resources = await rbac_repo.get_user_pool_resources(current_user.user_id, "Project.Audit") + project_ids_in_pools = [str(r.resource_id) for r in user_pool_resources if r.resource_type == "project"] + projects.extend([p.asdict() for p in controller.projects.values() if p.id in project_ids_in_pools]) + + return projects @router.post( diff --git a/gns3server/api/routes/controller/roles.py b/gns3server/api/routes/controller/roles.py index f1a5434f..a3aceca3 100644 --- a/gns3server/api/routes/controller/roles.py +++ b/gns3server/api/routes/controller/roles.py @@ -81,6 +81,23 @@ async def create_role( return await rbac_repo.create_role(role_create) +@router.get( + "/privileges", + response_model=List[schemas.Privilege], + dependencies=[Depends(has_privilege("Role.Audit"))] +) +async def get_privileges( + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)), +) -> List[schemas.Privilege]: + """ + Get all available privileges. + + Required privilege: Role.Audit + """ + + return await rbac_repo.get_privileges() + + @router.get( "/{role_id}", response_model=schemas.Role, diff --git a/gns3server/db/repositories/rbac.py b/gns3server/db/repositories/rbac.py index 99ea8dea..a0ed5efc 100644 --- a/gns3server/db/repositories/rbac.py +++ b/gns3server/db/repositories/rbac.py @@ -309,6 +309,75 @@ class RbacRepository(BaseRepository): return True # only allow if the path is the original path or the ACE is set to propagate return False + async def _get_resources_in_pools(self, aces, path: str = None) -> List[models.Resource]: + """ + Get all resources in pools. + """ + + pool_resources = [] + for ace_path, ace_propagate, ace_allowed, ace_privilege in aces: + if ace_path.startswith("/pool"): + resource_pool_id = ace_path.split("/")[2] + query = select(models.Resource). \ + join(models.Resource.resource_pools). \ + filter(models.ResourcePool.resource_pool_id == resource_pool_id) + + result = await self._db_session.execute(query) + resources = result.scalars().all() + + for resource in resources: + # we only support projects in resource pools for now + if resource.resource_type == "project": + if path: + if path.startswith(f"/projects/{resource.resource_id}"): + pool_resources.append(resource) + else: + pool_resources.append(resource) + return pool_resources + + async def _get_user_aces(self, user_id: UUID, privilege_name: str): + """ + Retrieve all user ACEs matching the user_id and privilege name. + """ + + query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name).\ + join(models.Privilege.roles).\ + join(models.Role.acl_entries).\ + join(models.ACE.user). \ + filter(models.User.user_id == user_id).\ + filter(models.Privilege.name == privilege_name).\ + order_by(models.ACE.path.desc()) + + result = await self._db_session.execute(query) + return result.all() + + async def _get_group_aces(self, user_id: UUID, privilege_name: str): + """ + Retrieve all group ACEs matching the user_id and privilege name. + """ + + query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name). \ + join(models.Privilege.roles). \ + join(models.Role.acl_entries). \ + join(models.ACE.group). \ + join(models.UserGroup.users).\ + filter(models.User.user_id == user_id). \ + filter(models.Privilege.name == privilege_name) + + result = await self._db_session.execute(query) + return result.all() + + async def get_user_pool_resources(self, user_id: UUID, privilege_name: str) -> List[models.Resource]: + """ + Get all resources in pools belonging to a user and groups + """ + + user_aces = await self._get_user_aces(user_id, privilege_name) + pool_resources = await self._get_resources_in_pools(user_aces) + group_aces = await self._get_group_aces(user_id, privilege_name) + pool_resources.extend(await self._get_resources_in_pools(group_aces)) + return list(set(pool_resources)) + async def check_user_has_privilege(self, user_id: UUID, path: str, privilege_name: str) -> bool: """ Resource paths form a file system like tree and privileges can be inherited by paths down that tree @@ -321,38 +390,34 @@ class RbacRepository(BaseRepository): * Privileges on deeper levels replace those inherited from an upper level. """ - # retrieve all user ACEs matching the user_id and privilege name - query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name).\ - join(models.Privilege.roles).\ - join(models.Role.acl_entries).\ - join(models.ACE.user). \ - filter(models.User.user_id == user_id).\ - filter(models.Privilege.name == privilege_name).\ - order_by(models.ACE.path.desc()) - + query = select(models.Resource) result = await self._db_session.execute(query) - aces = result.all() + resources = result.scalars().all() + projects_in_pools = [f"/projects/{r.resource_id}" for r in resources if r.resource_type == "project"] + path_is_in_pool = False + for project_in_pool in projects_in_pools: + if path.startswith(project_in_pool): + path_is_in_pool = True + break + aces = await self._get_user_aces(user_id, privilege_name) try: - if self._check_path_with_aces(path, aces): - # the user has an ACE matching the path and privilege,there is no need to check group ACEs + if path_is_in_pool: + if await self._get_resources_in_pools(aces, path): + return True + elif self._check_path_with_aces(path, aces): + # the user has an ACE matching the path and privilege, there is no need to check group ACEs return True except PermissionError: return False - # retrieve all group ACEs matching the user_id and privilege name - query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name). \ - join(models.Privilege.roles). \ - join(models.Role.acl_entries). \ - join(models.ACE.group). \ - join(models.UserGroup.users).\ - filter(models.User.user_id == user_id). \ - filter(models.Privilege.name == privilege_name) - - result = await self._db_session.execute(query) - aces = result.all() - + aces = await self._get_group_aces(user_id, privilege_name) try: - return self._check_path_with_aces(path, aces) + if path_is_in_pool: + if await self._get_resources_in_pools(aces, path): + return True + elif self._check_path_with_aces(path, aces): + return True except PermissionError: return False + return False diff --git a/tests/api/routes/controller/test_roles.py b/tests/api/routes/controller/test_roles.py index b6fca22b..ec0f614d 100644 --- a/tests/api/routes/controller/test_roles.py +++ b/tests/api/routes/controller/test_roles.py @@ -42,6 +42,12 @@ class TestRolesRoutes: assert response.status_code == status.HTTP_200_OK assert response.json()["role_id"] == str(role_in_db.role_id) + async def test_get_privileges(self, app: FastAPI, client: AsyncClient): + + response = await client.get(app.url_path_for("get_privileges")) + assert response.status_code == status.HTTP_200_OK + assert len(response.json()) == 45 # 45 built-in privileges + async def test_list_roles(self, app: FastAPI, client: AsyncClient) -> None: response = await client.get(app.url_path_for("get_roles")) diff --git a/tests/controller/test_rbac.py b/tests/controller/test_rbac.py index 51339d83..7dde61e4 100644 --- a/tests/controller/test_rbac.py +++ b/tests/controller/test_rbac.py @@ -17,14 +17,18 @@ import pytest import pytest_asyncio +import uuid from fastapi import FastAPI, status from httpx import AsyncClient from sqlalchemy.ext.asyncio import AsyncSession +from gns3server.controller import Controller from gns3server.db.repositories.rbac import RbacRepository from gns3server.db.repositories.users import UsersRepository +from gns3server.db.repositories.pools import ResourcePoolsRepository from gns3server.schemas.controller.rbac import ACECreate +from gns3server.schemas.controller.pools import ResourceCreate, ResourcePoolCreate from gns3server.db.models import User pytestmark = pytest.mark.asyncio @@ -128,6 +132,113 @@ class TestPrivileges: authorized = await RbacRepository(db_session).check_user_has_privilege(test_user.user_id, path, privilege) assert authorized is True + +class TestResourcePools: + + async def test_resource_pool(self, test_user: User, db_session: AsyncSession): + + project_id = uuid.uuid4() + project_name = "project42" + + pools_repo = ResourcePoolsRepository(db_session) + new_resource_pool = ResourcePoolCreate(name="pool1") + pool_in_db = await pools_repo.create_resource_pool(new_resource_pool) + + resource_create = ResourceCreate(resource_id=project_id, resource_type="project", name=project_name) + resource = await pools_repo.create_resource(resource_create) + await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource) + + group_id = (await UsersRepository(db_session).get_user_group_by_name("Users")).user_group_id + role_id = (await RbacRepository(db_session).get_role_by_name("User")).role_id + ace = ACECreate( + path=f"/pools/{pool_in_db.resource_pool_id}", + ace_type="group", + propagate=False, + group_id=str(group_id), + role_id=str(role_id) + ) + await RbacRepository(db_session).create_ace(ace) + + privilege = "Project.Audit" + path = f"/projects/{project_id}" + authorized = await RbacRepository(db_session).check_user_has_privilege(test_user.user_id, path, privilege) + assert authorized is True + + async def test_list_projects_in_resource_pool( + self, + app: FastAPI, + controller: Controller, + authorized_client: AsyncClient, + db_session: AsyncSession + ) -> None: + + uuid1 = str(uuid.uuid4()) + uuid2 = str(uuid.uuid4()) + uuid3 = str(uuid.uuid4()) + await controller.add_project(project_id=uuid1, name="Project1") + await controller.add_project(project_id=uuid2, name="Project2") + await controller.add_project(project_id=uuid3, name="Project3") + + # user has no access to projects (no ACE on /projects or resource pools) + response = await authorized_client.get(app.url_path_for("get_projects")) + assert response.status_code == status.HTTP_200_OK + assert len(response.json()) == 0 + + pools_repo = ResourcePoolsRepository(db_session) + new_resource_pool = ResourcePoolCreate(name="pool2") + pool_in_db = await pools_repo.create_resource_pool(new_resource_pool) + + resource_create = ResourceCreate(resource_id=uuid2, resource_type="project", name="Project2") + resource = await pools_repo.create_resource(resource_create) + await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource) + + group_id = (await UsersRepository(db_session).get_user_group_by_name("Users")).user_group_id + role_id = (await RbacRepository(db_session).get_role_by_name("User")).role_id + ace = ACECreate( + path=f"/pools/{pool_in_db.resource_pool_id}", + ace_type="group", + propagate=False, + group_id=str(group_id), + role_id=str(role_id) + ) + await RbacRepository(db_session).create_ace(ace) + + response = await authorized_client.get(app.url_path_for("get_project", project_id=uuid2)) + assert response.status_code == status.HTTP_200_OK + assert response.json()["name"] == "Project2" + + # user should only see one project because it is in the resource pool he has access to + response = await authorized_client.get(app.url_path_for("get_projects")) + assert response.status_code == status.HTTP_200_OK + projects = response.json() + assert len(projects) == 1 + assert projects[0]["project_id"] == uuid2 + + ace = ACECreate( + path=f"/projects", + ace_type="group", + propagate=True, + group_id=str(group_id), + role_id=str(role_id) + ) + await RbacRepository(db_session).create_ace(ace) + + # now user should see all projects because he has access to /projects and the resource pool + response = await authorized_client.get(app.url_path_for("get_projects")) + assert response.status_code == status.HTTP_200_OK + projects = response.json() + assert len(projects) == 3 + + await RbacRepository(db_session).delete_all_ace_starting_with_path(f"/pools/{pool_in_db.resource_pool_id}") + response = await authorized_client.get(app.url_path_for("get_project", project_id=uuid2)) + assert response.status_code == status.HTTP_403_FORBIDDEN + + # now user should only see the projects that are not in a resource pool + response = await authorized_client.get(app.url_path_for("get_projects")) + assert response.status_code == status.HTTP_200_OK + assert len(response.json()) == 2 + + # class TestProjectsWithRbac: # # async def test_admin_create_project(self, app: FastAPI, client: AsyncClient): From 10eeefc1f5e01489bf9633fb1381f013717f633c Mon Sep 17 00:00:00 2001 From: Sylvain MATHIEU OBS Date: Tue, 12 Sep 2023 15:24:54 +0200 Subject: [PATCH 17/19] API: add endpoint to expose availables privileges to web UI --- gns3server/api/routes/controller/__init__.py | 7 +++ .../api/routes/controller/privileges.py | 43 +++++++++++++++++++ .../api/routes/controller/test_privileges.py | 25 +++++++++++ 3 files changed, 75 insertions(+) create mode 100644 gns3server/api/routes/controller/privileges.py create mode 100644 tests/api/routes/controller/test_privileges.py diff --git a/gns3server/api/routes/controller/__init__.py b/gns3server/api/routes/controller/__init__.py index 28ad9b01..0ebaeb32 100644 --- a/gns3server/api/routes/controller/__init__.py +++ b/gns3server/api/routes/controller/__init__.py @@ -32,6 +32,7 @@ from . import users from . import groups from . import roles from . import acl +from . import privileges from .dependencies.authentication import get_current_active_user @@ -60,6 +61,12 @@ router.include_router( tags=["Roles"] ) +router.include_router( + privileges.router, + prefix="/access/privileges", + tags=["Privileges"] +) + router.include_router( acl.router, prefix="/access/acl", diff --git a/gns3server/api/routes/controller/privileges.py b/gns3server/api/routes/controller/privileges.py new file mode 100644 index 00000000..a1dfb77a --- /dev/null +++ b/gns3server/api/routes/controller/privileges.py @@ -0,0 +1,43 @@ +# +# Software Name : GNS3 server +# Version: 3 +# SPDX-FileCopyrightText: Copyright (c) 2023 Orange Business Services +# SPDX-License-Identifier: GPL-3.0-or-later +# +# This software is distributed under the GPL-3.0 or any later version, +# the text of which is available at https://www.gnu.org/licenses/gpl-3.0.txt +# or see the "LICENSE" file for more details. +# +# Author: Sylvain MATHIEU +# + + +""" +API route for privileges +""" +from typing import List +from gns3server.db.repositories.rbac import RbacRepository +from .dependencies.database import get_repository +from fastapi import APIRouter, Depends +import logging + +from gns3server import schemas + +log = logging.getLogger(__name__) +router = APIRouter() + + +@router.get( + "", + response_model=List[schemas.Privilege], +) +async def get_privileges( + rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)) +) -> List[schemas.Privilege]: + """ + Get all privileges. + + Required privilege: None + """ + + return await rbac_repo.get_privileges() diff --git a/tests/api/routes/controller/test_privileges.py b/tests/api/routes/controller/test_privileges.py new file mode 100644 index 00000000..273ac1be --- /dev/null +++ b/tests/api/routes/controller/test_privileges.py @@ -0,0 +1,25 @@ +# +# Software Name : GNS3 server +# Version: 3 +# SPDX-FileCopyrightText: Copyright (c) 2023 Orange Business Services +# SPDX-License-Identifier: GPL-3.0-or-later +# +# This software is distributed under the GPL-3.0 or any later version, +# the text of which is available at https://www.gnu.org/licenses/gpl-3.0.txt +# or see the "LICENSE" file for more details. +# +# Author: Sylvain MATHIEU +# + +import pytest +from fastapi import FastAPI, status +from httpx import AsyncClient + +pytestmark = pytest.mark.asyncio + + +class TestPrivilegesRoute: + + async def test_get_privileges(self, app: FastAPI, client: AsyncClient) -> None: + response = await client.get(app.url_path_for("get_privileges")) + assert response.status_code == status.HTTP_200_OK From 1f90bb14b62361dc6b8b631b61908a21e55d8259 Mon Sep 17 00:00:00 2001 From: grossmj Date: Thu, 14 Sep 2023 22:36:21 +0700 Subject: [PATCH 18/19] Require users to be logged in for privilege API endpoints --- gns3server/api/routes/controller/__init__.py | 1 + gns3server/api/routes/controller/privileges.py | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/gns3server/api/routes/controller/__init__.py b/gns3server/api/routes/controller/__init__.py index 0ebaeb32..9ce8f839 100644 --- a/gns3server/api/routes/controller/__init__.py +++ b/gns3server/api/routes/controller/__init__.py @@ -63,6 +63,7 @@ router.include_router( router.include_router( privileges.router, + dependencies=[Depends(get_current_active_user)], prefix="/access/privileges", tags=["Privileges"] ) diff --git a/gns3server/api/routes/controller/privileges.py b/gns3server/api/routes/controller/privileges.py index a1dfb77a..45d250e6 100644 --- a/gns3server/api/routes/controller/privileges.py +++ b/gns3server/api/routes/controller/privileges.py @@ -11,10 +11,10 @@ # Author: Sylvain MATHIEU # - """ API route for privileges """ + from typing import List from gns3server.db.repositories.rbac import RbacRepository from .dependencies.database import get_repository From 7534718a1c51a9893c08ecc030e2a41af623a1cf Mon Sep 17 00:00:00 2001 From: grossmj Date: Thu, 14 Sep 2023 22:41:08 +0700 Subject: [PATCH 19/19] Remove privileges endpoint from roles --- gns3server/api/routes/controller/roles.py | 17 ----------------- tests/api/routes/controller/test_roles.py | 6 ------ 2 files changed, 23 deletions(-) diff --git a/gns3server/api/routes/controller/roles.py b/gns3server/api/routes/controller/roles.py index a3aceca3..f1a5434f 100644 --- a/gns3server/api/routes/controller/roles.py +++ b/gns3server/api/routes/controller/roles.py @@ -81,23 +81,6 @@ async def create_role( return await rbac_repo.create_role(role_create) -@router.get( - "/privileges", - response_model=List[schemas.Privilege], - dependencies=[Depends(has_privilege("Role.Audit"))] -) -async def get_privileges( - rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)), -) -> List[schemas.Privilege]: - """ - Get all available privileges. - - Required privilege: Role.Audit - """ - - return await rbac_repo.get_privileges() - - @router.get( "/{role_id}", response_model=schemas.Role, diff --git a/tests/api/routes/controller/test_roles.py b/tests/api/routes/controller/test_roles.py index ec0f614d..b6fca22b 100644 --- a/tests/api/routes/controller/test_roles.py +++ b/tests/api/routes/controller/test_roles.py @@ -42,12 +42,6 @@ class TestRolesRoutes: assert response.status_code == status.HTTP_200_OK assert response.json()["role_id"] == str(role_in_db.role_id) - async def test_get_privileges(self, app: FastAPI, client: AsyncClient): - - response = await client.get(app.url_path_for("get_privileges")) - assert response.status_code == status.HTTP_200_OK - assert len(response.json()) == 45 # 45 built-in privileges - async def test_list_roles(self, app: FastAPI, client: AsyncClient) -> None: response = await client.get(app.url_path_for("get_roles"))