1
0
mirror of https://github.com/GNS3/gns3-server synced 2024-11-28 19:28:07 +00:00

Merge remote-tracking branch 'origin/3.0' into gh-pages

This commit is contained in:
github-actions 2023-09-14 15:47:42 +00:00
commit 91ca94c798
24 changed files with 1139 additions and 120 deletions

View File

@ -32,6 +32,8 @@ from . import users
from . import groups from . import groups
from . import roles from . import roles
from . import acl from . import acl
from . import pools
from . import privileges
from .dependencies.authentication import get_current_active_user from .dependencies.authentication import get_current_active_user
@ -60,6 +62,13 @@ router.include_router(
tags=["Roles"] tags=["Roles"]
) )
router.include_router(
privileges.router,
dependencies=[Depends(get_current_active_user)],
prefix="/access/privileges",
tags=["Privileges"]
)
router.include_router( router.include_router(
acl.router, acl.router,
prefix="/access/acl", prefix="/access/acl",
@ -123,6 +132,12 @@ router.include_router(
tags=["Appliances"] tags=["Appliances"]
) )
router.include_router(
pools.router,
prefix="/pools",
tags=["Resource pools"]
)
router.include_router( router.include_router(
gns3vm.router, gns3vm.router,
dependencies=[Depends(get_current_active_user)], dependencies=[Depends(get_current_active_user)],

View File

@ -38,6 +38,7 @@ from gns3server.db.repositories.users import UsersRepository
from gns3server.db.repositories.rbac import RbacRepository from gns3server.db.repositories.rbac import RbacRepository
from gns3server.db.repositories.images import ImagesRepository from gns3server.db.repositories.images import ImagesRepository
from gns3server.db.repositories.templates import TemplatesRepository from gns3server.db.repositories.templates import TemplatesRepository
from gns3server.db.repositories.pools import ResourcePoolsRepository
from .dependencies.database import get_repository from .dependencies.database import get_repository
from .dependencies.rbac import has_privilege from .dependencies.rbac import has_privilege
@ -57,7 +58,8 @@ async def endpoints(
users_repo: UsersRepository = Depends(get_repository(UsersRepository)), users_repo: UsersRepository = Depends(get_repository(UsersRepository)),
rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)), rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)),
images_repo: ImagesRepository = Depends(get_repository(ImagesRepository)), images_repo: ImagesRepository = Depends(get_repository(ImagesRepository)),
templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)) templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)),
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
) -> List[dict]: ) -> List[dict]:
""" """
List all endpoints to be used in ACL entries. List all endpoints to be used in ACL entries.
@ -128,6 +130,11 @@ async def endpoints(
for template in templates: for template in templates:
add_to_endpoints(f"/templates/{template.template_id}", f'Template "{template.name}"', "template") add_to_endpoints(f"/templates/{template.template_id}", f'Template "{template.name}"', "template")
# resource pools
add_to_endpoints("/pools", "All resource pools", "pool")
pools = await pools_repo.get_resource_pools()
for pool in pools:
add_to_endpoints(f"/pools/{pool.resource_pool_id}", f'Resource pool "{pool.name}"', "pool")
return endpoints return endpoints

View File

@ -26,7 +26,7 @@ from gns3server.db.repositories.rbac import RbacRepository
from gns3server.services import auth_service from gns3server.services import auth_service
from .database import get_repository from .database import get_repository
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/v3/users/login", auto_error=False) oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/v3/access/users/login", auto_error=False)
async def get_user_from_token( async def get_user_from_token(

View File

@ -196,6 +196,11 @@ async def add_member_to_group(
if not user: if not user:
raise ControllerNotFoundError(f"User '{user_id}' not found") raise ControllerNotFoundError(f"User '{user_id}' not found")
user_groups = await users_repo.get_user_memberships(user_id)
for group in user_groups:
if group.user_group_id == user_group_id:
raise ControllerBadRequestError(f"Username '{user.username}' is already member of group '{group.name}'")
user_group = await users_repo.add_member_to_user_group(user_group_id, user) user_group = await users_repo.add_member_to_user_group(user_group_id, user)
if not user_group: if not user_group:
raise ControllerNotFoundError(f"User group '{user_group_id}' not found") raise ControllerNotFoundError(f"User group '{user_group_id}' not found")

View File

@ -0,0 +1,228 @@
#!/usr/bin/env python
#
# Copyright (C) 2023 GNS3 Technologies Inc.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
"""
API routes for resource pools.
"""
from fastapi import APIRouter, Depends, status
from uuid import UUID
from typing import List
from gns3server import schemas
from gns3server.controller.controller_error import (
ControllerError,
ControllerBadRequestError,
ControllerNotFoundError
)
from gns3server.controller import Controller
from gns3server.db.repositories.rbac import RbacRepository
from gns3server.db.repositories.pools import ResourcePoolsRepository
from .dependencies.rbac import has_privilege
from .dependencies.database import get_repository
import logging
log = logging.getLogger(__name__)
router = APIRouter()
@router.get(
"",
response_model=List[schemas.ResourcePool],
dependencies=[Depends(has_privilege("Pool.Audit"))]
)
async def get_resource_pools(
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
) -> List[schemas.ResourcePool]:
"""
Get all resource pools.
Required privilege: Pool.Audit
"""
return await pools_repo.get_resource_pools()
@router.post(
"",
response_model=schemas.ResourcePool,
status_code=status.HTTP_201_CREATED,
dependencies=[Depends(has_privilege("Pool.Allocate"))]
)
async def create_resource_pool(
resource_pool_create: schemas.ResourcePoolCreate,
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
) -> schemas.ResourcePool:
"""
Create a new resource pool
Required privilege: Pool.Allocate
"""
if await pools_repo.get_resource_pool_by_name(resource_pool_create.name):
raise ControllerBadRequestError(f"Resource pool '{resource_pool_create.name}' already exists")
return await pools_repo.create_resource_pool(resource_pool_create)
@router.get(
"/{resource_pool_id}",
response_model=schemas.ResourcePool,
dependencies=[Depends(has_privilege("Pool.Audit"))]
)
async def get_resource_pool(
resource_pool_id: UUID,
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
) -> schemas.ResourcePool:
"""
Get a resource pool.
Required privilege: Pool.Audit
"""
resource_pool = await pools_repo.get_resource_pool(resource_pool_id)
if not resource_pool:
raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
return resource_pool
@router.put(
"/{resource_pool_id}",
response_model=schemas.ResourcePool,
dependencies=[Depends(has_privilege("Pool.Modify"))]
)
async def update_resource_pool(
resource_pool_id: UUID,
resource_pool_update: schemas.ResourcePoolUpdate,
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
) -> schemas.ResourcePool:
"""
Update a resource pool.
Required privilege: Pool.Modify
"""
resource_pool = await pools_repo.get_resource_pool(resource_pool_id)
if not resource_pool:
raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
return await pools_repo.update_resource_pool(resource_pool_id, resource_pool_update)
@router.delete(
"/{resource_pool_id}",
status_code=status.HTTP_204_NO_CONTENT,
dependencies=[Depends(has_privilege("Pool.Allocate"))]
)
async def delete_resource_pool(
resource_pool_id: UUID,
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)),
rbac_repo: RbacRepository = Depends(get_repository(RbacRepository))
) -> None:
"""
Delete a resource pool.
Required privilege: Pool.Allocate
"""
resource_pool = await pools_repo.get_resource_pool(resource_pool_id)
if not resource_pool:
raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
success = await pools_repo.delete_resource_pool(resource_pool_id)
if not success:
raise ControllerError(f"Resource pool '{resource_pool_id}' could not be deleted")
await rbac_repo.delete_all_ace_starting_with_path(f"/pools/{resource_pool_id}")
@router.get(
"/{resource_pool_id}/resources",
response_model=List[schemas.Resource],
dependencies=[Depends(has_privilege("Pool.Audit"))]
)
async def get_pool_resources(
resource_pool_id: UUID,
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)),
) -> List[schemas.Resource]:
"""
Get all resource in a pool.
Required privilege: Pool.Audit
"""
return await pools_repo.get_pool_resources(resource_pool_id)
@router.put(
"/{resource_pool_id}/resources/{resource_id}",
status_code=status.HTTP_204_NO_CONTENT,
dependencies=[Depends(has_privilege("Pool.Modify"))]
)
async def add_resource_to_pool(
resource_pool_id: UUID,
resource_id: UUID,
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)),
) -> None:
"""
Add resource to a resource pool.
Required privilege: Pool.Modify
"""
resource_pool = await pools_repo.get_resource_pool(resource_pool_id)
if not resource_pool:
raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
resources = await pools_repo.get_pool_resources(resource_pool_id)
for resource in resources:
if resource.resource_id == resource_id:
raise ControllerBadRequestError(f"Resource '{resource_id}' is already in '{resource_pool.name}'")
# we only support projects in resource pools for now
project = Controller.instance().get_project(str(resource_id))
resource_create = schemas.ResourceCreate(resource_id=resource_id, resource_type="project", name=project.name)
resource = await pools_repo.create_resource(resource_create)
await pools_repo.add_resource_to_pool(resource_pool_id, resource)
@router.delete(
"/{resource_pool_id}/resources/{resource_id}",
status_code=status.HTTP_204_NO_CONTENT,
dependencies=[Depends(has_privilege("Pool.Modify"))]
)
async def remove_resource_from_pool(
resource_pool_id: UUID,
resource_id: UUID,
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)),
) -> None:
"""
Remove resource from a resource pool.
Required privilege: Pool.Modify
"""
resource = await pools_repo.get_resource(resource_id)
if not resource:
raise ControllerNotFoundError(f"Resource '{resource_id}' not found")
resource_pool = await pools_repo.remove_resource_from_pool(resource_pool_id, resource)
if not resource_pool:
raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")

View File

@ -0,0 +1,43 @@
#
# Software Name : GNS3 server
# Version: 3
# SPDX-FileCopyrightText: Copyright (c) 2023 Orange Business Services
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This software is distributed under the GPL-3.0 or any later version,
# the text of which is available at https://www.gnu.org/licenses/gpl-3.0.txt
# or see the "LICENSE" file for more details.
#
# Author: Sylvain MATHIEU
#
"""
API route for privileges
"""
from typing import List
from gns3server.db.repositories.rbac import RbacRepository
from .dependencies.database import get_repository
from fastapi import APIRouter, Depends
import logging
from gns3server import schemas
log = logging.getLogger(__name__)
router = APIRouter()
@router.get(
"",
response_model=List[schemas.Privilege],
)
async def get_privileges(
rbac_repo: RbacRepository = Depends(get_repository(RbacRepository))
) -> List[schemas.Privilege]:
"""
Get all privileges.
Required privilege: None
"""
return await rbac_repo.get_privileges()

View File

@ -47,9 +47,11 @@ from gns3server.utils.asyncio import aiozipstream
from gns3server.utils.path import is_safe_path from gns3server.utils.path import is_safe_path
from gns3server.db.repositories.templates import TemplatesRepository from gns3server.db.repositories.templates import TemplatesRepository
from gns3server.db.repositories.rbac import RbacRepository from gns3server.db.repositories.rbac import RbacRepository
from gns3server.db.repositories.pools import ResourcePoolsRepository
from gns3server.services.templates import TemplatesService from gns3server.services.templates import TemplatesService
from .dependencies.rbac import has_privilege, has_privilege_on_websocket from .dependencies.rbac import has_privilege, has_privilege_on_websocket
from .dependencies.authentication import get_current_active_user
from .dependencies.database import get_repository from .dependencies.database import get_repository
responses = {404: {"model": schemas.ErrorMessage, "description": "Could not find project"}} responses = {404: {"model": schemas.ErrorMessage, "description": "Could not find project"}}
@ -69,10 +71,13 @@ def dep_project(project_id: UUID) -> Project:
@router.get( @router.get(
"", "",
response_model=List[schemas.Project], response_model=List[schemas.Project],
response_model_exclude_unset=True, response_model_exclude_unset=True
dependencies=[Depends(has_privilege("Project.Audit"))]
) )
async def get_projects() -> List[schemas.Project]: async def get_projects(
current_user: schemas.User = Depends(get_current_active_user),
rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)),
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
) -> List[schemas.Project]:
""" """
Return all projects. Return all projects.
@ -80,7 +85,22 @@ async def get_projects() -> List[schemas.Project]:
""" """
controller = Controller.instance() controller = Controller.instance()
return [p.asdict() for p in controller.projects.values()] projects = []
if current_user.is_superadmin:
# super admin sees all projects
return [p.asdict() for p in controller.projects.values()]
elif await rbac_repo.check_user_has_privilege(current_user.user_id, "/projects", "Project.Audit"):
# user with Project.Audit privilege on '/projects' sees all projects except those in resource pools
project_ids_in_pools = [str(r.resource_id) for r in await pools_repo.get_resources() if r.resource_type == "project"]
projects.extend([p.asdict() for p in controller.projects.values() if p.id not in project_ids_in_pools])
# user with Project.Audit privilege on resource pools sees the projects in these pools
user_pool_resources = await rbac_repo.get_user_pool_resources(current_user.user_id, "Project.Audit")
project_ids_in_pools = [str(r.resource_id) for r in user_pool_resources if r.resource_type == "project"]
projects.extend([p.asdict() for p in controller.projects.values() if p.id in project_ids_in_pools])
return projects
@router.post( @router.post(

View File

@ -488,8 +488,9 @@ class DockerVM(BaseNode):
params["Env"].append(f"DISPLAY=:{self._display}") params["Env"].append(f"DISPLAY=:{self._display}")
params["HostConfig"]["Mounts"].append({ params["HostConfig"]["Mounts"].append({
"Type": "bind", "Type": "bind",
"Source": "/tmp/.X11-unix/", "Source": f"/tmp/.X11-unix/X{self._display}",
"Target": "/tmp/.X11-unix/" "Target": f"/tmp/.X11-unix/X{self._display}",
"ReadOnly": True
}) })
if self._extra_hosts: if self._extra_hosts:

View File

@ -147,6 +147,15 @@ class Config:
return os.path.dirname(self._main_config_file) return os.path.dirname(self._main_config_file)
@property
def controller_vars(self):
"""
Return the controller variables file path.
"""
controller_vars_filename = "gns3_controller.vars"
return os.path.join(self.config_dir, controller_vars_filename)
@property @property
def server_config(self): def server_config(self):
""" """

View File

@ -21,6 +21,7 @@ import uuid
import shutil import shutil
import asyncio import asyncio
import random import random
import json
try: try:
import importlib_resources import importlib_resources
@ -42,7 +43,7 @@ from .topology import load_topology
from .gns3vm import GNS3VM from .gns3vm import GNS3VM
from .gns3vm.gns3_vm_error import GNS3VMError from .gns3vm.gns3_vm_error import GNS3VMError
from .controller_error import ControllerError, ControllerNotFoundError from .controller_error import ControllerError, ControllerNotFoundError
from ..version import __version__
import logging import logging
@ -64,7 +65,9 @@ class Controller:
self.symbols = Symbols() self.symbols = Symbols()
self._appliance_manager = ApplianceManager() self._appliance_manager = ApplianceManager()
self._iou_license_settings = {"iourc_content": "", "license_check": True} self._iou_license_settings = {"iourc_content": "", "license_check": True}
self._config_loaded = False self._vars_loaded = False
self._vars_file = Config.instance().controller_vars
log.info(f'Loading controller vars file "{self._vars_file}"')
async def start(self, computes=None): async def start(self, computes=None):
@ -83,7 +86,7 @@ class Controller:
if host == "0.0.0.0": if host == "0.0.0.0":
host = "127.0.0.1" host = "127.0.0.1"
self._load_controller_settings() self._load_controller_vars()
if server_config.enable_ssl: if server_config.enable_ssl:
self._ssl_context = self._create_ssl_context(server_config) self._ssl_context = self._create_ssl_context(server_config)
@ -185,7 +188,7 @@ class Controller:
async def reload(self): async def reload(self):
log.info("Controller is reloading") log.info("Controller is reloading")
self._load_controller_settings() self._load_controller_vars()
# remove all projects deleted from disk. # remove all projects deleted from disk.
for project in self._projects.copy().values(): for project in self._projects.copy().values():
@ -198,65 +201,54 @@ class Controller:
def save(self): def save(self):
""" """
Save the controller configuration on disk Save the controller vars on disk
""" """
if self._config_loaded is False: controller_vars = dict()
return if self._vars_loaded:
controller_vars = {
"appliances_etag": self._appliance_manager.appliances_etag,
"version": __version__
}
if self._iou_license_settings["iourc_content"]: if self._iou_license_settings["iourc_content"]:
iou_config = Config.instance().settings.IOU iou_config = Config.instance().settings.IOU
server_config = Config.instance().settings.Server server_config = Config.instance().settings.Server
if iou_config.iourc_path: if iou_config.iourc_path:
iourc_path = iou_config.iourc_path iourc_path = iou_config.iourc_path
else: else:
os.makedirs(server_config.secrets_dir, exist_ok=True) os.makedirs(server_config.secrets_dir, exist_ok=True)
iourc_path = os.path.join(server_config.secrets_dir, "gns3_iourc_license") iourc_path = os.path.join(server_config.secrets_dir, "gns3_iourc_license")
try: try:
with open(iourc_path, "w+") as f: with open(iourc_path, "w+") as f:
f.write(self._iou_license_settings["iourc_content"]) f.write(self._iou_license_settings["iourc_content"])
log.info(f"iourc file '{iourc_path}' saved") log.info(f"iourc file '{iourc_path}' saved")
except OSError as e: except OSError as e:
log.error(f"Cannot write IOU license file '{iourc_path}': {e}") log.error(f"Cannot write IOU license file '{iourc_path}': {e}")
if self._appliance_manager.appliances_etag: try:
etag_directory = os.path.dirname(Config.instance().server_config) os.makedirs(os.path.dirname(self._vars_file), exist_ok=True)
os.makedirs(etag_directory, exist_ok=True) with open(self._vars_file, 'w+') as f:
etag_appliances_path = os.path.join(etag_directory, "gns3_appliances_etag") json.dump(controller_vars, f, indent=4)
except OSError as e:
log.error(f"Cannot write controller vars file '{self._vars_file}': {e}")
try: def _load_controller_vars(self):
with open(etag_appliances_path, "w+") as f:
f.write(self._appliance_manager.appliances_etag)
log.info(f"etag appliances file '{etag_appliances_path}' saved")
except OSError as e:
log.error(f"Cannot write Etag appliance file '{etag_appliances_path}': {e}")
def _load_controller_settings(self):
""" """
Reload the controller configuration from disk Reload the controller vars from disk
""" """
# try: try:
# if not os.path.exists(self._config_file): if not os.path.exists(self._vars_file):
# self._config_loaded = True self.save() # this will create the vars file
# self.save() with open(self._vars_file) as f:
# with open(self._config_file) as f: controller_vars = json.load(f)
# controller_settings = json.load(f) except (OSError, ValueError) as e:
# except (OSError, ValueError) as e: log.critical(f"Cannot load controller vars file '{self._vars_file}': {e}")
# log.critical("Cannot load configuration file '{}': {}".format(self._config_file, e)) return []
# return []
# load GNS3 VM settings
# if "gns3vm" in controller_settings:
# gns3_vm_settings = controller_settings["gns3vm"]
# if "port" not in gns3_vm_settings:
# # port setting was added in version 2.2.8
# # the default port was 3080 before this
# gns3_vm_settings["port"] = 3080
# self.gns3vm.settings = gns3_vm_settings
# load the IOU license settings # load the IOU license settings
iou_config = Config.instance().settings.IOU iou_config = Config.instance().settings.IOU
@ -276,27 +268,19 @@ class Controller:
log.info(f"iourc file '{iourc_path}' loaded") log.info(f"iourc file '{iourc_path}' loaded")
except OSError as e: except OSError as e:
log.error(f"Cannot read IOU license file '{iourc_path}': {e}") log.error(f"Cannot read IOU license file '{iourc_path}': {e}")
self._iou_license_settings["license_check"] = iou_config.license_check self._iou_license_settings["license_check"] = iou_config.license_check
etag_directory = os.path.dirname(Config.instance().server_config) previous_version = controller_vars.get("version")
etag_appliances_path = os.path.join(etag_directory, "gns3_appliances_etag") log.info("Comparing controller version {} with config version {}".format(__version__, previous_version))
self._appliance_manager.appliances_etag = None if not previous_version or \
if os.path.exists(etag_appliances_path): parse_version(__version__.split("+")[0]) > parse_version(previous_version.split("+")[0]):
try: self._appliance_manager.install_builtin_appliances()
with open(etag_appliances_path) as f: elif not os.listdir(self._appliance_manager.builtin_appliances_path()):
self._appliance_manager.appliances_etag = f.read() self._appliance_manager.install_builtin_appliances()
log.info(f"etag appliances file '{etag_appliances_path}' loaded")
except OSError as e:
log.error(f"Cannot read Etag appliance file '{etag_appliances_path}': {e}")
# FIXME install builtin appliances only once, need to store "version" somewhere... self._appliance_manager.appliances_etag = controller_vars.get("appliances_etag")
#if parse_version(__version__.split("+")[0]) > parse_version(controller_settings.get("version", "")):
# self._appliance_manager.install_builtin_appliances()
self._appliance_manager.install_builtin_appliances()
self._appliance_manager.load_appliances() self._appliance_manager.load_appliances()
self._config_loaded = True self._vars_loaded = True
async def load_projects(self): async def load_projects(self):
""" """
@ -420,7 +404,6 @@ class Controller:
compute = Compute(compute_id=compute_id, controller=self, name=name, **kwargs) compute = Compute(compute_id=compute_id, controller=self, name=name, **kwargs)
self._computes[compute.id] = compute self._computes[compute.id] = compute
# self.save()
if connect: if connect:
if wait_connection: if wait_connection:
await compute.connect() await compute.connect()
@ -470,7 +453,6 @@ class Controller:
await self.close_compute_projects(compute) await self.close_compute_projects(compute)
await compute.close() await compute.close()
del self._computes[compute_id] del self._computes[compute_id]
# self.save()
self.notification.controller_emit("compute.deleted", compute.asdict()) self.notification.controller_emit("compute.deleted", compute.asdict())
@property @property

View File

@ -21,6 +21,7 @@ import json
import asyncio import asyncio
import aiofiles import aiofiles
import shutil import shutil
import platformdirs
from typing import Tuple, List from typing import Tuple, List
@ -94,13 +95,13 @@ class ApplianceManager:
os.makedirs(appliances_path, exist_ok=True) os.makedirs(appliances_path, exist_ok=True)
return appliances_path return appliances_path
def _builtin_appliances_path(self, delete_first=False): def builtin_appliances_path(self, delete_first=False):
""" """
Get the built-in appliance storage directory Get the built-in appliance storage directory
""" """
config = Config.instance() appname = vendor = "GNS3"
appliances_dir = os.path.join(config.config_dir, "appliances") appliances_dir = os.path.join(platformdirs.user_data_dir(appname, vendor, roaming=True), "appliances")
if delete_first: if delete_first:
shutil.rmtree(appliances_dir, ignore_errors=True) shutil.rmtree(appliances_dir, ignore_errors=True)
os.makedirs(appliances_dir, exist_ok=True) os.makedirs(appliances_dir, exist_ok=True)
@ -111,7 +112,7 @@ class ApplianceManager:
At startup we copy the built-in appliances files. At startup we copy the built-in appliances files.
""" """
dst_path = self._builtin_appliances_path(delete_first=True) dst_path = self.builtin_appliances_path(delete_first=True)
log.info(f"Installing built-in appliances in '{dst_path}'") log.info(f"Installing built-in appliances in '{dst_path}'")
from . import Controller from . import Controller
try: try:
@ -316,7 +317,7 @@ class ApplianceManager:
self._appliances = {} self._appliances = {}
for directory, builtin in ( for directory, builtin in (
( (
self._builtin_appliances_path(), self.builtin_appliances_path(),
True, True,
), ),
( (
@ -434,7 +435,7 @@ class ApplianceManager:
Controller.instance().save() Controller.instance().save()
json_data = await response.json() json_data = await response.json()
appliances_dir = self._builtin_appliances_path() appliances_dir = self.builtin_appliances_path()
downloaded_appliance_files = [] downloaded_appliance_files = []
for appliance in json_data: for appliance in json_data:
if appliance["type"] == "file": if appliance["type"] == "file":

View File

@ -22,7 +22,7 @@ from .roles import Role
from .privileges import Privilege from .privileges import Privilege
from .computes import Compute from .computes import Compute
from .images import Image from .images import Image
from .resource_pools import Resource, ResourcePool from .pools import Resource, ResourcePool
from .templates import ( from .templates import (
Template, Template,
CloudTemplate, CloudTemplate,

View File

@ -95,6 +95,18 @@ def create_default_roles(target, connection, **kw):
"description": "Update an ACE", "description": "Update an ACE",
"name": "ACE.Modify" "name": "ACE.Modify"
}, },
{
"description": "Create or delete a resource pool",
"name": "Pool.Allocate"
},
{
"description": "View a resource pool",
"name": "Pool.Audit"
},
{
"description": "Update a resource pool",
"name": "Pool.Modify"
},
{ {
"description": "Create or delete a template", "description": "Create or delete a template",
"name": "Template.Allocate" "name": "Template.Allocate"

View File

@ -0,0 +1,206 @@
#!/usr/bin/env python
#
# Copyright (C) 2023 GNS3 Technologies Inc.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from uuid import UUID
from typing import Optional, List, Union
from sqlalchemy import select, update, delete
from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy.orm import selectinload
from .base import BaseRepository
import gns3server.db.models as models
from gns3server import schemas
import logging
log = logging.getLogger(__name__)
class ResourcePoolsRepository(BaseRepository):
def __init__(self, db_session: AsyncSession) -> None:
super().__init__(db_session)
async def get_resource(self, resource_id: UUID) -> Optional[models.Resource]:
"""
Get a resource by its ID.
"""
query = select(models.Resource).where(models.Resource.resource_id == resource_id)
result = await self._db_session.execute(query)
return result.scalars().first()
async def get_resources(self) -> List[models.Resource]:
"""
Get all resources.
"""
query = select(models.Resource)
result = await self._db_session.execute(query)
return result.scalars().all()
async def create_resource(self, resource: schemas.ResourceCreate) -> models.Resource:
"""
Create a new resource.
"""
db_resource = models.Resource(
resource_id=resource.resource_id,
resource_type=resource.resource_type,
name=resource.name
)
self._db_session.add(db_resource)
await self._db_session.commit()
await self._db_session.refresh(db_resource)
return db_resource
async def delete_resource(self, resource_id: UUID) -> bool:
"""
Delete a resource.
"""
query = delete(models.Resource).where(models.Resource.resource_id == resource_id)
result = await self._db_session.execute(query)
await self._db_session.commit()
return result.rowcount > 0
async def get_resource_pool(self, resource_pool_id: UUID) -> Optional[models.ResourcePool]:
"""
Get a resource pool by its ID.
"""
query = select(models.ResourcePool).where(models.ResourcePool.resource_pool_id == resource_pool_id)
result = await self._db_session.execute(query)
return result.scalars().first()
async def get_resource_pool_by_name(self, name: str) -> Optional[models.ResourcePool]:
"""
Get a resource pool by its name.
"""
query = select(models.ResourcePool).where(models.ResourcePool.name == name)
result = await self._db_session.execute(query)
return result.scalars().first()
async def get_resource_pools(self) -> List[models.ResourcePool]:
"""
Get all resource pools.
"""
query = select(models.ResourcePool)
result = await self._db_session.execute(query)
return result.scalars().all()
async def create_resource_pool(self, resource_pool: schemas.ResourcePoolCreate) -> models.ResourcePool:
"""
Create a new resource pool.
"""
db_resource_pool = models.ResourcePool(name=resource_pool.name)
self._db_session.add(db_resource_pool)
await self._db_session.commit()
await self._db_session.refresh(db_resource_pool)
return db_resource_pool
async def update_resource_pool(
self,
resource_pool_id: UUID,
resource_pool_update: schemas.ResourcePoolUpdate
) -> Optional[models.ResourcePool]:
"""
Update a resource pool.
"""
update_values = resource_pool_update.model_dump(exclude_unset=True)
query = update(models.ResourcePool).\
where(models.ResourcePool.resource_pool_id == resource_pool_id).\
values(update_values)
await self._db_session.execute(query)
await self._db_session.commit()
resource_pool_db = await self.get_resource_pool(resource_pool_id)
if resource_pool_db:
await self._db_session.refresh(resource_pool_db) # force refresh of updated_at value
return resource_pool_db
async def delete_resource_pool(self, resource_pool_id: UUID) -> bool:
"""
Delete a resource pool.
"""
query = delete(models.ResourcePool).where(models.ResourcePool.resource_pool_id == resource_pool_id)
result = await self._db_session.execute(query)
await self._db_session.commit()
return result.rowcount > 0
async def add_resource_to_pool(
self,
resource_pool_id: UUID,
resource: models.Resource
) -> Union[None, models.ResourcePool]:
"""
Add a resource to a resource pool.
"""
query = select(models.ResourcePool).\
options(selectinload(models.ResourcePool.resources)).\
where(models.ResourcePool.resource_pool_id == resource_pool_id)
result = await self._db_session.execute(query)
resource_pool_db = result.scalars().first()
if not resource_pool_db:
return None
resource_pool_db.resources.append(resource)
await self._db_session.commit()
await self._db_session.refresh(resource_pool_db)
return resource_pool_db
async def remove_resource_from_pool(
self,
resource_pool_id: UUID,
resource: models.Resource
) -> Union[None, models.ResourcePool]:
"""
Remove a resource from a resource pool.
"""
query = select(models.ResourcePool).\
options(selectinload(models.ResourcePool.resources)).\
where(models.ResourcePool.resource_pool_id == resource_pool_id)
result = await self._db_session.execute(query)
resource_pool_db = result.scalars().first()
if not resource_pool_db:
return None
resource_pool_db.resources.remove(resource)
await self._db_session.commit()
await self._db_session.refresh(resource_pool_db)
return resource_pool_db
async def get_pool_resources(self, resource_pool_id: UUID) -> List[models.Resource]:
"""
Get all resources from a resource pool.
"""
query = select(models.Resource).\
join(models.Resource.resource_pools).\
filter(models.ResourcePool.resource_pool_id == resource_pool_id)
result = await self._db_session.execute(query)
return result.scalars().all()

View File

@ -18,7 +18,7 @@
from uuid import UUID from uuid import UUID
from urllib.parse import urlparse from urllib.parse import urlparse
from typing import Optional, List, Union from typing import Optional, List, Union
from sqlalchemy import select, update, delete, null from sqlalchemy import select, update, delete
from sqlalchemy.ext.asyncio import AsyncSession from sqlalchemy.ext.asyncio import AsyncSession
from sqlalchemy.orm import selectinload from sqlalchemy.orm import selectinload
@ -309,6 +309,75 @@ class RbacRepository(BaseRepository):
return True # only allow if the path is the original path or the ACE is set to propagate return True # only allow if the path is the original path or the ACE is set to propagate
return False return False
async def _get_resources_in_pools(self, aces, path: str = None) -> List[models.Resource]:
"""
Get all resources in pools.
"""
pool_resources = []
for ace_path, ace_propagate, ace_allowed, ace_privilege in aces:
if ace_path.startswith("/pool"):
resource_pool_id = ace_path.split("/")[2]
query = select(models.Resource). \
join(models.Resource.resource_pools). \
filter(models.ResourcePool.resource_pool_id == resource_pool_id)
result = await self._db_session.execute(query)
resources = result.scalars().all()
for resource in resources:
# we only support projects in resource pools for now
if resource.resource_type == "project":
if path:
if path.startswith(f"/projects/{resource.resource_id}"):
pool_resources.append(resource)
else:
pool_resources.append(resource)
return pool_resources
async def _get_user_aces(self, user_id: UUID, privilege_name: str):
"""
Retrieve all user ACEs matching the user_id and privilege name.
"""
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name).\
join(models.Privilege.roles).\
join(models.Role.acl_entries).\
join(models.ACE.user). \
filter(models.User.user_id == user_id).\
filter(models.Privilege.name == privilege_name).\
order_by(models.ACE.path.desc())
result = await self._db_session.execute(query)
return result.all()
async def _get_group_aces(self, user_id: UUID, privilege_name: str):
"""
Retrieve all group ACEs matching the user_id and privilege name.
"""
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name). \
join(models.Privilege.roles). \
join(models.Role.acl_entries). \
join(models.ACE.group). \
join(models.UserGroup.users).\
filter(models.User.user_id == user_id). \
filter(models.Privilege.name == privilege_name)
result = await self._db_session.execute(query)
return result.all()
async def get_user_pool_resources(self, user_id: UUID, privilege_name: str) -> List[models.Resource]:
"""
Get all resources in pools belonging to a user and groups
"""
user_aces = await self._get_user_aces(user_id, privilege_name)
pool_resources = await self._get_resources_in_pools(user_aces)
group_aces = await self._get_group_aces(user_id, privilege_name)
pool_resources.extend(await self._get_resources_in_pools(group_aces))
return list(set(pool_resources))
async def check_user_has_privilege(self, user_id: UUID, path: str, privilege_name: str) -> bool: async def check_user_has_privilege(self, user_id: UUID, path: str, privilege_name: str) -> bool:
""" """
Resource paths form a file system like tree and privileges can be inherited by paths down that tree Resource paths form a file system like tree and privileges can be inherited by paths down that tree
@ -321,38 +390,34 @@ class RbacRepository(BaseRepository):
* Privileges on deeper levels replace those inherited from an upper level. * Privileges on deeper levels replace those inherited from an upper level.
""" """
# retrieve all user ACEs matching the user_id and privilege name query = select(models.Resource)
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name).\
join(models.Privilege.roles).\
join(models.Role.acl_entries).\
join(models.ACE.user). \
filter(models.User.user_id == user_id).\
filter(models.Privilege.name == privilege_name).\
order_by(models.ACE.path.desc())
result = await self._db_session.execute(query) result = await self._db_session.execute(query)
aces = result.all() resources = result.scalars().all()
projects_in_pools = [f"/projects/{r.resource_id}" for r in resources if r.resource_type == "project"]
path_is_in_pool = False
for project_in_pool in projects_in_pools:
if path.startswith(project_in_pool):
path_is_in_pool = True
break
aces = await self._get_user_aces(user_id, privilege_name)
try: try:
if self._check_path_with_aces(path, aces): if path_is_in_pool:
# the user has an ACE matching the path and privilege,there is no need to check group ACEs if await self._get_resources_in_pools(aces, path):
return True
elif self._check_path_with_aces(path, aces):
# the user has an ACE matching the path and privilege, there is no need to check group ACEs
return True return True
except PermissionError: except PermissionError:
return False return False
# retrieve all group ACEs matching the user_id and privilege name aces = await self._get_group_aces(user_id, privilege_name)
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name). \
join(models.Privilege.roles). \
join(models.Role.acl_entries). \
join(models.ACE.group). \
join(models.UserGroup.users).\
filter(models.User.user_id == user_id). \
filter(models.Privilege.name == privilege_name)
result = await self._db_session.execute(query)
aces = result.all()
try: try:
return self._check_path_with_aces(path, aces) if path_is_in_pool:
if await self._get_resources_in_pools(aces, path):
return True
elif self._check_path_with_aces(path, aces):
return True
except PermissionError: except PermissionError:
return False return False
return False

View File

@ -31,6 +31,7 @@ from .controller.nodes import NodeCreate, NodeUpdate, NodeDuplicate, NodeCapture
from .controller.projects import ProjectCreate, ProjectUpdate, ProjectDuplicate, Project, ProjectFile, ProjectCompression from .controller.projects import ProjectCreate, ProjectUpdate, ProjectDuplicate, Project, ProjectFile, ProjectCompression
from .controller.users import UserCreate, UserUpdate, LoggedInUserUpdate, User, Credentials, UserGroupCreate, UserGroupUpdate, UserGroup from .controller.users import UserCreate, UserUpdate, LoggedInUserUpdate, User, Credentials, UserGroupCreate, UserGroupUpdate, UserGroup
from .controller.rbac import RoleCreate, RoleUpdate, Role, Privilege, ACECreate, ACEUpdate, ACE from .controller.rbac import RoleCreate, RoleUpdate, Role, Privilege, ACECreate, ACEUpdate, ACE
from .controller.pools import Resource, ResourceCreate, ResourcePoolCreate, ResourcePoolUpdate, ResourcePool
from .controller.tokens import Token from .controller.tokens import Token
from .controller.snapshots import SnapshotCreate, Snapshot from .controller.snapshots import SnapshotCreate, Snapshot
from .controller.iou_license import IOULicense from .controller.iou_license import IOULicense

View File

@ -0,0 +1,81 @@
#
# Copyright (C) 2020 GNS3 Technologies Inc.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
from typing import Optional
from pydantic import ConfigDict, BaseModel, Field
from uuid import UUID
from enum import Enum
from .base import DateTimeModelMixin
class ResourceType(str, Enum):
project = "project"
class ResourceBase(BaseModel):
"""
Common resource properties.
"""
resource_id: UUID
resource_type: ResourceType = Field(..., description="Type of the resource")
name: Optional[str] = None
model_config = ConfigDict(use_enum_values=True)
class ResourceCreate(ResourceBase):
"""
Properties to create a resource.
"""
pass
class Resource(DateTimeModelMixin, ResourceBase):
model_config = ConfigDict(from_attributes=True)
class ResourcePoolBase(BaseModel):
"""
Common resource pool properties.
"""
name: str
class ResourcePoolCreate(ResourcePoolBase):
"""
Properties to create a resource pool.
"""
pass
class ResourcePoolUpdate(ResourcePoolBase):
"""
Properties to update a resource pool.
"""
pass
class ResourcePool(DateTimeModelMixin, ResourcePoolBase):
resource_pool_id: UUID
model_config = ConfigDict(from_attributes=True)

View File

@ -1,5 +1,5 @@
uvicorn==0.22.0 # v0.22.0 is the last to support Python 3.7 uvicorn==0.22.0 # v0.22.0 is the last to support Python 3.7
fastapi==0.103.0 fastapi==0.103.1
python-multipart==0.0.6 python-multipart==0.0.6
websockets==11.0.3 websockets==11.0.3
aiohttp>=3.8.5,<3.9 aiohttp>=3.8.5,<3.9
@ -10,7 +10,7 @@ sentry-sdk==1.30.0,<1.31
psutil==5.9.5 psutil==5.9.5
distro>=1.8.0 distro>=1.8.0
py-cpuinfo==9.0.0 py-cpuinfo==9.0.0
sqlalchemy==2.0.18 sqlalchemy==2.0.20
aiosqlite==0.19.0 aiosqlite==0.19.0
alembic==1.12.0 alembic==1.12.0
passlib[bcrypt]==1.7.4 passlib[bcrypt]==1.7.4
@ -18,4 +18,5 @@ python-jose==3.3.0
email-validator==2.0.0.post2 email-validator==2.0.0.post2
watchfiles==0.20.0 watchfiles==0.20.0
zstandard==0.21.0 zstandard==0.21.0
platformdirs==3.10.0
importlib_resources>=1.3 importlib_resources>=1.3

View File

@ -22,7 +22,7 @@ from httpx import AsyncClient
from sqlalchemy.ext.asyncio import AsyncSession from sqlalchemy.ext.asyncio import AsyncSession
from gns3server.db.repositories.users import UsersRepository from gns3server.db.repositories.users import UsersRepository
from gns3server.schemas.controller.users import User from gns3server.schemas.controller.users import User, UserGroupCreate
pytestmark = pytest.mark.asyncio pytestmark = pytest.mark.asyncio
@ -106,7 +106,7 @@ class TestGroupRoutes:
class TestGroupMembersRoutes: class TestGroupMembersRoutes:
async def test_add_member_to_group( async def test_add_to_group_already_member(
self, self,
app: FastAPI, app: FastAPI,
client: AsyncClient, client: AsyncClient,
@ -123,6 +123,28 @@ class TestGroupMembersRoutes:
user_id=str(test_user.user_id) user_id=str(test_user.user_id)
) )
) )
assert response.status_code == status.HTTP_400_BAD_REQUEST
async def test_add_member_to_group(
self,
app: FastAPI,
client: AsyncClient,
test_user: User,
db_session: AsyncSession
) -> None:
user_repo = UsersRepository(db_session)
new_user_group = UserGroupCreate(
name="test_group",
)
group_in_db = await user_repo.create_user_group(new_user_group)
response = await client.put(
app.url_path_for(
"add_member_to_group",
user_group_id=group_in_db.user_group_id,
user_id=str(test_user.user_id)
)
)
assert response.status_code == status.HTTP_204_NO_CONTENT assert response.status_code == status.HTTP_204_NO_CONTENT
members = await user_repo.get_user_group_members(group_in_db.user_group_id) members = await user_repo.get_user_group_members(group_in_db.user_group_id)
assert len(members) == 1 assert len(members) == 1
@ -136,7 +158,7 @@ class TestGroupMembersRoutes:
) -> None: ) -> None:
user_repo = UsersRepository(db_session) user_repo = UsersRepository(db_session)
group_in_db = await user_repo.get_user_group_by_name("Users") group_in_db = await user_repo.get_user_group_by_name("test_group")
response = await client.get( response = await client.get(
app.url_path_for( app.url_path_for(
"get_user_group_members", "get_user_group_members",
@ -154,7 +176,7 @@ class TestGroupMembersRoutes:
) -> None: ) -> None:
user_repo = UsersRepository(db_session) user_repo = UsersRepository(db_session)
group_in_db = await user_repo.get_user_group_by_name("Users") group_in_db = await user_repo.get_user_group_by_name("test_group")
response = await client.delete( response = await client.delete(
app.url_path_for( app.url_path_for(

View File

@ -0,0 +1,183 @@
#!/usr/bin/env python
#
# Copyright (C) 2023 GNS3 Technologies Inc.
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import uuid
import pytest
import pytest_asyncio
from fastapi import FastAPI, status
from httpx import AsyncClient
from sqlalchemy.ext.asyncio import AsyncSession
from gns3server.db.repositories.pools import ResourcePoolsRepository
from gns3server.controller import Controller
from gns3server.controller.project import Project
from gns3server.schemas.controller.pools import ResourceCreate, ResourcePoolCreate
pytestmark = pytest.mark.asyncio
class TestPoolRoutes:
async def test_resource_pool(self, app: FastAPI, client: AsyncClient) -> None:
new_group = {"name": "pool1"}
response = await client.post(app.url_path_for("create_resource_pool"), json=new_group)
assert response.status_code == status.HTTP_201_CREATED
async def test_get_resource_pool(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None:
pools_repo = ResourcePoolsRepository(db_session)
pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
response = await client.get(app.url_path_for("get_resource_pool", resource_pool_id=pool_in_db.resource_pool_id))
assert response.status_code == status.HTTP_200_OK
assert response.json()["resource_pool_id"] == str(pool_in_db.resource_pool_id)
async def test_list_resource_pools(self, app: FastAPI, client: AsyncClient) -> None:
response = await client.get(app.url_path_for("get_resource_pools"))
assert response.status_code == status.HTTP_200_OK
assert len(response.json()) == 1
async def test_update_resource_pool(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None:
pools_repo = ResourcePoolsRepository(db_session)
pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
update_pool = {"name": "pool42"}
response = await client.put(
app.url_path_for("update_resource_pool", resource_pool_id=pool_in_db.resource_pool_id),
json=update_pool
)
assert response.status_code == status.HTTP_200_OK
updated_pool_in_db = await pools_repo.get_resource_pool(pool_in_db.resource_pool_id)
assert updated_pool_in_db.name == "pool42"
async def test_resource_group(
self,
app: FastAPI,
client: AsyncClient,
db_session: AsyncSession
) -> None:
pools_repo = ResourcePoolsRepository(db_session)
pool_in_db = await pools_repo.get_resource_pool_by_name("pool42")
response = await client.delete(app.url_path_for("delete_resource_pool", resource_pool_id=pool_in_db.resource_pool_id))
assert response.status_code == status.HTTP_204_NO_CONTENT
class TestResourcesPoolRoutes:
@pytest_asyncio.fixture
async def project(self, app: FastAPI, client: AsyncClient, controller: Controller) -> Project:
project_id = str(uuid.uuid4())
params = {"name": "test", "project_id": project_id}
await client.post(app.url_path_for("create_project"), json=params)
return controller.get_project(project_id)
async def test_add_resource_to_pool(
self,
app: FastAPI,
client: AsyncClient,
db_session: AsyncSession,
project: Project
) -> None:
pools_repo = ResourcePoolsRepository(db_session)
new_resource_pool = ResourcePoolCreate(
name="pool1",
)
pool_in_db = await pools_repo.create_resource_pool(new_resource_pool)
response = await client.put(
app.url_path_for(
"add_resource_to_pool",
resource_pool_id=pool_in_db.resource_pool_id,
resource_id=str(project.id)
)
)
assert response.status_code == status.HTTP_204_NO_CONTENT
resources = await pools_repo.get_pool_resources(pool_in_db.resource_pool_id)
assert len(resources) == 1
assert str(resources[0].resource_id) == project.id
async def test_add_to_resource_already_in_resource_pool(
self,
app: FastAPI,
client: AsyncClient,
db_session: AsyncSession,
project: Project
) -> None:
pools_repo = ResourcePoolsRepository(db_session)
pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
resource_create = ResourceCreate(resource_id=project.id, resource_type="project")
resource = await pools_repo.create_resource(resource_create)
await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
response = await client.put(
app.url_path_for(
"add_resource_to_pool",
resource_pool_id=pool_in_db.resource_pool_id,
resource_id=str(resource.resource_id)
)
)
assert response.status_code == status.HTTP_400_BAD_REQUEST
async def test_get_pool_resources(
self,
app: FastAPI,
client: AsyncClient,
db_session: AsyncSession
) -> None:
pools_repo = ResourcePoolsRepository(db_session)
pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
response = await client.get(
app.url_path_for(
"get_pool_resources",
resource_pool_id=pool_in_db.resource_pool_id)
)
assert response.status_code == status.HTTP_200_OK
assert len(response.json()) == 2
async def test_remove_resource_from_pool(
self,
app: FastAPI,
client: AsyncClient,
db_session: AsyncSession,
project: Project
) -> None:
pools_repo = ResourcePoolsRepository(db_session)
pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
resource_create = ResourceCreate(resource_id=project.id, resource_type="project")
resource = await pools_repo.create_resource(resource_create)
await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
resources = await pools_repo.get_pool_resources(pool_in_db.resource_pool_id)
assert len(resources) == 3
response = await client.delete(
app.url_path_for(
"remove_resource_from_pool",
resource_pool_id=pool_in_db.resource_pool_id,
resource_id=str(project.id)
),
)
assert response.status_code == status.HTTP_204_NO_CONTENT
resources = await pools_repo.get_pool_resources(pool_in_db.resource_pool_id)
assert len(resources) == 2

View File

@ -0,0 +1,25 @@
#
# Software Name : GNS3 server
# Version: 3
# SPDX-FileCopyrightText: Copyright (c) 2023 Orange Business Services
# SPDX-License-Identifier: GPL-3.0-or-later
#
# This software is distributed under the GPL-3.0 or any later version,
# the text of which is available at https://www.gnu.org/licenses/gpl-3.0.txt
# or see the "LICENSE" file for more details.
#
# Author: Sylvain MATHIEU
#
import pytest
from fastapi import FastAPI, status
from httpx import AsyncClient
pytestmark = pytest.mark.asyncio
class TestPrivilegesRoute:
async def test_get_privileges(self, app: FastAPI, client: AsyncClient) -> None:
response = await client.get(app.url_path_for("get_privileges"))
assert response.status_code == status.HTTP_200_OK

View File

@ -222,8 +222,9 @@ async def test_create_vnc(compute_project, manager):
}, },
{ {
"Type": "bind", "Type": "bind",
"Source": "/tmp/.X11-unix/", "Source": f"/tmp/.X11-unix/X{vm._display}",
"Target": "/tmp/.X11-unix/" "Target": f"/tmp/.X11-unix/X{vm._display}",
"ReadOnly": True
} }
], ],
"Privileged": True, "Privileged": True,

View File

@ -17,14 +17,18 @@
import pytest import pytest
import pytest_asyncio import pytest_asyncio
import uuid
from fastapi import FastAPI, status from fastapi import FastAPI, status
from httpx import AsyncClient from httpx import AsyncClient
from sqlalchemy.ext.asyncio import AsyncSession from sqlalchemy.ext.asyncio import AsyncSession
from gns3server.controller import Controller
from gns3server.db.repositories.rbac import RbacRepository from gns3server.db.repositories.rbac import RbacRepository
from gns3server.db.repositories.users import UsersRepository from gns3server.db.repositories.users import UsersRepository
from gns3server.db.repositories.pools import ResourcePoolsRepository
from gns3server.schemas.controller.rbac import ACECreate from gns3server.schemas.controller.rbac import ACECreate
from gns3server.schemas.controller.pools import ResourceCreate, ResourcePoolCreate
from gns3server.db.models import User from gns3server.db.models import User
pytestmark = pytest.mark.asyncio pytestmark = pytest.mark.asyncio
@ -128,6 +132,113 @@ class TestPrivileges:
authorized = await RbacRepository(db_session).check_user_has_privilege(test_user.user_id, path, privilege) authorized = await RbacRepository(db_session).check_user_has_privilege(test_user.user_id, path, privilege)
assert authorized is True assert authorized is True
class TestResourcePools:
async def test_resource_pool(self, test_user: User, db_session: AsyncSession):
project_id = uuid.uuid4()
project_name = "project42"
pools_repo = ResourcePoolsRepository(db_session)
new_resource_pool = ResourcePoolCreate(name="pool1")
pool_in_db = await pools_repo.create_resource_pool(new_resource_pool)
resource_create = ResourceCreate(resource_id=project_id, resource_type="project", name=project_name)
resource = await pools_repo.create_resource(resource_create)
await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
group_id = (await UsersRepository(db_session).get_user_group_by_name("Users")).user_group_id
role_id = (await RbacRepository(db_session).get_role_by_name("User")).role_id
ace = ACECreate(
path=f"/pools/{pool_in_db.resource_pool_id}",
ace_type="group",
propagate=False,
group_id=str(group_id),
role_id=str(role_id)
)
await RbacRepository(db_session).create_ace(ace)
privilege = "Project.Audit"
path = f"/projects/{project_id}"
authorized = await RbacRepository(db_session).check_user_has_privilege(test_user.user_id, path, privilege)
assert authorized is True
async def test_list_projects_in_resource_pool(
self,
app: FastAPI,
controller: Controller,
authorized_client: AsyncClient,
db_session: AsyncSession
) -> None:
uuid1 = str(uuid.uuid4())
uuid2 = str(uuid.uuid4())
uuid3 = str(uuid.uuid4())
await controller.add_project(project_id=uuid1, name="Project1")
await controller.add_project(project_id=uuid2, name="Project2")
await controller.add_project(project_id=uuid3, name="Project3")
# user has no access to projects (no ACE on /projects or resource pools)
response = await authorized_client.get(app.url_path_for("get_projects"))
assert response.status_code == status.HTTP_200_OK
assert len(response.json()) == 0
pools_repo = ResourcePoolsRepository(db_session)
new_resource_pool = ResourcePoolCreate(name="pool2")
pool_in_db = await pools_repo.create_resource_pool(new_resource_pool)
resource_create = ResourceCreate(resource_id=uuid2, resource_type="project", name="Project2")
resource = await pools_repo.create_resource(resource_create)
await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
group_id = (await UsersRepository(db_session).get_user_group_by_name("Users")).user_group_id
role_id = (await RbacRepository(db_session).get_role_by_name("User")).role_id
ace = ACECreate(
path=f"/pools/{pool_in_db.resource_pool_id}",
ace_type="group",
propagate=False,
group_id=str(group_id),
role_id=str(role_id)
)
await RbacRepository(db_session).create_ace(ace)
response = await authorized_client.get(app.url_path_for("get_project", project_id=uuid2))
assert response.status_code == status.HTTP_200_OK
assert response.json()["name"] == "Project2"
# user should only see one project because it is in the resource pool he has access to
response = await authorized_client.get(app.url_path_for("get_projects"))
assert response.status_code == status.HTTP_200_OK
projects = response.json()
assert len(projects) == 1
assert projects[0]["project_id"] == uuid2
ace = ACECreate(
path=f"/projects",
ace_type="group",
propagate=True,
group_id=str(group_id),
role_id=str(role_id)
)
await RbacRepository(db_session).create_ace(ace)
# now user should see all projects because he has access to /projects and the resource pool
response = await authorized_client.get(app.url_path_for("get_projects"))
assert response.status_code == status.HTTP_200_OK
projects = response.json()
assert len(projects) == 3
await RbacRepository(db_session).delete_all_ace_starting_with_path(f"/pools/{pool_in_db.resource_pool_id}")
response = await authorized_client.get(app.url_path_for("get_project", project_id=uuid2))
assert response.status_code == status.HTTP_403_FORBIDDEN
# now user should only see the projects that are not in a resource pool
response = await authorized_client.get(app.url_path_for("get_projects"))
assert response.status_code == status.HTTP_200_OK
assert len(response.json()) == 2
# class TestProjectsWithRbac: # class TestProjectsWithRbac:
# #
# async def test_admin_create_project(self, app: FastAPI, client: AsyncClient): # async def test_admin_create_project(self, app: FastAPI, client: AsyncClient):