mirror of
https://github.com/GNS3/gns3-server
synced 2024-11-28 19:28:07 +00:00
Merge remote-tracking branch 'origin/3.0' into gh-pages
This commit is contained in:
commit
91ca94c798
@ -32,6 +32,8 @@ from . import users
|
||||
from . import groups
|
||||
from . import roles
|
||||
from . import acl
|
||||
from . import pools
|
||||
from . import privileges
|
||||
|
||||
from .dependencies.authentication import get_current_active_user
|
||||
|
||||
@ -60,6 +62,13 @@ router.include_router(
|
||||
tags=["Roles"]
|
||||
)
|
||||
|
||||
router.include_router(
|
||||
privileges.router,
|
||||
dependencies=[Depends(get_current_active_user)],
|
||||
prefix="/access/privileges",
|
||||
tags=["Privileges"]
|
||||
)
|
||||
|
||||
router.include_router(
|
||||
acl.router,
|
||||
prefix="/access/acl",
|
||||
@ -123,6 +132,12 @@ router.include_router(
|
||||
tags=["Appliances"]
|
||||
)
|
||||
|
||||
router.include_router(
|
||||
pools.router,
|
||||
prefix="/pools",
|
||||
tags=["Resource pools"]
|
||||
)
|
||||
|
||||
router.include_router(
|
||||
gns3vm.router,
|
||||
dependencies=[Depends(get_current_active_user)],
|
||||
|
@ -38,6 +38,7 @@ from gns3server.db.repositories.users import UsersRepository
|
||||
from gns3server.db.repositories.rbac import RbacRepository
|
||||
from gns3server.db.repositories.images import ImagesRepository
|
||||
from gns3server.db.repositories.templates import TemplatesRepository
|
||||
from gns3server.db.repositories.pools import ResourcePoolsRepository
|
||||
from .dependencies.database import get_repository
|
||||
from .dependencies.rbac import has_privilege
|
||||
|
||||
@ -57,7 +58,8 @@ async def endpoints(
|
||||
users_repo: UsersRepository = Depends(get_repository(UsersRepository)),
|
||||
rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)),
|
||||
images_repo: ImagesRepository = Depends(get_repository(ImagesRepository)),
|
||||
templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository))
|
||||
templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)),
|
||||
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
|
||||
) -> List[dict]:
|
||||
"""
|
||||
List all endpoints to be used in ACL entries.
|
||||
@ -128,6 +130,11 @@ async def endpoints(
|
||||
for template in templates:
|
||||
add_to_endpoints(f"/templates/{template.template_id}", f'Template "{template.name}"', "template")
|
||||
|
||||
# resource pools
|
||||
add_to_endpoints("/pools", "All resource pools", "pool")
|
||||
pools = await pools_repo.get_resource_pools()
|
||||
for pool in pools:
|
||||
add_to_endpoints(f"/pools/{pool.resource_pool_id}", f'Resource pool "{pool.name}"', "pool")
|
||||
return endpoints
|
||||
|
||||
|
||||
|
@ -26,7 +26,7 @@ from gns3server.db.repositories.rbac import RbacRepository
|
||||
from gns3server.services import auth_service
|
||||
from .database import get_repository
|
||||
|
||||
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/v3/users/login", auto_error=False)
|
||||
oauth2_scheme = OAuth2PasswordBearer(tokenUrl="/v3/access/users/login", auto_error=False)
|
||||
|
||||
|
||||
async def get_user_from_token(
|
||||
|
@ -196,6 +196,11 @@ async def add_member_to_group(
|
||||
if not user:
|
||||
raise ControllerNotFoundError(f"User '{user_id}' not found")
|
||||
|
||||
user_groups = await users_repo.get_user_memberships(user_id)
|
||||
for group in user_groups:
|
||||
if group.user_group_id == user_group_id:
|
||||
raise ControllerBadRequestError(f"Username '{user.username}' is already member of group '{group.name}'")
|
||||
|
||||
user_group = await users_repo.add_member_to_user_group(user_group_id, user)
|
||||
if not user_group:
|
||||
raise ControllerNotFoundError(f"User group '{user_group_id}' not found")
|
||||
|
228
gns3server/api/routes/controller/pools.py
Normal file
228
gns3server/api/routes/controller/pools.py
Normal file
@ -0,0 +1,228 @@
|
||||
#!/usr/bin/env python
|
||||
#
|
||||
# Copyright (C) 2023 GNS3 Technologies Inc.
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
"""
|
||||
API routes for resource pools.
|
||||
"""
|
||||
|
||||
from fastapi import APIRouter, Depends, status
|
||||
from uuid import UUID
|
||||
from typing import List
|
||||
|
||||
from gns3server import schemas
|
||||
from gns3server.controller.controller_error import (
|
||||
ControllerError,
|
||||
ControllerBadRequestError,
|
||||
ControllerNotFoundError
|
||||
)
|
||||
|
||||
from gns3server.controller import Controller
|
||||
from gns3server.db.repositories.rbac import RbacRepository
|
||||
from gns3server.db.repositories.pools import ResourcePoolsRepository
|
||||
|
||||
from .dependencies.rbac import has_privilege
|
||||
from .dependencies.database import get_repository
|
||||
|
||||
import logging
|
||||
|
||||
log = logging.getLogger(__name__)
|
||||
|
||||
router = APIRouter()
|
||||
|
||||
|
||||
@router.get(
|
||||
"",
|
||||
response_model=List[schemas.ResourcePool],
|
||||
dependencies=[Depends(has_privilege("Pool.Audit"))]
|
||||
)
|
||||
async def get_resource_pools(
|
||||
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
|
||||
) -> List[schemas.ResourcePool]:
|
||||
"""
|
||||
Get all resource pools.
|
||||
|
||||
Required privilege: Pool.Audit
|
||||
"""
|
||||
|
||||
return await pools_repo.get_resource_pools()
|
||||
|
||||
|
||||
@router.post(
|
||||
"",
|
||||
response_model=schemas.ResourcePool,
|
||||
status_code=status.HTTP_201_CREATED,
|
||||
dependencies=[Depends(has_privilege("Pool.Allocate"))]
|
||||
)
|
||||
async def create_resource_pool(
|
||||
resource_pool_create: schemas.ResourcePoolCreate,
|
||||
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
|
||||
) -> schemas.ResourcePool:
|
||||
"""
|
||||
Create a new resource pool
|
||||
|
||||
Required privilege: Pool.Allocate
|
||||
"""
|
||||
|
||||
if await pools_repo.get_resource_pool_by_name(resource_pool_create.name):
|
||||
raise ControllerBadRequestError(f"Resource pool '{resource_pool_create.name}' already exists")
|
||||
|
||||
return await pools_repo.create_resource_pool(resource_pool_create)
|
||||
|
||||
|
||||
@router.get(
|
||||
"/{resource_pool_id}",
|
||||
response_model=schemas.ResourcePool,
|
||||
dependencies=[Depends(has_privilege("Pool.Audit"))]
|
||||
)
|
||||
async def get_resource_pool(
|
||||
resource_pool_id: UUID,
|
||||
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
|
||||
) -> schemas.ResourcePool:
|
||||
"""
|
||||
Get a resource pool.
|
||||
|
||||
Required privilege: Pool.Audit
|
||||
"""
|
||||
|
||||
resource_pool = await pools_repo.get_resource_pool(resource_pool_id)
|
||||
if not resource_pool:
|
||||
raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
|
||||
return resource_pool
|
||||
|
||||
|
||||
@router.put(
|
||||
"/{resource_pool_id}",
|
||||
response_model=schemas.ResourcePool,
|
||||
dependencies=[Depends(has_privilege("Pool.Modify"))]
|
||||
)
|
||||
async def update_resource_pool(
|
||||
resource_pool_id: UUID,
|
||||
resource_pool_update: schemas.ResourcePoolUpdate,
|
||||
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
|
||||
) -> schemas.ResourcePool:
|
||||
"""
|
||||
Update a resource pool.
|
||||
|
||||
Required privilege: Pool.Modify
|
||||
"""
|
||||
|
||||
resource_pool = await pools_repo.get_resource_pool(resource_pool_id)
|
||||
if not resource_pool:
|
||||
raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
|
||||
|
||||
return await pools_repo.update_resource_pool(resource_pool_id, resource_pool_update)
|
||||
|
||||
|
||||
@router.delete(
|
||||
"/{resource_pool_id}",
|
||||
status_code=status.HTTP_204_NO_CONTENT,
|
||||
dependencies=[Depends(has_privilege("Pool.Allocate"))]
|
||||
)
|
||||
async def delete_resource_pool(
|
||||
resource_pool_id: UUID,
|
||||
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)),
|
||||
rbac_repo: RbacRepository = Depends(get_repository(RbacRepository))
|
||||
) -> None:
|
||||
"""
|
||||
Delete a resource pool.
|
||||
|
||||
Required privilege: Pool.Allocate
|
||||
"""
|
||||
|
||||
resource_pool = await pools_repo.get_resource_pool(resource_pool_id)
|
||||
if not resource_pool:
|
||||
raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
|
||||
|
||||
success = await pools_repo.delete_resource_pool(resource_pool_id)
|
||||
if not success:
|
||||
raise ControllerError(f"Resource pool '{resource_pool_id}' could not be deleted")
|
||||
await rbac_repo.delete_all_ace_starting_with_path(f"/pools/{resource_pool_id}")
|
||||
|
||||
|
||||
@router.get(
|
||||
"/{resource_pool_id}/resources",
|
||||
response_model=List[schemas.Resource],
|
||||
dependencies=[Depends(has_privilege("Pool.Audit"))]
|
||||
)
|
||||
async def get_pool_resources(
|
||||
resource_pool_id: UUID,
|
||||
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)),
|
||||
) -> List[schemas.Resource]:
|
||||
"""
|
||||
Get all resource in a pool.
|
||||
|
||||
Required privilege: Pool.Audit
|
||||
"""
|
||||
|
||||
return await pools_repo.get_pool_resources(resource_pool_id)
|
||||
|
||||
|
||||
@router.put(
|
||||
"/{resource_pool_id}/resources/{resource_id}",
|
||||
status_code=status.HTTP_204_NO_CONTENT,
|
||||
dependencies=[Depends(has_privilege("Pool.Modify"))]
|
||||
)
|
||||
async def add_resource_to_pool(
|
||||
resource_pool_id: UUID,
|
||||
resource_id: UUID,
|
||||
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)),
|
||||
) -> None:
|
||||
"""
|
||||
Add resource to a resource pool.
|
||||
|
||||
Required privilege: Pool.Modify
|
||||
"""
|
||||
|
||||
resource_pool = await pools_repo.get_resource_pool(resource_pool_id)
|
||||
if not resource_pool:
|
||||
raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
|
||||
|
||||
resources = await pools_repo.get_pool_resources(resource_pool_id)
|
||||
for resource in resources:
|
||||
if resource.resource_id == resource_id:
|
||||
raise ControllerBadRequestError(f"Resource '{resource_id}' is already in '{resource_pool.name}'")
|
||||
|
||||
# we only support projects in resource pools for now
|
||||
project = Controller.instance().get_project(str(resource_id))
|
||||
resource_create = schemas.ResourceCreate(resource_id=resource_id, resource_type="project", name=project.name)
|
||||
resource = await pools_repo.create_resource(resource_create)
|
||||
await pools_repo.add_resource_to_pool(resource_pool_id, resource)
|
||||
|
||||
|
||||
@router.delete(
|
||||
"/{resource_pool_id}/resources/{resource_id}",
|
||||
status_code=status.HTTP_204_NO_CONTENT,
|
||||
dependencies=[Depends(has_privilege("Pool.Modify"))]
|
||||
)
|
||||
async def remove_resource_from_pool(
|
||||
resource_pool_id: UUID,
|
||||
resource_id: UUID,
|
||||
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository)),
|
||||
) -> None:
|
||||
"""
|
||||
Remove resource from a resource pool.
|
||||
|
||||
Required privilege: Pool.Modify
|
||||
"""
|
||||
|
||||
resource = await pools_repo.get_resource(resource_id)
|
||||
if not resource:
|
||||
raise ControllerNotFoundError(f"Resource '{resource_id}' not found")
|
||||
|
||||
resource_pool = await pools_repo.remove_resource_from_pool(resource_pool_id, resource)
|
||||
if not resource_pool:
|
||||
raise ControllerNotFoundError(f"Resource pool '{resource_pool_id}' not found")
|
43
gns3server/api/routes/controller/privileges.py
Normal file
43
gns3server/api/routes/controller/privileges.py
Normal file
@ -0,0 +1,43 @@
|
||||
#
|
||||
# Software Name : GNS3 server
|
||||
# Version: 3
|
||||
# SPDX-FileCopyrightText: Copyright (c) 2023 Orange Business Services
|
||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||
#
|
||||
# This software is distributed under the GPL-3.0 or any later version,
|
||||
# the text of which is available at https://www.gnu.org/licenses/gpl-3.0.txt
|
||||
# or see the "LICENSE" file for more details.
|
||||
#
|
||||
# Author: Sylvain MATHIEU
|
||||
#
|
||||
|
||||
"""
|
||||
API route for privileges
|
||||
"""
|
||||
|
||||
from typing import List
|
||||
from gns3server.db.repositories.rbac import RbacRepository
|
||||
from .dependencies.database import get_repository
|
||||
from fastapi import APIRouter, Depends
|
||||
import logging
|
||||
|
||||
from gns3server import schemas
|
||||
|
||||
log = logging.getLogger(__name__)
|
||||
router = APIRouter()
|
||||
|
||||
|
||||
@router.get(
|
||||
"",
|
||||
response_model=List[schemas.Privilege],
|
||||
)
|
||||
async def get_privileges(
|
||||
rbac_repo: RbacRepository = Depends(get_repository(RbacRepository))
|
||||
) -> List[schemas.Privilege]:
|
||||
"""
|
||||
Get all privileges.
|
||||
|
||||
Required privilege: None
|
||||
"""
|
||||
|
||||
return await rbac_repo.get_privileges()
|
@ -47,9 +47,11 @@ from gns3server.utils.asyncio import aiozipstream
|
||||
from gns3server.utils.path import is_safe_path
|
||||
from gns3server.db.repositories.templates import TemplatesRepository
|
||||
from gns3server.db.repositories.rbac import RbacRepository
|
||||
from gns3server.db.repositories.pools import ResourcePoolsRepository
|
||||
from gns3server.services.templates import TemplatesService
|
||||
|
||||
from .dependencies.rbac import has_privilege, has_privilege_on_websocket
|
||||
from .dependencies.authentication import get_current_active_user
|
||||
from .dependencies.database import get_repository
|
||||
|
||||
responses = {404: {"model": schemas.ErrorMessage, "description": "Could not find project"}}
|
||||
@ -69,10 +71,13 @@ def dep_project(project_id: UUID) -> Project:
|
||||
@router.get(
|
||||
"",
|
||||
response_model=List[schemas.Project],
|
||||
response_model_exclude_unset=True,
|
||||
dependencies=[Depends(has_privilege("Project.Audit"))]
|
||||
response_model_exclude_unset=True
|
||||
)
|
||||
async def get_projects() -> List[schemas.Project]:
|
||||
async def get_projects(
|
||||
current_user: schemas.User = Depends(get_current_active_user),
|
||||
rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)),
|
||||
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
|
||||
) -> List[schemas.Project]:
|
||||
"""
|
||||
Return all projects.
|
||||
|
||||
@ -80,7 +85,22 @@ async def get_projects() -> List[schemas.Project]:
|
||||
"""
|
||||
|
||||
controller = Controller.instance()
|
||||
return [p.asdict() for p in controller.projects.values()]
|
||||
projects = []
|
||||
|
||||
if current_user.is_superadmin:
|
||||
# super admin sees all projects
|
||||
return [p.asdict() for p in controller.projects.values()]
|
||||
elif await rbac_repo.check_user_has_privilege(current_user.user_id, "/projects", "Project.Audit"):
|
||||
# user with Project.Audit privilege on '/projects' sees all projects except those in resource pools
|
||||
project_ids_in_pools = [str(r.resource_id) for r in await pools_repo.get_resources() if r.resource_type == "project"]
|
||||
projects.extend([p.asdict() for p in controller.projects.values() if p.id not in project_ids_in_pools])
|
||||
|
||||
# user with Project.Audit privilege on resource pools sees the projects in these pools
|
||||
user_pool_resources = await rbac_repo.get_user_pool_resources(current_user.user_id, "Project.Audit")
|
||||
project_ids_in_pools = [str(r.resource_id) for r in user_pool_resources if r.resource_type == "project"]
|
||||
projects.extend([p.asdict() for p in controller.projects.values() if p.id in project_ids_in_pools])
|
||||
|
||||
return projects
|
||||
|
||||
|
||||
@router.post(
|
||||
|
@ -488,8 +488,9 @@ class DockerVM(BaseNode):
|
||||
params["Env"].append(f"DISPLAY=:{self._display}")
|
||||
params["HostConfig"]["Mounts"].append({
|
||||
"Type": "bind",
|
||||
"Source": "/tmp/.X11-unix/",
|
||||
"Target": "/tmp/.X11-unix/"
|
||||
"Source": f"/tmp/.X11-unix/X{self._display}",
|
||||
"Target": f"/tmp/.X11-unix/X{self._display}",
|
||||
"ReadOnly": True
|
||||
})
|
||||
|
||||
if self._extra_hosts:
|
||||
|
@ -147,6 +147,15 @@ class Config:
|
||||
|
||||
return os.path.dirname(self._main_config_file)
|
||||
|
||||
@property
|
||||
def controller_vars(self):
|
||||
"""
|
||||
Return the controller variables file path.
|
||||
"""
|
||||
|
||||
controller_vars_filename = "gns3_controller.vars"
|
||||
return os.path.join(self.config_dir, controller_vars_filename)
|
||||
|
||||
@property
|
||||
def server_config(self):
|
||||
"""
|
||||
|
@ -21,6 +21,7 @@ import uuid
|
||||
import shutil
|
||||
import asyncio
|
||||
import random
|
||||
import json
|
||||
|
||||
try:
|
||||
import importlib_resources
|
||||
@ -42,7 +43,7 @@ from .topology import load_topology
|
||||
from .gns3vm import GNS3VM
|
||||
from .gns3vm.gns3_vm_error import GNS3VMError
|
||||
from .controller_error import ControllerError, ControllerNotFoundError
|
||||
|
||||
from ..version import __version__
|
||||
|
||||
import logging
|
||||
|
||||
@ -64,7 +65,9 @@ class Controller:
|
||||
self.symbols = Symbols()
|
||||
self._appliance_manager = ApplianceManager()
|
||||
self._iou_license_settings = {"iourc_content": "", "license_check": True}
|
||||
self._config_loaded = False
|
||||
self._vars_loaded = False
|
||||
self._vars_file = Config.instance().controller_vars
|
||||
log.info(f'Loading controller vars file "{self._vars_file}"')
|
||||
|
||||
async def start(self, computes=None):
|
||||
|
||||
@ -83,7 +86,7 @@ class Controller:
|
||||
if host == "0.0.0.0":
|
||||
host = "127.0.0.1"
|
||||
|
||||
self._load_controller_settings()
|
||||
self._load_controller_vars()
|
||||
|
||||
if server_config.enable_ssl:
|
||||
self._ssl_context = self._create_ssl_context(server_config)
|
||||
@ -185,7 +188,7 @@ class Controller:
|
||||
async def reload(self):
|
||||
|
||||
log.info("Controller is reloading")
|
||||
self._load_controller_settings()
|
||||
self._load_controller_vars()
|
||||
|
||||
# remove all projects deleted from disk.
|
||||
for project in self._projects.copy().values():
|
||||
@ -198,65 +201,54 @@ class Controller:
|
||||
|
||||
def save(self):
|
||||
"""
|
||||
Save the controller configuration on disk
|
||||
Save the controller vars on disk
|
||||
"""
|
||||
|
||||
if self._config_loaded is False:
|
||||
return
|
||||
controller_vars = dict()
|
||||
if self._vars_loaded:
|
||||
controller_vars = {
|
||||
"appliances_etag": self._appliance_manager.appliances_etag,
|
||||
"version": __version__
|
||||
}
|
||||
|
||||
if self._iou_license_settings["iourc_content"]:
|
||||
if self._iou_license_settings["iourc_content"]:
|
||||
|
||||
iou_config = Config.instance().settings.IOU
|
||||
server_config = Config.instance().settings.Server
|
||||
iou_config = Config.instance().settings.IOU
|
||||
server_config = Config.instance().settings.Server
|
||||
|
||||
if iou_config.iourc_path:
|
||||
iourc_path = iou_config.iourc_path
|
||||
else:
|
||||
os.makedirs(server_config.secrets_dir, exist_ok=True)
|
||||
iourc_path = os.path.join(server_config.secrets_dir, "gns3_iourc_license")
|
||||
if iou_config.iourc_path:
|
||||
iourc_path = iou_config.iourc_path
|
||||
else:
|
||||
os.makedirs(server_config.secrets_dir, exist_ok=True)
|
||||
iourc_path = os.path.join(server_config.secrets_dir, "gns3_iourc_license")
|
||||
|
||||
try:
|
||||
with open(iourc_path, "w+") as f:
|
||||
f.write(self._iou_license_settings["iourc_content"])
|
||||
log.info(f"iourc file '{iourc_path}' saved")
|
||||
except OSError as e:
|
||||
log.error(f"Cannot write IOU license file '{iourc_path}': {e}")
|
||||
try:
|
||||
with open(iourc_path, "w+") as f:
|
||||
f.write(self._iou_license_settings["iourc_content"])
|
||||
log.info(f"iourc file '{iourc_path}' saved")
|
||||
except OSError as e:
|
||||
log.error(f"Cannot write IOU license file '{iourc_path}': {e}")
|
||||
|
||||
if self._appliance_manager.appliances_etag:
|
||||
etag_directory = os.path.dirname(Config.instance().server_config)
|
||||
os.makedirs(etag_directory, exist_ok=True)
|
||||
etag_appliances_path = os.path.join(etag_directory, "gns3_appliances_etag")
|
||||
try:
|
||||
os.makedirs(os.path.dirname(self._vars_file), exist_ok=True)
|
||||
with open(self._vars_file, 'w+') as f:
|
||||
json.dump(controller_vars, f, indent=4)
|
||||
except OSError as e:
|
||||
log.error(f"Cannot write controller vars file '{self._vars_file}': {e}")
|
||||
|
||||
try:
|
||||
with open(etag_appliances_path, "w+") as f:
|
||||
f.write(self._appliance_manager.appliances_etag)
|
||||
log.info(f"etag appliances file '{etag_appliances_path}' saved")
|
||||
except OSError as e:
|
||||
log.error(f"Cannot write Etag appliance file '{etag_appliances_path}': {e}")
|
||||
|
||||
def _load_controller_settings(self):
|
||||
def _load_controller_vars(self):
|
||||
"""
|
||||
Reload the controller configuration from disk
|
||||
Reload the controller vars from disk
|
||||
"""
|
||||
|
||||
# try:
|
||||
# if not os.path.exists(self._config_file):
|
||||
# self._config_loaded = True
|
||||
# self.save()
|
||||
# with open(self._config_file) as f:
|
||||
# controller_settings = json.load(f)
|
||||
# except (OSError, ValueError) as e:
|
||||
# log.critical("Cannot load configuration file '{}': {}".format(self._config_file, e))
|
||||
# return []
|
||||
|
||||
# load GNS3 VM settings
|
||||
# if "gns3vm" in controller_settings:
|
||||
# gns3_vm_settings = controller_settings["gns3vm"]
|
||||
# if "port" not in gns3_vm_settings:
|
||||
# # port setting was added in version 2.2.8
|
||||
# # the default port was 3080 before this
|
||||
# gns3_vm_settings["port"] = 3080
|
||||
# self.gns3vm.settings = gns3_vm_settings
|
||||
try:
|
||||
if not os.path.exists(self._vars_file):
|
||||
self.save() # this will create the vars file
|
||||
with open(self._vars_file) as f:
|
||||
controller_vars = json.load(f)
|
||||
except (OSError, ValueError) as e:
|
||||
log.critical(f"Cannot load controller vars file '{self._vars_file}': {e}")
|
||||
return []
|
||||
|
||||
# load the IOU license settings
|
||||
iou_config = Config.instance().settings.IOU
|
||||
@ -276,27 +268,19 @@ class Controller:
|
||||
log.info(f"iourc file '{iourc_path}' loaded")
|
||||
except OSError as e:
|
||||
log.error(f"Cannot read IOU license file '{iourc_path}': {e}")
|
||||
|
||||
self._iou_license_settings["license_check"] = iou_config.license_check
|
||||
|
||||
etag_directory = os.path.dirname(Config.instance().server_config)
|
||||
etag_appliances_path = os.path.join(etag_directory, "gns3_appliances_etag")
|
||||
self._appliance_manager.appliances_etag = None
|
||||
if os.path.exists(etag_appliances_path):
|
||||
try:
|
||||
with open(etag_appliances_path) as f:
|
||||
self._appliance_manager.appliances_etag = f.read()
|
||||
log.info(f"etag appliances file '{etag_appliances_path}' loaded")
|
||||
except OSError as e:
|
||||
log.error(f"Cannot read Etag appliance file '{etag_appliances_path}': {e}")
|
||||
previous_version = controller_vars.get("version")
|
||||
log.info("Comparing controller version {} with config version {}".format(__version__, previous_version))
|
||||
if not previous_version or \
|
||||
parse_version(__version__.split("+")[0]) > parse_version(previous_version.split("+")[0]):
|
||||
self._appliance_manager.install_builtin_appliances()
|
||||
elif not os.listdir(self._appliance_manager.builtin_appliances_path()):
|
||||
self._appliance_manager.install_builtin_appliances()
|
||||
|
||||
# FIXME install builtin appliances only once, need to store "version" somewhere...
|
||||
#if parse_version(__version__.split("+")[0]) > parse_version(controller_settings.get("version", "")):
|
||||
# self._appliance_manager.install_builtin_appliances()
|
||||
|
||||
self._appliance_manager.install_builtin_appliances()
|
||||
self._appliance_manager.appliances_etag = controller_vars.get("appliances_etag")
|
||||
self._appliance_manager.load_appliances()
|
||||
self._config_loaded = True
|
||||
self._vars_loaded = True
|
||||
|
||||
async def load_projects(self):
|
||||
"""
|
||||
@ -420,7 +404,6 @@ class Controller:
|
||||
|
||||
compute = Compute(compute_id=compute_id, controller=self, name=name, **kwargs)
|
||||
self._computes[compute.id] = compute
|
||||
# self.save()
|
||||
if connect:
|
||||
if wait_connection:
|
||||
await compute.connect()
|
||||
@ -470,7 +453,6 @@ class Controller:
|
||||
await self.close_compute_projects(compute)
|
||||
await compute.close()
|
||||
del self._computes[compute_id]
|
||||
# self.save()
|
||||
self.notification.controller_emit("compute.deleted", compute.asdict())
|
||||
|
||||
@property
|
||||
|
@ -21,6 +21,7 @@ import json
|
||||
import asyncio
|
||||
import aiofiles
|
||||
import shutil
|
||||
import platformdirs
|
||||
|
||||
|
||||
from typing import Tuple, List
|
||||
@ -94,13 +95,13 @@ class ApplianceManager:
|
||||
os.makedirs(appliances_path, exist_ok=True)
|
||||
return appliances_path
|
||||
|
||||
def _builtin_appliances_path(self, delete_first=False):
|
||||
def builtin_appliances_path(self, delete_first=False):
|
||||
"""
|
||||
Get the built-in appliance storage directory
|
||||
"""
|
||||
|
||||
config = Config.instance()
|
||||
appliances_dir = os.path.join(config.config_dir, "appliances")
|
||||
appname = vendor = "GNS3"
|
||||
appliances_dir = os.path.join(platformdirs.user_data_dir(appname, vendor, roaming=True), "appliances")
|
||||
if delete_first:
|
||||
shutil.rmtree(appliances_dir, ignore_errors=True)
|
||||
os.makedirs(appliances_dir, exist_ok=True)
|
||||
@ -111,7 +112,7 @@ class ApplianceManager:
|
||||
At startup we copy the built-in appliances files.
|
||||
"""
|
||||
|
||||
dst_path = self._builtin_appliances_path(delete_first=True)
|
||||
dst_path = self.builtin_appliances_path(delete_first=True)
|
||||
log.info(f"Installing built-in appliances in '{dst_path}'")
|
||||
from . import Controller
|
||||
try:
|
||||
@ -316,7 +317,7 @@ class ApplianceManager:
|
||||
self._appliances = {}
|
||||
for directory, builtin in (
|
||||
(
|
||||
self._builtin_appliances_path(),
|
||||
self.builtin_appliances_path(),
|
||||
True,
|
||||
),
|
||||
(
|
||||
@ -434,7 +435,7 @@ class ApplianceManager:
|
||||
|
||||
Controller.instance().save()
|
||||
json_data = await response.json()
|
||||
appliances_dir = self._builtin_appliances_path()
|
||||
appliances_dir = self.builtin_appliances_path()
|
||||
downloaded_appliance_files = []
|
||||
for appliance in json_data:
|
||||
if appliance["type"] == "file":
|
||||
|
@ -22,7 +22,7 @@ from .roles import Role
|
||||
from .privileges import Privilege
|
||||
from .computes import Compute
|
||||
from .images import Image
|
||||
from .resource_pools import Resource, ResourcePool
|
||||
from .pools import Resource, ResourcePool
|
||||
from .templates import (
|
||||
Template,
|
||||
CloudTemplate,
|
||||
|
@ -95,6 +95,18 @@ def create_default_roles(target, connection, **kw):
|
||||
"description": "Update an ACE",
|
||||
"name": "ACE.Modify"
|
||||
},
|
||||
{
|
||||
"description": "Create or delete a resource pool",
|
||||
"name": "Pool.Allocate"
|
||||
},
|
||||
{
|
||||
"description": "View a resource pool",
|
||||
"name": "Pool.Audit"
|
||||
},
|
||||
{
|
||||
"description": "Update a resource pool",
|
||||
"name": "Pool.Modify"
|
||||
},
|
||||
{
|
||||
"description": "Create or delete a template",
|
||||
"name": "Template.Allocate"
|
||||
|
206
gns3server/db/repositories/pools.py
Normal file
206
gns3server/db/repositories/pools.py
Normal file
@ -0,0 +1,206 @@
|
||||
#!/usr/bin/env python
|
||||
#
|
||||
# Copyright (C) 2023 GNS3 Technologies Inc.
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
from uuid import UUID
|
||||
from typing import Optional, List, Union
|
||||
from sqlalchemy import select, update, delete
|
||||
from sqlalchemy.ext.asyncio import AsyncSession
|
||||
from sqlalchemy.orm import selectinload
|
||||
|
||||
from .base import BaseRepository
|
||||
|
||||
import gns3server.db.models as models
|
||||
from gns3server import schemas
|
||||
|
||||
import logging
|
||||
|
||||
log = logging.getLogger(__name__)
|
||||
|
||||
|
||||
class ResourcePoolsRepository(BaseRepository):
|
||||
|
||||
def __init__(self, db_session: AsyncSession) -> None:
|
||||
|
||||
super().__init__(db_session)
|
||||
|
||||
async def get_resource(self, resource_id: UUID) -> Optional[models.Resource]:
|
||||
"""
|
||||
Get a resource by its ID.
|
||||
"""
|
||||
|
||||
query = select(models.Resource).where(models.Resource.resource_id == resource_id)
|
||||
result = await self._db_session.execute(query)
|
||||
return result.scalars().first()
|
||||
|
||||
async def get_resources(self) -> List[models.Resource]:
|
||||
"""
|
||||
Get all resources.
|
||||
"""
|
||||
|
||||
query = select(models.Resource)
|
||||
result = await self._db_session.execute(query)
|
||||
return result.scalars().all()
|
||||
|
||||
async def create_resource(self, resource: schemas.ResourceCreate) -> models.Resource:
|
||||
"""
|
||||
Create a new resource.
|
||||
"""
|
||||
|
||||
db_resource = models.Resource(
|
||||
resource_id=resource.resource_id,
|
||||
resource_type=resource.resource_type,
|
||||
name=resource.name
|
||||
)
|
||||
self._db_session.add(db_resource)
|
||||
await self._db_session.commit()
|
||||
await self._db_session.refresh(db_resource)
|
||||
return db_resource
|
||||
|
||||
async def delete_resource(self, resource_id: UUID) -> bool:
|
||||
"""
|
||||
Delete a resource.
|
||||
"""
|
||||
|
||||
query = delete(models.Resource).where(models.Resource.resource_id == resource_id)
|
||||
result = await self._db_session.execute(query)
|
||||
await self._db_session.commit()
|
||||
return result.rowcount > 0
|
||||
|
||||
async def get_resource_pool(self, resource_pool_id: UUID) -> Optional[models.ResourcePool]:
|
||||
"""
|
||||
Get a resource pool by its ID.
|
||||
"""
|
||||
|
||||
query = select(models.ResourcePool).where(models.ResourcePool.resource_pool_id == resource_pool_id)
|
||||
result = await self._db_session.execute(query)
|
||||
return result.scalars().first()
|
||||
|
||||
async def get_resource_pool_by_name(self, name: str) -> Optional[models.ResourcePool]:
|
||||
"""
|
||||
Get a resource pool by its name.
|
||||
"""
|
||||
|
||||
query = select(models.ResourcePool).where(models.ResourcePool.name == name)
|
||||
result = await self._db_session.execute(query)
|
||||
return result.scalars().first()
|
||||
|
||||
async def get_resource_pools(self) -> List[models.ResourcePool]:
|
||||
"""
|
||||
Get all resource pools.
|
||||
"""
|
||||
|
||||
query = select(models.ResourcePool)
|
||||
result = await self._db_session.execute(query)
|
||||
return result.scalars().all()
|
||||
|
||||
async def create_resource_pool(self, resource_pool: schemas.ResourcePoolCreate) -> models.ResourcePool:
|
||||
"""
|
||||
Create a new resource pool.
|
||||
"""
|
||||
|
||||
db_resource_pool = models.ResourcePool(name=resource_pool.name)
|
||||
self._db_session.add(db_resource_pool)
|
||||
await self._db_session.commit()
|
||||
await self._db_session.refresh(db_resource_pool)
|
||||
return db_resource_pool
|
||||
|
||||
async def update_resource_pool(
|
||||
self,
|
||||
resource_pool_id: UUID,
|
||||
resource_pool_update: schemas.ResourcePoolUpdate
|
||||
) -> Optional[models.ResourcePool]:
|
||||
"""
|
||||
Update a resource pool.
|
||||
"""
|
||||
|
||||
update_values = resource_pool_update.model_dump(exclude_unset=True)
|
||||
query = update(models.ResourcePool).\
|
||||
where(models.ResourcePool.resource_pool_id == resource_pool_id).\
|
||||
values(update_values)
|
||||
|
||||
await self._db_session.execute(query)
|
||||
await self._db_session.commit()
|
||||
resource_pool_db = await self.get_resource_pool(resource_pool_id)
|
||||
if resource_pool_db:
|
||||
await self._db_session.refresh(resource_pool_db) # force refresh of updated_at value
|
||||
return resource_pool_db
|
||||
|
||||
async def delete_resource_pool(self, resource_pool_id: UUID) -> bool:
|
||||
"""
|
||||
Delete a resource pool.
|
||||
"""
|
||||
|
||||
query = delete(models.ResourcePool).where(models.ResourcePool.resource_pool_id == resource_pool_id)
|
||||
result = await self._db_session.execute(query)
|
||||
await self._db_session.commit()
|
||||
return result.rowcount > 0
|
||||
|
||||
async def add_resource_to_pool(
|
||||
self,
|
||||
resource_pool_id: UUID,
|
||||
resource: models.Resource
|
||||
) -> Union[None, models.ResourcePool]:
|
||||
"""
|
||||
Add a resource to a resource pool.
|
||||
"""
|
||||
|
||||
query = select(models.ResourcePool).\
|
||||
options(selectinload(models.ResourcePool.resources)).\
|
||||
where(models.ResourcePool.resource_pool_id == resource_pool_id)
|
||||
result = await self._db_session.execute(query)
|
||||
resource_pool_db = result.scalars().first()
|
||||
if not resource_pool_db:
|
||||
return None
|
||||
|
||||
resource_pool_db.resources.append(resource)
|
||||
await self._db_session.commit()
|
||||
await self._db_session.refresh(resource_pool_db)
|
||||
return resource_pool_db
|
||||
|
||||
async def remove_resource_from_pool(
|
||||
self,
|
||||
resource_pool_id: UUID,
|
||||
resource: models.Resource
|
||||
) -> Union[None, models.ResourcePool]:
|
||||
"""
|
||||
Remove a resource from a resource pool.
|
||||
"""
|
||||
|
||||
query = select(models.ResourcePool).\
|
||||
options(selectinload(models.ResourcePool.resources)).\
|
||||
where(models.ResourcePool.resource_pool_id == resource_pool_id)
|
||||
result = await self._db_session.execute(query)
|
||||
resource_pool_db = result.scalars().first()
|
||||
if not resource_pool_db:
|
||||
return None
|
||||
|
||||
resource_pool_db.resources.remove(resource)
|
||||
await self._db_session.commit()
|
||||
await self._db_session.refresh(resource_pool_db)
|
||||
return resource_pool_db
|
||||
|
||||
async def get_pool_resources(self, resource_pool_id: UUID) -> List[models.Resource]:
|
||||
"""
|
||||
Get all resources from a resource pool.
|
||||
"""
|
||||
|
||||
query = select(models.Resource).\
|
||||
join(models.Resource.resource_pools).\
|
||||
filter(models.ResourcePool.resource_pool_id == resource_pool_id)
|
||||
|
||||
result = await self._db_session.execute(query)
|
||||
return result.scalars().all()
|
@ -18,7 +18,7 @@
|
||||
from uuid import UUID
|
||||
from urllib.parse import urlparse
|
||||
from typing import Optional, List, Union
|
||||
from sqlalchemy import select, update, delete, null
|
||||
from sqlalchemy import select, update, delete
|
||||
from sqlalchemy.ext.asyncio import AsyncSession
|
||||
from sqlalchemy.orm import selectinload
|
||||
|
||||
@ -309,6 +309,75 @@ class RbacRepository(BaseRepository):
|
||||
return True # only allow if the path is the original path or the ACE is set to propagate
|
||||
return False
|
||||
|
||||
async def _get_resources_in_pools(self, aces, path: str = None) -> List[models.Resource]:
|
||||
"""
|
||||
Get all resources in pools.
|
||||
"""
|
||||
|
||||
pool_resources = []
|
||||
for ace_path, ace_propagate, ace_allowed, ace_privilege in aces:
|
||||
if ace_path.startswith("/pool"):
|
||||
resource_pool_id = ace_path.split("/")[2]
|
||||
query = select(models.Resource). \
|
||||
join(models.Resource.resource_pools). \
|
||||
filter(models.ResourcePool.resource_pool_id == resource_pool_id)
|
||||
|
||||
result = await self._db_session.execute(query)
|
||||
resources = result.scalars().all()
|
||||
|
||||
for resource in resources:
|
||||
# we only support projects in resource pools for now
|
||||
if resource.resource_type == "project":
|
||||
if path:
|
||||
if path.startswith(f"/projects/{resource.resource_id}"):
|
||||
pool_resources.append(resource)
|
||||
else:
|
||||
pool_resources.append(resource)
|
||||
return pool_resources
|
||||
|
||||
async def _get_user_aces(self, user_id: UUID, privilege_name: str):
|
||||
"""
|
||||
Retrieve all user ACEs matching the user_id and privilege name.
|
||||
"""
|
||||
|
||||
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name).\
|
||||
join(models.Privilege.roles).\
|
||||
join(models.Role.acl_entries).\
|
||||
join(models.ACE.user). \
|
||||
filter(models.User.user_id == user_id).\
|
||||
filter(models.Privilege.name == privilege_name).\
|
||||
order_by(models.ACE.path.desc())
|
||||
|
||||
result = await self._db_session.execute(query)
|
||||
return result.all()
|
||||
|
||||
async def _get_group_aces(self, user_id: UUID, privilege_name: str):
|
||||
"""
|
||||
Retrieve all group ACEs matching the user_id and privilege name.
|
||||
"""
|
||||
|
||||
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name). \
|
||||
join(models.Privilege.roles). \
|
||||
join(models.Role.acl_entries). \
|
||||
join(models.ACE.group). \
|
||||
join(models.UserGroup.users).\
|
||||
filter(models.User.user_id == user_id). \
|
||||
filter(models.Privilege.name == privilege_name)
|
||||
|
||||
result = await self._db_session.execute(query)
|
||||
return result.all()
|
||||
|
||||
async def get_user_pool_resources(self, user_id: UUID, privilege_name: str) -> List[models.Resource]:
|
||||
"""
|
||||
Get all resources in pools belonging to a user and groups
|
||||
"""
|
||||
|
||||
user_aces = await self._get_user_aces(user_id, privilege_name)
|
||||
pool_resources = await self._get_resources_in_pools(user_aces)
|
||||
group_aces = await self._get_group_aces(user_id, privilege_name)
|
||||
pool_resources.extend(await self._get_resources_in_pools(group_aces))
|
||||
return list(set(pool_resources))
|
||||
|
||||
async def check_user_has_privilege(self, user_id: UUID, path: str, privilege_name: str) -> bool:
|
||||
"""
|
||||
Resource paths form a file system like tree and privileges can be inherited by paths down that tree
|
||||
@ -321,38 +390,34 @@ class RbacRepository(BaseRepository):
|
||||
* Privileges on deeper levels replace those inherited from an upper level.
|
||||
"""
|
||||
|
||||
# retrieve all user ACEs matching the user_id and privilege name
|
||||
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name).\
|
||||
join(models.Privilege.roles).\
|
||||
join(models.Role.acl_entries).\
|
||||
join(models.ACE.user). \
|
||||
filter(models.User.user_id == user_id).\
|
||||
filter(models.Privilege.name == privilege_name).\
|
||||
order_by(models.ACE.path.desc())
|
||||
|
||||
query = select(models.Resource)
|
||||
result = await self._db_session.execute(query)
|
||||
aces = result.all()
|
||||
resources = result.scalars().all()
|
||||
projects_in_pools = [f"/projects/{r.resource_id}" for r in resources if r.resource_type == "project"]
|
||||
path_is_in_pool = False
|
||||
for project_in_pool in projects_in_pools:
|
||||
if path.startswith(project_in_pool):
|
||||
path_is_in_pool = True
|
||||
break
|
||||
|
||||
aces = await self._get_user_aces(user_id, privilege_name)
|
||||
try:
|
||||
if self._check_path_with_aces(path, aces):
|
||||
# the user has an ACE matching the path and privilege,there is no need to check group ACEs
|
||||
if path_is_in_pool:
|
||||
if await self._get_resources_in_pools(aces, path):
|
||||
return True
|
||||
elif self._check_path_with_aces(path, aces):
|
||||
# the user has an ACE matching the path and privilege, there is no need to check group ACEs
|
||||
return True
|
||||
except PermissionError:
|
||||
return False
|
||||
|
||||
# retrieve all group ACEs matching the user_id and privilege name
|
||||
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name). \
|
||||
join(models.Privilege.roles). \
|
||||
join(models.Role.acl_entries). \
|
||||
join(models.ACE.group). \
|
||||
join(models.UserGroup.users).\
|
||||
filter(models.User.user_id == user_id). \
|
||||
filter(models.Privilege.name == privilege_name)
|
||||
|
||||
result = await self._db_session.execute(query)
|
||||
aces = result.all()
|
||||
|
||||
aces = await self._get_group_aces(user_id, privilege_name)
|
||||
try:
|
||||
return self._check_path_with_aces(path, aces)
|
||||
if path_is_in_pool:
|
||||
if await self._get_resources_in_pools(aces, path):
|
||||
return True
|
||||
elif self._check_path_with_aces(path, aces):
|
||||
return True
|
||||
except PermissionError:
|
||||
return False
|
||||
return False
|
||||
|
@ -31,6 +31,7 @@ from .controller.nodes import NodeCreate, NodeUpdate, NodeDuplicate, NodeCapture
|
||||
from .controller.projects import ProjectCreate, ProjectUpdate, ProjectDuplicate, Project, ProjectFile, ProjectCompression
|
||||
from .controller.users import UserCreate, UserUpdate, LoggedInUserUpdate, User, Credentials, UserGroupCreate, UserGroupUpdate, UserGroup
|
||||
from .controller.rbac import RoleCreate, RoleUpdate, Role, Privilege, ACECreate, ACEUpdate, ACE
|
||||
from .controller.pools import Resource, ResourceCreate, ResourcePoolCreate, ResourcePoolUpdate, ResourcePool
|
||||
from .controller.tokens import Token
|
||||
from .controller.snapshots import SnapshotCreate, Snapshot
|
||||
from .controller.iou_license import IOULicense
|
||||
|
81
gns3server/schemas/controller/pools.py
Normal file
81
gns3server/schemas/controller/pools.py
Normal file
@ -0,0 +1,81 @@
|
||||
#
|
||||
# Copyright (C) 2020 GNS3 Technologies Inc.
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
from typing import Optional
|
||||
from pydantic import ConfigDict, BaseModel, Field
|
||||
from uuid import UUID
|
||||
from enum import Enum
|
||||
|
||||
from .base import DateTimeModelMixin
|
||||
|
||||
|
||||
class ResourceType(str, Enum):
|
||||
|
||||
project = "project"
|
||||
|
||||
|
||||
class ResourceBase(BaseModel):
|
||||
"""
|
||||
Common resource properties.
|
||||
"""
|
||||
|
||||
resource_id: UUID
|
||||
resource_type: ResourceType = Field(..., description="Type of the resource")
|
||||
name: Optional[str] = None
|
||||
model_config = ConfigDict(use_enum_values=True)
|
||||
|
||||
|
||||
class ResourceCreate(ResourceBase):
|
||||
"""
|
||||
Properties to create a resource.
|
||||
"""
|
||||
|
||||
pass
|
||||
|
||||
|
||||
class Resource(DateTimeModelMixin, ResourceBase):
|
||||
|
||||
model_config = ConfigDict(from_attributes=True)
|
||||
|
||||
|
||||
class ResourcePoolBase(BaseModel):
|
||||
"""
|
||||
Common resource pool properties.
|
||||
"""
|
||||
|
||||
name: str
|
||||
|
||||
|
||||
class ResourcePoolCreate(ResourcePoolBase):
|
||||
"""
|
||||
Properties to create a resource pool.
|
||||
"""
|
||||
|
||||
pass
|
||||
|
||||
|
||||
class ResourcePoolUpdate(ResourcePoolBase):
|
||||
"""
|
||||
Properties to update a resource pool.
|
||||
"""
|
||||
|
||||
pass
|
||||
|
||||
|
||||
class ResourcePool(DateTimeModelMixin, ResourcePoolBase):
|
||||
|
||||
resource_pool_id: UUID
|
||||
model_config = ConfigDict(from_attributes=True)
|
@ -1,5 +1,5 @@
|
||||
uvicorn==0.22.0 # v0.22.0 is the last to support Python 3.7
|
||||
fastapi==0.103.0
|
||||
fastapi==0.103.1
|
||||
python-multipart==0.0.6
|
||||
websockets==11.0.3
|
||||
aiohttp>=3.8.5,<3.9
|
||||
@ -10,7 +10,7 @@ sentry-sdk==1.30.0,<1.31
|
||||
psutil==5.9.5
|
||||
distro>=1.8.0
|
||||
py-cpuinfo==9.0.0
|
||||
sqlalchemy==2.0.18
|
||||
sqlalchemy==2.0.20
|
||||
aiosqlite==0.19.0
|
||||
alembic==1.12.0
|
||||
passlib[bcrypt]==1.7.4
|
||||
@ -18,4 +18,5 @@ python-jose==3.3.0
|
||||
email-validator==2.0.0.post2
|
||||
watchfiles==0.20.0
|
||||
zstandard==0.21.0
|
||||
platformdirs==3.10.0
|
||||
importlib_resources>=1.3
|
||||
|
@ -22,7 +22,7 @@ from httpx import AsyncClient
|
||||
|
||||
from sqlalchemy.ext.asyncio import AsyncSession
|
||||
from gns3server.db.repositories.users import UsersRepository
|
||||
from gns3server.schemas.controller.users import User
|
||||
from gns3server.schemas.controller.users import User, UserGroupCreate
|
||||
|
||||
pytestmark = pytest.mark.asyncio
|
||||
|
||||
@ -106,7 +106,7 @@ class TestGroupRoutes:
|
||||
|
||||
class TestGroupMembersRoutes:
|
||||
|
||||
async def test_add_member_to_group(
|
||||
async def test_add_to_group_already_member(
|
||||
self,
|
||||
app: FastAPI,
|
||||
client: AsyncClient,
|
||||
@ -123,6 +123,28 @@ class TestGroupMembersRoutes:
|
||||
user_id=str(test_user.user_id)
|
||||
)
|
||||
)
|
||||
assert response.status_code == status.HTTP_400_BAD_REQUEST
|
||||
|
||||
async def test_add_member_to_group(
|
||||
self,
|
||||
app: FastAPI,
|
||||
client: AsyncClient,
|
||||
test_user: User,
|
||||
db_session: AsyncSession
|
||||
) -> None:
|
||||
|
||||
user_repo = UsersRepository(db_session)
|
||||
new_user_group = UserGroupCreate(
|
||||
name="test_group",
|
||||
)
|
||||
group_in_db = await user_repo.create_user_group(new_user_group)
|
||||
response = await client.put(
|
||||
app.url_path_for(
|
||||
"add_member_to_group",
|
||||
user_group_id=group_in_db.user_group_id,
|
||||
user_id=str(test_user.user_id)
|
||||
)
|
||||
)
|
||||
assert response.status_code == status.HTTP_204_NO_CONTENT
|
||||
members = await user_repo.get_user_group_members(group_in_db.user_group_id)
|
||||
assert len(members) == 1
|
||||
@ -136,7 +158,7 @@ class TestGroupMembersRoutes:
|
||||
) -> None:
|
||||
|
||||
user_repo = UsersRepository(db_session)
|
||||
group_in_db = await user_repo.get_user_group_by_name("Users")
|
||||
group_in_db = await user_repo.get_user_group_by_name("test_group")
|
||||
response = await client.get(
|
||||
app.url_path_for(
|
||||
"get_user_group_members",
|
||||
@ -154,7 +176,7 @@ class TestGroupMembersRoutes:
|
||||
) -> None:
|
||||
|
||||
user_repo = UsersRepository(db_session)
|
||||
group_in_db = await user_repo.get_user_group_by_name("Users")
|
||||
group_in_db = await user_repo.get_user_group_by_name("test_group")
|
||||
|
||||
response = await client.delete(
|
||||
app.url_path_for(
|
||||
|
183
tests/api/routes/controller/test_pools.py
Normal file
183
tests/api/routes/controller/test_pools.py
Normal file
@ -0,0 +1,183 @@
|
||||
#!/usr/bin/env python
|
||||
#
|
||||
# Copyright (C) 2023 GNS3 Technologies Inc.
|
||||
#
|
||||
# This program is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This program is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
import uuid
|
||||
import pytest
|
||||
import pytest_asyncio
|
||||
|
||||
from fastapi import FastAPI, status
|
||||
from httpx import AsyncClient
|
||||
|
||||
from sqlalchemy.ext.asyncio import AsyncSession
|
||||
from gns3server.db.repositories.pools import ResourcePoolsRepository
|
||||
from gns3server.controller import Controller
|
||||
from gns3server.controller.project import Project
|
||||
from gns3server.schemas.controller.pools import ResourceCreate, ResourcePoolCreate
|
||||
|
||||
pytestmark = pytest.mark.asyncio
|
||||
|
||||
|
||||
class TestPoolRoutes:
|
||||
|
||||
async def test_resource_pool(self, app: FastAPI, client: AsyncClient) -> None:
|
||||
|
||||
new_group = {"name": "pool1"}
|
||||
response = await client.post(app.url_path_for("create_resource_pool"), json=new_group)
|
||||
assert response.status_code == status.HTTP_201_CREATED
|
||||
|
||||
async def test_get_resource_pool(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None:
|
||||
|
||||
pools_repo = ResourcePoolsRepository(db_session)
|
||||
pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
|
||||
response = await client.get(app.url_path_for("get_resource_pool", resource_pool_id=pool_in_db.resource_pool_id))
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
assert response.json()["resource_pool_id"] == str(pool_in_db.resource_pool_id)
|
||||
|
||||
async def test_list_resource_pools(self, app: FastAPI, client: AsyncClient) -> None:
|
||||
|
||||
response = await client.get(app.url_path_for("get_resource_pools"))
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
assert len(response.json()) == 1
|
||||
|
||||
async def test_update_resource_pool(self, app: FastAPI, client: AsyncClient, db_session: AsyncSession) -> None:
|
||||
|
||||
pools_repo = ResourcePoolsRepository(db_session)
|
||||
pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
|
||||
|
||||
update_pool = {"name": "pool42"}
|
||||
response = await client.put(
|
||||
app.url_path_for("update_resource_pool", resource_pool_id=pool_in_db.resource_pool_id),
|
||||
json=update_pool
|
||||
)
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
updated_pool_in_db = await pools_repo.get_resource_pool(pool_in_db.resource_pool_id)
|
||||
assert updated_pool_in_db.name == "pool42"
|
||||
|
||||
async def test_resource_group(
|
||||
self,
|
||||
app: FastAPI,
|
||||
client: AsyncClient,
|
||||
db_session: AsyncSession
|
||||
) -> None:
|
||||
|
||||
pools_repo = ResourcePoolsRepository(db_session)
|
||||
pool_in_db = await pools_repo.get_resource_pool_by_name("pool42")
|
||||
response = await client.delete(app.url_path_for("delete_resource_pool", resource_pool_id=pool_in_db.resource_pool_id))
|
||||
assert response.status_code == status.HTTP_204_NO_CONTENT
|
||||
|
||||
|
||||
class TestResourcesPoolRoutes:
|
||||
|
||||
@pytest_asyncio.fixture
|
||||
async def project(self, app: FastAPI, client: AsyncClient, controller: Controller) -> Project:
|
||||
project_id = str(uuid.uuid4())
|
||||
params = {"name": "test", "project_id": project_id}
|
||||
await client.post(app.url_path_for("create_project"), json=params)
|
||||
return controller.get_project(project_id)
|
||||
|
||||
async def test_add_resource_to_pool(
|
||||
self,
|
||||
app: FastAPI,
|
||||
client: AsyncClient,
|
||||
db_session: AsyncSession,
|
||||
project: Project
|
||||
) -> None:
|
||||
|
||||
pools_repo = ResourcePoolsRepository(db_session)
|
||||
new_resource_pool = ResourcePoolCreate(
|
||||
name="pool1",
|
||||
)
|
||||
pool_in_db = await pools_repo.create_resource_pool(new_resource_pool)
|
||||
response = await client.put(
|
||||
app.url_path_for(
|
||||
"add_resource_to_pool",
|
||||
resource_pool_id=pool_in_db.resource_pool_id,
|
||||
resource_id=str(project.id)
|
||||
)
|
||||
)
|
||||
assert response.status_code == status.HTTP_204_NO_CONTENT
|
||||
resources = await pools_repo.get_pool_resources(pool_in_db.resource_pool_id)
|
||||
assert len(resources) == 1
|
||||
assert str(resources[0].resource_id) == project.id
|
||||
|
||||
async def test_add_to_resource_already_in_resource_pool(
|
||||
self,
|
||||
app: FastAPI,
|
||||
client: AsyncClient,
|
||||
db_session: AsyncSession,
|
||||
project: Project
|
||||
) -> None:
|
||||
|
||||
pools_repo = ResourcePoolsRepository(db_session)
|
||||
pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
|
||||
resource_create = ResourceCreate(resource_id=project.id, resource_type="project")
|
||||
resource = await pools_repo.create_resource(resource_create)
|
||||
await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
|
||||
|
||||
response = await client.put(
|
||||
app.url_path_for(
|
||||
"add_resource_to_pool",
|
||||
resource_pool_id=pool_in_db.resource_pool_id,
|
||||
resource_id=str(resource.resource_id)
|
||||
)
|
||||
)
|
||||
assert response.status_code == status.HTTP_400_BAD_REQUEST
|
||||
|
||||
async def test_get_pool_resources(
|
||||
self,
|
||||
app: FastAPI,
|
||||
client: AsyncClient,
|
||||
db_session: AsyncSession
|
||||
) -> None:
|
||||
|
||||
pools_repo = ResourcePoolsRepository(db_session)
|
||||
pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
|
||||
response = await client.get(
|
||||
app.url_path_for(
|
||||
"get_pool_resources",
|
||||
resource_pool_id=pool_in_db.resource_pool_id)
|
||||
)
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
assert len(response.json()) == 2
|
||||
|
||||
async def test_remove_resource_from_pool(
|
||||
self,
|
||||
app: FastAPI,
|
||||
client: AsyncClient,
|
||||
db_session: AsyncSession,
|
||||
project: Project
|
||||
) -> None:
|
||||
|
||||
pools_repo = ResourcePoolsRepository(db_session)
|
||||
pool_in_db = await pools_repo.get_resource_pool_by_name("pool1")
|
||||
resource_create = ResourceCreate(resource_id=project.id, resource_type="project")
|
||||
resource = await pools_repo.create_resource(resource_create)
|
||||
await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
|
||||
|
||||
resources = await pools_repo.get_pool_resources(pool_in_db.resource_pool_id)
|
||||
assert len(resources) == 3
|
||||
|
||||
response = await client.delete(
|
||||
app.url_path_for(
|
||||
"remove_resource_from_pool",
|
||||
resource_pool_id=pool_in_db.resource_pool_id,
|
||||
resource_id=str(project.id)
|
||||
),
|
||||
)
|
||||
assert response.status_code == status.HTTP_204_NO_CONTENT
|
||||
resources = await pools_repo.get_pool_resources(pool_in_db.resource_pool_id)
|
||||
assert len(resources) == 2
|
25
tests/api/routes/controller/test_privileges.py
Normal file
25
tests/api/routes/controller/test_privileges.py
Normal file
@ -0,0 +1,25 @@
|
||||
#
|
||||
# Software Name : GNS3 server
|
||||
# Version: 3
|
||||
# SPDX-FileCopyrightText: Copyright (c) 2023 Orange Business Services
|
||||
# SPDX-License-Identifier: GPL-3.0-or-later
|
||||
#
|
||||
# This software is distributed under the GPL-3.0 or any later version,
|
||||
# the text of which is available at https://www.gnu.org/licenses/gpl-3.0.txt
|
||||
# or see the "LICENSE" file for more details.
|
||||
#
|
||||
# Author: Sylvain MATHIEU
|
||||
#
|
||||
|
||||
import pytest
|
||||
from fastapi import FastAPI, status
|
||||
from httpx import AsyncClient
|
||||
|
||||
pytestmark = pytest.mark.asyncio
|
||||
|
||||
|
||||
class TestPrivilegesRoute:
|
||||
|
||||
async def test_get_privileges(self, app: FastAPI, client: AsyncClient) -> None:
|
||||
response = await client.get(app.url_path_for("get_privileges"))
|
||||
assert response.status_code == status.HTTP_200_OK
|
@ -222,8 +222,9 @@ async def test_create_vnc(compute_project, manager):
|
||||
},
|
||||
{
|
||||
"Type": "bind",
|
||||
"Source": "/tmp/.X11-unix/",
|
||||
"Target": "/tmp/.X11-unix/"
|
||||
"Source": f"/tmp/.X11-unix/X{vm._display}",
|
||||
"Target": f"/tmp/.X11-unix/X{vm._display}",
|
||||
"ReadOnly": True
|
||||
}
|
||||
],
|
||||
"Privileged": True,
|
||||
|
@ -17,14 +17,18 @@
|
||||
|
||||
import pytest
|
||||
import pytest_asyncio
|
||||
import uuid
|
||||
|
||||
from fastapi import FastAPI, status
|
||||
from httpx import AsyncClient
|
||||
|
||||
from sqlalchemy.ext.asyncio import AsyncSession
|
||||
from gns3server.controller import Controller
|
||||
from gns3server.db.repositories.rbac import RbacRepository
|
||||
from gns3server.db.repositories.users import UsersRepository
|
||||
from gns3server.db.repositories.pools import ResourcePoolsRepository
|
||||
from gns3server.schemas.controller.rbac import ACECreate
|
||||
from gns3server.schemas.controller.pools import ResourceCreate, ResourcePoolCreate
|
||||
from gns3server.db.models import User
|
||||
|
||||
pytestmark = pytest.mark.asyncio
|
||||
@ -128,6 +132,113 @@ class TestPrivileges:
|
||||
authorized = await RbacRepository(db_session).check_user_has_privilege(test_user.user_id, path, privilege)
|
||||
assert authorized is True
|
||||
|
||||
|
||||
class TestResourcePools:
|
||||
|
||||
async def test_resource_pool(self, test_user: User, db_session: AsyncSession):
|
||||
|
||||
project_id = uuid.uuid4()
|
||||
project_name = "project42"
|
||||
|
||||
pools_repo = ResourcePoolsRepository(db_session)
|
||||
new_resource_pool = ResourcePoolCreate(name="pool1")
|
||||
pool_in_db = await pools_repo.create_resource_pool(new_resource_pool)
|
||||
|
||||
resource_create = ResourceCreate(resource_id=project_id, resource_type="project", name=project_name)
|
||||
resource = await pools_repo.create_resource(resource_create)
|
||||
await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
|
||||
|
||||
group_id = (await UsersRepository(db_session).get_user_group_by_name("Users")).user_group_id
|
||||
role_id = (await RbacRepository(db_session).get_role_by_name("User")).role_id
|
||||
ace = ACECreate(
|
||||
path=f"/pools/{pool_in_db.resource_pool_id}",
|
||||
ace_type="group",
|
||||
propagate=False,
|
||||
group_id=str(group_id),
|
||||
role_id=str(role_id)
|
||||
)
|
||||
await RbacRepository(db_session).create_ace(ace)
|
||||
|
||||
privilege = "Project.Audit"
|
||||
path = f"/projects/{project_id}"
|
||||
authorized = await RbacRepository(db_session).check_user_has_privilege(test_user.user_id, path, privilege)
|
||||
assert authorized is True
|
||||
|
||||
async def test_list_projects_in_resource_pool(
|
||||
self,
|
||||
app: FastAPI,
|
||||
controller: Controller,
|
||||
authorized_client: AsyncClient,
|
||||
db_session: AsyncSession
|
||||
) -> None:
|
||||
|
||||
uuid1 = str(uuid.uuid4())
|
||||
uuid2 = str(uuid.uuid4())
|
||||
uuid3 = str(uuid.uuid4())
|
||||
await controller.add_project(project_id=uuid1, name="Project1")
|
||||
await controller.add_project(project_id=uuid2, name="Project2")
|
||||
await controller.add_project(project_id=uuid3, name="Project3")
|
||||
|
||||
# user has no access to projects (no ACE on /projects or resource pools)
|
||||
response = await authorized_client.get(app.url_path_for("get_projects"))
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
assert len(response.json()) == 0
|
||||
|
||||
pools_repo = ResourcePoolsRepository(db_session)
|
||||
new_resource_pool = ResourcePoolCreate(name="pool2")
|
||||
pool_in_db = await pools_repo.create_resource_pool(new_resource_pool)
|
||||
|
||||
resource_create = ResourceCreate(resource_id=uuid2, resource_type="project", name="Project2")
|
||||
resource = await pools_repo.create_resource(resource_create)
|
||||
await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
|
||||
|
||||
group_id = (await UsersRepository(db_session).get_user_group_by_name("Users")).user_group_id
|
||||
role_id = (await RbacRepository(db_session).get_role_by_name("User")).role_id
|
||||
ace = ACECreate(
|
||||
path=f"/pools/{pool_in_db.resource_pool_id}",
|
||||
ace_type="group",
|
||||
propagate=False,
|
||||
group_id=str(group_id),
|
||||
role_id=str(role_id)
|
||||
)
|
||||
await RbacRepository(db_session).create_ace(ace)
|
||||
|
||||
response = await authorized_client.get(app.url_path_for("get_project", project_id=uuid2))
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
assert response.json()["name"] == "Project2"
|
||||
|
||||
# user should only see one project because it is in the resource pool he has access to
|
||||
response = await authorized_client.get(app.url_path_for("get_projects"))
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
projects = response.json()
|
||||
assert len(projects) == 1
|
||||
assert projects[0]["project_id"] == uuid2
|
||||
|
||||
ace = ACECreate(
|
||||
path=f"/projects",
|
||||
ace_type="group",
|
||||
propagate=True,
|
||||
group_id=str(group_id),
|
||||
role_id=str(role_id)
|
||||
)
|
||||
await RbacRepository(db_session).create_ace(ace)
|
||||
|
||||
# now user should see all projects because he has access to /projects and the resource pool
|
||||
response = await authorized_client.get(app.url_path_for("get_projects"))
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
projects = response.json()
|
||||
assert len(projects) == 3
|
||||
|
||||
await RbacRepository(db_session).delete_all_ace_starting_with_path(f"/pools/{pool_in_db.resource_pool_id}")
|
||||
response = await authorized_client.get(app.url_path_for("get_project", project_id=uuid2))
|
||||
assert response.status_code == status.HTTP_403_FORBIDDEN
|
||||
|
||||
# now user should only see the projects that are not in a resource pool
|
||||
response = await authorized_client.get(app.url_path_for("get_projects"))
|
||||
assert response.status_code == status.HTTP_200_OK
|
||||
assert len(response.json()) == 2
|
||||
|
||||
|
||||
# class TestProjectsWithRbac:
|
||||
#
|
||||
# async def test_admin_create_project(self, app: FastAPI, client: AsyncClient):
|
||||
|
Loading…
Reference in New Issue
Block a user