Merge pull request #497 from ryanmerolle/startup-scripts-2.10+

user, group, & permissions fix

initializers/groups.yml

@@ -1,35 +1,9 @@
-## To list all permissions, run:
-## 
-## docker-compose run --rm --entrypoint /bin/bash netbox
-## $ ./manage.py migrate
-## $ ./manage.py shell
-## > from django.contrib.auth.models import Permission
-## > print('\n'.join([p.codename for p in Permission.objects.all()]))
-##
-## Permission lists support wildcards. See the examples below.
-##
-## Examples:
-
 # applications:
 #   users:
-#   - technical_user
+#     - technical_user
 # readers:
 #   users:
-#   - reader
+#     - reader
 # writers:
 #   users:
-#   - writer
-#   permissions:
-#   - delete_device
-#   - delete_virtualmachine
-#   - add_*
-#   - change_*
-# vm_managers:
-#   permissions:
-#   - '*_virtualmachine'
-# device_managers:
-#   permissions:
-#   - '*device*'
-# creators:
-#   permissions:
-#   - add_*
+#     - writer

initializers/object_permissions.yml

@@ -0,0 +1,48 @@
+# all.ro:
+#   actions:
+#     - view
+#   description: 'Read Only for All Objects'
+#   enabled: true
+#   groups:
+#     - applications
+#     - readers
+#   object_types: all
+#   users:
+#     - jdoe
+# all.rw:
+#   actions:
+#     - add
+#     - change
+#     - delete
+#     - view
+#   description: 'Read/Write for All Objects'
+#   enabled: true
+#   groups:
+#     - writers
+#   object_types: all
+# network_team.rw:
+#   actions:
+#     - add
+#     - change
+#     - delete
+#     - view
+#   description: "Network Team Permissions"
+#   enabled: true
+#   object_types:
+#     circuits:
+#       - circuit
+#       - circuittermination
+#       - circuittype
+#       - provider
+#     dcim: all
+#     ipam:
+#       - aggregate
+#       - ipaddress
+#       - prefix
+#       - rir
+#       - role
+#       - routetarget
+#       - service
+#       - vlan
+#       - vlangroup
+#       - vrf

initializers/users.yml

@@ -1,23 +1,14 @@
-## To list all permissions, run:
-## 
-## docker-compose run --rm --entrypoint /bin/bash netbox
-## $ ./manage.py migrate
-## $ ./manage.py shell
-## > from django.contrib.auth.models import Permission
-## > print('\n'.join([p.codename for p in Permission.objects.all()]))
-##
-## Permission lists support wildcards. See the examples below.
-##
-## Examples:
-
 # technical_user:
 #   api_token: 0123456789technicaluser789abcdef01234567 # must be looooong!
 # reader:
 #   password: reader
 # writer:
 #   password: writer
-#   permissions:
-#   - delete_device
-#   - delete_virtualmachine
-#   - add_*
-#   - change_*
+# jdoe:
+#   first_name: John
+#   last_name: Doe
+#   api_token: 0123456789jdoe789abcdef01234567jdoe
+#   is_active: True
+#   is_superuser: False
+#   is_staff: False
+#   email: john.doe@example.com

startup_scripts/000_users.py

@@ -1,7 +1,7 @@
 import sys
 
 from django.contrib.auth.models import User
-from startup_script_utils import load_yaml, set_permissions
+from startup_script_utils import load_yaml
 from users.models import Token
 
 users = load_yaml("/opt/netbox/initializers/users.yml")
@@ -19,6 +19,3 @@ for username, user_details in users.items():
 
         if user_details.get("api_token", 0):
             Token.objects.create(user=user, key=user_details["api_token"])
-
-        yaml_permissions = user_details.get("permissions", [])
-        set_permissions(user.user_permissions, yaml_permissions)

startup_scripts/010_groups.py

@@ -1,23 +1,23 @@
 import sys
 
-from django.contrib.auth.models import Group, User
-from startup_script_utils import load_yaml, set_permissions
+from startup_script_utils import load_yaml
+from users.models import AdminGroup, AdminUser
 
 groups = load_yaml("/opt/netbox/initializers/groups.yml")
 if groups is None:
     sys.exit()
 
 for groupname, group_details in groups.items():
-    group, created = Group.objects.get_or_create(name=groupname)
+    group, created = AdminGroup.objects.get_or_create(name=groupname)
 
     if created:
         print("👥 Created group", groupname)
 
     for username in group_details.get("users", []):
-        user = User.objects.get(username=username)
+        user = AdminUser.objects.get(username=username)
 
         if user:
-            user.groups.add(group)
+            group.user_set.add(user)
+            print(" 👤 Assigned user %s to group %s" % (username, AdminGroup.name))
 
-    yaml_permissions = group_details.get("permissions", [])
-    set_permissions(group.permissions, yaml_permissions)
+    group.save()

startup_scripts/015_object_permissions.py

@@ -0,0 +1,60 @@
+import sys
+
+from django.contrib.contenttypes.models import ContentType
+from startup_script_utils import load_yaml
+from users.models import AdminGroup, AdminUser, ObjectPermission
+
+object_permissions = load_yaml("/opt/netbox/initializers/object_permissions.yml")
+
+if object_permissions is None:
+    sys.exit()
+
+
+for permission_name, permission_details in object_permissions.items():
+
+    object_permission, created = ObjectPermission.objects.get_or_create(
+        name=permission_name,
+        description=permission_details["description"],
+        enabled=permission_details["enabled"],
+        actions=permission_details["actions"],
+    )
+
+    if permission_details.get("object_types", 0):
+        object_types = permission_details["object_types"]
+
+        if object_types == "all":
+            object_permission.object_types.set(ContentType.objects.all())
+
+        else:
+            for app_label, models in object_types.items():
+                if models == "all":
+                    app_models = ContentType.objects.filter(app_label=app_label)
+
+                    for app_model in app_models:
+                        object_permission.object_types.add(app_model.id)
+                else:
+                    # There is
+                    for model in models:
+                        object_permission.object_types.add(
+                            ContentType.objects.get(app_label=app_label, model=model)
+                        )
+
+    print("🔓 Created object permission", object_permission.name)
+
+    if permission_details.get("groups", 0):
+        for groupname in permission_details["groups"]:
+            group = AdminGroup.objects.filter(name=groupname).first()
+
+            if group:
+                object_permission.groups.add(group)
+                print(" 👥 Assigned group %s object permission of %s" % (groupname, groupname))
+
+    if permission_details.get("users", 0):
+        for username in permission_details["users"]:
+            user = AdminUser.objects.filter(username=username).first()
+
+            if user:
+                object_permission.users.add(user)
+                print(" 👤 Assigned user %s object permission of %s" % (username, groupname))
+
+    object_permission.save()

startup_scripts/startup_script_utils/__init__.py

@@ -1,3 +1,2 @@
 from .custom_fields import pop_custom_fields, set_custom_fields_values
 from .load_yaml import load_yaml
-from .permissions import set_permissions

startup_scripts/startup_script_utils/permissions.py

@@ -1,22 +0,0 @@
-from django.contrib.auth.models import Permission
-
-
-def set_permissions(subject, permission_filters):
-    if subject is None or permission_filters is None:
-        return
-    subject.clear()
-    for permission_filter in permission_filters:
-        if "*" in permission_filter:
-            permission_filter_regex = "^" + permission_filter.replace("*", ".*") + "$"
-            permissions = Permission.objects.filter(codename__iregex=permission_filter_regex)
-            print(
-                "  ⚿ Granting",
-                permissions.count(),
-                "permissions matching '" + permission_filter + "'",
-            )
-        else:
-            permissions = Permission.objects.filter(codename=permission_filter)
-            print("  ⚿ Granting permission", permission_filter)
-
-        for permission in permissions:
-            subject.add(permission)