Complete resource pool support for projects

This commit is contained in:
grossmj 2023-09-11 18:15:03 +07:00
parent d53ef175f8
commit a95dda0d1d
6 changed files with 256 additions and 30 deletions

View File

@ -38,6 +38,7 @@ from gns3server.db.repositories.users import UsersRepository
from gns3server.db.repositories.rbac import RbacRepository
from gns3server.db.repositories.images import ImagesRepository
from gns3server.db.repositories.templates import TemplatesRepository
from gns3server.db.repositories.pools import ResourcePoolsRepository
from .dependencies.database import get_repository
from .dependencies.rbac import has_privilege
@ -57,7 +58,8 @@ async def endpoints(
users_repo: UsersRepository = Depends(get_repository(UsersRepository)),
rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)),
images_repo: ImagesRepository = Depends(get_repository(ImagesRepository)),
templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository))
templates_repo: TemplatesRepository = Depends(get_repository(TemplatesRepository)),
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
) -> List[dict]:
"""
List all endpoints to be used in ACL entries.
@ -128,6 +130,11 @@ async def endpoints(
for template in templates:
add_to_endpoints(f"/templates/{template.template_id}", f'Template "{template.name}"', "template")
# resource pools
add_to_endpoints("/pools", "All resource pools", "pool")
pools = await pools_repo.get_resource_pools()
for pool in pools:
add_to_endpoints(f"/pools/{pool.resource_pool_id}", f'Resource pool "{pool.name}"', "pool")
return endpoints

View File

@ -47,9 +47,11 @@ from gns3server.utils.asyncio import aiozipstream
from gns3server.utils.path import is_safe_path
from gns3server.db.repositories.templates import TemplatesRepository
from gns3server.db.repositories.rbac import RbacRepository
from gns3server.db.repositories.pools import ResourcePoolsRepository
from gns3server.services.templates import TemplatesService
from .dependencies.rbac import has_privilege, has_privilege_on_websocket
from .dependencies.authentication import get_current_active_user
from .dependencies.database import get_repository
responses = {404: {"model": schemas.ErrorMessage, "description": "Could not find project"}}
@ -69,10 +71,13 @@ def dep_project(project_id: UUID) -> Project:
@router.get(
"",
response_model=List[schemas.Project],
response_model_exclude_unset=True,
dependencies=[Depends(has_privilege("Project.Audit"))]
response_model_exclude_unset=True
)
async def get_projects() -> List[schemas.Project]:
async def get_projects(
current_user: schemas.User = Depends(get_current_active_user),
rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)),
pools_repo: ResourcePoolsRepository = Depends(get_repository(ResourcePoolsRepository))
) -> List[schemas.Project]:
"""
Return all projects.
@ -80,7 +85,22 @@ async def get_projects() -> List[schemas.Project]:
"""
controller = Controller.instance()
return [p.asdict() for p in controller.projects.values()]
projects = []
if current_user.is_superadmin:
# super admin sees all projects
return [p.asdict() for p in controller.projects.values()]
elif await rbac_repo.check_user_has_privilege(current_user.user_id, "/projects", "Project.Audit"):
# user with Project.Audit privilege on '/projects' sees all projects except those in resource pools
project_ids_in_pools = [str(r.resource_id) for r in await pools_repo.get_resources() if r.resource_type == "project"]
projects.extend([p.asdict() for p in controller.projects.values() if p.id not in project_ids_in_pools])
# user with Project.Audit privilege on resource pools sees the projects in these pools
user_pool_resources = await rbac_repo.get_user_pool_resources(current_user.user_id, "Project.Audit")
project_ids_in_pools = [str(r.resource_id) for r in user_pool_resources if r.resource_type == "project"]
projects.extend([p.asdict() for p in controller.projects.values() if p.id in project_ids_in_pools])
return projects
@router.post(

View File

@ -81,6 +81,23 @@ async def create_role(
return await rbac_repo.create_role(role_create)
@router.get(
"/privileges",
response_model=List[schemas.Privilege],
dependencies=[Depends(has_privilege("Role.Audit"))]
)
async def get_privileges(
rbac_repo: RbacRepository = Depends(get_repository(RbacRepository)),
) -> List[schemas.Privilege]:
"""
Get all available privileges.
Required privilege: Role.Audit
"""
return await rbac_repo.get_privileges()
@router.get(
"/{role_id}",
response_model=schemas.Role,

View File

@ -309,6 +309,75 @@ class RbacRepository(BaseRepository):
return True # only allow if the path is the original path or the ACE is set to propagate
return False
async def _get_resources_in_pools(self, aces, path: str = None) -> List[models.Resource]:
"""
Get all resources in pools.
"""
pool_resources = []
for ace_path, ace_propagate, ace_allowed, ace_privilege in aces:
if ace_path.startswith("/pool"):
resource_pool_id = ace_path.split("/")[2]
query = select(models.Resource). \
join(models.Resource.resource_pools). \
filter(models.ResourcePool.resource_pool_id == resource_pool_id)
result = await self._db_session.execute(query)
resources = result.scalars().all()
for resource in resources:
# we only support projects in resource pools for now
if resource.resource_type == "project":
if path:
if path.startswith(f"/projects/{resource.resource_id}"):
pool_resources.append(resource)
else:
pool_resources.append(resource)
return pool_resources
async def _get_user_aces(self, user_id: UUID, privilege_name: str):
"""
Retrieve all user ACEs matching the user_id and privilege name.
"""
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name).\
join(models.Privilege.roles).\
join(models.Role.acl_entries).\
join(models.ACE.user). \
filter(models.User.user_id == user_id).\
filter(models.Privilege.name == privilege_name).\
order_by(models.ACE.path.desc())
result = await self._db_session.execute(query)
return result.all()
async def _get_group_aces(self, user_id: UUID, privilege_name: str):
"""
Retrieve all group ACEs matching the user_id and privilege name.
"""
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name). \
join(models.Privilege.roles). \
join(models.Role.acl_entries). \
join(models.ACE.group). \
join(models.UserGroup.users).\
filter(models.User.user_id == user_id). \
filter(models.Privilege.name == privilege_name)
result = await self._db_session.execute(query)
return result.all()
async def get_user_pool_resources(self, user_id: UUID, privilege_name: str) -> List[models.Resource]:
"""
Get all resources in pools belonging to a user and groups
"""
user_aces = await self._get_user_aces(user_id, privilege_name)
pool_resources = await self._get_resources_in_pools(user_aces)
group_aces = await self._get_group_aces(user_id, privilege_name)
pool_resources.extend(await self._get_resources_in_pools(group_aces))
return list(set(pool_resources))
async def check_user_has_privilege(self, user_id: UUID, path: str, privilege_name: str) -> bool:
"""
Resource paths form a file system like tree and privileges can be inherited by paths down that tree
@ -321,38 +390,34 @@ class RbacRepository(BaseRepository):
* Privileges on deeper levels replace those inherited from an upper level.
"""
# retrieve all user ACEs matching the user_id and privilege name
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name).\
join(models.Privilege.roles).\
join(models.Role.acl_entries).\
join(models.ACE.user). \
filter(models.User.user_id == user_id).\
filter(models.Privilege.name == privilege_name).\
order_by(models.ACE.path.desc())
query = select(models.Resource)
result = await self._db_session.execute(query)
aces = result.all()
resources = result.scalars().all()
projects_in_pools = [f"/projects/{r.resource_id}" for r in resources if r.resource_type == "project"]
path_is_in_pool = False
for project_in_pool in projects_in_pools:
if path.startswith(project_in_pool):
path_is_in_pool = True
break
aces = await self._get_user_aces(user_id, privilege_name)
try:
if self._check_path_with_aces(path, aces):
# the user has an ACE matching the path and privilege,there is no need to check group ACEs
if path_is_in_pool:
if await self._get_resources_in_pools(aces, path):
return True
elif self._check_path_with_aces(path, aces):
# the user has an ACE matching the path and privilege, there is no need to check group ACEs
return True
except PermissionError:
return False
# retrieve all group ACEs matching the user_id and privilege name
query = select(models.ACE.path, models.ACE.propagate, models.ACE.allowed, models.Privilege.name). \
join(models.Privilege.roles). \
join(models.Role.acl_entries). \
join(models.ACE.group). \
join(models.UserGroup.users).\
filter(models.User.user_id == user_id). \
filter(models.Privilege.name == privilege_name)
result = await self._db_session.execute(query)
aces = result.all()
aces = await self._get_group_aces(user_id, privilege_name)
try:
return self._check_path_with_aces(path, aces)
if path_is_in_pool:
if await self._get_resources_in_pools(aces, path):
return True
elif self._check_path_with_aces(path, aces):
return True
except PermissionError:
return False
return False

View File

@ -42,6 +42,12 @@ class TestRolesRoutes:
assert response.status_code == status.HTTP_200_OK
assert response.json()["role_id"] == str(role_in_db.role_id)
async def test_get_privileges(self, app: FastAPI, client: AsyncClient):
response = await client.get(app.url_path_for("get_privileges"))
assert response.status_code == status.HTTP_200_OK
assert len(response.json()) == 45 # 45 built-in privileges
async def test_list_roles(self, app: FastAPI, client: AsyncClient) -> None:
response = await client.get(app.url_path_for("get_roles"))

View File

@ -17,14 +17,18 @@
import pytest
import pytest_asyncio
import uuid
from fastapi import FastAPI, status
from httpx import AsyncClient
from sqlalchemy.ext.asyncio import AsyncSession
from gns3server.controller import Controller
from gns3server.db.repositories.rbac import RbacRepository
from gns3server.db.repositories.users import UsersRepository
from gns3server.db.repositories.pools import ResourcePoolsRepository
from gns3server.schemas.controller.rbac import ACECreate
from gns3server.schemas.controller.pools import ResourceCreate, ResourcePoolCreate
from gns3server.db.models import User
pytestmark = pytest.mark.asyncio
@ -128,6 +132,113 @@ class TestPrivileges:
authorized = await RbacRepository(db_session).check_user_has_privilege(test_user.user_id, path, privilege)
assert authorized is True
class TestResourcePools:
async def test_resource_pool(self, test_user: User, db_session: AsyncSession):
project_id = uuid.uuid4()
project_name = "project42"
pools_repo = ResourcePoolsRepository(db_session)
new_resource_pool = ResourcePoolCreate(name="pool1")
pool_in_db = await pools_repo.create_resource_pool(new_resource_pool)
resource_create = ResourceCreate(resource_id=project_id, resource_type="project", name=project_name)
resource = await pools_repo.create_resource(resource_create)
await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
group_id = (await UsersRepository(db_session).get_user_group_by_name("Users")).user_group_id
role_id = (await RbacRepository(db_session).get_role_by_name("User")).role_id
ace = ACECreate(
path=f"/pools/{pool_in_db.resource_pool_id}",
ace_type="group",
propagate=False,
group_id=str(group_id),
role_id=str(role_id)
)
await RbacRepository(db_session).create_ace(ace)
privilege = "Project.Audit"
path = f"/projects/{project_id}"
authorized = await RbacRepository(db_session).check_user_has_privilege(test_user.user_id, path, privilege)
assert authorized is True
async def test_list_projects_in_resource_pool(
self,
app: FastAPI,
controller: Controller,
authorized_client: AsyncClient,
db_session: AsyncSession
) -> None:
uuid1 = str(uuid.uuid4())
uuid2 = str(uuid.uuid4())
uuid3 = str(uuid.uuid4())
await controller.add_project(project_id=uuid1, name="Project1")
await controller.add_project(project_id=uuid2, name="Project2")
await controller.add_project(project_id=uuid3, name="Project3")
# user has no access to projects (no ACE on /projects or resource pools)
response = await authorized_client.get(app.url_path_for("get_projects"))
assert response.status_code == status.HTTP_200_OK
assert len(response.json()) == 0
pools_repo = ResourcePoolsRepository(db_session)
new_resource_pool = ResourcePoolCreate(name="pool2")
pool_in_db = await pools_repo.create_resource_pool(new_resource_pool)
resource_create = ResourceCreate(resource_id=uuid2, resource_type="project", name="Project2")
resource = await pools_repo.create_resource(resource_create)
await pools_repo.add_resource_to_pool(pool_in_db.resource_pool_id, resource)
group_id = (await UsersRepository(db_session).get_user_group_by_name("Users")).user_group_id
role_id = (await RbacRepository(db_session).get_role_by_name("User")).role_id
ace = ACECreate(
path=f"/pools/{pool_in_db.resource_pool_id}",
ace_type="group",
propagate=False,
group_id=str(group_id),
role_id=str(role_id)
)
await RbacRepository(db_session).create_ace(ace)
response = await authorized_client.get(app.url_path_for("get_project", project_id=uuid2))
assert response.status_code == status.HTTP_200_OK
assert response.json()["name"] == "Project2"
# user should only see one project because it is in the resource pool he has access to
response = await authorized_client.get(app.url_path_for("get_projects"))
assert response.status_code == status.HTTP_200_OK
projects = response.json()
assert len(projects) == 1
assert projects[0]["project_id"] == uuid2
ace = ACECreate(
path=f"/projects",
ace_type="group",
propagate=True,
group_id=str(group_id),
role_id=str(role_id)
)
await RbacRepository(db_session).create_ace(ace)
# now user should see all projects because he has access to /projects and the resource pool
response = await authorized_client.get(app.url_path_for("get_projects"))
assert response.status_code == status.HTTP_200_OK
projects = response.json()
assert len(projects) == 3
await RbacRepository(db_session).delete_all_ace_starting_with_path(f"/pools/{pool_in_db.resource_pool_id}")
response = await authorized_client.get(app.url_path_for("get_project", project_id=uuid2))
assert response.status_code == status.HTTP_403_FORBIDDEN
# now user should only see the projects that are not in a resource pool
response = await authorized_client.get(app.url_path_for("get_projects"))
assert response.status_code == status.HTTP_200_OK
assert len(response.json()) == 2
# class TestProjectsWithRbac:
#
# async def test_admin_create_project(self, app: FastAPI, client: AsyncClient):