feat: OBS-406 - [Netbox Diode Plugin] Secure NetBox diode plugin API endpoints #46
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Created permissions.py. Added permissions for tests.
Julio-Oliveira-Encora
requested review from
mfiedorowicz and
natm
as code owners
OBS-406 Secure NetBox diode plugin API endpoints
NetBox Diode plugin API endpoints need to be secured. We should consider setting dedicated permissions per API endpoint/view, so we can decide if NetBox user can perform specific operations. Example use of custom permissions per view: https://github.com/netbox-community/netbox/blob/develop/netbox/virtualization/views.py#L651-L652 |
There was a problem hiding this comment.
Alternative to avoid the need to check for individual objects permissions:
- Create
netbox_diode_plugin/models.py:
#!/usr/bin/env python
# Copyright 2024 NetBox Labs Inc
"""Diode Netbox Plugin - Models."""
from django.db import models
class ObjectState(models.Model):
"""
Dummy model used to generate permissions for Diode NetBox Plugin. Does not exist in the database.
"""
class Meta:
managed = False
default_permissions = ()
permissions = (
("view_objectstate", "Can view ObjectState"),
)- In your
permissions.py:
#!/usr/bin/env python
# Copyright 2024 NetBox Labs Inc
"""Diode Netbox Plugin - API Permissions."""
from rest_framework.permissions import SAFE_METHODS, BasePermission
class IsDiodeViewer(BasePermission):
"""
Custom permission to allow users that has permissions to view the object type.
For example, if the request contains "object_type=dcim.site" and the user has this permission, he can see the object.
"""
def has_permission(self, request, view):
"""Check if the request is in SAFE_METHODS and user has netbox_diode_plugin.view_objectstate permission."""
return request.method in SAFE_METHODS and request.user.has_perm(f'netbox_diode_plugin.view_objectstate')NetBox permission with our ObjectState object based on dummy model:
What do you think?
diode-netbox-plugin/netbox_diode_plugin/tests/test_object_state.py
Outdated
Show resolved
Hide resolved
mfiedorowicz
approved these changes
Feb 27, 2024
Julio-Oliveira-Encora
deleted the
obs-406-secure-netbox-diode-plugin-api-endpoints
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Added the permission classes IsAuthenticated and IsDiodeViewer] for ObjectStateView.
It checks if the user is authenticated and if the user has permissions according to the "object_type" parameter.
Also, check if the request is GET.