Add provisioning feature

We introduce a new Django management command: `provision`. For each app, some resources can be created and updated automatically, based on their configuration in the Zentral config. We start with the MDM `SCEPConfig` resources.
zentralopensource · Jun 20, 2024 · c0366e8 · c0366e8
1 parent 758ae7c
commit c0366e8
Show file tree

Hide file tree

Showing 18 changed files with 740 additions and 57 deletions.
diff --git a/docker-entrypoint.py b/docker-entrypoint.py
@@ -47,6 +47,21 @@ def wait_for_db_migration():
     print("DB migration OK")
 
 
+def wait_for_provisioning():
+    i = 0
+    while True:
+        try:
+            subprocess.run(['python', 'server/manage.py', 'provision'], check=True)
+        except subprocess.CalledProcessError:
+            retry_delay = min(20, (i + 1)) * random.uniform(0.8, 1.2)
+            warnings.warn(f"Can't do provisioning! Sleep {retry_delay:.1f}s…")
+            time.sleep(retry_delay)
+            i += 1
+        else:
+            break
+    print("Provisioning OK")
+
+
 def django_collectstatic():
     subprocess.run(['python', 'server/manage.py', 'collectstatic', '-v0', '--noinput'], check=True)
 
@@ -120,6 +135,7 @@ def create_zentral_superuser():
             create_zentral_superuser()
         else:
             wait_for_db(env)
+        wait_for_provisioning()
         if cmd in KNOWN_COMMANDS_TRIGGERING_COLLECTSTATIC:
             django_collectstatic()
         wd = KNOWN_COMMANDS_CHDIR.get(cmd)

diff --git a/server/base/management/commands/provision.py b/server/base/management/commands/provision.py
@@ -0,0 +1,36 @@
+import inspect
+import logging
+from django.apps import apps
+from django.core.management.base import BaseCommand
+from django.db import transaction
+from zentral.conf import settings
+from zentral.utils.apps import ZentralAppConfig
+from zentral.utils.provisioning import Provisioner
+
+
+logger = logging.getLogger("zentral.server.base.management.commands.provision")
+
+
+class Command(BaseCommand):
+    help = 'Provision Zentral'
+
+    @staticmethod
+    def add_arguments(parser):
+        pass
+
+    def iter_provisiners(self):
+        for app_config in apps.app_configs.values():
+            if not isinstance(app_config, ZentralAppConfig):
+                continue
+            if not app_config.provisioning_module:
+                continue
+            for _, provisioner_cls in inspect.getmembers(
+                app_config.provisioning_module,
+                lambda m: inspect.isclass(m) and m != Provisioner and issubclass(m, Provisioner)
+            ):
+                yield provisioner_cls(app_config, settings)
+
+    def handle(self, *args, **options):
+        with transaction.atomic():
+            for provisioner in self.iter_provisiners():
+                provisioner.apply()
diff --git a/server/templates/_created_updated_at.html b/server/templates/_created_updated_at.html
@@ -1,6 +1,12 @@
 <div class="table-responsive">
     <table class="table w-auto">
         <tbody>
+        {% if object.provisioning_uid %}
+            <tr>
+                <th class="border-0 p-0 pe-3 text-secondary">Provisioning UID</th>
+                <td class="border-0 p-0 text-secondary">{{ object.provisioning_uid }}</td>
+            </tr>
+        {% endif %}
         {% if object.version %}
             <tr>
                 <th class="border-0 p-0 pe-3 text-secondary">Version</th>

diff --git a/tests/conf/base.json b/tests/conf/base.json
@@ -152,6 +152,20 @@
       "push_csr_signer": {
         "backend": "zentral.contrib.mdm.push_csr_signers.ZentralSaaSPushCSRSigner",
         "url": "https://www.example.com/api/"
+      },
+      "provisioning": {
+        "scep_configs": {
+          "test": {
+            "name": "YoloFomo",
+            "url": "https://www.example.com/scep/",
+            "challenge_type": "MICROSOFT_CA",
+            "microsoft_ca_challenge_kwargs": {
+              "url": "https://www.example.com/ndes/",
+              "username": "Yolo",
+              "password": "Fomo"
+            }
+          }
+        }
       }
     },
     "zentral.contrib.munki": {

diff --git a/tests/mdm/test_management_commands.py b/tests/mdm/test_management_commands.py
@@ -5,7 +5,7 @@
 from django.core.management import call_command
 from django.test import TestCase
 from django.utils.crypto import get_random_string
-from zentral.contrib.mdm.models import Location
+from zentral.contrib.mdm.models import Location, SCEPConfig
 from zentral.contrib.mdm.dep_client import DEPClientError
 from .utils import force_dep_virtual_server
 
@@ -204,3 +204,21 @@ def test_sync_dep_devices_list_servers(self, sync_dep_virtual_server_devices):
             f"{dvs2.pk} {dvs2}\n"
         )
         sync_dep_virtual_server_devices.assert_not_called()
+
+    # provisioning
+
+    def test_scep_config_provisioning(self):
+        qs = SCEPConfig.objects.all()
+        self.assertEqual(qs.count(), 0)
+        call_command('provision')
+        self.assertEqual(qs.count(), 1)
+        scep_config = qs.first()
+        # see tests/conf/base.json
+        self.assertEqual(scep_config.name, "YoloFomo")
+        self.assertEqual(scep_config.challenge_type, "MICROSOFT_CA")
+        self.assertEqual(
+            scep_config.get_challenge_kwargs(),
+            {"url": "https://www.example.com/ndes/",
+             "username": "Yolo",
+             "password": "Fomo"}
+        )