CCCHH/ansible-infra
CCCHH/ansible-infra
4
2
Fork 1
Code Issues 4 Pull requests 1 Wiki Activity Actions

move to copy
All checks were successful
/ Ansible Lint (push) Successful in 1m45s
Details
/ Ansible Lint (pull_request) Successful in 1m39s
Details

Browse source
This commit is contained in:
June 2025-02-15 04:44:30 +01:00
commit c0ae5dcdcd
Signed by: june
SSH key fingerprint: SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0
7 changed files with 80 additions and 73 deletions
Download patch file Download diff file Expand all files Collapse all files

2
README.md
View file

@ -49,4 +49,4 @@ Im Ansible-Repo müssen diese Sachen hinzugefügt werden:
## License ## License
This CCCHH ansible-ccchh repository is licensed under the [MIT License](./LICENSE). This CCCHH ansible-ccchh repository is licensed under the [MIT License](./LICENSE).
[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](./roles/netbox/files/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license. [`custom_pipeline_oidc_group_and_role_mapping.py`](./roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py) is licensed under the Creative Commons: CC BY-SA 4.0 license.

8
roles/netbox/README.md
View file

@ -18,7 +18,7 @@ Should work on Debian-based distributions.
## Optional Arguments ## Optional Arguments
- `netbox__patch_oidc_group_and_role_mapping_custom_pipeline`: Whether or not to patch NetBox to add custom pipeline code for OIDC group and role mapping. - `netbox__custom_pipeline_oidc_group_and_role_mapping`: Whether or not to have custom pipeline code for OIDC group and role mapping present.
See [Custom Pipeline Code for OIDC Group and Role Mapping](#custom-pipeline-code-for-oidc-group-and-role-mapping) for more infos. See [Custom Pipeline Code for OIDC Group and Role Mapping](#custom-pipeline-code-for-oidc-group-and-role-mapping) for more infos.
Defaults to `false`. Defaults to `false`.
@ -75,9 +75,9 @@ The relevant documentation on how to do that can be found here:
## Custom Pipeline Code for OIDC Group and Role Mapping ## Custom Pipeline Code for OIDC Group and Role Mapping
Setting the option `netbox__patch_oidc_group_and_role_mapping_custom_pipeline` to `true` makes this role patch NetBox to add custom pipeline code for OIDC group and role mapping. Setting the option `netbox__custom_pipeline_oidc_group_and_role_mapping` to `true` makes this role ensure custom pipeline code for OIDC group and role mapping is present.
Note that this role uses a patch for NetBox >= 4.0.0. Note that this role uses code for NetBox >= 4.0.0.
The patch is available in `files/0001_oidc_group_and_role_mapping_custom_pipeline.patch`, licensed under the CC BY-SA 4.0 license and taken from [this authentik NetBox documentation](https://docs.goauthentik.io/integrations/services/netbox/). The code is available in `files/custom_pipeline_oidc_group_and_role_mapping.py`, licensed under the CC BY-SA 4.0 license and taken from [this authentik NetBox documentation](https://docs.goauthentik.io/integrations/services/netbox/).
The documentation also shows how to use the pipeline code by defining a custom `SOCIAL_AUTH_PIPELINE`, which you also need to do, as the configuration isn't provided by this role. The documentation also shows how to use the pipeline code by defining a custom `SOCIAL_AUTH_PIPELINE`, which you also need to do, as the configuration isn't provided by this role.
See also [the default settings.py](https://github.com/netbox-community/netbox/blob/main/netbox/netbox/settings.py) for the default `SOCIAL_AUTH_PIPELINE`. See also [the default settings.py](https://github.com/netbox-community/netbox/blob/main/netbox/netbox/settings.py) for the default `SOCIAL_AUTH_PIPELINE`.

2
roles/netbox/defaults/main.yaml
View file

@ -1 +1 @@
netbox__patch_oidc_group_and_role_mapping_custom_pipeline: false netbox__custom_pipeline_oidc_group_and_role_mapping: false

61
roles/netbox/files/0001_oidc_group_and_role_mapping_custom_pipeline.patch
View file

@ -1,61 +0,0 @@
diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py
new file mode 100644
index 000000000..470f388dc
--- /dev/null
+++ b/netbox/netbox/custom_pipeline.py
@@ -0,0 +1,55 @@
+# Licensed under Creative Commons: CC BY-SA 4.0 license.
+# https://github.com/goauthentik/authentik/blob/main/LICENSE
+# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
+# https://docs.goauthentik.io/integrations/services/netbox/
+from netbox.authentication import Group
+
+class AuthFailed(Exception):
+ pass
+
+def add_groups(response, user, backend, *args, **kwargs):
+ try:
+ groups = response['groups']
+ except KeyError:
+ pass
+
+ # Add all groups from oAuth token
+ for group in groups:
+ group, created = Group.objects.get_or_create(name=group)
+ user.groups.add(group)
+
+def remove_groups(response, user, backend, *args, **kwargs):
+ try:
+ groups = response['groups']
+ except KeyError:
+ # Remove all groups if no groups in oAuth token
+ user.groups.clear()
+ pass
+
+ # Get all groups of user
+ user_groups = [item.name for item in user.groups.all()]
+ # Get groups of user which are not part of oAuth token
+ delete_groups = list(set(user_groups) - set(groups))
+
+ # Delete non oAuth token groups
+ for delete_group in delete_groups:
+ group = Group.objects.get(name=delete_group)
+ user.groups.remove(group)
+
+
+def set_roles(response, user, backend, *args, **kwargs):
+ # Remove Roles temporary
+ user.is_superuser = False
+ user.is_staff = False
+ try:
+ groups = response['groups']
+ except KeyError:
+ # When no groups are set
+ # save the user without Roles
+ user.save()
+ pass
+
+ # Set roles is role (superuser or staff) is in groups
+ user.is_superuser = True if 'superusers' in groups else False
+ user.is_staff = True if 'staff' in groups else False
+ user.save()

55
roles/netbox/files/custom_pipeline_oidc_group_and_role_mapping.py Normal file
View file

@ -0,0 +1,55 @@
# Licensed under Creative Commons: CC BY-SA 4.0 license.
# https://github.com/goauthentik/authentik/blob/main/LICENSE
# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
# https://docs.goauthentik.io/integrations/services/netbox/
from netbox.authentication import Group
class AuthFailed(Exception):
pass
def add_groups(response, user, backend, *args, **kwargs):
try:
groups = response['groups']
except KeyError:
pass
# Add all groups from oAuth token
for group in groups:
group, created = Group.objects.get_or_create(name=group)
user.groups.add(group)
def remove_groups(response, user, backend, *args, **kwargs):
try:
groups = response['groups']
except KeyError:
# Remove all groups if no groups in oAuth token
user.groups.clear()
pass
# Get all groups of user
user_groups = [item.name for item in user.groups.all()]
# Get groups of user which are not part of oAuth token
delete_groups = list(set(user_groups) - set(groups))
# Delete non oAuth token groups
for delete_group in delete_groups:
group = Group.objects.get(name=delete_group)
user.groups.remove(group)
def set_roles(response, user, backend, *args, **kwargs):
# Remove Roles temporary
user.is_superuser = False
user.is_staff = False
try:
groups = response['groups']
except KeyError:
# When no groups are set
# save the user without Roles
user.save()
pass
# Set roles is role (superuser or staff) is in groups
user.is_superuser = True if 'superusers' in groups else False
user.is_staff = True if 'staff' in groups else False
user.save()

2
roles/netbox/meta/argument_specs.yaml
View file

@ -10,7 +10,7 @@ argument_specs:
netbox__config: netbox__config:
type: str type: str
required: true required: true
netbox__patch_oidc_group_and_role_mapping_custom_pipeline: netbox__custom_pipeline_oidc_group_and_role_mapping:
type: bool type: bool
required: false required: false
default: false default: false

23
roles/netbox/tasks/main.yaml
View file

@ -25,11 +25,24 @@
- Run upgrade script - Run upgrade script
- Ensure netbox systemd services are set up and up-to-date - Ensure netbox systemd services are set up and up-to-date
- name: Ensure patch for adding custom pipeline code for OIDC group and role mapping is applied - name: Ensures custom pipeline code for OIDC group and role mapping is present
ansible.posix.patch: ansible.builtin.copy:
src: 0001_oidc_group_and_role_mapping_custom_pipeline.patch src: custom_pipeline_oidc_group_and_role_mapping.py
basedir: /opt/netbox/ dest: /opt/netbox/netbox/netbox/custom_pipeline_oidc_mapping.py
when: netbox__patch_oidc_group_and_role_mapping_custom_pipeline mode: "0644"
owner: root
group: root
when: netbox__custom_pipeline_oidc_group_and_role_mapping
become: true
notify:
- Ensure netbox systemd services are set up and up-to-date
- name: Ensures custom pipeline code for OIDC group and role mapping is not present
ansible.builtin.file:
path: /opt/netbox/netbox/netbox/custom_pipeline_oidc_mapping.py
state: absent
when: not netbox__custom_pipeline_oidc_group_and_role_mapping
become: true
notify: notify:
- Ensure netbox systemd services are set up and up-to-date - Ensure netbox systemd services are set up and up-to-date