add option to NetBox role for patch. NetBox for OIDC group and role map.

Add option to NetBox role to make it patch NetBox to add custom pipeline
code for OIDC group and role mapping.

The custom pipeline code is licensed under the Creative Commons: CC
BY-SA 4.0 license.

See:
https://github.com/goauthentik/authentik/blob/main/LICENSE
https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
https://docs.goauthentik.io/integrations/services/netbox/
5676b1a468

README.md

@@ -45,3 +45,8 @@ Im Ansible-Repo müssen diese Sachen hinzugefügt werden:
     * Individuelle Config für den Service. Wenn Docker Compose, hier weiterleiten auf den eigentlichen Dienst in Compose.
     * Cert-Dateinamen anpassen
 * `resources/chaosknoten/`*host*`/docker_compose/compose.yaml.j2`: Config für Docker Compose (wenn verwendet)
+
+## License
+
+This CCCHH ansible-ccchh repository is licensed under the [MIT License](./LICENSE).  
+[`0001_oidc_group_and_role_mapping_custom_pipeline.patch`](./roles/netbox/files/0001_oidc_group_and_role_mapping_custom_pipeline.patch) is licensed under the Creative Commons: CC BY-SA 4.0 license.

roles/netbox/README.md

@@ -18,7 +18,9 @@ Should work on Debian-based distributions.
 
 ## Optional Arguments
 
-None.
+- `netbox__patch_oidc_group_and_role_mapping_custom_pipeline`: Whether or not to patch NetBox to add custom pipeline code for OIDC group and role mapping.
+  See [Custom Pipeline Code for OIDC Group and Role Mapping](#custom-pipeline-code-for-oidc-group-and-role-mapping) for more infos.  
+  Defaults to `false`.
 
 ## NetBox Configuration
 
@@ -71,6 +73,14 @@ The relevant documentation on how to do that can be found here:
 - Web server setup docs: <https://netboxlabs.com/docs/netbox/en/stable/installation/5-http-server/>
 - Example base nginx config: <https://github.com/netbox-community/netbox/blob/main/contrib/nginx.conf>
 
+## Custom Pipeline Code for OIDC Group and Role Mapping
+
+Setting the option `netbox__patch_oidc_group_and_role_mapping_custom_pipeline` to `true` makes this role patch NetBox to add custom pipeline code for OIDC group and role mapping.
+Note that this role uses a patch for NetBox >= 4.0.0.  
+The patch is available in `files/0001_oidc_group_and_role_mapping_custom_pipeline.patch`, licensed under the CC BY-SA 4.0 license and taken from [this authentik NetBox documentation](https://docs.goauthentik.io/integrations/services/netbox/).
+The documentation also shows how to use the pipeline code by defining a custom `SOCIAL_AUTH_PIPELINE`, which you also need to do, as the configuration isn't provided by this role.
+See also [the default settings.py](https://github.com/netbox-community/netbox/blob/main/netbox/netbox/settings.py) for the default `SOCIAL_AUTH_PIPELINE`.
+
 ## Links & Resources
 
 - The NetBox Git Repo: <https://github.com/netbox-community/netbox>

roles/netbox/defaults/main.yaml

@@ -0,0 +1 @@
+netbox__patch_oidc_group_and_role_mapping_custom_pipeline: false

roles/netbox/files/0001_oidc_group_and_role_mapping_custom_pipeline.patch

@@ -0,0 +1,61 @@
+diff --git a/netbox/netbox/custom_pipeline.py b/netbox/netbox/custom_pipeline.py
+new file mode 100644
+index 000000000..470f388dc
+--- /dev/null
++++ b/netbox/netbox/custom_pipeline.py
+@@ -0,0 +1,55 @@
++# Licensed under Creative Commons: CC BY-SA 4.0 license.
++# https://github.com/goauthentik/authentik/blob/main/LICENSE
++# https://github.com/goauthentik/authentik/blob/main/website/integrations/services/netbox/index.md
++# https://docs.goauthentik.io/integrations/services/netbox/
++from netbox.authentication import Group
++
++class AuthFailed(Exception):
++    pass
++
++def add_groups(response, user, backend, *args, **kwargs):
++    try:
++        groups = response['groups']
++    except KeyError:
++        pass
++
++    # Add all groups from oAuth token
++    for group in groups:
++        group, created = Group.objects.get_or_create(name=group)
++        user.groups.add(group)
++
++def remove_groups(response, user, backend, *args, **kwargs):
++    try:
++        groups = response['groups']
++    except KeyError:
++        # Remove all groups if no groups in oAuth token
++        user.groups.clear()
++        pass
++
++    # Get all groups of user
++    user_groups = [item.name for item in user.groups.all()]
++    # Get groups of user which are not part of oAuth token
++    delete_groups = list(set(user_groups) - set(groups))
++
++    # Delete non oAuth token groups
++    for delete_group in delete_groups:
++        group = Group.objects.get(name=delete_group)
++        user.groups.remove(group)
++
++
++def set_roles(response, user, backend, *args, **kwargs):
++    # Remove Roles temporary
++    user.is_superuser = False
++    user.is_staff = False
++    try:
++        groups = response['groups']
++    except KeyError:
++        # When no groups are set
++        # save the user without Roles
++        user.save()
++        pass
++
++    # Set roles is role (superuser or staff) is in groups
++    user.is_superuser = True if 'superusers' in groups else False
++    user.is_staff = True if 'staff' in groups else False
++    user.save()

roles/netbox/meta/argument_specs.yaml

@@ -10,3 +10,7 @@ argument_specs:
       netbox__config:
         type: str
         required: true
+      netbox__patch_oidc_group_and_role_mapping_custom_pipeline:
+        type: bool
+        required: false
+        default: false

roles/netbox/tasks/main.yaml

@@ -25,6 +25,12 @@
     - Run upgrade script
     - Ensure netbox systemd services are set up and up-to-date
 
+- name: Ensure patch for adding custom pipeline code for OIDC group and role mapping is applied
+  ansible.posix.patch:
+    src: 0001_oidc_group_and_role_mapping_custom_pipeline.patch
+    basedir: /opt/netbox/
+  when: netbox__patch_oidc_group_and_role_mapping_custom_pipeline
+
 - name: Ensure netbox user
   block:
     - name: Ensure netbox group exists