refactor: improve handling of permissions, users, and settings

conftest.py

@@ -10,7 +10,9 @@
 from tortoise.contrib.fastapi import RegisterTortoise
 
 from goosebit import app
+from goosebit.auth.permissions import GOOSEBIT_PERMISSIONS
 from goosebit.db.models import UpdateModeEnum, UpdateStateEnum
+from goosebit.settings import PWD_CXT
 
 # Configure logging
 logging.basicConfig(level=logging.WARN)
@@ -33,10 +35,14 @@ async def clear_cache():
 
 @pytest_asyncio.fixture(scope="function")
 async def test_app():
+    from goosebit.users import create_initial_user
+
     async with RegisterTortoise(
         app=app,
         config=TORTOISE_CONF,
     ):
+        await Tortoise.generate_schemas()
+        await create_initial_user(username="testing@goosebit.test", hashed_pwd=PWD_CXT.hash("test"))
         yield app
 
 
@@ -45,7 +51,7 @@ async def async_client(test_app):
     async with AsyncClient(
         transport=ASGITransport(app=test_app), base_url="http://test", follow_redirects=True
     ) as client:
-        login_data = {"username": "admin@goosebit.local", "password": "admin"}
+        login_data = {"username": "testing@goosebit.test", "password": "test"}
         response = await client.post("/login", data=login_data, follow_redirects=True)
         assert response.status_code == 200
 
@@ -66,7 +72,7 @@ async def db():
 
 @pytest_asyncio.fixture(scope="function")
 async def test_data(db):
-    from goosebit.db.models import Device, Hardware, Rollout, Software
+    from goosebit.db.models import Device, Hardware, Rollout, Software, User
 
     # Create a temporary directory
     with tempfile.TemporaryDirectory() as temp_dir:
@@ -119,6 +125,22 @@ async def test_data(db):
             auth_token="auth_token1",
         )
 
+        user_admin = await User.create(
+            username="admin@goosebit.test",
+            hashed_pwd=PWD_CXT.hash("testadmin"),
+            permissions=[GOOSEBIT_PERMISSIONS()],
+        )
+
+        user_read_only = await User.create(
+            username="read_only@goosebit.test",
+            hashed_pwd=PWD_CXT.hash("testread"),
+            permissions=[
+                GOOSEBIT_PERMISSIONS["device"]["read"](),
+                GOOSEBIT_PERMISSIONS["software"]["read"](),
+                GOOSEBIT_PERMISSIONS["rollout"]["read"](),
+            ],
+        )
+
         yield dict(
             hardware=hardware,
             software_release=software_release,
@@ -129,4 +151,6 @@ async def test_data(db):
             device_assigned=device_assigned,
             device_authentication=device_assigned,
             device_no_authentication=device_rollout,
+            user_admin=user_admin,
+            user_read_only=user_read_only,
         )

docker/demo/docker-compose.yml

@@ -20,11 +20,8 @@ services:
     image: upstreamdata/goosebit
     environment:
       GOOSEBIT_DB_URI: postgres://db_user:db_pw@postgres:5432/goosebit
-      GOOSEBIT_USERS: |-
-        [
-          {"username": "admin@goosebit.local", "password": "admin", "permissions": ["*"]},
-          {"username": "ci", "password": "foo", "permissions": ["software.read", "software.write", "rollout.read", "rollout.write"]}
-        ]
+      GOOSEBIT_INITAL_USER: |-
+        {"username": "admin@goosebit.local", "password": "admin"}
       GOOSEBIT_SECRET_KEY: 1a7090da4fbe9c72f888a4772302eac3
       GOOSEBIT_ARTIFACTS_DIR: /artifacts
       FORWARDED_ALLOW_IPS: "*"

goosebit.yaml

@@ -35,20 +35,6 @@ poll_time: 00:01:00
 # Defaults to a randomized value. If this value is not set, user sessions will not persist when app restarts.
 #secret_key: my_very_top_secret_key123
 
-# User account for the frontend. Available permissions:
-# "software.read", "software.write", "software.delete"
-# "device.read", "device.write", "device.delete"
-# "rollout.read", "rollout.write", "rollout.delete"
-users:
-  - username: admin@goosebit.local
-    password: admin
-    permissions:
-      - "*"
-  - username: ops@goosebit.local
-    password: ops
-    permissions:
-      - "device.read"
-
 ## Internal settings that usually don't need to be modified
 metrics:
   prometheus:

goosebit/__init__.py

@@ -14,12 +14,12 @@
 from tortoise.exceptions import ValidationError
 
 from goosebit import api, db, ui, updater
-from goosebit.api.telemetry import metrics
 from goosebit.auth import get_user_from_request, login_user, redirect_if_authenticated
-from goosebit.settings import config
+from goosebit.settings import PWD_CXT, config
 from goosebit.ui.nav import nav
 from goosebit.ui.static import static
 from goosebit.ui.templates import templates
+from goosebit.users import create_initial_user
 
 logger = getLogger(__name__)
 
@@ -29,7 +29,6 @@ async def lifespan(_: FastAPI):
     db_ready = await db.init()
     if not db_ready:
         logger.exception("DB does not exist, try running `poetry run aerich upgrade`.")
-    await metrics.init()
     if db_ready:
         yield
     await db.close()
@@ -104,7 +103,18 @@ async def login_get(request: Request):
 
 @app.post("/login", tags=["login"])
 async def login_post(form_data: Annotated[OAuth2PasswordRequestForm, Depends()]):
-    return {"access_token": login_user(form_data.username, form_data.password), "token_type": "bearer"}
+    return {"access_token": await login_user(form_data.username, form_data.password), "token_type": "bearer"}
+
+
+@app.get("/setup", include_in_schema=False)
+async def setup_get(request: Request):
+    return templates.TemplateResponse(request, "setup.html.jinja")
+
+
+@app.post("/setup", include_in_schema=False)
+async def setup_post(form_data: Annotated[OAuth2PasswordRequestForm, Depends()]):
+    await create_initial_user(form_data.username, PWD_CXT.hash(form_data.password))
+    return {"access_token": await login_user(form_data.username, form_data.password), "token_type": "bearer"}
 
 
 @app.get("/logout", include_in_schema=False)

goosebit/api/telemetry/metrics.py

@@ -2,7 +2,7 @@
 from opentelemetry.sdk.metrics import MeterProvider
 from opentelemetry.sdk.resources import SERVICE_NAME, Resource
 
-from goosebit.settings import USERS, config
+from goosebit.settings import config
 
 from . import prometheus
 
@@ -28,7 +28,3 @@
     "users.count",
     description="The number of registered users",
 )
-
-
-async def init():
-    users_count.set(len(USERS))

goosebit/api/v1/devices/device/routes.py

@@ -5,6 +5,7 @@
 
 from goosebit.api.v1.devices.device.responses import DeviceLogResponse, DeviceResponse
 from goosebit.auth import validate_user_permissions
+from goosebit.auth.permissions import GOOSEBIT_PERMISSIONS
 from goosebit.db import Device
 from goosebit.device_manager import get_device
 
@@ -13,7 +14,7 @@
 
 @router.get(
     "",
-    dependencies=[Security(validate_user_permissions, scopes=["device.read"])],
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["device"]["read"]()])],
 )
 async def device_get(_: Request, device: Device = Depends(get_device)) -> DeviceResponse:
     if device is None:
@@ -24,7 +25,7 @@ async def device_get(_: Request, device: Device = Depends(get_device)) -> Device
 
 @router.get(
     "/log",
-    dependencies=[Security(validate_user_permissions, scopes=["device.read"])],
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["device"]["read"]()])],
 )
 async def device_logs(_: Request, device: Device = Depends(get_device)) -> DeviceLogResponse:
     if device is None:

goosebit/api/v1/devices/routes.py

@@ -8,6 +8,7 @@
 
 from goosebit.api.responses import StatusResponse
 from goosebit.auth import validate_user_permissions
+from goosebit.auth.permissions import GOOSEBIT_PERMISSIONS
 from goosebit.db.models import Device, Software, UpdateModeEnum
 from goosebit.device_manager import DeviceManager, get_device
 from goosebit.schema.devices import DeviceSchema
@@ -22,7 +23,7 @@
 
 @router.get(
     "",
-    dependencies=[Security(validate_user_permissions, scopes=["device.read"])],
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["device"]["read"]()])],
 )
 async def devices_get(_: Request) -> DevicesResponse:
     devices = await Device.all().prefetch_related("hardware", "assigned_software", "assigned_software__compatibility")
@@ -42,7 +43,7 @@ async def set_assigned_sw(d: DeviceSchema):
 
 @router.delete(
     "",
-    dependencies=[Security(validate_user_permissions, scopes=["device.delete"])],
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["device"]["delete"]()])],
 )
 async def devices_delete(_: Request, config: DevicesDeleteRequest) -> StatusResponse:
     await DeviceManager.delete_devices(config.devices)
@@ -51,7 +52,7 @@ async def devices_delete(_: Request, config: DevicesDeleteRequest) -> StatusResp
 
 @router.patch(
     "",
-    dependencies=[Security(validate_user_permissions, scopes=["device.write"])],
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["device"]["write"]()])],
 )
 async def devices_patch(_: Request, config: DevicesPatchRequest) -> StatusResponse:
     for dev_id in config.devices:
@@ -81,7 +82,7 @@ async def devices_patch(_: Request, config: DevicesPatchRequest) -> StatusRespon
 
 @router.put(
     "",
-    dependencies=[Security(validate_user_permissions, scopes=["device.write"])],
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["device"]["write"]()])],
 )
 async def devices_put(_: Request, config: DevicesPutRequest) -> StatusResponse:
     for dev_id in config.devices:

goosebit/api/v1/rollouts/routes.py

@@ -3,6 +3,7 @@
 
 from goosebit.api.responses import StatusResponse
 from goosebit.auth import validate_user_permissions
+from goosebit.auth.permissions import GOOSEBIT_PERMISSIONS
 from goosebit.db.models import Rollout, Software
 
 from .requests import RolloutsDeleteRequest, RolloutsPatchRequest, RolloutsPutRequest
@@ -13,7 +14,7 @@
 
 @router.get(
     "",
-    dependencies=[Security(validate_user_permissions, scopes=["rollout.read"])],
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["rollout"]["read"]()])],
 )
 async def rollouts_get(_: Request) -> RolloutsResponse:
     rollouts = await Rollout.all().prefetch_related("software", "software__compatibility")
@@ -22,7 +23,7 @@ async def rollouts_get(_: Request) -> RolloutsResponse:
 
 @router.post(
     "",
-    dependencies=[Security(validate_user_permissions, scopes=["rollout.write"])],
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["rollout"]["write"]()])],
 )
 async def rollouts_put(_: Request, rollout: RolloutsPutRequest) -> RolloutsPutResponse:
     software = await Software.filter(id=rollout.software_id)
@@ -38,7 +39,7 @@ async def rollouts_put(_: Request, rollout: RolloutsPutRequest) -> RolloutsPutRe
 
 @router.patch(
     "",
-    dependencies=[Security(validate_user_permissions, scopes=["rollout.write"])],
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["rollout"]["write"]()])],
 )
 async def rollouts_patch(_: Request, rollouts: RolloutsPatchRequest) -> StatusResponse:
     await Rollout.filter(id__in=rollouts.ids).update(paused=rollouts.paused)
@@ -47,7 +48,7 @@ async def rollouts_patch(_: Request, rollouts: RolloutsPatchRequest) -> StatusRe
 
 @router.delete(
     "",
-    dependencies=[Security(validate_user_permissions, scopes=["rollout.delete"])],
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["rollout"]["delete"]()])],
 )
 async def rollouts_delete(_: Request, rollouts: RolloutsDeleteRequest) -> StatusResponse:
     await Rollout.filter(id__in=rollouts.ids).delete()

goosebit/api/v1/routes.py

@@ -1,9 +1,10 @@
 from fastapi import APIRouter
 
-from . import devices, download, rollouts, software
+from . import devices, download, rollouts, settings, software
 
 router = APIRouter(prefix="/v1")
 router.include_router(software.router)
 router.include_router(devices.router)
 router.include_router(rollouts.router)
 router.include_router(download.router)
+router.include_router(settings.router)

goosebit/api/v1/settings/__init__.py

@@ -0,0 +1 @@
+from .routes import router  # noqa: F401

goosebit/api/v1/settings/routes.py

@@ -0,0 +1,14 @@
+from fastapi import APIRouter
+
+from goosebit.auth.permissions import GOOSEBIT_PERMISSIONS, Permission
+
+from . import users
+
+router = APIRouter(prefix="/settings", tags=["settings"])
+
+router.include_router(users.router)
+
+
+@router.get("/permissions", response_model_exclude_none=True)
+async def settings_permissions_get() -> Permission:
+    return GOOSEBIT_PERMISSIONS

goosebit/api/v1/settings/users/__init__.py

@@ -0,0 +1 @@
+from .routes import router  # noqa: F401

goosebit/api/v1/settings/users/requests.py

@@ -0,0 +1,16 @@
+from pydantic import BaseModel
+
+
+class UsersPutRequest(BaseModel):
+    username: str
+    password: str
+    permissions: list[str]
+
+
+class UsersPatchRequest(BaseModel):
+    usernames: list[str]
+    enabled: bool
+
+
+class UsersDeleteRequest(BaseModel):
+    usernames: list[str]

goosebit/api/v1/settings/users/responses.py

@@ -0,0 +1,7 @@
+from pydantic import BaseModel
+
+from goosebit.schema.users import UserSchema
+
+
+class SettingsUsersResponse(BaseModel):
+    users: list[UserSchema]

goosebit/api/v1/settings/users/routes.py

@@ -0,0 +1,56 @@
+from __future__ import annotations
+
+from fastapi import APIRouter, HTTPException, Security
+from fastapi.requests import Request
+
+from goosebit.api.responses import StatusResponse
+from goosebit.auth import validate_user_permissions
+from goosebit.auth.permissions import GOOSEBIT_PERMISSIONS
+from goosebit.db.models import User
+from goosebit.users import UserManager, create_user
+
+from .requests import UsersDeleteRequest, UsersPatchRequest, UsersPutRequest
+from .responses import SettingsUsersResponse
+
+router = APIRouter(prefix="/users")
+
+
+@router.get(
+    "",
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["settings"]["users"]["read"]()])],
+)
+async def settings_users_get(_: Request) -> SettingsUsersResponse:
+    users = await User.all()
+    return SettingsUsersResponse(users=users)
+
+
+@router.post(
+    "",
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["settings"]["users"]["write"]()])],
+)
+async def settings_users_put(_: Request, user: UsersPutRequest) -> StatusResponse:
+    await create_user(username=user.username, password=user.password, permissions=user.permissions)
+    return StatusResponse(success=True)
+
+
+@router.delete(
+    "",
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["settings"]["users"]["delete"]()])],
+)
+async def settings_users_delete(_: Request, config: UsersDeleteRequest) -> StatusResponse:
+    await UserManager.delete_users(config.usernames)
+    return StatusResponse(success=True)
+
+
+@router.patch(
+    "",
+    dependencies=[Security(validate_user_permissions, scopes=[GOOSEBIT_PERMISSIONS["settings"]["users"]["delete"]()])],
+)
+async def settings_users_patch(_: Request, config: UsersPatchRequest) -> StatusResponse:
+    for username in config.usernames:
+        if await User.get_or_none(username=username) is None:
+            raise HTTPException(404, f"User with username {username} not found")
+
+        user = await UserManager.get_user(username)
+        await UserManager.update_enabled(user, config.enabled)
+    return StatusResponse(success=True)