
Merge pull request #8039 from netbox-community/5869-available-prefixes

Fixes #5869: Fix permissions evaluation under available prefix/IP REST API endpoints
Jeremy Stretch 4 лет назад
Родитель
Сommit
3a05eda63a

+ 1 - 0
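--- a/docs/release-notes/version-3.1.md
+++ b/docs/release-notes/version-3.1.md
@@ -4,6 +4,7 @@
 
 ### Bug Fixes
 
+* [#5869](https://github.com/netbox-community/netbox/issues/5869) - Fix permissions evaluation under available prefix/IP REST API endpoints
 * [#7990](https://github.com/netbox-community/netbox/issues/7990) - Fix `title` display on contact detail view
 * [#7996](https://github.com/netbox-community/netbox/issues/7996) - Show WWN field in interface creation form
 * [#8001](https://github.com/netbox-community/netbox/issues/8001) - Correct verbose name for wireless LAN group model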

+ 0 - 185
netbox/ipam/api/mixins.py

@@ -1,185 +0,0 @@
-from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
-from django.db import transaction
-from django.shortcuts import get_object_or_404
-from django_pglocks import advisory_lock
-from drf_yasg.utils import swagger_auto_schema
-from rest_framework import status
-from rest_framework.decorators import action
-from rest_framework.response import Response
-
-from ipam.models import *
-from netbox.config import get_config
-from utilities.constants import ADVISORY_LOCK_KEYS
-from . import serializers
-
-
-class AvailablePrefixesMixin:
-
-    @swagger_auto_schema(method='get', responses={200: serializers.AvailablePrefixSerializer(many=True)})
-    @swagger_auto_schema(method='post', responses={201: serializers.PrefixSerializer(many=False)})
-    @action(detail=True, url_path='available-prefixes', methods=['get', 'post'])
-    @advisory_lock(ADVISORY_LOCK_KEYS['available-prefixes'])
-    def available_prefixes(self, request, pk=None):
-        """
-        A convenience method for returning available child prefixes within a parent.
-
-        The advisory lock decorator uses a PostgreSQL advisory lock to prevent this API from being
-        invoked in parallel, which results in a race condition where multiple insertions can occur.
-        """
-        prefix = get_object_or_404(self.queryset, pk=pk)
-        available_prefixes = prefix.get_available_prefixes()
-
-        if request.method == 'POST':
-
-            # Validate Requested Prefixes' length
-            serializer = serializers.PrefixLengthSerializer(
-                data=request.data if isinstance(request.data, list) else [request.data],
-                many=True,
-                context={
-                    'request': request,
-                    'prefix': prefix,
-                }
-            )
-            if not serializer.is_valid():
-                return Response(
-                    serializer.errors,
-                    status=status.HTTP_400_BAD_REQUEST
-                )
-
-            requested_prefixes = serializer.validated_data
-            # Allocate prefixes to the requested objects based on availability within the parent
-            for i, requested_prefix in enumerate(requested_prefixes):
-
-                # Find the first available prefix equal to or larger than the requested size
-                for available_prefix in available_prefixes.iter_cidrs():
-                    if requested_prefix['prefix_length'] >= available_prefix.prefixlen:
-                        allocated_prefix = '{}/{}'.format(available_prefix.network, requested_prefix['prefix_length'])
-                        requested_prefix['prefix'] = allocated_prefix
-                        requested_prefix['vrf'] = prefix.vrf.pk if prefix.vrf else None
-                        break
-                else:
-                    return Response(
-                        {
-                            "detail": "Insufficient space is available to accommodate the requested prefix size(s)"
-                        },
-                        status=status.HTTP_204_NO_CONTENT
-                    )
-
-                # Remove the allocated prefix from the list of available prefixes
-                available_prefixes.remove(allocated_prefix)
-
-            # Initialize the serializer with a list or a single object depending on what was requested
-            context = {'request': request}
-            if isinstance(request.data, list):
-                serializer = serializers.PrefixSerializer(data=requested_prefixes, many=True, context=context)
-            else:
-                serializer = serializers.PrefixSerializer(data=requested_prefixes[0], context=context)
-
-            # Create the new Prefix(es)
-            if serializer.is_valid():
-                try:
-                    with transaction.atomic():
-                        created = serializer.save()
-                        self._validate_objects(created)
-                except ObjectDoesNotExist:
-                    raise PermissionDenied()
-                return Response(serializer.data, status=status.HTTP_201_CREATED)
-
-            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
-
-        else:
-
-            serializer = serializers.AvailablePrefixSerializer(available_prefixes.iter_cidrs(), many=True, context={
-                'request': request,
-                'vrf': prefix.vrf,
-            })
-
-            return Response(serializer.data)
-
-
-class AvailableIPsMixin:
-    parent_model = Prefix
-
-    @swagger_auto_schema(method='get', responses={200: serializers.AvailableIPSerializer(many=True)})
-    @swagger_auto_schema(method='post', responses={201: serializers.AvailableIPSerializer(many=True)},
-                         request_body=serializers.AvailableIPSerializer(many=True))
-    @action(detail=True, url_path='available-ips', methods=['get', 'post'], queryset=IPAddress.objects.all())
-    @advisory_lock(ADVISORY_LOCK_KEYS['available-ips'])
-    def available_ips(self, request, pk=None):
-        """
-        A convenience method for returning available IP addresses within a Prefix or IPRange. By default, the number of
-        IPs returned will be equivalent to PAGINATE_COUNT. An arbitrary limit (up to MAX_PAGE_SIZE, if set) may be
-        passed, however results will not be paginated.
-
-        The advisory lock decorator uses a PostgreSQL advisory lock to prevent this API from being
-        invoked in parallel, which results in a race condition where multiple insertions can occur.
-        """
-        parent = get_object_or_404(self.parent_model.objects.restrict(request.user), pk=pk)
-
-        # Create the next available IP
-        if request.method == 'POST':
-
-            # Normalize to a list of objects
-            requested_ips = request.data if isinstance(request.data, list) else [request.data]
-
-            # Determine if the requested number of IPs is available
-            available_ips = parent.get_available_ips()
-            if available_ips.size < len(requested_ips):
-                return Response(
-                    {
-                        "detail": f"An insufficient number of IP addresses are available within {parent} "
-                                  f"({len(requested_ips)} requested, {len(available_ips)} available)"
-                    },
-                    status=status.HTTP_204_NO_CONTENT
-                )
-
-            # Assign addresses from the list of available IPs and copy VRF assignment from the parent
-            available_ips = iter(available_ips)
-            for requested_ip in requested_ips:
-                requested_ip['address'] = f'{next(available_ips)}/{parent.mask_length}'
-                requested_ip['vrf'] = parent.vrf.pk if parent.vrf else None
-
-            # Initialize the serializer with a list or a single object depending on what was requested
-            context = {'request': request}
-            if isinstance(request.data, list):
-                serializer = serializers.IPAddressSerializer(data=requested_ips, many=True, context=context)
-            else:
-                serializer = serializers.IPAddressSerializer(data=requested_ips[0], context=context)
-
-            # Create the new IP address(es)
-            if serializer.is_valid():
-                try:
-                    with transaction.atomic():
-                        created = serializer.save()
-                        self._validate_objects(created)
-                except ObjectDoesNotExist:
-                    raise PermissionDenied()
-                return Response(serializer.data, status=status.HTTP_201_CREATED)
-
-            return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
-
-        # Determine the maximum number of IPs to return
-        else:
-            config = get_config()
-            PAGINATE_COUNT = config.PAGINATE_COUNT
-            MAX_PAGE_SIZE = config.MAX_PAGE_SIZE
-            try:
-                limit = int(request.query_params.get('limit', PAGINATE_COUNT))
-            except ValueError:
-                limit = PAGINATE_COUNT
-            if MAX_PAGE_SIZE:
-                limit = min(limit, MAX_PAGE_SIZE)
-
-            # Calculate available IPs within the parent
-            ip_list = []
-            for index, ip in enumerate(parent.get_available_ips(), start=1):
-                ip_list.append(ip)
-                if index == limit:
-                    break
-            serializer = serializers.AvailableIPSerializer(ip_list, many=True, context={
-                'request': request,
-                'parent': parent,
-                'vrf': parent.vrf,
-            })
-
-            return Response(serializer.data)

+ 23 - 1
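--- a/netbox/ipam/api/urls.py
+++ b/netbox/ipam/api/urls.py
@@ -1,4 +1,7 @@
+from django.urls import path
+
 from netbox.api import OrderedDefaultRouter
+from ipam.models import IPRange, Prefix
 from . import views
 
 
@@ -42,4 +45,23 @@ router.register('vlans', views.VLANViewSet)
 router.register('services', views.ServiceViewSet)
 
 app_name = 'ipam-api'
-urlpatterns = router.urls
+
+urlpatterns = [
+    path(
+        'ip-ranges/<int:pk>/available-ips/',
+        views.IPRangeAvailableIPAddressesView.as_view(),
+        name='iprange-available-ips'
+    ),
+    path(
+        'prefixes/<int:pk>/available-prefixes/',
+        views.AvailablePrefixesView.as_view(),
+        name='prefix-available-prefixes'
+    ),
+    path(
+        'prefixes/<int:pk>/available-ips/',
+        views.PrefixAvailableIPAddressesView.as_view(),
+        name='prefix-available-ips'
+    ),
+]
+
+urlpatterns += router.urls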
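Review bot: The added `from ipam.models import IPRange, Prefix` is not referenced in any line this section shows, since the three new `path()` entries only name view classes; unless the unseen middle of the file uses these models, the import looks unused and can be dropped. A short comment above the list would also help, for example `# Standalone views replacing the former @action routes on PrefixViewSet / IPRangeViewSet`. The route names must keep matching what `reverse()` callers expect, as the unchanged `reverse('ipam-api:prefix-available-prefixes', ...)` call in the test section shows.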

+ 197 - 53
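--- a/netbox/ipam/api/views.py
+++ b/netbox/ipam/api/views.py
@@ -1,12 +1,23 @@
+from django.core.exceptions import ObjectDoesNotExist, PermissionDenied
+from django.db import transaction
+from django_pglocks import advisory_lock
+from django.shortcuts import get_object_or_404
+from drf_yasg.utils import swagger_auto_schema
+from rest_framework import status
+from rest_framework.response import Response
 from rest_framework.routers import APIRootView
+from rest_framework.views import APIView
+
 
 from dcim.models import Site
 from extras.api.views import CustomFieldModelViewSet
 from ipam import filtersets
 from ipam.models import *
-from netbox.api.views import ModelViewSet
+from netbox.api.views import ModelViewSet, ObjectValidationMixin
+from netbox.config import get_config
+from utilities.constants import ADVISORY_LOCK_KEYS
 from utilities.utils import count_related
-from . import mixins, serializers
+from . import serializers
 
 
 class IPAMRootView(APIRootView):
@@ -18,7 +29,7 @@ class IPAMRootView(APIRootView):
 
 
 #
-# ASNs
+# Viewsets
 #
 
 class ASNViewSet(CustomFieldModelViewSet):
@@ -27,10 +38,6 @@ class ASNViewSet(CustomFieldModelViewSet):
     filterset_class = filtersets.ASNFilterSet
 
 
-#
-# VRFs
-#
-
 class VRFViewSet(CustomFieldModelViewSet):
     queryset = VRF.objects.prefetch_related('tenant').prefetch_related(
         'import_targets', 'export_targets', 'tags'
@@ -42,20 +49,12 @@ class VRFViewSet(CustomFieldModelViewSet):
     filterset_class = filtersets.VRFFilterSet
 
 
-#
-# Route targets
-#
-
 class RouteTargetViewSet(CustomFieldModelViewSet):
     queryset = RouteTarget.objects.prefetch_related('tenant').prefetch_related('tags')
     serializer_class = serializers.RouteTargetSerializer
     filterset_class = filtersets.RouteTargetFilterSet
 
 
-#
-# RIRs
-#
-
 class RIRViewSet(CustomFieldModelViewSet):
     queryset = RIR.objects.annotate(
         aggregate_count=count_related(Aggregate, 'rir')
@@ -64,20 +63,12 @@ class RIRViewSet(CustomFieldModelViewSet):
     filterset_class = filtersets.RIRFilterSet
 
 
-#
-# Aggregates
-#
-
 class AggregateViewSet(CustomFieldModelViewSet):
     queryset = Aggregate.objects.prefetch_related('rir').prefetch_related('tags')
     serializer_class = serializers.AggregateSerializer
     filterset_class = filtersets.AggregateFilterSet
 
 
-#
-# Roles
-#
-
 class RoleViewSet(CustomFieldModelViewSet):
     queryset = Role.objects.annotate(
         prefix_count=count_related(Prefix, 'role'),
@@ -87,11 +78,7 @@ class RoleViewSet(CustomFieldModelViewSet):
     filterset_class = filtersets.RoleFilterSet
 
 
-#
-# Prefixes
-#
-
-class PrefixViewSet(mixins.AvailableIPsMixin, mixins.AvailablePrefixesMixin, CustomFieldModelViewSet):
+class PrefixViewSet(CustomFieldModelViewSet):
     queryset = Prefix.objects.prefetch_related(
         'site', 'vrf__tenant', 'tenant', 'vlan', 'role', 'tags'
     )
@@ -106,11 +93,7 @@ class PrefixViewSet(mixins.AvailableIPsMixin, mixins.AvailablePrefixesMixin, Cus
         return super().get_serializer_class()
 
 
-#
-# IP ranges
-#
-
-class IPRangeViewSet(mixins.AvailableIPsMixin, CustomFieldModelViewSet):
+class IPRangeViewSet(CustomFieldModelViewSet):
     queryset = IPRange.objects.prefetch_related('vrf', 'role', 'tenant', 'tags')
     serializer_class = serializers.IPRangeSerializer
     filterset_class = filtersets.IPRangeFilterSet
@@ -118,10 +101,6 @@ class IPRangeViewSet(mixins.AvailableIPsMixin, CustomFieldModelViewSet):
     parent_model = IPRange  # AvailableIPsMixin
 
 
-#
-# IP addresses
-#
-
 class IPAddressViewSet(CustomFieldModelViewSet):
     queryset = IPAddress.objects.prefetch_related(
         'vrf__tenant', 'tenant', 'nat_inside', 'nat_outside', 'tags', 'assigned_object'
@@ -130,10 +109,6 @@ class IPAddressViewSet(CustomFieldModelViewSet):
     filterset_class = filtersets.IPAddressFilterSet
 
 
-#
-# FHRP groups
-#
-
 class FHRPGroupViewSet(CustomFieldModelViewSet):
     queryset = FHRPGroup.objects.prefetch_related('ip_addresses', 'tags')
     serializer_class = serializers.FHRPGroupSerializer
@@ -147,10 +122,6 @@ class FHRPGroupAssignmentViewSet(CustomFieldModelViewSet):
     filterset_class = filtersets.FHRPGroupAssignmentFilterSet
 
 
-#
-# VLAN groups
-#
-
 class VLANGroupViewSet(CustomFieldModelViewSet):
     queryset = VLANGroup.objects.annotate(
         vlan_count=count_related(VLAN, 'group')
@@ -159,10 +130,6 @@ class VLANGroupViewSet(CustomFieldModelViewSet):
     filterset_class = filtersets.VLANGroupFilterSet
 
 
-#
-# VLANs
-#
-
 class VLANViewSet(CustomFieldModelViewSet):
     queryset = VLAN.objects.prefetch_related(
         'site', 'group', 'tenant', 'role', 'tags'
@@ -173,13 +140,190 @@ class VLANViewSet(CustomFieldModelViewSet):
     filterset_class = filtersets.VLANFilterSet
 
 
-#
-# Services
-#
-
 class ServiceViewSet(ModelViewSet):
     queryset = Service.objects.prefetch_related(
         'device', 'virtual_machine', 'tags', 'ipaddresses'
     )
     serializer_class = serializers.ServiceSerializer
     filterset_class = filtersets.ServiceFilterSet
+
+
+#
+# Views
+#
+
+class AvailablePrefixesView(ObjectValidationMixin, APIView):
+    queryset = Prefix.objects.all()
+
+    @swagger_auto_schema(responses={200: serializers.AvailablePrefixSerializer(many=True)})
+    def get(self, request, pk):
+        prefix = get_object_or_404(Prefix.objects.restrict(request.user), pk=pk)
+        available_prefixes = prefix.get_available_prefixes()
+
+        serializer = serializers.AvailablePrefixSerializer(available_prefixes.iter_cidrs(), many=True, context={
+            'request': request,
+            'vrf': prefix.vrf,
+        })
+
+        return Response(serializer.data)
+
+    @swagger_auto_schema(
+        request_body=serializers.PrefixLengthSerializer,
+        responses={201: serializers.PrefixSerializer(many=True)}
+    )
+    @advisory_lock(ADVISORY_LOCK_KEYS['available-prefixes'])
+    def post(self, request, pk):
+        self.queryset = self.queryset.restrict(request.user, 'add')
+        prefix = get_object_or_404(Prefix.objects.restrict(request.user), pk=pk)
+        available_prefixes = prefix.get_available_prefixes()
+
+        # Validate Requested Prefixes' length
+        serializer = serializers.PrefixLengthSerializer(
+            data=request.data if isinstance(request.data, list) else [request.data],
+            many=True,
+            context={
+                'request': request,
+                'prefix': prefix,
+            }
+        )
+        if not serializer.is_valid():
+            return Response(
+                serializer.errors,
+                status=status.HTTP_400_BAD_REQUEST
+            )
+
+        requested_prefixes = serializer.validated_data
+        # Allocate prefixes to the requested objects based on availability within the parent
+        for i, requested_prefix in enumerate(requested_prefixes):
+
+            # Find the first available prefix equal to or larger than the requested size
+            for available_prefix in available_prefixes.iter_cidrs():
+                if requested_prefix['prefix_length'] >= available_prefix.prefixlen:
+                    allocated_prefix = '{}/{}'.format(available_prefix.network, requested_prefix['prefix_length'])
+                    requested_prefix['prefix'] = allocated_prefix
+                    requested_prefix['vrf'] = prefix.vrf.pk if prefix.vrf else None
+                    break
+            else:
+                return Response(
+                    {
+                        "detail": "Insufficient space is available to accommodate the requested prefix size(s)"
+                    },
+                    status=status.HTTP_204_NO_CONTENT
+                )
+
+            # Remove the allocated prefix from the list of available prefixes
+            available_prefixes.remove(allocated_prefix)
+
+        # Initialize the serializer with a list or a single object depending on what was requested
+        context = {'request': request}
+        if isinstance(request.data, list):
+            serializer = serializers.PrefixSerializer(data=requested_prefixes, many=True, context=context)
+        else:
+            serializer = serializers.PrefixSerializer(data=requested_prefixes[0], context=context)
+
+        # Create the new Prefix(es)
+        if serializer.is_valid():
+            try:
+                with transaction.atomic():
+                    created = serializer.save()
+                    self._validate_objects(created)
+            except ObjectDoesNotExist:
+                raise PermissionDenied()
+            return Response(serializer.data, status=status.HTTP_201_CREATED)
+
+        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+
+class AvailableIPAddressesView(ObjectValidationMixin, APIView):
+    queryset = IPAddress.objects.all()
+
+    def get_parent(self, request, pk):
+        raise NotImplemented()
+
+    @swagger_auto_schema(responses={200: serializers.AvailableIPSerializer(many=True)})
+    def get(self, request, pk):
+        parent = self.get_parent(request, pk)
+        config = get_config()
+        PAGINATE_COUNT = config.PAGINATE_COUNT
+        MAX_PAGE_SIZE = config.MAX_PAGE_SIZE
+
+        try:
+            limit = int(request.query_params.get('limit', PAGINATE_COUNT))
+        except ValueError:
+            limit = PAGINATE_COUNT
+        if MAX_PAGE_SIZE:
+            limit = min(limit, MAX_PAGE_SIZE)
+
+        # Calculate available IPs within the parent
+        ip_list = []
+        for index, ip in enumerate(parent.get_available_ips(), start=1):
+            ip_list.append(ip)
+            if index == limit:
+                break
+        serializer = serializers.AvailableIPSerializer(ip_list, many=True, context={
+            'request': request,
+            'parent': parent,
+            'vrf': parent.vrf,
+        })
+
+        return Response(serializer.data)
+
+    @swagger_auto_schema(
+        request_body=serializers.AvailableIPSerializer,
+        responses={201: serializers.IPAddressSerializer(many=True)}
+    )
+    @advisory_lock(ADVISORY_LOCK_KEYS['available-ips'])
+    def post(self, request, pk):
+        self.queryset = self.queryset.restrict(request.user, 'add')
+        parent = self.get_parent(request, pk)
+
+        # Normalize to a list of objects
+        requested_ips = request.data if isinstance(request.data, list) else [request.data]
+
+        # Determine if the requested number of IPs is available
+        available_ips = parent.get_available_ips()
+        if available_ips.size < len(requested_ips):
+            return Response(
+                {
+                    "detail": f"An insufficient number of IP addresses are available within {parent} "
+                              f"({len(requested_ips)} requested, {len(available_ips)} available)"
+                },
+                status=status.HTTP_204_NO_CONTENT
+            )
+
+        # Assign addresses from the list of available IPs and copy VRF assignment from the parent
+        available_ips = iter(available_ips)
+        for requested_ip in requested_ips:
+            requested_ip['address'] = f'{next(available_ips)}/{parent.mask_length}'
+            requested_ip['vrf'] = parent.vrf.pk if parent.vrf else None
+
+        # Initialize the serializer with a list or a single object depending on what was requested
+        context = {'request': request}
+        if isinstance(request.data, list):
+            serializer = serializers.IPAddressSerializer(data=requested_ips, many=True, context=context)
+        else:
+            serializer = serializers.IPAddressSerializer(data=requested_ips[0], context=context)
+
+        # Create the new IP address(es)
+        if serializer.is_valid():
+            try:
+                with transaction.atomic():
+                    created = serializer.save()
+                    self._validate_objects(created)
+            except ObjectDoesNotExist:
+                raise PermissionDenied()
+            return Response(serializer.data, status=status.HTTP_201_CREATED)
+
+        return Response(serializer.errors, status=status.HTTP_400_BAD_REQUEST)
+
+
+class PrefixAvailableIPAddressesView(AvailableIPAddressesView):
+
+    def get_parent(self, request, pk):
+        return get_object_or_404(Prefix.objects.restrict(request.user), pk=pk)
+
+
+class IPRangeAvailableIPAddressesView(AvailableIPAddressesView):
+
+    def get_parent(self, request, pk):
+        return get_object_or_404(IPRange.objects.restrict(request.user), pk=pk)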
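Review bot: In `AvailableIPAddressesView.get` the `limit` query parameter is parsed with `int()` but never checked for being positive, so a value of zero or below never satisfies `if index == limit` and the loop collects every address from `parent.get_available_ips()`; `min(limit, MAX_PAGE_SIZE)` does not help because it keeps the smaller number. On a large parent that means unbounded work and memory for a single GET, so the parse should be followed by a guard such as `if limit < 1: limit = PAGINATE_COUNT`. Separately, the base `get_parent` uses `raise NotImplemented()`, which calls the `NotImplemented` constant and fails with a `TypeError`; `raise NotImplementedError()` is the intended form. Both new view classes would also benefit from a class docstring stating that the parent is looked up with view permission while created objects are checked against the `add`-restricted `self.queryset`.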

+ 1 - 1
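--- a/netbox/ipam/tests/test_api.py
+++ b/netbox/ipam/tests/test_api.py
@@ -289,7 +289,7 @@ class PrefixTest(APIViewTestCases.APIViewTestCase):
         vrf = VRF.objects.create(name='VRF 1')
         prefix = Prefix.objects.create(prefix=IPNetwork('192.0.2.0/28'), vrf=vrf, is_pool=True)
         url = reverse('ipam-api:prefix-available-prefixes', kwargs={'pk': prefix.pk})
-        self.add_permissions('ipam.add_prefix')
+        self.add_permissions('ipam.view_prefix', 'ipam.add_prefix')
 
         # Create four available prefixes with individual requests
         prefixes_to_be_created = [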
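Review bot: The only test change visible here is adding `ipam.view_prefix` to an existing success-path test, so nothing in this section pins the behaviour the fix is about. A companion case that grants `ipam.add_prefix` without view access to the parent prefix and asserts the request is refused would guard against regressions, as would one using a constrained permission that excludes the parent. The test method starts and ends outside this hunk, so coverage elsewhere in the file cannot be ruled out from here.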

+ 18 - 15
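--- a/netbox/netbox/api/views.py
+++ b/netbox/netbox/api/views.py
@@ -123,11 +123,28 @@ class BulkDestroyModelMixin:
                 self.perform_destroy(obj)
 
 
+class ObjectValidationMixin:
+
+    def _validate_objects(self, instance):
+        """
+        Check that the provided instance or list of instances are matched by the current queryset. This confirms that
+        any newly created or modified objects abide by the attributes granted by any applicable ObjectPermissions.
+        """
+        if type(instance) is list:
+            # Check that all instances are still included in the view's queryset
+            conforming_count = self.queryset.filter(pk__in=[obj.pk for obj in instance]).count()
+            if conforming_count != len(instance):
+                raise ObjectDoesNotExist
+        else:
+            # Check that the instance is matched by the view's queryset
+            self.queryset.get(pk=instance.pk)
+
+
 #
 # Viewsets
 #
 
-class ModelViewSet(BulkUpdateModelMixin, BulkDestroyModelMixin, ModelViewSet_):
+class ModelViewSet(BulkUpdateModelMixin, BulkDestroyModelMixin, ObjectValidationMixin, ModelViewSet_):
     """
     Extend DRF's ModelViewSet to support bulk update and delete functions.
     """
@@ -211,20 +228,6 @@ class ModelViewSet(BulkUpdateModelMixin, BulkDestroyModelMixin, ModelViewSet_):
                 **kwargs
             )
 
-    def _validate_objects(self, instance):
-        """
-        Check that the provided instance or list of instances are matched by the current queryset. This confirms that
-        any newly created or modified objects abide by the attributes granted by any applicable ObjectPermissions.
-        """
-        if type(instance) is list:
-            # Check that all instances are still included in the view's queryset
-            conforming_count = self.queryset.filter(pk__in=[obj.pk for obj in instance]).count()
-            if conforming_count != len(instance):
-                raise ObjectDoesNotExist
-        else:
-            # Check that the instance is matched by the view's queryset
-            self.queryset.get(pk=instance.pk)
-
     def list(self, request, *args, **kwargs):
         """
         Overrides ListModelMixin to allow processing ExportTemplates.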
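Review bot: `ObjectValidationMixin` is now a reusable building block but has no class docstring stating what it needs from its host. `_validate_objects` only compares against `self.queryset`, so the check is meaningful only if the host has already narrowed that queryset to the requesting user and action; with an unrestricted queryset every saved object passes. I would add a class docstring along the lines of `Requires self.queryset to be restricted for the acting user (e.g. .restrict(user, 'add')) before _validate_objects() is called; raises ObjectDoesNotExist when a saved object falls outside it.` As a style point, `type(instance) is list` could be `isinstance(instance, list)`, though that line is carried over unchanged from the removed method.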