netbox-bmc 0.4.0__py3-none-any.whl

netbox_bmc/__init__.py

@@ -0,0 +1,78 @@
+from netbox.plugins import PluginConfig
+
+__version__ = "0.4.0"
+__author__ = "tak-labo"
+__email__ = ""
+
+
+class NetBoxBMCConfig(PluginConfig):
+    name = "netbox_bmc"
+    verbose_name = "NetBox BMC (IPMI/Redfish)"
+    description = "Unified out-of-band management: Redfish & IPMI inventory sync, power control, console access"
+    version = __version__
+    author = __author__
+    author_email = __email__
+    base_url = "bmc"
+    min_version = "4.5"
+    max_version = "4.6.99"
+    default_settings = {
+        # 定期一括同期の間隔 (分)。0 で無効。
+        "sync_interval_minutes": 0,
+        "default_verify_ssl": False,
+        # netbox-secrets バックグラウンドジョブ用サービスアカウント設定
+        # (netbox-secrets 使用時のみ必要)
+        # "service_account": "bmc-sync",
+        # "service_private_key_path": "/opt/netbox/bmc-sync.pem",
+    }
+
+    def ready(self):
+        super().ready()
+        from . import jobs  # noqa: F401
+
+        interval = (getattr(self, "settings", None) or {}).get("sync_interval_minutes") or 0
+        if interval:
+            self._enqueue_scheduled_sync(interval)
+
+    @staticmethod
+    def _enqueue_scheduled_sync(interval_minutes: int) -> None:
+        """
+        ScheduledInventorySyncJob の定期ジョブを登録する。
+
+        ready() は workers / web プロセスの起動ごとに呼ばれるため、
+        既に pending / scheduled / running の同名ジョブがあればスキップして
+        冪等にする。初回マイグレーション前など Job テーブル未作成の場合は黙って抜ける。
+        """
+        import logging
+
+        from django.db import DatabaseError
+
+        from .jobs import ScheduledInventorySyncJob
+
+        logger = logging.getLogger("netbox_bmc")
+
+        try:
+            from datetime import timedelta
+
+            from core.models import Job
+            from django.utils import timezone
+
+            active = Job.objects.filter(
+                name=ScheduledInventorySyncJob.Meta.name,
+                status__in=("pending", "scheduled", "running"),
+            ).exists()
+            if active:
+                return
+
+            ScheduledInventorySyncJob.enqueue(
+                instance=None,
+                schedule_at=timezone.now() + timedelta(minutes=interval_minutes),
+                interval=interval_minutes,
+            )
+        except DatabaseError:
+            # マイグレーション前: Job テーブルが存在しない
+            pass
+        except Exception as e:
+            logger.warning("Failed to schedule recurring inventory sync: %s", e)
+
+
+config = NetBoxBMCConfig

netbox_bmc/api/serializers.py

@@ -0,0 +1,23 @@
+from netbox.api.serializers import NetBoxModelSerializer
+from rest_framework import serializers
+
+from ..models import BMCEndpoint
+
+
+class BMCEndpointSerializer(NetBoxModelSerializer):
+    url = serializers.HyperlinkedIdentityField(
+        view_name="plugins-api:netbox_bmc-api:bmcendpoint-detail",
+    )
+    password = serializers.CharField(write_only=True, required=False, allow_blank=True)
+
+    class Meta:
+        model = BMCEndpoint
+        fields = (
+            "id", "url", "display",
+            "device", "address", "port", "protocol", "verify_ssl",
+            "username", "password",
+            "detected_vendor", "detected_protocol",
+            "last_sync", "last_sync_status",
+            "tags", "custom_fields", "created", "last_updated",
+        )
+        brief_fields = ("id", "url", "display", "device", "address")

netbox_bmc/api/urls.py

@@ -0,0 +1,7 @@
+from netbox.api.routers import NetBoxRouter
+
+from . import views
+
+router = NetBoxRouter()
+router.register("endpoints", views.BMCEndpointViewSet)
+urlpatterns = router.urls

netbox_bmc/api/views.py

@@ -0,0 +1,9 @@
+from netbox.api.viewsets import NetBoxModelViewSet
+
+from ..models import BMCEndpoint
+from .serializers import BMCEndpointSerializer
+
+
+class BMCEndpointViewSet(NetBoxModelViewSet):
+    queryset = BMCEndpoint.objects.prefetch_related("tags")
+    serializer_class = BMCEndpointSerializer

netbox_bmc/credentials.py

@@ -0,0 +1,209 @@
+"""
+netbox-secrets からBMC認証情報を取得するヘルパー。
+
+【復号の経路】
+  バックグラウンドジョブ (InventorySyncJob / ScheduledInventorySyncJob):
+    request なし → PLUGINS_CONFIG の service_private_key_path に
+    置いたサービスアカウントの RSA 秘密鍵 (PEM) で UserKey を復号し
+    master_key を取得する。
+
+  request 引数経路は将来的な REST API 同期実行用に残してあるが、
+  ジョブ kwargs を介してセッションキーを渡すと Job レコードに平文で
+  保存されてしまうため、現状の UI トリガーでは使用しない。
+
+【Secretのレイアウト規約】
+  - SecretRole slug : bmc-credentials
+  - Secret.name    : BMC username (非暗号化フィールド)
+  - Secret.plaintext: BMC password (RSA暗号化)
+  - assigned_object: Device (当該 BMCEndpoint の device)
+
+【フォールバック動作】
+  netbox-secrets が未インストールの場合は BMCEndpoint.username/password の
+  平文フィールドにフォールバックする (後方互換)。
+"""
+from __future__ import annotations
+
+import base64
+import logging
+from dataclasses import dataclass
+from pathlib import Path
+from typing import TYPE_CHECKING
+
+from django.conf import settings
+from django.contrib.contenttypes.models import ContentType
+
+if TYPE_CHECKING:
+    from django.http import HttpRequest
+
+    from .models import BMCEndpoint
+
+logger = logging.getLogger("netbox_bmc.credentials")
+
+SECRET_ROLE_SLUG = "bmc-credentials"
+
+
+@dataclass
+class Credential:
+    username: str
+    password: str
+    source: str  # "netbox_secrets" | "plaintext_fallback"
+
+
+def get_credential(endpoint: BMCEndpoint,
+                   request: HttpRequest | None = None) -> Credential:
+    """
+    BMCEndpoint に紐づく認証情報を取得して返す。
+
+    netbox-secrets が使用可能な場合:
+      - request が渡された場合はセッションキーで復号
+      - request=None の場合はサービスアカウント秘密鍵で復号
+
+    どちらも失敗した場合 / netbox-secrets 未インストールの場合:
+      - endpoint.username / endpoint.password を返す
+    """
+    try:
+        return _get_from_secrets(endpoint, request)
+    except _SecretsUnavailable:
+        logger.debug("netbox-secrets unavailable, using plaintext fields")
+    except _SecretNotFound:
+        logger.debug("No bmc-credentials secret for device %s, using plaintext fields",
+                     endpoint.device)
+    except Exception as e:
+        # netbox-secrets が利用可能なのに復号に失敗した場合は警告ではなく
+        # error レベルで残す (運用上、無音で平文に落ちると気付きにくい)。
+        logger.error("Failed to decrypt secret for %s: %s, using plaintext fields",
+                     endpoint.device, e)
+
+    # フォールバック
+    return Credential(
+        username=endpoint.username,
+        password=endpoint.password,
+        source="plaintext_fallback",
+    )
+
+
+# ---------------------------------------------------------------------------
+# 内部実装
+# ---------------------------------------------------------------------------
+
+class _SecretsUnavailable(Exception):
+    pass
+
+
+class _SecretNotFound(Exception):
+    pass
+
+
+def _get_from_secrets(endpoint: BMCEndpoint,
+                      request: HttpRequest | None) -> Credential:
+    try:
+        from netbox_secrets.models import Secret, SecretRole
+    except ImportError:
+        raise _SecretsUnavailable from None
+
+    device = endpoint.device
+    device_ct = ContentType.objects.get_for_model(device)
+
+    role_qs = SecretRole.objects.filter(slug=SECRET_ROLE_SLUG)
+    if not role_qs.exists():
+        raise _SecretNotFound(f"SecretRole '{SECRET_ROLE_SLUG}' not found")
+
+    secret_qs = Secret.objects.filter(
+        role__in=role_qs,
+        assigned_object_type=device_ct,
+        assigned_object_id=device.pk,
+    )
+    if not secret_qs.exists():
+        raise _SecretNotFound
+
+    secret = secret_qs.first()
+    master_key = _resolve_master_key(request)
+    secret.decrypt(master_key)
+
+    if secret.plaintext is None:
+        raise Exception("decrypt returned None — wrong key?")
+
+    return Credential(
+        username=secret.name,          # name フィールドがユーザー名
+        password=secret.plaintext,
+        source="netbox_secrets",
+    )
+
+
+def _resolve_master_key(request: HttpRequest | None) -> bytes:
+    """
+    master_key (bytes) を返す。
+
+    request あり  → Cookie または X-Session-Key ヘッダからセッションキーを取得
+    request なし  → サービスアカウント秘密鍵で復号
+    """
+
+    if request is not None:
+        return _master_key_from_request(request)
+
+    return _master_key_from_service_account()
+
+
+def _master_key_from_request(request) -> bytes:
+    from netbox_secrets.models import UserKey
+
+    # X-Session-Key ヘッダ (API) or session_key Cookie (ブラウザ)
+    session_key_b64 = (
+        request.META.get("HTTP_X_SESSION_KEY")
+        or request.COOKIES.get("session_key")
+    )
+    if not session_key_b64:
+        raise Exception("No X-Session-Key header or session_key cookie in request")
+
+    session_key = base64.b64decode(session_key_b64)
+    try:
+        uk = UserKey.objects.get(user=request.user)
+    except UserKey.DoesNotExist as e:
+        raise Exception(f"No UserKey found for user {request.user}") from e
+
+    master_key = uk.get_master_key(session_key)
+    if master_key is None:
+        raise Exception("get_master_key returned None — session key may be expired")
+    return master_key
+
+
+def _master_key_from_service_account() -> bytes:
+    """
+    PLUGINS_CONFIG["netbox_bmc"]["service_account"] で指定された
+    サービスアカウントの UserKey と RSA 秘密鍵ファイルで master_key を取得する。
+
+    configuration.py での設定例:
+        PLUGINS_CONFIG = {
+            "netbox_bmc": {
+                "service_account": "bmc-sync",          # NetBoxユーザー名
+                "service_private_key_path": "/opt/netbox/bmc-sync.pem",
+            }
+        }
+    """
+    from netbox_secrets.models import UserKey
+
+    plugin_cfg = settings.PLUGINS_CONFIG.get("netbox_bmc", {})
+    account = plugin_cfg.get("service_account")
+    key_path = plugin_cfg.get("service_private_key_path")
+
+    if not account or not key_path:
+        raise Exception(
+            "service_account and service_private_key_path must be set in "
+            "PLUGINS_CONFIG['netbox_bmc'] for background job decryption"
+        )
+
+    pem = Path(key_path).read_text()
+
+    try:
+        uk = UserKey.objects.get(user__username=account)
+    except UserKey.DoesNotExist as e:
+        raise Exception(f"No UserKey for service account '{account}'") from e
+
+    # UserKey.get_master_key は秘密鍵PEM文字列を受け付ける
+    master_key = uk.get_master_key(private_key=pem)
+    if master_key is None:
+        raise Exception(
+            f"master_key is None for service account '{account}' — "
+            "check that the private key matches the stored public key"
+        )
+    return master_key

netbox_bmc/drivers/__init__.py

@@ -0,0 +1,3 @@
+from .base import BaseDriver, BMCError, detect_and_build
+
+__all__ = ["BaseDriver", "BMCError", "detect_and_build"]

netbox_bmc/drivers/base.py

@@ -0,0 +1,71 @@
+"""
+ドライバ基底クラスとプロトコル/ベンダー自動検出。
+
+設計方針:
+- BaseDriver は最小限のインターフェイスのみ定義
+- Redfish はパスをハードコードせず ServiceRoot からリンクを辿る
+- ベンダー固有処理 (OEM 拡張) はベンダーサブクラスでオーバーライド
+"""
+from __future__ import annotations
+
+from ..inventory import InventoryResult
+
+
+class BMCError(Exception):
+    """ドライバ層の共通例外。"""
+
+
+class BaseDriver:
+    protocol: str = ""
+
+    def __init__(self, address: str, username: str, password: str,
+                 port: int | None = None, verify_ssl: bool = False,
+                 timeout: int = 15):
+        self.address = address
+        self.username = username
+        self.password = password
+        self.port = port
+        self.verify_ssl = verify_ssl
+        self.timeout = timeout
+
+    # --- 必須インターフェイス -------------------------------------------
+    def get_inventory(self) -> InventoryResult:
+        raise NotImplementedError
+
+    def get_power_state(self) -> str:
+        raise NotImplementedError
+
+    def set_power(self, action: str) -> None:
+        """action: on | off | cycle | reset | soft"""
+        raise NotImplementedError
+
+    def close(self) -> None:
+        pass
+
+    def __enter__(self):
+        return self
+
+    def __exit__(self, *exc):
+        self.close()
+
+
+def detect_and_build(address: str, username: str, password: str,
+                     protocol: str = "auto", **kwargs) -> BaseDriver:
+    """
+    プロトコルを判別してドライバインスタンスを返す。
+
+    auto の場合: まず https://<addr>/redfish/v1 を叩き、応答があれば
+    Redfish、なければ IPMI へフォールバックする。
+    """
+    from .ipmi import IPMIDriver
+    from .redfish import build_redfish_driver, probe_redfish
+
+    if protocol == "redfish":
+        return build_redfish_driver(address, username, password, **kwargs)
+    if protocol == "ipmi":
+        return IPMIDriver(address, username, password, **kwargs)
+
+    # auto
+    if probe_redfish(address, timeout=5, verify_ssl=kwargs.get("verify_ssl", False)):
+        return build_redfish_driver(address, username, password, **kwargs)
+    return IPMIDriver(address, username, password, **kwargs)

netbox_bmc/drivers/ipmi.py

@@ -0,0 +1,103 @@
+"""
+IPMI ドライバ (レガシー BMC 向けフォールバック)。
+
+pyghmi の get_inventory() で FRU 情報を取得する。
+Redfish より取得できる情報は限定的 (CPU/DIMM の詳細は出ないことが多い)。
+既存 netbox-ipmi-plugin の電源操作・SOL 周りはここに段階的に移植する。
+"""
+from __future__ import annotations
+
+import logging
+
+from ..inventory import Component, InventoryResult, SystemInfo
+from .base import BaseDriver, BMCError
+
+logger = logging.getLogger("netbox_bmc.ipmi")
+
+POWER_ACTION_MAP = {
+    "on": "on",
+    "off": "off",
+    "soft": "softoff",
+    "cycle": "boot",   # pyghmi: off→on
+    "reset": "reset",
+}
+
+
+class IPMIDriver(BaseDriver):
+    protocol = "ipmi"
+
+    def __init__(self, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        try:
+            from pyghmi.ipmi import command
+        except ImportError as e:
+            raise BMCError("pyghmi is not installed") from e
+        try:
+            self.cmd = command.Command(
+                bmc=self.address,
+                userid=self.username,
+                password=self.password,
+                port=self.port or 623,
+            )
+        except Exception as e:
+            raise BMCError(f"IPMI connection to {self.address} failed: {e}") from e
+
+    def get_inventory(self) -> InventoryResult:
+        system = SystemInfo()
+        components: list[Component] = []
+        try:
+            for name, info in self.cmd.get_inventory():
+                if info is None:
+                    continue
+                if name == "System":
+                    system.manufacturer = info.get("Manufacturer", "") or ""
+                    system.model = info.get("Product name", "") or ""
+                    system.serial = info.get("Serial Number", "") or ""
+                    system.uuid = str(info.get("UUID", "") or "")
+                else:
+                    components.append(Component(
+                        kind=_guess_kind(name),
+                        name=name,
+                        manufacturer=info.get("Manufacturer", "") or "",
+                        part_id=info.get("Part Number", "")
+                                or info.get("Product name", "") or "",
+                        serial=info.get("Serial Number", "") or "",
+                    ))
+        except Exception as e:
+            raise BMCError(f"IPMI FRU read failed: {e}") from e
+
+        return InventoryResult(system=system, components=components,
+                               vendor=system.manufacturer or "Unknown",
+                               protocol=self.protocol)
+
+    def get_power_state(self) -> str:
+        try:
+            return self.cmd.get_power().get("powerstate", "unknown")
+        except Exception as e:
+            raise BMCError(str(e)) from e
+
+    def set_power(self, action: str) -> None:
+        mapped = POWER_ACTION_MAP.get(action)
+        if not mapped:
+            raise BMCError(f"Unknown power action: {action}")
+        try:
+            self.cmd.set_power(mapped, wait=False)
+        except Exception as e:
+            raise BMCError(f"IPMI power action failed: {e}") from e
+
+    def close(self):
+        try:
+            self.cmd.ipmi_session.logout()
+        except Exception:
+            pass
+
+
+def _guess_kind(fru_name: str) -> str:
+    n = fru_name.lower()
+    if "psu" in n or "power" in n:
+        return "psu"
+    if "fan" in n:
+        return "fan"
+    if "nic" in n or "net" in n:
+        return "nic"
+    return "other"