netbox-config-diff 2.14.3__tar.gz → 2.15.1__tar.gz

{netbox_config_diff-2.14.3 → netbox_config_diff-2.15.1}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: netbox-config-diff
-Version: 2.14.3
+Version: 2.15.1
 Summary: Push rendered device configurations from NetBox to devices and apply them.
 Author: Artem Kotik
 Author-email: miaow2@yandex.ru
@@ -232,7 +232,7 @@ Requires-Dist: pytest==8.3.4; extra == "test"
 Requires-Dist: pytest-django==4.9.0; extra == "test"
 Dynamic: license-file
 
-[![NetBox version](https://img.shields.io/badge/NetBox-4.5-blue.svg)](https://github.com/netbox-community/netbox)
+[![NetBox version](https://img.shields.io/badge/NetBox-4.5|4.6-blue.svg)](https://github.com/netbox-community/netbox)
 [![Supported Versions](https://img.shields.io/pypi/pyversions/netbox-config-diff.svg)](https://pypi.org/project/netbox-config-diff/)
 [![PyPI version](https://badge.fury.io/py/netbox-config-diff.svg)](https://badge.fury.io/py/netbox-config-diff)
 [![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)
@@ -289,6 +289,7 @@ This is possible thanks to the scrapli_cfg. Read [Scrapli](https://github.com/sc
 |  4.3           | =>2.10.0, <=2.12.0 |
 |  4.4           | =>2.11.0, <=2.13.0 |
 |  4.5           |      =>2.14.0      |
+|  4.6           |      =>2.15.0      |
 
 <!--install-start-->
 ## Installing

{netbox_config_diff-2.14.3 → netbox_config_diff-2.15.1}/README.md

@@ -1,4 +1,4 @@
-[![NetBox version](https://img.shields.io/badge/NetBox-4.5-blue.svg)](https://github.com/netbox-community/netbox)
+[![NetBox version](https://img.shields.io/badge/NetBox-4.5|4.6-blue.svg)](https://github.com/netbox-community/netbox)
 [![Supported Versions](https://img.shields.io/pypi/pyversions/netbox-config-diff.svg)](https://pypi.org/project/netbox-config-diff/)
 [![PyPI version](https://badge.fury.io/py/netbox-config-diff.svg)](https://badge.fury.io/py/netbox-config-diff)
 [![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)
@@ -55,6 +55,7 @@ This is possible thanks to the scrapli_cfg. Read [Scrapli](https://github.com/sc
 |  4.3           | =>2.10.0, <=2.12.0 |
 |  4.4           | =>2.11.0, <=2.13.0 |
 |  4.5           |      =>2.14.0      |
+|  4.6           |      =>2.15.0      |
 
 <!--install-start-->
 ## Installing

{netbox_config_diff-2.14.3 → netbox_config_diff-2.15.1}/netbox_config_diff/__init__.py

@@ -2,7 +2,7 @@ from netbox.plugins import PluginConfig
 
 __author__ = "Artem Kotik"
 __email__ = "miaow2@yandex.ru"
-__version__ = "2.14.3"
+__version__ = "2.15.1"
 
 
 class ConfigDiffConfig(PluginConfig):
@@ -15,12 +15,13 @@ class ConfigDiffConfig(PluginConfig):
     base_url = "config-diff"
     required_settings = ["USERNAME", "PASSWORD"]
     min_version = "4.5.0"
-    max_version = "4.5.99"
+    max_version = "4.6.99"
     default_settings = {
         "USER_SECRET_ROLE": "Username",
         "PASSWORD_SECRET_ROLE": "Password",
         "SECOND_AUTH_SECRET_ROLE": "Second Auth",
         "PATH_TO_SSH_CONFIG_FILE": "",
+        "SECRETS_PRECEDENCE": ["device", "role", "platform"],
     }
 
 

{netbox_config_diff-2.14.3 → netbox_config_diff-2.15.1}/netbox_config_diff/compliance/secrets.py

@@ -1,4 +1,5 @@
 import base64
+from operator import attrgetter
 from typing import TYPE_CHECKING
 
 from dcim.models import Device
@@ -34,8 +35,8 @@ class SecretsMixin:
             sk = SessionKey.objects.get(userkey__user=self.request.user)
             self.master_key = sk.get_master_key(self.session_key)
         except Exception as e:
-            if getattr(self, "logger"):
-                if getattr(self.logger, "log_failure"):
+            if hasattr(self, "logger"):
+                if hasattr(self.logger, "log_failure"):
                     self.logger.log_failure(f"Can't fetch master_key: {str(e)}")
                 else:
                     self.logger.error(f"Can't fetch master_key: {str(e)}")
@@ -49,28 +50,42 @@ class SecretsMixin:
             return None
         return secret.plaintext
 
+    def get_secret_value(self, objects: tuple[object | None, ...], role_name: str) -> str | None:
+        for obj in objects:
+            if not obj:
+                continue
+
+            secrets = getattr(obj, "secrets", None)
+            if not secrets:
+                continue
+
+            if secret := secrets.filter(role__name=role_name).first():
+                if value := self.get_secret(secret):
+                    return value
+
+        return None
+
     def get_credentials(self, device: Device) -> tuple[str, str, str, str]:
-        if not self.netbox_secrets_installed:
+        if not self.netbox_secrets_installed or not self.secrets_precedence:
             return self.username, self.password, self.auth_secondary, self.default_desired_privilege_level
 
-        if secret := device.secrets.filter(role__name=self.user_role).first():
-            username = value if (value := self.get_secret(secret)) else self.username
-        else:
-            username = self.username
-        if secret := device.secrets.filter(role__name=self.password_role).first():
-            password = value if (value := self.get_secret(secret)) else self.password
-        else:
-            password = self.password
-        if secret := device.secrets.filter(role__name=self.auth_secondary_role).first():
-            auth_secondary = value if (value := self.get_secret(secret)) else self.auth_secondary
-        else:
-            auth_secondary = self.auth_secondary
-        if secret := device.secrets.filter(role__name=self.default_desired_privilege_level_role).first():
-            default_desired_privilege_level = (
-                value if (value := self.get_secret(secret)) else self.default_desired_privilege_level
-            )
-        else:
-            default_desired_privilege_level = self.default_desired_privilege_level
+        secret_objects: list[object] = []
+        for entry in self.secrets_precedence:
+            if entry == "device":
+                secret_objects.append(device)
+                continue
+            try:
+                secret_objects.append(attrgetter(entry)(device))
+            except AttributeError:
+                    pass
+
+        username = self.get_secret_value(secret_objects, self.user_role) or self.username
+        password = self.get_secret_value(secret_objects, self.password_role) or self.password
+        auth_secondary = self.get_secret_value(secret_objects, self.auth_secondary_role) or self.auth_secondary
+        default_desired_privilege_level = (
+            self.get_secret_value(secret_objects, self.default_desired_privilege_level_role)
+            or self.default_desired_privilege_level
+        )
 
         return username, password, auth_secondary, default_desired_privilege_level
 
@@ -83,6 +98,7 @@ class SecretsMixin:
             self.default_desired_privilege_level_role = get_plugin_config(
                 "netbox_config_diff", "DEFAULT_DESIRED_PRIVILEGE_LEVEL_ROLE"
             )
+            self.secrets_precedence = get_plugin_config("netbox_config_diff", "SECRETS_PRECEDENCE")
             self.netbox_secrets_installed = True
 
         self.username = get_plugin_config("netbox_config_diff", "USERNAME")

{netbox_config_diff-2.14.3 → netbox_config_diff-2.15.1}/netbox_config_diff.egg-info/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: netbox-config-diff
-Version: 2.14.3
+Version: 2.15.1
 Summary: Push rendered device configurations from NetBox to devices and apply them.
 Author: Artem Kotik
 Author-email: miaow2@yandex.ru
@@ -232,7 +232,7 @@ Requires-Dist: pytest==8.3.4; extra == "test"
 Requires-Dist: pytest-django==4.9.0; extra == "test"
 Dynamic: license-file
 
-[![NetBox version](https://img.shields.io/badge/NetBox-4.5-blue.svg)](https://github.com/netbox-community/netbox)
+[![NetBox version](https://img.shields.io/badge/NetBox-4.5|4.6-blue.svg)](https://github.com/netbox-community/netbox)
 [![Supported Versions](https://img.shields.io/pypi/pyversions/netbox-config-diff.svg)](https://pypi.org/project/netbox-config-diff/)
 [![PyPI version](https://badge.fury.io/py/netbox-config-diff.svg)](https://badge.fury.io/py/netbox-config-diff)
 [![Ruff](https://img.shields.io/endpoint?url=https://raw.githubusercontent.com/charliermarsh/ruff/main/assets/badge/v2.json)](https://github.com/astral-sh/ruff)
@@ -289,6 +289,7 @@ This is possible thanks to the scrapli_cfg. Read [Scrapli](https://github.com/sc
 |  4.3           | =>2.10.0, <=2.12.0 |
 |  4.4           | =>2.11.0, <=2.13.0 |
 |  4.5           |      =>2.14.0      |
+|  4.6           |      =>2.15.0      |
 
 <!--install-start-->
 ## Installing

{netbox_config_diff-2.14.3 → netbox_config_diff-2.15.1}/netbox_config_diff.egg-info/SOURCES.txt

@@ -108,4 +108,5 @@ tests/factories.py
 tests/test_compliance.py
 tests/test_compliance_utils.py
 tests/test_configurtion_request.py
+tests/test_secrets.py
 tests/test_urls.py

netbox_config_diff-2.15.1/tests/test_secrets.py

@@ -0,0 +1,135 @@
+from types import SimpleNamespace
+
+from netbox_config_diff.compliance.secrets import SecretsMixin
+
+
+class DummySecretsManager:
+    def __init__(self, by_role: dict[str, object]) -> None:
+        self.by_role = by_role
+
+    def filter(self, **kwargs):
+        return SimpleNamespace(first=lambda: self.by_role.get(kwargs["role__name"]))
+
+
+class DummySecretsMixin(SecretsMixin):
+    pass
+
+
+def build_mixin() -> DummySecretsMixin:
+    mixin = DummySecretsMixin()
+    mixin.netbox_secrets_installed = True
+    mixin.username = "default-user"
+    mixin.password = "default-pass"
+    mixin.auth_secondary = "default-secondary"
+    mixin.default_desired_privilege_level = "default-priv"
+    mixin.secrets_precedence = ["device", "role", "platform"]
+
+    mixin.user_role = "user-role"
+    mixin.password_role = "password-role"
+    mixin.auth_secondary_role = "secondary-role"
+    mixin.default_desired_privilege_level_role = "priv-role"
+    return mixin
+
+
+def test_get_credentials_prefers_device_then_role_then_platform() -> None:
+    mixin = build_mixin()
+
+    device = SimpleNamespace(
+        secrets=DummySecretsManager(
+            {
+                "user-role": SimpleNamespace(value="device-user"),
+            }
+        ),
+        role=SimpleNamespace(
+            secrets=DummySecretsManager(
+                {
+                    "user-role": SimpleNamespace(value="role-user"),
+                    "password-role": SimpleNamespace(value="role-pass"),
+                }
+            )
+        ),
+        platform=SimpleNamespace(
+            secrets=DummySecretsManager(
+                {
+                    "user-role": SimpleNamespace(value="platform-user"),
+                    "password-role": SimpleNamespace(value="platform-pass"),
+                    "secondary-role": SimpleNamespace(value="platform-secondary"),
+                    "priv-role": SimpleNamespace(value="platform-priv"),
+                }
+            )
+        ),
+    )
+    mixin.get_secret = lambda secret: secret.value
+
+    assert mixin.get_credentials(device) == (
+        "device-user",
+        "role-pass",
+        "platform-secondary",
+        "platform-priv",
+    )
+
+
+def test_get_credentials_skips_empty_secret_value() -> None:
+    mixin = build_mixin()
+
+    device = SimpleNamespace(
+        secrets=DummySecretsManager(
+            {
+                "password-role": SimpleNamespace(value=""),
+            }
+        ),
+        role=SimpleNamespace(
+            secrets=DummySecretsManager(
+                {
+                    "password-role": SimpleNamespace(value="role-pass"),
+                }
+            )
+        ),
+        platform=SimpleNamespace(secrets=DummySecretsManager({})),
+    )
+    mixin.get_secret = lambda secret: secret.value
+
+    username, password, auth_secondary, default_desired_privilege_level = mixin.get_credentials(device)
+
+    assert username == "default-user"
+    assert password == "role-pass"
+    assert auth_secondary == "default-secondary"
+    assert default_desired_privilege_level == "default-priv"
+
+
+def test_get_credentials_respects_custom_precedence() -> None:
+    mixin = build_mixin()
+
+    device = SimpleNamespace(
+        secrets=DummySecretsManager(
+            {
+                "password-role": SimpleNamespace(value="device-pass"),
+            }
+        ),
+        role=SimpleNamespace(
+            secrets=DummySecretsManager(
+                {
+                    "user-role": SimpleNamespace(value="role-user"),
+                    "password-role": SimpleNamespace(value="role-pass"),
+                }
+            )
+        ),
+        platform=SimpleNamespace(
+            secrets=DummySecretsManager(
+                {
+                    "user-role": SimpleNamespace(value="platform-user"),
+                }
+            )
+        ),
+    )
+    mixin.get_secret = lambda secret: secret.value
+
+    # Force precedence: platform -> device -> role
+    mixin.secrets_precedence = ["platform", "device", "role"]
+
+    assert mixin.get_credentials(device) == (
+        "platform-user",
+        "device-pass",
+        "default-secondary",
+        "default-priv",
+    )