PyPI - netbox-sqlquery - Versions diffs - 0.1.3__tar.gz → 0.1.4__tar.gz - Mend

netbox-sqlquery 0.1.3tar.gz → 0.1.4tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (43) hide show

{netbox_sqlquery-0.1.3 → netbox_sqlquery-0.1.4}/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: netbox-sqlquery
-Version: 0.1.3
+Version: 0.1.4
 Summary: SQL query interface for NetBox with syntax highlighting, abstract views, and role-based access control
 Author-email: Ravi Pina <ravi@pina.org>
 License-Expression: Apache-2.0

{netbox_sqlquery-0.1.3 → netbox_sqlquery-0.1.4}/netbox_sqlquery/__init__.py RENAMED Viewed

@@ -12,7 +12,7 @@ class NetBoxSQLQueryConfig(PluginConfig):
         "SQL query interface for NetBox with syntax highlighting,"
         " abstract views, and role-based access control"
     )
-    version = "0.1.3"
+    version = "0.1.4"
     author = "Ravi Pina"
     author_email = "ravi@pina.org"
     base_url = "sqlquery"

netbox_sqlquery-0.1.4/netbox_sqlquery/api/views.py ADDED Viewed

@@ -0,0 +1,107 @@
+import logging
+from django.utils import timezone
+from rest_framework import status
+from rest_framework.decorators import action
+from rest_framework.response import Response
+from rest_framework.viewsets import ModelViewSet
+from netbox_sqlquery.access import can_execute_write, check_access, extract_tables
+from netbox_sqlquery.models import SavedQuery
+from netbox_sqlquery.query import execute_read_query, execute_write_query, is_write_query
+from .serializers import SavedQuerySerializer
+logger = logging.getLogger("netbox_sqlquery")
+class SavedQueryViewSet(ModelViewSet):
+    serializer_class = SavedQuerySerializer
+    def get_queryset(self):
+        return SavedQuery.visible_to(self.request.user)
+    def perform_create(self, serializer):
+        serializer.save(owner=self.request.user)
+    @action(detail=True, methods=["post"])
+    def execute(self, request, pk=None):
+        """Execute a saved query and return results as JSON."""
+        saved_query = self.get_object()
+        sql = saved_query.sql.strip()
+        user = request.user
+        if not sql:
+            return Response(
+                {"error": "Saved query has no SQL."},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+        is_write = is_write_query(sql)
+        # Check write permission
+        if is_write and not can_execute_write(user):
+            return Response(
+                {"error": "Write queries require the 'change' permission or superuser status."},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+        # Require confirmation for write queries
+        if is_write:
+            confirmed = request.data.get("confirmed")
+            if not confirmed:
+                return Response(
+                    {
+                        "error": "Write queries require explicit confirmation.",
+                        "detail": 'Include {"confirmed": true} in the request body.',
+                    },
+                    status=status.HTTP_400_BAD_REQUEST,
+                )
+        # Table access check
+        denied = check_access(user, extract_tables(sql))
+        if denied:
+            return Response(
+                {"error": f"Access denied to: {', '.join(sorted(denied))}"},
+                status=status.HTTP_403_FORBIDDEN,
+            )
+        # Execute
+        if is_write:
+            result = execute_write_query(sql)
+        else:
+            result = execute_read_query(sql)
+        if result.get("error"):
+            return Response(
+                {"error": result["error"]},
+                status=status.HTTP_400_BAD_REQUEST,
+            )
+        # Update run tracking
+        saved_query.run_count += 1
+        saved_query.last_run = timezone.now()
+        saved_query.save(update_fields=["run_count", "last_run"])
+        # Audit log
+        truncated_sql = sql[:500]
+        logger.info(
+            "api query user=%s query=%s sql=%s",
+            user.username,
+            saved_query.name,
+            truncated_sql,
+        )
+        # Build response
+        response_data = {
+            "query_name": saved_query.name,
+            "columns": result["columns"],
+            "rows": result["rows"],
+            "row_count": result["row_count"],
+        }
+        if is_write:
+            response_data["rows_affected"] = result.get("rows_affected", 0)
+        else:
+            response_data["truncated"] = result.get("truncated", False)
+        return Response(response_data)

netbox_sqlquery-0.1.4/netbox_sqlquery/query.py ADDED Viewed

@@ -0,0 +1,115 @@
+"""Shared query execution functions used by both the web UI and API."""
+from django.db import DatabaseError, connection, transaction
+from netbox.plugins import get_plugin_config
+class _ReadOnlyRollback(Exception):
+    """Raised to force rollback of the read-only transaction."""
+def execute_read_query(sql, timeout_ms=None, max_rows=None):
+    """Execute a read-only SQL query.
+    Returns dict with keys: columns, rows, row_count, truncated, error.
+    """
+    if timeout_ms is None:
+        timeout_ms = get_plugin_config("netbox_sqlquery", "statement_timeout_ms")
+    if max_rows is None:
+        max_rows = get_plugin_config("netbox_sqlquery", "max_rows")
+    result = {"columns": [], "rows": [], "row_count": 0, "truncated": False, "error": None}
+    try:
+        with transaction.atomic():
+            with connection.cursor() as cursor:
+                cursor.execute(f"SET LOCAL statement_timeout = '{timeout_ms}'")
+                cursor.execute("SET TRANSACTION READ ONLY")
+                cursor.execute(sql)
+                columns = [col[0] for col in cursor.description]
+                rows = cursor.fetchmany(max_rows + 1)
+            raise _ReadOnlyRollback()
+    except _ReadOnlyRollback:
+        truncated = len(rows) > max_rows
+        if truncated:
+            rows = rows[:max_rows]
+        result.update(
+            columns=columns,
+            rows=[list(r) for r in rows],
+            row_count=len(rows),
+            truncated=truncated,
+        )
+    except DatabaseError as exc:
+        result["error"] = str(exc)
+    return result
+def execute_write_query(sql, timeout_ms=None, max_rows=None):
+    """Execute a write SQL query (INSERT/UPDATE/DELETE).
+    Returns dict with keys: columns, rows, row_count, rows_affected, error.
+    """
+    if timeout_ms is None:
+        timeout_ms = get_plugin_config("netbox_sqlquery", "statement_timeout_ms")
+    if max_rows is None:
+        max_rows = get_plugin_config("netbox_sqlquery", "max_rows")
+    result = {
+        "columns": [],
+        "rows": [],
+        "row_count": 0,
+        "rows_affected": 0,
+        "error": None,
+    }
+    try:
+        exec_sql = sql
+        has_returning = "RETURNING" in sql.upper()
+        normalized = sql.lstrip().upper()
+        if not has_returning and (
+            normalized.startswith("UPDATE") or normalized.startswith("DELETE")
+        ):
+            exec_sql = sql.rstrip().rstrip(";") + " RETURNING *"
+        with connection.cursor() as cursor:
+            cursor.execute(f"SET LOCAL statement_timeout = '{timeout_ms}'")
+            cursor.execute(exec_sql)
+            rows_affected = cursor.rowcount
+            if cursor.description:
+                columns = [col[0] for col in cursor.description]
+                rows = cursor.fetchmany(max_rows)
+                result.update(
+                    columns=columns,
+                    rows=[list(r) for r in rows],
+                    row_count=len(rows),
+                )
+        result["rows_affected"] = rows_affected
+    except DatabaseError as exc:
+        result["error"] = str(exc)
+    return result
+def is_write_query(sql):
+    """Check if a SQL statement is a write query."""
+    normalized = sql.lstrip().upper()
+    return (
+        normalized.startswith("INSERT")
+        or normalized.startswith("UPDATE")
+        or normalized.startswith("DELETE")
+    )
+def is_allowed_query(sql):
+    """Check if a SQL statement type is permitted."""
+    normalized = sql.lstrip().upper()
+    return (
+        normalized.startswith("SELECT")
+        or normalized.startswith("WITH")
+        or normalized.startswith("INSERT")
+        or normalized.startswith("UPDATE")
+        or normalized.startswith("DELETE")
+    )

{netbox_sqlquery-0.1.3 → netbox_sqlquery-0.1.4}/netbox_sqlquery/views.py RENAMED Viewed

@@ -2,6 +2,7 @@ import csv
 import io
 import json
 import logging
+import re
 from django.contrib.auth.mixins import UserPassesTestMixin
 from django.db import DatabaseError, connection, transaction
@@ -27,6 +28,7 @@ from .access import (
 from .filtersets import SavedQueryFilterSet
 from .forms import SavedQueryFilterForm, SavedQueryForm
 from .models import SavedQuery
+from .query import execute_read_query, execute_write_query
 from .schema import get_abstract_schema, get_schema
 from .tables import SavedQueryTable
@@ -180,55 +182,33 @@ class QueryView(UserPassesTestMixin, TemplateView):
         return self.render_to_response(ctx)
     def _execute_read(self, ctx, sql, timeout_ms, max_rows):
-        try:
-            with transaction.atomic():
-                with connection.cursor() as cursor:
-                    cursor.execute(f"SET LOCAL statement_timeout = '{timeout_ms}'")
-                    cursor.execute("SET TRANSACTION READ ONLY")
-                    cursor.execute(sql)
-                    columns = [col[0] for col in cursor.description]
-                    rows = cursor.fetchmany(max_rows + 1)
-                raise _ReadOnlyRollback()
-        except _ReadOnlyRollback:
-            truncated = len(rows) > max_rows
-            if truncated:
-                rows = rows[:max_rows]
+        result = execute_read_query(sql, timeout_ms, max_rows)
+        if result["error"]:
+            ctx["error"] = result["error"]
+        else:
             ctx.update(
-                columns=columns,
-                rows=rows,
-                row_count=len(rows),
-                truncated=truncated,
+                columns=result["columns"],
+                rows=result["rows"],
+                row_count=result["row_count"],
+                truncated=result["truncated"],
                 max_rows=max_rows,
             )
-        except DatabaseError as exc:
-            ctx["error"] = str(exc)
         return ctx
     def _execute_write(self, ctx, sql, timeout_ms):
         max_rows = get_plugin_config("netbox_sqlquery", "max_rows")
-        try:
-            # Append RETURNING * if the user didn't include a RETURNING clause
-            exec_sql = sql
-            has_returning = "RETURNING" in sql.upper()
-            normalized = sql.lstrip().upper()
-            if not has_returning and (
-                normalized.startswith("UPDATE") or normalized.startswith("DELETE")
-            ):
-                exec_sql = sql.rstrip().rstrip(";") + " RETURNING *"
-            with connection.cursor() as cursor:
-                cursor.execute(f"SET LOCAL statement_timeout = '{timeout_ms}'")
-                cursor.execute(exec_sql)
-                row_count = cursor.rowcount
-                if cursor.description:
-                    columns = [col[0] for col in cursor.description]
-                    rows = cursor.fetchmany(max_rows)
-                    ctx.update(columns=columns, rows=rows, row_count=len(rows))
-            ctx["write_result"] = f"{row_count} row{'s' if row_count != 1 else ''} affected."
-        except DatabaseError as exc:
-            ctx["error"] = str(exc)
+        result = execute_write_query(sql, timeout_ms, max_rows)
+        if result["error"]:
+            ctx["error"] = result["error"]
+        else:
+            if result["columns"]:
+                ctx.update(
+                    columns=result["columns"],
+                    rows=result["rows"],
+                    row_count=result["row_count"],
+                )
+            affected = result["rows_affected"]
+            ctx["write_result"] = f"{affected} row{'s' if affected != 1 else ''} affected."
         return ctx
@@ -304,7 +284,6 @@ class SavedQueryAjaxSave(UserPassesTestMixin, View):
             return JsonResponse({"error": "Name must be 100 characters or fewer."}, status=400)
         # Validate name against injection
-        import re
         if not re.match(r"^[a-zA-Z0-9][a-zA-Z0-9 _\-\.]*$", name):
             return JsonResponse(

{netbox_sqlquery-0.1.3 → netbox_sqlquery-0.1.4}/netbox_sqlquery.egg-info/PKG-INFO RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: netbox-sqlquery
-Version: 0.1.3
+Version: 0.1.4
 Summary: SQL query interface for NetBox with syntax highlighting, abstract views, and role-based access control
 Author-email: Ravi Pina <ravi@pina.org>
 License-Expression: Apache-2.0

{netbox_sqlquery-0.1.3 → netbox_sqlquery-0.1.4}/netbox_sqlquery.egg-info/SOURCES.txt RENAMED Viewed

@@ -9,6 +9,7 @@ netbox_sqlquery/forms.py
 netbox_sqlquery/models.py
 netbox_sqlquery/navigation.py
 netbox_sqlquery/preferences.py
+netbox_sqlquery/query.py
 netbox_sqlquery/schema.py
 netbox_sqlquery/tables.py
 netbox_sqlquery/urls.py

{netbox_sqlquery-0.1.3 → netbox_sqlquery-0.1.4}/pyproject.toml RENAMED Viewed

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 [project]
 name = "netbox-sqlquery"
-version = "0.1.3"
+version = "0.1.4"
 description = "SQL query interface for NetBox with syntax highlighting, abstract views, and role-based access control"
 readme = "README.md"
 license = "Apache-2.0"

netbox_sqlquery-0.1.3/netbox_sqlquery/api/views.py DELETED Viewed

@@ -1,15 +0,0 @@
-from rest_framework.viewsets import ModelViewSet
-from netbox_sqlquery.models import SavedQuery
-from .serializers import SavedQuerySerializer
-class SavedQueryViewSet(ModelViewSet):
-    serializer_class = SavedQuerySerializer
-    def get_queryset(self):
-        return SavedQuery.visible_to(self.request.user)
-    def perform_create(self, serializer):
-        serializer.save(owner=self.request.user)