Merge branch 'main' into 52-fix-archlinux-image-script

Author: lg-epitech

.env.example

@@ -1,22 +1,28 @@
 # Postgres
-POSTGRES_NAME = distribox
-POSTGRES_USER = distribox_user
-POSTGRES_PORT = 5432
-POSTGRES_PASSWORD = distribox_password
+POSTGRES_NAME=distribox
+POSTGRES_USER=distribox_user
+POSTGRES_PORT=5432
+POSTGRES_PASSWORD=distribox_password
 # This should be `database` for docker compose usage, localhost for independant use
-POSTGRES_HOST = database
+POSTGRES_HOST=database
 
 # Admin
-ADMIN_USERNAME = admin
-# You should change this
-ADMIN_PASSWORD = admin
+ADMIN_USERNAME=admin
+# You should change this, we recommend a strong password
+ADMIN_PASSWORD=admin
+
+# Ports
+VITE_PORT=3000
+BACKEND_PORT=8080
 
-# Frontend
-VITE_PORT = 3000
 # This should be your backend url, By default the backend is deployed on port 8080, if you have a reverse proxy, ensure you have the right address
-VITE_API_DOMAIN = http://localhost:8080
+VITE_API_DOMAIN=http://localhost:${BACKEND_PORT}
 
 # Backend
 # This should be your frontend url, if the application is deployed on https://example.com, the frontend url should be the same. This will be used inside of the CORS
-FRONTEND_URL = http://localhost:3000
-BACKEND_PORT = 8080
+FRONTEND_URL=http://localhost:${VITE_PORT}
+# You should make this a strong secret, this is used to encrypt sensitive data
+DISTRIBOX_SECRET=secret
+# This is the name of the bucket where the images will be uploaded, the public one is called distribox-images
+DISTRIBOX_BUCKET_REGISTRY=distribox-images
+AWS_REGION=eu-west-3

README.md

@@ -83,6 +83,15 @@ docker compose up -d
 
 Once the application started, you will find your application portal at `localhost:3000`. For further use and deployment we recommend applying a reverse proxy for convenience of your users.
 
+## Permissions
+
+Distribox uses a simple permission system to control what each user can see and do.
+
+- Every account has one or more policies.
+- Policies grant access to specific areas or actions (for example viewing hosts, listing VMs, or managing users).
+- If a policy is missing, the related feature is hidden or access is refused.
+- The default admin account has full access.
+
 ## Get involved
 
 You're invited to join this project ! Check out the [contributing guide](./CONTRIBUTING.md).

atlas/main.tf

@@ -54,6 +54,13 @@ resource "aws_s3_bucket_policy" "public_read" {
         Principal = "*"
         Action    = "s3:GetObject"
         Resource  = "${aws_s3_bucket.images.arn}/*"
+      },
+      {
+        Sid       = "PublicListBucket"
+        Effect    = "Allow"
+        Principal = "*"
+        Action    = "s3:ListBucket"
+        Resource  = aws_s3_bucket.images.arn
       }
     ]
   })

backend/Dockerfile

@@ -1,8 +1,9 @@
-FROM python:3.9 as base
+FROM python:3.13 as base
 
 RUN apt-get update && apt-get install -y \
     qemu-utils \
     libvirt-dev \
+    genisoimage \
     && rm -rf /var/lib/apt/lists/*
 
 FROM base as builder
@@ -12,8 +13,8 @@ RUN pip install --no-cache-dir --upgrade -r /code/requirements.txt
 
 FROM builder as dev-stage
 COPY ./app /code/app
-CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8080", "--reload"]
+CMD uvicorn app.main:app --host 0.0.0.0 --port ${BACKEND_PORT} --reload
 
 FROM builder as production-stage
 COPY ./app /code/app
-CMD ["fastapi", "run", "app/main.py", "--port", "8080"]
+CMD fastapi run app/main.py --port ${BACKEND_PORT}

images/scripts/seed-config/meta-data backend/app/assets/seed-config/meta-dataimages/scripts/seed-config/meta-data renamed to backend/app/assets/seed-config/meta-data

@@ -1,17 +1,14 @@
 #cloud-config
 
-# Nom d'hôte (peut aussi être mis dans meta-data, mais fonctionne ici)
 hostname: distribox
 fqdn: distribox.local
 
-# Configuration des utilisateurs
 users:
   - name: user
     groups: sudo
     shell: /bin/bash
     sudo: ["ALL=(ALL) NOPASSWD:ALL"]
 
-# Définition des mots de passe
 chpasswd:
   list: |
     user:password
@@ -20,8 +17,3 @@ ssh_pwauth: true
 
 package_update: true
 package_upgrade: true
-# packages:
-#   - qemu-guest-agent
-#   - xubuntu-desktop
-#   - vim
-# package_reboot_if_required: false

images/scripts/seed-config/user-data backend/app/assets/seed-config/user-dataimages/scripts/seed-config/user-data renamed to backend/app/assets/seed-config/user-data

@@ -1,9 +1,12 @@
 import libvirt
+import boto3
+from botocore import UNSIGNED
+from botocore.config import Config
 from dotenv import load_dotenv
 from os import getenv
+from sqlalchemy import inspect, text
 from sqlmodel import create_engine, SQLModel
 from app.telemetry.monitor import SystemMonitor
-
 load_dotenv()
 
 
@@ -13,6 +16,10 @@ def get_env_or_default(key: str, default: str) -> str:
     return value if value else default
 
 
+distribox_bucket_registry = get_env_or_default(
+    "DISTRIBOX_BUCKET_REGISTRY", "distribox-images")
+aws_region = get_env_or_default("AWS_REGION", "eu-west-3")
+
 db_name = get_env_or_default("POSTGRES_NAME", "distribox")
 db_user = get_env_or_default("POSTGRES_USER", "distribox_user")
 db_pass = get_env_or_default("POSTGRES_PASSWORD", "distribox_password")
@@ -22,11 +29,39 @@ def get_env_or_default(key: str, default: str) -> str:
 database_url = f"postgresql+psycopg2://{db_user}:{db_pass}@{db_host}:{db_port}/{db_name}"
 engine = create_engine(database_url, echo=True)
 
+s3 = boto3.client(
+    "s3",
+    config=Config(signature_version=UNSIGNED),
+    region_name=aws_region
+)
+
 
 def init_db():
     """Initialize database tables."""
     SQLModel.metadata.create_all(engine)
 
+    with engine.begin() as conn:
+        inspector = inspect(conn)
+        if "users" not in inspector.get_table_names():
+            return
+
+        columns = {column["name"] for column in inspector.get_columns("users")}
+        if "created_by" not in columns:
+            conn.execute(
+                text("ALTER TABLE users ADD COLUMN created_by VARCHAR"))
+        if "last_activity" not in columns:
+            conn.execute(
+                text("ALTER TABLE users ADD COLUMN last_activity TIMESTAMP"))
+        if "password" not in columns:
+            conn.execute(text("ALTER TABLE users ADD COLUMN password VARCHAR"))
+        if "policies" not in columns:
+            conn.execute(
+                text(
+                    "ALTER TABLE users "
+                    "ADD COLUMN policies JSON NOT NULL DEFAULT '[]'::json"
+                )
+            )
+
 
 class QEMUConfig:
     qemu_conn = None

backend/app/core/config.py

@@ -0,0 +1,127 @@
+from collections.abc import Iterable
+
+# When this changes, please update the frontend as well here frontend/app/lib/types/policies.ts
+DISTRIBOX_ADMIN_POLICY = "distribox:admin"
+
+POLICIES: list[dict[str, str]] = [
+    {
+        "policy": DISTRIBOX_ADMIN_POLICY,
+        "description": "This policy gives full access to the Distribox dashboard application.",
+    },
+    {
+        "policy": "auth:me:get",
+        "description": "Allows a user to fetch their own authenticated profile.",
+    },
+    {
+        "policy": "auth:changePassword",
+        "description": "Allows a user to change their own password.",
+    },
+    {
+        "policy": "host:get",
+        "description": "Allows the user to fetch the host resources.",
+    },
+    {
+        "policy": "images:get",
+        "description": "Allows the user to fetch images metadata from the registry.",
+    },
+    {
+        "policy": "policies:get",
+        "description": "Allows the user to fetch policies.",
+    },
+    {
+        "policy": "users:get",
+        "description": "Allows the user to fetch users.",
+    },
+    {
+        "policy": "users:create",
+        "description": "Allows the user to create users.",
+    },
+    {
+        "policy": "users:updatePolicies",
+        "description": "Allows the user to update user policies.",
+    },
+    {
+        "policy": "users:delete",
+        "description": "Allows the user to delete users.",
+    },
+    {
+        "policy": "users:getPassword",
+        "description": "Allows the user to fetch user passwords.",
+    },
+    {
+        "policy": "vms:get",
+        "description": "Allows the user to list virtual machines.",
+    },
+    {
+        "policy": "vms:getById",
+        "description": "Allows the user to fetch a virtual machine by id.",
+    },
+    {
+        "policy": "vms:create",
+        "description": "Allows the user to create virtual machines.",
+    },
+    {
+        "policy": "vms:start",
+        "description": "Allows the user to start virtual machines.",
+    },
+    {
+        "policy": "vms:stop",
+        "description": "Allows the user to stop virtual machines.",
+    },
+    {
+        "policy": "vms:credentials:create",
+        "description": "Allows the user to create virtual machine credentials.",
+    },
+    {
+        "policy": "vms:delete",
+        "description": "Allows the user to remove virtual machines.",
+    },
+    {
+        "policy": "vms:credentials:revoke",
+        "description": "Allows the user to revoke virtual machine credentials.",
+    },
+    {
+        "policy": "vms:credentials:list",
+        "description": "Allows the user to list virtual machine credentials.",
+    },
+    {
+        "policy": "vms:credentials:getById",
+        "description": "Allows the user to fetch a virtual machine credential by id.",
+    },
+]
+
+VALID_POLICIES = {entry["policy"] for entry in POLICIES}
+POLICY_BY_NAME = {entry["policy"]: entry for entry in POLICIES}
+
+
+def normalize_policies(policies: Iterable[str]) -> list[str]:
+    """Deduplicate while preserving first-seen order."""
+    normalized: list[str] = []
+    seen: set[str] = set()
+
+    for policy in policies:
+        if policy not in seen:
+            normalized.append(policy)
+            seen.add(policy)
+
+    return normalized
+
+
+def invalid_policies(policies: Iterable[str]) -> list[str]:
+    return [policy for policy in policies if policy not in VALID_POLICIES]
+
+
+def expand_policies(policies: Iterable[str]) -> list[dict[str, str]]:
+    expanded: list[dict[str, str]] = []
+    for policy in policies:
+        policy_entry = POLICY_BY_NAME.get(policy)
+        if policy_entry is not None:
+            expanded.append(policy_entry)
+        else:
+            expanded.append(
+                {
+                    "policy": policy,
+                    "description": "Custom policy",
+                }
+            )
+    return expanded

backend/app/core/policies.py

@@ -8,7 +8,9 @@ def build_xml(vm_read: VmRead):
     domain = etree.Element("domain", type="kvm")
 
     etree.SubElement(domain, "name").text = str(vm_read.id)
-    etree.SubElement(domain, "memory", unit="MiB").text = str(vm_read.mem)
+    # Frontend sends memory in GiB; libvirt XML expects MiB here.
+    memory_mib = vm_read.mem * 1024
+    etree.SubElement(domain, "memory", unit="MiB").text = str(memory_mib)
     etree.SubElement(domain, "vcpu", placement="static").text = str(
         vm_read.vcpus)