ArnesSI
Add audit flows
This PR implements audit flows, a generic way to add workflows for auditing inventory on premises. This feature is not limited to assets, it can be used to audit any object managed in NetBox.
Fixes: #200
Models
Two new models are added:
- Audit Flow Pages allow the definition of reusable user views that list specific NetBox objects. These can be filtered by object type and field values. All object types are supported, as long as they implement a list view.
- Audit Flows group multiple Audit Flow Pages into a single flow. A flow can be initiated from a location type object (e.g. a
LocationorSite), optionally filtered by its fields (e.g. to run specific audit flows in office locations only). The audit flow will then display all audit flow pages and their defined NetBox objects, restricted to the location for which the flow is running. Currently the supported object types areSite,LocationandRack.
Additional features
- A flow can be initiated from a location type object (e.g. a
LocationorSite) using the [Audit] button on its detail page. If multiple audit flows are available, users can select the one to initiate from a drop-down menu. - Audit Flow Pages use the regular tables from the list view of the corresponding object. User preferences for columns and sorting are automatically applied.
- If an object type supports quick search (via
FilterSet), it is also available on an Audit Flow Page. - New objects can be created directly from the audit flow. After creating the object, users are redirected back to the audit flow. The form is pre-populated with relevant information (e.g. site, location). Whenever possible, available choices (e.g. different device types) are automatically generated from the page's object filter.
Other changes
- The minimum required NetBox version is bumped to 4.2.4 to allow using new functionalities of the plugins API (see 2c7ac4e25ff826ea1aef0274e5d0dadcb5e75e6b).
- The
NamedModelmixin class is introduced to minimize redundant code and standardize plugin models (see e8f96652b638cca6750da0b4d6c16eee9b7f4eed). - Following previous PR #215 additional code is restructured to simplify integration of this feature.
Limitations
Currently there is no support for audit trails. I have a rough idea of a possible implementation of this feature in combination with audit flows. However, since the audit trail feature alone might be a bit complex, I'd like to provide this feature in a separate pull request.
Acknowledgments
A prototype of this feature was implemented by students at Aachen University of Applied Sciences during the winter semester 2024/2025. I would like to thank all participants for their contribution to this feature, including Nico Ziegenhagel, @julez, @raikitin, @simon-official, @tamesnasalah and @tim-schueltzke.
Thank you for this pull request. The code looks really nice and neatly organized.
A couple conflicts were introduced since I merged #232 Cloud fix those if you don't mind?
A few more questions I'll put below.
If I try create an audit flow page for Modules and try to assign it to an audit flow for a Site I get this error:
Cannot use page for this flow: No relation between <class 'dcim.models.devices.Module'> and <class 'dcim.models.sites.Site'>
Do you think it would be possible to have a page for Modules or Inventory Items as well? At first glance, looking at AuditFlowPageAssignment._get_lookup_paths() I suspect it could be extended to follow relation Module > Device > Site|Location|Rack? (Haven't tried it though)
If I create an audit flow page for Assets and assign it to a flow for Locations it will show me all Assets that have storage location set to that location. Even if they are installed at some other location. It will also not show assets that are installed at this location, but have storage location set to some other location (or it's empty).
I expected that the assets shown would be determined by the same logic as it's used in Asset.current_site & Asset.current_location. But I suspect this might be difficult to translate into a QuerySet. What do you think?
@matejv I've merged recent master to resolve the merge conflicts.
Do you think it would be possible to have a page for Modules or Inventory Items as well? At first glance, looking at AuditFlowPageAssignment._get_lookup_paths() I suspect it could be extended to follow relation Module > Device > Site|Location|Rack? (Haven't tried it though)
Currently only models with a location type of ForeignKey are supported. I am reluctant to implement transitive relations because they leave room for future extensions without limits. For example, the next FR could be to add an if to map interfaces, cables, etc. and then the method would get quite long. But maybe a dynamic approach could help? I could imagine something like a breadth-first search from model to model until the target model (Site, Location, Rack) is found. Would you allow me to implement this extension in a separate PR, as I need some time to develop a solution?
Also I'd like to mention https://github.com/netbox-community/netbox/issues/19003, so I think modules will be auditable some time in the future.
If I create an audit flow page for Assets and assign it to a flow for Locations it will show me all Assets that have storage location set to that location. Even if they are installed at some other location. It will also not show assets that are installed at this location, but have storage location set to some other location (or it's empty).
Same problem as above: The algorithm currently only looks for direct relationships, which is the storage_location field (current_location is just an alias to the device location). For local testing, I filtered with {"status": "stored"} and did not check assets in use, as these are audited indirectly by devices and modules.
Also, I see a general problem with having multiple types of location fields and properties in the Asset model, which makes stable implementations even more difficult. So I opened the separate FR #244 to address this.
Do you think it would be possible to have a page for Modules or Inventory Items as well? At first glance, looking at AuditFlowPageAssignment._get_lookup_paths() I suspect it could be extended to follow relation Module > Device > Site|Location|Rack? (Haven't tried it though)
Currently only models with a location type of ForeignKey are supported. I am reluctant to implement transitive relations because they leave room for future extensions without limits. For example, the next FR could be to add an if to map interfaces, cables, etc. and then the method would get quite long. But maybe a dynamic approach could help? I could imagine something like a breadth-first search from model to model until the target model (Site, Location, Rack) is found. Would you allow me to implement this extension in a separate PR, as I need some time to develop a solution?
Let's wait with this a bit and see how people start to use the feature and then decide if it's needed.
If I create an audit flow page for Assets and assign it to a flow for Locations it will show me all Assets that have storage location set to that location. Even if they are installed at some other location. It will also not show assets that are installed at this location, but have storage location set to some other location (or it's empty).
Same problem as above: The algorithm currently only looks for direct relationships, which is the storage_location field (current_location is just an alias to the device location). For local testing, I filtered with {"status": "stored"} and did not check assets in use, as these are audited indirectly by devices and modules.
Also, I see a general problem with having multiple types of location fields and properties in the Asset model, which makes stable implementations even more difficult. So I opened the separate FR https://github.com/ArnesSI/netbox-inventory/issues/244 to address this.
So if we implement #244 this problem would go away automatically. I support this solution.