Initial commit: enterprise digital platform with portal SSO, DigiServer, IT Assets, NetworkView, Server Monitor

IT_asset_management/app/utils/portal_sso.py

@@ -0,0 +1,58 @@
+"""
+Portal SSO middleware for IT Asset Management.
+
+When the umbrella nginx verifies the portal JWT it sets two headers:
+  X-Auth-Username  — the portal username
+  X-Auth-Role      — 'admin' or 'user'
+
+This before_request handler reads those headers and auto-logs in the
+corresponding local AdminUser, creating them on first access if needed.
+The local session is then maintained normally by Flask-Login.
+"""
+import secrets
+from flask import request
+from flask_login import login_user, current_user
+
+
+def init_portal_sso(app):
+    """Register the SSO before_request handler on the given Flask app."""
+
+    @app.before_request
+    def _portal_sso():
+        if current_user.is_authenticated:
+            return
+
+        username = request.headers.get('X-Auth-Username', '').strip()
+        if not username:
+            return
+
+        role = request.headers.get('X-Auth-Role', 'user').strip()
+        user = _get_or_create_user(username, role)
+        if user:
+            login_user(user, remember=False)
+
+
+def _get_or_create_user(username, role):
+    from app.models.admin_user import AdminUser
+    from app.extensions import db
+
+    target_role = 'admin' if role == 'admin' else 'readonly'
+    try:
+        user = AdminUser.query.filter_by(username=username).first()
+        if not user:
+            user = AdminUser(
+                username=username,
+                email=f'{username}@portal.local',
+                full_name=username,
+                role=target_role,
+                is_active=True,
+            )
+            user.set_password(secrets.token_hex(32))
+            db.session.add(user)
+            db.session.commit()
+        elif user.role != target_role:
+            user.role = target_role
+            db.session.commit()
+        return user
+    except Exception:
+        return None

IT_asset_management/app/utils/script_name_fix.py

@@ -0,0 +1,22 @@
+"""
+ScriptNameFix WSGI middleware.
+
+When nginx strips the path prefix before forwarding to a Flask app it also
+sets the X-Script-Name header (e.g. /itassets).  This middleware reads
+that header and sets SCRIPT_NAME in the WSGI environ so that Flask's
+url_for() generates absolute URLs with the correct prefix.
+"""
+
+
+class ScriptNameFix:
+    def __init__(self, app):
+        self.app = app
+
+    def __call__(self, environ, start_response):
+        script_name = environ.get('HTTP_X_SCRIPT_NAME', '').rstrip('/')
+        if script_name:
+            environ['SCRIPT_NAME'] = script_name
+            path_info = environ.get('PATH_INFO', '/')
+            if path_info.startswith(script_name):
+                environ['PATH_INFO'] = path_info[len(script_name):] or '/'
+        return self.app(environ, start_response)