Initial commit: enterprise digital platform with portal SSO, DigiServer, IT Assets, NetworkView, Server Monitor
This commit is contained in:
ske087
@@ -0,0 +1,6 @@
|
||||
from app.routes.auth import bp as auth_bp
|
||||
from app.routes.dashboard import bp as dashboard_bp
|
||||
from app.routes.settings import bp as settings_bp
|
||||
from app.routes.api import bp as api_bp
|
||||
|
||||
__all__ = ['auth_bp', 'dashboard_bp', 'settings_bp', 'api_bp']
|
||||
@@ -0,0 +1,70 @@
|
||||
from flask import Blueprint, request, make_response, current_app
|
||||
import jwt
|
||||
|
||||
bp = Blueprint('api', __name__, url_prefix='/api')
|
||||
|
||||
|
||||
@bp.route('/verify-token')
|
||||
def verify_token():
|
||||
"""
|
||||
Called internally by nginx auth_request.
|
||||
Reads the platform JWT cookie, verifies it, and returns 200 with user
|
||||
identity headers on success, or 401/403 on failure.
|
||||
"""
|
||||
token = request.cookies.get(current_app.config['PORTAL_COOKIE_NAME'])
|
||||
if not token:
|
||||
return '', 401
|
||||
|
||||
try:
|
||||
payload = jwt.decode(
|
||||
token,
|
||||
current_app.config['PORTAL_JWT_SECRET'],
|
||||
algorithms=['HS256'],
|
||||
options={'require': ['exp', 'sub', 'user_id']},
|
||||
)
|
||||
except jwt.ExpiredSignatureError:
|
||||
return '', 401
|
||||
except jwt.InvalidTokenError:
|
||||
return '', 401
|
||||
|
||||
# Per-app access check based on the original request URI
|
||||
original_uri = request.headers.get('X-Original-URI', '')
|
||||
required_app = _app_from_uri(original_uri)
|
||||
user_id = payload.get('user_id')
|
||||
portal_role = payload.get('role', 'user')
|
||||
|
||||
if required_app:
|
||||
user_apps = payload.get('apps', [])
|
||||
if required_app not in user_apps:
|
||||
return '', 403
|
||||
|
||||
# Resolve the effective role for this specific app.
|
||||
# If the admin has set a per-app role override in AppAccess, use that;
|
||||
# otherwise fall back to the portal-level role from the JWT.
|
||||
effective_role = portal_role
|
||||
if required_app and user_id:
|
||||
try:
|
||||
from app.models.app_access import AppAccess
|
||||
access = AppAccess.query.filter_by(
|
||||
user_id=user_id, app_name=required_app, is_active=True
|
||||
).first()
|
||||
if access and access.app_role:
|
||||
effective_role = access.app_role
|
||||
except Exception:
|
||||
pass # fall back to portal role
|
||||
|
||||
resp = make_response('', 200)
|
||||
resp.headers['X-Auth-User-Id'] = str(user_id or '')
|
||||
resp.headers['X-Auth-Username'] = payload.get('sub', '')
|
||||
resp.headers['X-Auth-Role'] = effective_role
|
||||
return resp
|
||||
|
||||
|
||||
def _app_from_uri(uri):
|
||||
if uri.startswith('/digiserver/'):
|
||||
return 'digiserver'
|
||||
if uri.startswith('/itassets/'):
|
||||
return 'itassets'
|
||||
if uri.startswith('/networkview/'):
|
||||
return 'networkview'
|
||||
return None
|
||||
@@ -0,0 +1,76 @@
|
||||
from datetime import datetime
|
||||
from flask import Blueprint, render_template, redirect, url_for, flash, request, make_response, current_app
|
||||
from flask_login import login_user, logout_user, login_required, current_user
|
||||
from werkzeug.security import check_password_hash
|
||||
import jwt
|
||||
|
||||
from app.extensions import db
|
||||
from app.models.user import PortalUser
|
||||
|
||||
bp = Blueprint('auth', __name__)
|
||||
|
||||
|
||||
def _issue_portal_cookie(user, response):
|
||||
"""Sign and attach the platform-wide JWT cookie to a response."""
|
||||
import time
|
||||
expiry_hours = current_app.config['JWT_EXPIRY_HOURS']
|
||||
now = int(time.time())
|
||||
payload = {
|
||||
'sub': user.username,
|
||||
'user_id': user.id,
|
||||
'email': user.email,
|
||||
'role': 'admin' if user.is_admin else 'user',
|
||||
'apps': user.get_accessible_apps(),
|
||||
'iss': 'enterprise-digital-platform',
|
||||
'iat': now,
|
||||
'exp': now + expiry_hours * 3600,
|
||||
}
|
||||
token = jwt.encode(payload, current_app.config['PORTAL_JWT_SECRET'], algorithm='HS256')
|
||||
response.set_cookie(
|
||||
current_app.config['PORTAL_COOKIE_NAME'],
|
||||
token,
|
||||
httponly=True,
|
||||
samesite='Lax',
|
||||
max_age=expiry_hours * 3600,
|
||||
path='/',
|
||||
)
|
||||
return response
|
||||
|
||||
|
||||
@bp.route('/login', methods=['GET', 'POST'])
|
||||
def login():
|
||||
if current_user.is_authenticated:
|
||||
return redirect(url_for('dashboard.index'))
|
||||
|
||||
if request.method == 'POST':
|
||||
username = request.form.get('username', '').strip()
|
||||
password = request.form.get('password', '')
|
||||
|
||||
if not username or not password:
|
||||
flash('Please enter username and password.', 'danger')
|
||||
return render_template('auth/login.html')
|
||||
|
||||
user = PortalUser.query.filter_by(username=username, is_active=True).first()
|
||||
if user and check_password_hash(user.password_hash, password):
|
||||
user.last_login = datetime.utcnow()
|
||||
db.session.commit()
|
||||
login_user(user, remember=False)
|
||||
|
||||
next_page = request.args.get('next') or url_for('dashboard.index')
|
||||
resp = make_response(redirect(next_page))
|
||||
_issue_portal_cookie(user, resp)
|
||||
return resp
|
||||
|
||||
flash('Invalid username or password.', 'danger')
|
||||
|
||||
return render_template('auth/login.html')
|
||||
|
||||
|
||||
@bp.route('/logout')
|
||||
@login_required
|
||||
def logout():
|
||||
logout_user()
|
||||
resp = make_response(redirect(url_for('auth.login')))
|
||||
resp.delete_cookie(current_app.config['PORTAL_COOKIE_NAME'], path='/')
|
||||
flash('You have been signed out.', 'info')
|
||||
return resp
|
||||
@@ -0,0 +1,25 @@
|
||||
from flask import Blueprint, render_template, redirect, url_for, current_app
|
||||
from flask_login import login_required, current_user
|
||||
|
||||
bp = Blueprint('dashboard', __name__)
|
||||
|
||||
|
||||
@bp.route('/')
|
||||
@login_required
|
||||
def index():
|
||||
user_apps = set(current_user.get_accessible_apps())
|
||||
apps = []
|
||||
for app_def in current_app.config['REGISTERED_APPS']:
|
||||
apps.append({**app_def, 'has_access': app_def['id'] in user_apps})
|
||||
return render_template('dashboard/index.html', apps=apps)
|
||||
|
||||
|
||||
@bp.route('/access-denied')
|
||||
@login_required
|
||||
def access_denied():
|
||||
return render_template('dashboard/access_denied.html'), 403
|
||||
|
||||
|
||||
@bp.route('/health')
|
||||
def health():
|
||||
return {'status': 'ok'}, 200
|
||||
@@ -0,0 +1,295 @@
|
||||
from flask import Blueprint, render_template, redirect, url_for, flash, request, current_app
|
||||
from flask_login import login_required, current_user
|
||||
from werkzeug.security import generate_password_hash
|
||||
|
||||
from app.extensions import db
|
||||
from app.models.user import PortalUser
|
||||
from app.models.app_access import AppAccess
|
||||
from app.models.api_key import ApiKey
|
||||
|
||||
bp = Blueprint('settings', __name__, url_prefix='/settings')
|
||||
|
||||
|
||||
def _sync_user_to_app(app_id, username, role):
|
||||
"""
|
||||
Notify an app's internal /internal/sync-user endpoint so the user is
|
||||
pre-created / role-updated in that app's own DB.
|
||||
Silently swallows errors so it never breaks the portal flow.
|
||||
"""
|
||||
import urllib.request
|
||||
import json
|
||||
|
||||
registered = {a['id']: a for a in current_app.config.get('REGISTERED_APPS', [])}
|
||||
app_meta = registered.get(app_id)
|
||||
if not app_meta or not app_meta.get('internal_url'):
|
||||
return
|
||||
|
||||
secret = current_app.config.get('INTERNAL_SYNC_SECRET', '')
|
||||
url = app_meta['internal_url'].rstrip('/') + '/internal/sync-user'
|
||||
body = json.dumps({'username': username, 'role': role}).encode()
|
||||
req = urllib.request.Request(
|
||||
url,
|
||||
data=body,
|
||||
headers={
|
||||
'Content-Type': 'application/json',
|
||||
'X-Internal-Token': secret,
|
||||
},
|
||||
method='POST',
|
||||
)
|
||||
try:
|
||||
with urllib.request.urlopen(req, timeout=3):
|
||||
pass
|
||||
except Exception:
|
||||
pass # Best-effort; SSO will sync on first login anyway
|
||||
|
||||
|
||||
def _admin_required(f):
|
||||
from functools import wraps
|
||||
from flask_login import current_user
|
||||
from flask import abort
|
||||
|
||||
@wraps(f)
|
||||
def decorated(*args, **kwargs):
|
||||
if not current_user.is_admin:
|
||||
abort(403)
|
||||
return f(*args, **kwargs)
|
||||
return decorated
|
||||
|
||||
|
||||
@bp.route('/')
|
||||
@login_required
|
||||
@_admin_required
|
||||
def index():
|
||||
users = PortalUser.query.order_by(PortalUser.username).all()
|
||||
registered_apps = current_app.config['REGISTERED_APPS']
|
||||
return render_template('settings/index.html', users=users, registered_apps=registered_apps)
|
||||
|
||||
|
||||
# ── User management ────────────────────────────────────────────────────────────
|
||||
|
||||
@bp.route('/users/new', methods=['GET', 'POST'])
|
||||
@login_required
|
||||
@_admin_required
|
||||
def new_user():
|
||||
registered_apps = current_app.config['REGISTERED_APPS']
|
||||
if request.method == 'POST':
|
||||
username = request.form.get('username', '').strip()
|
||||
email = request.form.get('email', '').strip()
|
||||
password = request.form.get('password', '')
|
||||
is_admin = request.form.get('is_admin') == 'on'
|
||||
|
||||
if not username or not email or not password:
|
||||
flash('Username, email and password are required.', 'danger')
|
||||
return render_template('settings/new_user.html', registered_apps=registered_apps)
|
||||
|
||||
if PortalUser.query.filter_by(username=username).first():
|
||||
flash('Username already exists.', 'danger')
|
||||
return render_template('settings/new_user.html', registered_apps=registered_apps)
|
||||
|
||||
user = PortalUser(
|
||||
username=username,
|
||||
email=email,
|
||||
password_hash=generate_password_hash(password),
|
||||
is_admin=is_admin,
|
||||
is_active=True,
|
||||
)
|
||||
db.session.add(user)
|
||||
db.session.flush()
|
||||
|
||||
for app in registered_apps:
|
||||
app_id = app['id']
|
||||
role_val = request.form.get(f'role_{app_id}', 'none').strip()
|
||||
if role_val in ('admin', 'user'):
|
||||
db.session.add(AppAccess(user_id=user.id, app_name=app_id,
|
||||
is_active=True, app_role=role_val))
|
||||
|
||||
db.session.commit()
|
||||
|
||||
# Best-effort: pre-create user in each app that supports sync
|
||||
for app in registered_apps:
|
||||
app_id = app['id']
|
||||
role_val = request.form.get(f'role_{app_id}', 'none').strip()
|
||||
if role_val in ('admin', 'user'):
|
||||
_sync_user_to_app(app_id, username, role_val)
|
||||
|
||||
flash(f'User "{username}" created successfully.', 'success')
|
||||
return redirect(url_for('settings.index'))
|
||||
|
||||
return render_template('settings/new_user.html', registered_apps=registered_apps)
|
||||
|
||||
|
||||
@bp.route('/users/<int:user_id>/access', methods=['POST'])
|
||||
@login_required
|
||||
@_admin_required
|
||||
def update_access(user_id):
|
||||
user = PortalUser.query.get_or_404(user_id)
|
||||
registered_apps = current_app.config['REGISTERED_APPS']
|
||||
|
||||
for app in registered_apps:
|
||||
app_id = app['id']
|
||||
# The UI sends role_<app_id> = 'admin' | 'user' | 'none'
|
||||
role_val = request.form.get(f'role_{app_id}', 'none').strip()
|
||||
should_have = role_val in ('admin', 'user')
|
||||
app_role = role_val if role_val in ('admin', 'user') else None
|
||||
|
||||
existing = AppAccess.query.filter_by(user_id=user.id, app_name=app_id).first()
|
||||
if existing:
|
||||
existing.is_active = should_have
|
||||
existing.app_role = app_role
|
||||
elif should_have:
|
||||
db.session.add(AppAccess(user_id=user.id, app_name=app_id,
|
||||
is_active=True, app_role=app_role))
|
||||
|
||||
db.session.commit()
|
||||
|
||||
# Best-effort: pre-create / update user in each app that supports sync
|
||||
for app in registered_apps:
|
||||
app_id = app['id']
|
||||
role_val = request.form.get(f'role_{app_id}', 'none').strip()
|
||||
if role_val in ('admin', 'user'):
|
||||
_sync_user_to_app(app_id, user.username, role_val)
|
||||
|
||||
flash(f'Access for "{user.username}" updated.', 'success')
|
||||
return redirect(url_for('settings.index'))
|
||||
|
||||
|
||||
@bp.route('/users/<int:user_id>/delete', methods=['POST'])
|
||||
@login_required
|
||||
@_admin_required
|
||||
def delete_user(user_id):
|
||||
if user_id == current_user.id:
|
||||
flash('You cannot delete your own account.', 'danger')
|
||||
return redirect(url_for('settings.index'))
|
||||
user = PortalUser.query.get_or_404(user_id)
|
||||
db.session.delete(user)
|
||||
db.session.commit()
|
||||
flash(f'User "{user.username}" deleted.', 'success')
|
||||
return redirect(url_for('settings.index'))
|
||||
|
||||
|
||||
# ── API key management ─────────────────────────────────────────────────────────
|
||||
|
||||
@bp.route('/api-keys')
|
||||
@login_required
|
||||
@_admin_required
|
||||
def api_keys():
|
||||
keys = ApiKey.query.order_by(ApiKey.created_at.desc()).all()
|
||||
registered_apps = current_app.config['REGISTERED_APPS']
|
||||
users = PortalUser.query.order_by(PortalUser.username).all()
|
||||
return render_template('settings/api_keys.html', keys=keys, registered_apps=registered_apps, users=users)
|
||||
|
||||
|
||||
@bp.route('/api-keys/new', methods=['POST'])
|
||||
@login_required
|
||||
@_admin_required
|
||||
def new_api_key():
|
||||
user_id = request.form.get('user_id', type=int)
|
||||
app_name = request.form.get('app_name', '').strip()
|
||||
description = request.form.get('description', '').strip()
|
||||
|
||||
if not user_id or not app_name:
|
||||
flash('User and application are required.', 'danger')
|
||||
return redirect(url_for('settings.api_keys'))
|
||||
|
||||
key = ApiKey(
|
||||
user_id=user_id,
|
||||
key=ApiKey.generate_key(),
|
||||
app_name=app_name,
|
||||
description=description or None,
|
||||
)
|
||||
db.session.add(key)
|
||||
db.session.commit()
|
||||
flash(f'API key created: {key.key}', 'success')
|
||||
return redirect(url_for('settings.api_keys'))
|
||||
|
||||
|
||||
@bp.route('/api-keys/<int:key_id>/revoke', methods=['POST'])
|
||||
@login_required
|
||||
@_admin_required
|
||||
def revoke_api_key(key_id):
|
||||
key = ApiKey.query.get_or_404(key_id)
|
||||
key.is_active = False
|
||||
db.session.commit()
|
||||
flash('API key revoked.', 'success')
|
||||
return redirect(url_for('settings.api_keys'))
|
||||
|
||||
|
||||
# ── Module management ──────────────────────────────────────────────────────────
|
||||
|
||||
@bp.route('/modules')
|
||||
@login_required
|
||||
@_admin_required
|
||||
def modules():
|
||||
from app.models.module_config import ModuleConfig
|
||||
from app.services import module_manager
|
||||
|
||||
registered_apps = current_app.config['REGISTERED_APPS']
|
||||
cfg_map = {m.app_id: m for m in ModuleConfig.query.all()}
|
||||
|
||||
module_statuses = []
|
||||
for app in registered_apps:
|
||||
cfg = cfg_map.get(app['id'])
|
||||
enabled = cfg.enabled if cfg else True
|
||||
running = module_manager.is_running(app['id'])
|
||||
module_statuses.append({
|
||||
'app': app,
|
||||
'enabled': enabled,
|
||||
'running': running,
|
||||
})
|
||||
|
||||
return render_template('settings/modules.html', module_statuses=module_statuses)
|
||||
|
||||
|
||||
@bp.route('/modules/<app_id>/toggle', methods=['POST'])
|
||||
@login_required
|
||||
@_admin_required
|
||||
def toggle_module(app_id):
|
||||
from app.models.module_config import ModuleConfig
|
||||
from app.services import module_manager
|
||||
|
||||
registered_ids = {a['id'] for a in current_app.config['REGISTERED_APPS']}
|
||||
if app_id not in registered_ids:
|
||||
flash('Unknown application.', 'danger')
|
||||
return redirect(url_for('settings.modules'))
|
||||
|
||||
action = request.form.get('action') # 'enable' or 'disable'
|
||||
if action not in ('enable', 'disable'):
|
||||
flash('Invalid action.', 'danger')
|
||||
return redirect(url_for('settings.modules'))
|
||||
|
||||
cfg = ModuleConfig.query.filter_by(app_id=app_id).first()
|
||||
if cfg is None:
|
||||
cfg = ModuleConfig(app_id=app_id, enabled=True)
|
||||
db.session.add(cfg)
|
||||
|
||||
app_meta = next(a for a in current_app.config['REGISTERED_APPS'] if a['id'] == app_id)
|
||||
name = app_meta['name']
|
||||
|
||||
if action == 'disable':
|
||||
cfg.enabled = False
|
||||
db.session.commit()
|
||||
module_manager.write_module_state(app_id, False)
|
||||
if module_manager.is_running(app_id):
|
||||
module_manager.stop_service(app_id)
|
||||
flash(f'{name} has been disabled and stopped.', 'success')
|
||||
else:
|
||||
flash(f'{name} has been disabled.', 'success')
|
||||
|
||||
else: # enable
|
||||
cfg.enabled = True
|
||||
db.session.commit()
|
||||
module_manager.write_module_state(app_id, True)
|
||||
if not module_manager.is_running(app_id):
|
||||
ok = module_manager.start_service(app_id)
|
||||
if ok:
|
||||
flash(f'{name} has been enabled and is starting up.', 'success')
|
||||
else:
|
||||
flash(
|
||||
f'{name} enabled. No launch spec found — '
|
||||
'run ./start-dev.sh to start it.',
|
||||
'warning',
|
||||
)
|
||||
else:
|
||||
flash(f'{name} is already running and has been re-enabled.', 'success')
|
||||
|
||||
return redirect(url_for('settings.modules'))
|
||||
Reference in New Issue
Block a user