ske087
296 lines
10 KiB
Python
296 lines
10 KiB
Python
from flask import Blueprint, render_template, redirect, url_for, flash, request, current_app
|
|
from flask_login import login_required, current_user
|
|
from werkzeug.security import generate_password_hash
|
|
|
|
from app.extensions import db
|
|
from app.models.user import PortalUser
|
|
from app.models.app_access import AppAccess
|
|
from app.models.api_key import ApiKey
|
|
|
|
bp = Blueprint('settings', __name__, url_prefix='/settings')
|
|
|
|
|
|
def _sync_user_to_app(app_id, username, role):
|
|
"""
|
|
Notify an app's internal /internal/sync-user endpoint so the user is
|
|
pre-created / role-updated in that app's own DB.
|
|
Silently swallows errors so it never breaks the portal flow.
|
|
"""
|
|
import urllib.request
|
|
import json
|
|
|
|
registered = {a['id']: a for a in current_app.config.get('REGISTERED_APPS', [])}
|
|
app_meta = registered.get(app_id)
|
|
if not app_meta or not app_meta.get('internal_url'):
|
|
return
|
|
|
|
secret = current_app.config.get('INTERNAL_SYNC_SECRET', '')
|
|
url = app_meta['internal_url'].rstrip('/') + '/internal/sync-user'
|
|
body = json.dumps({'username': username, 'role': role}).encode()
|
|
req = urllib.request.Request(
|
|
url,
|
|
data=body,
|
|
headers={
|
|
'Content-Type': 'application/json',
|
|
'X-Internal-Token': secret,
|
|
},
|
|
method='POST',
|
|
)
|
|
try:
|
|
with urllib.request.urlopen(req, timeout=3):
|
|
pass
|
|
except Exception:
|
|
pass # Best-effort; SSO will sync on first login anyway
|
|
|
|
|
|
def _admin_required(f):
|
|
from functools import wraps
|
|
from flask_login import current_user
|
|
from flask import abort
|
|
|
|
@wraps(f)
|
|
def decorated(*args, **kwargs):
|
|
if not current_user.is_admin:
|
|
abort(403)
|
|
return f(*args, **kwargs)
|
|
return decorated
|
|
|
|
|
|
@bp.route('/')
|
|
@login_required
|
|
@_admin_required
|
|
def index():
|
|
users = PortalUser.query.order_by(PortalUser.username).all()
|
|
registered_apps = current_app.config['REGISTERED_APPS']
|
|
return render_template('settings/index.html', users=users, registered_apps=registered_apps)
|
|
|
|
|
|
# ── User management ────────────────────────────────────────────────────────────
|
|
|
|
@bp.route('/users/new', methods=['GET', 'POST'])
|
|
@login_required
|
|
@_admin_required
|
|
def new_user():
|
|
registered_apps = current_app.config['REGISTERED_APPS']
|
|
if request.method == 'POST':
|
|
username = request.form.get('username', '').strip()
|
|
email = request.form.get('email', '').strip()
|
|
password = request.form.get('password', '')
|
|
is_admin = request.form.get('is_admin') == 'on'
|
|
|
|
if not username or not email or not password:
|
|
flash('Username, email and password are required.', 'danger')
|
|
return render_template('settings/new_user.html', registered_apps=registered_apps)
|
|
|
|
if PortalUser.query.filter_by(username=username).first():
|
|
flash('Username already exists.', 'danger')
|
|
return render_template('settings/new_user.html', registered_apps=registered_apps)
|
|
|
|
user = PortalUser(
|
|
username=username,
|
|
email=email,
|
|
password_hash=generate_password_hash(password),
|
|
is_admin=is_admin,
|
|
is_active=True,
|
|
)
|
|
db.session.add(user)
|
|
db.session.flush()
|
|
|
|
for app in registered_apps:
|
|
app_id = app['id']
|
|
role_val = request.form.get(f'role_{app_id}', 'none').strip()
|
|
if role_val in ('admin', 'user'):
|
|
db.session.add(AppAccess(user_id=user.id, app_name=app_id,
|
|
is_active=True, app_role=role_val))
|
|
|
|
db.session.commit()
|
|
|
|
# Best-effort: pre-create user in each app that supports sync
|
|
for app in registered_apps:
|
|
app_id = app['id']
|
|
role_val = request.form.get(f'role_{app_id}', 'none').strip()
|
|
if role_val in ('admin', 'user'):
|
|
_sync_user_to_app(app_id, username, role_val)
|
|
|
|
flash(f'User "{username}" created successfully.', 'success')
|
|
return redirect(url_for('settings.index'))
|
|
|
|
return render_template('settings/new_user.html', registered_apps=registered_apps)
|
|
|
|
|
|
@bp.route('/users/<int:user_id>/access', methods=['POST'])
|
|
@login_required
|
|
@_admin_required
|
|
def update_access(user_id):
|
|
user = PortalUser.query.get_or_404(user_id)
|
|
registered_apps = current_app.config['REGISTERED_APPS']
|
|
|
|
for app in registered_apps:
|
|
app_id = app['id']
|
|
# The UI sends role_<app_id> = 'admin' | 'user' | 'none'
|
|
role_val = request.form.get(f'role_{app_id}', 'none').strip()
|
|
should_have = role_val in ('admin', 'user')
|
|
app_role = role_val if role_val in ('admin', 'user') else None
|
|
|
|
existing = AppAccess.query.filter_by(user_id=user.id, app_name=app_id).first()
|
|
if existing:
|
|
existing.is_active = should_have
|
|
existing.app_role = app_role
|
|
elif should_have:
|
|
db.session.add(AppAccess(user_id=user.id, app_name=app_id,
|
|
is_active=True, app_role=app_role))
|
|
|
|
db.session.commit()
|
|
|
|
# Best-effort: pre-create / update user in each app that supports sync
|
|
for app in registered_apps:
|
|
app_id = app['id']
|
|
role_val = request.form.get(f'role_{app_id}', 'none').strip()
|
|
if role_val in ('admin', 'user'):
|
|
_sync_user_to_app(app_id, user.username, role_val)
|
|
|
|
flash(f'Access for "{user.username}" updated.', 'success')
|
|
return redirect(url_for('settings.index'))
|
|
|
|
|
|
@bp.route('/users/<int:user_id>/delete', methods=['POST'])
|
|
@login_required
|
|
@_admin_required
|
|
def delete_user(user_id):
|
|
if user_id == current_user.id:
|
|
flash('You cannot delete your own account.', 'danger')
|
|
return redirect(url_for('settings.index'))
|
|
user = PortalUser.query.get_or_404(user_id)
|
|
db.session.delete(user)
|
|
db.session.commit()
|
|
flash(f'User "{user.username}" deleted.', 'success')
|
|
return redirect(url_for('settings.index'))
|
|
|
|
|
|
# ── API key management ─────────────────────────────────────────────────────────
|
|
|
|
@bp.route('/api-keys')
|
|
@login_required
|
|
@_admin_required
|
|
def api_keys():
|
|
keys = ApiKey.query.order_by(ApiKey.created_at.desc()).all()
|
|
registered_apps = current_app.config['REGISTERED_APPS']
|
|
users = PortalUser.query.order_by(PortalUser.username).all()
|
|
return render_template('settings/api_keys.html', keys=keys, registered_apps=registered_apps, users=users)
|
|
|
|
|
|
@bp.route('/api-keys/new', methods=['POST'])
|
|
@login_required
|
|
@_admin_required
|
|
def new_api_key():
|
|
user_id = request.form.get('user_id', type=int)
|
|
app_name = request.form.get('app_name', '').strip()
|
|
description = request.form.get('description', '').strip()
|
|
|
|
if not user_id or not app_name:
|
|
flash('User and application are required.', 'danger')
|
|
return redirect(url_for('settings.api_keys'))
|
|
|
|
key = ApiKey(
|
|
user_id=user_id,
|
|
key=ApiKey.generate_key(),
|
|
app_name=app_name,
|
|
description=description or None,
|
|
)
|
|
db.session.add(key)
|
|
db.session.commit()
|
|
flash(f'API key created: {key.key}', 'success')
|
|
return redirect(url_for('settings.api_keys'))
|
|
|
|
|
|
@bp.route('/api-keys/<int:key_id>/revoke', methods=['POST'])
|
|
@login_required
|
|
@_admin_required
|
|
def revoke_api_key(key_id):
|
|
key = ApiKey.query.get_or_404(key_id)
|
|
key.is_active = False
|
|
db.session.commit()
|
|
flash('API key revoked.', 'success')
|
|
return redirect(url_for('settings.api_keys'))
|
|
|
|
|
|
# ── Module management ──────────────────────────────────────────────────────────
|
|
|
|
@bp.route('/modules')
|
|
@login_required
|
|
@_admin_required
|
|
def modules():
|
|
from app.models.module_config import ModuleConfig
|
|
from app.services import module_manager
|
|
|
|
registered_apps = current_app.config['REGISTERED_APPS']
|
|
cfg_map = {m.app_id: m for m in ModuleConfig.query.all()}
|
|
|
|
module_statuses = []
|
|
for app in registered_apps:
|
|
cfg = cfg_map.get(app['id'])
|
|
enabled = cfg.enabled if cfg else True
|
|
running = module_manager.is_running(app['id'])
|
|
module_statuses.append({
|
|
'app': app,
|
|
'enabled': enabled,
|
|
'running': running,
|
|
})
|
|
|
|
return render_template('settings/modules.html', module_statuses=module_statuses)
|
|
|
|
|
|
@bp.route('/modules/<app_id>/toggle', methods=['POST'])
|
|
@login_required
|
|
@_admin_required
|
|
def toggle_module(app_id):
|
|
from app.models.module_config import ModuleConfig
|
|
from app.services import module_manager
|
|
|
|
registered_ids = {a['id'] for a in current_app.config['REGISTERED_APPS']}
|
|
if app_id not in registered_ids:
|
|
flash('Unknown application.', 'danger')
|
|
return redirect(url_for('settings.modules'))
|
|
|
|
action = request.form.get('action') # 'enable' or 'disable'
|
|
if action not in ('enable', 'disable'):
|
|
flash('Invalid action.', 'danger')
|
|
return redirect(url_for('settings.modules'))
|
|
|
|
cfg = ModuleConfig.query.filter_by(app_id=app_id).first()
|
|
if cfg is None:
|
|
cfg = ModuleConfig(app_id=app_id, enabled=True)
|
|
db.session.add(cfg)
|
|
|
|
app_meta = next(a for a in current_app.config['REGISTERED_APPS'] if a['id'] == app_id)
|
|
name = app_meta['name']
|
|
|
|
if action == 'disable':
|
|
cfg.enabled = False
|
|
db.session.commit()
|
|
module_manager.write_module_state(app_id, False)
|
|
if module_manager.is_running(app_id):
|
|
module_manager.stop_service(app_id)
|
|
flash(f'{name} has been disabled and stopped.', 'success')
|
|
else:
|
|
flash(f'{name} has been disabled.', 'success')
|
|
|
|
else: # enable
|
|
cfg.enabled = True
|
|
db.session.commit()
|
|
module_manager.write_module_state(app_id, True)
|
|
if not module_manager.is_running(app_id):
|
|
ok = module_manager.start_service(app_id)
|
|
if ok:
|
|
flash(f'{name} has been enabled and is starting up.', 'success')
|
|
else:
|
|
flash(
|
|
f'{name} enabled. No launch spec found — '
|
|
'run ./start-dev.sh to start it.',
|
|
'warning',
|
|
)
|
|
else:
|
|
flash(f'{name} is already running and has been re-enabled.', 'success')
|
|
|
|
return redirect(url_for('settings.modules'))
|