Compare commits
2 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
ee7e7b7bd7 | ||
|
|
9d7e4f0ca3 |
@@ -73,6 +73,11 @@ def authenticate_ldap(username, password):
|
|||||||
return None
|
return None
|
||||||
|
|
||||||
real_user_dn = conn.entries[0].entry_dn
|
real_user_dn = conn.entries[0].entry_dn
|
||||||
|
user_groups = []
|
||||||
|
if hasattr(conn.entries[0], 'memberOf'):
|
||||||
|
user_groups = [str(g).lower() for g in conn.entries[0].memberOf.values]
|
||||||
|
log.debug(f"LDAP: Found memberOf groups on user: {user_groups}")
|
||||||
|
|
||||||
log.debug(f"LDAP: Canonical DN found: {real_user_dn}")
|
log.debug(f"LDAP: Canonical DN found: {real_user_dn}")
|
||||||
|
|
||||||
# Check roles based on group membership
|
# Check roles based on group membership
|
||||||
@@ -87,27 +92,39 @@ def authenticate_ldap(username, password):
|
|||||||
groups_dn = config.get("groups_dn", "ou=groups")
|
groups_dn = config.get("groups_dn", "ou=groups")
|
||||||
|
|
||||||
# Iterate through mappings to find the highest role
|
# Iterate through mappings to find the highest role
|
||||||
# Priority: admin > user
|
|
||||||
potential_roles = []
|
potential_roles = []
|
||||||
|
|
||||||
for mapping in role_mappings:
|
for mapping in role_mappings:
|
||||||
group_name = mapping["group"]
|
group_name = mapping["group"]
|
||||||
target_role = mapping["role"]
|
target_role = mapping["role"]
|
||||||
|
|
||||||
# Construct group DN if it's just a common name, else use as is
|
# Construct group DN if it's just a common name
|
||||||
if "=" not in group_name:
|
if "=" not in group_name:
|
||||||
full_group_dn = f"cn={group_name},{groups_dn},{base_dn}"
|
full_group_dn = f"cn={group_name},{groups_dn},{base_dn}"
|
||||||
else:
|
else:
|
||||||
full_group_dn = group_name
|
full_group_dn = group_name
|
||||||
|
|
||||||
log.debug(f"LDAP: Checking membership in group: {full_group_dn}")
|
full_group_dn_lower = full_group_dn.lower()
|
||||||
conn.search(full_group_dn, '(objectClass=*)', attributes=['member'])
|
|
||||||
|
|
||||||
|
log.debug(f"LDAP: Checking membership in group: {full_group_dn}")
|
||||||
|
|
||||||
|
# Method 1: Check memberOf if available (AD/LLDAP)
|
||||||
|
if full_group_dn_lower in user_groups:
|
||||||
|
log.debug(f"LDAP: Match found via memberOf for {target_role}")
|
||||||
|
potential_roles.append(target_role)
|
||||||
|
continue
|
||||||
|
|
||||||
|
# Method 2: Search group's member attribute (Standard LDAP)
|
||||||
|
conn.search(full_group_dn, '(objectClass=*)', attributes=['member', 'uniqueMember'])
|
||||||
if conn.entries:
|
if conn.entries:
|
||||||
members = conn.entries[0].member.values
|
members = []
|
||||||
if real_user_dn in members or user_dn in members or \
|
if hasattr(conn.entries[0], 'member'):
|
||||||
any(m.lower().replace(" ", "") == real_user_dn.lower().replace(" ", "") for m in members):
|
members = [str(m).lower() for m in conn.entries[0].member.values]
|
||||||
log.debug(f"LDAP: User is in group {group_name}, assigning role: {target_role}")
|
elif hasattr(conn.entries[0], 'uniqueMember'):
|
||||||
|
members = [str(m).lower() for m in conn.entries[0].uniqueMember.values]
|
||||||
|
|
||||||
|
if real_user_dn.lower() in members or user_dn.lower() in members:
|
||||||
|
log.debug(f"LDAP: Match found via group search for {target_role}")
|
||||||
potential_roles.append(target_role)
|
potential_roles.append(target_role)
|
||||||
|
|
||||||
if "admin" in potential_roles:
|
if "admin" in potential_roles:
|
||||||
|
|||||||
@@ -1,21 +1,35 @@
|
|||||||
# TFM aInventory - Caddy Explicit IP Configuration
|
# TFM aInventory - Caddy Patched IP Configuration
|
||||||
# Version 1.9.10 - Focused on resolving Protocol Errors on private IPs.
|
# Version 1.9.12 - Secure Seal & IP Stability
|
||||||
{
|
{
|
||||||
admin off
|
admin off
|
||||||
admin off
|
|
||||||
auto_https disable_redirects
|
auto_https disable_redirects
|
||||||
auto_https disable_redirects
|
|
||||||
|
|
||||||
|
# Trust local CA for internal certificate issuance
|
||||||
|
local_certs
|
||||||
|
}
|
||||||
|
|
||||||
# Frontend SSL Proxy (8919 -> 443)
|
# Frontend SSL Proxy (8919 -> 443)
|
||||||
https://{$SERVER_IP:192.168.84.113}:443 {
|
https://{$SERVER_IP:192.168.84.113}:443 {
|
||||||
tls internal {
|
tls internal {
|
||||||
reverse_proxy frontend:3000
|
on_demand
|
||||||
|
}
|
||||||
|
reverse_proxy frontend:3000
|
||||||
|
|
||||||
|
# Security Headers for PWA
|
||||||
|
header {
|
||||||
|
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
|
||||||
|
X-XSS-Protection "1; mode=block"
|
||||||
|
X-Content-Type-Options "nosniff"
|
||||||
|
X-Frame-Options "SAMEORIGIN"
|
||||||
|
Referrer-Policy "strict-origin-when-cross-origin"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
# Backend SSL Proxy (8918 -> 444)
|
# Backend SSL Proxy (8918 -> 444)
|
||||||
https://{$SERVER_IP:192.168.84.113}:444 {
|
https://{$SERVER_IP:192.168.84.113}:444 {
|
||||||
tls internal {
|
tls internal {
|
||||||
reverse_proxy backend:8000
|
on_demand
|
||||||
|
}
|
||||||
|
reverse_proxy backend:8000
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
8
config/proxy/Dockerfile
Normal file
8
config/proxy/Dockerfile
Normal file
@@ -0,0 +1,8 @@
|
|||||||
|
FROM caddy:2-alpine
|
||||||
|
|
||||||
|
# Install nss-tools to allow Caddy to manage its internal trust store (fixes certutil warning)
|
||||||
|
# Install ca-certificates to ensure Caddy can trust external sites if needed
|
||||||
|
RUN apk add --no-cache nss-tools ca-certificates
|
||||||
|
|
||||||
|
# Expose the internal proxy ports
|
||||||
|
EXPOSE 80 443 444
|
||||||
29
deploy.sh
29
deploy.sh
@@ -1,6 +1,6 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
# =============================================================================
|
# =============================================================================
|
||||||
# TFM aInventory - Bulletproof Deployment Script (v1.9.10)
|
# TFM aInventory - Bulletproof Deployment Script (v1.9.12)
|
||||||
# =============================================================================
|
# =============================================================================
|
||||||
|
|
||||||
set -e
|
set -e
|
||||||
@@ -30,7 +30,7 @@ for arg in "$@"; do
|
|||||||
--help)
|
--help)
|
||||||
echo "Usage: ./deploy.sh [options]"
|
echo "Usage: ./deploy.sh [options]"
|
||||||
echo "Options:"
|
echo "Options:"
|
||||||
echo " --reset-ssl Clear Caddy storage and reset certificates"
|
echo " --reset-ssl Clear Caddy storage and reset certificates (Aggressive)"
|
||||||
echo " --reset-admin Force reset Admin password to 'Admin123!'"
|
echo " --reset-admin Force reset Admin password to 'Admin123!'"
|
||||||
echo " --help Show this help message"
|
echo " --help Show this help message"
|
||||||
exit 0
|
exit 0
|
||||||
@@ -39,19 +39,25 @@ for arg in "$@"; do
|
|||||||
done
|
done
|
||||||
|
|
||||||
if [ "$RESET_SSL" = true ]; then
|
if [ "$RESET_SSL" = true ]; then
|
||||||
echo "🧹 Resetting SSL certificates..."
|
echo "🧹 Aggressive SSL Reset in progress..."
|
||||||
docker compose down
|
docker compose down
|
||||||
|
# Clear internal docker volumes
|
||||||
docker volume rm -f inventory_caddy_data 2>/dev/null || true
|
docker volume rm -f inventory_caddy_data 2>/dev/null || true
|
||||||
echo "✅ SSL data cleared."
|
docker volume rm -f inventory_caddy_config 2>/dev/null || true
|
||||||
|
# Clear persistent host volumes if they exist
|
||||||
|
rm -rf ./data/caddy_data/* 2>/dev/null || true
|
||||||
|
rm -rf ./data/caddy_config/* 2>/dev/null || true
|
||||||
|
echo "✅ SSL storage completely cleared."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
echo "🚀 Starting TFM aInventory Services..."
|
echo "🚀 Starting TFM aInventory Services..."
|
||||||
|
# Use --build to ensure the custom Caddy image is built
|
||||||
docker compose --env-file inventory.env up -d --build --remove-orphans
|
docker compose --env-file inventory.env up -d --build --remove-orphans
|
||||||
|
|
||||||
if [ "$RESET_ADMIN" = true ]; then
|
if [ "$RESET_ADMIN" = true ]; then
|
||||||
echo "🔐 Resetting Admin credentials..."
|
echo "🔐 Resetting Admin credentials..."
|
||||||
# Wait for container to be ready
|
# Wait for container to be ready
|
||||||
sleep 2
|
sleep 3
|
||||||
docker compose exec backend python3 -m backend.scripts.reset_admin
|
docker compose exec backend python3 -m backend.scripts.reset_admin
|
||||||
fi
|
fi
|
||||||
|
|
||||||
@@ -60,17 +66,18 @@ echo "🔍 Verifying port mapping..."
|
|||||||
docker compose ps --format "table {{.Name}}\t{{.Status}}\t{{.Ports}}"
|
docker compose ps --format "table {{.Name}}\t{{.Status}}\t{{.Ports}}"
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
echo "🚀 DIAGNOSTIC LOGS (Proxy SSL Handshake):"
|
echo "🚀 DIAGNOSTIC LOGS (Proxy Status):"
|
||||||
docker compose logs proxy --tail 20
|
docker compose logs proxy --tail 20
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
echo "✅ Deployment complete."
|
echo "✅ Deployment complete (v1.9.12)."
|
||||||
echo " ------------------------------------------------------------"
|
echo " ------------------------------------------------------------"
|
||||||
echo " DEFAULT CREDENTIALS:"
|
echo " ACCESS COORDINATES:"
|
||||||
|
echo " 1. SECURE: https://${SERVER_IP:-localhost}:${FRONTEND_SSL_PORT:-8919}"
|
||||||
|
echo " 2. DIRECT: http://${SERVER_IP:-localhost}:${FRONTEND_PORT:-8917}"
|
||||||
|
echo " ------------------------------------------------------------"
|
||||||
|
echo " CREDENTIALS (if first run or reset):"
|
||||||
echo " User: Admin"
|
echo " User: Admin"
|
||||||
echo " Pass: Admin123!"
|
echo " Pass: Admin123!"
|
||||||
echo " ------------------------------------------------------------"
|
echo " ------------------------------------------------------------"
|
||||||
echo " 1. SECURE ACCESS: https://${SERVER_IP:-localhost}:${FRONTEND_SSL_PORT:-8919}"
|
|
||||||
echo " 2. DIRECT ACCESS: http://${SERVER_IP:-localhost}:${FRONTEND_PORT:-8917}"
|
|
||||||
echo " ------------------------------------------------------------"
|
|
||||||
echo ""
|
echo ""
|
||||||
|
|||||||
@@ -12,6 +12,7 @@ services:
|
|||||||
volumes:
|
volumes:
|
||||||
- ./data:/app/data
|
- ./data:/app/data
|
||||||
- ./logs:/app/logs
|
- ./logs:/app/logs
|
||||||
|
- ./config:/app/config
|
||||||
- ./scripts:/app/scripts:ro
|
- ./scripts:/app/scripts:ro
|
||||||
environment:
|
environment:
|
||||||
- DATA_DIR=/app/data
|
- DATA_DIR=/app/data
|
||||||
@@ -36,7 +37,9 @@ services:
|
|||||||
restart: unless-stopped
|
restart: unless-stopped
|
||||||
|
|
||||||
proxy:
|
proxy:
|
||||||
image: caddy:alpine
|
build:
|
||||||
|
context: .
|
||||||
|
dockerfile: config/proxy/Dockerfile
|
||||||
networks:
|
networks:
|
||||||
- inventory_net
|
- inventory_net
|
||||||
ports:
|
ports:
|
||||||
|
|||||||
@@ -1 +1 @@
|
|||||||
{"version": "1.9.9", "last_build": "2026-04-13-2157", "codename": "DirectAccess", "commit": "a2f6cab4"}
|
{"version": "1.9.11", "last_build": "2026-04-13-2215", "codename": "Convergence", "commit": "9d7e4f0c"}
|
||||||
|
|||||||
@@ -88,37 +88,56 @@ export default function LoginPage() {
|
|||||||
<User size={32} />
|
<User size={32} />
|
||||||
</div>
|
</div>
|
||||||
<h2 className="text-2xl font-black text-white tracking-tight">Identity Check</h2>
|
<h2 className="text-2xl font-black text-white tracking-tight">Identity Check</h2>
|
||||||
<p className="text-slate-500 text-sm">Select operator profile or use enterprise login</p>
|
<p className="text-slate-500 text-sm">Select operator profile or use direct login</p>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
<div className="grid gap-3">
|
<div className="grid gap-3">
|
||||||
{!selectedUserForLogin && !isEnterprise ? (
|
{!selectedUserForLogin && !isEnterprise ? (
|
||||||
<>
|
<>
|
||||||
{users.map(user => (
|
{users.length > 0 ? (
|
||||||
<button
|
<>
|
||||||
key={user.id}
|
{users.map(user => (
|
||||||
onClick={() => handleSelectUser(user)}
|
<button
|
||||||
className="bg-slate-800/50 hover:bg-slate-800 border border-slate-800 hover:border-primary/40 p-4 rounded-2xl text-left transition-all group flex items-center justify-between"
|
key={user.id}
|
||||||
>
|
onClick={() => handleSelectUser(user)}
|
||||||
<div className="flex items-center gap-3">
|
className="bg-slate-800/50 hover:bg-slate-800 border border-slate-800 hover:border-primary/40 p-4 rounded-2xl text-left transition-all group flex items-center justify-between"
|
||||||
<div className="w-8 h-8 rounded-full bg-slate-900 border border-slate-700 flex items-center justify-center text-slate-500 group-hover:text-primary transition-colors">
|
>
|
||||||
{user.role === 'admin' ? <Shield size={14} /> : <User size={14} />}
|
<div className="flex items-center gap-3">
|
||||||
</div>
|
<div className="w-8 h-8 rounded-full bg-slate-900 border border-slate-700 flex items-center justify-center text-slate-500 group-hover:text-primary transition-colors">
|
||||||
<div>
|
{user.role === 'admin' ? <Shield size={14} /> : <User size={14} />}
|
||||||
<p className="text-white font-black text-sm">{user.username}</p>
|
</div>
|
||||||
<p className="text-xs text-slate-500 font-bold mt-1">{user.role}</p>
|
<div>
|
||||||
</div>
|
<p className="text-white font-black text-sm">{user.username}</p>
|
||||||
</div>
|
<p className="text-xs text-slate-500 font-bold mt-1">{user.role}</p>
|
||||||
<ChevronRight size={16} className="text-slate-600 group-hover:text-primary transition-colors" />
|
</div>
|
||||||
</button>
|
</div>
|
||||||
))}
|
<ChevronRight size={16} className="text-slate-600 group-hover:text-primary transition-colors" />
|
||||||
<div className="pt-2">
|
</button>
|
||||||
|
))}
|
||||||
|
</>
|
||||||
|
) : (
|
||||||
|
<div className="text-center p-4 text-slate-500 text-xs font-bold animate-pulse">
|
||||||
|
Connectivity issues? Use manual login below.
|
||||||
|
</div>
|
||||||
|
)}
|
||||||
|
|
||||||
|
<div className="pt-2 grid grid-cols-2 gap-3">
|
||||||
<button
|
<button
|
||||||
onClick={() => setIsEnterprise(true)}
|
onClick={() => setIsEnterprise(true)}
|
||||||
className="w-full flex items-center justify-center gap-2 py-4 rounded-2xl border border-dashed border-slate-700 text-slate-500 hover:text-primary hover:border-primary/40 transition-all font-bold text-xs"
|
className="flex items-center justify-center gap-2 py-4 rounded-2xl border border-dashed border-slate-700 text-slate-500 hover:text-white hover:border-slate-500 transition-all font-bold text-[10px]"
|
||||||
>
|
>
|
||||||
<Shield size={14} />
|
<Lock size={12} />
|
||||||
Enterprise Login
|
Enterprise
|
||||||
|
</button>
|
||||||
|
<button
|
||||||
|
onClick={() => {
|
||||||
|
setSelectedUserForLogin({ username: '' });
|
||||||
|
// We use an empty username object to trigger the manual input view
|
||||||
|
}}
|
||||||
|
className="flex items-center justify-center gap-2 py-4 rounded-2xl border border-primary/20 bg-primary/5 text-primary hover:bg-primary/10 transition-all font-bold text-[10px]"
|
||||||
|
>
|
||||||
|
<User size={12} />
|
||||||
|
Manual Login
|
||||||
</button>
|
</button>
|
||||||
</div>
|
</div>
|
||||||
</>
|
</>
|
||||||
@@ -180,10 +199,26 @@ export default function LoginPage() {
|
|||||||
</button>
|
</button>
|
||||||
<div>
|
<div>
|
||||||
<p className="text-sm font-bold text-slate-500">Logging in as</p>
|
<p className="text-sm font-bold text-slate-500">Logging in as</p>
|
||||||
<p className="text-white font-black">{selectedUserForLogin.username}</p>
|
<p className="text-white font-black">{selectedUserForLogin.username || "Manual Input"}</p>
|
||||||
</div>
|
</div>
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
|
{!selectedUserForLogin.username && (
|
||||||
|
<div className="space-y-2">
|
||||||
|
<label className="text-xs font-black text-slate-500 px-1">Username</label>
|
||||||
|
<div className="relative">
|
||||||
|
<User className="absolute left-4 top-1/2 -translate-y-1/2 text-slate-500" size={16} />
|
||||||
|
<input
|
||||||
|
type="text"
|
||||||
|
autoFocus
|
||||||
|
onChange={(e) => setSelectedUserForLogin({...selectedUserForLogin, username: e.target.value})}
|
||||||
|
className="w-full bg-slate-800/50 border border-slate-800 focus:border-primary rounded-2xl py-4 pl-12 pr-4 text-white focus:outline-none transition-all placeholder:text-slate-700 font-mono"
|
||||||
|
placeholder="Admin"
|
||||||
|
/>
|
||||||
|
</div>
|
||||||
|
</div>
|
||||||
|
)}
|
||||||
|
|
||||||
<div className="space-y-2">
|
<div className="space-y-2">
|
||||||
<label className="text-xs font-black text-slate-500 px-1">Password</label>
|
<label className="text-xs font-black text-slate-500 px-1">Password</label>
|
||||||
<div className="relative">
|
<div className="relative">
|
||||||
@@ -209,9 +244,10 @@ export default function LoginPage() {
|
|||||||
)}
|
)}
|
||||||
</div>
|
</div>
|
||||||
|
|
||||||
{users.length === 0 && (
|
{/* Progress bar hint */}
|
||||||
<div className="text-center p-8 text-slate-500 animate-pulse">
|
{users.length === 0 && !selectedUserForLogin && !isEnterprise && (
|
||||||
Initializing users...
|
<div className="w-full bg-slate-800 h-1 rounded-full overflow-hidden">
|
||||||
|
<div className="bg-primary h-full animate-progress-fast shadow-[0_0_8px_rgba(var(--primary-rgb),0.5)]"></div>
|
||||||
</div>
|
</div>
|
||||||
)}
|
)}
|
||||||
</div>
|
</div>
|
||||||
|
|||||||
@@ -14,6 +14,17 @@ if [ -d "/app/logs" ]; then
|
|||||||
chown -R nextjs:nodejs /app/logs
|
chown -R nextjs:nodejs /app/logs
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
# Generate network.json for frontend runtime discovery
|
||||||
|
echo "🐳 [Docker] Generating public/network.json..."
|
||||||
|
cat <<EOF > /app/public/network.json
|
||||||
|
{
|
||||||
|
"SERVER_IP": "${SERVER_IP:-localhost}",
|
||||||
|
"BACKEND_PORT": ${BACKEND_PORT:-8000},
|
||||||
|
"BACKEND_SSL_PORT": ${BACKEND_SSL_PORT:-8908}
|
||||||
|
}
|
||||||
|
EOF
|
||||||
|
chown nextjs:nodejs /app/public/network.json
|
||||||
|
|
||||||
# Hand off to the application server as the nextjs user
|
# Hand off to the application server as the nextjs user
|
||||||
echo "🐳 [Docker] Starting Next.js standalone server as nextjs user..."
|
echo "🐳 [Docker] Starting Next.js standalone server as nextjs user..."
|
||||||
exec su-exec nextjs node server.js
|
exec su-exec nextjs node server.js
|
||||||
|
|||||||
Reference in New Issue
Block a user