Compare commits
5 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
bdf6d605cd | ||
|
|
a2f6cab492 | ||
|
|
476fda7203 | ||
|
|
9348336709 | ||
|
|
e5194a1dbb |
@@ -166,8 +166,9 @@ def get_users(db: Session = Depends(get_db)):
|
|||||||
users = db.query(models.User).all()
|
users = db.query(models.User).all()
|
||||||
# Auto-seed if empty
|
# Auto-seed if empty
|
||||||
if not users:
|
if not users:
|
||||||
# [SECURITY FIX C-03] Generate random password instead of hardcoded "admin"
|
# [SECURITY] For initial setup and recovery, we use a predictable default.
|
||||||
initial_password = secrets.token_urlsafe(16)
|
# User MUST change this immediately in Settings.
|
||||||
|
initial_password = "Admin123!"
|
||||||
new_user = models.User(
|
new_user = models.User(
|
||||||
username="Admin",
|
username="Admin",
|
||||||
role="admin",
|
role="admin",
|
||||||
@@ -177,7 +178,7 @@ def get_users(db: Session = Depends(get_db)):
|
|||||||
db.add(new_user)
|
db.add(new_user)
|
||||||
db.commit()
|
db.commit()
|
||||||
db.refresh(new_user)
|
db.refresh(new_user)
|
||||||
log.warning(f"[SECURITY] Admin initial seeded. Temporary password: {initial_password} — CHANGE IMMEDIATELY!")
|
log.warning(f"[SECURITY] Admin initial seeded. Credentials: Admin / {initial_password} — CHANGE IMMEDIATELY!")
|
||||||
return [new_user]
|
return [new_user]
|
||||||
return users
|
return users
|
||||||
|
|
||||||
|
|||||||
41
backend/scripts/reset_admin.py
Normal file
41
backend/scripts/reset_admin.py
Normal file
@@ -0,0 +1,41 @@
|
|||||||
|
import os
|
||||||
|
import sys
|
||||||
|
from sqlalchemy.orm import Session
|
||||||
|
from passlib.context import CryptContext
|
||||||
|
from ..database import SessionLocal
|
||||||
|
from .. import models
|
||||||
|
|
||||||
|
pwd_context = CryptContext(schemes=["pbkdf2_sha256"], deprecated="auto")
|
||||||
|
|
||||||
|
def reset_admin():
|
||||||
|
db = SessionLocal()
|
||||||
|
try:
|
||||||
|
username = "Admin"
|
||||||
|
password = "Admin123!"
|
||||||
|
hashed_password = pwd_context.hash(password)
|
||||||
|
|
||||||
|
user = db.query(models.User).filter(models.User.username == username).first()
|
||||||
|
if user:
|
||||||
|
user.hashed_password = hashed_password
|
||||||
|
user.role = "admin"
|
||||||
|
print(f"✅ User '{username}' found. Password has been reset to: {password}")
|
||||||
|
else:
|
||||||
|
new_user = models.User(
|
||||||
|
username=username,
|
||||||
|
role="admin",
|
||||||
|
origin="local",
|
||||||
|
hashed_password=hashed_password
|
||||||
|
)
|
||||||
|
db.add(new_user)
|
||||||
|
print(f"✅ User '{username}' not found. Created new admin with password: {password}")
|
||||||
|
|
||||||
|
db.commit()
|
||||||
|
print("💾 Changes saved to database.")
|
||||||
|
except Exception as e:
|
||||||
|
print(f"❌ Error resetting admin: {e}")
|
||||||
|
db.rollback()
|
||||||
|
finally:
|
||||||
|
db.close()
|
||||||
|
|
||||||
|
if __name__ == "__main__":
|
||||||
|
reset_admin()
|
||||||
@@ -1,12 +1,21 @@
|
|||||||
# TFM aInventory - Caddy Self-Signed Internal Proxy
|
# TFM aInventory - Caddy Explicit IP Configuration
|
||||||
# This replaces the need for `local-ssl-proxy` in Node.
|
# Version 1.9.10 - Focused on resolving Protocol Errors on private IPs.
|
||||||
{
|
{
|
||||||
:{$FRONTEND_SSL_PORT} {
|
# Global options
|
||||||
|
admin off
|
||||||
|
# Disable automatic HTTP->HTTPS redirects to prevent port conflicts on non-standard ports
|
||||||
|
auto_https disable_redirects
|
||||||
|
}
|
||||||
|
|
||||||
|
# Frontend SSL Proxy - Explicit address to improve handshake success
|
||||||
|
https://{$SERVER_IP:192.168.84.113}:443 {
|
||||||
|
tls internal
|
||||||
reverse_proxy frontend:3000
|
reverse_proxy frontend:3000
|
||||||
}
|
}
|
||||||
|
|
||||||
# Backend SSL Proxy
|
# Backend SSL Proxy
|
||||||
:{$BACKEND_SSL_PORT} {
|
https://{$SERVER_IP:192.168.84.113}:444 {
|
||||||
|
tls internal
|
||||||
reverse_proxy backend:8000
|
reverse_proxy backend:8000
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,19 +1,17 @@
|
|||||||
{
|
{
|
||||||
"_comment": "Copy this file to ldap_config.json and fill in real values. NEVER commit ldap_config.json to Git.",
|
|
||||||
"ldap_enabled": false,
|
"ldap_enabled": false,
|
||||||
"server_uri": "ldap://YOUR_LDAP_SERVER_IP:389",
|
"server_uri": "ldap://192.168.1.100:389",
|
||||||
"base_dn": "dc=yourdomain,dc=com",
|
|
||||||
"user_template": "cn={username},ou=people,dc=yourdomain,dc=com",
|
|
||||||
"groups_dn": "ou=groups",
|
|
||||||
"use_tls": false,
|
"use_tls": false,
|
||||||
"ignore_cert": false,
|
"ignore_cert": false,
|
||||||
|
"base_dn": "dc=example,dc=com",
|
||||||
|
"user_template": "uid={username},ou=users,dc=example,dc=com",
|
||||||
"role_mappings": [
|
"role_mappings": [
|
||||||
{
|
{
|
||||||
"group": "inventory_admins",
|
"group": "cn=inventory_admins,ou=groups,dc=example,dc=com",
|
||||||
"role": "admin"
|
"role": "admin"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"group": "inventory_users",
|
"group": "cn=inventory_users,ou=groups,dc=example,dc=com",
|
||||||
"role": "user"
|
"role": "user"
|
||||||
}
|
}
|
||||||
]
|
]
|
||||||
|
|||||||
81
deploy.sh
81
deploy.sh
@@ -1,25 +1,76 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
# deploy.sh - Production Deployment Script for TFM aInventory
|
# =============================================================================
|
||||||
# Forces Docker Compose to use the inventory.env file for both host and container.
|
# TFM aInventory - Bulletproof Deployment Script (v1.9.10)
|
||||||
|
# =============================================================================
|
||||||
|
|
||||||
echo "🐳 TFM aInventory - Starting Deployment..."
|
set -e
|
||||||
|
|
||||||
# 1. Check for configuration file
|
# Load environment variables (from root inventory.env)
|
||||||
if [ ! -f "inventory.env" ]; then
|
if [ -f inventory.env ]; then
|
||||||
echo "❌ ERROR: inventory.env not found!"
|
export $(grep -v '^#' inventory.env | xargs)
|
||||||
echo "Please create it or use the template provided."
|
echo "✅ Loaded configuration from inventory.env"
|
||||||
exit 1
|
else
|
||||||
|
echo "⚠️ inventory.env not found. Using default values."
|
||||||
fi
|
fi
|
||||||
|
|
||||||
# 2. Source the env file for the current shell (helps some docker versions)
|
# Parse arguments
|
||||||
export $(grep -v '^#' inventory.env | xargs)
|
RESET_SSL=false
|
||||||
|
RESET_ADMIN=false
|
||||||
|
|
||||||
# 3. Run Docker Compose with explicit env-file flag
|
for arg in "$@"; do
|
||||||
echo "🚀 Building and starting containers..."
|
case $arg in
|
||||||
|
--reset-ssl)
|
||||||
|
RESET_SSL=true
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--reset-admin)
|
||||||
|
RESET_ADMIN=true
|
||||||
|
shift
|
||||||
|
;;
|
||||||
|
--help)
|
||||||
|
echo "Usage: ./deploy.sh [options]"
|
||||||
|
echo "Options:"
|
||||||
|
echo " --reset-ssl Clear Caddy storage and reset certificates"
|
||||||
|
echo " --reset-admin Force reset Admin password to 'Admin123!'"
|
||||||
|
echo " --help Show this help message"
|
||||||
|
exit 0
|
||||||
|
;;
|
||||||
|
esac
|
||||||
|
done
|
||||||
|
|
||||||
|
if [ "$RESET_SSL" = true ]; then
|
||||||
|
echo "🧹 Resetting SSL certificates..."
|
||||||
|
docker compose down
|
||||||
|
docker volume rm -f inventory_caddy_data 2>/dev/null || true
|
||||||
|
echo "✅ SSL data cleared."
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "🚀 Starting TFM aInventory Services..."
|
||||||
docker compose --env-file inventory.env up -d --build --remove-orphans
|
docker compose --env-file inventory.env up -d --build --remove-orphans
|
||||||
|
|
||||||
|
if [ "$RESET_ADMIN" = true ]; then
|
||||||
|
echo "🔐 Resetting Admin credentials..."
|
||||||
|
# Wait for container to be ready
|
||||||
|
sleep 2
|
||||||
|
docker compose exec backend python3 -m backend.scripts.reset_admin
|
||||||
|
fi
|
||||||
|
|
||||||
echo ""
|
echo ""
|
||||||
echo "✅ Deployment requested."
|
echo "🔍 Verifying port mapping..."
|
||||||
echo " Access URL: https://${SERVER_IP:-localhost}:${FRONTEND_SSL_PORT:-8919}"
|
docker compose ps --format "table {{.Name}}\t{{.Status}}\t{{.Ports}}"
|
||||||
echo " Run 'docker compose ps' to check status."
|
|
||||||
|
echo ""
|
||||||
|
echo "🚀 DIAGNOSTIC LOGS (Proxy SSL Handshake):"
|
||||||
|
docker compose logs proxy --tail 20
|
||||||
|
|
||||||
|
echo ""
|
||||||
|
echo "✅ Deployment complete."
|
||||||
|
echo " ------------------------------------------------------------"
|
||||||
|
echo " DEFAULT CREDENTIALS:"
|
||||||
|
echo " User: Admin"
|
||||||
|
echo " Pass: Admin123!"
|
||||||
|
echo " ------------------------------------------------------------"
|
||||||
|
echo " 1. SECURE ACCESS: https://${SERVER_IP:-localhost}:${FRONTEND_SSL_PORT:-8919}"
|
||||||
|
echo " 2. DIRECT ACCESS: http://${SERVER_IP:-localhost}:${FRONTEND_PORT:-8917}"
|
||||||
|
echo " ------------------------------------------------------------"
|
||||||
echo ""
|
echo ""
|
||||||
|
|||||||
@@ -40,8 +40,8 @@ services:
|
|||||||
networks:
|
networks:
|
||||||
- inventory_net
|
- inventory_net
|
||||||
ports:
|
ports:
|
||||||
- ${BACKEND_SSL_PORT:-3002}:${BACKEND_SSL_PORT:-3002}
|
- ${BACKEND_SSL_PORT:-8918}:444
|
||||||
- ${FRONTEND_SSL_PORT:-3003}:${FRONTEND_SSL_PORT:-3003}
|
- ${FRONTEND_SSL_PORT:-8919}:443
|
||||||
env_file:
|
env_file:
|
||||||
- inventory.env
|
- inventory.env
|
||||||
volumes:
|
volumes:
|
||||||
|
|||||||
@@ -30,6 +30,7 @@ cp inventory.service.template "$PROD_DIR/"
|
|||||||
cp USER_GUIDE.md "$PROD_DIR/"
|
cp USER_GUIDE.md "$PROD_DIR/"
|
||||||
cp README.md "$PROD_DIR/INSTALLATION_GUIDE.md"
|
cp README.md "$PROD_DIR/INSTALLATION_GUIDE.md"
|
||||||
cp inventory.env "$PROD_DIR/"
|
cp inventory.env "$PROD_DIR/"
|
||||||
|
cp deploy.sh "$PROD_DIR/"
|
||||||
cp .git_path "$PROD_DIR/" 2>/dev/null || true
|
cp .git_path "$PROD_DIR/" 2>/dev/null || true
|
||||||
cp frontend/VERSION.json "$PROD_DIR/"
|
cp frontend/VERSION.json "$PROD_DIR/"
|
||||||
cp frontend/VERSION.json "$PROD_DIR/frontend/"
|
cp frontend/VERSION.json "$PROD_DIR/frontend/"
|
||||||
|
|||||||
@@ -1 +1 @@
|
|||||||
{"version": "1.9.5", "last_build": "2026-04-13-2132", "codename": "Bulletproof", "commit": "a0eaddf9"}
|
{"version": "1.9.9", "last_build": "2026-04-13-2157", "codename": "DirectAccess", "commit": "a2f6cab4"}
|
||||||
|
|||||||
Reference in New Issue
Block a user