Compare commits
4 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
9d7e4f0ca3 | ||
|
|
bdf6d605cd | ||
|
|
a2f6cab492 | ||
|
|
476fda7203 |
@@ -166,8 +166,9 @@ def get_users(db: Session = Depends(get_db)):
|
||||
users = db.query(models.User).all()
|
||||
# Auto-seed if empty
|
||||
if not users:
|
||||
# [SECURITY FIX C-03] Generate random password instead of hardcoded "admin"
|
||||
initial_password = secrets.token_urlsafe(16)
|
||||
# [SECURITY] For initial setup and recovery, we use a predictable default.
|
||||
# User MUST change this immediately in Settings.
|
||||
initial_password = "Admin123!"
|
||||
new_user = models.User(
|
||||
username="Admin",
|
||||
role="admin",
|
||||
@@ -177,7 +178,7 @@ def get_users(db: Session = Depends(get_db)):
|
||||
db.add(new_user)
|
||||
db.commit()
|
||||
db.refresh(new_user)
|
||||
log.warning(f"[SECURITY] Admin initial seeded. Temporary password: {initial_password} — CHANGE IMMEDIATELY!")
|
||||
log.warning(f"[SECURITY] Admin initial seeded. Credentials: Admin / {initial_password} — CHANGE IMMEDIATELY!")
|
||||
return [new_user]
|
||||
return users
|
||||
|
||||
|
||||
41
backend/scripts/reset_admin.py
Normal file
41
backend/scripts/reset_admin.py
Normal file
@@ -0,0 +1,41 @@
|
||||
import os
|
||||
import sys
|
||||
from sqlalchemy.orm import Session
|
||||
from passlib.context import CryptContext
|
||||
from ..database import SessionLocal
|
||||
from .. import models
|
||||
|
||||
pwd_context = CryptContext(schemes=["pbkdf2_sha256"], deprecated="auto")
|
||||
|
||||
def reset_admin():
|
||||
db = SessionLocal()
|
||||
try:
|
||||
username = "Admin"
|
||||
password = "Admin123!"
|
||||
hashed_password = pwd_context.hash(password)
|
||||
|
||||
user = db.query(models.User).filter(models.User.username == username).first()
|
||||
if user:
|
||||
user.hashed_password = hashed_password
|
||||
user.role = "admin"
|
||||
print(f"✅ User '{username}' found. Password has been reset to: {password}")
|
||||
else:
|
||||
new_user = models.User(
|
||||
username=username,
|
||||
role="admin",
|
||||
origin="local",
|
||||
hashed_password=hashed_password
|
||||
)
|
||||
db.add(new_user)
|
||||
print(f"✅ User '{username}' not found. Created new admin with password: {password}")
|
||||
|
||||
db.commit()
|
||||
print("💾 Changes saved to database.")
|
||||
except Exception as e:
|
||||
print(f"❌ Error resetting admin: {e}")
|
||||
db.rollback()
|
||||
finally:
|
||||
db.close()
|
||||
|
||||
if __name__ == "__main__":
|
||||
reset_admin()
|
||||
@@ -1,9 +1,21 @@
|
||||
https://:{$FRONTEND_SSL_PORT} {
|
||||
# TFM aInventory - Caddy Explicit IP Configuration
|
||||
# Version 1.9.10 - Focused on resolving Protocol Errors on private IPs.
|
||||
{
|
||||
# Global options
|
||||
admin off
|
||||
# Disable automatic HTTP->HTTPS redirects to prevent port conflicts on non-standard ports
|
||||
auto_https disable_redirects
|
||||
}
|
||||
|
||||
# Frontend SSL Proxy - Explicit address to improve handshake success
|
||||
https://{$SERVER_IP:192.168.84.113}:443 {
|
||||
tls internal
|
||||
reverse_proxy frontend:3000
|
||||
}
|
||||
|
||||
# Backend SSL Proxy
|
||||
https://:{$BACKEND_SSL_PORT} {
|
||||
https://{$SERVER_IP:192.168.84.113}:444 {
|
||||
tls internal
|
||||
reverse_proxy backend:8000
|
||||
}
|
||||
}
|
||||
|
||||
@@ -1,19 +1,17 @@
|
||||
{
|
||||
"_comment": "Copy this file to ldap_config.json and fill in real values. NEVER commit ldap_config.json to Git.",
|
||||
"ldap_enabled": false,
|
||||
"server_uri": "ldap://YOUR_LDAP_SERVER_IP:389",
|
||||
"base_dn": "dc=yourdomain,dc=com",
|
||||
"user_template": "cn={username},ou=people,dc=yourdomain,dc=com",
|
||||
"groups_dn": "ou=groups",
|
||||
"server_uri": "ldap://192.168.1.100:389",
|
||||
"use_tls": false,
|
||||
"ignore_cert": false,
|
||||
"base_dn": "dc=example,dc=com",
|
||||
"user_template": "uid={username},ou=users,dc=example,dc=com",
|
||||
"role_mappings": [
|
||||
{
|
||||
"group": "inventory_admins",
|
||||
"group": "cn=inventory_admins,ou=groups,dc=example,dc=com",
|
||||
"role": "admin"
|
||||
},
|
||||
{
|
||||
"group": "inventory_users",
|
||||
"group": "cn=inventory_users,ou=groups,dc=example,dc=com",
|
||||
"role": "user"
|
||||
}
|
||||
]
|
||||
|
||||
82
deploy.sh
82
deploy.sh
@@ -1,32 +1,76 @@
|
||||
#!/bin/bash
|
||||
# deploy.sh - Production Deployment Script for TFM aInventory
|
||||
# Forces Docker Compose to use the inventory.env file for both host and container.
|
||||
# =============================================================================
|
||||
# TFM aInventory - Bulletproof Deployment Script (v1.9.10)
|
||||
# =============================================================================
|
||||
|
||||
echo "🐳 TFM aInventory - Starting Deployment..."
|
||||
set -e
|
||||
|
||||
# 1. Check for configuration file
|
||||
if [ ! -f "inventory.env" ]; then
|
||||
echo "❌ ERROR: inventory.env not found!"
|
||||
echo "Please create it or use the template provided."
|
||||
exit 1
|
||||
# Load environment variables (from root inventory.env)
|
||||
if [ -f inventory.env ]; then
|
||||
export $(grep -v '^#' inventory.env | xargs)
|
||||
echo "✅ Loaded configuration from inventory.env"
|
||||
else
|
||||
echo "⚠️ inventory.env not found. Using default values."
|
||||
fi
|
||||
|
||||
# 2. Source the env file for the current shell (helps some docker versions)
|
||||
export $(grep -v '^#' inventory.env | xargs)
|
||||
# Parse arguments
|
||||
RESET_SSL=false
|
||||
RESET_ADMIN=false
|
||||
|
||||
# 3. Optional: Reset Caddy certificates if needed
|
||||
if [[ "$*" == *"--reset-ssl"* ]]; then
|
||||
echo "🧹 Resetting Caddy certificates..."
|
||||
for arg in "$@"; do
|
||||
case $arg in
|
||||
--reset-ssl)
|
||||
RESET_SSL=true
|
||||
shift
|
||||
;;
|
||||
--reset-admin)
|
||||
RESET_ADMIN=true
|
||||
shift
|
||||
;;
|
||||
--help)
|
||||
echo "Usage: ./deploy.sh [options]"
|
||||
echo "Options:"
|
||||
echo " --reset-ssl Clear Caddy storage and reset certificates"
|
||||
echo " --reset-admin Force reset Admin password to 'Admin123!'"
|
||||
echo " --help Show this help message"
|
||||
exit 0
|
||||
;;
|
||||
esac
|
||||
done
|
||||
|
||||
if [ "$RESET_SSL" = true ]; then
|
||||
echo "🧹 Resetting SSL certificates..."
|
||||
docker compose down
|
||||
docker volume rm ainventory_caddy_data ainventory_caddy_config 2>/dev/null || true
|
||||
docker volume rm -f inventory_caddy_data 2>/dev/null || true
|
||||
echo "✅ SSL data cleared."
|
||||
fi
|
||||
|
||||
# 4. Run Docker Compose with explicit env-file flag
|
||||
echo "🚀 Building and starting containers..."
|
||||
echo "🚀 Starting TFM aInventory Services..."
|
||||
docker compose --env-file inventory.env up -d --build --remove-orphans
|
||||
|
||||
if [ "$RESET_ADMIN" = true ]; then
|
||||
echo "🔐 Resetting Admin credentials..."
|
||||
# Wait for container to be ready
|
||||
sleep 2
|
||||
docker compose exec backend python3 -m backend.scripts.reset_admin
|
||||
fi
|
||||
|
||||
echo ""
|
||||
echo "✅ Deployment requested."
|
||||
echo " Access URL: https://${SERVER_IP:-localhost}:${FRONTEND_SSL_PORT:-8919}"
|
||||
echo " Run 'docker compose ps' to check status."
|
||||
echo "🔍 Verifying port mapping..."
|
||||
docker compose ps --format "table {{.Name}}\t{{.Status}}\t{{.Ports}}"
|
||||
|
||||
echo ""
|
||||
echo "🚀 DIAGNOSTIC LOGS (Proxy SSL Handshake):"
|
||||
docker compose logs proxy --tail 20
|
||||
|
||||
echo ""
|
||||
echo "✅ Deployment complete."
|
||||
echo " ------------------------------------------------------------"
|
||||
echo " DEFAULT CREDENTIALS:"
|
||||
echo " User: Admin"
|
||||
echo " Pass: Admin123!"
|
||||
echo " ------------------------------------------------------------"
|
||||
echo " 1. SECURE ACCESS: https://${SERVER_IP:-localhost}:${FRONTEND_SSL_PORT:-8919}"
|
||||
echo " 2. DIRECT ACCESS: http://${SERVER_IP:-localhost}:${FRONTEND_PORT:-8917}"
|
||||
echo " ------------------------------------------------------------"
|
||||
echo ""
|
||||
|
||||
@@ -40,8 +40,8 @@ services:
|
||||
networks:
|
||||
- inventory_net
|
||||
ports:
|
||||
- ${BACKEND_SSL_PORT:-3002}:${BACKEND_SSL_PORT:-3002}
|
||||
- ${FRONTEND_SSL_PORT:-3003}:${FRONTEND_SSL_PORT:-3003}
|
||||
- ${BACKEND_SSL_PORT:-8918}:444
|
||||
- ${FRONTEND_SSL_PORT:-8919}:443
|
||||
env_file:
|
||||
- inventory.env
|
||||
volumes:
|
||||
|
||||
@@ -1 +1 @@
|
||||
{"version": "1.9.7", "last_build": "2026-04-13-2142", "codename": "SSLFix", "commit": "e5194a1d"}
|
||||
{"version": "1.9.10", "last_build": "2026-04-13-2207", "codename": "AccessRecovery", "commit": "bdf6d605"}
|
||||
|
||||
@@ -88,37 +88,56 @@ export default function LoginPage() {
|
||||
<User size={32} />
|
||||
</div>
|
||||
<h2 className="text-2xl font-black text-white tracking-tight">Identity Check</h2>
|
||||
<p className="text-slate-500 text-sm">Select operator profile or use enterprise login</p>
|
||||
<p className="text-slate-500 text-sm">Select operator profile or use direct login</p>
|
||||
</div>
|
||||
|
||||
<div className="grid gap-3">
|
||||
{!selectedUserForLogin && !isEnterprise ? (
|
||||
<>
|
||||
{users.map(user => (
|
||||
<button
|
||||
key={user.id}
|
||||
onClick={() => handleSelectUser(user)}
|
||||
className="bg-slate-800/50 hover:bg-slate-800 border border-slate-800 hover:border-primary/40 p-4 rounded-2xl text-left transition-all group flex items-center justify-between"
|
||||
>
|
||||
<div className="flex items-center gap-3">
|
||||
<div className="w-8 h-8 rounded-full bg-slate-900 border border-slate-700 flex items-center justify-center text-slate-500 group-hover:text-primary transition-colors">
|
||||
{user.role === 'admin' ? <Shield size={14} /> : <User size={14} />}
|
||||
</div>
|
||||
<div>
|
||||
<p className="text-white font-black text-sm">{user.username}</p>
|
||||
<p className="text-xs text-slate-500 font-bold mt-1">{user.role}</p>
|
||||
</div>
|
||||
</div>
|
||||
<ChevronRight size={16} className="text-slate-600 group-hover:text-primary transition-colors" />
|
||||
</button>
|
||||
))}
|
||||
<div className="pt-2">
|
||||
{users.length > 0 ? (
|
||||
<>
|
||||
{users.map(user => (
|
||||
<button
|
||||
key={user.id}
|
||||
onClick={() => handleSelectUser(user)}
|
||||
className="bg-slate-800/50 hover:bg-slate-800 border border-slate-800 hover:border-primary/40 p-4 rounded-2xl text-left transition-all group flex items-center justify-between"
|
||||
>
|
||||
<div className="flex items-center gap-3">
|
||||
<div className="w-8 h-8 rounded-full bg-slate-900 border border-slate-700 flex items-center justify-center text-slate-500 group-hover:text-primary transition-colors">
|
||||
{user.role === 'admin' ? <Shield size={14} /> : <User size={14} />}
|
||||
</div>
|
||||
<div>
|
||||
<p className="text-white font-black text-sm">{user.username}</p>
|
||||
<p className="text-xs text-slate-500 font-bold mt-1">{user.role}</p>
|
||||
</div>
|
||||
</div>
|
||||
<ChevronRight size={16} className="text-slate-600 group-hover:text-primary transition-colors" />
|
||||
</button>
|
||||
))}
|
||||
</>
|
||||
) : (
|
||||
<div className="text-center p-4 text-slate-500 text-xs font-bold animate-pulse">
|
||||
Connectivity issues? Use manual login below.
|
||||
</div>
|
||||
)}
|
||||
|
||||
<div className="pt-2 grid grid-cols-2 gap-3">
|
||||
<button
|
||||
onClick={() => setIsEnterprise(true)}
|
||||
className="w-full flex items-center justify-center gap-2 py-4 rounded-2xl border border-dashed border-slate-700 text-slate-500 hover:text-primary hover:border-primary/40 transition-all font-bold text-xs"
|
||||
className="flex items-center justify-center gap-2 py-4 rounded-2xl border border-dashed border-slate-700 text-slate-500 hover:text-white hover:border-slate-500 transition-all font-bold text-[10px]"
|
||||
>
|
||||
<Shield size={14} />
|
||||
Enterprise Login
|
||||
<Lock size={12} />
|
||||
Enterprise
|
||||
</button>
|
||||
<button
|
||||
onClick={() => {
|
||||
setSelectedUserForLogin({ username: '' });
|
||||
// We use an empty username object to trigger the manual input view
|
||||
}}
|
||||
className="flex items-center justify-center gap-2 py-4 rounded-2xl border border-primary/20 bg-primary/5 text-primary hover:bg-primary/10 transition-all font-bold text-[10px]"
|
||||
>
|
||||
<User size={12} />
|
||||
Manual Login
|
||||
</button>
|
||||
</div>
|
||||
</>
|
||||
@@ -180,10 +199,26 @@ export default function LoginPage() {
|
||||
</button>
|
||||
<div>
|
||||
<p className="text-sm font-bold text-slate-500">Logging in as</p>
|
||||
<p className="text-white font-black">{selectedUserForLogin.username}</p>
|
||||
<p className="text-white font-black">{selectedUserForLogin.username || "Manual Input"}</p>
|
||||
</div>
|
||||
</div>
|
||||
|
||||
{!selectedUserForLogin.username && (
|
||||
<div className="space-y-2">
|
||||
<label className="text-xs font-black text-slate-500 px-1">Username</label>
|
||||
<div className="relative">
|
||||
<User className="absolute left-4 top-1/2 -translate-y-1/2 text-slate-500" size={16} />
|
||||
<input
|
||||
type="text"
|
||||
autoFocus
|
||||
onChange={(e) => setSelectedUserForLogin({...selectedUserForLogin, username: e.target.value})}
|
||||
className="w-full bg-slate-800/50 border border-slate-800 focus:border-primary rounded-2xl py-4 pl-12 pr-4 text-white focus:outline-none transition-all placeholder:text-slate-700 font-mono"
|
||||
placeholder="Admin"
|
||||
/>
|
||||
</div>
|
||||
</div>
|
||||
)}
|
||||
|
||||
<div className="space-y-2">
|
||||
<label className="text-xs font-black text-slate-500 px-1">Password</label>
|
||||
<div className="relative">
|
||||
@@ -209,9 +244,10 @@ export default function LoginPage() {
|
||||
)}
|
||||
</div>
|
||||
|
||||
{users.length === 0 && (
|
||||
<div className="text-center p-8 text-slate-500 animate-pulse">
|
||||
Initializing users...
|
||||
{/* Progress bar hint */}
|
||||
{users.length === 0 && !selectedUserForLogin && !isEnterprise && (
|
||||
<div className="w-full bg-slate-800 h-1 rounded-full overflow-hidden">
|
||||
<div className="bg-primary h-full animate-progress-fast shadow-[0_0_8px_rgba(var(--primary-rgb),0.5)]"></div>
|
||||
</div>
|
||||
)}
|
||||
</div>
|
||||
|
||||
@@ -14,6 +14,17 @@ if [ -d "/app/logs" ]; then
|
||||
chown -R nextjs:nodejs /app/logs
|
||||
fi
|
||||
|
||||
# Generate network.json for frontend runtime discovery
|
||||
echo "🐳 [Docker] Generating public/network.json..."
|
||||
cat <<EOF > /app/public/network.json
|
||||
{
|
||||
"SERVER_IP": "${SERVER_IP:-localhost}",
|
||||
"BACKEND_PORT": ${BACKEND_PORT:-8000},
|
||||
"BACKEND_SSL_PORT": ${BACKEND_SSL_PORT:-8908}
|
||||
}
|
||||
EOF
|
||||
chown nextjs:nodejs /app/public/network.json
|
||||
|
||||
# Hand off to the application server as the nextjs user
|
||||
echo "🐳 [Docker] Starting Next.js standalone server as nextjs user..."
|
||||
exec su-exec nextjs node server.js
|
||||
|
||||
Reference in New Issue
Block a user