twothatit
72bad11129
Fix #1 - SECRET_KEY startup validation (config.py, .env): - App refuses to start if SECRET_KEY is missing, shorter than 32 chars, or matches a known insecure default value - .env: replaced hardcoded test key with placeholder + generation hint Fix #2 - Docker socket proxy (docker-compose.yml): - Add tecnativa/docker-socket-proxy sidecar - Only expose required Docker API endpoints (CONTAINERS, IMAGES, NETWORKS, POST, EXEC); dangerous endpoints explicitly blocked - Remove direct /var/run/docker.sock mount from main container - Route Docker API via DOCKER_HOST=tcp://docker-socket-proxy:2375 Fix #3 - Azure AD group whitelist (auth.py, models.py, validators.py): - New azure_allowed_group_id field in SystemConfig - After token exchange, verify group membership via Graph API /me/memberOf - Deny login with HTTP 403 if user is not in the required group - New Azure AD users now get role 'viewer' instead of 'admin' Fix #4 - Rate limiting on login (main.py, auth.py, requirements.txt): - Add slowapi==0.1.9 dependency - Initialize SlowAPI limiter in main.py with 429 exception handler - Apply 10 requests/minute limit per IP on /login and /mfa/verify
107 lines
4.2 KiB
Python
107 lines
4.2 KiB
Python
"""FastAPI entry point for NetBird MSP Appliance."""
|
|
|
|
import logging
|
|
import os
|
|
|
|
from fastapi import FastAPI, Request
|
|
from fastapi.middleware.cors import CORSMiddleware
|
|
from fastapi.responses import JSONResponse
|
|
from fastapi.staticfiles import StaticFiles
|
|
from slowapi import Limiter, _rate_limit_exceeded_handler
|
|
from slowapi.errors import RateLimitExceeded
|
|
from slowapi.util import get_remote_address
|
|
|
|
from app.database import init_db
|
|
from app.routers import auth, customers, deployments, monitoring, settings, users
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Logging
|
|
# ---------------------------------------------------------------------------
|
|
LOG_LEVEL = os.environ.get("LOG_LEVEL", "INFO").upper()
|
|
logging.basicConfig(
|
|
level=getattr(logging, LOG_LEVEL, logging.INFO),
|
|
format="%(asctime)s [%(levelname)s] %(name)s: %(message)s",
|
|
)
|
|
logger = logging.getLogger(__name__)
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Application
|
|
# ---------------------------------------------------------------------------
|
|
# ---------------------------------------------------------------------------
|
|
# Rate limiter (SlowAPI)
|
|
# ---------------------------------------------------------------------------
|
|
limiter = Limiter(key_func=get_remote_address)
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Application
|
|
# ---------------------------------------------------------------------------
|
|
app = FastAPI(
|
|
title="NetBird MSP Appliance",
|
|
description="Multi-tenant NetBird management platform for MSPs",
|
|
version="1.0.0",
|
|
docs_url="/api/docs",
|
|
redoc_url="/api/redoc",
|
|
openapi_url="/api/openapi.json",
|
|
)
|
|
|
|
# Attach limiter to app state and register the 429 exception handler
|
|
app.state.limiter = limiter
|
|
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
|
|
|
|
# CORS — allow same-origin; adjust if needed
|
|
app.add_middleware(
|
|
CORSMiddleware,
|
|
allow_origins=["*"],
|
|
allow_credentials=True,
|
|
allow_methods=["*"],
|
|
allow_headers=["*"],
|
|
)
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Routers
|
|
# ---------------------------------------------------------------------------
|
|
app.include_router(auth.router, prefix="/api/auth", tags=["Authentication"])
|
|
app.include_router(settings.router, prefix="/api/settings", tags=["Settings"])
|
|
app.include_router(customers.router, prefix="/api/customers", tags=["Customers"])
|
|
app.include_router(deployments.router, prefix="/api/customers", tags=["Deployments"])
|
|
app.include_router(monitoring.router, prefix="/api/monitoring", tags=["Monitoring"])
|
|
app.include_router(users.router, prefix="/api/users", tags=["Users"])
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Static files — serve the frontend SPA
|
|
# ---------------------------------------------------------------------------
|
|
STATIC_DIR = os.path.join(os.path.dirname(os.path.dirname(__file__)), "static")
|
|
if os.path.isdir(STATIC_DIR):
|
|
app.mount("/static", StaticFiles(directory=STATIC_DIR), name="static")
|
|
|
|
# Serve index.html at root
|
|
from fastapi.responses import FileResponse
|
|
|
|
@app.get("/", include_in_schema=False)
|
|
async def serve_index():
|
|
"""Serve the main dashboard."""
|
|
index_path = os.path.join(STATIC_DIR, "index.html")
|
|
if os.path.isfile(index_path):
|
|
return FileResponse(index_path)
|
|
return JSONResponse({"message": "NetBird MSP Appliance API is running."})
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Health endpoint (unauthenticated)
|
|
# ---------------------------------------------------------------------------
|
|
@app.get("/api/health", tags=["Health"])
|
|
async def health_check():
|
|
"""Simple health check endpoint for Docker HEALTHCHECK."""
|
|
return {"status": "ok", "service": "netbird-msp-appliance"}
|
|
|
|
|
|
# ---------------------------------------------------------------------------
|
|
# Startup event
|
|
# ---------------------------------------------------------------------------
|
|
@app.on_event("startup")
|
|
async def startup_event():
|
|
"""Initialize database tables on startup."""
|
|
logger.info("Starting NetBird MSP Appliance...")
|
|
init_db()
|
|
logger.info("Database initialized.")
|