BurgerGames/NetBirdMSP-Appliance
0
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
7793ca36666ae50ad4c4fdfd46e1d0cd61cdde08
NetBirdMSP-Appliance/app/database.py
twothatit 7793ca3666 feat: add Windows DNS integration and LDAP/AD authentication 
Windows DNS (WinRM):
- New dns_service.py: create/delete A-records via PowerShell over WinRM (NTLM)
- Idempotent create (removes existing record first), graceful delete
- DNS failures are non-fatal — deployment continues, error logged
- test-dns endpoint: GET /api/settings/test-dns
- Integrated into deploy_customer() and undeploy_customer()

LDAP / Active Directory auth:
- New ldap_service.py: service-account bind + user search + user bind (ldap3)
- Optional AD group restriction via ldap_group_dn
- Login flow: LDAP first → local fallback (prevents admin lockout)
- LDAP users auto-created with auth_provider="ldap" and role="viewer"
- test-ldap endpoint: GET /api/settings/test-ldap
- reset-password/reset-mfa guards extended to block LDAP users

All credentials (dns_password, ldap_bind_password) encrypted with Fernet.
New DB columns added via backwards-compatible migrations.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-21 21:06:51 +01:00

134 lines
4.8 KiB
Python
Raw Blame History

"""Database setup and session management for NetBird MSP Appliance."""
import os
import sys
from typing import Generator
from sqlalchemy import create_engine, event
from sqlalchemy.orm import Session, sessionmaker, declarative_base
DATABASE_PATH = os.environ.get("DATABASE_PATH", "/app/data/netbird_msp.db")
DATABASE_URL = f"sqlite:///{DATABASE_PATH}"
engine = create_engine(
DATABASE_URL,
connect_args={"check_same_thread": False},
echo=False,
)
# Enable WAL mode and foreign keys for SQLite
@event.listens_for(engine, "connect")
def _set_sqlite_pragma(dbapi_connection, connection_record) -> None:
cursor = dbapi_connection.cursor()
cursor.execute("PRAGMA journal_mode=WAL")
cursor.execute("PRAGMA foreign_keys=ON")
cursor.close()
SessionLocal = sessionmaker(autocommit=False, autoflush=False, bind=engine)
Base = declarative_base()
def get_db() -> Generator[Session, None, None]:
"""Yield a database session, ensuring it is closed after use."""
db = SessionLocal()
try:
yield db
finally:
db.close()
def init_db() -> None:
"""Create all database tables and run lightweight migrations."""
from app.models import ( # noqa: F401
Customer,
Deployment,
DeploymentLog,
SystemConfig,
User,
)
Base.metadata.create_all(bind=engine)
_run_migrations()
# Insert default SystemConfig row (id=1) if it doesn't exist yet
db = SessionLocal()
try:
if not db.query(SystemConfig).filter(SystemConfig.id == 1).first():
db.add(SystemConfig(
id=1,
base_domain="example.com",
admin_email="admin@example.com",
npm_api_url="http://localhost:81",
npm_api_email_encrypted="",
npm_api_password_encrypted="",
))
db.commit()
finally:
db.close()
def _run_migrations() -> None:
"""Add columns that may be missing from older database versions."""
import sqlite3
conn = sqlite3.connect(DATABASE_PATH)
cursor = conn.cursor()
def _has_column(table: str, column: str) -> bool:
cursor.execute(f"PRAGMA table_info({table})")
return any(row[1] == column for row in cursor.fetchall())
migrations = [
("deployments", "dashboard_port", "INTEGER"),
("system_config", "dashboard_base_port", "INTEGER DEFAULT 9000"),
("deployments", "netbird_admin_email", "TEXT"),
("deployments", "netbird_admin_password", "TEXT"),
("system_config", "branding_name", "TEXT DEFAULT 'NetBird MSP Appliance'"),
("system_config", "branding_logo_path", "TEXT"),
("users", "role", "TEXT DEFAULT 'admin'"),
("users", "auth_provider", "TEXT DEFAULT 'local'"),
("system_config", "azure_enabled", "BOOLEAN DEFAULT 0"),
("system_config", "azure_tenant_id", "TEXT"),
("system_config", "azure_client_id", "TEXT"),
("system_config", "azure_client_secret_encrypted", "TEXT"),
("system_config", "branding_subtitle", "TEXT DEFAULT 'Multi-Tenant Management Platform'"),
("system_config", "default_language", "TEXT DEFAULT 'en'"),
("users", "default_language", "TEXT"),
("deployments", "npm_stream_id", "INTEGER"),
("system_config", "mfa_enabled", "BOOLEAN DEFAULT 0"),
("users", "totp_secret_encrypted", "TEXT"),
("users", "totp_enabled", "BOOLEAN DEFAULT 0"),
("system_config", "ssl_mode", "TEXT DEFAULT 'letsencrypt'"),
("system_config", "wildcard_cert_id", "INTEGER"),
# Windows DNS
("system_config", "dns_enabled", "BOOLEAN DEFAULT 0"),
("system_config", "dns_server", "TEXT"),
("system_config", "dns_username", "TEXT"),
("system_config", "dns_password_encrypted", "TEXT"),
("system_config", "dns_zone", "TEXT"),
("system_config", "dns_record_ip", "TEXT"),
# LDAP
("system_config", "ldap_enabled", "BOOLEAN DEFAULT 0"),
("system_config", "ldap_server", "TEXT"),
("system_config", "ldap_port", "INTEGER DEFAULT 389"),
("system_config", "ldap_use_ssl", "BOOLEAN DEFAULT 0"),
("system_config", "ldap_bind_dn", "TEXT"),
("system_config", "ldap_bind_password_encrypted", "TEXT"),
("system_config", "ldap_base_dn", "TEXT"),
("system_config", "ldap_user_filter", "TEXT DEFAULT '(sAMAccountName={username})'"),
("system_config", "ldap_group_dn", "TEXT"),
]
for table, column, col_type in migrations:
if not _has_column(table, column):
cursor.execute(f"ALTER TABLE {table} ADD COLUMN {column} {col_type}")
conn.commit()
conn.close()
if __name__ == "__main__":
if len(sys.argv) > 1 and sys.argv[1] == "init":
init_db()
print("Database initialized successfully.")
Reference in New Issue View Git Blame Copy Permalink