Initial release — Salus by Stranto v1.6.1.0

FastAPI/Jinja2 web app for viewing and rebooting TP-Link Omada APs across all sites. Authentik OIDC auth, SQLite audit log, Docker deploy. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-27 14:36:02 +02:00
commit 284924e86d
17 changed files with 1646 additions and 0 deletions
--- a/app/main.py
+++ b/app/main.py
@@ -0,0 +1,308 @@
+import csv
+import io
+import datetime
+import secrets
+import logging
+import os
+from typing import Optional
+
+# Load .env before any module-level os.getenv() calls in auth/omada/database
+from dotenv import load_dotenv
+load_dotenv()
+
+from fastapi import FastAPI, Request, Depends, HTTPException
+from fastapi.responses import HTMLResponse, RedirectResponse, StreamingResponse
+from fastapi.templating import Jinja2Templates
+from fastapi.staticfiles import StaticFiles
+from starlette.middleware.sessions import SessionMiddleware
+from sqlalchemy.orm import Session
+
+from app.database import init_db, get_db, RebootLog
+from app.auth import (
+    SESSION_SECRET_KEY,
+    build_login_url,
+    exchange_code,
+    get_current_user,
+)
+from app.omada import omada_client
+
+logging.basicConfig(level=logging.INFO, format="%(asctime)s %(levelname)s %(name)s: %(message)s")
+logger = logging.getLogger(__name__)
+
+app = FastAPI(title="Salus by Stranto", docs_url=None, redoc_url=None)
+
+app.add_middleware(
+    SessionMiddleware,
+    secret_key=SESSION_SECRET_KEY,
+    max_age=86400,
+    same_site="lax",
+    https_only=False,
+)
+
+BASE_DIR = os.path.dirname(__file__)
+templates = Jinja2Templates(directory=os.path.join(BASE_DIR, "templates"))
+app.mount("/static", StaticFiles(directory=os.path.join(BASE_DIR, "static")), name="static")
+
+
+@app.on_event("startup")
+async def startup():
+    init_db()
+    logger.info("Database initialized")
+
+
+@app.get("/health")
+async def health():
+    return {"status": "ok"}
+
+
+@app.get("/debug/sites")
+async def debug_sites():
+    """Temporary: lists all accessible Omada sites."""
+    try:
+        sites = await omada_client.get_all_sites()
+        return {"sites": [{"name": k, "key": v} for k, v in sites.items()]}
+    except Exception as exc:
+        return {"error": str(exc)}
+
+
+# ---------------------------------------------------------------------------
+# Auth helpers
+# ---------------------------------------------------------------------------
+
+def _redirect_login():
+    return RedirectResponse("/auth/login", status_code=302)
+
+
+def _get_user_or_redirect(request: Request):
+    """Return user dict or a RedirectResponse. Callers must check the type."""
+    return get_current_user(request)
+
+
+def _csrf_token(request: Request) -> str:
+    if "csrf_token" not in request.session:
+        request.session["csrf_token"] = secrets.token_hex(32)
+    return request.session["csrf_token"]
+
+
+def _verify_csrf(request: Request, token: str):
+    expected = request.session.get("csrf_token")
+    if not expected or not secrets.compare_digest(expected, token):
+        raise HTTPException(status_code=403, detail="CSRF token invalid")
+
+
+AUTH_DISABLED = os.getenv("AUTH_DISABLED", "false").strip().lower() == "true"
+
+DEV_USER = {"username": "dev-user", "email": "dev@localhost", "name": "Dev User", "sub": "dev"}
+
+
+# ---------------------------------------------------------------------------
+# Auth routes
+# ---------------------------------------------------------------------------
+
+@app.get("/auth/login", response_class=HTMLResponse)
+async def login(request: Request):
+    if AUTH_DISABLED:
+        request.session["user"] = DEV_USER
+        return RedirectResponse("/", status_code=302)
+    if get_current_user(request):
+        return RedirectResponse("/", status_code=302)
+    return templates.TemplateResponse("login.html", {"request": request})
+
+
+@app.get("/auth/login/start")
+async def login_start(request: Request):
+    if AUTH_DISABLED:
+        request.session["user"] = DEV_USER
+        return RedirectResponse("/", status_code=302)
+    url = await build_login_url(request)
+    return RedirectResponse(url, status_code=302)
+
+
+@app.get("/auth/callback")
+async def callback(request: Request):
+    await exchange_code(request)
+    return RedirectResponse("/", status_code=302)
+
+
+@app.get("/auth/logout")
+async def logout(request: Request):
+    request.session.clear()
+    return RedirectResponse("/auth/login", status_code=302)
+
+
+# ---------------------------------------------------------------------------
+# Main pages
+# ---------------------------------------------------------------------------
+
+@app.get("/", response_class=HTMLResponse)
+async def index(request: Request):
+    user = get_current_user(request)
+    if not user:
+        return _redirect_login()
+
+    error: Optional[str] = None
+    aps: list = []
+    try:
+        aps = await omada_client.get_aps()
+    except Exception as exc:
+        logger.error("Failed to fetch APs: %s", exc)
+        error = str(exc)
+
+    csrf = _csrf_token(request)
+    return templates.TemplateResponse("index.html", {
+        "request": request,
+        "user": user,
+        "aps": aps,
+        "error": error,
+        "csrf_token": csrf,
+    })
+
+
+@app.get("/audit", response_class=HTMLResponse)
+async def audit_page(
+    request: Request,
+    db: Session = Depends(get_db),
+    username: str = "",
+    ap_name: str = "",
+):
+    user = get_current_user(request)
+    if not user:
+        return _redirect_login()
+
+    query = db.query(RebootLog).order_by(RebootLog.timestamp.desc())
+    if username.strip():
+        query = query.filter(RebootLog.username.icontains(username.strip()))
+    if ap_name.strip():
+        query = query.filter(RebootLog.ap_name.icontains(ap_name.strip()))
+    logs = query.all()
+
+    return templates.TemplateResponse("audit.html", {
+        "request": request,
+        "user": user,
+        "logs": logs,
+        "filter_username": username,
+        "filter_ap": ap_name,
+    })
+
+
+@app.get("/audit/export")
+async def export_csv(request: Request, db: Session = Depends(get_db)):
+    user = get_current_user(request)
+    if not user:
+        return _redirect_login()
+
+    logs = db.query(RebootLog).order_by(RebootLog.timestamp.desc()).all()
+    buf = io.StringIO()
+    writer = csv.writer(buf)
+    writer.writerow(["Timestamp (UTC)", "Username", "Email", "AP Name", "MAC", "IP", "Result", "Error"])
+    for log in logs:
+        writer.writerow([
+            log.timestamp.isoformat(timespec="seconds"),
+            log.username,
+            log.user_email,
+            log.ap_name,
+            log.ap_mac,
+            log.ap_ip or "",
+            log.result,
+            log.error_message or "",
+        ])
+
+    filename = f"audit_log_{datetime.date.today().isoformat()}.csv"
+    return StreamingResponse(
+        io.BytesIO(buf.getvalue().encode("utf-8-sig")),
+        media_type="text/csv",
+        headers={"Content-Disposition": f'attachment; filename="{filename}"'},
+    )
+
+
+# ---------------------------------------------------------------------------
+# API endpoints
+# ---------------------------------------------------------------------------
+
+@app.post("/api/reboot")
+async def api_reboot(request: Request, db: Session = Depends(get_db)):
+    user = get_current_user(request)
+    if not user:
+        raise HTTPException(status_code=401, detail="Not authenticated")
+
+    body = await request.json()
+    _verify_csrf(request, body.get("csrf_token", ""))
+
+    mac: str = body.get("mac", "").strip()
+    ap_name: str = body.get("name", "")
+    ap_ip: str = body.get("ip", "")
+    site_key: str = body.get("site_key", "")
+
+    if not mac:
+        raise HTTPException(status_code=400, detail="MAC address required")
+
+    result = "success"
+    error_msg: Optional[str] = None
+    try:
+        await omada_client.reboot_ap(mac, site_key)
+        logger.info("Reboot sent for AP %s (%s) by %s", ap_name, mac, user["username"])
+    except Exception as exc:
+        result = "error"
+        error_msg = str(exc)
+        logger.error("Reboot failed for AP %s (%s): %s", ap_name, mac, exc)
+
+    db.add(RebootLog(
+        timestamp=datetime.datetime.utcnow(),
+        username=user["username"],
+        user_email=user["email"],
+        ap_name=ap_name,
+        ap_mac=mac,
+        ap_ip=ap_ip,
+        result=result,
+        error_message=error_msg,
+    ))
+    db.commit()
+
+    if result == "error":
+        raise HTTPException(status_code=502, detail=error_msg)
+    return {"status": "ok", "mac": mac}
+
+
+@app.post("/api/reboot-bulk")
+async def api_reboot_bulk(request: Request, db: Session = Depends(get_db)):
+    user = get_current_user(request)
+    if not user:
+        raise HTTPException(status_code=401, detail="Not authenticated")
+
+    body = await request.json()
+    _verify_csrf(request, body.get("csrf_token", ""))
+
+    aps: list = body.get("aps", [])
+    if not aps:
+        raise HTTPException(status_code=400, detail="No APs specified")
+
+    results = []
+    for ap in aps:
+        mac = ap.get("mac", "").strip()
+        ap_name = ap.get("name", "")
+        ap_ip = ap.get("ip", "")
+        site_key = ap.get("site_key", "")
+        result = "success"
+        error_msg = None
+        try:
+            await omada_client.reboot_ap(mac, site_key)
+            logger.info("Bulk reboot sent for AP %s (%s) by %s", ap_name, mac, user["username"])
+        except Exception as exc:
+            result = "error"
+            error_msg = str(exc)
+            logger.error("Bulk reboot failed for AP %s (%s): %s", ap_name, mac, exc)
+
+        db.add(RebootLog(
+            timestamp=datetime.datetime.utcnow(),
+            username=user["username"],
+            user_email=user["email"],
+            ap_name=ap_name,
+            ap_mac=mac,
+            ap_ip=ap_ip,
+            result=result,
+            error_message=error_msg,
+        ))
+        results.append({"mac": mac, "name": ap_name, "result": result, "error": error_msg})
+
+    db.commit()
+    return {"results": results}