brandon/nas-burnin
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
nas-burnin/app/database.py
Brandon Walter d4c0770b9e feat: app-level login + hardening sweep (1.0.0-22 -> 1.0.0-23) 
Two layered changes shipped in this branch:

== 1.0.0-22: app-level authentication ==

The dashboard previously had only an IP allowlist. Adds username +
bcrypt password auth, signed-cookie sessions, and a "first user setup"
flow.

* New app/auth.py: User dataclass, bcrypt hash/verify, get_user_by_id/
  username, create_user, touch_last_login, FastAPI `get_current_user`
  dependency. Session secret loaded from SESSION_SECRET env or persisted
  to /data/session_secret.
* New app/auth_cli.py: `python -m app.auth_cli list|reset|add` for
  out-of-band user management. Passwords always read from a TTY prompt.
* Schema: idempotent ALTER for `users` table (id, username unique,
  password_hash, full_name, is_admin, created_at, last_login_at).
* main.py: SessionMiddleware (HMAC-signed cookie, max-age 7 days,
  SameSite=strict — see hardening section) + _AuthGateMiddleware that
  populates request.state.current_user and bounces unauth'd HTML GETs
  to /login while returning 401 JSON for everything else.
* Routes: GET /login renders first-user-setup form when users table is
  empty otherwise sign-in form; POST /login; POST /api/v1/auth/setup
  (only works while empty); GET|POST /logout.
* Bootstrap: env vars INITIAL_ADMIN_USERNAME + INITIAL_ADMIN_PASSWORD
  create the first admin on startup if both set AND users table empty.
  Ignored thereafter — change passwords via UI or CLI.
* Layout: header shows current_user.full_name|username + Logout link.
  Modal operator field auto-fills from the logged-in user via
  <meta name="default-operator"> rendered in layout (replaces the
  localStorage-only previous behaviour).
* requirements.txt: pinned bcrypt>=4.0,<5.0, itsdangerous>=2.1,
  python-multipart>=0.0.7. First step toward addressing the
  unpinned-deps gotcha.
* New app/templates/login.html with first-user-setup variant.

== 1.0.0-23: hardening sweep ==

Closes the eight-item gap audit:

* DB retention + automated backup. New app/retention.py runs daily at
  03:00 local. Nulls burnin_stages.log_text on stages older than
  retention_log_days (default 35), VACUUMs to reclaim pages, then runs
  `sqlite3 .backup` to /data/backups/app-YYYY-MM-DD.db keeping the
  retention_backup_keep most recent (default 14). Wired into the
  lifespan supervisor next to mailer/poller.

* CSRF mitigation. SessionMiddleware bumped to SameSite=strict so the
  browser refuses to send the session cookie on cross-site POSTs —
  removes the actual CSRF vector. Trade-off: external links into the
  app require re-auth.

* Login rate limiting. In-memory per-username AND per-source-IP failure
  counters in auth.py. 10 failures within 10 min trips a 15-min lockout
  for both keys. Returns HTTP 429 with a clear "try again in N min"
  message. Cleared on successful login.

* Login audit events. New event types in audit_events: user_login,
  user_login_failed, user_login_locked_out, user_logout,
  user_password_changed. All include source IP. Recorded via
  auth.audit_auth_event().

* Password change UI. Header link "Change password" opens
  templates/components/modal_password.html (current/new/confirm).
  Posts to POST /api/v1/auth/change-password — bcrypt-verifies current,
  requires >=8 char new pw, writes audit event.

* NVMe burn-in path. _stage_surface_validate now detects nvme*
  devnames and routes to _stage_surface_validate_nvme() which runs
  `nvme format -s 1 --force` (cryptographic erase). Seconds vs hours
  of badblocks, exercises the controller's secure-erase. Falls back
  to badblocks if nvme-cli isn't installed. Post-format SMART check.

* Mounted-FS detection. ssh_client.get_mounted_drives() runs
  `findmnt -no SOURCE`, parses non-ZFS sources back to base devnames.
  Poller treats them as pool_name='(mounted)', pool_role='mounted'.
  Confirm token DESTROY MOUNTED FILESYSTEM, distinct purple styling,
  audit event mounted_drive_unlocked, daily-report banner picks it up.

* Deeper /health. Real readiness check — DB write probe (PRAGMA
  journal_mode), poller freshness (age <= 3x stale_threshold), SSH
  test_connection() when configured. Returns 503 when any check fails
  so a proxy/orchestrator can take the container out of rotation.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 11:08:29 -04:00

170 lines
6.4 KiB
Python
Raw Blame History

import aiosqlite
from pathlib import Path
from app.config import settings
SCHEMA = """
CREATE TABLE IF NOT EXISTS drives (
id INTEGER PRIMARY KEY AUTOINCREMENT,
truenas_disk_id TEXT UNIQUE NOT NULL,
devname TEXT NOT NULL,
serial TEXT,
model TEXT,
size_bytes INTEGER,
temperature_c INTEGER,
smart_health TEXT DEFAULT 'UNKNOWN',
last_seen_at TEXT NOT NULL,
last_polled_at TEXT NOT NULL,
notes TEXT,
location TEXT
);
CREATE TABLE IF NOT EXISTS smart_tests (
id INTEGER PRIMARY KEY AUTOINCREMENT,
drive_id INTEGER NOT NULL REFERENCES drives(id) ON DELETE CASCADE,
test_type TEXT NOT NULL CHECK(test_type IN ('short', 'long')),
state TEXT NOT NULL DEFAULT 'idle',
percent INTEGER DEFAULT 0,
truenas_job_id INTEGER,
started_at TEXT,
eta_at TEXT,
finished_at TEXT,
error_text TEXT,
UNIQUE(drive_id, test_type)
);
CREATE TABLE IF NOT EXISTS burnin_jobs (
id INTEGER PRIMARY KEY AUTOINCREMENT,
drive_id INTEGER NOT NULL REFERENCES drives(id),
profile TEXT NOT NULL,
state TEXT NOT NULL DEFAULT 'queued',
percent INTEGER DEFAULT 0,
stage_name TEXT,
operator TEXT NOT NULL,
created_at TEXT NOT NULL,
started_at TEXT,
finished_at TEXT,
error_text TEXT
);
CREATE TABLE IF NOT EXISTS burnin_stages (
id INTEGER PRIMARY KEY AUTOINCREMENT,
burnin_job_id INTEGER NOT NULL REFERENCES burnin_jobs(id) ON DELETE CASCADE,
stage_name TEXT NOT NULL,
state TEXT NOT NULL DEFAULT 'pending',
percent INTEGER DEFAULT 0,
started_at TEXT,
finished_at TEXT,
duration_seconds REAL,
error_text TEXT
);
CREATE TABLE IF NOT EXISTS audit_events (
id INTEGER PRIMARY KEY AUTOINCREMENT,
event_type TEXT NOT NULL,
drive_id INTEGER REFERENCES drives(id),
burnin_job_id INTEGER REFERENCES burnin_jobs(id),
operator TEXT,
message TEXT NOT NULL,
created_at TEXT NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now'))
);
CREATE INDEX IF NOT EXISTS idx_smart_drive_type ON smart_tests(drive_id, test_type);
CREATE INDEX IF NOT EXISTS idx_burnin_jobs_drive ON burnin_jobs(drive_id, state);
CREATE INDEX IF NOT EXISTS idx_burnin_stages_job ON burnin_stages(burnin_job_id);
CREATE INDEX IF NOT EXISTS idx_audit_events_job ON audit_events(burnin_job_id);
"""
# Migrations for existing databases that predate schema additions.
# Each entry is tried with try/except — SQLite raises OperationalError
# ("duplicate column name") if the column already exists, which is safe to ignore.
_MIGRATIONS = [
"ALTER TABLE drives ADD COLUMN notes TEXT",
"ALTER TABLE drives ADD COLUMN location TEXT",
# Stage 7: SSH command output + SMART attribute storage
"ALTER TABLE burnin_stages ADD COLUMN log_text TEXT",
"ALTER TABLE burnin_stages ADD COLUMN bad_blocks INTEGER DEFAULT 0",
"ALTER TABLE drives ADD COLUMN smart_attrs TEXT",
"ALTER TABLE smart_tests ADD COLUMN raw_output TEXT",
# Stage 8: track last reset time so dashboard burn-in col clears after reset
"ALTER TABLE drives ADD COLUMN last_reset_at TEXT",
# 1.0.0-15: pool-membership lock
"ALTER TABLE drives ADD COLUMN pool_name TEXT",
"ALTER TABLE drives ADD COLUMN pool_role TEXT",
"ALTER TABLE drives ADD COLUMN pool_seen_at TEXT",
# 1.0.0-19: enforce one active burn-in per drive at the storage layer.
# Closes the read-then-insert race in burnin.start_job — without this,
# two concurrent /api/v1/burnin/start requests for the same drive could
# both observe zero active jobs and both insert queued rows.
"""CREATE UNIQUE INDEX IF NOT EXISTS uniq_active_burnin_per_drive
ON burnin_jobs (drive_id) WHERE state IN ('queued', 'running')""",
# 1.0.0-22: app-level login (username + bcrypt password)
"""CREATE TABLE IF NOT EXISTS users (
id INTEGER PRIMARY KEY AUTOINCREMENT,
username TEXT UNIQUE NOT NULL,
password_hash TEXT NOT NULL,
full_name TEXT,
is_admin INTEGER NOT NULL DEFAULT 0,
created_at TEXT NOT NULL,
last_login_at TEXT
)""",
]
async def _run_migrations(db: aiosqlite.Connection) -> None:
for sql in _MIGRATIONS:
try:
await db.execute(sql)
except Exception:
pass # Column already exists — harmless
# Remove the old CHECK(profile IN ('quick','full')) constraint if present.
# SQLite can't ALTER a CHECK — requires a full table rebuild.
cur = await db.execute(
"SELECT sql FROM sqlite_master WHERE type='table' AND name='burnin_jobs'"
)
row = await cur.fetchone()
if row and "CHECK" in (row[0] or ""):
await db.executescript("""
PRAGMA foreign_keys=OFF;
CREATE TABLE burnin_jobs_new (
id INTEGER PRIMARY KEY AUTOINCREMENT,
drive_id INTEGER NOT NULL REFERENCES drives(id),
profile TEXT NOT NULL,
state TEXT NOT NULL DEFAULT 'queued',
percent INTEGER DEFAULT 0,
stage_name TEXT,
operator TEXT NOT NULL,
created_at TEXT NOT NULL,
started_at TEXT,
finished_at TEXT,
error_text TEXT
);
INSERT INTO burnin_jobs_new SELECT * FROM burnin_jobs;
DROP TABLE burnin_jobs;
ALTER TABLE burnin_jobs_new RENAME TO burnin_jobs;
CREATE INDEX IF NOT EXISTS idx_burnin_jobs_drive ON burnin_jobs(drive_id, state);
PRAGMA foreign_keys=ON;
""")
async def init_db() -> None:
Path(settings.db_path).parent.mkdir(parents=True, exist_ok=True)
async with aiosqlite.connect(settings.db_path) as db:
await db.execute("PRAGMA journal_mode=WAL")
await db.execute("PRAGMA foreign_keys=ON")
await db.executescript(SCHEMA)
await _run_migrations(db)
await db.commit()
async def get_db():
db = await aiosqlite.connect(settings.db_path)
db.row_factory = aiosqlite.Row
try:
await db.execute("PRAGMA journal_mode=WAL")
await db.execute("PRAGMA foreign_keys=ON")
yield db
finally:
await db.close()
Reference in a new issue View git blame Copy permalink