friwall/web/__init__.py

import os
import syslog
import secrets

import flask
import flask_login

def create_app(test_config=None):
    app = flask.Flask(__name__)
    syslog.openlog('friwall')

    # Ensure all required keys exist.
    settings = {
        'secret_key': secrets.token_hex(),
        'ldap_host': '',
        'ldap_user': '',
        'ldap_pass': '',
        'ldap_base_dn': '', # search for VPN users under this DN
        'user_group': '', # limit VPN users to this LDAP group
        'oidc_server': '',
        'oidc_client_id': '',
        'oidc_client_secret': '',
        'admin_group': '', # OIDC group for admin access
        'admin_mail': '', # where to report errors
        'no_nat_set': '', # name of destination IP set for which no NAT should be done
        'wg_endpoint': '',
        'wg_port': '51820',
        'wg_allowed_nets': '',
        'wg_dns': '',
        'wg_key': '',
        'wg_net': '', # allocate wireguard IPv4 addresses from this prefix
        'wg_net6': '', # allocate wireguard IPv6 addresses from this prefix
        'version': 0,
    }

    from . import db
    with db.locked():
        settings |= db.read('settings')
        db.write('settings', settings)

    app.config['SECRET_KEY'] = settings.get('secret_key', '')

    from . import auth
    auth.init_app(app, settings)

    from . import errors
    errors.init_app(app)

    from . import system
    system.init_app(app)

    from . import config
    app.register_blueprint(config.blueprint, url_prefix='/config')

    from . import ipsets
    app.register_blueprint(ipsets.blueprint, url_prefix='/ipsets')

    from . import rules
    app.register_blueprint(rules.blueprint, url_prefix='/rules')

    from . import vpn
    app.register_blueprint(vpn.blueprint, url_prefix='/vpn')

    @app.route('/')
    @flask_login.login_required
    def home():
        return flask.render_template('index.html')

    @app.route('/nodes')
    @flask_login.login_required
    def nodes():
        if not flask_login.current_user.is_admin:
            return flask.Response('forbidden', status=403, mimetype='text/plain')
        with db.locked('nodes'):
            version = db.load('settings').get('version')
            nodes = db.read('nodes')
        return flask.render_template('nodes.html', version=version, nodes=nodes)

    return app
Make a squash 2022-01-03 10:33:02 +00:00			`import os`
Add error reporting over email and improve logging 2023-07-03 13:55:49 +00:00			`import syslog`
Initialize settings 2023-01-26 15:11:32 +00:00			`import secrets`
Make a squash 2022-01-03 10:33:02 +00:00
			`import flask`
			`import flask_login`

			`def create_app(test_config=None):`
			`app = flask.Flask(__name__)`
Add error reporting over email and improve logging 2023-07-03 13:55:49 +00:00			`syslog.openlog('friwall')`
Make a squash 2022-01-03 10:33:02 +00:00
Initialize settings 2023-01-26 15:11:32 +00:00			`# Ensure all required keys exist.`
			`settings = {`
Fix up Flask settings DEBUG is apparently strongly discouraged. Use --debug instead. 2023-05-29 11:34:44 +00:00			`'secret_key': secrets.token_hex(),`
Initialize settings 2023-01-26 15:11:32 +00:00			`'ldap_host': '',`
			`'ldap_user': '',`
			`'ldap_pass': '',`
Add setting to disable NAT for a given destination IP set 2024-09-16 14:24:09 +00:00			`'ldap_base_dn': '', # search for VPN users under this DN`
			`'user_group': '', # limit VPN users to this LDAP group`
Get OIDC end_session_endpoint from server metadata 2023-09-14 08:09:45 +00:00			`'oidc_server': '',`
Switch to OIDC authentication 2023-09-06 12:28:06 +00:00			`'oidc_client_id': '',`
			`'oidc_client_secret': '',`
Add setting to disable NAT for a given destination IP set 2024-09-16 14:24:09 +00:00			`'admin_group': '', # OIDC group for admin access`
			`'admin_mail': '', # where to report errors`
			`'no_nat_set': '', # name of destination IP set for which no NAT should be done`
Initialize settings 2023-01-26 15:11:32 +00:00			`'wg_endpoint': '',`
			`'wg_port': '51820',`
Parametrize wg.conf template 2023-09-15 11:59:04 +00:00			`'wg_allowed_nets': '',`
Fix default wg_dns setting All settings are processed as strings so use empty string in place of False for default. 2024-07-29 09:16:08 +00:00			`'wg_dns': '',`
Initialize settings 2023-01-26 15:11:32 +00:00			`'wg_key': '',`
Add setting to disable NAT for a given destination IP set 2024-09-16 14:24:09 +00:00			`'wg_net': '', # allocate wireguard IPv4 addresses from this prefix`
			`'wg_net6': '', # allocate wireguard IPv6 addresses from this prefix`
Initialize settings 2023-01-26 15:11:32 +00:00			`'version': 0,`
			`}`
Make a squash 2022-01-03 10:33:02 +00:00
			`from . import db`
Simplify database locking Use a single lock for everything to ensure we don’t go inconsistent. One exception is the firewall nodes table which is only accessed when pushing updated config. 2023-05-19 07:30:28 +00:00			`with db.locked():`
Initialize settings 2023-01-26 15:11:32 +00:00			`settings \|= db.read('settings')`
			`db.write('settings', settings)`

			`app.config['SECRET_KEY'] = settings.get('secret_key', '')`
Make a squash 2022-01-03 10:33:02 +00:00
			`from . import auth`
Get OIDC end_session_endpoint from server metadata 2023-09-14 08:09:45 +00:00			`auth.init_app(app, settings)`
Switch to OIDC authentication 2023-09-06 12:28:06 +00:00
			`from . import errors`
			`errors.init_app(app)`

			`from . import system`
			`system.init_app(app)`
Make a squash 2022-01-03 10:33:02 +00:00
			`from . import config`
Set blueprint paths in main app Make blueprints more self-contained for no apparent reason. 2023-12-04 08:46:37 +00:00			`app.register_blueprint(config.blueprint, url_prefix='/config')`
Make a squash 2022-01-03 10:33:02 +00:00
Add form for editing ipsets 2023-07-24 13:45:45 +00:00			`from . import ipsets`
Set blueprint paths in main app Make blueprints more self-contained for no apparent reason. 2023-12-04 08:46:37 +00:00			`app.register_blueprint(ipsets.blueprint, url_prefix='/ipsets')`
Add form for editing ipsets 2023-07-24 13:45:45 +00:00
Add support for managing forwarding rules 2023-05-29 10:24:21 +00:00			`from . import rules`
Set blueprint paths in main app Make blueprints more self-contained for no apparent reason. 2023-12-04 08:46:37 +00:00			`app.register_blueprint(rules.blueprint, url_prefix='/rules')`
Add support for managing forwarding rules 2023-05-29 10:24:21 +00:00
Make a squash 2022-01-03 10:33:02 +00:00			`from . import vpn`
Set blueprint paths in main app Make blueprints more self-contained for no apparent reason. 2023-12-04 08:46:37 +00:00			`app.register_blueprint(vpn.blueprint, url_prefix='/vpn')`
Make a squash 2022-01-03 10:33:02 +00:00
			`@app.route('/')`
			`@flask_login.login_required`
			`def home():`
			`return flask.render_template('index.html')`

Add node status page 2023-07-07 07:16:51 +00:00			`@app.route('/nodes')`
			`@flask_login.login_required`
			`def nodes():`
Switch to OIDC authentication 2023-09-06 12:28:06 +00:00			`if not flask_login.current_user.is_admin:`
			`return flask.Response('forbidden', status=403, mimetype='text/plain')`
			`with db.locked('nodes'):`
			`version = db.load('settings').get('version')`
			`nodes = db.read('nodes')`
			`return flask.render_template('nodes.html', version=version, nodes=nodes)`
Add node status page 2023-07-07 07:16:51 +00:00
Make a squash 2022-01-03 10:33:02 +00:00			`return app`