Compare commits

...

24 Commits

Author SHA1 Message Date
Aiirondev_dev c8818edf0b better documentation for error finding and slight adjustments for library_loan_admin _ensure_audit_indexes_once 2026-06-25 09:37:44 +02:00
Aiirondev_dev b270bc9367 another relevant change to password security for the salt that is generated for every user Indivisdualy, to fix the temporary approach from before 2026-06-24 19:41:22 +02:00
Aiirondev_dev e1c284fc40 additional changes to the generatio of the tenant 2026-06-24 17:24:34 +02:00
Aiirondev_dev debd4dceb1 additional changes for the encoding 2026-06-24 17:02:56 +02:00
Aiirondev_dev db15df57c3 Merge remote-tracking branch 'refs/remotes/origin/main' 2026-06-24 17:02:30 +02:00
Aiirondev_dev bcfe2095d5 slight fix of the encoding of the Processing for firsdt user generation 2026-06-24 17:01:20 +02:00
Aiirondev_dev 69ac6eca63 Some more fixes of the manage-tenants.sh file 2026-06-24 15:55:21 +02:00
Aiirondev_dev 717e3ce15e Merge remote-tracking branch 'refs/remotes/origin/main' 2026-06-24 12:51:33 +02:00
Aiirondev_dev 007ae04bf3 SIGHT CHANGES FOR THE CORRECT STARTUP OF THE DATABASE 2026-06-24 12:51:15 +02:00
Aiirondev_dev c0947c5cf1 fix for the adding process of manage-tenant 2026-06-24 00:38:47 +02:00
Aiirondev_dev c1d2935ad6 nother changes for the removal of the tenant Databases 2026-06-24 00:30:25 +02:00
Aiirondev_dev 9fde0b4b2a slight fixes of the removal process 2026-06-24 00:18:21 +02:00
Aiirondev_dev da7b075cc4 addition of thew help for tenant managment 2026-06-23 23:57:35 +02:00
Aiirondev_dev 347f258b8f adjustment of the encryption for user password 2026-06-23 22:41:53 +02:00
Aiirondev_dev 2421f867ed Smal changes for Module access 2026-06-23 14:40:27 +02:00
Aiirondev_dev 921915e92f new slight adjust of some namings in thze dropdown 2026-06-23 14:26:39 +02:00
Aiirondev_dev a4b0866293 permision changes for testing 2026-06-23 13:03:51 +02:00
Aiirondev_dev e10d86da4b manage te damaged Item ffield 2026-06-23 12:26:09 +02:00
Aiirondev_dev f160f23e9c sdmal changes 2026-06-23 12:01:23 +02:00
Aiirondev_dev ca272542de Merge remote-tracking branch 'refs/remotes/origin/main' 2026-06-22 00:21:26 +02:00
Aiirondev_dev 7df9b65389 Changes from sha512 to scrypt to fit with DS-GVO 2026-06-22 00:21:15 +02:00
Aiirondev_dev e4af76c9c1 smal change of the upload layout and text, changes of the Student Barcode download to alow further scoolyears 2026-06-20 13:54:42 +02:00
Aiirondev_dev f5944bf090 implementation of the Item Media Type 2026-06-20 12:01:21 +02:00
Aiirondev_dev 4e68da2368 Second Changes to include the Scool name into the Bibliotheksausweis 2026-06-18 13:09:57 +02:00
9 changed files with 245 additions and 250 deletions
+1 -2
View File
@@ -8,5 +8,4 @@ INVENTAR_APP_MEM_SWAP_LIMIT=768m
INVENTAR_WORKERS=4 INVENTAR_WORKERS=4
INVENTAR_THREADS=2 INVENTAR_THREADS=2
INVENTAR_WORKER_TIMEOUT=30 INVENTAR_WORKER_TIMEOUT=30
INVENTAR_WORKER_CONNECTIONS=100 INVENTAR_WORKER_CONNECTIONS=100
+2
View File
@@ -1,5 +1,7 @@
services: services:
app: app:
working_dir: /app/Web
command: ["gunicorn", "app:app", "--bind", "0.0.0.0:8000", "--workers", "4", "--threads", "2", "--timeout", "30", "--graceful-timeout", "20", "--worker-connections", "100", "--max-requests", "1000", "--max-requests-jitter", "100", "--log-level", "info", "--access-logfile", "-", "--error-logfile", "-"]
image: ghcr.io/aiirondev/legendary-octo-garbanzo:v0.7.42 image: ghcr.io/aiirondev/legendary-octo-garbanzo:v0.7.42
build: null build: null
ports: ports:
+8
View File
@@ -556,6 +556,14 @@ sudo chmod 644 certs/inventarsystem.crt
## Fehlerbehebung ## Fehlerbehebung
### Logs Auslesen
```bash
docker logs inventarsystem-app-1
docker exec inventarsystem-app-1 cat /data/logs/application.log | tail -n 100
docker compose exec mongodb mongosh
```
### Webserver startet nicht ### Webserver startet nicht
```bash ```bash
+21 -4
View File
@@ -731,6 +731,7 @@ AUDIT_INDEXES_READY = False
def _ensure_audit_indexes_once(): def _ensure_audit_indexes_once():
"""Ensure audit indexes exist once per process.""" """Ensure audit indexes exist once per process."""
global AUDIT_INDEXES_READY
if AUDIT_INDEXES_READY: if AUDIT_INDEXES_READY:
return return
@@ -1736,7 +1737,6 @@ def is_valid_isbn13(isbn13):
check_digit = (10 - (checksum % 10)) % 10 check_digit = (10 - (checksum % 10)) % 10
return check_digit == int(isbn13[12]) return check_digit == int(isbn13[12])
def normalize_and_validate_isbn(isbn_raw): def normalize_and_validate_isbn(isbn_raw):
"""Normalize ISBN and return a valid canonical ISBN-13/10 or empty string.""" """Normalize ISBN and return a valid canonical ISBN-13/10 or empty string."""
isbn = normalize_isbn(isbn_raw) isbn = normalize_isbn(isbn_raw)
@@ -1996,7 +1996,7 @@ def _upload_student_cards_excel():
synonyms = { synonyms = {
'ausweis_id': ['ausweis_id', 'ausweisid', 'ausweis-id', 'karte', 'kartennummer', 'card_id', 'id'], 'ausweis_id': ['ausweis_id', 'ausweisid', 'ausweis-id', 'karte', 'kartennummer', 'card_id', 'id'],
'student_name': ['student_name', 'schuelername', 'schülername', 'schueler', 'schüler', 'name', 'vollname', 'vorname_nachname', 'nachname_vorname'], 'student_name': ['student_name', 'schuelername', 'schülername', 'schueler', 'schüler', 'name', 'vollname', 'vorname_nachname', 'nachname_vorname'],
'first_name': ['vorname', 'first_name', 'firstname'], 'first_name': ['vorname', 'first_name', 'firstname', 'rufname'],
'last_name': ['nachname', 'last_name', 'lastname'], 'last_name': ['nachname', 'last_name', 'lastname'],
'class_name': ['klasse', 'class', 'class_name', 'jahrgang', 'jahrgangsstufe', 'stufe', 'gruppe', 'asv_klasse'], 'class_name': ['klasse', 'class', 'class_name', 'jahrgang', 'jahrgangsstufe', 'stufe', 'gruppe', 'asv_klasse'],
'notes': ['notizen', 'notes', 'bemerkungen', 'bemerkung', 'hinweis', 'hinweise'], 'notes': ['notizen', 'notes', 'bemerkungen', 'bemerkung', 'hinweis', 'hinweise'],
@@ -4154,6 +4154,10 @@ def student_card_barcode_download():
c.setFillColor(text_dark) c.setFillColor(text_dark)
c.setFont("Helvetica-Bold", 9) c.setFont("Helvetica-Bold", 9)
c.drawString(x_pos + 3*mm, y_pos - 28*mm, card['Klasse']) c.drawString(x_pos + 3*mm, y_pos - 28*mm, card['Klasse'])
c.drawString(x_pos + 3*mm, y_pos - 31*mm, "-")
c.drawString(x_pos + 3*mm, y_pos - 34*mm, "-")
c.drawString(x_pos + 3*mm, y_pos - 37*mm, "-")
c.drawString(x_pos + 3*mm, y_pos - 40*mm, "-")
# Right barcode section with border highlight # Right barcode section with border highlight
barcode_x_start = x_pos + info_width + 1*mm barcode_x_start = x_pos + info_width + 1*mm
@@ -4294,10 +4298,12 @@ def student_card_single_barcode_download(card_id):
c.setLineWidth(2.5) c.setLineWidth(2.5)
c.line(x_pos, y_pos - 10*mm, x_pos + card_width, y_pos - 10*mm) c.line(x_pos, y_pos - 10*mm, x_pos + card_width, y_pos - 10*mm)
school_name = cfg.get_school_info()
school_name = school_name["name"]
# "SCHÜLERAUSWEIS" text in header # "SCHÜLERAUSWEIS" text in header
c.setFont("Helvetica-Bold", 11) c.setFont("Helvetica-Bold", 11)
c.setFillColor(white) c.setFillColor(white)
c.drawString(x_pos + 4*mm, y_pos - 6.5*mm, "SCHÜLERAUSWEIS") c.drawString(x_pos + 4*mm, y_pos - 6.5*mm, f"SCHÜLERAUSWEIS - {str(school_name)}")
# Student name - large and prominent # Student name - large and prominent
c.setFillColor(text_dark) c.setFillColor(text_dark)
@@ -5110,6 +5116,7 @@ def upload_item():
upload_mode = sanitize_form_value(request.form.get('upload_mode', 'item')) upload_mode = sanitize_form_value(request.form.get('upload_mode', 'item'))
individual_codes_raw = sanitize_form_value(request.form.get('individual_codes', '')) individual_codes_raw = sanitize_form_value(request.form.get('individual_codes', ''))
item_count_raw = sanitize_form_value(request.form.get('item_count', '1')) item_count_raw = sanitize_form_value(request.form.get('item_count', '1'))
item_type_input = sanitize_form_value(request.form.get('item_type_input', ''))
try: try:
item_count = int(item_count_raw) if item_count_raw else 1 item_count = int(item_count_raw) if item_count_raw else 1
@@ -5189,6 +5196,8 @@ def upload_item():
item_isbn = isbn_raw item_isbn = isbn_raw
if upload_mode == 'library': if upload_mode == 'library':
item_type = 'book' item_type = 'book'
if item_type_input != "":
item_type = item_type_input
if upload_mode == 'library': if upload_mode == 'library':
if not cfg.MODULES.is_enabled('library'): if not cfg.MODULES.is_enabled('library'):
@@ -10263,10 +10272,18 @@ def notifications_unread_status():
@app.route('/admin/damaged_items') @app.route('/admin/damaged_items')
def admin_damaged_items(): def admin_damaged_items():
"""Dedicated admin management window for damaged items.""" """Dedicated admin management window for damaged items."""
if 'username' not in session or not us.check_admin(session['username']): if 'username' not in session:
flash('Administratorrechte erforderlich.', 'error') flash('Administratorrechte erforderlich.', 'error')
return redirect(url_for('login')) return redirect(url_for('login'))
'''
permissions = _get_current_user_permissions()
if not _action_access_allowed(permissions, 'can_manage_settings'):
flash('Sie haben keine Berechtigung, die Schulstammdaten zu ändern.', 'error')
if cfg.MODULES.is_enabled('library'):
return redirect(url_for('library_admin'))
'''
client = None client = None
try: try:
client = MongoClient(MONGODB_HOST, MONGODB_PORT) client = MongoClient(MONGODB_HOST, MONGODB_PORT)
+1 -2
View File
@@ -284,7 +284,6 @@ def _match_inventory(path):
if path == '/' or path.startswith('/home'): return True if path == '/' or path.startswith('/home'): return True
return path.startswith(('/scanner', '/inventory', '/upload_admin', '/manage_filters', '/manage_locations', '/admin_borrowings', '/admin_damaged_items', '/admin/borrowings', '/admin/damaged_items')) return path.startswith(('/scanner', '/inventory', '/upload_admin', '/manage_filters', '/manage_locations', '/admin_borrowings', '/admin_damaged_items', '/admin/borrowings', '/admin/damaged_items'))
def _match_terminplan(path): def _match_terminplan(path):
if not path: if not path:
return False return False
@@ -292,7 +291,7 @@ def _match_terminplan(path):
def _match_library(path): def _match_library(path):
if not path: return False if not path: return False
return path.startswith(('/library', '/library_', '/student_cards')) return path.startswith(('/library', '/library_', '/student_cards', '/admin_damaged_items', '/admin_borrowings', '/admin/library'))
def _match_student_cards(path): def _match_student_cards(path):
if not path: return False if not path: return False
+90 -105
View File
@@ -20,6 +20,8 @@ import string
from bson.objectid import ObjectId from bson.objectid import ObjectId
import Web.modules.database.settings as cfg import Web.modules.database.settings as cfg
from Web.modules.database.settings import MongoClient from Web.modules.database.settings import MongoClient
import hmac
import os
logger = logging.getLogger('app') logger = logging.getLogger('app')
logger.setLevel(logging.DEBUG) logger.setLevel(logging.DEBUG)
@@ -430,103 +432,84 @@ def check_password_strength(password):
return True return True
def hashing(password): def hashing(password, salt=None):
""" """
Hash a password using SHA-512. Hasht ein Passwort mit scrypt.
- Wenn kein Salt übergeben wird, wird ein sicherer, zufälliger Salt generiert (für neue Passwörter).
- Format für neue Hashes: v1$<salt_hex>$<hash_hex>
"""
password_bytes = password.encode('utf-8') # Explizit UTF-8 für Plattformunabhängigkeit
Args: if salt is None:
password (str): Password to hash # Neuer Benutzer / Passwortänderung -> Dynamischer Salt
random_salt = os.urandom(16)
Returns: hashed = hashlib.scrypt(password_bytes, salt=random_salt, n=16384, r=8, p=1)
str: Hexadecimal digest of the hashed password return f"v1${random_salt.hex()}${hashed.hex()}"
else:
# Bestehender Benutzer (wird zur Verifizierung aufgerufen)
hashed = hashlib.scrypt(password_bytes, salt=salt, n=16384, r=8, p=1)
return hashed.hex()
def verify_password(provided_password, stored_password_string):
""" """
return hashlib.sha512(password.encode()).hexdigest() Verifiziert ein Passwort gegen einen gespeicherten Hash-String.
Unterstützt das alte Format (statischer Salt) und das neue Format (v1$...).
"""
if not stored_password_string:
return False
# Überprüfung für das neue, sichere Format
if stored_password_string.startswith("v1$"):
try:
_, salt_hex, hash_hex = stored_password_string.split("$")
salt_bytes = bytes.fromhex(salt_hex)
# Berechne den Hash des eingegebenen Passworts mit dem extrahierten Salt
calculated_hash = hashing(provided_password, salt=salt_bytes)
# Timing-Attack-sicherer Vergleich
return hmac.compare_digest(calculated_hash, hash_hex)
except (ValueError, TypeError):
logger.error("Ungültiges Hash-Format in der Datenbank entdeckt.")
return False
else:
# Abwärtskompatibilität: Altes Format mit statischem Salt b'some_salt'
old_static_salt = b'some_salt'
calculated_hash = hashing(provided_password, salt=old_static_salt)
return hmac.compare_digest(calculated_hash, stored_password_string)
def check_nm_pwd(username, password): def check_nm_pwd(username, password):
""" """
Verify username and password combination. Überprüft die Kombination aus Benutzername und Passwort (optimiert).
Args:
username (str): Username to check
password (str): Password to verify
Returns:
dict: User document if credentials are valid, None otherwise
""" """
db_name, tenant_id = _resolve_request_tenant_db() db_name, tenant_id = _resolve_request_tenant_db()
ctx = None
try:
from tenant import get_tenant_context
ctx = get_tenant_context()
except Exception:
ctx = None
if not db_name: if not db_name:
if _has_tenant_configs(): if _has_tenant_configs():
logger.warning( logger.warning("Default DB fallback verweigert, da Tenant-Konfigurationen existieren.")
"Refusing default DB fallback for login because tenant configs exist and no tenant was resolved."
)
return None return None
db_name = cfg.MONGODB_DB db_name = cfg.MONGODB_DB
logger.info(
"check_nm_pwd start: username=%r tenant=%r db=%r host=%r port=%r uri=%r",
username,
tenant_id,
db_name,
cfg.MONGODB_HOST,
cfg.MONGODB_PORT,
getattr(cfg, 'MONGODB_URI', None),
)
client = MongoClient(cfg.MONGODB_HOST, cfg.MONGODB_PORT) client = MongoClient(cfg.MONGODB_HOST, cfg.MONGODB_PORT)
try: try:
hashed_password = hashing(password)
logger.info("check_nm_pwd password hash for username=%r: %s", username, hashed_password)
available_dbs = []
try:
available_dbs = client.list_database_names()
logger.debug("MongoDB connected. Available databases=%s", available_dbs)
except Exception as exc:
logger.exception("Unable to list MongoDB databases: %s", exc)
db = client[db_name] db = client[db_name]
try:
existing_collections = db.list_collection_names()
except Exception as exc:
logger.exception("Unable to list collections for db=%r: %s", db_name, exc)
existing_collections = []
logger.debug("Tenant db=%r collections=%s", db_name, existing_collections)
users = db['users'] users = db['users']
query = {'$or': [{'Username': username}, {'username': username}]} query = {'$or': [{'Username': username}, {'username': username}]}
logger.debug("Running user lookup on %r: %s", db_name, query)
user_record = users.find_one(query) user_record = users.find_one(query)
if user_record is None: if user_record is None:
logger.warning("No user document found in db=%r for username=%r", db_name, username) logger.warning("Kein Benutzer für %r in DB %r gefunden.", username, db_name)
if db_name not in available_dbs:
logger.warning("Tenant database %r is missing from available MongoDB databases", db_name)
if 'users' not in existing_collections:
logger.warning("Tenant database %r has no users collection", db_name)
return None return None
logger.info("Found user document for username=%r in db=%r: %s", username, db_name, user_record)
stored_password = user_record.get('Password') or user_record.get('password') stored_password = user_record.get('Password') or user_record.get('password')
if stored_password is None:
logger.warning("User document for username=%r in db=%r has no password field", username, db_name) if not verify_password(password, stored_password):
logger.warning("Falsches Passwort für Benutzer %r in DB %r.", username, db_name)
return None return None
if stored_password != hashed_password: # Automatische Migration alter Hashes auf das neue Format
logger.warning( if not stored_password.startswith("v1$"):
"Password mismatch for username=%r in db=%r: provided_hash=%s stored_hash=%s", users.update_one({'_id': user_record['_id']}, {'$set': {'Password': hashing(password)}})
username,
db_name,
hashed_password,
stored_password,
)
return None
return user_record return user_record
finally: finally:
@@ -556,44 +539,46 @@ def add_user(
bool: True if user was added successfully, False if password was too weak bool: True if user was added successfully, False if password was too weak
""" """
client = MongoClient(cfg.MONGODB_HOST, cfg.MONGODB_PORT) client = MongoClient(cfg.MONGODB_HOST, cfg.MONGODB_PORT)
db = _get_tenant_db(client) try:
users = db['users'] db = _get_tenant_db(client)
if not check_password_strength(password): users = db['users']
return False if not check_password_strength(password):
permission_defaults = build_default_permission_payload(permission_preset) return False
if isinstance(action_permissions, dict): permission_defaults = build_default_permission_payload(permission_preset)
for key, value in action_permissions.items(): if isinstance(action_permissions, dict):
permission_defaults['actions'][str(key)] = bool(value) for key, value in action_permissions.items():
if isinstance(page_permissions, dict): permission_defaults['actions'][str(key)] = bool(value)
for key, value in page_permissions.items(): if isinstance(page_permissions, dict):
permission_defaults['pages'][str(key)] = bool(value) for key, value in page_permissions.items():
permission_defaults['pages'][str(key)] = bool(value)
user_doc = { user_doc = {
'Username': username, 'Username': username,
'Password': hashing(password), 'Password': hashing(password),
'Admin': False, 'Admin': False,
'active_ausleihung': None, 'active_ausleihung': None,
'name': name.strip() if name else '', 'name': name.strip() if name else '',
'last_name': last_name.strip() if last_name else '', 'last_name': last_name.strip() if last_name else '',
'IsStudent': bool(is_student), 'IsStudent': bool(is_student),
'PermissionPreset': permission_defaults['preset'], 'PermissionPreset': permission_defaults['preset'],
'ActionPermissions': permission_defaults['actions'], 'ActionPermissions': permission_defaults['actions'],
'PagePermissions': permission_defaults['pages'], 'PagePermissions': permission_defaults['pages'],
} }
normalized_card = normalize_student_card_id(student_card_id) normalized_card = normalize_student_card_id(student_card_id)
if bool(is_student): if bool(is_student):
if normalized_card: if normalized_card:
user_doc['StudentCardId'] = normalized_card user_doc['StudentCardId'] = normalized_card
if max_borrow_days is not None: if max_borrow_days is not None:
try: try:
user_doc['MaxBorrowDays'] = int(max_borrow_days) user_doc['MaxBorrowDays'] = int(max_borrow_days)
except (TypeError, ValueError): except (TypeError, ValueError):
pass pass
users.insert_one(user_doc) users.insert_one(user_doc)
client.close() return True
return True finally:
client.close()
def student_card_exists(student_card_id): def student_card_exists(student_card_id):
+13 -1
View File
@@ -788,7 +788,19 @@
{% if show_library_features %} {% if show_library_features %}
<!-- Library Mode: Single Customizable Filter --> <!-- Library Mode: Single Customizable Filter -->
<div class="filter-inputs"> <div class="filter-inputs">
<h3>Kategorie/Typ (customisierbar):</h3> <h3>Medientyp</h3>
<div class="form-group">
<select name="item_type_input" id="item_type_input">
<option value="" disabled selected>Medientyp auswählen...</option>
<option value="Buch">Buch</option>
<option value="Schulbuch">Schulbuch</option>
<option value="CD">CD</option>
<option value="DVD">DVD</option>
<option value="Sonstiges">Sonstiges</option>
</select>
<small style="display:block; color:#666;">Wählen Sie einen Medientyp aus zur Klassifizierung.</small>
</div>
<h3>Kategorie/Typ:</h3>
<div class="form-group"> <div class="form-group">
<input type="text" name="library_category" id="library_category" placeholder="z.B. Belletristik, Sachbücher, Nachschlagewerke, etc."> <input type="text" name="library_category" id="library_category" placeholder="z.B. Belletristik, Sachbücher, Nachschlagewerke, etc.">
<small style="display:block; color:#666;">Geben Sie hier eine beliebige Kategorie ein zur freien Klassifizierung.</small> <small style="display:block; color:#666;">Geben Sie hier eine beliebige Kategorie ein zur freien Klassifizierung.</small>
+1
View File
@@ -55,6 +55,7 @@ services:
interval: 10s interval: 10s
timeout: 5s timeout: 5s
retries: 10 retries: 10
start_period: 30s
environment: environment:
MONGO_INITDB_DATABASE: inventar_default MONGO_INITDB_DATABASE: inventar_default
+108 -136
View File
@@ -23,70 +23,19 @@ ensure_runtime_config_json() {
echo "Warning: moved unexpected directory $config_path to $backup_path" echo "Warning: moved unexpected directory $config_path to $backup_path"
fi fi
FORCE_REMOVE=false if [ ! -f "$config_path" ]; then
if [ "${2:-}" = "--yes" ] || [ "${2:-}" = "-y" ]; then
FORCE_REMOVE=true
TENANT_ID="${3:-}"
fi
if [ -z "$TENANT_ID" ]; then
cat > "$config_path" <<'EOF' cat > "$config_path" <<'EOF'
{ {
"ver": "2.6.5", "ver": "2.6.5",
"tenants": {}
}
EOF
echo "Created default config.json"
fi
}
if [ "$FORCE_REMOVE" != true ]; then get_tenant_aliases() {
echo -n "WARNING: Are you sure you want to permanently delete all data for tenant '$TENANT_ID'? (y/N) " local tenant_id="$1"
read confirm
if [ "$confirm" != "y" ] && [ "$confirm" != "Y" ]; then
echo "Removal canceled."
exit 0
fi
fi
echo "Removing tenant '$TENANT_ID'..."
APP_CONTAINER=$(docker ps -qf "name=app" | head -n 1)
port_to_remove=""
if [ -n "$APP_CONTAINER" ]; then
port_to_remove="$({ docker exec "$APP_CONTAINER" python3 - "$TENANT_ID" <<'PY'
import sys
sys.path.insert(0, '/app')
sys.path.insert(0, '/app/Web')
from tenant import delete_tenant, get_tenant_config
tenant_id = sys.argv[1]
tenant_cfg = get_tenant_config(tenant_id)
port = tenant_cfg.get('port')
if not delete_tenant(tenant_id):
print(f'Error: failed to delete tenant {tenant_id}', file=sys.stderr)
sys.exit(1)
if port is not None:
print(port)
PY
} 2>/dev/null)"
echo "Tenant '$TENANT_ID' database and config removed."
else
echo "Warning: Application container not running. Tenant database may still exist in MongoDB."
if port_to_remove="$(remove_tenant_port "$TENANT_ID" 2>/dev/null)"; then
:
else
echo "Warning: tenant '$TENANT_ID' was not configured in config.json or could not be removed."
fi
fi
if [ -n "$port_to_remove" ]; then
remove_runtime_port "$port_to_remove"
fi
sync_tenant_port_map
if [ -n "$(docker ps -qf 'name=app' | head -n 1)" ]; then
restart_app_container
fi
if [ -n "$port_to_remove" ]; then
echo "Removed tenant '$TENANT_ID' and cleaned runtime port $port_to_remove."
else
echo "Removed tenant '$TENANT_ID'. No port mapping was present."
fi
local normalized alias local normalized alias
normalized="$(printf '%s' "$tenant_id" | tr '[:upper:]' '[:lower:]')" normalized="$(printf '%s' "$tenant_id" | tr '[:upper:]' '[:lower:]')"
printf '%s\n' "$tenant_id" printf '%s\n' "$tenant_id"
@@ -212,7 +161,7 @@ existing['modules'] = {
'inventory': {'enabled': True}, 'inventory': {'enabled': True},
'library': {'enabled': True}, 'library': {'enabled': True},
'student_cards': {'enabled': True, 'default_borrow_days': 14, 'max_borrow_days': 365}, 'student_cards': {'enabled': True, 'default_borrow_days': 14, 'max_borrow_days': 365},
'terminplan': {'enabled': True}, 'terminplan': {'enabled': True},
'mail': {'enabled': True}, 'mail': {'enabled': True},
} }
existing['trial'] = trial_config existing['trial'] = trial_config
@@ -245,8 +194,8 @@ initialize_tenant_database() {
return 0 return 0
fi fi
docker exec "$APP_CONTAINER" python3 -c ' docker exec -i "$APP_CONTAINER" python3 - "$tenant_id" "$mode" <<'PY'
import sys, re, datetime, hashlib import sys, os, re, datetime, hashlib
sys.path.insert(0, "/app") sys.path.insert(0, "/app")
sys.path.insert(0, "/app/Web") sys.path.insert(0, "/app/Web")
from Web.modules.database import settings from Web.modules.database import settings
@@ -258,7 +207,11 @@ sanitized = "".join(c for c in tenant_id if c.isalnum() or c == "_")
db_name = f"inventar_{sanitized}" db_name = f"inventar_{sanitized}"
client = MongoClient(settings.MONGODB_HOST, int(settings.MONGODB_PORT)) client = MongoClient(settings.MONGODB_HOST, int(settings.MONGODB_PORT))
db = client[db_name] db = client[db_name]
hashed_pw = hashlib.sha512("admin123".encode()).hexdigest()
pw_bytes = "admin123".encode("utf-8")
random_salt = os.urandom(16)
hashed = hashlib.scrypt(pw_bytes, salt=random_salt, n=16384, r=8, p=1)
hashed_pw_string = f"v1${random_salt.hex()}${hashed.hex()}"
action_permissions = { action_permissions = {
"can_borrow": True, "can_borrow": True,
@@ -294,7 +247,7 @@ page_permissions = {
if db.users.count_documents({"Username": "admin"}) == 0: if db.users.count_documents({"Username": "admin"}) == 0:
db.users.insert_one({ db.users.insert_one({
"Username": "admin", "Username": "admin",
"Password": hashed_pw, "Password": hashed_pw_string,
"Admin": True, "Admin": True,
"active_ausleihung": None, "active_ausleihung": None,
"name": "Admin", "name": "Admin",
@@ -319,7 +272,7 @@ if mode == "trial":
) )
print(f"Tenant {sys.argv[1]} database initialized. Default admin: admin / admin123") print(f"Tenant {sys.argv[1]} database initialized. Default admin: admin / admin123")
' "$tenant_id" "$mode" PY
} }
update_runtime_ports() { update_runtime_ports() {
@@ -435,7 +388,6 @@ restart_app_container() {
ensure_runtime_config_json ensure_runtime_config_json
# If HOST_WORKDIR is set (called from container), use absolute paths so docker daemon resolves them correctly
if [ -n "${HOST_WORKDIR:-}" ]; then if [ -n "${HOST_WORKDIR:-}" ]; then
workdir="$HOST_WORKDIR" workdir="$HOST_WORKDIR"
compose_args+=( -f "$(readlink -f "$HOST_WORKDIR/docker-compose-multitenant.yml")" ) compose_args+=( -f "$(readlink -f "$HOST_WORKDIR/docker-compose-multitenant.yml")" )
@@ -446,7 +398,6 @@ restart_app_container() {
compose_args+=( --env-file "$(readlink -f "$HOST_WORKDIR/.docker-build.env")" ) compose_args+=( --env-file "$(readlink -f "$HOST_WORKDIR/.docker-build.env")" )
fi fi
else else
# Normal case: called directly from host
compose_args+=( -f "$workdir/docker-compose-multitenant.yml" ) compose_args+=( -f "$workdir/docker-compose-multitenant.yml" )
if [ -f "$workdir/.docker-compose.runtime.override.yml" ]; then if [ -f "$workdir/.docker-compose.runtime.override.yml" ]; then
compose_args+=( -f "$workdir/.docker-compose.runtime.override.yml" ) compose_args+=( -f "$workdir/.docker-compose.runtime.override.yml" )
@@ -456,7 +407,6 @@ restart_app_container() {
fi fi
fi fi
# Pass along COMPOSE_PROJECT_NAME if set so the internal docker-compose sees it
if [ -n "${COMPOSE_PROJECT_NAME:-}" ]; then if [ -n "${COMPOSE_PROJECT_NAME:-}" ]; then
compose_args=( -p "$COMPOSE_PROJECT_NAME" "${compose_args[@]}" ) compose_args=( -p "$COMPOSE_PROJECT_NAME" "${compose_args[@]}" )
fi fi
@@ -566,24 +516,83 @@ remove_runtime_port() {
fi fi
} }
show_help() {
local HEADER='\033[95m'
local BLUE='\033[94m'
local GREEN='\033[92m'
local YELLOW='\033[93m'
local RED='\033[91m'
local BOLD='\033[1m'
local RESET='\033[0m'
cat << EOF
${HEADER}${BOLD}=== MULTI-TENANT INVENTAR MANAGER ===${RESET}
${YELLOW}Nutzung:${RESET} $0 <befehl> [tenant_id] [optionen]
${BLUE}${BOLD}VERFÜGBARE BEFEHLE:${RESET}
${GREEN}add${RESET} <tenant_id> [port]
Legt einen neuen Tenant an, registriert den Port und initialisiert
die MongoDB-Datenbank mit einem Standard-Admin (${YELLOW}admin / admin123${RESET}).
${GREEN}trial${RESET} <tenant_id> [port] [tage]
Erstellt einen temporären Test-Tenant. Standardlaufzeit: 7 Tage.
Läuft automatisch ab und löscht sich selbst.
${GREEN}remove${RESET} [-y|--yes] <tenant_id>
Löscht einen Tenant, seine Konfiguration, Ports und die Datenbank.
Nutze ${RED}-y${RESET}, um die Bestätigungsabfrage zu überspringen.
${GREEN}restart-tenant${RESET} <tenant_id>
Startet einen spezifischen Tenant neu, indem alle aktiven Sessions
und der Cache in der MongoDB geleert werden (Sitzungs-Reset).
${GREEN}restart-all${RESET}
Führt einen Zero-Downtime Rolling-Restart für alle App-Container durch.
${GREEN}list${RESET}
Listet alle registrierten Tenants aus der 'config.json' sowie alle
aktiven Tenant-Datenbanken aus der MongoDB auf.
${GREEN}module${RESET} <tenant_id> <modulname>=<on|off> ...
Aktiviert oder deaktiviert bestimmte Features/Module für einen Tenant.
Es können mehrere Module gleichzeitig übergeben werden.
${BLUE}${BOLD}GLOBALE OPTIONEN:${RESET}
${GREEN}-h, --help${RESET}
Zeigt diese Hilfe an.
${YELLOW}Beispiele:${RESET}
$0 add schule_muenchen 8081
$0 trial test_user 8082 14
$0 module schule_muenchen barre_code=on leih_historie=off
$0 remove -y test_user
-----------------------------------------------------------------
EOF
}
if [ -z "${1:-}" ]; then if [ -z "${1:-}" ]; then
show_help show_help
exit 0
fi fi
COMMAND="$1" COMMAND="$1"
TENANT_ID="${2:-}"
# === MAIN ROUTING BLOCK ===
case "$COMMAND" in case "$COMMAND" in
-h|--help) -h|--help)
show_help show_help
;; ;;
add) add)
TENANT_ID="${2:-}"
if [ -z "$TENANT_ID" ]; then if [ -z "$TENANT_ID" ]; then
echo "Error: Please provide a tenant_id." echo "Error: Please provide a tenant_id."
exit 1 exit 1
fi fi
PORT_ARG="$3" PORT_ARG="${3:-}"
if [ -n "$PORT_ARG" ]; then if [ -n "$PORT_ARG" ]; then
if ! printf '%s\n' "$PORT_ARG" | grep -qE '^[0-9]+$'; then if ! printf '%s\n' "$PORT_ARG" | grep -qE '^[0-9]+$'; then
echo "Error: Port must be a numeric value." echo "Error: Port must be a numeric value."
@@ -598,68 +607,13 @@ case "$COMMAND" in
fi fi
echo "Adding new tenant '$TENANT_ID'..." echo "Adding new tenant '$TENANT_ID'..."
# Initialize tenant database via Python inside container
echo "Initializing database for $TENANT_ID..." echo "Initializing database for $TENANT_ID..."
APP_CONTAINER=$(docker ps -qf "name=app" | head -n 1) initialize_tenant_database "$TENANT_ID" "standard"
if [ -n "$APP_CONTAINER" ]; then echo "Tenant '$TENANT_ID' successfully added. Ready to use."
docker exec $APP_CONTAINER python3 -c "
import sys, re; sys.path.insert(0, '/app'); sys.path.insert(0, '/app/Web'); from Web.modules.database import settings; from pymongo import MongoClient; import hashlib
tenant_id = sys.argv[1].lower()
sanitized = ''.join(c for c in tenant_id if c.isalnum() or c == '_')
db_name = f'inventar_{sanitized}'
client = MongoClient(settings.MONGODB_HOST, int(settings.MONGODB_PORT))
db = client[db_name]
hashed_pw = hashlib.sha512('admin123'.encode()).hexdigest()
if db.users.count_documents({'Username': 'admin'}) == 0:
db.users.insert_one({
'Username': 'admin',
'Password': hashed_pw,
'Admin': True,
'active_ausleihung': None,
'name': 'Admin',
'last_name': 'User',
'IsStudent': False,
'PermissionPreset': 'full_access',
'ActionPermissions': {
'can_borrow': True,
'can_insert': True,
'can_edit': True,
'can_delete': True,
'can_manage_users': True,
'can_manage_settings': True,
'can_view_logs': True,
},
'PagePermissions': {
'home': True,
'tutorial_page': True,
'my_borrowed_items': True,
'notifications_view': True,
'impressum': True,
'license': True,
'library_view': True,
'terminplan': True,
'home_admin': True,
'upload_admin': True,
'library_admin': True,
'admin_borrowings': True,
'library_loans_admin': True,
'admin_damaged_items': True,
'admin_audit_dashboard': True,
'logs': True,
'manage_filters': True,
'manage_locations': True,
},
})
print(f'Tenant {sys.argv[1]} database initialized. Default admin: admin / admin123')
" "$TENANT_ID"
echo "Tenant '$TENANT_ID' successfully added. Ready to use."
else
echo "Warning: Application container is not running. Please start the multi-tenant system first."
echo "Data will be initialized upon first access by the tenant."
fi
;; ;;
trial) trial)
TENANT_ID="${2:-}"
if [ -z "$TENANT_ID" ]; then if [ -z "$TENANT_ID" ]; then
echo "Error: Please provide a tenant_id." echo "Error: Please provide a tenant_id."
exit 1 exit 1
@@ -691,9 +645,13 @@ print(f'Tenant {sys.argv[1]} database initialized. Default admin: admin / admin1
remove) remove)
FORCE_REMOVE=false FORCE_REMOVE=false
if [ "${2:-}" = "--yes" ] || [ "${2:-}" = "-y" ]; then TENANT_ARG="${2:-}"
if [ "$TENANT_ARG" = "--yes" ] || [ "$TENANT_ARG" = "-y" ]; then
FORCE_REMOVE=true FORCE_REMOVE=true
TENANT_ID="${3:-}" TENANT_ID="${3:-}"
else
TENANT_ID="$TENANT_ARG"
fi fi
if [ -z "$TENANT_ID" ]; then if [ -z "$TENANT_ID" ]; then
@@ -713,17 +671,32 @@ print(f'Tenant {sys.argv[1]} database initialized. Default admin: admin / admin1
echo "Removing tenant '$TENANT_ID'..." echo "Removing tenant '$TENANT_ID'..."
APP_CONTAINER=$(docker ps -qf "name=app" | head -n 1) APP_CONTAINER=$(docker ps -qf "name=app" | head -n 1)
port_to_remove="" port_to_remove=""
if [ -n "$APP_CONTAINER" ]; then if [ -n "$APP_CONTAINER" ]; then
# Zuerst die Datenbank via PyMongo hart droppen (Erzwungenes Löschen)
port_to_remove="$(docker exec "$APP_CONTAINER" python3 - "$TENANT_ID" <<'PY' port_to_remove="$(docker exec "$APP_CONTAINER" python3 - "$TENANT_ID" <<'PY'
import sys import sys, re
sys.path.insert(0, '/app') sys.path.insert(0, '/app')
sys.path.insert(0, '/app/Web') sys.path.insert(0, '/app/Web')
from tenant import delete_tenant, get_tenant_config from tenant import delete_tenant, get_tenant_config
from Web.modules.database import settings
from pymongo import MongoClient
tenant_id = sys.argv[1] tenant_id = sys.argv[1]
tenant_cfg = get_tenant_config(tenant_id) tenant_cfg = get_tenant_config(tenant_id)
port = tenant_cfg.get('port') port = tenant_cfg.get('port')
# Datenbanknamen exakt rekonstruieren
sanitized = "".join(c for c in tenant_id if c.isalnum() or c == "_")
db_name = f"inventar_{sanitized}"
try:
client = MongoClient(settings.MONGODB_HOST, int(settings.MONGODB_PORT))
client.drop_database(db_name)
print(f"MongoDB database '{db_name}' dropped successfully.", file=sys.stderr)
except Exception as e:
print(f"Warning: Could not drop database '{db_name}': {e}", file=sys.stderr)
if not delete_tenant(tenant_id): if not delete_tenant(tenant_id):
print(f'Error: failed to delete tenant {tenant_id}', file=sys.stderr) print(f'Error: failed to delete tenant {tenant_id}', file=sys.stderr)
sys.exit(1) sys.exit(1)
@@ -757,20 +730,19 @@ PY
;; ;;
restart-tenant) restart-tenant)
TENANT_ID="${2:-}"
if [ -z "$TENANT_ID" ]; then if [ -z "$TENANT_ID" ]; then
echo "Error: Please provide a tenant_id." echo "Error: Please provide a tenant_id."
exit 1 exit 1
fi fi
echo "Restarting tenant '$TENANT_ID' (clearing session/cache)..." echo "Restarting tenant '$TENANT_ID' (clearing session/cache)..."
# To restart a single tenant without restarting the global python processes,
# we can invalidate their cache or drop their sessions collection to sign everyone out
APP_CONTAINER=$(docker ps -qf "name=app" | head -n 1) APP_CONTAINER=$(docker ps -qf "name=app" | head -n 1)
if [ -n "$APP_CONTAINER" ]; then if [ -n "$APP_CONTAINER" ]; then
docker exec $APP_CONTAINER python3 -c " docker exec $APP_CONTAINER python3 -c "
import sys; sys.path.insert(0, '/app'); sys.path.insert(0, '/app/Web'); from Web.modules.database import settings; from pymongo import MongoClient import sys; sys.path.insert(0, '/app'); sys.path.insert(0, '/app/Web'); from Web.modules.database import settings; from pymongo import MongoClient
client = MongoClient(settings.MONGODB_HOST, int(settings.MONGODB_PORT)) client = MongoClient(settings.MONGODB_HOST, int(settings.MONGODB_PORT))
db = client[f'{settings.MONGODB_DB}_{sys.argv[1]}'] db = client[f'{settings.MONGODB_DB}_{sys.argv[1]}']
db.sessions.drop() # Force sign-out / session clear db.sessions.drop()
print(f'Tenant {sys.argv[1]} session cache cleared. Tenant restarted.') print(f'Tenant {sys.argv[1]} session cache cleared. Tenant restarted.')
" "$TENANT_ID" " "$TENANT_ID"
echo "Tenant '$TENANT_ID' has been refreshed without impacting others." echo "Tenant '$TENANT_ID' has been refreshed without impacting others."
@@ -833,12 +805,12 @@ PY
;; ;;
module) module)
TENANT_ID="${2:-}"
if [ -z "$TENANT_ID" ] || [ -z "${3:-}" ]; then if [ -z "$TENANT_ID" ] || [ -z "${3:-}" ]; then
echo "Error: Usage: manage-tenant.sh module <tenant_id> <module_name>=<on|off> [...]" echo "Error: Usage: manage-tenant.sh module <tenant_id> <module_name>=<on|off> [...]"
exit 1 exit 1
fi fi
# Pass all remaining arguments to python script
shift 2 shift 2
if python3 - "$CONFIG_FILE" "$TENANT_ID" "$@" <<'PY' if python3 - "$CONFIG_FILE" "$TENANT_ID" "$@" <<'PY'
@@ -914,4 +886,4 @@ PY
;; ;;
esac esac
exit 0 exit 0