webgate 0.1.0__py3-none-any.whl

webgate/__init__.py

@@ -0,0 +1 @@
+"""webgate — self-hosted SSH terminal and SFTP file browser."""

webgate/__main__.py

@@ -0,0 +1,18 @@
+import uvicorn
+
+from webgate.config import settings
+
+
+def main() -> None:
+    uvicorn.run(
+        "webgate.app:create_app",
+        factory=True,
+        host=settings.host,
+        port=settings.port,
+        log_level=settings.log_level,
+        reload=False,
+    )
+
+
+if __name__ == "__main__":
+    main()

webgate/app.py

@@ -0,0 +1,58 @@
+from collections.abc import AsyncGenerator
+from contextlib import asynccontextmanager
+
+from fastapi import FastAPI
+from fastapi.middleware.cors import CORSMiddleware
+from fastapi.staticfiles import StaticFiles
+
+from slowapi import _rate_limit_exceeded_handler
+from slowapi.errors import RateLimitExceeded
+
+from webgate.auth.routes import limiter
+from webgate.auth.routes import router as auth_router
+from webgate.auth.service import seed_admin
+from webgate.config import settings
+from webgate.db.engine import async_session_factory, close_db, init_db
+from webgate.files.pool import sftp_pool
+from webgate.files.routes import router as files_router
+from webgate.servers.routes import router as servers_router
+from webgate.terminal.routes import router as terminal_router
+
+
+@asynccontextmanager
+async def lifespan(app: FastAPI) -> AsyncGenerator[None]:
+    await init_db()
+    async with async_session_factory() as session:
+        await seed_admin(session)
+    await sftp_pool.start()
+    yield
+    await sftp_pool.stop()
+    await close_db()
+
+
+def create_app() -> FastAPI:
+    app = FastAPI(title="webgate", version="0.1.0", lifespan=lifespan)
+    app.state.limiter = limiter
+    app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)
+
+    origins = [o.strip() for o in settings.allowed_origins.split(",")]
+    app.add_middleware(
+        CORSMiddleware,
+        allow_origins=origins,
+        allow_credentials=True,
+        allow_methods=["*"],
+        allow_headers=["*"],
+    )
+
+    @app.get("/api/health")
+    async def health() -> dict[str, str]:  # pyright: ignore[reportUnusedFunction]
+        return {"status": "ok"}
+
+    app.include_router(auth_router)
+    app.include_router(servers_router)
+    app.include_router(terminal_router)
+    app.include_router(files_router)
+
+    app.mount("/", StaticFiles(directory=str(settings.static_dir), html=True), name="static")
+
+    return app

webgate/audit/models.py

@@ -0,0 +1,31 @@
+from datetime import datetime
+
+from pydantic import BaseModel
+from sqlalchemy import DateTime, Integer, String, Text, func
+from sqlalchemy.orm import Mapped, mapped_column
+
+from webgate.db.engine import Base
+
+
+class AuditEntry(Base):
+    __tablename__ = "audit_log"
+
+    id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)
+    user_id: Mapped[int] = mapped_column(Integer)
+    username: Mapped[str] = mapped_column(String(150))
+    action: Mapped[str] = mapped_column(String(50))  # login, ssh_connect, sftp_ls, server_create, etc.
+    detail: Mapped[str] = mapped_column(Text, default="")
+    ip_address: Mapped[str] = mapped_column(String(45), default="")
+    created_at: Mapped[datetime] = mapped_column(DateTime, server_default=func.now())
+
+
+class AuditOut(BaseModel):
+    id: int
+    user_id: int
+    username: str
+    action: str
+    detail: str
+    ip_address: str
+    created_at: datetime
+
+    model_config = {"from_attributes": True}

webgate/audit/service.py

@@ -0,0 +1,44 @@
+from __future__ import annotations
+
+from sqlalchemy import select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from webgate.audit.models import AuditEntry, AuditOut
+from webgate.db.engine import async_session_factory
+
+
+async def log_action(
+    user_id: int,
+    username: str,
+    action: str,
+    detail: str = "",
+    ip_address: str = "",
+) -> None:
+    """Fire-and-forget audit log entry."""
+    async with async_session_factory() as session:
+        entry = AuditEntry(
+            user_id=user_id,
+            username=username,
+            action=action,
+            detail=detail,
+            ip_address=ip_address,
+        )
+        session.add(entry)
+        await session.commit()
+
+
+async def get_audit_log(
+    session: AsyncSession,
+    limit: int = 100,
+    offset: int = 0,
+    username: str | None = None,
+    action: str | None = None,
+) -> list[AuditOut]:
+    stmt = select(AuditEntry).order_by(AuditEntry.created_at.desc())
+    if username:
+        stmt = stmt.where(AuditEntry.username == username)
+    if action:
+        stmt = stmt.where(AuditEntry.action == action)
+    stmt = stmt.offset(offset).limit(limit)
+    result = await session.execute(stmt)
+    return [AuditOut.model_validate(e) for e in result.scalars().all()]

webgate/auth/models.py

@@ -0,0 +1,70 @@
+import json
+from datetime import datetime
+
+from pydantic import BaseModel, field_validator
+from sqlalchemy import Boolean, DateTime, String, Text, func
+from sqlalchemy.orm import Mapped, mapped_column
+
+from webgate.db.engine import Base
+
+
+class User(Base):
+    __tablename__ = "users"
+
+    id: Mapped[int] = mapped_column(primary_key=True, autoincrement=True)
+    username: Mapped[str] = mapped_column(String(150), unique=True, index=True)
+    hashed_password: Mapped[str] = mapped_column(String(255))
+    is_admin: Mapped[bool] = mapped_column(Boolean, default=False)
+    must_change_password: Mapped[bool] = mapped_column(Boolean, default=False)
+    allowed_groups: Mapped[str] = mapped_column(Text, default="[]")  # JSON array of group names
+    created_at: Mapped[datetime] = mapped_column(DateTime, server_default=func.now())
+
+
+class UserCreate(BaseModel):
+    username: str
+    password: str
+
+
+class UserLogin(BaseModel):
+    username: str
+    password: str
+
+
+class UserOut(BaseModel):
+    id: int
+    username: str
+    is_admin: bool
+    must_change_password: bool = False
+    allowed_groups: list[str] = []
+
+    model_config = {"from_attributes": True}
+
+    @field_validator("allowed_groups", mode="before")
+    @classmethod
+    def parse_groups(cls, v: object) -> list[str]:
+        if isinstance(v, str):
+            try:
+                parsed = json.loads(v)
+                return parsed if isinstance(parsed, list) else []
+            except (json.JSONDecodeError, TypeError):
+                return []
+        return v if isinstance(v, list) else []
+
+
+class UserManage(BaseModel):
+    username: str
+    password: str = ""
+    allowed_groups: list[str] = []
+
+
+class UserUpdateGroups(BaseModel):
+    allowed_groups: list[str]
+
+
+class ChangePassword(BaseModel):
+    new_password: str
+
+
+class TokenOut(BaseModel):
+    access_token: str
+    token_type: str = "bearer"

webgate/auth/routes.py

@@ -0,0 +1,175 @@
+from typing import Annotated
+
+from fastapi import APIRouter, Depends, HTTPException, Request, status
+from fastapi.security import HTTPAuthorizationCredentials, HTTPBearer
+from slowapi import Limiter
+from slowapi.util import get_remote_address
+from sqlalchemy.ext.asyncio import AsyncSession
+
+limiter = Limiter(key_func=get_remote_address)
+
+from webgate.audit.models import AuditOut
+from webgate.audit.service import get_audit_log, log_action
+from webgate.auth.models import (
+    ChangePassword,
+    TokenOut,
+    UserLogin,
+    UserManage,
+    UserOut,
+    UserUpdateGroups,
+)
+from webgate.auth.service import (
+    create_access_token,
+    create_user,
+    decode_access_token,
+    delete_user,
+    get_user_by_id,
+    get_user_by_username,
+    list_users,
+    update_user_groups,
+    update_user_password,
+    verify_password,
+)
+from webgate.db.engine import get_session
+
+router = APIRouter(prefix="/api/auth", tags=["auth"])
+security = HTTPBearer()
+
+SessionDep = Annotated[AsyncSession, Depends(get_session)]
+AuthDep = Annotated[HTTPAuthorizationCredentials, Depends(security)]
+
+
+async def get_current_user(credentials: AuthDep, session: SessionDep) -> UserOut:
+    payload = decode_access_token(credentials.credentials)
+    if payload is None:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token")
+    user_id = payload.get("sub")
+    if user_id is None:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid token")
+    user = await get_user_by_id(session, int(user_id))
+    if user is None:
+        raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED, detail="User not found")
+    return UserOut.model_validate(user)
+
+
+CurrentUserDep = Annotated[UserOut, Depends(get_current_user)]
+
+
+def _require_admin(user: UserOut) -> None:
+    if not user.is_admin:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Admin only")
+
+
+@router.post("/login", response_model=TokenOut)
+@limiter.limit("10/minute")
+async def login(request: Request, body: UserLogin, session: SessionDep) -> TokenOut:
+    user = await get_user_by_username(session, body.username)
+    if not user or not verify_password(body.password, user.hashed_password):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED, detail="Invalid credentials"
+        )
+    token = create_access_token({"sub": str(user.id), "username": user.username})
+    await log_action(user.id, user.username, "login", ip_address=request.client.host if request.client else "")
+    return TokenOut(access_token=token)
+
+
+@router.get("/me", response_model=UserOut)
+async def me(current_user: CurrentUserDep) -> UserOut:
+    return current_user
+
+
+@router.post("/change-password", response_model=UserOut)
+@limiter.limit("5/minute")
+async def change_password(
+    request: Request, body: ChangePassword, session: SessionDep, current_user: CurrentUserDep
+) -> UserOut:
+    if len(body.new_password) < 4:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST, detail="Password too short (min 4 chars)"
+        )
+    user = await get_user_by_id(session, current_user.id)
+    if not user:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+    updated = await update_user_password(session, user, body.new_password)
+    updated.must_change_password = False
+    await session.commit()
+    await session.refresh(updated)
+    return UserOut.model_validate(updated)
+
+
+# ---- Admin: user management ----
+
+
+@router.get("/users", response_model=list[UserOut])
+async def get_users(session: SessionDep, current_user: CurrentUserDep) -> list[UserOut]:
+    _require_admin(current_user)
+    users = await list_users(session)
+    return [UserOut.model_validate(u) for u in users]
+
+
+@router.post("/users", response_model=UserOut, status_code=status.HTTP_201_CREATED)
+async def create_new_user(
+    body: UserManage, session: SessionDep, current_user: CurrentUserDep
+) -> UserOut:
+    _require_admin(current_user)
+    existing = await get_user_by_username(session, body.username)
+    if existing:
+        raise HTTPException(status_code=status.HTTP_409_CONFLICT, detail="Username already taken")
+    if not body.password:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Password required")
+    user = await create_user(
+        session, body.username, body.password, allowed_groups=body.allowed_groups
+    )
+    return UserOut.model_validate(user)
+
+
+@router.put("/users/{user_id}/groups", response_model=UserOut)
+async def set_user_groups(
+    user_id: int, body: UserUpdateGroups, session: SessionDep, current_user: CurrentUserDep
+) -> UserOut:
+    _require_admin(current_user)
+    user = await get_user_by_id(session, user_id)
+    if not user:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+    if user.is_admin:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Cannot modify admin")
+    updated = await update_user_groups(session, user, body.allowed_groups)
+    return UserOut.model_validate(updated)
+
+
+@router.put("/users/{user_id}/password", response_model=UserOut)
+async def reset_user_password(
+    user_id: int, body: UserLogin, session: SessionDep, current_user: CurrentUserDep
+) -> UserOut:
+    _require_admin(current_user)
+    user = await get_user_by_id(session, user_id)
+    if not user:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+    updated = await update_user_password(session, user, body.password)
+    return UserOut.model_validate(updated)
+
+
+@router.delete("/users/{user_id}", status_code=status.HTTP_204_NO_CONTENT)
+async def remove_user(
+    user_id: int, session: SessionDep, current_user: CurrentUserDep
+) -> None:
+    _require_admin(current_user)
+    user = await get_user_by_id(session, user_id)
+    if not user:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
+    if user.is_admin:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="Cannot delete admin")
+    await delete_user(session, user)
+
+
+@router.get("/audit", response_model=list[AuditOut])
+async def audit_log_endpoint(
+    session: SessionDep,
+    current_user: CurrentUserDep,
+    limit: int = 100,
+    offset: int = 0,
+    username: str | None = None,
+    action: str | None = None,
+) -> list[AuditOut]:
+    _require_admin(current_user)
+    return await get_audit_log(session, limit=limit, offset=offset, username=username, action=action)

webgate/auth/service.py

@@ -0,0 +1,115 @@
+from __future__ import annotations
+
+import json
+import logging
+from datetime import UTC, datetime, timedelta
+from typing import Any
+
+import bcrypt
+from jose import JWTError, jwt
+from sqlalchemy import func, select
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from webgate.auth.models import User
+from webgate.config import settings
+
+logger = logging.getLogger(__name__)
+
+
+def hash_password(password: str) -> str:
+    return bcrypt.hashpw(password.encode(), bcrypt.gensalt()).decode()
+
+
+def verify_password(plain: str, hashed: str) -> bool:
+    return bcrypt.checkpw(plain.encode(), hashed.encode())
+
+
+def create_access_token(data: dict[str, Any]) -> str:
+    to_encode = data.copy()
+    expire = datetime.now(UTC) + timedelta(minutes=settings.jwt_expire_minutes)
+    to_encode["exp"] = expire
+    return jwt.encode(to_encode, settings.secret_key, algorithm=settings.jwt_algorithm)
+
+
+def decode_access_token(token: str) -> dict[str, Any] | None:
+    try:
+        payload: dict[str, Any] = jwt.decode(
+            token, settings.secret_key, algorithms=[settings.jwt_algorithm]
+        )
+        return payload
+    except JWTError:
+        return None
+
+
+async def get_user_by_username(session: AsyncSession, username: str) -> User | None:
+    result = await session.execute(select(User).where(User.username == username))
+    return result.scalar_one_or_none()
+
+
+async def get_user_by_id(session: AsyncSession, user_id: int) -> User | None:
+    result = await session.execute(select(User).where(User.id == user_id))
+    return result.scalar_one_or_none()
+
+
+async def get_user_count(session: AsyncSession) -> int:
+    result = await session.execute(select(func.count()).select_from(User))
+    count = result.scalar_one()
+    return int(count)
+
+
+async def create_user(
+    session: AsyncSession,
+    username: str,
+    password: str,
+    is_admin: bool = False,
+    allowed_groups: list[str] | None = None,
+) -> User:
+    user = User(
+        username=username,
+        hashed_password=hash_password(password),
+        is_admin=is_admin,
+        allowed_groups=json.dumps(allowed_groups or []),
+    )
+    session.add(user)
+    await session.commit()
+    await session.refresh(user)
+    return user
+
+
+async def seed_admin(session: AsyncSession) -> None:
+    """Create default admin user if no users exist."""
+    count = await get_user_count(session)
+    if count > 0:
+        return
+    user = await create_user(session, "admin", "admin", is_admin=True)
+    user.must_change_password = True
+    await session.commit()
+    logger.info("Created default admin user (admin/admin) — password change required on first login")
+
+
+async def list_users(session: AsyncSession) -> list[User]:
+    result = await session.execute(select(User).order_by(User.username))
+    return list(result.scalars().all())
+
+
+async def update_user_groups(
+    session: AsyncSession, user: User, groups: list[str]
+) -> User:
+    user.allowed_groups = json.dumps(groups)
+    await session.commit()
+    await session.refresh(user)
+    return user
+
+
+async def update_user_password(
+    session: AsyncSession, user: User, new_password: str
+) -> User:
+    user.hashed_password = hash_password(new_password)
+    await session.commit()
+    await session.refresh(user)
+    return user
+
+
+async def delete_user(session: AsyncSession, user: User) -> None:
+    await session.delete(user)
+    await session.commit()

webgate/config.py

@@ -0,0 +1,28 @@
+from pathlib import Path
+
+from pydantic_settings import BaseSettings
+
+
+class Settings(BaseSettings):
+    model_config = {"env_prefix": "WEBGATE_"}
+
+    host: str = "0.0.0.0"
+    port: int = 8443
+    secret_key: str = "change-me-in-production"
+    db_url: str = "sqlite+aiosqlite:///./webgate.db"
+    allowed_origins: str = "*"
+    log_level: str = "info"
+    session_timeout: int = 3600
+    max_upload_size: int = 104857600  # 100MB
+    first_run: bool = True
+
+    # JWT settings
+    jwt_algorithm: str = "HS256"
+    jwt_expire_minutes: int = 1440  # 24 hours
+
+    @property
+    def static_dir(self) -> Path:
+        return Path(__file__).parent / "static"
+
+
+settings = Settings()

webgate/db/engine.py

@@ -0,0 +1,36 @@
+from collections.abc import AsyncGenerator
+
+from sqlalchemy import MetaData
+from sqlalchemy.ext.asyncio import AsyncSession, async_sessionmaker, create_async_engine
+from sqlalchemy.orm import DeclarativeBase
+
+from webgate.config import settings
+
+engine = create_async_engine(settings.db_url, echo=False)
+async_session_factory = async_sessionmaker(engine, expire_on_commit=False)
+
+convention = {
+    "ix": "ix_%(column_0_label)s",
+    "uq": "uq_%(table_name)s_%(column_0_name)s",
+    "ck": "ck_%(table_name)s_%(constraint_name)s",
+    "fk": "fk_%(table_name)s_%(column_0_name)s_%(referred_table_name)s",
+    "pk": "pk_%(table_name)s",
+}
+
+
+class Base(DeclarativeBase):
+    metadata = MetaData(naming_convention=convention)
+
+
+async def get_session() -> AsyncGenerator[AsyncSession]:
+    async with async_session_factory() as session:
+        yield session
+
+
+async def init_db() -> None:
+    async with engine.begin() as conn:
+        await conn.run_sync(Base.metadata.create_all)
+
+
+async def close_db() -> None:
+    await engine.dispose()

webgate/files/models.py

@@ -0,0 +1,36 @@
+from pydantic import BaseModel
+
+
+class FileEntry(BaseModel):
+    name: str
+    path: str
+    is_dir: bool
+    size: int
+    permissions: str
+    owner: str
+    group: str
+    modified: str
+
+
+class DirectoryListing(BaseModel):
+    path: str
+    entries: list[FileEntry]
+
+
+class FileWriteRequest(BaseModel):
+    path: str
+    content: str
+
+
+class MkdirRequest(BaseModel):
+    path: str
+
+
+class RenameRequest(BaseModel):
+    old_path: str
+    new_path: str
+
+
+class ChmodRequest(BaseModel):
+    path: str
+    mode: str