From 66f9ce36148be1c8d71b0920d275b660b87d2d15 Mon Sep 17 00:00:00 2001 From: pika Date: Tue, 25 Mar 2025 23:41:13 +0100 Subject: [PATCH] batman --- .env.example | 31 ++++ Dockerfile | 33 ++++ Readme.md | 173 ++++++++++++++++++++ app/__init__.py | 62 ++++++++ app/api/__init__.py | 8 + app/api/routes.py | 134 ++++++++++++++++ app/auth/__init__.py | 8 + app/auth/forms.py | 95 +++++++++++ app/auth/routes.py | 127 +++++++++++++++ app/config.py | 61 +++++++ app/core/__init__.py | 8 + app/core/forms.py | 95 +++++++++++ app/core/routes.py | 151 ++++++++++++++++++ app/extensions.py | 28 ++++ app/models/network.py | 175 ++++++++++++++++++++ app/models/user.py | 106 +++++++++++++ app/templates/auth/login.html | 79 +++++++++ app/templates/base.html | 166 +++++++++++++++++++ app/templates/core/dashboard.html | 0 app/templates/core/network_view.html | 194 +++++++++++++++++++++++ app/templates/emails/reset_password.html | 75 +++++++++ app/templates/emails/reset_password.txt | 14 ++ app/templates/errors/403.html | 23 +++ app/templates/errors/404.html | 23 +++ app/templates/errors/500.html | 0 app/utils/commands.py | 49 ++++++ app/utils/email.py | 56 +++++++ app/utils/error_handlers.py | 32 ++++ app/utils/security.py | 71 +++++++++ app/utils/visualization.py | 90 +++++++++++ docker-compose.yml | 60 +++++++ requirements-dev.txt | 7 + requirements.txt | 37 +++++ 33 files changed, 2271 insertions(+) create mode 100644 .env.example create mode 100644 Dockerfile create mode 100644 Readme.md create mode 100644 app/__init__.py create mode 100644 app/api/__init__.py create mode 100644 app/api/routes.py create mode 100644 app/auth/__init__.py create mode 100644 app/auth/forms.py create mode 100644 app/auth/routes.py create mode 100644 app/config.py create mode 100644 app/core/__init__.py create mode 100644 app/core/forms.py create mode 100644 app/core/routes.py create mode 100644 app/extensions.py create mode 100644 app/models/network.py create mode 100644 app/models/user.py create mode 100644 app/templates/auth/login.html create mode 100644 app/templates/base.html create mode 100644 app/templates/core/dashboard.html create mode 100644 app/templates/core/network_view.html create mode 100644 app/templates/emails/reset_password.html create mode 100644 app/templates/emails/reset_password.txt create mode 100644 app/templates/errors/403.html create mode 100644 app/templates/errors/404.html create mode 100644 app/templates/errors/500.html create mode 100644 app/utils/commands.py create mode 100644 app/utils/email.py create mode 100644 app/utils/error_handlers.py create mode 100644 app/utils/security.py create mode 100644 app/utils/visualization.py create mode 100644 docker-compose.yml create mode 100644 requirements-dev.txt create mode 100644 requirements.txt diff --git a/.env.example b/.env.example new file mode 100644 index 0000000..f0e4abb --- /dev/null +++ b/.env.example @@ -0,0 +1,31 @@ +# Flask Configuration +FLASK_APP=app +FLASK_ENV=development +SECRET_KEY=change_this_to_a_secure_random_string +SECURITY_PASSWORD_SALT=change_this_too + +# Database Configuration +DATABASE_URL=sqlite:///netviz.db +# For PostgreSQL with Docker: +# DATABASE_URL=postgresql://netviz:netviz_password@db:5432/netviz + +# Rate Limiting +RATELIMIT_STORAGE_URL=memory:// +RATELIMIT_DEFAULT=200/day;50/hour;10/minute + +# Mail Configuration (for password reset) +MAIL_SERVER=smtp.example.com +MAIL_PORT=587 +MAIL_USE_TLS=True +MAIL_USERNAME=your_username +MAIL_PASSWORD=your_password +MAIL_DEFAULT_SENDER=noreply@netviz.example.com + +# Session Configuration +SESSION_TYPE=filesystem +# For Redis with Docker: +# SESSION_TYPE=redis +# SESSION_REDIS=redis://redis:6379/0 + +# Security Headers +SECURE_HEADERS_ENABLED=True \ No newline at end of file diff --git a/Dockerfile b/Dockerfile new file mode 100644 index 0000000..d417ff9 --- /dev/null +++ b/Dockerfile @@ -0,0 +1,33 @@ +# Use Python 3.9 slim image +FROM python:3.9-slim + +# Set working directory +WORKDIR /app + +# Set environment variables +ENV PYTHONDONTWRITEBYTECODE 1 +ENV PYTHONUNBUFFERED 1 +ENV FLASK_APP app +ENV FLASK_ENV production + +# Install dependencies +RUN apt-get update && apt-get install -y --no-install-recommends \ + gcc \ + libpq-dev \ + && apt-get clean \ + && rm -rf /var/lib/apt/lists/* + +# Install Python packages +COPY requirements.txt . +RUN pip install --no-cache-dir -r requirements.txt + +# Copy application code +COPY . . + +# Create a non-root user to run the application +RUN adduser --disabled-password --gecos "" netviz +RUN chown -R netviz:netviz /app +USER netviz + +# Run gunicorn with 4 workers +CMD gunicorn --bind 0.0.0.0:5000 --workers 4 "app:create_app()" \ No newline at end of file diff --git a/Readme.md b/Readme.md new file mode 100644 index 0000000..ae00633 --- /dev/null +++ b/Readme.md @@ -0,0 +1,173 @@ +# NetViz: Secure Network Documentation & Visualization Tool + +A security-focused web application for documenting, visualizing, and managing network topologies with minimal JavaScript and a modern UI. + +## Features + +- **Security-First Architecture** + - OWASP Top 10 protections + - Secure session management + - CSRF protection + - Bcrypt password hashing + - Rate limiting for auth endpoints + - SQL injection protection + +- **Modern, Minimal UI** + - HTMX for dynamic functionality + - Tailwind CSS with dark/light mode + - Responsive, mobile-first design + - Accessible components + +- **Core Functionality** + - User authentication system + - Network topology management + - Interactive visualization + - Firewall rule documentation + - Data import/export (JSON, CSV) + +- **Deployment Ready** + - Docker and docker-compose configuration + - PostgreSQL integration + - Comprehensive logging + - Health check endpoints + +## Project Structure + +``` +/netviz/ +├── app/ +│ ├── auth/ # Authentication blueprints and views +│ ├── core/ # Core application functionality +│ ├── api/ # API endpoints +│ ├── models/ # SQLAlchemy models +│ ├── templates/ # Jinja2 templates +│ ├── static/ # Static assets +│ ├── utils/ # Utility functions +│ ├── __init__.py # Application factory +│ ├── extensions.py # Flask extensions +│ └── config.py # Configuration classes +├── tests/ # Pytest test suite +├── migrations/ # Alembic database migrations +├── docker/ # Docker-related files +├── .env.sample # Sample environment variables +├── requirements.txt # Python dependencies +├── requirements-dev.txt # Development dependencies +├── Dockerfile # Production Dockerfile +├── docker-compose.yml # Docker Compose configuration +└── README.md # Project documentation +``` + +## Getting Started + +### Prerequisites + +- Python 3.9+ +- Docker and Docker Compose +- Git + +### Local Development Setup + +1. Clone the repository + ```bash + git clone https://github.com/yourusername/netviz.git + cd netviz + ``` + +2. Create and activate a virtual environment + ```bash + python -m venv venv + source venv/bin/activate # On Windows: venv\Scripts\activate + ``` + +3. Install dependencies + ```bash + pip install -r requirements.txt + pip install -r requirements-dev.txt + ``` + +4. Set up environment variables + ```bash + cp .env.sample .env + # Edit .env with your configuration + ``` + +5. Initialize the database + ```bash + flask db upgrade + ``` + +6. Run the development server + ```bash + flask run --debug + ``` + +### Docker Deployment + +1. Build and start the containers + ```bash + docker-compose up -d + ``` + +2. Access the application at http://localhost:5000 + +## Security Features + +- **Authentication** + - Bcrypt password hashing + - Session-based authentication with secure cookies + - Password reset functionality + - Account lockout after failed attempts + +- **Protection Mechanisms** + - CSRF tokens for all forms + - Content Security Policy (CSP) + - XSS protection + - SQL injection prevention + - Rate limiting + - Input validation and sanitization + +## Development Guidelines + +- Follow PEP 8 style guide +- Include type hints for all functions +- Write docstrings for all modules, classes, and functions +- Maintain test coverage above 90% +- Use atomic commits with descriptive messages + +## Testing + +Run the test suite with pytest: + +```bash +pytest +``` + +Generate a coverage report: + +```bash +pytest --cov=app --cov-report=html +``` + +## Color Scheme + +The application uses a professional color palette that works well in both light and dark modes: + +- **Primary**: #3B82F6 (blue-500) +- **Secondary**: #10B981 (emerald-500) +- **Accent**: #8B5CF6 (violet-500) +- **Dark Background**: #111827 (gray-900) +- **Light Background**: #F9FAFB (gray-50) +- **Dark Text**: #1F2937 (gray-800) +- **Light Text**: #F9FAFB (gray-50) + +## License + +[MIT License](LICENSE) + +## Contributing + +1. Fork the repository +2. Create a feature branch +3. Make your changes +4. Run tests +5. Submit a pull request diff --git a/app/__init__.py b/app/__init__.py new file mode 100644 index 0000000..699add8 --- /dev/null +++ b/app/__init__.py @@ -0,0 +1,62 @@ +""" +NetViz application factory. +""" +import os +from flask import Flask +from flask_talisman import Talisman +from flask_seasurf import SeaSurf + +from app.extensions import db, migrate, login_manager, limiter, mail, session +from app.utils.security import get_secure_headers + + +def create_app(test_config=None): + """Create and configure the Flask application using the factory pattern.""" + app = Flask(__name__, instance_relative_config=True) + + # Load config + if test_config is None: + app.config.from_object("app.config.Config") + else: + app.config.from_mapping(test_config) + + # Ensure instance folder exists + try: + os.makedirs(app.instance_path) + except OSError: + pass + + # Initialize extensions + db.init_app(app) + migrate.init_app(app, db) + login_manager.init_app(app) + limiter.init_app(app) + mail.init_app(app) + session.init_app(app) + + # Security headers + if app.config.get("SECURE_HEADERS_ENABLED", False): + Talisman(app, **get_secure_headers()) + + # CSRF protection + csrf = SeaSurf(app) + + # Register blueprints + from app.auth import auth_bp + app.register_blueprint(auth_bp) + + from app.core import core_bp + app.register_blueprint(core_bp) + + from app.api import api_bp + app.register_blueprint(api_bp) + + # Error handlers + from app.utils.error_handlers import register_error_handlers + register_error_handlers(app) + + # CLI commands + from app.utils.commands import register_commands + register_commands(app) + + return app \ No newline at end of file diff --git a/app/api/__init__.py b/app/api/__init__.py new file mode 100644 index 0000000..58435e5 --- /dev/null +++ b/app/api/__init__.py @@ -0,0 +1,8 @@ +""" +API blueprint for JSON endpoints. +""" +from flask import Blueprint + +api_bp = Blueprint("api", __name__, url_prefix="/api/v1") + +from app.api import routes # noqa \ No newline at end of file diff --git a/app/api/routes.py b/app/api/routes.py new file mode 100644 index 0000000..f145401 --- /dev/null +++ b/app/api/routes.py @@ -0,0 +1,134 @@ +""" +API routes for the NetViz application. +""" +from flask import jsonify, request, abort +from flask_login import login_required, current_user + +from app.api import api_bp +from app.models.network import Network, Subnet, Device, FirewallRule +from app.extensions import db, limiter + + +@api_bp.route("/health") +def health_check(): + """Health check endpoint.""" + return jsonify({"status": "ok"}) + + +@api_bp.route("/networks") +@login_required +@limiter.limit("60/minute") +def get_networks(): + """Get all networks for the current user.""" + networks = Network.query.filter_by(user_id=current_user.id).all() + return jsonify([{ + "id": network.id, + "name": network.name, + "description": network.description, + "created_at": network.created_at.isoformat(), + "updated_at": network.updated_at.isoformat(), + "subnet_count": len(network.subnets), + "device_count": len(network.devices) + } for network in networks]) + + +@api_bp.route("/networks/") +@login_required +@limiter.limit("60/minute") +def get_network(network_id): + """Get a specific network.""" + network = Network.query.get_or_404(network_id) + + # Security check + if network.user_id != current_user.id: + abort(403) + + return jsonify(network.to_dict()) + + +@api_bp.route("/networks//export") +@login_required +@limiter.limit("10/minute") +def export_network(network_id): + """Export a network as JSON.""" + network = Network.query.get_or_404(network_id) + + # Security check + if network.user_id != current_user.id: + abort(403) + + return jsonify(network.to_dict()) + + +@api_bp.route("/networks/import", methods=["POST"]) +@login_required +@limiter.limit("5/minute") +def import_network(): + """Import a network from JSON.""" + if not request.is_json: + return jsonify({"error": "Request must be JSON"}), 400 + + data = request.get_json() + + try: + # Create network + network = Network.from_dict(data, current_user.id) + db.session.add(network) + db.session.flush() # Get ID without committing + + # Create subnets + for subnet_data in data.get("subnets", []): + subnet = Subnet( + name=subnet_data["name"], + cidr=subnet_data["cidr"], + vlan=subnet_data.get("vlan"), + description=subnet_data.get("description", ""), + network_id=network.id + ) + db.session.add(subnet) + + db.session.flush() + + # Create devices + for device_data in data.get("devices", []): + device = Device( + name=device_data["name"], + ip_address=device_data.get("ip_address"), + mac_address=device_data.get("mac_address"), + device_type=device_data.get("device_type"), + os=device_data.get("os"), + description=device_data.get("description", ""), + network_id=network.id, + subnet_id=device_data.get("subnet_id") + ) + if "properties" in device_data: + device.set_properties(device_data["properties"]) + db.session.add(device) + + # Create firewall rules + for rule_data in data.get("firewall_rules", []): + rule = FirewallRule( + name=rule_data["name"], + source=rule_data["source"], + destination=rule_data["destination"], + protocol=rule_data.get("protocol"), + port_range=rule_data.get("port_range"), + action=rule_data["action"], + description=rule_data.get("description", ""), + network_id=network.id + ) + db.session.add(rule) + + db.session.commit() + + return jsonify({ + "message": "Network imported successfully", + "network_id": network.id + }), 201 + + except KeyError as e: + db.session.rollback() + return jsonify({"error": f"Missing required field: {str(e)}"}), 400 + except Exception as e: + db.session.rollback() + return jsonify({"error": str(e)}), 400 \ No newline at end of file diff --git a/app/auth/__init__.py b/app/auth/__init__.py new file mode 100644 index 0000000..a68ec65 --- /dev/null +++ b/app/auth/__init__.py @@ -0,0 +1,8 @@ +""" +Authentication blueprint for user management. +""" +from flask import Blueprint + +auth_bp = Blueprint("auth", __name__, url_prefix="/auth") + +from app.auth import routes # noqa \ No newline at end of file diff --git a/app/auth/forms.py b/app/auth/forms.py new file mode 100644 index 0000000..d72d314 --- /dev/null +++ b/app/auth/forms.py @@ -0,0 +1,95 @@ +""" +Forms for authentication and user management. +""" +from flask_wtf import FlaskForm +from wtforms import StringField, PasswordField, BooleanField, SubmitField +from wtforms.validators import DataRequired, Length, Email, EqualTo, ValidationError + +from app.models.user import User + + +class LoginForm(FlaskForm): + """Form for user login.""" + username = StringField("Username", validators=[DataRequired()]) + password = PasswordField("Password", validators=[DataRequired()]) + remember_me = BooleanField("Remember Me") + submit = SubmitField("Sign In") + + +class RegistrationForm(FlaskForm): + """Form for user registration.""" + username = StringField("Username", validators=[ + DataRequired(), + Length(min=3, max=64) + ]) + email = StringField("Email", validators=[ + DataRequired(), + Email(), + Length(max=120) + ]) + password = PasswordField("Password", validators=[ + DataRequired(), + Length(min=8, message="Password must be at least 8 characters long") + ]) + password2 = PasswordField("Confirm Password", validators=[ + DataRequired(), + EqualTo("password", message="Passwords must match") + ]) + submit = SubmitField("Register") + + def validate_username(self, username): + """Validate that the username is not already taken.""" + user = User.query.filter_by(username=username.data).first() + if user is not None: + raise ValidationError("Username already taken. Please choose a different one.") + + def validate_email(self, email): + """Validate that the email is not already registered.""" + user = User.query.filter_by(email=email.data).first() + if user is not None: + raise ValidationError("Email already registered. Please use a different email or reset your password.") + + def validate_password(self, password): + """Validate password complexity.""" + pwd = password.data + + # Check for minimum complexity + has_upper = any(c.isupper() for c in pwd) + has_lower = any(c.islower() for c in pwd) + has_digit = any(c.isdigit() for c in pwd) + has_special = any(not c.isalnum() for c in pwd) + + if not (has_upper and has_lower and has_digit): + raise ValidationError("Password must contain uppercase, lowercase, and digit characters.") + + +class ResetPasswordRequestForm(FlaskForm): + """Form to request a password reset.""" + email = StringField("Email", validators=[DataRequired(), Email()]) + submit = SubmitField("Request Password Reset") + + +class ResetPasswordForm(FlaskForm): + """Form to reset password.""" + password = PasswordField("New Password", validators=[ + DataRequired(), + Length(min=8, message="Password must be at least 8 characters long") + ]) + password2 = PasswordField("Confirm New Password", validators=[ + DataRequired(), + EqualTo("password", message="Passwords must match") + ]) + submit = SubmitField("Reset Password") + + def validate_password(self, password): + """Validate password complexity.""" + pwd = password.data + + # Check for minimum complexity + has_upper = any(c.isupper() for c in pwd) + has_lower = any(c.islower() for c in pwd) + has_digit = any(c.isdigit() for c in pwd) + has_special = any(not c.isalnum() for c in pwd) + + if not (has_upper and has_lower and has_digit): + raise ValidationError("Password must contain uppercase, lowercase, and digit characters.") \ No newline at end of file diff --git a/app/auth/routes.py b/app/auth/routes.py new file mode 100644 index 0000000..789f078 --- /dev/null +++ b/app/auth/routes.py @@ -0,0 +1,127 @@ +""" +Authentication routes for user management. +""" +from datetime import datetime +from flask import render_template, redirect, url_for, flash, request, current_app +from flask_login import login_user, logout_user, login_required, current_user +from werkzeug.urls import url_parse + +from app.auth import auth_bp +from app.auth.forms import LoginForm, RegistrationForm, ResetPasswordRequestForm, ResetPasswordForm +from app.models.user import User +from app.extensions import db, limiter +from app.utils.email import send_password_reset_email + + +@auth_bp.route("/login", methods=["GET", "POST"]) +@limiter.limit("10/minute") +def login(): + """User login route.""" + if current_user.is_authenticated: + return redirect(url_for("core.index")) + + form = LoginForm() + if form.validate_on_submit(): + user = User.query.filter_by(username=form.username.data).first() + + if user is None or not user.check_password(form.password.data): + if user: + user.record_login(success=False) + flash("Invalid username or password", "danger") + return render_template("auth/login.html", form=form) + + if not user.active: + flash("This account has been deactivated", "danger") + return render_template("auth/login.html", form=form) + + if user.is_account_locked(): + flash("This account is temporarily locked due to too many failed login attempts", "danger") + return render_template("auth/login.html", form=form) + + user.record_login(success=True) + login_user(user, remember=form.remember_me.data) + + next_page = request.args.get("next") + if not next_page or url_parse(next_page).netloc != "": + next_page = url_for("core.index") + + return redirect(next_page) + + return render_template("auth/login.html", form=form) + + +@auth_bp.route("/logout") +@login_required +def logout(): + """User logout route.""" + logout_user() + flash("You have been logged out", "info") + return redirect(url_for("auth.login")) + + +@auth_bp.route("/register", methods=["GET", "POST"]) +@limiter.limit("5/hour") +def register(): + """User registration route.""" + if current_user.is_authenticated: + return redirect(url_for("core.index")) + + form = RegistrationForm() + if form.validate_on_submit(): + user = User( + username=form.username.data, + email=form.email.data + ) + user.set_password(form.password.data) + + db.session.add(user) + db.session.commit() + + flash("Registration successful! You can now log in.", "success") + return redirect(url_for("auth.login")) + + return render_template("auth/register.html", form=form) + + +@auth_bp.route("/reset-password-request", methods=["GET", "POST"]) +@limiter.limit("5/hour") +def reset_password_request(): + """Request a password reset.""" + if current_user.is_authenticated: + return redirect(url_for("core.index")) + + form = ResetPasswordRequestForm() + if form.validate_on_submit(): + user = User.query.filter_by(email=form.email.data).first() + if user: + send_password_reset_email(user) + + # Always show the same message to prevent user enumeration + flash("If your email address is registered, you will receive instructions to reset your password", "info") + return redirect(url_for("auth.login")) + + return render_template("auth/reset_password_request.html", form=form) + + +@auth_bp.route("/reset-password/", methods=["GET", "POST"]) +@limiter.limit("5/hour") +def reset_password(token): + """Reset password with token.""" + if current_user.is_authenticated: + return redirect(url_for("core.index")) + + user = User.query.filter_by(reset_token=token).first() + + if not user or not user.is_reset_token_valid(token): + flash("The password reset link is invalid or has expired", "danger") + return redirect(url_for("auth.login")) + + form = ResetPasswordForm() + if form.validate_on_submit(): + user.set_password(form.password.data) + user.clear_reset_token() + + flash("Your password has been reset", "success") + return redirect(url_for("auth.login")) + + return render_template("auth/reset_password.html", form=form) \ No newline at end of file diff --git a/app/config.py b/app/config.py new file mode 100644 index 0000000..a590aa7 --- /dev/null +++ b/app/config.py @@ -0,0 +1,61 @@ +""" +Configuration settings for the NetViz application. +""" +import os +from datetime import timedelta +from dotenv import load_dotenv + +# Load environment variables from .env file +load_dotenv() + + +class Config: + """Base configuration class.""" + # Flask + SECRET_KEY = os.environ.get("SECRET_KEY", "dev-key-not-for-production") + SECURITY_PASSWORD_SALT = os.environ.get("SECURITY_PASSWORD_SALT", "dev-salt-not-for-production") + + # Database + SQLALCHEMY_DATABASE_URI = os.environ.get("DATABASE_URL", "sqlite:///netviz.db") + SQLALCHEMY_TRACK_MODIFICATIONS = False + + # Session + SESSION_TYPE = os.environ.get("SESSION_TYPE", "filesystem") + SESSION_PERMANENT = True + SESSION_USE_SIGNER = True + PERMANENT_SESSION_LIFETIME = timedelta(days=1) + + if SESSION_TYPE == "redis": + SESSION_REDIS = os.environ.get("SESSION_REDIS") + + # Security headers + SECURE_HEADERS_ENABLED = os.environ.get("SECURE_HEADERS_ENABLED", "False").lower() == "true" + + # Rate limiting + RATELIMIT_STORAGE_URL = os.environ.get("RATELIMIT_STORAGE_URL", "memory://") + RATELIMIT_DEFAULT = os.environ.get("RATELIMIT_DEFAULT", "200/day;50/hour;10/minute") + RATELIMIT_HEADERS_ENABLED = True + + # Mail + MAIL_SERVER = os.environ.get("MAIL_SERVER") + MAIL_PORT = int(os.environ.get("MAIL_PORT", 587)) + MAIL_USE_TLS = os.environ.get("MAIL_USE_TLS", "True").lower() == "true" + MAIL_USE_SSL = os.environ.get("MAIL_USE_SSL", "False").lower() == "true" + MAIL_USERNAME = os.environ.get("MAIL_USERNAME") + MAIL_PASSWORD = os.environ.get("MAIL_PASSWORD") + MAIL_DEFAULT_SENDER = os.environ.get("MAIL_DEFAULT_SENDER") + + # Application settings + MAX_NETWORKS_PER_USER = 50 + MAX_HOSTS_PER_NETWORK = 500 + PASSWORD_RESET_TIMEOUT = 3600 # seconds + ACCOUNT_LOCKOUT_THRESHOLD = 5 # attempts + ACCOUNT_LOCKOUT_DURATION = 1800 # seconds + + +class TestConfig(Config): + """Test configuration.""" + TESTING = True + SQLALCHEMY_DATABASE_URI = "sqlite:///:memory:" + WTF_CSRF_ENABLED = False + RATELIMIT_ENABLED = False \ No newline at end of file diff --git a/app/core/__init__.py b/app/core/__init__.py new file mode 100644 index 0000000..1c60b24 --- /dev/null +++ b/app/core/__init__.py @@ -0,0 +1,8 @@ +""" +Core functionality blueprint for the NetViz application. +""" +from flask import Blueprint + +core_bp = Blueprint("core", __name__) + +from app.core import routes # noqa \ No newline at end of file diff --git a/app/core/forms.py b/app/core/forms.py new file mode 100644 index 0000000..78a4789 --- /dev/null +++ b/app/core/forms.py @@ -0,0 +1,95 @@ +""" +Forms for the core functionality of the NetViz application. +""" +from flask_wtf import FlaskForm +from wtforms import StringField, TextAreaField, IntegerField, SelectField, SubmitField +from wtforms.validators import DataRequired, Length, Optional, NumberRange, ValidationError +import ipaddress + + +class NetworkForm(FlaskForm): + """Form for creating and editing networks.""" + name = StringField("Network Name", validators=[ + DataRequired(), + Length(min=3, max=128) + ]) + description = TextAreaField("Description", validators=[Optional()]) + submit = SubmitField("Save Network") + + +class SubnetForm(FlaskForm): + """Form for creating and editing subnets.""" + name = StringField("Subnet Name", validators=[ + DataRequired(), + Length(min=3, max=128) + ]) + cidr = StringField("CIDR Notation", validators=[DataRequired()]) + vlan = IntegerField("VLAN ID", validators=[ + Optional(), + NumberRange(min=0, max=4095) + ]) + description = TextAreaField("Description", validators=[Optional()]) + submit = SubmitField("Save Subnet") + + def validate_cidr(self, cidr): + """Validate CIDR notation.""" + try: + ipaddress.IPv4Network(cidr.data, strict=False) + except ValueError: + try: + ipaddress.IPv6Network(cidr.data, strict=False) + except ValueError: + raise ValidationError("Invalid CIDR notation. Example formats: 192.168.1.0/24 or 2001:db8::/64") + + +class DeviceForm(FlaskForm): + """Form for creating and editing devices.""" + name = StringField("Device Name", validators=[ + DataRequired(), + Length(min=3, max=128) + ]) + ip_address = StringField("IP Address", validators=[Optional()]) + mac_address = StringField("MAC Address", validators=[Optional()]) + device_type = SelectField("Device Type", choices=[ + ("server", "Server"), + ("router", "Router"), + ("switch", "Switch"), + ("firewall", "Firewall"), + ("client", "Client"), + ("other", "Other") + ]) + os = StringField("Operating System", validators=[Optional()]) + subnet_id = SelectField("Subnet", coerce=int, validators=[Optional()]) + description = TextAreaField("Description", validators=[Optional()]) + submit = SubmitField("Save Device") + + def validate_ip_address(self, ip_address): + """Validate IP address format.""" + if ip_address.data: + try: + ipaddress.ip_address(ip_address.data) + except ValueError: + raise ValidationError("Invalid IP address format") + + +class FirewallRuleForm(FlaskForm): + """Form for creating and editing firewall rules.""" + name = StringField("Rule Name", validators=[ + DataRequired(), + Length(min=3, max=128) + ]) + source = StringField("Source", validators=[DataRequired()]) + destination = StringField("Destination", validators=[DataRequired()]) + protocol = SelectField("Protocol", choices=[ + ("any", "Any"), + ("tcp", "TCP"), + ("udp", "UDP"), + ("icmp", "ICMP") + ]) + port_range = StringField("Port Range", validators=[Optional()]) + action = SelectField("Action", choices=[ + ("allow", "Allow"), + ("deny", "Deny") + ]) + description = TextAreaField("Description", validators=[Optional()]) + submit = SubmitField("Save Rule") \ No newline at end of file diff --git a/app/core/routes.py b/app/core/routes.py new file mode 100644 index 0000000..4e1466b --- /dev/null +++ b/app/core/routes.py @@ -0,0 +1,151 @@ +""" +Core routes for the NetViz application. +""" +from flask import render_template, redirect, url_for, flash, request, current_app, abort +from flask_login import login_required, current_user + +from app.core import core_bp +from app.core.forms import NetworkForm, SubnetForm, DeviceForm, FirewallRuleForm +from app.models.network import Network, Subnet, Device, FirewallRule +from app.extensions import db +from app.utils.visualization import generate_network_diagram + + +@core_bp.route("/") +def index(): + """Landing page route.""" + if current_user.is_authenticated: + networks = Network.query.filter_by(user_id=current_user.id).all() + return render_template("core/dashboard.html", networks=networks) + + return render_template("core/index.html") + + +@core_bp.route("/dashboard") +@login_required +def dashboard(): + """User dashboard route.""" + networks = Network.query.filter_by(user_id=current_user.id).all() + return render_template("core/dashboard.html", networks=networks) + + +# Network CRUD routes +@core_bp.route("/networks/new", methods=["GET", "POST"]) +@login_required +def create_network(): + """Create a new network.""" + form = NetworkForm() + + if form.validate_on_submit(): + network = Network( + name=form.name.data, + description=form.description.data, + user_id=current_user.id + ) + + db.session.add(network) + db.session.commit() + + flash("Network created successfully", "success") + return redirect(url_for("core.view_network", network_id=network.id)) + + return render_template("core/network_form.html", form=form, title="Create Network") + + +@core_bp.route("/networks/") +@login_required +def view_network(network_id): + """View a network and its details.""" + network = Network.query.get_or_404(network_id) + + # Check if the user owns this network + if network.user_id != current_user.id: + abort(403) + + # Generate network visualization + diagram = generate_network_diagram(network) + + return render_template( + "core/network_view.html", + network=network, + diagram=diagram, + subnets=network.subnets, + devices=network.devices, + firewall_rules=network.firewall_rules + ) + + +@core_bp.route("/networks//edit", methods=["GET", "POST"]) +@login_required +def edit_network(network_id): + """Edit an existing network.""" + network = Network.query.get_or_404(network_id) + + # Check if the user owns this network + if network.user_id != current_user.id: + abort(403) + + form = NetworkForm(obj=network) + + if form.validate_on_submit(): + network.name = form.name.data + network.description = form.description.data + + db.session.commit() + + flash("Network updated successfully", "success") + return redirect(url_for("core.view_network", network_id=network.id)) + + return render_template("core/network_form.html", form=form, title="Edit Network", network=network) + + +@core_bp.route("/networks//delete", methods=["POST"]) +@login_required +def delete_network(network_id): + """Delete a network.""" + network = Network.query.get_or_404(network_id) + + # Check if the user owns this network + if network.user_id != current_user.id: + abort(403) + + db.session.delete(network) + db.session.commit() + + flash("Network deleted successfully", "success") + return redirect(url_for("core.dashboard")) + + +# Subnet routes +@core_bp.route("/networks//subnets/new", methods=["GET", "POST"]) +@login_required +def create_subnet(network_id): + """Create a new subnet within a network.""" + network = Network.query.get_or_404(network_id) + + # Check if the user owns this network + if network.user_id != current_user.id: + abort(403) + + form = SubnetForm() + + if form.validate_on_submit(): + subnet = Subnet( + name=form.name.data, + cidr=form.cidr.data, + vlan=form.vlan.data, + description=form.description.data, + network_id=network.id + ) + + db.session.add(subnet) + db.session.commit() + + flash("Subnet created successfully", "success") + return redirect(url_for("core.view_network", network_id=network.id)) + + return render_template("core/subnet_form.html", form=form, title="Create Subnet", network=network) + + +# Similar routes for devices, firewall rules, etc. +# For brevity, not all routes are shown here but would follow the same pattern \ No newline at end of file diff --git a/app/extensions.py b/app/extensions.py new file mode 100644 index 0000000..e32e5b0 --- /dev/null +++ b/app/extensions.py @@ -0,0 +1,28 @@ +""" +Flask extensions for the NetViz application. +""" +from flask_sqlalchemy import SQLAlchemy +from flask_migrate import Migrate +from flask_login import LoginManager +from flask_limiter import Limiter +from flask_limiter.util import get_remote_address +from flask_mail import Mail +from flask_session import Session + +# Database +db = SQLAlchemy() +migrate = Migrate() + +# Authentication +login_manager = LoginManager() +login_manager.login_view = "auth.login" +login_manager.login_message_category = "info" + +# Rate limiting +limiter = Limiter(key_func=get_remote_address) + +# Email +mail = Mail() + +# Server-side sessions +session = Session() diff --git a/app/models/network.py b/app/models/network.py new file mode 100644 index 0000000..44ffc0c --- /dev/null +++ b/app/models/network.py @@ -0,0 +1,175 @@ +""" +Network models for topology visualization. +""" +from datetime import datetime +from typing import Dict, List, Any, Optional +import json + +from app.extensions import db + + +class Network(db.Model): + """Network model representing a network topology.""" + __tablename__ = "networks" + + id = db.Column(db.Integer, primary_key=True) + name = db.Column(db.String(128), nullable=False) + description = db.Column(db.Text) + created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False) + updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False) + + # Ownership + user_id = db.Column(db.Integer, db.ForeignKey("users.id"), nullable=False) + owner = db.relationship("User", back_populates="networks") + + # Related objects + subnets = db.relationship("Subnet", back_populates="network", cascade="all, delete-orphan") + devices = db.relationship("Device", back_populates="network", cascade="all, delete-orphan") + firewall_rules = db.relationship("FirewallRule", back_populates="network", cascade="all, delete-orphan") + + def to_dict(self) -> Dict[str, Any]: + """Convert network to dictionary for API responses and exports.""" + return { + "id": self.id, + "name": self.name, + "description": self.description, + "created_at": self.created_at.isoformat(), + "updated_at": self.updated_at.isoformat(), + "subnets": [subnet.to_dict() for subnet in self.subnets], + "devices": [device.to_dict() for device in self.devices], + "firewall_rules": [rule.to_dict() for rule in self.firewall_rules] + } + + def to_json(self) -> str: + """Convert network to JSON string for exports.""" + return json.dumps(self.to_dict(), indent=2) + + @classmethod + def from_dict(cls, data: Dict[str, Any], user_id: int) -> "Network": + """Create a network from a dictionary (for imports).""" + network = cls( + name=data["name"], + description=data.get("description", ""), + user_id=user_id + ) + + return network + + def __repr__(self) -> str: + return f"" + + +class Subnet(db.Model): + """Subnet model representing a network subnet.""" + __tablename__ = "subnets" + + id = db.Column(db.Integer, primary_key=True) + name = db.Column(db.String(128), nullable=False) + cidr = db.Column(db.String(64), nullable=False) + vlan = db.Column(db.Integer) + description = db.Column(db.Text) + + # Parent network + network_id = db.Column(db.Integer, db.ForeignKey("networks.id"), nullable=False) + network = db.relationship("Network", back_populates="subnets") + + # Devices in this subnet + devices = db.relationship("Device", back_populates="subnet") + + def to_dict(self) -> Dict[str, Any]: + """Convert subnet to dictionary.""" + return { + "id": self.id, + "name": self.name, + "cidr": self.cidr, + "vlan": self.vlan, + "description": self.description + } + + def __repr__(self) -> str: + return f"" + + +class Device(db.Model): + """Device model representing a network device or host.""" + __tablename__ = "devices" + + id = db.Column(db.Integer, primary_key=True) + name = db.Column(db.String(128), nullable=False) + ip_address = db.Column(db.String(64)) + mac_address = db.Column(db.String(64)) + device_type = db.Column(db.String(64)) # server, router, switch, etc. + os = db.Column(db.String(128)) + description = db.Column(db.Text) + + # Parent network + network_id = db.Column(db.Integer, db.ForeignKey("networks.id"), nullable=False) + network = db.relationship("Network", back_populates="devices") + + # Subnet membership + subnet_id = db.Column(db.Integer, db.ForeignKey("subnets.id")) + subnet = db.relationship("Subnet", back_populates="devices") + + # Additional properties stored as JSON + properties = db.Column(db.Text) + + def get_properties(self) -> Dict[str, Any]: + """Get device properties from JSON field.""" + if not self.properties: + return {} + return json.loads(self.properties) + + def set_properties(self, properties: Dict[str, Any]) -> None: + """Set device properties as JSON.""" + self.properties = json.dumps(properties) + + def to_dict(self) -> Dict[str, Any]: + """Convert device to dictionary.""" + return { + "id": self.id, + "name": self.name, + "ip_address": self.ip_address, + "mac_address": self.mac_address, + "device_type": self.device_type, + "os": self.os, + "description": self.description, + "subnet_id": self.subnet_id, + "properties": self.get_properties() + } + + def __repr__(self) -> str: + return f"" + + +class FirewallRule(db.Model): + """Firewall rule model for documenting network security policies.""" + __tablename__ = "firewall_rules" + + id = db.Column(db.Integer, primary_key=True) + name = db.Column(db.String(128), nullable=False) + source = db.Column(db.String(128), nullable=False) + destination = db.Column(db.String(128), nullable=False) + protocol = db.Column(db.String(16)) # tcp, udp, icmp, any + port_range = db.Column(db.String(64)) # e.g., "80,443" or "1024-2048" + action = db.Column(db.String(16), nullable=False) # allow, deny + description = db.Column(db.Text) + + # Parent network + network_id = db.Column(db.Integer, db.ForeignKey("networks.id"), nullable=False) + network = db.relationship("Network", back_populates="firewall_rules") + + def to_dict(self) -> Dict[str, Any]: + """Convert firewall rule to dictionary.""" + return { + "id": self.id, + "name": self.name, + "source": self.source, + "destination": self.destination, + "protocol": self.protocol, + "port_range": self.port_range, + "action": self.action, + "description": self.description + } + + def __repr__(self) -> str: + return f"" \ No newline at end of file diff --git a/app/models/user.py b/app/models/user.py new file mode 100644 index 0000000..5c2c416 --- /dev/null +++ b/app/models/user.py @@ -0,0 +1,106 @@ +""" +User model for authentication and authorization. +""" +import bcrypt +from datetime import datetime, timedelta +from typing import Optional, List +import uuid + +from flask_login import UserMixin + +from app.extensions import db, login_manager + + +class User(UserMixin, db.Model): + """User model for authentication and authorization.""" + __tablename__ = "users" + + id = db.Column(db.Integer, primary_key=True) + username = db.Column(db.String(64), unique=True, nullable=False, index=True) + email = db.Column(db.String(120), unique=True, nullable=False, index=True) + password_hash = db.Column(db.String(128), nullable=False) + active = db.Column(db.Boolean, default=True, nullable=False) + is_admin = db.Column(db.Boolean, default=False, nullable=False) + created_at = db.Column(db.DateTime, default=datetime.utcnow, nullable=False) + updated_at = db.Column(db.DateTime, default=datetime.utcnow, onupdate=datetime.utcnow, nullable=False) + last_login = db.Column(db.DateTime) + + # For account lockout/security + failed_login_count = db.Column(db.Integer, default=0) + locked_until = db.Column(db.DateTime) + + # Password reset + reset_token = db.Column(db.String(64), unique=True, index=True) + reset_token_expires_at = db.Column(db.DateTime) + + # Relationships + networks = db.relationship("Network", back_populates="owner", cascade="all, delete-orphan") + + def set_password(self, password: str) -> None: + """Hash and set the user's password.""" + # Generate a salt and hash the password + self.password_hash = bcrypt.hashpw( + password.encode("utf-8"), bcrypt.gensalt() + ).decode("utf-8") + + def check_password(self, password: str) -> bool: + """Verify the provided password against the stored hash.""" + return bcrypt.checkpw( + password.encode("utf-8"), self.password_hash.encode("utf-8") + ) + + def generate_reset_token(self, expires_in: int = 3600) -> str: + """Generate a password reset token that expires after the specified time.""" + self.reset_token = str(uuid.uuid4()) + self.reset_token_expires_at = datetime.utcnow() + timedelta(seconds=expires_in) + db.session.commit() + return self.reset_token + + def clear_reset_token(self) -> None: + """Clear the reset token after it's been used.""" + self.reset_token = None + self.reset_token_expires_at = None + db.session.commit() + + def is_reset_token_valid(self, token: str) -> bool: + """Check if the provided reset token is valid and not expired.""" + return ( + self.reset_token == token + and self.reset_token_expires_at is not None + and self.reset_token_expires_at > datetime.utcnow() + ) + + def record_login(self, success: bool) -> None: + """Record a login attempt.""" + if success: + self.last_login = datetime.utcnow() + self.failed_login_count = 0 + self.locked_until = None + else: + self.failed_login_count += 1 + if self.failed_login_count >= 5: # Threshold from config + self.locked_until = datetime.utcnow() + timedelta(minutes=30) # Duration from config + + db.session.commit() + + def is_account_locked(self) -> bool: + """Check if the account is locked due to too many failed login attempts.""" + if self.locked_until is None: + return False + + if datetime.utcnow() > self.locked_until: + self.failed_login_count = 0 + self.locked_until = None + db.session.commit() + return False + + return True + + def __repr__(self) -> str: + return f"" + + +@login_manager.user_loader +def load_user(user_id: str) -> Optional[User]: + """Load a user from the database by ID.""" + return User.query.get(int(user_id)) diff --git a/app/templates/auth/login.html b/app/templates/auth/login.html new file mode 100644 index 0000000..b69122f --- /dev/null +++ b/app/templates/auth/login.html @@ -0,0 +1,79 @@ +{% extends "base.html" %} + +{% block title %}Login - NetViz{% endblock %} + +{% block content %} +
+
+
+

+ Sign in to your account +

+

+ Or + + register a new account + +

+
+
+ {{ form.csrf_token }} + +
+
+ + {{ form.username(class="appearance-none rounded-none relative block w-full px-3 py-2 border border-gray-300 + dark:border-gray-700 placeholder-gray-500 dark:placeholder-gray-400 text-gray-900 dark:text-white + dark:bg-gray-800 rounded-t-md focus:outline-none focus:ring-primary focus:border-primary focus:z-10 + sm:text-sm", placeholder="Username") }} + {% if form.username.errors %} +

{{ form.username.errors[0] }}

+ {% endif %} +
+
+ + {{ form.password(class="appearance-none rounded-none relative block w-full px-3 py-2 border border-gray-300 + dark:border-gray-700 placeholder-gray-500 dark:placeholder-gray-400 text-gray-900 dark:text-white + dark:bg-gray-800 rounded-b-md focus:outline-none focus:ring-primary focus:border-primary focus:z-10 + sm:text-sm", placeholder="Password") }} + {% if form.password.errors %} +

{{ form.password.errors[0] }}

+ {% endif %} +
+
+ +
+
+ {{ form.remember_me(class="h-4 w-4 text-primary focus:ring-primary border-gray-300 dark:border-gray-700 + rounded") }} + +
+ +
+ + Forgot your password? + +
+
+ +
+ +
+
+
+
+{% endblock %} \ No newline at end of file diff --git a/app/templates/base.html b/app/templates/base.html new file mode 100644 index 0000000..561198e --- /dev/null +++ b/app/templates/base.html @@ -0,0 +1,166 @@ + + + + + + + {% block title %}NetViz{% endblock %} + + + + + + + + + + + + + {% block head %}{% endblock %} + + + +
+ +
+ +
+ + {% with messages = get_flashed_messages(with_categories=true) %} + {% if messages %} +
+ {% for category, message in messages %} +
+ {{ message }} +
+ {% endfor %} +
+ {% endif %} + {% endwith %} + + + {% block content %}{% endblock %} +
+ +
+
+
+

+ © {{ current_year }} NetViz. All rights reserved. +

+
+
+
+ + + + + {% block scripts %}{% endblock %} + + + \ No newline at end of file diff --git a/app/templates/core/dashboard.html b/app/templates/core/dashboard.html new file mode 100644 index 0000000..e69de29 diff --git a/app/templates/core/network_view.html b/app/templates/core/network_view.html new file mode 100644 index 0000000..50a9a7b --- /dev/null +++ b/app/templates/core/network_view.html @@ -0,0 +1,194 @@ +{% extends "base.html" %} + +{% block title %}{{ network.name }} - NetViz{% endblock %} + +{% block content %} +
+
+
+

+ {{ network.name }} +

+

+ Created: {{ network.created_at.strftime('%Y-%m-%d %H:%M') }} | + Last updated: {{ network.updated_at.strftime('%Y-%m-%d %H:%M') }} +

+
+
+ + Edit + +
+ +
+ +
+
+ +
+
+
+

+ Network Details +

+

+ {{ network.description or "No description provided." }} +

+
+ + +
+
+

Network Visualization

+
+ Network Diagram +
+
+
+ + +
+
+
+

Subnets

+ + Add Subnet + +
+ + {% if subnets %} +
+
+
+
+ + + + + + + + + + + + {% for subnet in subnets %} + + + + + + + + {% endfor %} + +
+ Name + + CIDR + + VLAN + + Description + + Actions +
+ {{ subnet.name }} + + {{ subnet.cidr }} + + {{ subnet.vlan or "-" }} + + {{ subnet.description or "-" }} + + Edit +
+
+
+
+
+ {% else %} +
+

No subnets defined yet.

+
+ {% endif %} +
+
+ + +
+
+
+ + + +{% endblock %} + +{% block scripts %} + +{% endblock %} \ No newline at end of file diff --git a/app/templates/emails/reset_password.html b/app/templates/emails/reset_password.html new file mode 100644 index 0000000..3964a33 --- /dev/null +++ b/app/templates/emails/reset_password.html @@ -0,0 +1,75 @@ + + + + + + + + +
+

NetViz Password Reset

+
+
+

Hello {{ user.username }},

+ +

We received a request to reset your password for your NetViz account. If you made this request, please click the + button below to reset your password:

+ +

+ Reset Password +

+ +

This link will expire in 1 hour.

+ +

If you did not request a password reset, please ignore this email or contact support if you have concerns about + your account security.

+ +

Best regards,
The NetViz Team

+
+
+

This is an automated message, please do not reply to this email.

+
+ + + \ No newline at end of file diff --git a/app/templates/emails/reset_password.txt b/app/templates/emails/reset_password.txt new file mode 100644 index 0000000..bc00faa --- /dev/null +++ b/app/templates/emails/reset_password.txt @@ -0,0 +1,14 @@ +Hello {{ user.username }}, + +We received a request to reset your password for your NetViz account. If you made this request, please click on the link below to reset your password: + +{{ reset_url }} + +This link will expire in 1 hour. + +If you did not request a password reset, please ignore this email or contact support if you have concerns about your account security. + +Best regards, +The NetViz Team + +This is an automated message, please do not reply to this email. \ No newline at end of file diff --git a/app/templates/errors/403.html b/app/templates/errors/403.html new file mode 100644 index 0000000..55b00da --- /dev/null +++ b/app/templates/errors/403.html @@ -0,0 +1,23 @@ +{% extends "base.html" %} + +{% block title %}Forbidden - NetViz{% endblock %} + +{% block content %} +
+
+

403

+

+ Access Denied +

+

+ You don't have permission to access this resource. +

+
+ + Return to Home + +
+
+
+{% endblock %} \ No newline at end of file diff --git a/app/templates/errors/404.html b/app/templates/errors/404.html new file mode 100644 index 0000000..16590af --- /dev/null +++ b/app/templates/errors/404.html @@ -0,0 +1,23 @@ +{% extends "base.html" %} + +{% block title %}Page Not Found - NetViz{% endblock %} + +{% block content %} +
+
+

404

+

+ Page Not Found +

+

+ The page you're looking for doesn't exist or has been moved. +

+
+ + Return to Home + +
+
+
+{% endblock %} \ No newline at end of file diff --git a/app/templates/errors/500.html b/app/templates/errors/500.html new file mode 100644 index 0000000..e69de29 diff --git a/app/utils/commands.py b/app/utils/commands.py new file mode 100644 index 0000000..384f9c7 --- /dev/null +++ b/app/utils/commands.py @@ -0,0 +1,49 @@ +""" +CLI commands for the NetViz application. +""" +import click +from flask.cli import with_appcontext +from werkzeug.security import generate_password_hash + +from app.extensions import db +from app.models.user import User + + +def register_commands(app): + """ + Register CLI commands with the Flask application. + + Args: + app: The Flask application + """ + @app.cli.command("create-admin") + @click.argument("username") + @click.argument("email") + @click.password_option() + @with_appcontext + def create_admin(username, email, password): + """Create an admin user.""" + user = User.query.filter_by(username=username).first() + + if user: + click.echo(f"User {username} already exists.") + return + + user = User( + username=username, + email=email, + is_admin=True + ) + user.set_password(password) + + db.session.add(user) + db.session.commit() + + click.echo(f"Admin user {username} created successfully.") + + @app.cli.command("init-db") + @with_appcontext + def init_db(): + """Initialize the database.""" + db.create_all() + click.echo("Database initialized.") \ No newline at end of file diff --git a/app/utils/email.py b/app/utils/email.py new file mode 100644 index 0000000..5c6647c --- /dev/null +++ b/app/utils/email.py @@ -0,0 +1,56 @@ +""" +Email utilities for the NetViz application. +""" +from flask import current_app, render_template +from flask_mail import Message +from threading import Thread + +from app.extensions import mail +from app.models.user import User + + +def send_async_email(app, msg): + """Send email asynchronously.""" + with app.app_context(): + mail.send(msg) + + +def send_email(subject, sender, recipients, text_body, html_body): + """ + Send an email. + + Args: + subject: Email subject + sender: Sender email address + recipients: List of recipient email addresses + text_body: Plain text email body + html_body: HTML email body + """ + msg = Message(subject, sender=sender, recipients=recipients) + msg.body = text_body + msg.html = html_body + + # Send email asynchronously to not block the request + Thread( + target=send_async_email, + args=(current_app._get_current_object(), msg) + ).start() + + +def send_password_reset_email(user: User): + """ + Send a password reset email to a user. + + Args: + user: The user requesting password reset + """ + token = user.generate_reset_token() + reset_url = f"{current_app.config['SERVER_NAME']}/auth/reset-password/{token}" + + send_email( + subject="[NetViz] Reset Your Password", + sender=current_app.config['MAIL_DEFAULT_SENDER'], + recipients=[user.email], + text_body=render_template("email/reset_password.txt", user=user, reset_url=reset_url), + html_body=render_template("email/reset_password.html", user=user, reset_url=reset_url) + ) \ No newline at end of file diff --git a/app/utils/error_handlers.py b/app/utils/error_handlers.py new file mode 100644 index 0000000..50244b3 --- /dev/null +++ b/app/utils/error_handlers.py @@ -0,0 +1,32 @@ +""" +Error handlers for the NetViz application. +""" +import traceback +from flask import render_template, current_app + + +def register_error_handlers(app): + """ + Register error handlers for the application. + + Args: + app: The Flask application + """ + @app.errorhandler(403) + def forbidden_error(error): + return render_template('errors/403.html'), 403 + + @app.errorhandler(404) + def not_found_error(error): + return render_template('errors/404.html'), 404 + + @app.errorhandler(500) + def internal_error(error): + # Log the error + current_app.logger.error(f"Server Error: {error}") + current_app.logger.error(traceback.format_exc()) + return render_template('errors/500.html'), 500 + + @app.errorhandler(429) + def ratelimit_error(error): + return render_template('errors/429.html'), 429 \ No newline at end of file diff --git a/app/utils/security.py b/app/utils/security.py new file mode 100644 index 0000000..c13d41f --- /dev/null +++ b/app/utils/security.py @@ -0,0 +1,71 @@ +""" +Security utilities for the NetViz application. +""" +from typing import Dict, Any +import secrets +import string + + +def get_secure_headers() -> Dict[str, Any]: + """ + Get secure headers configuration for Flask-Talisman. + + Returns: + Dict with security header configuration + """ + return { + 'content_security_policy': { + 'default-src': "'self'", + 'img-src': "'self' data:", + 'style-src': "'self' 'unsafe-inline'", # Needed for Tailwind + 'script-src': "'self' 'unsafe-inline'", # Needed for HTMX + 'font-src': "'self'" + }, + 'force_https': False, # Set to True in production + 'strict_transport_security': True, + 'strict_transport_security_max_age': 31536000, + 'strict_transport_security_include_subdomains': True, + 'referrer_policy': 'strict-origin-when-cross-origin', + 'frame_options': 'DENY', + 'session_cookie_secure': False, # Set to True in production + 'session_cookie_http_only': True + } + + +def generate_password() -> str: + """ + Generate a secure random password. + + Returns: + A secure random password string + """ + alphabet = string.ascii_letters + string.digits + string.punctuation + password = ''.join(secrets.choice(alphabet) for _ in range(16)) + return password + + +def sanitize_input(input_string: str) -> str: + """ + Sanitize user input to prevent XSS attacks. + + Args: + input_string: The input string to sanitize + + Returns: + Sanitized string + """ + # Replace problematic characters with HTML entities + replacements = { + '<': '<', + '>': '>', + '"': '"', + "'": ''', + '/': '/', + '\\': '\', + '\n': '
', + } + + for char, replacement in replacements.items(): + input_string = input_string.replace(char, replacement) + + return input_string \ No newline at end of file diff --git a/app/utils/visualization.py b/app/utils/visualization.py new file mode 100644 index 0000000..93ff9f9 --- /dev/null +++ b/app/utils/visualization.py @@ -0,0 +1,90 @@ +""" +Network visualization utilities for the NetViz application. +""" +import networkx as nx +import matplotlib.pyplot as plt +import io +import base64 +from typing import Dict, Any + +from app.models.network import Network + + +def generate_network_diagram(network: Network) -> str: + """ + Generate a network diagram for visualization. + + Args: + network: The Network object to visualize + + Returns: + Base64 encoded PNG image of the network diagram + """ + # Create a directed graph + G = nx.DiGraph() + + # Add nodes for subnets + for subnet in network.subnets: + G.add_node(f"subnet-{subnet.id}", + label=f"{subnet.name}\n{subnet.cidr}", + type="subnet") + + # Add nodes for devices + for device in network.devices: + G.add_node(f"device-{device.id}", + label=f"{device.name}\n{device.ip_address or ''}", + type="device") + + # Connect devices to their subnets + if device.subnet_id: + G.add_edge(f"device-{device.id}", f"subnet-{device.subnet_id}") + + # Add firewall rules as edges + for rule in network.firewall_rules: + # For simplicity, we're assuming source and destination are device IPs + # In a real implementation, you'd need to resolve these to actual devices + source_devices = [d for d in network.devices if d.ip_address == rule.source] + dest_devices = [d for d in network.devices if d.ip_address == rule.destination] + + for src in source_devices: + for dst in dest_devices: + G.add_edge(f"device-{src.id}", f"device-{dst.id}", + label=f"{rule.protocol}/{rule.port_range}\n{rule.action}", + color="green" if rule.action == "allow" else "red") + + # Set node colors based on type + node_colors = [] + for node in G.nodes(): + node_type = G.nodes[node].get("type") + if node_type == "subnet": + node_colors.append("skyblue") + elif node_type == "device": + node_colors.append("lightgreen") + else: + node_colors.append("lightgray") + + # Create the plot + plt.figure(figsize=(12, 8)) + pos = nx.spring_layout(G) + + # Draw nodes + nx.draw_networkx_nodes(G, pos, node_color=node_colors, node_size=500) + + # Draw edges + edge_colors = [G.edges[edge].get("color", "black") for edge in G.edges()] + nx.draw_networkx_edges(G, pos, edge_color=edge_colors, arrowstyle='->', arrowsize=15) + + # Draw labels + node_labels = {node: G.nodes[node].get("label", node) for node in G.nodes()} + nx.draw_networkx_labels(G, pos, labels=node_labels, font_size=10) + + # Save the plot to a bytes buffer + buf = io.BytesIO() + plt.savefig(buf, format='png', dpi=100, bbox_inches='tight') + plt.close() + + # Encode the image as base64 for embedding in HTML + buf.seek(0) + image_base64 = base64.b64encode(buf.getvalue()).decode('utf-8') + + return f"data:image/png;base64,{image_base64}" \ No newline at end of file diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..922a313 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,60 @@ +version: '3.8' + +services: + web: + build: . + restart: always + ports: + - "5000:5000" + depends_on: + - db + - redis + environment: + - FLASK_APP=app + - FLASK_ENV=production + - DATABASE_URL=postgresql://netviz:netviz_password@db:5432/netviz + - SECRET_KEY=${SECRET_KEY:-change_this_to_a_secure_random_string} + - SECURITY_PASSWORD_SALT=${SECURITY_PASSWORD_SALT:-change_this_too} + - SESSION_TYPE=redis + - SESSION_REDIS=redis://redis:6379/0 + - RATELIMIT_STORAGE_URL=redis://redis:6379/1 + - SECURE_HEADERS_ENABLED=True + volumes: + - ./app:/app/app + - ./migrations:/app/migrations + healthcheck: + test: [ "CMD", "curl", "-f", "http://localhost:5000/health" ] + interval: 30s + timeout: 10s + retries: 3 + start_period: 40s + + db: + image: postgres:14-alpine + restart: always + environment: + - POSTGRES_USER=netviz + - POSTGRES_PASSWORD=netviz_password + - POSTGRES_DB=netviz + volumes: + - postgres_data:/var/lib/postgresql/data + healthcheck: + test: [ "CMD-SHELL", "pg_isready -U netviz" ] + interval: 10s + timeout: 5s + retries: 5 + + redis: + image: redis:6-alpine + restart: always + volumes: + - redis_data:/data + healthcheck: + test: [ "CMD", "redis-cli", "ping" ] + interval: 10s + timeout: 5s + retries: 5 + +volumes: + postgres_data: + redis_data: diff --git a/requirements-dev.txt b/requirements-dev.txt new file mode 100644 index 0000000..59a292f --- /dev/null +++ b/requirements-dev.txt @@ -0,0 +1,7 @@ +pytest==7.4.3 +pytest-cov==4.1.0 +pytest-flask==1.3.0 +black==23.10.1 +flake8==6.1.0 +mypy==1.6.1 +bandit==1.7.5 diff --git a/requirements.txt b/requirements.txt new file mode 100644 index 0000000..b2dc106 --- /dev/null +++ b/requirements.txt @@ -0,0 +1,37 @@ +# Flask and Extensions +Flask==2.3.3 +Flask-SQLAlchemy==3.1.1 +Flask-Migrate==4.0.5 +Flask-Login==0.6.3 +Flask-WTF==1.2.1 +Flask-Limiter==3.5.0 +Flask-Mail==0.9.1 +Flask-Session==0.5.0 +Flask-Talisman==1.1.0 +flask-seasurf==1.1.1 + +# Database +SQLAlchemy==2.0.23 +psycopg2-binary==2.9.9 +alembic==1.12.1 + +# Security +bcrypt==4.0.1 +pyjwt==2.8.0 +python-dotenv==1.0.0 +secure==0.3.0 + +# UI +Jinja2==3.1.2 +WTForms==3.1.1 +email-validator==2.1.0 + +# Utils +gunicorn==21.2.0 +python-dateutil==2.8.2 +PyYAML==6.0.1 +requests==2.31.0 + +# Visualization +networkx==3.2.1 +matplotlib==3.8.0 \ No newline at end of file