porsche/vmis
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(vmis): 租戶自動開通完整流程 + Admin Portal SSO + NC 行事曆訂閱

Browse Source 
Backend:
- schedule_tenant: NC 新容器自動 pgsql 安裝 (_nc_db_check 全新容器處理)
- schedule_tenant: NC 初始化加入 Redis + APCu memcache 設定 (修正 OIDC invalid_state)
- schedule_tenant: 新租戶 KC realm 自動設定 accessCodeLifespan=600s (修正 authentication_expired)
- schedule_account: NC Mail 帳號自動設定 (nc_mail_result/nc_mail_done_at)
- schedule_account: NC 台灣國定假日行事曆自動訂閱 (CalDAV MKCALENDAR)
- nextcloud_client: 新增 subscribe_calendar() CalDAV 訂閱方法
- settings: 新增系統設定 API (site_title/version/timezone/SSO/Keycloak)
- models/result: 新增 nc_mail_result, nc_mail_done_at 欄位
- alembic: 遷移 002(system_settings) 003(keycloak_admin) 004(nc_mail_result)

Frontend (Admin Portal):
- 新增完整管理後台 (index/tenants/accounts/servers/schedules/logs/settings/system-status)
- api.js: Keycloak JS Adapter SSO 整合 (PKCE/S256, fallback KC JS 來源, 自動 token 更新)
- index.html: Promise.allSettled 取代 Promise.all,防止單一 API 失敗影響整頁
- 所有頁面加入 try/catch + toast 錯誤處理
- 新增品牌 LOGO 與 favicon

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
VMIS Developer
2026-03-15 15:31:37 +08:00
parent 42d1420f9c
commit 62baadb06f
53 changed files with 5638 additions and 195 deletions
Download Patch File Download Diff File Expand all files Collapse all files

123
backend/app/services/docker_client.py
View File

@@ -1,6 +1,7 @@
"""
DockerClient — docker-py (本機 Docker socket) + paramiko SSH (遠端 docker compose)
管理租戶的 NC / OO 容器
DockerClient — paramiko SSH (遠端 docker / traefik 查詢)
所有容器都在 10.1.0.254,透過 SSH 操作
3-state 回傳: None=未設定(灰), True=正常(綠), False=異常(紅)
"""
import logging
from typing import Optional
@@ -12,70 +13,74 @@ logger = logging.getLogger(__name__)
class DockerClient:
def __init__(self):
self._docker = None
def _get_docker(self):
if self._docker is None:
import docker
self._docker = docker.from_env()
return self._docker
def _ssh(self):
"""建立 SSH 連線到 10.1.0.254"""
import paramiko
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(
settings.DOCKER_SSH_HOST,
username=settings.DOCKER_SSH_USER,
timeout=15,
)
return client
def check_traefik_route(self, domain: str) -> bool:
def check_traefik_domain(self, domain: str) -> Optional[bool]:
"""
Traefik API: GET http://localhost:8080/api/http/routers
驗證 routers 中包含 domain且 routers 數量 > 0
None = domain 在 Traefik 沒有路由設定(灰)
True = 路由存在且服務存活(綠)
False = 路由存在但服務不通(紅)
"""
try:
resp = httpx.get("http://localhost:8080/api/overview", timeout=5.0)
resp = httpx.get(f"http://{settings.DOCKER_SSH_HOST}:8080/api/http/routers", timeout=5.0)
if resp.status_code != 200:
return False
data = resp.json()
# Verify actual routes exist (functional check)
http_count = data.get("http", {}).get("routers", {}).get("total", 0)
if http_count == 0:
routers = resp.json()
route_found = any(domain in str(r.get("rule", "")) for r in routers)
if not route_found:
return None
# Route exists — probe the service
try:
probe = httpx.get(
f"https://{domain}",
timeout=5.0,
follow_redirects=True,
)
return probe.status_code < 500
except Exception:
return False
# Check domain-specific router
routers_resp = httpx.get("http://localhost:8080/api/http/routers", timeout=5.0)
if routers_resp.status_code != 200:
return False
routers = routers_resp.json()
return any(domain in str(r.get("rule", "")) for r in routers)
except Exception as e:
logger.warning(f"Traefik check failed for {domain}: {e}")
return False
def ensure_container_running(self, container_name: str, tenant_code: str, realm: str) -> bool:
"""Check container status; start if exited; deploy via SSH if not found."""
def check_container_ssh(self, container_name: str) -> Optional[bool]:
"""
SSH 到 10.1.0.254 查詢容器狀態。
None = 容器不存在(未部署)
True = 容器正在執行
False = 容器存在但未執行exited/paused
"""
try:
docker_client = self._get_docker()
container = docker_client.containers.get(container_name)
if container.status == "running":
return True
elif container.status == "exited":
container.start()
container.reload()
return container.status == "running"
except Exception as e:
if "Not Found" in str(e) or "404" in str(e):
return self._ssh_compose_up(tenant_code, realm)
logger.error(f"Docker check failed for {container_name}: {e}")
return False
return False
def _ssh_compose_up(self, tenant_code: str, realm: str) -> bool:
"""SSH into 10.1.0.254 and run docker compose up -d"""
try:
import paramiko
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(
settings.DOCKER_SSH_HOST,
username=settings.DOCKER_SSH_USER,
timeout=15,
client = self._ssh()
_, stdout, _ = client.exec_command(
f"docker inspect --format='{{{{.State.Status}}}}' {container_name} 2>/dev/null"
)
output = stdout.read().decode().strip()
client.close()
if not output:
return None
return output == "running"
except Exception as e:
logger.error(f"SSH container check failed for {container_name}: {e}")
return False
def ssh_compose_up(self, tenant_code: str) -> bool:
"""SSH 到 10.1.0.254 執行 docker compose up -d"""
try:
client = self._ssh()
deploy_dir = f"{settings.TENANT_DEPLOY_BASE}/{tenant_code}"
stdin, stdout, stderr = client.exec_command(
_, stdout, _ = client.exec_command(
f"cd {deploy_dir} && docker compose up -d 2>&1"
)
exit_status = stdout.channel.recv_exit_status()
@@ -84,3 +89,19 @@ class DockerClient:
except Exception as e:
logger.error(f"SSH compose up failed for {tenant_code}: {e}")
return False
def get_oo_disk_usage_gb(self, container_name: str) -> Optional[float]:
"""取得 OO 容器磁碟使用量GB容器不存在回傳 None"""
try:
client = self._ssh()
_, stdout, _ = client.exec_command(
f"docker exec {container_name} df -B1 / 2>/dev/null | awk 'NR==2 {{print $3}}'"
)
output = stdout.read().decode().strip()
client.close()
if output.isdigit():
return round(int(output) / (1024 ** 3), 3)
return None
except Exception as e:
logger.warning(f"OO disk usage check failed for {container_name}: {e}")
return None

177
backend/app/services/keycloak_client.py
View File

@@ -1,34 +1,36 @@
"""
KeycloakClient — 直接呼叫 Keycloak REST API不使用 python-keycloak 套件。
管理租戶 realm 及帳號的建立/查詢
使用 master realm admin 帳密取得管理 token管理租戶 realm 及帳號。
"""
import logging
from typing import Optional
import httpx
from app.core.config import settings
logger = logging.getLogger(__name__)
TIMEOUT = 10.0
class KeycloakClient:
def __init__(self):
self._base = settings.KEYCLOAK_URL.rstrip("/")
def __init__(self, base_url: str, admin_user: str, admin_pass: str):
self._base = base_url.rstrip("/")
self._admin_user = admin_user
self._admin_pass = admin_pass
self._admin_token: Optional[str] = None
def _get_admin_token(self) -> str:
"""取得 vmis-admin realm 的 admin access token"""
url = f"{self._base}/realms/{settings.KEYCLOAK_ADMIN_REALM}/protocol/openid-connect/token"
"""取得 master realm 的 admin access tokenResource Owner Password"""
url = f"{self._base}/realms/master/protocol/openid-connect/token"
resp = httpx.post(
url,
data={
"grant_type": "client_credentials",
"client_id": settings.KEYCLOAK_ADMIN_CLIENT_ID,
"client_secret": settings.KEYCLOAK_ADMIN_CLIENT_SECRET,
"grant_type": "password",
"client_id": "admin-cli",
"username": self._admin_user,
"password": self._admin_pass,
},
timeout=TIMEOUT,
verify=False,
)
resp.raise_for_status()
return resp.json()["access_token"]
@@ -43,7 +45,12 @@ class KeycloakClient:
def realm_exists(self, realm: str) -> bool:
try:
resp = httpx.get(self._admin_url(realm), headers=self._headers(), timeout=TIMEOUT)
resp = httpx.get(
self._admin_url(realm),
headers=self._headers(),
timeout=TIMEOUT,
verify=False,
)
return resp.status_code == 200
except Exception:
return False
@@ -60,21 +67,58 @@ class KeycloakClient:
json=payload,
headers=self._headers(),
timeout=TIMEOUT,
verify=False,
)
return resp.status_code in (201, 204)
def update_realm_token_settings(self, realm: str, access_code_lifespan: int = 600) -> bool:
"""設定 realm 的授權碼有效期(秒),預設 10 分鐘"""
resp = httpx.put(
self._admin_url(realm),
json={
"accessCodeLifespan": access_code_lifespan,
"actionTokenGeneratedByUserLifespan": access_code_lifespan,
},
headers=self._headers(),
timeout=TIMEOUT,
verify=False,
)
return resp.status_code in (200, 204)
def send_welcome_email(self, realm: str, user_id: str) -> bool:
"""寄送歡迎信(含設定密碼連結)給新使用者"""
try:
resp = httpx.put(
self._admin_url(f"{realm}/users/{user_id}/execute-actions-email"),
json=["UPDATE_PASSWORD"],
headers=self._headers(),
timeout=TIMEOUT,
verify=False,
)
return resp.status_code in (200, 204)
except Exception as e:
logger.error(f"KC send_welcome_email({realm}/{user_id}) failed: {e}")
return False
def get_user_uuid(self, realm: str, username: str) -> Optional[str]:
resp = httpx.get(
self._admin_url(f"{realm}/users"),
params={"username": username, "exact": "true"},
headers=self._headers(),
timeout=TIMEOUT,
verify=False,
)
resp.raise_for_status()
users = resp.json()
return users[0]["id"] if users else None
def create_user(self, realm: str, username: str, email: str, password: Optional[str]) -> Optional[str]:
def create_user(
self,
realm: str,
username: str,
email: str,
password: Optional[str],
) -> Optional[str]:
payload = {
"username": username,
"email": email,
@@ -82,14 +126,121 @@ class KeycloakClient:
"emailVerified": True,
}
if password:
payload["credentials"] = [{"type": "password", "value": password, "temporary": True}]
payload["credentials"] = [
{"type": "password", "value": password, "temporary": True}
]
resp = httpx.post(
self._admin_url(f"{realm}/users"),
json=payload,
headers=self._headers(),
timeout=TIMEOUT,
verify=False,
)
if resp.status_code == 201:
location = resp.headers.get("Location", "")
return location.rstrip("/").split("/")[-1]
return None
def create_public_client(self, realm: str, client_id: str) -> str:
"""建立 Public Client。回傳 'exists' / 'created' / 'failed'"""
resp = httpx.get(
self._admin_url(f"{realm}/clients"),
params={"clientId": client_id},
headers=self._headers(),
timeout=TIMEOUT,
verify=False,
)
resp.raise_for_status()
if resp.json():
return "exists"
payload = {
"clientId": client_id,
"name": client_id,
"enabled": True,
"publicClient": True,
"standardFlowEnabled": True,
"directAccessGrantsEnabled": False,
"redirectUris": ["*"],
"webOrigins": ["*"],
}
resp = httpx.post(
self._admin_url(f"{realm}/clients"),
json=payload,
headers=self._headers(),
timeout=TIMEOUT,
verify=False,
)
return "created" if resp.status_code in (201, 204) else "failed"
def create_confidential_client(self, realm: str, client_id: str, redirect_uris: list[str]) -> str:
"""建立 Confidential Client用於 NC OIDC。回傳 'exists' / 'created' / 'failed'"""
resp = httpx.get(
self._admin_url(f"{realm}/clients"),
params={"clientId": client_id},
headers=self._headers(),
timeout=TIMEOUT,
verify=False,
)
resp.raise_for_status()
if resp.json():
return "exists"
origin = redirect_uris[0].rstrip("/*") if redirect_uris else "*"
payload = {
"clientId": client_id,
"name": client_id,
"enabled": True,
"publicClient": False,
"standardFlowEnabled": True,
"directAccessGrantsEnabled": False,
"redirectUris": redirect_uris,
"webOrigins": [origin],
"protocol": "openid-connect",
}
resp = httpx.post(
self._admin_url(f"{realm}/clients"),
json=payload,
headers=self._headers(),
timeout=TIMEOUT,
verify=False,
)
return "created" if resp.status_code in (201, 204) else "failed"
def get_client_secret(self, realm: str, client_id: str) -> Optional[str]:
"""取得 Confidential Client 的 Secret"""
resp = httpx.get(
self._admin_url(f"{realm}/clients"),
params={"clientId": client_id},
headers=self._headers(),
timeout=TIMEOUT,
verify=False,
)
resp.raise_for_status()
clients = resp.json()
if not clients:
return None
client_uuid = clients[0]["id"]
resp = httpx.get(
self._admin_url(f"{realm}/clients/{client_uuid}/client-secret"),
headers=self._headers(),
timeout=TIMEOUT,
verify=False,
)
if resp.status_code == 200:
return resp.json().get("value")
return None
def get_keycloak_client() -> KeycloakClient:
"""Factory: reads credentials from system settings DB."""
from app.core.database import SessionLocal
from app.models.settings import SystemSettings
db = SessionLocal()
try:
s = db.query(SystemSettings).first()
if s:
return KeycloakClient(s.keycloak_url, s.keycloak_admin_user, s.keycloak_admin_pass)
finally:
db.close()
# Fallback to defaults
return KeycloakClient("https://auth.lab.taipei", "admin", "")

96
backend/app/services/mail_client.py
View File

@@ -1,24 +1,36 @@
"""
MailClient — 呼叫 Docker Mailserver Admin API (http://10.1.0.254:8080)
管理 mail domain 和 mailbox 的建立/查詢。
建立 domain 前必須驗證 MX DNS 設定(對 active 租戶)
MailClient — 透過 SSH + docker exec mailserver 管理 docker-mailserver。
domain 在 docker-mailserver 中是隱式的(由 mailbox 決定),
所以 domain_exists 檢查是否有任何 @domain 的 mailbox
"""
import logging
from typing import Optional
import httpx
import dns.resolver
from app.core.config import settings
logger = logging.getLogger(__name__)
TIMEOUT = 10.0
MAILSERVER_CONTAINER = "mailserver"
class MailClient:
def __init__(self):
self._base = settings.MAIL_ADMIN_API_URL.rstrip("/")
self._headers = {"X-API-Key": settings.MAIL_ADMIN_API_KEY}
def _ssh_exec(self, cmd: str) -> tuple[int, str]:
"""SSH 到 10.1.0.254 執行指令,回傳 (exit_code, stdout)"""
import paramiko
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(
settings.DOCKER_SSH_HOST,
username=settings.DOCKER_SSH_USER,
timeout=15,
)
_, stdout, _ = client.exec_command(cmd)
output = stdout.read().decode().strip()
exit_code = stdout.channel.recv_exit_status()
client.close()
return exit_code, output
def check_mx_dns(self, domain: str) -> bool:
"""驗證 domain 的 MX record 是否指向正確的 mail server"""
@@ -33,49 +45,65 @@ class MailClient:
return False
def domain_exists(self, domain: str) -> bool:
"""檢查 mailserver 是否有任何 @domain 的 mailboxdocker-mailserver 的 domain 由 mailbox 決定)"""
try:
resp = httpx.get(
f"{self._base}/api/v1/domains/{domain}",
headers=self._headers,
timeout=TIMEOUT,
code, output = self._ssh_exec(
f"docker exec {MAILSERVER_CONTAINER} setup email list 2>/dev/null | grep -q '@{domain}' && echo yes || echo no"
)
return resp.status_code == 200
except Exception:
return output.strip() == "yes"
except Exception as e:
logger.warning(f"domain_exists({domain}) SSH failed: {e}")
return False
def create_domain(self, domain: str) -> bool:
"""
docker-mailserver 不需要顯式建立 domainmailbox 新增時自動處理)。
新增一個 postmaster@ 系統帳號來確保 domain 被識別。
"""
try:
resp = httpx.post(
f"{self._base}/api/v1/domains",
json={"domain": domain},
headers=self._headers,
timeout=TIMEOUT,
import secrets
passwd = secrets.token_urlsafe(16)
code, output = self._ssh_exec(
f"docker exec {MAILSERVER_CONTAINER} setup email add postmaster@{domain} {passwd} 2>&1"
)
return resp.status_code in (200, 201, 204)
if code == 0:
logger.info(f"create_domain({domain}): postmaster account created")
return True
# 若帳號已存在視為成功
if "already exists" in output.lower():
return True
logger.error(f"create_domain({domain}) failed (exit {code}): {output}")
return False
except Exception as e:
logger.error(f"create_domain({domain}) failed: {e}")
logger.error(f"create_domain({domain}) SSH failed: {e}")
return False
def mailbox_exists(self, email: str) -> bool:
try:
resp = httpx.get(
f"{self._base}/api/v1/mailboxes/{email}",
headers=self._headers,
timeout=TIMEOUT,
code, output = self._ssh_exec(
f"docker exec {MAILSERVER_CONTAINER} setup email list 2>/dev/null | grep -q '{email}' && echo yes || echo no"
)
return resp.status_code == 200
except Exception:
return output.strip() == "yes"
except Exception as e:
logger.warning(f"mailbox_exists({email}) SSH failed: {e}")
return False
def create_mailbox(self, email: str, password: Optional[str], quota_gb: int = 20) -> bool:
try:
resp = httpx.post(
f"{self._base}/api/v1/mailboxes",
json={"email": email, "password": password or "", "quota": quota_gb},
headers=self._headers,
timeout=TIMEOUT,
import secrets
passwd = password or secrets.token_urlsafe(16)
quota_mb = quota_gb * 1024
code, output = self._ssh_exec(
f"docker exec {MAILSERVER_CONTAINER} setup email add {email} {passwd} 2>&1"
)
return resp.status_code in (200, 201, 204)
if code != 0 and "already exists" not in output.lower():
logger.error(f"create_mailbox({email}) failed (exit {code}): {output}")
return False
# 設定配額
self._ssh_exec(
f"docker exec {MAILSERVER_CONTAINER} setup quota set {email} {quota_mb}M 2>/dev/null"
)
return True
except Exception as e:
logger.error(f"create_mailbox({email}) failed: {e}")
logger.error(f"create_mailbox({email}) SSH failed: {e}")
return False

62
backend/app/services/nextcloud_client.py
View File

@@ -47,6 +47,20 @@ class NextcloudClient:
logger.error(f"NC create_user({username}) failed: {e}")
return False
def set_user_quota(self, username: str, quota_gb: int) -> bool:
try:
resp = httpx.put(
f"{self._base}/ocs/v1.php/cloud/users/{username}",
auth=self._auth,
headers=OCS_HEADERS,
data={"key": "quota", "value": f"{quota_gb}GB"},
timeout=TIMEOUT,
)
return resp.status_code == 200
except Exception as e:
logger.error(f"NC set_user_quota({username}) failed: {e}")
return False
def get_user_quota_used_gb(self, username: str) -> Optional[float]:
try:
resp = httpx.get(
@@ -57,11 +71,57 @@ class NextcloudClient:
)
if resp.status_code != 200:
return None
used_bytes = resp.json().get("ocs", {}).get("data", {}).get("quota", {}).get("used", 0)
quota = resp.json().get("ocs", {}).get("data", {}).get("quota", {})
if not isinstance(quota, dict):
return 0.0
used_bytes = quota.get("used", 0) or 0
return round(used_bytes / 1073741824, 4)
except Exception:
return None
def subscribe_calendar(
self,
username: str,
cal_slug: str,
display_name: str,
ics_url: str,
color: str = "#e9322d",
) -> bool:
"""
為使用者建立訂閱行事曆CalDAV MKCALENDAR with calendarserver source
已存在(405)視為成功201=新建成功。
"""
try:
body = (
'<?xml version="1.0" encoding="UTF-8"?>\n'
'<x1:mkcalendar xmlns:x1="urn:ietf:params:xml:ns:caldav">\n'
' <x0:set xmlns:x0="DAV:">\n'
' <x0:prop>\n'
f' <x0:displayname>{display_name}</x0:displayname>\n'
f' <x2:calendar-color xmlns:x2="http://apple.com/ns/ical/">{color}</x2:calendar-color>\n'
' <x3:source xmlns:x3="http://calendarserver.org/ns/">\n'
f' <x0:href>{ics_url}</x0:href>\n'
' </x3:source>\n'
' </x0:prop>\n'
' </x0:set>\n'
'</x1:mkcalendar>'
)
url = f"{self._base}/remote.php/dav/calendars/{username}/{cal_slug}/"
resp = httpx.request(
"MKCALENDAR",
url,
auth=self._auth,
content=body.encode("utf-8"),
headers={"Content-Type": "application/xml; charset=utf-8"},
timeout=TIMEOUT,
verify=False,
)
# 201=建立成功, 405=已存在(Method Not Allowed on existing resource)
return resp.status_code in (201, 405)
except Exception as e:
logger.error(f"NC subscribe_calendar({username}, {cal_slug}) failed: {e}")
return False
def get_total_quota_used_gb(self) -> Optional[float]:
"""Sum all users' quota usage"""
try:

24
backend/app/services/scheduler/runner.py
View File

@@ -17,28 +17,33 @@ def dispatch_schedule(schedule_id: int, log_id: int = None, db: Session = None):
When called from manual API, creates its own session and log.
"""
own_db = db is None
own_log = False
log_obj = None
if own_db:
db = SessionLocal()
if log_id is None:
from datetime import datetime
from app.core.utils import now_tw
from app.models.schedule import ScheduleLog, Schedule
schedule = db.get(Schedule, schedule_id)
if not schedule:
if own_db:
db.close()
return
log = ScheduleLog(
log_obj = ScheduleLog(
schedule_id=schedule_id,
schedule_name=schedule.name,
started_at=datetime.utcnow(),
started_at=now_tw(),
status="running",
)
db.add(log)
db.add(log_obj)
db.commit()
db.refresh(log)
log_id = log.id
db.refresh(log_obj)
log_id = log_obj.id
own_log = True
final_status = "error"
try:
if schedule_id == 1:
from app.services.scheduler.schedule_tenant import run_tenant_check
@@ -51,9 +56,16 @@ def dispatch_schedule(schedule_id: int, log_id: int = None, db: Session = None):
run_system_status(log_id, db)
else:
logger.warning(f"Unknown schedule_id: {schedule_id}")
final_status = "ok"
except Exception as e:
logger.exception(f"dispatch_schedule({schedule_id}) error: {e}")
raise
finally:
# When called from manual trigger (own_log), finalize the log entry
if own_log and log_obj is not None:
from app.core.utils import now_tw
log_obj.ended_at = now_tw()
log_obj.status = final_status
db.commit()
if own_db:
db.close()

115
backend/app/services/scheduler/schedule_account.py
View File

@@ -4,6 +4,7 @@ Schedule 2 — 帳號檢查(每 3 分鐘)
"""
import logging
from datetime import datetime
from app.core.utils import now_tw
from sqlalchemy.orm import Session
from app.models.account import Account
@@ -13,16 +14,17 @@ logger = logging.getLogger(__name__)
def run_account_check(schedule_log_id: int, db: Session):
from app.services.keycloak_client import KeycloakClient
from app.services.mail_client import MailClient
from app.services.nextcloud_client import NextcloudClient
from app.services.keycloak_client import get_keycloak_client
accounts = (
db.query(Account)
.filter(Account.is_active == True)
.all()
)
kc = KeycloakClient()
kc = get_keycloak_client()
mail = MailClient()
for account in accounts:
@@ -32,7 +34,7 @@ def run_account_check(schedule_log_id: int, db: Session):
schedule_log_id=schedule_log_id,
account_id=account.id,
sso_account=account.sso_account,
recorded_at=datetime.utcnow(),
recorded_at=now_tw(),
)
fail_reasons = []
@@ -45,15 +47,19 @@ def run_account_check(schedule_log_id: int, db: Session):
if not account.sso_uuid:
account.sso_uuid = sso_uuid
else:
sso_uuid = kc.create_user(realm, account.sso_account, account.email, account.default_password)
kc_email = account.notification_email or account.email
sso_uuid = kc.create_user(realm, account.sso_account, kc_email, account.default_password)
result.sso_result = sso_uuid is not None
result.sso_uuid = sso_uuid
if sso_uuid and not account.sso_uuid:
account.sso_uuid = sso_uuid
result.sso_done_at = datetime.utcnow()
# 新使用者:寄送歡迎信(含設定密碼連結)
if account.notification_email:
kc.send_welcome_email(realm, sso_uuid)
result.sso_done_at = now_tw()
except Exception as e:
result.sso_result = False
result.sso_done_at = datetime.utcnow()
result.sso_done_at = now_tw()
fail_reasons.append(f"sso: {e}")
# [2] Mailbox check (skip if mail domain not ready)
@@ -65,30 +71,113 @@ def run_account_check(schedule_log_id: int, db: Session):
else:
created = mail.create_mailbox(email, account.default_password, account.quota_limit)
result.mailbox_result = created
result.mailbox_done_at = datetime.utcnow()
result.mailbox_done_at = now_tw()
except Exception as e:
result.mailbox_result = False
result.mailbox_done_at = datetime.utcnow()
result.mailbox_done_at = now_tw()
fail_reasons.append(f"mailbox: {e}")
# [3] NC user check
try:
nc = NextcloudClient(tenant.domain)
from app.core.config import settings as _cfg
nc = NextcloudClient(tenant.domain, _cfg.NC_ADMIN_USER, _cfg.NC_ADMIN_PASSWORD)
nc_exists = nc.user_exists(account.sso_account)
if nc_exists:
result.nc_result = True
else:
created = nc.create_user(account.sso_account, account.default_password, account.quota_limit)
result.nc_result = created
result.nc_done_at = datetime.utcnow()
# 確保 quota 設定正確(無論新建或已存在)
if result.nc_result and account.quota_limit:
nc.set_user_quota(account.sso_account, account.quota_limit)
result.nc_done_at = now_tw()
except Exception as e:
result.nc_result = False
result.nc_done_at = datetime.utcnow()
result.nc_done_at = now_tw()
fail_reasons.append(f"nc: {e}")
# [4] Quota
# [3.5] NC 台灣國定假日行事曆訂閱
# 前置條件NC 帳號已存在MKCALENDAR 為 idempotent已存在回傳 405 視為成功)
TW_HOLIDAYS_ICS_URL = "https://www.officeholidays.com/ics-clean/taiwan"
if result.nc_result:
try:
cal_ok = nc.subscribe_calendar(
account.sso_account,
"taiwan-public-holidays",
"台灣國定假日",
TW_HOLIDAYS_ICS_URL,
"#e9322d",
)
if cal_ok:
logger.info(f"NC calendar subscribed [{account.sso_account}]: taiwan-public-holidays")
else:
logger.warning(f"NC calendar subscribe failed [{account.sso_account}]")
except Exception as e:
logger.warning(f"NC calendar subscribe error [{account.sso_account}]: {e}")
# [4] NC Mail 帳號設定
# 前置條件NC 帳號已建立 + mailbox 已建立
try:
nc = NextcloudClient(tenant.domain)
if result.nc_result and result.mailbox_result:
import paramiko
from app.core.config import settings as _cfg
is_active = tenant.status == "active"
nc_container = f"nc-{tenant.code}" if is_active else f"nc-{tenant.code}-test"
email = account.email or f"{account.sso_account}@{tenant.domain}"
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(_cfg.DOCKER_SSH_HOST, username=_cfg.DOCKER_SSH_USER, timeout=15)
def _ssh_run(cmd, timeout=60):
"""執行 SSH 指令並回傳輸出,超時返回空字串"""
_, stdout, _ = ssh.exec_command(cmd)
stdout.channel.settimeout(timeout)
try:
out = stdout.read().decode().strip()
except Exception:
out = ""
return out
# 確認是否已設定occ mail:account:export 回傳帳號列表)
export_out = _ssh_run(
f"docker exec -u www-data {nc_container} "
f"php /var/www/html/occ mail:account:export {account.sso_account} 2>/dev/null"
)
already_set = len(export_out) > 10 and "imap" in export_out.lower()
if already_set:
result.nc_mail_result = True
else:
display = account.legal_name or account.sso_account
create_cmd = (
f"docker exec -u www-data {nc_container} "
f"php /var/www/html/occ mail:account:create "
f"'{account.sso_account}' '{display}' '{email}' "
f"10.1.0.254 143 none '{email}' '{account.default_password}' "
f"10.1.0.254 587 none '{email}' '{account.default_password}' 2>&1"
)
out_text = _ssh_run(create_cmd)
logger.info(f"NC mail:account:create [{account.sso_account}]: {out_text}")
result.nc_mail_result = (
"error" not in out_text.lower() and "exception" not in out_text.lower()
)
ssh.close()
else:
result.nc_mail_result = False
fail_reasons.append(
f"nc_mail: skipped (nc={result.nc_result}, mailbox={result.mailbox_result})"
)
result.nc_mail_done_at = now_tw()
except Exception as e:
result.nc_mail_result = False
result.nc_mail_done_at = now_tw()
fail_reasons.append(f"nc_mail: {e}")
# [5] Quota
try:
nc = NextcloudClient(tenant.domain, _cfg.NC_ADMIN_USER, _cfg.NC_ADMIN_PASSWORD)
result.quota_usage = nc.get_user_quota_used_gb(account.sso_account)
except Exception as e:
logger.warning(f"Quota check failed for {account.account_code}: {e}")

5
backend/app/services/scheduler/schedule_system.py
View File

@@ -5,6 +5,7 @@ Part B: 伺服器 ping 檢查
"""
import logging
from datetime import datetime
from app.core.utils import now_tw
from sqlalchemy.orm import Session
from app.models.server import SystemStatusLog, ServerStatusLog, Server
@@ -64,7 +65,7 @@ def run_system_status(schedule_log_id: int, db: Session):
service_desc=svc["service_desc"],
result=result,
fail_reason=fail_reason,
recorded_at=datetime.utcnow(),
recorded_at=now_tw(),
))
# Part B: Server ping
@@ -87,7 +88,7 @@ def run_system_status(schedule_log_id: int, db: Session):
result=result,
response_time=response_time,
fail_reason=fail_reason,
recorded_at=datetime.utcnow(),
recorded_at=now_tw(),
))
db.commit()

996
backend/app/services/scheduler/schedule_tenant.py
View File

File diff suppressed because it is too large Load Diff

13
backend/app/services/scheduler/watchdog.py
View File

@@ -4,6 +4,7 @@ Watchdog: APScheduler BackgroundScheduler每 3 分鐘掃描 schedules 表。
"""
import logging
from datetime import datetime
from app.core.utils import now_tw
from apscheduler.schedulers.background import BackgroundScheduler
from croniter import croniter
from sqlalchemy import update
@@ -24,7 +25,7 @@ def _watchdog_tick():
db.query(Schedule)
.filter(
Schedule.status == "Waiting",
Schedule.next_run_at <= datetime.utcnow(),
Schedule.next_run_at <= now_tw(),
)
.all()
)
@@ -44,7 +45,7 @@ def _watchdog_tick():
log = ScheduleLog(
schedule_id=schedule.id,
schedule_name=schedule.name,
started_at=datetime.utcnow(),
started_at=now_tw(),
status="running",
)
db.add(log)
@@ -60,12 +61,12 @@ def _watchdog_tick():
final_status = "error"
# Update log
log.ended_at = datetime.utcnow()
log.ended_at = now_tw()
log.status = final_status
# Recalculate next_run_at
# Recalculate next_run_at (5-field cron: 分 時 日 月 週)
try:
cron = croniter(schedule.cron_timer, datetime.utcnow())
cron = croniter(schedule.cron_timer, now_tw())
next_run = cron.get_next(datetime)
except Exception:
next_run = None
@@ -76,7 +77,7 @@ def _watchdog_tick():
.where(Schedule.id == schedule.id)
.values(
status="Waiting",
last_run_at=datetime.utcnow(),
last_run_at=now_tw(),
next_run_at=next_run,
last_status=final_status,
)

15
backend/app/services/seed.py
View File

@@ -1,9 +1,11 @@
"""Initial data seed: schedules + servers"""
"""Initial data seed: schedules + servers + system settings"""
from datetime import datetime
from app.core.utils import now_tw, configure_timezone
from croniter import croniter
from sqlalchemy.orm import Session
from app.models.schedule import Schedule
from app.models.server import Server
from app.models.settings import SystemSettings
INITIAL_SCHEDULES = [
@@ -26,7 +28,7 @@ INITIAL_SERVERS = [
def _calc_next_run(cron_timer: str) -> datetime:
# croniter: six-field cron (sec min hour day month weekday)
cron = croniter(cron_timer, datetime.utcnow())
cron = croniter(cron_timer, now_tw())
return cron.get_next(datetime)
@@ -46,4 +48,13 @@ def seed_initial_data(db: Session) -> None:
if not db.get(Server, sv["id"]):
db.add(Server(**sv))
# Seed default system settings (id=1)
if not db.get(SystemSettings, 1):
db.add(SystemSettings(id=1))
db.commit()
# Apply timezone from settings
s = db.get(SystemSettings, 1)
if s:
configure_timezone(s.timezone)