From 25d910cef75e89ada8de4941341dc48970a32ef9 Mon Sep 17 00:00:00 2001
From: stakost <aa@bbbbb.cc>
Date: Sun, 1 Jun 2025 14:03:16 +0300
Subject: [PATCH] Fix Vault integration and ALLOWED_USER_IDS handling

---
 __pycache__/vault_client.cpython-313.pyc | Bin 0 -> 4682 bytes
 bot.py                                   |  57 ++++++++++-----
 docker-compose.portainer.yml             |  72 +++++++++----------
 docker-compose.production.yml            |  46 +++++++++++++
 test_vault.py                            |  40 +++++++++++
 vault_client.py                          |  84 +++++++++++++++++++++++
 6 files changed, 247 insertions(+), 52 deletions(-)
 create mode 100644 __pycache__/vault_client.cpython-313.pyc
 create mode 100644 docker-compose.production.yml
 create mode 100644 test_vault.py
 create mode 100644 vault_client.py

diff --git a/__pycache__/vault_client.cpython-313.pyc b/__pycache__/vault_client.cpython-313.pyc
new file mode 100644
index 0000000000000000000000000000000000000000..6ce4709debed1e7a9ecd1c43a58769c0bbe4cebb
GIT binary patch
literal 4682
zcmb_fZ)_9E6(8HX{ujrABw#xMvI&8nBZ!krLPH2#oIhL$cgfY8P-qaV#dZ=O#`evw
zX)nhipzYPt(W7@N0$=|)d@12eoBlzdqerFm3m?}?B+?~P5k-~mQ*#%ptJ*JpZ`XDl
zNKPl(kvu!|-prdf<M;c`o8{6{JArbrsdM6=4nqEhoqS<(jpZ(ATp>K+4TlNUzXod1
z`bKJmuko;HfT7F)OIeP%Ngd%$RfK2SjJgGC9yfT|&#*J-HL6T+Bq*!ap@bZX$HZt*
zAEei8uCsg+8du11g6qH<25RDsltH_c<(cE=RwK_=kvAD?fu8la?YRB8z14`*@dsM7
zrY!+&kq+b*P43{Wv~=9&wW}pZ#AH<NiAKUP`7;a5O`=1}$I4yhj&e)+G<%U#{-E5=
zUgomrl^Nx?%DwEx?E75y0@p7}6Oo=cO>mkCF8d?p7L2*2+~)j=L?9jwbIMHi``L@S
z8Rbs)2Vn9Oki7@(4}u0*CtvWaP4HXZ1JWyGG%qKC+!+=G&<NyDsYu8hcw_#&M@STH
zY2^hhnc8xmft`E|yog6kk)49aFW?W$n~Qd4&hLyT;2-{BS{Wx^%b;pM;vac!Sn&7u
z1|~O6$a12?=ZnUJVss)d$sO%4H#MoH`jEiTYkk6@UbRf`@_jvlzF`z>TqStJKiog*
zmcl_AmVF^n7Ja89r)XS`oZ5XdE_<!2F)pc=aO_Nk#$&2!JS?mBGZ;{U7z$C<LLmx-
zNJzEmCa_tOYbHc_LS^Onsc_6|P#Gy49h30jIknX{B892sJLTgea#->Sad`sz!m71>
z`Z7T+a2peEt5!jX#3HgFsFg(_-I$jm&Lu?Ed9qlwCDV{@$TX%Kr?)8I9Gt5fN->wp
z7G0jJlOIlAJ@?_csra0056B#gp6X0hx+=3Ry-j&(@0_OtgwDn4t(lH=N9I8KfYPvE
zdF9w#^><Rtyw$z1$&+G!Y+uHIL^Z>aC24F`m}3}dVg6Gs%tuH7hdxtY%Js#K1peZ+
z0FWOM0?HaKgcfhe2OLMnjoWZ;Ay`(HZ~{5C7-NRD*Is))o@q43jHA}Pm4HT?`JVo*
zBS*`5cCRsJ8ZiY*SL?9XmJ@LV^kwVoW6TJ{n{iXT1#1ZM!n#F!wHEEwR!c_9^A;^c
zbQ2O|i^keVSSM*QuFR+*d`XP;v*SknJ7yRo`%N`u%;0q-ePBuX$-2A+Jop^XC3|7c
z<6m6jR$+?+wgVE)2@440luwmg9N51A%s2y`d&=)%98&H32PZfC&NTbPq&(ph6A45Q
z;CDO{^BO5c1EIK0M9Z5Jz>UFiszZl>pdl%V$Nc!`Kg?0`SMV?F16)x41e~1$CuWBA
zsjvy<mms+VOb=B36%39$L!@_bgI@cJcPg8pk(f+3fFr7vhTlqtC0SCL1Tc`gfr=3+
zER4meAjzVfl;{@RRV9wK^?ffG*6u{FnQqc%<NkysjjA@Sh5Umir9?a?h1C*G2wiYO
zHH0M$c1|mFGfsD)9&WWrP?W=}yO<P;HF&Pluc10m9+g#GK70A>RO^icHx4X1HY(*u
z=N-ouD%?xVMw@4$YFoya_9>nQrJ+l4`BVLms%tWx>CT0%wV4y?6Q8ptk27`XshzmF
ztM7jF?$pt&>p-f1!BP3Zu_No)G4J@sqpG^h?)2`T`BH}$JoQsYvYuVjC$gT-RPUt$
zZM{SDj)8>=*T0^WxtEF2=0RcQq5HM>E0prr=N*HK74H8mv7q?31W`_A{H@(P$m|Y#
zkHs|WbM_cbe>SqvUYm5ze+|+J!O;N;6z)%0Bv<kPE|3pc8#io&>}PE%X)<UeQ@BC%
zb_hWVf;nrFQ;X?q5KS%5{GW)1)rdx`fif@@v;sFSUPVxVuGo6A2Emw%Mq5VA&k>9v
zX7)qg$7|mrg0UtW!K{)2*xv;N0+#^#Ak%`33Ywo_0tLJPoPhLkTZh=-Wa-h}TKw)F
z#`|)TL6!g>uuO!-5L}HagV;#!2g?Y4<@$;#%+-p4evbpp7p)EYm4%Xf(86;ZuxbM2
zZonPSINQMi2Ox~87b^rmt-y-I3hAEKVWq*n23y;q@>(>Y(_PS3?YX=F@J@H4AfG5`
zu(#-1iDLLknD*#U=X9)>K;|LjhN!M$s23?3aOw)uCofM<)jz0f$=0<zsB6pCwE^&!
zm@=Dt!L@Um`HlUiUD@1{dUat7ml;YADb>5CduJ*iH2bs7ex<2f@${qyp15kRp8e?T
z)IiqNwLa1}*G}!sZuU+?)tq|u3G&Lf<{g2BimKFL9_elk=>zwh?{8Pi2j?9_ixn;n
z>24kAH~r1s)nvBX-o4*6yTjStZklapp}h*}h$t<+n9U<S7sVhilst|BorXM?#U4Pt
zVJ+0JBo*uE3)kv8dQ%=r>*xzvGS4<L^~LE-5e7#KToEWF1BDH($yU52zwQgnEhHB&
zFxU1!tZUED)z89PlEnOQ4X%Kz`5xp8_@4Sbpc@`$_@;szIeUQ{6Qj|SV(=8^88cii
zH9rmaAa_Qj5%FX+EU7j~-t~k*EurzG9Hs)k5DJ|n<lkypPLmKN>AP_n@-nKeduUh~
z9y;7NsFnnVMuz(WLjMpyT<DDOeF3#Br+LHA^WPo{^d|dZ6OTWh`p2EioN`UeIgo!Y
zDYwD(58yR<0SIMHKRL*Z{s?@CnbJL-3TZnSqkFOHz-k{<UY0gvTca6`TrmHnPE;9n
zhG~MfgilE>M;LbGg<w2378zGJKg$=oybI_23aayD$xJF-56bJZ<#luA^(o8WOUfT@
zt<Q|6N2jajwze(Q?99BAerJ0BT+QB9?d=UW_Fdnn_`2q{`#-m_mChx?mO7tqAU3Ds
zJUVYZ_GIOKF<mm}X)StMOz)nnZhx*{Q=6GgPiD@g&nb<s%++*()eUyAYO_-hxC%#6
z$P;w})<_xoc+l&_H&RSI9fmiOT@X&kLrHj@393U7-b#wmoTf|=#v)XbqmfuR76-LO
z5JK^wAW#=rQJItRcvNS3yxJ-9jcSr)s{aR_*xe*(>0Kl!h_Xy0Cn3NjLAXgY7d67B
z2xzTBDwlwM$a~~3%;_%}maSTHx>(P(&{G1RrI#yN_qC%_q3M<x({%gwSaxgMQv$N3
zU6ri;TJKcFRB+0j9{dty`VnYW;bzfdfWu|*(oxOw+lfeQT=SP|o@*`~!~uA6`aNRp
r)KBFA#h^v@l(s^(WHJ~G4~gv|DSJpt{z_`UG{0^z*uNlHYt#P={VAXs

literal 0
HcmV?d00001

diff --git a/bot.py b/bot.py
index cefcb91..f75a556 100644
--- a/bot.py
+++ b/bot.py
@@ -9,29 +9,45 @@ from librouteros.exceptions import TrapError
 from fastapi import FastAPI, Request
 import uvicorn
 from db import init_db, upsert_client, start_session, update_session, close_session, get_history, get_clients, get_stats
+from vault_client import VaultClient
 
 load_dotenv()
 
-TG_BOT_TOKEN = os.getenv("TG_BOT_TOKEN")
-MT_API_HOST = os.getenv("MT_API_HOST")
-MT_API_USER = os.getenv("MT_API_USER")
-MT_API_PASS = os.getenv("MT_API_PASS")
-ALLOWED_USER_IDS = set(map(int, os.getenv("ALLOWED_USER_IDS", "").split(",")))
+# Получаем конфигурацию из Vault или environment variables
+vault = VaultClient()
+config = vault.get_config()
 
-bot = Bot(token=TG_BOT_TOKEN)
+# Используем правильные имена переменных
+BOT_TOKEN = config.get('BOT_TOKEN') or os.getenv("BOT_TOKEN")
+ROUTER_HOST = config.get('ROUTER_HOST') or os.getenv("ROUTER_HOST")
+ROUTER_USER = config.get('ROUTER_USER') or os.getenv("ROUTER_USER") 
+ROUTER_PASSWORD = config.get('ROUTER_PASSWORD') or os.getenv("ROUTER_PASSWORD")
+
+# Безопасная обработка ALLOWED_USER_IDS
+allowed_ids_str = os.getenv("ALLOWED_USER_IDS", "")
+if allowed_ids_str.strip():
+    ALLOWED_USER_IDS = set(map(int, allowed_ids_str.split(",")))
+else:
+    # Если не установлено, используем пустое множество или значение по умолчанию
+    ALLOWED_USER_IDS = set()
+    print("⚠️ ALLOWED_USER_IDS не установлено - доступ для всех пользователей!")
+
+bot = Bot(token=BOT_TOKEN)
 dp = Dispatcher()
 
 # Авторизация по user_id
 async def check_user(message: types.Message) -> bool:
+    # Если список пуст, разрешаем всем (для тестирования)
+    if not ALLOWED_USER_IDS:
+        return True
     if message.from_user.id not in ALLOWED_USER_IDS:
         await message.answer("⛔️ Нет доступа")
         return False
     return True
 
 # Подключение к MikroTik API
-
 def get_mt_api():
-    return connect(username=MT_API_USER, password=MT_API_PASS, host=MT_API_HOST)
+    return connect(username=ROUTER_USER, password=ROUTER_PASSWORD, host=ROUTER_HOST)
 
 @dp.message(Command("start"))
 async def start_cmd(msg: types.Message):
@@ -111,8 +127,10 @@ async def event(request: Request):
     # Сохраняем клиента и сессию (fetch)
     await upsert_client(mac, name=None)
     await start_session(mac, ip, source='fetch')
-    for uid in ALLOWED_USER_IDS:
-        await bot.send_message(uid, text)
+    # Отправляем уведомления только если есть разрешённые пользователи
+    if ALLOWED_USER_IDS:
+        for uid in ALLOWED_USER_IDS:
+            await bot.send_message(uid, text)
     return {"status": "ok"}
 
 # --- Периодический polling MikroTik API для сбора статистики ---
@@ -167,8 +185,7 @@ async def history_cmd(msg: types.Message):
 
 @dp.callback_query(lambda c: c.data.startswith("history_"))
 async def history_period(callback: types.CallbackQuery):
-    if callback.from_user.id not in ALLOWED_USER_IDS:
-        await callback.answer("⛔️ Нет доступа", show_alert=True)
+    if not await check_user_callback(callback):
         return
     parts = callback.data.split("_")
     days = int(parts[1])
@@ -219,8 +236,7 @@ async def clients_cmd(msg: types.Message):
 
 @dp.callback_query(lambda c: c.data.startswith("clients_"))
 async def clients_page_cb(callback: types.CallbackQuery):
-    if callback.from_user.id not in ALLOWED_USER_IDS:
-        await callback.answer("⛔️ Нет доступа", show_alert=True)
+    if not await check_user_callback(callback):
         return
     parts = callback.data.split("_")
     page = int(parts[1]) if len(parts) > 1 else 1
@@ -272,8 +288,7 @@ async def stats_cmd(msg: types.Message):
 
 @dp.callback_query(lambda c: c.data.startswith("stats_"))
 async def stats_period(callback: types.CallbackQuery):
-    if callback.from_user.id not in ALLOWED_USER_IDS:
-        await callback.answer("⛔️ Нет доступа", show_alert=True)
+    if not await check_user_callback(callback):
         return
     parts = callback.data.split("_")
     days = int(parts[1])
@@ -313,5 +328,15 @@ async def send_stats_page(message, period_days, page, edit=False, callback=None)
     else:
         await message.answer(text, parse_mode="HTML", reply_markup=kb)
 
+# Добавляем вспомогательную функцию для проверки callback'ов
+async def check_user_callback(callback: types.CallbackQuery) -> bool:
+    # Если список пуст, разрешаем всем
+    if not ALLOWED_USER_IDS:
+        return True
+    if callback.from_user.id not in ALLOWED_USER_IDS:
+        await callback.answer("⛔️ Нет доступа", show_alert=True)
+        return False
+    return True
+
 if __name__ == "__main__":
     asyncio.run(main()) 
\ No newline at end of file
diff --git a/docker-compose.portainer.yml b/docker-compose.portainer.yml
index f4ce3bb..2025f57 100644
--- a/docker-compose.portainer.yml
+++ b/docker-compose.portainer.yml
@@ -1,44 +1,44 @@
 version: '3.8'
-services:
-  telegram-bot:
-    build: .
-    container_name: mikrotik-telegram-bot
-    env_file:
-      - .env
-    restart: unless-stopped
-    volumes:
-      - ./data:/app/data
-      - /var/run/docker.sock:/var/run/docker.sock:ro  # для watchtower
-    labels:
-      - "com.centurylinklabs.watchtower.enable=true"
-      - "com.centurylinklabs.watchtower.scope=mikrotik-bot"
-    healthcheck:
-      test: ["CMD", "curl", "-f", "http://localhost:8000/health"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 15s
-    networks:
-      - mikrotik-net
 
-  # Автообновление контейнеров при изменении кода
-  watchtower:
-    image: containrrr/watchtower:latest
-    container_name: watchtower-mikrotik
+services:
+  mikrotik-bot:
+    image: 10.10.30.121:5000/mikrotik-bot:latest
+    container_name: mikrotik-bot-production
     restart: unless-stopped
     environment:
-      - WATCHTOWER_CLEANUP=true
-      - WATCHTOWER_POLL_INTERVAL=300  # проверка каждые 5 мин
-      - WATCHTOWER_SCOPE=mikrotik-bot
-      - WATCHTOWER_INCLUDE_STOPPED=true
-      - WATCHTOWER_REVIVE_STOPPED=true
+      # Vault AppRole credentials (безопасно)
+      - VAULT_ADDR=http://10.10.30.121:8200
+      - VAULT_ROLE_ID=ba8d3d21-263e-4d92-8ffe-ef803017cef5
+      - VAULT_SECRET_ID=6b3ecc3c-9436-7f04-022f-8b1ce0ac09ee
+      - VAULT_SECRET_PATH=secret/data/mikrotik-bot
+      - DATABASE_PATH=/app/data/bot.db
+    volumes:
+      - mikrotik_bot_data:/app/data
+    ports:
+      - "8001:8000"  # Health check endpoint
+    networks:
+      - bot-network
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+      
+  # Автоматические обновления
+  watchtower:
+    image: containrrr/watchtower
+    container_name: watchtower-mikrotik
+    restart: unless-stopped
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
-    labels:
-      - "com.centurylinklabs.watchtower.scope=mikrotik-bot"
+    environment:
+      - WATCHTOWER_POLL_INTERVAL=60  # Проверять каждые 60 секунд
+      - WATCHTOWER_LABEL_ENABLE=true
+      - WATCHTOWER_CLEANUP=true
+    command: --interval 60 --label-enable --cleanup
     networks:
-      - mikrotik-net
-
+      - bot-network
+      
 networks:
-  mikrotik-net:
-    driver: bridge 
\ No newline at end of file
+  bot-network:
+    driver: bridge
+    
+volumes:
+  mikrotik_bot_data: 
\ No newline at end of file
diff --git a/docker-compose.production.yml b/docker-compose.production.yml
new file mode 100644
index 0000000..3a94535
--- /dev/null
+++ b/docker-compose.production.yml
@@ -0,0 +1,46 @@
+version: '3.8'
+
+services:
+  mikrotik-bot:
+    image: 10.10.30.121:5000/mikrotik-bot:latest
+    container_name: mikrotik-bot-production
+    restart: unless-stopped
+    environment:
+      # Vault AppRole credentials (безопасно)
+      - VAULT_ADDR=http://10.10.30.121:8200
+      - VAULT_ROLE_ID=ba8d3d21-263e-4d92-8ffe-ef803017cef5
+      - VAULT_SECRET_ID=6b3ecc3c-9436-7f04-022f-8b1ce0ac09ee
+      - VAULT_SECRET_PATH=secret/data/mikrotik-bot
+      - DATABASE_PATH=/app/data/bot.db
+    volumes:
+      - mikrotik_bot_data:/app/data
+    ports:
+      - "8000:8000"  # Health check endpoint
+    networks:
+      - bot-network
+    depends_on:
+      - watchtower
+    labels:
+      - "com.centurylinklabs.watchtower.enable=true"
+      
+  # Автоматические обновления
+  watchtower:
+    image: containrrr/watchtower
+    container_name: watchtower-mikrotik
+    restart: unless-stopped
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+    environment:
+      - WATCHTOWER_POLL_INTERVAL=60  # Проверять каждые 60 секунд
+      - WATCHTOWER_LABEL_ENABLE=true
+      - WATCHTOWER_CLEANUP=true
+    command: --interval 60 --label-enable --cleanup
+    networks:
+      - bot-network
+      
+networks:
+  bot-network:
+    driver: bridge
+    
+volumes:
+  mikrotik_bot_data: 
\ No newline at end of file
diff --git a/test_vault.py b/test_vault.py
new file mode 100644
index 0000000..137a65e
--- /dev/null
+++ b/test_vault.py
@@ -0,0 +1,40 @@
+#!/usr/bin/env python3
+
+from vault_client import VaultClient
+import os
+
+# Устанавливаем переменные окружения для тестирования
+os.environ['VAULT_ADDR'] = 'http://10.10.30.121:8200'
+os.environ['VAULT_ROLE_ID'] = 'ba8d3d21-263e-4d92-8ffe-ef803017cef5'
+os.environ['VAULT_SECRET_ID'] = '6b3ecc3c-9436-7f04-022f-8b1ce0ac09ee'
+os.environ['VAULT_SECRET_PATH'] = 'secret/data/mikrotik-bot'
+
+def test_vault_secrets():
+    """Тестирование получения секретов из Vault"""
+    print('🔍 Проверка получения секретов из Vault:')
+    print('=' * 50)
+    
+    vault = VaultClient()
+    config = vault.get_config()
+    
+    if not config:
+        print('❌ Не удалось получить конфигурацию')
+        return False
+    
+    success = True
+    for key, value in config.items():
+        if value:
+            masked_value = value[:10] + '...' if len(value) > 10 else value
+            print(f'✅ {key}: {masked_value}')
+        else:
+            print(f'❌ {key}: не найден')
+            success = False
+    
+    return success
+
+if __name__ == '__main__':
+    if test_vault_secrets():
+        print('\n🎉 Все секреты успешно получены!')
+        print('✅ Готов к production deployment')
+    else:
+        print('\n❌ Есть проблемы с получением секретов') 
\ No newline at end of file
diff --git a/vault_client.py b/vault_client.py
new file mode 100644
index 0000000..0c2da88
--- /dev/null
+++ b/vault_client.py
@@ -0,0 +1,84 @@
+import os
+import requests
+import json
+from typing import Dict, Optional
+
+
+class VaultClient:
+    """Клиент для работы с HashiCorp Vault через AppRole аутентификацию"""
+    
+    def __init__(self):
+        self.vault_addr = os.environ.get('VAULT_ADDR', 'http://localhost:8200')
+        self.role_id = os.environ.get('VAULT_ROLE_ID')
+        self.secret_id = os.environ.get('VAULT_SECRET_ID')
+        self.secret_path = os.environ.get('VAULT_SECRET_PATH', 'secret/data/mikrotik-bot')
+        self.token = None
+        
+    def authenticate(self) -> bool:
+        """Аутентификация через AppRole"""
+        if not self.role_id or not self.secret_id:
+            print("❌ VAULT_ROLE_ID или VAULT_SECRET_ID не установлены")
+            return False
+            
+        try:
+            auth_url = f"{self.vault_addr}/v1/auth/approle/login"
+            auth_data = {
+                "role_id": self.role_id,
+                "secret_id": self.secret_id
+            }
+            
+            response = requests.post(auth_url, json=auth_data)
+            response.raise_for_status()
+            
+            auth_result = response.json()
+            self.token = auth_result['auth']['client_token']
+            print("✅ Vault аутентификация успешна")
+            return True
+            
+        except Exception as e:
+            print(f"❌ Ошибка аутентификации Vault: {e}")
+            return False
+    
+    def get_secrets(self) -> Optional[Dict[str, str]]:
+        """Получение секретов из Vault"""
+        if not self.token and not self.authenticate():
+            return None
+            
+        try:
+            headers = {"X-Vault-Token": self.token}
+            secret_url = f"{self.vault_addr}/v1/{self.secret_path}"
+            
+            response = requests.get(secret_url, headers=headers)
+            response.raise_for_status()
+            
+            secret_data = response.json()
+            secrets = secret_data['data']['data']
+            
+            print("✅ Секреты успешно получены из Vault")
+            return secrets
+            
+        except Exception as e:
+            print(f"❌ Ошибка получения секретов: {e}")
+            return None
+    
+    def get_config(self) -> Dict[str, str]:
+        """Получение конфигурации с fallback на environment variables"""
+        # Сначала пытаемся получить из Vault
+        secrets = self.get_secrets()
+        
+        if secrets:
+            return {
+                'BOT_TOKEN': secrets.get('bot_token'),
+                'ROUTER_HOST': secrets.get('router_host'),
+                'ROUTER_USER': secrets.get('router_user'),
+                'ROUTER_PASSWORD': secrets.get('router_password'),
+            }
+        
+        # Fallback на environment variables
+        print("⚠️ Используются environment variables вместо Vault")
+        return {
+            'BOT_TOKEN': os.environ.get('BOT_TOKEN'),
+            'ROUTER_HOST': os.environ.get('ROUTER_HOST'),
+            'ROUTER_USER': os.environ.get('ROUTER_USER'),
+            'ROUTER_PASSWORD': os.environ.get('ROUTER_PASSWORD'),
+        } 
\ No newline at end of file