[feature] Added logging to the Flask app

Co-authored-by: Gagan Deep <pandafy.dev@gmail.com>
openwisp · Feb 8, 2024 · 37d60f0 · 37d60f0
1 parent 89cc92f
commit 37d60f0
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -190,6 +190,9 @@ Below are listed all the variables you can customize
     openwisp2_wireguard_flask_port: 8081
     # Host where Flask endpoint is run
     openwisp2_wireguard_flask_host: 0.0.0.0
+    # Set the log level for flask logging.
+    # Allowed values are "INFO", "WARNING" and "ERROR"
+    openwisp2_wireguard_logging_level: "WARNING"
     # Command used to run uwsgi from supervisor
     openwisp2_wireguard_uwsgi_command: "{{ openwisp2_wireguard_path }}/env/bin/uwsgi uwsgi.ini"
 

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -12,6 +12,9 @@ openwisp2_wireguard_flask_key: false
 openwisp2_wireguard_flask_port: 8081
 openwisp2_wireguard_flask_host: 0.0.0.0
 openwisp2_wireguard_flask_endpoint: "/trigger-update"
+# Set the log level for flask logging.
+# Allowed values are "INFO", "WARNING" and "ERROR"
+openwisp2_wireguard_logging_level: "WARNING"
 openwisp2_wireguard_uwsgi_command: "{{ openwisp2_wireguard_path }}/env/bin/uwsgi uwsgi.ini"
 
 openwisp2_wireguard_vxlan_ipv4_method: link-local

diff --git a/templates/flask/vpn_updater.py b/templates/flask/vpn_updater.py
@@ -1,3 +1,5 @@
+import hmac
+import logging
 import subprocess
 
 from flask import Flask, Response, request
@@ -10,6 +12,12 @@
 ]
 
 
+# Configure logging
+app.logger.setLevel(
+    getattr(logging, '{{ openwisp2_wireguard_logging_level }}', 'WARNING')
+)
+
+
 def _exec_command(command):
     process = subprocess.Popen(
         command.split(' '),
@@ -23,17 +31,59 @@ def _exec_command(command):
         raise subprocess.SubprocessError()
 
 
+def _log(level, message, request):
+    client_info = {
+        'ip_address': request.remote_addr,
+        'user_agent': request.user_agent.string,
+        'requested_url': request.url,
+        'http_method': request.method,
+    }
+    getattr(app.logger, level)(f'{message} Client info: {client_info}')
+
+
 @app.route('{{ openwisp2_wireguard_flask_endpoint }}', methods=['POST'])
 def update_vpn_config():
-    if request.args.get('key') != KEY:
+    _log('info', 'Received request to update VPN config', request)
+    request_key = request.args.get('key')
+    if not request_key or not hmac.compare_digest(request_key, KEY):
+        _log(
+            'warning',
+            'Authentication failed - invalid or missing key provided.',
+            request,
+        )
         return Response(status=403)
     for script in UPDATER_SCRIPTS:
         try:
             _exec_command(script)
         except subprocess.SubprocessError:
+            _log('error', f'Failed to execute script: "{script}"', request)
             return Response(status=500)
+        else:
+            _log('info', 'Script executed successfully', request)
     return Response(status=200)
 
 
+@app.errorhandler(500)
+def handle_500_error(exception):
+    app.logger.error("An internal error occurred: %s", str(exception))
+    return Response(status=500)
+
+
+@app.after_request
+def set_security_headers(response):
+    security_headers = {
+        "Content-Security-Policy": "default-src 'self'",
+        "X-Frame-Options": "SAMEORIGIN",
+        "X-Content-Type-Options": "nosniff",
+        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
+        "X-XSS-Protection": "1; mode=block",
+        "Referrer-Policy": "strict-origin-when-cross-origin",
+    }
+
+    for header, value in security_headers.items():
+        response.headers[header] = value
+    return response
+
+
 if __name__ == '__main__':
     app.run()