diff --git a/.circleci/config.yml b/.circleci/config.yml index 98427ac2..1551a290 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -8,7 +8,7 @@ jobs: - checkout - run: sudo apt install shellcheck - - run: cat <(git grep -El '^#!.*sh\b') <(git ls-files | grep -E '.sh$') | sort -u | grep -v '/wait-for-it.sh$' | xargs shellcheck --exclude=SC2016 + - run: cat <(git grep -El '^#!.*sh\b') <(git ls-files | grep -E '.sh$') | sort -u | xargs shellcheck --exclude=SC2016 - run: git submodule update -i diff --git a/.env.template b/.env.template index 049afcd9..ca710a43 100644 --- a/.env.template +++ b/.env.template @@ -29,6 +29,12 @@ HTTPS_PORT=443 # EMAIL_USER= # EMAIL_PASSWORD= +# Optional: configure Single Sign-on with OpenID Connect +# OIDC_ENABLED= +# OIDC_ISSUER_URL= +# OIDC_CLIENT_ID= +# OIDC_CLIENT_SECRET= + # Optional: configure error reporting # SENTRY_ORG_SUBDOMAIN= # SENTRY_KEY= diff --git a/.gitignore b/.gitignore index 3d744a41..6a1c9041 100644 --- a/.gitignore +++ b/.gitignore @@ -9,4 +9,9 @@ /files/postgres14/upgrade/* !/files/postgres14/upgrade/check-available-space -/files/local/customssl/*.pem \ No newline at end of file +/files/local/customssl/*.pem + +/files/mail/rsa.private +/files/mail/rsa.public + +/files/dkim/* diff --git a/client b/client index 676b63a6..95326b9a 160000 --- a/client +++ b/client @@ -1 +1 @@ -Subproject commit 676b63a62652cec57b06b622a0ef36a58fa6d6e4 +Subproject commit 95326b9ad66ec31c93bdb68c29f8797975d93fd2 diff --git a/docker-compose.yml b/docker-compose.yml index 47649d55..2b176674 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -27,12 +27,12 @@ services: POSTGRES_PASSWORD: odk POSTGRES_DATABASE: odk mail: - image: "ixdotai/smtp:v0.2.0" + image: "ixdotai/smtp:v0.5.1" volumes: - - ./files/dkim/config:/etc/exim4/_docker_additional_macros:ro - - ./files/dkim/rsa.private:/etc/exim4/domain.key:ro + - ./files/mail/rsa.private:/etc/exim4/dkim.key.temp:ro environment: - MAILNAME=${DOMAIN} + - DKIM_KEY_PATH=/etc/exim4/dkim.key.temp restart: always service: build: @@ -51,29 +51,35 @@ services: - DOMAIN=${DOMAIN} - SYSADMIN_EMAIL=${SYSADMIN_EMAIL} - HTTPS_PORT=${HTTPS_PORT:-443} - - NODE_OPTIONS=${SERVICE_NODE_OPTIONS:-''} + - NODE_OPTIONS=${SERVICE_NODE_OPTIONS:-} - DB_HOST=${DB_HOST:-postgres14} - DB_USER=${DB_USER:-odk} - DB_PASSWORD=${DB_PASSWORD:-odk} - DB_NAME=${DB_NAME:-odk} - DB_SSL=${DB_SSL:-null} - - EMAIL_FROM=${EMAIL_FROM:-no-reply@${DOMAIN}} + - EMAIL_FROM=${EMAIL_FROM:-no-reply@$DOMAIN} - EMAIL_HOST=${EMAIL_HOST:-mail} - EMAIL_PORT=${EMAIL_PORT:-25} - EMAIL_SECURE=${EMAIL_SECURE:-false} - EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true} - - EMAIL_USER=${EMAIL_USER:-''} - - EMAIL_PASSWORD=${EMAIL_PASSWORD:-''} + - EMAIL_USER=${EMAIL_USER:-} + - EMAIL_PASSWORD=${EMAIL_PASSWORD:-} + - OIDC_ENABLED=${OIDC_ENABLED:-false} + - OIDC_ISSUER_URL=${OIDC_ISSUER_URL:-} + - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-} + - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-} - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137} - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee} - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632} - command: [ "./wait-for-it.sh", "${DB_HOST:-postgres14}:5432", "--", "./start-odk.sh" ] + command: [ "wait-for-it", "${DB_HOST:-postgres14}:5432", "--", "./start-odk.sh" ] restart: always logging: driver: local nginx: build: context: . + args: + - OIDC_ENABLED=${OIDC_ENABLED:-false} dockerfile: nginx.dockerfile depends_on: - service @@ -96,7 +102,7 @@ services: options: max-file: "30" pyxform: - image: 'ghcr.io/getodk/pyxform-http:v1.12.1' + image: 'ghcr.io/getodk/pyxform-http:v1.12.2' restart: always secrets: volumes: @@ -121,7 +127,7 @@ services: - SUPPORT_EMAIL=${SYSADMIN_EMAIL} - HTTPS_PORT=${HTTPS_PORT:-443} enketo_redis_main: - image: redis:7.0 + image: redis:7.2 volumes: - ./files/enketo/redis-enketo-main.conf:/usr/local/etc/redis/redis.conf:ro - enketo_redis_main:/data @@ -130,7 +136,7 @@ services: - /usr/local/etc/redis/redis.conf restart: always enketo_redis_cache: - image: redis:7.0 + image: redis:7.2 volumes: - ./files/enketo/redis-enketo-cache.conf:/usr/local/etc/redis/redis.conf:ro - enketo_redis_cache:/data diff --git a/enketo.dockerfile b/enketo.dockerfile index 6bd66225..fff7884c 100644 --- a/enketo.dockerfile +++ b/enketo.dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/enketo/enketo-express:6.2.0 +FROM ghcr.io/enketo/enketo-express:6.2.2 ENV ENKETO_SRC_DIR=/srv/src/enketo_express WORKDIR ${ENKETO_SRC_DIR} diff --git a/files/dkim/config.disabled b/files/dkim/config.disabled deleted file mode 100644 index 73346dc8..00000000 --- a/files/dkim/config.disabled +++ /dev/null @@ -1,5 +0,0 @@ -DKIM_DOMAIN = ${lc:${domain:$h_from:}} -DKIM_KEY_FILE = /etc/exim4/domain.key -DKIM_PRIVATE_KEY = ${if exists{DKIM_KEY_FILE}{DKIM_KEY_FILE}{0}} -DKIM_SELECTOR = dkim -DKIM_CANON = simple diff --git a/files/mail/rsa.private b/files/mail/rsa.private new file mode 100644 index 00000000..e69de29b diff --git a/files/postgres14/upgrade/check-available-space b/files/postgres14/upgrade/check-available-space index 46f90b84..d1fd5839 100755 --- a/files/postgres14/upgrade/check-available-space +++ b/files/postgres14/upgrade/check-available-space @@ -15,7 +15,14 @@ fi dockerRootDir="$(docker info --format '{{print .DockerRootDir}}')" free="$(df --output=avail "$dockerRootDir/volumes" | tail -n+2)" -containerName="central_postgres_1" +# Support both Docker Compose v1 & v2 container names. +# See: https://docs.docker.com/compose/migrate/#service-container-names +if ! docker compose version >/dev/null 2>/dev/null; then + containerName="central_postgres_1" +else + containerName="central-postgres-1" +fi + # The --format argument is a Go template. Adding spaces between the # curlies seems to affect the output. For more info on this # wonderful language, see: diff --git a/files/prebuild/build-frontend.sh b/files/prebuild/build-frontend.sh index 6122c321..041cdac6 100755 --- a/files/prebuild/build-frontend.sh +++ b/files/prebuild/build-frontend.sh @@ -1,4 +1,4 @@ #!/bin/bash -eu cd client npm clean-install --no-audit --fund=false --update-notifier=false -npm run build +VUE_APP_OIDC_ENABLED="$OIDC_ENABLED" npm run build diff --git a/files/service/config.json.template b/files/service/config.json.template index 1e1f9d53..c4500224 100644 --- a/files/service/config.json.template +++ b/files/service/config.json.template @@ -33,6 +33,12 @@ "domain": "${BASE_URL}", "sysadminAccount": "${SYSADMIN_EMAIL}" }, + "oidc": { + "enabled": ${OIDC_ENABLED}, + "issuerUrl": "${OIDC_ISSUER_URL}", + "clientId": "${OIDC_CLIENT_ID}", + "clientSecret": "${OIDC_CLIENT_SECRET}" + }, "external": { "sentry": { "orgSubdomain": "${SENTRY_ORG_SUBDOMAIN}", diff --git a/files/service/scripts/start-odk.sh b/files/service/scripts/start-odk.sh index 86a6b35b..dd92d804 100755 --- a/files/service/scripts/start-odk.sh +++ b/files/service/scripts/start-odk.sh @@ -4,7 +4,7 @@ echo "generating local service configuration.." ENKETO_API_KEY=$(cat /etc/secrets/enketo-api-key) \ BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \ -envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \ +envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_ISSUER_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \ < /usr/share/odk/config.json.template \ > /usr/odk/config/local.json diff --git a/files/service/scripts/wait-for-it.sh b/files/service/scripts/wait-for-it.sh deleted file mode 100755 index b5725e4c..00000000 --- a/files/service/scripts/wait-for-it.sh +++ /dev/null @@ -1,200 +0,0 @@ -#!/usr/bin/env bash -# Use this script to test if a given TCP host/port are available -# -# Source: https://github.com/vishnubob/wait-for-it -# -# The MIT License (MIT) -# Copyright (c) 2016 Giles Hall -# -# Permission is hereby granted, free of charge, to any person obtaining a copy of -# this software and associated documentation files (the "Software"), to deal in -# the Software without restriction, including without limitation the rights to -# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies -# of the Software, and to permit persons to whom the Software is furnished to do -# so, subject to the following conditions: -# -# The above copyright notice and this permission notice shall be included in all -# copies or substantial portions of the Software. -# -# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE -# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, -# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE -# SOFTWARE. - -cmdname=$(basename $0) - -echoerr() { if [[ $QUIET -ne 1 ]]; then echo "$@" 1>&2; fi } - -usage() -{ - cat << USAGE >&2 -Usage: - $cmdname host:port [-s] [-t timeout] [-- command args] - -h HOST | --host=HOST Host or IP under test - -p PORT | --port=PORT TCP port under test - Alternatively, you specify the host and port as host:port - -s | --strict Only execute subcommand if the test succeeds - -q | --quiet Don't output any status messages - -t TIMEOUT | --timeout=TIMEOUT - Timeout in seconds, zero for no timeout - -- COMMAND ARGS Execute command with args after the test finishes -USAGE - exit 1 -} - -wait_for() -{ - if [[ $TIMEOUT -gt 0 ]]; then - echoerr "$cmdname: waiting $TIMEOUT seconds for $HOST:$PORT" - else - echoerr "$cmdname: waiting for $HOST:$PORT without a timeout" - fi - start_ts=$(date +%s) - while : - do - if [[ $ISBUSY -eq 1 ]]; then - nc -z $HOST $PORT - result=$? - else - (echo > /dev/tcp/$HOST/$PORT) >/dev/null 2>&1 - result=$? - fi - if [[ $result -eq 0 ]]; then - end_ts=$(date +%s) - echoerr "$cmdname: $HOST:$PORT is available after $((end_ts - start_ts)) seconds" - break - fi - sleep 1 - done - return $result -} - -wait_for_wrapper() -{ - # In order to support SIGINT during timeout: http://unix.stackexchange.com/a/57692 - if [[ $QUIET -eq 1 ]]; then - timeout $BUSYTIMEFLAG $TIMEOUT $0 --quiet --child --host=$HOST --port=$PORT --timeout=$TIMEOUT & - else - timeout $BUSYTIMEFLAG $TIMEOUT $0 --child --host=$HOST --port=$PORT --timeout=$TIMEOUT & - fi - PID=$! - trap "kill -INT -$PID" INT - wait $PID - RESULT=$? - if [[ $RESULT -ne 0 ]]; then - echoerr "$cmdname: timeout occurred after waiting $TIMEOUT seconds for $HOST:$PORT" - fi - return $RESULT -} - -# process arguments -while [[ $# -gt 0 ]] -do - case "$1" in - *:* ) - hostport=(${1//:/ }) - HOST=${hostport[0]} - PORT=${hostport[1]} - shift 1 - ;; - --child) - CHILD=1 - shift 1 - ;; - -q | --quiet) - QUIET=1 - shift 1 - ;; - -s | --strict) - STRICT=1 - shift 1 - ;; - -h) - HOST="$2" - if [[ $HOST == "" ]]; then break; fi - shift 2 - ;; - --host=*) - HOST="${1#*=}" - shift 1 - ;; - -p) - PORT="$2" - if [[ $PORT == "" ]]; then break; fi - shift 2 - ;; - --port=*) - PORT="${1#*=}" - shift 1 - ;; - -t) - TIMEOUT="$2" - if [[ $TIMEOUT == "" ]]; then break; fi - shift 2 - ;; - --timeout=*) - TIMEOUT="${1#*=}" - shift 1 - ;; - --) - shift - CLI=("$@") - break - ;; - --help) - usage - ;; - *) - echoerr "Unknown argument: $1" - usage - ;; - esac -done - -if [[ "$HOST" == "" || "$PORT" == "" ]]; then - echoerr "Error: you need to provide a host and port to test." - usage -fi - -TIMEOUT=${TIMEOUT:-15} -STRICT=${STRICT:-0} -CHILD=${CHILD:-0} -QUIET=${QUIET:-0} - -# check to see if timeout is from busybox? -# check to see if timeout is from busybox? -TIMEOUT_PATH=$(realpath $(which timeout)) -if [[ $TIMEOUT_PATH =~ "busybox" ]]; then - ISBUSY=1 - BUSYTIMEFLAG="-t" -else - ISBUSY=0 - BUSYTIMEFLAG="" -fi - -if [[ $CHILD -gt 0 ]]; then - wait_for - RESULT=$? - exit $RESULT -else - if [[ $TIMEOUT -gt 0 ]]; then - wait_for_wrapper - RESULT=$? - else - wait_for - RESULT=$? - fi -fi - -if [[ $CLI != "" ]]; then - if [[ $RESULT -ne 0 && $STRICT -eq 1 ]]; then - echoerr "$cmdname: strict mode, refusing to execute subprocess" - exit $RESULT - fi - exec "${CLI[@]}" -else - exit $RESULT -fi diff --git a/nginx.dockerfile b/nginx.dockerfile index 0e1e43f1..cced9345 100644 --- a/nginx.dockerfile +++ b/nginx.dockerfile @@ -1,8 +1,9 @@ -FROM node:16.20 as intermediate +FROM node:18.17 as intermediate COPY ./ ./ RUN files/prebuild/write-version.sh -RUN files/prebuild/build-frontend.sh +ARG OIDC_ENABLED +RUN OIDC_ENABLED="$OIDC_ENABLED" files/prebuild/build-frontend.sh # when upgrading, look for upstream changes to redirector.conf # also, confirm setup-odk.sh strips out HTTP-01 ACME challenge location diff --git a/postgres14.dockerfile b/postgres14.dockerfile index 2888353b..cc214fd0 100644 --- a/postgres14.dockerfile +++ b/postgres14.dockerfile @@ -1,4 +1,4 @@ -FROM postgres:14.8 +FROM postgres:14.9 COPY files/postgres14/start-postgres.sh /usr/local/bin/ diff --git a/secrets.dockerfile b/secrets.dockerfile index f0fee644..b200d26b 100644 --- a/secrets.dockerfile +++ b/secrets.dockerfile @@ -1,2 +1,2 @@ -FROM node:16.20 -COPY files/enketo/generate-secrets.sh ./ \ No newline at end of file +FROM node:18.17 +COPY files/enketo/generate-secrets.sh ./ diff --git a/server b/server index ba6ee474..63fdf150 160000 --- a/server +++ b/server @@ -1 +1 @@ -Subproject commit ba6ee474f431b48e885fb035c9266792f06d0ad7 +Subproject commit 63fdf150e1ed81e3b1059050f7b1ba323931ab24 diff --git a/service.dockerfile b/service.dockerfile index af8fd7f1..11f5e280 100644 --- a/service.dockerfile +++ b/service.dockerfile @@ -1,4 +1,4 @@ -ARG node_version=16.20 +ARG node_version=18.17 FROM node:${node_version} as intermediate COPY . . @@ -13,6 +13,8 @@ FROM node:${node_version} WORKDIR /usr/odk +RUN apt-get update && apt-get install wait-for-it && rm -rf /var/lib/apt/lists/* + RUN echo "deb http://apt.postgresql.org/pub/repos/apt/ $(grep -oP 'VERSION_CODENAME=\K\w+' /etc/os-release)-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list && \ curl https://www.postgresql.org/media/keys/ACCC4CF8.asc | gpg --dearmor > /etc/apt/trusted.gpg.d/apt.postgresql.org.gpg && \ apt-get update && \