Merge pull request #457 from getodk/next

Release v2023.4
getodk · Sep 25, 2023 · 65d38c5 · 65d38c5
2 parents f09c50b + 28dad0a
commit 65d38c5
Show file tree

Hide file tree

Showing 18 changed files with 58 additions and 230 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
@@ -8,7 +8,7 @@ jobs:
       - checkout
 
       - run: sudo apt install shellcheck
-      - run: cat <(git grep -El '^#!.*sh\b') <(git ls-files | grep -E '.sh$') | sort -u | grep -v '/wait-for-it.sh$' | xargs shellcheck --exclude=SC2016
+      - run: cat <(git grep -El '^#!.*sh\b') <(git ls-files | grep -E '.sh$') | sort -u | xargs shellcheck --exclude=SC2016
 
       - run: git submodule update -i
 

diff --git a/.env.template b/.env.template
@@ -29,6 +29,12 @@ HTTPS_PORT=443
 # EMAIL_USER=
 # EMAIL_PASSWORD=
 
+# Optional: configure Single Sign-on with OpenID Connect
+# OIDC_ENABLED=
+# OIDC_ISSUER_URL=
+# OIDC_CLIENT_ID=
+# OIDC_CLIENT_SECRET=
+
 # Optional: configure error reporting
 # SENTRY_ORG_SUBDOMAIN=
 # SENTRY_KEY=

diff --git a/.gitignore b/.gitignore
@@ -9,4 +9,9 @@
 /files/postgres14/upgrade/*
 !/files/postgres14/upgrade/check-available-space
 
-/files/local/customssl/*.pem
+/files/local/customssl/*.pem
+
+/files/mail/rsa.private
+/files/mail/rsa.public
+
+/files/dkim/*
diff --git a/client b/client
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -27,12 +27,12 @@ services:
       POSTGRES_PASSWORD: odk
       POSTGRES_DATABASE: odk
   mail:
-    image: "ixdotai/smtp:v0.2.0"
+    image: "ixdotai/smtp:v0.5.1"
     volumes:
-      - ./files/dkim/config:/etc/exim4/_docker_additional_macros:ro
-      - ./files/dkim/rsa.private:/etc/exim4/domain.key:ro
+      - ./files/mail/rsa.private:/etc/exim4/dkim.key.temp:ro
     environment:
       - MAILNAME=${DOMAIN}
+      - DKIM_KEY_PATH=/etc/exim4/dkim.key.temp
     restart: always
   service:
     build:
@@ -51,29 +51,35 @@ services:
       - DOMAIN=${DOMAIN}
       - SYSADMIN_EMAIL=${SYSADMIN_EMAIL}
       - HTTPS_PORT=${HTTPS_PORT:-443}
-      - NODE_OPTIONS=${SERVICE_NODE_OPTIONS:-''}
+      - NODE_OPTIONS=${SERVICE_NODE_OPTIONS:-}
       - DB_HOST=${DB_HOST:-postgres14}
       - DB_USER=${DB_USER:-odk}
       - DB_PASSWORD=${DB_PASSWORD:-odk}
       - DB_NAME=${DB_NAME:-odk}
       - DB_SSL=${DB_SSL:-null}
-      - EMAIL_FROM=${EMAIL_FROM:-no-reply@${DOMAIN}}
+      - EMAIL_FROM=${EMAIL_FROM:-no-reply@$DOMAIN}
       - EMAIL_HOST=${EMAIL_HOST:-mail}
       - EMAIL_PORT=${EMAIL_PORT:-25}
       - EMAIL_SECURE=${EMAIL_SECURE:-false}
       - EMAIL_IGNORE_TLS=${EMAIL_IGNORE_TLS:-true}
-      - EMAIL_USER=${EMAIL_USER:-''}
-      - EMAIL_PASSWORD=${EMAIL_PASSWORD:-''}
+      - EMAIL_USER=${EMAIL_USER:-}
+      - EMAIL_PASSWORD=${EMAIL_PASSWORD:-}
+      - OIDC_ENABLED=${OIDC_ENABLED:-false}
+      - OIDC_ISSUER_URL=${OIDC_ISSUER_URL:-}
+      - OIDC_CLIENT_ID=${OIDC_CLIENT_ID:-}
+      - OIDC_CLIENT_SECRET=${OIDC_CLIENT_SECRET:-}
       - SENTRY_ORG_SUBDOMAIN=${SENTRY_ORG_SUBDOMAIN:-o130137}
       - SENTRY_KEY=${SENTRY_KEY:-3cf75f54983e473da6bd07daddf0d2ee}
       - SENTRY_PROJECT=${SENTRY_PROJECT:-1298632}
-    command: [ "./wait-for-it.sh", "${DB_HOST:-postgres14}:5432", "--", "./start-odk.sh" ]
+    command: [ "wait-for-it", "${DB_HOST:-postgres14}:5432", "--", "./start-odk.sh" ]
     restart: always
     logging:
       driver: local
   nginx:
     build:
       context: .
+      args:
+        - OIDC_ENABLED=${OIDC_ENABLED:-false}
       dockerfile: nginx.dockerfile
     depends_on:
       - service
@@ -96,7 +102,7 @@ services:
       options:
         max-file: "30"
   pyxform:
-    image: 'ghcr.io/getodk/pyxform-http:v1.12.1'
+    image: 'ghcr.io/getodk/pyxform-http:v1.12.2'
     restart: always
   secrets:
     volumes:
@@ -121,7 +127,7 @@ services:
       - SUPPORT_EMAIL=${SYSADMIN_EMAIL}
       - HTTPS_PORT=${HTTPS_PORT:-443}
   enketo_redis_main:
-    image: redis:7.0
+    image: redis:7.2
     volumes:
       - ./files/enketo/redis-enketo-main.conf:/usr/local/etc/redis/redis.conf:ro
       - enketo_redis_main:/data
@@ -130,7 +136,7 @@ services:
       - /usr/local/etc/redis/redis.conf
     restart: always
   enketo_redis_cache:
-    image: redis:7.0
+    image: redis:7.2
     volumes:
       - ./files/enketo/redis-enketo-cache.conf:/usr/local/etc/redis/redis.conf:ro
       - enketo_redis_cache:/data

diff --git a/enketo.dockerfile b/enketo.dockerfile
@@ -1,4 +1,4 @@
-FROM ghcr.io/enketo/enketo-express:6.2.0
+FROM ghcr.io/enketo/enketo-express:6.2.2
 
 ENV ENKETO_SRC_DIR=/srv/src/enketo_express
 WORKDIR ${ENKETO_SRC_DIR}

diff --git a/files/dkim/config.disabled b/files/dkim/config.disabled
diff --git a/files/mail/rsa.private b/files/mail/rsa.private
diff --git a/files/postgres14/upgrade/check-available-space b/files/postgres14/upgrade/check-available-space
@@ -15,7 +15,14 @@ fi
 dockerRootDir="$(docker info --format '{{print .DockerRootDir}}')"
 free="$(df --output=avail "$dockerRootDir/volumes" | tail -n+2)"
 
-containerName="central_postgres_1"
+# Support both Docker Compose v1 & v2 container names.
+# See: https://docs.docker.com/compose/migrate/#service-container-names
+if ! docker compose version >/dev/null 2>/dev/null; then
+  containerName="central_postgres_1"
+else
+  containerName="central-postgres-1"
+fi
+
 # The --format argument is a Go template.  Adding spaces between the
 # curlies seems to affect the output.  For more info on this
 # wonderful language, see:

diff --git a/files/prebuild/build-frontend.sh b/files/prebuild/build-frontend.sh
@@ -1,4 +1,4 @@
 #!/bin/bash -eu
 cd client
 npm clean-install --no-audit --fund=false --update-notifier=false
-npm run build
+VUE_APP_OIDC_ENABLED="$OIDC_ENABLED" npm run build
diff --git a/files/service/config.json.template b/files/service/config.json.template
@@ -33,6 +33,12 @@
       "domain": "${BASE_URL}",
       "sysadminAccount": "${SYSADMIN_EMAIL}"
     },
+    "oidc": {
+      "enabled": ${OIDC_ENABLED},
+      "issuerUrl": "${OIDC_ISSUER_URL}",
+      "clientId": "${OIDC_CLIENT_ID}",
+      "clientSecret": "${OIDC_CLIENT_SECRET}"
+    },
     "external": {
       "sentry": {
         "orgSubdomain": "${SENTRY_ORG_SUBDOMAIN}",

diff --git a/files/service/scripts/start-odk.sh b/files/service/scripts/start-odk.sh
@@ -4,7 +4,7 @@ echo "generating local service configuration.."
 
 ENKETO_API_KEY=$(cat /etc/secrets/enketo-api-key) \
 BASE_URL=$( [ "${HTTPS_PORT}" = 443 ] && echo https://"${DOMAIN}" || echo https://"${DOMAIN}":"${HTTPS_PORT}" ) \
-envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
+envsubst '$DOMAIN $BASE_URL $SYSADMIN_EMAIL $ENKETO_API_KEY $DB_HOST $DB_USER $DB_PASSWORD $DB_NAME $DB_SSL $EMAIL_FROM $EMAIL_HOST $EMAIL_PORT $EMAIL_SECURE $EMAIL_IGNORE_TLS $EMAIL_USER $EMAIL_PASSWORD $OIDC_ENABLED $OIDC_ISSUER_URL $OIDC_CLIENT_ID $OIDC_CLIENT_SECRET $SENTRY_ORG_SUBDOMAIN $SENTRY_KEY $SENTRY_PROJECT' \
     < /usr/share/odk/config.json.template \
     > /usr/odk/config/local.json
 

diff --git a/files/service/scripts/wait-for-it.sh b/files/service/scripts/wait-for-it.sh
diff --git a/nginx.dockerfile b/nginx.dockerfile
@@ -1,8 +1,9 @@
-FROM node:16.20 as intermediate
+FROM node:18.17 as intermediate
 
 COPY ./ ./
 RUN files/prebuild/write-version.sh
-RUN files/prebuild/build-frontend.sh
+ARG OIDC_ENABLED
+RUN OIDC_ENABLED="$OIDC_ENABLED" files/prebuild/build-frontend.sh
 
 # when upgrading, look for upstream changes to redirector.conf
 # also, confirm setup-odk.sh strips out HTTP-01 ACME challenge location

diff --git a/postgres14.dockerfile b/postgres14.dockerfile
@@ -1,4 +1,4 @@
-FROM postgres:14.8
+FROM postgres:14.9
 
 COPY files/postgres14/start-postgres.sh /usr/local/bin/