Compare commits
3 Commits
89f309abd2
..
1.18
| Author | SHA1 | Date | |
|---|---|---|---|
| 93d29982a6 | |||
| 59a1bdfb1c | |||
| 056a92b068 |
-36
@@ -1,36 +0,0 @@
|
||||
# Nutze ein schlankes Python-Image
|
||||
FROM python:3.13-slim-bullseye
|
||||
|
||||
ENV PYTHONUNBUFFERED 1
|
||||
|
||||
WORKDIR /konova
|
||||
|
||||
# Installiere System-Abhängigkeiten
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
gdal-bin redis-server nginx \
|
||||
&& rm -rf /var/lib/apt/lists/* # Platz sparen
|
||||
|
||||
# Erstelle benötigte Verzeichnisse & setze Berechtigungen
|
||||
RUN mkdir -p /var/log/nginx /var/log/gunicorn /var/lib/nginx /tmp/nginx_client_body \
|
||||
&& touch /var/log/nginx/access.log /var/log/nginx/error.log \
|
||||
&& chown -R root:root /var/log/nginx /var/lib/nginx /tmp/nginx_client_body
|
||||
|
||||
# Kopiere und installiere Python-Abhängigkeiten
|
||||
COPY ./requirements.txt /konova/
|
||||
RUN pip install --upgrade pip && pip install --no-cache-dir -r requirements.txt
|
||||
|
||||
# Entferne Standard-Nginx-Site und ersetze sie durch eigene Config
|
||||
RUN rm -rf /etc/nginx/sites-enabled/default
|
||||
COPY ./nginx.conf /etc/nginx/conf.d
|
||||
|
||||
# Kopiere restliche Projektdateien
|
||||
COPY . /konova/
|
||||
|
||||
# Sammle statische Dateien
|
||||
RUN python manage.py collectstatic --noinput
|
||||
|
||||
# Exponiere Ports
|
||||
#EXPOSE 80 6379 8000
|
||||
|
||||
# Setze Entrypoint
|
||||
ENTRYPOINT ["/konova/docker-entrypoint.sh"]
|
||||
@@ -4,7 +4,6 @@ the database postgresql and the css library bootstrap as well as the icon packag
|
||||
fontawesome for a modern look, following best practices from the industry.
|
||||
|
||||
## Background processes
|
||||
### !!! For non-docker run
|
||||
Konova uses celery for background processing. To start the worker you need to run
|
||||
```shell
|
||||
$ celery -A konova worker -l INFO
|
||||
@@ -19,58 +18,3 @@ Technical documention is provided in the projects git wiki.
|
||||
A user documentation is not available (and not needed, yet).
|
||||
|
||||
|
||||
# Docker
|
||||
To run the docker-compose as expected, you need to take the following steps:
|
||||
|
||||
1. Create a database containing docker, using an appropriate Dockerfile, e.g. the following
|
||||
```
|
||||
version: '3.3'
|
||||
services:
|
||||
postgis:
|
||||
image: postgis/postgis
|
||||
restart: always
|
||||
container_name: postgis-docker
|
||||
ports:
|
||||
- 5433:5432
|
||||
volumes:
|
||||
- db-volume:/var/lib/postgresql/data
|
||||
environment:
|
||||
- POSTGRES_PASSWORD=postgres
|
||||
- POSTGRES_USER=postgres
|
||||
networks:
|
||||
- db-network-bridge
|
||||
|
||||
networks:
|
||||
db-network-bridge:
|
||||
driver: "bridge"
|
||||
|
||||
volumes:
|
||||
db-volume:
|
||||
```
|
||||
This Dockerfile creates a Docker container running postgresql and postgis, creates the default superuser postgres,
|
||||
creates a named volume for persisting the database and creates a new network bridge, which **must be used by any other
|
||||
container, which wants to write/read on this database**.
|
||||
|
||||
2. Make sure the name of the network bridge above matches the network in the konova docker-compose.yml
|
||||
3. Get into the running postgis container (`docker exec -it postgis-docker bash`) and create new databases, users and so on. Make sure the database `konova` exists now!
|
||||
4. Replace all `CHANGE_ME_xy` values inside of konova/docker-compose.yml for your installation. Make sure the `SSO_HOST` holds the proper SSO host, e.g. for the arnova project `arnova.example.org` (Arnova must be installed and the webserver configured as well, of course)
|
||||
5. Take a look on konova/settings.py and konova/sub_settings/django_settings.py. Again: Replace all occurences of `CHANGE_ME` with proper values for your installation.
|
||||
1. Make sure you have the proper host strings added to `ALLOWED_HOSTS` inside of django_settings.py.
|
||||
6. Build and run the docker setup using `docker-compose build` and `docker-compose start` from the main directory of this project (where the docker-compose.yml lives)
|
||||
7. Run migrations! To do so, get into the konova service container (`docker exec -it konova-docker bash`) and run the needed commands (`python manage.py makemigrations LIST_OF_ALL_MIGRATABLE_APPS`, then `python manage.py migrate`)
|
||||
8. Run the setup command `python manage.py setup` and follow the instructions on the CLI
|
||||
9. To enable **SMTP** mail support, make sure your host machine (the one where the docker container run) has the postfix service configured properly. Make sure the `mynetworks` variable is xtended using the docker network bridge ip, created in the postgis container and used by the konova services.
|
||||
1. **Hint**: You can find out this easily by trying to perform a test mail in the running konova web application (which will fail, of course). Then take a look to the latest entries in `/var/log/mail.log` on your host machine. The failed IP will be displayed there.
|
||||
2. **Please note**: This installation guide is based on SMTP using postfix!
|
||||
3. Restart the postfix service on your host machine to reload the new configuration (`service postfix restart`)
|
||||
10. Finally, make sure your host machine webserver passes incoming requests properly to the docker nginx webserver of konova. A proper nginx config for the host machine may look like this:
|
||||
```
|
||||
server {
|
||||
server_name konova.domain.org;
|
||||
|
||||
location / {
|
||||
proxy_pass http://localhost:KONOVA_NGINX_DOCKER_PORT/;
|
||||
proxy_set_header Host $host;
|
||||
}
|
||||
}
|
||||
```
|
||||
@@ -30,4 +30,22 @@ class ExternalIdentifier(models.Model):
|
||||
)
|
||||
|
||||
def __str__(self):
|
||||
return f"{self.external_id} -> {self.internal_id}"
|
||||
return f"{self.external_id} -> {self.internal_id}"
|
||||
|
||||
@staticmethod
|
||||
def resolve_external_identifier(external_identifier: str):
|
||||
""" Returns a ExternalIdentifier object, if the given parameter could be resolved as an external identifier.
|
||||
|
||||
Args:
|
||||
external_identifier (str): An external identifier.
|
||||
|
||||
Returns:
|
||||
ExternalIdentifier | None
|
||||
"""
|
||||
if external_identifier:
|
||||
try:
|
||||
obj = ExternalIdentifier.objects.get(external_id=external_identifier)
|
||||
return obj
|
||||
except ExternalIdentifier.DoesNotExist:
|
||||
pass
|
||||
return None
|
||||
|
||||
@@ -31,9 +31,10 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
|
||||
def setUpTestData(cls):
|
||||
super().setUpTestData()
|
||||
|
||||
def _run_share_request(self, url, user_list: list):
|
||||
def _run_share_request(self, url, user_list: list, team_list: list):
|
||||
data = {
|
||||
"users": user_list
|
||||
"users": user_list,
|
||||
"teams": team_list
|
||||
}
|
||||
data = json.dumps(data)
|
||||
response = self.client.put(
|
||||
@@ -58,16 +59,22 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
|
||||
self.superuser.username,
|
||||
self.user.username,
|
||||
]
|
||||
team_list = [
|
||||
str(self.team.id),
|
||||
]
|
||||
|
||||
response = self._run_share_request(url, user_list)
|
||||
response = self._run_share_request(url, user_list, team_list)
|
||||
|
||||
# Must fail, since performing user has no access on requested object
|
||||
self.assertEqual(response.status_code, 500)
|
||||
self.assertTrue(len(json.loads(response.content.decode("utf-8")).get("errors", [])) > 0)
|
||||
|
||||
# Add performing user to shared access users and rerun the request
|
||||
# Add performing user to shared access users, switch from team id to team name and rerun the request
|
||||
obj.users.add(self.superuser)
|
||||
response = self._run_share_request(url, user_list)
|
||||
team_list = [
|
||||
self.team.name
|
||||
]
|
||||
response = self._run_share_request(url, user_list, team_list)
|
||||
|
||||
shared_users = obj.shared_users
|
||||
self.assertEqual(response.status_code, 200)
|
||||
@@ -84,14 +91,14 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
|
||||
share_url = reverse("api:v1:intervention-share", args=(self.intervention.id,))
|
||||
# Expect the first request to work properly
|
||||
self.intervention.users.add(self.superuser)
|
||||
response = self._run_share_request(share_url, [self.superuser.username])
|
||||
response = self._run_share_request(share_url, [self.superuser.username], [str(self.team.id)])
|
||||
self.assertEqual(response.status_code, 200)
|
||||
|
||||
# Change the token
|
||||
self.header_data["HTTP_ksptoken"] = f"{self.superuser.api_token.token}__X"
|
||||
|
||||
# Expect the request to fail now
|
||||
response = self._run_share_request(share_url, [self.superuser.username])
|
||||
response = self._run_share_request(share_url, [self.superuser.username], [])
|
||||
self.assertEqual(response.status_code, 403)
|
||||
|
||||
def test_api_intervention_sharing(self):
|
||||
@@ -144,11 +151,11 @@ class APIV1SharingTestCase(BaseAPIV1TestCase):
|
||||
self.assertEqual(self.intervention.users.count(), 1)
|
||||
|
||||
# Try to add another user via API -> must work!
|
||||
response = self._run_share_request(share_url, [self.superuser.username, self.user.username])
|
||||
response = self._run_share_request(share_url, [self.superuser.username, self.user.username], [])
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertEqual(self.intervention.users.count(), 2)
|
||||
|
||||
# Now try to remove the user again -> expect no changes at all to the shared user list
|
||||
response = self._run_share_request(share_url, [self.superuser.username])
|
||||
response = self._run_share_request(share_url, [self.superuser.username], [])
|
||||
self.assertEqual(response.status_code, 200)
|
||||
self.assertEqual(self.intervention.users.count(), 2)
|
||||
|
||||
@@ -179,13 +179,7 @@ class AbstractModelAPISerializerV1(AbstractModelAPISerializer):
|
||||
Returns:
|
||||
ExternalIdentifier | None
|
||||
"""
|
||||
if external_identifier:
|
||||
try:
|
||||
obj = ExternalIdentifier.objects.get(external_id=external_identifier)
|
||||
return obj
|
||||
except ObjectDoesNotExist:
|
||||
pass
|
||||
return None
|
||||
return ExternalIdentifier.resolve_external_identifier(external_identifier)
|
||||
|
||||
def _check_external_identifier_on_entry_creation(self, external_identifier):
|
||||
""" Special check for POST processing:
|
||||
|
||||
+68
-19
@@ -6,13 +6,14 @@ Created on: 21.01.22
|
||||
|
||||
"""
|
||||
import json
|
||||
import uuid
|
||||
|
||||
from django.db.models import QuerySet
|
||||
from django.db.models import QuerySet, Q
|
||||
from django.http import JsonResponse, HttpRequest
|
||||
from django.views import View
|
||||
from django.views.decorators.csrf import csrf_exempt
|
||||
|
||||
from api.models import APIUserToken
|
||||
from api.models import APIUserToken, ExternalIdentifier
|
||||
from api.settings import KSP_TOKEN_HEADER_IDENTIFIER, KSP_USER_HEADER_IDENTIFIER
|
||||
from compensation.models import EcoAccount
|
||||
from ema.models import Ema
|
||||
@@ -205,6 +206,10 @@ class AbstractModelShareAPIView(AbstractAPIView):
|
||||
|
||||
"""
|
||||
try:
|
||||
external_identifier = ExternalIdentifier.resolve_external_identifier(id)
|
||||
if external_identifier:
|
||||
id = external_identifier.internal_id
|
||||
|
||||
users = self._get_shared_users_of_object(id)
|
||||
teams = self._get_shared_teams_of_object(id)
|
||||
except Exception as e:
|
||||
@@ -237,6 +242,9 @@ class AbstractModelShareAPIView(AbstractAPIView):
|
||||
"""
|
||||
|
||||
try:
|
||||
external_identifier = ExternalIdentifier.resolve_external_identifier(id)
|
||||
if external_identifier:
|
||||
id = external_identifier.internal_id
|
||||
success = self._process_put_body(request.body, id)
|
||||
except Exception as e:
|
||||
return self._return_error_response(e)
|
||||
@@ -309,22 +317,36 @@ class AbstractModelShareAPIView(AbstractAPIView):
|
||||
raise ValueError("Shared user list must not be empty!")
|
||||
new_teams = content.get("teams", [])
|
||||
|
||||
self.__process_user_sharing(new_users, obj)
|
||||
self.__process_team_sharing(new_teams, obj)
|
||||
|
||||
return True
|
||||
|
||||
def __process_user_sharing(self, user_list: list, obj):
|
||||
""" Processes API sharing for user payload
|
||||
|
||||
Args:
|
||||
user_list (list): A list of users to share the obj with
|
||||
obj (BaseObject): The shareable object
|
||||
|
||||
Returns:
|
||||
|
||||
"""
|
||||
# Eliminate duplicates
|
||||
new_users = list(dict.fromkeys(new_users))
|
||||
new_teams = list(dict.fromkeys(new_teams))
|
||||
new_users = list(dict.fromkeys(user_list))
|
||||
|
||||
# Make sure each of these names exist as a user
|
||||
new_users_objs = []
|
||||
for user in new_users:
|
||||
new_users_objs.append(User.objects.get(username=user))
|
||||
|
||||
# Make sure each of these names exist as a user
|
||||
new_teams_objs = []
|
||||
for team_name in new_teams:
|
||||
new_teams_objs.append(Team.objects.get(name=team_name))
|
||||
try:
|
||||
user_obj = User.objects.get(username=user)
|
||||
except User.DoesNotExist:
|
||||
raise AssertionError(f"User with username {user} does not exist")
|
||||
new_users_objs.append(user_obj)
|
||||
|
||||
if self.user.is_default_group_only():
|
||||
# Default only users are not allowed to remove other users from having access. They can only add new ones!
|
||||
# So we need to keep the ones that already have access from being removed!
|
||||
new_users_to_be_added = User.objects.filter(
|
||||
username__in=new_users
|
||||
).exclude(
|
||||
@@ -332,17 +354,44 @@ class AbstractModelShareAPIView(AbstractAPIView):
|
||||
)
|
||||
new_users_objs = obj.shared_users.union(new_users_to_be_added)
|
||||
|
||||
new_teams_to_be_added = Team.objects.filter(
|
||||
name__in=new_teams
|
||||
).exclude(
|
||||
id__in=obj.shared_teams
|
||||
)
|
||||
new_teams_objs = obj.shared_teams.union(new_teams_to_be_added)
|
||||
|
||||
obj.share_with_user_list(new_users_objs)
|
||||
obj.share_with_team_list(new_teams_objs)
|
||||
return True
|
||||
|
||||
def __process_team_sharing(self, team_list: list, obj):
|
||||
""" Processes API sharing for team payload
|
||||
|
||||
Args:
|
||||
team_list (list): A list of teams to share the obj with
|
||||
obj (BaseObject): The shareable object
|
||||
|
||||
Returns:
|
||||
|
||||
"""
|
||||
# Eliminate duplicates
|
||||
new_teams = list(dict.fromkeys(team_list))
|
||||
|
||||
# Resolve team names or ids into objects
|
||||
new_team_ids = []
|
||||
for team in new_teams:
|
||||
try:
|
||||
uuid.UUID(team)
|
||||
try:
|
||||
new_team_ids.append(Team.objects.get(id=team).id)
|
||||
except Team.DoesNotExist:
|
||||
raise AssertionError(f"Team with id {team} does not exist!")
|
||||
except ValueError:
|
||||
# entry is a name and not a uuid -> try to resolve as name!
|
||||
try:
|
||||
new_team_ids.append(Team.objects.get(name=team).id)
|
||||
except Team.DoesNotExist:
|
||||
raise AssertionError(f"Team with name {team} does not exist!")
|
||||
|
||||
new_team_objs = Team.objects.filter(id__in=new_team_ids)
|
||||
if self.user.is_default_group_only():
|
||||
# Default only users are not allowed to remove other users from having access. They can only add new ones!
|
||||
# So we need to keep the ones that already have access from being removed!
|
||||
new_team_objs = obj.shared_teams.union(new_team_objs)
|
||||
|
||||
obj.share_with_team_list(new_team_objs)
|
||||
|
||||
class InterventionAPIShareView(AbstractModelShareAPIView):
|
||||
model = Intervention
|
||||
|
||||
@@ -1,21 +0,0 @@
|
||||
services:
|
||||
konova:
|
||||
external_links:
|
||||
- postgis:db
|
||||
- arnova-nginx-server:arnova
|
||||
build: .
|
||||
image: "ksp/konova:x.y"
|
||||
container_name: "konova-docker"
|
||||
command: ./docker-entrypoint.sh
|
||||
restart: always
|
||||
volumes:
|
||||
- /data/apps/konova/uploaded_files:/konova_uploaded_files
|
||||
ports:
|
||||
- "1337:80"
|
||||
|
||||
# Instead of an own, new network, we need to connect to the existing one, which is provided by the postgis container
|
||||
# NOTE: THIS NETWORK MUST EXIST
|
||||
networks:
|
||||
default:
|
||||
name: postgis_nat_it_backend
|
||||
external: true
|
||||
@@ -1,27 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
set -e # Beende Skript bei Fehlern
|
||||
set -o pipefail # Fehler in Pipelines nicht ignorieren
|
||||
|
||||
# Starte Redis
|
||||
redis-server --daemonize yes
|
||||
|
||||
# Starte Celery Worker im Hintergrund
|
||||
celery -A konova worker --loglevel=info &
|
||||
|
||||
# Starte Nginx als Hintergrundprozess
|
||||
nginx -g "daemon off;" &
|
||||
|
||||
# Setze Gunicorn Worker-Anzahl (Standard: (2*CPUs)+1)
|
||||
WORKERS=${GUNICORN_WORKERS:-$((2 * $(nproc) + 1))}
|
||||
|
||||
# Stelle sicher, dass Logs existieren
|
||||
mkdir -p /var/log/gunicorn
|
||||
touch /var/log/gunicorn/access.log /var/log/gunicorn/error.log
|
||||
|
||||
# Starte Gunicorn als Hauptprozess
|
||||
exec gunicorn --workers="$WORKERS" konova.wsgi:application \
|
||||
--bind=0.0.0.0:8000 \
|
||||
--access-logfile /var/log/gunicorn/access.log \
|
||||
--error-logfile /var/log/gunicorn/error.log \
|
||||
--access-logformat '%({x-real-ip}i)s via %(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'
|
||||
@@ -191,10 +191,11 @@ STATICFILES_DIRS = [
|
||||
]
|
||||
|
||||
# EMAIL (see https://docs.djangoproject.com/en/dev/topics/email/)
|
||||
|
||||
# CHANGE_ME !!! ONLY FOR DEVELOPMENT !!!
|
||||
if DEBUG:
|
||||
# ONLY FOR DEVELOPMENT NEEDED
|
||||
EMAIL_BACKEND = 'django.core.mail.backends.filebased.EmailBackend'
|
||||
EMAIL_FILE_PATH = '/tmp/app-messages'
|
||||
EMAIL_FILE_PATH = '/tmp/app-messages' # change this to a proper location
|
||||
|
||||
DEFAULT_FROM_EMAIL = env("DEFAULT_FROM_EMAIL") # The default email address for the 'from' element
|
||||
SERVER_EMAIL = DEFAULT_FROM_EMAIL # The default email sender address, which is used by Django to send errors via mail
|
||||
|
||||
-25
@@ -1,25 +0,0 @@
|
||||
server {
|
||||
listen 80;
|
||||
client_max_body_size 25M;
|
||||
|
||||
location / {
|
||||
proxy_pass http://127.0.0.1:8000;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header Host $host;
|
||||
proxy_redirect off;
|
||||
proxy_cache_bypass $http_upgrade;
|
||||
}
|
||||
|
||||
location /static/ {
|
||||
alias /konova/static/;
|
||||
access_log /var/log/nginx/access.log;
|
||||
autoindex off;
|
||||
types {
|
||||
text/css css;
|
||||
application/javascript js;
|
||||
}
|
||||
}
|
||||
|
||||
error_log /var/log/nginx/error.log;
|
||||
}
|
||||
Reference in New Issue
Block a user