Merge branch 'release/0.4.4'

README.rst

@@ -183,6 +183,16 @@ DB Models
 Changelog
 =========
 
+v. 0.4.4
+--------
+
+* Data import updates (`#44 <https://github.com/libris/xl_auth/issues/44>`_)
+* UI adjustments; irrelevant permissions no longer shown to cataloging admins, using
+  term "sigel" instead of "kod"
+* Ansible provisioning updated to use Nginx reverse proxy and SSL
+  (`#39 <https://github.com/libris/xl_auth/issues/39>`_)
+
+
 v. 0.4.3
 --------
 

ansible/deployment.yml

@@ -6,6 +6,7 @@
   roles:
     - common
     - docker
+    - nginx
     - xl_auth
 
 ...

ansible/roles/nginx/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+
+upstream_port: "5000"
+
+...

ansible/roles/nginx/handlers/main.yml

@@ -0,0 +1,7 @@
+---
+
+- name: restart nginx
+  service: name=nginx state=restarted
+  check_mode: no
+
+...

ansible/roles/nginx/meta/main.yml

@@ -0,0 +1,18 @@
+galaxy_info:
+  author: Mats Blomdahl
+  description: Provision of Nginx reverse proxy
+  company: National Library of Sweden
+
+  license: Apache-2.0
+
+  min_ansible_version: 2.4
+
+  platforms:
+    - name: EL
+      versions:
+        - 7
+
+  galaxy_tags:
+    - nginx
+
+dependencies: []

ansible/roles/nginx/tasks/firewall-update.yml

@@ -0,0 +1,9 @@
+---
+
+- name: allow incoming http traffic (firewalld)
+  firewalld: service=http permanent=True state=enabled immediate=yes
+
+- name: allow incoming https traffic (firewalld)
+  firewalld: service=https permanent=True state=enabled immediate=yes
+
+...

ansible/roles/nginx/tasks/main.yml

@@ -0,0 +1,47 @@
+---
+
+- name: set nginx_ssl_enabled fact
+  set_fact:
+    nginx_ssl_enabled: "{{ '.kb.se' in inventory_hostname }}"
+  tags: nginx
+
+- name: nginx repo
+  yum_repository:
+    name: nginx
+    description: nginx repo
+    baseurl: http://nginx.org/packages/centos/$releasever/$basearch/
+    gpgkey: http://nginx.org/keys/nginx_signing.key
+  tags: nginx
+
+- name: install nginx
+  yum: name=nginx state=present
+  tags: nginx
+
+- name: default nginx conf removed
+  file: path=/etc/nginx/conf.d/default.conf state=absent
+  tags: nginx
+
+- name: template nginx proxy.conf
+  template:
+    src: "{{ 'ssl.conf.j2' if nginx_ssl_enabled else 'http.conf.j2' }}"
+    dest: "/etc/nginx/conf.d/proxy.conf"
+    validate: "/usr/sbin/nginx -T -g '#%s'"
+  notify: restart nginx
+  tags: nginx
+
+- name: update firewall
+  import_tasks: firewall-update.yml
+  tags: nginx, firewall
+
+- name: selinux must allow nginx proxying
+  seboolean:
+    name: httpd_can_network_connect
+    state: yes
+    persistent: yes
+  tags: nginx, selinux
+
+- name: nginx running and enabled
+  service: name=nginx state=started enabled=yes
+  tags: nginx
+
+...

ansible/roles/nginx/templates/http.conf.j2

@@ -0,0 +1,20 @@
+# -*- coding: utf-8 -*-
+
+server {
+    listen         80 default_server;
+    server_name    _;
+    server_tokens  off;
+    charset        utf-8;
+    gzip           on;
+
+    proxy_set_header  Host $host;
+    proxy_set_header  X-Real-IP $remote_addr;
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+
+    location / {
+        proxy_pass  http://127.0.0.1:{{ upstream_port }};
+    }
+
+    access_log  /var/log/nginx/access.log;
+    error_log   /var/log/nginx/error.log;
+}

ansible/roles/nginx/templates/ssl.conf.j2

@@ -0,0 +1,34 @@
+# -*- coding: utf-8 -*-
+
+server {
+    listen         80;
+    server_name    _;
+    server_tokens  off;
+
+    location / {
+        return  301 https://{{ inventory_hostname }}$request_uri;
+    }
+}
+
+server {
+    listen         443 default_server;
+    server_name    {{ inventory_hostname }};
+    server_tokens  off;
+    charset        utf-8;
+    gzip           on;
+
+    ssl                  on;
+    ssl_certificate      /etc/pki/tls/certs/{{ inventory_hostname }}.pem;
+    ssl_certificate_key  /etc/pki/tls/private/{{ inventory_hostname }}.key;
+
+    proxy_set_header  Host $host;
+    proxy_set_header  X-Real-IP $remote_addr;
+    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
+
+    location / {
+        proxy_pass  http://127.0.0.1:{{ upstream_port }};
+    }
+
+    access_log  /var/log/nginx/access.log;
+    error_log   /var/log/nginx/error.log;
+}

ansible/roles/xl_auth/tasks/main.yml

@@ -26,7 +26,7 @@
     links:
       - postgres
     ports:
-      - 80:5000
+      - 5000:5000
     env:
       FLASK_DEBUG: 0
       SQLALCHEMY_DATABASE_URI: postgresql://xl_auth:xl_auth@postgres/prod
@@ -71,8 +71,8 @@
     image: "{{ xl_auth_docker }}"
     interactive: yes
     tty: yes
-    auto_remove: yes
-    command: import_data --verbose --admin-email [email protected]
+    detach: no
+    command: import_data --verbose --admin-email [email protected] --wipe-permissions
     links:
       - postgres
     env:

messages.pot

@@ -6,9 +6,9 @@
 #, fuzzy
 msgid ""
 msgstr ""
-"Project-Id-Version: xl_auth 0.4.3\n"
+"Project-Id-Version: xl_auth 0.4.4\n"
 "Report-Msgid-Bugs-To: EMAIL@ADDRESS\n"
-"POT-Creation-Date: 2017-10-24 06:53+0200\n"
+"POT-Creation-Date: 2017-10-25 13:18+0200\n"
 "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n"
 "Last-Translator: FULL NAME <EMAIL@ADDRESS>\n"
 "Language-Team: LANGUAGE <[email protected]>\n"
@@ -115,16 +115,16 @@ msgstr ""
 #: tests/end2end/test_editing_user.py:45 xl_auth/templates/permissions/home.html:30
 #: xl_auth/templates/permissions/home.html:31 xl_auth/templates/permissions/home.html:32
 #: xl_auth/templates/users/home.html:33 xl_auth/templates/users/home.html:76
-#: xl_auth/templates/users/profile.html:55 xl_auth/templates/users/profile.html:58
-#: xl_auth/templates/users/profile.html:61
+#: xl_auth/templates/users/profile.html:58 xl_auth/templates/users/profile.html:61
+#: xl_auth/templates/users/profile.html:65
 msgid "Yes"
 msgstr ""
 
 #: tests/end2end/test_editing_user.py:45 xl_auth/templates/permissions/home.html:30
 #: xl_auth/templates/permissions/home.html:31 xl_auth/templates/permissions/home.html:32
 #: xl_auth/templates/users/home.html:33 xl_auth/templates/users/home.html:76
-#: xl_auth/templates/users/profile.html:55 xl_auth/templates/users/profile.html:58
-#: xl_auth/templates/users/profile.html:61
+#: xl_auth/templates/users/profile.html:58 xl_auth/templates/users/profile.html:61
+#: xl_auth/templates/users/profile.html:65
 msgid "No"
 msgstr ""
 
@@ -295,17 +295,17 @@ msgid "Collection"
 msgstr ""
 
 #: xl_auth/permission/forms.py:22 xl_auth/templates/permissions/home.html:18
-#: xl_auth/templates/users/profile.html:44
+#: xl_auth/templates/users/profile.html:45
 msgid "Registrant"
 msgstr ""
 
 #: xl_auth/permission/forms.py:23 xl_auth/templates/permissions/home.html:19
-#: xl_auth/templates/users/profile.html:45
+#: xl_auth/templates/users/profile.html:46
 msgid "Cataloger"
 msgstr ""
 
 #: xl_auth/permission/forms.py:24 xl_auth/templates/permissions/home.html:20
-#: xl_auth/templates/users/profile.html:46
+#: xl_auth/templates/users/profile.html:48
 msgid "Cataloguing Administrator"
 msgstr ""
 
@@ -534,7 +534,7 @@ msgstr ""
 
 #: xl_auth/templates/users/profile.html:35
 msgid ""
-"Note: <em>Cataloguing Admin</em> is a new privilege that, in the tear future, will allow you to "
+"Note: <em>Cataloguing Admin</em> is a new privilege that, in the near future, will allow you to "
 "create new user accounts and grant registrant/cataloger privileges to others. "
 msgstr ""
 

package.json

@@ -1,6 +1,6 @@
 {
   "name": "xl_auth",
-  "version": "0.4.3",
+  "version": "0.4.4",
   "author": "National Library of Sweden",
   "license": "Apache-2.0",
   "description": "OAuth2 authorization for LibrisXL, replacing BibDB counterpart",