Merge branch 'fresh-beaker-key'

okfn · Jan 30, 2023 · 4746d8c · 4746d8c
2 parents 0b21f49 + 5257b8a
commit 4746d8c
Show file tree

Hide file tree

Showing 15 changed files with 92 additions and 3 deletions.
diff --git a/.env.example b/.env.example
@@ -6,6 +6,10 @@ DATASTORE_READONLY_PASSWORD=datastore
 CKAN_SITE_ID=default
 CKAN_SITE_URL=http://ckan:5000
 CKAN_PORT=5000
+CKAN___BEAKER__SESSION__SECRET=CHANGE_ME
+# See https://docs.ckan.org/en/latest/maintaining/configuration.html#api-token-settings
+CKAN___API_TOKEN__JWT__ENCODE__SECRET=string:CHANGE_ME
+CKAN___API_TOKEN__JWT__DECODE__SECRET=string:CHANGE_ME
 CKAN_SYSADMIN_NAME=ckan_admin
 CKAN_SYSADMIN_PASSWORD=test1234
 CKAN_SYSADMIN_EMAIL=your_email@example.com

diff --git a/README.md b/README.md
@@ -42,7 +42,7 @@ The site is configured via env vars (the base CKAN image loads [ckanext-envvars]
 
 Copy the included `.env.example` and rename it to `.env` to modify it depending on your own needs.
 
-Using the default values on the `.env.example` file will get you a working CKAN instance. There is a sysadmin user created by default with the values defined in `CKAN_SYSADMIN_NAME` and `CKAN_SYSADMIN_PASSWORD`(`ckan_admin` and `test1234` by default). I shouldn't be telling you this but obviously don't run any public CKAN instance with the default settings.
+Using the default values on the `.env.example` file will get you a working CKAN instance. There is a sysadmin user created by default with the values defined in `CKAN_SYSADMIN_NAME` and `CKAN_SYSADMIN_PASSWORD`(`ckan_admin` and `test1234` by default). I shouldn't be telling you this but obviously don't run any public CKAN instance with the default settings. Make sure to set up proper passwords and secret keys in your `.env` file.
 
 To build the images:
 

diff --git a/ckan-base/2.10/Dockerfile b/ckan-base/2.10/Dockerfile
@@ -69,12 +69,12 @@ COPY common/supervisord.conf /etc
 RUN pip3 install -e git+${GIT_URL}@${GIT_BRANCH}#egg=ckan && \
     cd ${SRC_DIR}/ckan && \
     cp who.ini ${APP_DIR} && \
-    pip3 install -r requirement-setuptools.txt && \
     pip3 install --no-binary markdown -r requirements.txt && \
     # Install CKAN envvars to support loading config from environment variables
     pip3 install -e git+https://github.com/okfn/ckanext-envvars.git#egg=ckanext-envvars && \
     # Create and update CKAN config
     ckan generate config ${CKAN_INI} && \
+    ckan config-tool ${CKAN_INI} "beaker.session.secret = " && \
     ckan config-tool ${CKAN_INI} "ckan.plugins = ${CKAN__PLUGINS}"
 
 # Create a local user and group to run the app

diff --git a/ckan-base/2.10/setup/start_ckan.sh b/ckan-base/2.10/setup/start_ckan.sh
@@ -4,6 +4,18 @@
 # will be updated later
 ckan config-tool $CKAN_INI ckan.datapusher.api_token=xxx
 
+# Set up the Secret key used by Beaker and Flask
+# This can be overriden using a CKAN___BEAKER__SESSION__SECRET env var
+if grep -E "beaker.session.secret ?= ?$" ckan.ini
+then
+    echo "Setting beaker.session.secret in ini file"
+    ckan config-tool $CKAN_INI "beaker.session.secret=$(python3 -c 'import secrets; print(secrets.token_urlsafe())')"
+    ckan config-tool $CKAN_INI "WTF_CSRF_SECRET_KEY=$(python3 -c 'import secrets; print(secrets.token_urlsafe())')"
+    JWT_SECRET=$(python3 -c 'import secrets; print("string:" + secrets.token_urlsafe())')
+    ckan config-tool $CKAN_INI "api_token.jwt.encode.secret=$JWT_SECRET"
+    ckan config-tool $CKAN_INI "api_token.jwt.decode.secret=$JWT_SECRET"
+fi
+
 # Run the prerun script to init CKAN and create the default admin user
 sudo -u ckan -EH python3 prerun.py
 

diff --git a/ckan-base/2.8/Dockerfile b/ckan-base/2.8/Dockerfile
@@ -64,6 +64,7 @@ RUN pip install -e git+${GIT_URL}@${GIT_BRANCH}#egg=ckan && \
     pip install -e git+https://github.com/okfn/ckanext-envvars.git#egg=ckanext-envvars && \
     # Create and update CKAN config
     paster --plugin=ckan make-config ckan ${CKAN_INI} && \
+    paster --plugin=ckan config-tool ${CKAN_INI} "beaker.session.secret = " && \
     paster --plugin=ckan config-tool ${CKAN_INI} "ckan.plugins = ${CKAN__PLUGINS}" && \
     paster --plugin=ckan config-tool ${CKAN_INI} "ckan.site_url = ${CKAN__SITE_URL}"
 

diff --git a/ckan-base/2.8/setup/start_ckan.sh b/ckan-base/2.8/setup/start_ckan.sh
@@ -1,5 +1,13 @@
 #!/bin/bash
 
+# Set up the Secret key used by Beaker and Flask
+# This can be overriden using a CKAN___BEAKER__SESSION__SECRET env var
+if grep -E "beaker.session.secret ?= ?$" ckan.ini
+then
+    echo "Setting beaker.session.secret in ini file"
+    paster --plugin=ckan config-tool $CKAN_INI "beaker.session.secret=$(python -c 'import secrets; print(secrets.token_urlsafe())')"
+fi
+
 # Run the prerun script to init CKAN and create the default admin user
 sudo -u ckan -EH python prerun.py
 

diff --git a/ckan-base/2.9/Dockerfile b/ckan-base/2.9/Dockerfile
@@ -75,6 +75,7 @@ RUN pip3 install -e git+${GIT_URL}@${GIT_BRANCH}#egg=ckan && \
     pip3 install -e git+https://github.com/okfn/ckanext-envvars.git#egg=ckanext-envvars && \
     # Create and update CKAN config
     ckan generate config ${CKAN_INI} && \
+    ckan config-tool ${CKAN_INI} "beaker.session.secret = " && \
     ckan config-tool ${CKAN_INI} "ckan.plugins = ${CKAN__PLUGINS}"
 
 # Create a local user and group to run the app

diff --git a/ckan-base/2.9/Dockerfile.py2 b/ckan-base/2.9/Dockerfile.py2
@@ -69,6 +69,7 @@ RUN pip2 install -e git+${GIT_URL}@${GIT_BRANCH}#egg=ckan && \
     pip2 install -e git+https://github.com/okfn/ckanext-envvars.git#egg=ckanext-envvars && \
     # Create and update CKAN config
     ckan generate config ${CKAN_INI} && \
+    ckan config-tool ${CKAN_INI} "beaker.session.secret = " && \
     ckan config-tool ${CKAN_INI} "ckan.plugins = ${CKAN__PLUGINS}"
 
 # Create a local user and group to run the app

diff --git a/ckan-base/2.9/setup/start_ckan-py2.sh b/ckan-base/2.9/setup/start_ckan-py2.sh
@@ -1,5 +1,16 @@
 #!/bin/bash
 
+# Set up the Secret key used by Beaker and Flask
+# This can be overriden using a CKAN___BEAKER__SESSION__SECRET env var
+if grep -E "beaker.session.secret ?= ?$" ckan.ini
+then
+    echo "Setting secrets in ini file"
+    ckan config-tool $CKAN_INI "beaker.session.secret=$(python -c 'import secrets; print(secrets.token_urlsafe())')"
+    JWT_SECRET=$(python3 -c 'import secrets; print("string:" + secrets.token_urlsafe())')
+    ckan config-tool $CKAN_INI "api_token.jwt.encode.secret=$JWT_SECRET"
+    ckan config-tool $CKAN_INI "api_token.jwt.decode.secret=$JWT_SECRET"
+fi
+
 # Run the prerun script to init CKAN and create the default admin user
 sudo -u ckan -EH python2 prerun.py
 

diff --git a/ckan-base/2.9/setup/start_ckan.sh b/ckan-base/2.9/setup/start_ckan.sh
@@ -1,5 +1,16 @@
 #!/bin/bash
 
+# Set up the Secret key used by Beaker and Flask
+# This can be overriden using a CKAN___BEAKER__SESSION__SECRET env var
+if grep -E "beaker.session.secret ?= ?$" ckan.ini
+then
+    echo "Setting secrets in ini file"
+    ckan config-tool $CKAN_INI "beaker.session.secret=$(python3 -c 'import secrets; print(secrets.token_urlsafe())')"
+    JWT_SECRET=$(python3 -c 'import secrets; print("string:" + secrets.token_urlsafe())')
+    ckan config-tool $CKAN_INI "api_token.jwt.encode.secret=$JWT_SECRET"
+    ckan config-tool $CKAN_INI "api_token.jwt.decode.secret=$JWT_SECRET"
+fi
+
 # Run the prerun script to init CKAN and create the default admin user
 sudo -u ckan -EH python3 prerun.py
 

diff --git a/ckan-base/master/Dockerfile b/ckan-base/master/Dockerfile
@@ -69,7 +69,6 @@ COPY common/supervisord.conf /etc
 RUN pip3 install -e git+${GIT_URL}@${GIT_BRANCH}#egg=ckan && \
     cd ${SRC_DIR}/ckan && \
     cp who.ini ${APP_DIR} && \
-    pip3 install -r requirement-setuptools.txt && \
     pip3 install -r requirements.txt && \
     # Install CKAN envvars to support loading config from environment variables
     pip3 install -e git+https://github.com/okfn/ckanext-envvars.git#egg=ckanext-envvars && \

diff --git a/ckan-dev/2.10/setup/start_ckan_development.sh b/ckan-dev/2.10/setup/start_ckan_development.sh
@@ -49,6 +49,17 @@ ckan config-tool $CKAN_INI -s DEFAULT "debug = true"
 # will be updated later
 ckan config-tool $CKAN_INI ckan.datapusher.api_token=xxx
 
+# Set up the Secret key used by Beaker and Flask
+# This can be overriden using a CKAN___BEAKER__SESSION__SECRET env var
+if grep -E "beaker.session.secret ?= ?$" ckan.ini
+then
+    echo "Setting beaker.session.secret in ini file"
+    ckan config-tool $CKAN_INI "beaker.session.secret=$(python3 -c 'import secrets; print(secrets.token_urlsafe())')"
+    JWT_SECRET=$(python3 -c 'import secrets; print("string:" + secrets.token_urlsafe())')
+    ckan config-tool $CKAN_INI "api_token.jwt.encode.secret=$JWT_SECRET"
+    ckan config-tool $CKAN_INI "api_token.jwt.decode.secret=$JWT_SECRET"
+fi
+
 # Update the plugins setting in the ini file with the values defined in the env var
 echo "Loading the following plugins: $CKAN__PLUGINS"
 ckan config-tool $CKAN_INI "ckan.plugins = $CKAN__PLUGINS"

diff --git a/ckan-dev/2.8/setup/start_ckan_development.sh b/ckan-dev/2.8/setup/start_ckan_development.sh
@@ -45,6 +45,14 @@ done
 echo "Enabling debug mode"
 paster --plugin=ckan config-tool $CKAN_INI -s DEFAULT "debug = true"
 
+# Set up the Secret key used by Beaker and Flask
+# This can be overriden using a CKAN___BEAKER__SESSION__SECRET env var
+if grep -E "beaker.session.secret ?= ?$" ckan.ini
+then
+    echo "Setting beaker.session.secret in ini file"
+    paster --plugin=ckan config-tool $CKAN_INI "beaker.session.secret=$(python -c 'import secrets; print(secrets.token_urlsafe())')"
+fi
+
 # Update the plugins setting in the ini file with the values defined in the env var
 echo "Loading the following plugins: $CKAN__PLUGINS"
 paster --plugin=ckan config-tool $CKAN_INI "ckan.plugins = $CKAN__PLUGINS"

diff --git a/ckan-dev/2.9/setup/start_ckan_development-py2.sh b/ckan-dev/2.9/setup/start_ckan_development-py2.sh
@@ -49,6 +49,17 @@ done
 echo "Enabling debug mode"
 ckan config-tool $CKAN_INI -s DEFAULT "debug = true"
 
+# Set up the Secret key used by Beaker and Flask
+# This can be overriden using a CKAN___BEAKER__SESSION__SECRET env var
+if grep -E "beaker.session.secret ?= ?$" ckan.ini
+then
+    echo "Setting secrets in ini file"
+    ckan config-tool $CKAN_INI "beaker.session.secret=$(python -c 'import secrets; print(secrets.token_urlsafe())')"
+    JWT_SECRET=$(python3 -c 'import secrets; print("string:" + secrets.token_urlsafe())')
+    ckan config-tool $CKAN_INI "api_token.jwt.encode.secret=$JWT_SECRET"
+    ckan config-tool $CKAN_INI "api_token.jwt.decode.secret=$JWT_SECRET"
+fi
+
 # Update the plugins setting in the ini file with the values defined in the env var
 echo "Loading the following plugins: $CKAN__PLUGINS"
 ckan config-tool $CKAN_INI "ckan.plugins = $CKAN__PLUGINS"

diff --git a/ckan-dev/2.9/setup/start_ckan_development.sh b/ckan-dev/2.9/setup/start_ckan_development.sh
@@ -45,6 +45,17 @@ done
 echo "Enabling debug mode"
 ckan config-tool $CKAN_INI -s DEFAULT "debug = true"
 
+# Set up the Secret key used by Beaker and Flask
+# This can be overriden using a CKAN___BEAKER__SESSION__SECRET env var
+if grep -E "beaker.session.secret ?= ?$" ckan.ini
+then
+    echo "Setting secrets in ini file"
+    ckan config-tool $CKAN_INI "beaker.session.secret=$(python3 -c 'import secrets; print(secrets.token_urlsafe())')"
+    JWT_SECRET=$(python3 -c 'import secrets; print("string:" + secrets.token_urlsafe())')
+    ckan config-tool $CKAN_INI "api_token.jwt.encode.secret=$JWT_SECRET"
+    ckan config-tool $CKAN_INI "api_token.jwt.decode.secret=$JWT_SECRET"
+fi
+
 # Update the plugins setting in the ini file with the values defined in the env var
 echo "Loading the following plugins: $CKAN__PLUGINS"
 ckan config-tool $CKAN_INI "ckan.plugins = $CKAN__PLUGINS"