small config changes; added env variable to enable temp login in prod… #145
Conversation
config/initializers/omniauth.rb
Outdated
@@ -12,7 +12,7 @@ | |||
}, | |||
name: 'CCID' | |||
|
|||
provider :developer unless Rails.env.production? | |||
provider :developer unless (Rails.env.production? && !ENV['ENABLE_TMP_LOGINS']) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think it would be a little more straightforward to test for the positive instead of the negation.
provider :developer unless (Rails.env.production? || ENV['ENABLE_TMP_LOGINS'].present?)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can also forget about the parentheses as rubocop will complain to you about them.
config/initializers/omniauth.rb:15:30: C: Style/ParenthesesAroundCondition: Don't use parentheses around the condition of an unless. (https://github.com/bbatsov/ruby-style-guide#no-parens-around-condition)
provider :developer unless (Rails.env.production? && !ENV['ENABLE_TMP_LOGINS'])
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just an aside, unrelated to the PR: it might be personal taste, but I think the version with parenthesis is more easily readable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually can we fix that cop? I'd generally rather have parenthesis around post-conditionals. I've been bitten at least once by less-than-intuitive precedence when they're removed (because, naturally, rubocop complained about them).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agreed with @cwant. If we can fix that rule that would be great.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regarding:
return true unless (method_possibly_throwing_exception rescue nil)
I would say that shouldn't be on one line?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
🚲
Honestly this is why rubocop is both great and terrible. I don't want parentheses in
unless foo && bar
do_thing
end
But I DO want them in
do_thing unless (foo && bar)
because you can more easily get into precedence issues with the latter. I don't think rubocop treats them differently, so it might be better to just drop the cop and watch for the former manually.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Fair enough the people have spoken. Submit a PR/issue for it then or have it added to this one. ¯_(ツ)_/¯
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Add
Style/ParenthesesAroundCondition:
Enabled: false
to rubocop.yml
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not so much that that example is great style or needs to be on one line (although it does take 7 lines to unroll it), it's just that it's an example where Rubocop will blindly tell you to break your code. This cop bugs me because it doesn't really understand the Ruby parse tree and it's easy-ish to get into situations where it will tell you to do the Wrong Thing™, which isn't great when not everyone will recognize situations where it's wrong.
I'll submit a PR to disable it, but I'll still consider it bad style to submit PRs which use parantheses around "normal" if/elsif/unless statements.
@@ -1,6 +1,6 @@ | |||
class Users::OmniauthCallbacksController < ApplicationController | |||
# TODO: Remove this once we figure out IST, this is only required for the omniauth developer provider | |||
skip_before_action :verify_authenticity_token, only: :complete unless Rails.env.production? | |||
skip_before_action :verify_authenticity_token, only: :complete unless (Rails.env.production? && !ENV['ENABLE_TMP_LOGINS']) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think we need this for the login form, as this just worked around an issue with TestShib.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah this is needed for the developer login form, as it's form doesn't send CSRF tokens with it 👎 .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's terrible. Where is the form generated & can we fix it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comes from ominauth gem (which probably doesn't have a dependency on Rails so thats why no CSRF token) . So probably not. It's honestly a hidden feature. Not documented at all and etc. AKA we shouldn't be using it much more then some quick dev testing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We could override the view to add the token? I dunno, it's not a deal breaker but it make me nervous anytime something is potentially disabling the auth_token checks. Thumbs down, omniauth devs. Add a soft-check for the method definition
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since apparently we have to keep this, I think we want the logic to be:
skip_before_action :verify_authenticity_token, only: :complete unless (Rails.env.production? || ENV['ENABLE_TMP_LOGINS'].present?)
To be consistent with the other change
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah we could override it or something. Code lives here:
https://github.com/omniauth/omniauth/blob/master/lib/omniauth/strategies/developer.rb
https://github.com/omniauth/omniauth/blob/master/lib/omniauth/form.rb
I am hoping this is temporary anyways. Hopefully testshib/IST SAML will replace the need for this code
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Inline form HTML inside methods 🙀
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Build is failing because of rubocop errors. Make sure you run rubocop to catch some code style stuff. https://travis-ci.org/ualbertalib/Hydranorth2/builds/218592996
config/solr.yml
Outdated
@@ -4,4 +4,4 @@ development: | |||
test: | |||
url: <%= ENV['SOLR_TEST_URL'] || 'http://localhost:8985/solr/hydra-test' %> | |||
production: | |||
url: http://your.production.server:8080/bl_solr/core0 | |||
url: <%= ENV['SOLR_PROD_URL'] || 'http://your.production.server:8080/bl_solr/core0' %> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is having a different ENV VAR for each environment needed (e.g SOLR_<ENVIRONMENT>_URL
)? Can a single ENV VAR of SOLR_URL
be used? Same comment applies to blacklight.yml.
Looking at Hyku they do this: https://github.com/projecthydra-labs/hyku/blob/master/config/solr.yml
and Plum does this: https://github.com/pulibrary/plum/blob/master/config/solr.yml
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, sounds like a good idea will fix it
.rubocop.yml
Outdated
@@ -80,3 +80,7 @@ RSpec/ExampleLength: | |||
|
|||
RSpec/MultipleExpectations: | |||
Enabled: false | |||
|
|||
# as discussed in issue#144 | |||
Style/ParenthesesAroundCondition: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@mbarnett already fixed this in Master haha. Not sure if that was clear sorry alex.
https://github.com/ualbertalib/Hydranorth2/blob/master/.rubocop.yml#L74-L75
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@astrilet this is already fixed, you don't need to include it in your PR.
config/initializers/omniauth.rb
Outdated
@@ -12,7 +12,8 @@ | |||
}, | |||
name: 'CCID' | |||
|
|||
provider :developer unless Rails.env.production? | |||
provider :developer unless (Rails.env.production? || | |||
ENV['ENABLE_TMP_LOGINS'].present?) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This conditional logic is still not quite right.
Previously it was unless (Rails.env.production? && !ENV['ENABLE_TMP_LOGINS'])
which means it will only be enabled if it was both not in production AND the env var was set. Which isn't correct as it should be OR.
Now its unless (Rails.env.production? || ENV['ENABLE_TMP_LOGINS'].present?)
which means its only enabled if its not in production OR ENV VAR is not present. Which is not true as we want the setting of the ENV VAR in production to allow this to be turned on?
Also unless
gets very confusing when you have complicated conditionals (with &&
, ||
) so maybe it be easier if you switched it to an if
?
Basically you want if !Rails.env.production? || ENV['ENABLE_TMP_LOGINS'].present?
or maybe if Rails.env.development? || ENV['ENABLE_TMP_LOGINS'].present?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right unless gets very confusing, I will switch it to if statement
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@astrilet I am not sure if the two docker related files really belong here. didocker-hydranorth2 is probably the better home for it (and I saw it's already there).
Dockerfile
Outdated
RUN cd /app && rake assets:precompile | ||
ADD bin/start_hn2.sh /usr/local/bin | ||
|
||
EXPOSE 3000 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With Nginx configured, do we still need to expose port 3000 explicitly?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes we need to expose it inside docker image. This instruction means that other containers can connect to this one to the port 3000. This is what Nginx will do - will connect to instance of hydranorth2 running container and redirect port 3000 to its own port 80 which in turn will be redirected to atomic host port pointed by HOSTPORT environment variable.
bin/start_hn2.sh
Outdated
|
||
#check if db has been migrated | ||
if [ ! -e /db/initialized ]; then | ||
sleep 10 && rake db:migrate && touch /db/initialized; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
same question as @murny mentioned on the didocker-hydranorth2 repo, is the check here needed? db:migrate can be run as many times as you need.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, good point will remove that.
@astrilet I've found this comment here docker/compose#374: Here's a way to do it with healthcheck and docker-compose 2.1+: version: "2.1" This can probably be investigated and incorporated in if possible to avoid the use of additional script. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@astrilet Did you have a chance to take a look at Avalon's docker repo https://github.com/avalonmediasystem/avalon-docker. How they organize their project makes sense to me. Maybe we should not keep the Dockerfile in the application code repo.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Other than the change in .rubocop.yml, others look good as we discussed.
Please also update your PR description to include the Dockerfile change. |
1 config changes
2 added env variable ENABLE_TMP_LOGINS to enable temp logins in production mode
3 added Dockerfile to build docker image