Merge pull request #5 from onaio/add-7.4

Author: ukanga

.github/workflows/ci.yaml

@@ -11,13 +11,13 @@ jobs:
     runs-on: ubuntu-latest
     env:
       python_version: "3.9.x"
-      IMAGE: praekeltfoundation/rapidpro
-      REGISTRY_USER: rapidproautomation
+      IMAGE: rapidpro:ci
       REPO: rapidpro/rapidpro
+      OIDC_VERSION: v1.1.1
       GREP_TIMEOUT: 360
     strategy:
       matrix:
-        VERSION: [v7.2.4, v7.4.2]
+        VERSION: [v8.0.1]
     steps:
       - uses: actions/checkout@v2
       - uses: actions/setup-python@v2
@@ -43,6 +43,7 @@ jobs:
           build-args: |
             RAPIDPRO_VERSION=${{matrix.VERSION}}
             RAPIDPRO_REPO=${{env.REPO}}
+            OIDC_VERSION=${{env.OIDC_VERSION}}
       - name: Test Rapidpro Image
         run: |
           docker run --name rapidpro --env-file docker.envfile --link postgis --publish 8000:8000 --detach "${{ env.IMAGE }}"
@@ -59,34 +60,3 @@ jobs:
         if: always()
         run: |
           docker logs rapidpro
-      - name: construct image metadata
-        uses: docker/metadata-action@v3
-        id: meta
-        with:
-          images: |
-            praekeltfoundation/rapidpro
-            ghcr.io/praekeltfoundation/rapidpro-docker
-          tags: |
-            type=pep440,pattern=v{{major}},value=${{matrix.VERSION}}
-            type=pep440,pattern=v{{major}}.{{minor}},value=${{matrix.VERSION}}
-            type=pep440,pattern=v{{version}},value=${{matrix.VERSION}}
-      - name: login to ghcr
-        uses: docker/login-action@v1
-        with:
-          registry: ghcr.io
-          username: ${{github.actor}}
-          password: ${{secrets.GITHUB_TOKEN}}
-      - name: login to docker hub
-        uses: docker/login-action@v1
-        with:
-          username: ${{secrets.DOCKER_USERNAME}}
-          password: ${{secrets.DOCKER_PASSWORD}}
-      - name: build and push
-        uses: docker/build-push-action@v2
-        with:
-          push: ${{github.event_name != 'pull_request'}}
-          tags: ${{steps.meta.outputs.tags}}
-          context: .
-          build-args: |
-            RAPIDPRO_VERSION=${{matrix.VERSION}}
-            RAPIDPRO_REPO=${{env.REPO}}

.travis.yml

@@ -1,11 +1,11 @@
-FROM ghcr.io/praekeltfoundation/python-base-nw:3.9-bullseye as builder
+FROM python:3.10.16-slim-bookworm as builder
 
 ENV PIP_RETRIES=120 \
     PIP_TIMEOUT=400 \
     PIP_DEFAULT_TIMEOUT=400 \
     C_FORCE_ROOT=1
 
-RUN apt-get-install.sh wget tar build-essential
+RUN apt update && apt install -y wget tar build-essential git
 
 WORKDIR /rapidpro
 
@@ -18,25 +18,36 @@ RUN echo "Downloading RapidPro ${RAPIDPRO_VERSION} from https://github.com/$RAPI
     tar -xf rapidpro.tar.gz --strip-components=1 && \
     rm rapidpro.tar.gz
 
-RUN pip install -U pip && pip install -U poetry
+RUN pip install -U pip && pip install -U poetry packaging
 
 # Build Python virtualenv
 RUN python3 -m venv /venv
 ENV PATH="/venv/bin:$PATH"
 ENV VIRTUAL_ENV="/venv"
 
 # Install configuration related dependencies
-RUN /venv/bin/pip install --upgrade pip && poetry install --no-interaction --no-dev && poetry add \
-        "django-getenv==1.3.2" \
-        "django-cache-url==3.2.3" \
-        "uwsgi==2.0.20" \
-        "whitenoise==5.3.0" \
-        "flower==1.0.0"
+RUN /venv/bin/pip install --trusted-host pypi.python.org --trusted-host files.pythonhosted.org --trusted-host pypi.org --upgrade pip && \
+/venv/bin/pip install --no-cache-dir \
+"django-getenv==1.3.2" \
+"django-cache-url==3.2.3" \
+"uwsgi==2.0.22" \
+"whitenoise==5.3.0" \
+"flower==1.2.0" \
+"sentry-sdk==2.5.1"
 
-FROM ghcr.io/praekeltfoundation/python-base-nw:3.9-bullseye
+RUN poetry install --no-interaction --no-ansi --only main
+
+# Install the Ona OIDC pip package.
+ARG OIDC_VERSION=v1.1.1
+ENV OIDC_VERSION=${OIDC_VERSION:-v1.1.1}
+RUN /venv/bin/pip install -e "git+https://github.com/onaio/ona-oidc.git@${OIDC_VERSION}#egg=ona-oidc"
+
+FROM python:3.10.16-slim-bookworm
 
 ARG RAPIDPRO_VERSION
+ARG RAPIDPRO_REPO
 ENV RAPIDPRO_VERSION=${RAPIDPRO_VERSION:-master}
+ENV RAPIDPRO_REPO=${RAPIDPRO_REPO:-rapidpro/rapidpro}
 
 # Copy rapidpro and venv from builder
 COPY --from=builder /rapidpro /rapidpro
@@ -49,14 +60,17 @@ ENV VIRTUAL_ENV="/venv"
 # `pcre` is needed for uwsgi
 # `geos`, `gdal`, and `proj` are needed for `manage.py download_geojson` and `manage.py import_geojson`
 # `npm` for static file generation
-RUN apt-get-install.sh \
+RUN apt-get update -q && \
+    apt-get install -y --no-install-recommends \
         postgresql-client \
         libmagic-dev \
         libpcre3 \
-        libgeos-c1v5 \
-        libgdal28 \
-        libproj19 \
-        npm
+        libgeos-dev \
+        libgdal-dev \
+        libproj-dev \
+        npm && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
 
 WORKDIR /rapidpro
 
@@ -76,6 +90,17 @@ COPY stack/clear-compressor-cache.py /rapidpro/
 EXPOSE 8000
 COPY stack/startup.sh /
 
+# Drop privileges — run as a non-root user (uid 1000) with a real $HOME and
+# no login shell. uid 1000 is what Kubernetes' restricted Pod Security
+# Standard expects (runAsUser >= 1000) so the container's UID does not
+# overlap with privileged host system accounts.
+RUN groupadd -g 1000 rapidpro && \
+    useradd -m -u 1000 -g rapidpro -s /sbin/nologin rapidpro && \
+    chmod +x /startup.sh && \
+    chown rapidpro:rapidpro /startup.sh && \
+    chown -R rapidpro:rapidpro /rapidpro /venv
+USER rapidpro
+
 LABEL org.label-schema.name="RapidPro" \
       org.label-schema.description="RapidPro allows organizations to visually build scalable interactive messaging applications." \
       org.label-schema.url="https://www.rapidpro.io/" \

Dockerfile

@@ -1,20 +1,10 @@
 RapidPro Docker
 ===============
 
-[![Build Status](https://travis-ci.org/praekeltfoundation/rapidpro-docker.svg?branch=master)](https://travis-ci.org/praekeltfoundation/rapidpro-docker)
-[![Docker Version](https://images.microbadger.com/badges/version/praekeltfoundation/rapidpro.svg)](https://hub.docker.com/r/praekeltfoundation/rapidpro/tags/ "Get the latest version from Docker Hub")
-
-This repository's sole purpose is to build docker images versioned off of
-git tags published in rapidpro/rapidpro and upload them to Docker Hub.
-
-The idea is:
-
-  1. Set up Travis Cron job to run every 24 hours
-  3. The Travis build script should download the latest rapidpro/rapidpro
-     tagged release matching `^v[0-9\.]$`
-  4. Build the docker image and tag with the latest git tag.
-  5. Push the docker image to Docker hub using credentials stored in
-     Travis' secrets vault.
+This repository builds docker images of RapidPro versioned off git tags
+published in rapidpro/rapidpro and uploads them to Docker Hub via
+GitHub Actions (see `.github/workflows/ci.yaml`). The set of versions
+built is the `VERSION` matrix in that workflow.
 
 Running RapidPro in Docker
 --------------------------
@@ -267,3 +257,57 @@ v6.0 to v6.2:
 v6.4 to v7.0:
   - Clear the sitestatic folder/S3 bucket and regenerate static files (otherwise icons don't work)
   - Ensure you're calling celery in the new CLI format, ie. `celery --app=temba beat`, not `celery beat --app=temba`
+
+RapidPro 8.0.1 with OIDC
+------------------------
+
+The `v8.0.1` build matrix entry produces an image with built-in OIDC support
+via the [`onaio/ona-oidc`](https://github.com/onaio/ona-oidc) Django app and
+Sentry telemetry via `sentry-sdk`. The image runs as the non-root `rapidpro`
+user (uid 1000) and uses `python:3.10.16-slim-bookworm` as its base.
+
+Build:
+
+    $ docker build \
+        --build-arg RAPIDPRO_VERSION=v8.0.1 \
+        --build-arg RAPIDPRO_REPO=rapidpro/rapidpro \
+        --build-arg OIDC_VERSION=v1.1.1 \
+        -t onaio/rapidpro:v8.0.1-oidc .
+
+Build args:
+
+  - `RAPIDPRO_VERSION` — git tag of `rapidpro/rapidpro` to build (default `master`).
+  - `RAPIDPRO_REPO` — source repo (default `rapidpro/rapidpro`).
+  - `OIDC_VERSION` — git tag of `onaio/ona-oidc` to install (default `v1.1.1`).
+
+Additional environment variables specific to this build:
+
+*ENABLE_OIDC*
+  Set to ``on`` to enable OIDC login (loads the `oidc` app and adds
+  `/oidc/<server>/login/` and `/oidc/<server>/logout/` routes). Defaults to ``off``.
+
+*OPENID_CONNECT_VIEWSET_CONFIG*
+  JSON-encoded config for the OIDC viewset (see `ona-oidc` README). Required when
+  `ENABLE_OIDC=on`.
+
+*OPENID_CONNECT_AUTH_SERVERS*
+  JSON-encoded auth-server config for OIDC. Required when `ENABLE_OIDC=on`.
+
+*OPENID_CONNECT_DEFAULT_AUTH_SERVER*
+  Slug of the default auth server defined in `OPENID_CONNECT_AUTH_SERVERS`.
+  Defaults to ``default``.
+
+*SENTRY_DSN*
+  DSN for Sentry error reporting. Optional; if unset, Sentry is not initialised.
+
+*CSRF_TRUSTED_ORIGINS*
+  Comma-separated list of origins to trust for CSRF (Django 4+). Example:
+  ``https://app.example.org/*,https://api.example.org/*``. Optional.
+
+*NON_ISO6391_LANGUAGES*
+  Comma-separated ISO 639-3 language codes to allow in addition to the built-in
+  ISO 639-1 set (e.g. ``ach,nus,zne``). Optional.
+
+*API_THROTTLE_V2_BROADCASTS*
+  Throttle for v2 broadcast API (in addition to the existing
+  ``API_THROTTLE_V2_*`` family).

README.md

@@ -5,11 +5,18 @@ MANAGEPY_COLLECTSTATIC=on
 MANAGEPY_COMPRESS=on
 MANAGEPY_INIT_DB=on
 MANAGEPY_MIGRATE=on
-# Since we're not setting up OAuth tokens builds are subject
-# to IP based rate limiting on GitHub for TravisCI IPs which
-# can result in unpredictable builds.
+# GeoJSON import calls the GitHub API; without an auth token, builds
+# are subject to GitHub's per-IP rate limit and can fail unpredictably
+# when shared CI runners hit the limit.
 #
 # Set this to `on` if you really want to test this.
 MANAGEPY_IMPORT_GEOJSON=on
 # Use Uganda Relation ID can be used as a test
 OSM_RELATION_IDS=192796
+# enable oidc auth
+ENABLE_OIDC=on
+OIDC_VERSION=v1.1.1
+# OIDC viewset and auth-server configs; populate per deployment when
+# ENABLE_OIDC=on. Empty dicts are appropriate for the CI smoke test.
+OPENID_CONNECT_VIEWSET_CONFIG={}
+OPENID_CONNECT_AUTH_SERVERS={}