From e0119d36e3cd1d6f58f4c7bf8f723eeb7c74542a Mon Sep 17 00:00:00 2001
From: Christopher Cave-Ayland
Date: Wed, 16 Aug 2023 16:50:07 +0100
Subject: [PATCH] Build app docker image in CI with production settings

---
 .github/workflows/ci.yml | 4 +-
 docker/invenio_production.cfg | 226 ++++++++++++++++++++++++++++++++++
 2 files changed, 229 insertions(+), 1 deletion(-)
 create mode 100644 docker/invenio_production.cfg

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 612790d..cd2c6f7 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -13,6 +13,7 @@ jobs:
 if: github.ref == 'refs/heads/main'
 needs: qa
 steps:
+ - uses: actions/checkout@v3
 - name: Login to GitHub Container Registry
 uses: docker/login-action@v2
 with:
@@ -24,12 +25,13 @@ jobs:
 uses: docker/metadata-action@v4
 with:
 images: ghcr.io/${{ github.repository }}
+ - run: cp docker/invenio_production.cfg ./invenio.cfg
 - name: Build and push Docker image
 uses: docker/build-push-action@v4
 with:
+ context: .
 push: true
 tags: ${{steps.meta.outputs.tags }}
- - uses: actions/checkout@v3
 - name: Get image frontend metadata
 id: frontend-meta
 uses: docker/metadata-action@v4
diff --git a/docker/invenio_production.cfg b/docker/invenio_production.cfg
new file mode 100644
index 0000000..8e37e10
--- /dev/null
+++ b/docker/invenio_production.cfg
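Review bot: The `cp docker/invenio_production.cfg ./invenio.cfg` step in the second ci.yml hunk bakes the checked-in cfg into the image that the following step pushes to ghcr.io, and that file (the new docker/invenio_production.cfg hunk) ships `SECRET_KEY = "CHANGEME"` plus a `SQLALCHEMY_DATABASE_URI` with embedded credentials. Nothing in the workflow or the cfg forces the deployment to override them, so a container run as published would sign sessions with a known key; the deployment must supply `INVENIO_SECRET_KEY` and `INVENIO_SQLALCHEMY_DATABASE_URI` (Invenio's config loader applies `INVENIO_`-prefixed environment variables after invenio.cfg, as far as I recall — worth confirming) and that contract belongs next to the step, e.g. `# invenio.cfg is baked into the published image; SECRET_KEY and the DB URI in it are placeholders that MUST be overridden via INVENIO_* env vars at deploy time`. The bare `run:` step would also read better with a `name:` like its neighbours. The enclosing job definition starts before the hunk.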
@@ -0,0 +1,226 @@ +""" +InvenioRDM settings for Imperial Fair Data Repository project. + +This file was automatically generated by 'invenio-cli init'. + +For the full list of settings and their values, see +https://inveniordm.docs.cern.ch/reference/configuration/. +""" + +import os +from datetime import datetime +from flask_babelex import lazy_gettext as _ + + +def _(x): # needed to avoid start time failure with lazy strings + return x + +# Flask +# ===== +# See https://flask.palletsprojects.com/en/1.1.x/config/ + +# Define the value of the cache control header `max-age` returned by the server when serving +# public files. Files will be cached by the browser for the provided number of seconds. +# See flask documentation for more information: +# https://flask.palletsprojects.com/en/2.1.x/config/#SEND_FILE_MAX_AGE_DEFAULT +SEND_FILE_MAX_AGE_DEFAULT = 300 + +# SECURITY WARNING: keep the secret key used in production secret! +# Do not commit it to a source code repository. +# TODO: Set +SECRET_KEY = "CHANGEME" + +# Since HAProxy and Nginx route all requests no matter the host header +# provided, the allowed hosts variable is set to localhost. In production it +# should be set to the correct host and it is strongly recommended to only +# route correct hosts to the application. +APP_ALLOWED_HOSTS = ["invenio.rcs.ic.ac.uk"] + + +# Flask-SQLAlchemy +# ================ +# See https://flask-sqlalchemy.palletsprojects.com/en/2.x/config/ + +# TODO: Set +SQLALCHEMY_DATABASE_URI="postgresql+psycopg2://ic-data-repo:ic-data-repo@localhost/ic-data-repo" + + +# Invenio-App +# =========== +# See https://invenio-app.readthedocs.io/en/latest/configuration.html + +APP_DEFAULT_SECURE_HEADERS = { + 'content_security_policy': { + 'default-src': [ + "'self'", + 'data:', # for fonts + "'unsafe-inline'", # for inline scripts and styles + "blob:", # for pdf preview + # Add your own policies here (e.g. 
analytics) + ], + }, + 'content_security_policy_report_only': False, + 'content_security_policy_report_uri': None, + 'force_file_save': False, + 'force_https': True, + 'force_https_permanent': False, + 'frame_options': 'sameorigin', + 'frame_options_allow_from': None, + 'session_cookie_http_only': True, + 'session_cookie_secure': True, + 'strict_transport_security': True, + 'strict_transport_security_include_subdomains': True, + 'strict_transport_security_max_age': 31556926, # One year in seconds + 'strict_transport_security_preload': False, +} + + +# Flask-Babel +# =========== +# See https://python-babel.github.io/flask-babel/#configuration + +# Default locale (language) +BABEL_DEFAULT_LOCALE = 'en' +# Default time zone +BABEL_DEFAULT_TIMEZONE = 'Europe/Zurich' + + +# Invenio-I18N +# ============ +# See https://invenio-i18n.readthedocs.io/en/latest/configuration.html + +# Other supported languages (do not include BABEL_DEFAULT_LOCALE in list). +I18N_LANGUAGES = [ + # ('de', _('German')), + # ('tr', _('Turkish')), +] + + +# Invenio-Theme +# ============= +# See https://invenio-theme.readthedocs.io/en/latest/configuration.html + +# Frontpage title +THEME_FRONTPAGE_TITLE = "Imperial Fair Data Repository" +# Header logo +THEME_LOGO = 'images/imperial_logo_white.svg' + + +# Invenio-App-RDM +# =============== +# See https://invenio-app-rdm.readthedocs.io/en/latest/configuration.html + +# Instance's theme entrypoint file. Path relative to the ``assets/`` folder. 
+INSTANCE_THEME_FILE = './less/theme.less' + + +# Invenio-Records-Resources +# ========================= +# See https://github.com/inveniosoftware/invenio-records-resources/blob/master/invenio_records_resources/config.py + +# TODO: Set with your own hostname when deploying to production +SITE_UI_URL = "https://invenio.rcs.ic.ac.uk" + +SITE_API_URL = "https://invenio.rcs.ic.ac.uk/api" + +APP_RDM_DEPOSIT_FORM_DEFAULTS = { + "publication_date": lambda: datetime.now().strftime("%Y-%m-%d"), + "rights": [ + { + "id": "cc-by-4.0", + "title": "Creative Commons Attribution 4.0 International", + "description": ("The Creative Commons Attribution license allows " + "re-distribution and re-use of a licensed work " + "on the condition that the creator is " + "appropriately credited."), + "link": "https://creativecommons.org/licenses/by/4.0/legalcode", + } + ], + "publisher": "Imperial Fair Data Repository", +} + +# See https://github.com/inveniosoftware/invenio-app-rdm/blob/master/invenio_app_rdm/config.py +APP_RDM_DEPOSIT_FORM_AUTOCOMPLETE_NAMES = 'search' # "search_only" or "off" + +# Invenio-RDM-Records +# =================== +# See https://inveniordm.docs.cern.ch/customize/dois/ +DATACITE_ENABLED = False +DATACITE_USERNAME = "" +DATACITE_PASSWORD = "" +DATACITE_PREFIX = "" +DATACITE_TEST_MODE = True +DATACITE_DATACENTER_SYMBOL = "" + +# Authentication - Invenio-Accounts and Invenio-OAuthclient +# ========================================================= +# See: https://inveniordm.docs.cern.ch/customize/authentication/ + +# Invenio-Accounts +# ---------------- +# See https://github.com/inveniosoftware/invenio-accounts/blob/master/invenio_accounts/config.py +ACCOUNTS_LOCAL_LOGIN_ENABLED = True # enable local login +SECURITY_REGISTERABLE = False # local login: allow users to register +SECURITY_RECOVERABLE = False # local login: allow users to reset the password +SECURITY_CHANGEABLE = False # local login: allow users to change psw +SECURITY_CONFIRMABLE = True # local login: 
users can confirm e-mail address +SECURITY_LOGIN_WITHOUT_CONFIRMATION = False # require users to confirm email before being able to login +SECURITY_LOGIN_USER_TEMPLATE = "ic_data_repo/login_user.html" + +# Invenio-OAuthclient +# ------------------- +# See https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/config.py + +OAUTHCLIENT_REMOTE_APPS = {} # configure external login providers + +from invenio_oauthclient.views.client import auto_redirect_login +ACCOUNTS_LOGIN_VIEW_FUNCTION = auto_redirect_login # autoredirect to external login if enabled +OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN = False # autoredirect to external login + +# Invenio-UserProfiles +# -------------------- +USERPROFILES_READ_ONLY = True # allow users to change profile info (name, email, etc...) + +# OAI-PMH +# ======= +# See https://github.com/inveniosoftware/invenio-oaiserver/blob/master/invenio_oaiserver/config.py + +OAISERVER_ID_PREFIX = "invenio.rcs.ic.ac.uk" +"""The prefix that will be applied to the generated OAI-PMH ids.""" + +# Invenio-Search +# -------------- + +SEARCH_INDEX_PREFIX = "ic-data-repo-" + +THEME_SHOW_FRONTPAGE_INTRO_SECTION = False + +from invenio_saml.handlers import acs_handler_factory, default_sls_handler + +SSO_SAML_IDPS = dict( + icl=dict( + sp_cert_file="app_data/certificates/saml.cert", + sp_key_file="app_data/certificates/saml.key", + settings_url="https://login.microsoftonline.com/2b897507-ee8c-4575-830b-4f8267c3d307/federationmetadata/2007-06/federationmetadata.xml", + settings=dict( + strict=True, + debug=False, + idp=dict( + x509cert="", + ), + sp=dict( + NameIDFormat='urn:oasis:names:tc:SAML:2.0:nameid-format:transient', + entityId='api://06ccf553-edc8-4ab1-8958-30088a2eb0b7', + ), + ), + mappings=dict( + email="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", + name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", + surname="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", + 
external_id="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", + ), + acs_handler=acs_handler_factory('icl'), + sls_handler=default_sls_handler, + auto_confirm=True, + ) +)
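Review bot: Two comments in the new cfg contradict the values they annotate: the paragraph above `APP_ALLOWED_HOSTS` still says the list is set to localhost although the value is `["invenio.rcs.ic.ac.uk"]`, and `USERPROFILES_READ_ONLY = True  # allow users to change profile info (name, email, etc...)` describes the opposite of what `True` does. Suggest replacing the former with `# Only requests whose Host header matches one of these names are served; keep it to the public hostname(s) actually routed to the app.` and the latter with `# True: users cannot edit their profile (name, email, ...); presumably identity is owned by the SAML IdP below`. Separately, `default-src` keeps the template's `'unsafe-inline'`, which removes most of the CSP's protection against injected scripts — acceptable as an inherited default, but a comment saying it is inherited and which inline assets need it would stop a later reader from assuming it was a deliberate production choice. Finally, `idp=dict(x509cert="")` together with `strict=True` presumably relies on the signing certificate being taken from the federation metadata at `settings_url`; a one-line comment confirming that would help, since an empty IdP cert would otherwise make assertion signature validation fail rather than silently pass.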