Addresses #148 Add Apache service for running CGI under Docker

Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:bullseye
+FROM debian:bullseye AS crms-base
 
 RUN sed -i 's/main.*/main contrib non-free/' /etc/apt/sources.list
 
@@ -167,3 +167,24 @@ RUN wget -O /usr/local/bin/wait-for https://github.com/eficode/wait-for/releases
 RUN mkdir -p $ROOTDIR
 COPY . $ROOTDIR
 WORKDIR $ROOTDIR
+
+FROM crms-base AS apache
+
+RUN apt-get -y install apache2 libapache2-mod-perl2
+
+RUN a2dissite '*'
+RUN a2disconf other-vhosts-access-log
+RUN a2dismod 'mpm_*'
+RUN a2enmod headers \
+            mpm_prefork \
+            rewrite \
+            proxy \
+            proxy_http \
+            cgi
+
+COPY apache/000-default.conf /etc/apache2/sites-enabled
+STOPSIGNAL SIGWINCH
+
+COPY apache/apache.sh /
+RUN chmod +x /apache.sh
+ENTRYPOINT ["/apache.sh"]

apache/000-default.conf

@@ -0,0 +1,73 @@
+ServerName apache
+ErrorLog /dev/stdout
+CustomLog /dev/stdout combined
+Listen 8080
+
+<VirtualHost *:8080>
+  ServerAdmin hathitrust@localhost
+  DocumentRoot /htapps/babel
+
+  LogLevel debug
+  ErrorLog /dev/stdout
+  CustomLog /dev/stdout combined
+
+  RewriteEngine On
+
+  ## SetEnv/SetEnvIf for environment variables
+  SetEnv SDRROOT /htapps/babel
+  SetEnv SDRDATAROOT /sdr1
+  SetEnv ASSERTION_EMAIL [email protected]
+  SetEnv HT_DEV www-data
+  # SetEnv HT_IGNORE_GEOIP true
+
+  <Directory "/htapps/babel">
+    Options Indexes FollowSymLinks
+    AllowOverride All
+    Require all granted
+  </Directory>
+
+  ### CGI SCRIPTS
+
+  <DirectoryMatch "^/htapps/babel/crms/cgi/">
+    Options +ExecCGI
+    SetHandler cgi-script
+    <FilesMatch "^[^\.]+$">
+      SetHandler cgi-script
+    </FilesMatch>
+    PassEnv CRMS_DB_HOST
+    PassEnv CRMS_DB_HOST_DEVELOPMENT
+    PassEnv CRMS_HT_DB_HOST
+    PassEnv CRMS_REMOTE_USER
+  </DirectoryMatch>
+
+
+  RewriteCond %{DOCUMENT_ROOT}/$1/web/$2 -f
+  RewriteRule ^/([^/]+)/(.*)       /$1/web/$2        [last]
+
+  RewriteCond %{DOCUMENT_ROOT}/$1/web/ -d
+  RewriteRule ^/([^/]+)/?$ /$1/web/ [last]
+
+  RewriteCond   %{DOCUMENT_ROOT}/$2/cgi/$3 -f
+  RewriteRule   ^/(cgi)/([^/]+)/([^/]+)(.*)$  /$2/cgi/$3$4        [skip]
+
+  RewriteCond   %{DOCUMENT_ROOT}/$2/cgi/$2 -f
+  RewriteRule   ^/(cgi)/([^/]+)(.*)$    /$2/cgi/$2$3
+
+  #RewriteCond   %{DOCUMENT_ROOT}/$1/cgi/$3.choke -f
+  #RewriteRule   ^/([^/]+)/(cgi)/([^/]+)(.*)$  /$1/cgi/$3.choke$4      [last]
+
+  # If we matched one of the above CGI rules, but DIDN'T match the choke rule;
+  # we should now match this; this should ensure we don't then fall through to
+  # try the catalog rules.
+  RewriteCond   %{DOCUMENT_ROOT}/$1/cgi/$3 -f
+  RewriteRule   ^/([^/]+)/(cgi)/([^/]+)(.*)$  /$1/cgi/$3$4      [last]
+
+  AliasMatch    ^/favicon.ico$ /htapps/babel/firebird-common/dist/favicon.ico
+
+
+  ### AUTH
+
+  IncludeOptional "auth/active_auth.conf"
+
+
+</VirtualHost>

apache/apache.sh

@@ -0,0 +1,21 @@
+#! /bin/bash
+
+# Apache gets grumpy about PID files pre-existing
+if [ ! -d /tmp/apache2 ]
+then
+  mkdir -p /tmp/apache2/{run,lock,log}
+fi
+
+rm -f /tmp/apache2/apache2*.pid
+
+export APACHE_PID_FILE=/tmp/apache2/run/apache2.pid
+export APACHE_RUN_DIR=/tmp/apache2/run
+export APACHE_LOCK_DIR=/tmp/apache2/lock
+export APACHE_LOG_DIR=/tmp/apache2/log
+
+# Won't be effective if we pass user from docker-compose; that's OK - hence
+# shenanigans above
+export APACHE_RUN_USER=www-data
+export APACHE_RUN_GROUP=www-data
+
+exec apache2 -DFOREGROUND

apache/auth/000_none.conf

@@ -0,0 +1 @@
+# none: no auth headers

apache/auth/emergency_access_affiliate.conf

@@ -0,0 +1,8 @@
+# emergency_access_affiliate: user with institution with ETAS enabled
+SetEnv AUTH_TYPE shibboleth
+SetEnv REMOTE_USER [email protected]
+SetEnv Shib_Identity_Provider https://idp.etas.example/
+SetEnv affiliation [email protected]
+SetEnv displayName "ETAS Testuser"
+SetEnv email [email protected]
+SetEnv eppn [email protected]

apache/auth/enhanced_text_user.conf

@@ -0,0 +1,8 @@
+# enhanced_text_user: user with affiliation [email protected]
+SetEnv AUTH_TYPE shibboleth
+SetEnv REMOTE_USER [email protected]
+SetEnv Shib_Identity_Provider pumex-idp
+SetEnv affiliation [email protected]
+SetEnv displayName "NFB User"
+SetEnv email [email protected]
+SetEnv eppn [email protected]

apache/auth/ht_affiliate_hathitrust_member.conf

@@ -0,0 +1,8 @@
+# ht_affiliate: hathitrust user with eduPersonScopedAffiliation [email protected]
+SetEnv AUTH_TYPE shibboleth
+SetEnv REMOTE_USER [email protected]
+SetEnv Shib_Identity_Provider https://idp.hathitrust.org/entity
+SetEnv affiliation [email protected]
+SetEnv displayName "HathiTrust Testuser"
+SetEnv email [email protected]
+SetEnv eppn [email protected]

apache/auth/ht_affiliate_umich_entitlement.conf

@@ -0,0 +1,9 @@
+# ht_affiliate: umich user with common-lib-terms entitlement & no affiliation
+SetEnv AUTH_TYPE shibboleth
+SetEnv REMOTE_USER https://shibboleth.umich.edu/idp/shibboleth!http://www.hathitrust.org/shibboleth-sp!dW1pY2h0ZXN0dXNlcg==
+SetEnv Shib_Identity_Provider https://shibboleth.umich.edu/idp/shibboleth
+SetEnv displayName "Umich Test-Entitlement"
+SetEnv email [email protected]
+SetEnv entitlement urn:mace:dir:entitlement:common-lib-terms
+SetEnv eppn [email protected]
+SetEnv persistent_id https://shibboleth.umich.edu/idp/shibboleth!http://www.hathitrust.org/shibboleth-sp!dW1pY2h0ZXN0dXNlcg==

apache/auth/ht_affiliate_umich_member.conf

@@ -0,0 +1,10 @@
+# ht_affiliate: umich user with eduPersonScopedAffiliation [email protected]
+SetEnv AUTH_TYPE shibboleth
+SetEnv REMOTE_USER https://shibboleth.umich.edu/idp/shibboleth!http://www.hathitrust.org/shibboleth-sp!dW1pY2h0ZXN0dXNlcg==
+SetEnv umichCosignFactor UMICH.EDU
+SetEnv Shib_Identity_Provider https://shibboleth.umich.edu/idp/shibboleth
+SetEnv affiliation [email protected]
+SetEnv displayName "Umich Testuser"
+SetEnv email [email protected]
+SetEnv eppn [email protected]
+SetEnv persistent_id https://shibboleth.umich.edu/idp/shibboleth!http://www.hathitrust.org/shibboleth-sp!dW1pY2h0ZXN0dXNlcg==

apache/auth/ht_total_user.conf

@@ -0,0 +1,8 @@
+# ht_total_user: REMOTE_USER matches user in ht_users with ht_users.access=total
+SetEnv AUTH_TYPE shibboleth
+SetEnv REMOTE_USER [email protected]
+SetEnv Shib_Identity_Provider https://idp.hathitrust.org/entity
+SetEnv affiliation [email protected]
+SetEnv displayName "HathiTrust Totaluser"
+SetEnv email [email protected]
+SetEnv eppn [email protected]

apache/auth/library_ipaddr_user.conf

@@ -0,0 +1,3 @@
+# library_ipaddr_user: "in-library' user - SDRINST and SDRLIB both non-blank
+SetEnv SDRINST umich
+SetEnv SDRLIB umich

apache/auth/ordinary_user_google.conf

@@ -0,0 +1,7 @@
+# ordinary user: user with Google login
+SetEnv AUTH_TYPE shibboleth
+SetEnv REMOTE_USER [email protected]
+SetEnv Shib_Identity_Provider https://google.cirrusidentity.com/gateway
+SetEnv displayName "Google Testuser"
+SetEnv email [email protected]
+SetEnv eppn [email protected]

apache/auth/ordinary_user_umich_friend.conf

@@ -0,0 +1,9 @@
+# ordinary_user: umich friend account
+SetEnv AUTH_TYPE shibboleth
+SetEnv REMOTE_USER https://shibboleth.umich.edu/idp/shibboleth!http://www.hathitrust.org/shibboleth-sp!dW1pY2hmcmllbmQ=
+SetEnv umichCosignFactor friend
+SetEnv Shib_Identity_Provider https://shibboleth.umich.edu/idp/shibboleth
+SetEnv displayName "Umich Friend"
+SetEnv email [email protected]
+SetEnv eppn [email protected]
+SetEnv persistent_id https://shibboleth.umich.edu/idp/shibboleth!http://www.hathitrust.org/shibboleth-sp!dW1pY2hmcmllbmQ=

apache/auth/ssd_proxy_user.conf

@@ -0,0 +1,8 @@
+# ssd_proxy_user: REMOTE_USER matches user in ht_users with ht_users.role=ssdproxy
+SetEnv AUTH_TYPE shibboleth
+SetEnv REMOTE_USER [email protected]
+SetEnv Shib_Identity_Provider https://idp.hathitrust.org/entity
+SetEnv affiliation [email protected]
+SetEnv displayName "HathiTrust Ssdproxy"
+SetEnv email [email protected]
+SetEnv eppn [email protected]

apache/auth/ssd_user.conf

@@ -0,0 +1,8 @@
+# ssd_user: REMOTE_USER matches user in ht_users with ht_users.role=ssd
+SetEnv AUTH_TYPE shibboleth
+SetEnv REMOTE_USER [email protected]
+SetEnv Shib_Identity_Provider https://idp.hathitrust.org/entity
+SetEnv affiliation [email protected]
+SetEnv displayName "HathiTrust Ssduser"
+SetEnv email [email protected]
+SetEnv eppn [email protected]

cgi/CRMS.pm

@@ -52,15 +52,20 @@ sub new
   $self->ClearErrors();
   $self->set('verbose',  $args{'verbose'});
   # Only need to authorize when running as CGI.
-  if ($ENV{'GATEWAY_INTERFACE'})
-  {
+  if ($ENV{'GATEWAY_INTERFACE'}) {
     $CGI::LIST_CONTEXT_WARN = 0;
     my $cgi = $args{'cgi'};
     print "<strong>Warning: no CGI passed to <code>CRMS->new()</code>\n" unless $cgi;
     $self->set('cgi',      $cgi);
     $self->set('debugSql', $args{'debugSql'});
     $self->set('debugVar', $args{'debugVar'});
-    $self->SetupUser();
+    if ($ENV{CRMS_REMOTE_USER}) {
+      #print STDERR "CRMS_REMOTE_USER\n";
+      $self->set('user', $ENV{CRMS_REMOTE_USER});
+      $self->set('remote_user', $ENV{CRMS_REMOTE_USER});
+    } else {
+      $self->SetupUser();
+    }
   }
   $self->DebugVar('self', $self);
   return $self;
@@ -6091,16 +6096,10 @@ sub GetUserIPs
 
   my $sql = 'SELECT iprestrict,mfa FROM ht_users WHERE userid=? OR email=?'.
             ' ORDER BY IF(role="crms",1,0) DESC';
-  my $sdr_dbh = $self->get('ht_repository');
-  if (!defined $sdr_dbh)
-  {
-    $sdr_dbh = $self->ConnectToSdrDb('ht_repository');
-    $self->set('ht_repository', $sdr_dbh) if defined $sdr_dbh;
-  }
   my ($ipr, $mfa);
   my $t1 = Time::HiRes::time();
   eval {
-    my $ref = $sdr_dbh->selectall_arrayref($sql, undef, $user, $user);
+    my $ref = $self->SelectAllSDR($sql, $user, $user);
     my $t2 = Time::HiRes::time();
     $self->DebugSql($sql, 1000.0*($t2-$t1), $ref, 'ht_repository', $user, $user);
     $ipr = $ref->[0]->[0];
@@ -6173,14 +6172,8 @@ sub IsUserExpired
             ' FROM ht_users WHERE userid=? OR email=?'.
             ' ORDER BY IF(role="crms",1,0) DESC';
   #print "$sql<br/>\n";
-  my $sdr_dbh = $self->get('ht_repository');
-  if (!defined $sdr_dbh)
-  {
-    $sdr_dbh = $self->ConnectToSdrDb('ht_repository');
-    $self->set('ht_repository', $sdr_dbh) if defined $sdr_dbh;
-  }
   eval {
-    my $ref = $sdr_dbh->selectall_arrayref($sql, undef, $user, $user);
+    my $ref = $self->SelectAllSDR($sql, $user, $user);
     $data{'expires'} = $ref->[0]->[0];
     $data{'status'} = $ref->[0]->[1];
     $data{'days'} = $ref->[0]->[2];

docker-compose.yml

@@ -18,6 +18,29 @@ services:
     ports:
       - 3307:3306
 
+  apache:
+    build:
+      context: .
+      target: apache
+    user: ${CURRENT_USER}
+    volumes:
+      - .:/htapps/babel/crms
+      - ./apache/000-default.conf:/etc/apache2/sites-enabled/000-default.conf
+      - ./apache/auth:/etc/apache2/auth
+    environment:
+      SDRROOT: /htapps/babel
+      CRMS_DB_HOST: mariadb
+      CRMS_DB_HOST_DEVELOPMENT: mariadb
+      CRMS_HT_DB_HOST: mariadb_ht
+      CRMS_REMOTE_USER: autocrms
+    depends_on:
+      - mariadb
+      - mariadb_ht
+    ports:
+      - "8080:8080"
+      - "5173:5173"
+      - "8173:8173"
+
   test:
     build: .
     volumes:

docker/db/sql/001_crms_schema.sql

@@ -728,7 +728,7 @@ CREATE TABLE `institutions` (
   `suffix` varchar(31) DEFAULT NULL,
   `report` tinyint(1) NOT NULL DEFAULT '0',
   PRIMARY KEY (`id`)
-) ENGINE=InnoDB AUTO_INCREMENT=105 DEFAULT CHARSET=utf8;
+) ENGINE=InnoDB DEFAULT CHARSET=utf8;
 /*!40101 SET character_set_client = @saved_cs_client */;
 
 --

docker/db/sql/001a_mysqlrep_schema.sql

@@ -0,0 +1,40 @@
+CREATE DATABASE IF NOT EXISTS mysqlrep;
+USE mysqlrep;
+
+/*!40101 SET @OLD_CHARACTER_SET_CLIENT=@@CHARACTER_SET_CLIENT */;
+/*!40101 SET @OLD_CHARACTER_SET_RESULTS=@@CHARACTER_SET_RESULTS */;
+/*!40101 SET @OLD_COLLATION_CONNECTION=@@COLLATION_CONNECTION */;
+/*!40101 SET NAMES utf8 */;
+/*!40103 SET @OLD_TIME_ZONE=@@TIME_ZONE */;
+/*!40103 SET TIME_ZONE='+00:00' */;
+/*!40014 SET @OLD_UNIQUE_CHECKS=@@UNIQUE_CHECKS, UNIQUE_CHECKS=0 */;
+/*!40014 SET @OLD_FOREIGN_KEY_CHECKS=@@FOREIGN_KEY_CHECKS, FOREIGN_KEY_CHECKS=0 */;
+/*!40101 SET @OLD_SQL_MODE=@@SQL_MODE, SQL_MODE='NO_AUTO_VALUE_ON_ZERO' */;
+/*!40111 SET @OLD_SQL_NOTES=@@SQL_NOTES, SQL_NOTES=0 */;
+
+--
+-- Table structure for table `delay`
+--
+
+DROP TABLE IF EXISTS `delay`;
+/*!40101 SET @saved_cs_client     = @@character_set_client */;
+/*!40101 SET character_set_client = utf8 */;
+CREATE TABLE `delay` (
+  `client` varchar(32) NOT NULL,
+  `seconds` int(11) DEFAULT NULL,
+  `time` timestamp /* mariadb-5.3 */ NOT NULL DEFAULT current_timestamp(),
+  PRIMARY KEY (`client`)
+) ENGINE=MyISAM DEFAULT CHARSET=latin1 COLLATE=latin1_swedish_ci;
+/*!40101 SET character_set_client = @saved_cs_client */;
+
+/*!40103 SET TIME_ZONE=@OLD_TIME_ZONE */;
+
+/*!40101 SET SQL_MODE=@OLD_SQL_MODE */;
+/*!40014 SET FOREIGN_KEY_CHECKS=@OLD_FOREIGN_KEY_CHECKS */;
+/*!40014 SET UNIQUE_CHECKS=@OLD_UNIQUE_CHECKS */;
+/*!40101 SET CHARACTER_SET_CLIENT=@OLD_CHARACTER_SET_CLIENT */;
+/*!40101 SET CHARACTER_SET_RESULTS=@OLD_CHARACTER_SET_RESULTS */;
+/*!40101 SET COLLATION_CONNECTION=@OLD_COLLATION_CONNECTION */;
+/*!40111 SET SQL_NOTES=@OLD_SQL_NOTES */;
+
+GRANT ALL PRIVILEGES ON `mysqlrep`.* TO 'crms'@'%' IDENTIFIED BY 'crms';

docker/db/sql/006_crms_institutions.sql

@@ -0,0 +1,7 @@
+use crms;
+
+LOCK TABLES `institutions` WRITE;
+/*!40000 ALTER TABLE `institutions` DISABLE KEYS */;
+INSERT INTO `institutions` VALUES (0,'University of Michigan','UM','umich.edu',0);
+/*!40000 ALTER TABLE `institutions` ENABLE KEYS */;
+UNLOCK TABLES;

docker/db/sql/007_crms_users.sql

@@ -0,0 +1,7 @@
+use crms;
+
+LOCK TABLES `users` WRITE;
+/*!40000 ALTER TABLE `users` DISABLE KEYS */;
+INSERT INTO `users` VALUES ('autocrms',NULL,'Default User',1,1,1,1,NULL,'',1,NULL,NULL);
+/*!40000 ALTER TABLE `users` ENABLE KEYS */;
+UNLOCK TABLES;

docker/db/sql/008_crms_menus.sql

@@ -0,0 +1,11 @@
+USE crms;
+
+LOCK TABLES `menus` WRITE;
+/*!40000 ALTER TABLE `menus` DISABLE KEYS */;
+INSERT INTO `menus` VALUES (0,'Review','minor',NULL,0,NULL),
+  (1,'Search/Browse','major',NULL,1,NULL),
+  (2,'Documentation','total',NULL,2,1),
+  (3,'Stats/Reports','orange',NULL,3,NULL),
+  (4,'Administrative','red',NULL,4,NULL);
+/*!40000 ALTER TABLE `menus` ENABLE KEYS */;
+UNLOCK TABLES;