From 8ad618187b98895f32476e85912148d9d538d67e Mon Sep 17 00:00:00 2001
From: M Kundegorski
Date: Wed, 27 Nov 2024 10:58:10 +0200
Subject: [PATCH] WRC130 Various small changes (#40)
502 problem mitigation, new bucket policy and some variables
---
group_vars/all/all.yml | 3 +-
roles/ckan/templates/ckan/ckan-uwsgi.ini | 2 +-
roles/ckan/templates/ckan/ckan_production.ini | 8 +++--
roles/ckan/templates/ckan/ckan_who.ini | 9 +++--
.../templates/giftless_s3_policy.json | 34 ++++++++-----------
5 files changed, 28 insertions(+), 28 deletions(-)
diff --git a/group_vars/all/all.yml b/group_vars/all/all.yml
index 389a436..3e0a726 100644
--- a/group_vars/all/all.yml
+++ b/group_vars/all/all.yml
@@ -142,4 +142,5 @@ who_authenticators: |-
 ckan.lib.authenticator:UsernamePasswordAuthenticator
 storage_class_name: "efs-client"
-ckan_login_form_url: "/user/login"
+ckan_login_form_view: "user.login"
+ckan_cache_expires: "0"
diff --git a/roles/ckan/templates/ckan/ckan-uwsgi.ini b/roles/ckan/templates/ckan/ckan-uwsgi.ini
index 09a4c43..4dbd09b 100644
--- a/roles/ckan/templates/ckan/ckan-uwsgi.ini
+++ b/roles/ckan/templates/ckan/ckan-uwsgi.ini
@@ -1,6 +1,6 @@
 [uwsgi]
-http = :5000
+http11-socket = :5000
 http-keepalive = 1
 http-auto-chunked = true
 add-header = Connection: Keep-Alive
diff --git a/roles/ckan/templates/ckan/ckan_production.ini b/roles/ckan/templates/ckan/ckan_production.ini
index 0145311..1450b30 100644
--- a/roles/ckan/templates/ckan/ckan_production.ini
+++ b/roles/ckan/templates/ckan/ckan_production.ini
@@ -42,7 +42,7 @@ beaker.session.secret = {{ ckan_beaker_secret }}
 ## https://github.com/ckan/ckan/issues/8547
 ## SESSION_TYPE = redis
 ## SESSION_COOKIE_NAME = ckan
-## SESSION_PERMANENT = true
+## SESSION_PERMANENT = true
 ## PERMANENT_SESSION_LIFETIME = 86400
 # The secret token that is used for session management and other security related tasks as well
 SECRET_KEY = {{ ckan_secret_key }}
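Review bot: `http11-socket = :5000` has the workers speak HTTP/1.1 themselves and, as far as I know, no longer starts the uwsgi http router that `http = :5000` did, so the two router options kept right below it (`http-keepalive = 1`, `http-auto-chunked = true`) most likely no longer have any effect; confirm against the option list of the deployed uwsgi build and drop them if so. Nothing in the file records why the socket type changed, and only the commit subject hints at 502s, so a one-line comment above the directive would save the next reader a blame: `# http11-socket: workers handle HTTP/1.1 keep-alive directly (no http router); replaced http= to mitigate 502s, see #40`. Because uwsgi now answers HTTP itself, this also assumes :5000 is reachable only through the in-cluster Service/ingress that fronts it — worth confirming in the manifests rather than here.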
@@ -91,6 +91,7 @@ ckan.auth.public_user_details = true
 ckan.auth.public_activity_stream_detail = true
 ckan.auth.allow_dataset_collaborators = {{ ckan_collaborators }}
 ckan.auth.create_default_api_keys = false
+ckan.auth.login_view = {{ ckan_login_form_view }}
 ## API Token Settings
 api_token.nbytes = 60
@@ -122,6 +123,9 @@ solr_timeout = 60
 # cors.origin_whitelist is a space separated list of allowed domains.
 # ckan.cors.origin_whitelist = http://example1.com http://example2.com
+## Cache settings that are set by CKAN core
+
+ckan.cache_expires = {{ ckan_cache_expires }}
 ## Plugins Settings
@@ -224,7 +228,7 @@ ckan.hide_activity_from_users = {{ ckan_hide_activity_from_users }}
 ## Email settings
 # email_to = {{ ckan_error_email_to }}
-# error_email_from = {{ ckan_error_email_from }}
+# error_email_from = {{ ckan_error_email_from }}
 smtp.server = {{ ckan_smtp_server }}
 smtp.starttls = {{ ckan_smtp_starttls }}
 smtp.mail_from = {{ ckan_smtp_mail_from }}
diff --git a/roles/ckan/templates/ckan/ckan_who.ini b/roles/ckan/templates/ckan/ckan_who.ini
index 41b0149..2a8ea78 100644
--- a/roles/ckan/templates/ckan/ckan_who.ini
+++ b/roles/ckan/templates/ckan/ckan_who.ini
@@ -4,12 +4,11 @@ use = ckan.lib.repoze_plugins.auth_tkt:make_plugin
 #secret = somesecret
 [plugin:friendlyform]
 use = ckan.lib.repoze_plugins.friendly_form:FriendlyFormPlugin
-login_form_url={{ ckan_login_form_url }}
-login_handler_path = /login_generic
-logout_handler_path = /user/logout
+login_handler_path = /login_generic #possibly deprecated in 2.10/2.11
+logout_handler_path = /user/logout #possibly deprecated in 2.10/2.11
 rememberer_name = auth_tkt
-post_login_url = /user/logged_in
-post_logout_url = /user/logged_out
+post_login_url = /user/logged_in #possibly deprecated in 2.10/2.11
+post_logout_url = /user/logged_out #possibly deprecated in 2.10/2.11
 charset = utf-8
 [general]
 request_classifier = repoze.who.classifiers:default_request_classifier
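Review bot: `ckan.cache_expires = {{ ckan_cache_expires }}` is rendered from a variable set to `"0"` in group_vars, which, if I read the CKAN config reference correctly, is also the option's default, so the new line pins current behaviour rather than changing it; the heading above it (`## Cache settings that are set by CKAN core`) names the section but not why 0 was chosen. Suggest extending it, e.g. `## ckan.cache_expires is the Cache-Control max-age CKAN puts on cacheable responses; pinned to 0 so no stale page is ever served from an intermediate cache — see #40` (that it applies to anonymous responses only is from memory of CKAN's caching code — verify against the deployed version before writing it down). If the value is part of the 502 mitigation in the subject, say so, otherwise a later reader may raise it to speed up anonymous page loads without knowing what it was guarding.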
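Review bot: The trailing `#possibly deprecated in 2.10/2.11` text on the four rewritten keys becomes part of each value if this file is still parsed by repoze.who's ConfigParser-based loader, because Python's configparser does not strip inline comments unless `inline_comment_prefixes` is configured, so `login_handler_path` would read `/login_generic #possibly deprecated in 2.10/2.11` instead of `/login_generic`. Move each remark onto its own line above the key, e.g. `# possibly deprecated in 2.10/2.11` followed by `login_handler_path = /login_generic`, and likewise for the other three keys. Dropping `login_form_url` also deserves a second look: in the CKAN 2.9 `friendly_form` plugin the constructor takes it as a required argument, so if the deployed CKAN still instantiates `[plugin:friendlyform]` the removal may fail at startup rather than be ignored — confirm against the version in use, since the remark itself suggests the whole section may be dead in 2.10/2.11.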
diff --git a/roles/setup-eks/templates/giftless_s3_policy.json b/roles/setup-eks/templates/giftless_s3_policy.json
index 7226edb..e844402 100644
--- a/roles/setup-eks/templates/giftless_s3_policy.json
+++ b/roles/setup-eks/templates/giftless_s3_policy.json
@@ -1,22 +1,18 @@
 {
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": "*",
- "Action": "s3:*",
- "Resource": [
- "arn:aws:s3:::{{ giftless_s3_bucket }}",
- "arn:aws:s3:::{{ giftless_s3_bucket }}/*"
- ],
- "Condition": {
- "StringNotLike": {
- "aws:userId": [
- "{{ sso_admin_role_arn[0] }}*",
- "{{ eks_worker_role_arn }}"
- ]
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "AWS": [
+ "{{ eks_worker_role_arn }}"
+ ]
+ },
+ "Action": "s3:*",
+ "Resource": [
+ "arn:aws:s3:::{{ giftless_s3_bucket }}",
+ "arn:aws:s3:::{{ giftless_s3_bucket }}/*"
+ ]
 }
- }
- }
- ]
+ ]
 }
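Review bot: The new statement grants `"Action": "s3:*"` on the bucket and its objects to `{{ eks_worker_role_arn }}`, which includes bucket-management actions (changing the bucket policy, ACLs or lifecycle rules, deleting the bucket) that a Git LFS backend like giftless has no reason to perform; narrowing it to what the service uses, e.g. `"Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject"]` (plus `s3:AbortMultipartUpload` and `s3:ListMultipartUploadParts` if large uploads go multipart), means a compromised pod cannot rewrite this policy itself. If `eks_worker_role_arn` is the node instance role rather than a pod-specific IRSA role — the name suggests the former — every pod scheduled on those nodes inherits this access, so a dedicated service-account role for giftless would be the better principal. The old `StringNotLike aws:userId` condition that referenced `sso_admin_role_arn` is gone, so administrator access to the bucket now rests on identity-based policies alone; fine if intended, but it belongs in the PR description.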