Fix longitude window in process forms.

CHANGES.rst

@@ -1,6 +1,8 @@
 Changes
 *******
 
+* Use released owslib=0.21
+
 0.11.0 (2020-02-04)
 ===================
 

Makefile

@@ -64,7 +64,7 @@ init: custom.cfg downloads
 
 bootstrap-buildout.py:
 	@echo "Update buildout bootstrap-buildout.py ..."
-	@test -f boostrap-buildout.py || curl https://bootstrap.pypa.io/bootstrap-buildout.py --insecure --silent --output bootstrap-buildout.py
+	@test -f bootstrap-buildout.py || curl https://bootstrap.pypa.io/bootstrap-buildout.py --insecure --silent --output bootstrap-buildout.py
 
 ## Build targets
 

buildout.cfg

@@ -29,7 +29,7 @@ versions = versions
 birdhousebuilder.recipe.celery = 0.2.0
 birdhousebuilder.recipe.conda = 0.4.0
 birdhousebuilder.recipe.mongodb = 0.4.0
-birdhousebuilder.recipe.nginx = 0.4.0
+birdhousebuilder.recipe.nginx = 0.4.2
 birdhousebuilder.recipe.supervisor = 0.4.0
 collective.recipe.template = 2.1
 zc.recipe.deployment = 1.3.0
@@ -38,15 +38,19 @@ zc.recipe.egg = 2.0.7
 [settings]
 prefix =  ${environment:HOME}/birdhouse
 user = ${environment:USER}
+group = 
 etc-user = ${:user}
 hostname = localhost
 http-port = 8081
 https-port = 8443
+ssl-client-certificate = cert.pem
+ssl-certificate-key = cert.pem
 project = Phoenix
 version = 0.10.dev
 phoenix-debug = false
 phoenix-secret = f4e044d933767d6d0e022d1020508db3
 phoenix-password = qwerty
+local-user-management = true
 log-level = WARNING
 mongodb-host = localhost
 mongodb-port = 27027
@@ -73,6 +77,8 @@ keycloak-client-secret =
 twitcher-url = http://localhost:8000
 twitcher-client-id =
 twitcher-client-secret =
+file-upload-storage-dir = /tmp
+file-upload-max-size-mb = 250
 
 [deployment]
 recipe = zc.recipe.deployment
@@ -151,12 +157,16 @@ user = ${deployment:user}
 etc-user = ${deployment:etc-user}
 input = ${buildout:directory}/templates/nginx.conf
 socket = ${phoenix_config:socket}
-hostname =  ${settings:hostname}
+hostname = ${settings:hostname}
 http-port = ${settings:http-port}
 https-port = ${settings:https-port}
 client_max_body_size = ${phoenix_config:max_file_size}m
 storage_path = ${phoenix_config:storage_path}
+group = ${settings:group}
 twitcher_url = ${settings:twitcher-url}
+ssl-client-certificate = ${settings:ssl-client-certificate}
+ssl-certificate-key = ${settings:ssl-certificate-key}
+ssl-trusted-certificate = ${settings:ssl-trusted-certificate}
 
 [celery]
 recipe = birdhousebuilder.recipe.celery

environment.yml

@@ -28,30 +28,14 @@ dependencies:
   - pyyaml
   - pygments
   - pytz
-  - owslib=0.19
+  - owslib>=0.21.0
   - transaction
   - genshi=0.7
   - pyjwt
 # celery
   - celery=3.1
   - kombu=3.0
 # mongodb
-  - pymongo=3
+  - pymongo>=3.3.0
   - mongodb>=3.4
-  - pip:
-      - pyramid
-      - pyramid-beaker
-      - Beaker
-      - pyramid-deform
-      - deform
-      - pyramid-chameleon
-      - pyramid-mako
-      - pyramid-layout
-      - pyramid-celery==3.0.0
-      - pyramid-storage
-      - pyramid-rpc
-      - colander
-      - Authomatic==0.1.0.post1
-      - python-openid2==3.0
-      - WebHelpers2
-      - WebHelpers2_grid
+

phoenix/__init__.py

@@ -1,5 +1,10 @@
 __version__ = '0.11.0'
 
+import os, ssl
+if (not os.environ.get('PYTHONHTTPSVERIFY', '') and
+    getattr(ssl, '_create_unverified_context', None)):
+    ssl._create_default_https_context = ssl._create_unverified_context
+
 
 def main(global_config, **settings):
     """

phoenix/account/__init__.py

@@ -4,6 +4,7 @@
 
 def includeme(config):
     config.add_route('sign_in', '/account/login')
+    config.add_route('sign_in_admin', '/admin')
     config.add_route('account_logout', '/account/logout')
     config.add_route('account_auth', '/account/auth/{provider}')
     config.add_route('account_register', '/account/register')

phoenix/account/base.py

@@ -88,7 +88,7 @@ def login_success(self, login_id, provider=None, token=None):
         user['provider'] = provider
         user['last_login'] = datetime.now()
         self.collection.update({'login_id': login_id}, user)
-        self.session.flash("Hello <strong>{0}</strong>. Welcome to Phoenix.".format(escape(login_id)), queue='info')
+        self.session.flash("Hello <strong>{0}</strong>. Welcome to CEDA WPS.".format(escape(login_id)), queue='info')
         if provider != 'keycloak':
             # generate_access_token(self.request.registry, userid=user['identifier'])
             pass

phoenix/account/local.py

@@ -11,13 +11,21 @@
 class LocalSchema(deform.schema.CSRFSchema):
     password = colander.SchemaNode(
         colander.String(),
-        title='Admin password',
-        description='If you have not configured your password yet then it is likely to be "qwerty"',
+        title='password',
         validator=colander.Length(min=6),
         widget=deform.widget.PasswordWidget())
 
 
 class LocalAccount(Account):
+    def schema(self):
+        return deform.schema.CSRFSchema()
+
+    @view_config(route_name='sign_in', renderer='phoenix:account/templates/account/sign_in.pt')
+    def sign_in(self):
+        return self.login()
+
+
+class AdminAccount(Account):
 
     def schema(self):
         return LocalSchema().bind(request=self.request)
@@ -28,6 +36,6 @@ def _handle_appstruct(self, appstruct):
             return self.login_success(login_id="admin", provider='local')
         return self.login_failure()
 
-    @view_config(route_name='sign_in', renderer='phoenix:account/templates/account/sign_in.pt')
+    @view_config(route_name='sign_in_admin', renderer='phoenix:account/templates/account/sign_in_admin.pt')
     def sign_in(self):
         return self.login()

phoenix/account/templates/account/sign_in.pt

@@ -27,10 +27,6 @@
                    class="btn btn-warning btn-lg"><icon class="fa fa-globe"></icon> Sign in with CEDA</a>
                 <br/><br/>
               </div>
-              <span class="text-muted">OR</span>
-              <br/><br/>
-              <tal:form replace="structure form">The form will render here</tal:form>
-              <!-- a href="${request.route_path('account_register')}" class="btn btn-link">Register for an account</a -->
             </div>
           </div><!-- panel -->
         </div>

phoenix/account/templates/account/sign_in_admin.pt

@@ -0,0 +1,23 @@
+<metal:block use-macro="main_template">
+  <div metal:fill-slot="javascript">
+    <script src="${request.static_path('phoenix:static/phoenix/js/authomatic.js')}"></script>
+  </div>
+
+  <div metal:fill-slot="content">
+    <div class="container">
+      <br/>
+      <div class="row">
+        <div class="col-md-4 col-md-offset-4">
+          <div class="panel panel-success text-center">
+            <div class="panel-body">
+              <h2>Sign In</h2>
+              <tal:form replace="structure form">The form will render here</tal:form>
+              <!-- a href="${request.route_path('account_register')}" class="btn btn-link">Register for an account</a -->
+            </div>
+          </div><!-- panel -->
+        </div>
+      </div><!-- row -->
+    </div><!-- container -->
+  </div>
+
+</metal:block>

phoenix/catalog.py

@@ -1,4 +1,5 @@
 from mako.template import Template
+import re
 import uuid
 from os.path import join, dirname
 from collections import namedtuple
@@ -87,7 +88,21 @@ def __init__(self, collection):
         self.collection = collection
 
     def get_record_by_id(self, identifier):
-        return doc2record(self.collection.find_one({'identifier': identifier}))
+        """
+        Gets database record by identifier or title.
+
+        If the identifier does not match, then a case-insensitive
+        match is made on the title (replacing "_" with " "). This
+        enables _deterministic_ URLs in which the WPS can be identified
+        by a meaningful string as well as the standard long identifier.
+        """
+        doc = self.collection.find_one({'identifier': identifier})
+
+        if not doc:
+            title_regex = re.compile('^' + re.escape(identifier.replace('_', ' ')) + '$', re.IGNORECASE)
+            doc = self.collection.find_one({'title': title_regex}) 
+
+        return doc2record(doc)
 
     def delete_record(self, identifier):
         self.collection.delete_one({'identifier': identifier})

phoenix/ceda_security.py

@@ -0,0 +1,83 @@
+import json
+
+from sqlalchemy import create_engine
+
+import logging
+LOGGER = logging.getLogger("PHOENIX")
+
+
+CEDA_ROLE_MAP_CONFIG = "/usr/local/birdhouse/etc/phoenix/ceda_process_role_map.json"
+
+
+def check_ceda_permissions(request, user, processid):
+    """
+    Check if the user has permission to access the process.
+    Return a boolean:
+     - True:  allow access
+     - False: deny access
+    """
+    role_mappings = _get_process_role_mappings()
+    restricted_procs = role_mappings["restricted_by_role"]
+
+    if processid in role_mappings.get("open", []):
+        # If open, everyone can access
+        return True
+
+    if user is None or user.get("login_id") in role_mappings["suspended_users"]:
+        # the user is not logged or is suspended so we return False
+        return False
+
+    if processid in role_mappings.get("restricted_to_ceda_users", []):
+        # the process is available to all CEDA users
+        return True
+
+    if user.get("login_id") in role_mappings["restricted_by_user_id"].get(processid, []):
+        # the process is available to this specific user
+        return True
+
+    users_roles = _get_user_roles(request, user.get("login_id"))
+
+    for role in users_roles:
+        if role in restricted_procs.get(processid, []):
+            return True
+
+    return False
+
+
+def _get_process_role_mappings():
+    """
+    Load the role mappings from the config file.
+    """
+    try:
+        with open(CEDA_ROLE_MAP_CONFIG) as reader:
+           return json.load(reader)
+    except Exception:
+        # If cannot read it, set defaults
+        return {"restricted_by_role": {}, "restricted_to_ceda_users": [], 
+                "open": [], "suspended_users": [], "restricted_by_user_id": {}}
+
+
+def _get_user_roles(request, user_id):
+    """
+    Call out to the DB to get the users rolls.
+    """
+    connection_credentials = request.registry.settings.get("ceda.db.creds")
+    engine = create_engine(connection_credentials)
+
+    with engine.connect() as conn:
+        query = request.registry.settings.get("ceda.db.query")
+        query = query.replace("{user_id}", user_id)
+        roles = set(_get_response(conn, query))
+        roles = sorted(
+            [r for r in roles if not r.startswith("gws_") and not r.startswith("vm_")]
+        )
+
+    return roles
+
+
+def _get_response(conn, query, get_one=False):
+    rs = conn.execute(query)
+    results = [item[0] for item in rs]
+    if get_one:
+        results = results[0]
+    return results