v2.0.0

CHANGELOG.md

@@ -6,6 +6,32 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 For releases `< 1.0.0` minor version steps may indicate breaking changes too.
 
+## [2.0.0] - 2023-10-19
+
+### Breaking
+
+- Added [ckanext-password-policy](https://github.com/keitaroinc/ckanext-password-policy/tree/montreal).
+  This may break existing installations. The default password policy settings are:
+
+  - `ckanext.password_policy.password_length=12`
+  - `ckanext.password_policy.failed_logins=3`
+  - `ckanext.password_policy.user_locked_time=600`
+
+### Added
+
+- Changed default basemap in map views, see ckan/ckanext-spatial#317
+- Added new resource preview - [webpage view](webpage_view)
+
+### Security
+
+This release contains several security relevant changes and fixes.
+The issues are discussed in #40.
+
+- Updated dependencies in [ckanext-datesearch](https://github.com/tum-gis/ckanext-datesearch), tum-gis/ckanext-datesearch#1
+- Several fixes in [ckanext-grouphierarchy-sddi](https://github.com/tum-gis/ckanext-grouphierarchy-sddi)
+- Limit emails sent for the "Forgot your password?" function
+- Added Cross-Site-Scripting protection
+
 ## [1.2.0] - 2023-08-21
 
 ### Added
@@ -104,7 +130,7 @@ for production environments.**
 - Added `CKAN_INI` env var for CKAN config.ini file path for better compatibility with
   official CKAN images
 - Set timezone using `TZ` env var
-- Allow setting runtime base image with ` BASEIMAGE_REPOSITORY` build arg
+- Allow setting runtime base image with `BASEIMAGE_REPOSITORY` build arg
 
 ### Changed
 
@@ -186,7 +212,8 @@ for production environments.**
 
 ### Known issues
 
-[Unreleased]: https://github.com/tum-gis/ckan-docker/compare/1.2.0...HEAD
+[Unreleased]: https://github.com/tum-gis/ckan-docker/compare/2.0.0...HEAD
+[2.0.0]: https://github.com/tum-gis/ckan-docker/compare/1.2.0...2.0.0
 [1.2.0]: https://github.com/tum-gis/ckan-docker/compare/1.1.3...1.2.0
 [1.1.3]: https://github.com/tum-gis/ckan-docker/compare/1.1.2...1.1.3
 [1.1.2]: https://github.com/tum-gis/ckan-docker/compare/1.1.1...1.1.2

README.md

@@ -179,18 +179,19 @@ are alway pinned to a stable release number or commit hash.
 
 | Extension | Version | `sddi-base` | `sddi` | `sddi-social` | Description |
 |---|---|:---:|:---:|:---:|---|
-| [`scheming`](https://github.com/MarijaKnezevic/ckanext-scheming) | `5c30bba` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Configure and share CKAN dataset metadata forms. |
+| [`scheming`](https://github.com/MarijaKnezevic/ckanext-scheming) | `8548240` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Configure and share CKAN dataset metadata forms. |
 | [`hierarchy`](https://github.com/ckan/ckanext-hierarchy) | `v1.2.0` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Allows to organize organizations and groups in a hierarchy tree (nested groups/orgs). |
-| [`grouphierarchysddi`](https://github.com/tum-gis/ckanext-grouphierarchy-sddi) |  `1.1.2` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Extends `hierarchy` with pre-defined groups and topics of the SDDI concept. |
-| [`relation`](https://github.com/tum-gis/ckanext-relation-sddi) | `1.0.2` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Enables to create and visualize different types of relations (*realated_to*, *depends_on*, *part_of*) between catalog entries. |
-| [`spatial`](https://github.com/MarijaKnezevic/ckanext-spatial) | `90ba354` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Provides the ability to search for datasets according to a given spatial extent. |
-| [`datesearch`](https://github.com/MarijaKnezevic/ckanext-datesearch) | `1.0.1` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Provides the ability to search for datasets according to a given time frame. The search includes all datasets, in which the time of validity overlaps in at least one second with the search time frame. |
+| [`grouphierarchysddi`](https://github.com/tum-gis/ckanext-grouphierarchy-sddi) |  `1.1.3` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Extends `hierarchy` with pre-defined groups and topics of the SDDI concept. |
+| [`relation`](https://github.com/tum-gis/ckanext-relation-sddi) | `1.0.3` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Enables to create and visualize different types of relations (*realated_to*, *depends_on*, *part_of*) between catalog entries. |
+| [`spatial`](https://github.com/MarijaKnezevic/ckanext-spatial) | `c2118b9` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Provides the ability to search for datasets according to a given spatial extent. |
+| [`datesearch`](https://github.com/MarijaKnezevic/ckanext-datesearch) | `1.0.2` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | Provides the ability to search for datasets according to a given time frame. The search includes all datasets, in which the time of validity overlaps in at least one second with the search time frame. |
 | [`repeating`](https://github.com/MarijaKnezevic/ckanext-repeating) | `1.0.0` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | This extension provides a way to store repeating fields in CKAN datasets, resources, organizations and groups. |
 | [`composite`](https://github.com/EnviDat/ckanext-composite) | `1e6d7bb` | :heavy_check_mark: | :heavy_check_mark: | :heavy_check_mark: | The extension allows to store structured dataset metadata, single or multiple fields. Only one level of subfields is possible. The subfields can be basic text, date type or dropboxes. |
 | [`restricted`](https://github.com/MarijaKnezevic/ckanext-restricted) | `1.0.0` |  | :heavy_check_mark: | :heavy_check_mark: | CKAN extension to restrict the accessibility to the resources of a dataset. This way the package metadata is accesible but not the data itself (resource). The resource access restriction level can be individualy defined for every package. |
 | [`dcat`](https://github.com/ckan/ckanext-dcat) | `v1.4.0` |  | :heavy_check_mark: | :heavy_check_mark: | Allow CKAN to expose and consume metadata from other catalogs using RDF documents serialized using DCAT. |
 | [`geoview`](https://github.com/ckan/ckanext-geoview) | `v0.0.20` |  | :heavy_check_mark: | :heavy_check_mark: | This extension contains view plugins to display geospatial files and services in CKAN. |
 | [`disqus`](https://github.com/ckan/ckanext-disqus) |  |  |  | :heavy_check_mark: | The Disqus extension allows site visitors to comment on individual packages using an AJAX-based commenting system. The downsides of this plugin are that comments are not stored locally and user information is not shared between CKAN and the commenting system. |
+| [`password_policy`](https://github.com/keitaroinc/ckanext-password-policy") | `master`|:heavy_check_mark:  |:heavy_check_mark:| :heavy_check_mark: | CKAN extension that adds password policy for all the users. |
 
 ## :rocket: Usage
 

sddi-base/Dockerfile

@@ -24,7 +24,7 @@ RUN set -ex && \
   ls -lah /wheels
 
 # ckanext-grouphierarchy ######################################################
-ARG CKANEXT_SDDI_VERSION="1.1.2"
+ARG CKANEXT_SDDI_VERSION="1.1.3"
 ENV CKANEXT_SDDI_VERSION=${CKANEXT_SDDI_VERSION}
 
 RUN set -ex && \
@@ -37,7 +37,7 @@ RUN set -ex && \
   ls -lah /wheels
 
 # ckanext-relation ############################################################
-ARG CKANEXT_RELATION_VERSION="1.0.2"
+ARG CKANEXT_RELATION_VERSION="1.0.3"
 ENV CKANEXT_RELATION_VERSION=${CKANEXT_RELATION_VERSION}
 
 RUN set -ex && \
@@ -50,7 +50,7 @@ RUN set -ex && \
   ls -lah /wheels
 
 # ckanext-scheming ############################################################
-ARG CKANEXT_SCHEMING_VERSION="5c30bba"
+ARG CKANEXT_SCHEMING_VERSION="8548240"
 ENV CKANEXT_SCHEMING_VERSION=${CKANEXT_SCHEMING_VERSION}
 ENV CKANEXT_SCHEMING_GITHUB_URL="https://github.com/MarijaKnezevic/ckanext-scheming"
 
@@ -59,7 +59,7 @@ RUN set -ex && \
     git+${CKANEXT_SCHEMING_GITHUB_URL}.git@${CKANEXT_SCHEMING_VERSION}#egg=ckanext-scheming
 
 # ckanext datesearch ##########################################################
-ARG CKANEXT_DATESEARCH_VERSION="1.0.1"
+ARG CKANEXT_DATESEARCH_VERSION="1.0.2"
 ENV CKANEXT_DATESEARCH_VERSION=${CKANEXT_DATESEARCH_VERSION}
 ENV CKANEXT_DATESEARCH_VERSION_GITHUB_URL="https://github.com/MarijaKnezevic/ckanext-datesearch"
 
@@ -87,10 +87,23 @@ RUN set -ex && \
   pip wheel --wheel-dir=/wheels \
     git+${CKANEXT_REPEATING_GITHUB_URL}.git@${CKANEXT_REPEATING_VERSION}#egg=ckanext-repeating
 
+# ckanext-password-policy #####################################################
+ARG CKANEXT_PASSWORD_POLICY_VERSION="5618dc9"
+ENV CKANEXT_PASSWORD_POLICY_VERSION=${CKANEXT_PASSWORD_POLICY_VERSION}
+ENV CKANEXT_PASSWORD_POLICY_GITHUB_URL="https://github.com/keitaroinc/ckanext-password-policy"
+
+RUN set -ex && \
+  pip install -r \
+    https://raw.githubusercontent.com/keitaroinc/ckanext-password-policy/${CKANEXT_PASSWORD_POLICY_VERSION}/requirements.txt && \
+  curl -o /wheels/ckanext-password-policy.txt \
+    https://raw.githubusercontent.com/keitaroinc/ckanext-password-policy/${CKANEXT_PASSWORD_POLICY_VERSION}/requirements.txt && \
+  pip wheel --wheel-dir=/wheels \
+    git+${CKANEXT_PASSWORD_POLICY_GITHUB_URL}.git@${CKANEXT_PASSWORD_POLICY_VERSION}#egg=ckanext-password-policy
+
 # ckanext-spatial #############################################################
 FROM ghcr.io/keitaroinc/ckan:${CKAN_VERSION_BUILD_SPATIAL} as extbuild-spatial
 
-ARG CKANEXT_SPATIAL_VERSION="90ba354"
+ARG CKANEXT_SPATIAL_VERSION="c2118b9"
 ENV CKANEXT_SPATIAL_VERSION=${CKANEXT_SPATIAL_VERSION}
 
 USER root
@@ -121,9 +134,10 @@ RUN set -ex && \
 ###############################################################################
 FROM ghcr.io/keitaroinc/ckan:${CKAN_VERSION_RUNTIME_STAGE} as runtime
 
-ENV CKAN__PLUGINS "image_view text_view recline_view datastore datapusher \
+ENV CKAN__PLUGINS "image_view text_view recline_view webpage_view datastore datapusher \
   hierarchy_display hierarchy_form display_group relation \
   spatial_metadata spatial_query datesearch repeating composite scheming_datasets \
+  password_policy \
   envvars"
 
 # Extra env for compatibility with ckan/base Docker images for downstream k8s
@@ -182,8 +196,14 @@ RUN set -ex && \
 RUN set -ex && \
   pip install --no-index --find-links=${APP_DIR}/ext_wheels ckanext-repeating
 
+# ckanext-password-policy #####################################################
+RUN set -ex && \
+  pip install -r ${APP_DIR}/ext_wheels/ckanext-password-policy.txt && \
+  pip install --no-index --find-links=${APP_DIR}/ext_wheels ckanext-password-policy
+
 # Copy init scripts and additional files
 COPY --chown=ckan:ckan initScripts/ ${APP_DIR}/docker-afterinit.d
+COPY --chown=ckan:ckan who.ini ${APP_DIR}/who.ini
 
 RUN set -ex && \
   ckan config-tool "${CKAN_INI}" "ckan.plugins = ${CKAN__PLUGINS}" && \
@@ -193,6 +213,12 @@ RUN set -ex && \
   ckan config-tool "${CKAN_INI}" "scheming.presets = ckanext.scheming:presets.json ckanext.repeating:presets.json ckanext.composite:presets.json" && \
   ckan config-tool "${CKAN_INI}" "scheming.dataset_fallback = false" && \
   ckan config-tool "${CKAN_INI}" "licenses_group_url = https://raw.githubusercontent.com/tum-gis/ckanext-grouphierarchy-sddi/main/ckanext/grouphierarchy/licenses_SDDI.json" && \
+  ckan config-tool "${CKAN_INI}" "ckanext.password_policy.password_length = 12" && \
+  ckan config-tool "${CKAN_INI}" "ckanext.password_policy.failed_logins = 3" && \
+  ckan config-tool "${CKAN_INI}" "ckanext.password_policy.user_locked_time = 600" && \
+  ckan config-tool "${CKAN_INI}" "ckanext.spatial.common_map.type = custom" && \
+  ckan config-tool "${CKAN_INI}" "ckanext.spatial.common_map.custom.url = https://b.tiles.mapbox.com/styles/v1/mapbox/satellite-streets-v11/tiles/{z}/{x}/{y}?access_token=pk.eyJ1Ijoid2RlaWdlbGUiLCJhIjoiY2tiNWxhNmRxMHF0cTJ0bzI4Zjhua2JmZSJ9.UMGtDXPfs2z2Smc1N0p9Qw" && \
+  ckan config-tool "${CKAN_INI}" "ckanext.spatial.common_map.attribution = Tiles by <a href="http://mapbox.com">MapBox</a>" && \
   echo "${TZ}" > /etc/timezone && \
   mkdir -p ${CKAN_STORAGE_PATH} && \
   chown -R ckan:ckan ${APP_DIR} ${CKAN_STORAGE_PATH} && \

sddi-base/who.ini

@@ -0,0 +1,35 @@
+[plugin:auth_tkt]
+use = ckan.lib.repoze_plugins.auth_tkt:make_plugin
+# If no secret key is defined here, beaker.session.secret will be used
+#secret = somesecret
+
+# [plugin:friendlyform]
+# use = ckan.lib.repoze_plugins.friendly_form:FriendlyFormPlugin
+
+[plugin:friendlyform]
+use = ckanext.password_policy.views:FriendlyFormPlugin_
+login_form_url= /user/login
+login_handler_path = /login_generic
+logout_handler_path = /user/logout
+rememberer_name = auth_tkt
+post_login_url = /user/logged_in
+post_logout_url = /user/logged_out
+charset = utf-8
+
+[general]
+request_classifier = repoze.who.classifiers:default_request_classifier
+challenge_decider = repoze.who.classifiers:default_challenge_decider
+
+[identifiers]
+plugins =
+    friendlyform;browser
+    auth_tkt
+
+[authenticators]
+plugins =
+    auth_tkt
+    ckan.lib.authenticator:UsernamePasswordAuthenticator
+
+[challengers]
+plugins =
+    friendlyform;browser

sddi-social/Dockerfile

@@ -26,10 +26,10 @@ FROM ${BASEIMAGE_REPOSITORY}:${BASEIMAGE_VERSION} as runtime
 
 USER root
 
-ENV CKAN__PLUGINS "image_view text_view recline_view datastore datapusher \
+ENV CKAN__PLUGINS "image_view text_view recline_view webpage_view datastore datapusher \
   hierarchy_display hierarchy_form display_group relation \
   spatial_metadata spatial_query datesearch repeating composite scheming_datasets \
-  resource_proxy geo_view geojson_view wmts_view shp_view \
+  password_policy resource_proxy geo_view geojson_view wmts_view shp_view \
   dcat dcat_json_interface structured_data \
   restricted \
   disqus \

sddi/Dockerfile

@@ -52,10 +52,10 @@ FROM ${BASEIMAGE_REPOSITORY}:${BASEIMAGE_VERSION} as runtime
 
 USER root
 
-ENV CKAN__PLUGINS "image_view text_view recline_view datastore datapusher \
+ENV CKAN__PLUGINS "image_view text_view recline_view webpage_view datastore datapusher \
   hierarchy_display hierarchy_form display_group relation \
   spatial_metadata spatial_query datesearch repeating composite scheming_datasets \
-  resource_proxy geo_view geojson_view wmts_view shp_view \
+  password_policy resource_proxy geo_view geojson_view wmts_view shp_view \
   dcat dcat_json_interface structured_data \
   restricted \
   envvars"