Backport master -> develop

.dockerignore

@@ -77,5 +77,9 @@ docs/_build/
 # PyBuilder
 target/
 
-#Ipython Notebook
+# Ipython Notebook
 .ipynb_checkpoints
+
+# SSO
+*.pem
+*.crt

deployment/common/nginx.conf

@@ -58,3 +58,4 @@ server {
      alias   /data/;
    }
  }
+

deployment/common/ssl-proxy.conf

@@ -1,63 +1,63 @@
 
-    server {
-        listen       80;
-        server_name merginmaps.company.com;  # FIXME
+server {
+    listen       80;
+    server_name merginmaps.company.com;  # FIXME
 
-        if ($scheme != "https") {
-                return 301 https://$host$request_uri;
-        }
+    if ($scheme != "https") {
+            return 301 https://$host$request_uri;
     }
-
-    upstream app_server {
-        # route to the application proxy
-        server 127.0.0.1:8080 fail_timeout=0;
-    }
-
-    server {
-        listen              443 ssl;
-        server_name         merginmaps.company.com; # FIXME
-        client_max_body_size 4G;
-
-        ssl_certificate_key /etc/letsencrypt/live/merginmaps.company.com/privkey.pem; # FIXME
-        ssl_certificate     /etc/letsencrypt/live/merginmaps.company.com/fullchain.pem; # FIXME
-
-        # Don't show version information
-        server_tokens off;
-
-        # Enable gzip compression
-        gzip on;
-        gzip_min_length 10240;
-        gzip_comp_level 1;
-        gzip_vary on;
-        gzip_proxied any;
-        gzip_types
-            text/css
-            text/javascript
-            application/javascript
-            application/x-javascript;
-
-        # Prevent crawlers from indexing and following links for all content served from the mergin app
-        add_header X-Robots-Tag "none";
-
-        # Protect against clickjacking iframe
-        add_header Content-Security-Policy "frame-ancestors 'self';" always;
-
-        # Add a HSTS policy to prevent plain http from browser
-        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
-
-        # Set cookies security flags
-        proxy_cookie_flags ~ secure httponly samesite=strict;
-
-        location / {
-            root /var/www/html;
-
-            # The lines below were copied from application proxy
-            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-            proxy_set_header X-Forwarded-Proto $scheme;
-            proxy_set_header Host $http_host;
-            # we don't want nginx trying to do something clever with
-            # redirects, we set the Host: header above already.
-            proxy_redirect off;
-            proxy_pass http://app_server;
-        }
+}
+
+upstream app_server {
+    # route to the application proxy
+    server 127.0.0.1:8080 fail_timeout=0;
+}
+
+server {
+    listen              443 ssl;
+    server_name         merginmaps.company.com; # FIXME
+    client_max_body_size 4G;
+
+    ssl_certificate_key /etc/letsencrypt/live/merginmaps.company.com/privkey.pem; # FIXME
+    ssl_certificate     /etc/letsencrypt/live/merginmaps.company.com/fullchain.pem; # FIXME
+
+    # Don't show version information
+    server_tokens off;
+
+    # Enable gzip compression
+    gzip on;
+    gzip_min_length 10240;
+    gzip_comp_level 1;
+    gzip_vary on;
+    gzip_proxied any;
+    gzip_types
+        text/css
+        text/javascript
+        application/javascript
+        application/x-javascript;
+
+    # Prevent crawlers from indexing and following links for all content served from the mergin app
+    add_header X-Robots-Tag "none";
+
+    # Protect against clickjacking iframe
+    add_header Content-Security-Policy "frame-ancestors 'self';" always;
+
+    # Add a HSTS policy to prevent plain http from browser
+    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
+
+    # Set cookies security flags
+    proxy_cookie_flags ~ secure httponly samesite=strict;
+
+    location / {
+        root /var/www/html;
+
+        # The lines below were copied from application proxy
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header Host $http_host;
+        # we don't want nginx trying to do something clever with
+        # redirects, we set the Host: header above already.
+        proxy_redirect off;
+        proxy_pass http://app_server;
     }
+}

deployment/community/.env.template

@@ -1,17 +1,19 @@
 # This file should contain a set of Mergin Maps configuration definitions along with their default values
 
+# Required for access of your server from the internet in email links
+#MERGIN_BASE_URL=http://localhost:5000
+MERGIN_BASE_URL=fixme.example.com
 
-FLASK_APP=application
+# fixme: administrator email address for notifications and application initialisation
+CONTACT_EMAIL=admin@example.com
 
-# Required for access of your server
-#MERGIN_BASE_URL=http://localhost:5000
+# Flask application related
+
+FLASK_APP=application
 
 #DEBUG=FLASK_DEBUG | False
 FLASK_DEBUG=0
 
-#LOCAL_PROJECTS=os.path.join(config_dir, os.pardir, os.pardir, 'projects')  # for local storage type
-LOCAL_PROJECTS=/data
-
 #MAINTENANCE_FILE=os.path.join(LOCAL_PROJECTS, 'MAINTENANCE')  # locking file when backups are created
 MAINTENANCE_FILE=/data/MAINTENANCE
 
@@ -104,6 +106,9 @@ MAIL_SUPPRESS_SEND=0
 
 # data sync
 
+#LOCAL_PROJECTS=os.path.join(config_dir, os.pardir, os.pardir, 'projects')  # for local storage type
+LOCAL_PROJECTS=/data
+
 #BLACKLIST='.mergin/, .DS_Store, .directory'  # cast=Csv()
 
 #FILE_EXPIRATION=48 * 3600  # for clean up of old files where diffs were applied, in seconds

deployment/enterprise/.env.template

@@ -1,36 +1,32 @@
 # This file should contain a full set of Mergin Maps configuration
 # definitions along with their default values
 
-FLASK_APP=application
-GEODIFF_LOGGER_LEVEL=2
-CONTACT_EMAIL=fixme
+# Base URL of your deployment, required for access of your server from the internet in email links
+#MERGIN_BASE_URL=http://localhost:5000
+MERGIN_BASE_URL=fixme.example.com
 
+# fixme: administrator email address for notifications and application initialisation
+CONTACT_EMAIL=admin@example.com
 
-# ALL VERSIONS #########################################################################################################
+# Flask application related
 
-#DEBUG=FLASK_DEBUG | False
+FLASK_APP=application
+GEODIFF_LOGGER_LEVEL=2
 
-#LOCAL_PROJECTS=os.path.join(config_dir, os.pardir, os.pardir, 'projects')  # for local storage type
-LOCAL_PROJECTS=/data
+#DEBUG=FLASK_DEBUG | False
 
 #MAINTENANCE_FILE=os.path.join(LOCAL_PROJECTS, 'MAINTENANCE')  # locking file when backups are created
 MAINTENANCE_FILE=/data/MAINTENANCE
 
 #PROXY_FIX=True
 
-#SECRET_KEY=NODEFAULT
-SECRET_KEY=fix-me
-
 #SWAGGER_UI=False  # to enable swagger UI console (for test only)
 
 #TEMP_DIR=gettempdir()  # trash dir for temp files being cleaned regularly
 TEMP_DIR=/data/tmp
 
 #TESTING=False
 
-#USER_SELF_REGISTRATION=True
-
-
 # Mergin DB related
 
 #DB_APPLICATION_NAME=mergin
@@ -59,10 +55,20 @@ DB_PORT=5432
 
 # auth related
 
+#USER_SELF_REGISTRATION=True
+
+#SECRET_KEY=NODEFAULT
+SECRET_KEY=fixme
+
 #BEARER_TOKEN_EXPIRATION=3600 * 12  # in seconds
 
+#SECURITY_BEARER_SALT=NODEFAULT
 SECURITY_BEARER_SALT=fixme
+
+#SECURITY_EMAIL_SALT=NODEFAULT
 SECURITY_EMAIL_SALT=fixme
+
+#SECURITY_PASSWORD_SALT=NODEFAULT
 SECURITY_PASSWORD_SALT=fixme
 
 #WTF_CSRF_ENABLED=True
@@ -93,11 +99,14 @@ MAIL_SERVER=fixme
 #MAIL_USE_TLS=True
 
 #MAIL_USERNAME=NODEFAULT
-MAIL_USERNAME=fix-me
+MAIL_USERNAME=fixme
 
 
 # data sync
 
+#LOCAL_PROJECTS=os.path.join(config_dir, os.pardir, os.pardir, 'projects')  # for local storage type
+LOCAL_PROJECTS=/data
+
 #BLACKLIST='.mergin/, .DS_Store, .directory'  # cast=Csv()
 
 #FILE_EXPIRATION=48 * 3600  # for clean up of old files where diffs were applied, in seconds
@@ -216,5 +225,27 @@ VECTOR_TILES_STYLE_URL=https://tiles-ee.merginmaps.com//styles/default.json
 
 #OVERVIEW_MAX_FILE_SIZE=1048576 # 1MB
 
-# Diagnostic logs from Mobile and QGIS Plugin
+### Diagnostic logs from Mobile and QGIS Plugin
 DIAGNOSTIC_LOGS_DIR=/diagnostic_logs
+
+### SSO ################################################################################################################
+SSO_ENABLED=False
+
+# public URL of the SSO server, used for redirecting users to SSO login page
+SSO_SERVER_URL=http://localhost:8081
+
+# api key used for internal calls to SSO server.
+# SSO_SERVER_API_KEY=fixme
+
+# internal URL of the api server, used for internal calls to polis API
+# SSO_SERVER_API_URL=http://merginmaps-proxy:8081
+
+# internal URL of the SSO server, used for internal calls to polis Oauth API
+# SSO_SERVER_INTERNAL_URL=http://merginmaps-proxy:8081
+
+# by default token is alive for 14 days (use seconds as unit
+# SSO_SESSION_EXPIRATION=14 * 24 * 3600
+
+# This should be the same as SSO connection Product field in admin panel.
+# Default value is mergin-maps-product string
+# SSO_SERVER_PRODUCT_ID=mergin-maps-product

deployment/enterprise/.sso.env.template

@@ -0,0 +1,36 @@
+# Environment variables for Ory Polis SSO server
+# for full list check https://www.ory.sh/docs/polis/deploy/env-variables
+
+# need to be base64 encoded values
+# JACKSON_API_KEYS=
+# DB_ENCRYPTION_KEY=
+# NEXTAUTH_JWT_SIGNING_PRIVATE_KEY=
+# NEXTAUTH_SECRET=
+# these comes from key pair
+# PRIVATE_KEY=
+# PUBLIC_KEY=
+
+NEXTAUTH_ACL=
+# fixme with proper credentials
+NEXTAUTH_ADMIN_CREDENTIALS=admin@boxy.com:boxy
+
+# Add some not real domain here. It will be used for SAML application initialization. For more details see: https://www.ory.sh/docs/polis/deploy/env-variables#saml_audience
+SAML_AUDIENCE=https://saml.merginmaps.com
+
+# Chnage in production to real domain where Polis will be deployed
+EXTERNAL_URL=http://localhost:8081
+NEXTAUTH_URL=http://localhost:8081
+# beware it should use different db and user in production
+DB_URL=postgres://postgres:postgres@db:5432/jackson
+DB_ENGINE=sql
+DB_TYPE=postgres
+DB_TTL=300
+DB_CLEANUP_LIMIT=1000
+DB_MANUAL_MIGRATION=false
+BOXYHQ_NO_TELEMETRY=true
+BOXYHQ_NO_ANALYTICS=true
+DO_NOT_TRACK=true
+IDP_ENABLED=false
+ADMIN_PORTAL_HIDE_AUDIT_LOGS=true
+ADMIN_PORTAL_HIDE_IDENTITY_FEDERATION=true
+ADMIN_PORTAL_HIDE_DIRECTORY_SYNC=true