pvarki · rambo · Jan 25, 2025 · Jan 25, 2025 · Jan 26, 2025 · Jan 26, 2025
diff --git a/.bumpversion.cfg b/.bumpversion.cfg
@@ -1,5 +1,5 @@
 [bumpversion]
-current_version = 1.6.0
+current_version = 1.7.0
 commit = False
 tag = False
 

diff --git a/api b/api
diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml
@@ -2,7 +2,7 @@
 #   `docker-compose -p rmdev -f docker-compose-local.yml -f docker-compose-dev.yml up -d`
 
 x-nginxbuilds: &nginxbuildinfo
-  image: pvarki/nginx:1.25${DOCKER_TAG_EXTRA:-}
+  image: pvarki/nginx:1.27${DOCKER_TAG_EXTRA:-}
   build:
     context: ./nginx
     dockerfile: Dockerfile
@@ -39,6 +39,7 @@ services:
       SERVER_DOMAIN: ${SERVER_DOMAIN:-localmaeher.dev.pvarki.fi}
       API_PORT: ${NGINX_HTTPS_PORT:-4439}
       VITE_ASSET_SET: ${VITE_ASSET_SET:-neutral}
+      RELEASE_TAG: "localdev"
     networks:
       - intranet
     ports:  # REMINDER Do not expose these in production

diff --git a/docker-compose-local.yml b/docker-compose-local.yml
@@ -71,15 +71,15 @@ x-keycloakinit_users_env: &keycloakinit_users_env
   KEYCLOAK_PASSWORD: *kcadminpass # pragma: allowlist secret
 
 x-takbuilds: &takbuildinfo
-  image: &takimage "pvarki/takserver:${TAK_RELEASE:-5.2-RELEASE-30}${DOCKER_TAG_EXTRA:-}"
+  image: &takimage "pvarki/takserver:${TAK_RELEASE:-5.3-RELEASE-24}${DOCKER_TAG_EXTRA:-}"
   build:
     context: ./takserver
     dockerfile: Dockerfile
     args:
-      TAK_RELEASE: ${TAK_RELEASE:-5.2-RELEASE-30}
+      TAK_RELEASE: ${TAK_RELEASE:-5.3-RELEASE-24}
 
 x-nginxbuilds: &nginxbuildinfo
-  image: pvarki/nginx:1.25${DOCKER_TAG_EXTRA:-}
+  image: pvarki/nginx:1.27${DOCKER_TAG_EXTRA:-}
   build:
     context: ./nginx
     dockerfile: Dockerfile
@@ -120,10 +120,13 @@ services:
       target: production
     environment:
       MW_DOMAIN: *serverdomain
-      MW_PRODUCTS: "tak,kc,fake"
+      MW_PRODUCTS: "tak,kc,fake,bl"
       MW_RASENMAEHER__API_PORT: *apiport
+      MW_RASENMAEHER__USER_PORT: *apiport
       MW_FAKE__API_PORT: *productport
+      MW_FAKE__USER_PORT: *productport
       MW_TAK__API_PORT: *takapiport
+      MW_TAK__USER_PORT: 8443
       CAROOT: "/data/persistent/mkcert"
       MW_LE_EMAIL: "[email protected]"
       MW_LE_TEST: "true"
@@ -399,6 +402,10 @@ services:
       RM_KC_USERNAME: *kcadminuser
       RM_KC_PASSWORD: *kcadminpass  # pragma: allowlist secret
       RM_KC_REALM: *kc_realm
+      UVICORN_LOG_LEVEL: "debug"
+      RM_LOG_LEVEL: "DEBUG"
+      RM_LOG_LEVEL_INT: "10"
+      RELEASE_TAG: "local"
     networks:
       - apinet
       - kcnet
@@ -441,6 +448,7 @@ services:
       target: production
       args:
         VITE_ASSET_SET: ${VITE_ASSET_SET:-neutral}
+        RELEASE_TAG: "local"
     volumes:
       - rmui_files:/deliver
 
@@ -611,7 +619,7 @@ services:
       - taknet
       - dbnet
     volumes:
-      - ./takserver/updates:/opt/tak/webcontent/update
+      - ./takserver/update:/opt/tak/webcontent/update
       - kraftwerk_shared_tak:/pvarki
       - tak_data:/opt/tak/data
       - le_certs:/le_certs
@@ -626,7 +634,7 @@ services:
       takinit:
           condition: service_completed_successfully
     volumes:
-      - ./takserver/updates:/opt/tak/webcontent/update
+      - ./takserver/update:/opt/tak/webcontent/update
       - tak_data:/opt/tak/data
       - ca_public:/ca_public
       - le_certs:/le_certs
@@ -663,7 +671,7 @@ services:
       takconfig:
         condition: service_healthy
     volumes:
-      - ./takserver/updates:/opt/tak/webcontent/update
+      - ./takserver/update:/opt/tak/webcontent/update
       - tak_data:/opt/tak/data
       - ca_public:/ca_public
       - le_certs:/le_certs
@@ -687,7 +695,7 @@ services:
       takmsg:
         condition: service_healthy
     volumes:
-      - ./takserver/updates:/opt/tak/webcontent/update
+      - ./takserver/update:/opt/tak/webcontent/update
       - tak_data:/opt/tak/data
       - ca_public:/ca_public
       - le_certs:/le_certs
@@ -711,7 +719,7 @@ services:
       takmsg:
         condition: service_healthy
     volumes:
-      - ./takserver/updates:/opt/tak/webcontent/update
+      - ./takserver/update:/opt/tak/webcontent/update
       - tak_data:/opt/tak/data
       - ca_public:/ca_public
     network_mode: "service:takconfig"
@@ -734,7 +742,7 @@ services:
       takapi:
         condition: service_healthy
     volumes:
-      - ./takserver/updates:/opt/tak/webcontent/update
+      - ./takserver/update:/opt/tak/webcontent/update
       - tak_data:/opt/tak/data
       - ca_public:/ca_public
     network_mode: "service:takconfig"
@@ -748,7 +756,7 @@ services:
     restart: unless-stopped
 
   takrmapi:
-    image: pvarki/takrmapi:local${DOCKER_TAG_EXTRA:-}-tak${TAK_RELEASE:-5.2-RELEASE-30}
+    image: pvarki/takrmapi:local${DOCKER_TAG_EXTRA:-}-tak${TAK_RELEASE:-5.3-RELEASE-24}
     build:
       context: ./takintegration
       dockerfile: Dockerfile
@@ -758,6 +766,8 @@ services:
     network_mode: "service:takconfig"
     environment:
       LOG_CONSOLE_FORMATTER: "local"
+      UVICORN_LOG_LEVEL: "debug"
+      TI_LOG_LEVEL: "10"
     volumes:
       - ca_public:/ca_public
       - le_certs:/le_certs

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -68,15 +68,15 @@ x-keycloakinit_users_env: &keycloakinit_users_env
   KEYCLOAK_PASSWORD: *kcadminpass # pragma: allowlist secret
 
 x-takbuilds: &takbuildinfo
-  image: &takimage "pvarki/takserver:${TAK_RELEASE:-5.2-RELEASE-30}-d${RELEASE_TAG:-1.6.0}${DOCKER_TAG_EXTRA:-}"
+  image: &takimage "pvarki/takserver:${TAK_RELEASE:-5.3-RELEASE-24}-d${RELEASE_TAG:-1.7.0}${DOCKER_TAG_EXTRA:-}"
   build:
     context: ./takserver
     dockerfile: Dockerfile
     args:
-      TAK_RELEASE: ${TAK_RELEASE:-5.2-RELEASE-30}
+      TAK_RELEASE: ${TAK_RELEASE:-5.3-RELEASE-24}
 
 x-nginxbuilds: &nginxbuildinfo
-  image: pvarki/nginx:1.25-d${RELEASE_TAG:-1.6.0}${DOCKER_TAG_EXTRA:-}
+  image: pvarki/nginx:1.27-d${RELEASE_TAG:-1.7.0}${DOCKER_TAG_EXTRA:-}
   build:
     context: ./nginx
     dockerfile: Dockerfile
@@ -115,20 +115,24 @@ x-takserver_env: &takserver_env
 
 services:
   miniwerk:
-    image: pvarki/miniwerk:1.1.0-d${RELEASE_TAG:-1.6.0}${DOCKER_TAG_EXTRA:-}
+    image: pvarki/miniwerk:1.3.0-d${RELEASE_TAG:-1.7.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./miniwerk
       dockerfile: Dockerfile
       target: production
     environment:
       MW_DOMAIN: *serverdomain
       MW_RASENMAEHER__API_PORT: *apiport
+      MW_RASENMAEHER__USER_PORT: *apiport
       MW_FAKE__API_PORT: *productport
+      MW_FAKE__USER_PORT: *productport
       MW_TAK__API_PORT: *takapiport
+      MW_TAK__USER_PORT: 8443
       MW_LE_EMAIL: ${MW_LE_EMAIL?LE contact email must be defined}
       MW_LE_TEST: ${MW_LE_TEST:-true}  # see example_env.sh
       MW_MKCERT: ${MW_MKCERT:-false}  # When LetEncrypt cannot be used set to "true"
       MW_KEYTYPE: "rsa"
+      #MW_PRODUCTS: "tak,kc,bl"
       MW_PRODUCTS: "tak,kc"
     volumes:
       - kraftwerk_shared_fake:/pvarkishares/fake
@@ -141,7 +145,7 @@ services:
       - "80:80"
 
   cfssl:
-    image: pvarki/cfssl:api-1.2.0-d${RELEASE_TAG:-1.6.0}${DOCKER_TAG_EXTRA:-}
+    image: pvarki/cfssl:api-1.2.0-d${RELEASE_TAG:-1.7.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./cfssl
       dockerfile: Dockerfile
@@ -164,7 +168,7 @@ services:
     restart: unless-stopped
 
   ocsp:
-    image: pvarki/cfssl:ocsp-1.2.0-d${RELEASE_TAG:-1.6.0}${DOCKER_TAG_EXTRA:-}
+    image: pvarki/cfssl:ocsp-1.2.0-d${RELEASE_TAG:-1.7.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./cfssl
       dockerfile: Dockerfile
@@ -190,7 +194,7 @@ services:
     restart: unless-stopped
 
   ocsprest:
-    image: pvarki/cfssl:ocsprest-1.0.4-d${RELEASE_TAG:-1.6.0}${DOCKER_TAG_EXTRA:-}
+    image: pvarki/cfssl:ocsprest-1.0.4-d${RELEASE_TAG:-1.7.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./cfssl
       dockerfile: Dockerfile
@@ -250,7 +254,7 @@ services:
         condition: service_completed_successfully
 
   openldap:
-    image: pvarki/openldap:1.0.0-d${RELEASE_TAG:-1.6.0}${DOCKER_TAG_EXTRA:-}
+    image: pvarki/openldap:1.0.0-d${RELEASE_TAG:-1.7.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./keycloak/openldap
       dockerfile: Dockerfile
@@ -360,7 +364,7 @@ services:
         condition: service_healthy
 
   rmapi:
-    image: pvarki/rmapi:1.5.0-d${RELEASE_TAG:-1.6.0}${DOCKER_TAG_EXTRA:-}
+    image: pvarki/rmapi:1.6.1-d${RELEASE_TAG:-1.7.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./api
       dockerfile: Dockerfile
@@ -381,6 +385,8 @@ services:
       RM_KC_USERNAME: *kcadminuser
       RM_KC_PASSWORD: *kcadminpass  # pragma: allowlist secret
       RM_KC_REALM: *kc_realm
+      RM_LOG_LEVEL: "INFO"
+      RELEASE_TAG: ${RELEASE_TAG:-1.7.0}
     networks:
       - apinet
       - kcnet
@@ -414,18 +420,19 @@ services:
     restart: unless-stopped
 
   rmui:
-    image: pvarki/rmui:1.3.0-${VITE_ASSET_SET:-neutral}-d${RELEASE_TAG:-1.6.0}${DOCKER_TAG_EXTRA:-}
+    image: pvarki/rmui:1.3.0-${VITE_ASSET_SET:-neutral}-d${RELEASE_TAG:-1.7.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./ui
       dockerfile: Dockerfile
       target: production
       args:
         VITE_ASSET_SET: ${VITE_ASSET_SET:-neutral}
+        RELEASE_TAG: ${RELEASE_TAG:-1.7.0}
     volumes:
       - rmui_files:/deliver
 
   nginx_templates:
-    image: pvarki/nginx:templates-d${RELEASE_TAG:-1.6.0}${DOCKER_TAG_EXTRA:-}
+    image: pvarki/nginx:templates-d${RELEASE_TAG:-1.7.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./nginx
       dockerfile: Dockerfile
@@ -484,7 +491,7 @@ services:
     restart: unless-stopped
 
   kwinit:  # Mostly to make sure it's built
-    image: pvarki/kw_product_init:1.0.0-d${RELEASE_TAG:-1.6.0}${DOCKER_TAG_EXTRA:-}
+    image: pvarki/kw_product_init:1.0.0-d${RELEASE_TAG:-1.7.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./kw_product_init
       dockerfile: Dockerfile
@@ -515,7 +522,7 @@ services:
       - taknet
       - dbnet
     volumes:
-      - ./takserver/updates:/opt/tak/webcontent/update
+      - ./takserver/update:/opt/tak/webcontent/update
       - kraftwerk_shared_tak:/pvarki
       - tak_data:/opt/tak/data
       - le_certs:/le_certs
@@ -530,7 +537,7 @@ services:
       takinit:
           condition: service_completed_successfully
     volumes:
-      - ./takserver/updates:/opt/tak/webcontent/update
+      - ./takserver/update:/opt/tak/webcontent/update
       - tak_data:/opt/tak/data
       - ca_public:/ca_public
       - le_certs:/le_certs
@@ -563,7 +570,7 @@ services:
       takconfig:
         condition: service_healthy
     volumes:
-      - ./takserver/updates:/opt/tak/webcontent/update
+      - ./takserver/update:/opt/tak/webcontent/update
       - tak_data:/opt/tak/data
       - ca_public:/ca_public
       - le_certs:/le_certs
@@ -587,7 +594,7 @@ services:
       takmsg:
         condition: service_healthy
     volumes:
-      - ./takserver/updates:/opt/tak/webcontent/update
+      - ./takserver/update:/opt/tak/webcontent/update
       - tak_data:/opt/tak/data
       - ca_public:/ca_public
       - le_certs:/le_certs
@@ -611,7 +618,7 @@ services:
       takmsg:
         condition: service_healthy
     volumes:
-      - ./takserver/updates:/opt/tak/webcontent/update
+      - ./takserver/update:/opt/tak/webcontent/update
       - tak_data:/opt/tak/data
       - ca_public:/ca_public
     network_mode: "service:takconfig"
@@ -634,7 +641,7 @@ services:
       takapi:
         condition: service_healthy
     volumes:
-      - ./takserver/updates:/opt/tak/webcontent/update
+      - ./takserver/update:/opt/tak/webcontent/update
       - tak_data:/opt/tak/data
       - ca_public:/ca_public
     network_mode: "service:takconfig"
@@ -648,13 +655,16 @@ services:
     restart: unless-stopped
 
   takrmapi:
-    image: pvarki/takrmapi:1.3.0-tak${TAK_RELEASE:-5.2-RELEASE-30}-d${RELEASE_TAG:-1.6.0}${DOCKER_TAG_EXTRA:-}
+    image: pvarki/takrmapi:1.4.1-tak${TAK_RELEASE:-5.3-RELEASE-24}-d${RELEASE_TAG:-1.7.0}${DOCKER_TAG_EXTRA:-}
     build:
       context: ./takintegration
       dockerfile: Dockerfile
       target: production
       args:
         TAKSERVER_IMAGE: *takimage
+    environment:
+      UVICORN_LOG_LEVEL: "info"
+      TI_LOG_LEVEL: "20"
     labels:
         - "autoheal=true"
     network_mode: "service:takconfig"

diff --git a/miniwerk b/miniwerk
diff --git a/nginx/Dockerfile b/nginx/Dockerfile
@@ -11,7 +11,7 @@ RUN chmod a+x /entrypoint_deliver.sh \
 ENTRYPOINT ["/entrypoint_deliver.sh"]
 
 # Actual NGinx container
-FROM nginx:1.27.4-alpine as production
+FROM nginx:1.27-alpine as production
 COPY entrypoint_templates.sh /
 COPY crl_watcher.sh /usr/local/bin
 RUN apk add --no-cache inotify-tools bash procps

diff --git a/nginx/templates_rasenmaeher/default.conf.template b/nginx/templates_rasenmaeher/default.conf.template
@@ -109,7 +109,7 @@ server {
 
     location /api {
         if ($ssl_client_verify != SUCCESS) {
-            return 302 https://${NGINX_HOST}:${NGINX_HTTPS_PORT}/error?code=mtls_fail;
+            return 302 https://${NGINX_HOST}:${NGINX_HTTPS_PORT}/error?code=mtls_fail&exta=$ssl_client_verify;
         }
         proxy_pass  http://${NGINX_UPSTREAM}:${NGINX_UPSTREAM_PORT}/api;
         proxy_redirect                      off;
@@ -123,14 +123,14 @@ server {
     }
 
     # Even though users sees code 400 the code is 495 http://nginx.org/en/docs/http/ngx_http_ssl_module.html#errors
-    error_page 495 https://${NGINX_HOST}:${NGINX_HTTPS_PORT}/error?code=mtls_fail;
+    error_page 495 =302 https://${NGINX_HOST}:${NGINX_HTTPS_PORT}/error?code=mtls_fail&exta=$ssl_client_verify;
 
     location / {
         if ($redir_uri != "") {
             return 301 $redir_uri$request_uri;
         }
         if ($ssl_client_verify != SUCCESS) {
-            return 302 https://${NGINX_HOST}:${NGINX_HTTPS_PORT}/error?code=mtls_fail;
+            return 302 https://${NGINX_HOST}:${NGINX_HTTPS_PORT}/error?code=mtls_fail&exta=$ssl_client_verify;
         }
         index index.html;
         root /rmui_files;

diff --git a/takintegration b/takintegration
diff --git a/takserver b/takserver
+1 −1		.bumpversion.cfg
+7 −4		Dockerfile
+321 −167		poetry.lock
+4 −2		pyproject.toml
+1 −1		src/rasenmaeher_api/__init__.py
+3 −9		src/rasenmaeher_api/console.py
+4 −4		src/rasenmaeher_api/db/__init__.py
+22 −56		src/rasenmaeher_api/db/base.py
+3 −1		src/rasenmaeher_api/db/config.py
+51 −0		src/rasenmaeher_api/db/dbinit.py
+59 −0		src/rasenmaeher_api/db/engine.py
+129 −104		src/rasenmaeher_api/db/enrollments.py
+46 −39		src/rasenmaeher_api/db/logincodes.py
+11 −47		src/rasenmaeher_api/db/middleware.py
+16 −10		src/rasenmaeher_api/db/nonces.py
+121 −101		src/rasenmaeher_api/db/people.py
+11 −9		src/rasenmaeher_api/kchelpers.py
+1 −1		src/rasenmaeher_api/web/api/enrollment/views.py
+4 −2		src/rasenmaeher_api/web/api/healthcheck/schema.py
+6 −1		src/rasenmaeher_api/web/api/healthcheck/views.py
+1 −1		src/rasenmaeher_api/web/api/middleware/user.py
+1 −0		src/rasenmaeher_api/web/api/people/schema.py
+62 −4		src/rasenmaeher_api/web/api/people/views.py
+3 −4		src/rasenmaeher_api/web/application.py
+3 −5		tests/conftest.py
+48 −36		tests/test_db.py
+0 −3		tests/test_descriptions.py
+0 −3		tests/test_enrollment.py
+1 −1		tests/test_healthcheck.py
+1 −1		tests/test_rasenmaeher_api.py
+0 −3		tests/test_tokens.py
+1 −1		.bumpversion.cfg
+17 −6		.pre-commit-config.yaml
+6 −4		Dockerfile
+1 −0		docker/entrypoint-test.sh
+1 −2		docker/entrypoint.sh
+1,751 −1,420		poetry.lock
+12 −12		pyproject.toml
+2 −1		src/takrmapi/__init__.py
+1 −0		src/takrmapi/api/__init__.py
+1 −0		src/takrmapi/api/admininfo.py
+3 −1		src/takrmapi/api/clientinfo.py
+1 −0		src/takrmapi/api/description.py
+1 −0		src/takrmapi/api/healthcheck.py
+1 −0		src/takrmapi/api/instructions.py
+1 −0		src/takrmapi/api/usercrud.py
+1 −0		src/takrmapi/app.py
+5 −2		src/takrmapi/config.py
+1 −0		src/takrmapi/console.py
+104 −41		src/takrmapi/tak_helpers.py
+1 −0		src/takrmapi/tak_init.py
+1 −0		src/takrmapi/tak_schema.py
+1 −0		tests/conftest.py
+1 −0		tests/test_console.py
+1 −0		tests/test_crud.py
+1 −0		tests/test_fragment.py
+1 −0		tests/test_openapi.py
+2 −1		tests/test_takrmapi.py
+1 −1		Dockerfile
+10 −0		build_compose.yml
+2 −2		docker-compose.yml
+1 −1		scripts/enable_admin.sh
+1 −1		scripts/enable_user.sh
+0 −0		update/.keep