Update base images

Add recaptcha support

Author: joecorall

Dockerfile

@@ -1,4 +1,4 @@
-FROM islandora/nginx:6.0.10@sha256:57f9e680cc7515ba0025c2e5ba5f1f16dc6bb0810810684556805431af5fd962
+FROM islandora/nginx:6.2.3@sha256:1e85a1f0a222289a3079d5740ce8156d36c325c1f8477fb96806fa157cfb666b
 
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 
@@ -12,11 +12,11 @@ ARG \
     # renovate: datasource=repology depName=alpine_3_22/ghostscript
     GHOSTSCRIPT_VERSION=10.05.1-r0 \
     # renovate: datasource=repology depName=alpine_3_22/npm
-    NPM_VERSION=11.4.2-r0 \
+    NPM_VERSION=11.6.4-r0 \
     # renovate: datasource=github-tags depName=ojs packageName=pkp/ojs
     OJS_VERSION=3_5_0rc2 \
     # renovate: datasource=repology depName=alpine_3_22/php83
-    PHP_VERSION=8.3.27-r0 \
+    PHP_VERSION=8.3.29-r0 \
     # renovate: datasource=repology depName=alpine_3_22/poppler-utils
     POPPLER_VERSION=25.04.0-r0
 
@@ -28,11 +28,15 @@ RUN apk add --no-cache \
     php83-ftp=="${PHP_VERSION}" \
     php83-gettext=="${PHP_VERSION}" \
     poppler-utils=="${POPPLER_VERSION}" \
+    patch \
     && cleanup.sh
 
+COPY patches /patches
+
 RUN git clone https://github.com/pkp/ojs.git . \
     && git checkout "${OJS_VERSION}" \
     && git submodule update --init --recursive \
+    && for patch in /patches/*.patch; do patch -p1 < "$patch"; done \
     && rm -rf .github tests docs \
     && composer -d lib/pkp install \
     && composer -d plugins/generic/citationStyleLanguage install \

Makefile

@@ -3,7 +3,7 @@
 DOCKER_IMAGE=ghcr.io/libops/ojs:main
 
 deps:
-	docker compose pull
+	docker compose pull --ignore-buildable
 
 build: deps
 	docker compose build

docker-compose.yaml

@@ -1,4 +1,6 @@
 ---
+networks:
+  default:
 volumes:
   mariadb-data: {}
   ojs-cache: {}
@@ -21,7 +23,7 @@ secrets:
 
 services:
   init:
-    image: islandora/base:6.0.10@sha256:00f16e56a20950f7b85e690b03c1e6e167625236bc77c56f4cd121dafd9ef578
+    image: islandora/base:6.2.3@sha256:010f7e422ad4563f91335106215a72c7485635b0a1125c651b4e76cb6d7efbd4
     restart: no
     volumes:
       - ./secrets:/secrets:rw
@@ -32,12 +34,16 @@ services:
   ojs:
     image: ghcr.io/libops/ojs:main
     build: .
+    networks:
+      - default
     ports:
       - 80:80
     environment:
       OJS_OAI_REPOSITORY_ID: ${DOMAIN:-localhost}
       OJS_ENABLE_BEACON: 1
       OJS_SMTP_SERVER: ${OJS_SMTP_SERVER:-}
+      OJS_ENABLE_HTTPS: "true"
+      OJS_BASE_URL: "https://${DOMAIN:-localhost}"
     secrets:
       - source: DB_ROOT_PASSWORD
       - source: OJS_API_KEY_SECRET
@@ -54,7 +60,9 @@ services:
       mariadb:
         condition: service_started
   mariadb:
-    image: islandora/mariadb:6.0.10@sha256:a89a1152abe0fc3d5de66d071b4391dd8f18e5f4883bfa32a82caf45a46d96da
+    image: islandora/mariadb:6.2.3@sha256:3c6e7cbed734310f4d9fea7a4f08e7e282ecb1a5e73aec0ab79b4167930380ab
+    networks:
+      - default
     volumes:
       - mariadb-data:/var/lib/mysql:rw
     secrets:

patches/update_ror_registry_dataset.patch

@@ -0,0 +1,40 @@
+diff --git a/lib/pkp/classes/task/UpdateRorRegistryDataset.php b/lib/pkp/classes/task/UpdateRorRegistryDataset.php
+index 5b1af95424c..a033f250ae6 100644
+--- a/lib/pkp/classes/task/UpdateRorRegistryDataset.php
++++ b/lib/pkp/classes/task/UpdateRorRegistryDataset.php
+@@ -84,7 +84,7 @@ class UpdateRorRegistryDataset extends ScheduledTask
+     private string $urlVersions = 'https://zenodo.org/api/communities/ror-data/records?q=&sort=newest';
+ 
+     /** @var string The file contains the following text in the name. */
+-    private string $csvNameContains = 'ror-data_schema_v2.csv';
++    private string $csvNameContains = 'ror-data.csv';
+ 
+     /** @var string The prefix used for the temporary zip file and the extracted directory. */
+     private string $prefix = 'TemporaryRorRegistryCache';
+@@ -135,7 +135,7 @@ public function executeActions(): bool
+             }
+ 
+             $pathCsv = $this->getPathCsv($pathZipDir);
+-            if (empty($pathCsv || !$this->fileManager->fileExists($pathCsv))) {
++            if (empty($pathCsv) || !$this->fileManager->fileExists($pathCsv)) {
+                 return false;
+             }
+ 
+@@ -175,7 +175,7 @@ private function getDownloadUrl(): string
+             }
+ 
+             return '';
+-        } catch (GuzzleException|Exception $e) {
++        } catch (GuzzleException | Exception $e) {
+             $this->addExecutionLogEntry(
+                 $e->getMessage(),
+                 ScheduledTaskHelper::SCHEDULED_TASK_MESSAGE_TYPE_ERROR
+@@ -210,7 +210,7 @@ private function downloadAndExtract(string $downloadUrl, string $pathZipFile, st
+             }
+ 
+             return true;
+-        } catch (GuzzleException|Exception $e) {
++        } catch (GuzzleException | Exception $e) {
+             $this->addExecutionLogEntry(
+                 $e->getMessage(),
+                 ScheduledTaskHelper::SCHEDULED_TASK_MESSAGE_TYPE_ERROR

rootfs/etc/confd/conf.d/ojs.conf.toml

@@ -0,0 +1,7 @@
+[template]
+src = "ojs.conf.tmpl"
+dest = "/etc/nginx/shared/ojs.conf"
+uid = 0
+gid = 0
+mode = "0644"
+keys = [ "/" ]

rootfs/etc/confd/templates/config.inc.tmpl

@@ -102,7 +102,7 @@ restful_urls = On
 {{- $cleaned := replace $temp "http://"  "" -1 -}}
 
 {{- $host  := index (split $cleaned "/") 0 -}}
-{{- $domain := index (split $host    ":") 0 -}}
+{{ $domain := index (split $host    ":") 0 }}
 allowed_hosts = '["localhost", "{{ $domain }}"]'
 
 
@@ -431,45 +431,13 @@ page_links = 10
 [captcha]
 
 ; Whether or not to enable ReCaptcha
-recaptcha = off
-
-; Public key for reCaptcha (see http://www.google.com/recaptcha)
-recaptcha_public_key = your_public_key
-
-; Private key for reCaptcha (see http://www.google.com/recaptcha)
-recaptcha_private_key = your_private_key
-
-; Whether or not to use Captcha on user registration
+recaptcha = {{ if getenv "RECAPTCHA_PUBLIC_KEY" }}on{{ else }}off{{ end }}
+recaptcha_public_key = {{ getenv "RECAPTCHA_PUBLIC_KEY" }}
+recaptcha_private_key = {{ getenv "RECAPTCHA_PRIVATE_KEY" }}
 captcha_on_register = on
-
-; Whether or not to use Captcha on user login
 captcha_on_login = on
-
-; Validate the hostname in the ReCaptcha response
 recaptcha_enforce_hostname = Off
 
-; ALTCHA is a free and open-source alternative to Google's ReCaptcha
-; The options below will manage all the required configurations used to
-; work with ALTCHA instead of ReCaptcha on system
-
-; Whether or not to enable ALTCHA
-altcha = off
-
-; Private key for ALTCHA
-altcha_hmackey = 'Example key'
-
-; Whether or not to use ALTCHA on user registration
-altcha_on_register = on
-
-; Whether or not to use ALTCHA on user login
-altcha_on_login = on
-
-; Whether or not to use ALTCHA on user lost password
-altcha_on_lost_password = on
-
-; The quantity of encryption cycles performed by the ALTCHA system
-altcha_encrypt_number = 10000
-
 ;;;;;;;;;;;;;;;;;;;;;
 ; External Commands ;
 ;;;;;;;;;;;;;;;;;;;;;

rootfs/etc/confd/templates/ojs.conf.tmpl

@@ -0,0 +1,42 @@
+root /var/www/ojs;
+index index.php;
+
+error_log /dev/stderr;
+access_log /dev/stdout combined;
+
+error_log /dev/stderr;
+access_log /dev/stdout combined;
+
+# API rewrite with redirect
+location ~ ^/api/v1(.*)$ {
+    return 307 /index.php/api/v1$1;
+}
+
+# Main location block
+location / {
+    # Try to serve file directly, otherwise pass to index.php
+    try_files $uri $uri/ /index.php/$uri?$query_string;
+}
+
+# PHP processing
+location ~ \.php(/|$) {
+    fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+    if (!-f $document_root$fastcgi_script_name) {
+        return 404;
+    }
+
+    fastcgi_pass unix:/var/run/php-fpm83/php-fpm83.sock;
+    {{ if eq (getenv "OJS_ENABLE_HTTPS") "true" }}
+    fastcgi_param HTTPS on;
+    fastcgi_param HTTP_SCHEME https;
+    {{ end }}
+    fastcgi_index index.php;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_param PATH_INFO $fastcgi_path_info;
+    include fastcgi_params;
+}
+
+# Deny access to hidden files
+location ~ /\. {
+    deny all;
+}

rootfs/etc/nginx/shared/fpm.conf

@@ -0,0 +1,24 @@
+# Used to validate that PHP-FPM is in a ready state.
+# Not accessible outside of the container.
+location ~ ^/(status|ping)$ {
+    access_log off;
+    allow 127.0.0.1;
+    allow ::1;
+    deny all;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_index index.php;
+    include fastcgi_params;
+    fastcgi_pass unix:/var/run/php-fpm83/php-fpm83.sock;
+}
+
+location = /opcache_stat.php {
+    access_log off;
+    allow 127.0.0.1;
+    allow ::1;
+    allow 128.180.0.0/16;
+    deny all;
+    fastcgi_pass unix:/var/run/php-fpm83/php-fpm83.sock;
+    fastcgi_index index.php;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    include fastcgi_params;
+}

rootfs/etc/s6-overlay/scripts/ojs-setup.sh

@@ -59,31 +59,29 @@ function install_ojs {
         echo "OJS Installation Complete!"
         echo "=========================================="
         rm /tmp/ojs-install.log
+        set_ojs_installed
     else
         echo "=========================================="
         echo "OJS Installation Failed!"
         echo "=========================================="
         cat /tmp/ojs-install.log
         echo "=========================================="
     fi
-    set_ojs_installed
 }
 
 function main {
-    mysql_create_database
-
     # wait for nginx
     if ! timeout 300 wait-for-open-port.sh localhost 80; then
       echo "Could not connect to nginx at localhost:80"
       exit 1
     fi
-
-    if ! check_ojs_installed; then
-        install_ojs &
-        echo "OJS installation started."
-    else
-        echo "OJS is already installed. Skipping installation."
-        set_ojs_installed
+    if [ "${DB_HOST}" = "mariadb" ]; then
+      mysql_create_database
+      install_ojs &
+      echo "OJS installation started."
+      exit 0
     fi
+
+    set_ojs_installed
 }
 main

scripts/generate-secrets.sh

@@ -16,3 +16,16 @@ yq -r '.secrets[].file' docker-compose.yaml | uniq | while read -r SECRET; do
     (grep -ao "${CHARACTERS}" < /dev/urandom || true) | head "-${LENGTH}" | tr -d '\n' > "${SECRET}"
   fi
 done
+
+if [ -f docker-compose.override.yaml ]; then
+  yq -r '.secrets[].file' docker-compose.override.yaml | uniq | while read -r SECRET; do
+    if [ ! -f "${SECRET}" ]; then
+      echo "Creating: ${SECRET}" >&2
+      DIR=$(dirname "${SECRET}")
+      if [ ! -d "${DIR}" ]; then
+        mkdir -p "$DIR"
+      fi
+      (grep -ao "${CHARACTERS}" < /dev/urandom || true) | head "-${LENGTH}" | tr -d '\n' > "${SECRET}"
+    fi
+  done
+fi