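# -*- coding: utf-8 -*-
#
# Copyright (C) 2020 Mojib Wali.
#
# invenio-config-tugraz is free software; you can redistribute it and/or
# modify it under the terms of the MIT License; see LICENSE file for more
# details.

"""Invenio module that adds TU Graz configuration defaults.

Everything in this module is a *default*.  Deployment-specific values and
anything secret (IdP configuration, reCAPTCHA private key, real host
names) belong in ``invenio.cfg``, not here.
"""

from flask_babelex import gettext as _

INVENIO_CONFIG_TUGRAZ_SHIBBOLETH = True
"""Set True if SAML (Shibboleth) single sign-on is configured."""

INVENIO_CONFIG_TUGRAZ_SINGLE_IP = []
"""Allow access to users whose client IP address is listed.

Example::

    INVENIO_CONFIG_TUGRAZ_SINGLE_IP = ["127.0.0.1", "127.0.0.2"]

NOTE(review): an IP allow-list is only as trustworthy as the client
address the application sees.  Behind a reverse proxy the address has to
be taken from a forwarding header that only the trusted proxy can set
(e.g. via Werkzeug's ``ProxyFix``); otherwise a client can spoof
``X-Forwarded-For`` and satisfy the check.  Presumably consumed by the
``RecordIp`` permission generator documented at the end of this module.
"""

INVENIO_CONFIG_TUGRAZ_IP_RANGES = []
"""Allow access to users whose client IP address falls in a listed range.

Each entry is a ``[first, last]`` pair (presumably inclusive -- confirm
against the ``RecordIp`` generator)::

    INVENIO_CONFIG_TUGRAZ_IP_RANGES = [
        ["127.0.0.2", "127.0.0.99"],
        ["127.0.1.3", "127.0.1.5"],
    ]

The same proxy-header caveat as for ``INVENIO_CONFIG_TUGRAZ_SINGLE_IP``
applies.
"""

# Invenio-App
# ===========
# See https://invenio-app.readthedocs.io/en/latest/configuration.html

APP_ALLOWED_HOSTS = [
    '0.0.0.0',
    'localhost',
    '127.0.0.1',
    'invenio-dev01.tugraz.at',
    'invenio-test.tugraz.at',
]
"""Allowed values of the HTTP ``Host`` header.

Per the Invenio-App docs linked above, requests whose ``Host`` is not in
this list are rejected, which blocks host-header injection (e.g.
poisoned links in generated emails).  The loopback and ``0.0.0.0``
entries exist for local development only; a production ``invenio.cfg``
should override the list with the public host name(s).
"""

APP_DEFAULT_SECURE_HEADERS = {
    'content_security_policy': {
        'default-src': [
            "'self'",
            'fonts.googleapis.com',
            '*.gstatic.com',
            'data:',
            # NOTE(review): 'unsafe-inline' and 'unsafe-eval' in default-src
            # largely neutralise CSP as an XSS mitigation, because injected
            # inline <script> and eval() remain allowed.  They are kept here
            # on the assumption that the bundled UI needs them -- verify with
            # report-only mode (below) before tightening.
            "'unsafe-inline'",
            "'unsafe-eval'",
            "blob:",
        ],
    },
    # Set True together with a report_uri to trial a stricter policy
    # without breaking the UI.
    'content_security_policy_report_only': False,
    'content_security_policy_report_uri': None,
    'force_file_save': False,
    # Redirect HTTP to HTTPS; the redirect is non-permanent so a
    # misconfiguration is not cached by browsers.
    'force_https': True,
    'force_https_permanent': False,
    # Only same-origin pages may frame the site (clickjacking defence).
    'frame_options': 'sameorigin',
    'frame_options_allow_from': None,
    # Session cookie is unreadable from JavaScript and sent over HTTPS only.
    'session_cookie_http_only': True,
    'session_cookie_secure': True,
    # HSTS for one year including subdomains; not opted into the browser
    # preload list, which is hard to undo.
    'strict_transport_security': True,
    'strict_transport_security_include_subdomains': True,
    'strict_transport_security_max_age': 31556926,  # One year in seconds
    'strict_transport_security_preload': False,
}
"""Secure HTTP response headers applied by Invenio-App."""

# Invenio-Mail
# ============
# See https://invenio-mail.readthedocs.io/en/latest/configuration.html

MAIL_SERVER = 'localhost'
"""Host name or IP address of the outgoing mail server."""

SECURITY_EMAIL_SENDER = "info@invenio-test.tugraz.at"
"""Sender address of account-registration emails.

The domain should match the domain served by the web server; otherwise
the mail is likely to be rejected or flagged by SPF/DMARC checks.
"""

SECURITY_EMAIL_SUBJECT_REGISTER = _("Welcome to RDM!")
"""Subject line of account-registration emails."""

MAIL_SUPPRESS_SEND = True
"""Suppress actual email delivery.

``True`` (the default here) means mail is composed but not delivered,
which is what development and test deployments want.  Set it to
``False`` only in the deployment that should really send mail.
"""

# CORS - Cross-origin resource sharing
# ====================================
# Uncomment to enable CORS.
#
# NOTE(review): ``CORS_RESOURCES = '*'`` with ``CORS_SEND_WILDCARD = True``
# answers every origin with ``Access-Control-Allow-Origin: *``.  Browsers
# refuse to send credentials (the session cookie) with a wildcard origin,
# so this only exposes data that is public anyway -- but if the API is
# ever meant to be called cross-origin with the session cookie, list the
# trusted origins explicitly instead of using the wildcard.
#
# CORS_RESOURCES = '*'
# CORS_SEND_WILDCARD = True
# CORS_EXPOSE_HEADERS = [
#     'ETag',
#     'Link',
#     'X-RateLimit-Limit',
#     'X-RateLimit-Remaining',
#     'X-RateLimit-Reset',
#     'Content-Type',
# ]
# REST_ENABLE_CORS = True

# Invenio-shibboleth
# ==================
# See https://invenio-shibboleth.readthedocs.io/en/latest/configuration.html

USERPROFILES_EXTEND_SECURITY_FORMS = True
"""Set True to add the user-profile fields to the security forms.

This also forces a user to provide a username and full name when
registering.
"""

SSO_SAML_IDPS = {}
"""Identity-provider (IdP) configuration.

Deliberately empty here: the actual values are set in ``invenio.cfg``.
Keep anything secret in that file, never in this module.
"""

SSO_SAML_DEFAULT_BLUEPRINT_PREFIX = '/shibboleth'
"""Base URL prefix of the SSO blueprint's endpoints."""

SSO_SAML_DEFAULT_METADATA_ROUTE = '/metadata/'
"""URL route serving the SP metadata.

The resulting URL, ``https://<domain>/shibboleth/metadata/``, is also the
SP entityID.
"""

SSO_SAML_DEFAULT_SSO_ROUTE = '/login/'
"""URL route that starts an SP-initiated login."""

SSO_SAML_DEFAULT_ACS_ROUTE = '/authorized/'
"""URL route (Assertion Consumer Service) handling the IdP login response."""

SSO_SAML_DEFAULT_SLO_ROUTE = '/slo/'
"""URL route that starts an SP-initiated logout."""

SSO_SAML_DEFAULT_SLS_ROUTE = '/sls/'
"""URL route (Single Logout Service) handling the IdP logout request."""

# Invenio-accounts
# ================
# See https://invenio-accounts.readthedocs.io/en/latest/configuration.html

SECURITY_CHANGEABLE = False
"""Allow users to change their password.

Disabled -- presumably because, with SAML SSO enabled above, local
passwords are not the intended login path.
"""

SECURITY_RECOVERABLE = False
"""Allow users to recover (reset) a forgotten password.

Disabled for the same reason as ``SECURITY_CHANGEABLE``.
"""

SECURITY_REGISTERABLE = True
"""Allow users to register.

With this set to ``False`` users cannot register and cannot navigate to
the ``/signup`` page.
"""

SECURITY_CONFIRMABLE = False
"""Require users to confirm their email address.

Disabled: users get a welcome email instead of a confirmation link.
NOTE(review): with registration open and confirmation off, an account can
be created with an email address its creator does not control; that is
acceptable only if SSO is the real login path or reCAPTCHA (below) is
enabled in ``invenio.cfg``.
"""

ACCOUNTS = True
"""Whether the templates should use the accounts module.

If ``False`` you will not be able to log in via the web UI.  If instead
you override the login template in your ``config.py``, e.g.::

    SECURITY_LOGIN_USER_TEMPLATE = 'invenio_theme_tugraz/accounts/login.html'

you can remove the ``{%- if config.ACCOUNTS %}`` condition from
``header_login.htm`` so that your overridden ``login.html`` is rendered.
"""

# Accounts
# ========
# Actual values are set in invenio.cfg.

#: reCAPTCHA public (site) key; set both keys to enable reCAPTCHA.
RECAPTCHA_PUBLIC_KEY = None
#: reCAPTCHA private key.  This is a secret: set it in invenio.cfg,
#: never in this module.
RECAPTCHA_PRIVATE_KEY = None

# invenio-records-permissions
# ===========================
# See:
# https://invenio-records-permissions.readthedocs.io/en/latest/configuration.html
#
"""Default policies for records:

.. code-block:: python

    # Read access given to everyone.
    can_search = [AnyUser()]

    # Create action given to no one (not even superusers) because
    # deposits should be used.
    can_create = [Disable()]

    # Read access given to everyone if public record/files, and always
    # to owners.
    can_read = [AnyUserIfPublic(), RecordOwners()]

    # Update access given to record owners.
    can_update = [RecordOwners()]

    # Delete access given to admins only.
    can_delete = [Admin()]

    # Associated files permissions (which are really bucket permissions).
    can_read_files = [AnyUserIfPublic(), RecordOwners()]
    can_update_files = [RecordOwners()]
"""

"""How to override the default policies for records.

Using a custom generator for a policy:

.. code-block:: python

    from invenio_rdm_records.permissions import RDMRecordPermissionPolicy
    from invenio_config_tugraz import RecordIp

    class TUGRAZPermissionPolicy(RDMRecordPermissionPolicy):
        # Delete access given to RecordIp only.
        can_delete = [RecordIp()]

    RECORDS_PERMISSIONS_RECORD_POLICY = TUGRAZPermissionPolicy

NOTE(review): this example makes the right to delete depend solely on
the client's network address.  Generators in a ``can_*`` list are
alternatives (any one of them grants, as ``can_read`` above shows), so
listing ``RecordIp()`` next to ``Admin()`` widens access rather than
narrowing it; an "owner *and* on-site" rule has to be a single generator.
The proxy-header caveat on ``INVENIO_CONFIG_TUGRAZ_SINGLE_IP`` applies
here as well.
"""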