adding nginx to wts

.secrets.baseline

@@ -7,9 +7,6 @@
     {
       "name": "AWSKeyDetector"
     },
-    {
-      "name": "AzureStorageKeyDetector"
-    },
     {
       "name": "Base64HighEntropyString",
       "limit": 4.5
@@ -20,15 +17,9 @@
     {
       "name": "CloudantDetector"
     },
-    {
-      "name": "DiscordBotTokenDetector"
-    },
-    {
-      "name": "GitHubTokenDetector"
-    },
     {
       "name": "HexHighEntropyString",
-      "limit": 3.0
+      "limit": 3
     },
     {
       "name": "IbmCloudIamDetector"
@@ -46,24 +37,15 @@
     {
       "name": "MailchimpDetector"
     },
-    {
-      "name": "NpmDetector"
-    },
     {
       "name": "PrivateKeyDetector"
     },
-    {
-      "name": "SendGridDetector"
-    },
     {
       "name": "SlackDetector"
     },
     {
       "name": "SoftlayerDetector"
     },
-    {
-      "name": "SquareOAuthDetector"
-    },
     {
       "name": "StripeDetector"
     },
@@ -75,6 +57,10 @@
     {
       "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
     },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
     {
       "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
       "min_level": 2
@@ -105,18 +91,15 @@
     },
     {
       "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    },
+    {
+      "path": "detect_secrets.filters.regex.should_exclude_file",
+      "pattern": [
+        "^.secrets.baseline$"
+      ]
     }
   ],
   "results": {
-    ".github/workflows/ci.yaml": [
-      {
-        "type": "Secret Keyword",
-        "filename": ".github/workflows/ci.yaml",
-        "hashed_secret": "3e26d6750975d678acb8fa35a0f69237881576b0",
-        "is_verified": false,
-        "line_number": 13
-      }
-    ],
     "README.md": [
       {
         "type": "Secret Keyword",
@@ -181,15 +164,8 @@
         "hashed_secret": "109f4b3c50d7b0df729d299bc6f8e9ef9066971f",
         "is_verified": false,
         "line_number": 13
-      },
-      {
-        "type": "Secret Keyword",
-        "filename": "tests/test_settings.json",
-        "hashed_secret": "3ebfa301dc59196f18593c45e519287a23297589",
-        "is_verified": false,
-        "line_number": 28
       }
     ]
   },
-  "generated_at": "2024-07-25T20:59:28Z"
+  "generated_at": "2023-09-19T21:25:48Z"
 }

Dockerfile

@@ -1,43 +1,38 @@
-# To run: docker run -v /path/to/wsgi.py:/var/www/wts/wsgi.py --name=wts -p 81:80 wts
-# To check running container: docker exec -it wts /bin/bash
+ARG AZLINUX_BASE_VERSION=master
 
-FROM quay.io/cdis/python:python3.9-buster-2.0.0
-
-RUN apt-get update \
-    && apt-get install -y --no-install-recommends curl bash git vim
+# Base stage with python-build-base
+FROM quay.io/cdis/python-nginx-al:${AZLINUX_BASE_VERSION} AS base
 
 ENV appname=wts
 
-COPY . /$appname
-COPY ./deployment/uwsgi/uwsgi.ini /etc/uwsgi/uwsgi.ini
-COPY ./deployment/uwsgi/wsgi.py /$appname/wsgi.py
-WORKDIR /$appname
+WORKDIR /${appname}
+
+RUN chown -R gen3:gen3 /${appname}
+
+# Builder stage
+FROM base AS builder
+
+USER gen3
+
+COPY poetry.lock pyproject.toml /${appname}/
 
-RUN COMMIT=`git rev-parse HEAD` && echo "COMMIT=\"${COMMIT}\"" >$appname/version_data.py \
-    && VERSION=`git describe --always --tags` && echo "VERSION=\"${VERSION}\"" >>$appname/version_data.py
+RUN poetry install -vv --without dev --no-interaction
 
-RUN pip install --upgrade pip
-RUN pip install --upgrade poetry
+COPY --chown=gen3:gen3 . /${appname}
+COPY --chown=gen3:gen3 ./deployment/wsgi/wsgi.py /${appname}/wsgi.py
 
-COPY poetry.lock pyproject.toml /$appname/
-RUN poetry config virtualenvs.create false \
-    && poetry install -vv --no-dev --no-interaction \
-    && poetry show -v
+# Run poetry again so this app itself gets installed too
+RUN poetry install --without dev --no-interaction
 
-RUN mkdir -p /var/www/$appname \
-    && mkdir -p /var/www/.cache/Python-Eggs/ \
-    && mkdir /run/nginx/ \
-    && ln -sf /dev/stdout /var/log/nginx/access.log \
-    && ln -sf /dev/stderr /var/log/nginx/error.log \
-    && chown nginx -R /var/www/.cache/Python-Eggs/ \
-    && chown nginx /var/www/$appname
+RUN git config --global --add safe.directory /${appname} && COMMIT=`git rev-parse HEAD` && echo "COMMIT=\"${COMMIT}\"" > /${appname}/version_data.py \
+    && VERSION=`git describe --always --tags` && echo "VERSION=\"${VERSION}\"" >> /${appname}/version_data.py
 
-# py httpx in authlib wants to access $HOME/.netrc -
-# there is nothing secret in /root
-RUN touch /root/.netrc && chmod -R a+rX /root
+# Final stage
+FROM base
 
-EXPOSE 80
+COPY --from=builder /${appname} /${appname}
 
-WORKDIR /var/www/$appname
+# Switch to non-root user 'gen3' for the serving process
+USER gen3
 
-CMD /dockerrun.sh
+CMD ["/bin/bash", "-c", "/wts/dockerrun.bash"]

deployment/wsgi/gunicorn.conf.py

@@ -0,0 +1,6 @@
+wsgi_app = "deployment.wsgi.wsgi:application"
+bind = "0.0.0.0:8000"
+workers = 1
+user = "gen3"
+group = "gen3"
+timeout = 300

dockerrun.bash

@@ -0,0 +1,4 @@
+#!/bin/bash
+
+nginx
+poetry run gunicorn -c "/wts/deployment/wsgi/gunicorn.conf.py"