invenio.cfg

"""
InvenioRDM settings for CaltechDATA project.

This file was automatically generated by 'invenio-cli init'.

For the full list of settings and their values, see
https://inveniordm.docs.cern.ch/reference/configuration/.
"""

from invenio_saml.handlers import acs_handler_factory

# NOTE: Per Tom's conversation with community the following
# end point do not need to be changed, they are internal to Invenio RDM
SSO_SAML_DEFAULT_BLUEPRINT_PREFIX = '/saml'
"""Base URL for the extensions endpoint."""

SSO_SAML_DEFAULT_METADATA_ROUTE = '/metadata/<idp>'
"""URL route for the metadata request."""

SSO_SAML_DEFAULT_SSO_ROUTE = '/login/<idp>'
"""URL route for the SP login."""

SSO_SAML_DEFAULT_ACS_ROUTE = '/authorized/<idp>'
"""URL route to handle the IdP login request."""

SSO_SAML_DEFAULT_SLO_ROUTE = '/slo/<idp>'
"""URL route for the SP logout."""

SSO_SAML_DEFAULT_SLS_ROUTE = '/sls/<idp>'
"""URL route to handle the IdP logout request."""

# NOTE: This section needs to be updated to 
# replace site settings.
SSO_SAML_IDPS = {

    # name your authentication provider
    'caltechdata_sso': {

        # Basic info
        "title": "access.caltech",
        "description": "SAML Authentication Service",
        "icon": "",

        # path to the file i.e. "./saml/sp.crt"
        'sp_cert_file': './saml/sp.crt',

        # path to the file i.e. "./saml/sp.key"
        'sp_key_file': './saml/sp.key',

        'settings': {
            # If strict is True, then the Python Toolkit will reject unsigned
            # or unencrypted messages if it expects them to be signed or encrypted.
            # Also it will reject the messages if the SAML standard is not strictly
            # followed. Destination, NameId, Conditions ... are validated too.
            'strict': True,

            # Enable debug mode (outputs errors).
            'debug': True,

            # Service Provider Data that we are deploying.
            'sp': {

                # Specifies the constraints on the name identifier to be used to
                # represent the requested subject.
                # Take a look on https://github.com/onelogin/python-saml/blob/master/src/onelogin/saml2/constants.py
                # to see the NameIdFormat that are supported.
                'NameIDFormat': 'urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified',
                #'NameIDFormat': 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient',
                #'NameIDFormat': 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress',
            },

            # Identity Provider Data that we want connected with our SP.
            'idp': {

                # Identifier of the IdP entity  (must be a URI)
                'entityId': 'https://idp.caltech.edu/idp/shibboleth',

                # SSO endpoint info of the IdP. (Authentication Request protocol)
                'singleSignOnService': {

                    # URL Target of the IdP where the Authentication Request Message
                    # will be sent.
                    'url': 'https://idp.caltech.edu/idp/profile/SAML2/Redirect/SSO',

                    # SAML protocol binding to be used when returning the <Response>
                    # message. OneLogin Toolkit supports the HTTP-Redirect binding
                    # only for this endpoint.
                    'binding':
                        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
                },

                # SLO endpoint info of the IdP.
                'singleLogoutService': {

                    # URL Location where the <LogoutRequest> from the IdP will be sent (IdP-initiated logout)
                    'url': 'https://idp.caltech.edu/idp/profile/Logout',

                    # SAML protocol binding to be used when returning the <Response>
                    # message. OneLogin Toolkit supports the HTTP-Redirect binding
                    # only for this endpoint.
                    'binding':
                        'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect'
                },
                # Public X.509 certificate of the IdP
                'x509cert': '''-----BEGIN CERTIFICATE-----
MIIDJzCCAg+gAwIBAgIUC0Z5A7Hz0aGgHdvfgWBw/TW939IwDQYJKoZIhvcNAQEF
BQAwGjEYMBYGA1UEAxMPaWRwLmNhbHRlY2guZWR1MB4XDTEwMDIwNDAwMzgxNFoX
DTMwMDIwNDAwMzgxNFowGjEYMBYGA1UEAxMPaWRwLmNhbHRlY2guZWR1MIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjUfvISEj5BkXO8k4dKr7C1NdlDIs
osNxbjP39/8oVwgGaMSnkfMhY6xct9gnxTzCRXe49MU+UyVRlljTqTeIJf8VG0K2
aPSRk9xpzWje/fEkUHgpOjLDM0TNB2tWIQbHQwHz7HsuB/Au870PBMv4EfVz4us8
yTmYvY2ZJPe192BnIbNyLub138HXjr7TrLBxMg7KulnanGnN75UrVjueRzAvFZlE
lAZ+shDsjVYAoceEaFn7TF37ehVdjbXwOegtu+vU0kjjCS3cQUXXOs1Ojz6Vood/
oP1SOisW3bEhboKMUCWEcDckUXHVd/qCekbUsJEt5KAK6Gmf5Ygha748kQIDAQAB
o2UwYzBCBgNVHREEOzA5gg9pZHAuY2FsdGVjaC5lZHWGJmh0dHBzOi8vaWRwLmNh
bHRlY2guZWR1L2lkcC9zaGliYm9sZXRoMB0GA1UdDgQWBBRlqKQBRnVFASGfdigd
a/ihuq365zANBgkqhkiG9w0BAQUFAAOCAQEAck8P9JfpOWTpgc4LCyaY3WiJFIGe
WT25D+6Gj7ADxj7+o2UZCcB2sI5LvyFJaetQSB/7p0F+hmU8/csunwoWARnbOcJt
SmbyiJQ6eKUXOklOEqxEpGZRa2MbRwukfVx+v6U3N75JxoyuNfqC/G3tKzOIo4qz
uxiE+1ntesuGTmWuLx9dIKILJ6XuD/rmGSkeKWljLC1jNQEjHioskqIFhcF1JxDv
qnn8IBfnaoc4GX6AV3fEHifdQEOu7GdicUeA8o+cKqddCZf1PoUTSPby1NcFeDO6
PPYq4pWYGD1Sc8SOXB+99YOD8hJObGIcskF0VRwv1Kg7rrTBqPLic7kcRA==
-----END CERTIFICATE-----'''
            },

            # Security settings
            # more on https://github.com/onelogin/python-saml
            'security': {
                'authnRequestsSigned': False,
                'failOnAuthnContextMismatch': False,
                'logoutRequestSigned': False,
                'logoutResponseSigned': False,
                'metadataCacheDuration': None,
                'metadataValidUntil': None,
                'nameIdEncrypted': False,
                'requestedAuthnContext': False,
                'requestedAuthnContextComparison': 'exact',
                'signMetadata': False,
                'signatureAlgorithm':
                    'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256',
                'wantAssertionsEncrypted': False,
                'wantAssertionsSigned': False,
                'wantAttributeStatement': False,
                'wantMessagesSigned': False,
                'wantNameId': True,
                'wantNameIdEncrypted': False,
                'digestAlgorithm':
                    'http://www.w3.org/2001/04/xmlenc#sha256'
            },
        },

        # Account Mapping
        # Based on URN to OID mapping found at UCLA
        # https://spaces.ais.ucla.edu/display/iamucladocs/Mapping+of+URN+Attributes+and+OID+Attributes
        # And U. Bamberg's kind help.
        "mappings": {
            # EMail maps to mail in our attribute list.
            "email": "urn:oid:0.9.2342.19200300.100.1.3",
            # Name is "givenName" value?
            "name": "urn:oid:2.5.4.42",
            # In Bamberg example this maps to "sn", which I think is surname
            # in our attributes.
            "surname": "urn:oid:2.5.4.4",
            # In Bamberg example this looks like LDAP "cn" or commonName?
            # Trying eduPersonPrincipleName (e.g. rsdoiel@caltech.edu)
            #"external_id": "urn:oid:2.5.4.3",
	    "external_id": "urn:oid:1.3.6.1.4.1.5923.1.1.1.6",
        },

        # Inject your remote_app to handler
        # Note: keep in mind the string should match
        # given name for authentication provider
        'acs_handler': acs_handler_factory('caltechdata_sso'),
	'auto_confirm': True,
    }
}

from datetime import datetime
from flask_babelex import lazy_gettext as _

# Setup for migration
RATELIMIT_AUTHENTICATED_USER = "25000 per hour;500 per minute"

# Setup deposit form quota
APP_RDM_DEPOSIT_FORM_QUOTA = {
    "maxFiles": 100,
    "maxStorage": 500000000000,
}

# Flask
# =====
# See https://flask.palletsprojects.com/en/1.1.x/config/

# Since HAProxy and Nginx route all requests no matter the host header
# provided, the allowed hosts variable is set to localhost. In production it
# should be set to the correct host and it is strongly recommended to only
# route correct hosts to the application.
APP_ALLOWED_HOSTS = ['data.caltech.edu']


# Flask-SQLAlchemy
# ================
# See https://flask-sqlalchemy.palletsprojects.com/en/2.x/config/

# TODO: Set
SQLALCHEMY_DATABASE_URI="postgresql+psycopg2://caltechdata:caltechdata@localhost/caltechdata"


# Invenio-App
# ===========
# See https://invenio-app.readthedocs.io/en/latest/configuration.html

APP_DEFAULT_SECURE_HEADERS = {
    'content_security_policy': {
        'default-src': [
            "'self'",
            'data:', # for fonts
            "'unsafe-inline'",  # for inline scripts and styles
            "blob:",            # for pdf preview
            # Add your own policies here (e.g. analytics)
        ],
    },
    'content_security_policy_report_only': False,
    'content_security_policy_report_uri': None,
    'force_file_save': False,
    'force_https': True,
    'force_https_permanent': False,
    'frame_options': 'sameorigin',
    'frame_options_allow_from': None,
    'session_cookie_http_only': True,
    'session_cookie_secure': True,
    'strict_transport_security': True,
    'strict_transport_security_include_subdomains': True,
    'strict_transport_security_max_age': 31556926,  # One year in seconds
    'strict_transport_security_preload': False,
}


# Flask-Babel
# ===========
# See https://flask-babel.tkte.ch/#configuration

# Default locale (language)
BABEL_DEFAULT_LOCALE = 'en'
# Default time zone
BABEL_DEFAULT_TIMEZONE = 'UTC'


# Invenio-I18N
# ============
# See https://invenio-i18n.readthedocs.io/en/latest/configuration.html

# Other supported languages (do not include BABEL_DEFAULT_LOCALE in list).
I18N_LANGUAGES = [
    # ('de', _('German')),
    # ('tr', _('Turkish')),
]


# Invenio-Theme
# =============
# See https://invenio-theme.readthedocs.io/en/latest/configuration.html

#: Site name.
THEME_SITENAME = "CaltechDATA"
# Frontpage title
THEME_FRONTPAGE_TITLE = "CaltechDATA"
# Header logo
THEME_LOGO = 'images/CaltechDATA-by-Caltech-Library-blue-with-padding.svg'
THEME_TRACKINGCODE_TEMPLATE = './invenio_theme/trackingcode.html'
# Allow matomo endpoint in the CSP rules
APP_DEFAULT_SECURE_HEADERS['content_security_policy']['default-src'].append(
    'https://cdn.matomo.cloud'
)
APP_DEFAULT_SECURE_HEADERS['content_security_policy']['default-src'].append(
    'https://caltechlibrary.matomo.cloud'
)
THEME_GOOGLE_SITE_VERIFICATION = ['S9ahhSTJNJrGXH8CLzN9O29lYE5sbaFyCLkdCXHU24U']

# Invenio-App-RDM
# ===============
# See https://invenio-app-rdm.readthedocs.io/en/latest/configuration.html

# Instance's theme entrypoint file. Path relative to the ``assets/`` folder.
INSTANCE_THEME_FILE = './less/theme.less'

# Invenio-Files-Rest
# ==================
FILES_REST_STORAGE_FACTORY='invenio_s3.s3fs_storage_factory'

# Invenio-S3
# ==========
S3_ENDPOINT_URL='https://s3.us-west-2.amazonaws.com/'
S3_REGION_NAME='us-west-2'

# Allow S3 endpoint in the CSP rules
APP_DEFAULT_SECURE_HEADERS['content_security_policy']['default-src'].append(
    S3_ENDPOINT_URL
)


# Invenio-Records-Resources
# =========================
# See https://github.com/inveniosoftware/invenio-records-resources/blob/master/invenio_records_resources/config.py

# TODO: Set with your own hostname when deploying to production
SITE_UI_URL = "https://data.caltech.edu"

SITE_API_URL = "https://data.caltech.edu/api"

APP_RDM_DEPOSIT_FORM_DEFAULTS = {
    "publication_date": lambda: datetime.now().strftime("%Y-%m-%d"),
    "rights": [
        {
            "id": "cc0-1.0",
            "title": "Creative Commons Zero v1.0 Universal",
            "description": ("CC0 waives copyright interest in a work you've "
            " created and dedicates it to the world-wide public domain. CC0 "
            " is recommended for datasets to ensure your work has the "
            " widest reach."),
            "link": "https://creativecommons.org/publicdomain/zero/1.0/legalcode",
        }
    ],
    "publisher": "CaltechDATA",
}

# See https://github.com/inveniosoftware/invenio-app-rdm/blob/master/invenio_app_rdm/config.py
APP_RDM_DEPOSIT_FORM_AUTOCOMPLETE_NAMES = 'search' # "search_only" or "off"

RDM_CITATION_STYLES = [
     ('apa', _('APA')),
     ('american-chemical-society', _('ACS')),
     ('ieee', _('IEEE')),
     ('chicago-author-date', _('Chicago')), 
     ('science', _('Science')),
     ('bibtex', _('Bibtex')),

]

RDM_SEARCH = {
    # Supported values: access_status, is_published, language, resource_type,
    # subject, subject_nested
    "facets": ["resource_type", "subject"],
    # Supported values: bestmatch, newest, oldest, version, updated-desc,
    # updated-asc
    "sort": ["bestmatch", "newest", "oldest", "version"] #, "updated-desc", "updated-asc"]
}

# Invenio-RDM-Records
# ===================
# See https://inveniordm.docs.cern.ch/customize/dois/
DATACITE_ENABLED = True
DATACITE_USERNAME = "CALTECH.DATA"
DATACITE_PREFIX = "10.22002"
DATACITE_TEST_MODE = False
DATACITE_DATACENTER_SYMBOL = ""

# Authentication - Invenio-Accounts and Invenio-OAuthclient
# =========================================================
# See: https://inveniordm.docs.cern.ch/customize/authentication/

# Invenio-Accounts
# ----------------
# See https://github.com/inveniosoftware/invenio-accounts/blob/master/invenio_accounts/config.py
ACCOUNTS_LOCAL_LOGIN_ENABLED = True  # enable local login
SECURITY_REGISTERABLE = False  # local login: allow users to register
SECURITY_RECOVERABLE = True  # local login: allow users to reset the password
SECURITY_CHANGEABLE = True  # local login: allow users to change psw
SECURITY_CONFIRMABLE = True  # local login: users can confirm e-mail address
SECURITY_LOGIN_WITHOUT_CONFIRMATION = True # require users to confirm email before being able to login

# Invenio-OAuthclient
# -------------------
# See https://github.com/inveniosoftware/invenio-oauthclient/blob/master/invenio_oauthclient/config.py

OAUTHCLIENT_REMOTE_APPS = {}  # configure external login providers

from invenio_oauthclient.views.client import auto_redirect_login
ACCOUNTS_LOGIN_VIEW_FUNCTION = auto_redirect_login  # autoredirect to external login if enabled
OAUTHCLIENT_AUTO_REDIRECT_TO_EXTERNAL_LOGIN = True  # autoredirect to external login
OAUTHCLIENT_LOGIN_USER_TEMPLATE = "invenio_saml/login_user.html"

# Invenio-UserProfiles
# --------------------
USERPROFILES_READ_ONLY = False  # allow users to change profile info (name, email, etc...)

# OAI-PMH
# =======
# See https://github.com/inveniosoftware/invenio-oaiserver/blob/master/invenio_oaiserver/config.py

OAISERVER_ID_PREFIX = "data.caltech.edu"
"""The prefix that will be applied to the generated OAI-PMH ids."""

# Customize Vocabularies
# ---------
# Customize vocabularies that are system variables

import idutils

def always_valid(identifier):
    """Gives every identifier as valid."""
    return True

RDM_RECORDS_IDENTIFIERS_SCHEMES = {
    "ark": {"label": _("ARK"), "validator": idutils.is_ark, "datacite": "ARK"},
    "arxiv": {"label": _("arXiv"), "validator": idutils.is_arxiv, "datacite": "arXiv"},
    "bibcode": {
        "label": _("Bibcode"),
        "validator": idutils.is_ads,
        "datacite": "bibcode",
    },
    "doi": {"label": _("DOI"), "validator": idutils.is_doi, "datacite": "DOI"},
    "ean13": {"label": _("EAN13"), "validator": idutils.is_ean13, "datacite": "EAN13"},
    "eissn": {"label": _("EISSN"), "validator": idutils.is_issn, "datacite": "EISSN"},
    "handle": {
        "label": _("Handle"),
        "validator": idutils.is_handle,
        "datacite": "Handle",
    },
    "igsn": {"label": _("IGSN"), "validator": always_valid, "datacite": "IGSN"},
    "isbn": {"label": _("ISBN"), "validator": idutils.is_isbn, "datacite": "ISBN"},
    "issn": {"label": _("ISSN"), "validator": idutils.is_issn, "datacite": "ISSN"},
    "istc": {"label": _("ISTC"), "validator": idutils.is_istc, "datacite": "ISTC"},
    "lissn": {"label": _("LISSN"), "validator": idutils.is_issn, "datacite": "LISSN"},
    "lsid": {"label": _("LSID"), "validator": idutils.is_lsid, "datacite": "LSID"},
    "pmid": {"label": _("PMID"), "validator": idutils.is_pmid, "datacite": "PMID"},
    "purl": {"label": _("PURL"), "validator": idutils.is_purl, "datacite": "PURL"},
    "upc": {"label": _("UPC"), "validator": always_valid, "datacite": "UPC"},
    "url": {"label": _("URL"), "validator": idutils.is_url, "datacite": "URL"},
    "urn": {"label": _("URN"), "validator": idutils.is_urn, "datacite": "URN"},
    "w3id": {"label": _("W3ID"), "validator": always_valid, "datacite": "w3id"},
    "cdid": {"label": _("CALTECHDATA_ID"), "validator": always_valid, "datacite": "cdid"},
    "dsa-110-id": {"label": _("DSA_110_ID"), "validator": always_valid, "datacite": "dsa-110-id"},
    "tiltid": {"label": _("TILT_SERIES_ID"), "validator": always_valid, "datacite": "tiltid"},
}
"""These are used for main, alternate and related identifiers."""

SECURITY_EMAIL_SENDER = "repositories@library.caltech.edu"
MAIL_SERVER = "smtp.gmail.com"
MAIL_USERNAME = "repositories@library.caltech.edu"
MAIL_USE_SSL = True
MAIL_PORT = 465

MAIL_SUPPRESS_SEND = False

PREVIEWER_PREFERENCE = [
    "csv_dthreejs",
    "iiif_simple", # Enables IIIF preview.
    "simple_image",
    "json_prismjs",
    "xml_prismjs",
    "mistune",
    "pdfjs",
    "ipynb",
    "zip",
    "txt",
]
"""Preferred previewers."""

IIIF_SIMPLE_PREVIEWER_NATIVE_EXTENSIONS = ["gif", "png", "jpg"]
"""Images are converted to JPEG for preview, unless listed here."""

IIIF_SIMPLE_PREVIEWER_SIZE = "!400,400"
"""Size of image in IIIF preview window. Must be a valid IIIF Image API size parameter."""

import sentry_sdk
from flask import Flask
from sentry_sdk.integrations.flask import FlaskIntegration

sentry_sdk.init(
    dsn="https://81545f7568417c8ebb7f2dc160c4f4e7@o4505830343245824.ingest.sentry.io/4505834416177152",
    integrations=[FlaskIntegration()],
    # Set traces_sample_rate to 1.0 to capture 100%
    # of transactions for performance monitoring.
    # We recommend adjusting this value in production.
    traces_sample_rate=0.01,
)

app = Flask(__name__)