From 4f81baf02fc1458b28861e9916edd41668b1e5b7 Mon Sep 17 00:00:00 2001
From: Disassembler <disassembler@dasm.cz>
Date: Fri, 1 Mar 2019 12:23:22 +0100
Subject: [PATCH] Upgrade OpenDataKit Aggregate to 2.0 + switch to Tomcat 8.5

---
 .../srv/opendatakit/conf/security.properties  | 41 ++-----------------
 .../install/srv/opendatakit/conf/server.xml   | 41 +++++++++++++++----
 opendatakit/lxcfile                           | 26 ++++--------
 opendatakit/meta                              |  2 +-
 4 files changed, 46 insertions(+), 64 deletions(-)

diff --git a/opendatakit/install/srv/opendatakit/conf/security.properties b/opendatakit/install/srv/opendatakit/conf/security.properties
index 0295a7e..b8231a9 100644
--- a/opendatakit/install/srv/opendatakit/conf/security.properties
+++ b/opendatakit/install/srv/opendatakit/conf/security.properties
@@ -1,45 +1,10 @@
-# Either basic or digest
-security.server.deviceAuthentication=basic
-
-# Choose whether to secure everything with https or allow http access.
-#
-# NOTE: changes also needed to:
-# -- server.xml (Tomcat configuration file) to set up the secure channel
-#
-# issue 648 - REQUIRES_INSECURE_CHANNEL is now the default instead of ANY_CHANNEL
-# there are various edge cases that have not been tested in the UI for
-# allowing arbitrary accesses, as the session cookie and authentication
-# do get set for a specific http: or https: scheme and are not transferrable.
-#
-# should be REQUIRES_SECURE_CHANNEL but can't unless SSL is available.
+security.server.deviceAuthentication=digest
 security.server.secureChannelType=REQUIRES_SECURE_CHANNEL
-
-# either REQUIRES_INSECURE_CHANNEL to secure nothing
-# or REQUIRES_SECURE_CHANNEL to secure everything
-# or perhaps ANY_CHANNEL when running through a proxy server
 security.server.channelType=ANY_CHANNEL
-
-# When running under Tomcat, you need to set the hostname and port for
-# the server so that the background tasks can generate properly-constructed
-# links in their documents and in their publications to the
-# external services.
-#
-# This is configured during install.  If blank, discovers an IP address
+security.server.forceHttpsLinks=false
 security.server.hostname=
 security.server.port=80
 security.server.securePort=443
-
-wink.handlersFactoryClass=org.opendatakit.aggregate.odktables.impl.api.wink.AppEngineHandlersFactory
-
-# e-mail of designated superuser. This must be a user that has an OAuth2
-# login hosted by a remote server (i.e., this must be a gmail account).
-# this should be of the form: 'mailto:user@gmail.com'
-security.server.superUser=
-
-# Define a superUserUsername to insert an OPENDATAKIT Aggregate username that can
-# access the server.  The initial password for this username is 'aggregate'
 security.server.superUserUsername=${OPENDATAKIT_ADMIN_USER}
-
-# realm definition
-# realmString -- what should be sent to users when BasicAuth or DigestAuth is done
 security.server.realm.realmString=${OPENDATAKIT_ADMIN_REALM}
+security.server.checkHostnames=false
diff --git a/opendatakit/install/srv/opendatakit/conf/server.xml b/opendatakit/install/srv/opendatakit/conf/server.xml
index 9c464d4..1401139 100644
--- a/opendatakit/install/srv/opendatakit/conf/server.xml
+++ b/opendatakit/install/srv/opendatakit/conf/server.xml
@@ -1,4 +1,4 @@
-<?xml version='1.0' encoding='utf-8'?>
+<?xml version="1.0" encoding="UTF-8"?>
 <!--
   Licensed to the Apache Software Foundation (ASF) under one or more
   contributor license agreements.  See the NOTICE file distributed with
@@ -61,7 +61,7 @@
 
     <!-- A "Connector" represents an endpoint by which requests are received
          and responses are returned. Documentation at :
-         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
+         Java HTTP Connector: /docs/config/http.html
          Java AJP  Connector: /docs/config/ajp.html
          APR (HTTP/AJP) Connector: /docs/apr.html
          Define a non-SSL/TLS HTTP/1.1 Connector on port 8080
@@ -80,14 +80,39 @@
                redirectPort="8443" />
     -->
     <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443
-         This connector uses the NIO implementation that requires the JSSE
-         style configuration. When using the APR/native implementation, the
-         OpenSSL style configuration is required as described in the APR/native
-         documentation -->
+         This connector uses the NIO implementation. The default
+         SSLImplementation will depend on the presence of the APR/native
+         library and the useOpenSSL attribute of the
+         AprLifecycleListener.
+         Either JSSE or OpenSSL style configuration may be used regardless of
+         the SSLImplementation selected. JSSE style configuration is used below.
+    -->
     <!--
     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
-               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
-               clientAuth="false" sslProtocol="TLS" />
+               maxThreads="150" SSLEnabled="true">
+        <SSLHostConfig>
+            <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
+                         type="RSA" />
+        </SSLHostConfig>
+    </Connector>
+    -->
+    <!-- Define a SSL/TLS HTTP/1.1 Connector on port 8443 with HTTP/2
+         This connector uses the APR/native implementation which always uses
+         OpenSSL for TLS.
+         Either JSSE or OpenSSL style configuration may be used. OpenSSL style
+         configuration is used below.
+    -->
+    <!--
+    <Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
+               maxThreads="150" SSLEnabled="true" >
+        <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
+        <SSLHostConfig>
+            <Certificate certificateKeyFile="conf/localhost-rsa-key.pem"
+                         certificateFile="conf/localhost-rsa-cert.pem"
+                         certificateChainFile="conf/localhost-rsa-chain.pem"
+                         type="RSA" />
+        </SSLHostConfig>
+    </Connector>
     -->
 
     <!-- Define an AJP 1.3 Connector on port 8009 -->
diff --git a/opendatakit/lxcfile b/opendatakit/lxcfile
index ce3e3c5..65dfba9 100644
--- a/opendatakit/lxcfile
+++ b/opendatakit/lxcfile
@@ -1,25 +1,18 @@
 IMAGE opendatakit
 LAYER shared/alpine3.9
 LAYER shared/alpine3.9-java8
-LAYER shared/alpine3.9-tomcat8
+LAYER shared/alpine3.9-tomcat8.5
 LAYER opendatakit/opendatakit
 
 RUN EOF
-    # Install build dependencies
-    apk --no-cache add --virtual .deps git git-lfs openjdk8
-
-    # Clone ODK aggregate
-    git clone --depth 1000 https://github.com/opendatakit/aggregate.git /srv/opendatakit
-    git -C /srv/opendatakit checkout c285f1c
-
-    # Compile Java web archive
-    cd /srv/opendatakit
-    cp gradle.properties.example gradle.properties
-    ./gradlew war
-
-    # Deploy web archive
+    # Download OpenDataKit
+    wget https://github.com/opendatakit/aggregate/releases/download/v2.0.0/ODK-Aggregate-v2.0.0.war -O /tmp/odk.war
     mkdir /srv/tomcat/webapps/ROOT
-    unzip build/libs/aggregate-*.war -d /srv/tomcat/webapps/ROOT
+    unzip /tmp/odk.war -d /srv/tomcat/webapps/ROOT
+
+    # Update Postgres JDBC driver
+    rm /srv/tomcat/webapps/ROOT/WEB-INF/lib/postgresql-42.1.4.jre7.jar
+    wget https://jdbc.postgresql.org/download/postgresql-42.2.5.jar -O /srv/tomcat/webapps/ROOT/WEB-INF/lib/postgresql-42.2.5.jar
 
     # Create OS user
     addgroup -S -g 8015 odk
@@ -27,8 +20,7 @@ RUN EOF
     chown -R odk:odk /srv/tomcat/conf /srv/tomcat/logs /srv/tomcat/temp /srv/tomcat/webapps /srv/tomcat/work
 
     # Cleanup
-    apk --no-cache del .deps
-    rm -rf /root/.gradle /root/.java /srv/opendatakit
+    rm /tmp/odk.war
 EOF
 
 MOUNT FILE /srv/opendatakit/conf/server.xml srv/tomcat/conf/server.xml
diff --git a/opendatakit/meta b/opendatakit/meta
index 0774b8a..aeb50a3 100644
--- a/opendatakit/meta
+++ b/opendatakit/meta
@@ -6,5 +6,5 @@
     "version": "0.0.1",
     "release": "0",
     "license": "GPL",
-    "depends": ["alpine3.9-tomcat8", "postgres"]
+    "depends": ["alpine3.9-tomcat8.5", "postgres"]
 }