add user prov

Dockerfile

@@ -5,7 +5,6 @@ FROM php:8.2-apache-buster
 ARG DEBIAN_FRONTEND=noninteractive
 
 
-
 # Install Webserver dep
 RUN apt-get update -qq && \
     apt-get -yq --no-install-recommends install \
@@ -20,8 +19,11 @@ RUN apt-get update -qq && \
     zip \
     ghostscript \
     libmagickwand-dev \
+    libyaml-dev \
     # cron req
     busybox-static \
+    # yaml support for user prov
+    && pecl install yaml \
     # INSTALL IMAGICK
     && pecl install imagick \
     && docker-php-ext-enable imagick \
@@ -65,7 +67,8 @@ ENV REDCAP_SUSPEND_SITE_ADMIN=false
 
 # USER Provisioning
 ENV ENABLE_USER_PROV=true
-ENV USER_PROV_YAML_DIR=/opt/redcap-docker/users
+ENV USER_PROV_FILE_DIR=/opt/redcap-docker/users
+RUN mkdir -p $USER_PROV_FILE_DIR
 ENV USER_PROV_OVERWRITE_EXISTING=false
 # Application default config
 ENV RCCONF_redcap_base_url=http://localhost

README.md

@@ -20,11 +20,13 @@ Yet another try to containerize [REDCap](https://www.project-redcap.org/) but wi
     - [REDCap Application configuration](#redcap-application-configuration)
     - [Email configuration](#email-configuration)
     - [Cron mode](#cron-mode)
+    - [User provisioning](#user-provisioning)
   - [Volume/Pathes](#volumepathes)
     - [REDCap php scripts aka apache document root dir](#redcap-php-scripts-aka-apache-document-root-dir)
     - [Custom php ini config](#custom-php-ini-config)
     - [Custom apache virtual host directives](#custom-apache-virtual-host-directives)
     - [Custom install SQL Script](#custom-install-sql-script)
+    - [User provisioning files](#user-provisioning-files)
 - [Troubleshooting](#troubleshooting)
   - [I get a "permission denied" error, when trying to visit my new REDCap instance](#i-get-a-permission-denied-error-when-trying-to-visit-my-new-redcap-instance)
 
@@ -49,11 +51,11 @@ This is our try, to containerize REDCap in a way, we can deploy a new instance,
 * Automated basic routine task like deactivating the default admin (Optionaly)
 * Provide simple mail setup (msmtprc config via env vars)
 * "Cron mode" to run the same image as REDCap cronjob manager
+* User provisioning via env vars and/or yaml files
 
 # Roadmap
 
 * Testing if REDCap upgrades work with this setup
-* User provisioning via env vars and/or yaml files
 
 # Ideas
 
@@ -94,6 +96,13 @@ Just set the env var `CRON_MODE`to true.
 see [config_vars_list.md#cron](config_vars_list.md#msmtp) for all env var options  
 see [Cron example compose](examples/instance_with_cron) how to configure it next to a REDCap instance
 
+### User provisioning
+
+This container image can prefill your REDCap instance with table users.
+
+See the manual at [USER_PROV.md](USER_PROV.md) for more details.  
+See the list of env vars concerning user provisiong at [USER_PROV.md](config_vars_list.md#user-provisioning) for more details.  
+Have a look at the [docker compose exmaple](examples/local_instance_with_user_prov) how it works in action.  
 
 ## Volume/Pathes
 
@@ -133,6 +142,10 @@ This dir can be changed via env var `REDCAP_INSTALL_SQL_SCRIPT_PATH`
 
 If the file is not provided, we will just pull a generic version it from the REDCap sources you provided.
 
+### User provisioning files
+
+`/opt/redcap-docker/users` directory that will be scanned for user data to be provisioned. See [User provisioning](#user-provisioning) for more details.
+
 # Troubleshooting
 
 ## I get a "permission denied" error, when trying to visit my new REDCap instance

USER_PROV.md

@@ -0,0 +1,289 @@
+# DZD Docker REDCap User Provisioning
+
+This container images has a feature to pre fill the REDCap database with table users.
+The users will be created on container boot and optionally updated if allready existent on container boot.
+
+# Enable or disable user provisioning
+
+You can set the environment variable `ENABLE_USER_PROV` to true or false to enable or disable the user provisioning feature.
+
+> [!TIP]
+> Table user only make sense when there is table based authentification system enabled in REDCap. One way to use this container images environment variable `RCCONF_auth_meth_global` (e.g. `RCCONF_auth_meth_global=table`)
+
+# Update existing user
+
+You can set the environment variable `USER_PROV_OVERWRITE_EXISTING` to true or false to enable or disable overwriting if existing users.
+
+"Existing" means there is a user with the same `username` as in the user provisioning data.
+
+
+# User data structure/model
+
+The user data need to be provided in json or yaml. One user entry needs to have at least the following attributes:
+
+* `username`
+* `user_email`
+* `user_firstname`
+* `user_lastname`
+
+Following attributes can be provied optionaly:
+
+* `password`
+* `user_email2`
+* `user_email3`
+* `user_phone`
+* `user_phone_sms`
+* `user_inst_id`
+* `super_user`
+* `account_manager`
+* `access_system_config`
+* `access_system_upgrade`
+* `access_external_module_install`
+* `admin_rights`
+* `access_admin_dashboards`
+* `user_sponsor`
+* `user_comments`
+* `allow_create_db`
+* `email_verify_code`
+* `email2_verify_code`
+* `email3_verify_code`
+* `datetime_format`
+* `number_format_decimal`
+* `number_format_thousands_sep`
+* `csv_delimiter`
+* `two_factor_auth_secret`
+* `two_factor_auth_enrolled`
+* `display_on_email_users`
+* `two_factor_auth_twilio_prompt_phone`
+* `two_factor_auth_code_expiration`
+* `api_token`
+* `messaging_email_preference`
+* `messaging_email_urgent_all`
+* `messaging_email_general_system`
+* `messaging_email_queue_time`
+* `ui_state`
+* `api_token_auto_request`
+* `fhir_data_mart_create_project`
+
+## Example
+
+### Simple User
+
+A simple user entry that will not be able to login until an admin provides a way to set the password
+
+**Json**
+```json
+{
+    "username": "r.jorden",
+    "user_firstname": "Rebecca",
+    "last_name": "Jorden",
+    "user_email": "r.jorden@lv-426.exo"
+}
+```
+
+**YAML**
+```yaml
+username: r.jorden
+user_firstname: Rebecca
+last_name: Jorden
+user_email: r.jorden@lv-426.exo
+```
+
+### Simple User with password
+
+A simple user that is allowed to login from the getgo
+
+**Json**
+```json
+{
+    "username": "r.frost",
+    "user_firstname": "Ricco",
+    "last_name": "Frost",
+    "user_email": "r.frost@uss-sulaco.space",
+    "password": "do-not-tell-anyone"
+}
+```
+
+**YAML**
+```yaml
+- username: r.frost
+  user_firstname: Ricco
+  last_name: Frost
+  user_email: r.frost@uss-sulaco.space
+  password: do-not-tell-anyone
+```
+
+### User admin user with password
+
+An low level REDCap admin that can manage user accounts
+
+**Json**
+```json
+{
+    "username": "s.gorman",
+    "user_firstname": "Scott",
+    "last_name": "Gorman",
+    "user_email": "r.gorman@lv-426.exo",
+    "password": "pssst1234",
+    "admin_rights": 1,
+    "account_manager": 1
+}
+```
+
+**YAML**
+```yaml
+- username: s.gorman
+  user_firstname: Scott
+  last_name: Gorman
+  user_email: r.gorman@lv-426.exo
+  password: pssst1234
+  admin_rights: 1
+  account_manager: 1
+```
+
+### Super user
+
+A full blown admin that can do anything
+
+**Json**
+```json
+{
+    "username": "bishop",
+    "user_firstname": "Lance",
+    "last_name": "Bishop",
+    "user_email": "bishop@hyperdyne.sys",
+    "password": "pw341-B",
+    "super_user": 1,
+    "account_manager": 1,
+    "access_system_config": 1,
+    "access_system_upgrade": 1,
+    "access_external_module_install": 1,
+    "access_admin_dashboards": 1
+}
+```
+
+**YAML**
+```yaml
+- username: bishop
+  user_firstname: Lance
+  last_name: Bishop
+  user_email: bishop@hyperdyne.sys
+  password: pw341-B
+  super_user: 1
+  account_manager: 1
+  access_system_config: 1
+  access_system_upgrade: 1
+  access_external_module_install: 1
+  access_admin_dashboards: 1
+```
+
+# Provide user data
+
+There are 3 different options to provide the user data.
+
+## Option 1 - Json list in environment variable
+
+You can provide a one lined json list with multiple user data objects into the environment variable `USER_PROV`.
+
+e.g.
+```env
+USER_PROV='[{"username": "user1","user_firstname": "userone","user_lastname": "mcone","user_email": "one@test.com"},{"username": "user12","user_firstname": "usertwo","user_lastname": "mctwo","user_email": "two@test.com"}]'
+```
+
+## Option 2 - json in multiple indexed environment variable
+
+As option one will be messy very quickly the next best option is to index the env var `USER_PROV` with a `_` + sequentiel numbers. e.g.:  
+e.g.
+```env
+USER_PROV_1='{"username": "user1","user_firstname": "userone","user_lastname": "mcone","user_email": "one@test.com"}'
+USER_PROV_2='{"username": "user12","user_firstname": "usertwo","user_lastname": "mctwo","user_email": "two@test.com"}'
+```
+
+## Option 3 - Yaml or json files
+
+As both option 1 and 2 are hard to read as soon as we hit a certain numbers of user, the best option is to provide the users in files.
+
+The expected file structure is a yaml or json object that has the root key `REDCapUserList` which should container a list of user objects.
+
+You can have multiple files. the REDCap docker container images scan the directory defined in the env var `USER_PROV_FILE_DIR` which will be `/opt/redcap-docker/users` by default.
+
+**Json file example:**
+
+```json
+{
+  "REDCapUserList": [
+    {
+      "username": "r.jorden",
+      "user_firstname": "Rebecca",
+      "last_name": "Jorden",
+      "user_email": "r.jorden@lv-426.exo"
+    },
+    {
+      "username": "r.frost",
+      "user_firstname": "Ricco",
+      "last_name": "Frost",
+      "user_email": "r.frost@uss-sulaco.space",
+      "password": "do-not-tell-anyone"
+    },
+    {
+      "username": "s.gorman",
+      "user_firstname": "Scott",
+      "last_name": "Gorman",
+      "user_email": "r.gorman@lv-426.exo",
+      "password": "pssst1234",
+      "admin_rights": 1,
+      "account_manager": 1
+    },
+    {
+      "username": "bishop",
+      "user_firstname": "Lance",
+      "last_name": "Bishop",
+      "user_email": "bishop@hyperdyne.sys",
+      "password": "pw341-B",
+      "super_user": 1,
+      "account_manager": 1,
+      "access_system_config": 1,
+      "access_system_upgrade": 1,
+      "access_external_module_install": 1,
+      "access_admin_dashboards": 1
+    }
+  ]
+}
+```
+
+**Yaml file example:**
+
+```yaml
+REDCapUserList:
+- username: r.jorden
+  user_firstname: Rebecca
+  last_name: Jorden
+  user_email: r.jorden@lv-426.exo
+- username: r.frost
+  user_firstname: Ricco
+  last_name: Frost
+  user_email: r.frost@uss-sulaco.space
+  password: do-not-tell-anyone
+- username: s.gorman
+  user_firstname: Scott
+  last_name: Gorman
+  user_email: r.gorman@lv-426.exo
+  password: pssst1234
+  admin_rights: 1
+  account_manager: 1
+- username: bishop
+  user_firstname: Lance
+  last_name: Bishop
+  user_email: bishop@hyperdyne.sys
+  password: pw341-B
+  super_user: 1
+  account_manager: 1
+  access_system_config: 1
+  access_system_upgrade: 1
+  access_external_module_install: 1
+  access_admin_dashboards: 1
+```
+
+
+Have a look at the directory at [examples/local_instance_with_user_prov](examples/local_instance_with_user_prov) for a fully working docker compose exmaple that uses user provisioning 
+