Merge pull request #1924 from edx/max/profile-images

Add edxapp profile image config

playbooks/roles/aws/tasks/main.yml

@@ -24,6 +24,11 @@
 #
 # Start dealing with Jumbo frames issue in mixed MTU deployements in AWS
 #
+- name: gather ec2 facts for use in other roles
+  action: ec2_facts
+  tags: 
+    - deploy
+
 - shell: >
     /sbin/ifconfig eth0 mtu 1500 up
   when: ansible_distribution in common_debian_variants

playbooks/roles/edxapp/defaults/main.yml

@@ -184,7 +184,7 @@ EDXAPP_BOOK_URL: ""
 EDXAPP_SITE_NAME: 'localhost'
 EDXAPP_LMS_SITE_NAME: "{{ EDXAPP_SITE_NAME }}"
 EDXAPP_CMS_SITE_NAME: 'localhost'
-EDXAPP_MEDIA_URL:  ""
+EDXAPP_MEDIA_URL:  "/media"
 EDXAPP_ANALYTICS_SERVER_URL:  ""
 EDXAPP_FEEDBACK_SUBMISSION_EMAIL: ""
 EDXAPP_CELERY_BROKER_HOSTNAME: ""
@@ -449,6 +449,35 @@ PERFORMANCE_GRAPHITE_URL: 'SetPerformanceGraphiteHostName'
 EDXAPP_ECOMMERCE_API_URL: 'http://localhost:18130'
 EDXAPP_ECOMMERCE_API_SIGNING_KEY: 'SET-ME-PLEASE'
 
+#To use AWS S3 as your backend, you need different kwargs:
+# EDXAPP_PROFILE_IMAGE_BACKEND_CONFIG:
+#   storage_class: storages.backends.s3boto.S3BotoStorage
+#   storage_kwargs:
+#     location: /path/to/images
+#     bucket: mybucket
+#     custom_domain: mybucket.s3.amazonaws.com
+#     access_key: XXXAWS_ACCESS_KEYXXX
+#     secret_key: XXXAWS_SECRETY_KEYXXX
+#     headers:
+#       Cache-Control: max-age-{{ EDXAPP_PROFILE_IMAGE_MAX_AGE }}
+#NB: access_key and secret_key are unneccessary if you use IAM roles
+#NB2: custom_domain is REQUIRED. Otherwise, boto will generate a 
+# temporary URL whenever asked for the URL of a specific file.
+EDXAPP_PROFILE_IMAGE_BACKEND:
+  class: storages.backends.overwrite.OverwriteStorage
+  options:
+    location: "{{ edxapp_media_dir }}/profile-images/"
+    base_url: "{{ EDXAPP_MEDIA_URL }}/profile-images/"
+
+EDXAPP_PROFILE_IMAGE_MAX_AGE: 31536000
+
+# used to salt hashed usernames for profile image filenames
+EDXAPP_PROFILE_IMAGE_SECRET_KEY: placeholder_secret_key
+
+# In bytes
+EDXAPP_PROFILE_IMAGE_MAX_BYTES: 1048576
+EDXAPP_PROFILE_IMAGE_MIN_BYTES: 100
+
 #-------- Everything below this line is internal to the role ------------
 
 #Use YAML references (& and *) and hash merge <<: to factor out shared settings
@@ -470,6 +499,7 @@ edxapp_node_bin: "{{ edxapp_code_dir }}/node_modules/.bin"
 edxapp_user: edxapp
 edxapp_deploy_path: "{{ edxapp_venv_bin }}:{{ edxapp_code_dir }}/bin:{{ edxapp_rbenv_bin }}:{{ edxapp_rbenv_shims }}:{{ edxapp_gem_bin }}:{{ edxapp_node_bin }}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
 edxapp_staticfile_dir: "{{ edxapp_data_dir }}/staticfiles"
+edxapp_media_dir: "{{ edxapp_data_dir }}/media"
 edxapp_course_static_dir: "{{ edxapp_data_dir }}/course_static"
 edxapp_course_data_dir: "{{ edxapp_data_dir }}/data"
 edxapp_upload_dir: "{{ edxapp_data_dir }}/uploads"
@@ -685,7 +715,11 @@ generic_env_config:  &edxapp_generic_env
   WIKI_ENABLED: true
   SYSLOG_SERVER:  "{{ EDXAPP_SYSLOG_SERVER }}"
   LOG_DIR:  "{{ COMMON_DATA_DIR }}/logs/edx"
-  MEDIA_URL:  "{{ EDXAPP_MEDIA_URL }}"
+  
+  #must end in slash (https://docs.djangoproject.com/en/1.4/ref/settings/#media-url)
+  MEDIA_URL:  "{{ EDXAPP_MEDIA_URL }}/"
+  MEDIA_ROOT: "{{ edxapp_media_dir }}/"
+
   ANALYTICS_SERVER_URL:  "{{ EDXAPP_ANALYTICS_SERVER_URL }}"
   FEEDBACK_SUBMISSION_EMAIL: "{{ EDXAPP_FEEDBACK_SUBMISSION_EMAIL }}"
   TIME_ZONE: "{{ EDXAPP_TIME_ZONE }}"
@@ -765,6 +799,7 @@ lms_auth_config:
   CC_PROCESSOR_NAME: "{{ EDXAPP_CC_PROCESSOR_NAME }}"
   CC_PROCESSOR: "{{ EDXAPP_CC_PROCESSOR }}"
   TRACKING_SEGMENTIO_WEBHOOK_SECRET: "{{ EDXAPP_TRACKING_SEGMENTIO_WEBHOOK_SECRET }}"
+  PROFILE_IMAGE_SECRET_KEY: "{{ EDXAPP_PROFILE_IMAGE_SECRET_KEY }}"
 
 lms_env_config:
   <<: *edxapp_generic_env
@@ -786,6 +821,10 @@ lms_env_config:
   PDF_RECEIPT_TAX_ID_LABEL: "{{ EDXAPP_PDF_RECEIPT_TAX_ID_LABEL }}"
   PDF_RECEIPT_COBRAND_LOGO_PATH: "{{ EDXAPP_PDF_RECEIPT_COBRAND_LOGO_PATH }}"
   PDF_RECEIPT_LOGO_PATH: "{{ EDXAPP_PDF_RECEIPT_LOGO_PATH }}"
+  PROFILE_IMAGE_BACKEND: "{{ EDXAPP_PROFILE_IMAGE_BACKEND }}"
+  PROFILE_IMAGE_MIN_BYTES: $EDXAPP_PROFILE_IMAGE_MIN_BYTES
+  PROFILE_IMAGE_MAX_BYTES: $EDXAPP_PROFILE_IMAGE_MAX_BYTES
+
 cms_auth_config:
   <<: *edxapp_generic_auth
   SEGMENT_IO_KEY: "{{ EDXAPP_SEGMENT_IO_KEY }}"

playbooks/roles/edxapp/tasks/main.yml

@@ -15,13 +15,18 @@
     - "{{ edxapp_app_dir }}"
     # needed for the ansible 1.5 git module
     - "{{ edxapp_app_dir }}/.ssh"
-    - "{{ edxapp_data_dir }}"
     - "{{ edxapp_venvs_dir }}"
     - "{{ edxapp_theme_dir }}"
     - "{{ edxapp_staticfile_dir }}"
     - "{{ edxapp_course_static_dir }}"
     - "{{ edxapp_course_data_dir }}"
 
+# var should have more permissive permissions than the rest
+- name: create edxapp var dir
+  file: >
+    path={{ edxapp_data_dir }} state=directory mode=0775
+    owner="{{ edxapp_user }}" group="{{ common_web_group }}"
+
 # This is a symlink that has to exist because
 # we currently can't override the DATA_DIR var
 # in edx-platform. TODO: This can be removed once

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2

@@ -120,6 +120,12 @@ error_page {{ k }} {{ v }};
     try_files $uri @proxy_to_lms_app;
   }
 
+  # Need a separate location for the image uploads endpoint to limit upload sizes
+  location ~ ^/api/profile_images/[^/]*/[^/]*/upload$ {
+    try_files $uri @proxy_to_lms_app;
+    client_max_body_size {{ EDXAPP_PROFILE_IMAGE_MAX_BYTES }};
+  }
+
   location /notifier_api {
     try_files $uri @proxy_to_lms_app;
   }
@@ -154,6 +160,12 @@ error_page {{ k }} {{ v }};
     try_files $uri @proxy_to_lms_app;
   }
 
+location ~ ^{{ EDXAPP_MEDIA_URL }}/(?P<file>.*) {
+    root {{ edxapp_media_dir }};
+    try_files /$file =404;
+    expires {{ EDXAPP_PROFILE_IMAGE_MAX_AGE }}s;
+}
+
   {% include "robots.j2" %}
   {% include "static-files.j2" %}