MIDRC-425 OCC-69 Add restricted download jupyter

.github/workflows/build_and_push_python_image.yml

@@ -1,14 +1,14 @@
-name: Build Python Images and Push to Quay and ECR
+name: Build and Push python3.9-data-science
 
 on:
   push:
     paths:
-    - python3.9-data-science/Dockerfile
+    - python3.9-data-science/**
     - .github/workflows/build_and_push_python_image.yml
 
 jobs:
   python_3-9:
-    name: Python 3.9 Build and Push
+    name: Build and Push python3.9-data-science
     uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@master
     with:
       DOCKERFILE_LOCATION: "./python3.9-data-science/Dockerfile"

.github/workflows/build_azlinux_jupyter_scipy_image.yml

@@ -3,7 +3,7 @@ name: Build and push AmazonLinux jupyter-scipy
 on:
   push:
     paths:
-    - azlinux-jupyter-scipy/Dockerfile
+    - azlinux-jupyter-scipy/**
     - .github/workflows/build_azlinux_jupyter_scipy_image.yml
 
 jobs:

.github/workflows/build_jupyter_nextflow_image.yml

@@ -3,7 +3,7 @@ name: Build and Push Jupyter-Nextflow image
 on:
   push:
     paths:
-    - jupyter-nextflow
+    - jupyter-nextflow/**
     - .github/workflows/build_jupyter_nextflow_image.yml
 
 jobs:

.github/workflows/build_jupyter_restricted_download_image.yml

@@ -0,0 +1,22 @@
+name: Build and Push jupyter-restricted-download
+
+on:
+  push:
+    paths:
+    - jupyter-restricted-download/**
+    - .github/workflows/build_jupyter_restricted_download_image.yml
+
+jobs:
+  jupyter-restricted-download:
+    name: Build and Push jupyter-restricted-download
+    uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@master
+    with:
+      DOCKERFILE_LOCATION: "./jupyter-restricted-download/Dockerfile"
+      DOCKERFILE_BUILD_CONTEXT: "./jupyter-restricted-download"
+      OVERRIDE_REPO_NAME: "jupyter-notebook"
+      OVERRIDE_TAG_NAME: "restricted-download-$(echo ${GITHUB_REF#refs/*/} | tr / _)"
+    secrets:
+      ECR_AWS_ACCESS_KEY_ID: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
+      ECR_AWS_SECRET_ACCESS_KEY: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
+      QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
+      QUAY_ROBOT_TOKEN: ${{ secrets.QUAY_ROBOT_TOKEN }}

.github/workflows/build_vadc_notebook_image.yml

@@ -4,6 +4,7 @@ on:
   push:
     paths:
     - jupyter-vadc/**
+    - .github/workflows/build_vadc_notebook_image.yml
 
 jobs:
   push-image:

.github/workflows/build_vlmd_submission_python_image.yml

@@ -1,4 +1,4 @@
-name: Build Python Image and Push to Quay and ECR
+name: Build VLMD Image
 
 on:
   push:
@@ -8,7 +8,7 @@ on:
 
 jobs:
   ci:
-    name: Build Image and Push to Quay
+    name: Build VLMD Image
     uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@master
     with:
       DOCKERFILE_LOCATION: "./vlmd-submission-tools/Dockerfile"

jupyter-restricted-download/.env

@@ -0,0 +1,3 @@
+SERVICE_PORT=9880
+USER_VOLUME=./user-volume
+DATA_VOLUME=./data-volume

jupyter-restricted-download/Dockerfile

@@ -0,0 +1,91 @@
+ARG ROOT_CONTAINER=quay.io/cdis/ubuntu:focal
+
+FROM $ROOT_CONTAINER
+
+LABEL maintainer="Jupyter Project <[email protected]>"
+
+# Fix DL4006
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+USER root
+
+# Install all OS dependencies for the notebook server that starts but lacks all
+# features (e.g., download as all possible file formats)
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update --yes && \
+    apt-get install --yes --no-install-recommends \
+    python3.9 \
+    python3-pip \
+    tini \
+    wget \
+    git \
+    curl \
+    ca-certificates \
+    sudo \
+    locales \
+    fonts-liberation \
+    vim \
+    run-one && \
+    apt-get clean && rm -rf /var/lib/apt/lists/* && \
+    echo "en_US.UTF-8 UTF-8" > /etc/locale.gen && \
+    locale-gen
+
+# Set Python 3.9 as the default Python version
+RUN ln -s /usr/bin/python3.9 /usr/bin/python
+
+# Add the Python 3.9 executable path to the PATH environment variable
+ENV PATH="/usr/bin/python3.9:$PATH"
+
+# Upgrade pip to ensure it's associated with Python 3.9.5
+RUN python3.9 -m pip install --upgrade pip
+
+# Remove /usr/bin/pip3 if it exists
+RUN rm -f /usr/bin/pip3
+
+# Create a symbolic link from pip3 to pip
+RUN ln -s /usr/bin/pip /usr/bin/pip3
+
+RUN pip install JPype1 jupyter
+
+RUN jupyter notebook --generate-config
+
+# this is where we disable downloads
+RUN jupyter labextension disable @jupyterlab/docmanager-extension:download \
+    && jupyter labextension disable @jupyterlab/filebrowser-extension:download
+
+RUN pip install pandas numpy seaborn scipy matplotlib pyNetLogo SALib boto3 awscli --upgrade
+
+# RUN pip install PyYAML==5.3.1 --upgrade
+RUN pip install gen3==4.18.0 --upgrade
+
+RUN pip install jupyter --upgrade
+
+RUN pip uninstall nbconvert --yes
+# Create a non-root user for Jupyter without copying /bin or /bin/bash
+ARG NB_USER=jupyter
+ARG NB_UID=1000
+RUN useradd -m -s /bin/bash -N -u $NB_UID $NB_USER
+RUN chown -R $NB_USER:users /home/$NB_USER
+RUN chmod -R u+rwx /home/$NB_USER
+
+# Expose port 8888 for JupyterLab
+EXPOSE 8888
+
+ARG COVID_TOOLS_BRANCH=master
+ADD --chown=$NB_USER:users https://raw.githubusercontent.com/uc-cdis/covid19-tools/$COVID_TOOLS_BRANCH/covid19-notebooks/welcome.html /home/$NB_USER/
+RUN touch /home/$NB_USER/welcome.html
+
+# Add local files as late as possible to avoid cache busting
+COPY start.sh /usr/local/bin/
+COPY start-notebook.sh /usr/local/bin/
+COPY start-singleuser.sh /usr/local/bin/
+RUN chmod +x /usr/local/bin/*.sh
+
+COPY resources/custom.js /home/$NB_USER/.jupyter/custom/
+COPY resources/jupyter_notebook_config.py /home/$NB_USER/.jupyter/tmp.py
+RUN cat /home/$NB_USER/.jupyter/tmp.py >> /home/$NB_USER/.jupyter/jupyter_notebook_config.py && rm /home/$NB_USER/.jupyter/tmp.py
+
+# Set the default command to start JupyterLab
+USER $NB_USER
+WORKDIR /home/$NB_USER
+ENTRYPOINT ["jupyter", "lab", "--allow-root", "--ip=0.0.0.0", "--port=8888", "--no-browser"]

jupyter-restricted-download/README.md

@@ -0,0 +1,3 @@
+# jupyter-restricted-download
+
+A "restricted" build of `jupyter-slim`.  Basically the same as `../jupyter-slim/`, but it prevents users from downloading anything from the jupyter lab

jupyter-restricted-download/resources/custom.js

@@ -0,0 +1,3 @@
+define(['base/js/namespace'], function(Jupyter){
+    Jupyter._target = '_self';
+})

jupyter-restricted-download/resources/jupyter_notebook_config.py

@@ -0,0 +1,3 @@
+c.NotebookApp.tornado_settings = {
+    "headers": {"Content-Security-Policy": "frame-ancestors 'self'"}
+}

jupyter-restricted-download/start-notebook.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+# Copyright (c) Jupyter Development Team.
+# Distributed under the terms of the Modified BSD License.
+
+set -e
+
+. /usr/local/bin/start.sh jupyter notebook --no-browser --port 8888 --ip=* --NotebookApp.token='' --NotebookApp.disable_check_xsrf=True $*

jupyter-restricted-download/start-singleuser.sh

@@ -0,0 +1,43 @@
+#!/bin/bash
+# Copyright (c) Jupyter Development Team.
+# Distributed under the terms of the Modified BSD License.
+
+set -e
+
+# set default ip to 0.0.0.0
+if [[ "$NOTEBOOK_ARGS $@" != *"--ip="* ]]; then
+  NOTEBOOK_ARGS="--ip=0.0.0.0 $NOTEBOOK_ARGS"
+fi
+
+# handle some deprecated environment variables
+# from DockerSpawner < 0.8.
+# These won't be passed from DockerSpawner 0.9,
+# so avoid specifying --arg=empty-string
+if [ ! -z "$NOTEBOOK_DIR" ]; then
+  NOTEBOOK_ARGS="--notebook-dir='$NOTEBOOK_DIR' $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JPY_PORT" ]; then
+  NOTEBOOK_ARGS="--port=$JPY_PORT $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JPY_USER" ]; then
+  NOTEBOOK_ARGS="--user=$JPY_USER $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JPY_COOKIE_NAME" ]; then
+  NOTEBOOK_ARGS="--cookie-name=$JPY_COOKIE_NAME $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JPY_BASE_URL" ]; then
+  NOTEBOOK_ARGS="--base-url=$JPY_BASE_URL $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JPY_HUB_PREFIX" ]; then
+  NOTEBOOK_ARGS="--hub-prefix=$JPY_HUB_PREFIX $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JPY_HUB_API_URL" ]; then
+  NOTEBOOK_ARGS="--hub-api-url=$JPY_HUB_API_URL $NOTEBOOK_ARGS"
+fi
+if [ ! -z "$JUPYTER_ENABLE_LAB" ]; then
+  NOTEBOOK_BIN="jupyter labhub"
+else
+  NOTEBOOK_BIN=jupyterhub-singleuser
+fi
+
+. /usr/local/bin/start.sh $NOTEBOOK_BIN $NOTEBOOK_ARGS $@

jupyter-restricted-download/start.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+# Copyright (c) Jupyter Development Team.
+# Distributed under the terms of the Modified BSD License.
+
+set -e
+
+# Handle special flags if we're root
+if [ $UID == 0 ] ; then
+    # Change UID of NB_USER to NB_UID if it does not match
+    if [ "$NB_UID" != $(id -u $NB_USER) ] ; then
+        usermod -u $NB_UID $NB_USER
+        chown -R $NB_UID $CONDA_DIR .
+    fi
+
+    # Enable sudo if requested
+    if [ ! -z "$GRANT_SUDO" ]; then
+        echo "$NB_USER ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/notebook #pragma: allowlist secret
+    fi
+
+    # Exec the command as NB_USER
+    exec su $NB_USER -c "env PATH=$PATH $*"
+else
+    # Exec the command
+    exec $*
+fi