# HG changeset patch
# User robcast
# Date 1462212850 -7200
# Node ID b213cf27152bab466b4f2a5f1b87a6c4b3a43900
# Parent e7e38e1f68df6132aa3297f390fcc7ae28e388d1# Parent b3d81e4581a74137c66be87727b344a841c41916
merge
diff -r b3d81e4581a7 -r b213cf27152b servlet/src/main/java/digilib/auth/IpAuthnOps.java
--- a/servlet/src/main/java/digilib/auth/IpAuthnOps.java Sun May 01 12:03:03 2016 +0200
+++ b/servlet/src/main/java/digilib/auth/IpAuthnOps.java Mon May 02 20:14:10 2016 +0200
@@ -41,7 +41,7 @@
import digilib.util.XMLMapLoader;
/**
- * Implements AuthnOps using paths defined in an XML config file.
+ * Implements AuthnOps using IP adresses defined in an XML config file.
*
* The name of the configuration file is read from the digilib config parameter "auth-file".
*
@@ -112,7 +112,6 @@
public List getUserRoles(DigilibRequest dlRequest) throws AuthOpException {
HttpServletRequest request = ((DigilibServletRequest) dlRequest).getServletRequest();
String ip = request.getRemoteAddr();
- logger.debug("Getting roles for ip "+ip);
List provided = null;
if (ip.contains(":")) {
// IPv6
@@ -121,6 +120,7 @@
// IPv4
provided = authIP4s.match(ip);
}
+ logger.debug("Roles provided by ip "+ip+": "+provided);
return provided;
}
diff -r b3d81e4581a7 -r b213cf27152b servlet/src/main/java/digilib/auth/IpOpenIdAuthnOps.java
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/servlet/src/main/java/digilib/auth/IpOpenIdAuthnOps.java Mon May 02 20:14:10 2016 +0200
@@ -0,0 +1,96 @@
+package digilib.auth;
+
+/*
+ * #%L
+ * Authentication class implementation using IP addresses and Servlet user information
+ *
+ * Digital Image Library servlet components
+ *
+ * %%
+ * Copyright (C) 2016 MPIWG Berlin
+ * %%
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Lesser General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Lesser Public License for more details.
+ *
+ * You should have received a copy of the GNU General Lesser Public
+ * License along with this program. If not, see
+ * .
+ * #L%
+ * Author: Robert Casties (robcast@berlios.de)
+ */
+
+import java.util.List;
+
+import digilib.conf.DigilibConfiguration;
+import digilib.conf.DigilibRequest;
+
+/**
+ * Implements AuthnOps using IP adresses defined in an XML config file and an OpenId Connect ID token.
+ *
+ * The name of the configuration file is read from the digilib config parameter "auth-file".
+ *
+ * The tags "digilib-adresses" and "digilib-oauth" are read from the configuration file:
+ *
+ * {@code
+ *
+ *
+ *
+ *
+ *
+ *
+ *
+ *
+ * {"kty":"RSA","e":"AQAB","kid":"rsa1","n":"qjQ5U3wXzamg9R...idGpIiVilMDVBs"}
+ *
+ *
+ * }
+ *
+ * A computer with an ip address that matches "ip" is automatically granted all roles under "role".
+ * The ip address is matched from the left (in full quads). Roles under "role" must be separated by comma only (no spaces).
+ *
+ * If roles provided by IP are not sufficient it uses the "id_token" parameter containing a valid token signed with the configured key
+ * including the configured issuer (iss) and clientid (aud) to grant the configured roles.
+ */
+public class IpOpenIdAuthnOps extends IpAuthnOps {
+
+ protected OpenIdAuthnOps openIdAuthnOps;
+
+ /* (non-Javadoc)
+ * @see digilib.auth.IpAuthnOps#init(digilib.conf.DigilibConfiguration)
+ */
+ @Override
+ public void init(DigilibConfiguration dlConfig) throws AuthOpException {
+ // init IpAuthnOps
+ super.init(dlConfig);
+ // init openIdAuthnOps
+ openIdAuthnOps = new OpenIdAuthnOps();
+ openIdAuthnOps.init(dlConfig);
+ }
+
+ /* (non-Javadoc)
+ * @see digilib.auth.IpAuthnOps#getUserRoles(digilib.conf.DigilibRequest)
+ */
+ @Override
+ public List getUserRoles(DigilibRequest dlRequest) throws AuthOpException {
+ List roles = super.getUserRoles(dlRequest);
+ if (roles == null) {
+ // no IP roles
+ roles = openIdAuthnOps.getUserRoles(dlRequest);
+ } else {
+ List idRoles = openIdAuthnOps.getUserRoles(dlRequest);
+ if (idRoles != null) {
+ // add OpenID roles at the end
+ roles.addAll(idRoles);
+ }
+ }
+ return roles;
+ }
+
+}
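Review bot: `roles.addAll(idRoles)` in `getUserRoles` appends the OpenID roles into the list object returned by `super.getUserRoles`, which IpAuthnOps obtains from `authIP4s.match(ip)`/`authIP6s.match(ip)`; if that is the stored role list rather than a copy, one successful id_token login would permanently widen the roles granted to the whole IP range for later, unauthenticated requests, and if it is a fixed-size `Arrays.asList` view the call throws `UnsupportedOperationException` instead. Merge into a fresh list: `List merged = new ArrayList(roles); merged.addAll(idRoles); return merged;` (needs `import java.util.ArrayList;`). The class also uses raw `List`; the role lists presumably hold `String`, so `List<String>` would make that explicit.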
diff -r b3d81e4581a7 -r b213cf27152b servlet/src/main/java/digilib/auth/IpServletAuthnOps.java
--- a/servlet/src/main/java/digilib/auth/IpServletAuthnOps.java Sun May 01 12:03:03 2016 +0200
+++ b/servlet/src/main/java/digilib/auth/IpServletAuthnOps.java Mon May 02 20:14:10 2016 +0200
@@ -34,7 +34,7 @@
import digilib.conf.DigilibServletRequest;
/**
- * Implements AuthnOps using paths defined in an XML config file and Servlet API isUserInRole().
+ * Implements AuthnOps using IP adresses defined in an XML config file and Servlet API isUserInRole().
*
* The name of the configuration file is read from the digilib config parameter "auth-file".
*
diff -r b3d81e4581a7 -r b213cf27152b servlet/src/main/java/digilib/auth/MetaAccessAuthzOps.java
--- a/servlet/src/main/java/digilib/auth/MetaAccessAuthzOps.java Sun May 01 12:03:03 2016 +0200
+++ b/servlet/src/main/java/digilib/auth/MetaAccessAuthzOps.java Mon May 02 20:14:10 2016 +0200
@@ -33,8 +33,6 @@
import java.util.List;
import java.util.Map;
-import javax.servlet.http.HttpServletRequest;
-
import digilib.conf.DigilibConfiguration;
import digilib.conf.DigilibServletConfiguration;
import digilib.conf.DigilibServletRequest;
@@ -52,22 +50,25 @@
*
* The name of the configuration file is read from the digilib config parameter "auth-file".
*
- * Tags "digilib-access" and "digilib-adresses" are read from the configuration file:
+ * The tag "digilib-access" is read from the auth-file configuration file:
*
* {@code
*
*
+ *
*
* }
*
* A user must supply one of the roles under "role" to access any object with the metadata "access" type of "type".
* Roles under "role" must be separated by comma only (no spaces).
+ * Access type "default" applies to objects without metadata access tag.
*
*/
public class MetaAccessAuthzOps extends AuthzOpsImpl {
- private File configFile;
- private Map> rolesMap;
+ protected File configFile;
+ protected Map> rolesMap;
+ protected List defaultRoles = null;
/**
* Initialize authentication operations.
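Review bot: The three fields widened to `protected` get no Javadoc, and `defaultRoles` now has a meaning that subclasses must know: `rolesForPath` returns it for objects without an access tag, and a `null` return there is treated as "no restriction", as the original comment on that path says. Document it on the field, e.g. `/** Roles required for objects without an access tag; null means no role is required. */`, and similarly note on `rolesMap` that it maps access type to the required role list.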
@@ -84,7 +85,7 @@
logger.debug("IpRoleServletAuthops.init (" + configFile + ")");
Map roleList = null;
try {
- // load role mappings
+ // load access role mappings
XMLMapLoader roleLoader = new XMLMapLoader("digilib-access", "access", "type", "role");
roleList = roleLoader.loadUri(configFile.toURI());
} catch (Exception e) {
@@ -98,9 +99,15 @@
for (String k : roleList.keySet()) {
String rs = roleList.get(k);
String[] ra = rs.split(",");
- rolesMap.put(k, Arrays.asList(ra));
+ if (k.equalsIgnoreCase("default") && !rs.isEmpty()) {
+ // set default roles
+ defaultRoles = Arrays.asList(ra);
+ } else {
+ // add access roles to map
+ rolesMap.put(k, Arrays.asList(ra));
+ }
}
- // set authentication
+ // set authentication ops
this.authnOps = (AuthnOps) dlConfig.getValue(DigilibServletConfiguration.AUTHN_OP_KEY);
}
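Review bot: `k.equalsIgnoreCase("default")` accepts any casing of the default key, but when its value is empty the entry falls through to the `else` branch and a `[""]` role list is stored under that key, and the `rolesMap.containsKey(access)` lookup in `rolesForPath` remains case-sensitive while `free` and `default` are matched case-insensitively. Skip the empty default explicitly, `if (k.equalsIgnoreCase("default")) { if (!rs.isEmpty()) defaultRoles = Arrays.asList(ra); continue; }`, and decide on one casing rule for access types so a mapping written as `Free` or `Internal` in metadata cannot silently miss its role list.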
@@ -120,7 +127,6 @@
*/
@Override
public List rolesForPath(DigilibServletRequest dlRequest) throws AuthOpException {
- HttpServletRequest request = dlRequest.getServletRequest();
DocuDirent imgs;
try {
// try to get image file from JobDescription
@@ -143,19 +149,33 @@
try {
imgs.checkMeta();
MetadataMap meta = imgs.getMeta().getFileMeta();
- access = meta.get("access");
+ if (meta != null) {
+ access = meta.get("access");
+ }
} catch (Exception e) {
logger.error("Error getting access meta for file!");
}
if (access == null) {
- // no access restriction - allow
- logger.debug("rolesForPath (" + imgs.getName() + ") by [" + request.getRemoteAddr() + "]: (none)");
+ // no access tag - use default
+ logger.debug("Roles required for " + imgs.getName() + ": "+defaultRoles+"(default)");
+ return defaultRoles;
+ } else if (access.equalsIgnoreCase("free")) {
+ // access free
+ logger.debug("Roles required for " + imgs.getName() + ": (free)");
return null;
}
// get required roles
- List required = rolesMap.get(access);
- logger.debug("rolesForPath (" + imgs.getName() + ") by [" + request.getRemoteAddr() + "]: "+required);
- return required;
+ if (rolesMap.containsKey(access)) {
+ List required = rolesMap.get(access);
+ logger.debug("Roles required for " + imgs.getName() + ": "+required);
+ return required;
+ } else {
+ // no mapping to role
+ logger.error("Error: no role for access type '"+access+"'");
+ // use default
+ logger.debug("Roles required for " + imgs.getName() + ": "+defaultRoles+"(substituted default)");
+ return defaultRoles;
+ }
}
}
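Review bot: In the unmapped-access-type branch (`else` after `rolesMap.containsKey(access)`) the code logs an error and then returns `defaultRoles`, which is `null` unless a `default` entry is configured, so an object tagged with an access type that has no role mapping is served with no role requirement at all. The same fallback is reached when `checkMeta()` throws, since `access` then stays `null`. That was also the previous behaviour of `rolesMap.get(access)` returning `null`, but now that a configurable default exists a missing mapping is a configuration error and would be safer to fail closed, for example by throwing `AuthOpException` from that branch (its constructor is not in the hunk) rather than substituting the default. The start of `rolesForPath` lies outside this hunk.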
diff -r b3d81e4581a7 -r b213cf27152b servlet/src/main/java/digilib/auth/OpenIdAuthnOps.java
--- a/servlet/src/main/java/digilib/auth/OpenIdAuthnOps.java Sun May 01 12:03:03 2016 +0200
+++ b/servlet/src/main/java/digilib/auth/OpenIdAuthnOps.java Mon May 02 20:14:10 2016 +0200
@@ -172,7 +172,7 @@
}
// set token cookie name
- tokenCookieName = dlConfig.getAsString("auth-token-cookie");
+ tokenCookieName = dlConfig.getAsString("authn-token-cookie");
}
/* (non-Javadoc)
@@ -226,9 +226,9 @@
secondPassJwtConsumer.processContext(jwtContext);
JwtClaims claims = jwtContext.getJwtClaims();
String sub = claims.getSubject();
- logger.debug("id_token authenticated user '"+sub+"'");
// get roles
List provided = idpRoles.get(issuer);
+ logger.debug("Roles provided by id_token (sub='"+sub+"'): "+provided);
return provided;
} catch (InvalidJwtException | MalformedClaimException e) {
diff -r b3d81e4581a7 -r b213cf27152b servlet/src/main/java/digilib/auth/PathAuthzOps.java
--- a/servlet/src/main/java/digilib/auth/PathAuthzOps.java Sun May 01 12:03:03 2016 +0200
+++ b/servlet/src/main/java/digilib/auth/PathAuthzOps.java Mon May 02 20:14:10 2016 +0200
@@ -103,9 +103,9 @@
*/
public List rolesForPath(DigilibServletRequest dlRequest) throws digilib.auth.AuthOpException {
String filepath = dlRequest.getFilePath();
- logger.debug("rolesForPath: " + filepath);
// which roles are required?
List required = authPaths.match(filepath);
+ logger.debug("Roles required for "+filepath+": "+required);
return required;
}
diff -r b3d81e4581a7 -r b213cf27152b servlet/src/main/java/digilib/conf/DigilibServletConfiguration.java
--- a/servlet/src/main/java/digilib/conf/DigilibServletConfiguration.java Sun May 01 12:03:03 2016 +0200
+++ b/servlet/src/main/java/digilib/conf/DigilibServletConfiguration.java Mon May 02 20:14:10 2016 +0200
@@ -170,7 +170,7 @@
// DocuDirectory implementation
newParameter("docudirectory-class", "digilib.io.BaseDirDocuDirectory", null, 'f');
// name of cookie with authentication token
- newParameter("auth-token-cookie", "id_token", null, 'f');
+ newParameter("authn-token-cookie", "id_token", null, 'f');
}
/**
diff -r b3d81e4581a7 -r b213cf27152b webapp/src/main/webapp/WEB-INF/digilib-auth.xml.template
--- a/webapp/src/main/webapp/WEB-INF/digilib-auth.xml.template Sun May 01 12:03:03 2016 +0200
+++ b/webapp/src/main/webapp/WEB-INF/digilib-auth.xml.template Mon May 02 20:14:10 2016 +0200
@@ -4,6 +4,7 @@
+
+
+
+