Change Tomcat Valve to servlet Filter #11

whikloj · 2018-01-21T04:40:47Z

GitHub Issue: Islandora/documentation#736

Depends on: Islandora/documentation#84
Depends on: Islandora/Crayfish-Commons#15

What does this Pull Request do?

Converts the Tomcat Valve to a Filter
Replaces the XML configuration with a YAML one.
Changes some of the JWT claims to use standard ones.
Makes the SettingsParser parse the config only once and then supply the 3 maps from the internal Config object.

What's new?

The servletfilter will fail to initialize if it can't access it's settings file or the settings file is invalid.
In theory this filter should work on non-Tomcat container, but I haven't tried that.
The claim changes are
- id -> webid
- name -> sub
- url -> iss
Does this change require documentation to be updated? Documentation has been updated
Does this change add any new dependencies? no
Does this change require any other modifications to be made to the repository (ie. Regeneration activity, etc.)?
Could this change impact execution of existing code?

How should this be tested?

There is no easy way to test this, it will require uninstalling Islandora. But this should hopefully work.

Make sure you have a current version of master from claw-playbook.
Delete your roles/external directory if it exists.
Download this patch to the main claw-playbook directory and apply with git patch <patchfile>.
Run ansible-galaxy install --role-file=requirements.yml --roles-path=roles/external
Now for some manual editing in roles/external/Islandora-Devops.fcrepo-syn
1. defaults/main.yml change fcrepo_syn_version: 0.1.0 to fcrepo_syn_version: 0.1.1
2. tasks/install.yml change url: https://github.com/Islandora-CLAW/Syn/releases/download/v{{ fcrepo_syn_version }}/islandora-syn-{{ fcrepo_syn_version }}-all.jar to url: https://github.com/whikloj/Syn/releases/download/v{{ fcrepo_syn_version }}/islandora-syn-{{ fcrepo_syn_version }}-all.jar
Run vagrant up
Once the VM is up and running, log in vagrant ssh
Download and run this script.
When it tells you its ready for testing. Then please test.

You should be able to create a collection or image in Drupal and have it sync to Fedora.

But you should not be able to PUT/POST to fedora without a valid JWT or token. Like

ubuntu@claw:~$ curl -i -XPUT http://localhost:8080/fcrepo/rest/breaking
HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 1068
Date: Tue, 23 Jan 2018 16:51:21 GMT

<!DOCTYPE html><html><head><title>Apache Tomcat/8.0.32 (Ubuntu) - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 401 - Token authentication failed.</h1><div class="line"></div><p><b>type</b> Status report</p><p><b>message</b> <u>Token authentication failed.</u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><hr class="line"><h3>Apache Tomcat/8.0.32 (Ubuntu)</h3></body></html>

Additional Notes:

Any additional information that you think would be helpful when reviewing this PR.

Interested parties

Tag (@ mention) interested parties or, if unsure, @Islandora-CLAW/committers

codecov · 2018-01-21T04:42:52Z

Codecov Report

Merging #11 into master will increase coverage by 3.35%.
The diff coverage is 92.3%.

@@             Coverage Diff              @@
##             master      #11      +/-   ##
============================================
+ Coverage     86.11%   89.47%   +3.35%     
+ Complexity      116      112       -4     
============================================
  Files             6        9       +3     
  Lines           353      323      -30     
  Branches         65       53      -12     
============================================
- Hits            304      289      -15     
+ Misses           24       12      -12     
+ Partials         25       22       -3

Impacted Files	Coverage Δ	Complexity Δ
src/main/java/ca/islandora/syn/settings/Site.java	`100% <ø> (ø)`	`15 <0> (ø)`	⬇️
...java/ca/islandora/syn/valve/SynRequestWrapper.java	`100% <100%> (ø)`	`3 <3> (?)`
...slandora/syn/settings/SettingsParserException.java	`100% <100%> (ø)`	`2 <2> (?)`
...rc/main/java/ca/islandora/syn/settings/Config.java	`100% <100%> (ø)`	`7 <4> (ø)`	⬇️
.../ca/islandora/syn/token/InvalidTokenException.java	`100% <100%> (ø)`	`2 <2> (?)`
src/main/java/ca/islandora/syn/token/Verifier.java	`100% <100%> (+31.25%)`	`10 <5> (+1)`	⬆️
src/main/java/ca/islandora/syn/settings/Token.java	`93.75% <100%> (ø)`	`7 <2> (ø)`	⬇️
...java/ca/islandora/syn/settings/SettingsParser.java	`80% <83.33%> (-1.94%)`	`43 <17> (-7)`
...rc/main/java/ca/islandora/syn/valve/SynFilter.java	`92.22% <92.22%> (ø)`	`23 <23> (?)`
... and 4 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 4b3ed30...7f2a556. Read the comment docs.

whikloj · 2018-01-22T02:39:36Z

Pinging @acoburn and @ajs6f help to reveal my mistake.

I setup the Filter to attempt to load a relative location of the settings file by using getResource() from the classloader to find it inside the classpath. But the sample test file left in src/test/resource is not located as you can see in this test.

I had to ignore the test it as I am at a loss why this is not working. Alternatively, I'll just required the path to be absolute.

DiegoPino · 2018-01-22T03:37:42Z

@whikloj this will sound silly, but, I think, maven puts test resources at the root of your classpath (right?) by default but maybe gradle needs to be told where to look at?, It defines two different resource locations, main v/s tests..

Maybe you need in your build.gradle, for src/test/resources/exampleSettings.yaml to be found
, something like?

sourceSets.test {
    resources.srcDirs = ["src/test"]
}

or something like ?

test { 
    setClasspath(sourceSets.test.runtimeClasspath) 
}

I'm guessing really here 😢 , you know java is like lava for me, can't swim there but looks tempting and glowing...

I feel it all depends on the output of running SynFilter.class.getClassLoader().getResource(".") and see what that points to when running the tests.

As always dismiss if all this is just me confused and you tried that. good night

ajs6f · 2018-01-22T14:42:17Z

I'm going to defer to @acoburn here, who knows more about Gradle in his little finger than I do in my whole body.

I will offer that loading editable config from the web app itself is generally not a good idea for a Java webapp. Better to have a config location outside the web app. Ideally, the web app itself (on the filesystem) never changes at all and can be deployed packed and operated packed.

ajs6f

Looks basically good to me, code-wise. I ran out of time but generally there are a lot of things called testXml that aren't XML and there are a good number of Autocloseable things that aren't being used in try-with-resource and there are a number of for loops that ought to be Iterable::forEachcalls, but these are all niceties that won't affect the operation of the code significantly.

ajs6f · 2018-01-22T14:43:07Z

src/test/java/ca/islandora/syn/valves/SynFilterTest.java

+        assertEquals(username, requestCaptor.getValue().getUserPrincipal().getName());
+
+        for (final String role : finalRoles) {
+            assertTrue(requestCaptor.getValue().isUserInRole(role));


Unless order is important, prefer finalRoles.forEach(role -> assertTrue(requestCaptor.getValue().isUserInRole(role)))

ajs6f · 2018-01-22T14:43:53Z