Merge pull request #13 from maartenplieger/master

 [AUTOWMS] Extra extensions are now supported: png, h5, hdf5, nc, nc4, geojson

.settings/org.eclipse.wst.common.component

@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?><project-modules id="moduleCoreId" project-version="1.5.0">
-    <wb-module deploy-name="adaguc-services-1.0.3">
+    <wb-module deploy-name="adaguc-services-1.0.8">
         <wb-resource deploy-path="/" source-path="/target/m2e-wtp/web-resources"/>
         <wb-resource deploy-path="/" source-path="/src/main/webapp" tag="defaultRootSource"/>
         <wb-resource deploy-path="/WEB-INF/classes" source-path="/src/main/java"/>

Dockerfile

@@ -1,4 +1,5 @@
-FROM centos:7
+FROM centos/devtoolset-7-toolchain-centos7:7
+USER root
 
 MAINTAINER Adaguc Team at KNMI <[email protected]>
 

pom.xml

@@ -5,7 +5,7 @@
 
 	<groupId>nl.knmi.adagucservices</groupId>
 	<artifactId>adaguc-services</artifactId>
-	<version>1.0.5</version>
+	<version>1.0.8</version>
 	<packaging>war</packaging>
 
 	<name>adaguc-services</name>
@@ -146,14 +146,18 @@
 			<version>4.2.2.RELEASE</version>
 		</dependency>
 		<dependency>
+			<!-- <groupId>nl.knmi.adaguc.tools</groupId>
+			<artifactId>adaguc-services-tools</artifactId>-->
 			<groupId>com.github.maartenplieger</groupId>
 			<artifactId>nl.knmi.adaguc.tools</artifactId>
-			<version>1.0.4</version>
+			<version>1.0.11</version>
 		</dependency>
 		<dependency>
 			<groupId>com.github.maartenplieger</groupId>
 			<artifactId>nl.knmi.adaguc.config</artifactId>
-			<version>1.0.8</version>
+			<!-- <groupId>nl.knmi.adaguc.config</groupId>
+			<artifactId>adaguc-services-config</artifactId> -->
+			<version>1.0.11</version>
 			<exclusions>
 				<exclusion>
 					<groupId>com.github.maartenplieger</groupId>

src/main/java/nl/knmi/adaguc/security/AuthenticatorImpl.java

@@ -49,20 +49,31 @@ public synchronized void init(HttpServletRequest request) {
 		if (request == null ) {
 			return;
 		}
-		//		Debug.println("Init");
+		/* Get user from session */
 		String sessionId = null;
 		HttpSession session = request.getSession();
 		if (session!=null) {
 			sessionId = (String) session.getAttribute("user_identifier");
 		}
-
-
 		if (sessionId!=null) {
 			x509 = new PemX509Tools().new X509Info(sessionId, sessionId);
 			Debug.println("Got userid from session");
 			return;
-		} else {
-			Debug.println("No userinfo from session");
+		}
+
+		/* Get user from header (Set by SSL client cert verification in NGINX)*/
+		try {
+			String userHeader = SecurityConfigurator.getUserHeader();
+			if (userHeader != null) {
+				String userIdFromHeader = request.getHeader(userHeader);
+				if (userIdFromHeader != null && userIdFromHeader.length() > 4) {
+					String userID = new PemX509Tools().getUserIdFromSubjectDN(userIdFromHeader);
+					Debug.println("Found user from header: " + userID);
+					x509 = new PemX509Tools().new X509Info(userID, userID);
+					return;
+				}
+			}
+		} catch (ElementNotFoundException e) {
 		}
 
 		x509 = new PemX509Tools().getUserIdFromCertificate(request);

src/main/java/nl/knmi/adaguc/security/PemX509Tools.java

@@ -146,7 +146,7 @@ public static PrivateKey readPrivateKeyFromPEM (String fileName) throws IOExcept
 			PrivateKeyInfo ukp = (PrivateKeyInfo) object;
 			return converter.getPrivateKey(ukp);
 		}
-	
+
 	}
 
 	/**
@@ -182,6 +182,17 @@ public X509Info getUserIdFromCertificate(HttpServletRequest request){
 		return null;
 	}
 
+	public String getUserIdFromSubjectDN (String subjectDN) {
+		String[] dnItems = subjectDN.split(", ");
+		for (int j = 0; j < dnItems.length; j++) {
+			int CNIndex = dnItems[j].indexOf("CN");
+			if (CNIndex != -1) {
+				return dnItems[j].substring("CN=".length()
+						+ CNIndex);
+			}
+		}
+		return null;
+	}
 	/**
 	 * Returns information about the given certificate, like CN and serial number. This method does not verify
 	 * the certificate against trustroots. 
@@ -194,15 +205,7 @@ public X509Info getUserIdFromCertificate(X509Certificate cert){
 		String uniqueId = null;
 		uniqueId = "x509_"+cert.getSerialNumber();
 		String subjectDN = cert.getSubjectDN().toString();
-		//Debug.println("getSubjectDN: " + subjectDN);
-		String[] dnItems = subjectDN.split(", ");
-		for (int j = 0; j < dnItems.length; j++) {
-			int CNIndex = dnItems[j].indexOf("CN");
-			if (CNIndex != -1) {
-				CertOpenIdIdentifier = dnItems[j].substring("CN=".length()
-						+ CNIndex);
-			}
-		}
+		CertOpenIdIdentifier = getUserIdFromSubjectDN(subjectDN);
 		if(CertOpenIdIdentifier == null || uniqueId == null){
 			return null;
 		}
@@ -230,33 +233,33 @@ public static X509Certificate signCSR(PKCS10CertificationRequest csr, X509Certif
 		Calendar notBefore = Calendar.getInstance();
 		//notBefore.add(Calendar., -1);
 
-		
+
 		JcaPKCS10CertificationRequest jcaRequest = new JcaPKCS10CertificationRequest(csr);
 		X509v3CertificateBuilder certificateBuilder = new JcaX509v3CertificateBuilder(caCert,
 				BigInteger.valueOf(System.currentTimeMillis()), notBefore.getTime(), notAfter.getTime(), jcaRequest.getSubject(), jcaRequest.getPublicKey());
 
-//		JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
-//		certificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert))
-//		.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(jcaRequest.getPublicKey()))
-//		.addExtension(Extension.basicConstraints, true, new BasicConstraints(0))
-//		.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment))
-//		.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
-
-//		// add pkcs extensions
-//		Attribute[] attributes = csr.getAttributes();
-//		for (Attribute attr : attributes) {
-//			// process extension request
-//			if (attr.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
-//				Extensions extensions = Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
-//				@SuppressWarnings("unchecked")
-//				Enumeration<ASN1ObjectIdentifier> e = (Enumeration<ASN1ObjectIdentifier>  )extensions.oids();
-//				while (e.hasMoreElements()) {
-//					ASN1ObjectIdentifier oid =  e.nextElement();
-//					Extension ext = extensions.getExtension(oid);
-//					certificateBuilder.addExtension(oid, ext.isCritical(), ext.getParsedValue());
-//				}
-//			}
-//		}
+		//		JcaX509ExtensionUtils extUtils = new JcaX509ExtensionUtils();
+		//		certificateBuilder.addExtension(Extension.authorityKeyIdentifier, false, extUtils.createAuthorityKeyIdentifier(caCert))
+		//		.addExtension(Extension.subjectKeyIdentifier, false, extUtils.createSubjectKeyIdentifier(jcaRequest.getPublicKey()))
+		//		.addExtension(Extension.basicConstraints, true, new BasicConstraints(0))
+		//		.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature | KeyUsage.keyEncipherment))
+		//		.addExtension(Extension.extendedKeyUsage, true, new ExtendedKeyUsage(KeyPurposeId.id_kp_serverAuth));
+
+		//		// add pkcs extensions
+		//		Attribute[] attributes = csr.getAttributes();
+		//		for (Attribute attr : attributes) {
+		//			// process extension request
+		//			if (attr.getAttrType().equals(PKCSObjectIdentifiers.pkcs_9_at_extensionRequest)) {
+		//				Extensions extensions = Extensions.getInstance(attr.getAttrValues().getObjectAt(0));
+		//				@SuppressWarnings("unchecked")
+		//				Enumeration<ASN1ObjectIdentifier> e = (Enumeration<ASN1ObjectIdentifier>  )extensions.oids();
+		//				while (e.hasMoreElements()) {
+		//					ASN1ObjectIdentifier oid =  e.nextElement();
+		//					Extension ext = extensions.getExtension(oid);
+		//					certificateBuilder.addExtension(oid, ext.isCritical(), ext.getParsedValue());
+		//				}
+		//			}
+		//		}
 
 		ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").setProvider("BC").build(caPrivateKey);
 		return new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateBuilder.build(signer));
@@ -286,7 +289,7 @@ public static String certificateToPemString(Object certHolder) throws IOExceptio
 	public static void writeCertificateToPemFile(Object certHolder, String fileName) throws IOException {
 		Tools.writeFile(fileName, certificateToPemString(certHolder));		
 	}
-	
+
 	public static void writePrivateKeyToPemFile(PrivateKey certHolder, String fileName) throws IOException {
 		Tools.writeFile(fileName, privateKeyToPemString(certHolder));		
 	}
@@ -436,27 +439,27 @@ public X509UserCertAndKey setupSLCertificateUser(String clientId, X509Certificat
 
 		/* Step 5 - Generate CSR */
 		PKCS10CertificationRequest csr = PemX509Tools.createCSR("CN="+clientId, keyPairCSR);
-		
-//		 try {
-//			PemX509Tools.writeCertificateToPemFile(csr, "/tmp/_usercsr.csr");
-//			PemX509Tools.writeCertificateToPemFile(caCertificate, "/tmp/_ca.pem");
-//			PemX509Tools.writePrivateKeyToPemFile(privateKey, "/tmp/_ca.key");
-//		} catch (IOException e) {
-//			// TODO Auto-generated catch block
-//			e.printStackTrace();
-//		}
+
+		//		 try {
+		//			PemX509Tools.writeCertificateToPemFile(csr, "/tmp/_usercsr.csr");
+		//			PemX509Tools.writeCertificateToPemFile(caCertificate, "/tmp/_ca.pem");
+		//			PemX509Tools.writePrivateKeyToPemFile(privateKey, "/tmp/_ca.key");
+		//		} catch (IOException e) {
+		//			// TODO Auto-generated catch block
+		//			e.printStackTrace();
+		//		}
 
 		/* Step 6 - Sign CSR with CA */		
 		X509Certificate signedCrt = PemX509Tools.signCSR(csr, caCertificate, privateKey);
 
-//		try {
-//			PemX509Tools.writeCertificateToPemFile(signedCrt, "/tmp/_user.crt");
-//			PemX509Tools.writePrivateKeyToPemFile(keyPairCSR.getPrivate(), "/tmp/_user.key");
-//		} catch (IOException e) {
-//			// TODO Auto-generated catch block
-//			e.printStackTrace();
-//		}
-		
+		//		try {
+		//			PemX509Tools.writeCertificateToPemFile(signedCrt, "/tmp/_user.crt");
+		//			PemX509Tools.writePrivateKeyToPemFile(keyPairCSR.getPrivate(), "/tmp/_user.key");
+		//		} catch (IOException e) {
+		//			// TODO Auto-generated catch block
+		//			e.printStackTrace();
+		//		}
+
 
 		return new X509UserCertAndKey(signedCrt, keyPairCSR.getPrivate());
 	}
@@ -495,7 +498,7 @@ public CloseableHttpClient getHTTPClientForPEMBasedClientAuthPEM(
 		}
 		return getHTTPClientForPEMBasedClientAuth(trustStoreLocation,trustStorePassword,certAndKey);
 	}
-	
+
 	/**
 	 * 
 	 * @param trustStoreLocation

src/main/java/nl/knmi/adaguc/security/SecurityConfigurator.java

@@ -2,6 +2,7 @@
 
 import java.util.Vector;
 
+import lombok.Synchronized;
 import nl.knmi.adaguc.config.ConfigurationReader;
 import nl.knmi.adaguc.services.oauth2.OAuthConfigurator.Oauth2Settings;
 import nl.knmi.adaguc.tools.Debug;
@@ -39,20 +40,23 @@ public class SecurityConfigurator implements nl.knmi.adaguc.config.ConfiguratorI
 	private static String keyStorePassword=null;
 	private static String keyStoreType="JKS";
 	private static String keyAlias="tomcat";
+	private static String userHeader=null;	
 	private static String caCertificate = null;
 	private static String caPrivateKey = null;		
 
 	public static class ComputeNode {
 		public String url = null;
+		public String name = null;
 	};
 
 	static Vector<ComputeNode> computeNodes = new Vector<ComputeNode>();
 
 	static ConfigurationReader configurationReader = new ConfigurationReader ();
 
+	@Synchronized
 	@Override
 	public void doConfig(XMLElement  configReader){
-
+		
 		if(configReader.getNodeValue ("adaguc-services.security")==null){
 			Debug.println("adaguc-services.security is not configured");
 			return;
@@ -63,20 +67,24 @@ public void doConfig(XMLElement  configReader){
 		keyStore=configReader.getNodeValue("adaguc-services.security.keystore");
 		keyStorePassword=configReader.getNodeValue("adaguc-services.security.keystorepassword");
 		keyStoreType=configReader.getNodeValue("adaguc-services.security.keystoretype");
+		computeNodes.clear();
 		keyAlias=configReader.getNodeValue("adaguc-services.security.keyalias");
+		userHeader=configReader.getNodeValue("adaguc-services.security.userheader");
+
 		if (configReader.getNodeValue("adaguc-services.security.tokenapi")!=null){
 			caCertificate=configReader.getNodeValue("adaguc-services.security.tokenapi.cacertificate");
 			caPrivateKey=configReader.getNodeValue("adaguc-services.security.tokenapi.caprivatekey");
 			if (configReader.getNodeValue("adaguc-services.security.tokenapi.remote-instances")!=null){
 				try {
-					Vector<XMLElement> computeNodeElements = configReader.get("adaguc-services").get("security").get("tokenapi").getList("remote-instances");
+					Vector<XMLElement> computeNodeElements = configReader.get("adaguc-services").get("security").get("tokenapi").get("remote-instances").getList("adaguc-service");
 					for(int j=0;j<computeNodeElements.size();j++){
 						XMLElement computeNodeElement = computeNodeElements.get(j);
 
 						try {
 							ComputeNode computeNode = new ComputeNode();
-							computeNode.url = computeNodeElement.get("adaguc-service").getValue();
-							Debug.println("Added remote instance " + computeNode.url);
+							computeNode.url = computeNodeElement.getValue();
+							computeNode.name = computeNodeElement.getAttrValue("name");
+//							Debug.println("Added remote instance " + computeNode.url + " with name " + computeNode.name);
 							computeNodes.add(computeNode);
 						} catch (Exception e) {
 							Debug.printStackTrace(e);
@@ -142,6 +150,11 @@ public static Object getKeyAlias() throws ElementNotFoundException {
 		configurationReader.readConfig();
 		return keyAlias;
 	}
+
+	public static String getUserHeader() throws ElementNotFoundException {
+		configurationReader.readConfig();
+		return userHeader;
+	}
 }
 
 

src/main/java/nl/knmi/adaguc/security/token/TokenManager.java

@@ -49,7 +49,6 @@ public String getTokenFromPath(String path){
 		if (matcher.find())	{
 		    return matcher.group();
 		}
-		Debug.println("No access token set in PATH URL via .../accesstoken/...");
 		return null;
 	}
 	public synchronized static Token registerToken(User user) throws IOException, ElementNotFoundException, AuthenticationException, ParseException{

src/main/java/nl/knmi/adaguc/services/adagucserver/ADAGUCRequestMapper.java

@@ -13,6 +13,7 @@
 import com.fasterxml.jackson.databind.ObjectMapper;
 import com.fasterxml.jackson.databind.SerializationFeature;
 
+import nl.knmi.adaguc.tools.Debug;
 import nl.knmi.adaguc.tools.JSONResponse;
 
 @RestController
@@ -29,7 +30,7 @@ public MappingJackson2HttpMessageConverter mappingJackson2HttpMessageConverter()
 	@CrossOrigin
 	@RequestMapping("wms")
 	public void ADAGUCSERVERWMS(HttpServletResponse response, HttpServletRequest request){
-
+		Debug.println("/wms");
 		try {
 			ADAGUCServer.runADAGUCWMS(request,response,null,null);
 		} catch (Exception e) {
@@ -47,7 +48,7 @@ public void ADAGUCSERVERWMS(HttpServletResponse response, HttpServletRequest req
 	@CrossOrigin
 	@RequestMapping("adagucserver")
 	public void ADAGUCSERVER(HttpServletResponse response, HttpServletRequest request){
-
+		Debug.println("/adagucserver");
 		try {
 			ADAGUCServer.runADAGUCWMS(request,response,null,null);
 		} catch (Exception e) {
@@ -62,9 +63,10 @@ public void ADAGUCSERVER(HttpServletResponse response, HttpServletRequest reques
 
 	}
 	@ResponseBody
+	@CrossOrigin
 	@RequestMapping("wcs")
 	public void ADAGUCSERVERWCS(HttpServletResponse response, HttpServletRequest request){
-
+		Debug.println("/wcs");
 		try {
 			ADAGUCServer.runADAGUCWCS(request,response,null,null);
 		} catch (Exception e) {
@@ -79,9 +81,10 @@ public void ADAGUCSERVERWCS(HttpServletResponse response, HttpServletRequest req
 
 	}
 	@ResponseBody
+	@CrossOrigin
 	@RequestMapping("adagucopendap/**")
 	public void ADAGUCSERVEROPENDAP(HttpServletResponse response, HttpServletRequest request){
-
+		Debug.println("/adagucopendap");
 		try {
 			ADAGUCServer.runADAGUCOpenDAP(request,response,null,null);
 		} catch (Exception e) {