OAuth login refactoring (#257)

* Login with ORCID ID

* Refactored OAuth and access requests

They have all moved to the end-user dataspace and do not need to extend `GraphStoreImpl` or `SPARQLEndpointImpl` anymore

* Commented out secrets

* `AuthorizationParams` fix

Also fixed access modal form

* Test fixes

* CORS filter for static assets

Context URL fixes

* CORS tests

* `id_token` is returned via URL fragment

Fixed CORS on `/static/` files

* Filter out public authorizations

* Undo system.trig changes

* Removed file

Author: namedgraph

docker-compose.yml

@@ -5,10 +5,14 @@ secrets:
     file: ./secrets/secretary_cert_password.txt
   client_truststore_password:
     file: ./secrets/client_truststore_password.txt
-  #google_client_id:
-  #  file: ./secrets/google_client_id.txt
-  #google_client_secret:
-  #  file: ./secrets/google_client_secret.txt
+  # google_client_id:
+  #   file: ./secrets/google/client_id.txt
+  # google_client_secret:
+  #   file: ./secrets/google/client_secret.txt
+  # orcid_client_id:
+  #   file: ./secrets/orcid/client_id.txt
+  # orcid_client_secret:
+  #   file: ./secrets/orcid/client_secret.txt
 volumes:
   varnish_frontend_cache:
 services:
@@ -76,8 +80,10 @@ services:
       - owner_cert_password
       - secretary_cert_password
       - client_truststore_password
-      #- google_client_id
-      #- google_client_secret
+      # - google_client_id
+      # - google_client_secret
+      # - orcid_client_id
+      # - orcid_client_secret
     volumes:
       - /var/linkeddatahub/oidc
       - ./ssl/server:/var/linkeddatahub/ssl/server:ro
@@ -362,6 +368,15 @@ configs:
       }
 
       sub vcl_backend_response {
+          /* Add Vary: Origin for static files to enable proper CORS caching */
+          if (bereq.url ~ "^/static/") {
+              if (beresp.http.Vary) {
+                  set beresp.http.Vary = beresp.http.Vary + ", Origin";
+              } else {
+                  set beresp.http.Vary = "Origin";
+              }
+          }
+          
           /* purge URLs after updates */
           if ((beresp.status == 200 || beresp.status == 201 || beresp.status == 204) && bereq.method ~ "POST|PUT|DELETE|PATCH") {
               set beresp.http.X-LinkedDataHub = "Banned";

http-tests/access/POST-request-access.sh

@@ -30,5 +30,5 @@ curl -w "%{http_code}\n" -o /dev/null -k -s \
   --data-urlencode "ol=Access request by Test Agent" \
   --data-urlencode "pu=http://www.w3.org/ns/auth/acl#agent" \
   --data-urlencode "ou=${AGENT_URI}" \
-  "${ADMIN_BASE_URL}access/request" \
+  "${END_USER_BASE_URL}access/request" \
 | grep -q "$STATUS_OK"

http-tests/access/group-authorization.sh

@@ -16,7 +16,7 @@ ntriples=$(curl -k -s -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -H "Accept: application/n-triples" \
   --data "this=${container}" \
-  "${ADMIN_BASE_URL}access"
+  "${END_USER_BASE_URL}access"
 )
 
 if echo "$ntriples" | grep -q "<http://www.w3.org/ns/auth/acl#agentGroup> <${ADMIN_BASE_URL}acl/groups/writers/#this>"; then
@@ -47,7 +47,7 @@ ntriples=$(curl -k -s -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -H "Accept: application/n-triples" \
   --data "this=${container}" \
-  "${ADMIN_BASE_URL}access"
+  "${END_USER_BASE_URL}access"
 )
 
 if ! echo "$ntriples" | grep -q "<http://www.w3.org/ns/auth/acl#agentGroup> <${ADMIN_BASE_URL}acl/groups/writers/#this>"; then

http-tests/access/owner-authorization.sh

@@ -33,7 +33,7 @@ ntriples=$(curl -k -s -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -H "Accept: application/n-triples" \
   --data "this=${container}" \
-  "${ADMIN_BASE_URL}access"
+  "${END_USER_BASE_URL}access"
 )
 
 auth1=$(echo "$ntriples" | grep -F "<http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <https://w3id.org/atomgraph/linkeddatahub/admin/acl#OwnerAuthorization>" | cut -d' ' -f1)

http-tests/document-hierarchy/GET-children.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# add agent to the writers group
+
+add-agent-to-group.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --agent "$AGENT_URI" \
+  "${ADMIN_BASE_URL}acl/groups/writers/"
+
+# create container
+
+slug="test-children-query"
+
+container=$(create-container.sh \
+  -f "$AGENT_CERT_FILE" \
+  -p "$AGENT_CERT_PWD" \
+  -b "$END_USER_BASE_URL" \
+  --title "Test Children Query" \
+  --slug "$slug" \
+  --parent "$END_USER_BASE_URL")
+
+# execute SPARQL query to retrieve children of the end-user base URL
+
+query="DESCRIBE * WHERE { SELECT DISTINCT ?child ?thing WHERE { GRAPH ?childGraph { { ?child <http://rdfs.org/sioc/ns#has_parent> <${END_USER_BASE_URL}>. } UNION { ?child <http://rdfs.org/sioc/ns#has_container> <${END_USER_BASE_URL}>. } ?child <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> ?Type. OPTIONAL { ?child <http://purl.org/dc/terms/title> ?title. } OPTIONAL { ?child <http://xmlns.com/foaf/0.1/primaryTopic> ?thing. } } } ORDER BY (?title) LIMIT 20 }"
+
+curl -k -f -s \
+  -G \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -H 'Accept: application/n-triples' \
+  --data-urlencode "query=$query" \
+  "${END_USER_BASE_URL}sparql" \
+| grep -q "<${container}>"

http-tests/misc/cors-jaxrs.sh

@@ -0,0 +1,53 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# Test JAX-RS CORSFilter on dynamic content (GET request)
+
+response=$(curl -i -k -s \
+  -H "Origin: https://example.com" \
+  -H "Accept: text/turtle" \
+  "$END_USER_BASE_URL")
+
+# Verify Access-Control-Allow-Origin header is present
+if ! echo "$response" | grep -q "Access-Control-Allow-Origin: \*"; then
+  echo "CORS header 'Access-Control-Allow-Origin' not found in GET response"
+  exit 1
+fi
+
+# Verify Access-Control-Allow-Methods header is present
+if ! echo "$response" | grep -q "Access-Control-Allow-Methods:"; then
+  echo "CORS header 'Access-Control-Allow-Methods' not found in GET response"
+  exit 1
+fi
+
+# Test OPTIONS preflight request
+
+preflight=$(curl -i -k -s \
+  -X OPTIONS \
+  -H "Origin: https://example.com" \
+  -H "Access-Control-Request-Method: POST" \
+  "$END_USER_BASE_URL")
+
+# Verify preflight response has CORS headers
+if ! echo "$preflight" | grep -q "Access-Control-Allow-Origin: \*"; then
+  echo "CORS header 'Access-Control-Allow-Origin' not found in OPTIONS response"
+  exit 1
+fi
+
+# Verify preflight response has Access-Control-Max-Age
+if ! echo "$preflight" | grep -q "Access-Control-Max-Age:"; then
+  echo "CORS header 'Access-Control-Max-Age' not found in OPTIONS response"
+  exit 1
+fi
+
+# Verify OPTIONS request returns 204 No Content
+if ! echo "$preflight" | grep -q "HTTP/.* 204"; then
+  echo "OPTIONS preflight did not return 204 No Content"
+  exit 1
+fi

http-tests/misc/cors-static.sh

@@ -0,0 +1,35 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+# Test Tomcat CorsFilter on static files
+# The Tomcat filter only adds CORS headers when Origin header is present
+
+response=$(curl -i -k -s \
+  -H "Origin: https://example.com" \
+  "${END_USER_BASE_URL}static/com/atomgraph/linkeddatahub/css/bootstrap.css")
+
+# Verify Access-Control-Allow-Origin header is present
+if ! echo "$response" | grep -q "Access-Control-Allow-Origin: \*"; then
+  echo "CORS header 'Access-Control-Allow-Origin' not found on static file"
+  exit 1
+fi
+
+# Verify the static file was served successfully
+if ! echo "$response" | grep -q "HTTP/.* 200"; then
+  echo "Static file request did not return 200 OK"
+  exit 1
+fi
+
+# Test OPTIONS request on static files
+
+preflight=$(curl -i -k -s \
+  -X OPTIONS \
+  -H "Origin: https://example.com" \
+  -H "Access-Control-Request-Method: GET" \
+  "${END_USER_BASE_URL}static/com/atomgraph/linkeddatahub/css/bootstrap.css")
+
+# Verify preflight response has CORS headers
+if ! echo "$preflight" | grep -q "Access-Control-Allow-Origin: \*"; then
+  echo "CORS header 'Access-Control-Allow-Origin' not found in OPTIONS response for static file"
+  exit 1
+fi

platform/context.xsl

@@ -4,13 +4,15 @@
     <!ENTITY ac     "https://w3id.org/atomgraph/client#">
     <!ENTITY ldhc   "https://w3id.org/atomgraph/linkeddatahub/config#">
     <!ENTITY google "https://w3id.org/atomgraph/linkeddatahub/services/google#">
+    <!ENTITY orcid  "https://w3id.org/atomgraph/linkeddatahub/services/orcid#">
 ]>
 <xsl:stylesheet version="1.0"
 xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
 xmlns:a="&a;"
 xmlns:ac="&ac;"
 xmlns:ldhc="&ldhc;"
 xmlns:google="&google;"
+xmlns:orcid="&orcid;"
 >
 
     <xsl:output method="xml" indent="yes"/>
@@ -48,6 +50,8 @@ xmlns:google="&google;"
     <xsl:param name="mail.password"/>
     <xsl:param name="google:clientID"/>
     <xsl:param name="google:clientSecret"/>
+    <xsl:param name="orcid:clientID"/>
+    <xsl:param name="orcid:clientSecret"/>
 
     <xsl:template match="@*|node()">
         <xsl:copy>
@@ -158,6 +162,12 @@ xmlns:google="&google;"
             <xsl:if test="$google:clientSecret">
                 <Parameter name="&google;clientSecret" value="{$google:clientSecret}" override="false"/>
             </xsl:if>
+            <xsl:if test="$orcid:clientID">
+                <Parameter name="&orcid;clientID" value="{$orcid:clientID}" override="false"/>
+            </xsl:if>
+            <xsl:if test="$orcid:clientSecret">
+                <Parameter name="&orcid;clientSecret" value="{$orcid:clientSecret}" override="false"/>
+            </xsl:if>
 
             <xsl:apply-templates select="node()"/>
         </xsl:copy>