Adding user authentication to SAS

.github/bin/waitHttp.sh

@@ -0,0 +1,11 @@
+#!/bin/bash
+
+http_code=100
+while [ "$http_code" != "200" ]
+do 
+    sleep 5
+    http_code=`curl --write-out %{http_code} --silent --output /dev/null "$1"`
+    echo "$http_code";
+done
+
+

.github/workflows/elastic.yml

@@ -0,0 +1,23 @@
+name: Elastic
+
+on: [push]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK 11
+        uses: actions/setup-java@v2
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: maven
+      - name: Starting ElasticSearch
+        run: docker compose -f docker/sas-elastic/compose.yaml --project-directory . up -d elastic
+      - name: Wait for Elastic to start
+        run: .github/bin/waitHttp.sh "http://localhost:9200/_cluster/health?wait_for_status=yellow&timeout=50s"
+      - name: Run Tests
+        run: export "config=elastic.properties" && mvn test
+

.github/workflows/jena.yml

@@ -0,0 +1,22 @@
+name: Jena
+
+on: [push]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK 11
+        uses: actions/setup-java@v2
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: maven
+
+      - name: Selecting Jena config
+        run: export "config=Jena.properties"
+
+      - name: Run Tests
+        run: mvn test

.github/workflows/solr-cloud.yml

@@ -0,0 +1,21 @@
+name: SOLR Cloud
+
+on: [push]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+
+      - name: Starting SOLR
+        run: docker compose -f docker/sas-solr-cloud/compose.yaml --project-directory . up -d 
+
+      - name: Wait for SOLR to start
+        run:  docker exec -t solr1 /opt/docker-solr/scripts/wait-for-solr.sh --max-attempts 10 --wait-seconds 5 --solr-url http://0.0.0.0:8983/
+
+        # Due to the way docker-compose and SOLR works we can't access the SOLR cloud
+        # from this machine. Instead we have to run the test within the cluster
+      - name: Run Tests
+        run: docker exec --workdir /usr/src/sas simpleannotationserver_web_1 /usr/bin/mvn -q test

.github/workflows/solr.yml

@@ -0,0 +1,27 @@
+name: SOLR
+
+on: [push]
+
+jobs:
+  build:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v2
+      - name: Set up JDK 11
+        uses: actions/setup-java@v2
+        with:
+          java-version: '11'
+          distribution: 'temurin'
+          cache: maven
+      - name: Starting SOLR
+        run:  mkdir solr-data && chmod 777 solr-data && docker compose -f docker/sas-solr/compose.yaml --project-directory . up -d solr
+
+      - name: checking docker
+        run:  docker ps && docker logs sas_solr
+
+      - name: Wait for SOLR to start
+        run:  docker exec -t sas_solr /opt/docker-solr/scripts/wait-for-solr.sh --max-attempts 10 --wait-seconds 10 --solr-url http://0.0.0.0:8983/
+
+      - name: Run Tests
+        run: export "config=solr.properties" && mvn test

.gitignore

@@ -5,5 +5,10 @@ src/main/webapp/demo.html
 /data
 cache
 index-2.6.1.html
-src/main/webapp/stats
+src/main/webapp/stats/*.json
 .aws-credentials
+auth.json
+*auth.json
+node
+node_modules
+solr-data

buildspec.yml

@@ -6,6 +6,8 @@ phases:
       - echo Logging in to Amazon ECR...
       - aws --version
       - $(aws ecr get-login --region $AWS_DEFAULT_REGION --no-include-email)
+      - echo Logging in to Docker Hub...
+      - echo $DOCKERHUB_PASSWORD | docker login --username $DOCKERHUB_USERNAME --password-stdin
       - IMAGE_NAME="sas"
       - REPOSITORY_URI=082101253860.dkr.ecr.eu-west-2.amazonaws.com/sas
       - IMAGE_TAG=prod_$(echo $CODEBUILD_RESOLVED_SOURCE_VERSION | cut -c 1-7)
@@ -14,13 +16,13 @@ phases:
       - echo Build started on `date`
       - echo Building the Docker image...
       - echo Image_tag $IMAGE_TAG
-      - docker build -t $REPOSITORY_URI:$IMAGE_TAG -f docker/sas-tomcat/Dockerfile .
-      - docker tag $REPOSITORY_URI:$IMAGE_TAG $REPOSITORY_URI:latest 
+      - docker build --build-arg AUTH_JSON_LOCATION=$AUTH_JSON_LOCATION --build-arg AWS_DEFAULT_REGION=$AWS_DEFAULT_REGION --build-arg AWS_CONTAINER_CREDENTIALS_RELATIVE_URI=$AWS_CONTAINER_CREDENTIALS_RELATIVE_URI -t $REPOSITORY_URI:$IMAGE_TAG -t $REPOSITORY_URI:latest -f docker/sas-auth/Dockerfile .
   post_build:
     commands:
       - echo Build completed on `date`
       - echo Pushing the Docker images...
-      - docker push $REPOSITORY_URI
+      - docker push $REPOSITORY_URI:latest 
+      - docker push $REPOSITORY_URI:$IMAGE_TAG
       - echo Writing image definitions file...
       - printf '[{"name":"SAS","imageUri":"%s"}]' $REPOSITORY_URI:$IMAGE_TAG > imagedefinitions.json
 artifacts:

doc/Auth.md

@@ -0,0 +1,143 @@
+# Authentication
+
+The SimpleAnnotationServer now supports Authentication through OAuth. This allows users to login using Google, GitHub or other OAuth provider and to work on a private workspace of Annotations, Manifests and Collections. 
+
+## Configuration
+
+The presence of a file called `auth.json` in the `src/main/webapp/WEB-INF` is enough for SAS to know that it should use authentication for all requests. The `auth.json` file has settings for OAuth providers and should be kept secret and outside of GitHub. An example configuration for Google is shown below:
+
+```
+[{
+    "id":"google",
+    "class": "com.github.scribejava.apis.GoogleApi20",
+    "clientId": "**google_client_id**",
+    "clientSecret": "**google_client_secret",
+    "scope": "profile email",
+    "additionalParam": {
+        "access_type": "offline"    
+    },
+    "button": {
+        "logo": "/images/GoogleLogo.svg",
+        "text": "Sign in with Google"
+    },
+    "userMapping": {
+        "endpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
+        "responseKeys": {
+            "id":"sub",
+            "name": "name",
+            "email": "email",
+            "pic": "picture"
+        }
+    }
+}]
+```
+
+The file is split into three sections; OAuth settings, button config and userMappings and details for each section can be seen below. To offer multiple login options it is possible to add extra configs to this file as the root of the JSON is a list. 
+
+### OAuth Settings
+
+The OAuth settings from above are copied below for convenience: 
+
+```
+"id":"google",
+"class": "com.github.scribejava.apis.GoogleApi20",
+"clientId": "**google_client_id**",
+"clientSecret": "**google_client_secret",
+"scope": "profile email",
+"additionalParam": {
+    "access_type": "offline"    
+},
+```
+
+The files are:
+
+ * __id__ this should be unique in the file and be used to identify the authentication method
+ * __class__ this is the [ScribeJava](https://github.com/scribejava/scribejava) OAuth library class which implements this authentication method. The ScribeJava github site gives examples with lots of different OAuth providers. 
+ * __clientId__ and __clientSecret__ these are generated by Google and you can apply for a set of keys by going to the [Google Developer Console](https://console.developers.google.com/apis/credentials). When you apply for keys you will need to add a Authorized redirect URI to the SAS system. This is the URL google will return the user if they authenticated correctly. The redirect URI should be:
+
+https://example.com/login-callback
+
+where example.com is the public domain name you are using to host SAS.
+
+ * __scope__ this is the information SAS is asking the user to give permission for. To find out what is required for your OAuth provider check the ScribeJava examples.
+ * __additionalParam__ some OAuth providers also require extra parameters. Again check ScribeJava to see if this is required. 
+
+### Button config
+When you login to SAS it will present you with a login page where users are asked to choose which login service they would like to register with. The button config allows customisation of the logo and text that is offered to the user for this authentication method:
+
+```
+"button": {
+    "logo": "/images/GoogleLogo.svg",
+    "text": "Sign in with Google"
+},
+```
+
+### User Mapping
+Once a user has been authenticated then SAS will request the name, email and profile picture from the OAuth provider. This is usually done using a standard API that returns a JSON list of keys. The Key mapping configuration maps the OAuth User JSON to SAS's users. 
+
+```
+"userMapping": {
+    "endpoint": "https://www.googleapis.com/oauth2/v3/userinfo",
+    "responseKeys": {
+        "id":"sub",
+        "name": "name",
+        "email": "email",
+        "pic": "picture"
+    }
+}
+```
+
+## Extra customisation
+
+As well as the general configuration above its also possible to customise the authentication in the following ways.
+
+
+
+## Deployment with Docker
+
+If you are working with SAS in the cloud you will need to make sure the that the auth.json doesn't end up in GitHub where it will be public. There is an example [Dockerfile](../docker/sas-auth/Dockerfile) in the sas-auth directory which will work with a `auth.json` held in an Amazon S3 bucket. To get this to work you will need to ensure the Code Pipeline role has the following permissions:
+
+
+Codepipeline Service role to access s3:
+
+Build project -> build details -> Service role ARN
+
+Ensure ROLE has this:
+```
+{
+    "Action": [
+        "s3:GetObject",
+        "s3:GetObjectVersion",
+        "s3:GetBucketVersioning"
+    ],
+    "Resource": [
+        "arn:aws:s3:::sasconfig*"
+    ],
+    "Effect": "Allow"
+},
+{
+    "Effect": "Allow",
+    "Action": [
+        "kms:Decrypt",
+        "kms:GenerateDataKey",
+        "kms:GenerateDataKeyWithoutPlaintext",
+        "kms:GenerateDataKeyPairWithoutPlaintext",
+        "ssm:GetParameters",
+        "kms:GenerateDataKeyPair",
+        "ssm:GetParameter"
+    ],
+    "Resource": [
+        "arn:aws:kms:$REGION:$AWS_ACCOUNT_ID:key/$ENCRYPT_KEY",
+        "arn:aws:ssm:$REGION:$AWS_ACCOUNT_ID:parameter/$PARAM_KEYS/*"
+    ]
+}
+```
+
+To find the relevant service role you can navigate to your Code Builder project where you can see the history of your build. At the top there is a tab called 'Build Details'. Click this then scroll down until you see a clickable link for the "Service role".
+
+For your configuration you to will need to change `$REGION`, `$AWS_ACCOUNT_ID`, `$ENCRYPT_KEY` and $PARAM_KEYS to fit your AWS account details. To setup the required parameters there is a great write up here:
+
+https://medium.com/rockedscience/fixing-docker-hub-rate-limiting-errors-in-ci-cd-pipelines-ea3c80017acb
+
+## Migrating from previous versions of SAS
+SAS previously hasn't had the concept of users or Authentication so this version will be a breaking change and any annotations created using previous versions of SAS will no longer be accessible because they are not associated with a user. Ensure you have backed up any annotations you would like to keep and it is advisable to use a new ElasticSearch or SOLR index to run this version of SAS.

docker/sas-auth/Dockerfile

@@ -0,0 +1,28 @@
+# build stage
+FROM maven:3-jdk-11 AS buildstage
+WORKDIR /usr/src/sas
+COPY . /usr/src/sas
+ARG MVN_ARGS="-DskipTests"
+# build SAS using maven
+RUN mvn $MVN_ARGS package
+
+# runnable container stage
+FROM tomcat:9-jre11 AS runstage
+ARG AWS_DEFAULT_REGION
+ARG AWS_CONTAINER_CREDENTIALS_RELATIVE_URI
+ARG AUTH_JSON_LOCATION
+# remove tomcat default webapps and create data directory
+RUN rm -rf /usr/local/tomcat/webapps/* 
+# copy SAS from build image
+COPY --from=buildstage /usr/src/sas/target/simpleAnnotationStore /usr/local/tomcat/webapps/ROOT
+# copy properties
+COPY docker/sas-auth/sas.properties /usr/local/tomcat/webapps/ROOT/WEB-INF
+
+# Download auth config
+# Install the AWS CLI
+RUN apt-get update && \
+        apt-get -y install awscli 
+RUN aws --region eu-west-2 s3 cp $AUTH_JSON_LOCATION /usr/local/tomcat/webapps/ROOT/WEB-INF/
+# For testing locally:
+#COPY docker/sas-auth/auth.json /usr/local/tomcat/webapps/ROOT/WEB-INF/
+# use default port and entrypoint

docker/sas-auth/compose.yaml

@@ -0,0 +1,20 @@
+version: '3'
+services:
+  web:
+    container_name: sas 
+    build: 
+        context: .
+        dockerfile: docker/sas-auth/Dockerfile
+    ports:
+      - "8888:8080"
+  elastic:
+    image: "elasticsearch:7.8.1"
+    container_name: elasticsearch
+    environment:
+      - discovery.type=single-node
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    ports:
+      - 9200:9200

docker/sas-auth/sas.properties

@@ -0,0 +1,36 @@
+# Generic properties
+# ==================
+
+# Uncomment this if you are behind a proxy or want a public URI
+# baseURI=http://dev.llgc.org.uk/annotation/
+
+# Uncomment this if you would like to use an encoder which will work on
+# the annotation before its stored in the triplestore
+# encoder=uk.org.llgc.annotation.store.encoders.BookOfPeaceEncode
+
+# if you are using Mirador versions greater than 2.1.4 then you need to uncomment the following
+# as the annotation structure changed between versions
+#encoder=uk.org.llgc.annotation.store.encoders.Mirador214
+
+# Store configuration
+# ==================
+
+# Uncomment this if you would like to use Jena as a backend
+#store=jena
+#data_dir=/annotation-data
+
+# Uncomment the following if you want to use Sesame
+# store=sesame
+# repo_url=http://localhost:8080/openrdf-sesame/repositories/test-anno
+
+# Uncomment the following if you want to use SOLR cores
+#store=solr
+#solr_connection=http://solr:8983/solr/annotations
+
+# Uncomment the following if you want to use SOLR collections (Cloud)
+#store=solr-cloud
+#solr_connection=http://solr:8983/solr,http://solr:7574/solr
+#solr_collection=annotations
+
+store=elastic
+elastic_connection=http://elasticsearch:9200/annotations

docker/sas-elastic/Dockerfile

@@ -9,11 +9,11 @@ RUN mvn $MVN_ARGS package
 # runnable container stage
 FROM tomcat:9-jre11 AS runstage
 # remove tomcat default webapps and create data directory
-RUN rm -r /usr/local/tomcat/webapps/* && \
+RUN rm -rf /usr/local/tomcat/webapps/* && \
   mkdir /annotation-data
 # copy SAS from build image
 COPY --from=buildstage /usr/src/sas/target/simpleAnnotationStore /usr/local/tomcat/webapps/ROOT
 # copy properties
-COPY docker/sas-tomcat/sas.properties /usr/local/tomcat/webapps/ROOT/WEB-INF
+COPY docker/sas-elastic/sas.properties /usr/local/tomcat/webapps/ROOT/WEB-INF
 
 # use default port and entrypoint