Merge branch '2020-06-12_public_1.0.0'

.env.template

@@ -56,8 +56,11 @@ FITS_PATH=/fits/fits-1.3.0/fits.sh
 FITS_VERSION=fits-1.3.0
 UPLOADS_PATH=/shared/uploads/
 CACHE_PATH=/shared/cache/
+BRAND_PATH=/data/public/branding
 DEFAULT_DATE_FORMAT=%d/%m/%Y
-NOTIFICATIONS_EMAIL_DEFAULT_FROM_ADDRESS="no-reply@mailboxer.com"
+NOTIFICATIONS_EMAIL_DEFAULT_FROM_ADDRESS=no-reply@mailboxer.com
+ERROR_NOTIFICATION_RECIPIENT_EMAIL=error-notification@example.org
+ERROR_NOTIFICATION_SUBJECT_PREFIX=mdr-development
 USER_MANAGEMENT_EMAIL_FROM_ADDRESS=repo-admin@example.org
 CONTACT_FORM_SUBJECT_PREFIX=Hyrax Contact form:
 CONTACT_EMAIL=
@@ -69,14 +72,6 @@ CONFIG_IIIF_IMAGE_ENDPOINT=
 # If the rails server is configured to serve requests in https, set this to true
 IIIF_TO_SERVE_SSL_URLS=false
 
-# errbit setup
-# Host where errbit server is installed. Start with http or https
-AIRBRAKE_HOST=
-# Any positive integer should work
-AIRBRAKE_PROJECT_ID=
-# The project key to authorize loggint with errbit server
-AIRBRAKE_PROJECT_KEY=
-
 # Browse Everything credentials
 GOOGLE_DRIVE_CLIENT_ID=
 GOOGLE_DRIVE_CLIENT_SECRET=
@@ -85,8 +80,9 @@ BOX_CLIENT_SECRET=
 
 # Choose one of the following authentication methods.
 # (database_authenticatable is pre-configured and useful for a development environment)
-MDR_DEVISE_AUTH_MODULE=ldap_authenticatable
-# MDR_DEVISE_AUTH_MODULE=database_authenticatable
+MDR_DEVISE_AUTH_MODULE=database_authenticatable
+# MDR_DEVISE_AUTH_MODULE=ldap_authenticatable
+# MDR_DEVISE_AUTH_MODULE=cas_authenticatable
 
 LDAP_HOST=***REMOVED***
 LDAP_PORT=443
@@ -100,3 +96,31 @@ SMTP_HOST=
 SMTP_PORT=
 
 MDR_HOST=
+
+CAS_BASE_URL=https://cas.nims.go.jp/
+
+# For local docker-based setup for development, use:
+# CAS_BASE_URL=https://cas.mdr.nims.test:8443/cas/
+# and add the following two localhost pointers to your system's /etc/hosts file:
+# 127.0.0.1       mdr.nims.test         # <-- MDR website
+# 127.0.0.1       cas.mdr.nims.test     # <-- CAS server
+# and also trust the SSL certificate for cas.mdr.nims.test
+
+# CAS_VALIDATE_URL may need to be set depending on how MDR is configured
+# CAS_VALIDATE_URL=https://cas:8443/cas/serviceValidate
+# CAS_DESTINATION_URL=https://portal.nims.test/
+
+# OAI config used in config/initializers/oai_config.rb
+OAI_REPOSTIORY_NAME='NIMS MDR'
+OAI_REPOSITORY_URL=http://localhost:3000/catalog/oai
+OAI_RECORD_PREFIX=nims_mdr
+OAI_ADMIN_EMAIL=***REMOVED***
+
+# User Authorisation LDAP (runs after database / LDAP / CAS authentication)
+USER_AUTHORISATION_LDAP_HOST=
+USER_AUTHORISATION_LDAP_PORT=389
+USER_AUTHORISATION_LDAP_ATTRIBUTE=uid
+USER_AUTHORISATION_LDAP_BASE=
+
+WIKIBASE_BASE_URL=https://wikibase.example.jp
+WIKIBASE_SPARQL_QUERY_SYNONYM=/query/example?query=some_sparql_query

.gitignore

@@ -351,3 +351,4 @@ $RECYCLE.BIN/
 .env
 /hyrax/.fedora-test.pid
 /hyrax/.solr-test.pid
+cas/.mvn/jvm.config

README.md

@@ -2,6 +2,11 @@
 
 [Nims-Hyrax](https://github.com/antleaf/nims-hyrax/) is an implementation of the Hyrax stack by [Cottage Labs](http://cottagelabs.com/) and [AntLeaf](http://antleaf.com/). It is built with Docker containers, which simplify development and deployment onto live services.
 
+## Code Status
+
+[![Codeship Status for antleaf/nims-hyrax](https://app.codeship.com/projects/d4cc8560-e430-0136-fffd-6a7889452552/status?branch=develop)](https://app.codeship.com/projects/319029)
+
+[![Coverage Status](https://coveralls.io/repos/github/antleaf/nims-hyrax/badge.svg?branch=develop)](https://coveralls.io/github/antleaf/nims-hyrax?branch=develop)
 
 ## Getting Started
 
@@ -212,6 +217,54 @@ $ curl -L https://github.com/docker/compose/releases/download/[INSERT_DESIRED_DO
 4. Open a console and try running `docker -h` and `docker-compose -h` to verify they are both accessible.
 
 
+### Using a local Docker-based CAS server for Single Sign-On and Single Sign-Off
+
+If you would like to use a local Docker-based CAS server for single sign-on and sign off, a little more configuration is 
+required. Note that these steps are optional: you could use database authentication or LDAP authentication, or a remote 
+CAS server instead.
+
+1. In your system's `/etc/hosts` file, add the following two entries which will redirect the specified hostnames to localhost:
+
+    ```
+    127.0.0.1       mdr.nims.test
+    127.0.0.1       cas.mdr.nims.test
+    ``` 
+
+2. In your `.env` file, set the following variables:
+
+    ```
+    MDR_DEVISE_AUTH_MODULE=cas_authenticatable
+    CAS_BASE_URL=https://cas.mdr.nims.test:8443/cas/
+    ```
+
+3. Now build and run the `web` and `cas` containers:
+
+    ```bash
+    docker-compose build web cas
+    docker-compose up web cas
+    ```
+
+4. Open a browser and goto the MDR website: http://mdr.nims.test:3000/
+    Click on Login and you should be directed to https://cas.mdr.nims.test:8443/cas/
+
+    At this point your web browser will likely complain that the SSL certificate is invalid / untrusted. Grant the 
+    certificate `cas.mdr.nims.test` full trust:
+ 
+    * In Chrome, view the certificate and export it (or drag it) to your desktop
+    * Next, double-click on the certificate file (`cas.mdr.nims.test.cer`) and mark it as Always Trust (see: https://support.apple.com/en-gb/guide/keychain-access/kyca11871/mac)
+    * Check that reloading https://cas.mdr.nims.test:8443/cas/ should now present the valid CAS website without any certificate warnings or other errors
+
+5. To test single sign-on, open a browser window and go to to the MDR website: http://mdr.nims.test:3000/
+    
+    * Click on "login" and you will be redirected to the CAS website. 
+    * Log in as `user1` / `password`.
+    * After completing the login on the CAS website you will be redirected back to the MDR website and now logged in as `user1`
+    
+6. To test single sign-off, after logging in as `user1` on MDR (see previous step), open an extra browser window and navigate directly to the CAS website: https://cas.mdr.nims.test:8443/cas
+    
+    * Logout of the CAS system (by clicking on "log out" in "please log out and exit your web browser")
+    * Then reload the *other* browser window which had the user logged in to MDR and verify that they are now logged out.
+
 ## Backups
 
 There is [docker documentation](https://docs.docker.com/storage/volumes/#backup-restore-or-migrate-data-volumes) advising how to back up volumes and their data.
@@ -221,9 +274,3 @@ There is [docker documentation](https://docs.docker.com/storage/volumes/#backup-
 * As mentioned above, there is a `.env` file containing application secrets. This **must not** be checked into version control!
 * The system is configured on start-up using the `docker-entrypoint.sh` script, which configures users in the `seed/setup.json` file.
 * Importers are run manually in the container using the rails console. See [The project wiki](https://github.com/antleaf/nims-hyrax/wiki) for more information.
-
-## Code Status
-
-[![Codeship Status for antleaf/nims-hyrax](https://app.codeship.com/projects/d4cc8560-e430-0136-fffd-6a7889452552/status?branch=develop)](https://app.codeship.com/projects/319029)
-
-[![Coverage Status](https://coveralls.io/repos/github/antleaf/nims-hyrax/badge.svg?branch=develop)](https://coveralls.io/github/antleaf/nims-hyrax?branch=develop)

cas/Dockerfile

@@ -0,0 +1,15 @@
+FROM apereo/cas:v5.3.10
+COPY pom.xml /cas-overlay/
+COPY .mvn/ /cas-overlay/.mvn/
+RUN build.sh package
+
+RUN keytool -genkeypair -alias cas -keyalg RSA -keypass changeit \
+            -storepass changeit -keystore /cas-overlay/etc/cas/thekeystore \
+            -dname "CN=cas.mdr.nims.test,OU=MDR,OU=NIMS,OU=Test,C=JP" \
+            -ext SAN="dns:cas.mdr.nims.test,dns:localhost,ip:127.0.0.1" \
+            -validity 365
+COPY etc/cas/config/* /cas-overlay/etc/cas/config/
+COPY etc/cas/services/* /cas-overlay/etc/cas/services/
+COPY etc/cas/users.json /cas-overlay/etc/cas/
+COPY pom.xml /cas-overlay/
+RUN build.sh copy

cas/etc/cas/config/cas.properties

@@ -0,0 +1,22 @@
+# Required CAS settings
+cas.server.name: https://cas.mdr.nims.test:8443
+cas.server.prefix: https://cas.mdr.nims.test:8443/cas
+
+cas.httpWebRequest.header.hsts=false
+cas.adminPagesSecurity.ip=127\.0\.0\.1
+cas.logout.followServiceRedirects=true
+cas.logout.redirectParameter=service
+
+logging.config: file:/etc/cas/config/log4j2.xml
+
+# Service Registry
+cas.serviceRegistry.initFromJson: false
+cas.serviceRegistry.json.location: file:/etc/cas/services
+
+# Disable authentication with a static list of credentials
+cas.authn.accept.users=
+
+# Use JSON file for authentication
+cas.authn.json.location=file:///etc/cas/users.json
+cas.authn.json.name=
+# cas.authn.json.passwordPolicy=

cas/etc/cas/config/log4j2.xml

@@ -0,0 +1,117 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!-- Specify the refresh internal in seconds. -->
+<Configuration monitorInterval="5" packages="org.apereo.cas.logging">
+  <Properties>
+    <!--
+    Default log directory is the current directory but that can be overridden with -Dcas.log.dir=<logdir>
+    Or you can change this property to a new default
+    -->
+    <Property name="cas.log.dir" >.</Property>
+    <!-- To see more CAS specific logging, adjust this property to info or debug or run server with -Dcas.log.leve=debug -->
+    <Property name="cas.log.level" >debug</Property>
+  </Properties>
+  <Appenders>
+    <Console name="console" target="SYSTEM_OUT">
+      <PatternLayout pattern="%d %p [%c] - &lt;%m&gt;%n"/>
+    </Console>
+    <RollingFile name="file" fileName="${sys:cas.log.dir}/cas.log" append="true"
+                 filePattern="${sys:cas.log.dir}/cas-%d{yyyy-MM-dd-HH}-%i.log">
+      <PatternLayout pattern="%d %p [%c] - &lt;%m&gt;%n"/>
+      <Policies>
+        <OnStartupTriggeringPolicy />
+        <SizeBasedTriggeringPolicy size="10 MB"/>
+        <TimeBasedTriggeringPolicy />
+      </Policies>
+    </RollingFile>
+    <RollingFile name="auditlogfile" fileName="${sys:cas.log.dir}/cas_audit.log" append="true"
+                 filePattern="${sys:cas.log.dir}/cas_audit-%d{yyyy-MM-dd-HH}-%i.log">
+      <PatternLayout pattern="%d %p [%c] - %m%n"/>
+      <Policies>
+        <OnStartupTriggeringPolicy />
+        <SizeBasedTriggeringPolicy size="10 MB"/>
+        <TimeBasedTriggeringPolicy />
+      </Policies>
+    </RollingFile>
+
+    <RollingFile name="perfFileAppender" fileName="${sys:cas.log.dir}/perfStats.log" append="true"
+                 filePattern="${sys:cas.log.dir}/perfStats-%d{yyyy-MM-dd-HH}-%i.log">
+      <PatternLayout pattern="%m%n"/>
+      <Policies>
+        <OnStartupTriggeringPolicy />
+        <SizeBasedTriggeringPolicy size="10 MB"/>
+        <TimeBasedTriggeringPolicy />
+      </Policies>
+    </RollingFile>
+
+    <CasAppender name="casAudit">
+      <AppenderRef ref="auditlogfile" />
+    </CasAppender>
+    <CasAppender name="casFile">
+      <AppenderRef ref="file" />
+    </CasAppender>
+    <CasAppender name="casConsole">
+      <AppenderRef ref="console" />
+    </CasAppender>
+    <CasAppender name="casPerf">
+      <AppenderRef ref="perfFileAppender" />
+    </CasAppender>
+  </Appenders>
+  <Loggers>
+    <!-- If adding a Logger with level set higher than warn, make category as selective as possible -->
+    <!-- Loggers inherit appenders from Root Logger unless additivity is false -->
+    <AsyncLogger name="org.apereo" level="${sys:cas.log.level}" includeLocation="true"/>
+    <AsyncLogger name="org.apereo.services.persondir" level="${sys:cas.log.level}" includeLocation="true"/>
+    <AsyncLogger name="org.apereo.cas.web.flow" level="info" includeLocation="true"/>
+    <AsyncLogger name="org.apache" level="warn" />
+    <AsyncLogger name="org.apache.http" level="error" />
+    <AsyncLogger name="org.springframework" level="warn" />
+    <AsyncLogger name="org.springframework.cloud.server" level="warn" />
+    <AsyncLogger name="org.springframework.cloud.client" level="warn" />
+    <AsyncLogger name="org.springframework.cloud.bus" level="warn" />
+    <AsyncLogger name="org.springframework.aop" level="warn" />
+    <AsyncLogger name="org.springframework.boot" level="warn" />
+    <AsyncLogger name="org.springframework.boot.actuate.autoconfigure" level="warn" />
+    <AsyncLogger name="org.springframework.webflow" level="warn" />
+    <AsyncLogger name="org.springframework.session" level="warn" />
+    <AsyncLogger name="org.springframework.amqp" level="error" />
+    <AsyncLogger name="org.springframework.integration" level="warn" />
+    <AsyncLogger name="org.springframework.messaging" level="warn" />
+    <AsyncLogger name="org.springframework.web" level="warn" />
+    <AsyncLogger name="org.springframework.orm.jpa" level="warn" />
+    <AsyncLogger name="org.springframework.scheduling" level="warn" />
+    <AsyncLogger name="org.springframework.context.annotation" level="error" />
+    <AsyncLogger name="org.springframework.boot.devtools" level="error" />
+    <AsyncLogger name="org.springframework.web.socket" level="warn" />
+    <AsyncLogger name="org.thymeleaf" level="warn" />
+    <AsyncLogger name="org.pac4j" level="warn" />
+    <AsyncLogger name="org.opensaml" level="warn"/>
+    <AsyncLogger name="net.sf.ehcache" level="warn" />
+    <AsyncLogger name="com.couchbase" level="warn" includeLocation="true"/>
+    <AsyncLogger name="com.ryantenney.metrics" level="warn" />
+    <AsyncLogger name="net.jradius" level="warn" />
+    <AsyncLogger name="org.openid4java" level="warn" />
+    <AsyncLogger name="org.ldaptive" level="warn" />
+    <AsyncLogger name="com.hazelcast" level="warn" />
+    <AsyncLogger name="org.apereo.spring" level="warn" />
+
+    <!-- Log perf stats only to perfStats.log -->
+    <AsyncLogger name="perfStatsLogger" level="info" additivity="false" includeLocation="true">
+      <AppenderRef ref="casPerf"/>
+    </AsyncLogger>
+
+    <!-- Log audit to all root appenders, and also to audit log (additivity is not false) -->
+    <AsyncLogger name="org.apereo.inspektr.audit.support" level="info" includeLocation="true" >
+      <AppenderRef ref="casAudit"/>
+    </AsyncLogger>
+
+    <!-- All Loggers inherit appenders specified here, unless additivity="false" on the Logger -->
+    <AsyncRoot level="warn">
+      <AppenderRef ref="casFile"/>
+      <!--
+           For deployment to an application server running as service,
+           delete the casConsole appender below
+      -->
+      <AppenderRef ref="casConsole"/>
+    </AsyncRoot>
+  </Loggers>
+</Configuration>

cas/etc/cas/services/casmdrnimstest-1.json

@@ -0,0 +1,8 @@
+{
+  "@class" : "org.apereo.cas.services.RegexRegisteredService",
+  "serviceId" :  "^(https|http)://.*",
+  "name" : "cas.mdr.nims.test",
+  "id" : 1,
+  "logoutType" : "BACK_CHANNEL",
+  "logoutUrl" : "http://mdr.nims.test:3000/users/service"
+}

cas/etc/cas/users.json

@@ -0,0 +1,14 @@
+{
+  "@class" : "java.util.LinkedHashMap",
+  "user1" : {
+    "@class" : "org.apereo.cas.adaptors.generic.CasUserAccount",
+    "password" : "password",
+    "attributes" : {
+      "@class" : "java.util.LinkedHashMap",
+      "firstName" : "Apereo",
+      "lastName" : "CAS"
+    },
+    "status" : "OK",
+    "expirationDate" : "2022-01-19"
+  }
+}