triannon 2.0.1 → 3.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: ebfe9c918d54957dd9840f3cca19729075b1f0e9
-  data.tar.gz: aa9007f6543d8604a0be0a0b876c33e65be2168d
+  metadata.gz: 8bbca5b2eeb46df56a16905386aa0896e32edc1d
+  data.tar.gz: 4057efb53bd40de5dd20a637b0e6eeaa581e3274
 SHA512:
-  metadata.gz: 55ce6508e866549664f1c359cb311d479054319377fad1f8af2a17dcea20dc097b2a3b1e30f016e4cea33900d76c4477c31e2803d0822f4410b350e2a1ece7a1
-  data.tar.gz: 492c6fac232ae72b213ebc339bc9b519c4b39b4ca22ccd8e8724e7ecbd764209519524b9232dc3b08022ed4067184f88ecb016eb1870abcfab01131097292bd1
+  metadata.gz: ade73d1212e2d5ef3fb815946279af50e58a018999ebb0b1c7d8c8db9a5f56d85ddb4a42d9472d5c142e2ea1e1079646889fac21859afe61370ca47c85dae552
+  data.tar.gz: db831b37c53215465bb6441ea599dca56722c467a9968c477e7b2a0780d2070c7d8d2b717be6b645a1bff23d1c5a0ceb70578294c05a5535e5d3dd11057b2e22

data/app/controllers/triannon/application_controller.rb

@@ -1,4 +1,132 @@
 module Triannon
   class ApplicationController < ActionController::Base
+
+    before_action :authorize
+
+    #--- Authentication methods
+    #
+    # The #access_token_data method is generally available to the
+    # application.  The #access_token_generate and #access_token_validate?
+    # methods are consolidated here to provide a unified view of these methods,
+    # although the application generally may not need to call them.  They are
+    # used specifically in the auth_controller and these methods are tested
+    # in the auth_controller_spec.
+
+    # construct and encrypt an access token, using login data
+    # save the token into session[:access_token]
+    def access_token_generate(data)
+      timestamp = Time.now.to_i.to_s # seconds since epoch
+      salt  = SecureRandom.base64(64)
+      key   = ActiveSupport::KeyGenerator.new(timestamp).generate_key(salt)
+      crypt = ActiveSupport::MessageEncryptor.new(key)
+      session[:access_data] = [timestamp, salt]
+      session[:access_token] = crypt.encrypt_and_sign([data, timestamp])
+    end
+
+    # decrypt, parse and validate access token
+    def access_token_valid?(code)
+      begin
+        if code == session[:access_token]
+          identity, salt = session[:access_data]
+          key = ActiveSupport::KeyGenerator.new(identity).generate_key(salt)
+          crypt = ActiveSupport::MessageEncryptor.new(key)
+          data, timestamp = crypt.decrypt_and_verify(code)
+          elapsed = Time.now.to_i - timestamp.to_i  # sec since token was issued
+          return data if elapsed < Triannon.config[:access_token_expiry]
+        end
+      rescue ActiveSupport::MessageVerifier::InvalidSignature
+        # This is an invalid code, so return nil (a falsy value).
+      end
+    end
+
+    # Extract access login data from Authorization header, if it is valid.
+    # @param headers [Hash] request.headers with 'Authorization'
+    # @return login_data [Hash|nil]
+    def access_token_data(headers)
+      auth = headers['Authorization']
+      unless auth.nil? || auth !~ /^Bearer/
+        token = auth.split.last
+        access_token_valid?(token)
+      end
+    end
+
+
+    private
+
+    def authorize
+      # Require authorization on POST and DELETE requests.
+      auth_methods = ['POST','DELETE']
+      return true unless auth_methods.include? request.method
+      # Allow any requests to the /auth paths; provided that an
+      # anno root container cannot start with 'auth' in the name
+      # (which is controlled by the routes constraints).
+      return true if request.path =~ /^\/auth/
+      authorized_workgroup?
+    end
+
+    def authorized_workgroup?
+      # If the request does not map to a configured container, allow access.
+      container_auth = container_authorization
+      return true if container_auth.empty?
+      if request.headers['Authorization'].nil?
+        render401
+        return false
+      end
+      # Identify an intersection of the user and the authorized workgroups.
+      container_groups = container_auth['workgroups'] || []
+      match = container_groups & user_workgroups
+      if match.empty?
+        render403
+        false
+      else
+        true
+      end
+    end
+
+    # Extract container authorization from the configuration parameters
+    # @return authorization [Hash]
+    def container_authorization
+      container_config = request_container_config
+      if container_config.instance_of? Hash
+        container_config['auth'] || {}
+      else
+        {}
+      end
+    end
+
+    # Map the request root container to config parameters;
+    # assume that a request can only map to one root container.
+    # If this mapping fails, assume that authorization is OK.
+    def request_container_config
+      # TODO: refine the matching algorithm, esp if there is more than one
+      # match rather than assume it can only match one container.
+      request_container = params['anno_root']
+      configs = Triannon.config[:ldp]['anno_containers']
+      configs[request_container]
+    end
+
+    # Extract user workgroups from the access token
+    # @return workgroups [Array<String>]
+    def user_workgroups
+      access_data = access_token_data(request.headers)
+      if access_data.instance_of? Hash
+        access_data['workgroups'] || []
+      else
+        []
+      end
+    end
+
+    def render401
+      respond_to do |format|
+        format.all { head :unauthorized }
+      end
+    end
+
+    def render403
+      respond_to do |format|
+        format.all { head :forbidden }
+      end
+    end
+
   end
 end

data/app/controllers/triannon/auth_controller.rb

@@ -0,0 +1,436 @@
+require_dependency "triannon/application_controller"
+
+module Triannon
+  # Adapted from http://image-auth.iiif.io/api/image/2.1/authentication.html
+  class AuthController < ApplicationController
+    include RdfResponseFormats
+
+    # HTTP request methods accepted by /auth/login
+    # TODO: enable GET when triannon supports true user authentication
+    LOGIN_ACCEPT = 'OPTIONS, POST'
+
+    # OPTIONS /auth/login
+    def options
+      # The request MUST use HTTP OPTIONS
+      case request.request_method
+      when 'OPTIONS'
+        if cookies[:login_user]
+          info = service_info_logout
+        else
+          info = service_info_login
+        end
+        # TODO: include optional info, such as service_info_client_identity
+        json_response(info, 200)
+      else
+        # The routes should prevent any execution here.
+        request_method_error(LOGIN_ACCEPT)
+      end
+    end
+
+    # POST to /auth/login
+    # http://image-auth.iiif.io/api/image/2.1/authentication.html#login-service
+    def login
+      # The service must set a Cookie for the Access Token Service to retrieve
+      # to determine the user information provided by the authentication system.
+      case request.request_method
+      when 'POST'
+        login_handler_post
+      else
+        # The routes should prevent any execution here.
+        request_method_error(LOGIN_ACCEPT)
+      end
+    end
+
+    # GET /auth/logout
+    # http://image-auth.iiif.io/api/image/2.1/authentication.html#logout-service
+    def logout
+      case request.request_method
+      when 'GET'
+        cookies.delete(:login_user)
+        reset_session
+        redirect_to root_url, notice: 'Successfully logged out.'
+      else
+        # The routes should prevent any execution here.
+        request_method_error('GET')
+      end
+    end
+
+    # POST /auth/client_identity
+    # A request MUST carry a body with:
+    # { "clientId" : "ID", "clientSecret" : "SECRET" }
+    # http://image-auth.iiif.io/api/image/2.1/authentication.html#client-identity-service
+    # http://image-auth.iiif.io/api/image/2.1/authentication.html#error-conditions
+    # return json body [String] containing: { "authorizationCode": code }
+    def client_identity
+      return unless process_post?
+      return unless process_json?
+      data = JSON.parse(request.body.read)
+      required_fields = ['clientId', 'clientSecret']
+      identity = parse_identity(data, required_fields)
+      if identity['clientId'] && identity['clientSecret']
+        if authorized_client? identity
+          id = identity['clientId']
+          pass = identity['clientSecret']
+          code = { authorizationCode: auth_code_generate(id, pass) }
+          json_response(code, 200)
+        else
+          err = {
+            error: 'invalidClient',
+            errorDescription: 'Invalid client credentials',
+            errorUri: 'http://image-auth.iiif.io/api/image/2.1/authentication.html'
+          }
+          json_response(err, 401)
+        end
+      else
+        err = {
+          error: 'invalidClient',
+          errorDescription: 'Insufficient client data for authentication',
+          errorUri: 'http://image-auth.iiif.io/api/image/2.1/authentication.html'
+        }
+        json_response(err, 401)
+      end
+    end
+
+
+    # GET /auth/access_token
+    # http://image-auth.iiif.io/api/image/2.1/authentication.html#access-token-service
+    # http://image-auth.iiif.io/api/image/2.1/authentication.html#error-conditions
+    def access_token
+      # The cookie established via the login service must be passed to this
+      # service. The service should delete the cookie from the login service
+      # and create a new cookie that allows the user to access content.
+      if session[:login_data]
+        if session[:client_data]
+          # When an authorization code was obtained using /auth/client_identity,
+          # that code must be passed to the Access Token Service as well.
+          auth_code = params[:code]
+          if auth_code.nil?
+            auth_code_required
+          elsif auth_code_valid?(auth_code)
+            access_token_granted
+          else
+            auth_code_invalid
+          end
+        else
+          # Without an authentication code, a login session is sufficient for
+          # granting an access token.  However, the only way to enable a login
+          # session is for an authorized client to provide user data in POST
+          # /auth/login, which requires the client to first obtain an
+          # authentication code.  Hence, this block of code should never get
+          # executed (unless login requirements change).
+          access_token_granted
+        end
+      else
+        login_required
+      end
+    end
+
+    # GET /auth/access_validate
+    # Authorize access based on validating an access token
+    def access_validate
+      auth = request.headers['Authorization']
+      if auth.nil? || auth !~ /Bearer/
+        access_token_invalid
+      else
+        token = auth.split[1]
+        if access_token_valid?(token)
+          response.status = 200
+          render nothing: true
+        else
+          access_token_invalid
+        end
+      end
+    end
+
+    private
+
+    # --------------------------------------------------------------------
+    # Access tokens
+
+    # Grant an access token for authorized access
+    def access_token_granted
+      cookies.delete(:login_user)
+      login_data = session.delete(:login_data)
+      access_token_generate(login_data) # saves to session[:access_token]
+      data = {
+        accessToken: session[:access_token],
+        tokenType: 'Bearer',
+        expiresIn: Triannon.config[:access_token_expiry]
+      }
+      json_response(data, 200)
+    end
+
+    # Issue a 401 to challenge for a client access token
+    def access_token_invalid
+      err = {
+        error: 'invalidAccess',
+        errorDescription: 'invalid access token',
+        errorUri: ''
+      }
+      json_response(err, 401)
+    end
+
+
+    # --------------------------------------------------------------------
+    # User authentication
+
+    # Handles POST /auth/login
+    # The request MUST include a URI parameter 'code=client_token' where
+    # the 'client_token' has been obtained from /auth/client_identity and
+    # the request MUST carry a body with the following JSON template:
+    # { "userId" : "ID", "workgroups" : "wgA, wgB" }
+    # Note that the current 'SearchWorks' requirements do not specify
+    # a 'userSecret' (it's not available).
+    def login_handler_post
+      return unless process_post?
+      return unless process_json?
+      auth_code = params[:code]
+      if auth_code.nil?
+        auth_code_required
+      elsif auth_code_valid?(auth_code)
+        begin
+          data = JSON.parse(request.body.read)
+          required_fields = ['userId', 'workgroups']
+          identity = parse_identity(data, required_fields)
+          # When an authorized client POSTs user data, it is simply accepted.
+          if identity['userId'] && identity['workgroups']
+            # Coerce workgroups into an Array.
+            wg = identity['workgroups'] || []
+            wg = wg.split(',') if wg.instance_of? String
+            wg.delete_if {|e| e.empty? }
+            identity['workgroups'] = wg
+            # Save the login_data until an access token is requested.
+            # Note that session data must be JSON compatible.
+            identity.to_json # check JSON compatibility
+            cookies[:login_user] = identity['userId']
+            session[:login_data] = identity
+            redirect_to root_url, notice: 'Successfully logged in.'
+          else
+            login_required
+          end
+        rescue
+          login_required(422)
+        end
+      else
+        auth_code_invalid
+      end
+    end
+
+    def login_required(status=401)
+      if request.format == :html
+        request_http_basic_authentication
+      elsif request.format == :json
+        # response.headers["WWW-Authenticate"] = %(Basic realm="Application")
+        if status == 401
+          err = {
+            error: '401 Unauthorized',
+            errorDescription: 'login credentials required',
+            errorUri: 'http://image-auth.iiif.io/api/image/2.1/authentication.html'
+          }
+        end
+        if status == 422
+          err = {
+            error: '422 Unprocessable Entity',
+            errorDescription: 'login credentials cannot be parsed',
+            errorUri: 'http://image-auth.iiif.io/api/image/2.1/authentication.html'
+          }
+        end
+        json_response(err, status)
+      end
+    end
+
+
+    # --------------------------------------------------------------------
+    # Client authentication
+
+    # Authenticates known clients
+    # @param identity [Hash] with fields 'clientId' and 'clientSecret'
+    def authorized_client?(identity)
+      @clients ||= Triannon.config[:authorized_clients]
+      @clients[identity['clientId']] == identity['clientSecret']
+    end
+
+    # --------------------------------------------------------------------
+    # Authentication tokens
+
+    # construct and encrypt an authorization code
+    def auth_code_generate(id, pass)
+      identity = "#{id};;;#{pass}"
+      timestamp = Time.now.to_i.to_s # seconds since epoch
+      salt  = SecureRandom.base64(64)
+      key   = ActiveSupport::KeyGenerator.new(identity).generate_key(salt)
+      crypt = ActiveSupport::MessageEncryptor.new(key)
+      session[:client_data] = [identity, salt]
+      session[:client_token] = crypt.encrypt_and_sign([id, timestamp])
+    end
+
+    # decrypt, parse and validate authorization code
+    def auth_code_valid?(code)
+      begin
+        if code == session[:client_token]
+          identity, salt = session[:client_data]
+          key = ActiveSupport::KeyGenerator.new(identity).generate_key(salt)
+          crypt = ActiveSupport::MessageEncryptor.new(key)
+          data, timestamp = crypt.decrypt_and_verify(code)
+          elapsed = Time.now.to_i - timestamp.to_i  # sec since code was issued
+          return data if elapsed < Triannon.config[:client_token_expiry]
+        end
+      rescue ActiveSupport::MessageVerifier::InvalidSignature
+        # This is an invalid code, so return nil (a falsy value).
+      end
+    end
+
+    # Issue a 403 for invalid client authorization codes
+    def auth_code_invalid
+      err = {
+        error: 'invalidClient',
+        errorDescription: 'Unable to validate authorization code',
+        errorUri: ''
+      }
+      json_response(err, 403)
+    end
+
+    # Issue a 401 to challenge for a client authorization code
+    def auth_code_required
+      err = {
+        error: 'invalidClient',
+        errorDescription: 'authorization code is required',
+        errorUri: ''
+      }
+      json_response(err, 401)
+    end
+
+
+    # --------------------------------------------------------------------
+    # Service information data
+    # TODO: evaluate whether we need this data
+
+    # return uri [String] the configured Triannon host URI
+    def service_base_uri
+      uri = RDF::URI.new(Triannon.config[:triannon_base_url])
+      uri.to_s.sub(uri.path,'')
+    end
+
+    # http://image-auth.iiif.io/api/image/2.1/authentication.html#access-token-service
+    # return info [Hash] access token service information
+    def service_info_access_token
+      {
+        service: {
+          "@id" => service_base_uri + '/auth/access_token',
+          "profile" => "http://iiif.io/api/image/2/auth/token",
+          "label" => "Request Access Token for Triannon"
+        }
+      }
+    end
+
+    # http://image-auth.iiif.io/api/image/2.1/authentication.html#client-identity-service
+    # return info [Hash] client identity service information
+    def service_info_client_identity
+      {
+        service: {
+          "@id" => service_base_uri + '/auth/client_identity',
+          "profile" => "http://iiif.io/api/image/2/auth/clientId"
+        }
+      }
+    end
+
+    # http://image-auth.iiif.io/api/image/2.1/authentication.html#login-service
+    # return info [Hash] login service information
+    def service_info_login
+      {
+        service: {
+          "@id" => service_base_uri + '/auth/login',
+          "profile" => "http://iiif.io/api/image/2/auth/login",
+          "label" => "Login to Triannon"
+        }
+      }
+    end
+
+    # http://image-auth.iiif.io/api/image/2.1/authentication.html#logout-service
+    # return info [Hash] logout service information
+    def service_info_logout
+      {
+        service: {
+          "@id" => service_base_uri + '/auth/logout',
+          "profile" => "http://iiif.io/api/image/2/auth/logout",
+          "label" => "Logout of Triannon"
+        }
+      }
+    end
+
+
+    # --------------------------------------------------------------------
+    # Utility methods
+
+
+    # @param data [Hash] Hash.to_json is rendered
+    # @param status [Integer] HTTP status code
+    def json_response(data, status)
+      render json: data.to_json, content_type: json_type_accepted, status: status
+    end
+
+    # Response content type to match an HTTP accept type for JSON formats
+    def json_type_accepted
+      mime_type_from_accept(['application/json', 'text/x-json', 'application/jsonrequest'])
+    end
+
+    # Parse POST JSON data to ensure it contains required fields
+    # @param fields [Array<String>] an array of required fields
+    def parse_identity(data, fields)
+      identity = Hash[fields.map {|f| [f, nil]}]
+      if fields.map {|f| data.key? f }.all?
+        fields.each {|f| identity[f] = data[f] }
+      end
+      identity
+    end
+
+    # Is the request content type JSON?  If not, issue a 415 error.
+    def process_json?
+      if request.headers['Content-Type'] =~ /json/
+        true
+      else
+        logger.debug "Rejected Content-Type: #{request.headers['Content-Type']}"
+        render nothing: true, status: 415
+        false
+      end
+    end
+
+    # Is the request method POST?  If not, issue a 405 error.
+    def process_post?
+      if request.post?
+        true
+      else
+        logger.debug "Rejected Request Method: #{request.request_method}"
+        err = {
+          error: 'invalidRequest',
+          errorDescription: "#{request.path} accepts POST requests, not #{request.request_method}",
+          errorUri: 'http://image-auth.iiif.io/api/image/2.1/authentication.html'
+        }
+        response.headers.merge!({'Allow' => 'POST'})
+        json_response(err, 405)
+        false
+      end
+    end
+
+    # @param accept [String] a csv for request methods accepted
+    def request_method_error(accept)
+      logger.debug "Rejected Request Method: #{request.request_method}"
+      response.status = 405
+      response.headers.merge!(Allow: accept)
+      respond_to do |format|
+        format.json {
+          err = {
+            error: 'invalidRequest',
+            errorDescription: "#{request.path} accepts: #{accept}",
+            errorUri: 'http://image-auth.iiif.io/api/image/2.1/authentication.html'
+          }
+          render json: err.to_json, content_type: json_type_accepted
+        }
+        format.html {
+          render nothing: true
+        }
+      end
+    end
+
+  end # AuthController
+end # Triannon

data/app/models/triannon/annotation.rb

@@ -40,7 +40,7 @@ module Triannon
     # Instance Methods ----------------------------------------------------------------
 
     def save
-      _run_save_callbacks do
+      run_callbacks :save do
         # TODO: check if valid anno?
         @id = Triannon::LdpWriter.create_anno(self, root_container) if graph && graph.size > 2
         # reload from storage to get the anno id within the graph
@@ -51,7 +51,7 @@ module Triannon
     end
 
     def destroy
-      _run_destroy_callbacks do
+      run_callbacks :destroy do
         Triannon::LdpWriter.delete_anno "#{root_container}/#{id}"
       end
     end

data/config/routes.rb

@@ -1,5 +1,14 @@
 Triannon::Engine.routes.draw do
 
+  # Authentication routes; these must precede '/:anno_root/*' and they
+  # preclude the use of an anno root named 'auth'.
+  match '/auth/login', to: 'auth#options', via: [:options]
+  match '/auth/login', to: 'auth#login', via: [:post]
+  get '/auth/logout', to: 'auth#logout'
+  get '/auth/access_token', to: 'auth#access_token'
+  get '/auth/access_validate', to: 'auth#access_validate'
+  post '/auth/client_identity', to: 'auth#client_identity'
+
   # 1. can't use resourceful routing because of :anno_root (dynamic path segment)
 
   # 2. couldn't figure out how to exclude specific values with regexp constraint since beginning and end regex matchers
@@ -8,75 +17,49 @@ Triannon::Engine.routes.draw do
   # get -> new action
   get '/annotations/:anno_root/new', to: 'annotations#new'
   get '/:anno_root/new', to: 'annotations#new',
-    constraints: lambda { |request|
-      anno_root = request.path_parameters[:anno_root]
-      id = request.path_parameters[:id]
-      anno_root !~ /^annotations$/ && anno_root !~ /^search$/ && anno_root !~ /^new$/ && id !~ /^search$/ && id !~ /^new$/
-    }
+    constraints: lambda { |r| anno_root_filter(r) }
 
   # get -> search controller find action
   get '/annotations/:anno_root/search', to: 'search#find'
   get '/annotations/search', to: 'search#find'
   get '/:anno_root/search', to: 'search#find',
-    constraints: lambda { |request|
-      anno_root = request.path_parameters[:anno_root]
-      anno_root !~ /^annotations$/ && anno_root !~ /^search$/ && anno_root !~ /^new$/
-    }
+    constraints: lambda { |r| anno_root_filter(r) }
   get '/search', to: 'search#find'
 
-  # get w id -> show action
+  # get + id -> show action
   get '/annotations/:anno_root/:id(.:format)', to: 'annotations#show',
-    constraints: lambda { |request|
-      anno_root = request.path_parameters[:anno_root]
-      anno_root !~ /^search$/ && anno_root !~ /^new$/
-    }
+    constraints: lambda { |r| anno_root_filter(r) && id_filter(r) }
   get '/:anno_root/:id(.:format)', to: 'annotations#show',
-    constraints: lambda { |request|
-      anno_root = request.path_parameters[:anno_root]
-      id = request.path_parameters[:id]
-      anno_root !~ /^annotations$/ && anno_root !~ /^search$/ && anno_root !~ /^new$/ && id !~ /^search$/ && id !~ /^new$/
-    }
+    constraints: lambda { |r| anno_root_filter(r) && id_filter(r) }
 
-  # get no id -> index action
+  # get - id -> index action
   get '/annotations/:anno_root', to: 'annotations#index',
-    constraints: lambda { |request|
-      anno_root = request.path_parameters[:anno_root]
-      anno_root !~ /^search$/ && anno_root !~ /^new$/
-    }
+    constraints: lambda { |r| anno_root_filter(r) }
   get '/:anno_root', to: 'annotations#index',
-    constraints: lambda { |request|
-      anno_root = request.path_parameters[:anno_root]
-      anno_root !~ /^annotations$/ && anno_root !~ /^search$/ && anno_root !~ /^new$/
-    }
+    constraints: lambda { |r| anno_root_filter(r) }
 
   # post -> create action
   post '/annotations/:anno_root', to: 'annotations#create',
-    constraints: lambda { |request|
-      anno_root = request.path_parameters[:anno_root]
-      id = request.path_parameters[:id]
-      anno_root !~ /^search$/ && anno_root !~ /^new$/ && id !~ /^search$/ && id !~ /^new$/
-    }
+    constraints: lambda { |r| anno_root_filter(r) }
   post '/:anno_root', to: 'annotations#create',
-    constraints: lambda { |request|
-      anno_root = request.path_parameters[:anno_root]
-      anno_root !~ /^annotations$/ && anno_root !~ /^search$/ && anno_root !~ /^new$/
-    }
+    constraints: lambda { |r| anno_root_filter(r) }
 
   # delete -> destroy action
   delete '/annotations/:anno_root/:id(.:format)', to: 'annotations#destroy',
-    constraints: lambda { |request|
-      anno_root = request.path_parameters[:anno_root]
-      id = request.path_parameters[:id]
-      anno_root !~ /^search$/ && anno_root !~ /^new$/ && id !~ /^search$/ && id !~ /^new$/
-    }
+    constraints: lambda { |r| anno_root_filter(r) && id_filter(r) }
   delete '/:anno_root/:id(.:format)', to: 'annotations#destroy',
-    constraints: lambda { |request|
-      anno_root = request.path_parameters[:anno_root]
-      anno_root !~ /^annotations$/ && anno_root !~ /^search$/ && anno_root !~ /^new$/
-    }
-
+    constraints: lambda { |r| anno_root_filter(r) && id_filter(r) }
 
   get '/annotations', to: 'search#find'
   root to: 'search#find'
 
 end
+
+
+def anno_root_filter(request)
+  request.path_parameters[:anno_root] !~ /^annotations$|^auth$|^new$|^search$/
+end
+
+def id_filter(request)
+  request.path_parameters[:id] !~ /^new$|^search$/
+end

data/config/triannon.yml

@@ -1,3 +1,5 @@
+# http://www.yaml.org/YAML_for_ruby.html
+
 development:
   ldp:
     url: http://your.ldp_store_url.here
@@ -7,32 +9,67 @@ development:
     #  the container names here will also map to paths in the triannon url, e.g.
     #  "foo" here will mean you add a foo anno by POST to http://your.triannon-server.com/annotations/foo
     #  and you get the foo anno by GET to http://your.triannon-server.com/annotations/foo/(anno_uuid)
+    # auth: this configures access for POST and DELETE requests; when it is
+    #   missing or the 'users' or 'workgroups' are empty, all access is OK.
+    #   otherwise, the client must submit an access token containing data
+    #   to be compared against these configuration parameters.
     anno_containers:
-      - foo
-      - blah
+      foo:
+      bar:
+        auth:
+          users: []
+          workgroups:
+          - org:wg-A
+          - org:wg-B
   solr_url: http://your.triannon_solr_url.here
   # triannon_base_url:  the prefix for the urls for your annos
   triannon_base_url: http://your.triannon-server.com/annotations/
   max_solr_retries: 5
   base_sleep_seconds: 1
   max_sleep_seconds: 5
+  authorized_clients:
+    clientA: secretA
+    clientB: secretB
+  # expiry values are in seconds
+  client_token_expiry: 60
+  access_token_expiry: 3600
 
 test: &test
   ldp:
     url: http://your.ldp_store_url.here
     uber_container:  anno
     anno_containers:
-      - foo
-      - blah
+      foo:
+      bar:
+        auth:
+          users: []
+          workgroups:
+          - org:wg-A
+          - org:wg-B
   solr_url: http://your.triannon_solr_url.here
   triannon_base_url: http://your.triannon-server.com/annotations/
+  authorized_clients:
+    clientA: secretA
+    clientB: secretB
+  # expiry values are in seconds
+  client_token_expiry: 60
+  access_token_expiry: 3600
 
 production:
   ldp:
     url: http://your.ldp_store_url.here
     uber_container:  anno
     anno_containers:
-      - foo
-      - blah
+      foo:
+      bar:
+        auth:
+          users: []
+          workgroups:
+          - org:wg-A
+          - org:wg-B
   solr_url: http://your.triannon_solr_url.here
   triannon_base_url: http://your.triannon-server.com/annotations/
+  authorized_clients:
+  # expiry values are in seconds
+  client_token_expiry: 60
+  access_token_expiry: 3600

data/lib/generators/triannon/install_generator.rb

@@ -20,32 +20,59 @@ development:
     #  "foo" here will mean you add a foo anno by POST to http://your.triannon-server.com/annotations/foo
     #  and you get the foo anno by GET to http://your.triannon-server.com/annotations/foo/(anno_uuid)
     anno_containers:
-      - foo
-      - blah
+      foo:
+      bar:
+        auth:
+          users: []
+          workgroups:
+          - org:wg-A
+          - org:wg-B
   solr_url: http://localhost:8983/solr/triannon
   triannon_base_url: http://your.triannon-server.com/annotations/
   max_solr_retries: 5
   base_sleep_seconds: 1
   max_sleep_seconds: 5
+  authorized_clients:
+    clientA: secretA
+    clientB: secretB
+  # expiry values are in seconds
+  client_token_expiry: 60
+  access_token_expiry: 3600
 test: &test
   ldp:
     url: http://localhost:8983/fedora/rest
     uber_container:  anno
     anno_containers:
-      - foo
-      - blah
+      foo:
+      bar:
+        auth:
+          users: []
+          workgroups:
+          - org:wg-A
+          - org:wg-B
   solr_url: http://localhost:8983/solr/triannon
   triannon_base_url: http://your.triannon-server.com/annotations/
+  authorized_clients:
+    clientA: secretA
+    clientB: secretB
+  # expiry values are in seconds
+  client_token_expiry: 60
+  access_token_expiry: 3600
 production:
   ldp:
     url:
     uber_container:  anno
     anno_containers:
-      - foo
-      - blah
+      foo:
+      bar:
+        auth:
+          users: []
+          workgroups:
+          - org:wg-A
+          - org:wg-B
   solr_url:
   triannon_base_url:
-      YML
+YML
       create_file 'config/triannon.yml', default_yml
     end
 

data/lib/tasks/triannon_tasks.rake

@@ -40,8 +40,10 @@ namespace :triannon do
       puts "ERROR:  Triannon config file missing: #{Triannon.triannon_file} - are you in the rails app root directory?"
       raise "Triannon config file missing: #{Triannon.triannon_file}"
     end
-    Triannon.config[:ldp]['anno_containers'].each { |container_name|
-	    Triannon::LdpWriter.create_basic_container(Triannon.config[:ldp]['uber_container'], container_name)
+    uber_container = Triannon.config[:ldp]['uber_container']
+    containers = Triannon.config[:ldp]['anno_containers'].keys
+    containers.each { |c|
+	    Triannon::LdpWriter.create_basic_container(uber_container, c.dup)
     }
   end
 end # namespace triannon

data/lib/triannon/version.rb

@@ -1,3 +1,3 @@
 module Triannon
-  VERSION = "2.0.1"
+  VERSION = "3.0.0"
 end

metadata

@@ -1,15 +1,16 @@
 --- !ruby/object:Gem::Specification
 name: triannon
 version: !ruby/object:Gem::Version
-  version: 2.0.1
+  version: 3.0.0
 platform: ruby
 authors:
 - Naomi Dushay
 - Willy Mene
+- Darren Weber
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-06-12 00:00:00.000000000 Z
+date: 2015-07-22 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rails
@@ -235,6 +236,48 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-doc
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: pry-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
@@ -321,6 +364,7 @@ files:
 - app/controllers/concerns/rdf_response_formats.rb
 - app/controllers/triannon/annotations_controller.rb
 - app/controllers/triannon/application_controller.rb
+- app/controllers/triannon/auth_controller.rb
 - app/controllers/triannon/search_controller.rb
 - app/helpers/triannon/application_helper.rb
 - app/models/triannon/annotation.rb
@@ -372,7 +416,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.3
+rubygems_version: 2.4.8
 signing_key: 
 specification_version: 4
 summary: Rails engine for working with OpenAnnotations stored in Fedora4