Shibboleth: Remote Authentication Phase 1

doc/sphinx-guides/source/_static/installation/files/etc/httpd/conf.d/shibtest.dataverse.org.conf → doc/sphinx-guides/source/_static/installation/files/etc/httpd/conf.d/dataverse.example.edu.conf

@@ -1,6 +1,6 @@
 <VirtualHost *:80>
 
-ServerName shibtest.dataverse.org
+ServerName dataverse.example.edu
 
 # From https://wiki.apache.org/httpd/RewriteHTTPToHTTPS
 

doc/sphinx-guides/source/_static/installation/files/etc/httpd/conf.d/ssl.conf

@@ -75,7 +75,7 @@ SSLCryptoDevice builtin
 
 # General setup for the virtual host, inherited from global configuration
 #DocumentRoot "/var/www/html"
-ServerName shibtest.dataverse.org:443
+ServerName dataverse.example.edu:443
 
 # Use separate log files for the SSL virtual host; note that LogLevel
 # is not inherited from httpd.conf.
@@ -102,14 +102,14 @@ SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM:+LOW
 # the certificate is encrypted, then you will be prompted for a
 # pass phrase.  Note that a kill -HUP will prompt again.  A new
 # certificate can be generated using the genkey(1) command.
-SSLCertificateFile /etc/pki/tls/certs/shibtest.dataverse.org.crt
+SSLCertificateFile /etc/pki/tls/certs/dataverse.example.edu.crt
 
 #   Server Private Key:
 #   If the key is not combined with the certificate, use this
 #   directive to point at the key file.  Keep in mind that if
 #   you've both a RSA and a DSA private key you can configure
 #   both in parallel (to also allow the use of DSA ciphers, etc.)
-SSLCertificateKeyFile /etc/pki/tls/private/shibtest.dataverse.org.key
+SSLCertificateKeyFile /etc/pki/tls/private/dataverse.example.edu.key
 
 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the
@@ -118,7 +118,7 @@ SSLCertificateKeyFile /etc/pki/tls/private/shibtest.dataverse.org.key
 #   the referenced file can be the same as SSLCertificateFile
 #   when the CA certificates are directly appended to the server
 #   certificate for convinience.
-SSLCertificateChainFile /etc/pki/tls/certs/shibtest.dataverse.org_server-chain.crt
+SSLCertificateChainFile /etc/pki/tls/certs/dataverse.example.edu_server-chain.crt
 
 #   Certificate Authority (CA):
 #   Set the CA certificate verification path where to find CA

doc/sphinx-guides/source/_static/installation/files/etc/shibboleth/shibGroupTestShib.json

@@ -0,0 +1,5 @@
+{
+  "name": "All testshib.org Shibboleth Users",
+  "attribute": "Shib-Identity-Provider",
+  "pattern": "https://idp.testshib.org/idp/shibboleth"
+}

doc/sphinx-guides/source/_static/installation/files/etc/shibboleth/shibboleth2.xml

@@ -12,7 +12,7 @@ https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
     clockSkew="1800">
 
     <!-- FIXME: change the entityID to your hostname. -->
-    <ApplicationDefaults entityID="https://shibtest.dataverse.org/sp"
+    <ApplicationDefaults entityID="https://dataverse.example.edu/sp"
         REMOTE_USER="eppn" attributePrefix="AJP_">
 
         <!-- You should use secure cookies if at all possible.  See cookieProps in this Wiki article. -->
@@ -30,7 +30,7 @@ https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPConfiguration
             <!--
                 Handlers allow you to interact with the SP and gather more information.  Try them out!
                 Attribute values received by the SP through SAML will be visible at:
-                http://shibtest.dataverse.org/Shibboleth.sso/Session
+                http://dataverse.example.edu/Shibboleth.sso/Session
             -->
 
             <!-- Extension service that generates "approximate" metadata based on SP configuration. -->

doc/sphinx-guides/source/api/native-api.rst

@@ -239,7 +239,10 @@ Remove a single role assignee from an explicit group::
 
   DELETE http://$server/api/dataverses/$dv/groups/$groupAlias/roleAssignees/$roleAssigneeIdentifier
 
+Shibboleth Groups
+~~~~~~~~~~~~~~~~~
 
+Management of Shibboleth groups via API is documented in the :doc:`/installation/shibboleth` section of the Installation Guide.
 
 Metadata Blocks
 ~~~~~~~~~~~~~~~
@@ -309,7 +312,31 @@ Creates a global role in the Dataverse installation. The data POSTed are assumed
 
     POST http://$SERVER/api/admin/roles
 
-Toggles superuser mode on the ``AuthenticatedUser`` whose ``identifier`` is passed. ::
+List all users::
+
+    GET http://$SERVER/api/admin/authenticatedUsers
+
+List user whose ``identifier`` (without the ``@`` sign) is passed::
+
+    GET http://$SERVER/api/admin/authenticatedUsers/$identifier
+
+Sample output using "dataverseAdmin" as the ``identifier``::
+
+    {
+      "authenticationProviderId": "builtin",
+      "persistentUserId": "dataverseAdmin",
+      "position": "Admin",
+      "id": 1,
+      "identifier": "@dataverseAdmin",
+      "displayName": "Dataverse Admin",
+      "firstName": "Dataverse",
+      "lastName": "Admin",
+      "email": "dataverse@mailinator.com",
+      "superuser": true,
+      "affiliation": "Dataverse.org"
+    }
+
+Toggles superuser mode on the ``AuthenticatedUser`` whose ``identifier`` (without the ``@`` sign) is passed. ::
 
     POST http://$SERVER/api/admin/superuser/$identifier
 

doc/sphinx-guides/source/user/account.rst

@@ -3,10 +3,10 @@ Account Creation & Management
 
 As a registered user, you can:
 
--  Create your own dataverse and customize it.
+-  Create your own dataverse and customize it
 -  Add datasets to dataverses, if available
 -  Contribute to existing datasets, if available
--  Request access to restricted files, if available.
+-  Request access to restricted files, if available
 
 Create User Account
 ===================
@@ -17,18 +17,50 @@ Create User Account
 Edit Your Account 
 ==================
 #. To edit your account after you have logged in, click on your account name in the header on the right hand side and click on Account Information.
-#. On the top right of your account page, click on the "Edit Account" button and from there you can select to edit either your Account Information or your Account Password. 
+#. On the top right of your account page, click on the "Edit Account" button and from there you can select to edit either your Account Information or your Account Password.
 #. Select "Save Changes" when you are done.
 
-Generate Your API Token
+Institutional Log In
 ========================
-#. To generate your API token, click on your name in the hearder on right hand side and then click on Account Information.
-#. On the top right of your account page, click on the "Edit Account" button and click on API Token in the list.
-#. Your API Token is located on that page. 
+
+
+Institutional log in allows you to use your log in information for your university (e.g. HarvardKey at Harvard) to log into your Dataverse account. By using your institutional log in, you won't have to remember your password for Dataverse or manage another account.
+
+How to create a new Dataverse account using Institutional Log In
+-------------------------------------------------------------------------------------------------
+
+#. Go to “Log In” in the upper right corner of Dataverse.
+#. Find this Institutional Log In box:|image1|
+#. Using the dropdown menu, select your institution then click the Continue button.
+#. You will be brought to your institution's log in page. After you put in your institutional information successfully, you will be brought back to Dataverse to confirm your account. |image2|
+
+How to use your Institutional Log In for your Dataverse account
+-------------------------------------------------------------------------------------------------
+
+If you already have a Dataverse account, but you want to change it to use your institutional log in, you can easily do so as long as your account uses an email address from that institution.
+
+#. Go to the Account Information page to confirm your account email address is the same as your institution email address. If not, you will need to update your account email address to be the same as your institution email address.
+#. Log out of Dataverse.
+#. Go to “Log In” in the upper right corner of Dataverse.
+#. Find this Institutional Log In box: |image1|
+#. Using the dropdown menu, select your institution then click the Continue button.
+#. You will be brought to your institution's log in page. After you successfully input your institutional information, you will be brought back to Dataverse to review your account information. Enter your previous password for your Dataverse account to ensure that you have changed your login. |image3|
+#. Once you click Change/Convert Account, you will have completed changing your Dataverse account to you use your institutional log in.
+
+How to change your Dataverse account to no longer use Institutional Log In
+-------------------------------------------------------------------------------------------------
+
+If you are leaving your institution and need to change your account back to a Dataverse account, you will need to contact support for the Dataverse installation you are using. On your account page, there is a link that will open the contact form for Support: |image4|
+
+
+Create Your API Token
+========================
+#. To create your API token, click on your name in the header on right hand side and then click on API Token.
+#. In this tab, you can create your API Token for the first time as well as recreate it if you need a new API Token or your API Token becomes compromised.
 
 My Data
 ========================
-The My Data section of your account page displays a listing of all the dataverses, datasets, and files you have either created, uploaded or that you have access to edit. You are able to filter through all the dataverses, datasets, and files listed there using the filter box or use the facets on the left side to only view a specific Publication Status or Role.  
+The My Data section of your account page displays a listing of all the dataverses, datasets, and files you have either created, uploaded or that you have access to edit. You are able to filter through all the dataverses, datasets, and files listed there using the filter box. You may also use the facets on the left side to only view a specific Publication Status or Role.
 
 Notifications: Setup & Maintainance
 ===================================
@@ -44,6 +76,12 @@ Dataverse will email your unread notifications once a day. Notifications will on
 
 Reset Your Account Password
 ==============================
-If you cannot remember the password for your Dataverse account, click on Log In in the top right corner of any page. Once on that page, click on the Forgot Password? link below where you would enter your username and password. Enter your email address and click Submit Password Request to receive an email with a link to reset your password. 
+If you cannot remember the password for your Dataverse account, click on Log In in the top right corner of any page. Once on that page, click on the "Forgot Password?" link below where you would enter your username and password. Enter your email address and click "Submit Password Request" to receive an email with a link to reset your password.
 
 \*Note: if you have forgotten your username, you can do this same process to receive your username in an email.
+
+
+.. |image1| image:: ./img/image1institutional.png
+.. |image2| image:: ./img/image2institutional.png  
+.. |image3| image:: ./img/image3institutional.png
+.. |image4| image:: ./img/image4institutional.png

pom.xml

@@ -318,6 +318,11 @@
             <artifactId>jacoco-maven-plugin</artifactId>
             <version>0.7.5.201505241946</version>
         </dependency>
+        <dependency>
+            <groupId>org.mockito</groupId>
+            <artifactId>mockito-core</artifactId>
+            <version>1.10.19</version>
+        </dependency>
         <!-- Added for DataCite -->
         <dependency>
             <groupId>org.slf4j</groupId>

src/main/java/Bundle.properties

@@ -72,7 +72,9 @@ header.logOut=Log Out
 header.accountInfo=Account Information
 header.user.selectTab.dataRelated=My Data
 header.user.selectTab.notifications=Notifications
+header.user.selectTab.accountInfo=Account Information
 header.user.selectTab.groupsAndRoles=Groups + Roles
+header.user.selectTab.apiToken=API Token
 
 # dataverse_template.xhtml
 
@@ -116,8 +118,10 @@ contact.contact=Contact
 
 account.info=Account Information
 account.edit=Edit Account
-apiTaken=API Token
-user.toEditDetail=You are logged in through your institution. If you need to update any of this information, please contact your institution.
+account.apiToken=API Token
+user.isShibUser=Account information cannot be edited when logged in through an institutional account.
+user.helpShibUserMigrateOffShibBeforeLink=Leaving your institution? Please contact
+user.helpShibUserMigrateOffShibAfterLink=for assistance.
 user.lostPasswdTip=If you have lost or forgotten your password, please enter your username or email address below and click Submit. We will send you an e-mail with your new password.
 user.dataRelatedToMe=My Data
 wasCreatedIn=, was created in
@@ -181,29 +185,37 @@ user.updatePassword.password=Create a password that is minimum six characters lo
 authenticationProvidersAvailable.tip={0}There are no active authentication providers{1}If you are a system administrator, please enable one using the API.{2}If you are not a system administrator, please contact the one for your institution.
 login.System=Login System
 login.forgot.text=Forgot your password?
-login.institution=Institution Log In
+login.builtin=Dataverse Account Log In
+login.institution=Institutional Log In
+login.institution.blurb=Use Dataverse with your institutional log in instead of creating an account. <a href="{0}/{1}/user/account.html" target="_blank">Learn More</a>.
+login.institution.support.beforeLink=Leaving your institution? Please contact
+login.institution.support.afterLink=for assistance.
 login.builtin.credential.usernameOrEmail=Username/Email
 login.builtin.credential.password=Password
 login.builtin.invalidUsernameEmailOrPassword=The username, email address, or password you entered is invalid. Need assistance accessing your account?
 # how do we exercise login.error? Via a password upgrade failure? See https://github.com/IQSS/dataverse/pull/2922
 login.error=Error validating the username, email address, or password. Please try again. If the problem persists, contact an administrator.
 
 #shib.xhtml
-shib.btn.acceptAndConvert=Accept Terms and Convert Account
-shib.btn.acceptAndCreate=Accept Terms and Create Account
-shib.welcome=Welcome,
-shib.welcomeExistingUserMessage=The email provided by {0} authentication matches an existing Dataverse account. If you would like to associate your existing Dataverse account with {0} authentication, please enter the password of your existing Dataverse account, review the General Terms of Use, and then click the Accept Terms and Convert Account button.
+shib.btn.convertAccount=Convert Account
+shib.btn.createAccount=Create Account
+shib.askToConvert=Would you like to convert your Dataverse account to always use your institutional log in?
+# Bundle file editors, please note that "shib.welcomeExistingUserMessage" is used in a unit test
+shib.welcomeExistingUserMessage=Your institutional log in for {0} matches an email address already being used for a Dataverse account. By entering your current Dataverse password below, your existing Dataverse account can be converted to use your institutional log in. After converting, you will only need to use your institutional log in.
+# Bundle file editors, please note that "shib.welcomeExistingUserMessageDefaultInstitution" is used in a unit test
+shib.welcomeExistingUserMessageDefaultInstitution=your institution
 shib.dataverseUsername=Dataverse Username
 shib.currentDataversePassword=Current Dataverse Password
 shib.accountInformation=Account Information
-shib.offerToCreateNewAccount=Please agree to the Dataverse Terms of Use to create your account.
-shib.passwordRejected=Your account can only be converted if you provide the correct password for your existing account.
+shib.offerToCreateNewAccount=This information is provided by your institution and will be used to create your Dataverse account.
+shib.passwordRejected=<strong>Validation Error</strong> - Your account can only be converted if you provide the correct password for your existing account.
 
-#apitoken.xhtml
+# tab on dataverseuser.xhtml
 apitoken.title=API Token
-apitoken.message=Here is your API Token. Check out our {0}API Guide{1} for more information.
-apitoken.generateBtn=Generate Token
-apitoken.regenerateBtn=Regenerate Token
+apitoken.message=Your API Token is displayed below after it has been created. Check out our {0}API Guide{1} for more information on using your API Token with the Dataverse APIs. 
+apitoken.notFound=API Token for {0} has not been created.
+apitoken.generateBtn=Create Token
+apitoken.regenerateBtn=Recreate Token
 
 #MailServiceBean.java
 

src/main/java/edu/harvard/iq/dataverse/ApiTokenPage.java

@@ -3,16 +3,21 @@
 import edu.harvard.iq.dataverse.authorization.AuthenticationServiceBean;
 import edu.harvard.iq.dataverse.authorization.users.ApiToken;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
-import static edu.harvard.iq.dataverse.util.JsfHelper.JH;
+import edu.harvard.iq.dataverse.util.BundleUtil;
 import java.sql.Timestamp;
+import java.util.ArrayList;
 import java.util.Calendar;
+import java.util.List;
 import java.util.logging.Logger;
 import javax.ejb.EJB;
-import javax.faces.application.FacesMessage;
 import javax.faces.view.ViewScoped;
 import javax.inject.Inject;
 import javax.inject.Named;
 
+/**
+ * @todo Rename this to ApiTokenFragment? The separate page is being taken out
+ * per https://github.com/IQSS/dataverse/issues/3086
+ */
 @ViewScoped
 @Named("ApiTokenPage")
 public class ApiTokenPage implements java.io.Serializable {
@@ -45,9 +50,12 @@ public String getApiToken() {
             if (apiToken != null) {
                 return apiToken.getTokenString();
             } else {
-                return "API token for " + au.getName() + " not found";
+                List<String> arguments = new ArrayList<>();
+                arguments.add(au.getName());
+                return BundleUtil.getStringFromBundle("apitoken.notFound", arguments);
             }
         } else {
+            // It should be impossible to get here from the UI.
             return "Only authenticated users can have API tokens.";
         }
 

src/main/java/edu/harvard/iq/dataverse/DataverseHeaderFragment.java

@@ -265,31 +265,4 @@ public DvObject getDvObject() {
         }
 
     }
-
-    private Boolean debugShibboleth = null;
-
-    public boolean isDebugShibboleth() {
-        if (debugShibboleth != null) {
-            return debugShibboleth;
-        }
-        debugShibboleth = systemConfig.isDebugEnabled();
-        return debugShibboleth;
-    }
-
-    public List<String> getGroups(User user) {
-        List<String> groups = new ArrayList<>();
-        Set<Group> groupsForUser = groupService.groupsFor(user, null);
-        for (Group group : groupsForUser) {
-            groups.add(group.getDisplayName() + " (" + group.getIdentifier() + ")");
-        }
-        return groups;
-    }
-
-    public List<String> getPermissions(User user, Dataverse dataverse) {
-        List<String> permissions = new ArrayList<>();
-        for (Permission permission : permissionService.permissionsFor(user, dataverse)) {
-            permissions.add(permission.name());
-        }
-        return permissions;
-    }
 }

src/main/java/edu/harvard/iq/dataverse/EMailValidator.java

@@ -33,9 +33,18 @@ public static boolean isEmailValid(String value, ConstraintValidatorContext cont
             //we'll let someone else decide if it's required
             return true;
         }
+        /**
+         * @todo Why are we validating the trimmed value rather than the value
+         * itself? Which are we persisting to the database, the trimmed value or
+         * the non-trimmed value? See also
+         * https://github.com/IQSS/dataverse/issues/2945 and
+         * https://github.com/IQSS/dataverse/issues/3044
+         */
         boolean isValid = EmailValidator.getInstance().isValid(value.trim());
         if (!isValid) {
-            context.buildConstraintViolationWithTemplate(value + " is not a valid email address.").addConstraintViolation();
+            if (context != null) {
+                context.buildConstraintViolationWithTemplate(value + " is not a valid email address.").addConstraintViolation();
+            }
             return false;
         }
         return true;