API-X can't load services/ontologies when Fcrepo is behind authentication #987

Closed
whikloj opened this issue Dec 14, 2018 · 11 comments

@whikloj
Member

whikloj commented Dec 14, 2018

Still working on Fedora 5.0.0. Fcrepo-api-x-jena can't create the /apix/services, /apix/ontologies and /apix/extensions containers.

java.lang.RuntimeException: Error executing HttpPut request to http://localhost:8080/fcrepo/rest/apix/extensions
	at org.fcrepo.apix.jena.impl.LdpContainerRegistry.put(LdpContainerRegistry.java:240)
	at org.fcrepo.apix.jena.impl.LdpContainerRegistry.lambda$init$8(LdpContainerRegistry.java:135)
	at org.fcrepo.apix.jena.impl.InitMgr$1.lambda$$11(InitMgr.java:70)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)[:1.8.0_191]
	at java.util.concurrent.FutureTask.run(FutureTask.java:266)[:1.8.0_191]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)[:1.8.0_191]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)[:1.8.0_191]
	at java.lang.Thread.run(Thread.java:748)[:1.8.0_191]
Caused by: java.lang.RuntimeException: Resource creation failed: HTTP/1.1 403 Forbidden; <!DOCTYPE html><html><head><title>Apache Tomcat/8.0.32 (Ubuntu) - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 403 - </h1><div class="line"></div><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>Access to the specified resource has been forbidden.</u></p><hr class="line"><h3>Apache Tomcat/8.0.32 (Ubuntu)</h3></body></html>
	at org.fcrepo.apix.jena.impl.LdpContainerRegistry.lambda$put$9(LdpContainerRegistry.java:234)
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:223)[158:org.apache.httpcomponents.httpclient:4.5.3]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:165)[158:org.apache.httpcomponents.httpclient:4.5.3]
	at org.apache.http.impl.client.CloseableHttpClient.execute(CloseableHttpClient.java:140)[158:org.apache.httpcomponents.httpclient:4.5.3]
	at org.fcrepo.apix.jena.impl.LdpContainerRegistry.put(LdpContainerRegistry.java:226)
	... 7 more

I remember @dannylamb and @ajs6f had to do some fancy footwork to get JWTs passed through API-X before, but not sure if this was where.

@whikloj
Member Author

whikloj commented Dec 14, 2018

Related to #966

@ajs6f

ajs6f commented Dec 14, 2018

What happened last time was that we ended up sending a PR to API-X to allow it to be configured with a custom HTTP client. Then in CLAW, we configured API-X with an HTTP client that is pre-equipped to understand authN. I don't know what is different now-- are you sure the changes aren't in the Fedora product?

@whikloj
Member Author

whikloj commented Dec 14, 2018

No, I don't know that for sure. Where are we configuring the HTTP client for API-X? Maybe I need to make some changes there.

@ajs6f

ajs6f commented Dec 14, 2018

I don't know, but I would guess it's in the XML config. Doesn't API-X use Spring? Do we have a fork of it somewhere?

@whikloj
Member Author

whikloj commented Dec 14, 2018

@dannylamb just showed me in IRC we do it in Alpaca and assume it gets picked up as the default. https://github.com/Islandora-CLAW/Alpaca/tree/master/islandora-http-client
I'll try to trace the incoming requests from the Fedora side and see if they are using our client or if something else is happening.

@ajs6f

ajs6f commented Dec 14, 2018

Here looks to be where the service is declared. If API-X is still looking for the type org.apache.http.client.HttpClient to inject (and @birkland would know, and I don't know why that would have changed) then I'd be more inclined to look at the Fedora application to find the problem.

@ajs6f

ajs6f commented Dec 14, 2018

This section of API-X does look more complex than I remember. Maybe something has changed?

@birkland

Nothing has changed on the API-X end so far as I am aware. The factory referenced would be ignored/unused if an HttpClient is provided as a service. It'll just latch onto the one that was published to OSGi.

Tracing the requests is a good idea @whikloj to see if the requests are what you think they are (i.e. they have the appropriate Authorization).

That being said, this is a 403. Usually, that happens when authentication is OK, but the server spikes the request due to authz (i.e. an ACL). That sticks in my head as a possibility here.

@dannylamb
Contributor

The interceptor that @ajs6f wrote uses that static "Bearer islandora" token instead of an actual JWT, so I'm thinking it may be interplay with how we handle that in Syn and Fedora 5.

@whikloj
Member Author

whikloj commented Dec 14, 2018

Ohhhhh thank you all. I've got it.

With the updates to Syn I assign the "fedoraAdmin" user role only to users that come in with that role, so I need to update the claw-playbook to have the "islandora" token have a "fedoraAdmin" role.

I'm working on the same thing for the "admin" Drupal user, they need to have a "fedoraAdmin" role to get super-user access (otherwise we'll need to add a default WebAC ruleset).

So that is the problem, the user is coming in with a "fedoraUser" role and no permissions to write. This is not an issue at all and I will update the claw-playbook config as part of my PRs.

Good job team

@whikloj whikloj closed this as completed Dec 14, 2018
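
The resolution above, modelled as an added example (not code from Syn, Fedora or API-X): the static bearer token authenticates in both setups, and the role attached to it decides between a 403 and a successful write. The token-table shape, ACL structure, function names and the deny-by-default rule are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass

# Constructed static-token tables (hypothetical shape): token -> (user, roles).
# BEFORE mirrors the failing setup from the thread, AFTER the described fix.
TOKENS_BEFORE = {"islandora": ("islandora", {"fedoraUser"})}
TOKENS_AFTER = {"islandora": ("islandora", {"fedoraAdmin"})}
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}


@dataclass(frozen=True)
class Principal:
    user: str
    roles: frozenset


def authenticate(headers, tokens):
    """Return a Principal for a known bearer token, else None."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer":
        return None
    for token, (user, roles) in tokens.items():
        # Constant-time comparison so the static token is not leaked by timing.
        if hmac.compare_digest(value.strip().encode(), token.encode()):
            return Principal(user, frozenset(roles))
    return None


def authorize(principal, method, path, acl):
    """fedoraAdmin is treated as super-user; other roles need an ACL grant."""
    if "fedoraAdmin" in principal.roles:
        return True
    mode = "write" if method in WRITE_METHODS else "read"
    # acl: path prefix -> {role: set of modes}; longest matching prefix wins.
    for prefix in sorted(acl, key=len, reverse=True):
        if path.startswith(prefix):
            return any(mode in acl[prefix].get(r, ()) for r in principal.roles)
    return False  # assumption: no ruleset covering the path means deny


def handle(method, path, headers, tokens, acl):
    """Return the HTTP status this model would answer with."""
    principal = authenticate(headers, tokens)
    if principal is None:
        return 401  # authentication failed: missing or unknown token
    if not authorize(principal, method, path, acl):
        return 403  # authenticated but not permitted, as in this issue
    return 201 if method == "PUT" else 200
```
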
@ajs6f

ajs6f commented Dec 14, 2018

https://www.youtube.com/watch?v=enw6kcU3niY
