Refact authentication handling

Needed to add @AuthRequired. CEDAR based authentication is moved to
ArpCedarApiKeyAuthMechanism via CompoundAuthMechanism, which seems to be
the new authentication approach.

src/main/java/edu/harvard/iq/dataverse/api/AbstractApiBean.java

@@ -337,10 +337,6 @@ protected User getRequestUser(ContainerRequestContext crc) {
      */
     protected AuthenticatedUser getRequestAuthenticatedUserOrDie(ContainerRequestContext crc) throws WrappedResponse {
         User requestUser = (User) crc.getProperty(ApiConstants.CONTAINER_REQUEST_CONTEXT_USER);
-        // Try as CEDAR token
-        if (requestUser == null) {
-            requestUser = cedarAuthSvc.lookupUser(getRequestApiKey());
-        }
         if (requestUser.isAuthenticated()) {
             return (AuthenticatedUser) requestUser;
         } else {

src/main/java/edu/harvard/iq/dataverse/api/arp/ArpApi.java

@@ -7,6 +7,7 @@
 import com.google.gson.*;
 import edu.harvard.iq.dataverse.*;
 import edu.harvard.iq.dataverse.api.AbstractApiBean;
+import edu.harvard.iq.dataverse.api.auth.AuthRequired;
 import edu.harvard.iq.dataverse.arp.*;
 import edu.harvard.iq.dataverse.authorization.Permission;
 import edu.harvard.iq.dataverse.authorization.users.AuthenticatedUser;
@@ -139,6 +140,7 @@ public Response checkCedarTemplateCall(String templateJson) {
     @Path("/cedarToMdb/{dvIdtf}") // TODO: should be importMdbFromCedar, used iin CEDAR template editor
     @Consumes("application/json")
     @Produces("text/tab-separated-values")
+    @AuthRequired
     public Response cedarToMdb(
             @Context ContainerRequestContext crc,
             @PathParam("dvIdtf") String dvIdtf,
@@ -220,6 +222,7 @@ public Response convertMdbToTsv(
     @Path("/exportMdbToCedar/{mdbIdtf}")
     @Consumes("application/json")
     @Produces("application/json")
+    @AuthRequired
     public Response exportMdbToCedar(
             @Context ContainerRequestContext crc,
             @PathParam("mdbIdtf") String mdbIdtf,
@@ -295,6 +298,7 @@ public Response convertTsvToCedarTemplate(String mdbTsv)
     @Path("/exportTsvToCedar/")
     @Consumes("application/json")
     @Produces("application/json")
+    @AuthRequired
     public Response exportTsvToCedar(
             @Context ContainerRequestContext crc,
             ExportTsvToCedarData cedarDataAndTsv
@@ -610,6 +614,7 @@ public Response updateMdb(@PathParam("dvIdtf") String dvIdtf, File file) {
     @GET
     @Path("/rocrate/{persistentId : .+}")
     @Produces("application/json")
+    @AuthRequired
     public Response getRoCrate(
             @Context ContainerRequestContext crc,
             @QueryParam("version") String version,
@@ -720,6 +725,7 @@ private boolean needToRegenerate(JsonObject roCrateJson) {
     @Path("/rocrate/{persistentId : .+}")
     @Consumes("application/json")
     @Produces("application/json")
+    @AuthRequired
     public Response updateRoCrate(
             @Context ContainerRequestContext crc,
             @PathParam("persistentId") String persistentId,

src/main/java/edu/harvard/iq/dataverse/api/auth/ArpCedarApiKeyAuthMechanism.java

@@ -0,0 +1,41 @@
+package edu.harvard.iq.dataverse.api.auth;
+
+import edu.harvard.iq.dataverse.arp.ArpCedarAuthenticationServiceBean;
+import edu.harvard.iq.dataverse.authorization.users.User;
+
+import javax.ejb.EJB;
+import javax.servlet.http.HttpServletRequest;
+import javax.ws.rs.container.ContainerRequestContext;
+import javax.ws.rs.core.Context;
+import java.util.logging.Logger;
+
+/**
+ * AuthMechanism to allow using apiKey header o key query param with a CEDAR provided token
+ * as associated with a Dataverse user via AuthenticatedUserArp.
+ *
+ * Note: while this is not an annotated EJB, this will be injected as an EJB into CompoundAuthMechanism
+ * and so we can use @EJB and @Context inside it.
+ */
+public class ArpCedarApiKeyAuthMechanism implements AuthMechanism
+{
+    private static final Logger logger = Logger.getLogger(ArpCedarApiKeyAuthMechanism.class.getCanonicalName());
+
+    @EJB
+    protected ArpCedarAuthenticationServiceBean cedarAuthSvc;
+
+    @Context
+    protected HttpServletRequest httpRequest;
+
+    @Override
+    public User findUserFromRequest(ContainerRequestContext crc) throws WrappedAuthErrorResponse
+    {
+        return cedarAuthSvc.lookupUser(getRequestApiKey(crc));
+    }
+
+    private String getRequestApiKey(ContainerRequestContext containerRequestContext) {
+        String headerParamApiKey = containerRequestContext.getHeaderString(ApiKeyAuthMechanism.DATAVERSE_API_KEY_REQUEST_HEADER_NAME);
+        String queryParamApiKey = containerRequestContext.getUriInfo().getQueryParameters().getFirst(ApiKeyAuthMechanism.DATAVERSE_API_KEY_REQUEST_PARAM_NAME);
+
+        return headerParamApiKey != null ? headerParamApiKey : queryParamApiKey;
+    }
+}

src/main/java/edu/harvard/iq/dataverse/api/auth/CompoundAuthMechanism.java

@@ -19,9 +19,11 @@ public class CompoundAuthMechanism implements AuthMechanism {
     private final List<AuthMechanism> authMechanisms = new ArrayList<>();
 
     @Inject
-    public CompoundAuthMechanism(ApiKeyAuthMechanism apiKeyAuthMechanism, WorkflowKeyAuthMechanism workflowKeyAuthMechanism, SignedUrlAuthMechanism signedUrlAuthMechanism, SessionCookieAuthMechanism sessionCookieAuthMechanism, BearerTokenAuthMechanism bearerTokenAuthMechanism) {
+    public CompoundAuthMechanism(ApiKeyAuthMechanism apiKeyAuthMechanism, WorkflowKeyAuthMechanism workflowKeyAuthMechanism, SignedUrlAuthMechanism signedUrlAuthMechanism, SessionCookieAuthMechanism sessionCookieAuthMechanism, BearerTokenAuthMechanism bearerTokenAuthMechanism, ArpCedarApiKeyAuthMechanism arpCedarApiKeyAuthMechanism) {
         // Auth mechanisms should be ordered by priority here
-        add(apiKeyAuthMechanism, workflowKeyAuthMechanism, signedUrlAuthMechanism, sessionCookieAuthMechanism,bearerTokenAuthMechanism);
+        // arpCedarApiKeyAuthMechanism must come first, as it used the same header/query param as apiKeyAuthMechanism
+        // but for matching CEDAR keys
+        add(arpCedarApiKeyAuthMechanism, apiKeyAuthMechanism, workflowKeyAuthMechanism, signedUrlAuthMechanism, sessionCookieAuthMechanism,bearerTokenAuthMechanism);
     }
 
     public CompoundAuthMechanism(AuthMechanism... authMechanisms) {