The admin app moved to the admin. subdomain instead of the admin/ path

Dockerfile

@@ -22,7 +22,7 @@ RUN mvn -Pstandalone clean install
 
 # ==============================
 
-FROM atomgraph/letsencrypt-tomcat:10.1.34
+FROM atomgraph/letsencrypt-tomcat:10.1.46
 
 LABEL maintainer="[email protected]"
 
@@ -72,14 +72,12 @@ ENV OWNER_CERT_ALIAS=root-owner
 ENV OWNER_KEYSTORE=/var/linkeddatahub/ssl/owner/keystore.p12
 ENV OWNER_CERT=/var/linkeddatahub/ssl/owner/cert.pem
 ENV OWNER_PUBLIC_KEY=/var/linkeddatahub/ssl/owner/public.pem
-ENV OWNER_PRIVATE_KEY=/var/linkeddatahub/ssl/owner/private.key
 
 ENV SECRETARY_COMMON_NAME=LinkedDataHub
 ENV SECRETARY_CERT_ALIAS=root-secretary
 ENV SECRETARY_KEYSTORE=/var/linkeddatahub/ssl/secretary/keystore.p12
 ENV SECRETARY_CERT=/var/linkeddatahub/ssl/secretary/cert.pem
 ENV SECRETARY_PUBLIC_KEY=/var/linkeddatahub/ssl/secretary/public.pem
-ENV SECRETARY_PRIVATE_KEY=/var/linkeddatahub/ssl/secretary/private.key
 
 ENV CLIENT_KEYSTORE_MOUNT=/var/linkeddatahub/ssl/secretary/keystore.p12
 ENV CLIENT_KEYSTORE="$CATALINA_HOME/webapps/ROOT/WEB-INF/keystore.p12"
@@ -147,12 +145,16 @@ COPY platform/import-letsencrypt-stg-roots.sh import-letsencrypt-stg-roots.sh
 
 COPY platform/select-root-services.rq select-root-services.rq
 
-# copy the metadata of the built-in secretary agent
+# copy the metadata of built-in agents
 
 COPY platform/root-secretary.trig.template root-secretary.trig.template
 
 COPY platform/root-owner.trig.template root-owner.trig.template
 
+# copy the metadata of the namespace ontology
+
+COPY platform/namespace-ontology.trig.template namespace-ontology.trig.template
+
 # copy default datasets
 
 COPY platform/datasets/admin.trig /var/linkeddatahub/datasets/admin.trig
@@ -197,7 +199,7 @@ RUN useradd --no-log-init -U ldh && \
 RUN ./import-letsencrypt-stg-roots.sh
 
 HEALTHCHECK --start-period=80s --retries=5 \
-    CMD curl -f -I "http://localhost:${HTTP_PORT}/ns" -H "Accept: application/n-triples" || exit 1 # relies on public access to the namespace document
+    CMD curl -f -I "http://localhost:7070/ns" -H "Accept: application/n-triples" || exit 1 # relies on public access to the namespace document
 
 USER ldh
 

bin/admin/acl/make-public.sh

@@ -58,7 +58,13 @@ if [ -z "$base" ] ; then
     exit 1
 fi
 
-target="${base}admin/acl/authorizations/public/"
+admin_uri() {
+    local uri="$1"
+    echo "$uri" | sed 's|://|://admin.|'
+}
+
+admin_base=$(admin_uri "$base")
+target="${admin_base}acl/authorizations/public/"
 
 if [ -n "$proxy" ]; then
     # rewrite target hostname to proxy hostname
@@ -73,7 +79,7 @@ curl -X PATCH \
     -H "Content-Type: application/sparql-update" \
     "$target" \
      --data-binary @- <<EOF
-BASE <${base}admin/>
+BASE <${admin_base}>
 
 PREFIX  acl: <http://www.w3.org/ns/auth/acl#>
 PREFIX  def: <https://w3id.org/atomgraph/linkeddatahub/default#>
@@ -84,10 +90,10 @@ PREFIX  foaf: <http://xmlns.com/foaf/0.1/>
 INSERT
 {
   <acl/authorizations/public/#this> acl:accessToClass def:Root, dh:Container, dh:Item, nfo:FileDataObject ;
-      acl:accessTo <../sparql> .
+      acl:accessTo <${base}sparql> .
 
   <acl/authorizations/public/#sparql-post> a acl:Authorization ;
-      acl:accessTo <../sparql> ;
+      acl:accessTo <${base}sparql> ;
       acl:mode acl:Append ;
       acl:agentClass foaf:Agent, acl:AuthenticatedAgent . # hacky way to allow queries over POST
 }

bin/webid-keygen-pem.sh

@@ -4,7 +4,7 @@
 
 if [ "$#" -ne 6 ]; then
   echo "Usage:   $0" '$alias $cert_file $keystore_password $key_password $webid_uri $validity' >&2
-  echo "Example: $0 martynas martynas.localhost.p12 Martynas Martynas https://localhost:4443/admin/acl/agents/ce84eb31-cc1e-41f4-9e29-dacd417b9818/#this 365" >&2
+  echo "Example: $0 martynas martynas.localhost.p12 Martynas Martynas https://admin.localhost:4443/acl/agents/ce84eb31-cc1e-41f4-9e29-dacd417b9818/#this 365" >&2
   exit 1
 fi
 

bin/webid-keygen.sh

@@ -4,7 +4,7 @@
 
 if [ "$#" -ne 6 ]; then
   echo "Usage:   $0" '$alias $cert_file $keystore_password $key_password $webid_uri $validity' >&2
-  echo "Example: $0 martynas martynas.localhost.p12 Password Password https://localhost:4443/admin/acl/agents/ce84eb31-cc1e-41f4-9e29-dacd417b9818/#this 3650" >&2
+  echo "Example: $0 martynas martynas.localhost.p12 Password Password https://admin.localhost:4443/acl/agents/ce84eb31-cc1e-41f4-9e29-dacd417b9818/#this 3650" >&2
   exit 1
 fi
 

config/system.trig

@@ -1,4 +1,5 @@
 @prefix lapp:	<https://w3id.org/atomgraph/linkeddatahub/apps#> .
+@prefix ldh:	<https://w3id.org/atomgraph/linkeddatahub#> .
 @prefix a:	<https://w3id.org/atomgraph/core#> .
 @prefix ac:	<https://w3id.org/atomgraph/client#> .
 @prefix rdf:	<http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@@ -16,7 +17,8 @@
 
 <urn:linkeddatahub:apps/admin> a lapp:Application, lapp:AdminApplication ;
     dct:title "LinkedDataHub admin" ;
-    ldt:base <admin/> ;
+    # ldt:base <https://admin.localhost:4443/> ;
+    ldh:origin <https://admin.localhost:4443> ;
     ldt:ontology <https://w3id.org/atomgraph/linkeddatahub/admin#> ;
     ldt:service <urn:linkeddatahub:services/admin> ;
     ac:stylesheet <static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/admin/layout.xsl> ;
@@ -35,8 +37,9 @@
 
 <urn:linkeddatahub:apps/end-user> a lapp:Application, lapp:EndUserApplication ;
     dct:title "LinkedDataHub" ;
-    ldt:base <> ;
-    ldt:ontology <ns#> ;
+    # ldt:base <https://localhost:4443/> ;
+    ldh:origin <https://localhost:4443> ;
+    ldt:ontology <https://localhost:4443/ns#> ;
     ldt:service <urn:linkeddatahub:services/end-user> ;
     lapp:adminApplication <urn:linkeddatahub:apps/admin> ;
     lapp:frontendProxy <http://varnish-frontend:6060/> ;

docker-compose.yml

@@ -56,6 +56,11 @@ services:
       - MAIL_SMTP_HOST=email-server
       - MAIL_SMTP_PORT=25
       - MAIL_USER=linkeddatahub@localhost
+      - REMOTE_IP_VALVE=true
+      - REMOTE_IP_VALVE_PROTOCOL_HEADER=X-Forwarded-Proto
+      - REMOTE_IP_VALVE_PORT_HEADER=X-Forwarded-Port
+      - REMOTE_IP_VALVE_REMOTE_IP_HEADER=X-Forwarded-For
+      - REMOTE_IP_VALVE_HOST_HEADER=X-Forwarded-Host
       - OWNER_MBOX=${OWNER_MBOX}
       #- OWNER_URI=${OWNER_URI}
       - OWNER_GIVEN_NAME=${OWNER_GIVEN_NAME}
@@ -163,7 +168,7 @@ configs:
           # server with optional client cert authentication
           server {
               listen 8443 ssl;
-              server_name ${HOST};
+              server_name *.${HOST} ${HOST};
               ssl_certificate /etc/nginx/ssl/server.crt;
               ssl_certificate_key /etc/nginx/ssl/server.key;
               ssl_session_cache shared:SSL:1m;
@@ -175,6 +180,11 @@ configs:
                   #proxy_cache backcache;
                   limit_req zone=linked_data burst=30 nodelay;
 
+                  proxy_set_header Host $$host;
+                  proxy_set_header X-Forwarded-Host $$host;
+                  proxy_set_header X-Forwarded-Proto $$scheme;
+                  proxy_set_header X-Forwarded-Port ${HTTPS_PORT};
+
                   proxy_set_header Client-Cert '';
                   proxy_set_header Client-Cert $$ssl_client_escaped_cert;
 
@@ -185,6 +195,11 @@ configs:
                   proxy_pass http://linkeddatahub;
                   limit_req zone=static_files burst=20 nodelay;
 
+                  proxy_set_header Host $$host;
+                  proxy_set_header X-Forwarded-Host $$host;
+                  proxy_set_header X-Forwarded-Proto $$scheme;
+                  proxy_set_header X-Forwarded-Port ${HTTPS_PORT};
+
                   proxy_set_header Client-Cert '';
                   proxy_set_header Client-Cert $$ssl_client_escaped_cert;
 
@@ -202,7 +217,7 @@ configs:
           # server with client cert authentication on
           server {
               listen 9443 ssl;
-              server_name ${HOST};
+              server_name *.${HOST} ${HOST};
               ssl_certificate /etc/nginx/ssl/server.crt;
               ssl_certificate_key /etc/nginx/ssl/server.key;
               ssl_session_cache shared:SSL:1m;  
@@ -214,6 +229,11 @@ configs:
                   #proxy_cache backcache;
                   limit_req zone=linked_data burst=30 nodelay;
 
+                  proxy_set_header Host $$host;
+                  proxy_set_header X-Forwarded-Host $$host;
+                  proxy_set_header X-Forwarded-Proto $$scheme;
+                  proxy_set_header X-Forwarded-Port ${HTTPS_PORT};
+
                   proxy_set_header Client-Cert '';
                   proxy_set_header Client-Cert $$ssl_client_escaped_cert;
               }
@@ -226,7 +246,7 @@ configs:
 
           server {
               listen 8080;
-              server_name ${HOST};
+              server_name *.${HOST} ${HOST};
 
               location / {
                   return 301 https://$$server_name:${HTTPS_PORT}$$request_uri;

http-tests/access/group-authorization.sh

@@ -19,7 +19,7 @@ ntriples=$(curl -k -s -G \
   "${ADMIN_BASE_URL}access"
 )
 
-if echo "$ntriples" | grep -q '<http://www.w3.org/ns/auth/acl#agentGroup> <https://localhost:4443/admin/acl/groups/writers/#this>'; then
+if echo "$ntriples" | grep -q "<http://www.w3.org/ns/auth/acl#agentGroup> <${ADMIN_BASE_URL}acl/groups/writers/#this>"; then
   exit 1
 fi
 
@@ -50,6 +50,6 @@ ntriples=$(curl -k -s -G \
   "${ADMIN_BASE_URL}access"
 )
 
-if ! echo "$ntriples" | grep -q '<http://www.w3.org/ns/auth/acl#agentGroup> <https://localhost:4443/admin/acl/groups/writers/#this>'; then
+if ! echo "$ntriples" | grep -q "<http://www.w3.org/ns/auth/acl#agentGroup> <${ADMIN_BASE_URL}acl/groups/writers/#this>"; then
   exit 1
 fi

http-tests/run.sh

@@ -110,7 +110,7 @@ export HTTP_TEST_ROOT="$PWD"
 export END_USER_ENDPOINT_URL="http://localhost:3031/ds/"
 export ADMIN_ENDPOINT_URL="http://localhost:3030/ds/"
 export END_USER_BASE_URL="https://localhost:4443/"
-export ADMIN_BASE_URL="https://localhost:4443/admin/"
+export ADMIN_BASE_URL="https://admin.localhost:4443/"
 export END_USER_VARNISH_SERVICE="varnish-end-user"
 export ADMIN_VARNISH_SERVICE="varnish-admin"
 export FRONTEND_VARNISH_SERVICE="varnish-frontend"

platform/datasets/admin.trig

@@ -391,7 +391,6 @@ WHERE
 
 ### ADMIN-SPECIFIC
 
-@prefix ns:	<../ns#> .
 @prefix lacl:	<https://w3id.org/atomgraph/linkeddatahub/admin/acl#> .
 @prefix adm:	<https://w3id.org/atomgraph/linkeddatahub/admin#> .
 @prefix rdfs:	<http://www.w3.org/2000/01/rdf-schema#> .
@@ -637,44 +636,6 @@ WHERE
 
 }
 
-# public namespace
-
-<acl/authorizations/public-namespace/>
-{
-
-    <acl/authorizations/public-namespace/> a dh:Item ;
-        sioc:has_container <acl/authorizations/> ;
-        dct:title "Public namespace access" ;
-        foaf:primaryTopic <acl/authorizations/public-namespace/#this> .
-
-    <acl/authorizations/public-namespace/#this> a acl:Authorization ;
-        rdfs:label "Public namespace access" ;
-        rdfs:comment "Allows non-authenticated access" ;
-        acl:accessTo <../ns> ; # end-user ontologies are public
-        acl:mode acl:Read, acl:Append ; # allow queries over GET as well as POST
-        acl:agentClass foaf:Agent, acl:AuthenticatedAgent .
-
-}
-
-# SPARQL endpoint
-
-<acl/authorizations/sparql-endpoint/>
-{
-
-    <acl/authorizations/sparql-endpoint/> a dh:Item ;
-        sioc:has_container <acl/authorizations/> ;
-        dct:title "SPARQL endpoint access" ;
-        foaf:primaryTopic <acl/authorizations/sparql-endpoint/#this> .
-
-    <acl/authorizations/sparql-endpoint/#this> a acl:Authorization ;
-        rdfs:label "SPARQL endpoint access" ;
-        rdfs:comment "Allows only authenticated access" ;
-        acl:accessTo <../sparql> ;
-        acl:mode acl:Read, acl:Append ; # allow queries over GET as well as POST
-        acl:agentClass acl:AuthenticatedAgent .
-
-}
-
 # access endpoint
 
 <acl/authorizations/access/>
@@ -804,52 +765,12 @@ WHERE
         rdfs:label "Full control" ;
         rdfs:comment "Allows full read/write access to all application resources" ;
         acl:accessToClass dh:Item, dh:Container, def:Root ;
-        acl:accessTo <../sparql>, <../importer>, <../add>, <../generate>, <../ns>, <clear>, <transform> ;
+        acl:accessTo <clear>, <transform> ;
         acl:mode acl:Read, acl:Append, acl:Write, acl:Control ;
         acl:agentGroup <acl/groups/owners/#this> .
 
 }
 
-# write/append access
-
-<acl/authorizations/write-append/>
-{
-
-    <acl/authorizations/write-append/> a dh:Item ;
-        sioc:has_container <acl/authorizations/> ;
-        dct:title "Write/append access" ;
-        foaf:primaryTopic <acl/authorizations/write-append/#this> .
-
-    <acl/authorizations/write-append/#this> a acl:Authorization ;
-        rdfs:label "Write/append access" ;
-        rdfs:comment "Allows write access to all documents and containers" ;
-        acl:accessToClass dh:Item, dh:Container, def:Root ;
-        acl:accessTo <../sparql>, <../importer>, <../add>, <../generate>, <../ns> ;
-        acl:mode acl:Write, acl:Append ;
-        acl:agentGroup <acl/groups/owners/#this>, <acl/groups/writers/#this> .
-
-}
-
-# read access
-
-<acl/authorizations/read/>
-{
-
-    <acl/authorizations/read/> a dh:Item ;
-        sioc:has_container <acl/authorizations/> ;
-        dct:title "Read access" ;
-        foaf:primaryTopic <acl/authorizations/read/#this> .
-
-    <acl/authorizations/read/#this> a acl:Authorization ;
-        rdfs:label "Read access" ;
-        rdfs:comment "Allows read access to all resources" ;
-        acl:accessToClass dh:Item, dh:Container, def:Root, <http://www.semanticdesktop.org/ontologies/2007/03/22/nfo#FileDataObject> ;
-        acl:accessTo <../sparql> ;
-        acl:mode acl:Read ;
-        acl:agentGroup <acl/groups/owners/#this>, <acl/groups/writers/#this>, <acl/groups/readers/#this> .
-
-}
-
 # GROUPS
 
 # owners
@@ -917,24 +838,3 @@ WHERE
         rdf:value ldh:ChildrenView .
 
 }
-
-# ONTOLOGIES
-
-# namespace
-
-<ontologies/namespace/>
-{
-
-    <ontologies/namespace/> a dh:Item ;
-        sioc:has_container <ontologies/> ;
-        dct:title "Namespace" ;
-        foaf:primaryTopic ns: .
-
-    ns: a owl:Ontology ;
-        rdfs:label "Namespace" ;
-        rdfs:comment "Namespace of the application" ;
-        foaf:isPrimaryTopicOf <../ns> ;
-        owl:imports <https://w3id.org/atomgraph/linkeddatahub/default#> ;
-        owl:versionInfo "1.0-SNAPSHOT" .
-
-}