
Commit 7a94f08

Version 5.x (#210)

* Regex match fix to account for the fact that SPARQL.js 2.x does *not* wrap the literal's datatype URI into `<>`
* Debug RDF/XML data during `PATCH` request
* Added `s` flag to `matches()` and `regex` in order to allow newlines in literals Simplified `xsl:analyze-string` logic (avoid calling it twice)
* Fixing container mode for queries
* Pass `$block` to `ldh:RenderRow` instead of `$block-uri`
* Debug `$query-uri`
* Fixed var name
* Fix `$query-uri` value
* Fixed `$block-uri` usage
* Updated chart rendering in `ldh:RenderRow` mode
* Build `$chart-html` in the `.btn-save-chart` handler
* Fixed `xsl:for-each` syntax
* Fixed `$chat-html`
* Apply `bs2:RowForm` on `$constructed-doc`
* Added missing `$resource` definition
* Define `$method`
* Defined `$doc-uri`
* Added `@rdf:nodeID` to chart resource in the constructor
* Try to insert `$row-form` after `$block` by calling `Element.after()`
* Added `$form-actions` param to `bs2:Chart` mode
* Copy following siblings of the `$block` and re-insert them after the `$row-form`
* Trace `$row-form`
* Added default `xmlns="http://www.w3.org/1999/xhtml"` namespace to (X)HTML stylesheets Web-Client bumped to 4.0.17-SNAPSHOT SNAPSHOT bump
* Try `cdata-section-elements="script"`
* Added `CDATA` escaping hack for `<script>` elements with inline JS
* Wrap `<![CDATA[` into `<xsl:text disable-output-escaping="yes">`
* More `<xsl:text disable-output-escaping="yes">`
* More `<xsl:text disable-output-escaping="yes">`
* More `disable-output-escaping="yes"`
* Refactored `.add-constructor` handler to call `Element.before()`
* Don't call `ldh:RenderRowForm`
* Apply client-side templates on the appended row form (now following sibling of the `$block`)
* Apply `ldh:RenderRowForm` on the inserted row form
* Store `$block-html` when `.btn-edit` is clicked (HTML before editing mode was enabled)
* Fixed var name
* Commented out unused code
* Create new `window.LinkedDataHub.contents[$about]` object if it doesn't exist
* Fixed the type of `$block-html`
* Restore snapshot of block HTML that was captured before entering editing mode
* Fixed var name
* Debug `$block`
* Debug `.btn-edit $block`
* Store `$block-html` as a clone of `$block`
* Make a deep clone of `$block` instead of shallow one
* Remove the `$block-html` value after it has been used
* Attempt to handle `.btn-cancel` with a single template in form.xsl
* Cleanup
* Getting rid of `bs2:RowContent` mode
* Re-introduced `$main-class` param to `bs2:Row` mode SNAPSHOT bump
* Stripping namespaces in `ldh:XHTMLContent` mode should not be necessary now that the output is XHTML (`xmlns="http://www.w3.org/1999/xhtml"`)
* Don't copy namespaces in the `ldh:XHTMLContent` identity transform
* Replaced `VARNISH_TTL` env var (which has no effect) with `command: -t 86400`
* Fixing Varnish's `command`
* Added `$@` to the varnish entrypoint
* Escaped `$`
* Try to fix Varnish entrypoint
* Escape `$`
* Another attempt to fix entrypoint
* Fix entrypoints of other Varnish services
* Default Varnish VCL template only allows cookies in the admin app (for login etc.)
* Changed VCL
* Add `req.http.Client-Cert` value to the Varnish hash instead of passing requests that contain it
* Include SHA-256 hash of the `Client-Cert` header in the cache key
* Don't use digest, hash `req.http.Client-Cert` directly
* Removed usage of `remote` clients in the VCL
* Include `LinkedDataHub.id_token` cookie value in the VCL hash, if it exists
* Hash user-specific content only when (X)HTML is returned
* Revert the `vcl_hash()` logic. Authenticated (X)HTML requests are not cacheable (since they're user-specific)
* Do not cache (X)HTML requests that have a `LinkedDataHub.id_token` cookie value
* `ldh:View` is now a "normal" resource, not a content block
* Transclude `ldh:View` instances via `ldh:Object`
* Dataset fixes
* Debug `ldh:LoadBlockObjectMetadata`
* Fix `$block` expression in view's `bs2:RenderRow` mode
* Added icon for `.btn-view`
* Removed the unused `Reserialize` Saxon function (replaced with a pure XSLT function) No-cert client sets `ClientProperties.REQUEST_ENTITY_PROCESSING` to `BUFFERED` as well
* Moved the `ldh:reserialize` function to server-side
* Optimized authorization query
* Auth query optimization
* Take care not to load unnecessary documents over HTTP when the response is an error response
* Fixed `$block-values` expression?
* Separate VCL template for `varnish-end-user`/`varnish-admin`
* Set `mem_limit` on `linkeddatahub` service Set a custom `HttpRequestRetryHandler` lambda on the `ApacheConnector`
* `ldh:ViewQueryLoad` now sets both `$this` and `$about` on the view query
* `$about` in the query gets set to the `@about` of the *parent* block
* Fixed `$select-string` expression
* Fixed var name in `$template-query`
* Attempt to unify `bs2:Row` templates
* Attempt to fix `bs2:Row`
* `$about` param is unused
* Set unique `@about` for blocks loaded from `ldh:template`s
* Fixed `$about` expression
* Set `@id` on blocks from `$block-values`
* Fixed `$id` value
* SNAPSHOT bump
* Updated the `ldh:ChildrenViewContructor` as well as the CLI script to match the new `ldh:View` structure (embedded via `ldh:Object`)
* chmod script
* Made `$title` arg optional in `add-object-block` CLI script
* Fixed `$form-actions` cardinality
* Typo fix
* If there is no block, the chart is rendering the current document
* Don't hide the progress bar when `ldh:Object` finishes loading
* Make sure view and chart rendering hides the row with the block controls
* Fix the `div.span12` expression
* Do not set `z-index`
* Attempt to fix progress bar expression
* Hide progress bar in default `ldh:RenderRow`
* Try to fix XPath
* Attempt to hide the progress bar by adding an override of `ldh:RenderRow` in object.xsl
* Try to fix `@typeof` pattern
* Removed `[@about]` from the chart match pattern in `ldh:RenderRow` mode Block's inner content is always `.row-fluid` Fix all progress bar selectors Attempt to fix the progress bar selector Change `@class` value depending on `$show-row-block-controls` Pass `$show-row-block-controls` client-side Blocks nested within `ldh:Object` do not show their own progress bars Hide progress bar of query blocks Fixed XPath syntax Only ldh:Object can nest blocks Query/chart blocks also get progress bar <div>s
* Debug anchor onclick template match
* XPath fix
* In the `ldh:base-uri` function, make sure to strip the fragment ID from the `location.href` value
* Undo debug output
* Set `mem_limit` on `linkeddatahub` service Set a custom `HttpRequestRetryHandler` lambda on the `ApacheConnector`
* Define `MAX_REQUEST_RETRIES` in the Dockerfile and pass it to `Application::getClient` via context.xsl
* SNAPSHOT bump
* SNAPSHOT bump Web-Client SNAPSHOT bump Removed unused functions
* Fixing HTTP tests to reflect the fact that `application/xhtml+xml` is now the preferred media type for XHTML output
* Fixed `xhtml:DefinitionDescription` RDFa override for language-tagged literals
* Attempt to fix block drag-and-drop by only allowing it on top-level blocks (children of `div[@id = 'content-body']`)
* Drag start fix
* Debug `ondragstart`
* Debug `ixsl:ondragstart`
* Get the top-level block for this block (could be self) and use its URI
* Blocks nested within `ldh:Object` are not draggable
* Debug `ondragstart` block
* `ixsl:ondragstart` refactoring
* `atomgraph/letsencrypt-tomcat` base image bump (now multi-platform!)
* GitHub workflow that builds a multi-platform Docker image and pushes it to Docker Hub
* `atomgraph/fuseki` image bump
* Refactored entrypoint to generate owner and secretary keystore/cert/public key internally (#201)
* fix: modal-form max-height
* Refactored entrypoint to generate SSL keystore/cert/public key The cert setup script is no longer necessary. Using secrets to store passwords.
* Attempt to fix the http-tests workflow using secrets
* http-tests workflow fixes
* Generating server certificate in the http-tests workflow
* Fixed .env arg for server-cert-gen.sh
* Server cert generation fix
* Fix test owner cert mount
* Validate OWNER_URI and SECRETARY_URI
* Debug cert file permissions
* Debug permissions
* Mount owner/secretary datasets
* Debug cert permissions
* Execute webid-uri.sh as sudo
* Run the whole test suite as sudo
* Attempt to fix $JENA_HOME error
* Debug $JENA_HOME
* Set JENA_HOME in GITHUB_ENV
* YAML fix
* Pass $PATH to sudo script
* Mount datasets folder
* Script cleanup
* Removed `-s` flag from `realpath` calls to make them MacOS-compatible
* Unprivileged user Removed `sudo` usage Fixed `$OIDC_REFRESH_TOKENS` volume permission problem
* Debug permissions
* Attempt to fix cert.pem permissions
* Try sudo
* Fix secretary cert permissions
* Removed Mac-specific file
* Debug user
* Debug UID and GID
* Debug GID
* Local user is back to `root`
* Removed `-s` flag from `realpath` calls to make them MacOS-compatible
* Removed IMPORT_KEEPALIVE param
* SNAPSHOT bumped to 5.0.8-SNAPSHOT
* README update
* README update
* Scripts on $PATH (#202)
* Scripts moved to bin and added to PATH
* Fixed script path
* Add bin to $PATH as well
* Debug dir
* Debug dir
* Debug dir
* Use find instead of for
* Fixed ./create-file.sh call
* Fixed put.sh call
* Updated script usage in README
* README update
* Web-Client bump
* Revert "Fixing HTTP tests to reflect the fact that `application/xhtml+xml` is now the preferred media type for XHTML output" This reverts commit 5c4af3d.
* Rate-limited LinkedDataClient (#203)
* Attempt to handle 429 responses by respecting `Retry-After` headers
* Attempt to handle 429 responses in LinkedDataClient using RetryAfterHelper
* Wrap `LinkedDataClient` methods into `RetryAfterHelper`
* Comment
* Comment
* Max retry count support in RetryAfterHelper
* Replaced HEAD requests with PUT If-None-Match: *
* Fixed if/else condition
* SNAPSHOT bump
* Evaluate preconditions as soon as we have the `existingModel`
* Comment
* Simplified pre-condition evaluation
* Fixed `lastModified` NPEs
* HTTP tests for conditional `PUT` requests
* HTTP test fixes
* Web-Client bump Server bump
* Fixed `getVariants()` call
* Use HTMLMediaTypePredicate
* Use getInternalResponse() to evaluate the preconditions
* Override getResponseBuilder
* Fixed test
* New HTTP scripts for conditional requests
* More HTTP tests for conditional requests
* Request access modal form (#204)
* New endpoint that shows agents' ACL authorizations
* Modal access request form
* Reloading access matrix when agent select changes
* RDF/POST inputs in form-request-access
* Access request endpoint
* Moved access endpoints to the admin app
* Fixed authorization request form
* CSS fixes
* Request access form fixes SPARQL endpoint is now read-only accessible for authenticated agents
* Check acl:mode in AuthorizationFilter instead of authQuery
* Access endpoint uses SPARQL query to load document types and injects them into the ACL query
* `AuthorizationFilter` uses new `SERVICE`-less queries and gets `VALUES ?Type` injected All endpoints now have to be described in RDF with types (otherwise empty `VALUES` makes the ACL query return empty result)
* If accessTo document does not exist (has no types), retry PUT authorization with a parent URI
* ACL query fixes
* AuthorizationFilter fixes
* Restored $base binding
* Included nfo:FileDataObject case in the document type query
* Include `ontologies/namespace/` as a special case in ownerAclQuery
* Fixed ACL for the `admin/clear` endpoint
* Only containers allow child documents
* Only root *and* containers allow child documents
* Fixed parent type value
* Aligned HTTP tests with the new `AuthorizationFilter` behavior
* HTTP test fixes
* Cleanup
* Improved Java syntax
* Removed `$Container` bindings
* XSLT cleanup
* Create document owner authorization on the fly `xhtml:Input` and `ldh:parse-rdf-post` fixes
* Check owner of parent document after checking its type
* Extracted common utility functions from `AuthorizationFilter` and the `Access` endpoint
* Moved document type/owner query into the web.xml config
* Access endpoint returns `lacl:OwnerAuthorization` as well
* SNAPSHOT bump Don't show `acl:Control` in the access form
* Added tests for `acl:owner` triples on created documents
* Separated `documentTypeQuery` from `documentOwnerQuery` Some `try/finally` refactoring New HTTP tests for the `Access` endpoint
* chmod test scripts
* Added access endpoint tests
* Refactored `Access` endpoint to use `getEndpointAccessor()`
* Fixed NPE
* Improved Java syntax
* Fixed more NPEs
* `isOwner` improvements
* `documentOwnerQuery` moved to web.xml
* Fixed missing `reset()`
* Removed the inner `try`/`finally`
* Make sure to load document types and owner from the end-user service
* Fixed owner ACL test
* New HTTP test for the `Access` endpoint
* Bump SNAPSHOT version
* Moved test
* Disable empty values in RDF/POST parser again Except for `su` which are relative subject URIs
* Removed debug output from XSLT stylesheets
* Handle empty resource
* `google_client_id`/`google_client_secret` data now as secrets Fixed Properties mode in views
* HTTP test for the `Transform` endpoint Fixed ACL of `<admin/transform>`
* Child documents can be created only if the current document is the Root or a container
* purge_cache
* Fixed multipart form callback Also fixed query error response rendering
* RDFS-specific XSLT import
* New HTTP test for the `Add` endpoint
* Enforce trailing slash with redirect Graph `PUT` method returns `308 Permanent Redirect` with `Location` instead of `422 Unprocessable Entity`
* Fixed HTTP test
* Fixed test runner
* New HTTP tests for relative URIs in `PUT` request body SNAPSHOT bump Server & Web-Client SNAPSHOT bumps
* `xsd:dateTime` literal rendering as `datetime-local` moved to the server-side
* `Graph::put` does not allow double slashes in request URIs Added HTTP test for that as well
* SaxonJS upgraded to 3.x (#206)
* Saxon 2.7 upgraded to 3.0 beta Refactoring named template callbacks as XPath functions
* Fixed command name
* Refactoring named templates as functions
* More named template callbacks converted to functions
* Moved generic HTTP promises to functions.xsl
* Cleanup
* Fixed container CSS in object block fallback case
* New HTTP test for `PUT` with empty request body Increased burst limit for static files
* Fixed status code in test
* Use `ldh:LoadBlockObjectMetadata` only for local resources
* `bs2:FormControl` fix for `datetime-local`
* Improved callback promise composition
* Removed unnecessary `ixsl:http-request` arguments
* Fixed `$classes` in `bs2:Row`
* `$classes` fix in `bs2:Row`
* Document editing form (#207)
* Modal editing form for the document resource
* Hide RDF sequence properties
* Replaced `ldh:LoadEditedResource` and `ldh:LoadTypeMetadata` named templates with functions
* Context map passing Map as the common promise contract allowed to improve their composition
* More promise composition
* XSLT fixes
* Refactored view using promises
* Function cleanup
* View map mode fix
* Refactored error promise functions
* Undone server-side query rendering New `ldh:uri-po-pattern` function
* Custom `WHERE` pattern for the document editing `PATCH` update
* Multipart file upload fix
* Removed unnecessary `use-when`
* More `on-failure` on promises
* Dataset fixes
* Removed secret envs from Dockerfile
* Unified form response callbacks
* New `ldh:RenderViewResults` template
* Render object metadata only if the view's SPARQL endpoint is local
* `$view-container` fix
* CSS fixes Refactored object rendering using promises
* Chart rendering refactored using promises Also `ldh:rdf-document-response`
* Fixed chart creation from query Views have optional titles now
* SNAPSHOT bump
* IXSL refactoring
* Suspended promise tree (#209)
* Refactored chart rendering using "suspended promise tree" approach
* Promise thunk refactoring
* View thunk refactoring
* Object block loading fixed
* Fixed query view mode
* Fixed view navigation
* ldh:view-object-metadata-thunk
* Reverted `ldh:RenderViewResults` changes
* Web-Client bump Server bump
* Fix search bar URI value
* `ldh:href` function fixes
* `ldh:href` invocation fixes
* Downgraded Node.js in frontend-maven-plugin
* Removed child thunks (#211)
* Removing child thunks
* View object-metadata refactoring
* Promise error handling fixes
* SNAPSHOT bump
* Fixed `transform` endpoint access Cleaned up comments in XSLT
* Fixed `201 Created` handling after form submission
* Fixed `$row-form` construction
1 parent 9bafc67 commit 7a94f08

276 files changed

Lines changed: 21269 additions & 18534 deletions


.github/workflows/http-tests.yml

Lines changed: 27 additions & 15 deletions
@@ -7,37 +7,49 @@ jobs:
77
name: Build Docker image and run HTTP test suite against it
88
runs-on: ubuntu-latest
99
env:
10-
ASF_ARCHIVE: http://archive.apache.org/dist/
10+
ASF_ARCHIVE: https://archive.apache.org/dist/
1111
JENA_VERSION: 4.7.0
1212
BASE_URI: https://localhost:4443/
13-
OWNER_CERT_PWD: changeit
14-
SECRETARY_CERT_PWD: LinkedDataHub
1513
steps:
1614
- name: Install Linux packages
1715
run: sudo apt-get update && sudo apt-get install -qq raptor2-utils && sudo apt-get install curl
1816
- name: Download Jena
19-
run: curl -sS --fail "${{env.ASF_ARCHIVE}}jena/binaries/apache-jena-${{env.JENA_VERSION}}.tar.gz" -o "${{runner.temp}}/jena.tar.gz"
17+
run: curl -sS --fail "${{ env.ASF_ARCHIVE }}jena/binaries/apache-jena-${{ env.JENA_VERSION }}.tar.gz" -o "${{ runner.temp }}/jena.tar.gz"
2018
- name: Unpack Jena
2119
run: tar -zxf jena.tar.gz
22-
working-directory: ${{runner.temp}}
23-
- run: echo "$JENA_HOME/bin" >> $GITHUB_PATH
24-
env:
25-
JENA_HOME: "${{runner.temp}}/apache-jena-${{env.JENA_VERSION}}"
20+
working-directory: ${{ runner.temp }}
21+
- name: Set JENA_HOME and update PATH
22+
run: |
23+
echo "${{ runner.temp }}/apache-jena-${{ env.JENA_VERSION }}/bin" >> $GITHUB_PATH
2624
- name: Checkout code
2725
uses: actions/checkout@v3
28-
- name: Generate owner's and secretary's certificates/public keys
29-
run: ../scripts/setup.sh .env ssl "${{env.OWNER_CERT_PWD}}" "${{env.SECRETARY_CERT_PWD}}" 3650
30-
shell: bash
26+
- name: Add bin/ and its subdirectories to PATH
27+
run: |
28+
find "$GITHUB_WORKSPACE/bin" -type d >> "$GITHUB_PATH"
29+
- name: Generating server certificate
30+
run: |
31+
server-cert-gen.sh .env nginx ssl
3132
working-directory: http-tests
33+
- name: Writing secrets to files
34+
run: |
35+
mkdir -p ./secrets
36+
printf "%s" "${{ secrets.HTTP_TEST_OWNER_CERT_PASSWORD }}" > ./secrets/owner_cert_password.txt
37+
printf "%s" "${{ secrets.HTTP_TEST_SECRETARY_CERT_PASSWORD }}" > ./secrets/secretary_cert_password.txt
38+
printf "%s" "${{ secrets.HTTP_TEST_SECRETARY_CERT_PASSWORD }}" > ./secrets/client_truststore_password.txt
39+
shell: bash
3240
- name: Build Docker image & Run Docker containers
33-
run: docker-compose -f docker-compose.yml -f ./http-tests/docker-compose.http-tests.yml --env-file ./http-tests/.env up --build -d
41+
run: docker compose -f docker-compose.yml -f ./http-tests/docker-compose.http-tests.yml --env-file ./http-tests/.env up --build -d
3442
- name: Wait for the server to start...
3543
run: while ! (status=$(curl -k -s -w "%{http_code}\n" https://localhost:4443 -o /dev/null) && echo "$status" && echo "$status" | grep "403") ; do sleep 1 ; done # wait for the webapp to start (returns 403 by default)
44+
- name: Fix certificate permissions on the host
45+
run: |
46+
sudo chmod 644 ./ssl/owner/cert.pem ./ssl/secretary/cert.pem
47+
working-directory: http-tests
3648
- name: Run HTTP test scripts
37-
run: ./run.sh "$PWD/ssl/owner/cert.pem" "${{env.OWNER_CERT_PWD}}" "$PWD/ssl/secretary/cert.pem" "${{env.SECRETARY_CERT_PWD}}"
49+
run: ./run.sh "$PWD/ssl/owner/cert.pem" "${{ secrets.HTTP_TEST_OWNER_CERT_PASSWORD }}" "$PWD/ssl/secretary/cert.pem" "${{ secrets.HTTP_TEST_SECRETARY_CERT_PASSWORD }}"
3850
shell: bash
3951
working-directory: http-tests
4052
- name: Stop Docker containers
41-
run: docker-compose --env-file ./http-tests/.env down
53+
run: docker compose --env-file ./http-tests/.env down
4254
- name: Remove Docker containers
43-
run: docker-compose --env-file ./http-tests/.env rm -f
55+
run: docker compose --env-file ./http-tests/.env rm -f
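Review bot: the step named "Set JENA_HOME and update PATH" only appends the Jena `bin` directory to `$GITHUB_PATH`; nothing in this hunk exports `JENA_HOME`, which the README in this same commit says all of Jena's command line tools rely on, so either rename the step or add `echo "JENA_HOME=${{ runner.temp }}/apache-jena-${{ env.JENA_VERSION }}" >> $GITHUB_ENV` next to the PATH line. Two smaller points: the `printf "%s" "${{ secrets.HTTP_TEST_OWNER_CERT_PASSWORD }}"` lines (and the `run.sh` arguments) splice the secret into the script text before bash parses it, so a password containing a double quote, `$` or backtick breaks the step or changes its meaning; passing the secrets through `env:` and referencing `"$OWNER_CERT_PASSWORD"` avoids that. And `secretary_cert_password.txt` and `client_truststore_password.txt` are both filled from `HTTP_TEST_SECRETARY_CERT_PASSWORD`, which reads like a copy-paste; if the truststore is meant to share the secretary password, a comment saying so would help. Finally, `sudo chmod 644` makes the two `cert.pem` files world-readable; fine on an ephemeral runner, but since the README passes those PEMs to `curl -E cert.pem:password` they appear to carry key material, so `chmod 640` plus group ownership would be the tighter fix.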

.github/workflows/image.yml

Lines changed: 44 additions & 0 deletions
@@ -0,0 +1,44 @@
1+
name: ci
2+
3+
on:
4+
push:
5+
tags:
6+
- '*'
7+
8+
jobs:
9+
docker:
10+
runs-on: ubuntu-latest
11+
steps:
12+
- name: Login to Docker Hub
13+
uses: docker/login-action@v3
14+
with:
15+
username: ${{ vars.DOCKERHUB_USERNAME }}
16+
password: ${{ secrets.DOCKERHUB_TOKEN }}
17+
18+
- name: Set up QEMU
19+
uses: docker/setup-qemu-action@v3
20+
21+
- name: Set up Docker Buildx
22+
uses: docker/setup-buildx-action@v3
23+
24+
- name: Extract version parts
25+
id: version
26+
run: |
27+
VERSION="${{ github.ref_name }}"
28+
MAJOR="${VERSION%%.*}"
29+
MINOR="${VERSION%.*}"
30+
MINOR="${MINOR#*.}"
31+
echo "MAJOR=$MAJOR" >> $GITHUB_ENV
32+
echo "MINOR=$MAJOR.$MINOR" >> $GITHUB_ENV
33+
echo "FULL_VERSION=$VERSION" >> $GITHUB_ENV
34+
35+
- name: Build and push
36+
uses: docker/build-push-action@v6
37+
with:
38+
platforms: linux/amd64,linux/arm64
39+
push: true
40+
tags: |
41+
atomgraph/linkeddatahub:latest
42+
atomgraph/linkeddatahub:${{ env.FULL_VERSION }}
43+
atomgraph/linkeddatahub:${{ env.MINOR }}
44+
atomgraph/linkeddatahub:${{ env.MAJOR }}
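Review bot: the "Extract version parts" script assumes a bare `MAJOR.MINOR.PATCH` tag, but the trigger is `tags: - '*'`, so a tag like `v5.0.8` yields `MAJOR=v5`, a two-part tag like `5.1` yields `MINOR=5.5`, and any tag at all (a test tag, a pre-release) pushes to and overwrites `atomgraph/linkeddatahub:latest`. Narrow the trigger to a version pattern such as `'[0-9]+.[0-9]+.[0-9]+'` or validate `VERSION` in the script and `exit 1` otherwise. On the supply-chain side, `docker/login-action@v3`, `docker/setup-qemu-action@v3`, `docker/setup-buildx-action@v3` and `docker/build-push-action@v6` are pinned to moving major tags; pinning each to a commit SHA (with the version in a trailing comment) makes the build reproducible and resistant to a retagged action. The job also needs no write access to the repository, so a job-level `permissions: contents: read` would limit the default `GITHUB_TOKEN`.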

.gitignore

Lines changed: 6 additions & 1 deletion
@@ -1,10 +1,15 @@
1+
.DS_Store
12
/target
2-
/certs
33
/.env
44
/data
55
/uploads
66
/nb-configuration.xml
77
/node
88
/node_modules
99
/docker-compose.override.yml
10+
/secrets
11+
/datasets
1012
/ssl
13+
/http-tests/ssl
14+
/http-tests/datasets
15+
/http-tests/uploads

Dockerfile

Lines changed: 30 additions & 14 deletions
@@ -1,4 +1,4 @@
1-
FROM maven:3.8.4-openjdk-17 as maven
1+
FROM maven:3.8.4-openjdk-17 AS maven
22

33
# download and extract Jena
44

@@ -22,7 +22,7 @@ RUN mvn -Pstandalone clean install
2222

2323
# ==============================
2424

25-
FROM atomgraph/letsencrypt-tomcat:10.1.4
25+
FROM atomgraph/letsencrypt-tomcat:10.1.34
2626

2727
LABEL maintainer="martynas@atomgraph.com"
2828

@@ -38,10 +38,6 @@ ENV SOURCE_COMMIT=$SOURCE_COMMIT
3838

3939
WORKDIR $CATALINA_HOME
4040

41-
# add XSLT stylesheet that makes changes to ROOT.xml
42-
43-
COPY platform/context.xsl conf/context.xsl
44-
4541
ENV CACHE_MODEL_LOADS=true
4642

4743
ENV STYLESHEET=static/com/atomgraph/linkeddatahub/xsl/bootstrap/2.3.2/layout.xsl
@@ -72,17 +68,26 @@ ENV HTTPS=false
7268

7369
ENV SERVER_CERT=/var/linkeddatahub/ssl/server/server.crt
7470

75-
ENV SECRETARY_CERT=/var/linkeddatahub/ssl/secretary/cert.pem
71+
ENV OWNER_CERT_ALIAS=root-owner
72+
ENV OWNER_KEYSTORE=/var/linkeddatahub/ssl/owner/keystore.p12
73+
ENV OWNER_CERT=/var/linkeddatahub/ssl/owner/cert.pem
74+
ENV OWNER_PUBLIC_KEY=/var/linkeddatahub/ssl/owner/public.pem
75+
ENV OWNER_PRIVATE_KEY=/var/linkeddatahub/ssl/owner/private.key
7676

77-
ENV SECRETARY_CERT_ALIAS=secretary
77+
ENV SECRETARY_COMMON_NAME=LinkedDataHub
78+
ENV SECRETARY_CERT_ALIAS=root-secretary
79+
ENV SECRETARY_KEYSTORE=/var/linkeddatahub/ssl/secretary/keystore.p12
80+
ENV SECRETARY_CERT=/var/linkeddatahub/ssl/secretary/cert.pem
81+
ENV SECRETARY_PUBLIC_KEY=/var/linkeddatahub/ssl/secretary/public.pem
82+
ENV SECRETARY_PRIVATE_KEY=/var/linkeddatahub/ssl/secretary/private.key
7883

7984
ENV CLIENT_KEYSTORE_MOUNT=/var/linkeddatahub/ssl/secretary/keystore.p12
80-
8185
ENV CLIENT_KEYSTORE="$CATALINA_HOME/webapps/ROOT/WEB-INF/keystore.p12"
82-
8386
ENV CLIENT_TRUSTSTORE="$CATALINA_HOME/webapps/ROOT/WEB-INF/client.truststore"
8487

85-
ENV OWNER_PUBLIC_KEY=/var/linkeddatahub/ssl/owner/public.pem
88+
ENV CERT_VALIDITY=3650
89+
90+
ENV SIGN_UP_CERT_VALIDITY=
8691

8792
ENV LOAD_DATASETS=
8893

@@ -102,11 +107,13 @@ ENV MAX_CONN_PER_ROUTE=20
102107

103108
ENV MAX_TOTAL_CONN=40
104109

110+
ENV MAX_REQUEST_RETRIES=3
111+
105112
ENV IMPORT_KEEPALIVE=
106113

107-
ENV GOOGLE_CLIENT_ID=
114+
ENV MAX_IMPORT_THREADS=10
108115

109-
ENV GOOGLE_CLIENT_SECRET=
116+
ENV SERVLET_NAME=
110117

111118
ENV GENERATE_SITEMAP=true
112119

@@ -120,6 +127,14 @@ RUN apt-get update --allow-releaseinfo-change && \
120127
rm -rf webapps/* && \
121128
rm -rf /var/lib/apt/lists/*
122129

130+
# add XSLT stylesheet that makes changes to ROOT.xml
131+
132+
COPY platform/context.xsl /var/linkeddatahub/xsl/context.xsl
133+
134+
# add XSLT stylesheet that makes changes to web.xml
135+
136+
COPY platform/web.xsl /var/linkeddatahub/xsl/web.xsl
137+
123138
# copy entrypoint
124139

125140
COPY platform/entrypoint.sh entrypoint.sh
@@ -172,6 +187,7 @@ ENV PATH="${PATH}:${JENA_HOME}/bin"
172187

173188
RUN useradd --no-log-init -U ldh && \
174189
chown -R ldh:ldh . && \
190+
mkdir -p "$(dirname "$OIDC_REFRESH_TOKENS")" && \
175191
chown -R ldh:ldh /var/linkeddatahub && \
176192
mkdir -p "${UPLOAD_ROOT}/${UPLOAD_CONTAINER_PATH}" && \
177193
chown -R ldh:ldh "$UPLOAD_ROOT" && \
@@ -180,7 +196,7 @@ RUN useradd --no-log-init -U ldh && \
180196

181197
RUN ./import-letsencrypt-stg-roots.sh
182198

183-
HEALTHCHECK --start-period=80s --interval=20s --timeout=10s \
199+
HEALTHCHECK --start-period=80s --retries=5 \
184200
CMD curl -f -I "http://localhost:${HTTP_PORT}/ns" -H "Accept: application/n-triples" || exit 1 # relies on public access to the namespace document
185201

186202
USER ldh
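Review bot: the new `HEALTHCHECK` drops `--interval=20s --timeout=10s` and adds `--retries=5`, so the check now runs on Docker's defaults (30s interval, 30s timeout); if that is intended, a comment stating the resulting budget (80s start period plus up to five 30s probes before the container is marked unhealthy) would save surprises in compose files that wait on health. The probe still depends on public read access to `/ns`, as the existing comment says, so an ACL change that closes the namespace document would flip a working container to unhealthy.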

README.md

Lines changed: 28 additions & 16 deletions
@@ -57,19 +57,23 @@ It takes a few clicks and filling out a form to install the product into your ow
5757
OWNER_STATE_OR_PROVINCE=Denmark
5858
OWNER_COUNTRY_NAME=DK
5959
```
60-
3. Setup SSL certificates/keys by running this from command line (replace `$owner_cert_pwd` and `$secretary_cert_pwd` with your own passwords):
61-
```
62-
./scripts/setup.sh .env ssl $owner_cert_pwd $secretary_cert_pwd 3650
60+
3. Setup server's SSL certificates by running this from command line:
61+
```shell
62+
./scripts/server-cert-gen.sh .env nginx ssl
6363
```
6464
The script will create an `ssl` sub-folder where the SSL certificates and/or public keys will be placed.
6565
4. Launch the application services by running this from command line:
66-
```
66+
```shell
6767
docker-compose up --build
6868
```
6969
It will build LinkedDataHub's Docker image, start its container and mount the following sub-folders:
70+
- `ssl`
71+
* `owner` stores root owner's WebID certificate, keystore, and public key
72+
* `secretary` stores root application's WebID certificate, keystore, and public key
73+
* `server` stores the server's certificate (also used by nginx)
7074
- `data` where the triplestore(s) will persist RDF data
7175
- `uploads` where LDH stores content-hashed file uploads
72-
The first should take around half a minute as datasets are being loaded into triplestores. After a successful startup, the last line of the Docker log should read something like:
76+
It should take up to half a minute as datasets are being loaded into triplestores. After a successful startup, the last line of the Docker log should read something like:
7377
```
7478
linkeddatahub_1 | 09-Feb-2021 14:18:10.536 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [32609] milliseconds
7579
```
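Review bot: step 4 still shows `docker-compose up --build` (the v1 hyphenated CLI) while `.github/workflows/http-tests.yml` in this same commit switches to `docker compose`; the README should use the same form so users on current Docker do not hit a missing `docker-compose` binary. The `ssl` folder description says `owner` and `secretary` hold the "certificate, keystore, and public key", but per the Dockerfile `ENV` in this commit they also hold `private.key`; stating that makes it clear the folder contains secrets and should not be shared or committed.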
@@ -78,7 +82,15 @@ It takes a few clicks and filling out a form to install the product into your ow
7882
- Mozilla Firefox: `Options > Privacy > Security > View Certificates... > Import...`
7983
- Apple Safari: The file is installed directly into the operating system. Open the file and import it using the [Keychain Access](https://support.apple.com/guide/keychain-access/what-is-keychain-access-kyca1083/mac) tool (drag it to the `local` section).
8084
- Microsoft Edge: Does not support certificate management, you need to install the file into Windows. [Read more here](https://social.technet.microsoft.com/Forums/en-US/18301fff-0467-4e41-8dee-4e44823ed5bf/microsoft-edge-browser-and-ssl-certificates?forum=win10itprogeneral).
81-
6. Open **https://localhost:4443/** in that web browser
85+
6. For authenticated API access use the `ssl/owner/cert.pem` HTTPS client certificate.
86+
If you are running Linux with user other than `root`, you might need to fix the certificate permissions because Docker bind mounts are owned by `root` by default. For example:
87+
```shell
88+
sudo setfacl -m u:$(whoami):r ./ssl/owner/*
89+
```
90+
7. Open **https://localhost:4443/** in the web browser or use `curl` for API access, for example:
91+
```shell
92+
curl -k -E ./ssl/owner/cert.pem:<your cert password> -H "Accept: text/turtle" 'https://localhost:4443/'
93+
```
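Review bot: `sudo setfacl -m u:$(whoami):r ./ssl/owner/*` grants read access to everything in the folder, including the keystore and private key, when only `cert.pem` is needed for the `curl -E` call that follows; narrowing it to `./ssl/owner/cert.pem` keeps the grant minimal. In the `curl` example the password given as `-E ./ssl/owner/cert.pem:<your cert password>` lands in shell history and is visible to other local users in the process list, and `-k` turns off server certificate verification; a sentence noting both, and that `-k` is only appropriate for this self-signed `localhost` setup, would help readers who copy the line into scripts.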
8294
8395
### Notes
8496
@@ -87,11 +99,11 @@ It takes a few clicks and filling out a form to install the product into your ow
8799
* If this option does not appear in Chrome (as observed on some MacOS), you can open `chrome://flags/#allow-insecure-localhost`, switch `Allow invalid certificates for resources loaded from localhost` to `Enabled` and restart Chrome
88100
* `.env_sample` and `.env` files might be invisible in MacOS Finder which hides filenames starting with a dot. You should be able to [create it using Terminal](https://stackoverflow.com/questions/5891365/mac-os-x-doesnt-allow-to-name-files-starting-with-a-dot-how-do-i-name-the-hta) however.
89101
* On Linux your user may need to be a member of the `docker` group. Add it using
90-
```
102+
```shell
91103
sudo usermod -aG docker ${USER}
92104
```
93105
and re-login with your user. An alternative, but not recommended, is to run
94-
```
106+
```shell
95107
sudo docker-compose up
96108
```
97109
</details>
@@ -152,7 +164,7 @@ The options are described in more detail in the [configuration documentation](ht
152164
## Reset
153165

154166
If you need to start fresh and wipe the existing setup (e.g. after configuring a new base URI), you can do that using
155-
```
167+
```shell
156168
sudo rm -rf data uploads && docker-compose down -v
157169
```
158170

@@ -169,11 +181,15 @@ _:warning: This will **remove the persisted data and files** as well as Docker v
169181

170182
LinkedDataHub CLI wraps the HTTP API into a set of shell scripts with convenient parameters. The scripts can be used for testing, automation, scheduled execution and such. It is usually much quicker to perform actions using CLI rather than the user interface, as well as easier to reproduce.
171183

172-
The scripts can be found in the [`scripts`](https://github.com/AtomGraph/LinkedDataHub/tree/master/scripts) subfolder.
184+
The scripts can be found in the [`bin`](https://github.com/AtomGraph/LinkedDataHub/tree/master/bin) subfolder. In order to use them, add the `bin` folder and its subfolders to the `$PATH`. For example:
185+
186+
```shell
187+
export PATH="$(find bin -type d -exec realpath {} \; | tr '\n' ':')$PATH"
188+
```
173189

174190
_:warning: The CLI scripts internally use [Jena's CLI commands](https://jena.apache.org/documentation/tools/). Set up the Jena environment before running the scripts._
175191

176-
An environment variable `JENA_HOME` is used by all the command line tools to configure the class path automatically for you. You can set this up as follows:
192+
The environment variable `JENA_HOME` is used by all the command line tools to configure the class path automatically for you. You can set this up as follows:
177193

178194
**On Linux / Mac**
179195

@@ -189,11 +205,7 @@ An environment variable `JENA_HOME` is used by all the command line tools to con
189205

190206
### [Demo apps](https://github.com/AtomGraph/LinkedDataHub-Apps)
191207

192-
These demo applications can be installed into a LinkedDataHub instance using the provided CLI scripts.
193-
194-
_:warning: Before running app installation scripts that use LinkedDataHub's CLI scripts, set the `SCRIPT_ROOT` environmental variable to the [`scripts`](https://github.com/AtomGraph/LinkedDataHub/tree/master/scripts) subfolder of your LinkedDataHub fork or clone._ For example:
195-
196-
export SCRIPT_ROOT="/c/Users/namedgraph/WebRoot/AtomGraph/LinkedDataHub/scripts"
208+
These demo applications can be installed into a LinkedDataHub instance using `make install`. You will need to provide the path to your WebID certificate as well as its password.
197209

198210
## How to get involved
199211
