Merge branch 'development'

CMakeLists.txt

@@ -2,9 +2,9 @@ cmake_minimum_required(VERSION 2.8.12)
 
 project(davrods C)
 
-set(IRODSRT_VERSION "4.2.7" CACHE STRING "iRODS client library version")
+set(IRODSRT_VERSION "4.2.8" CACHE STRING "iRODS client library version")
 
-set(DAVRODS_FEATURE     "1.4.2")
+set(DAVRODS_FEATURE     "1.5.0")
 set(DAVRODS_VERSION     "${IRODSRT_VERSION}_${DAVRODS_FEATURE}")
 set(DAVRODS_VERSION_DEB "${IRODSRT_VERSION}-${DAVRODS_FEATURE}")
 
@@ -57,6 +57,7 @@ link_libraries(irods_client)
 
 add_compile_options(-Wall
                     -Wextra
+                    -pedantic
                     -Wno-unused-parameter
                     -Wno-missing-field-initializers
                     -Wno-format # Due to APR/iRODS format specifier oddities.
@@ -84,6 +85,7 @@ set(SOURCES
     src/prop.c
     src/propdb.c
     src/repo.c
+    src/listing.c
     src/lock_local.c
     src/byterange.c)
 
@@ -114,7 +116,7 @@ if(SYSTEM_LOOKS_LIKE STREQUAL "CentOS7")
                         aux/common/listing/README.md
             DESTINATION /etc/httpd/irods/)
 
-    install(FILES       README.md COPYING COPYING.LESSER changelog.txt
+    install(FILES       README.md README.advanced.md COPYING COPYING.LESSER changelog.txt
             DESTINATION /usr/share/doc/davrods-${DAVRODS_VERSION}/)
 
     install(DIRECTORY
@@ -141,7 +143,7 @@ elseif(SYSTEM_LOOKS_LIKE STREQUAL "Debian")
                         aux/common/listing/README.md
             DESTINATION /etc/apache2/irods/)
 
-    install(FILES       README.md COPYING COPYING.LESSER changelog.txt
+    install(FILES       README.md README.advanced.md COPYING COPYING.LESSER changelog.txt
             DESTINATION /usr/share/doc/davrods-${DAVRODS_VERSION}/)
 
     install(DIRECTORY
@@ -173,6 +175,7 @@ if(SYSTEM_LOOKS_LIKE STREQUAL "CentOS7")
 
     set(CPACK_RPM_USER_FILELIST
         "%doc /usr/share/doc/davrods-${DAVRODS_VERSION}/README.md"
+        "%doc /usr/share/doc/davrods-${DAVRODS_VERSION}/README.advanced.md"
         "%doc /usr/share/doc/davrods-${DAVRODS_VERSION}/COPYING"
         "%doc /usr/share/doc/davrods-${DAVRODS_VERSION}/COPYING.LESSER"
         "%doc /usr/share/doc/davrods-${DAVRODS_VERSION}/changelog.txt"

README.advanced.md

@@ -0,0 +1,217 @@
+Advanced Davrods configuration
+==============================
+
+The [vhost templates](./aux/rpm/davrods-vhost.conf) installed by the
+default Davrods distribution provide for most common Davrods use cases.
+Some more interesting configurations are possible using more advanced
+Apache features, detailed in this document.
+
+The examples in this document assume Davrods version `4.2.8_1.5.0` or
+newer.
+
+## Setting per-user Davrods options ##
+
+[Apache expressions](https://httpd.apache.org/docs/2.4/expr.html) can be
+used to set certain Davrods configuration options depending on the HTTP
+Basic auth username, such as the iRODS auth scheme, default resource or
+exposed root.
+
+Below we provide an example of how to accomplish this:
+
+```apache
+<VirtualHost ...>
+  ...
+
+  # Parse the Authorization header for a username.
+  SetEnvIfExpr "req_novary('Authorization') =~ /^Basic +(.*)/"          DAVRODS_BASIC_CREDS64=$1
+  SetEnvIfExpr "unbase64(reqenv('DAVRODS_BASIC_CREDS64')) =~ /(.*:.*)/" DAVRODS_BASIC_CREDS=$1
+  SetEnvIfExpr "reqenv('DAVRODS_BASIC_CREDS') =~ /^([^:]*):/"           DAVRODS_USERNAME=$1
+
+  # Davrods directives in these If blocks override directives/defaults
+  # in the Location block below it, but only if the condition matches.
+
+  <If "reqenv('DAVRODS_USERNAME') =~ /@/">
+    # Use iRODS PAM auth for usernames that look like e-mail addresses.
+    DavrodsAuthScheme Pam
+  </If>
+  <If "reqenv('DAVRODS_USERNAME') == 'rods'">
+    # Expose a higher level collection for user rods.
+    DavrodsExposedRoot /
+  </If>
+  ...
+
+  <Location />
+    # ... enable Davrods etc. ...
+
+    DavrodsAuthScheme  Native
+    DavrodsExposedRoot User
+    ...
+  </Location>
+</VirtualHost>
+```
+
+## Enabling iRODS ticket support ##
+
+Davrods optionally allows using
+[iRODS tickets](https://docs.irods.org/4.2.8/icommands/tickets/)
+to obtain read-only access to collections and data objects.
+In order to make use of this feature, special configuration is needed.
+Since this configuration is relatively complex and very use-case
+dependent, it is not included in the provided
+[vhost templates](aux/deb/davrods-vhost.conf).
+When no such configuration is present, ticket support is completely
+disabled as in previous Davrods versions.
+Note: Davrods does not support using tickets for *write* operations
+(including creating, deleting, moving or copying files).
+
+WebDAV has no concept of tickets, except for an
+[expired IETF draft](https://tools.ietf.org/html/draft-ito-dav-ticket-00)
+that no client implements.
+There are a few possible methods to still fit iRODS tickets in the
+protocol, in a way that is usable for clients:
+
+1. Embedding tickets in query strings (e.g. `?ticket=SECRET` at the end of all URLs)
+2. Sending tickets in a custom HTTP header (e.g. `X-Davrods-Ticket: SECRET`)
+3. Embedding tickets in Basic authentication (e.g. user=ticket, password=SECRET)
+
+Each method has its own advantages and disadvantages, and none of these
+methods work across all WebDAV clients and for every use case.
+
+Davrods makes no assumptions regarding clients and use-cases, and
+therefore it leaves it up to the administrator to configure a chosen
+method, if they wish to use tickets.
+
+The way this works is as follows:
+
+First of all, ticket support must be enabled by setting
+`DavrodsTickets ReadOnly` in the vhost's location block.
+
+Then, using standard Apache config directives such as `SetEnv`, a
+request environment variable `DAVRODS_TICKET` can be set. When Davrods
+reads this variable, it sends the value as a ticket to iRODS.
+
+The tricky part then, is to use only Apache config directives to extract
+the ticket from WebDAV requests. For the three methods described above,
+we provide example code that can be inserted into Davrods vhost
+configuration files.
+
+As shown in the examples below, the configuration directives should be
+placed in the VirtualHost section. They may be combined in a single
+vhost by placing them one after the other.
+
+### Using query strings ###
+
+This method makes for good read-only web browser usability and allows
+linking directly to ticket-accessible locations. HTML Directory listing
+links will have `?ticket=...` appended automatically if a ticket is used
+to access a collection in a web browser.
+
+Regular WebDAV clients are unable to use this method.
+
+```apache
+<VirtualHost ...>
+  ...
+
+  RewriteEngine on
+
+  # If the URL query string contains a ticket, strip it and pass it to Davrods.
+  RewriteCond expr "%{QUERY_STRING} =~ /(?:^|&)ticket=([^&]*)/"
+  RewriteCond expr "unescape($1) =~ /(.+)/"
+  RewriteRule .* - [E=DAVRODS_TICKET:%1,QSD,L]
+
+  <Location />
+    ...
+
+    # Enable tickets, and automatically append '?ticket=...' to links in
+    # web browser directory listings.
+    DavrodsTickets ReadOnly
+    DavrodsHtmlEmitTickets On
+
+    ...
+  </Location>
+</VirtualHost>
+```
+
+### Using a custom HTTP header ###
+
+This is not usable in any commonly used WebDAV client or web browser,
+but may be used by curl and custom clients.
+
+```apache
+<VirtualHost ...>
+  ...
+
+  RewriteEngine on
+
+  # If header X-Davrods-Ticket exists, pass it to Davrods.
+  RewriteCond "%{HTTP:X-Davrods-Ticket}" "(.+)"
+  RewriteRule .* - [E=DAVRODS_TICKET:%1,L]
+
+  <Location />
+    ...
+
+    DavrodsTickets ReadOnly
+
+    ...
+  </Location>
+</VirtualHost>
+```
+
+### Using a special-cased Basic auth username ###
+
+The third method is usable in both WebDAV clients and web browsers, but
+does not allow combining tickets with a regular iRODS username/password.
+It works by switching Davrods to anonymous mode only when a specific
+HTTP Basic auth username (e.g. 'ticket') is used.
+
+This involves some trickery, and will not work for anonymous vhosts (as
+many clients will not send credentials unless prompted to by the HTTP
+server - which means Basic auth needs to be enabled).
+We cannot guarantee to support this method in future versions, but it's
+here if you need it.
+
+```apache
+<VirtualHost ...>
+  ...
+
+  # If HTTP basic auth username is "ticket", override Davrods to use
+  # anonymous mode for this request and use the provided password as a
+  # ticket value.
+  # (below you can replace 'ticket:' with whichever username you prefer,
+  # followed by a colon. e.g. 'anonymous:')
+
+  SetEnvIfExpr "req_novary('Authorization') =~ /^Basic +(.*)/"          DAVRODS_BASIC_CREDS64=$1
+  SetEnvIfExpr "unbase64(reqenv('DAVRODS_BASIC_CREDS64')) =~ /(.*:.*)/" DAVRODS_BASIC_CREDS=$1
+  SetEnvIfExpr "reqenv('DAVRODS_BASIC_CREDS') =~ /^ticket:(.*)/"        DAVRODS_BASIC_TICKET=$1
+  SetEnvIfExpr "reqenv('DAVRODS_BASIC_TICKET') =~ /^(.*)$/"             DAVRODS_TICKET=$1
+
+  <If "-n reqenv('DAVRODS_BASIC_TICKET')">
+    # These settings override settings in the <Location> section below for
+    # the current request, but only if the condition matches (i.e. a client
+    # has submitted a ticket via Basic auth).
+    # This requires Basic auth to be enabled in the Location section
+    # below, as most clients will not send an Authorization header
+    # unless asked to by the HTTP server.
+
+    # Make sure the Authorization header is ignored by Apache,
+    # mod_auth_basic, and Davrods.
+    AuthType None
+    Require  all granted
+    DavrodsAuthScheme Native
+    DavrodsAnonymousMode On
+    DavrodsAnonymousLogin "anonymous" ""
+
+    # If a ticket is submitted via Basic auth, we should not embed it in HTML listings.
+    # (follow-up web browser requests will re-send the ticket via auth anyway)
+    DavrodsHtmlEmitTickets Off
+  </If>
+
+  <Location />
+    ...
+
+    DavrodsTickets ReadOnly
+
+    ...
+  </Location>
+</VirtualHost>
+```

README.md

@@ -10,14 +10,15 @@ protocol, `mod_dav`, for compliance with the WebDAV Class 2 standard.
 
 Notable features include:
 
-- Supports WebDAV Class 2. Locks are local to the Apache server.
-- Supports PAM and Native (a.k.a. STANDARD) iRODS authentication.
-- Supports SSL encryption for the entire iRODS connection.
-- Easy to configure using Apache configuration directives.
-- Supports an anonymous access mode for password-less public access.
-- Supports themeable directory listings for read-only web browser access.
-- Supports partial file up- and downloads and resumes (HTTP byte-ranges)
-- Supports iRODS server versions 4+ and is backwards compatible with 3.3.1.
+- WebDAV Class 2 support, with locks local to the Apache server
+- Connects to iRODS server versions 4+
+- PAM and Native (a.k.a. STANDARD) iRODS authentication
+- Optional negotiated SSL encryption for the entire iRODS connection
+- Configurable using Apache configuration directives
+- Optional anonymous access mode for password-less public access
+- Themeable directory listings for read-only web browser access.
+- Partial file up- and downloads and resumes (HTTP byte-ranges)
+- iRODS ticket-based access
 
 Themeable listings and anonymous access were inspired by Simon Tyrrell's
 [work](https://github.com/billyfish/eirods-dav) at Earlham Institute.
@@ -35,6 +36,7 @@ Please choose the right version for your platform:
 
 | Date        | Davrods ver. | iRODS runtime ver. | Packages                                                                          |
 | ----------- | ------------ | ------------------ | --------------------------------------------------------------------------------- |
+| 2020-06-02  | 1.5.0        | 4.2.8              | [RPM, DEB](https://github.com/UtrechtUniversity/davrods/releases/tag/4.2.8_1.5.0) |
 | 2019-12-20  | 1.4.2        | 4.2.7              | [RPM, DEB](https://github.com/UtrechtUniversity/davrods/releases/tag/4.2.7_1.4.2) |
 | 2019-06-20  | 1.4.2        | 4.2.6              | [RPM, DEB](https://github.com/UtrechtUniversity/davrods/releases/tag/4.2.6_1.4.2) |
 | 2019-04-03  | 1.4.2        | 4.2.5              | [RPM, DEB](https://github.com/UtrechtUniversity/davrods/releases/tag/4.2.5_1.4.2) |
@@ -79,9 +81,9 @@ package using the RPM or DEB file from the
 Download the Davrods package for your platform and install it using your
 package manager, for example:
 
-    yum install davrods-4.2.7_1.4.2-1.rpm
+    yum install davrods-4.2.8_1.5.0-1.rpm
     --or--
-    apt install davrods-4.2.7_1.4.2.deb
+    apt install davrods-4.2.8_1.5.0.deb
 
 Now see the __Configuration__ section for instructions on how to
 configure Davrods once it has been installed.
@@ -145,18 +147,22 @@ The binary distribution installs the `irods_environment.json` file in
 `/etc/httpd/irods`. In most iRODS setups, this file can be used as
 is.
 
-Importantly, the first seven options (from `irods_host` up to and
-including `irods_zone_name`) are **not** read from this file. These
-settings are taken from their equivalent Davrods configuration
-directives in the vhost file instead.
+Importantly, options such as `irods_host` and `irods_zone_name` are
+**not** read from this file (and are omitted for that reason).
+These settings are taken from their equivalent Davrods configuration
+directives in the vhost config file instead.
 
-The options in the provided environment file starting from
-`irods_client_server_negotiation` *do* affect the behaviour of
-Davrods. See the official documentation for help on these settings at:
-https://docs.irods.org/4.2.1/system_overview/configuration/#irodsirods_environmentjson
+Options in `irods_environment.json` that are known to affect Davrods
+behavior are the negotiation, ssl and encryption settings.
 
-For instance, if you want Davrods to connect to iRODS 3.3.1, the
-`irods_client_server_negotiation` option must be set to `"none"`.
+See the official documentation for more information on these settings:
+https://docs.irods.org/4.2.7/system_overview/configuration/#irodsirods_environmentjson
+
+### Ticket-based access ###
+
+Ticket access is disabled by default, and requires special configuration
+to enable, depending on your use case. Please see
+[README.advanced.md](./README.advanced.md) for more information.
 
 ## Building from source ##
 
@@ -269,7 +275,7 @@ page.
 
 ## License ##
 
-Copyright (c) 2016 - 2019, Utrecht University.
+Copyright (c) 2016 - 2020, Utrecht University.
 
 Davrods is licensed under the GNU Lesser General Public License version
 3 or higher (LGPLv3+). See the COPYING.LESSER file for details.

aux/common/irods_environment.json

@@ -1,25 +1,9 @@
 {
-    "irods_host": "localhost",
-    "irods_port": 1247,
-    "irods_default_resource": "",
-    "irods_home": "/tempZone/home/rods",
-    "irods_cwd": "/tempZone/home/rods",
-    "irods_user_name": "rods",
-    "irods_zone_name": "tempZone",
     "irods_client_server_negotiation": "request_server_negotiation",
     "irods_client_server_policy": "CS_NEG_DONT_CARE",
     "irods_encryption_key_size": 32,
     "irods_encryption_salt_size": 8,
     "irods_encryption_num_hash_rounds": 16,
     "irods_encryption_algorithm": "AES-256-CBC",
-    "irods_default_hash_scheme": "SHA256",
-    "irods_match_hash_policy": "compatible",
-    "irods_server_control_plane_port": 1248,
-    "irods_server_control_plane_key": "TEMPORARY__32byte_ctrl_plane_key",
-    "irods_server_control_plane_encryption_num_hash_rounds": 16,
-    "irods_server_control_plane_encryption_algorithm": "AES-256-CBC",
-    "irods_maximum_size_for_single_buffer_in_megabytes": 32,
-    "irods_default_number_of_transfer_threads": 4,
-    "irods_transfer_buffer_size_for_parallel_transfer_in_megabytes": 4,
     "irods_ssl_verify_server": "hostname"
 }

aux/common/listing/README.md

@@ -2,8 +2,8 @@ HTML directory listing files
 ============================
 
 Themed directory listings can be enabled with the vhost configuration
-directives `DavRodsHtmlHead`, `DavRodsHtmlHeader` and
-`DavRodsHtmlFooter`.
+directives `DavrodsHtmlHead`, `DavrodsHtmlHeader` and
+`DavrodsHtmlFooter`.
 
 The HTML files in this directory are provided as an example
 configuration for themed listings. Edit them before use.