Merge pull request #11787 from GlobalDataverseCommunityConsortium/Anubis_fix

SignedUrl Fix when using http connector

Author: landreev

doc/release-notes/11787-signed-url-improvement.md

@@ -0,0 +1 @@
+In prior versions of Dataverse, configuring a proxy to forward to Dataverse over an http connection could result in failure of signed Urls (e.g. for external tools). This version of Dataverse supports having a proxy send an X-Forwarded-Proto header set to https to avoid this issue. 

doc/sphinx-guides/source/api/external-tools.rst

@@ -174,6 +174,10 @@ The signed URL mechanism is more secure than exposing API tokens and therefore r
 - For tools invoked via a GET call, Dataverse will include a callback query parameter with a Base64 encoded value. The decoded value is a signed URL that can be called to retrieve a JSON response containing all of the queryParameters and allowedApiCalls specified in the manfiest.
 - For tools invoked via POST, Dataverse will send a JSON body including the requested queryParameters and allowedApiCalls. Dataverse expects the response to the POST to indicate a redirect which Dataverse will use to open the tool.
 
+.. note::
+
+   **For Dataverse site administrators:** When Dataverse is behind a proxy, signed URLs may not work correctly due to protocol mismatches (HTTP vs HTTPS). Please refer to the :ref:`signed-urls-forwarded-proto-header` section to ensure signed URLs work properly in proxy environments.
+
 API Token
 ^^^^^^^^^
 

doc/sphinx-guides/source/installation/config.rst

@@ -94,6 +94,16 @@ First of all, confirm that access is denied! If you are in fact able to access t
 
 Still feel like activating this option in your configuration? - Have fun and be safe!
 
+.. _signed-urls-forwarded-proto-header:
+
+Using X-Forwarded-Proto for Signed URLs
++++++++++++++++++++++++++++++++++++++++
+
+If you use a proxy such as Apache or Nginx, or have a firewall such as Anubis, and they are configured to forward traffic to Dataverse over HTTP
+(i.e. your proxy receives user calls over HTTPS but forwards locally to Dataverse over HTTP), signed URLs, used by external tools and 
+upload apps (such as DVWebloader), are likely to fail unless you configure your proxy to send an X-Forwarded-Proto HTTP Header.
+This allows Dataverse to recognize that the communication from the user was over HTTPS and that validation of signed URLs should assume 
+they started with https:// (rather than http:// as received from the proxy).
 
 .. _PrivacyConsiderations:
 

src/main/java/edu/harvard/iq/dataverse/api/auth/SignedUrlAuthMechanism.java

@@ -16,6 +16,7 @@
 
 import java.net.URLDecoder;
 import java.nio.charset.StandardCharsets;
+import java.util.logging.Logger;
 
 import static edu.harvard.iq.dataverse.util.UrlSignerUtil.SIGNED_URL_TOKEN;
 import static edu.harvard.iq.dataverse.util.UrlSignerUtil.SIGNED_URL_USER;
@@ -33,6 +34,8 @@ public class SignedUrlAuthMechanism implements AuthMechanism {
     @Inject
     protected PrivateUrlServiceBean privateUrlSvc;
 
+    private static final Logger logger = Logger.getLogger(SignedUrlAuthMechanism.class.getCanonicalName());
+
     @Override
     public User findUserFromRequest(ContainerRequestContext containerRequestContext) throws WrappedAuthErrorResponse {
         String signedUrlRequestParameter = getSignedUrlRequestParameter(containerRequestContext);
@@ -72,6 +75,18 @@ private User getAuthenticatedUserFromSignedUrl(ContainerRequestContext container
         }
         if (targetUser != null && userApiToken != null) {
             String signedUrl = URLDecoder.decode(uriInfo.getRequestUri().toString(), StandardCharsets.UTF_8);
+            
+            logger.fine("Original URL: " + containerRequestContext.getUriInfo().getRequestUri().toString());
+            String forwardedProto = containerRequestContext.getHeaderString("X-Forwarded-Proto");
+            logger.fine("X-Forwarded-Proto is: " + forwardedProto);
+            
+
+            if (forwardedProto != null && !forwardedProto.isEmpty()) {
+                if ("https".equalsIgnoreCase(forwardedProto) && signedUrl.toLowerCase().startsWith("http:")) {
+                    signedUrl = "https" + signedUrl.substring(4);
+                }
+            }
+
             String requestMethod = containerRequestContext.getMethod();
             String signedUrlSigningKey = JvmSettings.API_SIGNING_SECRET.lookupOptional().orElse("") + userApiToken.getTokenString();
             boolean isSignedUrlValid = UrlSignerUtil.isValidUrl(signedUrl, userId, requestMethod, signedUrlSigningKey);