Update to GeoServer 2.12

.dockerignore

@@ -0,0 +1 @@
+Dockerfile

Dockerfile

@@ -3,19 +3,16 @@ LABEL maintainer="Tyler Battle <[email protected]>"
 
 # COPY m2 /root/.m2
 COPY geoserver-geonode-ext /geoserver-geonode-ext
-WORKDIR /geoserver-geonode-ext
+WORKDIR /geoserver-geonode-ext/geoserver
 RUN mvn dependency:go-offline
-RUN mvn install -P boundless -DskipTests -Dmaven.gitcommitid.skip=true
+RUN mvn install -DskipTests -Dmaven.gitcommitid.skip=true
 
 COPY ms-gs-plugins /ms-gs-plugins
 WORKDIR /ms-gs-plugins
 RUN mvn dependency:go-offline
 RUN set -ex \
     && mvn install -DskipTests -Dmaven.gitcommitid.skip=true \
-    && cp target/*.jar /geoserver-geonode-ext/target/geoserver/WEB-INF/lib/
-
-# Remove any geofence configuration
-RUN rm -rf target/geoserver/data/security/auth/geofence
+    && cp target/*.jar /geoserver-geonode-ext/geoserver/web-app/target/geoserver/WEB-INF/lib/
 
 
 FROM tomcat:9-jre8 AS runner
@@ -53,7 +50,7 @@ RUN set -ex \
     && rm -rf /var/lib/apt/lists/*
 
 # Install GeoServer WAR
-COPY --from=builder /geoserver-geonode-ext/target/geoserver $WEBAPPS_DIR/geoserver
+COPY --from=builder /geoserver-geonode-ext/geoserver/web-app/target/geoserver $WEBAPPS_DIR/geoserver
 
 RUN mkdir /tmp/mapstory && mkdir /tmp/mapstory/geoserver
 

config.hcl

@@ -10,15 +10,39 @@ template {
   perms = 0644
 }
 
+template {
+  source = "templates/geofence_config.xml.ctmpl"
+  destination = "{{ env "GEOSERVER_DATA_DIR" }}/security/auth/geofence/config.xml"
+  perms = 0644
+}
+
+template {
+  source = "templates/geofence.properties.ctmpl"
+  destination = "{{ env "GEOSERVER_DATA_DIR" }}/geofence/geofence.properties"
+  perms = 0644
+}
+
+template {
+  source = "templates/geofence-server.properties.ctmpl"
+  destination = "{{ env "GEOSERVER_DATA_DIR" }}/geofence/geofence-server.properties"
+  perms = 0644
+}
+
 template {
   source = "templates/geogigconfig.ctmpl"
   destination = "/usr/share/tomcat/.geogigconfig"
   perms = 0644
 }
 
 template {
-  source = "templates/geonodeAuthProvider_config.xml.ctmpl"
-  destination = "{{ env "GEOSERVER_DATA_DIR" }}/security/auth/geonodeAuthProvider/config.xml"
+  source = "templates/geonode-oauth2_config.xml.ctmpl"
+  destination = "{{ env "GEOSERVER_DATA_DIR" }}/security/filter/geonode-oauth2/config.xml"
+  perms = 0644
+}
+
+template {
+  source = "templates/geonodeRESTRoleService_config.xml.ctmpl"
+  destination = "{{ env "GEOSERVER_DATA_DIR" }}/security/role/geonode REST role service/config.xml"
   perms = 0644
 }
 

run.sh

@@ -12,21 +12,22 @@ for secret in /run/secrets/env_*; do
 done
 
 export SESSION_COOKIE_DOMAIN=$PUBLIC_HOST
-export GEOSERVER_PROXY_URL=${PUBLIC_PROTOCOL}://${PUBLIC_HOST}/geoserver/
+export PUBLIC_URL=${PUBLIC_PROTOCOL}://${PUBLIC_HOST}
+export GEOSERVER_PROXY_URL=${PUBLIC_URL}/geoserver/
 
 # If the data directory doesn't exist, copy the one embedded in the WAR.
 [ ! -e $GEOSERVER_DATA_DIR/global.xml ] && cp -r $WEBAPPS_DIR/geoserver/data/* /var/lib/geoserver/data/
 
-# Remove any geofence configuration
-rm -rf $GEOSERVER_DATA_DIR/security/auth/geofence
-
 # Remove the data directory embedded in the WAR.
 rm -rf $WEBAPPS_DIR/geoserver/data
 
 # Copy in the defaults styles.
 mkdir -p $GEOSERVER_DATA_DIR/styles
 cp /tmp/styles/* $GEOSERVER_DATA_DIR/styles/
 
+touch $GEOSERVER_DATA_DIR/geofence/geofence-datasource-ovr.properties
+touch $GEOSERVER_DATA_DIR/geofence/geofence.properties
+
 cd /opt
 # Resolve the template for the config file so that paths are correct
 ./consul-template -template "config.hcl:config-new.hcl" -once

templates/geofence-server.properties.ctmpl

@@ -0,0 +1,24 @@
+### GeoFence Module configuration file
+###
+### GeoServer will read this file at boot time.
+### This file may be automatically regenerated by GeoServer, so any changes beside the property values may be lost.
+
+### GeoFence main configuration
+
+instanceName=default-gs
+servicesUrl=internal:/
+allowRemoteAndInlineLayers=true
+allowDynamicStyles=true
+grantWriteToWorkspacesToAuthenticatedUsers=true
+useRolesToFilter=false
+acceptedRoles=
+
+
+### Cache configuration
+
+cacheSize=500000
+cacheRefresh=6000000
+cacheExpire=6000000
+
+gwc.context.suffix=gwc
+org.geoserver.rest.DefaultUserGroupServiceName=geonode REST role service

templates/geofence.properties.ctmpl

@@ -0,0 +1,2 @@
+gwc.context.suffix=gwc
+org.geoserver.rest.DefaultUserGroupServiceName=geonode REST role service

templates/geofence_config.xml.ctmpl

@@ -0,0 +1,5 @@
+<geofence>
+  <id>-6c153d14:158ced62d5d:-7ff5</id>
+  <name>geofence</name>
+  <className>org.geoserver.geoserver.authentication.auth.GeoFenceAuthenticationProvider</className>
+</geofence>

templates/geonode-oauth2_config.xml.ctmpl

@@ -0,0 +1,32 @@
+<geoNodeOauth2Authentication>
+  <id>-313f4319:15766e137c9:-8000</id>
+  <name>geonode-oauth2</name>
+  <className>org.geoserver.security.oauth2.GeoNodeOAuthAuthenticationFilter</className>
+  <roleSource class="org.geoserver.security.config.PreAuthenticatedUserNameFilterConfig$PreAuthenticatedUserNameRoleSource">RoleService</roleSource>
+  <userGroupServiceName>default</userGroupServiceName>
+  <roleServiceName>geonode REST role service</roleServiceName>
+  <cliendId>{{ env "OAUTH_CLIENT_ID" }}</cliendId>
+  <clientSecret>{{ env "OAUTH_CLIENT_SECRET" }}</clientSecret>
+
+  <!-- GeoNode accessTokenUri -->
+  <accessTokenUri>{{ env "PUBLIC_URL" }}/o/token/</accessTokenUri>
+
+  <!-- GeoNode userAuthorizationUri -->
+  <userAuthorizationUri>{{ env "PUBLIC_URL" }}/o/authorize/</userAuthorizationUri>
+
+  <!-- GeoServer Public URL -->
+  <redirectUri>{{ env "GEOSERVER_PROXY_URL" }}</redirectUri>
+
+  <!-- GeoNode checkTokenEndpointUrl -->
+  <checkTokenEndpointUrl>{{ env "PUBLIC_URL" }}/api/o/v4/tokeninfo/</checkTokenEndpointUrl>
+
+  <!-- GeoNode logoutUri -->
+  <logoutUri>{{ env "PUBLIC_URL" }}/account/logout/</logoutUri>
+
+  <scopes>read,write,groups</scopes>
+  <enableRedirectAuthenticationEntryPoint>false</enableRedirectAuthenticationEntryPoint>
+  <forceAccessTokenUriHttps>false</forceAccessTokenUriHttps>
+  <forceUserAuthorizationUriHttps>false</forceUserAuthorizationUriHttps>
+  <loginEndpoint>/j_spring_oauth2_geonode_login</loginEndpoint>
+  <logoutEndpoint>/j_spring_oauth2_geonode_logout</logoutEndpoint>
+</geoNodeOauth2Authentication>

templates/geonodeRESTRoleService_config.xml.ctmpl

@@ -0,0 +1,15 @@
+<authKeyRESTRoleService>
+  <id>-50305e8:158ced8e2ff:-7ff5</id>
+  <name>geonode REST role service</name>
+  <className>org.geoserver.security.GeoServerRestRoleService</className>
+  <baseUrl>http://django:8000</baseUrl>
+  <rolesRESTEndpoint>/api/roles</rolesRESTEndpoint>
+  <adminRoleRESTEndpoint>/api/adminRole</adminRoleRESTEndpoint>
+  <usersRESTEndpoint>/api/users</usersRESTEndpoint>
+  <rolesJSONPath>$.groups</rolesJSONPath>
+  <adminRoleJSONPath>$.adminRole</adminRoleJSONPath>
+  <usersJSONPath>$.users[0].groups</usersJSONPath>
+  <cacheConcurrencyLevel>0</cacheConcurrencyLevel>
+  <cacheMaximumSize>0</cacheMaximumSize>
+  <cacheExpirationTime>0</cacheExpirationTime>
+</authKeyRESTRoleService>

templates/global.xml.ctmpl

@@ -5,9 +5,7 @@
     <charset>UTF-8</charset>
     <numDecimals>8</numDecimals>
     <onlineResource>http://geoserver.org</onlineResource>
-    <!--
     <proxyBaseUrl>{{ env "GEOSERVER_PROXY_URL" }}</proxyBaseUrl>
-    -->
     <verbose>false</verbose>
     <verboseExceptions>false</verboseExceptions>
     <localWorkspaceIncludesPrefix>false</localWorkspaceIncludesPrefix>

templates/rest.properties.ctmpl

@@ -1,5 +1,3 @@
-/rest/process/batchdownload/download/*;GET=IS_AUTHENTICATED_ANONYMOUSLY
-
 # the following are allowed so that clients have a way to find out if a particular layer is
 # backed by geogig. Ideally, we would like the getCapabilities request include a metadata
 # specifying the geogig endpoint corresponding to a layer so that we don't need the rest endpoint.
@@ -9,9 +7,14 @@
 # allow anyone to edit its data anonymously or logged in. making sure the needed rest endpoints are
 # accessible by ROLE_ANONYMOUS will allow such layer. otherwise, they would still be asked to
 # authenticate on a remote for which they do not have any credentials.
+/rest/process/batchdownload/download/*;GET=IS_AUTHENTICATED_ANONYMOUSLY
 /rest/layers/*;GET=ROLE_ANONYMOUS,IS_AUTHENTICATED_ANONYMOUSLY
 /rest/workspaces/*/datastores/*;GET=ROLE_ANONYMOUS,IS_AUTHENTICATED_ANONYMOUSLY
 /rest/workspaces/*/datastores/*/featuretypes/*;GET=ROLE_ANONYMOUS,IS_AUTHENTICATED_ANONYMOUSLY
+/rest/monitor/*;GET=ROLE_ADMINISTRATOR
+/rest/security/*;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR
+/rest/br/*;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR
+/geofence/rest/*;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR
 
 /geogig/*/repo/manifest;GET=IS_AUTHENTICATED_ANONYMOUSLY
 /geogig/*/repo/**;GET,POST,DELETE,PUT=ROLE_ADMINISTRATOR

templates/security_config.xml.ctmpl

@@ -1,53 +1,66 @@
 <security>
   <roleServiceName>default</roleServiceName>
   <authProviderNames>
-    <string>geonodeAuthProvider</string>
     <string>default</string>
+    <string>geofence</string>
   </authProviderNames>
   <configPasswordEncrypterName>pbePasswordEncoder</configPasswordEncrypterName>
   <encryptingUrlParams>false</encryptingUrlParams>
   <filterChain>
     <filters name="web" class="org.geoserver.security.HtmlLoginFilterChain" interceptorName="interceptor" exceptionTranslationName="exception" path="/web/**,/gwc/rest/web/**,/" disabled="false" allowSessionCreation="true" ssl="false" matchHTTPMethod="false">
-      <filter>geonodeCookieFilter</filter>
-      <filter>basic</filter>
-      <filter>geonodeAnonymousFilter</filter>
+      <filter>geonode-oauth2</filter>
       <filter>rememberme</filter>
       <filter>form</filter>
       <filter>anonymous</filter>
     </filters>
-    <filters name="webLogin" class="org.geoserver.security.ConstantFilterChain" path="/j_spring_security_check,/j_spring_security_check/,/login" disabled="false" allowSessionCreation="true" ssl="false" matchHTTPMethod="false">
+    <filters name="webLogin" class="org.geoserver.security.ConstantFilterChain" path="/j_spring_security_check,/j_spring_security_check/,/j_spring_oauth2_geonode_login,/j_spring_oauth2_geonode_login/" disabled="false" allowSessionCreation="false" ssl="false" matchHTTPMethod="false">
       <filter>form</filter>
     </filters>
-    <filters name="webLogout" class="org.geoserver.security.LogoutFilterChain" path="/j_spring_security_logout,/j_spring_security_logout/,/logout" disabled="false" allowSessionCreation="true" ssl="false" matchHTTPMethod="false">
+    <filters name="webLogout" class="org.geoserver.security.LogoutFilterChain" path="/j_spring_security_logout,/j_spring_security_logout/,/j_spring_oauth2_geonode_logout,/j_spring_oauth2_geonode_logout/" disabled="false" allowSessionCreation="false" ssl="false" matchHTTPMethod="false">
       <filter>formLogout</filter>
     </filters>
     <filters name="geogig" class="org.geoserver.security.ServiceLoginFilterChain" interceptorName="restInterceptor" exceptionTranslationName="exception" path="/geogig**,/geogig/**" disabled="false" allowSessionCreation="false" ssl="false" matchHTTPMethod="false">
-      <filter>geonodeCookieFilter</filter>
       <filter>basic</filter>
-      <filter>geonodeAnonymousFilter</filter>
+      <filter>geonode-oauth2</filter>
       <filter>anonymous</filter>
     </filters>
     <filters name="rest" class="org.geoserver.security.ServiceLoginFilterChain" interceptorName="restInterceptor" exceptionTranslationName="exception" path="/rest/**" disabled="false" allowSessionCreation="false" ssl="false" matchHTTPMethod="false">
-      <filter>geonodeCookieFilter</filter>
       <filter>basic</filter>
-      <filter>geonodeAnonymousFilter</filter>
+      <filter>geonode-oauth2</filter>
       <filter>anonymous</filter>
     </filters>
-    <filters name="gwc" class="org.geoserver.security.ServiceLoginFilterChain" interceptorName="restInterceptor" exceptionTranslationName="exception" path="/gwc/rest/**" disabled="false" allowSessionCreation="false" ssl="false" matchHTTPMethod="false">
-      <filter>geonodeCookieFilter</filter>
+    <filters name="gwc" class="org.geoserver.security.ServiceLoginFilterChain" interceptorName="restInterceptor" exceptionTranslationName="exception" path="/gwc/**" disabled="false" allowSessionCreation="false" ssl="false" matchHTTPMethod="false">
       <filter>basic</filter>
-      <filter>geonodeAnonymousFilter</filter>
+      <filter>geonode-oauth2</filter>
       <filter>anonymous</filter>
     </filters>
     <filters name="default" class="org.geoserver.security.ServiceLoginFilterChain" interceptorName="interceptor" exceptionTranslationName="exception" path="/**" disabled="false" allowSessionCreation="false" ssl="false" matchHTTPMethod="false">
-      <filter>geonodeCookieFilter</filter>
       <filter>basic</filter>
-      <filter>geonodeAnonymousFilter</filter>
+      <filter>geonode-oauth2</filter>
+      <filter>anonymous</filter>
+    </filters>
+    <filters name="geofence-rest" class="org.geoserver.security.ServiceLoginFilterChain" interceptorName="restInterceptor" exceptionTranslationName="exception" path="/geofence/rest/**" disabled="false" allowSessionCreation="false" ssl="false" matchHTTPMethod="false">
+      <filter>basic</filter>
+      <filter>geonode-oauth2</filter>
+      <filter>anonymous</filter>
+    </filters>
+    <filters name="geofence" class="org.geoserver.security.ServiceLoginFilterChain" interceptorName="interceptor" exceptionTranslationName="exception" path="/geofence/**" disabled="false" allowSessionCreation="false" ssl="false" matchHTTPMethod="false">
+      <filter>basic</filter>
+      <filter>geonode-oauth2</filter>
       <filter>anonymous</filter>
     </filters>
   </filterChain>
   <rememberMeService>
     <className>org.geoserver.security.rememberme.GeoServerTokenBasedRememberMeServices</className>
     <key>geoserver</key>
   </rememberMeService>
-</security>
+  <bruteForcePrevention>
+    <enabled>true</enabled>
+    <minDelaySeconds>1</minDelaySeconds>
+    <maxDelaySeconds>5</maxDelaySeconds>
+    <maxBlockedThreads>100</maxBlockedThreads>
+    <whitelistedMasks>
+      <string>127.0.0.1</string>
+    </whitelistedMasks>
+  </bruteForcePrevention>
+</security>