Target host fix

VERSION

@@ -1,6 +1,6 @@
 ## deployable containers have a semantic and build tag
 # semantic version tag: major.minor
 # build version tag: timestamp
-VERSION="1.1.7"
+VERSION="1.1.8"
 TAGS="${VERSION} ${VERSION}-$(date -u +"%Y%m%dT%H%M%S")"
 unset VERSION

src/main/java/net/canfar/storage/web/resources/FileItemServerResource.java

@@ -164,7 +164,7 @@ public void download() throws Exception {
     }
 
     void download(final DataNode dataNode) throws Exception {
-        final Subject subject = getCurrentSubject();
+        final Subject subject = getVOSpaceCallingSubject();
         final VOSURI dataNodeVOSURI = toURI(dataNode);
         final AuthMethod authMethod = AuthenticationUtil.getAuthMethodFromCredentials(subject);
         final URL baseURL = lookupDownloadEndpoint(dataNodeVOSURI.getServiceURI(), authMethod);

src/main/java/net/canfar/storage/web/resources/FolderItemServerResource.java

@@ -231,7 +231,7 @@ private void move(final VOSURI source, final VOSURI destination) throws Exceptio
         final Transfer transfer = getTransfer(source, destination);
 
         try {
-            Subject.doAs(getCurrentSubject(),
+            Subject.doAs(getVOSpaceCallingSubject(),
                          (PrivilegedExceptionAction<Void>) () -> {
                              final ClientTransfer clientTransfer = voSpaceClient.createTransfer(transfer);
                              clientTransfer.setMonitor(true);

src/main/java/net/canfar/storage/web/resources/GroupNameServerResource.java

@@ -69,6 +69,10 @@
 
 package net.canfar.storage.web.resources;
 
+import ca.nrc.cadc.auth.AuthMethod;
+import ca.nrc.cadc.reg.Standards;
+import ca.nrc.cadc.reg.client.RegistryClient;
+import java.net.URL;
 import net.canfar.storage.web.config.StorageConfiguration;
 import net.canfar.storage.web.restlet.JSONRepresentation;
 
@@ -102,13 +106,11 @@ public GroupNameServerResource() {
 
     @Get("json")
     public Representation getGroupNames() throws Exception {
-        final Subject voSpaceUser = getCurrentSubject();
-
         return new JSONRepresentation() {
             @Override
             public void write(final JSONWriter writer) throws JSONException {
                 try {
-                    final List<String> groupNames = queryGroupNames(voSpaceUser);
+                    final List<String> groupNames = queryGroupNames();
 
                     Collections.sort(groupNames);
 
@@ -120,13 +122,19 @@ public void write(final JSONWriter writer) throws JSONException {
                     writer.endArray();
                 } catch (PrivilegedActionException e) {
                     throw new JSONException(e.getException());
+                } catch (Exception e) {
+                    // This will likely come from the token store, which the user would not have control over.
+                    throw new RuntimeException(e.getMessage(), e);
                 }
             }
         };
     }
 
-    final List<String> queryGroupNames(final Subject voSpaceUser) throws PrivilegedActionException {
-        return Subject.doAs(voSpaceUser, (PrivilegedExceptionAction<List<String>>) () -> {
+    final List<String> queryGroupNames() throws Exception {
+        final RegistryClient registryClient = getRegistryClient();
+        final URL gmsServiceURL = registryClient.getServiceURL(storageConfiguration.getGMSServiceURI(), Standards.GMS_SEARCH_10, AuthMethod.TOKEN);
+        final Subject gmsCallingSubject = getCallingSubject(gmsServiceURL);
+        return Subject.doAs(gmsCallingSubject, (PrivilegedExceptionAction<List<String>>) () -> {
             if (storageConfiguration.isOIDCConfigured()) {
                 LOGGER.debug("Getting only Group Names that user is a member of.");
                 final IvoaGroupClient ivoaGroupClient = getIvoaGroupClient();

src/main/java/net/canfar/storage/web/resources/PageServerResource.java

@@ -96,7 +96,7 @@ public Representation represent() throws Exception {
                                 : null;
         final Integer pageSize = StringUtil.hasLength(pageSizeParameterValue) ? Integer.parseInt(pageSizeParameterValue)
                                                                               : null;
-        final Subject currentSubject = getCurrentSubject();
+        final Subject currentSubject = getVOSpaceCallingSubject();
 
         return new WriterRepresentation(MediaType.TEXT_CSV) {
             @Override

src/main/java/net/canfar/storage/web/resources/SecureServerResource.java

@@ -73,9 +73,9 @@
 import ca.nrc.cadc.auth.AuthenticationUtil;
 import ca.nrc.cadc.auth.AuthorizationToken;
 import ca.nrc.cadc.auth.AuthorizationTokenPrincipal;
-import ca.nrc.cadc.auth.IdentityManager;
 import ca.nrc.cadc.auth.SSOCookieCredential;
 import ca.nrc.cadc.reg.client.RegistryClient;
+import java.net.URL;
 import net.canfar.storage.web.config.StorageConfiguration;
 import net.canfar.storage.web.config.VOSpaceServiceConfigManager;
 import net.canfar.storage.web.restlet.StorageApplication;
@@ -90,7 +90,6 @@
 import javax.security.auth.Subject;
 import javax.servlet.ServletContext;
 import java.io.IOException;
-import java.net.URI;
 import java.util.Collections;
 import java.util.Map;
 import java.util.NoSuchElementException;
@@ -129,7 +128,7 @@ RegistryClient getRegistryClient() {
         return new RegistryClient();
     }
 
-    Subject getCurrentSubject() throws Exception {
+    Subject getCallingSubject(final URL target) throws Exception {
         final Cookie firstPartyCookie =
                 getRequest().getCookies().getFirst(StorageConfiguration.FIRST_PARTY_COOKIE_NAME);
         final Subject subject = AuthenticationUtil.getCurrentSubject();
@@ -142,9 +141,7 @@ Subject getCurrentSubject() throws Exception {
                                                                             AuthenticationUtil.CHALLENGE_TYPE_BEARER
                                                                             + " " + accessToken));
                 subject.getPublicCredentials().add(
-                        new AuthorizationToken(AuthenticationUtil.CHALLENGE_TYPE_BEARER, accessToken,
-                                               Collections.singletonList(
-                                                       URI.create(getRequest().getResourceRef().toString()).getHost())));
+                        new AuthorizationToken(AuthenticationUtil.CHALLENGE_TYPE_BEARER, accessToken, Collections.singletonList(target.getHost())));
 
                 if (!subject.getPrincipals(AuthorizationTokenPrincipal.class).isEmpty()) {
                     // Ensure it's clean first.
@@ -183,11 +180,6 @@ Subject getCurrentSubject() throws Exception {
         return subject;
     }
 
-    protected String getDisplayName() throws Exception {
-        final IdentityManager identityManager = AuthenticationUtil.getIdentityManager();
-        return identityManager.toDisplayString(getCurrentSubject());
-    }
-
     ServletContext getServletContext() {
         final Map<String, Object> attributes = getApplication().getContext().getAttributes();
         return (ServletContext) attributes.get(StorageApplication.SERVLET_CONTEXT_ATTRIBUTE_KEY);

src/main/java/net/canfar/storage/web/resources/StorageItemServerResource.java

@@ -68,9 +68,12 @@
 
 package net.canfar.storage.web.resources;
 
+import ca.nrc.cadc.auth.AuthenticationUtil;
+import ca.nrc.cadc.auth.IdentityManager;
 import ca.nrc.cadc.auth.NotAuthenticatedException;
 import ca.nrc.cadc.net.RemoteServiceException;
 import ca.nrc.cadc.util.StringUtil;
+import java.net.URL;
 import net.canfar.storage.PathUtils;
 import net.canfar.storage.web.config.StorageConfiguration;
 import net.canfar.storage.web.config.VOSpaceServiceConfigManager;
@@ -399,7 +402,7 @@ private URI resolveLink(final LinkNode linkNode) throws NodeNotFoundException {
      */
     private void setNodeRecursiveSecure(final Node newNode) throws Exception {
         try {
-            Subject.doAs(getCurrentSubject(), (PrivilegedExceptionAction<Void>) () -> {
+            Subject.doAs(getVOSpaceCallingSubject(), (PrivilegedExceptionAction<Void>) () -> {
                 final RecursiveSetNode rj = voSpaceClient.createRecursiveSetNode(toURI(newNode), newNode);
 
                 // Fire & forget is 'false'. 'true' will mean the run job does not return until it's finished.
@@ -459,7 +462,7 @@ void createNode(final Node newNode) throws Exception {
 
     <T> T executeSecurely(final PrivilegedExceptionAction<T> runnable) throws Exception {
         try {
-            return executeSecurely(getCurrentSubject(), runnable);
+            return executeSecurely(getVOSpaceCallingSubject(), runnable);
         } catch (PrivilegedActionException e) {
             throw e.getException();
         }
@@ -473,6 +476,15 @@ <T> T executeSecurely(final Subject subject, final PrivilegedExceptionAction<T>
         }
     }
 
+    String getDisplayName() throws Exception {
+        final IdentityManager identityManager = AuthenticationUtil.getIdentityManager();
+        return identityManager.toDisplayString(getVOSpaceCallingSubject());
+    }
+
+    Subject getVOSpaceCallingSubject() throws Exception {
+        return super.getCallingSubject(new URL(this.voSpaceClient.getBaseURL()));
+    }
+
     @Delete
     public void deleteNode() throws Exception {
         executeSecurely((PrivilegedExceptionAction<Void>) () -> {

src/test/java/net/canfar/storage/web/resources/FileItemServerResourceTest.java

@@ -150,7 +150,7 @@ RegistryClient getRegistryClient() {
             }
 
             @Override
-            Subject getCurrentSubject() {
+            Subject getVOSpaceCallingSubject() {
                 return testUser;
             }
 

src/test/java/net/canfar/storage/web/resources/FolderItemServerResourceTest.java

@@ -131,7 +131,7 @@ VOSURI getCurrentItemURI() {
             }
 
             @Override
-            Subject getCurrentSubject() {
+            Subject getVOSpaceCallingSubject() {
                 return new Subject();
             }
 
@@ -333,7 +333,7 @@ public Context getContext() {
             }
 
             @Override
-            Subject getCurrentSubject() {
+            Subject getVOSpaceCallingSubject() {
                 return new Subject();
             }
 

src/test/java/net/canfar/storage/web/resources/GroupNameServerResourceTest.java

@@ -67,6 +67,7 @@
  */
 package net.canfar.storage.web.resources;
 
+import java.net.URL;
 import net.canfar.storage.web.config.StorageConfiguration;
 import net.canfar.storage.web.restlet.JSONRepresentation;
 import ca.nrc.cadc.reg.client.RegistryClient;
@@ -110,7 +111,7 @@ RegistryClient getRegistryClient() {
             }
 
             @Override
-            Subject getCurrentSubject() {
+            Subject getCallingSubject(final URL target) {
                 return new Subject();
             }
 

src/test/java/net/canfar/storage/web/resources/LinkItemServerResourceTest.java

@@ -126,7 +126,7 @@ RegistryClient getRegistryClient() {
             }
 
             @Override
-            Subject getCurrentSubject() {
+            Subject getVOSpaceCallingSubject() {
                 return new Subject();
             }
 
@@ -197,7 +197,7 @@ RegistryClient getRegistryClient() {
             }
 
             @Override
-            Subject getCurrentSubject() {
+            Subject getVOSpaceCallingSubject() {
                 return new Subject();
             }
 

src/test/java/net/canfar/storage/web/resources/MainPageServerResourceTest.java

@@ -139,7 +139,7 @@ FreeMarkerConfiguration getFreeMarkerConfiguration() {
             }
 
             @Override
-            Subject getCurrentSubject() {
+            Subject getVOSpaceCallingSubject() {
                 return new Subject();
             }