[WIP] JWT Auth integration

classes/Conf/class.xoctConfFormGUI.php

@@ -557,6 +557,15 @@ protected function initGroupsRolesSection(): void
 
     protected function initSecuritySection(): void
     {
+        $strings = (object) [
+            'show' => $this->getLocaleString(PluginConfig::F_JWT_SECURITY_PK . '_show_icon'),
+            'hide' => $this->getLocaleString(PluginConfig::F_JWT_SECURITY_PK . '_hide_icon'),
+            'hidden_element_title' => $this->getLocaleString(PluginConfig::F_JWT_SECURITY_PK . '_hidden_element_title')
+        ];
+        $strings = json_encode($strings);
+        $code = "il.Opencast.Form.passwordToggle.initTextarea('" . PluginConfig::F_JWT_SECURITY_PK . "', '" . $strings . "');";
+        $this->main_tpl->addOnLoadCode($code);
+
         $this->main_tpl->setOnScreenMessage('info', $this->getLocaleString('security_info'), true);
         $h = new ilFormSectionHeaderGUI();
         $h->setTitle($this->getLocaleString('security'));
@@ -658,6 +667,53 @@ protected function initSecuritySection(): void
         );
         $cb->setInfo($this->getLocaleString(PluginConfig::F_PRESIGN_LINKS . '_info'));
         $this->addItem($cb);
+
+        // JWT enabled.
+        $cb = new ilCheckboxInputGUI(
+            $this->getLocaleString(PluginConfig::F_JWT_SECURITY_ENABLED),
+            PluginConfig::F_JWT_SECURITY_ENABLED
+        );
+        $cb->setInfo($this->getLocaleString(PluginConfig::F_JWT_SECURITY_ENABLED . '_info'));
+        $this->addItem($cb);
+
+        // JWT Private Key.
+        $te_cb_sub = new ilTextAreaInputGUI($this->getLocaleString(PluginConfig::F_JWT_SECURITY_PK), PluginConfig::F_JWT_SECURITY_PK);
+        $te_cb_sub->setInfo($this->getLocaleString(PluginConfig::F_JWT_SECURITY_PK . '_info'));
+        $te_cb_sub->setRequired(true);
+        $cb->addSubItem($te_cb_sub);
+
+        //JWT Expiration.
+        $nu_cb_sub = new ilNumberInputGUI($this->getLocaleString(PluginConfig::F_JWT_SECURITY_EXP), PluginConfig::F_JWT_SECURITY_EXP);
+        $nu_cb_sub->setMinValue(1, true);
+        $nu_cb_sub->setValue((string) PluginConfig::getConfig(PluginConfig::F_JWT_SECURITY_EXP) ?? "15");
+        $nu_cb_sub->setInfo($this->getLocaleString(PluginConfig::F_JWT_SECURITY_EXP . '_info'));
+        $cb->addSubItem($nu_cb_sub);
+
+        // JWT Algorithm.
+        $se_cb_sub = new ilSelectInputGUI($this->getLocaleString(PluginConfig::F_JWT_SECURITY_ALG), PluginConfig::F_JWT_SECURITY_ALG);
+        $se_cb_sub->setInfo($this->getLocaleString(PluginConfig::F_JWT_SECURITY_ALG . '_info'));
+        $algorithms = [];
+        foreach (array_keys(\OpencastApi\Auth\JWT\OcJwtHandler::SUPPORTED_ALGORITHMS) as $alg) {
+            $algorithms[$alg] = $alg;
+        }
+        $default = \OpencastApi\Auth\JWT\OcJwtHandler::DEFAULT_ALGORITHM;
+        $se_cb_sub->setOptions($algorithms);
+        $se_cb_sub->setValue(PluginConfig::getConfig(PluginConfig::F_JWT_SECURITY_EXP) ?? $default);
+        $cb->addSubItem($se_cb_sub);
+
+        // JWT Studio Roles.
+        $te_studio_cb_sub = new ilTextInputGUI($this->getLocaleString('jwt_security_studio_roles'), PluginConfig::F_JWT_SECURITY_STUDIO_ROLES);
+        $te_studio_cb_sub->setInfo($this->getLocaleString('jwt_security_studio_roles_info'));
+        $te_studio_cb_sub->setMulti(true);
+        $te_studio_cb_sub->setInlineStyle('min-width:250px');
+        $cb->addSubItem($te_studio_cb_sub);
+
+        // JWT Editor Roles.
+        $te_editor_cb_sub = new ilTextInputGUI($this->getLocaleString('jwt_security_editor_roles'), PluginConfig::F_JWT_SECURITY_EDITOR_ROLES);
+        $te_editor_cb_sub->setInfo($this->getLocaleString('jwt_security_editor_roles_info'));
+        $te_editor_cb_sub->setMulti(true);
+        $te_editor_cb_sub->setInlineStyle('min-width:250px');
+        $cb->addSubItem($te_editor_cb_sub);
     }
 
     protected function initAdvancedSection(): void

classes/Event/class.xoctEventGUI.php

@@ -7,6 +7,7 @@
 use ILIAS\DI\Container;
 use ILIAS\UI\Component\Input\Field\UploadHandler;
 use ILIAS\UI\Renderer;
+use srag\Plugins\Opencast\API\OpencastAPI;
 use srag\Plugins\Opencast\Model\ACL\ACLUtils;
 use srag\Plugins\Opencast\Model\Config\PluginConfig;
 use srag\Plugins\Opencast\Model\Event\Event;
@@ -893,7 +894,20 @@ public function opencaststudio(): void
         // Append the query string to the studio link.
         $studio_link .= '?' . $combined_query_string;
 
-        $this->ctrl->redirectToURL($studio_link);
+        if (empty(PluginConfig::getConfig(PluginConfig::F_JWT_SECURITY_ENABLED))) {
+            $this->ctrl->redirectToURL($studio_link);
+            return;
+        }
+
+        $encoded_studio_link = $base . '/studio?' . http_build_query($query_params);
+
+        $redirect_url = $base . '/redirect/get';
+        $jwt = $this->api->issueExternalServicesJwtFor(OpencastAPI::JWT_SERVICE_STUDIO);
+        $temp = $this->plugin->getTemplate('default/tpl.jwt_redirect.html', false, false);
+        $temp->setVariable('ACTION', $redirect_url);
+        $temp->setVariable('JWT', $jwt);
+        $temp->setVariable('TARGET_URL', $encoded_studio_link);
+        $this->main_tpl->setContent($temp->get());
     }
 
 
@@ -912,7 +926,20 @@ public function cut(): void
 
         // redirect
         $cutting_link = $event->publications()->getCuttingLink();
-        $this->ctrl->redirectToURL($cutting_link);
+
+        if (empty(PluginConfig::getConfig(PluginConfig::F_JWT_SECURITY_ENABLED))) {
+            $this->ctrl->redirectToURL($cutting_link);
+            return;
+        }
+
+        $base = rtrim((string) PluginConfig::getConfig(PluginConfig::F_API_BASE), "/");
+        $redirect_url = str_replace('/api', '/redirect/get', $base);
+        $jwt = $this->api->issueExternalServicesJwtFor(OpencastAPI::JWT_SERVICE_EDITOR);
+        $temp = $this->plugin->getTemplate('default/tpl.jwt_redirect.html', false, false);
+        $temp->setVariable('ACTION', $redirect_url);
+        $temp->setVariable('JWT', $jwt);
+        $temp->setVariable('TARGET_URL', $cutting_link);
+        $this->main_tpl->setContent($temp->get());
     }
 
     private function retrieveQuery(string $q): ?string

classes/class.xoctException.php

@@ -16,6 +16,7 @@ class xoctException extends Exception
     public const NO_USER_MAPPING = 40;
     public const INTERNAL_ERROR = 50;
     public const NO_STREAMING_DATA = 60;
+    public const JWT_TOKEN_ISSUE_FAILED = 70;
     public const API_CALL_STATUS_500 = 500;
     public const API_CALL_STATUS_403 = 403;
     public const API_CALL_STATUS_404 = 404;
@@ -38,6 +39,7 @@ class xoctException extends Exception
         self::API_CALL_BAD_CREDENTIALS => 'The OpenCast-Server cannot be accessed at the moment.',
         self::INTERNAL_ERROR => 'A plugin-internal error occured.',
         self::NO_STREAMING_DATA => 'No streaming data found.',
+        self::JWT_TOKEN_ISSUE_FAILED => 'Opencast JWT: An error occurred while generating token',
     ];
 
     /**

classes/class.xoctSecureLink.php

@@ -24,6 +24,10 @@ class xoctSecureLink
      */
     protected static function sign(string $url, ?string $valid_until = null, ?bool $restict_ip = false)
     {
+        // JWT takes precedence.
+        if (!empty(PluginConfig::getConfig(PluginConfig::F_JWT_SECURITY_ENABLED))) {
+            return $url;
+        }
         $opencastContainer = Init::init();
         if (str_contains((string) $url, 'policy=') && str_contains((string) $url, 'signature=')) {
             // already signed, e.g. when presigning is active

composer.json

@@ -19,7 +19,7 @@
   "require": {
     "php": ">=8.1 <8.3",
     "ext-dom": "*",
-    "elan-ev/opencast-api": "1.9.0"
+    "elan-ev/opencast-api": "2.0.0"
   },
   "autoload": {
     "exclude-from-classmap": ["vendor/guzzlehttp/", "vendor/ralouphie/", "vendor/psr/http-message", "vendor/psr/http-factory", "vendor/psr/http-client"],