[pull] main from geoserver:main

.gitignore

@@ -42,3 +42,5 @@ src/release/installer/win/target/
 # spotless up to date checks
 .spotless-index
 
+# Eclipse stuff
+src/web/app/.temp-Start*

doc/en/api/1.0.0/rat.yaml

@@ -101,4 +101,33 @@ paths:
         404:
           description: No PAM dataset found
         400:
-          description: Invalid parameters used (e.g., band or classification not found)
+          description: Invalid parameters used (e.g., band or classification not found)
+  /workspaces/{workspace}/coveragestores/{store}/coverages/{coverage}/pam/reload:
+    post:
+      operationId: reloadPAMDataset
+      summary: Reloads/recomputes the PAM dataset
+      description: The PAM is often cached, this operation forces the source to reload it, eventually recomputing it, if for example it's a mosaic with a summary PAM dataset obtained from all its sources
+      tags:
+        - RasterAttributeTable
+      parameters:
+        - name: workspace
+          in: path
+          description: The name of the workspace
+          required: true
+          type: string
+        - name: store
+          in: path
+          description: The name of the coverage datastore
+          required: true
+          type: string
+        - name: coverage
+          in: path
+          description: The name of the coverage
+          required: true
+          type: string
+      responses:
+        200:
+          description: OK
+        404:
+          description: No PAM dataset found
+

doc/en/developer/source/policies/committing.rst

@@ -8,9 +8,16 @@ Getting commit access
 
 All contributors are asked to provide an assignment agreement for working on the project:
 
-* `corporate_contributor <https://www.osgeo.org/resources/corporate-contributor-license/>`__
 * `individual_contributor <https://www.osgeo.org/resources/individual-contributor-license/>`__
 
+  Individual contributor agreement.
+
+* `corporate_contributor <https://www.osgeo.org/resources/corporate-contributor-license/>`__
+
+  Corporate contributor agreement to authorize employees to work on project. May also be used as a software grant to donate software to the project.
+
+GeoServer is grateful that organizations of all shapes and sizes support our project with in-kind participation of their employees. Extending commit access is made to individuals directly based on their expertise demonstrated over time.
+
 This agreement can be printed, signed, scanned and emailed to `[email protected] <mailto:[email protected]>`_ at Open Source Geospatial Foundation (OSGeo). `OSGeo <http://www.osgeo.org/content/foundation/about.html>`_ is the  non-profit which holds the GeoServer codebase for the community.
 
 The `contribution licenses <http://www.osgeo.org/content/foundation/legal/licenses.html>`_ are used by OSGeo projects seeking to assign copyright directly to the foundation. These licenses are directly derived from the Apache code contribution licenses (CLA V2.0 and CCLA v r190612).
@@ -59,7 +66,7 @@ The process of getting community commit access is as follows:
 Core commit access
 ^^^^^^^^^^^^^^^^^^
 
-The second allows a developer to make commits to the core modules of geoserver.
+The second stage allows a developer to make commits to the core modules of GeoServer.
 Being granted this stage of access takes time, and is obtained only after the
 developer has gained the trust of the other core committers.
 

doc/en/developer/source/policies/community-modules.rst

@@ -163,11 +163,9 @@ Requirements
 
 The following properties must hold true in order to promote a community module:
 
-#. **The module has at least a "handful" of users**
+#. **The module is not site-specific and can be configured for use by the general GeoServer community.**
 
-   In order to avoid cluttering the main code base, only those community 
-   modules which are of interest to at least 3 users (this may include the 
-   maintainer) are promoted.
+   A community module of interest to multiple users would meet this goal; while a community module that has hard-coded a domain name would not.
 
 #. **The module has a designated and active maintainer**
 

doc/en/user/source/community/index.rst

@@ -63,7 +63,6 @@ officially part of the GeoServer releases. They are however built along with the
    opensearch-eo/index
    pgraster/pgraster
    proxy-base-ext/index
-   rat/index
    remote-wps/index
    s3-geotiff/index
    schemaless-features/index

doc/en/user/source/community/jwt-headers/configuration.rst

@@ -156,6 +156,12 @@ For example, a conversion map like `GeoserverAdministrator=ROLE_ADMINISTRATOR` w
 
 In our example, the user has two roles "GeoserverAdministrator" and "GeonetworkAdministrator".  If the "Only allow External Roles that are explicitly named above" is checked, then GeoServer will only see the "ROLE_ADMINISTRATOR" role.  If unchecked, it will see "ROLE_ADMINISTRATOR" and "GeonetworkAdministrator".  In neither case will it see the converted "GeoserverAdministrator" roles.
 
+You can also have multiple GeoServer roles from one external (OIDC) role.  For example, this role conversion:
+
+`GeoserverAdministrator=ROLE_ADMINISTRATOR;GeoserverAdministrator=ADMIN`
+
+Will give users with the OIDC role `GeoserverAdministrator` two GeoServer roles - `ROLE_ADMINISTRATOR` and `ADMIN`.
+
 
 JWT Validation
 ^^^^^^^^^^^^^^

doc/en/user/source/configuration/properties/index.rst

@@ -91,7 +91,7 @@ GeoServer Property Reference
      - x
    * - org.geoserver.catalog.loadingThreads
 
-       Number of treads used to load catalogue (Default 4).
+       Number of threads used to load catalogue (Default 4).
      - x
      - x
      - x
@@ -109,7 +109,7 @@ GeoServer Property Reference
      - x
    * - GEOSERVER_XSTREAM_WHITELIST
 
-       Used to restrict catalogue persistance.
+       Used to restrict catalogue persistence.
      - x
      - x
      - x
@@ -316,20 +316,20 @@ Using ``GEOSERVER_DATA_DIR`` as an example:
 
       -DGEOSERVER_DATA_DIR=/var/lib/geoserver_data
 
-   * For Tomcat on linux edit :file:`setenv.sh` to append additional java system properties:
+   * For Tomcat on Linux edit :file:`setenv.sh` to append additional java system properties:
 
      .. code-block:: bash
 
         # Append system properties
         CATALINA_OPTS="${CATALINA_OPTS} -DGEOSERVER_DATA_DIR=/var/lib/geoserver_data"
 
-   * For Tomcat on windows use :command:`Apache Tomcat Properties` application, navigating to the :guilabel:`Java` tab to edit :guilabel:`Java Options`:
+   * For Tomcat on Windows use :command:`Apache Tomcat Properties` application, navigating to the :guilabel:`Java` tab to edit :guilabel:`Java Options`:
 
      .. code-block:: text
 
         -DGEOSERVER_DATA_DIR=C:\ProgramData\GeoServer\data
 
-   While not commonly used for GEOSERVER_DATA_DIR, this approach is a popular way to enable/disable optional geoserver functionality.
+   While not commonly used for GEOSERVER_DATA_DIR, this approach is a popular way to enable/disable optional GeoServer functionality.
 
 2. Web Application context parameter:
 
@@ -342,11 +342,11 @@ Using ``GEOSERVER_DATA_DIR`` as an example:
                      value="/var/opt/geoserver/data" override="false"/>
         </Context>
 
-     .. note:: Tomcat management of application properties as using ``overide="false"`` is not the most straight forward to understand. This setting prevents parameter defined in :file:`WEB-INF/web.xml` (from the :file:`geoserver.war` ) to overide the provided file location.
+     .. note:: Tomcat management of application properties as using ``override="false"`` is not the most straight forward to understand. This setting prevents parameter defined in :file:`WEB-INF/web.xml` (from the :file:`geoserver.war` ) to override the provided file location.
 
-        Other application servers provide a user inteface to manage web application properties and are more intuitive.
+        Other application servers provide a user interface to manage web application properties and are more intuitive.
 
-   * Not recommended: Hand editing the `webapps/geoservere/WEB-INF/web.xml` file:
+   * Not recommended: Hand editing the `webapps/geoserver/WEB-INF/web.xml` file:
 
      .. code-block:: xml
 
@@ -397,4 +397,4 @@ The HTTP client library respects the following java system properties::
 
 Reference:
 
-* `HttpClientBuilder <https://hc.apache.org/httpcomponents-client-4.5.x/current/httpclient/apidocs/index.html?org/apache/http/impl/client/HttpClientBuilder.html>`__
+* `HttpClientBuilder <https://hc.apache.org/httpcomponents-client-4.5.x/current/httpclient/apidocs/index.html?org/apache/http/impl/client/HttpClientBuilder.html>`__

doc/en/user/source/data/cascaded/wms.rst

@@ -41,6 +41,12 @@ To connect to an external WMS, it is necessary to load it as a new store.  To st
      - If the WMS requires authentication, the user name to connect as.
    * - :guilabel:`Password`
      - If the WMS requires authentication, the password to connect with.
+   * - :guilabel:`HTTP header name`
+     - If the WMS requires a custom HTTP header, the header name.
+   * - :guilabel:`HTTP header value`
+     - If the WMS requires a custom HTTP header, the header value.
+   * - :guilabel:`AuthKey/API key`
+     - If the WMS requires an Authentication key in the querystring, provide a key=value pair.
    * - :guilabel:`Max concurrent connections`
      - The maximum number of persistent connections to keep for this WMS.
 

doc/en/user/source/data/cascaded/wmts.rst

@@ -51,6 +51,8 @@ To connect to an external WMTS, it is necessary to load it as a new store.  To s
      - If the WMTS requires a custom HTTP header, the header name.
    * - :guilabel:`HTTP header value`
      - If the WMTS requires a custom HTTP header, the header value.
+   * - :guilabel:`AuthKey/API key`
+     - If the WMTS requires an Authentication key in the querystring, provide a key=value pair.
    * - :guilabel:`Max concurrent connections`
      - The maximum number of persistent connections to keep for this WMTS.
 

doc/en/user/source/extensions/index.rst

@@ -43,3 +43,4 @@ This section describes most of the extensions available for GeoServer. Other dat
    csw-iso/index
    metadata/index
    iau/index
+   rat/index

doc/en/user/source/community/rat/installing.rst → doc/en/user/source/extensions/rat/installing.rst

@@ -5,7 +5,9 @@ Installing the RAT module
 
 To install the Raster Attribute Table support:
 
-#. Download the **rat** community extension from the appropriate `nightly build <https://build.geoserver.org/geoserver/>`_. The file name is called :file:`geoserver-*-rat-plugin.zip`, where ``*`` matches the version number of GeoServer you are using.
+#. From the :website:`website download <download>` page, locate your release, and download:  :download_extension:`rat`
+
+   .. warning:: Make sure to match the version of the extension to the version of GeoServer.
 
 #. Extract this these files and place the JARs in ``WEB-INF/lib``.
 

doc/en/user/source/gettingstarted/postgis-quickstart/index.rst

@@ -68,6 +68,8 @@ Creating a store
 Once the workspace is created, we are ready to add a new store. The store tells GeoServer how to connect to the database. 
 
 #. Navigate to :menuselection:`Data-->Stores`.
+
+#. Click on ``Add new Store``.
 
 #. You should see a list of stores, including the type of store and the workspace that the store belongs to.
 

doc/en/user/source/production/config.rst

@@ -26,7 +26,7 @@ Suggestions:
 
   This message is be shown to visitors at the top of welcome page. The contact details and organisation information are included in the welcome page, and used to describe each web service in the capabilities documents.
 
-* When setting up a workspace you can provide more more detailed service metadata and contact information.
+* When setting up a workspace you can provide more detailed service metadata and contact information.
 * Serve your data with your own namespace (and provide a correct URI)
 * Remove default layers (such as ``topp:states``)
 
@@ -358,7 +358,7 @@ GeoServer provides a number of facilities to control external entity resolution:
   Access is provided to the proxy base url from global settings.
   Access to local `file` references remains restricted.
 
-* To allow all `http` and `https` entity resolution ise `*` wildcard::
+* To allow all `http` and `https` entity resolution use `*` wildcard::
 
      -DENTITY_RESOLUTION_ALLOWLIST=*
 

src/community/jwt-headers/gs-jwt-headers/src/main/java/org/geoserver/security/jwtheaders/filter/GeoServerJwtHeadersFilterConfig.java

@@ -116,7 +116,12 @@ public SecurityConfig clone(boolean allowEnvParametrization) {
     /** what formats we support for roles in the header. */
     public enum JWTHeaderRoleSource implements RoleSource {
         JSON,
-        JWT;
+        JWT,
+
+        // From: PreAuthenticatedUserNameFilterConfig
+        Header,
+        UserGroupService,
+        RoleService;
 
         @Override
         public boolean equals(RoleSource other) {

src/community/jwt-headers/gs-jwt-headers/src/main/java/org/geoserver/security/jwtheaders/web/JwtHeadersAuthFilterPanel.html

@@ -45,16 +45,21 @@
                 visibilityDiv.style.display = "none";
         }
 
-        // When the page is loaded, we hide  the username "json path" input if its not needed.
-        window.addEventListener('load', function () {
+        function reset() {
             usernameFormatChanged();
             showTokenValidationChanged();
             toggleVisible(document.getElementById('validateTokenSignature'),'validateTokenSignatureURLDiv');
             toggleVisible(document.getElementById('validateTokenAgainstURL'),'validateTokenAgainstURLDiv');
             toggleVisible(document.getElementById('validateTokenAudience'),'validateTokenAudienceDiv');
+        }
 
-
+        // When the page is loaded, we hide  the username "json path" input if its not needed.
+        window.addEventListener('load', function () {
+                reset();
         });
+
+        // when creating a new jwt headers filter, we need to "kick" it.
+        setTimeout(reset,100);
     </script>
 </wicket:head>
 <wicket:extend>

src/community/jwt-headers/jwt-headers-util/pom.xml

@@ -38,7 +38,7 @@
       <groupId>com.nimbusds</groupId>
       <artifactId>nimbus-jose-jwt</artifactId>
       <version>9.37.3</version>
-      <scope>compile</scope>
+      <scope>provided</scope>
     </dependency>
     <dependency>
       <groupId>com.jayway.jsonpath</groupId>

src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/JwtConfiguration.java

@@ -1,7 +1,13 @@
+/* (c) 2024 Open Source Geospatial Foundation - all rights reserved
+ * This code is licensed under the GPL 2.0 license, available at the root
+ * application directory.
+ */
 package org.geoserver.security.jwtheaders;
 
 import java.io.Serializable;
+import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
 public class JwtConfiguration implements Serializable {
@@ -58,8 +64,8 @@ public class JwtConfiguration implements Serializable {
     // convert string of the form:
     // "externalRoleName1=GeoServerRoleName1;externalRoleName2=GeoServerRoleName2"
     // To a Map<String,String>
-    public Map<String, String> getRoleConverterAsMap() {
-        Map<String, String> result = new HashMap<>();
+    public Map<String, List<String>> getRoleConverterAsMap() {
+        Map<String, List<String>> result = new HashMap<>();
 
         if (roleConverterString == null || roleConverterString.isBlank()) return result; // empty
 
@@ -72,7 +78,13 @@ public Map<String, String> getRoleConverterAsMap() {
             String key = goodCharacters(keyValue[0]);
             String val = goodCharacters(keyValue[1]);
             if (key.isBlank() || val.isBlank()) continue;
-            result.put(key, val);
+            if (!result.containsKey(key)) {
+                var list = new ArrayList<String>();
+                list.add(val);
+                result.put(key, list);
+            } else {
+                result.get(key).add(val);
+            }
         }
         return result;
     }

src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/roles/RoleConverter.java

@@ -16,7 +16,7 @@
  */
 public class RoleConverter {
 
-    Map<String, String> conversionMap;
+    Map<String, List<String>> conversionMap;
 
     boolean externalNameMustBeListed;
 
@@ -39,11 +39,11 @@ public List<String> convert(List<String> externalRoles) {
         if (externalRoles == null) return result; // empty
 
         for (String externalRole : externalRoles) {
-            String gsRole = conversionMap.get(externalRole);
+            List<String> gsRole = conversionMap.get(externalRole);
             if (gsRole == null && !externalNameMustBeListed) {
                 result.add(externalRole);
             } else if (gsRole != null) {
-                result.add(gsRole);
+                result.addAll(gsRole);
             }
         }
         return result;

src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/token/TokenValidator.java

@@ -31,6 +31,10 @@ public TokenValidator(JwtConfiguration config) {
 
     public void validate(String accessToken) throws Exception {
 
+        accessToken = accessToken.replaceFirst("^Bearer", "");
+        accessToken = accessToken.replaceFirst("^bearer", "");
+        accessToken = accessToken.trim();
+
         if (!jwtHeadersConfig.isValidateToken()) {
             return;
         }

src/community/jwt-headers/jwt-headers-util/src/main/java/org/geoserver/security/jwtheaders/username/JwtHeaderUserNameExtractor.java

@@ -34,7 +34,12 @@ public static Object getClaim(Map<String, Object> map, String path) {
     // if this is trivial (single item in pathList), return the value.
     // otherwise, go into the map one level (pathList[0]) and recurse on the result.
     private static Object getClaim(Map<String, Object> map, List<String> pathList) {
-        if (pathList.size() == 1) return map.get(pathList.get(0));
+        if (map == null) {
+            return null;
+        }
+        if (pathList.size() == 1) {
+            return map.get(pathList.get(0));
+        }
 
         String first = pathList.get(0);
         pathList.remove(0);

src/community/jwt-headers/jwt-headers-util/src/test/java/org/geoserver/security/jwtheaders/roles/JwtHeadersRolesExtractorTest.java

@@ -39,6 +39,24 @@ public void testSimpleJwt() throws ParseException {
         Assert.assertEquals("GeoserverAdministrator", roles.get(0));
     }
 
+    /**
+     * Test Tokens that start with "Bearer ".
+     *
+     * @throws ParseException
+     */
+    @Test
+    public void testSimpleJwtBearer() throws ParseException {
+        String accessToken =
+                "Bearer eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICItWEdld190TnFwaWRrYTl2QXNJel82WEQtdnJmZDVyMlNWTWkwcWMyR1lNIn0.eyJleHAiOjE3MDcxNTMxNDYsImlhdCI6MTcwNzE1Mjg0NiwiYXV0aF90aW1lIjoxNzA3MTUyNjQ1LCJqdGkiOiJlMzhjY2ZmYy0zMWNjLTQ0NmEtYmU1Yy04MjliNDE0NTkyZmQiLCJpc3MiOiJodHRwczovL2xvZ2luLWxpdmUtZGV2Lmdlb2NhdC5saXZlL3JlYWxtcy9kYXZlLXRlc3QyIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImVhMzNlM2NjLWYwZTEtNDIxOC04OWNiLThkNDhjMjdlZWUzZCIsInR5cCI6IkJlYXJlciIsImF6cCI6ImxpdmUta2V5MiIsIm5vbmNlIjoiQldzc2M3cTBKZ0tHZC1OdFc1QlFhVlROMkhSa25LQmVIY0ZMTHZ5OXpYSSIsInNlc3Npb25fc3RhdGUiOiIxY2FiZmU1NC1lOWU0LTRjMmMtODQwNy03NTZiMjczZmFmZmIiLCJhY3IiOiIwIiwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbImRlZmF1bHQtcm9sZXMtZGF2ZS10ZXN0MiIsIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iXX0sInJlc291cmNlX2FjY2VzcyI6eyJsaXZlLWtleTIiOnsicm9sZXMiOlsiR2Vvc2VydmVyQWRtaW5pc3RyYXRvciJdfSwiYWNjb3VudCI6eyJyb2xlcyI6WyJtYW5hZ2UtYWNjb3VudCIsIm1hbmFnZS1hY2NvdW50LWxpbmtzIiwidmlldy1wcm9maWxlIl19fSwic2NvcGUiOiJvcGVuaWQgcGhvbmUgb2ZmbGluZV9hY2Nlc3MgbWljcm9wcm9maWxlLWp3dCBwcm9maWxlIGFkZHJlc3MgZW1haWwiLCJzaWQiOiIxY2FiZmU1NC1lOWU0LTRjMmMtODQwNy03NTZiMjczZmFmZmIiLCJ1cG4iOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCIsImVtYWlsX3ZlcmlmaWVkIjpmYWxzZSwiYWRkcmVzcyI6e30sIm5hbWUiOiJkYXZpZCBibGFzYnkiLCJncm91cHMiOlsiZGVmYXVsdC1yb2xlcy1kYXZlLXRlc3QyIiwib2ZmbGluZV9hY2Nlc3MiLCJ1bWFfYXV0aG9yaXphdGlvbiJdLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCIsImdpdmVuX25hbWUiOiJkYXZpZCIsImZhbWlseV9uYW1lIjoiYmxhc2J5IiwiZW1haWwiOiJkYXZpZC5ibGFzYnlAZ2VvY2F0Lm5ldCJ9.fHzXd7oISnqWb09ah9wikfP2UOBeiOA3vd_aDg3Bw-xcfv9aD3CWhAK5FUDPYSPyj4whAcknZbUgUzcm0qkaI8V_aS65F3Fug4jt4nC9YPL4zMSJ5an4Dp6jlQ3OQhrKFn4FwaoW61ndMmScsZZWEQyj6gzHnn5cknqySB26tVydT6q57iTO7KQFcXRdbXd6GWIoFGS-ud9XzxQMUdNfYmsDD7e6hoWhe9PJD9Zq4KT6JN13hUU4Dos-Z5SBHjRa6ieHoOe9gqkjKyA1jT1NU42Nqr-mTV-ql22nAoXuplpvOYc5-09-KDDzSDuVKFwLCNMN3ZyRF1wWuydJeU-gOQ";
+
+        List<String> roles =
+                getExtractor(JWT.toString(), "", "resource_access.live-key2.roles")
+                        .getRoles(accessToken).stream()
+                        .collect(Collectors.toList());
+        Assert.assertEquals(1, roles.size());
+        Assert.assertEquals("GeoserverAdministrator", roles.get(0));
+    }
+
     @Test
     public void testSimpleJson() throws ParseException {
         String json =