Refer to X.509 for API credentials, not (x|X)509

- it's more technically correct, the best kind of correct
- brings API credentials in line with other (#294) around
  user credentials and account linking
- this does "break" API access for existing credentials (until
  they next get edited), so we should release it:
  - after #260
  - maybe after #294
  - at the same as #284, as users will have to edit API
    credentials anyway

INSTALL.md

@@ -22,7 +22,7 @@ This file is best viewed using a browser-plugin for markdown `.md` files.
 
 * [Apache Http](#apache-and-x509-host-cert)
   * Version 2.2 or higher with `mod_ssl` module
-  * X509 host certificate.
+  * X.509 host certificate.
 
 * [Database server](#database-server)
   * Oracle 11g+ or MariaDB/MySQL
@@ -108,7 +108,7 @@ update your php.ini by adding `extension=[php_]timezonedb.so|dll` (note, Win pre
 * All dates are stored as UTC in the DB and converted from local timezones.
 * Do not forget to configure your timezone settings correctly.
 
-### Apache and x509 Host cert <a id="apache"></a>
+### Apache and X.509 Host cert <a id="apache"></a>
 
 A sample Apache config file is provided `config/gocdbssl.conf`. This file
 defines a sample apache virtual host for serving your GocDB portal, including URL mappings/aliases and SSL settings.
@@ -557,7 +557,7 @@ and editing which URL page mappings use the `rejectIfNotAuthenticated()` invocat
 ### Authentication
 
 Authentication is handled by the `lib/Authentication` package, and is configured
-for x509 client certificate authentication by default. Different authentication
+for X.509 client certificate authentication by default. Different authentication
 schemes can be configured using the abstractions in this package such as SAML2
 for integration with Federated Identity Management.
 See `lib/Authentication/README.md` for details.

config/gocdb_schema.xml

@@ -604,7 +604,7 @@
         <field>
             <fname>TYPE</fname>
             <length>255</length>
-            <regex>/^(X509|OIDC Subject)$/</regex>
+            <regex>/^(X.509|OIDC Subject)$/</regex>
         </field>
 		<field>
 			<fname>ALLOW_WRITE</fname>

htdocs/PI/index.php

@@ -390,7 +390,7 @@ function authByCert() {
             // Check if it is registered API Authentication credential.
 
             $authEntServ = \Factory::getAPIAuthenticationService();
-            $authEnt = $authEntServ->getAPIAuthentication($this->dn, "X509");
+            $authEnt = $authEntServ->getAPIAuthentication($this->dn, "X.509");
 
             if (!is_null($authEnt)) {
                 $authEntServ->updateLastUseTime($authEnt);

htdocs/PI/write/PIWriteRequest.php

@@ -118,7 +118,7 @@ public function __construct() {
    * @param  string $requestUrl url used to access API, only the last section
    * @param  string|null $requestContents contents of the request (JSON String or null)
    * @param  Site $siteService Site Service
-   * @param array ('userIdentifier'=><Identifier of user>,'userIdentifierType'=><Type of identifier e.g. X509>)
+   * @param array ('userIdentifier'=><Identifier of user>,'userIdentifierType'=><Type of identifier e.g. X.509>)
    * @return array ('httpResponseCode'=><code>,'returnObject'=><object to return to user>)
    */
   public function processRequest($method, $requestUrl, $requestContents, Site $siteService, $authArray) {
@@ -620,10 +620,10 @@ private function setAuthInfo($authArray) {
    */
   private function checkUserAuthenticated () {
     if (empty($this->userIdentifier)) {
-      #yes 403 - 401 is not appropriate for X509 authentication
+      #yes 403 - 401 is not appropriate for X.509 authentication
       $this->exceptionWithResponseCode(403,
         "You need to be authenticated to access this resource. " .
-        "Please provide a valid IGTF X509 Certificate"
+        "Please provide a valid IGTF X.509 Certificate"
       );
     }
   }
@@ -632,7 +632,7 @@ private function checkAuthorisation (Site $siteService, \Site $site, $identifier
     try {
       $siteService->checkAuthorisedAPIIdentifier($site, $identifier, $indentifierType);
     } catch (\Exception $e) {
-      #yes 403 - 401 is not appropriate for X509 authentication
+      #yes 403 - 401 is not appropriate for X.509 authentication
       $this->httpResponseCode = 403;
       throw $e;
     }

htdocs/PI/write/utils.php

@@ -52,7 +52,7 @@ function returnJsonWriteAPIResult ($httpResponseCode, $object) {
 function getAuthenticationInfo () {
   require_once __DIR__ . '/../../web_portal/components/Get_User_Principle.php';
   #Check if associated cert/token is set to define identifier type
-  if(isset($_SERVER['SSL_CLIENT_CERT'])){$identifierType = 'X509';}
+  if(isset($_SERVER['SSL_CLIENT_CERT'])){$identifierType = 'X.509';}
   if(isset($_SERVER['OIDC_access_token'])){$identifierType = 'OIDC Subject';}
 
   #This will return null if no cert is presented

htdocs/web_portal/components/Get_User_Principle.php

@@ -4,7 +4,7 @@
  * File: Get_User_Principle.php
  * Author: David Meredith
  * Description: Returns the user's principle ID string or AuthToken for the user that's currently
- *				connected (for x509 this is a DN).
+ *				connected (for X.509 this is a DN).
  *
  * License information
  *
@@ -137,7 +137,7 @@ function Get_User_AuthType() {
 }
 
 /**
- * Get the user's principle string (x509 DN from certificate or from SAML attribute).
+ * Get the user's principle string (X.509 DN from certificate or from SAML attribute).
  * <p>
  * Called from the portal to allow authentication.
  * This method serves as the global integration point for all authentication requests.
@@ -204,7 +204,7 @@ function Get_User_Principle(){
 }
 
 /**
- * Get the DN from an x509 cert, Principle from oidc token, or null if neither can be loaded.
+ * Get the DN from an X.509 cert, Principle from oidc token, or null if neither can be loaded.
  * Called from the PI to authenticate requests using certificates or oidc.
  * @return string or null if can't authenticate request
  */

htdocs/web_portal/controllers/site/add_api_auth.php

@@ -58,7 +58,7 @@ function draw(\User $user = null, \Site $site = null) {
 
     $params['site'] = $site;
     $params['authTypes'] = array();
-    $params['authTypes'][]='X509';
+    $params['authTypes'][]='X.509';
     $params['authTypes'][]='OIDC Subject';
     $params['user'] = $user;
     $params['allowWrite'] = false;

htdocs/web_portal/controllers/site/edit_api_auth.php

@@ -66,7 +66,7 @@ function draw(\User $user = null, \APIAuthentication $authEnt = null, \Site $sit
     $params['site'] = $site;
     $params['authEnt'] = $authEnt;
     $params['authTypes'] = array();
-    $params['authTypes'][]='X509';
+    $params['authTypes'][]='X.509';
     $params['authTypes'][]='OIDC Subject';
     $params['user'] = $user;
 

lib/Authentication/AuthProviders/GOCDBAuthProvider.php

@@ -77,7 +77,7 @@ private function authenticateAgainstDB($auth){
         // between the returned $userDetails object and the given $auth token.
         // Note, getPassword() never returns null, even for auth mechanisms that
         // don't use a password in which case an empty string is returned. This
-        // allows the same auth logic across different mechanisms (e.g. x509).
+        // allows the same auth logic across different mechanisms (e.g. X.509).
         if($userDetails->getUsername() == $auth->getPrinciple() &&
                 $userDetails->getPassword() == $auth->getCredentials()){
 

lib/Authentication/AuthTokens/X509AuthenticationToken.php

@@ -7,7 +7,7 @@
 //use Monolog\Handler\StreamHandler;
 
 /**
- * An implementation of <code>IAuthentication</code> for use with X509 certificates.
+ * An implementation of <code>IAuthentication</code> for use with X.509 certificates.
  *
  * @see IAuthentication
  * @author David Meredith
@@ -45,18 +45,18 @@ public static function isPreAuthenticating() {
 
     /**
      * {@see IAuthentication::getCredentials()}
-     * @return string An empty string as passwords are not used in X509.
+     * @return string An empty string as passwords are not used in X.509.
      */
     public function getCredentials() {
         return "";
     }
 
     /**
      * {@see IAuthentication::eraseCredentials()}
-     * Does nothing, passwords not ussed in X509.
+     * Does nothing, passwords not ussed in X.509.
      */
     public function eraseCredentials() {
-        // do nothing, password not used for X509
+        // do nothing, password not used for X.509
     }
 
     /**
@@ -153,4 +153,3 @@ public function setAuthorities($authorities) {
 
 
 }
-

lib/Authentication/IAuthentication.php

@@ -33,7 +33,7 @@ public static function isStateless();
      * resolution process for automatic submission to
      * <code>AuthenticationManager.authenticate(Authentication)</code>.
      * <p>
-     * X509 is an example of a pre-authentication token - the server establishes
+     * X.509 is an example of a pre-authentication token - the server establishes
      * that the user has provided a valid and trustworthy certificate before
      * reaching the underlying app (which means the token can be automatically
      * created during token resolution and authenticated).
@@ -50,7 +50,7 @@ public static function isPreAuthenticating();
      * The identity of the principal being authenticated.
      * Note, this will vary according to differet authentication mechansisms.
      * In the case of an authentication request (<code>IAuthenticationManager.authentication($authToken)</code>)
-     * with username and password, this would be the username. For X509
+     * with username and password, this would be the username. For X.509
      * it would be the certificate DN. Callers are expected to populate the
      * principal for an authentication request (<code>IAuthenticationManager.authentication($authToken)</code>).
      * <p>
@@ -65,7 +65,7 @@ public function getPrinciple();
 
     /**
      * Get current principal's credentials (usually a password). Never null. When a password is not
-     * used for the chosen auth scheme (e.g. X509), return an empty string.
+     * used for the chosen auth scheme (e.g. X.509), return an empty string.
      * @return object never null
      */
     public function getCredentials();
@@ -113,7 +113,7 @@ public function setAuthorities($authorities);
     * Implementations MUST throw an AuthenticationException if the token's internal state becomes
     * invalid due to whatever change (required since instances are mutable).
     * <p>
-    * For example, in the case of a cached x509 token, the client may freely change
+    * For example, in the case of a cached X.509 token, the client may freely change
     * their certificate in their browser by clearing the browser ssl
     * cache and refreshing the page. In this case, the DN may change from the
     * initial DN used when constructing the token.

lib/Authentication/IUserDetailsService.php

@@ -12,7 +12,7 @@ interface IUserDetailsService {
     /**
      * Locates the user based on the given username string.
      * The username string must uniquely identify the user (its format can differ
-     * depending on the authentication mechanism e.g. could be a DN string for x509).
+     * depending on the authentication mechanism e.g. could be a DN string for X.509).
      *
      * @param string $username the user string identifying the user whose data is required.
      * @return IUserDetails implementation (never <code>null</code>)