CRUDPAQ

Maybe you noticed that Matt has been building a foundation for common ForgeRock REST APIs. What makes the APIs common is that they all let you do the same seven kinds of operations.

1. Create: Add a resource that does not yet exist
2. Read: Retrieve a single resource
3. Update: Replace an existing resource
4. Delete: Remove an existing resource
5. Patch: Modify part of an existing resource
6. Action: Perform a predefined action
7. Query: List a set of resources

When you hear someone from ForgeRock talking about CRUDPAQ, there’s nothing dirty involved. Just a mnemonic device.

(Note: In practice, action operations depend on the resource server, so actions might differ from server to server. Also, some bits of work remain. For example, patch is still to be finished as of this writing.)

Matt put together a JSON Resource Java library. With that he built a JSON Resource Servlet, which implements an in-memory store for your resources. (See the project page for instructions on getting JSON Resource Servlet up and running.) JSON Resource Servlet provides a simple example of how these common REST APIs are likely to look and feel.

Matt included two endpoints by default, /users and /groups. Objects in this version do not have schema, so you can add whatever you like. I’ve played with arrays of SCIM-like users and groups based on the traditional example data we use in the directory server world.

The advantage of this is that it’s all language independent. Take your pick.

After getting a rise out of Jake’s cool work, especially on the OpenIDM UI, I felt it was high time to learn some JavaScript.

Even with my beginner’s confusion about JavaScript, it did not take long to write CRUD and Q functions for use in building a web page. (Creating a page that doesn’t look like I pulled it out of a time capsule from 1996 is a different story, however. My stance with respect to modern web development is 2nd or 3rd order ignorance, depending on the topic.) There are slicker ways to do this, but as you can see, it is not hard to…

Create a resource from an object and a resource URI (ending in the resource ID like /users/bjensen, or more likely /users/e7fa64c0-70dc-47fb-b102-7106ee480421):

function create(object, uri) {
    var xhr = new XMLHttpRequest();
    xhr.open('PUT', uri, false);
    xhr.setRequestHeader("Content-Type", "application/json");
    xhr.setRequestHeader("If-None-Match", "*");
    xhr.send(JSON.stringify(object));
    return xhr.responseText;
}

Read a resource, optionally limiting the resource fields in the response (check the response field “_id” for the resource ID):

function read(uri, fields) {
    fields = (typeof fields === "undefined") ? [] : fields;

    var args = "";
    if (fields.length > 0) {
        args = "?_fields=" + fields[0];
        for (var i = 1; i < fields.length; i++) {
            args = args + "," + fields[i];
        }
    }
    uri = uri + args;

    var xhr = new XMLHttpRequest();
    xhr.open('GET', uri, false);
    xhr.send("");
    return xhr.responseText;
}

Update a resource, for which you need the revision (check the resource “_rev” field):

function update(object, revision, uri) {
    var xhr = new XMLHttpRequest();
    xhr.open('PUT', uri, false);
    xhr.setRequestHeader("Content-Type", "application/json");
    xhr.setRequestHeader("If-Match", revision);
    xhr.send(JSON.stringify(object));
    return xhr.responseText;
}

Delete a resource:

function remove(uri) { // delete is a keyword
    var xhr = new XMLHttpRequest();
    xhr.open('DELETE', uri, false);
    xhr.setRequestHeader("Content-Type", "application/json");
    xhr.send("");
    return xhr.responseText;
}

Query resources. Query lets you do a lot more than this example (filters, sorting, paging, … Scroll down the JSON Resource Servlet page to the section on Querying/listing resources). This one just lists resources. Here containerUri is /users, or /groups:

function queryObjects(containerUri, fields) {
    fields = (typeof fields === "undefined") ? [] : fields;

    var query = containerUri + "?_filter=true";
    var args = "";
    if (fields.length > 0) {
        args = "&_fields=" + fields[0];
        for (var i = 1; i < fields.length; i++) {
            args = args + "," + fields[i];
        }
        query = query + args;
    }

    var xhr = new XMLHttpRequest();
    xhr.open('GET', query, false);
    xhr.send("");

    var allObjects = [];
    if (xhr.status === 200) { // OK
        allObjects = JSON.parse(xhr.responseText);
        if (allObjects.result.length > 0) {
            allObjects = allObjects.result;
        } else {
            allObjects = [];
        }
    }
    return allObjects;
}

Not shown here are actions. The JSON Resource Servlet for example lets you create a resource and let the servlet create the ID. (Hint: Use a POST with ?_action=create to the container URI.)

As you can see, the basic operations are fairly easy to use.

By the way, not all ForgeRock REST APIs will look like this. The REST API for OAuth 2.0 in OpenAM will not, for example, because that API is already clearly defined at the IETF. But there’s a good chance that many APIs will follow this pattern.

forgerock-doc-maven-plugin 1.1.0 released

It’s always satisfying to release something, even if you’re just scratching your own itch. Today the ForgeRock doc build plugin reached 1.1.0.

As mentioned on the mailing list, “This release fixes a few issues, and includes a number of improvements that have already been visible in the documentation for a while now.” Basically, it’s something stable before we embark on 2.0.0, which I hope will reach release in the fall next year, and include many significant improvements to doc layout and usability.

JCite and DocBook Together

Peter Arrenbrecht‘s JCite – Java Source Code Citation System – looks like something we could use to keep our DocBook-based developer documentation in sync with Java examples.

One of JCite’s strengths is in generating HTML content with <span>s for syntax highlighting. Yet, JCite also supports “plain” citations, pulling in content without extra markup, instead only escaping special characters like <, >, and &.

I tried it with a small sample DocBook <chapter>, chap-jcite.xml. That chapter uses JCite to cite Java code from a Test class. (Sorry, no, I haven’t yet worked out how to plug JCite for DocBook into WordPress.)

 <para>The following example cites an entire Java class.</para>

 <programlisting language="java"
 >[jcp:org.forgerock.doc.jcite.test.Test]</programlisting>

 <para>The following example cites a single Java method.</para>

 <programlisting language="java"
 >[jcp:org.forgerock.doc.jcite.test.Test:--- mainMethod]</programlisting>

When the file is processed, the output contains cited code from Test.java

 <programlisting language="java"
 >package org.forgerock.doc.jcite.test;

/**
 * Test class for trying JCite.
 */
public final class Test {
    /**
     * Print a message, then print args one per line.
     * @param args Program arguments.
     */
  // --- mainMethod
    public static void main(final String[] args) {
        System.out.println(&quot;This is just a test.&quot;);
        for (String arg : args) {
            System.out.println(&quot;\t&quot; + arg);
        }
    }
  // --- mainMethod
}</programlisting>

 <para>The following example cites a single Java method.</para>

 <programlisting language="java"
 >public static void main(final String[] args) {
    System.out.println(&quot;This is just a test.&quot;);
    for (String arg : args) {
        System.out.println(&quot;\t&quot; + arg);
    }
}</programlisting>

Pretty nifty. The ForgeRock doc build plugin gets syntax highlighting elsewhere, so in principle this should work for ForgeRock docs.

Where’s the JCite Maven plugin?

Maven doc plugin: Single chapter output

As Lana mentioned to me the other day, if you make small changes to core docs, it can be painful to wait for the entire documentation set to generate just to see how your changes look in HTML or PDF for example. The fix for DOCS-29 lets you generate output for a single format. You can use the documentSrcName parameter to restrict what gets built to a single file, such as an individual chapter.

The following command generates PDF only for a single chapter of the forgerock-doc-maven-plugin-test project.

$ mvn -DdocumentSrcName=chap-one.xml -Dinclude=pdf clean pre-site

Find the pre-site output under target/docbkx/.

$ ls target/docbkx/pdf/*.pdf 
target/docbkx/pdf/ForgeRock-Bogus-Guide.pdf

Caveats:

• If you defined <excludes>, then you cannot use <include> in the same configuration.
• If you have multiple chapters with the same name, this might not work as expected. My guess is the last one wins.
• The documentSrcName must correspond to a file. You cannot currently generate output for a part of a file, nor for several arbitrary files.

Searching ForgeRock Community Sites

Someone said it is hard to find the search box on the *.forgerock.org community sites. Also, the searches were scoped too narrowly to look in the mailing lists.

Before the changes the search box is tucked away in the left menu, and scoped to site:<project>.forgerock.org.

OpenDJ Before: Search box in left menu

The new, improved version has a more obvious search box. Searches now cover everything at site:forgerock.org.

OpenAM After: Search box top right, now with colors

OpenAM: Changing Log Levels

Tucked away in the admin guide in a section on Debug Logging by Service, you are told that you can login as amadmin, access Debug.jsp (for example http://openam.example.com:8080/openam/Debug.jsp), and set the log levels for different services on the fly. This feature is actually more handy than its location in the admin guide suggests.

The Debug.jsp page shows you what is affected when you submit a change.

Then you can tail the logs  (for example, $HOME/openam/openam/log/*) or debug logs (for example, $HOME/openam/openam/debug/*) to see what the service thinks is happening. Turn it up to Message if you want details. You can turn it back down once you have found what you are looking for.

OpenAM: Permanent Links Between Federated Accounts

In reading about SAML 2.0, I see SAML 2.0 federation does not require any sort of permanent or even persistent connection between accounts at the identity provider and the service provider. If however you do want to make permanent connections for a list of identity provider and service provider accounts, then the ssoadm bulk federation commands can help.

Before You Start

Before you can run the bulk federation commands, first establish the relationship between accounts, and also set up the providers including installation of the ssoadm command.

Consider a case where the identity provider is at idp.example.org and the service provider is at sp.example.com. A demo user account has the Universal ID, id=demo,ou=user,dc=example,dc=org, on the identity provider. That maps to the Universal ID, id=demo,ou=user,dc=example,dc=com, on the service provider.

The ssoadm command then needs a file that maps local user IDs to remote user IDs, one per line, separated by the vertical bar character |. Each line of the file looks like this:

local-user-ID|remote-user-ID

In this example, starting on the service provider side, the line for the demo user reads:

id=demo,ou=user,dc=example,dc=com|id=demo,ou=user,dc=example,dc=org

All the users’ accounts mapped in your file must exist at the identity provider and the service provider when you run the commands to link them.

See the OpenAM Installation Guide for details on installing OpenAM and the ssoadm command. The OpenAM Administration Guide describes how to create hosted providers and register remote providers.

Linking Federated Accounts in Bulk

After everything is set up, you can link the accounts using the ssoadm bulk federation commands.

1. Prepare the data with the ssoadm do-bulk-federation command.
   This example starts on the service provider side.

   $ cat /tmp/user-map.txt
   id=demo,ou=user,dc=example,dc=com|id=demo,ou=user,dc=example,dc=org
   $ ssoadm do-bulk-federation --metaalias /sp \
    --remoteentityid http://idp.example.org:8080/openam \
    --useridmapping /tmp/user-map.txt \
    --nameidmapping /tmp/name-map.txt \
    --adminid amadmin --password-file /tmp/pwd.txt \
    --spec saml2
   
   Bulk Federation for this host was completed. To complete the
   federation, name Id mapping file should be loaded to remote
   provider.

2. Copy the name ID mapping output file to the other provider.

   $ scp /tmp/name-map.txt idp.example.org:/tmp/name-map.txt
   openam@idp.example.org's password: 
   name-map.txt                     100%  177     0.2KB/s   00:00

3. Import the name ID mapping file with the ssoadm import-bulk-fed-data command.
   In this example, this step takes place on the identity provider side.

   $ ssoadm import-bulk-fed-data \
    --adminid amadmin --password-file /tmp/pwd.txt \
    --metaalias /idp --bulk-data-file /tmp/name-map.txt 
   
   Bulk Federation for this host was completed.

The accounts are now linked.

DocBook XSL: A floating, set-level TOC?

One of Google’s summer of code projects this year involves work on the webhelp stylesheets. You can make nice looking output with webhelp.

Last time I tried webhelp, it worked with book-sized pieces, however, rather than set-sized pieces. Looking at an issue in my list, I see that a sufficient solution would be a floating, hideable, left-menu, <set>-level table of contents.

I’m imagining separate HTML (one for single-page output, one for chunked) that gets pulled in on the client side. Who has already done this using the open source stylesheets? (Maybe starting with the olink database?)

Decoding SAML Messages

Peter Major mentioned the SAML 2.0 Debugger to me a while ago. It’s a helpful tool when trying to understand what’s happening when you are playing with a Fedlet, for example.

If you notice SAML messages, for example in a POST URL, and want to decode something like SAMLRequest=nVRNj9owEL3vr4h8h4QAgVqAREFVkbbdLKE99DZxJl1Lju3azkL%2Ffe1sFlHtilacLD1PZt7HOAsLjdB03bonucdfLVoXRadGSEu7myVpjaQKLLdUQoOWOkaL9Zd7mg4Tqo1yiilB7nbbJbHpqK7LEifZeArpZIrJvJ7OsBwBZvNsBmU5%2FpDMYDxhJPqOxnIll8S3IdHO2hZ30jqQzkPJKB0k2SCZHEYZTUY0zX6QaOupcQmu%2B%2BrJOU3jWGn0pIZ4gkYLHDLV0HkyT3o8LoqHPVbcIHNxgw7WgoONeaVJ9EkZhp3qJalBWAwkcrCWP%2BMZyXt5H7msuPx53YvypcjSz4dDPsgfigOJ1taiCYw3Stq2QVOgeeYMv%2B3vzxqOx%2BNbATVWAl1%2FgNaCs045Wd0tQi60c8xcJHWdHLwSIat%2Fj13EFyP6gZp%2B9U1321x5Kr9vWZFgeQPuenVAeDWou1LqDEjLUToSFXmY%2F9iC4DVH8z%2FuefuFUMeNQXA%2BU2daJKsXbX%2BrOUvsHwBW3WL4zBye3C1SN6rRYLgNq%2BrZMecHd55eNt4In8oe61tCvFrGKAutPRwW%2BqhMFRbZPwKsDsFRrcxrxu%2FxOXv0rh3erPjtP2P1Bw%3D%3D, copy the value and paste it into the SAML 2.0 Debugger, then click Decode SAML message:

<samlp:AuthnRequest  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="s21ffbbe4635a245e08f57eb1ae6867abb3907a34c" Version="2.0" IssueInstant="2012-06-04T16:01:26Z" Destination="http://openam.example.com:8080/openam/SSORedirect/metaAlias/idp" ForceAuthn="false" IsPassive="false" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" AssertionConsumerServiceURL="http://www.example.com:8080/fedlet/fedletapplication">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://www.example.com:8080/fedlet</saml:Issuer>
<samlp:NameIDPolicy  xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" SPNameQualifier="http://www.example.com:8080/fedlet" AllowCreate="true"></samlp:NameIDPolicy>
<samlp:RequestedAuthnContext xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Comparison="exact"><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:RequestedAuthnContext>
</samlp:AuthnRequest>

Still a bit complex, but a lot easier to read than the version above.

docbkx-tools: Testing DocBook XSL 1.77.0

DocBook XSL 1.77.0 has been out for a couple of weeks. I have not found anything unexpected, yet.

ForgeRock core docs have three layers to build between the stylesheets and the docs that use forgerock-doc-maven-plugin. Here is what I did in order to enable testing:

1. Get the DocBook Maven project, https://docbook.svn.sourceforge.net/svnroot/docbook/trunk/maven, update the versions to pull the latest stylesheets, and mvn install a local copy.

   $ svn diff
   Index: docbook-xsl/pom.xml
   ===================================================================
   --- docbook-xsl/pom.xml	(revision 9386)
   +++ docbook-xsl/pom.xml	(working copy)
   @@ -5,7 +5,7 @@
      <artifactId>docbook-xsl</artifactId>
      <name>DocBook XSL Stylesheets</name>
      <packaging>pom</packaging>
   -  <version>1.76.1</version>
   +  <version>1.77.0</version>
      <description>These are XSL stylesheets for transforming DocBook XML document instances into various output formats.
      </description>
      <url>http://sourceforge.net/projects/docbook/</url>
   @@ -18,8 +18,8 @@
   
      <properties>
   -    <docbook.xsl.release>docbook-xsl-1.76.1</docbook.xsl.release>
   -    <docbook.xslns.release>docbook-xsl-ns-1.76.1</docbook.xslns.release>
   +    <docbook.xsl.release>docbook-xsl-1.77.0</docbook.xsl.release>
   +    <docbook.xslns.release>docbook-xsl-ns-1.77.0</docbook.xslns.release>
      </properties>
   
      <build>

2. Get docbkx-tools, http://docbkx-tools.googlecode.com/svn/trunk, update the stylesheet version, and mvn install a local copy.

   $ svn diff
   Index: docbkx-maven-plugin/pom.xml
   ===================================================================
   --- docbkx-maven-plugin/pom.xml	(revision 258)
   +++ docbkx-maven-plugin/pom.xml	(working copy)
   @@ -62,7 +62,7 @@
        <dependency>
          <groupId>net.sf.docbook</groupId>
          <artifactId>docbook-xsl</artifactId>
   -      <version>1.76.1</version>
   +      <version>1.77.0</version>
          <type>zip</type>
          <classifier>ns-resources</classifier>
        </dependency>

3. Get forgerock-doc-maven-plugin, https://svn.forgerock.org/commons/forgerock-doc-maven-plugin/trunk, update the docbkx-tools version, and mvn install a local copy.
   Update: Thanks to Chris Ridd. Also need to change AbstractBuildMojo.java as shown.

   $ svn diff
   Index: src/main/java/org/forgerock/doc/maven/AbstractBuildMojo.java
   ===================================================================
   --- src/main/java/org/forgerock/doc/maven/AbstractBuildMojo.java	(revision 311)
   +++ src/main/java/org/forgerock/doc/maven/AbstractBuildMojo.java	(working copy)
   @@ -32,7 +32,7 @@
         * Docbkx Tools plugin version to use. Executions seem to hit an NPE when
         * the version is not specified.
         *
   -     * @parameter default-value="2.0.14" expression="${docbkxVersion}
   +     * @parameter default-value="2.0.15-SNAPSHOT" expression="${docbkxVersion}
         * @required
         */
        private String docbkxVersion;
   Index: pom.xml
   ===================================================================
   --- pom.xml	(revision 312)
   +++ pom.xml	(working copy)
   @@ -61,7 +61,7 @@
     </licenses>
   
     <properties>
   -  <docbkxVersion>2.0.14</docbkxVersion>
   +  <docbkxVersion>2.0.15-SNAPSHOT</docbkxVersion>
      <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
      <maven.compiler.target>1.6</maven.compiler.target>
      <maven.compiler.source>1.6</maven.compiler.source>

4. Use your local Maven installation to build your test documentation.