Merge branch 'main' into feature/4292-ollama-based-recommender

* main:
  #4328 - HTML files are not rendered if they use the HTML namespace
  #4326 - Upgrade dependencies
  #4324 - Allow configuring UID GID etc in Kubernetes

inception/inception-doc/src/main/resources/META-INF/asciidoc/admin-guide.adoc

@@ -46,6 +46,8 @@ include::{include-dir}installation_ssl_caddy.adoc[leveloffset=+2]
 
 include::{include-dir}installation_docker.adoc[leveloffset=+1]
 
+include::{include-dir}installation_kubernetes.adoc[leveloffset=+1]
+
 include::{include-dir}installation_unsupervised.adoc[leveloffset=+1]
 
 <<<

inception/inception-doc/src/main/resources/META-INF/asciidoc/admin-guide/installation_docker.adoc

@@ -1,7 +1,3 @@
-// Copyright 2015
-// Ubiquitous Knowledge Processing (UKP) Lab and FG Language Technology
-// Technische Universität Darmstadt
-// 
 // Licensed to the Technische Universität Darmstadt under one
 // or more contributor license agreements.  See the NOTICE file
 // distributed with this work for additional information

inception/inception-doc/src/main/resources/META-INF/asciidoc/admin-guide/installation_kubernetes.adoc

@@ -0,0 +1,54 @@
+// Licensed to the Technische Universität Darmstadt under one
+// or more contributor license agreements.  See the NOTICE file
+// distributed with this work for additional information
+// regarding copyright ownership.  The Technische Universität Darmstadt 
+// licenses this file to you under the Apache License, Version 2.0 (the
+// "License"); you may not use this file except in compliance
+// with the License.
+//  
+// http://www.apache.org/licenses/LICENSE-2.0
+// 
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+[[sect_kubernetes]]
+= Running via Kubernetes
+
+NOTE: This is a **very rough** guide on how {application-name} could be deployed using
+      Kubernetes. If you are familiar with Kubernetes and cloud deployment, you will
+      probably find a lot here that can be improved. Great! Best help us improving this
+      guide by sending us your improvement suggestions through 
+      link:https://github.com/inception-project/inception[GitHub].
+
+The following Kubernetes file sets up {application-name} along with a few volumes.
+It does currently **NOT** set up a database container but instead uses the built-in
+database **which is not recommended for production environments**. Also, it uses
+folders on the host system for volumes. It is only meant as an illustration.
+**Be sure to adjust this to your environment and to use a proper database!**
+
+[source,text,subs="+attributes"]
+.Kubernetes deployment descriptor
+----
+include::scripts/kubernetes.yml[]
+----
+
+To deploy an {application-name} service copy this to a file called `inception.yml` and then run it using
+
+[source,text]
+.Create Kubernetes environment
+----
+$ kubectl create -f inception.yml
+----
+
+To delete the service again, use
+
+[source,text]
+.Delete Kubernetes environment
+----
+$ kubectl delete -f inception.yml
+----
+
+This can be tested e.g. using the Kubernetes support built into recent Docker Desktop. If you experience problems, make sure you run the latest version of Docker Desktop.

inception/inception-doc/src/main/resources/META-INF/asciidoc/admin-guide/scripts/kubernetes.yml

@@ -0,0 +1,142 @@
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: inception-data-pv
+  labels:
+    type: local
+spec:
+  storageClassName: standard
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/srv/inception-kubernetes/data"
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: inception-log-pv
+  labels:
+    type: local
+spec:
+  storageClassName: standard
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/srv/inception-kubernetes/data"
+---
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+  name: inception-tmp-pv
+  labels:
+    type: local
+spec:
+  storageClassName: standard
+  capacity:
+    storage: 5Gi
+  accessModes:
+    - ReadWriteOnce
+  hostPath:
+    path: "/srv/inception-kubernetes/data"
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: inception-data-pvc
+spec:
+  storageClassName: standard
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: inception-tmp-pvc
+spec:
+  storageClassName: standard
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: inception-log-pvc
+spec:
+  storageClassName: standard
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 5Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+   name: inception-svc
+   labels:
+     app: inception
+spec:
+   type: NodePort
+   ports:
+   - protocol: TCP
+     port: 8080
+     targetPort: 8080
+     nodePort: 32000
+   selector:
+     app: inception
+---     
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: inception
+spec:
+  selector:
+    matchLabels:
+      app: inception
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: inception
+    spec:
+      securityContext:
+        runAsUser: 2000
+        runAsGroup: 2000
+        fsGroup: 2000
+        runAsNonRoot: true
+      containers:
+      - name: inception
+        image: "ghcr.io/inception-project/inception-snapshots:{revnumber}"
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+        securityContext:
+          readOnlyRootFilesystem: true
+          privileged: false
+        volumeMounts:
+        - mountPath: /export
+          name: inception-data-pv
+        - mountPath: /tmp
+          name: inception-tmp-pv
+        - mountPath: /var/log
+          name: inception-log-pv
+      volumes:
+      - name: inception-data-pv
+        persistentVolumeClaim:
+          claimName: inception-data-pvc
+      - name: inception-tmp-pv
+        persistentVolumeClaim:
+          claimName: inception-tmp-pvc
+      - name: inception-log-pv
+        persistentVolumeClaim:
+          claimName: inception-log-pvc

inception/inception-docker/src/main/docker/Dockerfile

@@ -46,6 +46,8 @@ RUN groupadd -g ${APP_GID} ${APP_GROUP} \
 # Set up application data folder
 RUN mkdir /export
 VOLUME /export
+VOLUME /tmp
+VOLUME /var/log
 
 # Launch application
 ENV JAVA_OPTS="-Xmx750m"

inception/inception-docker/src/main/docker/launch.sh

@@ -17,19 +17,26 @@
 
 set -x
 
-# Update the user and group IDs for an existing user
-echo "Updating UID [$APP_UID] and GID [$APP_GID] for user [$APP_USER] and group [$APP_GROUP]..."
-usermod -u "$APP_UID" "$APP_USER"
-groupmod -g "$APP_GID" "$APP_GROUP"
-
-# Change the ownership of application files
-echo "Updating file ownership user inception - this may take a moment..."
-chown -R "$APP_USER":"$APP_GROUP" /opt/inception
-chown -R "$APP_USER":"$APP_GROUP" /export
-
-# Run application as the application user
-echo "Launching application..."
-COMMAND="$(which $1)" 
-shift
-ARGUMENTS="$(printf "\"%s\" " "$@")"
-exec su -p -c "${COMMAND} ${ARGUMENTS}" "$APP_USER"
+if [ "$(id -u)" = "0" ]; then
+  # Update the user and group IDs for an existing user
+  echo "Updating UID [$APP_UID] and GID [$APP_GID] for user [$APP_USER] and group [$APP_GROUP]..."
+  usermod -u "$APP_UID" "$APP_USER"
+  groupmod -g "$APP_GID" "$APP_GROUP"
+
+  # Change the ownership of application files
+  echo "Updating file ownership user inception - this may take a moment..."
+  chown -R "$APP_USER":"$APP_GROUP" /opt/inception
+  chown -R "$APP_USER":"$APP_GROUP" /export
+
+  # Drop privileges and run the application as the non-privileged user
+  # (e.g. when running via simple `docker run ...`
+  echo "Launching application..."
+  COMMAND="$(which $1)" 
+  shift
+  ARGUMENTS="$(printf "\"%s\" " "$@")"
+  exec su -p -c "${COMMAND} ${ARGUMENTS}" "$APP_USER"
+else
+  # Privileges have already been dropped by the caller so we run as the
+  # current user (e.g. in a typical Kubernetes deployment)
+  exec $@
+fi

inception/inception-external-editor/src/main/java/de/tudarmstadt/ukp/inception/externaleditor/policy/DefaultHtmlDocumentPolicy.yaml

@@ -19,6 +19,7 @@ version: 1.0
 case_sensitive: false
 default_attribute_action: DROP
 default_element_action: DROP
+default_namespace: http://www.w3.org/1999/xhtml
 debug: true
 policies:
   - action: PASS

inception/inception-external-editor/src/test/java/de/tudarmstadt/ukp/inception/externaleditor/policy/DefaultHtmlDocumentPolicyTest.java

@@ -41,7 +41,7 @@ void thatOverrideFileIsPickedUp(@TempDir Path aTemp) throws Exception
 
         var sut = new DefaultHtmlDocumentPolicy();
 
-        assertThat(sut.getPolicy().getElementPolicies()).hasSize(74);
+        assertThat(sut.getPolicy().getElementPolicies()).hasSize(148);
 
         write(policyFile.toFile(), "policies: []", UTF_8);
         assertThat(policyFile).exists();
@@ -54,6 +54,6 @@ void thatOverrideFileIsPickedUp(@TempDir Path aTemp) throws Exception
 
         Files.delete(policyFile);
         assertThat(policyFile).doesNotExist();
-        assertThat(sut.getPolicy().getElementPolicies()).hasSize(74);
+        assertThat(sut.getPolicy().getElementPolicies()).hasSize(148);
     }
 }

inception/inception-support/src/main/java/de/tudarmstadt/ukp/inception/support/xml/sanitizer/ExternalPolicyCollection.java

@@ -32,6 +32,7 @@ public class ExternalPolicyCollection
     private boolean debug;
     private ElementAction defaultElementAction;
     private AttributeAction defaultAttributeAction;
+    private String defaultNamespace;
 
     public String getName()
     {
@@ -102,4 +103,14 @@ public AttributeAction getDefaultAttributeAction()
     {
         return defaultAttributeAction;
     }
+
+    public String getDefaultNamespace()
+    {
+        return defaultNamespace;
+    }
+
+    public void setDefaultNamespace(String aDefaultNamespace)
+    {
+        defaultNamespace = aDefaultNamespace;
+    }
 }

inception/inception-support/src/main/java/de/tudarmstadt/ukp/inception/support/xml/sanitizer/PolicyCollectionBuilder.java

@@ -19,6 +19,7 @@
 
 import static de.tudarmstadt.ukp.inception.support.xml.XmlParserUtils.caseInsensitiveQNameComparator;
 import static de.tudarmstadt.ukp.inception.support.xml.sanitizer.ElementAction.PASS;
+import static org.apache.commons.lang3.StringUtils.isEmpty;
 
 import java.lang.invoke.MethodHandles;
 import java.util.LinkedHashMap;
@@ -46,6 +47,8 @@ public class PolicyCollectionBuilder
     private ElementAction defaultElementAction = ElementAction.DROP;
     private AttributeAction defaultAttributeAction = AttributeAction.DROP;
 
+    private String defaultNamespace;
+
     public static PolicyCollectionBuilder caseSensitive()
     {
         return new PolicyCollectionBuilder(LinkedHashMap::new);
@@ -66,6 +69,12 @@ public PolicyCollectionBuilder(Supplier<? extends Map> aMapSupplier)
         globalAttributePolicies = mapSupplier.get();
     }
 
+    public PolicyCollectionBuilder defaultNamespace(String aDefaultNamespace)
+    {
+        defaultNamespace = aDefaultNamespace;
+        return this;
+    }
+
     public PolicyCollectionBuilder defaultAttributeAction(AttributeAction aDefaultAttributeAction)
     {
         defaultAttributeAction = aDefaultAttributeAction;
@@ -137,6 +146,10 @@ PolicyCollectionBuilder elementPolicy(QName aElement, ElementAction aAction)
         elementPolicyBuilders.put(aElement,
                 new ElementPolicyBuilder(aElement, aAction, mapSupplier));
 
+        if (isEmpty(aElement.getNamespaceURI()) && defaultNamespace != null) {
+            elementPolicy(new QName(defaultNamespace, aElement.getLocalPart()), aAction);
+        }
+
         return this;
     }
 
@@ -201,6 +214,12 @@ void attributePolicy(QName aElementName, QName aAttributeName, AttributePolicy a
                         aElementName, aAttributeName, oldPolicy, aPolicy);
             }
         }
+
+        if (isEmpty(aElementName.getNamespaceURI()) && isEmpty(aAttributeName.getNamespaceURI())
+                && defaultNamespace != null) {
+            attributePolicy(new QName(defaultNamespace, aElementName.getLocalPart()),
+                    new QName(defaultNamespace, aAttributeName.getLocalPart()), aPolicy);
+        }
     }
 
     public void allowAttribute(QName aAttribute, Pattern aPattern)

inception/inception-support/src/main/java/de/tudarmstadt/ukp/inception/support/xml/sanitizer/PolicyCollectionIOUtils.java

@@ -53,6 +53,9 @@ public static PolicyCollection loadPolicies(InputStream aIs) throws IOException
             policyCollectionBuilder
                     .defaultAttributeAction(externalCollection.getDefaultAttributeAction());
         }
+        if (externalCollection.getDefaultNamespace() != null) {
+            policyCollectionBuilder.defaultNamespace(externalCollection.getDefaultNamespace());
+        }
 
         for (ExternalPolicy policy : externalCollection.getPolicies()) {
             var isElementPolicy = policy.getElements() != null;