Support Single-Lock Access for Legal Deposit Restrictions

[ikreymer]

Add support in pywb to allow 'single session access' to every top-level page, but not embedded resources.

Current workflow to be supported:

• A user visits, and is given a session that is stored using a browser cookie.
• Each timestamp+URL combination the user visits is ‘locked’ to that session. If another user requests the same URL and the same timestamp, they should get a suitable error page.
• There should be ‘logoff’ page that expires the cookie and releases the locks.
• There should be a page for administrators that lists all the session, and the items locked by each session, and provides a link where a session can be logged off (the cookie expired and all locks released).
• It is sufficient that the locks are held in RAM. e.g. using a HashMap. They do not need to be stored permanently.
• All locks should expire overnight. This can be done within pywb or the service could provide a ‘release all locks’ URL that can be initiated from outside.

EDIT Some clarifications:

• Not all UKWA deployments need this feature, so it should be configuration per deployment.
• If it helps, the 'reference implementation' is here
• The above was implemented as a servlet filter, and uses a series of checks as to whether to lock specific resources, e.g. embeds/transclusions are not locked

[ikreymer]

A preliminary version is now part of the integration test. A 403 Not Allowed message should be shown if a page is locked.

It is sufficient that the locks are held in RAM. e.g. using a HashMap. They do not need to be stored permanently.

Using Redis instead so locks can persist across pywb restarts and support multiple instances.
All locks expire in Redis automatically, though separate endpoint can also be added to flush all locks.

[ikreymer]

Added to integration deployment.
http://localhost:8081/_locks can be used to view current list of locks, clear by session and by individual url

[anjackson]

I added a few additional notes to this ticket.

Ideally, it would be good to have some kind of automated test running on the integration test docker images, but I'm not quite sure how best to achieve that.

[anjackson]

Okay, I managed to use the Python Robot Framework to set up Selinium tests to check the lock. If it's possible to add a hook to clear all locks, that would make the testing a bit more robust.

[ikreymer]

Ah ok, was going to suggest headless chome/ff and selenium.. haven't used robot before, seems like a nice integration.

Can add the clear all and update the tests. It's also possible to set the timeout interval via SESSION_LOCK_INTERVAL, can set it to be short to test auto-expiration.

[ikreymer]

Updated the tests to ensure only one lock created and that it expires. May be good to test with more complex pages as well.

[ikreymer]

The detection of embedded resources has also been improved, though not perfect. It's not possible to detect conclusively just on basis of the modifier or url placement, so I think currently system, errs on side of being considered an embedded resource.

One alternative/addition to looking at url modifier (im_, js_, cs_ etc..) is to assume an embedded resource, unless it has been loaded in the top frame, eg. set the lock not when resource is being loaded, but via a special message from the top frame.

[ikreymer]

Updated integration tests, see #8

Also supports basic auth for all lock admin ops if LOGIN_USER and LOGIN_PASSWORD is set.

Additional unit tests can be run via py.test -vv ./ukwa_pywb/test_sessionlimit.py