Request access modal form (#204)

* New endpoint that show's agents ACL authorizations

* Modal access request form

* Reloading access matrix when agent select changes

* RDF/POST inputs in form-request-access

* Access request endpoint

* Moved access endpoints to the admin app

* Fixed authorization request form

* CSS fixes

* Request access form fixes

SPARQL endpoint is now read-only accessible for authenticated agents

* Check acl:mode in AuthorizationFilter instead of authQuery

* Access endpoint uses SPARQL query to load document types and injects them into the ACL query

* `AuthorizationFilter` uses new `SERVICE`-less queries and gets `VALUES ?Type` injected

All endpoints now have to be described in RDF with types (otherwise empty `VALUES` makes the ACL query return empty result)

* If accessTo document does not exist (has no types), retry PUT authorization with a parent URI

* ACL query fixes

* AuthorizationFilter fixes

* Restored $base binding

* Included nfo:FileDataObject case in the document type query

* Include `ontologies/namespace/` as a special case in ownerAclQuery

* Fixrd ACL for the `admin/clear` endpoint

* Only containers allow child documents

* Only root *and* containers allow child documents

* Fixed parent type value

* Aligned HTTP tests with the new `AuthorizationFilter` behavior

* HTTP test fixes

* Cleanup

* Improved Java syntax

* Removed `$Container` bindings

* XSLT cleanup

* Create document owner authorization on the fly

`xhtml:Input` and `ldh:parse-rdf-post` fixes

* Check owner of parent document after checking its type

* Extracted common utility functions from `AuthorizationFilter` and the `Access` endpoint

* Moved document type/owner query into the web.xml config

* Access endpoint returns `lacl:OwnerAuthorization` as well

Author: namedgraph

http-tests/admin/POST-request-access.sh

@@ -13,27 +13,20 @@ curl -w "%{http_code}\n" -o /dev/null -k -s \
   --data-urlencode "rdf=" \
   --data-urlencode "sb=request" \
   --data-urlencode "pu=http://www.w3.org/1999/02/22-rdf-syntax-ns#type" \
-  --data-urlencode "ou=https://w3id.org/atomgraph/linkeddatahub/admin/acl#AuthorizationRequest" \
-  --data-urlencode "pu=https://w3id.org/atomgraph/linkeddatahub/admin/acl#requestAccessTo" \
+  --data-urlencode "ou=http://www.w3.org/ns/auth/acl#Authorization" \
+  --data-urlencode "pu=http://www.w3.org/ns/auth/acl#accessTo" \
   --data-urlencode "ou=${END_USER_BASE_URL}sparql" \
-  --data-urlencode "pu=https://w3id.org/atomgraph/linkeddatahub/admin/acl#requestAccessToClass" \
+  --data-urlencode "pu=http://www.w3.org/ns/auth/acl#accessToClass" \
   --data-urlencode "ou=https://w3id.org/atomgraph/linkeddatahub/default#Root" \
   --data-urlencode "ou=https://www.w3.org/ns/ldt/document-hierarchy#Container" \
   --data-urlencode "ou=https://www.w3.org/ns/ldt/document-hierarchy#Item" \
   --data-urlencode "ou=http://www.semanticdesktop.org/ontologies/2007/03/22/nfo#FileDataObject" \
-  --data-urlencode "pu=https://w3id.org/atomgraph/linkeddatahub/admin/acl#requestMode" \
+  --data-urlencode "pu=http://www.w3.org/ns/auth/acl#mode" \
   --data-urlencode "ou=http://www.w3.org/ns/auth/acl#Read" \
   --data-urlencode "ou=http://www.w3.org/ns/auth/acl#Write" \
   --data-urlencode "pu=http://www.w3.org/2000/01/rdf-schema#label" \
   --data-urlencode "ol=Access request by Test Agent" \
-  --data-urlencode "pu=https://w3id.org/atomgraph/linkeddatahub/admin/acl#requestAgent" \
+  --data-urlencode "pu=http://www.w3.org/ns/auth/acl#agent" \
   --data-urlencode "ou=${AGENT_URI}" \
-  --data-urlencode "sb=request-item" \
-  --data-urlencode "pu=http://www.w3.org/1999/02/22-rdf-syntax-ns#type" \
-  --data-urlencode "ou=https://www.w3.org/ns/ldt/document-hierarchy#Item" \
-  --data-urlencode "pu=http://rdfs.org/sioc/ns#has_container" \
-  --data-urlencode "ou=${ADMIN_BASE_URL}acl/authorization-requests/" \
-  --data-urlencode "pu=http://xmlns.com/foaf/0.1/primaryTopic" \
-  --data-urlencode "ob=request" \
-  "${ADMIN_BASE_URL}request%20access" \
-| grep -q "$STATUS_CREATED"
+  "${ADMIN_BASE_URL}access/request" \
+| grep -q "$STATUS_OK"

…p-tests/admin/GET-request-access-html.sh …p-tests/document-hierarchy/DELETE-403.shhttp-tests/admin/GET-request-access-html.sh renamed to http-tests/document-hierarchy/DELETE-403.sh http-tests/admin/GET-request-access-html.sh renamed to http-tests/document-hierarchy/DELETE-403.sh

@@ -5,13 +5,13 @@ initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPO
 initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
 purge_cache "$END_USER_VARNISH_SERVICE"
 purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
 
-# test the "Request access" HTML form
+# check that write access without authorization is forbidden
 
-curl -k -w "%{http_code}\n" -o /dev/null -f -s \
-  -G \
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -X DELETE \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
-  -H 'Accept: text/html' \
-  --data-urlencode "access-to=${END_USER_BASE_URL}" \
-  "${ADMIN_BASE_URL}request%20access" \
-| grep -q "$STATUS_OK"
+  -H "Accept: application/n-triples" \
+    "$END_USER_BASE_URL" \
+| grep -q "$STATUS_FORBIDDEN"

…p-tests/document-hierarchy/DELETE-404.sh …ent-hierarchy/DELETE-non-existing-403.shhttp-tests/document-hierarchy/DELETE-404.sh renamed to http-tests/document-hierarchy/DELETE-non-existing-403.sh http-tests/document-hierarchy/DELETE-404.sh renamed to http-tests/document-hierarchy/DELETE-non-existing-403.sh

@@ -15,11 +15,11 @@ add-agent-to-group.sh \
   --agent "$AGENT_URI" \
   "${ADMIN_BASE_URL}acl/groups/writers/"
 
-# check that access to graph with parent is allowed, but the graph is not found
+# check that access to non-existing graph is forbidden
 
 curl -k -w "%{http_code}\n" -o /dev/null -s -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -X DELETE \
   -H "Accept: application/n-triples" \
   "${END_USER_BASE_URL}non-existing/" \
-| grep -q "$STATUS_NOT_FOUND"
+| grep -q "$STATUS_FORBIDDEN"

http-tests/document-hierarchy/DELETE.sh

@@ -45,4 +45,4 @@ curl -k -w "%{http_code}\n" -o /dev/null -s -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -H "Accept: application/n-triples" \
   "$container" \
-| grep -q "$STATUS_NOT_FOUND"
+| grep -q "$STATUS_FORBIDDEN"

http-tests/document-hierarchy/GET-403.sh

@@ -7,9 +7,9 @@ purge_cache "$END_USER_VARNISH_SERVICE"
 purge_cache "$ADMIN_VARNISH_SERVICE"
 purge_cache "$FRONTEND_VARNISH_SERVICE"
 
-# check that non-existing graph is forbidden
+# check that read access without authorization is forbidden
 
 curl -k -w "%{http_code}\n" -o /dev/null -s -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
-  "${END_USER_BASE_URL}non-existing/" \
+  "$END_USER_BASE_URL" \
 | grep -q "$STATUS_FORBIDDEN"

http-tests/document-hierarchy/GET-404.sh …cument-hierarchy/GET-non-existing-403.shhttp-tests/document-hierarchy/GET-404.sh renamed to http-tests/document-hierarchy/GET-non-existing-403.sh http-tests/document-hierarchy/GET-404.sh renamed to http-tests/document-hierarchy/GET-non-existing-403.sh

@@ -21,4 +21,4 @@ curl -k -w "%{http_code}\n" -o /dev/null -s -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -H "Accept: application/n-triples" \
   "${END_USER_BASE_URL}non-existing/" \
-| grep -q "$STATUS_NOT_FOUND"
+| grep -q "$STATUS_FORBIDDEN"

http-tests/document-hierarchy/GET.sh

@@ -15,7 +15,7 @@ add-agent-to-group.sh \
   --agent "$AGENT_URI" \
   "${ADMIN_BASE_URL}acl/groups/readers/"
 
-# GET the graph (use Chrome's default Accept value)
+# GET the graph
 
 curl -k -w "%{http_code}\n" -o /dev/null -f -s -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \

http-tests/document-hierarchy/PATCH-403.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# check that write access without authorization is forbidden
+
+update=$(cat <<EOF
+PREFIX  rdf:  <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
+
+INSERT
+{
+  <${END_USER_BASE_URL}> rdf:_2 <${END_USER_BASE_URL}#whateverest>
+}
+WHERE
+{}
+EOF
+)
+
+curl -k -w "%{http_code}\n" -o /dev/null -s \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -X PATCH \
+  -H "Content-Type: application/sparql-update" \
+  "$END_USER_BASE_URL" \
+   --data-binary "$update" \
+| grep -q "$STATUS_FORBIDDEN"

…tp-tests/document-hierarchy/PATCH-404.sh …ment-hierarchy/PATCH-non-existing-403.shhttp-tests/document-hierarchy/PATCH-404.sh renamed to http-tests/document-hierarchy/PATCH-non-existing-403.sh http-tests/document-hierarchy/PATCH-404.sh renamed to http-tests/document-hierarchy/PATCH-non-existing-403.sh

@@ -15,7 +15,7 @@ add-agent-to-group.sh \
   --agent "$AGENT_URI" \
   "${ADMIN_BASE_URL}acl/groups/writers/"
 
-# check that access to graph with parent is allowed, but the graph is not found
+# check that write access to non-existing graph is forbidden
 
 update=$(cat <<EOF
 PREFIX  rdf:  <http://www.w3.org/1999/02/22-rdf-syntax-ns#>
@@ -37,4 +37,4 @@ curl -k -w "%{http_code}\n" -o /dev/null -s \
   "${END_USER_BASE_URL}non-existing/" \
    --data-binary "$update"
 ) \
-| grep -q "$STATUS_NOT_FOUND"
+| grep -q "$STATUS_FORBIDDEN"

http-tests/document-hierarchy/POST-403.sh

@@ -7,7 +7,7 @@ purge_cache "$END_USER_VARNISH_SERVICE"
 purge_cache "$ADMIN_VARNISH_SERVICE"
 purge_cache "$FRONTEND_VARNISH_SERVICE"
 
-# check that non-existing graph is forbidden
+# check that append access without authorization is forbidden
 
 (
 curl -k -w "%{http_code}\n" -o /dev/null -s \