Separated documentTypeQuery from documentOwnerQuery

Some `try/finally` refactoring
New HTTP tests for the `Access` endpoint

Author: namedgraph

http-tests/access/acl-owner-authorization.sh

@@ -0,0 +1,45 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+initialize_dataset "$END_USER_BASE_URL" "$TMP_END_USER_DATASET" "$END_USER_ENDPOINT_URL"
+initialize_dataset "$ADMIN_BASE_URL" "$TMP_ADMIN_DATASET" "$ADMIN_ENDPOINT_URL"
+purge_cache "$END_USER_VARNISH_SERVICE"
+purge_cache "$ADMIN_VARNISH_SERVICE"
+purge_cache "$FRONTEND_VARNISH_SERVICE"
+
+# add agent to the writers group
+
+add-agent-to-group.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --agent "$AGENT_URI" \
+  "${ADMIN_BASE_URL}acl/groups/writers/"
+
+# create container
+
+slug="test"
+
+container=$(create-container.sh \
+  -f "$AGENT_CERT_FILE" \
+  -p "$AGENT_CERT_PWD" \
+  -b "$END_USER_BASE_URL" \
+  --title "Test" \
+  --slug "$slug" \
+  --parent "$END_USER_BASE_URL")
+
+# check that the access metadata for the container URI inclused owner authorization for the agent
+
+ntriples=$(curl -k -s -G \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -H "Accept: application/n-triples" \
+  --data "this=${container}" \
+  "${ADMIN_BASE_URL}access"
+)
+
+auth1=$(cat "$ntriples" | grep "<http://www.w3.org/1999/02/22-rdf-syntax-ns#> <https://w3id.org/atomgraph/linkeddatahub/admin/acl#OwnerAuthorization>" | cut -d' ' -f1 | head -n1)
+auth2=$(cat "$ntriples" | grep "<http://www.w3.org/ns/auth/acl#agent> <${AGENT_URI}>" | cut -d' ' -f1 | head -n1)
+
+# if the subjects of the two triples are different, the agent is not the owner of the container
+if [ "$auth1" != "$auth2" ]; then
+  exit 1
+fi

http-tests/document-hierarchy/acl-owner-container.sh

@@ -27,7 +27,7 @@ container=$(create-container.sh \
   --slug "$slug" \
   --parent "$END_USER_BASE_URL")
 
-# check that the item was created at the expected URL and attached to the document hierarchy
+# check that the created container has the agent as owner
 
 get.sh \
   -f "$AGENT_CERT_FILE" \

http-tests/document-hierarchy/acl-owner-item.sh

@@ -27,7 +27,7 @@ item=$(create-item.sh \
   --slug "$slug" \
   --container "$END_USER_BASE_URL")
 
-# check that the item was created at the expected URL and attached to the document hierarchy
+# check that the created item has the agent as owner
 
 get.sh \
   -f "$AGENT_CERT_FILE" \

http-tests/document-hierarchy/create-container.sh

@@ -27,7 +27,7 @@ container=$(create-container.sh \
   --slug "$slug" \
   --parent "$END_USER_BASE_URL")
 
-# check that the item was created at the expected URL and attached to the document hierarchy
+# check that the container was created at the expected URL and attached to the document hierarchy
 
 get.sh \
   -f "$AGENT_CERT_FILE" \

src/main/java/com/atomgraph/linkeddatahub/resource/acl/Access.java

@@ -119,22 +119,23 @@ public Response get(@QueryParam(QUERY) Query query,
         try
         {
             if (!getUriInfo().getQueryParameters().containsKey(SPIN.THIS_VAR_NAME)) throw new BadRequestException("?this query param is not provided");
+            
             Resource accessTo = ResourceFactory.createResource(new URI(getUriInfo().getQueryParameters().getFirst(SPIN.THIS_VAR_NAME)).toString()); // ?this query param needs to be passed
             if (log.isDebugEnabled()) log.debug("Loading current agent's authorizations for the <{}> document", accessTo);
 
-            QuerySolutionMap docTypeQsm = new QuerySolutionMap();
-            docTypeQsm.add(SPIN.THIS_VAR_NAME, accessTo);
-            ResultSetRewindable docTypes = loadResultSet(getEndUserService(), getDocumentTypeQuery(), docTypeQsm);
+            QuerySolutionMap thisQsm = new QuerySolutionMap();
+            thisQsm.add(SPIN.THIS_VAR_NAME, accessTo);
+            ResultSetRewindable docTypesResult = loadResultSet(getEndUserService(), getDocumentTypeQuery(), thisQsm);
+            
             try
             {
                 authPss.setParams(new AuthorizationParams(getApplication().getBase(), accessTo, agent).get());
-                query = new SetResultSetValues().apply(authPss.asQuery(), docTypes);
+                query = new SetResultSetValues().apply(authPss.asQuery(), docTypesResult);
                 assert query.toString().contains("VALUES");
-                docTypes.reset();
 
                 Model authModel = getEndpointAccessor().loadModel(query, defaultGraphUris, namedGraphUris);
                 // special case where the agent is the owner of the requested document - automatically grant acl:Read/acl:Append/acl:Write access
-                if (isOwner(docTypes, agent))
+                if (isOwner(accessTo, agent))
                 {
                     log.debug("Agent <{}> is the owner of <{}>, granting acl:Read/acl:Append/acl:Write access", agent, accessTo);
                     authModel.add(createOwnerAuthorization(accessTo, agent).getModel());
@@ -144,7 +145,7 @@ public Response get(@QueryParam(QUERY) Query query,
             }
             finally
             {
-                docTypes.close();
+                docTypesResult.close();
             }
         }
         catch (URISyntaxException ex)
@@ -188,21 +189,47 @@ protected ResultSetRewindable loadResultSet(com.atomgraph.linkeddatahub.model.Se
     /**
      * Checks if the given agent is the <code>acl:owner</code> of the document.
      * 
-     * @param docTypes The result set containing document metadata.
-     * @param agent The agent whose ownership is checked.
+     * @param accessTo the document URI
+     * @param agent the agent whose ownership is checked.
      * @return true if the agent is the owner, false otherwise.
      */
-    protected boolean isOwner(ResultSetRewindable docTypes, Resource agent)
+    protected boolean isOwner(Resource accessTo, Resource agent)
     {
+        QuerySolutionMap qsm = new QuerySolutionMap();
+        qsm.add(SPIN.THIS_VAR_NAME, accessTo);
+
+        ResultSetRewindable docOwnerResult = loadResultSet(getApplication().getService(), getDocumentOwnerQuery(), qsm); // could use ASK query in principle
+        try
+        {
+            return isOwner(docOwnerResult, agent);
+        }
+        finally
+        {
+            docOwnerResult.close();
+        }
+    }
+    
+    /**
+     * Checks if the given agent is the <code>acl:owner</code> of the document.
+     * 
+     * @param docOwnerResult the result set containing document metadata
+     * @param agent the agent whose ownership is checked
+     * @return true if the agent is the owner, false otherwise.
+     */
+    protected boolean isOwner(ResultSetRewindable docOwnerResult, Resource agent)
+    {
+        if (docOwnerResult == null) throw new IllegalArgumentException("ResultSet cannot be null");
+        if (agent == null) throw new IllegalArgumentException("Agent resource cannot be null");
+
         Resource owner = null;
 
-        while (docTypes.hasNext())
+        while (docOwnerResult.hasNext())
         {
-            QuerySolution qs = docTypes.next();
+            QuerySolution qs = docOwnerResult.next();
             if (owner == null && qs.contains("owner")) owner = qs.getResource("owner");
         }
 
-        docTypes.reset();
+        docOwnerResult.reset();
 
         return owner != null && owner.equals(agent);
     }
@@ -303,4 +330,15 @@ public ParameterizedSparqlString getDocumentTypeQuery()
         return documentTypeQuery.copy();
     }
 
+    public ParameterizedSparqlString getDocumentOwnerQuery()
+    {
+        return new ParameterizedSparqlString("PREFIX  acl:  <http://www.w3.org/ns/auth/acl#>\n" +
+"\n" +
+"SELECT  ?owner\n" +
+"WHERE\n" +
+"  { GRAPH $this\n" +
+"      { $this  acl:owner  ?owner }\n" +
+"  }");
+    }
+    
 }

src/main/java/com/atomgraph/linkeddatahub/server/filter/request/AuthorizationFilter.java

@@ -166,53 +166,60 @@ public Resource authorize(ContainerRequestContext request, Resource agent, Resou
     {
         Resource accessTo = ResourceFactory.createResource(request.getUriInfo().getAbsolutePath().toString());
 
-        QuerySolutionMap docTypeQsm = new QuerySolutionMap();
-        docTypeQsm.add(SPIN.THIS_VAR_NAME, accessTo);
-        ResultSetRewindable docTypes = loadResultSet(getApplication().getService(), getDocumentTypeQuery(), docTypeQsm);
+        // special case where the agent is the owner of the requested document - automatically grant acl:Read/acl:Append/acl:Write access
+        if (agent != null && isOwner(accessTo, agent))
+        {
+            log.debug("Agent <{}> is the owner of <{}>, granting acl:Read/acl:Append/acl:Write access", agent, accessTo);
+            return createOwnerAuthorization(accessTo, agent);
+        }
+        
+        QuerySolutionMap thisQsm = new QuerySolutionMap();
+        thisQsm.add(SPIN.THIS_VAR_NAME, accessTo);
 
+        ResultSetRewindable docTypesResult = loadResultSet(getApplication().getService(), getDocumentTypeQuery(), thisQsm);
         try
         {
-            // special case where the agent is the owner of the requested document - automatically grant acl:Read/acl:Append/acl:Write access
-            if (isOwner(docTypes, agent))
-            {
-                log.debug("Agent <{}> is the owner of <{}>, granting acl:Read/acl:Append/acl:Write access", agent, accessTo);
-                return createOwnerAuthorization(accessTo, agent);
-            }
-
-            if (!docTypes.hasNext()) // if the document resource has no types, we assume the document does not exist
+            if (!docTypesResult.hasNext()) // if the document resource has no types, we assume the document does not exist
             {
                 // special case for PUT requests to non-existing document: allow if the agent has acl:Write acess to the *parent* URI
                 if (request.getMethod().equals(HttpMethod.PUT) && accessMode.equals(ACL.Write))
                 {
                     URI parentURI = URI.create(accessTo.getURI()).resolve("..");
                     log.debug("Requested document <{}> not found, falling back to parent URI <{}>", accessTo, parentURI);
                     accessTo = ResourceFactory.createResource(parentURI.toString());
-                    
-                    docTypeQsm = new QuerySolutionMap();
-                    docTypeQsm.add(SPIN.THIS_VAR_NAME, accessTo);
-                    docTypes.close();
-                    docTypes = loadResultSet(getApplication().getService(), getDocumentTypeQuery(), docTypeQsm);
-                    
-                    Set<Resource> parentTypes = new HashSet<>();
-                    docTypes.forEachRemaining(qs -> parentTypes.add(qs.getResource("Type")));
-                    
-                    // only root and containers allow child documents
-                    if (Collections.disjoint(parentTypes, Set.of(Default.Root, DH.Container))) return null;
-                    
-                    docTypes.reset(); // rewind result set to the beginning
-                    
+
+                    thisQsm = new QuerySolutionMap();
+                    thisQsm.add(SPIN.THIS_VAR_NAME, accessTo);
+
                     // special case where the agent is the owner of the requested document - automatically grant acl:Read/acl:Append/acl:Write access
-                    if (isOwner(docTypes, agent))
+                    if (agent != null && isOwner(accessTo, agent))
                     {
                         log.debug("Agent <{}> is the owner of <{}>, granting acl:Read/acl:Append/acl:Write access", agent, accessTo);
                         return createOwnerAuthorization(accessTo, agent);
                     }
+
+                    docTypesResult.close();
+                    docTypesResult = loadResultSet(getApplication().getService(), getDocumentTypeQuery(), thisQsm);
+                    try
+                    {
+                        Set<Resource> parentTypes = new HashSet<>();
+                        docTypesResult.forEachRemaining(qs -> parentTypes.add(qs.getResource("Type")));
+
+                        // only root and containers allow child documents
+                        if (Collections.disjoint(parentTypes, Set.of(Default.Root, DH.Container))) return null;
+
+                        docTypesResult.reset(); // rewind result set to the beginning
+                    }
+                    finally
+                    {
+                        docTypesResult.close(); 
+                    }
                 }
                 else return null;
             }
 
             ParameterizedSparqlString pss = getApplication().canAs(EndUserApplication.class) ? getACLQuery() : getOwnerACLQuery();
-            Query query = new SetResultSetValues().apply(pss.asQuery(), docTypes);
+            Query query = new SetResultSetValues().apply(pss.asQuery(), docTypesResult);
             pss = new ParameterizedSparqlString(query.toString()); // make sure VALUES are now part of the query string
             assert pss.toString().contains("VALUES");
 
@@ -221,7 +228,7 @@ public Resource authorize(ContainerRequestContext request, Resource agent, Resou
         }
         finally
         {
-            docTypes.close();
+            docTypesResult.close();
         }
     }
 
@@ -248,21 +255,47 @@ public Resource getAuthorizationByMode(Model authModel, Resource accessMode)
     /**
      * Checks if the given agent is the <code>acl:owner</code> of the document.
      * 
-     * @param docTypes The result set containing document metadata.
-     * @param agent The agent whose ownership is checked.
+     * @param accessTo the document URI
+     * @param agent the agent whose ownership is checked.
      * @return true if the agent is the owner, false otherwise.
      */
-    protected boolean isOwner(ResultSetRewindable docTypes, Resource agent)
+    protected boolean isOwner(Resource accessTo, Resource agent)
     {
+        QuerySolutionMap qsm = new QuerySolutionMap();
+        qsm.add(SPIN.THIS_VAR_NAME, accessTo);
+
+        ResultSetRewindable docOwnerResult = loadResultSet(getApplication().getService(), getDocumentOwnerQuery(), qsm); // could use ASK query in principle
+        try
+        {
+            return isOwner(docOwnerResult, agent);
+        }
+        finally
+        {
+            docOwnerResult.close();
+        }
+    }
+    
+    /**
+     * Checks if the given agent is the <code>acl:owner</code> of the document.
+     * 
+     * @param docOwnerResult the result set containing document metadata
+     * @param agent the agent whose ownership is checked
+     * @return true if the agent is the owner, false otherwise.
+     */
+    protected boolean isOwner(ResultSetRewindable docOwnerResult, Resource agent)
+    {
+        if (docOwnerResult == null) throw new IllegalArgumentException("ResultSet cannot be null");
+        if (agent == null) throw new IllegalArgumentException("Agent resource cannot be null");
+
         Resource owner = null;
 
-        while (docTypes.hasNext())
+        while (docOwnerResult.hasNext())
         {
-            QuerySolution qs = docTypes.next();
+            QuerySolution qs = docOwnerResult.next();
             if (owner == null && qs.contains("owner")) owner = qs.getResource("owner");
         }
 
-        docTypes.reset();
+        docOwnerResult.reset();
 
         return owner != null && owner.equals(agent);
     }
@@ -363,6 +396,17 @@ public ParameterizedSparqlString getDocumentTypeQuery()
         return documentTypeQuery.copy();
     }
 
+    public ParameterizedSparqlString getDocumentOwnerQuery()
+    {
+        return new ParameterizedSparqlString("PREFIX  acl:  <http://www.w3.org/ns/auth/acl#>\n" +
+"\n" +
+"SELECT  ?owner\n" +
+"WHERE\n" +
+"  { GRAPH $this\n" +
+"      { $this  acl:owner  $owner }\n" +
+"  }");
+    }
+    
     /**
      * Returns the SPARQL service for agent data.
      *