Merge pull request #9 from JPL-Devin/devin/1776748059-collection-ref-validation

dlamoris · web-flow · commit c755238964e3 · 2026-04-26T15:09:03.000-07:00
Add ref existence and admin permission validation for collection creation
diff --git a/src/main/kotlin/org/openmbee/flexo/mms/UserQuery.kt b/src/main/kotlin/org/openmbee/flexo/mms/UserQuery.kt
@@ -157,7 +157,9 @@ suspend fun AnyLayer1Context.processAndSubmitUserQuery(queryRequest: SparqlQuery
     } else {
         graphIris.add(targetGraphIri)
     }
-
+    if (graphIris.isEmpty()) {
+        //TODO return empty, otherwise user query will be made against triple store's default graph
+    }
     // parse user query
     val userQuery = try {
         if(baseIri != null) {
diff --git a/src/main/kotlin/org/openmbee/flexo/mms/routes/ldp/CollectionWrite.kt b/src/main/kotlin/org/openmbee/flexo/mms/routes/ldp/CollectionWrite.kt
@@ -1,6 +1,8 @@
 package org.openmbee.flexo.mms.routes.ldp
 
 import io.ktor.http.*
+import kotlinx.serialization.json.jsonObject
+import kotlinx.serialization.json.jsonPrimitive
 import org.apache.jena.vocabulary.RDF
 import org.openmbee.flexo.mms.*
 import org.openmbee.flexo.mms.server.LdpDcLayer1Context
@@ -71,7 +73,108 @@ suspend fun <TResponseContext: LdpMutateResponse> LdpDcLayer1Context<TResponseCo
 
     // retrieve the resolved collects URIs
     val collectsUris = call.attributes[COLLECTS_URIS_KEY]
-    //TODO check user has admin permission on the refs
+
+    // Step 1: Verify all refs exist and determine their types
+    val valuesClause = collectsUris.joinToString(" ") { "<$it>" }
+
+    val refExistenceQuery = """
+        select ?ref ?refType where {
+            values ?ref { $valuesClause }
+            #graph m-graph:Cluster { ## having the filter and binding doesn't work and returns nothing?
+            #    ?repo a mms:Repo .
+            #    filter(strstarts(str(?ref), concat(str(?repo), "/")))
+            #}
+            # derive the repo metadata graph IRI from the repo IRI
+            #bind(iri(concat(str(?repo), "/graphs/Metadata")) as ?repoMetaGraph)
+            graph ?repoMetaGraph {
+                ?ref a ?refType .
+                filter(?refType in (mms:Branch, mms:Lock, mms:Scratch))
+            }
+        }
+    """.trimIndent()
+
+    val existenceResults = executeSparqlSelectOrAsk(refExistenceQuery) {
+        prefixes(prefixes)
+    }
+    val existenceBindings = parseSparqlResultsJsonSelect(existenceResults)
+    val foundRefTypes = existenceBindings.mapNotNull { binding ->
+        val ref = binding["ref"]?.jsonObject?.get("value")?.jsonPrimitive?.content
+        val refType = binding["refType"]?.jsonObject?.get("value")?.jsonPrimitive?.content
+        if (ref != null && refType != null) ref to refType else null
+    }.toMap()
+
+    for (uri in collectsUris) {
+        if (uri !in foundRefTypes) {
+            throw Http404Exception("Ref <$uri> does not exist")
+        }
+    }
+
+    // Step 2: Verify admin permission on each ref, correlating ref type with required permission
+    // Derive repo and org scope URIs from the ref URI to avoid the Cluster graph lookup
+    // (Fuseki does not reliably evaluate filter(strstarts) with VALUES-bound variables)
+    val clusterUri = prefixes["m"]!!
+    val refPermissionValues = foundRefTypes.entries.joinToString("\n") { (ref, refType) ->
+        val requiredPerm = when {
+            refType.endsWith("Branch") -> "mms-object:Permission.UpdateBranch"
+            refType.endsWith("Lock") -> "mms-object:Permission.UpdateLock"
+            refType.endsWith("Scratch") -> "mms-object:Permission.UpdateScratch"
+            else -> throw Http400Exception("Unknown ref type: $refType")
+        }
+        val repoUri = ref.replace(Regex("/(branches|locks|scratches)/.*$"), "")
+        val orgUri = repoUri.replace(Regex("/repos/.*$"), "")
+        "( <$ref> $requiredPerm <$repoUri> <$orgUri> <$clusterUri> )"
+    }
+
+    val permissionQuery = """
+        select ?ref where {
+            values (?ref ?requiredPerm ?repoScope ?orgScope ?clusterScope) { $refPermissionValues }
+            
+            graph m-graph:AccessControl.Policies {
+                ?policy a mms:Policy ;
+                    mms:scope ?scope ;
+                    mms:role ?role .
+            }
+            
+            {
+                graph m-graph:AccessControl.Policies {
+                    ?policy mms:subject mu: .
+                }
+            } union {
+                graph m-graph:AccessControl.Agents {
+                    ?group a mms:Group ;
+                        mms:id ?groupId .
+                    values ?groupId {
+                        # @values groupId
+                    }
+                }
+                graph m-graph:AccessControl.Policies {
+                    ?policy mms:subject ?group .
+                }
+            }
+            
+            filter(?scope = ?ref || ?scope = ?repoScope || ?scope = ?orgScope || ?scope = ?clusterScope)
+            
+            graph m-graph:AccessControl.Definitions {
+                ?role a mms:Role ;
+                    mms:permits ?permission .
+                ?permission a mms:Permission ;
+                    mms:implies* ?requiredPerm .
+            }
+        }
+    """.trimIndent()
+
+    val permissionResults = executeSparqlSelectOrAsk(permissionQuery) {
+        prefixes(prefixes)
+    }
+    val permissionBindings = parseSparqlResultsJsonSelect(permissionResults)
+    val permittedRefs = permissionBindings.mapNotNull { it["ref"]?.jsonObject?.get("value")?.jsonPrimitive?.content }.toSet()
+
+    for (uri in collectsUris) {
+        if (uri !in permittedRefs) {
+            throw Http403Exception(this, "Ref <$uri>")
+        }
+    }
+
     // resolve ambiguity
     if(intentIsAmbiguous) {
         // ask if collection exists
diff --git a/src/test/kotlin/org/openmbee/flexo/mms/CollectionLdpDc.kt b/src/test/kotlin/org/openmbee/flexo/mms/CollectionLdpDc.kt
@@ -57,7 +57,7 @@ fun TriplesAsserter.validateCreatedCollectionTriples(
 
 class CollectionLdpDc : CollectionAny() {
     init {
-        "PUT $demoCollectionPath - create valid collection" {
+        "PUT collection - create valid collection" {
             testApplication {
                 httpPut(demoCollectionPath) {
                     setTurtleBody(withAllTestPrefixes(validCollectionBody))
@@ -67,7 +67,7 @@ class CollectionLdpDc : CollectionAny() {
             }
         }
 
-        "PUT $demoCollectionPath - replace existing collection" {
+        "PUT collection - replace existing collection" {
             testApplication {
                 // create initial collection
                 httpPut(demoCollectionPath) {
@@ -88,15 +88,15 @@ class CollectionLdpDc : CollectionAny() {
             }
         }
 
-        "GET $demoCollectionPath - non-existent" {
+        "GET collection - non-existent" {
             testApplication {
                 httpGet(demoCollectionPath) {}.apply {
                     this shouldHaveStatus HttpStatusCode.NotFound
                 }
             }
         }
 
-        "GET $demoCollectionPath - valid" {
+        "GET collection - valid" {
             testApplication {
                 httpPut(demoCollectionPath) {
                     setTurtleBody(withAllTestPrefixes(validCollectionBody))
@@ -111,7 +111,7 @@ class CollectionLdpDc : CollectionAny() {
             }
         }
 
-        "HEAD $demoCollectionPath - valid" {
+        "HEAD collection - valid" {
             testApplication {
                 httpPut(demoCollectionPath) {
                     setTurtleBody(withAllTestPrefixes(validCollectionBody))
@@ -123,7 +123,7 @@ class CollectionLdpDc : CollectionAny() {
             }
         }
 
-        "GET $basePathCollections - all collections" {
+        "GET collections - all collections" {
             testApplication {
                 httpPut(demoCollectionPath) {
                     setTurtleBody(withAllTestPrefixes(validCollectionBody))
@@ -135,7 +135,7 @@ class CollectionLdpDc : CollectionAny() {
             }
         }
 
-        "PUT $demoCollectionPath - reject missing mms:collects" {
+        "PUT collection - reject missing mms:collects" {
             testApplication {
                 httpPut(demoCollectionPath) {
                     setTurtleBody(withAllTestPrefixes("""
@@ -147,7 +147,7 @@ class CollectionLdpDc : CollectionAny() {
             }
         }
 
-        "POST $basePathCollections - create valid collection" {
+        "POST collections - create valid collection" {
             testApplication {
                 httpPost(basePathCollections) {
                     header(HttpHeaders.SLUG, demoCollectionId)
diff --git a/src/test/kotlin/org/openmbee/flexo/mms/CollectionQueryTest.kt b/src/test/kotlin/org/openmbee/flexo/mms/CollectionQueryTest.kt
@@ -12,7 +12,7 @@ class CollectionQueryTest : CollectionAny() {
     override val logger = LoggerFactory.getLogger(CollectionQueryTest::class.java)
 
     init {
-        "POST $demoCollectionPath/query - non-existent collection returns 404" {
+        "POST collection query - non-existent collection returns 404" {
             testApplication {
                 httpPost("$demoCollectionPath/query") {
                     setSparqlQueryBody(queryPersonNames)
@@ -22,7 +22,7 @@ class CollectionQueryTest : CollectionAny() {
             }
         }
 
-        "POST $demoCollectionPath/query - query across branch and lock returns union" {
+        "POST collection query - query across branch and lock returns union" {
             testApplication {
                 // insert Alice into first repo's master branch
                 commitModel(masterBranchPath, insertAlice)
@@ -57,7 +57,7 @@ class CollectionQueryTest : CollectionAny() {
             }
         }
 
-        "POST $demoCollectionPath/query - query across branch and scratch returns union" {
+        "POST collection query - query across branch and scratch returns union" {
             testApplication {
                 // insert Alice into the master branch
                 commitModel(masterBranchPath, insertAlice)
@@ -91,7 +91,7 @@ class CollectionQueryTest : CollectionAny() {
             }
         }
 
-        "POST $demoCollectionPath/query - query across branch, lock, and scratch returns full union" {
+        "POST collection query - query across branch, lock, and scratch returns full union" {
             testApplication {
                 // insert Alice into first repo's master branch
                 commitModel(masterBranchPath, insertAlice)
@@ -134,7 +134,7 @@ class CollectionQueryTest : CollectionAny() {
             }
         }
 
-        "POST $demoCollectionPath/query - ASK query returns true when data exists" {
+        "POST collection query - ASK query returns true when data exists" {
             testApplication {
                 // insert Alice into the master branch
                 commitModel(masterBranchPath, insertAlice)
@@ -161,7 +161,7 @@ class CollectionQueryTest : CollectionAny() {
             }
         }
 
-        "POST $demoCollectionPath/query - ASK query returns false when no matching data" {
+        "POST collection query - ASK query returns false when no matching data" {
             testApplication {
                 // insert Bob (not Alice) into the master branch
                 commitModel(masterBranchPath, insertBob)
@@ -188,7 +188,7 @@ class CollectionQueryTest : CollectionAny() {
             }
         }
 
-        "POST $demoCollectionPath/query - CONSTRUCT returns union triples" {
+        "POST collection query - CONSTRUCT returns union triples" {
             testApplication {
                 // insert Alice into master branch
                 commitModel(masterBranchPath, insertAlice)
@@ -222,7 +222,7 @@ class CollectionQueryTest : CollectionAny() {
             }
         }
 
-        "POST $demoCollectionPath/query - FROM clause rejected with 403" {
+        "POST collection query - FROM clause rejected with 403" {
             testApplication {
                 // create collection
                 httpPut(demoCollectionPath) {
@@ -246,7 +246,7 @@ class CollectionQueryTest : CollectionAny() {
             }
         }
 
-        "POST $demoCollectionPath/query - FROM NAMED clause rejected with 403" {
+        "POST collection query - FROM NAMED clause rejected with 403" {
             testApplication {
                 // create collection
                 httpPut(demoCollectionPath) {
@@ -272,7 +272,7 @@ class CollectionQueryTest : CollectionAny() {
             }
         }
 
-        "POST $demoCollectionPath/query/inspect - inspect generated query" {
+        "POST collection query inspect - inspect generated query" {
             testApplication {
                 // insert data and create collection
                 commitModel(masterBranchPath, insertAlice)
@@ -291,7 +291,7 @@ class CollectionQueryTest : CollectionAny() {
             }
         }
 
-        "GET $demoCollectionPath/graph - get union graph across branch and lock" {
+        "GET collection graph - get union graph across branch and lock" {
             testApplication {
                 // insert Alice into first repo
                 commitModel(masterBranchPath, insertAlice)
@@ -324,7 +324,7 @@ class CollectionQueryTest : CollectionAny() {
             }
         }
 
-        "POST $demoCollectionPath/query - single branch collection returns only that branch's data" {
+        "POST collection query - single branch collection returns only that branch's data" {
             testApplication {
                 // insert Alice into master
                 commitModel(masterBranchPath, insertAlice)
@@ -350,7 +350,7 @@ class CollectionQueryTest : CollectionAny() {
             }
         }
 
-        "POST $demoCollectionPath/query - lock preserves snapshot at time of locking" {
+        "POST collection query - lock preserves snapshot at time of locking" {
             testApplication {
                 // insert Alice, then lock
                 commitModel(masterBranchPath, insertAlice)
diff --git a/src/test/kotlin/org/openmbee/flexo/mms/CollectionValidationTest.kt b/src/test/kotlin/org/openmbee/flexo/mms/CollectionValidationTest.kt
diff --git a/src/test/kotlin/org/openmbee/flexo/mms/util/Requests.kt b/src/test/kotlin/org/openmbee/flexo/mms/util/Requests.kt

Original file line number	Diff line number	Diff line change
`@@ -57,7 +57,7 @@ fun TriplesAsserter.validateCreatedCollectionTriples(`
`57`	`57`
`58`	`58`	`class CollectionLdpDc : CollectionAny() {`
`59`	`59`	`init {`
`60`		`- "PUT $demoCollectionPath - create valid collection" {`
	`60`	`+ "PUT collection - create valid collection" {`
`61`	`61`	`testApplication {`
`62`	`62`	`httpPut(demoCollectionPath) {`
`63`	`63`	`setTurtleBody(withAllTestPrefixes(validCollectionBody))`
`@@ -67,7 +67,7 @@ class CollectionLdpDc : CollectionAny() {`
`67`	`67`	`}`
`68`	`68`	`}`
`69`	`69`
`70`		`- "PUT $demoCollectionPath - replace existing collection" {`
	`70`	`+ "PUT collection - replace existing collection" {`
`71`	`71`	`testApplication {`
`72`	`72`	`// create initial collection`
`73`	`73`	`httpPut(demoCollectionPath) {`
`@@ -88,15 +88,15 @@ class CollectionLdpDc : CollectionAny() {`
`88`	`88`	`}`
`89`	`89`	`}`
`90`	`90`
`91`		`- "GET $demoCollectionPath - non-existent" {`
	`91`	`+ "GET collection - non-existent" {`
`92`	`92`	`testApplication {`
`93`	`93`	`httpGet(demoCollectionPath) {}.apply {`
`94`	`94`	`this shouldHaveStatus HttpStatusCode.NotFound`
`95`	`95`	`}`
`96`	`96`	`}`
`97`	`97`	`}`
`98`	`98`
`99`		`- "GET $demoCollectionPath - valid" {`
	`99`	`+ "GET collection - valid" {`
`100`	`100`	`testApplication {`
`101`	`101`	`httpPut(demoCollectionPath) {`
`102`	`102`	`setTurtleBody(withAllTestPrefixes(validCollectionBody))`
`@@ -111,7 +111,7 @@ class CollectionLdpDc : CollectionAny() {`
`111`	`111`	`}`
`112`	`112`	`}`
`113`	`113`
`114`		`- "HEAD $demoCollectionPath - valid" {`
	`114`	`+ "HEAD collection - valid" {`
`115`	`115`	`testApplication {`
`116`	`116`	`httpPut(demoCollectionPath) {`
`117`	`117`	`setTurtleBody(withAllTestPrefixes(validCollectionBody))`
`@@ -123,7 +123,7 @@ class CollectionLdpDc : CollectionAny() {`
`123`	`123`	`}`
`124`	`124`	`}`
`125`	`125`
`126`		`- "GET $basePathCollections - all collections" {`
	`126`	`+ "GET collections - all collections" {`
`127`	`127`	`testApplication {`
`128`	`128`	`httpPut(demoCollectionPath) {`
`129`	`129`	`setTurtleBody(withAllTestPrefixes(validCollectionBody))`
`@@ -135,7 +135,7 @@ class CollectionLdpDc : CollectionAny() {`
`135`	`135`	`}`
`136`	`136`	`}`
`137`	`137`
`138`		`- "PUT $demoCollectionPath - reject missing mms:collects" {`
	`138`	`+ "PUT collection - reject missing mms:collects" {`
`139`	`139`	`testApplication {`
`140`	`140`	`httpPut(demoCollectionPath) {`
`141`	`141`	`setTurtleBody(withAllTestPrefixes("""`
`@@ -147,7 +147,7 @@ class CollectionLdpDc : CollectionAny() {`
`147`	`147`	`}`
`148`	`148`	`}`
`149`	`149`
`150`		`- "POST $basePathCollections - create valid collection" {`
	`150`	`+ "POST collections - create valid collection" {`
`151`	`151`	`testApplication {`
`152`	`152`	`httpPost(basePathCollections) {`
`153`	`153`	`header(HttpHeaders.SLUG, demoCollectionId)`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ class CollectionQueryTest : CollectionAny() {`
`12`	`12`	`override val logger = LoggerFactory.getLogger(CollectionQueryTest::class.java)`
`13`	`13`
`14`	`14`	`init {`
`15`		`- "POST $demoCollectionPath/query - non-existent collection returns 404" {`
	`15`	`+ "POST collection query - non-existent collection returns 404" {`
`16`	`16`	`testApplication {`
`17`	`17`	`httpPost("$demoCollectionPath/query") {`
`18`	`18`	`setSparqlQueryBody(queryPersonNames)`
`@@ -22,7 +22,7 @@ class CollectionQueryTest : CollectionAny() {`
`22`	`22`	`}`
`23`	`23`	`}`
`24`	`24`
`25`		`- "POST $demoCollectionPath/query - query across branch and lock returns union" {`
	`25`	`+ "POST collection query - query across branch and lock returns union" {`
`26`	`26`	`testApplication {`
`27`	`27`	`// insert Alice into first repo's master branch`
`28`	`28`	`commitModel(masterBranchPath, insertAlice)`
`@@ -57,7 +57,7 @@ class CollectionQueryTest : CollectionAny() {`
`57`	`57`	`}`
`58`	`58`	`}`
`59`	`59`
`60`		`- "POST $demoCollectionPath/query - query across branch and scratch returns union" {`
	`60`	`+ "POST collection query - query across branch and scratch returns union" {`
`61`	`61`	`testApplication {`
`62`	`62`	`// insert Alice into the master branch`
`63`	`63`	`commitModel(masterBranchPath, insertAlice)`
`@@ -91,7 +91,7 @@ class CollectionQueryTest : CollectionAny() {`
`91`	`91`	`}`
`92`	`92`	`}`
`93`	`93`
`94`		`- "POST $demoCollectionPath/query - query across branch, lock, and scratch returns full union" {`
	`94`	`+ "POST collection query - query across branch, lock, and scratch returns full union" {`
`95`	`95`	`testApplication {`
`96`	`96`	`// insert Alice into first repo's master branch`
`97`	`97`	`commitModel(masterBranchPath, insertAlice)`
`@@ -134,7 +134,7 @@ class CollectionQueryTest : CollectionAny() {`
`134`	`134`	`}`
`135`	`135`	`}`
`136`	`136`
`137`		`- "POST $demoCollectionPath/query - ASK query returns true when data exists" {`
	`137`	`+ "POST collection query - ASK query returns true when data exists" {`
`138`	`138`	`testApplication {`
`139`	`139`	`// insert Alice into the master branch`
`140`	`140`	`commitModel(masterBranchPath, insertAlice)`
`@@ -161,7 +161,7 @@ class CollectionQueryTest : CollectionAny() {`
`161`	`161`	`}`
`162`	`162`	`}`
`163`	`163`
`164`		`- "POST $demoCollectionPath/query - ASK query returns false when no matching data" {`
	`164`	`+ "POST collection query - ASK query returns false when no matching data" {`
`165`	`165`	`testApplication {`
`166`	`166`	`// insert Bob (not Alice) into the master branch`
`167`	`167`	`commitModel(masterBranchPath, insertBob)`
`@@ -188,7 +188,7 @@ class CollectionQueryTest : CollectionAny() {`
`188`	`188`	`}`
`189`	`189`	`}`
`190`	`190`
`191`		`- "POST $demoCollectionPath/query - CONSTRUCT returns union triples" {`
	`191`	`+ "POST collection query - CONSTRUCT returns union triples" {`
`192`	`192`	`testApplication {`
`193`	`193`	`// insert Alice into master branch`
`194`	`194`	`commitModel(masterBranchPath, insertAlice)`
`@@ -222,7 +222,7 @@ class CollectionQueryTest : CollectionAny() {`
`222`	`222`	`}`
`223`	`223`	`}`
`224`	`224`
`225`		`- "POST $demoCollectionPath/query - FROM clause rejected with 403" {`
	`225`	`+ "POST collection query - FROM clause rejected with 403" {`
`226`	`226`	`testApplication {`
`227`	`227`	`// create collection`
`228`	`228`	`httpPut(demoCollectionPath) {`
`@@ -246,7 +246,7 @@ class CollectionQueryTest : CollectionAny() {`
`246`	`246`	`}`
`247`	`247`	`}`
`248`	`248`
`249`		`- "POST $demoCollectionPath/query - FROM NAMED clause rejected with 403" {`
	`249`	`+ "POST collection query - FROM NAMED clause rejected with 403" {`
`250`	`250`	`testApplication {`
`251`	`251`	`// create collection`
`252`	`252`	`httpPut(demoCollectionPath) {`
`@@ -272,7 +272,7 @@ class CollectionQueryTest : CollectionAny() {`
`272`	`272`	`}`
`273`	`273`	`}`
`274`	`274`
`275`		`- "POST $demoCollectionPath/query/inspect - inspect generated query" {`
	`275`	`+ "POST collection query inspect - inspect generated query" {`
`276`	`276`	`testApplication {`
`277`	`277`	`// insert data and create collection`
`278`	`278`	`commitModel(masterBranchPath, insertAlice)`
`@@ -291,7 +291,7 @@ class CollectionQueryTest : CollectionAny() {`
`291`	`291`	`}`
`292`	`292`	`}`
`293`	`293`
`294`		`- "GET $demoCollectionPath/graph - get union graph across branch and lock" {`
	`294`	`+ "GET collection graph - get union graph across branch and lock" {`
`295`	`295`	`testApplication {`
`296`	`296`	`// insert Alice into first repo`
`297`	`297`	`commitModel(masterBranchPath, insertAlice)`
`@@ -324,7 +324,7 @@ class CollectionQueryTest : CollectionAny() {`
`324`	`324`	`}`
`325`	`325`	`}`
`326`	`326`
`327`		`- "POST $demoCollectionPath/query - single branch collection returns only that branch's data" {`
	`327`	`+ "POST collection query - single branch collection returns only that branch's data" {`
`328`	`328`	`testApplication {`
`329`	`329`	`// insert Alice into master`
`330`	`330`	`commitModel(masterBranchPath, insertAlice)`
`@@ -350,7 +350,7 @@ class CollectionQueryTest : CollectionAny() {`
`350`	`350`	`}`
`351`	`351`	`}`
`352`	`352`
`353`		`- "POST $demoCollectionPath/query - lock preserves snapshot at time of locking" {`
	`353`	`+ "POST collection query - lock preserves snapshot at time of locking" {`
`354`	`354`	`testApplication {`
`355`	`355`	`// insert Alice, then lock`
`356`	`356`	`commitModel(masterBranchPath, insertAlice)`