Implement support for access controls directly on binary resources

Resolves: https://jira.duraspace.org/browse/FCREPO-1791
fcrepo4 · Nov 1, 2015 · fbd4520 · fbd4520
1 parent fa718f2
commit fbd4520
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 13 deletions.
diff --git a/src/main/java/org/fcrepo/auth/webac/WebACRolesProvider.java b/src/main/java/org/fcrepo/auth/webac/WebACRolesProvider.java
@@ -17,6 +17,7 @@
 
 import static java.util.Collections.unmodifiableList;
 import static com.hp.hpl.jena.rdf.model.ModelFactory.createDefaultModel;
+import static org.apache.commons.lang3.StringUtils.substringBeforeLast;
 import static org.fcrepo.auth.webac.URIConstants.FOAF_AGENT_VALUE;
 import static org.fcrepo.auth.webac.URIConstants.FOAF_MEMBER_VALUE;
 import static org.fcrepo.auth.webac.URIConstants.FOAF_GROUP;
@@ -28,7 +29,10 @@
 import static org.fcrepo.auth.webac.URIConstants.WEBAC_AUTHORIZATION;
 import static org.fcrepo.auth.webac.URIConstants.WEBAC_MODE_VALUE;
 import static org.fcrepo.auth.webac.URIConstants.WEBAC_NAMESPACE_VALUE;
+import static org.fcrepo.kernel.api.FedoraJcrTypes.JCR_CONTENT;
 import static org.fcrepo.kernel.api.utils.UncheckedFunction.uncheck;
+import static org.fcrepo.kernel.modeshape.identifiers.NodeResourceConverter.nodeConverter;
+import static org.fcrepo.kernel.modeshape.utils.FedoraTypesUtils.isNonRdfSourceDescription;
 import static org.slf4j.LoggerFactory.getLogger;
 
 import java.net.URI;
@@ -54,6 +58,7 @@
 import org.fcrepo.http.commons.session.SessionFactory;
 import org.fcrepo.kernel.api.identifiers.IdentifierConverter;
 import org.fcrepo.kernel.api.models.FedoraResource;
+import org.fcrepo.kernel.api.models.NonRdfSourceDescription;
 import org.fcrepo.kernel.api.services.NodeService;
 import org.fcrepo.kernel.modeshape.rdf.impl.DefaultIdentifierTranslator;
 import org.fcrepo.kernel.modeshape.rdf.impl.PropertiesRdfContext;
@@ -114,7 +119,10 @@ private Map<String, List<String>> getAgentRoles(final FedoraResource resource) {
         LOGGER.debug("Getting agent roles for: {}", resource.getPath());
 
         // Get the effective ACL by searching the target node and any ancestors.
-        final Optional<Pair<URI, FedoraResource>> effectiveAcl = getEffectiveAcl(resource);
+        final Optional<Pair<URI, FedoraResource>> effectiveAcl = getEffectiveAcl(
+                isNonRdfSourceDescription.test(resource.getNode()) ?
+                    ((NonRdfSourceDescription)nodeConverter.convert(resource.getNode())).getDescribedResource() :
+                     resource);
 
         // Construct a list of acceptable acl:accessTo values for the target resource.
         final List<String> resourcePaths = new ArrayList<>();
@@ -301,7 +309,8 @@ private List<WebACAuthorization> getAuthorizations(final String location) {
                          .forEachRemaining(t -> {
                             aclTriples.putIfAbsent(t.getPredicate().getURI(), new ArrayList<>());
                              if (t.getObject().isURI()) {
-                                aclTriples.get(t.getPredicate().getURI()).add(t.getObject().getURI());
+                                 aclTriples.get(t.getPredicate().getURI()).add(
+                                     substringBeforeLast(t.getObject().getURI(), "/" + JCR_CONTENT));
                              } else if (t.getObject().isLiteral()) {
                                 aclTriples.get(t.getPredicate().getURI()).add(
                                     t.getObject().getLiteralValue().toString());
@@ -345,6 +354,7 @@ private static Optional<Pair<URI, FedoraResource>> getEffectiveAcl(final FedoraR
                 .forEachRemaining(t -> {
                     acls.add(t.getObject().getURI());
                 });
+
             if (!acls.isEmpty()) {
                 if (acls.size() > 1) {
                     LOGGER.warn("Found multiple ACLs defined for this node. Using: {}", acls.get(0));

diff --git a/src/test/java/org/fcrepo/integration/auth/webac/WebACRecipesIT.java b/src/test/java/org/fcrepo/integration/auth/webac/WebACRecipesIT.java
@@ -417,7 +417,6 @@ public void testAccessToRoot() throws IOException {
     }
 
     @Test
-    @Ignore("FAILING")
     public void testAccessToBinary() throws IOException {
         // Block access to "book"
         final String idBook = "/rest/book";
@@ -431,20 +430,17 @@ public void testAccessToBinary() throws IOException {
                 "/acls/07/authorization.ttl",
                 "/acls/07/authorization-book.ttl");
 
-        linkToAcl(idBook, acl);
+        linkToAcl(id + "/fcr:metadata", acl);
 
         logger.debug("Anonymous can't read");
-        final HttpGet request = getObjMethod(id);
-        try (final CloseableHttpResponse response = execute(request)) {
-            assertEquals(HttpStatus.SC_FORBIDDEN, getStatus(response));
-        }
+        final HttpGet requestGet1 = getObjMethod(id);
+        assertEquals(HttpStatus.SC_FORBIDDEN, getStatus(requestGet1));
 
         logger.debug("Can username 'smith123' read {}", testObj);
-        final HttpGet requestGet1 = getObjMethod(id);
-        setAuth(requestGet1, "smith123");
-        try (final CloseableHttpResponse response = execute(requestGet1)) {
-            assertEquals(HttpStatus.SC_OK, getStatus(response));
-        }
+        final HttpGet requestGet2 = getObjMethod(id);
+
+        setAuth(requestGet2, "smith123");
+        assertEquals(HttpStatus.SC_OK, getStatus(requestGet2));
     }
 
     @Test