roadforest 0.5 → 0.7

data/lib/roadforest/remote-host.rb

@@ -3,11 +3,22 @@ require 'roadforest/source-rigor/credence-annealer'
 require 'roadforest/source-rigor/rigorous-access'
 require 'roadforest/source-rigor/graph-store' #XXX
 require 'roadforest/graph/graph-focus'
+require 'roadforest/graph/post-focus'
 require 'roadforest/http/user-agent'
 require 'roadforest/http/graph-transfer'
 require 'roadforest/http/adapters/excon'
+require 'addressable/template'
 
 module RoadForest
+  # This is a client's main entry point in RoadForest - we instantiate a
+  # RemoteHost to represent the server in the local program and interact with
+  # it. The design goal is that, having created a RemoteHost object, you should
+  # be able to forget that it isn't, in fact, part of your program. So, the
+  # details of TCP (or indeed HTTP, or whatever the network is doing) become
+  # incidental to the abstraction.
+  #
+  # One consequence being that you should be able to use a mock host for
+  # testing.
   class RemoteHost
     include Graph::Normalization
 
@@ -15,6 +26,8 @@ module RoadForest
       self.url = well_known_url
     end
     attr_reader :url
+    attr_accessor :grant_list_pattern
+    attr_writer :http_client
 
     def url=(string)
       @url = normalize_resource(string)
@@ -24,14 +37,18 @@ module RoadForest
       SourceRigor::GraphStore.new
     end
 
-    attr_writer :http_client
     def http_client
       @http_client ||= HTTP::ExconAdapter.new(url)
     end
 
-    def trace=(target)
+    def http_trace=(target)
       user_agent.trace = target
     end
+    alias trace= http_trace=
+
+    def graph_trace=(target)
+      graph_transfer.trace = target
+    end
 
     def user_agent
       @user_agent ||= HTTP::UserAgent.new(http_client)
@@ -41,8 +58,25 @@ module RoadForest
       @graph_transfer ||= HTTP::GraphTransfer.new(user_agent)
     end
 
+    def use_ca_cert(cert)
+      http_client.connection_defaults.merge!(:ssl_ca_file => cert)
+      http_client.reset_connections
+    end
+
+    def use_client_tls(key, cert)
+      http_client.connection_defaults.merge!(:client_key => key, :client_cert => cert)
+      http_client.reset_connections
+    end
+
+    def prepared_credential_source
+      @prepared_credential_source ||=
+        HTTP::PreparedCredentialSource.new.tap do |prepd|
+        user_agent.keychain.add_source(prepd)
+        end
+    end
+
     def add_credentials(username, password)
-      user_agent.keychain.add(url, username, password)
+      prepared_credential_source.add(url, username, password)
     end
 
     def source_rigor
@@ -59,63 +93,153 @@ module RoadForest
     end
 
     def anneal(focus)
-      graph = build_graph_store
+      graph = focus.access_manager.source_graph
       annealer = SourceRigor::CredenceAnnealer.new(graph)
       annealer.resolve do
+        focus.reset
         yield focus
       end
     end
 
-    def putting(&block)
+    class AuthorizationDecider
+      include Graph::Normalization
 
-      graph = build_graph_store
-      access = SourceRigor::UpdateManager.new
-      access.rigor = source_rigor
-      access.source_graph = graph
-      updater = Graph::GraphFocus.new(access, url)
+      def initialize(remote_host, focus)
+        @graph = SourceRigor::RetrieveManager.new
+        graph.rigor = remote_host.source_rigor
+        graph.source_graph = focus.access_manager.source_graph
 
-      annealer = SourceRigor::CredenceAnnealer.new(graph)
+        @resource = focus.subject
+        @keychain = remote_host.user_agent.keychain
+      end
 
-      annealer.resolve do
-        access.target_graph = ::RDF::Repository.new
-        yield updater
+      attr_reader :graph, :resource, :keychain, :grant_list_pattern
+
+      def forbidden?(method)
+        annealer = SourceRigor::CredenceAnnealer.new(graph.source_graph)
+
+        permissions = []
+        annealer.resolve do
+          permissions.clear
+          @grant_list_pattern = nil
+
+          graph.query(authby_query(method)) do |solution|
+            permissions << solution[:authz]
+          end
+          permissions.each do |grant|
+            return false if have_grant?(grant)
+          end
+        end
+
+        return false if permissions.empty?
+        return true
       end
 
-      target_graph = access.target_graph
-      target_graph.each_context do |context|
-        graph = ::RDF::Graph.new(context, :data => target_graph)
-        graph_transfer.put(context, graph)
+      def have_grant?(url)
+        creds = keychain.credentials_for(url)
+        if grant_list_pattern.nil? or creds.nil?
+          direct_check(url)
+        else
+          grant_list(creds).include?(url)
+        end
+      end
+
+      def direct_check(url)
+        statements = graph.query(:subject => url)
+        if !statements.empty?
+          return true
+        else
+          annealer = SourceRigor::CredenceAnnealer.new(graph.source_graph)
+          annealer.resolve do
+            graph.query(list_pattern_query(url)) do |solution|
+              @grant_list_pattern = solution[:pattern].value
+            end
+          end
+          return false
+        end
+      end
+
+      def grant_list(creds)
+        return [] if grant_list_pattern.nil?
+        template = Addressable::Template.new(grant_list_pattern)
+        grant_list_url = uri(template.expand( :username => creds.user.to_s ).to_s)
+        graph.query_resource_pattern(grant_list_url, :subject => grant_list_url, :predicate => Graph::Af.grants).map do |stmt|
+          stmt.object
+        end
+      end
+
+      def list_pattern_query(url)
+        SourceRigor::ResourceQuery.new([], :subject_context => url) do
+          pattern [:af, ::RDF.type, Graph::Af.Navigate]
+          pattern [:af, Graph::Af.target, :pnode]
+          pattern [:pnode, Graph::Af.pattern, :pattern]
+        end
+      end
+
+      def affordance_type(method)
+        case method.downcase
+        when "get"
+          Graph::Af.Navigate
+        when "post"
+          Graph::Af.Create
+        when "put"
+          Graph::Af.Update
+        when "delete"
+          Graph::Af.Destroy
+        else
+          Graph::Af[method] #allow passthrough
+        end
+      end
+
+      def authby_query(method)
+        af_type = affordance_type(method)
+        resource = self.resource
+        SourceRigor::ResourceQuery.new([], {:subject_context => resource}) do
+          pattern [:aff, Graph::Af.target, resource]
+          pattern [:aff, ::RDF.type, af_type]
+          pattern [:aff, Graph::Af.authorizedBy, :authz]
+        end
       end
     end
 
-    def posting(&block)
-      require 'roadforest/graph/post-focus'
+    def forbidden?(method, focus)
+      decider = AuthorizationDecider.new(self, focus)
 
+      decider.forbidden?(method)
+    end
+
+    def transaction(manager_class, focus_class, &block)
       graph = build_graph_store
-      access = SourceRigor::PostManager.new
+      access = manager_class.new
       access.rigor = source_rigor
       access.source_graph = graph
-      poster = Graph::PostFocus.new(access, url)
+      focus = focus_class.new(access, url)
 
-      graphs = {}
-      poster.graphs = graphs
+      anneal(focus, &block)
 
-      anneal(poster, &block)
+      return focus
+    end
 
-      graphs.each_pair do |url, graph|
-        graph_transfer.post(url, graph)
+    def putting(&block)
+      update = transaction(SourceRigor::UpdateManager, Graph::GraphFocus, &block)
+
+      access = update.access_manager
+
+      access.each_target do |context, graph|
+        graph_transfer.put(context, graph)
       end
     end
 
-    def getting(&block)
+    def posting(&block)
+      poster = transaction(SourceRigor::PostManager, Graph::PostFocus, &block)
 
-      graph = build_graph_store
-      access = SourceRigor::RetrieveManager.new
-      access.rigor = source_rigor
-      access.source_graph = graph
-      reader = Graph::GraphFocus.new(access, url)
+      poster.graphs.each_pair do |url, graph|
+        graph_transfer.post(url, graph)
+      end
+    end
 
-      anneal(reader, &block)
+    def getting(&block)
+      transaction(SourceRigor::RetrieveManager, Graph::GraphFocus, &block)
     end
 
     def put_file(destination, type, io)
@@ -124,7 +248,7 @@ module RoadForest
       elsif destination.respond_to?(:to_s)
         destination = destination.to_s
       end
-      response = user_agent.make_request("PUT", destination, {"Content-Type" => type}, io)
+      user_agent.make_request("PUT", destination, {"Content-Type" => type}, io)
     end
 
     #TODO:

data/lib/roadforest/resource/read-only.rb

@@ -20,9 +20,9 @@ module RoadForest
         ### RoadForest interface
 
         def params
-          params = Application::Parameters.new do |params|
+          Application::Parameters.new do |params|
             params.path_info = @request.path_info
-            params.query_params = @request.query_params
+            params.query_params = @request.query
             params.path_tokens = @request.path_tokens
           end
         end
@@ -84,12 +84,16 @@ module RoadForest
 
         def content_types_provided
           content_engine.renderers.type_map
-        rescue => ex
+        rescue
           super
         end
 
+        def required_grants(method)
+          @interface.required_grants(method)
+        end
+
         def is_authorized?(header)
-          @authorization = @interface.authorization(request.method, header)
+          @authorization = @interface.authorization(request)
           if(@authorization == :public || @authorization == :granted)
             return true
           end
@@ -98,6 +102,21 @@ module RoadForest
 
         #XXX Add cache-control headers here
         def finish_request
+          if (400..499).include? response.code
+            set_error_body(response.code)
+          end
+        end
+
+        def error_data(status)
+          @interface.error_data(status)
+        end
+
+        def set_error_body(status)
+          data= error_data(status)
+          return "" if data.nil?
+          renderer = content_engine.choose_renderer(request.headers["Accept"])
+          response.headers["Content-Type"] = renderer.type.content_type_header
+          response.body = renderer.local_to_network(request_uri, data)
         end
 
         def resource_exists?

data/lib/roadforest/server.rb

@@ -3,16 +3,17 @@ require 'roadforest/application'
 require 'roadforest/interfaces'
 
 module RoadForest
-  def self.serve(application, services)
+  def self.serve(services)
     require 'webrick/accesslog'
-    application.services = services
+
+    application = RoadForest::Application.new(services)
 
     logfile = services.logger
     logfile.info("#{Time.now.to_s}: Starting Roadforest server")
 
     application.configure do |config|
       config.adapter_options = {
-        :Logger => WEBrick::Log.new(logfile),
+        :Logger => WEBrick::Log.new(logfile, WEBrick::BasicLog::DEBUG ),
         :AccessLog => [
           [logfile, WEBrick::AccessLog::COMMON_LOG_FORMAT ],
           [logfile, WEBrick::AccessLog::REFERER_LOG_FORMAT ]
@@ -22,4 +23,32 @@ module RoadForest
     end
     application.run
   end
+
+  module SSL
+    class << self
+      def enable(config, key, cert)
+        require 'webrick/https'
+        key = OpenSSL::PKey::RSA.new(File.read(key))
+        cert = OpenSSL::X509::Certificate.new(File.read(cert))
+        config.adapter_options.merge!( :SSLEnable => true, :SSLPrivateKey => key, :SSLCertificate => cert,
+                                      :SSLCertName => [["CN", WEBrick::Utils::getservername]]
+                                     )
+      end
+      def add_ca_cert(config, cert_file)
+        config.adapter_options.merge!( :SSLCACertificateFile => cert_file)
+      end
+
+      module ClientCert
+        def client_cert
+          wreq = @body.instance_variable_get("@request")
+          wreq.client_cert
+        end
+      end
+
+      def add_client_verify(config)
+        Webmachine::Request.instance_eval{include(ClientCert)}
+        config.adapter_options.merge!( :SSLEnable => true, :SSLVerifyClient => OpenSSL::SSL::VERIFY_PEER)
+      end
+    end
+  end
 end

data/lib/roadforest/source-rigor/graph-store.rb

@@ -122,8 +122,6 @@ module RoadForest
     end
 
     def insert_statement(statement)
-      #puts "\n#{__FILE__}:#{__LINE__} => #{[self.object_id,
-      #statement].inspect}"
       repository.insert(statement)
 
       repository.delete([statement.context, expand_curie([:rf, "impulse"]), nil])

data/lib/roadforest/source-rigor/rigorous-access.rb

@@ -2,10 +2,13 @@ require 'roadforest/graph/access-manager'
 require 'roadforest/source-rigor/resource-query'
 require 'roadforest/source-rigor/resource-pattern'
 require 'roadforest/source-rigor/parcel'
+require 'roadforest/path-matcher'
 
 module RoadForest
   module SourceRigor
     module Rigorous
+      Af = Graph::Af
+
       attr_accessor :rigor
 
       def dup
@@ -30,9 +33,21 @@ module RoadForest
         execute_search(query, &block)
       end
 
+      def resource_pattern_from(pattern, resource = nil)
+        ResourcePattern.from(pattern, {:context_roles => {:subject => (resource || self.resource)}, :source_rigor => rigor})
+      end
+
+      def query_resource_pattern(resource, pattern, &block)
+        execute_search(resource_pattern_from(pattern, resource), &block)
+      end
+
       def query_pattern(pattern, &block)
-        pattern = ResourcePattern.from(pattern, {:context_roles => {:subject => resource}, :source_rigor => rigor})
-        execute_search(pattern, &block)
+        execute_search(resource_pattern_from(pattern), &block)
+      end
+
+      def delete(statement)
+        statement = resource_pattern_from(statement)
+        destination_graph.delete(statement)
       end
     end
 
@@ -49,53 +64,155 @@ module RoadForest
 
       def initialize
         @copied_contexts = {}
+        @inserts = Hash.new{|h,k| h[k] = []}
+        @deletes = Hash.new{|h,k| h[k] = []}
+      end
+
+      def reset
+        super
+
+        @copied_contexts.clear
+        @inserts.clear
+        @deletes.clear
+
+        source_graph.each_statement do |stmt|
+          target_graph << stmt
+        end
       end
 
-      attr_accessor :copied_contexts
+      attr_accessor :copied_contexts, :inserts, :deletes
 
       def dup
         other = super
         other.copied_contexts = self.copied_contexts
+        other.inserts = self.inserts
+        other.deletes = self.deletes
         other.target_graph = self.target_graph
         return other
       end
 
       def execute_search(search, &block)
-        enum = search.execute(destination_graph)
-        if enum.any?{ true }
-          enum.each(&block)
-          return enum
-        end
-        search.execute(origin_graph, &block)
+        destination_enum = search.execute(destination_graph)
+        source_enum = search.execute(origin_graph)
+
+        enum = destination_enum.any?{ true } ? destination_enum : source_enum
+
+        enum.each(&block)
+        return enum
+      end
+
+      def record_insert(statement)
+        @inserts[statement] << resource
+      end
+
+      def record_delete(statement)
+        @deletes[statement] << resource
+      end
+
+      def statement_from(statement)
+        ::RDF::Statement.from(statement)
       end
 
       def insert(statement)
-        copy_context
+        statement = statement_from(statement)
+        record_insert(statement)
+        statement.context ||= ::RDF::URI.intern("urn:local-insert")
         super
       end
 
       def delete(statement)
-        copy_context
+        statement = statement_from(statement)
+        record_delete(statement)
         super
       end
 
+      def each_payload
+        update_payload_query = ::RDF::Query.new do
+          pattern [ :affordance, Af.target, :resource ]
+          pattern [ :affordance, Af.payload, :pattern_root ]
+          pattern [ :affordance, RDF.type, Af.Update ]
+        end
+        query(update_payload_query).each do |solution|
+          yield(solution[:resource], solution[:pattern_root], parceller.graph_for(solution[:pattern_root]))
+        end
+      end
+
+      def each_target
+        all_subjects = Hash[destination_graph.subjects.map{|s| [s,true]}]
+        source_graph.subjects.each do |s|
+          all_subjects[s] = true
+        end
+        check_inserts = inserts.dup
+        check_deletes = deletes.dup
+        marked_inserts = []
+        marked_deletes = []
+
+        each_payload do |root, pattern_root, graph_pattern|
+          next unless all_subjects.has_key?(root)
+
+          marked_inserts.clear
+          marked_deletes.clear
+
+          matcher = PathMatcher.new
+          matcher.pattern = graph_pattern
+          matcher.pattern_root = pattern_root
+
+          source_match = matcher.match(root, source_graph)
+
+          dest_match = matcher.match(root, destination_graph)
+
+          if dest_match.successful?
+            check_inserts.each_key do |stmt|
+              if dest_match.graph.has_statement?(stmt)
+                marked_inserts << stmt
+              end
+            end
+          end
+
+          if source_match.successful?
+            check_deletes.each_key do |stmt|
+              if source_match.graph.has_statement?(stmt)
+                marked_deletes << stmt
+              end
+            end
+          end
+
+          if dest_match.successful?
+            if !source_match.successful? || (source_match.graph != dest_match.graph)
+
+              yield(root, dest_match.graph)
+
+              marked_inserts.each do |stmt|
+                check_inserts.delete(stmt)
+              end
+              marked_deletes.each do |stmt|
+                check_deletes.delete(stmt)
+              end
+            end
+          end
+        end
+
+        fallback_needed = {}
+        check_inserts.each_value do|resources|
+          resources.each {|resource| fallback_needed[resource] = true }
+        end
+        check_deletes.each_value do|resources|
+          resources.each {|resource| fallback_needed[resource] = true }
+        end
+
+        fallback_needed.each_key do |key|
+          yield(key, parceller.graph_for(key))
+        end
+      end
+
       def parceller
         @parceller ||=
           begin
             parceller = Parcel.new
-            parceller.graph = source_graph
+            parceller.graph = destination_graph
             parceller
           end
       end
-
-      def copy_context
-        return if copied_contexts[resource]
-        parceller.graph_for(resource).each_statement do |statement|
-          statement.context = resource
-          destination_graph << statement
-        end
-        copied_contexts[resource] = true
-      end
     end
   end
 end