solid-server 5.6.9-beta

package/lib/handlers/patch.js

@@ -0,0 +1,203 @@
+// Express handler for LDP PATCH requests
+
+module.exports = handler
+
+const bodyParser = require('body-parser')
+const fs = require('fs')
+const debug = require('../debug').handlers
+const error = require('../http-error')
+const $rdf = require('rdflib')
+const crypto = require('crypto')
+const { overQuota, getContentType } = require('../utils')
+const withLock = require('../lock')
+
+// Patch parsers by request body content type
+const PATCH_PARSERS = {
+  'application/sparql-update': require('./patch/sparql-update-parser.js'),
+  'application/sparql-update-single-match': require('./patch/sparql-update-parser.js'),
+  'text/n3': require('./patch/n3-patch-parser.js')
+}
+
+const DEFAULT_FOR_NEW_CONTENT_TYPE = 'text/turtle'
+
+// Handles a PATCH request
+async function patchHandler (req, res, next) {
+  debug(`PATCH -- ${req.originalUrl}`)
+  res.header('MS-Author-Via', 'SPARQL')
+  try {
+    // Obtain details of the target resource
+    const ldp = req.app.locals.ldp
+    let path, contentType
+    let resourceExists = true
+    try {
+      // First check if the file already exists
+      ({ path, contentType } = await ldp.resourceMapper.mapUrlToFile({ url: req }))
+    } catch (err) {
+      // If the file doesn't exist, request one to be created with the default content type
+      ({ path, contentType } = await ldp.resourceMapper.mapUrlToFile(
+        { url: req, createIfNotExists: true, contentType: DEFAULT_FOR_NEW_CONTENT_TYPE }))
+      // check if a folder with same name exists
+      await ldp.checkItemName(req)
+      resourceExists = false
+    }
+    const { url } = await ldp.resourceMapper.mapFileToUrl({ path, hostname: req.hostname })
+    const resource = { path, contentType, url }
+    debug('PATCH -- Target <%s> (%s)', url, contentType)
+
+    // Obtain details of the patch document
+    const patch = {}
+    patch.text = req.body ? req.body.toString() : ''
+    patch.uri = `${url}#patch-${hash(patch.text)}`
+    patch.contentType = getContentType(req.headers)
+    debug('PATCH -- Received patch (%d bytes, %s)', patch.text.length, patch.contentType)
+    const parsePatch = PATCH_PARSERS[patch.contentType]
+    if (!parsePatch) {
+      throw error(415, `Unsupported patch content type: ${patch.contentType}`)
+    }
+
+    // Parse the patch document and verify permissions
+    const patchObject = await parsePatch(url, patch.uri, patch.text)
+    await checkPermission(req, patchObject, resourceExists)
+
+    // Create the enclosing directory, if necessary
+    await ldp.createDirectory(path, req.hostname)
+
+    // Patch the graph and write it back to the file
+    const result = await withLock(path, async () => {
+      const graph = await readGraph(resource)
+      await applyPatch(patchObject, graph, url)
+      return writeGraph(graph, resource, ldp.resourceMapper.resolveFilePath(req.hostname), ldp.serverUri)
+    })
+
+    // Send the result to the client
+    res.send(result)
+  } catch (err) {
+    return next(err)
+  }
+  return next()
+}
+
+// Reads the request body and calls the actual patch handler
+function handler (req, res, next) {
+  readEntity(req, res, () => patchHandler(req, res, next))
+}
+
+const readEntity = bodyParser.text({ type: () => true })
+
+// Reads the RDF graph in the given resource
+function readGraph (resource) {
+  // Read the resource's file
+  return new Promise((resolve, reject) =>
+    fs.readFile(resource.path, { encoding: 'utf8' }, function (err, fileContents) {
+      if (err) {
+        // If the file does not exist, assume empty contents
+        // (it will be created after a successful patch)
+        if (err.code === 'ENOENT') {
+          fileContents = ''
+          // Fail on all other errors
+        } else {
+          return reject(error(500, `Original file read error: ${err}`))
+        }
+      }
+      debug('PATCH -- Read target file (%d bytes)', fileContents.length)
+      resolve(fileContents)
+    })
+  )
+  // Parse the resource's file contents
+    .then((fileContents) => {
+      const graph = $rdf.graph()
+      debug('PATCH -- Reading %s with content type %s', resource.url, resource.contentType)
+      try {
+        $rdf.parse(fileContents, graph, resource.url, resource.contentType)
+      } catch (err) {
+        throw error(500, `Patch: Target ${resource.contentType} file syntax error: ${err}`)
+      }
+      debug('PATCH -- Parsed target file')
+      return graph
+    })
+}
+
+// Verifies whether the user is allowed to perform the patch on the target
+async function checkPermission (request, patchObject, resourceExists) {
+  // If no ACL object was passed down, assume permissions are okay.
+  if (!request.acl) return Promise.resolve(patchObject)
+  // At this point, we already assume append access,
+  // as this can be checked upfront before parsing the patch.
+  // Now that we know the details of the patch,
+  // we might need to perform additional checks.
+  let modes = []
+  // acl:default Write is required for create
+  if (!resourceExists) modes = ['Write']
+  const { acl, session: { userId } } = request
+  // Read access is required for DELETE and WHERE.
+  // If we would allows users without read access,
+  // they could use DELETE or WHERE to trigger 200 or 409,
+  // and thereby guess the existence of certain triples.
+  // DELETE additionally requires write access.
+  if (patchObject.delete) {
+    // ACTUALLY Read not needed by solid/test-suite only Write
+    modes = ['Read', 'Write']
+    // checks = [acl.can(userId, 'Read'), acl.can(userId, 'Write')]
+  } else if (patchObject.where) {
+    modes = modes.concat(['Read'])
+    // checks = [acl.can(userId, 'Read')]
+  }
+  const allowed = await Promise.all(modes.map(mode => acl.can(userId, mode, request.method, resourceExists)))
+  const allAllowed = allowed.reduce((memo, allowed) => memo && allowed, true)
+  if (!allAllowed) {
+    // check owner with Control
+    const ldp = request.app.locals.ldp
+    if (request.path.endsWith('.acl') && userId === await ldp.getOwner(request.hostname)) return Promise.resolve(patchObject)
+
+    const errors = await Promise.all(modes.map(mode => acl.getError(userId, mode)))
+    const error = errors.filter(error => !!error)
+      .reduce((prevErr, err) => prevErr.status > err.status ? prevErr : err, { status: 0 })
+    return Promise.reject(error)
+  }
+  return Promise.resolve(patchObject)
+}
+
+// Applies the patch to the RDF graph
+function applyPatch (patchObject, graph, url) {
+  debug('PATCH -- Applying patch')
+  return new Promise((resolve, reject) =>
+    graph.applyPatch(patchObject, graph.sym(url), (err) => {
+      if (err) {
+        const message = err.message || err // returns string at the moment
+        debug(`PATCH -- FAILED. Returning 409. Message: '${message}'`)
+        return reject(error(409, `The patch could not be applied. ${message}`))
+      }
+      resolve(graph)
+    })
+  )
+}
+
+// Writes the RDF graph to the given resource
+function writeGraph (graph, resource, root, serverUri) {
+  debug('PATCH -- Writing patched file')
+  return new Promise((resolve, reject) => {
+    const resourceSym = graph.sym(resource.url)
+    const serialized = $rdf.serialize(resourceSym, graph, resource.url, resource.contentType)
+
+    // First check if we are above quota
+    overQuota(root, serverUri).then((isOverQuota) => {
+      if (isOverQuota) {
+        return reject(error(413,
+          'User has exceeded their storage quota'))
+      }
+
+      fs.writeFile(resource.path, serialized, { encoding: 'utf8' }, function (err) {
+        if (err) {
+          return reject(error(500, `Failed to write file after patch: ${err}`))
+        }
+        debug('PATCH -- applied successfully')
+        resolve('Patch applied successfully.\n')
+      })
+    }).catch(() => reject(error(500, 'Error finding user quota')))
+  })
+}
+
+// Creates a hash of the given text
+function hash (text) {
+  return crypto.createHash('md5').update(text).digest('hex')
+}

package/lib/handlers/post.js

@@ -0,0 +1,99 @@
+module.exports = handler
+
+const Busboy = require('busboy')
+const debug = require('debug')('solid:post')
+const path = require('path')
+const header = require('../header')
+const patch = require('./patch')
+const error = require('../http-error')
+const { extensions } = require('mime-types')
+const getContentType = require('../utils').getContentType
+
+async function handler (req, res, next) {
+  const ldp = req.app.locals.ldp
+  const contentType = getContentType(req.headers)
+  debug('content-type is ', contentType)
+  // Handle SPARQL(-update?) query
+  if (contentType === 'application/sparql' ||
+      contentType === 'application/sparql-update') {
+    debug('switching to sparql query')
+    return patch(req, res, next)
+  }
+
+  // Handle container path
+  let containerPath = req.path
+  if (containerPath[containerPath.length - 1] !== '/') {
+    containerPath += '/'
+  }
+
+  // Check if container exists
+  let stats
+  try {
+    const ret = await ldp.exists(req.hostname, containerPath, false)
+    if (ret) {
+      stats = ret.stream
+    }
+  } catch (err) {
+    return next(error(err, 'Container not valid'))
+  }
+
+  // Check if container is a directory
+  if (stats && !stats.isDirectory()) {
+    debug('Path is not a container, 405!')
+    return next(error(405, 'Requested resource is not a container'))
+  }
+
+  // Dispatch to the right handler
+  if (req.is('multipart/form-data')) {
+    multi()
+  } else {
+    one()
+  }
+
+  function multi () {
+    debug('receving multiple files')
+
+    const busboy = new Busboy({ headers: req.headers })
+    busboy.on('file', async function (fieldname, file, filename, encoding, mimetype) {
+      debug('One file received via multipart: ' + filename)
+      const { url: putUrl } = await ldp.resourceMapper.mapFileToUrl(
+        { path: ldp.resourceMapper._rootPath + path.join(containerPath, filename), hostname: req.hostname })
+      try {
+        await ldp.put(putUrl, file, mimetype)
+      } catch (err) {
+        busboy.emit('error', err)
+      }
+    })
+    busboy.on('error', function (err) {
+      debug('Error receiving the file: ' + err.message)
+      next(error(500, 'Error receiving the file'))
+    })
+
+    // Handled by backpressure of streams!
+    busboy.on('finish', function () {
+      debug('Done storing files')
+      res.sendStatus(200)
+      next()
+    })
+    req.pipe(busboy)
+  }
+
+  function one () {
+    debug('Receving one file')
+    const { slug, link, 'content-type': contentType } = req.headers
+    const links = header.parseMetadataFromHeader(link)
+    const mimeType = contentType ? contentType.replace(/\s*;.*/, '') : ''
+    const extension = mimeType in extensions ? `.${extensions[mimeType][0]}` : ''
+
+    ldp.post(req.hostname, containerPath, req,
+      { slug, extension, container: links.isBasicContainer, contentType }).then(
+      resourcePath => {
+        debug('File stored in ' + resourcePath)
+        header.addLinks(res, links)
+        res.set('Location', resourcePath)
+        res.sendStatus(201)
+        next()
+      },
+      err => next(err))
+  }
+}

package/lib/handlers/put.js

@@ -0,0 +1,56 @@
+module.exports = handler
+
+const bodyParser = require('body-parser')
+const debug = require('debug')('solid:put')
+const getContentType = require('../utils').getContentType
+const HTTPError = require('../http-error')
+const { stringToStream } = require('../utils')
+
+async function handler (req, res, next) {
+  debug(req.originalUrl)
+  res.header('MS-Author-Via', 'SPARQL')
+
+  const contentType = req.get('content-type')
+  if (isAuxiliary(req)) {
+    if (contentType === 'text/turtle') {
+      return bodyParser.text({ type: () => true })(req, res, () => putAuxiliary(req, res, next))
+    } else return next(new HTTPError(415, 'RDF file contains invalid syntax'))
+  }
+  return putStream(req, res, next)
+}
+
+// TODO could be renamed as putResource (it now covers container and non-container)
+async function putStream (req, res, next, stream = req) {
+  const ldp = req.app.locals.ldp
+  try {
+    debug('test ' + req.get('content-type') + getContentType(req.headers))
+    await ldp.put(req, stream, getContentType(req.headers))
+    debug('succeded putting the file/folder')
+    res.sendStatus(201)
+    return next()
+  } catch (err) {
+    debug('error putting the file/folder:' + err.message)
+    err.message = 'Can\'t write file/folder: ' + err.message
+    return next(err)
+  }
+}
+
+// needed to avoid breaking access with bad acl
+// or breaking containement triples for meta
+function putAuxiliary (req, res, next) {
+  const ldp = req.app.locals.ldp
+  const contentType = req.get('content-type')
+  const requestUri = ldp.resourceMapper.getRequestUrl(req)
+
+  if (ldp.isValidRdf(req.body, requestUri, contentType)) {
+    const stream = stringToStream(req.body)
+    return putStream(req, res, next, stream)
+  }
+  next(new HTTPError(400, 'RDF file contains invalid syntax'))
+}
+
+function isAuxiliary (req) {
+  const originalUrlParts = req.originalUrl.split('.')
+  const ext = originalUrlParts[originalUrlParts.length - 1]
+  return (ext === 'acl' || ext === 'meta')
+}

package/lib/handlers/restrict-to-top-domain.js

@@ -0,0 +1,13 @@
+const HTTPError = require('../http-error')
+
+module.exports = function (req, res, next) {
+  const locals = req.app.locals
+  const ldp = locals.ldp
+  const serverUri = locals.host.serverUri
+  const hostname = ldp.resourceMapper.resolveUrl(req.hostname)
+  if (hostname === serverUri) {
+    return next()
+  }
+  const isLoggedIn = !!(req.session && req.session.userId)
+  return next(new HTTPError(isLoggedIn ? 403 : 401, 'Not allowed to access top-level APIs on accounts'))
+}

package/lib/header.js

@@ -0,0 +1,136 @@
+module.exports.addLink = addLink
+module.exports.addLinks = addLinks
+module.exports.parseMetadataFromHeader = parseMetadataFromHeader
+module.exports.linksHandler = linksHandler
+module.exports.addPermissions = addPermissions
+
+const li = require('li')
+const path = require('path')
+const metadata = require('./metadata.js')
+const debug = require('./debug.js')
+const utils = require('./utils.js')
+const error = require('./http-error')
+
+const MODES = ['Read', 'Write', 'Append', 'Control']
+const PERMISSIONS = MODES.map(m => m.toLowerCase())
+
+function addLink (res, value, rel) {
+  const oldLink = res.get('Link')
+  if (oldLink === undefined) {
+    res.set('Link', '<' + value + '>; rel="' + rel + '"')
+  } else {
+    res.set('Link', oldLink + ', ' + '<' + value + '>; rel="' + rel + '"')
+  }
+}
+
+function addLinks (res, fileMetadata) {
+  if (fileMetadata.isResource) {
+    addLink(res, 'http://www.w3.org/ns/ldp#Resource', 'type')
+  }
+  if (fileMetadata.isSourceResource) {
+    addLink(res, 'http://www.w3.org/ns/ldp#RDFSource', 'type')
+  }
+  if (fileMetadata.isContainer) {
+    addLink(res, 'http://www.w3.org/ns/ldp#Container', 'type')
+  }
+  if (fileMetadata.isBasicContainer) {
+    addLink(res, 'http://www.w3.org/ns/ldp#BasicContainer', 'type')
+  }
+  if (fileMetadata.isDirectContainer) {
+    addLink(res, 'http://www.w3.org/ns/ldp#DirectContainer', 'type')
+  }
+}
+
+async function linksHandler (req, res, next) {
+  const ldp = req.app.locals.ldp
+  let filename
+  try {
+    // Hack: createIfNotExists is set to true for PUT or PATCH requests
+    // because the file might not exist yet at this point.
+    // But it will be created afterwards.
+    // This should be improved with the new server architecture.
+    ({ path: filename } = await ldp.resourceMapper
+      .mapUrlToFile({ url: req, createIfNotExists: req.method === 'PUT' || req.method === 'PATCH' }))
+  } catch (e) {
+    // Silently ignore errors here
+    // Later handlers will error as well, but they will be able to given a more concrete error message (like 400 or 404)
+    return next()
+  }
+
+  if (path.extname(filename) === ldp.suffixMeta) {
+    debug.metadata('Trying to access metadata file as regular file.')
+
+    return next(error(404, 'Trying to access metadata file as regular file'))
+  }
+  const fileMetadata = new metadata.Metadata()
+  if (filename.endsWith('/')) {
+    fileMetadata.isContainer = true
+    fileMetadata.isBasicContainer = true
+  } else {
+    fileMetadata.isResource = true
+  }
+  // Add LDP-required Accept-Post header for OPTIONS request to containers
+  if (fileMetadata.isContainer && req.method === 'OPTIONS') {
+    res.header('Accept-Post', '*/*')
+  }
+  // Add ACL and Meta Link in header
+  addLink(res, utils.pathBasename(req.path) + ldp.suffixAcl, 'acl')
+  addLink(res, utils.pathBasename(req.path) + ldp.suffixMeta, 'describedBy')
+  // Add other Link headers
+  addLinks(res, fileMetadata)
+  next()
+}
+
+function parseMetadataFromHeader (linkHeader) {
+  const fileMetadata = new metadata.Metadata()
+  if (linkHeader === undefined) {
+    return fileMetadata
+  }
+  const links = linkHeader.split(',')
+  for (const linkIndex in links) {
+    const link = links[linkIndex]
+    const parsedLinks = li.parse(link)
+    for (const rel in parsedLinks) {
+      if (rel === 'type') {
+        if (parsedLinks[rel] === 'http://www.w3.org/ns/ldp#Resource') {
+          fileMetadata.isResource = true
+        } else if (parsedLinks[rel] === 'http://www.w3.org/ns/ldp#RDFSource') {
+          fileMetadata.isSourceResource = true
+        } else if (parsedLinks[rel] === 'http://www.w3.org/ns/ldp#Container') {
+          fileMetadata.isContainer = true
+        } else if (parsedLinks[rel] === 'http://www.w3.org/ns/ldp#BasicContainer') {
+          fileMetadata.isBasicContainer = true
+        } else if (parsedLinks[rel] === 'http://www.w3.org/ns/ldp#DirectContainer') {
+          fileMetadata.isDirectContainer = true
+        }
+      }
+    }
+  }
+  return fileMetadata
+}
+
+// Adds a header that describes the user's permissions
+async function addPermissions (req, res, next) {
+  const { acl, session } = req
+  if (!acl) return next()
+
+  // Turn permissions for the public and the user into a header
+  const ldp = req.app.locals.ldp
+  const resource = ldp.resourceMapper.resolveUrl(req.hostname, req.path)
+  let [publicPerms, userPerms] = await Promise.all([
+    getPermissionsFor(acl, null, req),
+    getPermissionsFor(acl, session.userId, req)
+  ])
+  if (resource.endsWith('.acl') && userPerms === '' && session.userId === await ldp.getOwner(req.hostname)) userPerms = 'control'
+  debug.ACL(`Permissions on ${resource} for ${session.userId || '(none)'}: ${userPerms}`)
+  debug.ACL(`Permissions on ${resource} for public: ${publicPerms}`)
+  res.set('WAC-Allow', `user="${userPerms}",public="${publicPerms}"`)
+  next()
+}
+
+// Gets the permissions string for the given user and resource
+async function getPermissionsFor (acl, user, req) {
+  const accesses = MODES.map(mode => acl.can(user, mode))
+  const allowed = await Promise.all(accesses)
+  return PERMISSIONS.filter((mode, i) => allowed[i]).join(' ')
+}

package/lib/http-error.js

@@ -0,0 +1,34 @@
+module.exports = HTTPError
+
+function HTTPError (status, message) {
+  if (!(this instanceof HTTPError)) {
+    return new HTTPError(status, message)
+  }
+
+  // Error.captureStackTrace(this, this.constructor)
+  this.name = this.constructor.name
+
+  // If status is an object it will be of the form:
+  // {status: , message: }
+  if (typeof status === 'number') {
+    this.message = message || 'Error occurred'
+    this.status = status
+  } else {
+    const err = status
+    let _status
+    let _code
+    let _message
+    if (err && err.status) {
+      _status = err.status
+    }
+    if (err && err.code) {
+      _code = err.code
+    }
+    if (err && err.message) {
+      _message = err.message
+    }
+    this.message = message || _message
+    this.status = _status || _code === 'ENOENT' ? 404 : 500
+  }
+}
+require('util').inherits(module.exports, Error)