solid-server 5.7.7 → 5.7.9-alpha

package/.github/workflows/ci.yml

@@ -17,7 +17,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [12.x, 14.x, 16.x]
+        node-version: [16.x, 18.x]
         os: [ubuntu-latest]
 
     steps:
@@ -97,4 +97,4 @@ jobs:
           build-args: SOLID_SERVER_VERSION=${{ steps.tagName.outputs.version }}
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}

package/README.md

@@ -9,6 +9,8 @@
 
 `solid-server` lets you run a Solid server on top of the file-system. You can use it as a [command-line tool](https://github.com/solid/node-solid-server/blob/master/README.md#command-line-usage) (easy) or as a [library](https://github.com/solid/node-solid-server/blob/master/README.md#library-usage) (advanced).
 
+The [solid test suite](https://github.com/nodeSolidServer/node-solid-server/blob/main/test/surface/run-solid-test-suite.sh) runs as part of GitHub Actions on this repository, ensuring that this server is always (to the best of our knowledge) fully spec compliant.
+
 ## Solid Features supported
 - [x] [Linked Data Platform](http://www.w3.org/TR/ldp/)
 - [x] [Web Access Control](http://www.w3.org/wiki/WebAccessControl)

package/lib/acl-checker.js

@@ -28,7 +28,14 @@ class ACLChecker {
   constructor (resource, options = {}) {
     this.resource = resource
     this.resourceUrl = new URL(resource)
-    this.agentOrigin = options.strictOrigin && options.agentOrigin ? rdf.sym(options.agentOrigin) : null
+    this.agentOrigin = null
+    try {
+      if (options.strictOrigin && options.agentOrigin) {
+        this.agentOrigin = rdf.sym(options.agentOrigin)
+      }
+    } catch (e) {
+      // noop
+    }
     this.fetch = options.fetch
     this.fetchGraph = options.fetchGraph
     this.trustedOrigins = options.strictOrigin && options.trustedOrigins ? options.trustedOrigins.map(trustedOrigin => rdf.sym(trustedOrigin)) : null

package/lib/handlers/allow.js

@@ -72,9 +72,10 @@ function allow (mode) {
       }
     }
 
-    // check user is owner. Find owner from /.meta
-    if (resourceUrl.endsWith('.acl') && userId === await ldp.getOwner(req.hostname)) return next()
-
+    // check if user is owner. Check isOwner from /.meta
+    try {
+      if (resourceUrl.endsWith('.acl') && (await ldp.isOwner(userId, req.hostname))) return next()
+    } catch (err) {}
     const error = req.authError || await req.acl.getError(userId, mode)
     debug(`${mode} access denied to ${userId || '(none)'}: ${error.status} - ${error.message}`)
     next(error)

package/lib/handlers/patch.js

@@ -53,7 +53,11 @@ async function patchHandler (req, res, next) {
       ({ path, contentType } = await ldp.resourceMapper.mapUrlToFile(
         { url: req, createIfNotExists: true, contentType: contentTypeForNew(req) }))
       // check if a folder with same name exists
-      await ldp.checkItemName(req)
+      try {
+        await ldp.checkItemName(req)
+      } catch (err) {
+        return next(err)
+      }
       resourceExists = false
     }
     const { url } = await ldp.resourceMapper.mapFileToUrl({ path, hostname: req.hostname })
@@ -143,8 +147,6 @@ async function checkPermission (request, patchObject, resourceExists) {
   // Now that we know the details of the patch,
   // we might need to perform additional checks.
   let modes = []
-  // acl:default Write is required for create
-  if (!resourceExists) modes = ['Write']
   const { acl, session: { userId } } = request
   // Read access is required for DELETE and WHERE.
   // If we would allows users without read access,
@@ -164,7 +166,7 @@ async function checkPermission (request, patchObject, resourceExists) {
   if (!allAllowed) {
     // check owner with Control
     const ldp = request.app.locals.ldp
-    if (request.path.endsWith('.acl') && userId === await ldp.getOwner(request.hostname)) return Promise.resolve(patchObject)
+    if (request.path.endsWith('.acl') && await ldp.isOwner(userId, request.hostname)) return Promise.resolve(patchObject)
 
     const errors = await Promise.all(modes.map(mode => acl.getError(userId, mode)))
     const error = errors.filter(error => !!error)

package/lib/handlers/put.js

@@ -9,10 +9,17 @@ const { stringToStream } = require('../utils')
 async function handler (req, res, next) {
   debug(req.originalUrl)
   res.header('MS-Author-Via', 'SPARQL')
-
   const contentType = req.get('content-type')
+
+  // check if a folder or resource with same name exists
+  try {
+    const ldp = req.app.locals.ldp
+    await ldp.checkItemName(req)
+  } catch (e) {
+    return next(e)
+  }
   // check for valid rdf content for auxiliary resource and /profile/card
-  // in future we may check that /profile/card is a minimal valid WebID card
+  // TODO check that /profile/card is a minimal valid WebID card
   if (isAuxiliary(req) || req.originalUrl === '/profile/card') {
     if (contentType === 'text/turtle') {
       return bodyParser.text({ type: () => true })(req, res, () => putValidRdf(req, res, next))
@@ -21,17 +28,51 @@ async function handler (req, res, next) {
   return putStream(req, res, next)
 }
 
+// Verifies whether the user is allowed to perform Append PUT on the target
+async function checkPermission (request, resourceExists) {
+  // If no ACL object was passed down, assume permissions are okay.
+  if (!request.acl) return Promise.resolve()
+  // At this point, we already assume append access,
+  // we might need to perform additional checks.
+  let modes = []
+  // acl:default Write is required for PUT when Resource Exists
+  if (resourceExists) modes = ['Write']
+  // if (resourceExists && request.originalUrl.endsWith('.acl')) modes = ['Control']
+  const { acl, session: { userId } } = request
+
+  const allowed = await Promise.all(modes.map(mode => acl.can(userId, mode, request.method, resourceExists)))
+  const allAllowed = allowed.reduce((memo, allowed) => memo && allowed, true)
+  if (!allAllowed) {
+    // check owner with Control
+    // const ldp = request.app.locals.ldp
+    // if (request.path.endsWith('.acl') && userId === await ldp.getOwner(request.hostname)) return Promise.resolve()
+
+    const errors = await Promise.all(modes.map(mode => acl.getError(userId, mode)))
+    const error = errors.filter(error => !!error)
+      .reduce((prevErr, err) => prevErr.status > err.status ? prevErr : err, { status: 0 })
+    return Promise.reject(error)
+  }
+  return Promise.resolve()
+}
+
 // TODO could be renamed as putResource (it now covers container and non-container)
 async function putStream (req, res, next, stream = req) {
   const ldp = req.app.locals.ldp
+  // try {
+  // Obtain details of the target resource
+  let resourceExists = true
+  try {
+    // First check if the file already exists
+    await ldp.resourceMapper.mapUrlToFile({ url: req })
+  } catch (err) {
+    resourceExists = false
+  }
   try {
-    debug('test ' + req.get('content-type') + getContentType(req.headers))
+    if (!req.originalUrl.endsWith('.acl')) await checkPermission(req, resourceExists)
     await ldp.put(req, stream, getContentType(req.headers))
-    debug('succeded putting the file/folder')
     res.sendStatus(201)
     return next()
   } catch (err) {
-    debug('error putting the file/folder:' + err.message)
     err.message = 'Can\'t write file/folder: ' + err.message
     return next(err)
   }

package/lib/header.js

@@ -128,7 +128,7 @@ async function addPermissions (req, res, next) {
     getPermissionsFor(acl, null, req),
     getPermissionsFor(acl, session.userId, req)
   ])
-  if (resource.endsWith('.acl') && userPerms === '' && session.userId === await ldp.getOwner(req.hostname)) userPerms = 'control'
+  if (resource.endsWith('.acl') && userPerms === '' && await ldp.isOwner(session.userId, req.hostname)) userPerms = 'control'
   debug.ACL(`Permissions on ${resource} for ${session.userId || '(none)'}: ${userPerms}`)
   debug.ACL(`Permissions on ${resource} for public: ${publicPerms}`)
   res.set('WAC-Allow', `user="${userPerms}",public="${publicPerms}"`)

package/lib/ldp-middleware.js

@@ -25,7 +25,7 @@ function LdpMiddleware (corsSettings) {
   router.get('/*', index, allow('Read'), header.addPermissions, get)
   router.post('/*', allow('Append'), post)
   router.patch('/*', allow('Append'), patch)
-  router.put('/*', allow('Write'), put)
+  router.put('/*', allow('Append'), put)
   router.delete('/*', allow('Write'), del)
 
   return router

package/lib/ldp.js

@@ -157,37 +157,13 @@ class LDP {
     if (container) {
       extension = ''
     }
-    // Check for file or folder with same name
-    let testName, fileName
-    try {
-      // check for defaulted slug in NSS POST (slug with extension)
-      fileName = slug.endsWith(extension) || slug.endsWith(this.suffixAcl) || slug.endsWith(this.suffixMeta) ? slug : slug + extension
-      fileName = container ? fileName : fileName + '/'
-      const { url: testUrl } = await this.resourceMapper.mapFileToUrl({ hostname, path: containerPath + fileName })
-      const { path: testPath } = await this.resourceMapper.mapUrlToFile({ url: testUrl })
-      testName = container ? fs.lstatSync(testPath).isFile() : fs.lstatSync(testPath).isDirectory()
-    } catch (err) { testName = false }
-
-    if (testName) {
-      throw error(404, 'Container and resource cannot have the same name in URI')
-    }
 
-    // TODO: possibly package this in ldp.post
-    let resourceUrl = await ldp.getAvailableUrl(hostname, containerPath, { slug, extension })
+    // allways return a valid URL.
+    const resourceUrl = await ldp.getAvailableUrl(hostname, containerPath, { slug, extension, container })
     debug.handlers('POST -- Will create at: ' + resourceUrl)
-    let originalUrl = resourceUrl
-
-    if (container) {
-      // Create directory by an LDP PUT to the container's .meta resource
-      resourceUrl = `${resourceUrl}${resourceUrl.endsWith('/') ? '' : '/'}` // ${ldp.suffixMeta}`
-      if (originalUrl && !originalUrl.endsWith('/')) {
-        originalUrl += '/'
-      }
-    }
-    // const { url: putUrl } = await this.resourceMapper.mapFileToUrl({ path: resourceUrl, hostname })
 
     await ldp.put(resourceUrl, stream, contentType)
-    return URL.parse(originalUrl).path
+    return URL.parse(resourceUrl).path
   }
 
   isAuxResource (slug, extension) {
@@ -243,8 +219,11 @@ class LDP {
         'PUT request requires a content-type via the Content-Type header')
     }
 
-    // check if a folder or file with same name exists
-    await this.checkItemName(url)
+    // reject resource with percent-encoded $ extension
+    const dollarExtensionRegex = /%(?:24)\.[^%(?:24)]*$/ // /\$\.[^$]*$/
+    if ((url.url || url).match(dollarExtensionRegex)) {
+      throw error(400, 'Resource with a $.ext is not allowed by the server')
+    }
 
     // First check if we are above quota
     let isOverQuota
@@ -348,19 +327,30 @@ class LDP {
     } catch (err) { }
   }
 
+  // check if a document (or container) has the same name than a document (or container)
   async checkItemName (url) {
-    let testName
-    const itemUrl = (url.url || url)
+    let testName, testPath
+    const { hostname, pathname } = this.resourceMapper._parseUrl(url) // (url.url || url)
+    let itemUrl = this.resourceMapper.resolveUrl(hostname, pathname)
     const container = itemUrl.endsWith('/')
     try {
       const testUrl = container ? itemUrl.slice(0, -1) : itemUrl + '/'
       const { path: testPath } = await this.resourceMapper.mapUrlToFile({ url: testUrl })
-      // testName = fs.lstatSync(testPath).isDirectory()
       testName = container ? fs.lstatSync(testPath).isFile() : fs.lstatSync(testPath).isDirectory()
-    } catch (err) { testName = false }
-
+    } catch (err) {
+      testName = false
+
+      // item does not exist, check one level up the tree
+      if (itemUrl.endsWith('/')) itemUrl = itemUrl.substring(0, itemUrl.length - 1)
+      itemUrl = itemUrl.substring(0, itemUrl.lastIndexOf('/') + 1)
+      const { pathname } = this.resourceMapper._parseUrl(itemUrl) // (url.url || url)
+      // check not at root
+      if (pathname !== '/') {
+        return await this.checkItemName(itemUrl)
+      }
+    }
     if (testName) {
-      throw error(200, 'Container and resource cannot have the same name in URI')
+      throw error(404, `${testPath}: Container and resource cannot have the same name in URI`)
     }
   }
 
@@ -437,7 +427,7 @@ class LDP {
   // this is a hack to replace solid:owner, using solid:account in /.meta to avoid NSS migration
   // this /.meta has no functionality in actual NSS
   // comment https://github.com/solid/node-solid-server/pull/1604#discussion_r652903546
-  async getOwner (hostname) {
+  async isOwner (webId, hostname) {
     // const ldp = req.app.locals.ldp
     const rootUrl = this.resourceMapper.resolveUrl(hostname)
     let graph
@@ -445,8 +435,8 @@ class LDP {
       // TODO check for permission ?? Owner is a MUST
       graph = await this.getGraph(rootUrl + '/.meta')
       const SOLID = $rdf.Namespace('http://www.w3.org/ns/solid/terms#')
-      const owner = await graph.any(null, SOLID('account'), $rdf.sym(rootUrl + '/'))
-      return owner.uri
+      const owner = await graph.statementsMatching($rdf.sym(webId), SOLID('account'), $rdf.sym(rootUrl + '/'))
+      return owner.length
     } catch (error) {
       throw new Error(`Failed to get owner from ${rootUrl}/.meta, got ` + error)
     }
@@ -589,17 +579,26 @@ class LDP {
     }
   }
 
-  async getAvailableUrl (hostname, containerURI, { slug = uuid.v1(), extension }) {
+  async getAvailableUrl (hostname, containerURI, { slug = uuid.v1(), extension, container }) {
     let requestUrl = this.resourceMapper.resolveUrl(hostname, containerURI)
-    requestUrl = requestUrl.replace(/\/*$/, '/')
+    requestUrl = requestUrl.replace(/\/*$/, '/') // ??? what for
 
-    const { path: containerFilePath } = await this.resourceMapper.mapUrlToFile({ url: requestUrl })
-    let fileName = slug.endsWith(extension) || slug.endsWith(this.suffixAcl) || slug.endsWith(this.suffixMeta) ? slug : slug + extension
-    if (await promisify(fs.exists)(utilPath.join(containerFilePath, fileName))) {
-      fileName = `${uuid.v1()}-${fileName}`
-    }
-
-    return requestUrl + fileName
+    let itemName = slug.endsWith(extension) || slug.endsWith(this.suffixAcl) || slug.endsWith(this.suffixMeta) ? slug : slug + extension
+    try {
+      // check resource exists
+      const context = container ? '/' : ''
+      await this.resourceMapper.mapUrlToFile({ url: (requestUrl + itemName + context) })
+      itemName = `${uuid.v1()}-${itemName}`
+    } catch (e) {
+      try {
+        // check resource with same name exists
+        const context = !container ? '/' : ''
+        await this.resourceMapper.mapUrlToFile({ url: (requestUrl + itemName + context) })
+        itemName = `${uuid.v1()}-${itemName}`
+      } catch (e) {}
+    }
+    if (container) itemName += '/'
+    return requestUrl + itemName
   }
 
   getTrustedOrigins (req) {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "solid-server",
   "description": "Solid server on top of the file-system",
-  "version": "5.7.7",
+  "version": "5.7.9-alpha",
   "author": {
     "name": "Tim Berners-Lee",
     "email": "timbl@w3.org"
@@ -69,7 +69,7 @@
     "cached-path-relative": "^1.1.0",
     "camelize": "^1.0.1",
     "cheerio": "^1.0.0-rc.12",
-    "colorette": "^2.0.19",
+    "colorette": "^2.0.20",
     "commander": "^8.3.0",
     "cors": "^2.8.5",
     "debug": "^4.3.4",
@@ -82,27 +82,27 @@
     "get-folder-size": "^2.0.1",
     "glob": "^7.2.3",
     "global-tunnel-ng": "^2.7.1",
-    "handlebars": "^4.7.7",
+    "handlebars": "^4.7.8",
     "http-proxy-middleware": "^2.0.6",
-    "inquirer": "^8.2.5",
+    "inquirer": "^8.2.6",
     "into-stream": "^6.0.0",
     "ip-range-check": "0.2.0",
     "is-ip": "^3.1.0",
     "li": "^1.3.0",
-    "mashlib": "^1.8.8",
+    "mashlib": "^1.8.9",
     "mime-types": "^2.1.35",
     "negotiator": "^0.6.3",
-    "node-fetch": "^2.6.9",
+    "node-fetch": "^2.7.0",
     "node-forge": "^1.3.1",
     "node-mailer": "^0.1.1",
-    "nodemailer": "^6.9.1",
+    "nodemailer": "^6.9.7",
     "oidc-op-express": "^0.0.3",
     "owasp-password-strength-test": "^1.3.0",
     "recursive-readdir": "^2.2.3",
     "request": "^2.88.2",
     "rimraf": "^3.0.2",
     "solid-auth-client": "^2.5.6",
-    "solid-namespace": "^0.5.2",
+    "solid-namespace": "^0.5.3",
     "solid-ws": "^0.4.3",
     "text-encoder-lite": "^2.0.0",
     "the-big-username-blacklist": "^1.5.2",
@@ -110,26 +110,26 @@
     "urijs": "^1.19.11",
     "uuid": "^8.3.2",
     "valid-url": "^1.0.9",
-    "validator": "^13.9.0",
+    "validator": "^13.11.0",
     "vhost": "^3.0.2"
   },
   "devDependencies": {
-    "@solid/solid-auth-oidc": "^0.3.0",
-    "chai": "^4.3.7",
+    "@solid/solid-auth-oidc": "0.3.0",
+    "chai": "^4.3.10",
     "chai-as-promised": "7.1.1",
     "cross-env": "7.0.3",
     "dirty-chai": "2.0.1",
     "eslint": "^7.32.0",
     "localstorage-memory": "1.0.3",
-    "mocha": "^9.2.2",
-    "nock": "^13.3.0",
-    "node-mocks-http": "^1.12.2",
+    "mocha": "^10.2.0",
+    "nock": "^13.4.0",
+    "node-mocks-http": "^1.14.0",
     "nyc": "15.1.0",
     "pre-commit": "1.2.2",
     "randombytes": "2.1.0",
     "sinon": "12.0.1",
     "sinon-chai": "3.7.0",
-    "snyk": "^1.1119.0",
+    "snyk": "^1.1264.0",
     "standard": "16.0.4",
     "supertest": "^6.3.3",
     "turtle-validator": "1.1.1",