From aae399e8a67e8a5c86f5c21796303c900c63fdf8 Mon Sep 17 00:00:00 2001 From: Nicola Fulvio Calabria <nicola.calabria@inaf.it> Date: Wed, 13 Jan 2021 14:06:29 +0100 Subject: [PATCH] Include ownership in write privilege check in CreateNodeController. Changed separator for group_write property to " " in CreateNodeController for consistency with NodeDAO --- .../oats/vospace/CreateNodeController.java | 36 ++++++++++++++----- .../vospace/CreateNodeControllerTest.java | 4 +-- 2 files changed, 30 insertions(+), 10 deletions(-) diff --git a/src/main/java/it/inaf/oats/vospace/CreateNodeController.java b/src/main/java/it/inaf/oats/vospace/CreateNodeController.java index ebf2c02..27e971d 100644 --- a/src/main/java/it/inaf/oats/vospace/CreateNodeController.java +++ b/src/main/java/it/inaf/oats/vospace/CreateNodeController.java @@ -32,14 +32,17 @@ public class CreateNodeController extends BaseNodeController { List<String> userGroups = principal.getGroups(); + // Validate payload node URI if (!isValidURI(node.getUri())) { throw new InvalidURIException(node.getUri()); } + // Check if payload URI is consistent with http request if (!isUrlConsistentWithPayloadURI(node.getUri(), path)) { throw new InvalidURIException(node.getUri(), path); } + // Check if another node is already present at specified path // This checks if the user is trying to insert the root node at "/" too if (nodeDao.listNode(path).isPresent()) { throw new DuplicateNodeException(path); 
@@ -49,26 +52,30 @@ public class CreateNodeController extends BaseNodeController { Node parentNode = nodeDao.listNode(getParentPath(path)) .orElseThrow(() -> new ContainerNotFoundException(getParentPath(path))); - List<String> groupWritePropValues = parentNode.getProperties().stream() - .filter((i) -> i.getUri() - .equals("ivo://ivoa.net/vospace/core#groupwrite")) - .map((i) -> i.getValue()) - .collect(Collectors.toList()); + // Check user write/ownership privilege against parent node + List<String> groupWritePropValues + = getNodePropertyByURI(parentNode, "ivo://ivoa.net/vospace/core#groupwrite"); if (groupWritePropValues.isEmpty()) { throw new PermissionDeniedException(path); } List<String> nodeGroups - = Arrays.asList(groupWritePropValues.get(0).split(",", -1)); + = Arrays.asList(groupWritePropValues.get(0).split(" ", -1)); if (!nodeGroups.stream().anyMatch((i) -> userGroups.contains(i))) { - throw new PermissionDeniedException(path); + // If groups don't match check ownership at least + List<String> nodeOwner + = getNodePropertyByURI(parentNode, "ivo://ivoa.net/vospace/core#creator"); + + if (nodeOwner.isEmpty() + || !nodeOwner.get(0).equals(principal.getName())) { + throw new PermissionDeniedException(path); + } } // Check if parent node is not a Container node and in case throw // appropriate exception - if (!parentNode.getType().equals("vos:ContainerNode")) { if (parentNode.getType().equals("vos:LinkNode")) { throw new LinkFoundException(getParentPath(path)); @@ -117,4 +124,17 @@ public class CreateNodeController extends BaseNodeController { return sb.toString(); } + + // Returns all properties stored inside the node under the requested + // property URI. + private List<String> getNodePropertyByURI(Node node, String propertyURI) { + + List<String> propertyList = node.getProperties().stream() + .filter((i) -> i.getUri() + .equals(propertyURI)) + .map((i) -> i.getValue()) + .collect(Collectors.toList()); + + return propertyList; + } } 
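Review bot: The new ownership fallback is unreachable when the parent node has no groupwrite property, because the `groupWritePropValues.isEmpty()` check still throws PermissionDeniedException before the creator comparison runs. The creator of such a container is therefore denied, which looks unintended given the commit subject. Evaluate ownership and group membership independently and deny only when both fail. Separately, `split(" ", -1)` keeps empty tokens for leading, trailing or doubled spaces, so drop empty entries before matching against `userGroups`. The enclosing method starts and ends outside this hunk, and no test exercising the creator path is visible in this patch.

```java
// Check user write/ownership privilege against parent node
List<String> groupWritePropValues
        = getNodePropertyByURI(parentNode, "ivo://ivoa.net/vospace/core#groupwrite");
List<String> nodeOwner
        = getNodePropertyByURI(parentNode, "ivo://ivoa.net/vospace/core#creator");

// Ownership grants write access even when no groupwrite property is set
boolean isOwner = !nodeOwner.isEmpty()
        && nodeOwner.get(0) != null
        && nodeOwner.get(0).equals(principal.getName());

// Ignore empty tokens produced by repeated or trailing separators
boolean inWriteGroup = !groupWritePropValues.isEmpty()
        && groupWritePropValues.get(0) != null
        && Arrays.stream(groupWritePropValues.get(0).split(" "))
                .filter((g) -> !g.isEmpty())
                .anyMatch((g) -> userGroups.contains(g));

if (!isOwner && !inWriteGroup) {
    throw new PermissionDeniedException(path);
}

// … unchanged: parent node type checks (ContainerNode / LinkNode) …
```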
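Review bot: `getNodePropertyByURI` calls `i.getUri().equals(propertyURI)`, which throws a NullPointerException if any property on the node has no URI, and this helper now sits on the authorization path, so a malformed stored property would surface as a server error instead of a clean deny. Whether Property URIs can be null is not visible here. Comparing the other way round, `.filter((i) -> propertyURI.equals(i.getUri()))`, removes the risk at no cost. The leading `//` comment would read better as Javadoc stating that the method returns the property values (possibly an empty list, possibly containing null values) rather than the properties themselves.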
diff --git a/src/test/java/it/inaf/oats/vospace/CreateNodeControllerTest.java b/src/test/java/it/inaf/oats/vospace/CreateNodeControllerTest.java
index dc807a1..fdb2a9a 100644
--- a/src/test/java/it/inaf/oats/vospace/CreateNodeControllerTest.java
+++ b/src/test/java/it/inaf/oats/vospace/CreateNodeControllerTest.java
@@ -48,7 +48,7 @@ public class CreateNodeControllerTest {
 // Set groupwrite property
 Property groups = new Property();
 groups.setUri("ivo://ivoa.net/vospace/core#groupwrite");
- groups.setValue("test1,test2");
+ groups.setValue("test1 test2");
 parentNode.setProperties(List.of(groups));
 return parentNode;
 }
@@ -60,7 +60,7 @@ public class CreateNodeControllerTest {
 // Set groupwrite property
 Property groups = new Property();
 groups.setUri("ivo://ivoa.net/vospace/core#groupwrite");
- groups.setValue("test1,test2");
+ groups.setValue("test1 test2");
 parentNode.setProperties(List.of(groups));
 return parentNode;
 }
-- GitLab