[Access control] New operator "select query results not contain" (#432)

* created SPARQL_SELECT_QUERY_RESULTS_NOT_CONTAIN operator, renamed operator SPARQL_SELECT_QUERY_CONTAINS to SPARQL_SELECT_QUERY_RESULTS_CONTAIN

* Use any uri or literal result values for SPARQL Query results checks

* renamed individual access-individual:SparqlSelectQueryContains to access-individual:SparqlSelectQueryResultContain

* fix for prev commit

---------

Co-authored-by: Georgy Litvinov <[email protected]>

api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AbstractCheck.java

@@ -85,7 +85,10 @@ private void adjustComputationCost(CheckType testType) {
             case STARTS_WITH:
                 computationalCost += 1000;
                 return;
-            case SPARQL_SELECT_QUERY_CONTAINS:
+            case SPARQL_SELECT_QUERY_RESULTS_CONTAIN:
+                computationalCost += 10000;
+                return;
+            case SPARQL_SELECT_QUERY_RESULTS_NOT_CONTAIN:
                 computationalCost += 10000;
                 return;
             default:

api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/AttributeValueChecker.java

@@ -29,8 +29,10 @@ static boolean test(Check attr, AuthorizationRequest ar, String... values) {
                 return !contains(attr, values);
             case STARTS_WITH:
                 return startsWith(attr, values);
-            case SPARQL_SELECT_QUERY_CONTAINS:
+            case SPARQL_SELECT_QUERY_RESULTS_CONTAIN:
                 return sparqlQueryContains(attr, ar, values);
+            case SPARQL_SELECT_QUERY_RESULTS_NOT_CONTAIN:
+                return !sparqlQueryContains(attr, ar, values);
             default:
                 return false;
         }

api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/CheckType.java

@@ -8,5 +8,6 @@ public enum CheckType {
     ONE_OF,
     NOT_ONE_OF,
     STARTS_WITH,
-    SPARQL_SELECT_QUERY_CONTAINS
+    SPARQL_SELECT_QUERY_RESULTS_CONTAIN,
+    SPARQL_SELECT_QUERY_RESULTS_NOT_CONTAIN
 }

api/src/main/java/edu/cornell/mannlib/vitro/webapp/auth/checks/ProximityChecker.java

@@ -4,6 +4,7 @@
 
 import java.util.ArrayList;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 
 import org.apache.commons.logging.Log;
@@ -16,6 +17,7 @@
 import org.apache.jena.query.QuerySolution;
 import org.apache.jena.query.ResultSet;
 import org.apache.jena.rdf.model.Model;
+import org.apache.jena.rdf.model.RDFNode;
 
 public class ProximityChecker {
     private static final Log log = LogFactory.getLog(ProximityChecker.class);
@@ -39,8 +41,7 @@ private static List<String> getRelatedUris(Model model, String personUri, String
         if (queryMap.containsKey(queryMapKey)) {
             return queryMap.get(queryMapKey);
         }
-
-        List<String> resourceUris = new ArrayList<>();
+        List<String> results = new ArrayList<>();
         ParameterizedSparqlString pss = new ParameterizedSparqlString();
         pss.setCommandText(queryTemplate);
         pss.setIri("personUri", personUri);
@@ -52,15 +53,28 @@ private static List<String> getRelatedUris(Model model, String personUri, String
             ResultSet resultSet = queryExecution.execSelect();
             while (resultSet.hasNext()) {
                 QuerySolution qs = resultSet.nextSolution();
-                resourceUris.add(qs.getResource("resourceUri").getURI());
+                addSolutionValues(results, qs);
             }
         } finally {
             queryExecution.close();
         }
-        debug("query results: " + resourceUris);
-        queryMap.put(queryMapKey, resourceUris);
+        debug("query results: " + results);
+        queryMap.put(queryMapKey, results);
         QueryResultsMapCache.update(queryMap);
-        return resourceUris;
+        return results;
+    }
+
+    private static void addSolutionValues(List<String> results, QuerySolution qs) {
+        Iterator<String> names = qs.varNames();
+        while (names.hasNext()) {
+            String name = names.next();
+            RDFNode node = qs.get(name);
+            if (node.isURIResource()) {
+                results.add(node.asResource().getURI());
+            } else if (node.isLiteral()) {
+                results.add(node.asLiteral().toString());
+            }
+        }
     }
 
     private static void debug(String queryText) {

api/src/test/java/edu/cornell/mannlib/vitro/webapp/auth/rules/AccessRuleTest.java

@@ -2,7 +2,7 @@
 
 import static edu.cornell.mannlib.vitro.webapp.auth.checks.CheckType.EQUALS;
 import static edu.cornell.mannlib.vitro.webapp.auth.checks.CheckType.ONE_OF;
-import static edu.cornell.mannlib.vitro.webapp.auth.checks.CheckType.SPARQL_SELECT_QUERY_CONTAINS;
+import static edu.cornell.mannlib.vitro.webapp.auth.checks.CheckType.SPARQL_SELECT_QUERY_RESULTS_CONTAIN;
 import static org.junit.Assert.assertEquals;
 
 import java.util.List;
@@ -23,7 +23,7 @@ public void testAttributeOrderByComputationalCost() {
         Check affordableAttribute = uriCheck("test:affordableAttributeUri", value("test:objectUri"));
         cheapAttribute.setType(ONE_OF);
         Check expensiveAttribute = uriCheck("test:expensiveAttributeUri", value("test:objectUri"));
-        cheapAttribute.setType(SPARQL_SELECT_QUERY_CONTAINS);
+        cheapAttribute.setType(SPARQL_SELECT_QUERY_RESULTS_CONTAIN);
         rule.addCheck(affordableAttribute);
         rule.addCheck(expensiveAttribute);
         rule.addCheck(cheapAttribute);

api/src/test/resources/edu/cornell/mannlib/vitro/webapp/auth/rules/proximity_test_policy.n3

@@ -15,7 +15,7 @@ access-individual:AllowPersonEditOwnPublication rdf:type access:Rule ;
     access:requiresCheck access-individual:PublicationInProximityAttribute .
 
 access-individual:PublicationInProximityAttribute rdf:type access:Check ;
-    access:useOperator access-individual:SparqlSelectQueryContains ;
+    access:useOperator access-individual:SparqlSelectQueryResultsContain ;
     access:hasTypeToCheck access-individual:StatementSubjectUri ;
     access:value access-individual:PublicationProximityToPerson .
 

home/src/main/resources/rdf/accessControl/firsttime/operators.n3

@@ -18,5 +18,8 @@ access-individual:NotOneOf a access:Operator;
 access-individual:StartsWith a access:Operator;
     access:id "STARTS_WITH" .
 
-access-individual:SparqlSelectQueryContains a access:Operator;
-    access:id "SPARQL_SELECT_QUERY_CONTAINS" .
+access-individual:SparqlSelectQueryResultsContain a access:Operator;
+    access:id "SPARQL_SELECT_QUERY_RESULTS_CONTAIN" .
+
+access-individual:SparqlSelectQueryResultsNotContain a access:Operator;
+    access:id "SPARQL_SELECT_QUERY_RESULTS_NOT_CONTAIN" .

home/src/main/resources/rdf/accessControl/firsttime/policy_related_editable_pages.n3

@@ -37,7 +37,7 @@
     access:value :SomeUri .
 
 :SubjectUriIsProfileRelatedResource a access:Check ;
-    access:useOperator access-individual:SparqlSelectQueryContains ;
+    access:useOperator access-individual:SparqlSelectQueryResultsContain ;
     access:hasTypeToCheck access-individual:StatementSubjectUri ;
     access:value access-individual:PersonProfileProximityToResourceUri .
 

home/src/main/resources/rdf/accessControl/firsttime/template_update_related_allowed_property.n3

@@ -229,7 +229,7 @@
     .
 
 :RelationCheck a access:Check ;
-    access:useOperator access-individual:SparqlSelectQueryContains ;
+    access:useOperator access-individual:SparqlSelectQueryResultsContain ;
     access:hasTypeToCheck access-individual:StatementSubjectUri ;
     access:value access-individual:PersonProfileProximityToResourceUri .