#13 add authorization test in server, make drive public by default

Author: joepio

lib/src/db.rs

@@ -396,7 +396,7 @@ impl Storelike for Db {
             .map_err(|e| format!("Failed to populate default store. {}", e))?;
         // This is a potentially expensive operation, but is needed to make TPF queries work with the models created in here
         self.build_index(true)?;
-        crate::populate::populate_hierarchy(self)
+        crate::populate::create_drive(self)
             .map_err(|e| format!("Failed to populate hierarcy. {}", e))?;
         crate::populate::populate_collections(self)
             .map_err(|e| format!("Failed to populate collections. {}", e))?;

lib/src/hierarchy.rs

@@ -62,11 +62,15 @@ pub fn check_rights(
 ) -> AtomicResult<bool> {
     // Check if the resource's write rights explicitly refers to the agent or the public agent
     if let Ok(arr_val) = resource.get(&right.to_string()) {
-        if arr_val.to_subjects(None)?.iter().any(|s| match s.as_str() {
-            urls::PUBLIC_AGENT => true,
-            for_agent => s == for_agent,
-        }) {
-            return Ok(true);
+        for s in arr_val.to_subjects(None)? {
+            match s.as_str() {
+                urls::PUBLIC_AGENT => return Ok(true),
+                agent => {
+                    if agent == for_agent {
+                        return Ok(true);
+                    }
+                }
+            };
         }
     }
     // Try the parents recursively

lib/src/populate.rs

@@ -141,10 +141,8 @@ pub fn populate_base_models(store: &impl Storelike) -> AtomicResult<()> {
     Ok(())
 }
 
-/// Adds the hierarchy related items (Drive, default Folder) to the Store.
-/// Sets the home page as the top level node, and gives write rights to the default agent.
-/// Requires a `self_url` to be set in the store.
-pub fn populate_hierarchy(store: &impl Storelike) -> AtomicResult<()> {
+/// Creates a Drive resource at the base URL. Does not set rights. Use set_drive_rights for that.
+pub fn create_drive(store: &impl Storelike) -> AtomicResult<()> {
     let self_url = store
         .get_self_url()
         .ok_or("No self_url set, cannot populate store with Drive")?;
@@ -156,24 +154,12 @@ pub fn populate_hierarchy(store: &impl Storelike) -> AtomicResult<()> {
         base_url.host_str().ok_or("Can't use current base URL")?,
         store,
     )?;
-    // The root agent does not yet exist
-    // let root_agent = store.get_default_agent()?.subject;
-    // drive.set_propval(
-    //     urls::READ.into(),
-    //     Value::ResourceArray(vec![root_agent.clone()]),
-    //     store,
-    // )?;
-    // drive.set_propval(
-    //     urls::WRITE.into(),
-    //     Value::ResourceArray(vec![root_agent]),
-    //     store,
-    // )?;
     drive.save_locally(store)?;
     Ok(())
 }
 
 /// Get the Drive resource (base URL), set agent as the Root user, provide write and read access to the Root user. Also, by default, makes the Root publicly visible.
-pub fn set_up_drive(store: &impl Storelike) -> AtomicResult<()> {
+pub fn set_drive_rights(store: &impl Storelike) -> AtomicResult<()> {
     // Now let's add the agent as the Root user and provide write access
     let mut drive = store.get_resource(store.get_base_url())?;
     let write_agents = vec![store.get_default_agent()?.subject];

server/src/appstate.rs

@@ -52,16 +52,17 @@ pub fn init(config: Config) -> AtomicServerResult<AppState> {
     set_default_agent(&config, &store)?;
     if config.initialize {
         log::info!("Running populate commands...");
-        atomic_lib::populate::populate_hierarchy(&store)
+        atomic_lib::populate::create_drive(&store)
             .map_err(|e| format!("Failed to populate hierarchy. {}", e))?;
+        atomic_lib::populate::set_drive_rights(&store)
+            .map_err(|e| format!("Failed to set drive rights. {}", e))?;
         atomic_lib::populate::populate_collections(&store)
             .map_err(|e| format!("Failed to populate collections. {}", e))?;
         atomic_lib::populate::populate_endpoints(&store)
             .map_err(|e| format!("Failed to populate endpoints. {}", e))?;
         set_up_initial_invite(&store)?;
         // This means that editing the .env does _not_ grant you the rights to edit the Drive.
         log::info!("Setting rights to Drive {}", store.get_base_url());
-        atomic_lib::populate::set_up_drive(&store)?;
     }
 
     // Initialize search constructs

server/src/tests.rs

@@ -8,8 +8,10 @@ use super::*;
 use actix_web::{
     dev::{Body, ResponseBody},
     test::{self, TestRequest},
-    web, App,
+    web::Data,
+    App,
 };
+use atomic_lib::urls;
 
 trait BodyTest {
     fn as_str(&self) -> &str;
@@ -19,11 +21,11 @@ impl BodyTest for ResponseBody<Body> {
     fn as_str(&self) -> &str {
         match self {
             ResponseBody::Body(ref b) => match b {
-                Body::Bytes(ref by) => std::str::from_utf8(&by).unwrap(),
+                Body::Bytes(ref by) => std::str::from_utf8(by).unwrap(),
                 _ => panic!(),
             },
             ResponseBody::Other(ref b) => match b {
-                Body::Bytes(ref by) => std::str::from_utf8(&by).unwrap(),
+                Body::Bytes(ref by) => std::str::from_utf8(by).unwrap(),
                 _ => panic!(),
             },
         }
@@ -55,13 +57,14 @@ async fn init_server() {
         .map_err(|e| format!("Initialization failed: {}", e))
         .expect("failed init config");
     let appstate = crate::appstate::init(config.clone()).expect("failed init appstate");
-    let data = web::Data::new(std::sync::Mutex::new(appstate.clone()));
+    let data = Data::new(std::sync::Mutex::new(appstate.clone()));
     let mut app = test::init_service(
         App::new()
             .app_data(data)
             .configure(|app| crate::routes::config_routes(app, &appstate.config)),
     )
     .await;
+    let store = &appstate.store;
 
     // Does not work, unfortunately, because the server is not accessible.
     // let fetched =
@@ -71,17 +74,33 @@ async fn init_server() {
     // Get HTML page
     let req = build_request_authenticated("/", &appstate).header("Accept", "application/html");
     let mut resp = test::call_service(&mut app, req.to_request()).await;
-    println!("response: {:?}", resp);
     assert!(resp.status().is_success());
     let body = resp.take_body();
     assert!(body.as_str().contains("html"), "no html in response");
 
+    // Should 200 (public)
+    let req = test::TestRequest::with_uri("/properties").header("Accept", "application/ad+json");
+    let resp = test::call_service(&mut app, req.to_request()).await;
+    assert_eq!(resp.status().as_u16(), 200, "resource should be public");
+
+    // Edit the properties collection - let's make it hidedn
+    let mut drive = store.get_resource(&appstate.config.local_base_url).unwrap();
+    drive
+        .set_propval(
+            urls::READ.into(),
+            vec![appstate.store.get_default_agent().unwrap().subject].into(),
+            &appstate.store,
+        )
+        .unwrap();
+    drive.save(store).unwrap();
+
     // Should 401 (Unauthorized)
     let req = test::TestRequest::with_uri("/properties").header("Accept", "application/ad+json");
     let resp = test::call_service(&mut app, req.to_request()).await;
-    assert!(
-        resp.status().is_client_error(),
-        "resource should return 401 unauthorized"
+    assert_eq!(
+        resp.status().as_u16(),
+        401,
+        "resource should not be authorized for public"
     );
 
     // Get JSON-AD