JCL-417: Validate LDP containment data in SolidContainer::getResources (#571)

* JCL-417: Validate LDP containment data in SolidContainer::getResources method

* Use verify mechanism

Author: acoburn

api/src/main/java/com/inrupt/client/ValidationResult.java

@@ -38,8 +38,18 @@ public class ValidationResult {
      * @param messages the messages from validation method
      */
     public ValidationResult(final boolean valid, final String... messages) {
+        this(valid, Arrays.asList(messages));
+    }
+
+    /**
+     * Create a ValidationResult object.
+     *
+     * @param valid the result from validation
+     * @param messages the messages from validation method
+     */
+    public ValidationResult(final boolean valid, final List<String> messages) {
         this.valid = valid;
-        this.result = Arrays.asList(messages);
+        this.result = messages;
     }
 
     /**

solid/src/main/java/com/inrupt/client/solid/SolidContainer.java

@@ -20,21 +20,26 @@
  */
 package com.inrupt.client.solid;
 
+import com.inrupt.client.ValidationResult;
 import com.inrupt.client.vocabulary.LDP;
 import com.inrupt.client.vocabulary.RDF;
 import com.inrupt.rdf.wrapping.commons.ValueMappings;
 import com.inrupt.rdf.wrapping.commons.WrapperIRI;
 
 import java.net.URI;
+import java.util.ArrayList;
 import java.util.Collections;
+import java.util.List;
 import java.util.Set;
+import java.util.function.Predicate;
 import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import org.apache.commons.rdf.api.Dataset;
 import org.apache.commons.rdf.api.Graph;
 import org.apache.commons.rdf.api.IRI;
 import org.apache.commons.rdf.api.RDFTerm;
+import org.apache.commons.rdf.api.Triple;
 
 /**
  * A Solid Container Object.
@@ -77,15 +82,43 @@ public SolidContainer(final URI identifier, final Dataset dataset, final Metadat
      * @return the contained resources
      */
     public Set<SolidResource> getResources() {
-        final Node node = new Node(rdf.createIRI(getIdentifier().toString()), getGraph());
-        try (final Stream<Node.TypedNode> stream = node.getResources()) {
-            return stream.map(child -> {
-                final Metadata.Builder builder = Metadata.newBuilder();
-                getMetadata().getStorage().ifPresent(builder::storage);
-                child.getTypes().forEach(builder::type);
-                return new SolidResourceReference(URI.create(child.getIRIString()), builder.build());
-            }).collect(Collectors.collectingAndThen(Collectors.toSet(), Collections::unmodifiableSet));
+        final String container = normalize(getIdentifier());
+        // As defined by the Solid Protocol, containers always end with a slash.
+        if (container.endsWith("/")) {
+            final Node node = new Node(rdf.createIRI(getIdentifier().toString()), getGraph());
+            try (final Stream<Node.TypedNode> stream = node.getResources()) {
+                return stream.filter(child -> verifyContainmentIri(container, child)).map(child -> {
+                    final Metadata.Builder builder = Metadata.newBuilder();
+                    getMetadata().getStorage().ifPresent(builder::storage);
+                    child.getTypes().forEach(builder::type);
+                    return new SolidResourceReference(URI.create(child.getIRIString()), builder.build());
+                }).collect(Collectors.collectingAndThen(Collectors.toSet(), Collections::unmodifiableSet));
+            }
+        }
+        return Collections.emptySet();
+    }
+
+    @Override
+    public ValidationResult validate() {
+        // Get the normalized container URI
+        final String container = normalize(getIdentifier());
+        final List<String> messages = new ArrayList<>();
+        // Verify that the container URI path ends with a slash
+        if (!container.endsWith("/")) {
+            messages.add("Container URI does not end in a slash");
+        }
+
+        // Verify that all ldp:contains triples align with Solid expectations
+        getGraph().stream(null, rdf.createIRI(LDP.contains.toString()), null)
+            .collect(Collectors.partitioningBy(verifyContainmentTriple(container)))
+            .get(false) // we are only concerned with the invalid triples
+            .forEach(triple -> messages.add("Invalid containment triple: " + triple.getSubject().ntriplesString() +
+                        " ldp:contains " + triple.getObject().ntriplesString() + " ."));
+
+        if (messages.isEmpty()) {
+            return new ValidationResult(true);
         }
+        return new ValidationResult(false, messages);
     }
 
     /**
@@ -99,6 +132,49 @@ public Stream<SolidResource> getContainedResources() {
         return getResources().stream();
     }
 
+    static String normalize(final IRI iri) {
+        return normalize(URI.create(iri.getIRIString()));
+    }
+
+    static String normalize(final URI uri) {
+        return uri.normalize().toString().split("#")[0].split("\\?")[0];
+    }
+
+    static Predicate<Triple> verifyContainmentTriple(final String container) {
+        final IRI subject = rdf.createIRI(container);
+        return triple -> {
+            if (!triple.getSubject().equals(subject)) {
+                // Out-of-domain containment triple subject
+                return false;
+            }
+            if (triple.getObject() instanceof IRI) {
+                return verifyContainmentIri(container, (IRI) triple.getObject());
+            }
+            // Non-URI containment triple object
+            return false;
+        };
+    }
+
+    static boolean verifyContainmentIri(final String container, final IRI object) {
+        if (!object.getIRIString().startsWith(container)) {
+            // Out-of-domain containment triple object
+            return false;
+        } else {
+            final String relativePath = object.getIRIString().substring(container.length());
+            final String normalizedPath = relativePath.endsWith("/") ?
+                relativePath.substring(0, relativePath.length() - 1) : relativePath;
+            if (normalizedPath.isEmpty()) {
+                // Containment triple subject and object cannot be the same
+                return false;
+            }
+            if (normalizedPath.contains("/")) {
+                // Containment cannot skip intermediate nodes
+                return false;
+            }
+        }
+        return true;
+    }
+
     @SuppressWarnings("java:S2160") // Wrapper equality is correctly delegated to underlying node
     static final class Node extends WrapperIRI {
         private final IRI ldpContains = rdf.createIRI(LDP.contains.toString());

solid/src/test/java/com/inrupt/client/solid/SolidClientTest.java

@@ -25,9 +25,11 @@
 
 import com.inrupt.client.ClientProvider;
 import com.inrupt.client.Headers;
+import com.inrupt.client.Request;
 import com.inrupt.client.Response;
 import com.inrupt.client.auth.Session;
 import com.inrupt.client.spi.RDFFactory;
+import com.inrupt.client.util.URIBuilder;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
@@ -36,6 +38,7 @@
 import java.util.*;
 import java.util.concurrent.CompletableFuture;
 import java.util.concurrent.CompletionException;
+import java.util.stream.Collectors;
 import java.util.stream.Stream;
 
 import org.apache.commons.rdf.api.RDF;
@@ -161,7 +164,7 @@ void testGetResource() throws IOException, InterruptedException {
 
     @Test
     void testGetContainer() throws IOException, InterruptedException {
-        final URI uri = URI.create(config.get("solid_resource_uri") + "/playlist");
+        final URI uri = URI.create(config.get("solid_resource_uri") + "/playlists/");
 
         client.read(uri, SolidContainer.class).thenAccept(container -> {
             try (final SolidContainer c = container) {
@@ -216,6 +219,31 @@ void testGetBinaryCreate() {
         }).toCompletableFuture().join();
     }
 
+    @Test
+    void testSolidContainerWithInvalidData() {
+        final URI uri = URI.create(config.get("solid_resource_uri") + "/container/");
+        final CompletionException err = assertThrows(CompletionException.class,
+                client.read(uri, SolidContainer.class).toCompletableFuture()::join);
+        assertInstanceOf(DataMappingException.class, err.getCause());
+    }
+
+    @Test
+    void testLowLevelSolidContainer() {
+        final URI uri = URI.create(config.get("solid_resource_uri") + "/container/");
+
+        final Set<URI> expected = new HashSet<>();
+        expected.add(URIBuilder.newBuilder(uri).path("newContainer/").build());
+        expected.add(URIBuilder.newBuilder(uri).path("test.txt").build());
+        expected.add(URIBuilder.newBuilder(uri).path("test2.txt").build());
+
+        client.send(Request.newBuilder(uri).build(), SolidResourceHandlers.ofSolidContainer())
+            .thenAccept(response -> {
+                final SolidContainer container = response.body();
+                assertEquals(expected, container.getResources().stream()
+                        .map(SolidResource::getIdentifier).collect(Collectors.toSet()));
+            }).toCompletableFuture().join();
+    }
+
     @Test
     void testBinaryCreate() throws IOException {
         final URI uri = URI.create(config.get("solid_resource_uri") + "/binary");

solid/src/test/java/com/inrupt/client/solid/SolidMockHttpService.java

@@ -80,6 +80,25 @@ private void setupMocks() {
             )
         );
 
+        wireMockServer.stubFor(get(urlEqualTo("/container/"))
+            .withHeader("User-Agent", equalTo(USER_AGENT))
+            .willReturn(aResponse()
+                .withStatus(200)
+                .withHeader("Content-Type", "text/turtle")
+                .withHeader("Link", Link.of(LDP.BasicContainer, "type").toString())
+                .withHeader("Link", Link.of(URI.create("http://acl.example/solid/"), "acl").toString())
+                .withHeader("Link", Link.of(URI.create("http://storage.example/"),
+                        PIM.storage).toString())
+                .withHeader("Link", Link.of(URI.create("https://history.test/"), "timegate").toString())
+                .withHeader("WAC-Allow", "user=\"read write\",public=\"read\"")
+                .withHeader("Allow", "POST, PUT, PATCH")
+                .withHeader("Accept-Post", "application/ld+json, text/turtle")
+                .withHeader("Accept-Put", "application/ld+json, text/turtle")
+                .withHeader("Accept-Patch", "application/sparql-update, text/n3")
+                .withBodyFile("container.ttl")
+            )
+        );
+
         wireMockServer.stubFor(get(urlEqualTo("/recipe"))
             .withHeader("User-Agent", equalTo(USER_AGENT))
             .willReturn(aResponse()
@@ -130,6 +149,40 @@ private void setupMocks() {
             .willReturn(aResponse()
                 .withStatus(204)));
 
+        wireMockServer.stubFor(get(urlEqualTo("/playlists/"))
+            .withHeader("User-Agent", equalTo(USER_AGENT))
+            .willReturn(aResponse()
+                .withStatus(200)
+                .withHeader("Content-Type", "text/turtle")
+                .withHeader("Link", Link.of(LDP.BasicContainer, "type").toString())
+                .withHeader("Link", Link.of(URI.create("http://storage.example/"),
+                        PIM.storage).toString())
+                .withHeader("Link", Link.of(URI.create("https://history.test/"), "timegate").toString())
+                .withHeader("Link", Link.of(URI.create("http://acl.example/playlists"), "acl").toString())
+                .withHeader("WAC-Allow", "user=\"read write\",public=\"read\"")
+                .withHeader("Allow", "POST, PUT, PATCH")
+                .withHeader("Accept-Post", "application/ld+json, text/turtle")
+                .withHeader("Accept-Put", "application/ld+json, text/turtle")
+                .withHeader("Accept-Patch", "application/sparql-update, text/n3")
+                .withBodyFile("playlist.ttl")
+            )
+        );
+
+        wireMockServer.stubFor(put(urlEqualTo("/playlists/"))
+            .withHeader("User-Agent", equalTo(USER_AGENT))
+            .withHeader("Content-Type", containing("text/turtle"))
+            .withRequestBody(containing(
+                    "<https://library.test/12345/song1.mp3>"))
+            .willReturn(aResponse()
+                .withStatus(204)));
+
+        wireMockServer.stubFor(delete(urlEqualTo("/playlists/"))
+            .withHeader("User-Agent", equalTo(USER_AGENT))
+            .willReturn(aResponse()
+                .withStatus(204)));
+
+
+
 
         wireMockServer.stubFor(get(urlEqualTo("/playlist"))
             .withHeader("User-Agent", equalTo(USER_AGENT))
@@ -140,7 +193,7 @@ private void setupMocks() {
                 .withHeader("Link", Link.of(URI.create("http://storage.example/"),
                         PIM.storage).toString())
                 .withHeader("Link", Link.of(URI.create("https://history.test/"), "timegate").toString())
-                .withHeader("Link", Link.of(URI.create("http://acl.example/playlist"), "acl").toString())
+                .withHeader("Link", Link.of(URI.create("http://acl.example/playlists"), "acl").toString())
                 .withHeader("WAC-Allow", "user=\"read write\",public=\"read\"")
                 .withHeader("Allow", "POST, PUT, PATCH")
                 .withHeader("Accept-Post", "application/ld+json, text/turtle")

solid/src/test/java/com/inrupt/client/solid/SolidSyncClientTest.java

@@ -134,7 +134,7 @@ void testGetResource() {
 
     @Test
     void testGetContainer() {
-        final URI uri = URI.create(config.get("solid_resource_uri") + "/playlist");
+        final URI uri = URI.create(config.get("solid_resource_uri") + "/playlists/");
 
         try (final SolidContainer container = client.read(uri, SolidContainer.class)) {
             assertEquals(uri, container.getIdentifier());
@@ -156,6 +156,12 @@ void testGetContainer() {
         }
     }
 
+    @Test
+    void testGetContainerDataMappingError() {
+        final URI uri = URI.create(config.get("solid_resource_uri") + "/playlist");
+        assertThrows(DataMappingException.class, () -> client.read(uri, SolidContainer.class));
+    }
+
     @Test
     void testGetInvalidType() {
         final URI uri = URI.create(config.get("solid_resource_uri") + "/playlist");

solid/src/test/resources/__files/container.ttl

@@ -0,0 +1,25 @@
+@prefix dct: <http://purl.org/dc/terms/>.
+@prefix ldp: <http://www.w3.org/ns/ldp#>.
+@prefix xsd: <http://www.w3.org/2001/XMLSchema#>.
+@prefix pl: <http://www.w3.org/ns/iana/media-types/text/plain#>.
+
+<>
+    a ldp:BasicContainer ;
+    dct:modified "2022-11-25T10:36:36Z"^^xsd:dateTime;
+    ldp:contains <newContainer/>, <test.txt>, <test2.txt> .
+<newContainer/>
+    a ldp:BasicContainer ;
+    dct:modified "2022-11-25T10:36:36Z"^^xsd:dateTime .
+<test.txt>
+    a pl:Resource, ldp:NonRDFSource;
+    dct:modified "2022-11-25T10:34:14Z"^^xsd:dateTime .
+<test2.txt>
+    a pl:Resource, ldp:NonRDFSource;
+    dct:modified "2022-11-25T10:37:06Z"^^xsd:dateTime .
+
+# These containment triples should not be included in a getResources response
+<>
+    ldp:contains <https://example.com/other> , <newContainer/child> , <> , <./> .
+<https://example.test/container/>
+    a ldp:BasicContainer ;
+    ldp:contains <https://example.test/container/external> .