[ Dynapi ] Fix dynapi model factory

api/src/main/java/edu/cornell/mannlib/vitro/webapp/dynapi/DynamicAPIDocumentation.java

@@ -26,7 +26,7 @@
 import edu.cornell.mannlib.vitro.webapp.dynapi.components.ResourceAPIKey;
 import edu.cornell.mannlib.vitro.webapp.dynapi.components.Version;
 import edu.cornell.mannlib.vitro.webapp.dynapi.components.serialization.ArraySerializationType;
-import edu.cornell.mannlib.vitro.webapp.dynapi.components.serialization.JsonObjectSerializationType;
+import edu.cornell.mannlib.vitro.webapp.dynapi.components.serialization.JsonContainerSerializationType;
 import edu.cornell.mannlib.vitro.webapp.dynapi.components.serialization.PrimitiveSerializationType;
 import edu.cornell.mannlib.vitro.webapp.dynapi.components.serialization.SerializationType;
 import edu.cornell.mannlib.vitro.webapp.dynapi.request.ApiRequestPath;
@@ -644,15 +644,15 @@ private void buildObjectSchema(ObjectSchema objectSchema, Parameters parameters)
 
                 objectSchema.addProperties(parameterName, primitiveParameter);
 
-            } else if (serializationType instanceof JsonObjectSerializationType) {
+            } else if (serializationType instanceof JsonContainerSerializationType) {
 
                 ObjectSchema objectParameter = new ObjectSchema();
 
                 objectParameter.setDescription(parameter.getDescription());
 
                 objectSchema.addProperties(parameterName, objectParameter);
 
-                buildObjectSchema(objectParameter, ((JsonObjectSerializationType) serializationType).getInternalElements());
+                buildObjectSchema(objectParameter, ((JsonContainerSerializationType) serializationType).getInternalElements());
 
             } else if (serializationType instanceof ArraySerializationType) {
 
@@ -676,14 +676,14 @@ private void buildArraySchema(ArraySchema arraySchema, Parameter parameter) {
 
         if (arrayParameterType instanceof PrimitiveSerializationType) {
             primitiveParameter = toPrimativeSchema(arrayParameterType);
-        } else if (arrayParameterType instanceof JsonObjectSerializationType) {
+        } else if (arrayParameterType instanceof JsonContainerSerializationType) {
 
             primitiveParameter = new ObjectSchema();
 
             primitiveParameter.setDescription(parameter.getDescription());
 
             buildObjectSchema((ObjectSchema) primitiveParameter,
-                    ((JsonObjectSerializationType) arrayParameterType).getInternalElements());
+                    ((JsonContainerSerializationType) arrayParameterType).getInternalElements());
 
         } else if (parameterType instanceof ArraySerializationType) {
 

api/src/main/java/edu/cornell/mannlib/vitro/webapp/dynapi/RESTEndpoint.java

@@ -13,6 +13,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
 import edu.cornell.mannlib.vitro.webapp.dynapi.components.Action;
 import edu.cornell.mannlib.vitro.webapp.dynapi.components.DefaultResourceAPI;
@@ -141,6 +142,11 @@ private void process(HttpServletRequest request, HttpServletResponse response) {
             actionPool.printKeys();
         }
         Action action = actionPool.get(actionName);
+		UserAccount user = (UserAccount) request.getSession(false).getAttribute("user");
+        if (!action.hasPermissions(user)) {
+        	OperationResult.notAuthorized().prepareResponse(response);
+        	return;
+        } 
         DataStore dataStore = new DataStore();
         if (requestPath.isResourceRequest()) {
             dataStore.setResourceID(requestPath.getResourceId());

api/src/main/java/edu/cornell/mannlib/vitro/webapp/dynapi/RPCEndpoint.java

@@ -9,6 +9,7 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
 import edu.cornell.mannlib.vitro.webapp.controller.VitroHttpServlet;
 import edu.cornell.mannlib.vitro.webapp.dynapi.components.Action;
 import edu.cornell.mannlib.vitro.webapp.dynapi.components.OperationResult;
@@ -20,7 +21,7 @@
 @WebServlet(name = "RPCEndpoint", urlPatterns = { RPC_SERVLET_PATH + "/*" })
 public class RPCEndpoint extends VitroHttpServlet {
 
-    private static final Log log = LogFactory.getLog(RESTEndpoint.class);
+    private static final Log log = LogFactory.getLog(RPCEndpoint.class);
 
     private ActionPool actionPool = ActionPool.getInstance();
 
@@ -37,13 +38,18 @@ public void doPost(HttpServletRequest request, HttpServletResponse response) {
                 actionPool.printKeys();
             }
             Action action = actionPool.get(requestPath.getActionName());
+			UserAccount user = (UserAccount) request.getSession(false).getAttribute("user");
+	        if (!action.hasPermissions(user)) {
+	        	OperationResult.notAuthorized().prepareResponse(response);
+	        	return;
+	        } 
             DataStore dataStore = new DataStore();
             if (requestPath.isResourceRequest()) {
                 dataStore.setResourceID(requestPath.getResourceId());
             }
             try {
             	Converter.convert(request, action, dataStore);
-            } catch (ConversionException e) {
+            } catch (Exception e) {
             	log.error(e,e);
             	response.setStatus(500);
             	return;

api/src/main/java/edu/cornell/mannlib/vitro/webapp/dynapi/access/AccessWhitelist.java

@@ -0,0 +1,11 @@
+package edu.cornell.mannlib.vitro.webapp.dynapi.access;
+
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
+
+public interface AccessWhitelist {
+
+	public boolean isAuthorized(UserAccount user);
+
+	public void setActionName(String name);
+
+}

api/src/main/java/edu/cornell/mannlib/vitro/webapp/dynapi/access/GroupAccessWhitelist.java

@@ -0,0 +1,44 @@
+package edu.cornell.mannlib.vitro.webapp.dynapi.access;
+
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
+
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
+import edu.cornell.mannlib.vitro.webapp.utils.configuration.Property;
+
+public class GroupAccessWhitelist implements AccessWhitelist {
+
+    private static final Log log = LogFactory.getLog(GroupAccessWhitelist.class);
+	private Map<String, UserGroup> groups = new HashMap<String, UserGroup>();
+	private String actionName = "action name not provided";
+
+    @Property(uri = "https://vivoweb.org/ontology/vitro-dynamic-api#userGroup")
+    public void addAccessFilter(UserGroup userGroup) {
+    	groups.put(userGroup.getName(), userGroup);
+    }
+
+	@Override
+	public boolean isAuthorized(UserAccount user) {
+		Set<String> uris = user.getPermissionSetUris();
+		for (String uri : uris) {
+			UserGroup userGroup = groups.get(uri);
+			if (groups.containsKey(uri)) {
+				log.debug("Group '" + userGroup.getLabel() + "' membership allows '" + user.getEmailAddress() + "' to access action '" + actionName + "'");
+				return true;
+			}
+			log.debug("Group '" + userGroup.getLabel() + "' membership doesn't allow '" + user.getEmailAddress() + "' to access action '" + actionName + "'");
+		}
+		log.debug("Whitelist is doesn't allow user '" + user.getEmailAddress() + "' to access action '" + actionName + "'");
+		return false;
+	}
+
+	@Override
+	public void setActionName(String name) {
+		this.actionName  = name;
+	}
+
+}

api/src/main/java/edu/cornell/mannlib/vitro/webapp/dynapi/access/UserGroup.java

@@ -0,0 +1,31 @@
+package edu.cornell.mannlib.vitro.webapp.dynapi.access;
+
+import edu.cornell.mannlib.vitro.webapp.utils.configuration.Property;
+
+public class UserGroup {
+
+	private String name;
+	private String label;
+
+
+    @Property(uri = "http://www.w3.org/2000/01/rdf-schema#label")
+    public void setLabel(String label) {
+    	this.label  = label;
+    }
+
+    public String getLabel() {
+    	if (label != null) {
+    		return label;
+    	}
+    	return name;
+    }
+
+    @Property(uri = "https://vivoweb.org/ontology/vitro-dynamic-api#name", minOccurs = 1, maxOccurs = 1)
+    public void setName(String name) {
+    	this.name  = name;
+    }
+
+	public String getName() {
+		return name; 
+	}
+}

api/src/main/java/edu/cornell/mannlib/vitro/webapp/dynapi/authentication/LoginController.java

@@ -58,7 +58,7 @@ private void process(HttpServletRequest request, HttpServletResponse response) {
             return;
         }
 
-        request.getSession().setAttribute("logged_in_user", user);
+        request.getSession().setAttribute("user", user);
         response.setStatus(200);
     }
 

api/src/main/java/edu/cornell/mannlib/vitro/webapp/dynapi/components/Action.java

@@ -2,6 +2,8 @@
 
 import java.util.Collections;
 import java.util.HashSet;
+import java.util.LinkedList;
+import java.util.List;
 import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
@@ -10,6 +12,8 @@
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 
+import edu.cornell.mannlib.vitro.webapp.beans.UserAccount;
+import edu.cornell.mannlib.vitro.webapp.dynapi.access.AccessWhitelist;
 import edu.cornell.mannlib.vitro.webapp.dynapi.computation.AutoConfiguration;
 import edu.cornell.mannlib.vitro.webapp.dynapi.computation.StepInfo;
 import edu.cornell.mannlib.vitro.webapp.dynapi.data.DataStore;
@@ -28,20 +32,23 @@ public class Action extends Operation implements Poolable<String>, StepInfo {
     private Parameters outputParams = new Parameters();
     private Parameters inputParams = new Parameters();
     private Parameters internalParams = new Parameters();
+    private List<AccessWhitelist> accessWhitelists = new LinkedList<AccessWhitelist>();
 
     @Override
     public void dereference() {
-        firstStep.dereference();
-        firstStep = null;
-        rpc.dereference();
-        rpc = null;
     }
 
     @Override
     public OperationResult run(DataStore dataStore) {
         return firstStep.run(dataStore);
     }
 
+    @Property(uri = "https://vivoweb.org/ontology/vitro-dynamic-api#accessWhiteList")
+    public void addAccessFilter(AccessWhitelist whiteList) {
+        accessWhitelists.add(whiteList);
+        whiteList.setActionName(rpc.getName());
+    }
+
     @Property(uri = "https://vivoweb.org/ontology/vitro-dynamic-api#hasFirstStep", minOccurs = 1, maxOccurs = 1)
     public void setStep(Step step) {
         this.firstStep = step;
@@ -177,4 +184,26 @@ public String getOutputPath() {
 		return "";
 	}
 
+	public boolean hasPermissions(UserAccount user) {
+		if (isPublicAccessible()) {
+			return true;
+		}
+		if (user == null) {
+			return false;
+		}
+		if (user.isRootUser()) {
+			return true;
+		}
+		for (AccessWhitelist filter : accessWhitelists) {
+			if (filter.isAuthorized(user)) {
+				return true;
+			}
+		}
+		return false;
+	}
+
+	private boolean isPublicAccessible() {
+		return false;
+	}
+
 }

api/src/main/java/edu/cornell/mannlib/vitro/webapp/dynapi/components/ModelWriter.java

@@ -56,8 +56,8 @@ public OperationResult run(DataStore dataStore) {
 			return OperationResult.internalServerError();
 		}
 
-		List<Model> additions = ModelView.getModels(additionModelParams, dataStore);
-		List<Model> retractions = ModelView.getModels(retractionModelParams, dataStore);
+		List<Model> additions = ModelView.getExistingModels(additionModelParams, dataStore);
+		List<Model> retractions = ModelView.getExistingModels(retractionModelParams, dataStore);
 		Model target = ModelView.getModel(dataStore, targetModelParam);
 		AdditionsAndRetractions changes = new AdditionsAndRetractions(additions, retractions);
 		//TODO: set editor uri instead of ""

api/src/main/java/edu/cornell/mannlib/vitro/webapp/dynapi/components/OperationResult.java

@@ -11,6 +11,7 @@ public class OperationResult {
     private static final OperationResult OK = new OperationResult(HttpServletResponse.SC_OK);
 	private static final OperationResult INTERNAL_SERVER_ERROR = new OperationResult(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
 	private static final OperationResult METHOD_NOT_ALLOWED = new OperationResult(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+	private static final OperationResult NOT_AUTHORIZED = new OperationResult(HttpServletResponse.SC_UNAUTHORIZED);
 	private static final OperationResult NOT_FOUND = new OperationResult(HttpServletResponse.SC_NOT_FOUND);
 	private static final OperationResult BAD_REQUEST = new OperationResult(HttpServletResponse.SC_BAD_REQUEST);
 	private int responseCode;
@@ -51,6 +52,10 @@ public static OperationResult internalServerError() {
         return INTERNAL_SERVER_ERROR;
     }
 
+    public static OperationResult notAuthorized() {
+        return NOT_AUTHORIZED;
+    }
+
     public static OperationResult ok() {
         return OK;
     }

api/src/main/java/edu/cornell/mannlib/vitro/webapp/dynapi/components/Parameter.java

@@ -12,8 +12,10 @@ public class Parameter implements Removable {
 	private String description;
 	private Validators validators = new Validators();
 	private ParameterType type;
+	private String defaultValue;
+	private Boolean internal;
 
-	public String getName() {
+    public String getName() {
 		return name;
 	}
 
@@ -27,6 +29,16 @@ public ParameterType getType() {
 		return type;
 	}
 
+	@Property(uri = "https://vivoweb.org/ontology/vitro-dynamic-api#defaultValue", minOccurs = 0, maxOccurs = 1)
+    public void setDefaultValue(String defaultValue) {
+        this.defaultValue = defaultValue;
+    }
+
+    @Property(uri = "https://vivoweb.org/ontology/vitro-dynamic-api#isInternal", minOccurs = 0, maxOccurs = 1)
+	public void setInternal(boolean internal) {
+	    this.internal = internal;
+    }
+
 	@Property(uri = "https://vivoweb.org/ontology/vitro-dynamic-api#name", minOccurs = 1, maxOccurs = 1)
 	public void setName(String name) {
 		this.name = name;
@@ -56,6 +68,9 @@ public void dereference() {
 	}
 
 	public boolean isInternal() {
+	    if (internal != null) {
+	        return internal;
+	    }
 		return type.isInternal();
 	}
 
@@ -75,7 +90,14 @@ public boolean isOptional() {
 		return false;
 	}
 
-	public boolean isJsonObject() {
-		return type.isJsonObject();
+	public boolean isJsonContainer() {
+		return type.isJsonContainer();
 	}
+
+    public String getDefaultValue() {
+        if (defaultValue != null) {
+            return defaultValue;
+        }
+        return type.getImplementationType().getDefaultValue();
+    }
 }

api/src/main/java/edu/cornell/mannlib/vitro/webapp/dynapi/components/Parameters.java

@@ -46,22 +46,6 @@ public boolean contains(String name) {
 		return params.containsKey(name);
 	}
 
-	/*
-	 * // Substitute IRI parameters with their values in specific request public
-	 * Map<String, List<String>> substituteIRIVariables(DataStore input) { return
-	 * params.values().stream() .filter(value -> value.getType().isUri()).collect(
-	 * Collectors.toMap(param -> param.getName(), param ->
-	 * Arrays.asList(input.get(param.getName())))); }
-	 * 
-	 * // Substitute parameters that represent RDF literals with their values in //
-	 * specific request public Map<String, List<Literal>>
-	 * substituteLiteralVariables(DataStore input) { return params.values().stream()
-	 * .filter(value -> value.getType().isLiteral()) .collect(Collectors.toMap(param
-	 * -> param.getName(), param ->
-	 * Arrays.asList(ResourceFactory.createTypedLiteral(input.get(param.getName())[0
-	 * ], param.getType().getRdfType().getRDFDataType())))); }
-	 */
-
 	@Override
 	public void dereference() {
 		for (String name : params.keySet()) {