Simplified system datasets

http-tests/admin/packages/install-uninstall-package-ontology.sh

@@ -58,4 +58,4 @@ fi
 curl -k -w "%{http_code}\n" -o /dev/null -s \
   -E "$OWNER_CERT_FILE":"$OWNER_CERT_PWD" \
   "${ADMIN_BASE_URL}ontologies/${package_ontology_hash}/" \
-| grep -q "$STATUS_FORBIDDEN"
+| grep -q "$STATUS_NOT_FOUND"

http-tests/document-hierarchy/DELETE-no-parent-403.sh → http-tests/document-hierarchy/DELETE-404.sh

@@ -15,11 +15,20 @@ add-agent-to-group.sh \
   --agent "$AGENT_URI" \
   "${ADMIN_BASE_URL}acl/groups/writers/"
 
-# check that graph without parent is forbidden
+# check that non-existing document is not found
+
+curl -k -w "%{http_code}\n" -o /dev/null -s -G \
+  -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
+  -X DELETE \
+  -H "Accept: application/n-triples" \
+  "${END_USER_BASE_URL}non-existing/" \
+| grep -q "$STATUS_NOT_FOUND"
+
+# check that document without parent is not found
 
 curl -k -w "%{http_code}\n" -o /dev/null -s -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -X DELETE \
   -H "Accept: application/n-triples" \
   "${END_USER_BASE_URL}parent/non-existing/" \
-| grep -q "$STATUS_FORBIDDEN"
+| grep -q "$STATUS_NOT_FOUND"

http-tests/document-hierarchy/DELETE.sh

@@ -45,4 +45,4 @@ curl -k -w "%{http_code}\n" -o /dev/null -s -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -H "Accept: application/n-triples" \
   "$container" \
-| grep -q "$STATUS_FORBIDDEN"
+| grep -q "$STATUS_NOT_FOUND"

http-tests/document-hierarchy/DELETE-non-existing-403.sh → http-tests/document-hierarchy/GET-404.sh

@@ -15,11 +15,10 @@ add-agent-to-group.sh \
   --agent "$AGENT_URI" \
   "${ADMIN_BASE_URL}acl/groups/writers/"
 
-# check that access to non-existing graph is forbidden
+# check that non-existing document is not found
 
 curl -k -w "%{http_code}\n" -o /dev/null -s -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
-  -X DELETE \
   -H "Accept: application/n-triples" \
   "${END_USER_BASE_URL}non-existing/" \
-| grep -q "$STATUS_FORBIDDEN"
+| grep -q "$STATUS_NOT_FOUND"

http-tests/document-hierarchy/PATCH-non-existing-403.sh → http-tests/document-hierarchy/PATCH-404.sh

@@ -37,4 +37,4 @@ curl -k -w "%{http_code}\n" -o /dev/null -s \
   "${END_USER_BASE_URL}non-existing/" \
    --data-binary "$update"
 ) \
-| grep -q "$STATUS_FORBIDDEN"
+| grep -q "$STATUS_NOT_FOUND"

http-tests/document-hierarchy/PATCH-empty-container.sh

@@ -32,11 +32,11 @@ container=$(create-container.sh \
 update=$(cat <<EOF
 DELETE
 {
-  <${container}> ?p ?o
+  ?s ?p ?o
 }
 WHERE
 {
-  <${container}> ?p ?o
+  ?s ?p ?o
 }
 EOF
 )
@@ -55,4 +55,4 @@ curl -k -w "%{http_code}\n" -o /dev/null -s \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -H "Accept: application/n-triples" \
   "$container" \
-| grep -q "$STATUS_FORBIDDEN"
+| grep -q "$STATUS_NOT_FOUND"

http-tests/document-hierarchy/PATCH-empty-item.sh

@@ -32,11 +32,11 @@ item=$(create-item.sh \
 update=$(cat <<EOF
 DELETE
 {
-  <${item}> ?p ?o
+  ?s ?p ?o
 }
 WHERE
 {
-  <${item}> ?p ?o
+  ?s ?p ?o
 }
 EOF
 )
@@ -55,4 +55,4 @@ curl -k -w "%{http_code}\n" -o /dev/null -s \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -H "Accept: application/n-triples" \
   "$item" \
-| grep -q "$STATUS_FORBIDDEN"
+| grep -q "$STATUS_NOT_FOUND"

http-tests/document-hierarchy/POST-non-existing-403.sh → http-tests/document-hierarchy/POST-404.sh

@@ -15,7 +15,7 @@ add-agent-to-group.sh \
   --agent "$AGENT_URI" \
   "${ADMIN_BASE_URL}acl/groups/writers/"
 
-# check that access to non-existing graph is forbidden
+# check that non-existing document is not found
 
 (
 curl -k -w "%{http_code}\n" -o /dev/null -s \
@@ -27,4 +27,4 @@ curl -k -w "%{http_code}\n" -o /dev/null -s \
 <http://s> <http://p> <http://o> .
 EOF
 ) \
-| grep -q "$STATUS_FORBIDDEN"
+| grep -q "$STATUS_NOT_FOUND"

http-tests/document-hierarchy/PUT-double-slash-uri-400.sh

@@ -15,9 +15,20 @@ add-agent-to-group.sh \
   --agent "$AGENT_URI" \
   "${ADMIN_BASE_URL}acl/groups/writers/"
 
+# create a container - IRIx resolves ".." on "new-item//" to "new-item/" (one segment per slash),
+# so the parent container must exist for authorization to pass and reach the // validation in put()
+
+container=$(create-container.sh \
+  -f "$AGENT_CERT_FILE" \
+  -p "$AGENT_CERT_PWD" \
+  -b "$END_USER_BASE_URL" \
+  --title "Test Container" \
+  --slug "new-item" \
+  --parent "$END_USER_BASE_URL")
+
 # creating new document fails because URIs with double slashes are not allowed
 
-item="${END_USER_BASE_URL}new-item//"
+item="${container}/"
 
 (
 curl -k -w "%{http_code}\n" -o /dev/null -s \

http-tests/document-hierarchy/PUT-no-slash-308.sh

@@ -7,6 +7,14 @@ purge_cache "$END_USER_VARNISH_SERVICE"
 purge_cache "$ADMIN_VARNISH_SERVICE"
 purge_cache "$FRONTEND_VARNISH_SERVICE"
 
+# add agent to the writers group
+
+add-agent-to-group.sh \
+  -f "$OWNER_CERT_FILE" \
+  -p "$OWNER_CERT_PWD" \
+  --agent "$AGENT_URI" \
+  "${ADMIN_BASE_URL}acl/groups/writers/"
+
 # add an explicit read/write authorization for the parent since the child document will inherit it
 
 create-authorization.sh \
@@ -19,10 +27,10 @@ create-authorization.sh \
   --read \
   --write
 
-invalid_item="${END_USER_BASE_URL}no-slash"
-
 # check URI without trailing slash gets redirected
 
+invalid_item="${END_USER_BASE_URL}no-slash"
+
 (
 curl -k -w "%{http_code}\n" -o /dev/null -s \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \

http-tests/proxy/GET-proxied-403.sh → http-tests/proxy/GET-proxied-404.sh

@@ -17,20 +17,14 @@ add-agent-to-group.sh \
 
 # Test that status codes are correctly proxied through
 # Generate a random UUID for a non-existing resource
-random_uuid=$(cat /proc/sys/kernel/random/uuid 2>/dev/null || uuidgen)
-non_existing_uri="${END_USER_BASE_URL}${random_uuid}/"
+uuid=$(cat /proc/sys/kernel/random/uuid 2>/dev/null || uuidgen)
+non_existing_uri="${END_USER_BASE_URL}${uuid}/"
 
 # Attempt to proxy a non-existing document on the END_USER_BASE_URL
-# This should return 403 Forbidden (not found resources return 403 in LinkedDataHub)
-http_status=$(curl -k -s -o /dev/null -w "%{http_code}" \
+curl -k -s -o /dev/null -w "%{http_code}" \
   -G \
   -E "$AGENT_CERT_FILE":"$AGENT_CERT_PWD" \
   -H 'Accept: application/n-triples' \
   --data-urlencode "uri=${non_existing_uri}" \
-  "$END_USER_BASE_URL" || true)
-
-# Verify that the proxied status code matches the backend status code (403)
-if [ "$http_status" != "403" ]; then
-    echo "Expected HTTP 403 Forbidden for non-existing proxied document, got: $http_status"
-    exit 1
-fi
+  "$END_USER_BASE_URL" \
+| grep -q "$STATUS_NOT_FOUND"

platform/datasets/admin.trig

@@ -1,11 +1,6 @@
 @prefix def:	<https://w3id.org/atomgraph/linkeddatahub/default#> .
 @prefix ldh:	<https://w3id.org/atomgraph/linkeddatahub#> .
-@prefix ac:	    <https://w3id.org/atomgraph/client#> .
 @prefix rdf:	<http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
-@prefix xsd:	<http://www.w3.org/2001/XMLSchema#> .
-@prefix dh:	    <https://www.w3.org/ns/ldt/document-hierarchy#> .
-@prefix sd:     <http://www.w3.org/ns/sparql-service-description#> .
-@prefix sp:	    <http://spinrdf.org/sp#> .
 @prefix sioc:	<http://rdfs.org/sioc/ns#> .
 @prefix foaf:	<http://xmlns.com/foaf/0.1/> .
 @prefix dct:	<http://purl.org/dc/terms/> .
@@ -23,54 +18,21 @@
 
 }
 
-# ENDPOINTS
-
-<sparql>
-{
-
-    <sparql> a foaf:Document ;
-        dct:title "SPARQL endpoint" .
-
-}
-
-<ns>
-{
-
-    <ns> a foaf:Document ;
-        dct:title "Namespace endpoint" .
-
-}
-
-<add>
-{
-
-    <add> a foaf:Document ;
-        dct:title "Add data endpoint" .
-
-}
-
-<generate>
-{
-
-    <generate> a foaf:Document ;
-        dct:title "Generate data endpoint" .
-
-}
-
 ### ADMIN-SPECIFIC
 
 @prefix lacl:	<https://w3id.org/atomgraph/linkeddatahub/admin/acl#> .
 @prefix adm:	<https://w3id.org/atomgraph/linkeddatahub/admin#> .
+@prefix dh:	    <https://www.w3.org/ns/ldt/document-hierarchy#> .
 @prefix rdfs:	<http://www.w3.org/2000/01/rdf-schema#> .
 @prefix owl:	<http://www.w3.org/2002/07/owl#> .
 @prefix acl:	<http://www.w3.org/ns/auth/acl#> .
 @prefix cert:	<http://www.w3.org/ns/auth/cert#> .
-@prefix spin:	<http://spinrdf.org/spin#> .
+@prefix sp:	    <http://spinrdf.org/sp#> .
 
 <sign%20up>
 {
 
-    <sign%20up> a adm:SignUp ;
+    <sign%20up> a foaf:Document ;
         dct:title "Sign up" ;
         rdf:_1 <sign%20up#content> .
 
@@ -288,44 +250,6 @@ WHERE
 
 }
 
-# access endpoint
-
-<acl/authorizations/access/>
-{
-
-    <acl/authorizations/access/> a dh:Item ;
-        sioc:has_container <acl/authorizations/> ;
-        dct:title "Access description access" ;
-        foaf:primaryTopic <acl/authorizations/access/#this> .
-
-    <acl/authorizations/access/#this> a acl:Authorization ;
-        rdfs:label "Access description access" ;
-        rdfs:comment "Allows non-authenticated access" ;
-        acl:accessToClass ldh:Access ;
-        acl:mode acl:Read ;
-        acl:agentClass foaf:Agent, acl:AuthenticatedAgent .
-
-}
-
-# access request endpoint
-
-<acl/authorizations/access-request/>
-{
-
-    <acl/authorizations/access-request/> a dh:Item ;
-        sioc:has_container <acl/authorizations/> ;
-        dct:title "Access request access" ;
-        foaf:primaryTopic <acl/authorizations/access-request/#this> .
-
-    <acl/authorizations/access-request/#this> a acl:Authorization ;
-        rdfs:label "Access request access" ;
-        rdfs:comment "Allows non-authenticated access" ;
-        acl:accessToClass ldh:AccessRequest ;
-        acl:mode acl:Append ;
-        acl:agentClass foaf:Agent, acl:AuthenticatedAgent .
-
-}
-
 # sign up
 
 <acl/authorizations/sign-up/>
@@ -339,8 +263,7 @@ WHERE
     <acl/authorizations/sign-up/#this> a acl:Authorization ;
         rdfs:label "Signup access" ;
         rdfs:comment "Required to enable public signup" ;
-        acl:accessTo <ns> ; # TO-DO: only allow <ns> access by the secretary agent?
-        acl:accessToClass adm:SignUp ;
+        acl:accessTo <ns>, <sign%20up> ; # TO-DO: only allow <ns> access by the secretary agent?
         acl:mode acl:Read, acl:Append ;
         acl:agentClass foaf:Agent .
 
@@ -359,7 +282,7 @@ WHERE
     <acl/authorizations/oauth2-login/#this> a acl:Authorization ;
         rdfs:label "OAuth2 login access" ;
         rdfs:comment "Required to enable public OAuth2 login" ;
-        acl:accessToClass ldh:OAuthLogin ;
+        acl:accessToClass <oauth2/login/google>, <oauth2/login/orcid> ;
         acl:mode acl:Read ;
         acl:agentClass foaf:Agent .
 
@@ -378,7 +301,7 @@ WHERE
     <acl/authorizations/oauth2-authorize/#this> a acl:Authorization ;
         rdfs:label "OAuth2 authorization" ;
         rdfs:comment "Required to enable public OAuth2 login" ;
-        acl:accessToClass ldh:OAuthAuthorize ;
+        acl:accessTo <oauth2/authorize/google>, <oauth2/authorize/orcid> ;
         acl:mode acl:Read ;
         acl:agentClass foaf:Agent .