Reserve admin webid for internal use

Author: acoburn

components/app-triplestore/src/test/java/org/trellisldp/app/triplestore/TrellisApplicationTest.java

@@ -239,6 +239,11 @@ public String getUser2Credentials() {
             return "user:password";
         }
 
+        @Override
+        public String getAdminWebId() {
+            return "http://admin.example.com/#me";
+        }
+
         @Override
         public String getJwtSecret() {
             return TrellisApplicationTest.this.JWT_KEY;

components/app-triplestore/src/test/resources/trellis-config.yml

@@ -27,6 +27,7 @@ baseUrl:
 hubUrl:
 
 auth:
+    adminUsers: ["http://admin.example.com/#me"]
     webac:
         enabled: true
     jwt:

components/test/src/main/java/org/trellisldp/test/AbstractApplicationAuthTests.java

@@ -37,7 +37,6 @@
 import org.junit.jupiter.api.Nested;
 import org.junit.jupiter.api.TestInstance;
 import org.trellisldp.vocabulary.LDP;
-import org.trellisldp.vocabulary.Trellis;
 
 /**
  * A convenience class for running the Auth tests.
@@ -74,15 +73,20 @@ public abstract class AbstractApplicationAuthTests {
      */
     public abstract String getUser2Credentials();
 
+    /**
+     * Get the WebID for an admin-level user.
+     * @return the admin webid
+     */
+    public abstract String getAdminWebId();
+
     @Nested
     @DisplayName("Administrator JWT Auth tests")
     @TestInstance(PER_CLASS)
     public class AdministratorTests extends BasicTests implements AuthAdministratorTests {
 
         @Override
         public String getAuthorizationHeader() {
-            return buildJwt(Trellis.AdministratorAgent.getIRIString(),
-                    AbstractApplicationAuthTests.this.getJwtSecret());
+            return buildJwt(getAdminWebId(), AbstractApplicationAuthTests.this.getJwtSecret());
         }
     }
 
@@ -258,8 +262,7 @@ private void setGroupContainerChild(final String location) {
         protected void setUp() {
             final String acl = "acl";
             final String prefixAcl = "PREFIX acl: <http://www.w3.org/ns/auth/acl#>\n\n";
-            final String jwt = buildJwt(Trellis.AdministratorAgent.getIRIString(),
-                    AbstractApplicationAuthTests.this.getJwtSecret());
+            final String jwt = buildJwt(getAdminWebId(), AbstractApplicationAuthTests.this.getJwtSecret());
 
             final String containerContent = getResourceAsString("/basicContainer.ttl");
             final String container;

core/http/src/main/java/org/trellisldp/http/AgentAuthorizationFilter.java

@@ -33,6 +33,7 @@
 import javax.ws.rs.core.SecurityContext;
 import javax.ws.rs.ext.Provider;
 
+import org.apache.commons.rdf.api.IRI;
 import org.slf4j.Logger;
 import org.trellisldp.api.AgentService;
 import org.trellisldp.http.impl.HttpSession;
@@ -91,7 +92,13 @@ public void filter(final ContainerRequestContext ctx) throws IOException {
         if (adminUsers.contains(name)) {
             ctx.setProperty(SESSION_PROPERTY, new HttpSession(AdministratorAgent));
         } else {
-            ctx.setProperty(SESSION_PROPERTY, new HttpSession(agentService.asAgent(name)));
+            final IRI webid = agentService.asAgent(name);
+            // don't permit admin agent to be generated from the agent service
+            if (AdministratorAgent.equals(webid)) {
+                ctx.setProperty(SESSION_PROPERTY, new HttpSession());
+            } else {
+                ctx.setProperty(SESSION_PROPERTY, new HttpSession(webid));
+            }
         }
     }
 

core/http/src/test/java/org/trellisldp/http/AgentAuthorizationFilterTest.java

@@ -71,4 +71,14 @@ public void testFilterMissingAgent() throws Exception {
         verify(mockContext).setProperty(eq(SESSION_PROPERTY), sessionArgument.capture());
         assertEquals(Trellis.AnonymousAgent, sessionArgument.getValue().getAgent(), "Unexpected agent IRI!");
     }
+
+    @Test
+    public void testFilterAdminAgent() throws Exception {
+        when(mockPrincipal.getName()).thenReturn("admin");
+        when(mockAgentService.asAgent(any())).thenReturn(Trellis.AdministratorAgent);
+        final AgentAuthorizationFilter filter = new AgentAuthorizationFilter(mockAgentService);
+        filter.filter(mockContext);
+        verify(mockContext).setProperty(eq(SESSION_PROPERTY), sessionArgument.capture());
+        assertEquals(Trellis.AnonymousAgent, sessionArgument.getValue().getAgent(), "Unexpected agent IRI!");
+    }
 }

platform/webapp/build.gradle

@@ -57,4 +57,5 @@ test {
     systemProperty 'trellis.namespaces.path', "$buildDir/namespaces.json"
     systemProperty 'trellis.io.jsonld.profiles', 'http://www.w3.org/ns/anno.jsonld'
     systemProperty 'trellis.triplestore.rdf.location', "$buildDir/data/rdf-" + new Random().nextInt(1000)
+    systemProperty 'trellis.http.agent.adminusers', 'http://admin.example.com/#me'
 }

platform/webapp/src/test/java/org/trellisldp/webapp/TrellisApplicationTest.java

@@ -118,6 +118,11 @@ public String getUser2Credentials() {
         public String getJwtSecret() {
             return "EEPPbd/7llN/chRwY2UgbdcyjFdaGjlzaupd3AIyjcu8hMnmMCViWoPUBb5FphGLxBlUlT/G5WMx0WcDq/iNKA==";
         }
+
+        @Override
+        public String getAdminWebId() {
+            return "http://admin.example.com/#me";
+        }
     }
 
     @Nested