opencadc · pdowler · Feb 29, 2024 · Feb 29, 2024 · Feb 29, 2024 · Feb 29, 2024
diff --git a/cadc-test-vos/build.gradle b/cadc-test-vos/build.gradle
@@ -16,7 +16,7 @@ sourceCompatibility = 1.8
 
 group = 'org.opencadc'
 
-version = '2.1.6'
+version = '2.1.7'
 
 description = 'OpenCADC VOSpace test library'
 def git_url = 'https://github.com/opencadc/vos'

diff --git a/cadc-test-vos/src/main/java/org/opencadc/conformance/vos/NodesTest.java b/cadc-test-vos/src/main/java/org/opencadc/conformance/vos/NodesTest.java
@@ -1010,9 +1010,26 @@ public void testPermissions() throws Exception {
                 201, putAction.getResponseCode());
         Assert.assertNull("expected PUT throwable == null", putAction.getThrowable());
 
-        log.debug("Delete node " + childURL);
+        // test owner of root directory fails to read and delete due to a lack of explicit permission
+        getAction = new HttpGet(childURL, true);
+        Subject.doAs(authSubject, new RunnableAction(getAction));
+        Assert.assertEquals(403, getAction.getResponseCode());
         HttpDelete deleteAction = new HttpDelete(childURL, true);
-        Subject.doAs(groupMember, new RunnableAction(deleteAction));
+        Subject.doAs(authSubject, new RunnableAction(deleteAction));
+        Assert.assertEquals(403, getAction.getResponseCode());
+
+        // Allocation owners have read and write access over their tree allocation.
+        // Make root node an allocation node by adding the quota properties and test that the owner of
+        // that node (authSubject) in their new role can now perform the above actions.
+        testNode.getProperties().add(new NodeProperty(VOS.PROPERTY_URI_QUOTA));
+        post(nodeURL, nodeURI, testNode);
+
+        getAction = new HttpGet(childURL, true);
+        Subject.doAs(authSubject, new RunnableAction(getAction));
+        Assert.assertEquals(200, getAction.getResponseCode());
+        log.debug("Delete node " + childURL);
+        deleteAction = new HttpDelete(childURL, true);
+        Subject.doAs(authSubject, new RunnableAction(deleteAction));
         log.debug("DELETE responseCode: " + deleteAction.getResponseCode());
         Assert.assertEquals("expected PUT response code = 200",
                 200, deleteAction.getResponseCode());

diff --git a/cadc-vos-server/build.gradle b/cadc-vos-server/build.gradle
@@ -16,7 +16,7 @@ sourceCompatibility = 1.8
 
 group = 'org.opencadc'
 
-version = '2.0.9'
+version = '2.0.10'
 
 description = 'OpenCADC VOSpace server'
 def git_url = 'https://github.com/opencadc/vos'

diff --git a/cadc-vos-server/src/main/java/org/opencadc/vospace/server/auth/VOSpaceAuthorizer.java b/cadc-vos-server/src/main/java/org/opencadc/vospace/server/auth/VOSpaceAuthorizer.java
@@ -182,6 +182,11 @@ public boolean hasSingleNodeReadPermission(Node node, Subject subject) {
                 return true; // OK
             }
 
+            if (isAllocationOwner(node, subject)) {
+                log.debug("Allocation owner granted read permission.");
+                return true; // OK
+            }
+
             checkDelegation(node, subject);
 
             if (log.isDebugEnabled()) {
@@ -228,6 +233,11 @@ public boolean hasSingleNodeWritePermission(Node node, Subject subject) {
                 return true; // OK
             }
 
+            if (isAllocationOwner(node, subject)) {
+                log.debug("Allocation owner granted write permission");
+                return true; // OK
+            }
+
             checkDelegation(node, subject);
 
             if (log.isDebugEnabled()) {
@@ -339,6 +349,25 @@ private boolean isOwner(Node node, Subject subject) {
         return false;
     }
 
+    /**
+     * Check if the specified subject is the owner of the allocation a node belongsto. Allocation owner
+     * is identified as the owner of the first node in the path that has an associated quota attribute set.
+     * @param node
+     * @param subject
+     * @return
+     */
+    private boolean isAllocationOwner(Node node, Subject subject) {
+
+        Node parent = node.parent;
+        while (parent != null) {
+            if (parent.getProperty(VOS.PROPERTY_URI_QUOTA) != null) {
+                return isOwner(parent, subject);
+            }
+            parent = parent.parent;
+        }
+        return false;
+    }
+
     /**
      * check for delegation cookie and, if present, does an authorization
      * against it.

diff --git a/cavern/src/test/resources/cadc-registry.properties b/cavern/src/test/resources/cadc-registry.properties
@@ -1,6 +1,6 @@
 # configure RegistryClient bootstrap
 ## BUG / HACK: this gets pulled into the intTest target so needs a legit value
-ca.nrc.cadc.reg.client.RegistryClient.baseURL = https://haproxy.cadc.dao.nrc.ca/reg/
+ca.nrc.cadc.reg.client.RegistryClient.baseURL = https://localhost.cadc.dao.nrc.ca/reg/
 
 # local authority map
 # <base standardID> = <authority>