General Information

This is a place to record thoughts on the interaction of resource versions and WAC authorization in the context of the Fedora API alignment sprint.

JIRA issue:  Unable to locate Jira server for this macro. It may be due to Application Link configuration.

• If we are preserving ACLs as part of a version rather than using the original resource's, then for resources without an assigned or inherited ACLs Fedora would need to record the Default ACL at the time of the snapshot somehow. 5.3 Inheritance and Default ACLs
  • Similarly, an inherited ACL would also need to be recorded for the snapshot.

Design Questions

Open Questions

• Do we need a separate memento ontology or can we use PROV-O for most things?  There are examples of what a memento and LDPCv might look like here: 
• For information about TimeMap and TimeGate can these resources not list them explicity and just use some known url formatting for this?  We may not need the pointers to the TimeGate  / TimeMap inside the resources.
  • Timegate is LDPRv URL
  • TimeMap is LDPRv URL + "/fcr:versions"  
  • The code that retrieves the memento can construct the "original", "timemap" and "timegate" link headers from it's own URL – is that okay to do?
• If the mementos have containment triples which point to other resource (either LDPRs or LDPRm's) how do we avoid an issue of the child being in two containers? 
  • LDPRm Creation Example
  • Discussed by a subgroup – decided that we need to research this more. 

Answered Questions:

• Fedora Modeshape implementation will cleanup inbound references upon deletion of an object.  How do we keep the mementos intact and immutable if something they reference disappears? 
  • Handling Deletion of Referenced Resources / Mementos

        One way to fix this is to update the system so that links to other resources are URIs and not node references

• Should Fedora Modeshape allow snapshot (tree) versioning? What modeshape currently does in that scenario does not create actual mementos for ldp:contained resources.

        The initial version of this change will not allow snapshot(tree) versioning.  The first pass at spec compliance will only include versioning one resource at a time. 

• Should the mementos that have ldp containment triples reference the current resource in those triples or a memento of those resources?  Some of it depends on how the memento was created (as a tree or solo resource). 
  • i.e., should </a/fcr:versions/vnum> ldp:contains </a/b> or ldp:contains </a/b/fcr:versions/vnum>

        The discussion was to have the ldp:containment triples reference the cannonical URL of the resources.  

• When versioning a tree of resources, what happens if one of the resources in the tree does not have the version interaction model attached to it?

        Given that we will not be doing snapshot (tree) versioning at this point, this should not be an issue to consider at the present time. 

Delta Documentation

For versioning: Versioning Delta/Specification Notes

For authorization: TBD

Design

Before reading through this, it would be good to review the Fedora Specification Versioning Section as well as understand the Memento Terminology. 

This design relates specifically to how versioning could be done in the Modeshape Implementation of Fedora 4

Players 

• LDPR - original resource
• LDPRv - same as LDPR, but it has the versioning interaction model turned on (http://fedora.info/definitions/fcrepo#VersionedResource). This implies that it is a TimeGate and has a TimeMap.
• TimeGate - a resource which provides access to LDPRms belonging to a LDPRv via datetime negotiation.  This is the LDPRv.
  
• LDPCv - a LDP container that contains the LDPRms associated with a LDPRv.  Since the TimeMap response is generated from this information the LDPCv and TimeMap are generally considered to be the same, but the LDPCv may contain more information than what is delivered in a TimeMap response. 
• TimeMap - a resource from which a list of URIs of Mementos of the Original Resource is available.
  
• LDPRm - a specific version/memento of a LDPR.  The LDPRv is not a LDPRm itself.

RESTful Interactions

1. Enable Versioning on a LDPR

   1. A PUT or POST request to create an object will make a resource versionable if it includes header Link: rel="type" with type of http://fedora.info/definitions/fcrepo#VersionedResource

      1. A LDPR will be created as a LDPRv with the versioning type.

      2. A LDPCv will be created, from which a TimeMap can be generated.

      3. A LDPRm will be generated, contained by the LDPCv.

      4. Any subsequent responses from the LDPRv will include the appropriate memento links in the header: Timegate, Timemap

   2. A PUT request to an Existing LDPR will make a resource versionable if it includes header Link: rel="type" with type of http://fedora.info/definitions/fcrepo#VersionedResource

      1. The versioning type will be added to the LDPR, making it a LDPRv.

      2. A LDPCv will be created, from which a TimeMap can be generated.

      3. A LDPRm will be generated, contained by the LDPCv.

      4. Any subsequent responses from the LDPRv will include the appropriate memento links in the header: timegate, timemap

2. Check if a resource is versionable and discover the TimeMap/LDPCv

   1. A HEAD request on the LDPRv will return response with Link rel="type" http://fedora.info/definitions/fcrepo#VersionedResource which indicates versioning support and a 'Link rel="timemap"' points to the URL of the LDPCv/TimeMap.

3. Check if the client can create versions

   1. An OPTIONS request on LDPCv/TimeMap that contains an "Allow: POST" header indicates that versions can be created by a client.

4. Creating a new version of a LDPRv 

   • Note: when creating a new version of the LDPRv, only the single resource itself will be versioned. There is no concept of "tree" snapshots anymore. 

   1. A POST request to the LDPCv with an empty body and no "Memento-Datetime" header will cause a new memento of the LDPRv to be created with current date/time. 

   2. A POST request to the LDPCv with header "Memento-Datetime" and no body will create a historic verision with current state of the LDPRv with the specificed date/time. 

   3. A POST request to the LDPCv with header "Memento-Datetime" and a body will create a historic version with the specified body and date/time.

   4. A POST request to the LDPCv with a body and no "Memento-Datetime" header to create a version with the specified body and the current datetime.

5. Access the TimeMap (LDPCv) to see what versions exist

   1. A GET request to the LDPCv with the "Accept: application/link-format" header will cause the TimeMap to be returned. 

   2. A GET request to the LDPCv with no "Accept:" header, or one specificying an RDF format will result in the LDPCv being returned in rdf format. 

   3. The response from the GET will include a "Vary-Post: Memento-Datetime" to indicate that a client can request a specific time be associated with a memento when it's created via a POST. 

6. Access an existing version (LDPRm)

   1. A GET request to the TimeGate Resource (the LDPRv itself) with "Accept-Datetime" header specified will return the LDPRm associated with that datetime, or the closest one if there is not an exact match. 

      • example header usage:  "Accept-Datetime: Thu, 31 May 2007 20:35:00 GMT"

      • a Link header will be in the response to show the TimeGate URI 

   2. A GET request to LDPRm/Memento (if the LDPRm/Memento has its own URI), will result in the memento being returned if it exists.

   3. See: Datetime negotiation algorithm example for Accept-Datetime negotiation details.

   4. Any response from the LDPRv will include link relation headers of type "timegate" (referring to the LDPRv), "original" (also referring to this LDPRv), and "timemap" (referencing the URI of the LDPCv). 

7. Delete an existing version (LDPRm)

   1. A DELETE request to LDPRm/Memento will result in that memento being deleted. 

8. Restore an existing version (LDPRm) 

   • Note: This interaction still needs to be ironed out as this is currently under discussion in Spec Issue 217

   1. A PUT request to LDPRv/TimeGate with header (can't be Content-Location, but something like it) pointing to the LDPRm/Memento URI to indicate the version to restore
      - OR - A PATCH request to LDPRv/TimeGate with no body and a "Memento-Datetime"  header indicating the version to restore, will result in the memento that relates to that date/time being restored. 

Internal Interactions / Algorithms

Finding the ACL on a LDPRm (memento)

Memento and Security

Memento has very little to say about security, mainly just that it is up to the server in terms of how access to previous versions work (most likely we want it to behave the same way it behaved at the point of the snapshot, but that is something that needs to be decided), and what memento headers to expose during authentication:

https://tools.ietf.org/html/rfc7089#section-7

There are three separate entities when looking at ACLs.  

1. LDPRv - the original resource. Potentially has it's own ACL or has one via inheritance.
2. LDPCv - is a full LDPR in and of itself and should have it's own ACL because it's a means of discovery for finding information about mementos.
3. LDPRm - is a full LDPR as well, but the existing ACL that it references should maybe not be it's ACL anymore, so that an admin can further change azn to the mementos w/o affecting the original LDPR. 

Use Cases: 

1. user has access to the LDRPv but not the mementos, but can they see the TimeMap? 
   1. This imples that the LDPRv has different ACL then the LDPRm's.  The LDPCv would probably have a different one as well.  
2. user has access to the LDPRv and the mementos - they can see everything
3. user has access to the mementos, but not the LDPRv. They can see the TimeMap and mementos.  

To find the ACL that relates to a LDPRm, follow this algorithm:

1. First look at the LDPCv for the LDPRm to see if it has an access control triple for memento items associated with it ('memento:accessControl').  If so, stop there and honor that ACL as it will apply to all mementos it contains.
2. Otherwise follow the pattern specified by the SOLID WebAC specification for finding an ACL for a LDPRv:
   
   1. Use the document's (LDPR/LDPRv) own ACL resource if it exists (in which case, stop here).
   2. Otherwise, look for authorizations to inherit from the ACL of the (LDPRv) document's container. If those are found, stop here.
   3. Failing that, check the LDPRv container's parent container to see if that has its own ACL file, and see if there are any permissions to inherit.
   4. Failing that, move up the container hierarchy for the LDPRv until you find a container with an existing ACL file, which has some permissions to inherit.
   5. The root container of a user's account MUST have an ACL resource specified. (If all else fails, the search stops there.)
      1. For fedora, there is no root container for a user - but there is a default ACL applied to the server overall.  Should this algorithm fail to find an ACL at the root of the LDPRv's tree, it shall default to this system wide default ACL. 

Given this, the following is then true: 

• LDPCv's can have an ACL applied to them. If not, then the LDPRv's ACL applies to all the mementos in the LDPCv.
• LDPRv and it's mementos can have different ACLs.  

Internal Representation of resources

Here's an example of a LDPRv - what signifies that it is a LDPRv is that a request on the LDPRv returns memento related 'Link' headers in the reponse.  These 'Link' headers point to the TimeMap and TimeGate for this resource . The current behavior is that a 'hasVersions' triple is returned when a LDPR is requested. 

$ curl http://localhost:8080/rest/xyz


HTTP/1.1 200 OK
Date: Mon, 18 Sep 2017 14:58:26 GMT
Link: <http://localhost:8080/rest/xyz>; rel="original timegate"
Link: <http://localhost:8080/rest/xyz/fcr:versions>; rel="timemap"; from="Fri, 8 Sep 2017 21:35:19 GMT"; until="Mon, 11 Sep 2017 15:41:04 GMT";

@prefix premis:  <http://www.loc.gov/premis/rdf/v1#> .
@prefix rdfs:  <http://www.w3.org/2000/01/rdf-schema#> .
@prefix rdf:  <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix fedora:  <http://fedora.info/definitions/v4/repository#> .
@prefix ldp:  <http://www.w3.org/ns/ldp#> .

<http://localhost:8080/rest/xyz>
        rdf:type               fedora:Container ;
        rdf:type               fedora:Resource ;
        rdf:type               ldp:RDFSource ;
        rdf:type               ldp:Container ;
        fedora:lastModifiedBy  "bypassAdmin"^^<http://www.w3.org/2001/XMLSchema#string> ;
        fedora:createdBy       "bypassAdmin"^^<http://www.w3.org/2001/XMLSchema#string> ;
        fedora:lastModified    "2017-09-18T20:01:33.501Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> ;
        fedora:created         "2017-09-15T21:19:49.731Z"^^<http://www.w3.org/2001/XMLSchema#dateTime> ;
        fedora:writable        "true"^^<http://www.w3.org/2001/XMLSchema#boolean> ;
        fedora:hasParent       <http://localhost:8080/rest> ;
        ldp:contains           <http://localhost:8080/rest/xyz/abc> ;

LDPCv - Memento Container (TimeMap)

@prefix acl:  <http://www.w3.org/ns/auth/acl#> .
@prefix iana:  <http://www.iana.org/assignments/relation/> .
@prefix ldp:  <http://www.w3.org/ns/ldp#> .
@prefix memento:  <http://example.com/memento#> .
@prefix rdf:  <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix time: <http://www.w3.org/2006/time#> .

</path/to/resource/xyz/fcr:versions> a ldp:Container ;
   acl:hasAccessControl </path/to/acls> ;    # this is for the LDPCv itself, for the TimeMap retrieval
   prov:startedAtTime "2017-09-08T21:35:19Z"^^xsd:dateTime ;  # first memento
   prov:endedAtTime   "2017-09-11T15:41:04Z"^^xsd:dateTime ;  # last memento


   memento:hasAccessControl </path/to/acls> ;
   memento:hasOriginalResource  </path/to/orig/resource/xyz> ;  # how else can we represent this? is this a given based on url? 
   memento:hasTimeGate </path/to/orig/resource/xyz> ;           # how else can we represent this? is this a given based on url?
  
   iana:first </path/to/resource/xyz/fcr:versions/12344> ;
   iana:last </path/to/resource/xyz/fcr:versions/12347> ;
   ldp:contains </path/to/resource/xyz/fcr:versions/12344>, </path/to/resource/xyz/fcr:versions/12345>, 
      </path/to/resource/xyz/fcr:versions/12347>, </path/to/resource/xyz/fcr:versions/12346> .

The use of IANA may or may not work here - esp if the original object's snapshot is in this LDPRm directly - we need to make sure that triples don't overlap. If we stick with all memento triples, then we can strip them out and have the version of the resource the user is after.  

LDPRm - Memento

@prefix acl:  <http://www.w3.org/ns/auth/acl#> .
@prefix iana:  <http://www.iana.org/assignments/relation/> .
@prefix ldp:  <http://www.w3.org/ns/ldp#> .
@prefix memento:  <http://example.com/memento#> .
@prefix rdf:  <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix time: <http://www.w3.org/2006/time#> .

</path/to/resource/xyz/fcr:versions/12345> a ldp:RDFSource , prov:InstantaneousEvent;
    prov:atTime "2012-04-30T20:40:40"^^xsd:dateTime;
    memento:hasTimegate </path/to/orig/resource/xyz> ;    # how else can we represent this? is this this a given based on url?
    memento:hasOriginalResource </path/to/orig/resource/xyz> ;   # how else can we represent this? Is this a given based on url? 
    iana:next </path/to/xyz/fcr:versions/12346> ;   # to memento
    iana:prev </path/to/xyz/fcr:versions/12344> ;   # to memento
    
   ... triples from original resource at the time of versioning... 
 
 or, if we keep them separate, it might look like this:
(I'm not clear on how a binary and it's metadata would be represented)
    ldp:contains </path/to/xyz/fcr:versions/12345/version> ,
        </path/to/xyz/fcr:versions/12345/version/fcr:metadata> ;   
    

Use Cases

Versioning/Authorization Use-Cases

Issues / Concerns:

URIs in LDPRm, and the "multiple parent" problem

It seems to be difficult to determine the identity of the "parent" of a resource via ldp:contains with versioning.  

1. LDPR contains LDPR (without versioning).  This one is simple.  A ldp:contains A/B.  A/B has exactly one parent:  A.
2. LDPRv contains LDPRv.  This one is also pretty simple.  A ldp:contains A/B, A/B has exactly one parent: A.
3. LDPRm contains LDPRv.  This one is a little less straightforward.  There could be multiple resources that assert they contain B:  What does a client need to know the identity of the resource that contains B?
   1. A_m1 (an LDPRm for A):  <A_m1> <ldp:contains> <B> 
   2. A_m2 (a different LDPRm for A): <A_m2> <ldp:contaiins> <B>
   3. A (an LDPRv): <A> <ldp:contains> <B>
4. LDPRm contains LDPRm. This one causes problems due to the fact that an LDPRm MUST be contained by an LDPCv as well.  For memento B_m1 of resource B What does a client need to know in order to determine which one is B_m1's parent via containment?:
   1. A_m1 (an LDPRm for A):  <A_m1> <ldp:contains> <B_m1> 
   2. A_m2 (a different LDPRm for A): <A_m2> <ldp:contaiins> <B_m1>
   3. B_cv (The LDPCv for B):  <B_cv> <ldp:contains> <B_m1>

Snapshot Versioning (problem ?)

The current fedora implementation creates (and links to) new LDPRs when a non-empty LDPRv is versioned. These resources are neither an LDPRv, nor LDPRm

For example, consider a container A  and A/B where A ldp:contains B.

Creating a version v1 of <A> creates a resource <A/fcr:versions/v1>.  This is essentially an LDPRm, and contains triple <A/fcr:versions/v1> ldp:contains <A/fcr:versions/v1/B>.  

Issues are:

1. <A/fcr:versions/v1/B> is a new LDPR, bit its relationship to versioning is not defined in any spec.  It is not an LDPRv, nor an LDPRm.  It does not the have equivalent of an LDPCv associated with it.
2. There is no explicit or implicit relationship between <A/fcr:versions/v1/B> and <B>

All of this may be fine, but it lies outside of any specification.  Essentially, "when you create a new version of a resource, that resource versions now points new and different things that it didn't previously point to, and have nothing to do with versioning"