feat: Add acl support

2024-10-03 14:55:10 +00:00 · 2020-08-07 11:54:27 +02:00
parent 011822e859
commit 0545ca121e
14 changed files with 524 additions and 13 deletions
--- a/test/unit/authorization/SimpleAclAuthorizer.test.ts
+++ b/test/unit/authorization/SimpleAclAuthorizer.test.ts
@@ -0,0 +1,170 @@
+import { AclManager } from '../../../src/authorization/AclManager';
+import { ContainerManager } from '../../../src/storage/ContainerManager';
+import { Credentials } from '../../../src/authentication/Credentials';
+import { ForbiddenHttpError } from '../../../src/util/errors/ForbiddenHttpError';
+import { NotFoundHttpError } from '../../../src/util/errors/NotFoundHttpError';
+import { PermissionSet } from '../../../src/ldp/permissions/PermissionSet';
+import { Representation } from '../../../src/ldp/representation/Representation';
+import { ResourceIdentifier } from '../../../src/ldp/representation/ResourceIdentifier';
+import { ResourceStore } from '../../../src/storage/ResourceStore';
+import { SimpleAclAuthorizer } from '../../../src/authorization/SimpleAclAuthorizer';
+import streamifyArray from 'streamify-array';
+import { UnauthorizedHttpError } from '../../../src/util/errors/UnauthorizedHttpError';
+import { namedNode, quad } from '@rdfjs/data-model';
+
+const nn = namedNode;
+
+const acl = 'http://www.w3.org/ns/auth/acl#';
+
+describe('A SimpleAclAuthorizer', (): void => {
+  let authorizer: SimpleAclAuthorizer;
+  const aclManager: AclManager = {
+    getAcl: async(id: ResourceIdentifier): Promise<ResourceIdentifier> =>
+      id.path.endsWith('.acl') ? id : { path: `${id.path}.acl` },
+    isAcl: async(id: ResourceIdentifier): Promise<boolean> => id.path.endsWith('.acl'),
+  };
+  const containerManager: ContainerManager = {
+    getContainer: async(id: ResourceIdentifier): Promise<ResourceIdentifier> =>
+      ({ path: new URL('..', id.path).toString() }),
+  };
+  let permissions: PermissionSet;
+  let credentials: Credentials;
+  let identifier: ResourceIdentifier;
+
+  beforeEach(async(): Promise<void> => {
+    permissions = {
+      read: true,
+      append: false,
+      write: false,
+    };
+    credentials = {};
+    identifier = { path: 'http://test.com/foo' };
+  });
+
+  it('handles all inputs.', async(): Promise<void> => {
+    authorizer = new SimpleAclAuthorizer(aclManager, containerManager, null as any);
+    await expect(authorizer.canHandle()).resolves.toBeUndefined();
+  });
+
+  it('allows access if the acl file allows all agents.', async(): Promise<void> => {
+    const store = {
+      getRepresentation: async(): Promise<Representation> => ({ data: streamifyArray([
+        quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
+        quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
+        quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
+      ]) } as Representation),
+    } as unknown as ResourceStore;
+    authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store);
+    await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toBeUndefined();
+  });
+
+  it('allows access if there is a parent acl file allowing all agents.', async(): Promise<void> => {
+    const store = {
+      async getRepresentation(id: ResourceIdentifier): Promise<Representation> {
+        if (id.path.endsWith('foo.acl')) {
+          throw new NotFoundHttpError();
+        }
+        return {
+          data: streamifyArray([
+            quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
+            quad(nn('auth'), nn(`${acl}default`), nn((await containerManager.getContainer(identifier)).path)),
+            quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
+          ]),
+        } as Representation;
+      },
+    } as unknown as ResourceStore;
+    authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store);
+    await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toBeUndefined();
+  });
+
+  it('allows access to authorized agents if the acl files allows all authorized users.', async(): Promise<void> => {
+    const store = {
+      getRepresentation: async(): Promise<Representation> => ({ data: streamifyArray([
+        quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/AuthenticatedAgent')),
+        quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
+        quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
+      ]) } as Representation),
+    } as unknown as ResourceStore;
+    authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store);
+    credentials.webID = 'http://test.com/user';
+    await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toBeUndefined();
+  });
+
+  it('errors if authorization is required but the agent is not authorized.', async(): Promise<void> => {
+    const store = {
+      getRepresentation: async(): Promise<Representation> => ({ data: streamifyArray([
+        quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/AuthenticatedAgent')),
+        quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
+        quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
+      ]) } as Representation),
+    } as unknown as ResourceStore;
+    authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store);
+    await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(UnauthorizedHttpError);
+  });
+
+  it('allows access to specific agents if the acl files identifies them.', async(): Promise<void> => {
+    credentials.webID = 'http://test.com/user';
+    const store = {
+      getRepresentation: async(): Promise<Representation> => ({ data: streamifyArray([
+        quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webID!)),
+        quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
+        quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
+      ]) } as Representation),
+    } as unknown as ResourceStore;
+    authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store);
+    await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toBeUndefined();
+  });
+
+  it('errors if a specific agents wants to access files not assigned to them.', async(): Promise<void> => {
+    credentials.webID = 'http://test.com/user';
+    const store = {
+      getRepresentation: async(): Promise<Representation> => ({ data: streamifyArray([
+        quad(nn('auth'), nn(`${acl}agent`), nn('http://test.com/differentUser')),
+        quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
+        quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
+      ]) } as Representation),
+    } as unknown as ResourceStore;
+    authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store);
+    await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(ForbiddenHttpError);
+  });
+
+  it('allows access to the acl file if control is allowed.', async(): Promise<void> => {
+    credentials.webID = 'http://test.com/user';
+    identifier.path = 'http://test.com/foo';
+    const store = {
+      getRepresentation: async(): Promise<Representation> => ({ data: streamifyArray([
+        quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webID!)),
+        quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
+        quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Control`)),
+      ]) } as Representation),
+    } as unknown as ResourceStore;
+    identifier = await aclManager.getAcl(identifier);
+    authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store);
+    await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toBeUndefined();
+  });
+
+  it('errors if an agent tries to edit the acl file without control permissions.', async(): Promise<void> => {
+    credentials.webID = 'http://test.com/user';
+    identifier.path = 'http://test.com/foo';
+    const store = {
+      getRepresentation: async(): Promise<Representation> => ({ data: streamifyArray([
+        quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webID!)),
+        quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
+        quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
+      ]) } as Representation),
+    } as unknown as ResourceStore;
+    identifier = await aclManager.getAcl(identifier);
+    authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store);
+    await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(ForbiddenHttpError);
+  });
+
+  it('passes errors of the ResourceStore along.', async(): Promise<void> => {
+    const store = {
+      async getRepresentation(): Promise<Representation> {
+        throw new Error('TEST!');
+      },
+    } as unknown as ResourceStore;
+    authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store);
+    await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow('TEST!');
+  });
+});
--- a/test/unit/authorization/SimpleExtensionAclManager.test.ts
+++ b/test/unit/authorization/SimpleExtensionAclManager.test.ts
@@ -0,0 +1,20 @@
+import { SimpleExtensionAclManager } from '../../../src/authorization/SimpleExtensionAclManager';
+
+describe('A SimpleExtensionAclManager', (): void => {
+  const manager = new SimpleExtensionAclManager();
+
+  it('generates acl URLs by adding an .acl extension.', async(): Promise<void> => {
+    await expect(manager.getAcl({ path: '/foo/bar' })).resolves.toEqual({ path: '/foo/bar.acl' });
+  });
+
+  it('returns the identifier if the input is already an acl file.', async(): Promise<void> => {
+    await expect(manager.getAcl({ path: '/foo/bar.acl' })).resolves.toEqual({ path: '/foo/bar.acl' });
+  });
+
+  it('checks if a resource is an acl file by looking at the extension.', async(): Promise<void> => {
+    await expect(manager.isAcl({ path: '/foo/bar' })).resolves.toBeFalsy();
+    await expect(manager.isAcl({ path: '/foo/bar/' })).resolves.toBeFalsy();
+    await expect(manager.isAcl({ path: '/foo/bar.acl' })).resolves.toBeTruthy();
+    await expect(manager.isAcl({ path: '/foo/bar.acl/' })).resolves.toBeTruthy();
+  });
+});
--- a/test/unit/ldp/permissions/SimplePermissionsExtractor.test.ts
+++ b/test/unit/ldp/permissions/SimplePermissionsExtractor.test.ts
@@ -13,34 +13,30 @@ describe('A SimplePermissionsExtractor', (): void => {
      read: true,
      append: false,
      write: false,
-      delete: false,
    });
  });

  it('requires write for POST operations.', async(): Promise<void> => {
    await expect(extractor.handle({ method: 'POST' } as Operation)).resolves.toEqual({
      read: false,
-      append: false,
+      append: true,
      write: true,
-      delete: false,
    });
  });

  it('requires write for PUT operations.', async(): Promise<void> => {
    await expect(extractor.handle({ method: 'PUT' } as Operation)).resolves.toEqual({
      read: false,
-      append: false,
+      append: true,
      write: true,
-      delete: false,
    });
  });

-  it('requires delete for DELETE operations.', async(): Promise<void> => {
+  it('requires write for DELETE operations.', async(): Promise<void> => {
    await expect(extractor.handle({ method: 'DELETE' } as Operation)).resolves.toEqual({
      read: false,
-      append: false,
-      write: false,
-      delete: true,
+      append: true,
+      write: true,
    });
  });
 });
--- a/test/unit/storage/UrlContainerManager.test.ts
+++ b/test/unit/storage/UrlContainerManager.test.ts
@@ -0,0 +1,31 @@
+import { UrlContainerManager } from '../../../src/storage/UrlContainerManager';
+
+describe('An UrlContainerManager', (): void => {
+  it('returns the parent URl for a single call.', async(): Promise<void> => {
+    const manager = new UrlContainerManager('http://test.com/foo/');
+    await expect(manager.getContainer({ path: 'http://test.com/foo/bar' }))
+      .resolves.toEqual({ path: 'http://test.com/foo/' });
+    await expect(manager.getContainer({ path: 'http://test.com/foo/bar/' }))
+      .resolves.toEqual({ path: 'http://test.com/foo/' });
+  });
+
+  it('errors when getting the container of root.', async(): Promise<void> => {
+    let manager = new UrlContainerManager('http://test.com/foo/');
+    await expect(manager.getContainer({ path: 'http://test.com/foo/' }))
+      .rejects.toThrow('Root does not have a container.');
+    await expect(manager.getContainer({ path: 'http://test.com/foo' }))
+      .rejects.toThrow('Root does not have a container.');
+
+    manager = new UrlContainerManager('http://test.com/foo');
+    await expect(manager.getContainer({ path: 'http://test.com/foo/' }))
+      .rejects.toThrow('Root does not have a container.');
+    await expect(manager.getContainer({ path: 'http://test.com/foo' }))
+      .rejects.toThrow('Root does not have a container.');
+  });
+
+  it('errors when the root of an URl is reached that does not match the input root.', async(): Promise<void> => {
+    const manager = new UrlContainerManager('http://test.com/foo/');
+    await expect(manager.getContainer({ path: 'http://test.com/' }))
+      .rejects.toThrow('URL root reached.');
+  });
+});