mirror of
https://github.com/CommunitySolidServer/CommunitySolidServer.git
synced 2024-10-03 14:55:10 +00:00
refactor: Refactor WebAclAuthorizer
Co-Authored-By: Ludovico Granata <Ludogranata@gmail.com>
This commit is contained in:
Simone Persiani
committed by
Joachim Van Herwegen
Joachim Van Herwegen
parent
73867f0827
commit
16ebfb329f
@@ -1,5 +1,6 @@
|
||||
import { namedNode, quad } from '@rdfjs/data-model';
|
||||
import type { Credentials } from '../../../src/authentication/Credentials';
|
||||
import type { AccessChecker } from '../../../src/authorization/access-checkers/AccessChecker';
|
||||
import { WebAclAuthorization } from '../../../src/authorization/WebAclAuthorization';
|
||||
import { WebAclAuthorizer } from '../../../src/authorization/WebAclAuthorizer';
|
||||
import type { AuxiliaryIdentifierStrategy } from '../../../src/ldp/auxiliary/AuxiliaryIdentifierStrategy';
|
||||
@@ -18,6 +19,7 @@ import { guardedStreamFrom } from '../../../src/util/StreamUtil';
|
||||
const nn = namedNode;
|
||||
|
||||
const acl = 'http://www.w3.org/ns/auth/acl#';
|
||||
const rdf = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#';
|
||||
|
||||
describe('A WebAclAuthorizer', (): void => {
|
||||
let authorizer: WebAclAuthorizer;
|
||||
@@ -26,12 +28,13 @@ describe('A WebAclAuthorizer', (): void => {
|
||||
isAuxiliaryIdentifier: (id: ResourceIdentifier): boolean => id.path.endsWith('.acl'),
|
||||
getAssociatedIdentifier: (id: ResourceIdentifier): ResourceIdentifier => ({ path: id.path.slice(0, -4) }),
|
||||
} as any;
|
||||
let store: ResourceStore;
|
||||
let store: jest.Mocked<ResourceStore>;
|
||||
const identifierStrategy = new SingleRootIdentifierStrategy('http://test.com/');
|
||||
let permissions: PermissionSet;
|
||||
let credentials: Credentials;
|
||||
let identifier: ResourceIdentifier;
|
||||
let authorization: WebAclAuthorization;
|
||||
let accessChecker: jest.Mocked<AccessChecker>;
|
||||
|
||||
beforeEach(async(): Promise<void> => {
|
||||
permissions = {
|
||||
@@ -60,18 +63,38 @@ describe('A WebAclAuthorizer', (): void => {
|
||||
store = {
|
||||
getRepresentation: jest.fn(),
|
||||
} as any;
|
||||
authorizer = new WebAclAuthorizer(aclStrategy, store, identifierStrategy);
|
||||
|
||||
accessChecker = {
|
||||
handleSafe: jest.fn().mockResolvedValue(true),
|
||||
} as any;
|
||||
|
||||
authorizer = new WebAclAuthorizer(aclStrategy, store, identifierStrategy, accessChecker);
|
||||
});
|
||||
|
||||
it('handles all non-acl inputs.', async(): Promise<void> => {
|
||||
authorizer = new WebAclAuthorizer(aclStrategy, null as any, identifierStrategy);
|
||||
authorizer = new WebAclAuthorizer(aclStrategy, null as any, identifierStrategy, accessChecker);
|
||||
await expect(authorizer.canHandle({ identifier } as any)).resolves.toBeUndefined();
|
||||
await expect(authorizer.canHandle({ identifier: aclStrategy.getAuxiliaryIdentifier(identifier) } as any))
|
||||
.rejects.toThrow(NotImplementedHttpError);
|
||||
});
|
||||
|
||||
it('handles all valid modes and ignores other ones.', async(): Promise<void> => {
|
||||
credentials.webId = 'http://test.com/user';
|
||||
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}fakeMode1`)),
|
||||
]) } as Representation);
|
||||
Object.assign(authorization.everyone, { read: true, write: true, append: true, control: false });
|
||||
Object.assign(authorization.user, { read: true, write: true, append: true, control: false });
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
|
||||
});
|
||||
|
||||
it('allows access if the acl file allows all agents.', async(): Promise<void> => {
|
||||
store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
|
||||
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
|
||||
quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
@@ -83,101 +106,71 @@ describe('A WebAclAuthorizer', (): void => {
|
||||
});
|
||||
|
||||
it('allows access if there is a parent acl file allowing all agents.', async(): Promise<void> => {
|
||||
store.getRepresentation = async(id: ResourceIdentifier): Promise<Representation> => {
|
||||
store.getRepresentation.mockImplementation(async(id: ResourceIdentifier): Promise<Representation> => {
|
||||
if (id.path.endsWith('foo.acl')) {
|
||||
throw new NotFoundHttpError();
|
||||
}
|
||||
return {
|
||||
data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
|
||||
quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
|
||||
quad(nn('auth'), nn(`${acl}default`), nn(identifierStrategy.getParentContainer(identifier).path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
]),
|
||||
} as Representation;
|
||||
};
|
||||
});
|
||||
Object.assign(authorization.everyone, { read: true, write: true, append: true });
|
||||
Object.assign(authorization.user, { read: true, write: true, append: true });
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
|
||||
});
|
||||
|
||||
it('allows access to authorized agents if the acl files allows all authorized users.', async(): Promise<void> => {
|
||||
store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${acl}agentClass`), nn(`${acl}AuthenticatedAgent`)),
|
||||
it('throws a ForbiddenHttpError if access is not granted and credentials have a WebID.', async(): Promise<void> => {
|
||||
accessChecker.handleSafe.mockResolvedValue(false);
|
||||
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
]) } as Representation);
|
||||
credentials.webId = 'http://test.com/user';
|
||||
Object.assign(authorization.user, { read: true, write: true, append: true });
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
|
||||
credentials.webId = 'http://test.com/alice/profile/card#me';
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(ForbiddenHttpError);
|
||||
});
|
||||
|
||||
it('errors if authorization is required but the agent is not authorized.', async(): Promise<void> => {
|
||||
store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${acl}agentClass`), nn(`${acl}AuthenticatedAgent`)),
|
||||
it('throws an UnauthorizedHttpError if access is not granted there are no credentials.', async(): Promise<void> => {
|
||||
accessChecker.handleSafe.mockResolvedValue(false);
|
||||
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
]) } as Representation);
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(UnauthorizedHttpError);
|
||||
});
|
||||
|
||||
it('allows access to specific agents if the acl files identifies them.', async(): Promise<void> => {
|
||||
credentials.webId = 'http://test.com/user';
|
||||
store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webId!)),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
]) } as Representation);
|
||||
Object.assign(authorization.user, { read: true, write: true, append: true });
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
|
||||
});
|
||||
|
||||
it('errors if a specific agents wants to access files not assigned to them.', async(): Promise<void> => {
|
||||
credentials.webId = 'http://test.com/user';
|
||||
store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${acl}agent`), nn('http://test.com/differentUser')),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
]) } as Representation);
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(ForbiddenHttpError);
|
||||
});
|
||||
|
||||
it('re-throws ResourceStore errors as internal errors.', async(): Promise<void> => {
|
||||
store.getRepresentation = async(): Promise<Representation> => {
|
||||
throw new Error('TEST!');
|
||||
};
|
||||
store.getRepresentation.mockRejectedValue(new Error('TEST!'));
|
||||
const promise = authorizer.handle({ identifier, permissions, credentials });
|
||||
await expect(promise).rejects.toThrow(`Error reading ACL for ${identifier.path}: TEST!`);
|
||||
await expect(promise).rejects.toThrow(InternalServerError);
|
||||
});
|
||||
|
||||
it('errors if the root container has no corresponding acl document.', async(): Promise<void> => {
|
||||
store.getRepresentation = async(): Promise<Representation> => {
|
||||
throw new NotFoundHttpError();
|
||||
};
|
||||
store.getRepresentation.mockRejectedValue(new NotFoundHttpError());
|
||||
const promise = authorizer.handle({ identifier, permissions, credentials });
|
||||
await expect(promise).rejects.toThrow('No ACL document found for root container');
|
||||
await expect(promise).rejects.toThrow(ForbiddenHttpError);
|
||||
});
|
||||
|
||||
it('allows an agent to append if they have write access.', async(): Promise<void> => {
|
||||
credentials.webId = 'http://test.com/user';
|
||||
identifier.path = 'http://test.com/foo';
|
||||
permissions = {
|
||||
read: false,
|
||||
write: false,
|
||||
append: true,
|
||||
control: false,
|
||||
};
|
||||
store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webId!)),
|
||||
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
]) } as Representation);
|
||||
Object.assign(authorization.everyone, { write: true, append: true });
|
||||
Object.assign(authorization.user, { write: true, append: true });
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
|
||||
});
|
||||
|
||||
@@ -0,0 +1,32 @@
|
||||
import { DataFactory, Store } from 'n3';
|
||||
import type { AccessCheckerArgs } from '../../../../src/authorization/access-checkers/AccessChecker';
|
||||
import { AgentAccessChecker } from '../../../../src/authorization/access-checkers/AgentAccessChecker';
|
||||
import { ACL } from '../../../../src/util/Vocabularies';
|
||||
import namedNode = DataFactory.namedNode;
|
||||
|
||||
describe('A AgentAccessChecker', (): void => {
|
||||
const webId = 'http://test.com/alice/profile/card#me';
|
||||
const acl = new Store();
|
||||
acl.addQuad(namedNode('match'), ACL.terms.agent, namedNode(webId));
|
||||
acl.addQuad(namedNode('noMatch'), ACL.terms.agent, namedNode('http://test.com/bob'));
|
||||
const checker = new AgentAccessChecker();
|
||||
|
||||
it('can handle all requests.', async(): Promise<void> => {
|
||||
await expect(checker.canHandle(null as any)).resolves.toBeUndefined();
|
||||
});
|
||||
|
||||
it('returns true if a match is found for the given WebID.', async(): Promise<void> => {
|
||||
const input: AccessCheckerArgs = { acl, rule: namedNode('match'), credentials: { webId }};
|
||||
await expect(checker.handle(input)).resolves.toBe(true);
|
||||
});
|
||||
|
||||
it('returns false if no match is found.', async(): Promise<void> => {
|
||||
const input: AccessCheckerArgs = { acl, rule: namedNode('noMatch'), credentials: { webId }};
|
||||
await expect(checker.handle(input)).resolves.toBe(false);
|
||||
});
|
||||
|
||||
it('returns false if the credentials contain no WebID.', async(): Promise<void> => {
|
||||
const input: AccessCheckerArgs = { acl, rule: namedNode('match'), credentials: {}};
|
||||
await expect(checker.handle(input)).resolves.toBe(false);
|
||||
});
|
||||
});
|
||||
@@ -0,0 +1,37 @@
|
||||
import { DataFactory, Store } from 'n3';
|
||||
import type { AccessCheckerArgs } from '../../../../src/authorization/access-checkers/AccessChecker';
|
||||
import { AgentClassAccessChecker } from '../../../../src/authorization/access-checkers/AgentClassAccessChecker';
|
||||
import { ACL, FOAF } from '../../../../src/util/Vocabularies';
|
||||
import namedNode = DataFactory.namedNode;
|
||||
|
||||
describe('An AgentClassAccessChecker', (): void => {
|
||||
const webId = 'http://test.com/alice/profile/card#me';
|
||||
const acl = new Store();
|
||||
acl.addQuad(namedNode('agentMatch'), ACL.terms.agentClass, FOAF.terms.Agent);
|
||||
acl.addQuad(namedNode('authenticatedMatch'), ACL.terms.agentClass, ACL.terms.AuthenticatedAgent);
|
||||
const checker = new AgentClassAccessChecker();
|
||||
|
||||
it('can handle all requests.', async(): Promise<void> => {
|
||||
await expect(checker.canHandle(null as any)).resolves.toBeUndefined();
|
||||
});
|
||||
|
||||
it('returns true if the rule contains foaf:agent as supported class.', async(): Promise<void> => {
|
||||
const input: AccessCheckerArgs = { acl, rule: namedNode('agentMatch'), credentials: {}};
|
||||
await expect(checker.handle(input)).resolves.toBe(true);
|
||||
});
|
||||
|
||||
it('returns true for authenticated users with an acl:AuthenticatedAgent rule.', async(): Promise<void> => {
|
||||
const input: AccessCheckerArgs = { acl, rule: namedNode('authenticatedMatch'), credentials: { webId }};
|
||||
await expect(checker.handle(input)).resolves.toBe(true);
|
||||
});
|
||||
|
||||
it('returns false for unauthenticated users with an acl:AuthenticatedAgent rule.', async(): Promise<void> => {
|
||||
const input: AccessCheckerArgs = { acl, rule: namedNode('authenticatedMatch'), credentials: {}};
|
||||
await expect(checker.handle(input)).resolves.toBe(false);
|
||||
});
|
||||
|
||||
it('returns false if no class rule is found.', async(): Promise<void> => {
|
||||
const input: AccessCheckerArgs = { acl, rule: namedNode('noMatch'), credentials: {}};
|
||||
await expect(checker.handle(input)).resolves.toBe(false);
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user