mirror of
https://github.com/CommunitySolidServer/CommunitySolidServer.git
synced 2024-10-03 14:55:10 +00:00
refactor: Refactor WebAclAuthorizer
Co-Authored-By: Ludovico Granata <Ludogranata@gmail.com>
This commit is contained in:
Simone Persiani
committed by
Joachim Van Herwegen
Joachim Van Herwegen
parent
73867f0827
commit
16ebfb329f
@@ -1,5 +1,6 @@
|
||||
import { namedNode, quad } from '@rdfjs/data-model';
|
||||
import type { Credentials } from '../../../src/authentication/Credentials';
|
||||
import type { AccessChecker } from '../../../src/authorization/access-checkers/AccessChecker';
|
||||
import { WebAclAuthorization } from '../../../src/authorization/WebAclAuthorization';
|
||||
import { WebAclAuthorizer } from '../../../src/authorization/WebAclAuthorizer';
|
||||
import type { AuxiliaryIdentifierStrategy } from '../../../src/ldp/auxiliary/AuxiliaryIdentifierStrategy';
|
||||
@@ -18,6 +19,7 @@ import { guardedStreamFrom } from '../../../src/util/StreamUtil';
|
||||
const nn = namedNode;
|
||||
|
||||
const acl = 'http://www.w3.org/ns/auth/acl#';
|
||||
const rdf = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#';
|
||||
|
||||
describe('A WebAclAuthorizer', (): void => {
|
||||
let authorizer: WebAclAuthorizer;
|
||||
@@ -26,12 +28,13 @@ describe('A WebAclAuthorizer', (): void => {
|
||||
isAuxiliaryIdentifier: (id: ResourceIdentifier): boolean => id.path.endsWith('.acl'),
|
||||
getAssociatedIdentifier: (id: ResourceIdentifier): ResourceIdentifier => ({ path: id.path.slice(0, -4) }),
|
||||
} as any;
|
||||
let store: ResourceStore;
|
||||
let store: jest.Mocked<ResourceStore>;
|
||||
const identifierStrategy = new SingleRootIdentifierStrategy('http://test.com/');
|
||||
let permissions: PermissionSet;
|
||||
let credentials: Credentials;
|
||||
let identifier: ResourceIdentifier;
|
||||
let authorization: WebAclAuthorization;
|
||||
let accessChecker: jest.Mocked<AccessChecker>;
|
||||
|
||||
beforeEach(async(): Promise<void> => {
|
||||
permissions = {
|
||||
@@ -60,18 +63,38 @@ describe('A WebAclAuthorizer', (): void => {
|
||||
store = {
|
||||
getRepresentation: jest.fn(),
|
||||
} as any;
|
||||
authorizer = new WebAclAuthorizer(aclStrategy, store, identifierStrategy);
|
||||
|
||||
accessChecker = {
|
||||
handleSafe: jest.fn().mockResolvedValue(true),
|
||||
} as any;
|
||||
|
||||
authorizer = new WebAclAuthorizer(aclStrategy, store, identifierStrategy, accessChecker);
|
||||
});
|
||||
|
||||
it('handles all non-acl inputs.', async(): Promise<void> => {
|
||||
authorizer = new WebAclAuthorizer(aclStrategy, null as any, identifierStrategy);
|
||||
authorizer = new WebAclAuthorizer(aclStrategy, null as any, identifierStrategy, accessChecker);
|
||||
await expect(authorizer.canHandle({ identifier } as any)).resolves.toBeUndefined();
|
||||
await expect(authorizer.canHandle({ identifier: aclStrategy.getAuxiliaryIdentifier(identifier) } as any))
|
||||
.rejects.toThrow(NotImplementedHttpError);
|
||||
});
|
||||
|
||||
it('handles all valid modes and ignores other ones.', async(): Promise<void> => {
|
||||
credentials.webId = 'http://test.com/user';
|
||||
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}fakeMode1`)),
|
||||
]) } as Representation);
|
||||
Object.assign(authorization.everyone, { read: true, write: true, append: true, control: false });
|
||||
Object.assign(authorization.user, { read: true, write: true, append: true, control: false });
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
|
||||
});
|
||||
|
||||
it('allows access if the acl file allows all agents.', async(): Promise<void> => {
|
||||
store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
|
||||
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
|
||||
quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
@@ -83,101 +106,71 @@ describe('A WebAclAuthorizer', (): void => {
|
||||
});
|
||||
|
||||
it('allows access if there is a parent acl file allowing all agents.', async(): Promise<void> => {
|
||||
store.getRepresentation = async(id: ResourceIdentifier): Promise<Representation> => {
|
||||
store.getRepresentation.mockImplementation(async(id: ResourceIdentifier): Promise<Representation> => {
|
||||
if (id.path.endsWith('foo.acl')) {
|
||||
throw new NotFoundHttpError();
|
||||
}
|
||||
return {
|
||||
data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
|
||||
quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
|
||||
quad(nn('auth'), nn(`${acl}default`), nn(identifierStrategy.getParentContainer(identifier).path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
]),
|
||||
} as Representation;
|
||||
};
|
||||
});
|
||||
Object.assign(authorization.everyone, { read: true, write: true, append: true });
|
||||
Object.assign(authorization.user, { read: true, write: true, append: true });
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
|
||||
});
|
||||
|
||||
it('allows access to authorized agents if the acl files allows all authorized users.', async(): Promise<void> => {
|
||||
store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${acl}agentClass`), nn(`${acl}AuthenticatedAgent`)),
|
||||
it('throws a ForbiddenHttpError if access is not granted and credentials have a WebID.', async(): Promise<void> => {
|
||||
accessChecker.handleSafe.mockResolvedValue(false);
|
||||
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
]) } as Representation);
|
||||
credentials.webId = 'http://test.com/user';
|
||||
Object.assign(authorization.user, { read: true, write: true, append: true });
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
|
||||
credentials.webId = 'http://test.com/alice/profile/card#me';
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(ForbiddenHttpError);
|
||||
});
|
||||
|
||||
it('errors if authorization is required but the agent is not authorized.', async(): Promise<void> => {
|
||||
store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${acl}agentClass`), nn(`${acl}AuthenticatedAgent`)),
|
||||
it('throws an UnauthorizedHttpError if access is not granted there are no credentials.', async(): Promise<void> => {
|
||||
accessChecker.handleSafe.mockResolvedValue(false);
|
||||
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
]) } as Representation);
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(UnauthorizedHttpError);
|
||||
});
|
||||
|
||||
it('allows access to specific agents if the acl files identifies them.', async(): Promise<void> => {
|
||||
credentials.webId = 'http://test.com/user';
|
||||
store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webId!)),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
]) } as Representation);
|
||||
Object.assign(authorization.user, { read: true, write: true, append: true });
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
|
||||
});
|
||||
|
||||
it('errors if a specific agents wants to access files not assigned to them.', async(): Promise<void> => {
|
||||
credentials.webId = 'http://test.com/user';
|
||||
store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${acl}agent`), nn('http://test.com/differentUser')),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
]) } as Representation);
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(ForbiddenHttpError);
|
||||
});
|
||||
|
||||
it('re-throws ResourceStore errors as internal errors.', async(): Promise<void> => {
|
||||
store.getRepresentation = async(): Promise<Representation> => {
|
||||
throw new Error('TEST!');
|
||||
};
|
||||
store.getRepresentation.mockRejectedValue(new Error('TEST!'));
|
||||
const promise = authorizer.handle({ identifier, permissions, credentials });
|
||||
await expect(promise).rejects.toThrow(`Error reading ACL for ${identifier.path}: TEST!`);
|
||||
await expect(promise).rejects.toThrow(InternalServerError);
|
||||
});
|
||||
|
||||
it('errors if the root container has no corresponding acl document.', async(): Promise<void> => {
|
||||
store.getRepresentation = async(): Promise<Representation> => {
|
||||
throw new NotFoundHttpError();
|
||||
};
|
||||
store.getRepresentation.mockRejectedValue(new NotFoundHttpError());
|
||||
const promise = authorizer.handle({ identifier, permissions, credentials });
|
||||
await expect(promise).rejects.toThrow('No ACL document found for root container');
|
||||
await expect(promise).rejects.toThrow(ForbiddenHttpError);
|
||||
});
|
||||
|
||||
it('allows an agent to append if they have write access.', async(): Promise<void> => {
|
||||
credentials.webId = 'http://test.com/user';
|
||||
identifier.path = 'http://test.com/foo';
|
||||
permissions = {
|
||||
read: false,
|
||||
write: false,
|
||||
append: true,
|
||||
control: false,
|
||||
};
|
||||
store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webId!)),
|
||||
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
|
||||
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
|
||||
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
|
||||
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
|
||||
]) } as Representation);
|
||||
Object.assign(authorization.everyone, { write: true, append: true });
|
||||
Object.assign(authorization.user, { write: true, append: true });
|
||||
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
|
||||
});
|
||||
|
||||
Reference in New Issue
Block a user