refactor: Refactor WebAclAuthorizer

Co-Authored-By: Ludovico Granata <Ludogranata@gmail.com>
2024-10-03 14:55:10 +00:00 · 2021-08-17 16:51:50 +02:00 · 2021-08-17 16:51:50 +02:00 · 16ebfb329f
commit 16ebfb329f
parent 73867f0827
12 changed files with 252 additions and 135 deletions
--- a/config/ldp/authorization/authorizers/access-checkers/agent-class.json
+++ b/config/ldp/authorization/authorizers/access-checkers/agent-class.json
@ -0,0 +1,10 @@
 {
  "@context": "https://linkedsoftwaredependencies.org/bundles/npm/@solid/community-server/^1.0.0/components/context.jsonld",
  "@graph": [
    {
      "comment": "Checks access based on the agent being authenticated or not.",
      "@id": "urn:solid-server:default:AgentClassAccessChecker",
      "@type": "AgentClassAccessChecker"
    }
  ]
 }
--- a/config/ldp/authorization/authorizers/access-checkers/agent.json
+++ b/config/ldp/authorization/authorizers/access-checkers/agent.json
@ -0,0 +1,10 @@
 {
  "@context": "https://linkedsoftwaredependencies.org/bundles/npm/@solid/community-server/^1.0.0/components/context.jsonld",
  "@graph": [
    {
      "comment": "Checks if a specific WebID has access.",
      "@id": "urn:solid-server:default:AgentAccessChecker",
      "@type": "AgentAccessChecker"
    }
  ]
 }
--- a/config/ldp/authorization/authorizers/acl.json
+++ b/config/ldp/authorization/authorizers/acl.json
@ -1,5 +1,9 @@
 {
  "@context": "https://linkedsoftwaredependencies.org/bundles/npm/@solid/community-server/^1.0.0/components/context.jsonld",
  "import": [
    "files-scs:config/ldp/authorization/authorizers/access-checkers/agent.json",
    "files-scs:config/ldp/authorization/authorizers/access-checkers/agent-class.json"
  ],
  "@graph": [
    {
      "@id": "urn:solid-server:default:WebAclAuthorizer",
@ -12,6 +16,13 @@
      },
      "identifierStrategy": {
        "@id": "urn:solid-server:default:IdentifierStrategy"
      },
      "accessChecker": {
        "@type": "BooleanHandler",
        "handlers": [
          { "@id": "urn:solid-server:default:AgentAccessChecker" },
          { "@id": "urn:solid-server:default:AgentClassAccessChecker" }
        ]
      }
    }
  ]
--- a/src/authorization/WebAclAuthorizer.ts
+++ b/src/authorization/WebAclAuthorizer.ts
@ -16,15 +16,22 @@ import { NotImplementedHttpError } from '../util/errors/NotImplementedHttpError'
 import { UnauthorizedHttpError } from '../util/errors/UnauthorizedHttpError';
 import type { IdentifierStrategy } from '../util/identifiers/IdentifierStrategy';
 import { readableToQuads } from '../util/StreamUtil';
-import { ACL, FOAF } from '../util/Vocabularies';
+import { ACL, RDF } from '../util/Vocabularies';
 import type { AccessChecker } from './access-checkers/AccessChecker';
 import type { AuthorizerArgs } from './Authorizer';
 import { Authorizer } from './Authorizer';
 import { WebAclAuthorization } from './WebAclAuthorization';
 const modesMap: Record<string, keyof PermissionSet> = {
  [ACL.Read]: 'read',
  [ACL.Write]: 'write',
  [ACL.Append]: 'append',
  [ACL.Control]: 'control',
 } as const;
 /**
- * Handles most web access control predicates such as
+ * Handles authorization according to the WAC specification.
- * `acl:mode`, `acl:agentClass`, `acl:agent`, `acl:default` and `acl:accessTo`.
+ * Specific access checks are done by the provided {@link AccessChecker}.
 * Does not support `acl:agentGroup`, `acl:origin` and `acl:trustedApp` yet.
 */
 export class WebAclAuthorizer extends Authorizer {
  protected readonly logger = getLoggerFor(this);
@ -32,13 +39,15 @@ export class WebAclAuthorizer extends Authorizer {
  private readonly aclStrategy: AuxiliaryIdentifierStrategy;
  private readonly resourceStore: ResourceStore;
  private readonly identifierStrategy: IdentifierStrategy;
  private readonly accessChecker: AccessChecker;
  public constructor(aclStrategy: AuxiliaryIdentifierStrategy, resourceStore: ResourceStore,
-    identifierStrategy: IdentifierStrategy) {
+    identifierStrategy: IdentifierStrategy, accessChecker: AccessChecker) {
    super();
    this.aclStrategy = aclStrategy;
    this.resourceStore = resourceStore;
    this.identifierStrategy = identifierStrategy;
    this.accessChecker = accessChecker;
  }
  public async canHandle({ identifier }: AuthorizerArgs): Promise<void> {
@ -59,7 +68,7 @@ export class WebAclAuthorizer extends Authorizer {
    // Determine the full authorization for the agent granted by the applicable ACL
    const acl = await this.getAclRecursive(identifier);
-    const authorization = this.createAuthorization(credentials, acl);
+    const authorization = await this.createAuthorization(credentials, acl);
    // Verify that the authorization allows all required modes
    for (const mode of modes) {
@ -82,11 +91,11 @@ export class WebAclAuthorizer extends Authorizer {
   * @param agent - Agent whose credentials will be used for the `user` field.
   * @param acl - Store containing all relevant authorization triples.
   */
-  private createAuthorization(agent: Credentials, acl: Store): WebAclAuthorization {
+  private async createAuthorization(agent: Credentials, acl: Store): Promise<WebAclAuthorization> {
-    const publicPermissions = this.determinePermissions({}, acl);
+    const publicPermissions = await this.determinePermissions({}, acl);
-    const userPermissions = this.determinePermissions(agent, acl);
+    const agentPermissions = await this.determinePermissions(agent, acl);
-    return new WebAclAuthorization(userPermissions, publicPermissions);
+    return new WebAclAuthorization(agentPermissions, publicPermissions);
  }
  /**
@ -94,16 +103,34 @@ export class WebAclAuthorizer extends Authorizer {
   * @param credentials - Credentials to find the permissions for.
   * @param acl - Store containing all relevant authorization triples.
   */
-  private determinePermissions(credentials: Credentials, acl: Store): PermissionSet {
+  private async determinePermissions(credentials: Credentials, acl: Store): Promise<PermissionSet> {
-    const permissions: PermissionSet = {
+    const permissions = {
      read: false,
      write: false,
      append: false,
      control: false,
    };
-    for (const mode of (Object.keys(permissions) as (keyof PermissionSet)[])) {
+
-      permissions[mode] = this.hasPermission(credentials, acl, mode);
+    // Apply all ACL rules
    const aclRules = acl.getSubjects(RDF.type, ACL.Authorization, null);
    for (const rule of aclRules) {
      const hasAccess = await this.accessChecker.handleSafe({ acl, rule, credentials });
      if (hasAccess) {
        // Set all allowed modes to true
        const modes = acl.getObjects(rule, ACL.mode, null);
        for (const { value: mode } of modes) {
          if (mode in modesMap) {
            permissions[modesMap[mode]] = true;
          }
        }
      }
    }
    if (permissions.write) {
      // Write permission implies Append permission
      permissions.append = true;
    }
    return permissions;
  }
@ -130,75 +157,6 @@ export class WebAclAuthorizer extends Authorizer {
    }
  }
  /**
   * Checks if the given agent has permission to execute the given mode based on the triples in the ACL.
   * @param agent - Agent that wants access.
   * @param acl - A store containing the relevant triples for authorization.
   * @param mode - Which mode is requested.
   */
  private hasPermission(agent: Credentials, acl: Store, mode: keyof PermissionSet): boolean {
    // Collect all authorization blocks for this specific mode
    const modeString = ACL[this.capitalize(mode) as 'Write' | 'Read' | 'Append' | 'Control'];
    const auths = this.getModePermissions(acl, modeString);
    // Append permissions are implied by Write permissions
    if (modeString === ACL.Append) {
      auths.push(...this.getModePermissions(acl, ACL.Write));
    }
    // Check if any collected authorization block allows the specific agent
    return auths.some((term): boolean => this.hasAccess(agent, term, acl));
  }
  /**
   * Capitalizes the input string.
   * @param mode - String to transform.
   *
   * @returns The capitalized string.
   */
  private capitalize(mode: string): string {
    return `${mode[0].toUpperCase()}${mode.slice(1).toLowerCase()}`;
  }
  /**
   * Returns the identifiers of all authorizations that grant the given mode access for a resource.
   * @param acl - The store containing the quads of the ACL resource.
   * @param aclMode - A valid acl mode (ACL.Write/Read/...)
   */
  private getModePermissions(acl: Store, aclMode: string): Term[] {
    return acl.getQuads(null, ACL.mode, aclMode, null).map((quad: Quad): Term => quad.subject);
  }
  /**
   * Checks if the given agent has access to the modes specified by the given authorization.
   * @param agent - Credentials of agent that needs access.
   * @param auth - acl:Authorization that needs to be checked.
   * @param acl - A store containing the relevant triples of the authorization.
   *
   * @returns If the agent has access.
   */
  private hasAccess(agent: Credentials, auth: Term, acl: Store): boolean {
    // Check if public access is allowed
    if (acl.countQuads(auth, ACL.agentClass, FOAF.Agent, null) !== 0) {
      return true;
    }
    // Check if authenticated access is allowed
    if (this.isAuthenticated(agent)) {
      // Check if any authenticated agent is allowed
      if (acl.countQuads(auth, ACL.agentClass, ACL.AuthenticatedAgent, null) !== 0) {
        return true;
      }
      // Check if this specific agent is allowed
      if (acl.countQuads(auth, ACL.agent, agent.webId, null) !== 0) {
        return true;
      }
    }
    // Neither unauthenticated nor authenticated access are allowed
    return false;
  }
  /**
   * Returns the ACL triples that are relevant for the given identifier.
   * These can either be from a corresponding ACL document or an ACL document higher up with defaults.
--- a/src/authorization/access-checkers/AccessChecker.ts
+++ b/src/authorization/access-checkers/AccessChecker.ts
@ -0,0 +1,25 @@
 import type { Store, Term } from 'n3';
 import type { Credentials } from '../../authentication/Credentials';
 import { AsyncHandler } from '../../util/handlers/AsyncHandler';
 /**
 * Performs an authorization check against the given acl resource.
 */
 export abstract class AccessChecker extends AsyncHandler<AccessCheckerArgs, boolean> {}
 export interface AccessCheckerArgs {
  /**
   *  A store containing the relevant triples of the authorization.
   */
  acl: Store;
  /**
   * Authorization rule to be processed.
   */
  rule: Term;
  /**
   * Credentials of the entity that wants to use the resource.
   */
  credentials: Credentials;
 }
--- a/src/authorization/access-checkers/AgentAccessChecker.ts
+++ b/src/authorization/access-checkers/AgentAccessChecker.ts
@ -0,0 +1,15 @@
 import { ACL } from '../../util/Vocabularies';
 import type { AccessCheckerArgs } from './AccessChecker';
 import { AccessChecker } from './AccessChecker';
 /**
 * Checks if the given WebID has been given access.
 */
 export class AgentAccessChecker extends AccessChecker {
  public async handle({ acl, rule, credentials }: AccessCheckerArgs): Promise<boolean> {
    if (typeof credentials.webId === 'string') {
      return acl.countQuads(rule, ACL.terms.agent, credentials.webId, null) !== 0;
    }
    return false;
  }
 }
--- a/src/authorization/access-checkers/AgentClassAccessChecker.ts
+++ b/src/authorization/access-checkers/AgentClassAccessChecker.ts
@ -0,0 +1,20 @@
 import { ACL, FOAF } from '../../util/Vocabularies';
 import type { AccessCheckerArgs } from './AccessChecker';
 import { AccessChecker } from './AccessChecker';
 /**
 * Checks access based on the agent class.
 */
 export class AgentClassAccessChecker extends AccessChecker {
  public async handle({ acl, rule, credentials }: AccessCheckerArgs): Promise<boolean> {
    // Check if unauthenticated agents have access
    if (acl.countQuads(rule, ACL.terms.agentClass, FOAF.terms.Agent, null) !== 0) {
      return true;
    }
    // Check if the agent is authenticated and if authenticated agents have access
    if (typeof credentials.webId === 'string') {
      return acl.countQuads(rule, ACL.terms.agentClass, ACL.terms.AuthenticatedAgent, null) !== 0;
    }
    return false;
  }
 }
--- a/src/index.ts
+++ b/src/index.ts
@ -17,6 +17,11 @@ export * from './authorization/PathBasedAuthorizer';
 export * from './authorization/WebAclAuthorization';
 export * from './authorization/WebAclAuthorizer';
 // Authorization/access-checkers
 export * from './authorization/access-checkers/AccessChecker';
 export * from './authorization/access-checkers/AgentAccessChecker';
 export * from './authorization/access-checkers/AgentClassAccessChecker';
 // Identity/Configuration
 export * from './identity/configuration/IdentityProviderFactory';
 export * from './identity/configuration/ProviderFactory';
--- a/src/util/Vocabularies.ts
+++ b/src/util/Vocabularies.ts
@ -60,6 +60,7 @@ export const ACL = createUriAndTermNamespace('http://www.w3.org/ns/auth/acl#',
  'agent',
  'agentClass',
  'AuthenticatedAgent',
  'Authorization',
  'default',
  'mode',
--- a/test/unit/authorization/WebAclAuthorizer.test.ts
+++ b/test/unit/authorization/WebAclAuthorizer.test.ts
@ -1,5 +1,6 @@
 import { namedNode, quad } from '@rdfjs/data-model';
 import type { Credentials } from '../../../src/authentication/Credentials';
 import type { AccessChecker } from '../../../src/authorization/access-checkers/AccessChecker';
 import { WebAclAuthorization } from '../../../src/authorization/WebAclAuthorization';
 import { WebAclAuthorizer } from '../../../src/authorization/WebAclAuthorizer';
 import type { AuxiliaryIdentifierStrategy } from '../../../src/ldp/auxiliary/AuxiliaryIdentifierStrategy';
@ -18,6 +19,7 @@ import { guardedStreamFrom } from '../../../src/util/StreamUtil';
 const nn = namedNode;
 const acl = 'http://www.w3.org/ns/auth/acl#';
 const rdf = 'http://www.w3.org/1999/02/22-rdf-syntax-ns#';
 describe('A WebAclAuthorizer', (): void => {
  let authorizer: WebAclAuthorizer;
@ -26,12 +28,13 @@ describe('A WebAclAuthorizer', (): void => {
    isAuxiliaryIdentifier: (id: ResourceIdentifier): boolean => id.path.endsWith('.acl'),
    getAssociatedIdentifier: (id: ResourceIdentifier): ResourceIdentifier => ({ path: id.path.slice(0, -4) }),
  } as any;
-  let store: ResourceStore;
+  let store: jest.Mocked<ResourceStore>;
  const identifierStrategy = new SingleRootIdentifierStrategy('http://test.com/');
  let permissions: PermissionSet;
  let credentials: Credentials;
  let identifier: ResourceIdentifier;
  let authorization: WebAclAuthorization;
  let accessChecker: jest.Mocked<AccessChecker>;
  beforeEach(async(): Promise<void> => {
    permissions = {
@ -60,18 +63,38 @@ describe('A WebAclAuthorizer', (): void => {
    store = {
      getRepresentation: jest.fn(),
    } as any;
-    authorizer = new WebAclAuthorizer(aclStrategy, store, identifierStrategy);
+
    accessChecker = {
      handleSafe: jest.fn().mockResolvedValue(true),
    } as any;
    authorizer = new WebAclAuthorizer(aclStrategy, store, identifierStrategy, accessChecker);
  });
  it('handles all non-acl inputs.', async(): Promise<void> => {
-    authorizer = new WebAclAuthorizer(aclStrategy, null as any, identifierStrategy);
+    authorizer = new WebAclAuthorizer(aclStrategy, null as any, identifierStrategy, accessChecker);
    await expect(authorizer.canHandle({ identifier } as any)).resolves.toBeUndefined();
    await expect(authorizer.canHandle({ identifier: aclStrategy.getAuxiliaryIdentifier(identifier) } as any))
      .rejects.toThrow(NotImplementedHttpError);
  });
  it('handles all valid modes and ignores other ones.', async(): Promise<void> => {
    credentials.webId = 'http://test.com/user';
    store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
      quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
      quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}fakeMode1`)),
    ]) } as Representation);
    Object.assign(authorization.everyone, { read: true, write: true, append: true, control: false });
    Object.assign(authorization.user, { read: true, write: true, append: true, control: false });
    await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
  });
  it('allows access if the acl file allows all agents.', async(): Promise<void> => {
-    store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
+    store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
      quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
      quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
      quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
@ -83,101 +106,71 @@ describe('A WebAclAuthorizer', (): void => {
  });
  it('allows access if there is a parent acl file allowing all agents.', async(): Promise<void> => {
-    store.getRepresentation = async(id: ResourceIdentifier): Promise<Representation> => {
+    store.getRepresentation.mockImplementation(async(id: ResourceIdentifier): Promise<Representation> => {
      if (id.path.endsWith('foo.acl')) {
        throw new NotFoundHttpError();
      }
      return {
        data: guardedStreamFrom([
          quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
          quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
          quad(nn('auth'), nn(`${acl}default`), nn(identifierStrategy.getParentContainer(identifier).path)),
          quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
          quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
        ]),
      } as Representation;
-    };
+    });
    Object.assign(authorization.everyone, { read: true, write: true, append: true });
    Object.assign(authorization.user, { read: true, write: true, append: true });
    await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
  });
-  it('allows access to authorized agents if the acl files allows all authorized users.', async(): Promise<void> => {
+  it('throws a ForbiddenHttpError if access is not granted and credentials have a WebID.', async(): Promise<void> => {
-    store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
+    accessChecker.handleSafe.mockResolvedValue(false);
-      quad(nn('auth'), nn(`${acl}agentClass`), nn(`${acl}AuthenticatedAgent`)),
+    store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
      quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
      quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
    ]) } as Representation);
-    credentials.webId = 'http://test.com/user';
+    credentials.webId = 'http://test.com/alice/profile/card#me';
-    Object.assign(authorization.user, { read: true, write: true, append: true });
+    await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(ForbiddenHttpError);
    await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
  });
-  it('errors if authorization is required but the agent is not authorized.', async(): Promise<void> => {
+  it('throws an UnauthorizedHttpError if access is not granted there are no credentials.', async(): Promise<void> => {
-    store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
+    accessChecker.handleSafe.mockResolvedValue(false);
-      quad(nn('auth'), nn(`${acl}agentClass`), nn(`${acl}AuthenticatedAgent`)),
+    store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
      quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
      quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
    ]) } as Representation);
    await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(UnauthorizedHttpError);
  });
  it('allows access to specific agents if the acl files identifies them.', async(): Promise<void> => {
    credentials.webId = 'http://test.com/user';
    store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
      quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webId!)),
      quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
    ]) } as Representation);
    Object.assign(authorization.user, { read: true, write: true, append: true });
    await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
  });
  it('errors if a specific agents wants to access files not assigned to them.', async(): Promise<void> => {
    credentials.webId = 'http://test.com/user';
    store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
      quad(nn('auth'), nn(`${acl}agent`), nn('http://test.com/differentUser')),
      quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
    ]) } as Representation);
    await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(ForbiddenHttpError);
  });
  it('re-throws ResourceStore errors as internal errors.', async(): Promise<void> => {
-    store.getRepresentation = async(): Promise<Representation> => {
+    store.getRepresentation.mockRejectedValue(new Error('TEST!'));
      throw new Error('TEST!');
    };
    const promise = authorizer.handle({ identifier, permissions, credentials });
    await expect(promise).rejects.toThrow(`Error reading ACL for ${identifier.path}: TEST!`);
    await expect(promise).rejects.toThrow(InternalServerError);
  });
  it('errors if the root container has no corresponding acl document.', async(): Promise<void> => {
-    store.getRepresentation = async(): Promise<Representation> => {
+    store.getRepresentation.mockRejectedValue(new NotFoundHttpError());
      throw new NotFoundHttpError();
    };
    const promise = authorizer.handle({ identifier, permissions, credentials });
    await expect(promise).rejects.toThrow('No ACL document found for root container');
    await expect(promise).rejects.toThrow(ForbiddenHttpError);
  });
  it('allows an agent to append if they have write access.', async(): Promise<void> => {
    credentials.webId = 'http://test.com/user';
    identifier.path = 'http://test.com/foo';
    permissions = {
      read: false,
      write: false,
      append: true,
      control: false,
    };
-    store.getRepresentation = async(): Promise<Representation> => ({ data: guardedStreamFrom([
+    store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
-      quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webId!)),
+      quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
      quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
    ]) } as Representation);
    Object.assign(authorization.everyone, { write: true, append: true });
    Object.assign(authorization.user, { write: true, append: true });
    await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
  });
--- a/test/unit/authorization/access-checkers/AgentAccessChecker.test.ts
+++ b/test/unit/authorization/access-checkers/AgentAccessChecker.test.ts
@ -0,0 +1,32 @@
 import { DataFactory, Store } from 'n3';
 import type { AccessCheckerArgs } from '../../../../src/authorization/access-checkers/AccessChecker';
 import { AgentAccessChecker } from '../../../../src/authorization/access-checkers/AgentAccessChecker';
 import { ACL } from '../../../../src/util/Vocabularies';
 import namedNode = DataFactory.namedNode;
 describe('A AgentAccessChecker', (): void => {
  const webId = 'http://test.com/alice/profile/card#me';
  const acl = new Store();
  acl.addQuad(namedNode('match'), ACL.terms.agent, namedNode(webId));
  acl.addQuad(namedNode('noMatch'), ACL.terms.agent, namedNode('http://test.com/bob'));
  const checker = new AgentAccessChecker();
  it('can handle all requests.', async(): Promise<void> => {
    await expect(checker.canHandle(null as any)).resolves.toBeUndefined();
  });
  it('returns true if a match is found for the given WebID.', async(): Promise<void> => {
    const input: AccessCheckerArgs = { acl, rule: namedNode('match'), credentials: { webId }};
    await expect(checker.handle(input)).resolves.toBe(true);
  });
  it('returns false if no match is found.', async(): Promise<void> => {
    const input: AccessCheckerArgs = { acl, rule: namedNode('noMatch'), credentials: { webId }};
    await expect(checker.handle(input)).resolves.toBe(false);
  });
  it('returns false if the credentials contain no WebID.', async(): Promise<void> => {
    const input: AccessCheckerArgs = { acl, rule: namedNode('match'), credentials: {}};
    await expect(checker.handle(input)).resolves.toBe(false);
  });
 });
--- a/test/unit/authorization/access-checkers/AgentClassAccessChecker.test.ts
+++ b/test/unit/authorization/access-checkers/AgentClassAccessChecker.test.ts
@ -0,0 +1,37 @@
 import { DataFactory, Store } from 'n3';
 import type { AccessCheckerArgs } from '../../../../src/authorization/access-checkers/AccessChecker';
 import { AgentClassAccessChecker } from '../../../../src/authorization/access-checkers/AgentClassAccessChecker';
 import { ACL, FOAF } from '../../../../src/util/Vocabularies';
 import namedNode = DataFactory.namedNode;
 describe('An AgentClassAccessChecker', (): void => {
  const webId = 'http://test.com/alice/profile/card#me';
  const acl = new Store();
  acl.addQuad(namedNode('agentMatch'), ACL.terms.agentClass, FOAF.terms.Agent);
  acl.addQuad(namedNode('authenticatedMatch'), ACL.terms.agentClass, ACL.terms.AuthenticatedAgent);
  const checker = new AgentClassAccessChecker();
  it('can handle all requests.', async(): Promise<void> => {
    await expect(checker.canHandle(null as any)).resolves.toBeUndefined();
  });
  it('returns true if the rule contains foaf:agent as supported class.', async(): Promise<void> => {
    const input: AccessCheckerArgs = { acl, rule: namedNode('agentMatch'), credentials: {}};
    await expect(checker.handle(input)).resolves.toBe(true);
  });
  it('returns true for authenticated users with an acl:AuthenticatedAgent rule.', async(): Promise<void> => {
    const input: AccessCheckerArgs = { acl, rule: namedNode('authenticatedMatch'), credentials: { webId }};
    await expect(checker.handle(input)).resolves.toBe(true);
  });
  it('returns false for unauthenticated users with an acl:AuthenticatedAgent rule.', async(): Promise<void> => {
    const input: AccessCheckerArgs = { acl, rule: namedNode('authenticatedMatch'), credentials: {}};
    await expect(checker.handle(input)).resolves.toBe(false);
  });
  it('returns false if no class rule is found.', async(): Promise<void> => {
    const input: AccessCheckerArgs = { acl, rule: namedNode('noMatch'), credentials: {}};
    await expect(checker.handle(input)).resolves.toBe(false);
  });
 });