Mirroristas/CommunitySolidServer
2
0
Fork 0
mirror of https://github.com/CommunitySolidServer/CommunitySolidServer.git synced 2024-10-03 14:55:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Split WebAclReader behaviour over multiple classes

Browse Source
This commit is contained in:
Joachim Van Herwegen
2022-06-29 11:00:35 +02:00
parent 0ff05fd420
commit 7996fe5c3b
7 changed files with 598 additions and 346 deletions
Download Patch File Download Diff File Expand all files Collapse all files

114
test/unit/authorization/ParentContainerReader.test.ts Normal file
View File

@@ -0,0 +1,114 @@
import type { CredentialSet } from '../../../src/authentication/Credentials';
import { ParentContainerReader } from '../../../src/authorization/ParentContainerReader';
import type { PermissionReader } from '../../../src/authorization/PermissionReader';
import type { AccessMap, PermissionMap } from '../../../src/authorization/permissions/Permissions';
import { AccessMode } from '../../../src/authorization/permissions/Permissions';
import { SingleRootIdentifierStrategy } from '../../../src/util/identifiers/SingleRootIdentifierStrategy';
import { IdentifierMap, IdentifierSetMultiMap } from '../../../src/util/map/IdentifierMap';
import { joinUrl } from '../../../src/util/PathUtil';
import { compareMaps } from '../../util/Util';
describe('A ParentContainerReader', (): void => {
const baseUrl = 'http://example.com/';
const parent1 = { path: joinUrl(baseUrl, 'foo/') };
const target1 = { path: joinUrl(parent1.path, 'foo') };
const parent2 = { path: joinUrl(baseUrl, 'bar/') };
const target2 = { path: joinUrl(parent2.path, 'bar') };
const parent3 = { path: joinUrl(baseUrl, 'baz/') };
const target3 = { path: joinUrl(parent3.path, 'baz') };
const credentials: CredentialSet = { public: {}};
let requestedModes: AccessMap;
let sourceResult: PermissionMap;
const identifierStrategy = new SingleRootIdentifierStrategy(baseUrl);
let source: jest.Mocked<PermissionReader>;
let reader: ParentContainerReader;
beforeEach(async(): Promise<void> => {
requestedModes = new IdentifierSetMultiMap();
sourceResult = new IdentifierMap([[{ path: joinUrl(baseUrl, 'test') }, { public: { read: true }}]]);
source = { handleSafe: jest.fn().mockResolvedValue(sourceResult) } as any;
reader = new ParentContainerReader(source, identifierStrategy);
});
it('requires parent append permissions to create resources.', async(): Promise<void> => {
requestedModes.set(target1, new Set([ AccessMode.create ]));
requestedModes.set(target2, new Set([ AccessMode.create ]));
sourceResult.set(parent1, { public: { append: true }});
const result = await reader.handle({ requestedModes, credentials });
expect(result.get(target1)).toEqual({ public: { create: true }});
expect(result.get(target2)).toEqual({ });
const updatedMap = new IdentifierSetMultiMap(requestedModes);
updatedMap.set(parent1, AccessMode.append);
updatedMap.set(parent2, AccessMode.append);
expect(source.handleSafe).toHaveBeenCalledTimes(1);
expect(source.handleSafe.mock.calls[0][0].credentials).toBe(credentials);
compareMaps(source.handleSafe.mock.calls[0][0].requestedModes, updatedMap);
expect(source.handleSafe.mock.calls[0][0].requestedModes).not.toEqual(requestedModes);
});
it('requires write and parent write permissions to delete resources.', async(): Promise<void> => {
requestedModes.set(target1, new Set([ AccessMode.delete ]));
requestedModes.set(target2, new Set([ AccessMode.delete ]));
requestedModes.set(target3, new Set([ AccessMode.delete ]));
sourceResult.set(parent1, { public: { write: true }});
sourceResult.set(parent2, { public: { write: true }});
sourceResult.set(target1, { public: { write: true }});
sourceResult.set(target3, { public: { write: true }});
const result = await reader.handle({ requestedModes, credentials });
expect(result.get(target1)).toEqual({ public: { delete: true, write: true }});
expect(result.get(target2)).toEqual({ public: {}});
expect(result.get(target3)).toEqual({ public: { write: true }});
const updatedMap = new IdentifierSetMultiMap(requestedModes);
updatedMap.set(parent1, AccessMode.write);
updatedMap.set(parent2, AccessMode.write);
updatedMap.set(parent3, AccessMode.write);
expect(source.handleSafe).toHaveBeenCalledTimes(1);
expect(source.handleSafe.mock.calls[0][0].credentials).toBe(credentials);
compareMaps(source.handleSafe.mock.calls[0][0].requestedModes, updatedMap);
});
it('does not allow create/delete if the source explicitly forbids it.', async(): Promise<void> => {
requestedModes.set(target1, new Set([ AccessMode.create, AccessMode.delete ]));
requestedModes.set(target2, new Set([ AccessMode.create, AccessMode.delete ]));
sourceResult.set(parent1, { public: { write: true, append: true }});
sourceResult.set(parent2, { public: { write: true, append: true }});
sourceResult.set(target1, { public: { write: true }});
sourceResult.set(target2, { public: { write: true, create: false, delete: false }});
const result = await reader.handle({ requestedModes, credentials });
expect(result.get(target1)).toEqual({ public: { write: true, create: true, delete: true }});
expect(result.get(target2)).toEqual({ public: { write: true, create: false, delete: false }});
const updatedMap = new IdentifierSetMultiMap(requestedModes);
updatedMap.set(parent1, new Set([ AccessMode.write, AccessMode.append ]));
updatedMap.set(parent2, new Set([ AccessMode.write, AccessMode.append ]));
expect(source.handleSafe).toHaveBeenCalledTimes(1);
expect(source.handleSafe.mock.calls[0][0].credentials).toBe(credentials);
compareMaps(source.handleSafe.mock.calls[0][0].requestedModes, updatedMap);
});
it('combines the modes with the parent resource if it is also being requested.', async(): Promise<void> => {
requestedModes.set(target1, AccessMode.create);
requestedModes.set(parent1, AccessMode.write);
sourceResult.set(parent1, { public: { write: true, append: true }});
sourceResult.set(target1, { public: { write: true }});
const result = await reader.handle({ requestedModes, credentials });
expect(result.get(target1)).toEqual({ public: { write: true, create: true, delete: true }});
expect(result.get(parent1)).toEqual({ public: { write: true, append: true }});
const updatedMap = new IdentifierSetMultiMap(requestedModes);
updatedMap.set(parent1, new Set([ AccessMode.write, AccessMode.append ]));
expect(source.handleSafe).toHaveBeenCalledTimes(1);
expect(source.handleSafe.mock.calls[0][0].credentials).toBe(credentials);
compareMaps(source.handleSafe.mock.calls[0][0].requestedModes, updatedMap);
expect(source.handleSafe.mock.calls[0][0].requestedModes.get(parent1))
.toEqual(new Set([ AccessMode.write, AccessMode.append ]));
});
});

72
test/unit/authorization/WebAclAuxiliaryReader.test.ts Normal file
View File

@@ -0,0 +1,72 @@
import type { CredentialSet } from '../../../src/authentication/Credentials';
import type { PermissionReader } from '../../../src/authorization/PermissionReader';
import { AclMode } from '../../../src/authorization/permissions/AclPermission';
import type { AccessMap, PermissionMap, PermissionSet } from '../../../src/authorization/permissions/Permissions';
import { AccessMode } from '../../../src/authorization/permissions/Permissions';
import { WebAclAuxiliaryReader } from '../../../src/authorization/WebAclAuxiliaryReader';
import type { AuxiliaryStrategy } from '../../../src/http/auxiliary/AuxiliaryStrategy';
import type { ResourceIdentifier } from '../../../src/http/representation/ResourceIdentifier';
import { IdentifierMap, IdentifierSetMultiMap } from '../../../src/util/map/IdentifierMap';
import { joinUrl } from '../../../src/util/PathUtil';
import { compareMaps } from '../../util/Util';
describe('A WebAclAuxiliaryReader', (): void => {
const baseUrl = 'http://example.com/';
const subject1 = { path: joinUrl(baseUrl, 'foo/') };
const acl1 = { path: joinUrl(subject1.path, '.acl') };
const subject2 = { path: joinUrl(baseUrl, 'bar/') };
const acl2 = { path: joinUrl(subject2.path, '.acl') };
const credentials: CredentialSet = { public: {}};
let requestedModes: AccessMap;
let sourceResult: PermissionMap;
let aclStrategy: jest.Mocked<AuxiliaryStrategy>;
let source: jest.Mocked<PermissionReader>;
let reader: WebAclAuxiliaryReader;
beforeEach(async(): Promise<void> => {
requestedModes = new IdentifierSetMultiMap();
sourceResult = new IdentifierMap();
aclStrategy = {
isAuxiliaryIdentifier: jest.fn((identifier): boolean => identifier.path.endsWith('.acl')),
getSubjectIdentifier: jest.fn((identifier): ResourceIdentifier => ({ path: identifier.path.slice(0, -4) })),
} as any;
source = { handleSafe: jest.fn().mockResolvedValue(sourceResult) } as any;
reader = new WebAclAuxiliaryReader(source, aclStrategy);
});
it('requires control permissions on the subject resource to do everything.', async(): Promise<void> => {
requestedModes.set(acl1, AccessMode.read);
requestedModes.set(acl2, AccessMode.read);
sourceResult.set(subject1, { public: { control: true }} as PermissionSet);
const result = await reader.handle({ requestedModes, credentials });
expect(result.get(acl1)).toEqual({ public: { read: true, append: true, write: true, control: true }});
expect(result.get(acl2)).toEqual({ });
const updatedMap = new IdentifierMap();
updatedMap.set(subject1, new Set([ AclMode.control ]));
updatedMap.set(subject2, new Set([ AclMode.control ]));
expect(source.handleSafe).toHaveBeenCalledTimes(1);
expect(source.handleSafe.mock.calls[0][0].credentials).toBe(credentials);
compareMaps(source.handleSafe.mock.calls[0][0].requestedModes, updatedMap);
expect(source.handleSafe.mock.calls[0][0].requestedModes).not.toEqual(requestedModes);
});
it('combines the modes with the subject resource if it is also being requested.', async(): Promise<void> => {
requestedModes.set(acl1, AccessMode.read);
requestedModes.set(subject1, AccessMode.write);
const resultSet = { public: { read: true, write: true, control: true }} as PermissionSet;
sourceResult.set(subject1, resultSet);
const resultMap: PermissionMap = new IdentifierMap([
[ acl1, { public: { read: true, write: true, control: true, append: true }} as PermissionSet ],
[ subject1, resultSet ],
]);
compareMaps(await reader.handle({ credentials, requestedModes }), resultMap);
expect(source.handleSafe.mock.calls[0][0].requestedModes.get(subject1))
.toEqual(new Set([ AccessMode.write, AclMode.control ]));
});
});

288
test/unit/authorization/WebAclReader.test.ts
View File

@@ -4,20 +4,22 @@ import { CredentialGroup } from '../../../src/authentication/Credentials';
import type { AccessChecker } from '../../../src/authorization/access/AccessChecker';
import type { PermissionReaderInput } from '../../../src/authorization/PermissionReader';
import { AclMode } from '../../../src/authorization/permissions/AclPermission';
import type { AccessMap, PermissionSet } from '../../../src/authorization/permissions/Permissions';
import { AccessMode } from '../../../src/authorization/permissions/Permissions';
import { WebAclReader } from '../../../src/authorization/WebAclReader';
import type { AuxiliaryIdentifierStrategy } from '../../../src/http/auxiliary/AuxiliaryIdentifierStrategy';
import { BasicRepresentation } from '../../../src/http/representation/BasicRepresentation';
import type { Representation } from '../../../src/http/representation/Representation';
import type { ResourceIdentifier } from '../../../src/http/representation/ResourceIdentifier';
import type { ResourceSet } from '../../../src/storage/ResourceSet';
import type { ResourceStore } from '../../../src/storage/ResourceStore';
import { INTERNAL_QUADS } from '../../../src/util/ContentTypes';
import { ForbiddenHttpError } from '../../../src/util/errors/ForbiddenHttpError';
import { InternalServerError } from '../../../src/util/errors/InternalServerError';
import { NotFoundHttpError } from '../../../src/util/errors/NotFoundHttpError';
import { SingleRootIdentifierStrategy } from '../../../src/util/identifiers/SingleRootIdentifierStrategy';
import { ensureTrailingSlash } from '../../../src/util/PathUtil';
import { guardedStreamFrom } from '../../../src/util/StreamUtil';
import { IdentifierMap, IdentifierSetMultiMap } from '../../../src/util/map/IdentifierMap';
import { compareMaps } from '../../util/Util';
const { namedNode: nn, quad } = DataFactory;
@@ -31,23 +33,31 @@ describe('A WebAclReader', (): void => {
isAuxiliaryIdentifier: (id: ResourceIdentifier): boolean => id.path.endsWith('.acl'),
getSubjectIdentifier: (id: ResourceIdentifier): ResourceIdentifier => ({ path: id.path.slice(0, -4) }),
} as any;
let resourceSet: jest.Mocked<ResourceSet>;
let store: jest.Mocked<ResourceStore>;
const identifierStrategy = new SingleRootIdentifierStrategy('http://test.com/');
const identifierStrategy = new SingleRootIdentifierStrategy('http://example.com/');
let credentials: CredentialSet;
let identifier: ResourceIdentifier;
let modes: Set<AccessMode>;
let accessMap: AccessMap;
let input: PermissionReaderInput;
let accessChecker: jest.Mocked<AccessChecker>;
beforeEach(async(): Promise<void> => {
credentials = { [CredentialGroup.public]: {}, [CredentialGroup.agent]: {}};
identifier = { path: 'http://test.com/foo' };
identifier = { path: 'http://example.com/foo' };
modes = new Set<AccessMode | AclMode>([
AccessMode.read, AccessMode.write, AccessMode.append, AclMode.control,
]) as Set<AccessMode>;
accessMap = new IdentifierSetMultiMap([
[ identifier, AccessMode.read ],
[ identifier, AccessMode.write ],
[ identifier, AccessMode.append ],
[ identifier, AclMode.control ] as any,
]);
input = { credentials, identifier, modes };
input = { credentials, requestedModes: accessMap };
resourceSet = {
hasResource: jest.fn().mockResolvedValue(true),
};
store = {
getRepresentation: jest.fn().mockResolvedValue(new BasicRepresentation([
@@ -59,7 +69,7 @@ describe('A WebAclReader', (): void => {
handleSafe: jest.fn().mockResolvedValue(true),
} as any;
reader = new WebAclReader(aclStrategy, store, identifierStrategy, accessChecker);
reader = new WebAclReader(aclStrategy, resourceSet, store, identifierStrategy, accessChecker);
});
it('handles all input.', async(): Promise<void> => {
@@ -68,258 +78,158 @@ describe('A WebAclReader', (): void => {
it('returns undefined permissions for undefined credentials.', async(): Promise<void> => {
input.credentials = {};
await expect(reader.handle(input)).resolves.toEqual({
compareMaps(await reader.handle(input), new IdentifierMap([[ identifier, {
[CredentialGroup.public]: {},
[CredentialGroup.agent]: {},
});
}]]));
});
it('reads the accessTo value of the acl resource.', async(): Promise<void> => {
credentials.agent = { webId: 'http://test.com/user' };
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
store.getRepresentation.mockResolvedValue(new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
]) } as Representation);
await expect(reader.handle(input)).resolves.toEqual({
], INTERNAL_QUADS));
compareMaps(await reader.handle(input), new IdentifierMap([[ identifier, {
[CredentialGroup.public]: { read: true },
[CredentialGroup.agent]: { read: true },
});
}]]));
});
it('ignores accessTo fields pointing to different resources.', async(): Promise<void> => {
credentials.agent = { webId: 'http://test.com/user' };
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
store.getRepresentation.mockResolvedValue(new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}accessTo`), nn('somewhereElse')),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
]) } as Representation);
await expect(reader.handle(input)).resolves.toEqual({
], INTERNAL_QUADS));
compareMaps(await reader.handle(input), new IdentifierMap([[ identifier, {
[CredentialGroup.public]: {},
[CredentialGroup.agent]: {},
});
}]]));
});
it('handles all valid modes and ignores other ones.', async(): Promise<void> => {
credentials.agent = { webId: 'http://test.com/user' };
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
store.getRepresentation.mockResolvedValue(new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}fakeMode1`)),
]) } as Representation);
await expect(reader.handle(input)).resolves.toEqual({
], INTERNAL_QUADS));
compareMaps(await reader.handle(input), new IdentifierMap([[ identifier, {
[CredentialGroup.public]: { read: true },
[CredentialGroup.agent]: { read: true },
});
}]]));
});
it('reads the default value of a parent if there is no direct acl resource.', async(): Promise<void> => {
store.getRepresentation.mockImplementation(async(id: ResourceIdentifier): Promise<Representation> => {
if (id.path.endsWith('foo.acl')) {
throw new NotFoundHttpError();
}
return new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
quad(nn('auth'), nn(`${acl}default`), nn(identifierStrategy.getParentContainer(identifier).path)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
], INTERNAL_QUADS);
});
await expect(reader.handle(input)).resolves.toEqual({
resourceSet.hasResource.mockImplementation(async(id): Promise<boolean> => !id.path.endsWith('foo.acl'));
store.getRepresentation.mockResolvedValue(new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
quad(nn('auth'), nn(`${acl}default`), nn(identifierStrategy.getParentContainer(identifier).path)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
], INTERNAL_QUADS));
compareMaps(await reader.handle(input), new IdentifierMap([[ identifier, {
[CredentialGroup.public]: { read: true },
[CredentialGroup.agent]: { read: true },
});
}]]));
});
it('does not use default authorizations for the resource itself.', async(): Promise<void> => {
input.identifier = { path: ensureTrailingSlash(input.identifier.path) };
store.getRepresentation.mockImplementation(async(): Promise<Representation> =>
new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
quad(nn('auth'), nn(`${acl}default`), nn(input.identifier.path)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
quad(nn('auth2'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth2'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
quad(nn('auth2'), nn(`${acl}accessTo`), nn(input.identifier.path)),
quad(nn('auth2'), nn(`${acl}mode`), nn(`${acl}Append`)),
], INTERNAL_QUADS));
await expect(reader.handle(input)).resolves.toEqual({
store.getRepresentation.mockResolvedValue(new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
quad(nn('auth'), nn(`${acl}default`), nn(identifier.path)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
quad(nn('auth2'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth2'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
quad(nn('auth2'), nn(`${acl}accessTo`), nn(identifier.path)),
quad(nn('auth2'), nn(`${acl}mode`), nn(`${acl}Append`)),
], INTERNAL_QUADS));
compareMaps(await reader.handle(input), new IdentifierMap([[ identifier, {
[CredentialGroup.public]: { append: true },
[CredentialGroup.agent]: { append: true },
});
}]]));
});
it('re-throws ResourceStore errors as internal errors.', async(): Promise<void> => {
store.getRepresentation.mockRejectedValue(new Error('TEST!'));
const promise = reader.handle(input);
await expect(promise).rejects.toThrow(`Error reading ACL for ${identifier.path}: TEST!`);
await expect(promise).rejects.toThrow(`Error reading ACL resource ${identifier.path}.acl: TEST!`);
await expect(promise).rejects.toThrow(InternalServerError);
});
it('errors if the root container has no corresponding acl document.', async(): Promise<void> => {
store.getRepresentation.mockRejectedValue(new NotFoundHttpError());
resourceSet.hasResource.mockResolvedValue(false);
const promise = reader.handle(input);
await expect(promise).rejects.toThrow('No ACL document found for root container');
await expect(promise).rejects.toThrow(ForbiddenHttpError);
});
it('allows an agent to append/create/delete if they have write access.', async(): Promise<void> => {
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
]) } as Representation);
await expect(reader.handle(input)).resolves.toEqual({
[CredentialGroup.public]: { write: true, append: true, create: true, delete: true },
[CredentialGroup.agent]: { write: true, append: true, create: true, delete: true },
});
});
it('allows everything on an acl resource if control permissions are granted.', async(): Promise<void> => {
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Control`)),
]) } as Representation);
input.identifier = { path: `${identifier.path}.acl` };
await expect(reader.handle(input)).resolves.toEqual({
[CredentialGroup.public]: { read: true, write: true, append: true, create: true, delete: true, control: true },
[CredentialGroup.agent]: { read: true, write: true, append: true, create: true, delete: true, control: true },
});
});
it('rejects everything on an acl resource if there are no control permissions.', async(): Promise<void> => {
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
]) } as Representation);
input.identifier = { path: `${identifier.path}.acl` };
await expect(reader.handle(input)).resolves.toEqual({
[CredentialGroup.public]: {},
[CredentialGroup.agent]: {},
});
});
it('ignores rules where no access is granted.', async(): Promise<void> => {
credentials.agent = { webId: 'http://test.com/user' };
// CredentialGroup.public gets true on auth1, CredentialGroup.agent on auth2
accessChecker.handleSafe.mockImplementation(async({ rule, credential: cred }): Promise<boolean> =>
(rule.value === 'auth1') === !cred.webId);
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
store.getRepresentation.mockResolvedValue(new BasicRepresentation([
quad(nn('auth1'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth1'), nn(`${acl}accessTo`), nn(identifier.path)),
quad(nn('auth1'), nn(`${acl}mode`), nn(`${acl}Read`)),
quad(nn('auth2'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth2'), nn(`${acl}accessTo`), nn(identifier.path)),
quad(nn('auth2'), nn(`${acl}mode`), nn(`${acl}Control`)),
]) } as Representation);
quad(nn('auth2'), nn(`${acl}mode`), nn(`${acl}Append`)),
], INTERNAL_QUADS));
await expect(reader.handle(input)).resolves.toEqual({
compareMaps(await reader.handle(input), new IdentifierMap<PermissionSet>([[ identifier, {
[CredentialGroup.public]: { read: true },
[CredentialGroup.agent]: { control: true },
});
[CredentialGroup.agent]: { append: true },
}]]));
});
it('requires append permissions on the parent container to create resources.', async(): Promise<void> => {
store.getRepresentation.mockImplementation(async(id): Promise<Representation> => {
const subject = id.path.slice(0, -4);
if (subject === input.identifier.path) {
throw new NotFoundHttpError();
it('combines ACL representation requests for resources when possible.', async(): Promise<void> => {
const identifier2 = { path: 'http://example.com/bar/' };
const identifier3 = { path: 'http://example.com/bar/baz' };
resourceSet.hasResource.mockImplementation(async(id): Promise<boolean> =>
id.path === 'http://example.com/.acl' || id.path === 'http://example.com/bar/.acl');
store.getRepresentation.mockImplementation(async(id: ResourceIdentifier): Promise<Representation> => {
if (id.path === 'http://example.com/.acl') {
return new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
quad(nn('auth'), nn(`${acl}default`), nn('http://example.com/')),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)),
], INTERNAL_QUADS);
}
return new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}accessTo`), nn(subject)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Append`)),
], 'internal/quads');
});
input.modes.add(AccessMode.create);
await expect(reader.handle(input)).resolves.toEqual({
[CredentialGroup.public]: { create: true },
[CredentialGroup.agent]: { create: true },
});
});
it('requires write permissions on the parent container to delete resources.', async(): Promise<void> => {
store.getRepresentation.mockImplementation(async(id): Promise<Representation> => new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}accessTo`), nn(id.path.slice(0, -4))),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
], 'internal/quads'));
input.modes.add(AccessMode.delete);
await expect(reader.handle(input)).resolves.toEqual({
[CredentialGroup.public]: { append: true, write: true, delete: true, create: true },
[CredentialGroup.agent]: { append: true, write: true, delete: true, create: true },
});
});
it('can use the same acl resource for both target and parent.', async(): Promise<void> => {
store.getRepresentation.mockImplementation(async(id): Promise<Representation> => {
const subject = id.path.slice(0, -4);
if (subject === input.identifier.path) {
throw new NotFoundHttpError();
if (id.path === 'http://example.com/bar/.acl') {
return new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
quad(nn('auth'), nn(`${acl}default`), nn(identifier2.path)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Append`)),
quad(nn('auth2'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth2'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')),
quad(nn('auth2'), nn(`${acl}accessTo`), nn(identifier2.path)),
quad(nn('auth2'), nn(`${acl}mode`), nn(`${acl}Read`)),
], INTERNAL_QUADS);
}
return new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}accessTo`), nn(subject)),
quad(nn('auth'), nn(`${acl}default`), nn(subject)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
], 'internal/quads');
throw new NotFoundHttpError();
});
input.modes.add(AccessMode.create);
await expect(reader.handle(input)).resolves.toEqual({
[CredentialGroup.public]: { append: true, write: true, delete: true, create: true },
[CredentialGroup.agent]: { append: true, write: true, delete: true, create: true },
});
});
input.requestedModes.set(identifier2, new Set([ AccessMode.read ]));
input.requestedModes.set(identifier3, new Set([ AccessMode.append ]));
it('does not grant create permission if the parent does not have append rights.', async(): Promise<void> => {
store.getRepresentation.mockImplementation(async(id): Promise<Representation> => {
const subject = id.path.slice(0, -4);
if (subject === input.identifier.path) {
throw new NotFoundHttpError();
}
return new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}default`), nn(subject)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
quad(nn('auth2'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth2'), nn(`${acl}accessTo`), nn(subject)),
quad(nn('auth2'), nn(`${acl}mode`), nn(`${acl}Read`)),
], 'internal/quads');
});
input.modes.add(AccessMode.create);
await expect(reader.handle(input)).resolves.toEqual({
[CredentialGroup.public]: { append: true, write: true },
[CredentialGroup.agent]: { append: true, write: true },
});
});
it('can use a grandparent acl resource for both target and parent.', async(): Promise<void> => {
input.identifier = { path: 'http://test.com/foo/bar/' };
store.getRepresentation.mockImplementation(async(id): Promise<Representation> => {
const subject = id.path.slice(0, -4);
if (subject !== 'http://test.com/') {
throw new NotFoundHttpError();
}
return new BasicRepresentation([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}default`), nn(subject)),
quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Write`)),
], 'internal/quads');
});
input.modes.add(AccessMode.create);
await expect(reader.handle(input)).resolves.toEqual({
[CredentialGroup.public]: { append: true, write: true, delete: true, create: true },
[CredentialGroup.agent]: { append: true, write: true, delete: true, create: true },
});
compareMaps(await reader.handle(input), new IdentifierMap([
[ identifier, { [CredentialGroup.public]: { read: true }, [CredentialGroup.agent]: { read: true }}],
[ identifier2, { [CredentialGroup.public]: { read: true }, [CredentialGroup.agent]: { read: true }}],
[ identifier3, { [CredentialGroup.public]: { append: true }, [CredentialGroup.agent]: { append: true }}],
]));
// http://example.com/.acl and http://example.com/bar/.acl
expect(store.getRepresentation).toHaveBeenCalledTimes(2);
});
});