feat: Prevent access to internal storage containers

2024-10-03 14:55:10 +00:00 · 2021-07-27 13:27:31 +02:00 · 2021-07-27 13:27:31 +02:00 · 7b94b71e7e
commit 7b94b71e7e
parent f4833d2534
9 changed files with 27 additions and 7 deletions
--- a/config/default.json
+++ b/config/default.json
@ -19,7 +19,7 @@
    "files-scs:config/ldp/metadata-writer/default.json",
    "files-scs:config/ldp/permissions/acl.json",
    "files-scs:config/storage/backend/memory.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
    "files-scs:config/storage/middleware/default.json",
    "files-scs:config/util/auxiliary/acl.json",
    "files-scs:config/util/identifiers/suffix.json",
--- a/config/dynamic.json
+++ b/config/dynamic.json
@ -19,7 +19,7 @@
    "files-scs:config/ldp/metadata-writer/default.json",
    "files-scs:config/ldp/permissions/acl.json",
    "files-scs:config/storage/backend/dynamic.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
    "files-scs:config/storage/middleware/default.json",
    "files-scs:config/util/auxiliary/acl.json",
    "files-scs:config/util/identifiers/suffix.json",
--- a/config/example-https-file.json
+++ b/config/example-https-file.json
@ -19,7 +19,7 @@
    "files-scs:config/ldp/metadata-writer/default.json",
    "files-scs:config/ldp/permissions/acl.json",
    "files-scs:config/storage/backend/file.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
    "files-scs:config/storage/middleware/default.json",
    "files-scs:config/util/auxiliary/acl.json",
    "files-scs:config/util/identifiers/suffix.json",
--- a/config/file.json
+++ b/config/file.json
@ -19,7 +19,7 @@
    "files-scs:config/ldp/metadata-writer/default.json",
    "files-scs:config/ldp/permissions/acl.json",
    "files-scs:config/storage/backend/file.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
    "files-scs:config/storage/middleware/default.json",
    "files-scs:config/util/auxiliary/acl.json",
    "files-scs:config/util/identifiers/suffix.json",
--- a/config/ldp/authorization/webacl.json
+++ b/config/ldp/authorization/webacl.json
@ -9,6 +9,12 @@
      "@id": "urn:solid-server:default:Authorizer",
      "@type": "WaterfallHandler",
      "handlers": [
+        {
+          "comment": "This authorizer will be used to prevent external access to containers used for internal storage.",
+          "@id": "urn:solid-server:default:PathBasedAuthorizer",
+          "@type": "PathBasedAuthorizer",
+          "baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" }
+        },
        {
          "comment": "This authorizer makes sure that for auxiliary resources, the main authorizer gets called with the associated identifier.",
          "@type": "AuxiliaryAuthorizer",
--- a/config/memory-subdomains.json
+++ b/config/memory-subdomains.json
@ -19,7 +19,7 @@
    "files-scs:config/ldp/metadata-writer/default.json",
    "files-scs:config/ldp/permissions/acl.json",
    "files-scs:config/storage/backend/memory.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
    "files-scs:config/storage/middleware/default.json",
    "files-scs:config/util/auxiliary/acl.json",
    "files-scs:config/util/identifiers/subdomain.json",
--- a/config/path-routing.json
+++ b/config/path-routing.json
@ -19,7 +19,7 @@
    "files-scs:config/ldp/metadata-writer/default.json",
    "files-scs:config/ldp/permissions/acl.json",
    "files-scs:config/storage/backend/regex.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
    "files-scs:config/storage/middleware/default.json",
    "files-scs:config/util/auxiliary/acl.json",
    "files-scs:config/util/identifiers/suffix.json",
--- a/config/sparql-endpoint.json
+++ b/config/sparql-endpoint.json
@ -19,7 +19,7 @@
    "files-scs:config/ldp/metadata-writer/default.json",
    "files-scs:config/ldp/permissions/acl.json",
    "files-scs:config/storage/backend/sparql.json",
-    "files-scs:config/storage/key-value/memory.json",
+    "files-scs:config/storage/key-value/resource-store.json",
    "files-scs:config/storage/middleware/default.json",
    "files-scs:config/util/auxiliary/acl.json",
    "files-scs:config/util/identifiers/suffix.json",
--- a/config/storage/key-value/resource-store.json
+++ b/config/storage/key-value/resource-store.json
@ -22,6 +22,20 @@
      "source": { "@id": "urn:solid-server:default:ResourceStore" },
      "baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" },
      "container": "/idp/data/"
+    },
+    {
+      "comment": "Block external access to the storage containers to avoid exposing internal data.",
+      "@id": "urn:solid-server:default:PathBasedAuthorizer",
+      "PathBasedAuthorizer:_paths": [
+        {
+          "PathBasedAuthorizer:_paths_key": "^/locks(/.*)?$",
+          "PathBasedAuthorizer:_paths_value": { "@type": "DenyAllAuthorizer" }
+        },
+        {
+          "PathBasedAuthorizer:_paths_key": "^/idp/data(/.*)?$",
+          "PathBasedAuthorizer:_paths_value": { "@type": "DenyAllAuthorizer" }
+        }
+      ]
    }
  ]
 }