From 7b94b71e7ed087ee065608d300b8bae9989642b7 Mon Sep 17 00:00:00 2001
From: Joachim Van Herwegen
Date: Tue, 27 Jul 2021 13:27:31 +0200
Subject: [PATCH] feat: Prevent access to internal storage containers
---
 config/default.json | 2 +-
 config/dynamic.json | 2 +-
 config/example-https-file.json | 2 +-
 config/file.json | 2 +-
 config/ldp/authorization/webacl.json | 6 ++++++
 config/memory-subdomains.json | 2 +-
 config/path-routing.json | 2 +-
 config/sparql-endpoint.json | 2 +-
 config/storage/key-value/resource-store.json | 14 ++++++++++++++
 9 files changed, 27 insertions(+), 7 deletions(-)
diff --git a/config/default.json b/config/default.json
index 6a213cd47..ad353cdf5 100644
--- a/config/default.json
+++ b/config/default.json
@@ -19,7 +19,7 @@
 "files-scs:config/ldp/metadata-writer/default.json",
 "files-scs:config/ldp/permissions/acl.json",
 "files-scs:config/storage/backend/memory.json",
- "files-scs:config/storage/key-value/memory.json",
+ "files-scs:config/storage/key-value/resource-store.json",
 "files-scs:config/storage/middleware/default.json",
 "files-scs:config/util/auxiliary/acl.json",
 "files-scs:config/util/identifiers/suffix.json",
diff --git a/config/dynamic.json b/config/dynamic.json
index eb1429a15..bdcd5e865 100644
--- a/config/dynamic.json
+++ b/config/dynamic.json
@@ -19,7 +19,7 @@
 "files-scs:config/ldp/metadata-writer/default.json",
 "files-scs:config/ldp/permissions/acl.json",
 "files-scs:config/storage/backend/dynamic.json",
- "files-scs:config/storage/key-value/memory.json",
+ "files-scs:config/storage/key-value/resource-store.json",
 "files-scs:config/storage/middleware/default.json",
 "files-scs:config/util/auxiliary/acl.json",
 "files-scs:config/util/identifiers/suffix.json",
diff --git a/config/example-https-file.json b/config/example-https-file.json
index bb913f216..00ecbf0ff 100644
--- a/config/example-https-file.json
+++ b/config/example-https-file.json
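Review bot: The swap to `key-value/resource-store.json` in the default.json import list moves internal data into the resource store, but the deny rules only take effect when the same preset also imports `config/ldp/authorization/webacl.json`, the one place in this patch where `urn:solid-server:default:PathBasedAuthorizer` receives its `@type` and is added to the handler chain. The authorization import sits above line 19 and is not visible in this hunk, so it needs checking for every preset; the same applies to the identical swaps in dynamic.json, example-https-file.json, file.json, memory-subdomains.json, path-routing.json and sparql-endpoint.json. A preset or custom config that pairs the resource-store key-value config with a different authorization config would presumably serve `/idp/data/` and `/locks` like ordinary containers. The required pairing should be stated in the configuration documentation.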
@@ -19,7 +19,7 @@
 "files-scs:config/ldp/metadata-writer/default.json",
 "files-scs:config/ldp/permissions/acl.json",
 "files-scs:config/storage/backend/file.json",
- "files-scs:config/storage/key-value/memory.json",
+ "files-scs:config/storage/key-value/resource-store.json",
 "files-scs:config/storage/middleware/default.json",
 "files-scs:config/util/auxiliary/acl.json",
 "files-scs:config/util/identifiers/suffix.json",
diff --git a/config/file.json b/config/file.json
index befd58868..d64336f23 100644
--- a/config/file.json
+++ b/config/file.json
@@ -19,7 +19,7 @@
 "files-scs:config/ldp/metadata-writer/default.json",
 "files-scs:config/ldp/permissions/acl.json",
 "files-scs:config/storage/backend/file.json",
- "files-scs:config/storage/key-value/memory.json",
+ "files-scs:config/storage/key-value/resource-store.json",
 "files-scs:config/storage/middleware/default.json",
 "files-scs:config/util/auxiliary/acl.json",
 "files-scs:config/util/identifiers/suffix.json",
diff --git a/config/ldp/authorization/webacl.json b/config/ldp/authorization/webacl.json
index 6026d8cfa..655481116 100644
--- a/config/ldp/authorization/webacl.json
+++ b/config/ldp/authorization/webacl.json
@@ -9,6 +9,12 @@
 "@id": "urn:solid-server:default:Authorizer",
 "@type": "WaterfallHandler",
 "handlers": [
+ {
+ "comment": "This authorizer will be used to prevent external access to containers used for internal storage.",
+ "@id": "urn:solid-server:default:PathBasedAuthorizer",
+ "@type": "PathBasedAuthorizer",
+ "baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" }
+ },
 {
 "comment": "This authorizer makes sure that for auxiliary resources, the main authorizer gets called with the associated identifier.",
 "@type": "AuxiliaryAuthorizer",
diff --git a/config/memory-subdomains.json b/config/memory-subdomains.json
index 2a495e03d..b1f35cab5 100644
--- a/config/memory-subdomains.json
+++ b/config/memory-subdomains.json
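Review bot: The new `PathBasedAuthorizer` entry in `handlers` of webacl.json is declared with only `baseUrl`; its `_paths` are supplied from `config/storage/key-value/resource-store.json`, so a config that imports this file with another key-value config would instantiate it with no paths, which the constructor may or may not accept (its code is not in this patch). The comment should say where the paths come from and why the entry is first, e.g. `"comment": "Denies external access to containers used for internal storage. Must stay first in this list; its paths are added by the key-value storage config."`. It is also worth confirming that the authorizer declines requests matching none of its patterns, since otherwise the waterfall would presumably never reach the ACL-based handlers below it. The `handlers` array continues outside the hunk.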
@@ -19,7 +19,7 @@
 "files-scs:config/ldp/metadata-writer/default.json",
 "files-scs:config/ldp/permissions/acl.json",
 "files-scs:config/storage/backend/memory.json",
- "files-scs:config/storage/key-value/memory.json",
+ "files-scs:config/storage/key-value/resource-store.json",
 "files-scs:config/storage/middleware/default.json",
 "files-scs:config/util/auxiliary/acl.json",
 "files-scs:config/util/identifiers/subdomain.json",
diff --git a/config/path-routing.json b/config/path-routing.json
index 67e3df917..1da9fc335 100644
--- a/config/path-routing.json
+++ b/config/path-routing.json
@@ -19,7 +19,7 @@
 "files-scs:config/ldp/metadata-writer/default.json",
 "files-scs:config/ldp/permissions/acl.json",
 "files-scs:config/storage/backend/regex.json",
- "files-scs:config/storage/key-value/memory.json",
+ "files-scs:config/storage/key-value/resource-store.json",
 "files-scs:config/storage/middleware/default.json",
 "files-scs:config/util/auxiliary/acl.json",
 "files-scs:config/util/identifiers/suffix.json",
diff --git a/config/sparql-endpoint.json b/config/sparql-endpoint.json
index 284d41bae..5966d1c05 100644
--- a/config/sparql-endpoint.json
+++ b/config/sparql-endpoint.json
@@ -19,7 +19,7 @@
 "files-scs:config/ldp/metadata-writer/default.json",
 "files-scs:config/ldp/permissions/acl.json",
 "files-scs:config/storage/backend/sparql.json",
- "files-scs:config/storage/key-value/memory.json",
+ "files-scs:config/storage/key-value/resource-store.json",
 "files-scs:config/storage/middleware/default.json",
 "files-scs:config/util/auxiliary/acl.json",
 "files-scs:config/util/identifiers/suffix.json",
diff --git a/config/storage/key-value/resource-store.json b/config/storage/key-value/resource-store.json
index 3394b2d40..b522ec7af 100644
--- a/config/storage/key-value/resource-store.json
+++ b/config/storage/key-value/resource-store.json
@@ -22,6 +22,20 @@
 "source": { "@id": "urn:solid-server:default:ResourceStore" },
 "baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" },
 "container": "/idp/data/"
+ },
+ {
+ "comment": "Block external access to the storage containers to avoid exposing internal data.",
+ "@id": "urn:solid-server:default:PathBasedAuthorizer",
+ "PathBasedAuthorizer:_paths": [
+ {
+ "PathBasedAuthorizer:_paths_key": "^/locks(/.*)?$",
+ "PathBasedAuthorizer:_paths_value": { "@type": "DenyAllAuthorizer" }
+ },
+ {
+ "PathBasedAuthorizer:_paths_key": "^/idp/data(/.*)?$",
+ "PathBasedAuthorizer:_paths_value": { "@type": "DenyAllAuthorizer" }
+ }
+ ]
 }
 ]
 }
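Review bot: The two deny patterns hard-code container paths that are configured elsewhere: `^/idp/data(/.*)?$` repeats the `"container": "/idp/data/"` value a few lines above it, and the definition of the `/locks` container is not visible in this hunk. If either container path is changed later, the old pattern simply stops matching and the new location is left unprotected without any error. The comment should tie them together, e.g. `"comment": "Block external access to the storage containers to avoid exposing internal data. Each pattern must match a container path configured for internal storage."`. The patterns are anchored regular expressions, so the protection also depends on their being matched against the same normalised path the store resolves (case, percent-encoding, repeated slashes); that happens in PathBasedAuthorizer, which is not part of this patch, and should be confirmed there.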