feat: Add permissions extractor for acl resources

2024-10-03 14:55:10 +00:00 · 2021-01-29 16:48:09 +01:00
parent 758f5ed083
commit 8339413ab4
8 changed files with 94 additions and 26 deletions
--- a/test/integration/LdpHandlerWithAuth.test.ts
+++ b/test/integration/LdpHandlerWithAuth.test.ts
@@ -59,8 +59,7 @@ describe.each(stores)('An LDP handler with auth using %s', (name, { storeUrn, te
    await teardown();
  });

-  it('can add a file to the store, read it and delete it if allowed.', async():
-  Promise<void> => {
+  it('can add a file to the store, read it and delete it if allowed.', async(): Promise<void> => {
    // Set acl
    await aclHelper.setSimpleAcl({ read: true, write: true, append: true, control: false }, 'agent');

@@ -82,8 +81,7 @@ describe.each(stores)('An LDP handler with auth using %s', (name, { storeUrn, te
    await resourceHelper.shouldNotExist(id);
  });

-  it('can not add a file to the store if not allowed.', async():
-  Promise<void> => {
+  it('can not add a file to the store if not allowed.', async(): Promise<void> => {
    // Set acl
    await aclHelper.setSimpleAcl({ read: true, write: true, append: true, control: false }, 'authenticated');

@@ -94,8 +92,7 @@ describe.each(stores)('An LDP handler with auth using %s', (name, { storeUrn, te
    expect(response.statusCode).toBe(401);
  });

-  it('can not add/delete, but only read files if allowed.', async():
-  Promise<void> => {
+  it('can not add/delete, but only read files if allowed.', async(): Promise<void> => {
    // Set acl
    await aclHelper.setSimpleAcl({ read: true, write: false, append: false, control: false }, 'agent');

@@ -135,4 +132,20 @@ describe.each(stores)('An LDP handler with auth using %s', (name, { storeUrn, te
    );
    expect(response.statusCode).toBe(401);
  });
+
+  it('can not access an acl file if no control rights are provided.', async(): Promise<void> => {
+    // Set acl
+    await aclHelper.setSimpleAcl({ read: true, write: true, append: true, control: false }, 'agent');
+
+    const response = await resourceHelper.performRequest(new URL('http://test.com/.acl'), 'GET', { accept: '*/*' });
+    expect(response.statusCode).toBe(401);
+  });
+
+  it('can only access an acl file if control rights are provided.', async(): Promise<void> => {
+    // Set acl
+    await aclHelper.setSimpleAcl({ read: false, write: false, append: false, control: true }, 'agent');
+
+    const response = await resourceHelper.performRequest(new URL('http://test.com/.acl'), 'GET', { accept: '*/*' });
+    expect(response.statusCode).toBe(200);
+  });
 });
--- a/test/unit/authorization/WebAclAuthorizer.test.ts
+++ b/test/unit/authorization/WebAclAuthorizer.test.ts
@@ -120,18 +120,6 @@ describe('A WebAclAuthorizer', (): void => {
    await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(ForbiddenHttpError);
  });

-  it('allows access to the acl file if control is allowed.', async(): Promise<void> => {
-    credentials.webId = 'http://test.com/user';
-    identifier.path = 'http://test.com/foo';
-    store.getRepresentation = async(): Promise<Representation> => ({ data: streamifyArray([
-      quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webId!)),
-      quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
-      quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Control`)),
-    ]) } as Representation);
-    const aclIdentifier = aclStrategy.getAuxiliaryIdentifier(identifier);
-    await expect(authorizer.handle({ identifier: aclIdentifier, permissions, credentials })).resolves.toBeUndefined();
-  });
-
  it('errors if an agent tries to edit the acl file without control permissions.', async(): Promise<void> => {
    credentials.webId = 'http://test.com/user';
    identifier.path = 'http://test.com/foo';
--- a/test/unit/ldp/permissions/AclPermissionsExtractor.test.ts
+++ b/test/unit/ldp/permissions/AclPermissionsExtractor.test.ts
@@ -0,0 +1,30 @@
+import type { AuxiliaryIdentifierStrategy } from '../../../../src/ldp/auxiliary/AuxiliaryIdentifierStrategy';
+import { AclPermissionsExtractor } from '../../../../src/ldp/permissions/AclPermissionsExtractor';
+import { NotImplementedHttpError } from '../../../../src/util/errors/NotImplementedHttpError';
+
+describe('An AclPermissionsExtractor', (): void => {
+  let extractor: AclPermissionsExtractor;
+
+  beforeEach(async(): Promise<void> => {
+    const aclStrategy = {
+      isAuxiliaryIdentifier: (id): boolean => id.path.endsWith('.acl'),
+    } as AuxiliaryIdentifierStrategy;
+    extractor = new AclPermissionsExtractor(aclStrategy);
+  });
+
+  it('can only handle acl files.', async(): Promise<void> => {
+    await expect(extractor.canHandle({ target: { path: 'http://test.com/foo' }} as any))
+      .rejects.toThrow(NotImplementedHttpError);
+    await expect(extractor.canHandle({ target: { path: 'http://test.com/foo.acl' }} as any))
+      .resolves.toBeUndefined();
+  });
+
+  it('returns control permissions.', async(): Promise<void> => {
+    await expect(extractor.handle()).resolves.toEqual({
+      read: false,
+      write: false,
+      append: false,
+      control: true,
+    });
+  });
+});
--- a/test/util/TestHelpers.ts
+++ b/test/util/TestHelpers.ts
@@ -29,12 +29,11 @@ export class AclHelper {
      '<http://test.com/#auth> a acl:Authorization',
    ];

-    for (const perm of [ 'Read', 'Append', 'Write', 'Delete' ]) {
+    for (const perm of [ 'Read', 'Append', 'Write', 'Control' ]) {
      if (permissions[perm.toLowerCase() as keyof PermissionSet]) {
        acl.push(`;\n acl:mode acl:${perm}`);
      }
    }
-    acl.push(';\n acl:mode acl:Control');
    acl.push(`;\n acl:accessTo <${this.id}>`);
    acl.push(`;\n acl:default <${this.id}>`);
    acl.push(