feat: Use PermissionReaders to determine available permissions

These readers will determine which permissions are available for the incoming credentials. Their results then get combined in a UnionReader and authorized in a PermissionBasedAuthorizer
2024-10-03 14:55:10 +00:00 · 2021-09-20 11:24:38 +02:00
parent e8dedf5c23
commit bf28c83ffa
50 changed files with 714 additions and 445 deletions
--- a/config/ldp/authorization/allow-all.json
+++ b/config/ldp/authorization/allow-all.json
@@ -7,7 +7,11 @@
        "Always allows all operations."
      ],
      "@id": "urn:solid-server:default:Authorizer",
-      "@type": "AllowAllAuthorizer"
+      "@type": "PermissionBasedAuthorizer",
+      "reader": {
+        "@type": "AllStaticReader",
+        "allow": true
+      }
    }
  ]
 }
--- a/config/ldp/authorization/authorizers/access-checkers/agent-class.json
+++ b/config/ldp/authorization/authorizers/access-checkers/agent-class.json
--- a/config/ldp/authorization/authorizers/access-checkers/agent-group.json
+++ b/config/ldp/authorization/authorizers/access-checkers/agent-group.json
--- a/config/ldp/authorization/authorizers/access-checkers/agent.json
+++ b/config/ldp/authorization/authorizers/access-checkers/agent.json
--- a/config/ldp/authorization/authorizers/acl.json
+++ b/config/ldp/authorization/authorizers/acl.json
@@ -1,14 +1,14 @@
 {
  "@context": "https://linkedsoftwaredependencies.org/bundles/npm/@solid/community-server/^1.0.0/components/context.jsonld",
  "import": [
-    "files-scs:config/ldp/authorization/authorizers/access-checkers/agent.json",
-    "files-scs:config/ldp/authorization/authorizers/access-checkers/agent-class.json",
-    "files-scs:config/ldp/authorization/authorizers/access-checkers/agent-group.json"
+    "files-scs:config/ldp/authorization/readers/access-checkers/agent.json",
+    "files-scs:config/ldp/authorization/readers/access-checkers/agent-class.json",
+    "files-scs:config/ldp/authorization/readers/access-checkers/agent-group.json"
  ],
  "@graph": [
    {
-      "@id": "urn:solid-server:default:WebAclAuthorizer",
-      "@type": "WebAclAuthorizer",
+      "@id": "urn:solid-server:default:WebAclReader",
+      "@type": "WebAclReader",
      "aclStrategy": {
        "@id": "urn:solid-server:default:AclStrategy"
      },
--- a/config/ldp/authorization/webacl.json
+++ b/config/ldp/authorization/webacl.json
@@ -1,28 +1,31 @@
 {
  "@context": "https://linkedsoftwaredependencies.org/bundles/npm/@solid/community-server/^1.0.0/components/context.jsonld",
  "import": [
-    "files-scs:config/ldp/authorization/authorizers/acl.json"
+    "files-scs:config/ldp/authorization/readers/acl.json"
  ],
  "@graph": [
    {
      "comment": "Uses Web Access Control for authorization.",
      "@id": "urn:solid-server:default:Authorizer",
-      "@type": "WaterfallHandler",
-      "handlers": [
-        {
-          "comment": "This authorizer will be used to prevent external access to containers used for internal storage.",
-          "@id": "urn:solid-server:default:PathBasedAuthorizer",
-          "@type": "PathBasedAuthorizer",
-          "baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" }
-        },
-        {
-          "comment": "This authorizer makes sure that for auxiliary resources, the main authorizer gets called with the associated identifier.",
-          "@type": "AuxiliaryAuthorizer",
-          "resourceAuthorizer": { "@id": "urn:solid-server:default:WebAclAuthorizer" },
-          "auxiliaryStrategy": { "@id": "urn:solid-server:default:AuxiliaryStrategy" }
-        },
-        { "@id": "urn:solid-server:default:WebAclAuthorizer" }
-      ]
+      "@type": "PermissionBasedAuthorizer",
+      "reader": {
+        "@type": "UnionPermissionReader",
+        "readers": [
+          {
+            "comment": "This PermissionReader will be used to prevent external access to containers used for internal storage.",
+            "@id": "urn:solid-server:default:PathBasedReader",
+            "@type": "PathBasedReader",
+            "baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" }
+          },
+          {
+            "comment": "This PermissionReader makes sure that for auxiliary resources, the main reader gets called with the associated identifier.",
+            "@type": "AuxiliaryReader",
+            "resourceReader": { "@id": "urn:solid-server:default:WebAclReader" },
+            "auxiliaryStrategy": { "@id": "urn:solid-server:default:AuxiliaryStrategy" }
+          },
+          { "@id": "urn:solid-server:default:WebAclReader" }
+        ]
+      }
    }
  ]
 }
--- a/config/storage/key-value/resource-store.json
+++ b/config/storage/key-value/resource-store.json
@@ -57,11 +57,14 @@
    },
    {
      "comment": "Block external access to the storage containers to avoid exposing internal data.",
-      "@id": "urn:solid-server:default:PathBasedAuthorizer",
-      "PathBasedAuthorizer:_paths": [
+      "@id": "urn:solid-server:default:PathBasedReader",
+      "PathBasedReader:_paths": [
        {
-          "PathBasedAuthorizer:_paths_key": "^/.internal(/.*)?$",
-          "PathBasedAuthorizer:_paths_value": { "@type": "DenyAllAuthorizer" }
+          "PathBasedReader:_paths_key": "^/.internal(/.*)?$",
+          "PathBasedReader:_paths_value": {
+            "@type": "AllStaticReader",
+            "allow": false
+          }
        }
      ]
    },