feat: Let CredentialsExtractors specify what type of Credentials they generate

2024-10-03 14:55:10 +00:00 · 2021-09-17 11:17:43 +02:00
parent 34a44d1636
commit c3fa74de78
21 changed files with 115 additions and 81 deletions
--- a/src/authentication/BearerWebIdExtractor.ts
+++ b/src/authentication/BearerWebIdExtractor.ts
@@ -4,12 +4,10 @@ import { getLoggerFor } from '../logging/LogUtil';
 import type { HttpRequest } from '../server/HttpRequest';
 import { BadRequestHttpError } from '../util/errors/BadRequestHttpError';
 import { NotImplementedHttpError } from '../util/errors/NotImplementedHttpError';
-import type { Credentials } from './Credentials';
+import { CredentialGroup } from './Credentials';
+import type { CredentialSet } from './Credentials';
 import { CredentialsExtractor } from './CredentialsExtractor';

-/**
- * Credentials extractor that extracts a WebID from a Bearer access token.
- */
 export class BearerWebIdExtractor extends CredentialsExtractor {
  protected readonly logger = getLoggerFor(this);
  private readonly verify: SolidTokenVerifierFunction;
@@ -26,13 +24,13 @@ export class BearerWebIdExtractor extends CredentialsExtractor {
    }
  }

-  public async handle(request: HttpRequest): Promise<Credentials> {
+  public async handle(request: HttpRequest): Promise<CredentialSet> {
    const { headers: { authorization }} = request;

    try {
      const { webid: webId } = await this.verify(authorization!);
      this.logger.info(`Verified WebID via Bearer access token: ${webId}`);
-      return { webId };
+      return { [CredentialGroup.agent]: { webId }};
    } catch (error: unknown) {
      const message = `Error verifying WebID via Bearer access token: ${(error as Error).message}`;
      this.logger.warn(message);
--- a/src/authentication/Credentials.ts
+++ b/src/authentication/Credentials.ts
@@ -1,6 +1,19 @@
 /**
 * Credentials identifying an entity accessing or owning data.
 */
-export interface Credentials {
+export interface Credential {
  webId?: string;
 }
+
+/**
+ * Specific groups that can have credentials.
+ */
+export enum CredentialGroup {
+  public = 'public',
+  agent = 'agent',
+}
+
+/**
+ * A combination of multiple credentials, where their group is specified by the key.
+ */
+export type CredentialSet = Partial<Record<CredentialGroup, Credential>>;
--- a/src/authentication/CredentialsExtractor.ts
+++ b/src/authentication/CredentialsExtractor.ts
@@ -1,8 +1,8 @@
 import type { HttpRequest } from '../server/HttpRequest';
 import { AsyncHandler } from '../util/handlers/AsyncHandler';
-import type { Credentials } from './Credentials';
+import type { CredentialSet } from './Credentials';

 /**
 * Responsible for extracting credentials from an incoming request.
 */
-export abstract class CredentialsExtractor extends AsyncHandler<HttpRequest, Credentials> {}
+export abstract class CredentialsExtractor extends AsyncHandler<HttpRequest, CredentialSet> {}
--- a/src/authentication/DPoPWebIdExtractor.ts
+++ b/src/authentication/DPoPWebIdExtractor.ts
@@ -5,7 +5,8 @@ import { getLoggerFor } from '../logging/LogUtil';
 import type { HttpRequest } from '../server/HttpRequest';
 import { BadRequestHttpError } from '../util/errors/BadRequestHttpError';
 import { NotImplementedHttpError } from '../util/errors/NotImplementedHttpError';
-import type { Credentials } from './Credentials';
+import { CredentialGroup } from './Credentials';
+import type { CredentialSet } from './Credentials';
 import { CredentialsExtractor } from './CredentialsExtractor';

 /**
@@ -31,7 +32,7 @@ export class DPoPWebIdExtractor extends CredentialsExtractor {
    }
  }

-  public async handle(request: HttpRequest): Promise<Credentials> {
+  public async handle(request: HttpRequest): Promise<CredentialSet> {
    const { headers: { authorization, dpop }, method } = request;
    if (!dpop) {
      throw new BadRequestHttpError('No DPoP header specified.');
@@ -53,7 +54,7 @@ export class DPoPWebIdExtractor extends CredentialsExtractor {
        },
      );
      this.logger.info(`Verified WebID via DPoP-bound access token: ${webId}`);
-      return { webId };
+      return { [CredentialGroup.agent]: { webId }};
    } catch (error: unknown) {
      const message = `Error verifying WebID via DPoP-bound access token: ${(error as Error).message}`;
      this.logger.warn(message);
--- a/src/authentication/EmptyCredentialsExtractor.ts
+++ b/src/authentication/EmptyCredentialsExtractor.ts
@@ -1,6 +1,7 @@
 import type { HttpRequest } from '../server/HttpRequest';
 import { NotImplementedHttpError } from '../util/errors/NotImplementedHttpError';
-import type { Credentials } from './Credentials';
+import { CredentialGroup } from './Credentials';
+import type { CredentialSet } from './Credentials';
 import { CredentialsExtractor } from './CredentialsExtractor';

 /**
@@ -14,7 +15,7 @@ export class EmptyCredentialsExtractor extends CredentialsExtractor {
    }
  }

-  public async handle(): Promise<Credentials> {
-    return {};
+  public async handle(): Promise<CredentialSet> {
+    return { [CredentialGroup.public]: {}};
  }
 }
--- a/src/authentication/UnsecureConstantCredentialsExtractor.ts
+++ b/src/authentication/UnsecureConstantCredentialsExtractor.ts
@@ -1,5 +1,6 @@
 import { getLoggerFor } from '../logging/LogUtil';
-import type { Credentials } from './Credentials';
+import { CredentialGroup } from './Credentials';
+import type { Credential, CredentialSet } from './Credentials';
 import { CredentialsExtractor } from './CredentialsExtractor';

 /**
@@ -7,18 +8,18 @@ import { CredentialsExtractor } from './CredentialsExtractor';
 * (useful for development or debugging purposes).
 */
 export class UnsecureConstantCredentialsExtractor extends CredentialsExtractor {
-  private readonly agent: Credentials;
+  private readonly credentials: CredentialSet;
  private readonly logger = getLoggerFor(this);

  public constructor(agent: string);
-  public constructor(agent: Credentials);
-  public constructor(agent: string | Credentials) {
+  public constructor(agent: Credential);
+  public constructor(agent: string | Credential) {
    super();
-    this.agent = typeof agent === 'string' ? { webId: agent } : agent;
+    this.credentials = { [CredentialGroup.agent]: typeof agent === 'string' ? { webId: agent } : agent };
  }

-  public async handle(): Promise<Credentials> {
-    this.logger.info(`Agent unsecurely claims to be ${this.agent.webId}`);
-    return this.agent;
+  public async handle(): Promise<CredentialSet> {
+    this.logger.info(`Agent unsecurely claims to be ${this.credentials.agent!.webId}`);
+    return this.credentials;
  }
 }
--- a/src/authentication/UnsecureWebIdExtractor.ts
+++ b/src/authentication/UnsecureWebIdExtractor.ts
@@ -1,7 +1,8 @@
 import { getLoggerFor } from '../logging/LogUtil';
 import type { HttpRequest } from '../server/HttpRequest';
 import { NotImplementedHttpError } from '../util/errors/NotImplementedHttpError';
-import type { Credentials } from './Credentials';
+import { CredentialGroup } from './Credentials';
+import type { CredentialSet } from './Credentials';
 import { CredentialsExtractor } from './CredentialsExtractor';

 /**
@@ -17,9 +18,9 @@ export class UnsecureWebIdExtractor extends CredentialsExtractor {
    }
  }

-  public async handle({ headers }: HttpRequest): Promise<Credentials> {
+  public async handle({ headers }: HttpRequest): Promise<CredentialSet> {
    const webId = /^WebID\s+(.*)/u.exec(headers.authorization!)![1];
    this.logger.info(`Agent unsecurely claims to be ${webId}`);
-    return { webId };
+    return { [CredentialGroup.agent]: { webId }};
  }
 }
--- a/src/authorization/Authorizer.ts
+++ b/src/authorization/Authorizer.ts
@@ -1,20 +1,14 @@
-import type { Credentials } from '../authentication/Credentials';
+import type { CredentialSet } from '../authentication/Credentials';
 import type { PermissionSet } from '../ldp/permissions/PermissionSet';
 import type { ResourceIdentifier } from '../ldp/representation/ResourceIdentifier';
 import { AsyncHandler } from '../util/handlers/AsyncHandler';
 import type { Authorization } from './Authorization';

-/**
- * Verifies if the given credentials have access to the given permissions on the given resource.
- * An {@link Error} with the necessary explanation will be thrown when permissions are not granted.
- */
-export abstract class Authorizer extends AsyncHandler<AuthorizerArgs, Authorization> {}
-
-export interface AuthorizerArgs {
+export interface AuthorizerInput {
  /**
   * Credentials of the entity that wants to use the resource.
   */
-  credentials: Credentials;
+  credentials: CredentialSet;
  /**
   * Identifier of the resource that will be read/modified.
   */
@@ -24,3 +18,9 @@ export interface AuthorizerArgs {
   */
  permissions: PermissionSet;
 }
+
+/**
+ * Verifies if the given credentials have access to the given permissions on the given resource.
+ * An {@link Error} with the necessary explanation will be thrown when permissions are not granted.
+ */
+export abstract class Authorizer extends AsyncHandler<AuthorizerInput, Authorization> {}
--- a/src/authorization/AuxiliaryAuthorizer.ts
+++ b/src/authorization/AuxiliaryAuthorizer.ts
@@ -2,7 +2,7 @@ import type { AuxiliaryIdentifierStrategy } from '../ldp/auxiliary/AuxiliaryIden
 import { getLoggerFor } from '../logging/LogUtil';
 import { NotImplementedHttpError } from '../util/errors/NotImplementedHttpError';
 import type { Authorization } from './Authorization';
-import type { AuthorizerArgs } from './Authorizer';
+import type { AuthorizerInput } from './Authorizer';
 import { Authorizer } from './Authorizer';

 /**
@@ -22,24 +22,24 @@ export class AuxiliaryAuthorizer extends Authorizer {
    this.auxiliaryStrategy = auxiliaryStrategy;
  }

-  public async canHandle(auxiliaryAuth: AuthorizerArgs): Promise<void> {
+  public async canHandle(auxiliaryAuth: AuthorizerInput): Promise<void> {
    const resourceAuth = this.getRequiredAuthorization(auxiliaryAuth);
    return this.resourceAuthorizer.canHandle(resourceAuth);
  }

-  public async handle(auxiliaryAuth: AuthorizerArgs): Promise<Authorization> {
+  public async handle(auxiliaryAuth: AuthorizerInput): Promise<Authorization> {
    const resourceAuth = this.getRequiredAuthorization(auxiliaryAuth);
    this.logger.debug(`Checking auth request for ${auxiliaryAuth.identifier.path} on ${resourceAuth.identifier.path}`);
    return this.resourceAuthorizer.handle(resourceAuth);
  }

-  public async handleSafe(auxiliaryAuth: AuthorizerArgs): Promise<Authorization> {
+  public async handleSafe(auxiliaryAuth: AuthorizerInput): Promise<Authorization> {
    const resourceAuth = this.getRequiredAuthorization(auxiliaryAuth);
    this.logger.debug(`Checking auth request for ${auxiliaryAuth.identifier.path} to ${resourceAuth.identifier.path}`);
    return this.resourceAuthorizer.handleSafe(resourceAuth);
  }

-  private getRequiredAuthorization(auxiliaryAuth: AuthorizerArgs): AuthorizerArgs {
+  private getRequiredAuthorization(auxiliaryAuth: AuthorizerInput): AuthorizerInput {
    if (!this.auxiliaryStrategy.isAuxiliaryIdentifier(auxiliaryAuth.identifier)) {
      throw new NotImplementedHttpError('AuxiliaryAuthorizer only supports auxiliary resources.');
    }
--- a/src/authorization/PathBasedAuthorizer.ts
+++ b/src/authorization/PathBasedAuthorizer.ts
@@ -1,7 +1,7 @@
 import { NotImplementedHttpError } from '../util/errors/NotImplementedHttpError';
 import { ensureTrailingSlash, trimTrailingSlashes } from '../util/PathUtil';
 import type { Authorization } from './Authorization';
-import type { AuthorizerArgs } from './Authorizer';
+import type { AuthorizerInput } from './Authorizer';
 import { Authorizer } from './Authorizer';

 /**
@@ -23,12 +23,12 @@ export class PathBasedAuthorizer extends Authorizer {
    this.paths = new Map(entries);
  }

-  public async canHandle(input: AuthorizerArgs): Promise<void> {
+  public async canHandle(input: AuthorizerInput): Promise<void> {
    const authorizer = this.findAuthorizer(input.identifier.path);
    await authorizer.canHandle(input);
  }

-  public async handle(input: AuthorizerArgs): Promise<Authorization> {
+  public async handle(input: AuthorizerInput): Promise<Authorization> {
    const authorizer = this.findAuthorizer(input.identifier.path);
    return authorizer.handle(input);
  }
--- a/src/authorization/WebAclAuthorizer.ts
+++ b/src/authorization/WebAclAuthorizer.ts
@@ -1,6 +1,6 @@
 import type { Quad, Term } from 'n3';
 import { Store } from 'n3';
-import type { Credentials } from '../authentication/Credentials';
+import type { Credential, CredentialSet } from '../authentication/Credentials';
 import type { AuxiliaryIdentifierStrategy } from '../ldp/auxiliary/AuxiliaryIdentifierStrategy';
 import type { PermissionSet } from '../ldp/permissions/PermissionSet';
 import type { Representation } from '../ldp/representation/Representation';
@@ -18,7 +18,7 @@ import type { IdentifierStrategy } from '../util/identifiers/IdentifierStrategy'
 import { readableToQuads } from '../util/StreamUtil';
 import { ACL, RDF } from '../util/Vocabularies';
 import type { AccessChecker } from './access-checkers/AccessChecker';
-import type { AuthorizerArgs } from './Authorizer';
+import type { AuthorizerInput } from './Authorizer';
 import { Authorizer } from './Authorizer';
 import { WebAclAuthorization } from './WebAclAuthorization';

@@ -50,7 +50,7 @@ export class WebAclAuthorizer extends Authorizer {
    this.accessChecker = accessChecker;
  }

-  public async canHandle({ identifier }: AuthorizerArgs): Promise<void> {
+  public async canHandle({ identifier }: AuthorizerInput): Promise<void> {
    if (this.aclStrategy.isAuxiliaryIdentifier(identifier)) {
      throw new NotImplementedHttpError('WebAclAuthorizer does not support permissions on auxiliary resources.');
    }
@@ -61,20 +61,22 @@ export class WebAclAuthorizer extends Authorizer {
   * Will throw an error if this is not the case.
   * @param input - Relevant data needed to check if access can be granted.
   */
-  public async handle({ identifier, permissions, credentials }: AuthorizerArgs): Promise<WebAclAuthorization> {
+  public async handle({ identifier, permissions, credentials }: AuthorizerInput):
+  Promise<WebAclAuthorization> {
    // Determine the required access modes
    const modes = (Object.keys(permissions) as (keyof PermissionSet)[]).filter((key): boolean => permissions[key]);
-    this.logger.debug(`Checking if ${credentials.webId} has ${modes.join()} permissions for ${identifier.path}`);
+    this.logger.debug(`Checking if ${credentials.agent?.webId} has ${modes.join()} permissions for ${identifier.path}`);

    // Determine the full authorization for the agent granted by the applicable ACL
    const acl = await this.getAclRecursive(identifier);
    const authorization = await this.createAuthorization(credentials, acl);

    // Verify that the authorization allows all required modes
+    const agent = credentials.agent ?? credentials.public ?? {};
    for (const mode of modes) {
-      this.requirePermission(credentials, authorization, mode);
+      this.requirePermission(agent, authorization, mode);
    }
-    this.logger.debug(`${credentials.webId} has ${modes.join()} permissions for ${identifier.path}`);
+    this.logger.debug(`${agent.webId} has ${modes.join()} permissions for ${identifier.path}`);
    return authorization;
  }

@@ -82,34 +84,45 @@ export class WebAclAuthorizer extends Authorizer {
   * Checks whether the agent is authenticated (logged in) or not (public/anonymous).
   * @param agent - Agent whose credentials will be checked.
   */
-  private isAuthenticated(agent: Credentials): agent is ({ webId: string }) {
+  private isAuthenticated(agent: Credential): agent is ({ webId: string }) {
    return typeof agent.webId === 'string';
  }

  /**
   * Creates an Authorization object based on the quads found in the ACL.
-   * @param agent - Agent whose credentials will be used for the `user` field.
+   * @param credentials - Credentials to check permissions for.
   * @param acl - Store containing all relevant authorization triples.
   */
-  private async createAuthorization(agent: Credentials, acl: Store): Promise<WebAclAuthorization> {
-    const publicPermissions = await this.determinePermissions({}, acl);
-    const agentPermissions = await this.determinePermissions(agent, acl);
+  private async createAuthorization(credentials: CredentialSet, acl: Store):
+  Promise<WebAclAuthorization> {
+    const publicPermissions = await this.determinePermissions(acl, credentials.public);
+    const agentPermissions = await this.determinePermissions(acl, credentials.agent);
+
+    // Agent at least has the public permissions
+    // This can be relevant when no agent is provided
+    for (const [ key, value ] of Object.entries(agentPermissions) as [keyof PermissionSet, boolean][]) {
+      agentPermissions[key] = value || publicPermissions[key];
+    }

    return new WebAclAuthorization(agentPermissions, publicPermissions);
  }

  /**
   * Determines the available permissions for the given credentials.
-   * @param credentials - Credentials to find the permissions for.
+   * Will deny all permissions if credentials are not defined
   * @param acl - Store containing all relevant authorization triples.
+   * @param credentials - Credentials to find the permissions for.
   */
-  private async determinePermissions(credentials: Credentials, acl: Store): Promise<PermissionSet> {
+  private async determinePermissions(acl: Store, credentials?: Credential): Promise<PermissionSet> {
    const permissions = {
      read: false,
      write: false,
      append: false,
      control: false,
    };
+    if (!credentials) {
+      return permissions;
+    }

    // Apply all ACL rules
    const aclRules = acl.getSubjects(RDF.type, ACL.Authorization, null);
@@ -142,7 +155,7 @@ export class WebAclAuthorizer extends Authorizer {
   * @param authorization - An Authorization containing the permissions the agent has on the resource.
   * @param mode - Which mode is requested.
   */
-  private requirePermission(agent: Credentials, authorization: WebAclAuthorization, mode: keyof PermissionSet): void {
+  private requirePermission(agent: Credential, authorization: WebAclAuthorization, mode: keyof PermissionSet): void {
    if (!authorization.user[mode]) {
      if (this.isAuthenticated(agent)) {
        this.logger.warn(`Agent ${agent.webId} has no ${mode} permissions`);
--- a/src/authorization/access-checkers/AccessChecker.ts
+++ b/src/authorization/access-checkers/AccessChecker.ts
@@ -1,5 +1,5 @@
 import type { Store, Term } from 'n3';
-import type { Credentials } from '../../authentication/Credentials';
+import type { Credential } from '../../authentication/Credentials';
 import { AsyncHandler } from '../../util/handlers/AsyncHandler';

 /**
@@ -21,5 +21,5 @@ export interface AccessCheckerArgs {
  /**
   * Credentials of the entity that wants to use the resource.
   */
-  credentials: Credentials;
+  credentials: Credential;
 }
--- a/src/ldp/AuthenticatedLdpHandler.ts
+++ b/src/ldp/AuthenticatedLdpHandler.ts
@@ -1,4 +1,4 @@
-import type { Credentials } from '../authentication/Credentials';
+import type { CredentialSet } from '../authentication/Credentials';
 import type { CredentialsExtractor } from '../authentication/CredentialsExtractor';
 import type { Authorizer } from '../authorization/Authorizer';
 import { BaseHttpHandler } from '../server/BaseHttpHandler';
@@ -78,8 +78,8 @@ export class AuthenticatedLdpHandler extends BaseHttpHandler {
   *  - Executing the operation.
   */
  protected async handleOperation(operation: Operation, request: HttpRequest): Promise<ResponseDescription> {
-    const credentials: Credentials = await this.credentialsExtractor.handleSafe(request);
-    this.logger.verbose(`Extracted credentials: ${credentials.webId}`);
+    const credentials: CredentialSet = await this.credentialsExtractor.handleSafe(request);
+    this.logger.verbose(`Extracted credentials: ${JSON.stringify(credentials)}`);

    const permissions: PermissionSet = await this.permissionsExtractor.handleSafe(operation);
    const { read, write, append } = permissions;