mirror of https://github.com/CommunitySolidServer/CommunitySolidServer.git (synced 2024-10-03 14:55:10 +00:00)
docs: Document ACP-related changes
parent 56b7e63843, commit c73ef50e48
@ -4,7 +4,8 @@

### New features
### New features

- ...
- The server can be configured to use [ACP](https://solidproject.org/TR/acp) instead of WebACL.
`config/file-acp.json` is an example of a configuration that uses this authorization scheme instead.

### Data migration
### Data migration

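Review bot: the new entry "The server can be configured to use [ACP](https://solidproject.org/TR/acp) instead of WebACL." presents the two schemes as alternatives but does not say what happens to an existing server's WebACL rules when an operator switches to `config/file-acp.json`; a release note for an authorization change should state whether existing access rules carry over or must be recreated, or point to the Data migration section below if that is covered there.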
@ -28,6 +29,13 @@ The following changes are relevant for v5 custom configs that replaced certain f
- `/app/main/general/templates.json` was added to configure a generic template engine handler.
- `/app/main/general/templates.json` was added to configure a generic template engine handler.
- `/app/main/default.json` now imports the above config file.
- `/app/main/default.json` now imports the above config file.
- All files configuring template engines.
- All files configuring template engines.
- Several minor changes due to support ACP.
- `ldp/authorization/*`
- Resource generation was changed to there is 1 reusable resource generator.
- `init/initializers/*`
- `setup/handlers/setup.json`
- `identity/access/initializers/*`
- `identity/pod/*`

### Interface changes
### Interface changes

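Review bot: two of the added entries need rewording: "- Several minor changes due to support ACP." should read "to support ACP", and "- Resource generation was changed to there is 1 reusable resource generator." should read "so that there is one reusable resource generator". Since this section is aimed at people who replaced these config files with custom versions, the bare path entries (`ldp/authorization/*`, `init/initializers/*`, `setup/handlers/setup.json`, `identity/access/initializers/*`, `identity/pod/*`) would be more useful with one clause each on what changed in them, as the `templates.json` entries above do.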
@ -36,6 +44,12 @@ These changes are relevant if you wrote custom modules for the server that depen
- `AgentGroupAccessChecker` no longer accepts any input parameters.
- `AgentGroupAccessChecker` no longer accepts any input parameters.
- The functions in `Vocabularies.ts` were renamed,
- The functions in `Vocabularies.ts` were renamed,
the typings have been made more precise and several utility types were added.
the typings have been made more precise and several utility types were added.
- Several changes to support ACP.
- `WebAclAuxiliaryReader` was renamed to `AuthAuxiliaryReader`.
- `OwnerPermissionReader` input parameter `aclStrategy` was renamed to `authStrategy`.
- `TemplatedResourcesGenerator` has been renamed to `BaseResourcesGenerator` and has a different interface now.
- `CredentialSet` was replaced by a single `Credentials` interface.
This impacts all authentication and authorization related classes.

## v5.0.0
## v5.0.0

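Review bot: "`TemplatedResourcesGenerator` has been renamed to `BaseResourcesGenerator` and has a different interface now." does not say what the new interface is; for a breaking change, name the changed methods or parameters the way the `OwnerPermissionReader` entry does for `aclStrategy` → `authStrategy`, so module authors can update without reading the source. The same applies to "`CredentialSet` was replaced by a single `Credentials` interface.": since the next line says this touches every authentication and authorization class, a short note on how the old set maps onto the new interface's fields would save every custom authorizer author the same investigation.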

@ -52,11 +52,10 @@ flowchart TD
Both of the WebID extractors make use of
Both of the WebID extractors make use of
the [`access-token-verifier`](https://github.com/CommunitySolidServer/access-token-verifier) library
the [`access-token-verifier`](https://github.com/CommunitySolidServer/access-token-verifier) library
to parse incoming tokens based on the [Solid-OIDC specification](https://solid.github.io/solid-oidc/).
to parse incoming tokens based on the [Solid-OIDC specification](https://solid.github.io/solid-oidc/).
Besides those there are always the public credentials, which everyone has.
All these credentials then get combined into a single union object.
All these credentials then get combined into a single union object.

If successful, a `CredentialsExtractor` will return a key/value map
If successful, a `CredentialsExtractor` will return an object containing all the information extracted,
linking the type of credentials to their specific values.
such as the WebID of the agent, or the issuer of the token.

There are also debug configuration options available that can be used to simulate credentials.
There are also debug configuration options available that can be used to simulate credentials.
These can be enabled as different options through the `config/ldp/authentication` imports.
These can be enabled as different options through the `config/ldp/authentication` imports.
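Review bot: the unchanged line "All these credentials then get combined into a single union object." still describes the old key/value union, which the release notes in this same commit say was replaced by a single `Credentials` interface, and the rewritten sentence "If successful, a `CredentialsExtractor` will return an object containing all the information extracted," now contradicts it; rewrite the union sentence to match. Removing "Besides those there are always the public credentials, which everyone has." also drops the only statement about unauthenticated requests; if such requests still flow through authorization with empty credentials, keep one sentence saying so, since readers of this page rely on it to understand how public access is evaluated.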
@ -106,13 +105,13 @@ In both cases it will parse the bodies to determine what the impact would be of

## Permission reading
## Permission reading

`PermissionReaders` take the input of the above to determine which permissions are available for which credentials.
`PermissionReader`s take the input of the above to determine which permissions are available.
The modes from the previous step are not yet needed,
The modes from the previous step are not yet needed,
but can be used as optimization as we only need to know if we have permission on those modes.
but can be used as optimization as we only need to know if we have permission on those modes.
Each reader returns all the information it can find based on the resources and modes it receives.
Each reader returns all the information it can find based on the resources and modes it receives.
In the default configuration the following readers are combined when WebACL is enabled as authorization method.
In most of the default configuration the following readers are combined when WebACL is enabled as authorization method.
In case authorization is disabled by changing the authorization import to `config/ldp/authorization/allow-all.json`,
In case authorization is disabled by changing the authorization import to `config/ldp/authorization/allow-all.json`,
this diagram is just a class that always returns all permissions.
the diagram would be a single class that always returns all permissions.

```mermaid
```mermaid
flowchart TD
flowchart TD
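Review bot: "In most of the default configuration the following readers are combined" is ungrammatical; "In most of the default configurations" (or "In most default configurations") is what is meant. Now that this section covers two authorization schemes, the sentence about `config/ldp/authorization/allow-all.json` should also say explicitly that this import replaces the whole reader chain for either scheme and grants every permission to every request, so "authorization is disabled" is not read as applying to WebACL only.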
@ -126,7 +125,7 @@ flowchart TD
WrappedWebAclReader("<strong>WrappedWebAclReader</strong><br>ParentContainerReader")
WrappedWebAclReader("<strong>WrappedWebAclReader</strong><br>ParentContainerReader")
end
end

WrappedWebAclReader --> WebAclAuxiliaryReader("<strong>WebAclAuxiliaryReader</strong><br>WebAclAuxiliaryReader")
WrappedWebAclReader --> WebAclAuxiliaryReader("<strong>WebAclAuxiliaryReader</strong><br>AuthAuxiliaryReader")
WebAclAuxiliaryReader --> WebAclReader("<strong>WebAclReader</strong><br>WebAclReader")
WebAclAuxiliaryReader --> WebAclReader("<strong>WebAclReader</strong><br>WebAclReader")
```
```

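Review bot: in the changed node `WebAclAuxiliaryReader("<strong>WebAclAuxiliaryReader</strong><br>AuthAuxiliaryReader")` only the class name after `<br>` was updated, while the other nodes in this diagram use the bold part for the configured component identifier; check whether that identifier was renamed together with the class and, if it was, update the bold label, the node id and the `WrappedWebAclReader -->` and `--> WebAclReader` edges as well, otherwise the diagram mixes old and new names and no longer matches the config it documents.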
@ -152,13 +151,20 @@ while deleting a resource requires `write` permissions there.

In case the target is an ACL resource, `control` permissions need to be checked,
In case the target is an ACL resource, `control` permissions need to be checked,
no matter what mode was generated by the `ModesExtractor`.
no matter what mode was generated by the `ModesExtractor`.
The `WebAclAuxiliaryReader` makes sure this conversion happens.
The `AuthAuxiliaryReader` makes sure this conversion happens.

Finally, the `WebAclReader` implements
Finally, the `WebAclReader` implements
the [efffective ACL resource algorithm](https://solidproject.org/TR/2021/wac-20210711#effective-acl-resource)
the [efffective ACL resource algorithm](https://solidproject.org/TR/2021/wac-20210711#effective-acl-resource)
and returns the permissions it finds in that resource.
and returns the permissions it finds in that resource.
In case no ACL resource is found this indicates a configuration error and no permissions will be granted.
In case no ACL resource is found this indicates a configuration error and no permissions will be granted.

### ACP

It is also possible to use ACP as authorization method instead of WebACL.
In that case the diagram is very similar,
except the `AuthAuxiliaryReader` is configured for Access Control Resources,
and it points to a `AcpReader` instead.

## Authorization
## Authorization

All the results of the previous steps then get combined in the `PermissionBasedAuthorizer` to either allow or reject a request.
All the results of the previous steps then get combined in the `PermissionBasedAuthorizer` to either allow or reject a request.
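Review bot: the new ACP paragraph says the `AuthAuxiliaryReader` "is configured for Access Control Resources" but not what mode it requires on them; the WebACL paragraph above states that `control` is needed on an ACL resource "no matter what mode was generated by the `ModesExtractor`", so the ACP text should state the equivalent rule for ACRs, and also what `AcpReader` does when no ACR is found, since the WebACL text explicitly documents that a missing ACL resource grants no permissions and readers will want to know the ACP path fails closed the same way. Minor: "a `AcpReader`" should be "an `AcpReader`", and "efffective" in the unchanged link text is a typo worth fixing while here.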