From d5bcec704cc00a240634e3860e998f2bd861cf12 Mon Sep 17 00:00:00 2001
From: Joachim Van Herwegen
Date: Wed, 29 Jun 2022 11:01:53 +0200
Subject: [PATCH] feat: Update configs based on all permission changes

---
 config/ldp/authorization/readers/acl.json | 28 +++++++++-----
 .../ldp/authorization/readers/ownership.json | 3 +-
 config/ldp/authorization/webacl.json | 37 ++++++++++---------
 config/ldp/modes/default.json | 10 ++++-
 4 files changed, 49 insertions(+), 29 deletions(-)

diff --git a/config/ldp/authorization/readers/acl.json b/config/ldp/authorization/readers/acl.json
index de093bfd4..734ac42bf 100644
--- a/config/ldp/authorization/readers/acl.json
+++ b/config/ldp/authorization/readers/acl.json
@@ -7,17 +7,27 @@
 ],
 "@graph": [
 {
+ "comment": "Adds parent container checks needed for create/delete permissions.",
+ "@id": "urn:solid-server:default:WrappedWebAclReader",
+ "@type": "ParentContainerReader",
+ "identifierStrategy": { "@id": "urn:solid-server:default:IdentifierStrategy" },
+ "reader": { "@id": "urn:solid-server:default:WebAclAuxiliaryReader" }
+ },
+ {
+ "comment": "Reinterprets Control permissions as Read/Write on the ACL document.",
+ "@id": "urn:solid-server:default:WebAclAuxiliaryReader",
+ "@type": "WebAclAuxiliaryReader",
+ "aclStrategy": { "@id": "urn:solid-server:default:AclStrategy" },
+ "reader": { "@id": "urn:solid-server:default:WebAclReader" }
+ },
+ {
+ "comment": "Reads out permissions from an ACL document for subject resources.",
 "@id": "urn:solid-server:default:WebAclReader",
 "@type": "WebAclReader",
- "aclStrategy": {
- "@id": "urn:solid-server:default:AclStrategy"
- },
- "aclStore": {
- "@id": "urn:solid-server:default:ResourceStore"
- },
- "identifierStrategy": {
- "@id": "urn:solid-server:default:IdentifierStrategy"
- },
+ "aclStrategy": { "@id": "urn:solid-server:default:AclStrategy" },
+ "resourceSet": { "@id": "urn:solid-server:default:CachedResourceSet" },
+ "aclStore": { "@id": "urn:solid-server:default:ResourceStore" },
+ "identifierStrategy": { "@id": "urn:solid-server:default:IdentifierStrategy" },
 "accessChecker": {
 "@type": "BooleanHandler",
 "handlers": [
diff --git a/config/ldp/authorization/readers/ownership.json b/config/ldp/authorization/readers/ownership.json
index ccfc4ac71..f3cee17d1 100644
--- a/config/ldp/authorization/readers/ownership.json
+++ b/config/ldp/authorization/readers/ownership.json
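Review bot: The parent-container checks and the Control-to-Read/Write reinterpretation live only in the new `WrappedWebAclReader` and `WebAclAuxiliaryReader` wrappers, while `urn:solid-server:default:WebAclReader` keeps its public id and is only consumed by the inner wrapper, so any other config that still points at `WebAclReader` directly (as the previous `webacl.json` did) would evaluate raw ACL permissions without those checks. This patch cannot show whether such references remain, so that should be verified before merging. I would also make the outer wrapper's comment say which id consumers are meant to use, e.g. `"comment": "Entry point for WebACL permission reading: wraps WebAclAuxiliaryReader and WebAclReader with parent container checks; reference this reader rather than WebAclReader directly.",`. The enclosing `@graph` array continues past the end of the hunk.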
@@ -6,7 +6,8 @@
 "@id": "urn:solid-server:default:OwnerPermissionReader",
 "@type": "OwnerPermissionReader",
 "accountStore": { "@id": "urn:solid-server:auth:password:AccountStore" },
- "aclStrategy": { "@id": "urn:solid-server:default:AclStrategy" }
+ "aclStrategy": { "@id": "urn:solid-server:default:AclStrategy" },
+ "identifierStrategy": { "@id": "urn:solid-server:default:IdentifierStrategy" }
 }
 ]
 }
diff --git a/config/ldp/authorization/webacl.json b/config/ldp/authorization/webacl.json
index db577479d..1c99d93ee 100644
--- a/config/ldp/authorization/webacl.json
+++ b/config/ldp/authorization/webacl.json
@@ -6,25 +6,26 @@
 ],
 "@graph": [
 {
- "comment": "Uses Web Access Control for authorization.",
+ "comment": "Requests permissions on subject resources for auxiliary resources.",
 "@id": "urn:solid-server:default:PermissionReader",
- "@type": "UnionPermissionReader",
- "readers": [
- {
- "comment": "This PermissionReader will be used to prevent external access to containers used for internal storage.",
- "@id": "urn:solid-server:default:PathBasedReader",
- "@type": "PathBasedReader",
- "baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" }
- },
- { "@id": "urn:solid-server:default:OwnerPermissionReader" },
- {
- "comment": "This PermissionReader makes sure that for auxiliary resources, the main reader gets called with the associated identifier.",
- "@type": "AuxiliaryReader",
- "resourceReader": { "@id": "urn:solid-server:default:WebAclReader" },
- "auxiliaryStrategy": { "@id": "urn:solid-server:default:AuxiliaryStrategy" }
- },
- { "@id": "urn:solid-server:default:WebAclReader" }
- ]
+ "@type": "AuxiliaryReader",
+ "auxiliaryStrategy": { "@id": "urn:solid-server:default:AuxiliaryStrategy" },
+ "reader": {
+ "@type": "UnionPermissionReader",
+ "readers": [
+ {
+ "comment": "This PermissionReader will be used to prevent external access to containers used for internal storage.",
+ "@id": "urn:solid-server:default:PathBasedReader",
+ "@type": "PathBasedReader",
+ "baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" }
+ },
+ { "@id": "urn:solid-server:default:OwnerPermissionReader" },
+ {
+ "comment": "Uses Web Access Control for authorization.",
+ "@id": "urn:solid-server:default:WrappedWebAclReader"
+ }
+ ]
+ }
 },
 {
 "comment": "In case of WebACL authorization the ACL resources determine authorization.",
diff --git a/config/ldp/modes/default.json b/config/ldp/modes/default.json
index 8b90e8814..e2606fb7c 100644
--- a/config/ldp/modes/default.json
+++ b/config/ldp/modes/default.json
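Review bot: Moving `AuxiliaryReader` from around `WebAclReader` alone to around the whole `UnionPermissionReader` changes what `PathBasedReader` and `OwnerPermissionReader` see for auxiliary resources: per the new comment they are now asked about the subject resource rather than the auxiliary one, and the commit message does not mention this. For `PathBasedReader`, whose stated purpose is blocking external access to internal storage containers, that is presumably still correct because an auxiliary resource shares its subject's path prefix, but nothing in the hunk confirms it. The inner `UnionPermissionReader` also has no `@id` anymore (`urn:solid-server:default:PermissionReader` now names the `AuxiliaryReader`), so any config that overrode the union's `readers` by that id would silently stop matching, and the wrapper's parameter changed from `resourceReader` to `reader`, which only works if the class constructor changed in the same release. A comment on the inner object would make the new semantics visible, e.g. `"comment": "Every reader below is called with the subject identifier when the request targets an auxiliary resource.",`.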
@@ -2,8 +2,16 @@
 "@context": "https://linkedsoftwaredependencies.org/bundles/npm/@solid/community-server/^5.0.0/components/context.jsonld",
 "@graph": [
 {
- "comment": "Determines required modes based on HTTP methods.",
+ "comment": "Checks if an operation on a resource requires permissions on intermediate resources (such as newly created parent containers).",
 "@id": "urn:solid-server:default:ModesExtractor",
+ "@type": "IntermediateCreateExtractor",
+ "resourceSet": { "@id": "urn:solid-server:default:CachedResourceSet" },
+ "strategy": { "@id": "urn:solid-server:default:IdentifierStrategy" },
+ "source": { "@id": "urn:solid-server:default:HttpModesExtractor" }
+ },
+ {
+ "comment": "Determines required modes based on HTTP methods.",
+ "@id": "urn:solid-server:default:HttpModesExtractor",
 "@type": "WaterfallHandler",
 "handlers": [
 {
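Review bot: `IntermediateCreateExtractor` is wired to `urn:solid-server:default:CachedResourceSet` to decide whether the intermediate containers it describes already exist, and a stale "exists" answer from that cache would presumably drop the extra requirement for a container the request is actually about to create, leaving only the modes for the final resource; whether the cache is invalidated on deletes within the same pipeline cannot be seen here and should be confirmed. The same `CachedResourceSet` is injected into `WebAclReader` in the `acl.json` hunk, where the same staleness question applies. Since `HttpModesExtractor` is a new id, the `ModesExtractor` comment should state that it wraps it, e.g. `"comment": "Checks if an operation on a resource requires permissions on intermediate resources (such as newly created parent containers); wraps HttpModesExtractor, which determines the base modes from the HTTP method.",`. The `HttpModesExtractor` definition continues past the end of the hunk.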