mirror of
https://github.com/CommunitySolidServer/CommunitySolidServer.git
synced 2024-10-03 14:55:10 +00:00
feat: Add more extensive permission parsing support
This commit is contained in:
Joachim Van Herwegen
parent
769b49293c
commit
e06d0bc8c5
@ -5,6 +5,7 @@ import yargs from 'yargs';
|
||||
import {
|
||||
AcceptPreferenceParser,
|
||||
AuthenticatedLdpHandler,
|
||||
BasePermissionsExtractor,
|
||||
CompositeAsyncHandler,
|
||||
ExpressHttpServer,
|
||||
HttpRequest,
|
||||
@ -19,7 +20,6 @@ import {
|
||||
SimpleExtensionAclManager,
|
||||
SimpleGetOperationHandler,
|
||||
SimplePatchOperationHandler,
|
||||
SimplePermissionsExtractor,
|
||||
SimplePostOperationHandler,
|
||||
SimplePutOperationHandler,
|
||||
SimpleRequestParser,
|
||||
@ -29,6 +29,7 @@ import {
|
||||
SimpleSparqlUpdatePatchHandler,
|
||||
SimpleTargetExtractor,
|
||||
SingleThreadedResourceLocker,
|
||||
SparqlPatchPermissionsExtractor,
|
||||
TurtleToQuadConverter,
|
||||
UrlContainerManager,
|
||||
} from '..';
|
||||
@ -56,7 +57,10 @@ const requestParser = new SimpleRequestParser({
|
||||
});
|
||||
|
||||
const credentialsExtractor = new SimpleCredentialsExtractor();
|
||||
const permissionsExtractor = new SimplePermissionsExtractor();
|
||||
const permissionsExtractor = new CompositeAsyncHandler([
|
||||
new BasePermissionsExtractor(),
|
||||
new SparqlPatchPermissionsExtractor(),
|
||||
]);
|
||||
|
||||
// Will have to see how to best handle this
|
||||
const store = new SimpleResourceStore(base);
|
||||
|
||||
3
index.ts
3
index.ts
@ -38,7 +38,8 @@ export * from './src/ldp/operations/SimplePutOperationHandler';
|
||||
// LDP/Permissions
|
||||
export * from './src/ldp/permissions/PermissionSet';
|
||||
export * from './src/ldp/permissions/PermissionsExtractor';
|
||||
export * from './src/ldp/permissions/SimplePermissionsExtractor';
|
||||
export * from './src/ldp/permissions/BasePermissionsExtractor';
|
||||
export * from './src/ldp/permissions/SparqlPatchPermissionsExtractor';
|
||||
|
||||
// LDP/Representation
|
||||
export * from './src/ldp/representation/BinaryRepresentation';
|
||||
|
||||
@ -1,5 +1,5 @@
|
||||
import { Algebra } from 'sparqlalgebrajs';
|
||||
import { Patch } from './Patch';
|
||||
import { Update } from 'sparqlalgebrajs/lib/algebra';
|
||||
|
||||
/**
|
||||
* A specific type of {@link Patch} corresponding to a SPARQL update.
|
||||
@ -8,5 +8,5 @@ export interface SparqlUpdatePatch extends Patch {
|
||||
/**
|
||||
* Algebra corresponding to the SPARQL update.
|
||||
*/
|
||||
algebra: Update;
|
||||
algebra: Algebra.Update;
|
||||
}
|
||||
|
||||
32
src/ldp/permissions/BasePermissionsExtractor.ts
Normal file
32
src/ldp/permissions/BasePermissionsExtractor.ts
Normal file
@ -0,0 +1,32 @@
|
||||
import { Operation } from '../operations/Operation';
|
||||
import { PermissionSet } from './PermissionSet';
|
||||
import { PermissionsExtractor } from './PermissionsExtractor';
|
||||
import { UnsupportedHttpError } from '../../util/errors/UnsupportedHttpError';
|
||||
|
||||
/**
|
||||
* Generates permissions for the base set of methods that always require the same permissions.
|
||||
* Specifically: GET, HEAD, POST, PUT and DELETE.
|
||||
*/
|
||||
export class BasePermissionsExtractor extends PermissionsExtractor {
|
||||
public async canHandle(input: Operation): Promise<void> {
|
||||
if (!/^(?:HEAD|GET|POST|PUT|DELETE)$/u.test(input.method)) {
|
||||
throw new UnsupportedHttpError(`Unsupported method: ${input.method}`);
|
||||
}
|
||||
}
|
||||
|
||||
public async handle(input: Operation): Promise<PermissionSet> {
|
||||
const requiredPermissions = {
|
||||
read: /^(?:HEAD|GET)$/u.test(input.method),
|
||||
append: false,
|
||||
write: /^(?:POST|PUT|DELETE)$/u.test(input.method),
|
||||
};
|
||||
|
||||
const read = /^(?:HEAD|GET)$/u.test(input.method);
|
||||
const write = /^(?:POST|PUT|DELETE)$/u.test(input.method);
|
||||
|
||||
// Since `append` is a specific type of write, it is true if `write` is true.
|
||||
const append = requiredPermissions.write;
|
||||
|
||||
return { read, append, write };
|
||||
}
|
||||
}
|
||||
@ -1,22 +0,0 @@
|
||||
import { Operation } from '../operations/Operation';
|
||||
import { PermissionSet } from './PermissionSet';
|
||||
import { PermissionsExtractor } from './PermissionsExtractor';
|
||||
|
||||
/**
|
||||
* Makes some simplified assumption based on the {@link Operation} method to generate a {@link PermissionSet}.
|
||||
*/
|
||||
export class SimplePermissionsExtractor extends PermissionsExtractor {
|
||||
public async canHandle(): Promise<void> {
|
||||
// Supports all operations
|
||||
}
|
||||
|
||||
public async handle(input: Operation): Promise<PermissionSet> {
|
||||
const result = {
|
||||
read: input.method === 'GET',
|
||||
append: false,
|
||||
write: input.method === 'POST' || input.method === 'PUT' || input.method === 'DELETE',
|
||||
};
|
||||
result.append = result.write;
|
||||
return result;
|
||||
}
|
||||
}
|
||||
58
src/ldp/permissions/SparqlPatchPermissionsExtractor.ts
Normal file
58
src/ldp/permissions/SparqlPatchPermissionsExtractor.ts
Normal file
@ -0,0 +1,58 @@
|
||||
import { Algebra } from 'sparqlalgebrajs';
|
||||
import { Operation } from '../operations/Operation';
|
||||
import { PermissionSet } from './PermissionSet';
|
||||
import { PermissionsExtractor } from './PermissionsExtractor';
|
||||
import { Representation } from '../representation/Representation';
|
||||
import { SparqlUpdatePatch } from '../http/SparqlUpdatePatch';
|
||||
import { UnsupportedHttpError } from '../../util/errors/UnsupportedHttpError';
|
||||
|
||||
/**
|
||||
* Generates permissions for a SPARQL DELETE/INSERT patch.
|
||||
* Updates with only an INSERT can be done with just append permissions,
|
||||
* while DELETEs require write permissions as well.
|
||||
*/
|
||||
export class SparqlPatchPermissionsExtractor extends PermissionsExtractor {
|
||||
public async canHandle(input: Operation): Promise<void> {
|
||||
if (input.method !== 'PATCH') {
|
||||
throw new UnsupportedHttpError('Only PATCH operations are supported.');
|
||||
}
|
||||
if (!input.body) {
|
||||
throw new UnsupportedHttpError('PATCH body is required to determine permissions.');
|
||||
}
|
||||
if (!this.isSparql(input.body)) {
|
||||
throw new UnsupportedHttpError('Only SPARQL update PATCHes are supported.');
|
||||
}
|
||||
if (!this.isDeleteInsert(input.body.algebra)) {
|
||||
throw new UnsupportedHttpError('Only DELETE/INSERT SPARQL update operations are supported.');
|
||||
}
|
||||
}
|
||||
|
||||
public async handle(input: Operation): Promise<PermissionSet> {
|
||||
// Verified in `canHandle` call
|
||||
const op = (input.body as SparqlUpdatePatch).algebra as Algebra.DeleteInsert;
|
||||
|
||||
const read = false;
|
||||
const write = this.needsWrite(op);
|
||||
|
||||
// Since `append` is a specific type of write, it is true if `write` is true.
|
||||
const append = write || this.needsAppend(op);
|
||||
|
||||
return { read, write, append };
|
||||
}
|
||||
|
||||
private isSparql(data: Representation): data is SparqlUpdatePatch {
|
||||
return Boolean((data as SparqlUpdatePatch).algebra);
|
||||
}
|
||||
|
||||
private isDeleteInsert(op: Algebra.Operation): op is Algebra.DeleteInsert {
|
||||
return op.type === Algebra.types.DELETE_INSERT;
|
||||
}
|
||||
|
||||
private needsAppend(update: Algebra.DeleteInsert): boolean {
|
||||
return Boolean(update.insert && update.insert.length > 0);
|
||||
}
|
||||
|
||||
private needsWrite(update: Algebra.DeleteInsert): boolean {
|
||||
return Boolean(update.delete && update.delete.length > 0);
|
||||
}
|
||||
}
|
||||
@ -1,5 +1,6 @@
|
||||
import { AcceptPreferenceParser } from '../../src/ldp/http/AcceptPreferenceParser';
|
||||
import { AuthenticatedLdpHandler } from '../../src/ldp/AuthenticatedLdpHandler';
|
||||
import { BasePermissionsExtractor } from '../../src/ldp/permissions/BasePermissionsExtractor';
|
||||
import { BodyParser } from '../../src/ldp/http/BodyParser';
|
||||
import { call } from '../util/Util';
|
||||
import { CompositeAsyncHandler } from '../../src/util/CompositeAsyncHandler';
|
||||
@ -18,7 +19,6 @@ import { SimpleCredentialsExtractor } from '../../src/authentication/SimpleCrede
|
||||
import { SimpleDeleteOperationHandler } from '../../src/ldp/operations/SimpleDeleteOperationHandler';
|
||||
import { SimpleGetOperationHandler } from '../../src/ldp/operations/SimpleGetOperationHandler';
|
||||
import { SimplePatchOperationHandler } from '../../src/ldp/operations/SimplePatchOperationHandler';
|
||||
import { SimplePermissionsExtractor } from '../../src/ldp/permissions/SimplePermissionsExtractor';
|
||||
import { SimplePostOperationHandler } from '../../src/ldp/operations/SimplePostOperationHandler';
|
||||
import { SimpleRequestParser } from '../../src/ldp/http/SimpleRequestParser';
|
||||
import { SimpleResourceStore } from '../../src/storage/SimpleResourceStore';
|
||||
@ -27,6 +27,7 @@ import { SimpleSparqlUpdateBodyParser } from '../../src/ldp/http/SimpleSparqlUpd
|
||||
import { SimpleSparqlUpdatePatchHandler } from '../../src/storage/patch/SimpleSparqlUpdatePatchHandler';
|
||||
import { SimpleTargetExtractor } from '../../src/ldp/http/SimpleTargetExtractor';
|
||||
import { SingleThreadedResourceLocker } from '../../src/storage/SingleThreadedResourceLocker';
|
||||
import { SparqlPatchPermissionsExtractor } from '../../src/ldp/permissions/SparqlPatchPermissionsExtractor';
|
||||
import { TurtleToQuadConverter } from '../../src/storage/conversion/TurtleToQuadConverter';
|
||||
import { namedNode, quad } from '@rdfjs/data-model';
|
||||
import * as url from 'url';
|
||||
@ -40,7 +41,7 @@ describe('An integrated AuthenticatedLdpHandler', (): void => {
|
||||
});
|
||||
|
||||
const credentialsExtractor = new SimpleCredentialsExtractor();
|
||||
const permissionsExtractor = new SimplePermissionsExtractor();
|
||||
const permissionsExtractor = new BasePermissionsExtractor();
|
||||
const authorizer = new SimpleAuthorizer();
|
||||
|
||||
const store = new SimpleResourceStore('http://test.com/');
|
||||
@ -108,7 +109,10 @@ describe('An integrated AuthenticatedLdpHandler', (): void => {
|
||||
});
|
||||
|
||||
const credentialsExtractor = new SimpleCredentialsExtractor();
|
||||
const permissionsExtractor = new SimplePermissionsExtractor();
|
||||
const permissionsExtractor = new CompositeAsyncHandler([
|
||||
new BasePermissionsExtractor(),
|
||||
new SparqlPatchPermissionsExtractor(),
|
||||
]);
|
||||
const authorizer = new SimpleAuthorizer();
|
||||
|
||||
const store = new SimpleResourceStore('http://test.com/');
|
||||
|
||||
@ -1,5 +1,6 @@
|
||||
import { AcceptPreferenceParser } from '../../src/ldp/http/AcceptPreferenceParser';
|
||||
import { AuthenticatedLdpHandler } from '../../src/ldp/AuthenticatedLdpHandler';
|
||||
import { BasePermissionsExtractor } from '../../src/ldp/permissions/BasePermissionsExtractor';
|
||||
import { BodyParser } from '../../src/ldp/http/BodyParser';
|
||||
import { call } from '../util/Util';
|
||||
import { CompositeAsyncHandler } from '../../src/util/CompositeAsyncHandler';
|
||||
@ -17,7 +18,6 @@ import { SimpleCredentialsExtractor } from '../../src/authentication/SimpleCrede
|
||||
import { SimpleDeleteOperationHandler } from '../../src/ldp/operations/SimpleDeleteOperationHandler';
|
||||
import { SimpleExtensionAclManager } from '../../src/authorization/SimpleExtensionAclManager';
|
||||
import { SimpleGetOperationHandler } from '../../src/ldp/operations/SimpleGetOperationHandler';
|
||||
import { SimplePermissionsExtractor } from '../../src/ldp/permissions/SimplePermissionsExtractor';
|
||||
import { SimplePostOperationHandler } from '../../src/ldp/operations/SimplePostOperationHandler';
|
||||
import { SimplePutOperationHandler } from '../../src/ldp/operations/SimplePutOperationHandler';
|
||||
import { SimpleRequestParser } from '../../src/ldp/http/SimpleRequestParser';
|
||||
@ -88,7 +88,7 @@ describe('A server with authorization', (): void => {
|
||||
const convertingStore = new RepresentationConvertingStore(store, converter);
|
||||
|
||||
const credentialsExtractor = new SimpleCredentialsExtractor();
|
||||
const permissionsExtractor = new SimplePermissionsExtractor();
|
||||
const permissionsExtractor = new BasePermissionsExtractor();
|
||||
const authorizer = new SimpleAclAuthorizer(
|
||||
new SimpleExtensionAclManager(),
|
||||
new UrlContainerManager('http://test.com/'),
|
||||
|
||||
56
test/unit/ldp/permissions/BasePermissionsExtractor.test.ts
Normal file
56
test/unit/ldp/permissions/BasePermissionsExtractor.test.ts
Normal file
@ -0,0 +1,56 @@
|
||||
import { BasePermissionsExtractor } from '../../../../src/ldp/permissions/BasePermissionsExtractor';
|
||||
import { Operation } from '../../../../src/ldp/operations/Operation';
|
||||
import { UnsupportedHttpError } from '../../../../src/util/errors/UnsupportedHttpError';
|
||||
|
||||
describe('A BasePermissionsExtractor', (): void => {
|
||||
const extractor = new BasePermissionsExtractor();
|
||||
|
||||
it('can handle HEAD/GET/POST/PUT/DELETE.', async(): Promise<void> => {
|
||||
await expect(extractor.canHandle({ method: 'HEAD' } as Operation)).resolves.toBeUndefined();
|
||||
await expect(extractor.canHandle({ method: 'GET' } as Operation)).resolves.toBeUndefined();
|
||||
await expect(extractor.canHandle({ method: 'POST' } as Operation)).resolves.toBeUndefined();
|
||||
await expect(extractor.canHandle({ method: 'PUT' } as Operation)).resolves.toBeUndefined();
|
||||
await expect(extractor.canHandle({ method: 'DELETE' } as Operation)).resolves.toBeUndefined();
|
||||
await expect(extractor.canHandle({ method: 'PATCH' } as Operation)).rejects.toThrow(UnsupportedHttpError);
|
||||
});
|
||||
|
||||
it('requires read for HEAD operations.', async(): Promise<void> => {
|
||||
await expect(extractor.handle({ method: 'HEAD' } as Operation)).resolves.toEqual({
|
||||
read: true,
|
||||
append: false,
|
||||
write: false,
|
||||
});
|
||||
});
|
||||
|
||||
it('requires read for GET operations.', async(): Promise<void> => {
|
||||
await expect(extractor.handle({ method: 'GET' } as Operation)).resolves.toEqual({
|
||||
read: true,
|
||||
append: false,
|
||||
write: false,
|
||||
});
|
||||
});
|
||||
|
||||
it('requires write for POST operations.', async(): Promise<void> => {
|
||||
await expect(extractor.handle({ method: 'POST' } as Operation)).resolves.toEqual({
|
||||
read: false,
|
||||
append: true,
|
||||
write: true,
|
||||
});
|
||||
});
|
||||
|
||||
it('requires write for PUT operations.', async(): Promise<void> => {
|
||||
await expect(extractor.handle({ method: 'PUT' } as Operation)).resolves.toEqual({
|
||||
read: false,
|
||||
append: true,
|
||||
write: true,
|
||||
});
|
||||
});
|
||||
|
||||
it('requires write for DELETE operations.', async(): Promise<void> => {
|
||||
await expect(extractor.handle({ method: 'DELETE' } as Operation)).resolves.toEqual({
|
||||
read: false,
|
||||
append: true,
|
||||
write: true,
|
||||
});
|
||||
});
|
||||
});
|
||||
@ -1,42 +0,0 @@
|
||||
import { Operation } from '../../../../src/ldp/operations/Operation';
|
||||
import { SimplePermissionsExtractor } from '../../../../src/ldp/permissions/SimplePermissionsExtractor';
|
||||
|
||||
describe('A SimplePermissionsExtractor', (): void => {
|
||||
const extractor = new SimplePermissionsExtractor();
|
||||
|
||||
it('can handle all input.', async(): Promise<void> => {
|
||||
await expect(extractor.canHandle()).resolves.toBeUndefined();
|
||||
});
|
||||
|
||||
it('requires read for GET operations.', async(): Promise<void> => {
|
||||
await expect(extractor.handle({ method: 'GET' } as Operation)).resolves.toEqual({
|
||||
read: true,
|
||||
append: false,
|
||||
write: false,
|
||||
});
|
||||
});
|
||||
|
||||
it('requires write for POST operations.', async(): Promise<void> => {
|
||||
await expect(extractor.handle({ method: 'POST' } as Operation)).resolves.toEqual({
|
||||
read: false,
|
||||
append: true,
|
||||
write: true,
|
||||
});
|
||||
});
|
||||
|
||||
it('requires write for PUT operations.', async(): Promise<void> => {
|
||||
await expect(extractor.handle({ method: 'PUT' } as Operation)).resolves.toEqual({
|
||||
read: false,
|
||||
append: true,
|
||||
write: true,
|
||||
});
|
||||
});
|
||||
|
||||
it('requires write for DELETE operations.', async(): Promise<void> => {
|
||||
await expect(extractor.handle({ method: 'DELETE' } as Operation)).resolves.toEqual({
|
||||
read: false,
|
||||
append: true,
|
||||
write: true,
|
||||
});
|
||||
});
|
||||
});
|
||||
@ -0,0 +1,52 @@
|
||||
import { Factory } from 'sparqlalgebrajs';
|
||||
import { Operation } from '../../../../src/ldp/operations/Operation';
|
||||
import { SparqlPatchPermissionsExtractor } from '../../../../src/ldp/permissions/SparqlPatchPermissionsExtractor';
|
||||
import { SparqlUpdatePatch } from '../../../../src/ldp/http/SparqlUpdatePatch';
|
||||
import { UnsupportedHttpError } from '../../../../src/util/errors/UnsupportedHttpError';
|
||||
|
||||
describe('A SparqlPatchPermissionsExtractor', (): void => {
|
||||
const extractor = new SparqlPatchPermissionsExtractor();
|
||||
const factory = new Factory();
|
||||
|
||||
it('can only handle SPARQL DELETE/INSERT PATCH operations.', async(): Promise<void> => {
|
||||
const operation = { method: 'PATCH', body: { algebra: factory.createDeleteInsert() }} as unknown as Operation;
|
||||
await expect(extractor.canHandle(operation)).resolves.toBeUndefined();
|
||||
await expect(extractor.canHandle({ ...operation, method: 'GET' }))
|
||||
.rejects.toThrow(new UnsupportedHttpError('Only PATCH operations are supported.'));
|
||||
await expect(extractor.canHandle({ ...operation, body: undefined }))
|
||||
.rejects.toThrow(new UnsupportedHttpError('PATCH body is required to determine permissions.'));
|
||||
await expect(extractor.canHandle({ ...operation, body: {} as SparqlUpdatePatch }))
|
||||
.rejects.toThrow(new UnsupportedHttpError('Only SPARQL update PATCHes are supported.'));
|
||||
await expect(extractor.canHandle({ ...operation,
|
||||
body: { algebra: factory.createMove('DEFAULT', 'DEFAULT') } as unknown as SparqlUpdatePatch }))
|
||||
.rejects.toThrow(new UnsupportedHttpError('Only DELETE/INSERT SPARQL update operations are supported.'));
|
||||
});
|
||||
|
||||
it('requires append for INSERT operations.', async(): Promise<void> => {
|
||||
const operation = {
|
||||
method: 'PATCH',
|
||||
body: { algebra: factory.createDeleteInsert(undefined, [
|
||||
factory.createPattern(factory.createTerm('<s>'), factory.createTerm('<p>'), factory.createTerm('<o>')),
|
||||
]) },
|
||||
} as unknown as Operation;
|
||||
await expect(extractor.handle(operation)).resolves.toEqual({
|
||||
read: false,
|
||||
append: true,
|
||||
write: false,
|
||||
});
|
||||
});
|
||||
|
||||
it('requires write for DELETE operations.', async(): Promise<void> => {
|
||||
const operation = {
|
||||
method: 'PATCH',
|
||||
body: { algebra: factory.createDeleteInsert([
|
||||
factory.createPattern(factory.createTerm('<s>'), factory.createTerm('<p>'), factory.createTerm('<o>')),
|
||||
]) },
|
||||
} as unknown as Operation;
|
||||
await expect(extractor.handle(operation)).resolves.toEqual({
|
||||
read: false,
|
||||
append: true,
|
||||
write: true,
|
||||
});
|
||||
});
|
||||
});
|
||||
Loading…
x
Reference in New Issue
Block a user