Mirroristas/CommunitySolidServer
2
0
Fork 0
mirror of https://github.com/CommunitySolidServer/CommunitySolidServer.git synced 2024-10-03 14:55:10 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat: Extract set of required modes instead of PermissionSet

Browse Source
This commit is contained in:
Joachim Van Herwegen
2021-09-27 14:00:29 +02:00
parent ba1886ab85
commit e8dedf5c23
40 changed files with 183 additions and 254 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
test/unit/authorization/AuxiliaryAuthorizer.test.ts
View File

@@ -1,7 +1,7 @@
import type { Authorizer } from '../../../src/authorization/Authorizer';
import { AuxiliaryAuthorizer } from '../../../src/authorization/AuxiliaryAuthorizer';
import type { AuxiliaryIdentifierStrategy } from '../../../src/ldp/auxiliary/AuxiliaryIdentifierStrategy';
import type { PermissionSet } from '../../../src/ldp/permissions/PermissionSet';
import { AccessMode } from '../../../src/ldp/permissions/PermissionSet';
import type { ResourceIdentifier } from '../../../src/ldp/representation/ResourceIdentifier';
import { NotImplementedHttpError } from '../../../src/util/errors/NotImplementedHttpError';
@@ -10,18 +10,13 @@ describe('An AuxiliaryAuthorizer', (): void => {
const credentials = {};
const associatedIdentifier = { path: 'http://test.com/foo' };
const auxiliaryIdentifier = { path: 'http://test.com/foo.dummy' };
let permissions: PermissionSet;
let modes: Set<AccessMode>;
let source: Authorizer;
let strategy: AuxiliaryIdentifierStrategy;
let authorizer: AuxiliaryAuthorizer;
beforeEach(async(): Promise<void> => {
permissions = {
read: true,
write: true,
append: true,
control: false,
};
modes = new Set([ AccessMode.read, AccessMode.write, AccessMode.append ]);
source = {
canHandle: jest.fn(),
@@ -38,39 +33,39 @@ describe('An AuxiliaryAuthorizer', (): void => {
});
it('can handle auxiliary resources if the source supports the associated resource.', async(): Promise<void> => {
await expect(authorizer.canHandle({ identifier: auxiliaryIdentifier, credentials, permissions }))
await expect(authorizer.canHandle({ identifier: auxiliaryIdentifier, credentials, modes }))
.resolves.toBeUndefined();
expect(source.canHandle).toHaveBeenLastCalledWith(
{ identifier: associatedIdentifier, credentials, permissions },
{ identifier: associatedIdentifier, credentials, modes },
);
await expect(authorizer.canHandle({ identifier: associatedIdentifier, credentials, permissions }))
await expect(authorizer.canHandle({ identifier: associatedIdentifier, credentials, modes }))
.rejects.toThrow(NotImplementedHttpError);
source.canHandle = jest.fn().mockRejectedValue(new Error('no source support'));
await expect(authorizer.canHandle({ identifier: auxiliaryIdentifier, credentials, permissions }))
await expect(authorizer.canHandle({ identifier: auxiliaryIdentifier, credentials, modes }))
.rejects.toThrow('no source support');
});
it('handles resources by sending the updated parameters to the source.', async(): Promise<void> => {
await expect(authorizer.handle({ identifier: auxiliaryIdentifier, credentials, permissions }))
await expect(authorizer.handle({ identifier: auxiliaryIdentifier, credentials, modes }))
.resolves.toBeUndefined();
expect(source.handle).toHaveBeenLastCalledWith(
{ identifier: associatedIdentifier, credentials, permissions },
{ identifier: associatedIdentifier, credentials, modes },
);
// Safety checks are not present when calling `handle`
await expect(authorizer.handle({ identifier: associatedIdentifier, credentials, permissions }))
await expect(authorizer.handle({ identifier: associatedIdentifier, credentials, modes }))
.rejects.toThrow(NotImplementedHttpError);
});
it('combines both checking and handling when calling handleSafe.', async(): Promise<void> => {
await expect(authorizer.handleSafe({ identifier: auxiliaryIdentifier, credentials, permissions }))
await expect(authorizer.handleSafe({ identifier: auxiliaryIdentifier, credentials, modes }))
.resolves.toBeUndefined();
expect(source.handleSafe).toHaveBeenLastCalledWith(
{ identifier: associatedIdentifier, credentials, permissions },
{ identifier: associatedIdentifier, credentials, modes },
);
await expect(authorizer.handleSafe({ identifier: associatedIdentifier, credentials, permissions }))
await expect(authorizer.handleSafe({ identifier: associatedIdentifier, credentials, modes }))
.rejects.toThrow(NotImplementedHttpError);
source.handleSafe = jest.fn().mockRejectedValue(new Error('no source support'));
await expect(authorizer.handleSafe({ identifier: auxiliaryIdentifier, credentials, permissions }))
await expect(authorizer.handleSafe({ identifier: auxiliaryIdentifier, credentials, modes }))
.rejects.toThrow('no source support');
});
});

3
test/unit/authorization/PathBasedAuthorizer.test.ts
View File

@@ -1,5 +1,6 @@
import type { Authorizer, AuthorizerInput } from '../../../src/authorization/Authorizer';
import { PathBasedAuthorizer } from '../../../src/authorization/PathBasedAuthorizer';
import { AccessMode } from '../../../src/ldp/permissions/PermissionSet';
import { NotImplementedHttpError } from '../../../src/util/errors/NotImplementedHttpError';
describe('A PathBasedAuthorizer', (): void => {
@@ -11,7 +12,7 @@ describe('A PathBasedAuthorizer', (): void => {
beforeEach(async(): Promise<void> => {
input = {
identifier: { path: `${baseUrl}first` },
permissions: { read: true, append: false, write: false, control: false },
modes: new Set([ AccessMode.read ]),
credentials: {},
};

36
test/unit/authorization/WebAclAuthorizer.test.ts
View File

@@ -5,7 +5,7 @@ import type { AccessChecker } from '../../../src/authorization/access-checkers/A
import { WebAclAuthorization } from '../../../src/authorization/WebAclAuthorization';
import { WebAclAuthorizer } from '../../../src/authorization/WebAclAuthorizer';
import type { AuxiliaryIdentifierStrategy } from '../../../src/ldp/auxiliary/AuxiliaryIdentifierStrategy';
import type { PermissionSet } from '../../../src/ldp/permissions/PermissionSet';
import { AccessMode } from '../../../src/ldp/permissions/PermissionSet';
import type { Representation } from '../../../src/ldp/representation/Representation';
import type { ResourceIdentifier } from '../../../src/ldp/representation/ResourceIdentifier';
import type { ResourceStore } from '../../../src/storage/ResourceStore';
@@ -31,19 +31,14 @@ describe('A WebAclAuthorizer', (): void => {
} as any;
let store: jest.Mocked<ResourceStore>;
const identifierStrategy = new SingleRootIdentifierStrategy('http://test.com/');
let permissions: PermissionSet;
let modes: Set<AccessMode>;
let credentials: CredentialSet;
let identifier: ResourceIdentifier;
let authorization: WebAclAuthorization;
let accessChecker: jest.Mocked<AccessChecker>;
beforeEach(async(): Promise<void> => {
permissions = {
read: true,
append: false,
write: true,
control: false,
};
modes = new Set([ AccessMode.read, AccessMode.write ]);
credentials = { [CredentialGroup.public]: {}, [CredentialGroup.agent]: {}};
identifier = { path: 'http://test.com/foo' };
authorization = new WebAclAuthorization(
@@ -73,7 +68,7 @@ describe('A WebAclAuthorizer', (): void => {
});
it('handles all non-acl inputs.', async(): Promise<void> => {
await expect(authorizer.canHandle({ identifier, credentials, permissions })).resolves.toBeUndefined();
await expect(authorizer.canHandle({ identifier, credentials, modes })).resolves.toBeUndefined();
await expect(authorizer.canHandle({ identifier: aclStrategy.getAuxiliaryIdentifier(identifier) } as any))
.rejects.toThrow(NotImplementedHttpError);
});
@@ -89,7 +84,7 @@ describe('A WebAclAuthorizer', (): void => {
]) } as Representation);
Object.assign(authorization.everyone, { read: true, write: true, append: true, control: false });
Object.assign(authorization.user, { read: true, write: true, append: true, control: false });
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
await expect(authorizer.handle({ identifier, modes, credentials })).resolves.toEqual(authorization);
});
it('allows access if the acl file allows all agents.', async(): Promise<void> => {
@@ -102,7 +97,7 @@ describe('A WebAclAuthorizer', (): void => {
]) } as Representation);
Object.assign(authorization.everyone, { read: true, write: true, append: true });
Object.assign(authorization.user, { read: true, write: true, append: true });
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
await expect(authorizer.handle({ identifier, modes, credentials })).resolves.toEqual(authorization);
});
it('allows access if there is a parent acl file allowing all agents.', async(): Promise<void> => {
@@ -122,7 +117,7 @@ describe('A WebAclAuthorizer', (): void => {
});
Object.assign(authorization.everyone, { read: true, write: true, append: true });
Object.assign(authorization.user, { read: true, write: true, append: true });
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
await expect(authorizer.handle({ identifier, modes, credentials })).resolves.toEqual(authorization);
});
it('throws a ForbiddenHttpError if access is not granted and credentials have a WebID.', async(): Promise<void> => {
@@ -132,7 +127,7 @@ describe('A WebAclAuthorizer', (): void => {
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
]) } as Representation);
credentials.agent = { webId: 'http://test.com/alice/profile/card#me' };
await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(ForbiddenHttpError);
await expect(authorizer.handle({ identifier, modes, credentials })).rejects.toThrow(ForbiddenHttpError);
});
it('throws an UnauthorizedHttpError if access is not granted there are no credentials.', async(): Promise<void> => {
@@ -142,30 +137,25 @@ describe('A WebAclAuthorizer', (): void => {
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
]) } as Representation);
await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(UnauthorizedHttpError);
await expect(authorizer.handle({ identifier, modes, credentials })).rejects.toThrow(UnauthorizedHttpError);
});
it('re-throws ResourceStore errors as internal errors.', async(): Promise<void> => {
store.getRepresentation.mockRejectedValue(new Error('TEST!'));
const promise = authorizer.handle({ identifier, permissions, credentials });
const promise = authorizer.handle({ identifier, modes, credentials });
await expect(promise).rejects.toThrow(`Error reading ACL for ${identifier.path}: TEST!`);
await expect(promise).rejects.toThrow(InternalServerError);
});
it('errors if the root container has no corresponding acl document.', async(): Promise<void> => {
store.getRepresentation.mockRejectedValue(new NotFoundHttpError());
const promise = authorizer.handle({ identifier, permissions, credentials });
const promise = authorizer.handle({ identifier, modes, credentials });
await expect(promise).rejects.toThrow('No ACL document found for root container');
await expect(promise).rejects.toThrow(ForbiddenHttpError);
});
it('allows an agent to append if they have write access.', async(): Promise<void> => {
permissions = {
read: false,
write: false,
append: true,
control: false,
};
modes = new Set([ AccessMode.append ]);
store.getRepresentation.mockResolvedValue({ data: guardedStreamFrom([
quad(nn('auth'), nn(`${rdf}type`), nn(`${acl}Authorization`)),
quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)),
@@ -173,6 +163,6 @@ describe('A WebAclAuthorizer', (): void => {
]) } as Representation);
Object.assign(authorization.everyone, { write: true, append: true });
Object.assign(authorization.user, { write: true, append: true });
await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toEqual(authorization);
await expect(authorizer.handle({ identifier, modes, credentials })).resolves.toEqual(authorization);
});
});