import { AclManager } from '../../../src/authorization/AclManager'; import { ContainerManager } from '../../../src/storage/ContainerManager'; import { Credentials } from '../../../src/authentication/Credentials'; import { ForbiddenHttpError } from '../../../src/util/errors/ForbiddenHttpError'; import { NotFoundHttpError } from '../../../src/util/errors/NotFoundHttpError'; import { PermissionSet } from '../../../src/ldp/permissions/PermissionSet'; import { Representation } from '../../../src/ldp/representation/Representation'; import { ResourceIdentifier } from '../../../src/ldp/representation/ResourceIdentifier'; import { ResourceStore } from '../../../src/storage/ResourceStore'; import { SimpleAclAuthorizer } from '../../../src/authorization/SimpleAclAuthorizer'; import streamifyArray from 'streamify-array'; import { UnauthorizedHttpError } from '../../../src/util/errors/UnauthorizedHttpError'; import { namedNode, quad } from '@rdfjs/data-model'; const nn = namedNode; const acl = 'http://www.w3.org/ns/auth/acl#'; describe('A SimpleAclAuthorizer', (): void => { let authorizer: SimpleAclAuthorizer; const aclManager: AclManager = { getAcl: async(id: ResourceIdentifier): Promise => id.path.endsWith('.acl') ? id : { path: `${id.path}.acl` }, isAcl: async(id: ResourceIdentifier): Promise => id.path.endsWith('.acl'), }; const containerManager: ContainerManager = { getContainer: async(id: ResourceIdentifier): Promise => ({ path: new URL('..', id.path).toString() }), }; let permissions: PermissionSet; let credentials: Credentials; let identifier: ResourceIdentifier; beforeEach(async(): Promise => { permissions = { read: true, append: false, write: false, }; credentials = {}; identifier = { path: 'http://test.com/foo' }; }); it('handles all inputs.', async(): Promise => { authorizer = new SimpleAclAuthorizer(aclManager, containerManager, null as any); await expect(authorizer.canHandle()).resolves.toBeUndefined(); }); it('allows access if the acl file allows all agents.', async(): Promise => { const store = { getRepresentation: async(): Promise => ({ data: streamifyArray([ quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')), quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)), quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)), ]) } as Representation), } as unknown as ResourceStore; authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store); await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toBeUndefined(); }); it('allows access if there is a parent acl file allowing all agents.', async(): Promise => { const store = { async getRepresentation(id: ResourceIdentifier): Promise { if (id.path.endsWith('foo.acl')) { throw new NotFoundHttpError(); } return { data: streamifyArray([ quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/Agent')), quad(nn('auth'), nn(`${acl}default`), nn((await containerManager.getContainer(identifier)).path)), quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)), ]), } as Representation; }, } as unknown as ResourceStore; authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store); await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toBeUndefined(); }); it('allows access to authorized agents if the acl files allows all authorized users.', async(): Promise => { const store = { getRepresentation: async(): Promise => ({ data: streamifyArray([ quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/AuthenticatedAgent')), quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)), quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)), ]) } as Representation), } as unknown as ResourceStore; authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store); credentials.webID = 'http://test.com/user'; await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toBeUndefined(); }); it('errors if authorization is required but the agent is not authorized.', async(): Promise => { const store = { getRepresentation: async(): Promise => ({ data: streamifyArray([ quad(nn('auth'), nn(`${acl}agentClass`), nn('http://xmlns.com/foaf/0.1/AuthenticatedAgent')), quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)), quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)), ]) } as Representation), } as unknown as ResourceStore; authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store); await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(UnauthorizedHttpError); }); it('allows access to specific agents if the acl files identifies them.', async(): Promise => { credentials.webID = 'http://test.com/user'; const store = { getRepresentation: async(): Promise => ({ data: streamifyArray([ quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webID!)), quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)), quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)), ]) } as Representation), } as unknown as ResourceStore; authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store); await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toBeUndefined(); }); it('errors if a specific agents wants to access files not assigned to them.', async(): Promise => { credentials.webID = 'http://test.com/user'; const store = { getRepresentation: async(): Promise => ({ data: streamifyArray([ quad(nn('auth'), nn(`${acl}agent`), nn('http://test.com/differentUser')), quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)), quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)), ]) } as Representation), } as unknown as ResourceStore; authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store); await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(ForbiddenHttpError); }); it('allows access to the acl file if control is allowed.', async(): Promise => { credentials.webID = 'http://test.com/user'; identifier.path = 'http://test.com/foo'; const store = { getRepresentation: async(): Promise => ({ data: streamifyArray([ quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webID!)), quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)), quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Control`)), ]) } as Representation), } as unknown as ResourceStore; identifier = await aclManager.getAcl(identifier); authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store); await expect(authorizer.handle({ identifier, permissions, credentials })).resolves.toBeUndefined(); }); it('errors if an agent tries to edit the acl file without control permissions.', async(): Promise => { credentials.webID = 'http://test.com/user'; identifier.path = 'http://test.com/foo'; const store = { getRepresentation: async(): Promise => ({ data: streamifyArray([ quad(nn('auth'), nn(`${acl}agent`), nn(credentials.webID!)), quad(nn('auth'), nn(`${acl}accessTo`), nn(identifier.path)), quad(nn('auth'), nn(`${acl}mode`), nn(`${acl}Read`)), ]) } as Representation), } as unknown as ResourceStore; identifier = await aclManager.getAcl(identifier); authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store); await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow(ForbiddenHttpError); }); it('passes errors of the ResourceStore along.', async(): Promise => { const store = { async getRepresentation(): Promise { throw new Error('TEST!'); }, } as unknown as ResourceStore; authorizer = new SimpleAclAuthorizer(aclManager, containerManager, store); await expect(authorizer.handle({ identifier, permissions, credentials })).rejects.toThrow('TEST!'); }); });