Trying another approach to acl.can

Not throwing errors, but caching error messages for later use

Author: megoth

lib/acl-checker.js

@@ -1,6 +1,6 @@
 'use strict'
 
-const PermissionSet = require('solid-permissions').PermissionSet
+// const PermissionSet = require('solid-permissions').PermissionSet
 const rdf = require('rdflib')
 const debug = require('./debug').ACL
 const HTTPError = require('./http-error')
@@ -14,32 +14,29 @@ class ACLChecker {
   constructor (resource, options = {}) {
     this.resource = resource
     this.host = options.host
-    this.origin = options.origin
+    this.agentOrigin = options.origin
     this.fetch = options.fetch
     this.fetchGraph = options.fetchGraph
     this.strictOrigin = options.strictOrigin
     this.trustedOrigins = options.trustedOrigins
     this.suffix = options.suffix || DEFAULT_ACL_SUFFIX
+    this.aclCached = {}
+    this.messagesCached = {}
   }
 
   // Returns a fulfilled promise when the user can access the resource
   // in the given mode, or rejects with an HTTP error otherwise
   async can (user, mode) {
+    const cacheKey = `${mode}-${user}`
+    if (this.aclCached[cacheKey]) {
+      return this.aclCached[cacheKey]
+    }
+    this.messagesCached[cacheKey] = this.messagesCached[cacheKey] || []
     // If this is an ACL, Control mode must be present for any operations
     if (this.isAcl(this.resource)) {
       mode = 'Control'
     }
 
-    // Obtain the permission set for the resource
-    // this.acl.graph
-    // this.resource
-    // this.acl.isContainer ? this.resource : null
-    // this.acl.acl
-    // user
-    // ACL(mode)
-    // this.origin
-    // this.trustedOrigins
-
     // console.log('ACL', this.origin, this.trustedOrigins)
     // console.log(aclCheck.accessDenied)
     // if (!this._permissionSet) {
@@ -50,30 +47,56 @@ class ACLChecker {
     // aclCheck.checkAccess(acl.graph, this.resource)
 
     // Check the resource's permissions
+<<<<<<< 2740f8873bfe7d7edcf0c2c31f927a106dc0abc7
     this.acl = this.acl || await this.getNearestACL().catch(err => {
       throw new HTTPError(500, `Found no ACL file:\n${err}`)
     })
+=======
+    const acl = await this.getNearestACL()
+      .catch(err => {
+        this.messagesCached[cacheKey].push(new HTTPError(500, err))
+      })
+    if (!acl) {
+      this.aclCached[cacheKey] = Promise.resolve(false)
+      return this.aclCached[cacheKey]
+    }
+>>>>>>> Trying another approach to acl.can
     // console.log('TEST', this.acl)
     const resource = rdf.sym(this.resource)
-    // const directory = this.acl.isContainer ? this.resource : null
-    const directory = this.acl.isContainer ? rdf.sym(ACLChecker.getDirectory(this.acl.acl)) : null
-    // console.log(ACLChecker.getDirectory(this.acl.acl))
-    const aclFile = rdf.sym(this.acl.acl)
+    // const directory = acl.isContainer ? this.resource : null
+    const directory = acl.isContainer ? rdf.sym(ACLChecker.getDirectory(acl.acl)) : null
+    // console.log(ACLChecker.getDirectory(acl.acl))
+    const aclFile = rdf.sym(acl.acl)
     // const agent = rdf.sym(user)
     const agent = user ? rdf.sym(user) : null
     // console.log('ACL agent', agent)
-    // console.log('ACL FILE', this.resource, this.acl.acl)
+    // console.log('ACL FILE', this.resource, acl.acl)
     const modes = [ACL(mode)]
-    const origin = this.origin ? rdf.sym(this.origin) : null
+    const agentOrigin = this.agentOrigin ? rdf.sym(this.agentOrigin) : null
     const trustedOrigins = this.trustedOrigins ? this.trustedOrigins.map(trustedOrigin => rdf.sym(trustedOrigin)) : null
-    const accessDenied = aclCheck.accessDenied(this.acl.graph, resource, directory, aclFile, agent, modes, origin, trustedOrigins)
-    console.log('ACCESS DENIED', accessDenied, '\n\n')
+    const accessDenied = aclCheck.accessDenied(acl.graph, resource, directory, aclFile, agent, modes, agentOrigin, trustedOrigins)
+    console.log('BAR', accessDenied)
     if (accessDenied && user) {
+<<<<<<< 2740f8873bfe7d7edcf0c2c31f927a106dc0abc7
       throw new HTTPError(403, accessDenied)
     } else if (accessDenied) {
       throw new HTTPError(401, 'Unauthenticated')
+=======
+      this.messagesCached[cacheKey].push(new HTTPError(403, `Access to ${this.resource} denied for ${user}: ${accessDenied}`))
+    } else if (accessDenied) {
+      this.messagesCached[cacheKey].push(new HTTPError(401, `Access to ${this.resource} requires authorization: ${accessDenied}`))
+>>>>>>> Trying another approach to acl.can
     }
-    return Promise.resolve(true)
+    console.log('ACCESS ALLOWED', !accessDenied, user, '\n\n')
+    this.aclCached[cacheKey] = Promise.resolve(!accessDenied)
+    return this.aclCached
+  }
+
+  async getError (mode, user) {
+    const cacheKey = `${mode}-${user}`
+    this.aclCached[cacheKey] = this.aclCached[cacheKey] || this.can(user, mode)
+    const isAllowed = await this.aclCached[cacheKey]
+    return isAllowed ? null : this.messagesCached[cacheKey].reduce((prevMsg, msg) => msg.status > prevMsg.status ? msg : prevMsg, { status: 0 })
   }
 
   // return Promise.resolve(true)
@@ -93,13 +116,14 @@ class ACLChecker {
     return `${parts.join('/')}/`
   }
 
-// Gets the ACL that applies to the resource
+  // Gets the ACL that applies to the resource
   async getNearestACL () {
     const { resource } = this
     let isContainer = false
     // let directory = null
     // Create a cascade of reject handlers (one for each possible ACL)
     const possibleACLs = this.getPossibleACLs()
+<<<<<<< 2740f8873bfe7d7edcf0c2c31f927a106dc0abc7
     const nearestACL = possibleACLs.reduce((prevACL, acl) => {
       return prevACL.catch(() => new Promise((resolve, reject) => {
         this.fetch(acl, (err, graph) => {
@@ -118,6 +142,47 @@ class ACLChecker {
       }))
     }, Promise.reject())
     return nearestACL.catch(e => { throw new Error(`No ACL resource found, searched in \n- ${possibleACLs.join('\n- ')}`) })
+=======
+    const acls = [...possibleACLs]
+    let returnAcl = null
+    while (possibleACLs.length > 0 && !returnAcl) {
+      const acl = possibleACLs.shift()
+      try {
+        const graph = await this.fetch(acl)
+        const relative = resource.replace(acl.replace(/[^/]+$/, ''), './')
+        debug(`Using ACL ${acl} for ${relative}`)
+        returnAcl = { acl, graph, isContainer }
+      } catch (err) {
+        if (err && err.code === 'ENOENT') {
+          isContainer = true
+          return
+        } else if (err) {
+          console.error('ERROR IN getNearestACL', err)
+          debug(err)
+          throw err
+        }
+      }
+    }
+    if (!returnAcl) {
+      throw new Error(`No ACL found for ${resource}, searched in \n- ${acls.join('\n- ')}`)
+    }
+    return returnAcl
+    // const nearestACL = possibleACLs.reduce((prevACL, acl) => {
+    //   return prevACL.catch(() => new Promise((resolve, reject) => {
+    //     this.fetch(acl, (err, graph) => {
+    //       if (err && err.code !== 'ENOENT') {
+    //         isContainer = true
+    //         reject(err)
+    //       } else {
+    //         const relative = resource.replace(acl.replace(/[^/]+$/, ''), './')
+    //         debug(`Using ACL ${acl} for ${relative}`)
+    //         resolve({ acl, graph, isContainer })
+    //       }
+    //     })
+    //   }))
+    // }, Promise.reject())
+    // return nearestACL.catch(e => { throw new Error(`No ACL resource found, searched in \n- ${possibleACLs.join('\n- ')}`) })
+>>>>>>> Trying another approach to acl.can
   }
 
 // Gets all possible ACL paths that apply to the resource
@@ -140,41 +205,41 @@ class ACLChecker {
   }
 
 // Tests whether the permissions allow a given operation
-  checkAccess (permissionSet, user, mode) {
-    const options = { fetchGraph: this.fetchGraph }
-    return permissionSet.checkAccess(this.resource, user, mode, options)
-      .then(hasAccess => {
-        if (hasAccess) {
-          return true
-        } else {
-          throw new Error('ACL file found but no matching policy found')
-        }
-      })
-  }
+//   checkAccess (permissionSet, user, mode) {
+//     const options = { fetchGraph: this.fetchGraph }
+//     return permissionSet.checkAccess(this.resource, user, mode, options)
+//       .then(hasAccess => {
+//         if (hasAccess) {
+//           return true
+//         } else {
+//           throw new Error('ACL file found but no matching policy found')
+//         }
+//       })
+//   }
 
 // Gets the permission set for the given ACL
-  getPermissionSet ({ acl, graph, isContainer }) {
-    if (!graph || graph.length === 0) {
-      debug('ACL ' + acl + ' is empty')
-      throw new Error('No policy found - empty ACL')
-    }
-    const aclOptions = {
-      aclSuffix: this.suffix,
-      graph: graph,
-      host: this.host,
-      origin: this.origin,
-      rdf: rdf,
-      strictOrigin: this.strictOrigin,
-      trustedOrigins: this.trustedOrigins,
-      isAcl: uri => this.isAcl(uri),
-      aclUrlFor: uri => this.aclUrlFor(uri)
-    }
-    return new PermissionSet(this.resource, acl, isContainer, aclOptions)
-  }
-
-  aclUrlFor (uri) {
-    return this.isAcl(uri) ? uri : uri + this.suffix
-  }
+//   getPermissionSet ({ acl, graph, isContainer }) {
+//     if (!graph || graph.length === 0) {
+//       debug('ACL ' + acl + ' is empty')
+//       throw new Error('No policy found - empty ACL')
+//     }
+//     const aclOptions = {
+//       aclSuffix: this.suffix,
+//       graph: graph,
+//       host: this.host,
+//       origin: this.origin,
+//       rdf: rdf,
+//       strictOrigin: this.strictOrigin,
+//       trustedOrigins: this.trustedOrigins,
+//       isAcl: uri => this.isAcl(uri),
+//       aclUrlFor: uri => this.aclUrlFor(uri)
+//     }
+//     return new PermissionSet(this.resource, acl, isContainer, aclOptions)
+//   }
+
+  // aclUrlFor (uri) {
+  //   return this.isAcl(uri) ? uri : uri + this.suffix
+  // }
 
   isAcl (resource) {
     return resource.endsWith(this.suffix)

lib/handlers/allow.js

@@ -36,26 +36,29 @@ function allow (mode) {
     // Obtain and store the ACL of the requested resource
     req.acl = new ACL(rootUrl + reqPath, {
       origin: req.get('origin'),
-      host: req.get('host'),
+      // host: req.get('host'),
       fetch: fetchFromLdp(ldp.resourceMapper, ldp),
-      fetchGraph: (uri, options) => {
-        // first try loading from local fs
-        return ldp.getGraph(uri, options.contentType)
-        // failing that, fetch remote graph
-          .catch(() => ldp.fetchGraph(uri, options))
-      },
+      // fetchGraph: (uri, options) => {
+      //   // first try loading from local fs
+      //   return ldp.getGraph(uri, options.contentType)
+      //     // failing that, fetch remote graph
+      //     .catch(() => ldp.fetchGraph(uri, options))
+      // },
       suffix: ldp.suffixAcl,
       strictOrigin: ldp.strictOrigin,
       trustedOrigins: ldp.trustedOrigins
     })
 
     // Ensure the user has the required permission
     const userId = req.session.userId
-    req.acl.can(userId, mode)
-      .then(() => next(), err => {
-        debug(`${mode} access denied to ${userId || '(none)'}`)
-        next(err)
-      })
+    const isAllowed = await req.acl.can(userId, mode)
+    if (isAllowed) {
+      return next()
+    }
+    const error = await req.acl.getError(mode, userId)
+    console.log('ERROR', error)
+    debug(`${mode} access denied to ${userId || '(none)'}: ${error.status} - ${error.message}`)
+    res.status(error.status).send(error.message)
   }
 }
 
@@ -68,7 +71,7 @@ function allow (mode) {
  * @return {Function} Returns a `fetch(uri, callback)` handler
  */
 function fetchFromLdp (mapper, ldp) {
-  return function fetch (url, callback) {
-    ldp.getGraph(url).then(g => callback(null, g), callback)
+  return async function fetch (url) {
+    return ldp.getGraph(url)
   }
 }

lib/header.js

@@ -117,8 +117,8 @@ function addPermissions (req, res, next) {
   // Turn permissions for the public and the user into a header
   const resource = req.app.locals.ldp.resourceMapper.resolveUrl(req.hostname, req.path)
   Promise.all([
-    getPermissionsFor(acl, null, resource),
-    getPermissionsFor(acl, session.userId, resource)
+    getPermissionsFor(acl, null, req),
+    getPermissionsFor(acl, session.userId, req)
   ])
   .then(([publicPerms, userPerms]) => {
     debug.ACL(`Permissions on ${resource} for ${session.userId || '(none)'}: ${userPerms}`)
@@ -129,7 +129,8 @@ function addPermissions (req, res, next) {
 }
 
 // Gets the permissions string for the given user and resource
-function getPermissionsFor (acl, user, resource) {
-  return Promise.all(MODES.map(mode => acl.can(user, mode).catch(e => false)))
-  .then(allowed => PERMISSIONS.filter((_, i) => allowed[i]).join(' '))
+function getPermissionsFor (acl, user, req) {
+  const accesses = MODES.map(mode => acl.can(user, mode))
+  return Promise.all(accesses)
+    .then(allowed => PERMISSIONS.filter((_, i) => allowed[i]).join(' '))
 }