Redo #1122 on top of latest release branch

megoth · michielbdejong · commit a8b917cf52f0 · 2019-03-15T12:47:44.000+01:00
diff --git a/lib/acl-checker.js b/lib/acl-checker.js
@@ -57,7 +57,8 @@ class ACLChecker {
     const modes = [ACL(mode)]
     const agentOrigin = this.agentOrigin
     const trustedOrigins = this.trustedOrigins
-    const accessDenied = aclCheck.accessDenied(acl.graph, resource, directory, aclFile, agent, modes, agentOrigin, trustedOrigins)
+    const originTrustedModes = agent && agentOrigin ? await this.getOriginTrustedModes(agent, agentOrigin) : []
+    const accessDenied = aclCheck.accessDenied(acl.graph, resource, directory, aclFile, agent, modes, agentOrigin, trustedOrigins, originTrustedModes)
 
     if (accessDenied && user) {
       this.messagesCached[cacheKey].push(HTTPError(403, accessDenied))
@@ -68,6 +69,26 @@ class ACLChecker {
     return this.aclCached[cacheKey]
   }
 
+  async getOriginTrustedModes (agent, agentOrigin) {
+    let agentStore
+    try {
+      this.requests[agent.uri] = this.requests[agent.uri] || this.fetch(agent.uri)
+      agentStore = await this.requests[agent.uri]
+    } catch (err) {
+      if (err && (err.code === 'ENOENT' || err.status === 404)) {
+        // If we're unable to resolve the agent, we conclude that origin has no trusted modes
+        this.requests[agent.uri] = Promise.resolve(null)
+        return Promise.resolve([])
+      }
+      debug(err)
+      throw err
+    }
+    if (agentStore) {
+      return aclCheck.getTrustedModesForOrigin(agentStore, agent, agentOrigin)
+    }
+    return Promise.resolve([])
+  }
+
   async getError (user, mode) {
     const cacheKey = `${mode}-${user}`
     this.aclCached[cacheKey] = this.aclCached[cacheKey] || this.can(user, mode)
diff --git a/test/integration/authentication-oidc-test.js b/test/integration/authentication-oidc-test.js
@@ -35,6 +35,8 @@ describe('Authentication API (OIDC)', () => {
   let bobDbPath = path.join(__dirname,
     '../resources/accounts-scenario/bob/db')
 
+  const trustedAppUri = 'https://trusted.app'
+
   const serverConfig = {
     sslKey: path.join(__dirname, '../keys/key.pem'),
     sslCert: path.join(__dirname, '../keys/cert.pem'),
@@ -437,6 +439,48 @@ describe('Authentication API (OIDC)', () => {
             expect(response).to.have.property('status', 401)
           })
         })
+
+        describe('with trusted app and no cookie', () => {
+          before(done => {
+            alice.get('/private-for-alice.txt')
+                 .set('Origin', trustedAppUri)
+                 .end((err, res) => {
+                   response = res
+                   done(err)
+                 })
+          })
+
+          it('should return a 401', () => expect(response).to.have.property('status', 401))
+        })
+
+        describe('with trusted app and malicious cookie', () => {
+          before(done => {
+            var malcookie = cookie.replace(/connect\.sid=(\S+)/, 'connect.sid=l33th4x0rzp0wn4g3;')
+            alice.get('/private-for-alice.txt')
+                 .set('Cookie', malcookie)
+                 .set('Origin', trustedAppUri)
+                 .end((err, res) => {
+                   response = res
+                   done(err)
+                 })
+          })
+
+          it('should return a 401', () => expect(response).to.have.property('status', 401))
+        })
+
+        describe('with trusted app and correct cookie', () => {
+          before(done => {
+            alice.get('/private-for-alice.txt')
+                 .set('Cookie', cookie)
+                 .set('Origin', trustedAppUri)
+                 .end((err, res) => {
+                   response = res
+                   done(err)
+                 })
+          })
+
+          it('should return a 200', () => expect(response).to.have.property('status', 200))
+        })
       })
     })
 
diff --git a/test/integration/authentication-oidc-with-strict-origins-turned-off-test.js b/test/integration/authentication-oidc-with-strict-origins-turned-off-test.js
@@ -35,6 +35,8 @@ describe('Authentication API (OIDC) - With strict origins turned off', () => {
   const bobServerUri = `https://localhost:${bobServerPort}`
   let bobDbPath = path.join(__dirname, '../resources/accounts-strict-origin-off/bob/db')
 
+  const trustedAppUri = 'https://trusted.app'
+
   const serverConfig = {
     sslKey: path.join(__dirname, '../keys/key.pem'),
     sslCert: path.join(__dirname, '../keys/cert.pem'),
@@ -194,6 +196,18 @@ describe('Authentication API (OIDC) - With strict origins turned off', () => {
                    })
             })
 
+            it('should return a 401', () => expect(response).to.have.property('status', 401))
+          })
+          describe('and trusted app', () => {
+            before(done => {
+              alice.get('/private-for-alice.txt')
+                   .set('Origin', trustedAppUri)
+                   .end((err, res) => {
+                     response = res
+                     done(err)
+                   })
+            })
+
             it('should return a 401', () => expect(response).to.have.property('status', 401))
           })
         })
@@ -251,6 +265,21 @@ describe('Authentication API (OIDC) - With strict origins turned off', () => {
             // Even if origin checking is disabled, then this should return a 401 because cookies should not be trusted cross-origin
             it('should return a 401', () => expect(response).to.have.property('status', 401))
           })
+
+          describe('and trusted app', () => {
+            // Trusted apps are not supported when strictOrigin check is turned off
+            before(done => {
+              alice.get('/private-for-alice.txt')
+                   .set('Cookie', cookie)
+                   .set('Origin', trustedAppUri)
+                   .end((err, res) => {
+                     response = res
+                     done(err)
+                   })
+            })
+
+            it('should return a 401', () => expect(response).to.have.property('status', 401))
+          })
         })
 
         describe('with malicious cookie', () => {
@@ -310,6 +339,20 @@ describe('Authentication API (OIDC) - With strict origins turned off', () => {
 
             it('should return a 401', () => expect(response).to.have.property('status', 401))
           })
+
+          describe('and trusted app', () => {
+            before(done => {
+              alice.get('/private-for-alice.txt')
+                   .set('Cookie', malcookie)
+                   .set('Origin', trustedAppUri)
+                   .end((err, res) => {
+                     response = res
+                     done(err)
+                   })
+            })
+
+            it('should return a 401', () => expect(response).to.have.property('status', 401))
+          })
         })
       })
     })
diff --git a/test/resources/accounts-scenario/alice/profile/card$.ttl b/test/resources/accounts-scenario/alice/profile/card$.ttl
@@ -0,0 +1,4 @@
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+
+<#me> acl:trustedApp [  acl:origin <https://trusted.app>;
+                        acl:mode    acl:Read, acl:Write, acl:Append, acl:Control].
diff --git a/test/resources/accounts-strict-origin-off/alice/profile/card$.ttl b/test/resources/accounts-strict-origin-off/alice/profile/card$.ttl
@@ -0,0 +1,4 @@
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+
+<#me> acl:trustedApp [  acl:origin <https://trusted.app>;
+                        acl:mode    acl:Read, acl:Write, acl:Append, acl:Control].
