11'use strict'
22
3- // const PermissionSet = require('solid-permissions').PermissionSet
43const rdf = require ( 'rdflib' )
54const debug = require ( './debug' ) . ACL
65const HTTPError = require ( './http-error' )
76const aclCheck = require ( 'acl-check' )
87const { URL } = require ( 'url' )
9- // const fetch = require('node-fetch')
108
119const DEFAULT_ACL_SUFFIX = '.acl'
1210const ACL = rdf . Namespace ( 'http://www.w3.org/ns/auth/acl#' )
@@ -36,68 +34,36 @@ class ACLChecker {
3634 }
3735 this . messagesCached [ cacheKey ] = this . messagesCached [ cacheKey ] || [ ]
3836
39- // Obtain the permission set for the resource
40- // this.acl.graph
41- // this.resource
42- // this.acl.isContainer ? this.resource : null
43- // this.acl.acl
44- // user
45- // ACL(mode)
46- // this.origin
47- // this.trustedOrigins
48-
49- // console.log('ACL', this.origin, this.trustedOrigins)
50- // console.log(aclCheck.accessDenied)
51- // if (!this._permissionSet) {
52- // this._permissionSet = this.getNearestACL()
53- // .then(acl => this.getPermissionSet(acl))
54- // }
55-
56- // aclCheck.checkAccess(acl.graph, this.resource)
57-
58- // Check the resource's permissions
5937 const acl = await this . getNearestACL ( ) . catch ( err => {
6038 this . messagesCached [ cacheKey ] . push ( new HTTPError ( err . status || 500 , err . message || err ) )
6139 } )
6240 if ( ! acl ) {
6341 this . aclCached [ cacheKey ] = Promise . resolve ( false )
6442 return this . aclCached [ cacheKey ]
6543 }
66- // console.log('TEST', this.acl)
6744 let resource = rdf . sym ( this . resource )
6845 if ( this . resource . endsWith ( '/' + this . suffix ) ) {
69- // Then, the ACL file is for a directory
7046 resource = rdf . sym ( ACLChecker . getDirectory ( this . resource ) )
7147 }
7248 // If this is an ACL, Control mode must be present for any operations
7349 if ( this . isAcl ( this . resource ) ) {
7450 mode = 'Control'
7551 resource = rdf . sym ( this . resource . substring ( 0 , this . resource . length - this . suffix . length ) )
7652 }
77- // const directory = acl.isContainer ? this.resource : null
7853 const directory = acl . isContainer ? rdf . sym ( ACLChecker . getDirectory ( acl . acl ) ) : null
79- // console.log(ACLChecker.getDirectory(acl.acl))
8054 const aclFile = rdf . sym ( acl . acl )
81- // const agent = rdf.sym(user)
8255 const agent = user ? rdf . sym ( user ) : null
83- // console.log('ACL agent', agent)
84- // console.log('ACL FILE', this.resource, acl.acl)
8556 const modes = [ ACL ( mode ) ]
8657 const agentOrigin = this . agentOrigin ? rdf . sym ( this . agentOrigin ) : null
8758 const trustedOrigins = this . trustedOrigins ? this . trustedOrigins . map ( trustedOrigin => rdf . sym ( trustedOrigin ) ) : null
88- console . log ( 'TRUSTED ORIGINS' , trustedOrigins , agentOrigin )
8959 const accessDenied = aclCheck . accessDenied ( acl . graph , resource , directory , aclFile , agent , modes , agentOrigin , trustedOrigins )
90- console . log ( 'ACCESS DENIED MESSAGE' , accessDenied )
91- console . log ( 'DOMAIN' , this . resourceUrl . origin , this . agentOrigin )
92- console . log ( 'USER' , user )
9360 if ( accessDenied && this . agentOrigin && this . resourceUrl . origin !== this . agentOrigin ) {
9461 this . messagesCached [ cacheKey ] . push ( new HTTPError ( 403 , accessDenied ) )
9562 } else if ( accessDenied && user ) {
9663 this . messagesCached [ cacheKey ] . push ( new HTTPError ( 403 , accessDenied ) )
9764 } else if ( accessDenied ) {
9865 this . messagesCached [ cacheKey ] . push ( new HTTPError ( 401 , accessDenied ) )
9966 }
100- console . log ( 'ACCESS ALLOWED' , ! accessDenied , user , '\n\n' )
10167 this . aclCached [ cacheKey ] = Promise . resolve ( ! accessDenied )
10268 return this . aclCached [ cacheKey ]
10369 }
@@ -109,17 +75,6 @@ class ACLChecker {
10975 return isAllowed ? null : this . messagesCached [ cacheKey ] . reduce ( ( prevMsg , msg ) => msg . status > prevMsg . status ? msg : prevMsg , { status : 0 } )
11076 }
11177
112- // return Promise.resolve(true)
113- // return this._permissionSet
114- // .then(acls => this.checkAccess(acls, user, mode))
115- // .catch(() => {
116- // if (!user) {
117- // throw new HTTPError(401, `Access to ${this.resource} requires authorization`)
118- // } else {
119- // throw new HTTPError(403, `Access to ${this.resource} denied for ${user}`)
120- // }
121- // })
122-
12378 static getDirectory ( aclFile ) {
12479 const parts = aclFile . split ( '/' )
12580 parts . pop ( )
@@ -130,8 +85,6 @@ class ACLChecker {
13085 async getNearestACL ( ) {
13186 const { resource } = this
13287 let isContainer = false
133- // let directory = null
134- // Create a cascade of reject handlers (one for each possible ACL)
13588 const possibleACLs = this . getPossibleACLs ( )
13689 const acls = [ ...possibleACLs ]
13790 let returnAcl = null
@@ -146,7 +99,6 @@ class ACLChecker {
14699 isContainer = true
147100 continue
148101 }
149- console . error ( 'ERROR IN getNearestACL' , err . code , err )
150102 debug ( err )
151103 throw err
152104 }
@@ -157,35 +109,18 @@ class ACLChecker {
157109 if ( ! returnAcl ) {
158110 throw new HTTPError ( 500 , `No ACL found for ${ resource } , searched in \n- ${ acls . join ( '\n- ' ) } ` )
159111 }
160- console . log ( '>>>> GRAPH WITHOUT GROUPS' , returnAcl . graph . length )
161112 const groupUrls = returnAcl . graph
162113 . statementsMatching ( null , ACL ( 'agentGroup' ) , null )
163114 . map ( node => node . object . value . split ( '#' ) [ 0 ] )
164115 await Promise . all ( groupUrls . map ( groupUrl => {
165116 this . requests [ groupUrl ] = this . requests [ groupUrl ] || this . fetch ( groupUrl , returnAcl . graph )
166117 return this . requests [ groupUrl ]
167118 } ) )
168- console . log ( '>>>> GRAPH WITH GROUPS' , returnAcl . graph )
169119
170120 return returnAcl
171- // const nearestACL = possibleACLs.reduce((prevACL, acl) => {
172- // return prevACL.catch(() => new Promise((resolve, reject) => {
173- // this.fetch(acl, (err, graph) => {
174- // if (err && err.code !== 'ENOENT') {
175- // isContainer = true
176- // reject(err)
177- // } else {
178- // const relative = resource.replace(acl.replace(/[^/]+$/, ''), './')
179- // debug(`Using ACL ${acl} for ${relative}`)
180- // resolve({ acl, graph, isContainer })
181- // }
182- // })
183- // }))
184- // }, Promise.reject())
185- // return nearestACL.catch(e => { throw new Error(`No ACL resource found, searched in \n- ${possibleACLs.join('\n- ')}`) })
186121 }
187122
188- // Gets all possible ACL paths that apply to the resource
123+ // Gets all possible ACL paths that apply to the resource
189124 getPossibleACLs ( ) {
190125 // Obtain the resource URI and the length of its base
191126 let { resource : uri , suffix } = this
@@ -204,43 +139,6 @@ class ACLChecker {
204139 return possibleAcls
205140 }
206141
207- // Tests whether the permissions allow a given operation
208- // checkAccess (permissionSet, user, mode) {
209- // const options = { fetchGraph: this.fetchGraph }
210- // return permissionSet.checkAccess(this.resource, user, mode, options)
211- // .then(hasAccess => {
212- // if (hasAccess) {
213- // return true
214- // } else {
215- // throw new Error('ACL file found but no matching policy found')
216- // }
217- // })
218- // }
219-
220- // Gets the permission set for the given ACL
221- // getPermissionSet ({ acl, graph, isContainer }) {
222- // if (!graph || graph.length === 0) {
223- // debug('ACL ' + acl + ' is empty')
224- // throw new Error('No policy found - empty ACL')
225- // }
226- // const aclOptions = {
227- // aclSuffix: this.suffix,
228- // graph: graph,
229- // host: this.host,
230- // origin: this.origin,
231- // rdf: rdf,
232- // strictOrigin: this.strictOrigin,
233- // trustedOrigins: this.trustedOrigins,
234- // isAcl: uri => this.isAcl(uri),
235- // aclUrlFor: uri => this.aclUrlFor(uri)
236- // }
237- // return new PermissionSet(this.resource, acl, isContainer, aclOptions)
238- // }
239-
240- // aclUrlFor (uri) {
241- // return this.isAcl(uri) ? uri : uri + this.suffix
242- // }
243-
244142 isAcl ( resource ) {
245143 return resource . endsWith ( this . suffix )
246144 }
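Review bot: In getNearestACL the URLs read from `acl:agentGroup` objects go unchecked into `this.fetch(groupUrl, returnAcl.graph)`, so whoever can write the ACL decides what the server fetches, and the response appears to be added to the same graph that `aclCheck.accessDenied` evaluates. `this.fetch` is not visible here, so this is inferred; if it does merge, the check is only safe as long as authorization statements are matched against `aclFile` as their source and never against the whole graph. I would state that constraint at the call, e.g. `// group documents share the ACL graph: trust only membership triples from them`, and restrict group URLs to the schemes and hosts the server is meant to dereference. Also, `Promise.all` rejects on the first group that fails to load, which checkAccess turns into a denial for every agent; that fails closed, but handling each group's failure separately would keep one unreachable group from locking out the resource. getNearestACL begins in an earlier hunk and part of its loop lies between hunks.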