Work in progress - want to rebase

Author: megoth

lib/acl-checker.js

@@ -4,8 +4,10 @@ const PermissionSet = require('solid-permissions').PermissionSet
 const rdf = require('rdflib')
 const debug = require('./debug').ACL
 const HTTPError = require('./http-error')
+const aclCheck = require('acl-check')
 
 const DEFAULT_ACL_SUFFIX = '.acl'
+const ACL = rdf.Namespace('http://www.w3.org/ns/auth/acl#')
 
 // An ACLChecker exposes the permissions on a specific resource
 class ACLChecker {
@@ -22,34 +24,77 @@ class ACLChecker {
 
   // Returns a fulfilled promise when the user can access the resource
   // in the given mode, or rejects with an HTTP error otherwise
-  can (user, mode) {
+  async can (user, mode) {
     // If this is an ACL, Control mode must be present for any operations
     if (this.isAcl(this.resource)) {
       mode = 'Control'
     }
 
     // Obtain the permission set for the resource
-    if (!this._permissionSet) {
-      this._permissionSet = this.getNearestACL()
-        .then(acl => this.getPermissionSet(acl))
-    }
+    // this.acl.graph
+    // this.resource
+    // this.acl.isContainer ? this.resource : null
+    // this.acl.acl
+    // user
+    // ACL(mode)
+    // this.origin
+    // this.trustedOrigins
+
+    // console.log('ACL', this.origin, this.trustedOrigins)
+    // console.log(aclCheck.accessDenied)
+    // if (!this._permissionSet) {
+    //   this._permissionSet = this.getNearestACL()
+    //     .then(acl => this.getPermissionSet(acl))
+    // }
+
+    // aclCheck.checkAccess(acl.graph, this.resource)
 
     // Check the resource's permissions
-    return this._permissionSet
-      .then(acls => this.checkAccess(acls, user, mode))
-      .catch(() => {
-        if (!user) {
-          throw new HTTPError(401, `Access to ${this.resource} requires authorization`)
-        } else {
-          throw new HTTPError(403, `Access to ${this.resource} denied for ${user}`)
-        }
-      })
+    this.acl = this.acl || await this.getNearestACL()
+    const resource = rdf.sym(this.resource)
+    // const directory = this.acl.isContainer ? this.resource : null
+    const directory = this.acl.isContainer ? rdf.sym(ACLChecker.getDirectory(this.acl.acl)) : null
+    // console.log(ACLChecker.getDirectory(this.acl.acl))
+    const aclFile = rdf.sym(this.acl.acl)
+    // const agent = rdf.sym(user)
+    const agent = user ? rdf.sym(user) : null
+    // console.log('ACL agent', agent)
+    // console.log('ACL FILE', this.resource, this.acl.acl)
+    const modes = [ACL(mode)]
+    const origin = this.origin ? rdf.sym(this.origin) : null
+    const trustedOrigins = this.trustedOrigins ? this.trustedOrigins.map(trustedOrigin => rdf.sym(trustedOrigin)) : null
+    const accessDenied = aclCheck.accessDenied(this.acl.graph, resource, directory, aclFile, agent, modes, origin, trustedOrigins)
+    console.log('ACCESS DENIED', accessDenied, '\n\n')
+    if (accessDenied && user) {
+      throw new HTTPError(403, `Access to ${this.resource} denied for ${user}`)
+    } else if (accessDenied) {
+      throw new HTTPError(401, `Access to ${this.resource} requires authorization`)
+    }
+    return Promise.resolve(true)
+  }
+
+  // return Promise.resolve(true)
+  // return this._permissionSet
+  //   .then(acls => this.checkAccess(acls, user, mode))
+  //   .catch(() => {
+  //     if (!user) {
+  //       throw new HTTPError(401, `Access to ${this.resource} requires authorization`)
+  //     } else {
+  //       throw new HTTPError(403, `Access to ${this.resource} denied for ${user}`)
+  //     }
+  //   })
+
+  static getDirectory (aclFile) {
+    const parts = aclFile.split('/')
+    parts.pop()
+    return `${parts.join('/')}/`
   }
 
-  // Gets the ACL that applies to the resource
-  getNearestACL () {
+// Gets the ACL that applies to the resource
+  async getNearestACL () {
     const { resource } = this
     let isContainer = false
+    // let directory = null
     // Create a cascade of reject handlers (one for each possible ACL)
     const nearestACL = this.getPossibleACLs().reduce((prevACL, acl) => {
       return prevACL.catch(() => new Promise((resolve, reject) => {
@@ -68,11 +113,11 @@ class ACLChecker {
     return nearestACL.catch(e => { throw new Error('No ACL resource found') })
   }
 
-  // Gets all possible ACL paths that apply to the resource
+// Gets all possible ACL paths that apply to the resource
   getPossibleACLs () {
     // Obtain the resource URI and the length of its base
     let { resource: uri, suffix } = this
-    const [ { length: base } ] = uri.match(/^[^:]+:\/*[^/]+/)
+    const [{ length: base }] = uri.match(/^[^:]+:\/*[^/]+/)
 
     // If the URI points to a file, append the file's ACL
     const possibleAcls = []
@@ -87,7 +132,7 @@ class ACLChecker {
     return possibleAcls
   }
 
-  // Tests whether the permissions allow a given operation
+// Tests whether the permissions allow a given operation
   checkAccess (permissionSet, user, mode) {
     const options = { fetchGraph: this.fetchGraph }
     return permissionSet.checkAccess(this.resource, user, mode, options)
@@ -100,7 +145,7 @@ class ACLChecker {
       })
   }
 
-  // Gets the permission set for the given ACL
+// Gets the permission set for the given ACL
   getPermissionSet ({ acl, graph, isContainer }) {
     if (!graph || graph.length === 0) {
       debug('ACL ' + acl + ' is empty')

lib/api/authn/webid-oidc.js

@@ -87,9 +87,7 @@ function middleware (oidc) {
   // Static assets related to authentication
   const authAssets = [
     ['/.well-known/solid/login/', '../static/popup-redirect.html', false],
-    ['/common/', 'solid-auth-client/dist-popup/popup.html'],
-    ['/common/js/', 'solid-auth-client/dist-lib/solid-auth-client.bundle.js'],
-    ['/common/js/', 'solid-auth-client/dist-lib/solid-auth-client.bundle.js.map']
+    ['/common/', 'solid-auth-client/dist-popup/popup.html']
   ]
   authAssets.map(args => routeResolvedFile(router, ...args))
 

lib/create-app.js

@@ -64,6 +64,8 @@ function createApp (argv = {}) {
   app.use('/common', express.static(path.join(__dirname, '../common')))
   routeResolvedFile(app, '/common/js/', 'mashlib/dist/mashlib.min.js')
   routeResolvedFile(app, '/common/js/', 'mashlib/dist/mashlib.min.js.map')
+  routeResolvedFile(app, '/common/js/', 'solid-auth-client/dist-lib/solid-auth-client.bundle.js.map')
+  routeResolvedFile(app, '/common/js/', 'solid-auth-client/dist-lib/solid-auth-client.bundle.js.map')
   app.use('/.well-known', express.static(path.join(__dirname, '../common/well-known')))
 
   // Serve bootstrap from it's node_module directory

lib/handlers/allow.js

@@ -36,7 +36,7 @@ function allow (mode) {
     // Obtain and store the ACL of the requested resource
     req.acl = new ACL(rootUrl + reqPath, {
       origin: req.get('origin'),
-      host: req.protocol + '://' + req.get('host'),
+      host: req.get('host'),
       fetch: fetchFromLdp(ldp.resourceMapper, ldp),
       fetchGraph: (uri, options) => {
         // first try loading from local fs

test/unit/acl-checker-test.js

@@ -7,27 +7,27 @@ chai.use(require('chai-as-promised'))
 const options = { fetch: (url, callback) => {} }
 
 describe('ACLChecker unit test', () => {
-  let acl
+  // let acl
 
-  beforeEach(() => {
-    acl = new ACLChecker('http://ex.com/.acl', options)
-  })
+  // beforeEach(() => {
+  //   acl = new ACLChecker('http://ex.com/.acl', options)
+  // })
 
-  describe('checkAccess', () => {
-    it('should callback with null on grant success', () => {
-      let acls = { checkAccess: () => Promise.resolve(true) }
-      return expect(acl.checkAccess(acls)).to.eventually.be.true
-    })
-    it('should callback with error on grant failure', () => {
-      let acls = { checkAccess: () => Promise.resolve(false) }
-      return expect(acl.checkAccess(acls))
-      .to.be.rejectedWith('ACL file found but no matching policy found')
-    })
-    it('should callback with error on grant error', () => {
-      let acls = { checkAccess: () => Promise.reject(new Error('my error')) }
-      return expect(acl.checkAccess(acls)).to.be.rejectedWith('my error')
-    })
-  })
+  // describe('checkAccess', () => {
+  //   it('should callback with null on grant success', () => {
+  //     let acls = { checkAccess: () => Promise.resolve(true) }
+  //     return expect(acl.checkAccess(acls)).to.eventually.be.true
+  //   })
+  //   it('should callback with error on grant failure', () => {
+  //     let acls = { checkAccess: () => Promise.resolve(false) }
+  //     return expect(acl.checkAccess(acls))
+  //     .to.be.rejectedWith('ACL file found but no matching policy found')
+  //   })
+  //   it('should callback with error on grant error', () => {
+  //     let acls = { checkAccess: () => Promise.reject(new Error('my error')) }
+  //     return expect(acl.checkAccess(acls)).to.be.rejectedWith('my error')
+  //   })
+  // })
 
   describe('getPossibleACLs', () => {
     it('returns all possible ACLs of the root', () => {