pass 6 out of 16

Tim Berners-Lee · Tim Berners-Lee · commit 3b70e3aeb4df · 2018-09-03T21:20:50.000-04:00
diff --git a/src/acl-check.js b/src/acl-check.js
@@ -22,76 +22,79 @@ function publisherTrustedApp (kb, doc, aclDoc, modesRequired, origin, docAuths)
 
 function checkAccess (kb, doc, directory, aclDoc, agent, modesRequired, origin, trustedOrigins) {
   var auths = kb.each(null, ACL('accessTo'), doc, aclDoc)
+  console.log(`checkAccess: checking access to ${doc} by ${agent}`)
+  if (auths.length) console.log(`   ${auths.length} authentications apply directly to doc`)
   if (directory) {
     auths = auths.concat(null, (ACL('defaultForNew'), directory)) // Deprecated but keep for ages
     auths = auths.concat(null, (ACL('default'), directory))
+    if (auths.length) console.log(`   ${auths.length} total relevant authentications`)
   }
   if (origin && trustedOrigins && trustedOrigins.includes(origin)) {
     console.log('Origin ' + origin + ' is trusted')
     origin = null // stop worrying about origin
+    console.log(`  checkAccess: Origin ${origin} is trusted.`)
   }
   function agentOrGroupOK (auth, agent) {
-    if (kb.holds(auth, ACL('accessToClass'), FOAF('Agent'), aclDoc)) return true
-    if (!agent) return false
-    return kb.holds(auth, ACL('accessToClass'), ACL('AuthenticatedAgent'), aclDoc) ||
-      kb.holds(auth, ACL('agent'), agent, aclDoc) ||
-      kb.each(auth, ACL('accessToGroup'), null, aclDoc).some(group => kb.holds(agent, VCARD('member'), group, group.doc()))
-  }
-  function originOK (auth, origin) {
-    return kb.holds(auth, ACL('origin'), origin, aclDoc)
-  }
-  return modesRequired.every(mode =>
-    auths.filter(auth => kb.holds(auth, ACL('mode'), mode, aclDoc)).some(
-      auth => (agentOrGroupOK(auth, agent)) && (!origin || originOK(auth, origin)))
-  )
-}
+    console.log(`   Checking auth ${auth} with agent ${agent}`)
+    if (kb.holds(auth, ACL('accessToClass'), FOAF('Agent'), aclDoc)) {
+      console.log(`    Agent or group: Ok, its public.`)
+      return true
+    }
+    if (!agent) {
+      console.log(`    Agent or group: Fail: not public and not logged on.`)
+      return false
+    }
+    if (kb.holds(auth, ACL('accessToClass'), ACL('AuthenticatedAgent'), aclDoc)) {
+      console.log('    AuthenticatedAgent: logged in, looks good')
+      return true
+    }
+    if (kb.holds(auth, ACL('agent'), agent, aclDoc) ) {
+      console.log('    Agent explicitly authenticated.')
+      return true
+    }
+    if (kb.each(auth, ACL('accessToGroup'), null, aclDoc).some(
+      group => kb.holds(agent, VCARD('member'), group, group.doc()))) {
+      console.log('    Agent is member of group which has accees.')
+      return true
+    }
+    console.log('    Agent or group access fails for this authentication.')
+    return false
+  } // Agent or group
 
-function checkAccess1 (kb, doc, directory, aclDoc, agent, modesRequired, origin, trustedOrigins) {
-  var auths = kb.each(null, ACL('accessTo'), doc, aclDoc)
-  if (directory) {
-    auths = auths.concat(null, (ACL('defaultForNew'), doc)) // Deprecated but keep for ages
-    auths = auths.concat(null, (ACL('default'), doc))
-  }
-  if (origin && trustedOrigins && trustedOrigins.includes(origin)) {
-    console.log('Origin ' + origin + ' is trusted')
-    origin = null // stop worrying about origin
-  }
-  function agentOrGroupOK (auth, agent) {
-    if (kb.holds(auth, ACL('accessToClass'), FOAF('Agent'), aclDoc)) return true
-    if (!agent) return false
-    return kb.holds(auth, ACL('accessToClass'), ACL('AuthenticatedAgent'), aclDoc) ||
-      kb.holds(auth, ACL('agent'), agent, aclDoc) ||
-      kb.each(auth, ACL('accessToGroup'), null, aclDoc).some(group => kb.holds(agent, VCARD('member'), group, group.doc()))
-  }
   function originOK (auth, origin) {
     return kb.holds(auth, ACL('origin'), origin, aclDoc)
   }
-  return modesRequired.every(mode =>
-    auths.filter(auth => kb.holds(auth, ACL('mode'), mode, aclDoc)).some(
-      auth => (agentOrGroupOK(auth, agent)) && (!origin || originOK(auth, origin)))
-  )
-}
-
-function checkAccess0 (kb, doc, directory, aclDoc, agent, modesRequired, origin, trustedOrigins) {
-  var auths = kb.each(null, ACL('accessTo'), doc)
-  if (directory) {
-    auths = auths.concat(null, (ACL('defaultForNew'), doc)) // Deprecated but keep for ages
-    auths = auths.concat(null, (ACL('default'), doc))
-  }
-  if (origin && trustedOrigins && trustedOrigins.includes(origin)) {
-    console.log('Origin ' + origin + ' is trusted')
-    origin = null // stop worrying about origin
-  }
-  return modesRequired.every(mode =>
-     auths.some(auth =>
-       kb.holds(auth, ACL('agent'), agent) && kb.holds(auth, ACL('mode'), mode)) &&
-       (!origin ||
-      auths.some(auth => kb.holds(auth, ACL('origin'), origin) && kb.holds(auth, ACL('mode'), mode))
-    )
-  )
+  let allowed = modesRequired.every(mode => {
+    console.log(' Checking needed mode ' + mode)
+    let modeAuths = auths.filter(auth => kb.holds(auth, ACL('mode'), mode, aclDoc))
+    if (mode.sameTerm(ACL('Append'))) { // If you want append, Write will work too.
+      let writeAuths = auths.filter(auth => kb.holds(auth, ACL('mode'), ACL('Write'), aclDoc))
+      console.log(`   Authorizations that work with Write: ${writeAuths.length}`)
+      modeAuths = modeAuths.concat(writeAuths)
+    }
+    console.log(`   Authorizations that work with mode: ${modeAuths.length}`)
+    let modeResult = modeAuths.some(auth => {
+      if (!agentOrGroupOK(auth, agent)) {
+        console.log('     The agent/group/public check fails')
+        return false
+      }
+      if (!origin) {
+        console.log('     Origin check not needed: no origin.')
+        return true
+      }
+      if (originOK(auth, origin)) {
+        console.log('     Origin check succeeded.')
+        return true
+      }
+      console.log('     Origin check FAILED. Origin not tested.')
+      return true
+    })
+    console.log(' Mode result ' + modeResult)
+    return modeResult
+  })
+  console.log('Overall result:' + allowed)
+  return allowed
 }
 
 module.exports.checkAccess = checkAccess
-module.exports.checkAccess0 = checkAccess0
-module.exports.checkAccess1 = checkAccess1
 module.exports.publisherTrustedApp = publisherTrustedApp
diff --git a/test/unit/check-access-test.js b/test/unit/check-access-test.js
@@ -12,10 +12,9 @@ const FOAF = $rdf.Namespace('http://xmlns.com/foaf/0.1/')
 
 const prefixes = `@prefix acl: <http://www.w3.org/ns/auth/acl#> .
 @prefix foaf: <http://xmlns.com/foaf/0.1/>.
-@prefix alice: <https://alice.example.com/>.
+@prefix alice: <https://alice.example.com/#>.
 @prefix bob: <https://bob.example.com/#>.
 `
-const aliceWebId = 'https://alice.example.com/#me'
 const alice = $rdf.sym('https://alice.example.com/#me')
 const bob = $rdf.sym('https://bob.example.com/#me')
 const malory = $rdf.sym('https://someone.else.example.com/')
@@ -26,22 +25,22 @@ test('aclCheck checkAccess() test - Append access implied by Write acecss', t =>
   let aclUrl = 'https://alice.example.com/docs/.acl'
   let aclDoc = $rdf.sym(aclUrl)
 
-  const kb = $rdf.graph() // Quad store
+  const store = $rdf.graph() // Quad store
   const ACLtext = prefixes +
   ` <#auth> a acl:Authorization;
-    acl:mode acl:Read;
+    acl:mode acl:Write;
     acl:agent alice:me;
     acl:accessTo <${resource.uri}> .
   `
-  $rdf.parse(ACLtext, kb, aclUrl, 'text/turtle')
+  $rdf.parse(ACLtext, store, aclUrl, 'text/turtle')
 
   const agent = alice
   const directory = null
   const modesRequired = [ ACL('Append')]
   const trustedOrigins = null
   const origin = null
 
-  const result = aclLogic.checkAccess(kb, resource, directory, aclDoc, agent, modesRequired, origin, trustedOrigins)
+  const result = aclLogic.checkAccess(store, resource, directory, aclDoc, agent, modesRequired, origin, trustedOrigins)
   if (result) {
     t.ok(result, 'Alice should have Append access implied by Write access')
   } else {
@@ -56,30 +55,30 @@ test('acl-check checkAccess() test - accessTo', function (t) {
   let containerAclUrl = 'https://alice.example.com/docs/.acl'
   let containerAcl = $rdf.sym(containerAclUrl)
 
-  const kb = $rdf.graph() // Quad store
+  const store = $rdf.graph() // Quad store
   const ACLtext = prefixes +
   ` <#auth> a acl:Authorization;
     acl:mode acl:Read, acl:Write;
     acl:agent alice:me;
     acl:accessTo <${container.uri}> .
   `
-  $rdf.parse(ACLtext, kb, containerAclUrl, 'text/turtle')
+  $rdf.parse(ACLtext, store, containerAclUrl, 'text/turtle')
 
-  var result = aclLogic.checkAccess(kb, container, null, containerAcl, alice, [ ACL('Read')])
+  var result = aclLogic.checkAccess(store, container, null, containerAcl, alice, [ ACL('Read')])
   if (result) {
     t.ok(result, 'Alice should have Read acces')
   } else {
     t.fail('Alice s....')
   }
 
-  result = aclLogic.checkAccess(kb, container, null, containerAcl, alice, [ ACL('Write')])
+  result = aclLogic.checkAccess(store, container, null, containerAcl, alice, [ ACL('Write')])
   if (result) {
     t.ok(result, 'Alice should have Write acces')
   } else {
     t.fail('Alice s....')
   }
 
-  result = aclLogic.checkAccess(kb, container, null, containerAcl, bob, [ ACL('Write')])
+  result = aclLogic.checkAccess(store, container, null, containerAcl, bob, [ ACL('Write')])
   if (!result) {
     t.ok(result, 'Bob should not have Write acces')
   } else {
@@ -96,36 +95,36 @@ test('acl-check checkAccess() test - default/inherited', function (t) {
   let file1 = $rdf.sym('https://alice.example.com/docs/file1')
   let file2 = $rdf.sym('https://alice.example.com/docs/stuff/file2')
   var result
-  const kb = $rdf.graph()
+  const store = $rdf.graph()
   let ACLtext = prefixes + ` <#auth> a acl:Authorization;
     acl:mode acl:Read;
     acl:agent bob:me;
     acl:accessTo <${file1.uri}> .
 `
-  $rdf.parse(ACLtext, kb, containerAcl.uri, 'text/turtle')
+  $rdf.parse(ACLtext, store, containerAcl.uri, 'text/turtle')
 
   let containerAclText = prefixes + ` <#auth> a acl:Authorization;
       acl:mode acl:Read;
       acl:agent alice:me;
       acl:default <${container.uri}> .
 `
-  $rdf.parse(containerAclText, kb, containerAcl.uri, 'text/turtle')
+  $rdf.parse(containerAclText, store, containerAcl.uri, 'text/turtle')
 
-  result = aclLogic.checkAccess(kb, file1, container, containerAcl, alice, [ ACL('Read')])
+  result = aclLogic.checkAccess(store, file1, container, containerAcl, alice, [ ACL('Read')])
   if (result) {
     t.ok(result, 'Alice should have Read acces inherited')
   } else {
     t.fail('Alice s....')
   }
 
-  result = aclLogic.checkAccess(kb, file2, container, containerAcl, alice, [ ACL('Read')])
+  result = aclLogic.checkAccess(store, file2, container, containerAcl, alice, [ ACL('Read')])
   if (result) {
     t.ok(result, 'Alice should have Read acces inherited 2')
   } else {
     t.fail('Alice s....')
   }
 
-  result = aclLogic.checkAccess(kb, file2, container, containerAcl, alice, [ ACL('Read')])
+  result = aclLogic.checkAccess(store, file2, container, containerAcl, alice, [ ACL('Read')])
   if (result) {
     t.ok(result, 'Mallory should NOT have Read acces inherited')
   } else {
@@ -142,26 +141,26 @@ test('aclCheck checkAccess() test - Append access implied by Public Write acecss
   let aclUrl = 'https://alice.example.com/docs/.acl'
   let aclDoc = $rdf.sym(aclUrl)
 
-  const kb = $rdf.graph() // Quad store
+  const store = $rdf.graph() // Quad store
   const ACLtext = prefixes +
   ` <#auth> a acl:Authorization;
     acl:mode acl:Read;
     acl:agentClass foaf:Agent;
     acl:accessTo <${resource.uri}> .
   `
-  $rdf.parse(ACLtext, kb, aclUrl, 'text/turtle')
+  $rdf.parse(ACLtext, store, aclUrl, 'text/turtle')
 
   const agent = alice
   const directory = null
   const modesRequired = [ ACL('Append')]
   const trustedOrigins = null
   const origin = null
 
-  const result = aclLogic.checkAccess(kb, resource, directory, aclDoc, agent, modesRequired, origin, trustedOrigins)
+  const result = aclLogic.checkAccess(store, resource, directory, aclDoc, agent, modesRequired, origin, trustedOrigins)
   if (result) {
-    t.ok(result, 'Alice should have Append access implied by Write access')
+    t.ok(result, 'Alice should have Append access implied by Write access - Public')
   } else {
-    t.fail('Alice should have Append access implied by Write access')
+    t.fail('Alice should have Append access implied by Write access - Public')
   }
   t.end()
 })
@@ -172,32 +171,46 @@ test('acl-check checkAccess() test - accessTo', function (t) {
   let containerAclUrl = 'https://alice.example.com/docs/.acl'
   let containerAcl = $rdf.sym(containerAclUrl)
 
-  const kb = $rdf.graph() // Quad store
+  const store = $rdf.graph() // Quad store
   const ACLtext = prefixes +
   ` <#auth> a acl:Authorization;
     acl:mode acl:Read, acl:Write;
     acl:agentClass foaf:Agent;
     acl:accessTo <${container.uri}> .
   `
-  $rdf.parse(ACLtext, kb, containerAclUrl, 'text/turtle')
+  $rdf.parse(ACLtext, store, containerAclUrl, 'text/turtle')
 
-  var result = aclLogic.checkAccess(kb, container, null, containerAcl, alice, [ ACL('Read')])
+  var result = aclLogic.checkAccess(store, container, null, containerAcl, alice, [ ACL('Read')])
   if (result) {
-    t.ok(result, 'Alice should have Read acces')
+    t.ok(result, 'Alice should have Read acces - Public')
   } else {
     t.fail('Alice s....')
   }
 
-  result = aclLogic.checkAccess(kb, container, null, containerAcl, alice, [ ACL('Write')])
+  result = aclLogic.checkAccess(store, container, null, containerAcl, alice, [ ACL('Write')])
   if (result) {
     t.ok(result, 'Alice should have Write acces')
   } else {
     t.fail('Alice s....')
   }
 
-  result = aclLogic.checkAccess(kb, container, null, containerAcl, bob, [ ACL('Write')])
-  if (!result) {
-    t.ok(result, 'Bob should not have Write acces')
+  var result = aclLogic.checkAccess(store, container, null, containerAcl, null, [ ACL('Read')])
+  if (result) {
+    t.ok(result, 'Anonymous should have Read acces to public thing - Public')
+  } else {
+    t.fail('Alice s....')
+  }
+
+  result = aclLogic.checkAccess(store, container, null, containerAcl, null, [ ACL('Write')])
+  if (result) {
+    t.ok(result, 'Anonymous should have Write acces - Public')
+  } else {
+    t.fail('Alice s....')
+  }
+
+  result = aclLogic.checkAccess(store, container, null, containerAcl, bob, [ ACL('Write')])
+  if (result) {
+    t.ok(result, 'Bob should have Write acces to public write - Public')
   } else {
     t.fail('Alice s....')
   }
@@ -212,38 +225,38 @@ test('acl-check checkAccess() test - default/inherited', function (t) {
   let file1 = $rdf.sym('https://alice.example.com/docs/file1')
   let file2 = $rdf.sym('https://alice.example.com/docs/stuff/file2')
   var result
-  const kb = $rdf.graph()
+  const store = $rdf.graph()
   let ACLtext = prefixes + ` <#auth> a acl:Authorization;
     acl:mode acl:Read;
     acl:agent bob:me;
     acl:accessTo <${file1.uri}> .
 `
-  $rdf.parse(ACLtext, kb, containerAcl.uri, 'text/turtle')
+  $rdf.parse(ACLtext, store, containerAcl.uri, 'text/turtle')
 
   let containerAclText = prefixes + ` <#auth> a acl:Authorization;
       acl:mode acl:Read;
       acl:agentClass foaf:Agent;
       acl:default <${container.uri}> .
 `
-  $rdf.parse(containerAclText, kb, containerAcl.uri, 'text/turtle')
+  $rdf.parse(containerAclText, store, containerAcl.uri, 'text/turtle')
 
-  result = aclLogic.checkAccess(kb, file1, container, containerAcl, alice, [ ACL('Read')])
+  result = aclLogic.checkAccess(store, file1, container, containerAcl, alice, [ ACL('Read')])
   if (result) {
-    t.ok(result, 'Alice should have Read acces inherited')
+    t.ok(result, 'Alice should have Read acces inherited - Public')
   } else {
     t.fail('Alice s....')
   }
 
-  result = aclLogic.checkAccess(kb, file2, container, containerAcl, alice, [ ACL('Read')])
+  result = aclLogic.checkAccess(store, file2, container, containerAcl, alice, [ ACL('Read')])
   if (result) {
-    t.ok(result, 'Alice should have Read acces inherited 2')
+    t.ok(result, 'Alice should have Read acces inherited 2  - Public')
   } else {
     t.fail('Alice s....')
   }
 
-  result = aclLogic.checkAccess(kb, file2, container, containerAcl, alice, [ ACL('Read')])
+  result = aclLogic.checkAccess(store, file2, container, containerAcl, alice, [ ACL('Read')])
   if (result) {
-    t.ok(result, 'Mallory should NOT have Read acces inherited')
+    t.ok(result, 'Mallory should NOT have Read acces inherited  - Public')
   } else {
     t.fail('Alice s....')
   }
