Refactored. modesAllowed() surfcaed. passed 28/28 tests.

Tim Berners-Lee · Tim Berners-Lee · commit d6f1bb4f85dc · 2018-09-04T10:59:38.000-06:00
diff --git a/README.md b/README.md
@@ -25,9 +25,13 @@ let dirAclDoc = $rdf.sym('https://alice.example.com/stuff/')
 let agent = $rdf.sym('https://alice.example.com/card.ttl#me')
 let modesRequired = [ ACL('Read'), ACL('Write'), ACL('Control') ]
 
-await fetcher.load([aclDoc, dirAclDoc]) // Load the ACL documents into kb
+await fetcher.load(aclDoc) // Load the ACL documents into kb
 
-let allow = aclCheck.checkAccess(kb, doc, directory, aclDoc, agent, modesRequired, origin, trustedOrigins)
+let allow = aclCheck.checkAccess(kb, resource, null, aclDoc, agent, modesRequired, origin, trustedOrigins)
+
+// When there is no direct ACL file, find the closest container ACL file in the tree above then...
+await fetcher.load(dirAclDoc) // Load the directory ACL documents into kb
+let allow = aclCheck.checkAccess(kb, resource, directory, dirAclDoc, agent, modesRequired, origin, trustedOrigins)
 
 console.log('Access allowed? ' + allow)
 // OWTTE
diff --git a/src/acl-check.js b/src/acl-check.js
@@ -20,19 +20,43 @@ function publisherTrustedApp (kb, doc, aclDoc, modesRequired, origin, docAuths)
   // modesRequired.every(mode => appAuths.some(auth => kb.holds(auth, ACL('mode'), mode, aclDoc)))
 }
 
+/* Function checkAccess
+** @param kb A quadstore
+** @param doc the resource (A named node) or directory for which ACL applies
+*/
 function checkAccess (kb, doc, directory, aclDoc, agent, modesRequired, origin, trustedOrigins) {
-  var auths = kb.each(null, ACL('accessTo'), doc, aclDoc)
-  console.log(`checkAccess: checking access to ${doc} by ${agent}`)
-  if (auths.length) console.log(`   ${auths.length} authentications apply directly to doc`)
-  if (directory) {
-    auths = auths.concat(null, (ACL('defaultForNew'), directory)) // Deprecated but keep for ages
-    auths = auths.concat(null, (ACL('default'), directory))
-    if (auths.length) console.log(`   ${auths.length} total relevant authentications`)
+  let modeURIs = modesAllowed(kb, doc, directory, aclDoc, agent, origin, trustedOrigins)
+  let ok = true
+  console.log(`CheckAccess: modeURIs: ${modeURIs.size}`)
+  modesRequired.forEach(mode => {
+    console.log(` checking ` + mode)
+    if (modeURIs.has(mode.uri)) {
+      console.log('  Mode required and allowed:' + mode)
+    } else if (mode.sameTerm(ACL('Append')) && modeURIs.has(ACL('Write').uri)) {
+      console.log('  Append required and Write allowed. OK')
+    } else {
+      console.log('  MODE REQUIRED NOT ALLOWED:' + mode)
+      ok = false
+    }
+  })
+  return ok
+}
+
+function modesAllowed (kb, doc, directory, aclDoc, agent, modesRequired, origin, trustedOrigins) {
+  console.log(`modesAllowed: checking access to ${doc} by ${agent}`)
+  var auths
+  if (!directory) { // Normal case, ACL for a file
+    auths = kb.each(null, ACL('accessTo'), doc, aclDoc)
+    console.log(`   ${auths.length} direct authentications about ${doc}`)
+  } else {
+    auths = kb.each(null, ACL('default'), directory, null)
+    auths = auths.concat(kb.each(null, ACL('defaultForNew'), directory, null)) // Deprecated but keep for ages
+    console.log(`   ${auths.length}  default authentications about ${directory} in ${aclDoc}`)
   }
   if (origin && trustedOrigins && trustedOrigins.includes(origin)) {
     console.log('Origin ' + origin + ' is trusted')
     origin = null // stop worrying about origin
-    console.log(`  checkAccess: Origin ${origin} is trusted.`)
+    console.log(`  modesAllowed: Origin ${origin} is trusted.`)
   }
   function agentOrGroupOK (auth, agent) {
     console.log(`   Checking auth ${auth} with agent ${agent}`)
@@ -64,37 +88,37 @@ function checkAccess (kb, doc, directory, aclDoc, agent, modesRequired, origin,
   function originOK (auth, origin) {
     return kb.holds(auth, ACL('origin'), origin, aclDoc)
   }
-  let allowed = modesRequired.every(mode => {
-    console.log(' Checking needed mode ' + mode)
-    let modeAuths = auths.filter(auth => kb.holds(auth, ACL('mode'), mode, aclDoc))
-    if (mode.sameTerm(ACL('Append'))) { // If you want append, Write will work too.
-      let writeAuths = auths.filter(auth => kb.holds(auth, ACL('mode'), ACL('Write'), aclDoc))
-      console.log(`   Authorizations that work with Write: ${writeAuths.length}`)
-      modeAuths = modeAuths.concat(writeAuths)
+
+  function agentAndAppOK (auth) {
+    if (!agentOrGroupOK(auth, agent)) {
+      console.log('     The agent/group/public check fails')
+      return false
     }
-    console.log(`   Authorizations that work with mode: ${modeAuths.length}`)
-    let modeResult = modeAuths.some(auth => {
-      if (!agentOrGroupOK(auth, agent)) {
-        console.log('     The agent/group/public check fails')
-        return false
-      }
-      if (!origin) {
-        console.log('     Origin check not needed: no origin.')
-        return true
-      }
-      if (originOK(auth, origin)) {
-        console.log('     Origin check succeeded.')
-        return true
-      }
-      console.log('     Origin check FAILED. Origin not tested.')
+    if (!origin) {
+      console.log('     Origin check not needed: no origin.')
       return true
+    }
+    if (originOK(auth, origin)) {
+      console.log('     Origin check succeeded.')
+      return true
+    }
+    console.log('     Origin check FAILED. Origin not trusted.')
+    return false // @@ look for other trusted apps
+  }
+
+  auths = auths.filter(agentAndAppOK)
+  console.log('  auths with good who and what: ' + auths.length)
+  var modeURIs = new Set()
+  auths.forEach(auth => {
+    let modes = kb.each(auth, ACL('mode'), null, aclDoc)
+    modes.forEach(mode => {
+      console.log('      Mode allowed: ' + mode)
+      modeURIs.add(mode.uri)
     })
-    console.log(' Mode result ' + modeResult)
-    return modeResult
   })
-  console.log('Overall result:' + allowed)
-  return allowed
+  return modeURIs
 }
 
 module.exports.checkAccess = checkAccess
+module.exports.modesAllowed = modesAllowed
 module.exports.publisherTrustedApp = publisherTrustedApp
diff --git a/test/unit/check-access-test.js b/test/unit/check-access-test.js
@@ -80,13 +80,14 @@ test('acl-check checkAccess() test - default/inherited', function (t) {
   let file2 = $rdf.sym('https://alice.example.com/docs/stuff/file2')
   var result
   const store = $rdf.graph()
+  /*
   let ACLtext = prefixes + ` <#auth> a acl:Authorization;
     acl:mode acl:Read;
     acl:agent bob:me;
     acl:accessTo <${file1.uri}> .
 `
   $rdf.parse(ACLtext, store, containerAcl.uri, 'text/turtle')
-
+*/
   let containerAclText = prefixes + ` <#auth> a acl:Authorization;
       acl:mode acl:Read;
       acl:agent alice:me;
@@ -106,6 +107,41 @@ test('acl-check checkAccess() test - default/inherited', function (t) {
   t.end()
 })
 
+// Inheriting permissions from directory defaults -- OLD version defaultForNew
+test('acl-check checkAccess() test - default/inherited', function (t) {
+  let container = $rdf.sym('https://alice.example.com/docs/')
+  let containerAcl = $rdf.sym('https://alice.example.com/docs/.acl')
+  let file1 = $rdf.sym('https://alice.example.com/docs/file1')
+  let file2 = $rdf.sym('https://alice.example.com/docs/stuff/file2')
+  var result
+  const store = $rdf.graph()
+  /*
+  let ACLtext = prefixes + ` <#auth> a acl:Authorization;
+    acl:mode acl:Read;
+    acl:agent bob:me;
+    acl:accessTo <${file1.uri}> .
+`
+  $rdf.parse(ACLtext, store, containerAcl.uri, 'text/turtle')
+*/
+  let containerAclText = prefixes + ` <#auth> a acl:Authorization;
+      acl:mode acl:Read;
+      acl:agent alice:me;
+      acl:defaultForNew <${container.uri}> .
+`
+  $rdf.parse(containerAclText, store, containerAcl.uri, 'text/turtle')
+
+  result = aclLogic.checkAccess(store, file1, container, containerAcl, alice, [ ACL('Read')])
+  t.ok(result, 'Alice should have Read acces inherited')
+
+  result = aclLogic.checkAccess(store, file2, container, containerAcl, alice, [ ACL('Read')])
+  t.ok(result, 'Alice should have Read acces inherited 2')
+
+  result = !aclLogic.checkAccess(store, file2, container, containerAcl, alice, [ ACL('Write')])
+  t.ok(result, 'Alice should NOT have Write acces inherited')
+
+  t.end()
+})
+
 ///////////////////////////////////////// Public access VESRIONS OF THESE
 // Append access implied by Write acecss -PUBLIC
 test('aclCheck checkAccess() test - Append access implied by Public Write acecss', t => {
@@ -171,20 +207,21 @@ test('acl-check checkAccess() test - default/inherited', function (t) {
   let file2 = $rdf.sym('https://alice.example.com/docs/stuff/file2')
   var result
   const store = $rdf.graph()
+  /*
   let ACLtext = prefixes + ` <#auth> a acl:Authorization;
     acl:mode acl:Read;
     acl:agent bob:me;
     acl:accessTo <${file1.uri}> .
-`
+    `
   $rdf.parse(ACLtext, store, containerAcl.uri, 'text/turtle')
-
+*/
   let containerAclText = prefixes + ` <#auth> a acl:Authorization;
       acl:mode acl:Read;
       acl:agentClass foaf:Agent;
       acl:default <${container.uri}> .
 `
   $rdf.parse(containerAclText, store, containerAcl.uri, 'text/turtle')
-
+  console.log('@@' + containerAclText + '@@@')
   result = aclLogic.checkAccess(store, file1, container, containerAcl, alice, [ ACL('Read')])
   t.ok(result, 'Alice should have Read acces inherited - Public')
 
