Added getTrustedModesForOrigin and added optional param for accessDenied

Makes use of the proposed feature app:trustedApp

Author: megoth

package.json

@@ -15,7 +15,7 @@
     "postversion": "git push --follow-tags",
     "prepublish": "npm test && npm run build",
     "standard": "standard *.js src/*.js",
-    "tape": "tape test/unit/check-access-test.js test/unit/access-denied-test.js test/unit/configure-logger-test.js",
+    "tape": "tape test/unit/check-access-test.js test/unit/access-denied-test.js test/unit/configure-logger-test.js test/unit/get-trusted-modes-for-origin-test.js",
     "test": "npm run standard && npm run tape"
   },
   "repository": {

src/acl-check.js

@@ -20,9 +20,9 @@ function publisherTrustedApp (kb, doc, aclDoc, modesRequired, origin, docAuths)
   // modesRequired.every(mode => appAuths.some(auth => kb.holds(auth, ACL('mode'), mode, aclDoc)))
 }
 
-function accessDenied (kb, doc, directory, aclDoc, agent, modesRequired, origin, trustedOrigins) {
+function accessDenied (kb, doc, directory, aclDoc, agent, modesRequired, origin, trustedOrigins, originTrustedModes = []) {
   log(`accessDenied: checking access to ${doc} by ${agent} and origin ${origin}`)
-  let modeURIorReasons = modesAllowed(kb, doc, directory, aclDoc, agent, origin, trustedOrigins)
+  const modeURIorReasons = modesAllowed(kb, doc, directory, aclDoc, agent, origin, trustedOrigins, originTrustedModes)
   let ok = false
   log('accessDenied: modeURIorReasons: ' + JSON.stringify(Array.from(modeURIorReasons)))
   modesRequired.forEach(mode => {
@@ -44,6 +44,36 @@ function accessDenied (kb, doc, directory, aclDoc, agent, modesRequired, origin,
   return ok
 }
 
+async function getTrustedModesForOrigin (kb, agent, origin) {
+  if (!kb || !origin) {
+    return Promise.resolve({})
+  }
+  const queryString = `
+  SELECT ?mode WHERE {
+    ${agent} ${ACL('trustedApp')} ?trustedOrigin.
+    ?trustedOrigin  ${ACL('origin')} ${origin};
+                    ${ACL('mode')} ?mode .
+  }`
+  const results = await query(queryString, kb)
+  return results.map(result => result['?mode'])
+}
+
+async function query (queryString, store) {
+  return new Promise((resolve, reject) => {
+    try {
+      const query = $rdf.SPARQLToQuery(queryString, true, store)
+      const results = []
+      store.query(query, (result) => {
+        results.push(result)
+      }, null, () => {
+        resolve(results)
+      })
+    } catch (err) {
+      reject(err)
+    }
+  })
+}
+
 /* Function checkAccess
 ** @param kb A quadstore
 ** @param doc the resource (A named node) or directory for which ACL applies
@@ -52,7 +82,7 @@ function checkAccess (kb, doc, directory, aclDoc, agent, modesRequired, origin,
   return !accessDenied(kb, doc, directory, aclDoc, agent, modesRequired, origin, trustedOrigins)
 }
 
-function modesAllowed (kb, doc, directory, aclDoc, agent, origin, trustedOrigins) {
+function modesAllowed (kb, doc, directory, aclDoc, agent, origin, trustedOrigins, originTrustedModes = []) {
   var auths
   if (!directory) { // Normal case, ACL for a file
     auths = kb.each(null, ACL('accessTo'), doc, aclDoc)
@@ -62,7 +92,7 @@ function modesAllowed (kb, doc, directory, aclDoc, agent, origin, trustedOrigins
     auths = auths.concat(kb.each(null, ACL('defaultForNew'), directory, null)) // Deprecated but keep for ages
     log(`   ${auths.length}  default authentications about ${directory} in ${aclDoc}`)
   }
-  if (origin && trustedOrigins && trustedOriginsIncludeOrigin(trustedOrigins, origin)) {
+  if (origin && trustedOrigins && nodesIncludeNode(trustedOrigins, origin)) {
     log('Origin ' + origin + ' is trusted')
     origin = null // stop worrying about origin
     log(`  modesAllowed: Origin ${origin} is trusted.`)
@@ -108,6 +138,10 @@ function modesAllowed (kb, doc, directory, aclDoc, agent, origin, trustedOrigins
       log('     Origin check not needed: no origin.')
       return false
     }
+    if (originTrustedModes && originTrustedModes.length > 0) {
+      log(`     Origin might have access (${originTrustedModes.join(', ')})`)
+      return false
+    }
     if (originOK(auth, origin)) {
       log('     Origin check succeeded.')
       return false
@@ -125,6 +159,9 @@ function modesAllowed (kb, doc, directory, aclDoc, agent, origin, trustedOrigins
       modeURIorReasons.add(agentAndAppStatus)
     } else {
       let modes = kb.each(auth, ACL('mode'), null, aclDoc)
+      if (originTrustedModes && originTrustedModes.length > 0) {
+        modes = modes.filter(mode => nodesIncludeNode(originTrustedModes, mode))
+      }
       modes.forEach(mode => {
         log('      Mode allowed: ' + mode)
         modeURIorReasons.add(mode.uri)
@@ -134,9 +171,8 @@ function modesAllowed (kb, doc, directory, aclDoc, agent, origin, trustedOrigins
   return modeURIorReasons
 }
 
-function trustedOriginsIncludeOrigin (trustedOrigins, origin) {
-  return trustedOrigins.filter(
-    trustedOrigin => trustedOrigin.termType === origin.termType && trustedOrigin.value === origin.value).length > 0
+function nodesIncludeNode (nodes, node) {
+  return nodes.some(trustedOrigin => trustedOrigin.termType === node.termType && trustedOrigin.value === node.value)
 }
 
 function configureLogger (logger) {
@@ -147,9 +183,10 @@ function log (...msgs) {
   return (_logger || console.log).apply(_logger, msgs)
 }
 
+module.exports.accessDenied = accessDenied
 module.exports.checkAccess = checkAccess
 module.exports.configureLogger = configureLogger
+module.exports.getTrustedModesForOrigin = getTrustedModesForOrigin
 module.exports.log = log
-module.exports.accessDenied = accessDenied
 module.exports.modesAllowed = modesAllowed
 module.exports.publisherTrustedApp = publisherTrustedApp

test/unit/access-denied-test.js

@@ -6,6 +6,7 @@ const $rdf = require('rdflib')
 
 const ACL = $rdf.Namespace('http://www.w3.org/ns/auth/acl#')
 const FOAF = $rdf.Namespace('http://xmlns.com/foaf/0.1/')
+const ALICE = $rdf.Namespace('https://alice.example.com/')
 
 const prefixes = `@prefix acl: <http://www.w3.org/ns/auth/acl#> .
 @prefix foaf: <http://xmlns.com/foaf/0.1/>.
@@ -403,3 +404,34 @@ test('aclCheck accessDenied() test - With trustedOrigins', t => {
   t.end()
 })
 
+test('aclCheck accessDenied() test - with use of acl:trustedApp', t => {
+  const resource = ALICE('docs/file1')
+  const aclDoc = ALICE('docs/.acl')
+  const aclUrl = aclDoc.uri
+
+  const origin = $rdf.sym('https://apps.example.com')
+  const aclStore = $rdf.graph()
+  // grants read, write and control access to Alice
+  const ACLtext = `${prefixes}
+  <#auth> a acl:Authorization;
+    acl:mode acl:Read, acl:Write, acl:Control;
+    acl:agent alice:me;
+    acl:accessTo ${resource} .
+  `
+  $rdf.parse(ACLtext, aclStore, aclUrl, 'text/turtle')
+
+  const agent = alice
+  const directory = null
+  const trustedOrigins = []
+  const originTrustedModes = [ACL('Read'), ACL('Write')]
+
+  const readWriteModeRequired = [ACL('Read'), ACL('Write')]
+  const readWriteModeResult = aclLogic.accessDenied(aclStore, resource, directory, aclDoc, agent, readWriteModeRequired, origin, trustedOrigins, originTrustedModes)
+  t.ok(!readWriteModeResult, 'Should get access to modes when origin is listed as trusted app')
+
+  const controlModeRequired = [ACL('Control')]
+  const controlModeResult = aclLogic.accessDenied(aclStore, resource, directory, aclDoc, agent, controlModeRequired, origin, trustedOrigins, originTrustedModes)
+  t.ok(controlModeResult, 'All Required Access Modes Not Granted', 'Correct reason')
+
+  t.end()
+})

test/unit/get-trusted-modes-for-origin-test.js

@@ -0,0 +1,30 @@
+'use strict'
+
+const test = require('tape')
+const aclLogic = require('../../src/acl-check')
+const $rdf = require('rdflib')
+
+const ACL = $rdf.Namespace('http://www.w3.org/ns/auth/acl#')
+const ALICE = $rdf.Namespace('https://alice.example.com/')
+const alice = ALICE('#me')
+
+const prefixes = `
+@prefix acl: ${ACL()} .
+@prefix alice: ${ALICE('#')} .
+`
+
+test('aclCheck getTrustedModesForOirign() test', t => {
+  const origin = $rdf.sym('https://apps.example.com')
+  const agent = alice
+  const agentStore = $rdf.graph()
+  const agentText = `${prefixes}
+  ${agent} acl:trustedApp [  acl:origin ${origin};
+                             acl:mode acl:Read, acl:Write].
+  `
+  $rdf.parse(agentText, agentStore, agent.uri, 'text/turtle')
+
+  aclLogic.getTrustedModesForOrigin(agentStore, agent, origin).then(result => {
+    t.deepEqual(result, [ACL('Read'), ACL('Write')], 'Should get a list of modes')
+    t.end()
+  })
+})