LD4P / sinopia_acl

node.js based code to interact with WebACL data on sinopia server
Apache License 2.0

integration test: change root container webACL to write/control for admin user only #19

Closed ndushay closed 5 years ago

ndushay commented 5 years ago

Essentially, we want only the admin webid(s) to be enabled for Control and Write for the webACL of the root container. We do want world read access, though.

I believe the sequence would be something like:

  1. create correct graph for webACL (see below)
  2. spin up testing instance of server using docker-compose (with default root webACL?)
  3. write ttl from correct graph to server. (requires #25)
  4. get root container webACL ttl back from server and assert it is correct (requires #26)
    • use WebAccessControl class to parse the webACL into graph; then assert graph has expected contents.

what is the correct graph?

So the ttl would look something like

@prefix acl:  <http://www.w3.org/ns/auth/acl#> .

<http://platform:8080/#control>
        acl:mode      acl:Read ;
        acl:mode      acl:Write ;
        acl:mode      acl:Control ;
        acl:agent     <adminUser1WebId> ;
        acl:agent     <adminUser2WebId> ;
        acl:accessTo  <http://platform:8080/> .

<http://platform:8080/#read>
        acl:mode        acl:Read ;
        acl:agentClass  <http://xmlns.com/foaf/0.1/Agent> ;
        acl:accessTo    <http://platform:8080/> .

Not sure if it makes sense to do this as a function (see #22) or if we should have a fixture file that only needs the agent triples added based on settings for admin user webid(s) in config/default.js.

If we use the fixture file approach, the fixture file would be:

@prefix acl:  <http://www.w3.org/ns/auth/acl#> .

<http://platform:8080/#control>
        acl:mode      acl:Read ;
        acl:mode      acl:Write ;
        acl:mode      acl:Control ;
        acl:accessTo  <http://platform:8080/> .

<http://platform:8080/#read>
        acl:mode        acl:Read ;
        acl:agentClass  <http://xmlns.com/foaf/0.1/Agent> ;
        acl:accessTo    <http://platform:8080/> .

auth/auth concerns

See #5

Note that in production, we will need to use a real webid string and use JWT to pass accessToken to Cognito; it is possible this is figured out in LD4P/sinopia_server#77. If there is no straightforward way to do this yet, we could use basic auth and cmharlow's webid as admin user for now, and split this into a separate ticket.

Note that we probably want Michelle and the devs with admin access (as default config setting)
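
The fixture-file approach and the "assert it is correct" step described in the comment above, as an added example that is not part of the issue or of sinopia_acl's code. The function names and the admin WebIDs passed to them are hypothetical, and the small parser handles only the Turtle subset shown in the issue; a real test would parse with the WebAccessControl class the comment mentions.

```javascript
// Constructed sample input: the fixture from the issue, with no acl:agent triples yet.
const FIXTURE = `@prefix acl:  <http://www.w3.org/ns/auth/acl#> .
<http://platform:8080/#control>
        acl:mode      acl:Read ;
        acl:mode      acl:Write ;
        acl:mode      acl:Control ;
        acl:accessTo  <http://platform:8080/> .

<http://platform:8080/#read>
        acl:mode        acl:Read ;
        acl:agentClass  <http://xmlns.com/foaf/0.1/Agent> ;
        acl:accessTo    <http://platform:8080/> .
`;

// Hypothetical helper: insert one acl:agent triple per admin WebID into #control.
function addAdminAgents(ttl, webids) {
  for (const w of webids) // refuse characters that could close the IRI and inject triples
    if (/[\s<>"{}|^`\\]/.test(w)) throw new Error(`invalid WebID: ${w}`);
  const agents = webids.map(w => `        acl:agent     <${w}> ;\n`).join('');
  return ttl.replace(/<[^>]*#control>\s*\n/, m => m + agents);
}

// Parser for the Turtle subset above only (prefixed names, ';' lists); not a general parser.
function parseAcl(ttl) {
  const auths = {};
  for (const stmt of ttl.replace(/@prefix[^\n]*\n/g, '').split(/\s+\.\s*/)) {
    const [subject, ...rest] = stmt.trim().split(/\s+/).filter(t => t && t !== ';');
    if (!subject) continue;
    const a = auths[subject] = { modes: new Set(), agents: new Set(), classes: new Set() };
    for (let i = 0; i + 1 < rest.length; i += 2) {
      const key = { 'acl:mode': 'modes', 'acl:agent': 'agents', 'acl:agentClass': 'classes' }[rest[i]];
      if (key) a[key].add(rest[i + 1].replace(/^<|>$/g, ''));
    }
  }
  return auths;
}

// Policy from the issue: Write/Control for admin WebIDs only, Read for everyone.
function checkRootAcl(ttl, admins) {
  const problems = [], granted = new Set(), auths = Object.entries(parseAcl(ttl));
  for (const [id, a] of auths) {
    if (!a.modes.has('acl:Write') && !a.modes.has('acl:Control')) continue;
    if (a.classes.size) problems.push(`${id}: Write/Control open to an agent class`);
    a.agents.forEach(g => admins.includes(g) ? granted.add(g) : problems.push(`${id}: non-admin ${g}`));
  }
  admins.filter(w => !granted.has(w)).forEach(w => problems.push(`admin ${w} lacks Write/Control`));
  if (!auths.some(([, a]) => a.modes.has('acl:Read') && a.classes.has('http://xmlns.com/foaf/0.1/Agent'))) problems.push('no world Read authorization');
  return problems;
}
```

`checkRootAcl` returns an empty array only when every configured admin holds Write/Control, no one else does, and the world Read authorization is present, so the unmodified fixture (no agents) is reported as a failure rather than passing silently.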

ndushay commented 5 years ago

Note that at this time, we have __tests__/__fixtures__/stanfordGroupAcl_2Users.ttl that can be used as a fixture for playing; we would want a better fixture to use for realz, or to create the graph via a function (#22)

ndushay commented 5 years ago

@mjgiarlo I believe this is done so I am closing. Please reopen if I am wrong.