solid-contrib / web-access-control-tests

Tests if a Solid server implements web access control correctly
MIT License

Feature: add tests for 'Origin' header #16

Open ylebre opened 3 years ago

ylebre commented 3 years ago

There are currently no checks for this part of the spec: http://solid.github.io/web-access-control-spec/#referring-to-origins-ie-web-apps

michielbdejong commented 3 years ago

Correct! I just totally forgot to write those. We don't need to test for the acl:trustedApp mechanism since that was always considered a bit of a stop-gap. But we should add tests for acl:origin, for instance this ACL doc:

@prefix : <#>.
@prefix n0: <http://www.w3.org/ns/auth/acl#>.
@prefix priv: <./>.
@prefix c: </profile/card#>.

:ControlReadWrite
    a n0:Authorization;
    n0:accessTo priv:;
    n0:agent c:me;
    n0:default priv:;
    n0:mode n0:Control, n0:Read, n0:Write.
:Read
    a n0:Authorization;
    n0:accessTo priv:;
    n0:default priv:;
    n0:mode n0:Read;
    n0:origin <https://chat.inrupt.app>.

which is the ACL of my private folder, means that I have:

So the authorizations add up, and you need to be authorized for both your identity and (if you come cross-origin) for your origin.

edwardsph commented 3 years ago

So to make sure I understand, the origin authorization applies to all agent authorizations in the same ACL. There is no need to specify any agent in the origin authorization. This is what you mean by saying they add up. So if we added an authorization for the agent Bob to read this folder, then he would also only be able to do that from origin https://chat.inrupt.app.

michielbdejong commented 3 years ago

Ah wait, now I'm not sure anymore. It could either be that you need >=1 authorization for your origin and >=1 for your webid, but it could also be that you need >=1 authorization that combines the two in a single authorization.

https://github.com/solid/web-access-control-spec says "If the Origin is allowed by [any authorization in] the ACL" so that would imply "If the Origin is allowed by [any authorization in] the ACL", not necessarily "If the Origin is allowed by [that same authorization in] the ACL".

But to play it safe you could create two tests:

@csarven do you think that is correct? Is there anything you want to add?

ylebre commented 3 years ago

Just for clarification, consider the following acl rules:

@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.

:ControlReadWrite
    a acl:Authorization;
    acl:agent </alice/profile/card#me>;
    acl:default <./>;
    acl:accessTo <./>;
    acl:mode acl:Control, acl:Read, acl:Write.

:Read
    a acl:Authorization;
    acl:origin <https://chat.app>;
    acl:default <./>;
    acl:accessTo <./>;
    acl:mode acl:Read.

:BobReadWrite
    a acl:Authorization;
    acl:agent </alice/profile/card#me>;
    acl:origin <https://another-chat.app>;
    acl:default <./>;
    acl:accessTo <./>;
    acl:mode acl:Write, acl:Read.

The grants from the acl file are:

Agent Alice has Read, Write, Control
Agent Bob has Read, Write
Origin chat.app has Read
Origin another-chat.app has Read, Write

So combined with the origin, this would be:

Without origin:

Agent Alice (without origin) has Read, Write, Control
Agent Bob (without origin) has Read, Write

With origin chat.app:

Agent Alice, from Origin chat.app has Read
Agent Bob, from Origin chat.app has Read

With origin another-chat.app:

Agent Alice, from Origin another-chat.app has Read, Write
Agent Bob, from Origin another-chat.app has Read, Write

Is this the right interpretation?
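
The two readings raised in the thread (separate authorizations for the WebID and the origin, versus one authorization naming both), evaluated over the ACL from the last comment to show where they diverge. This is an added example, not part of the thread or of the test suite; the rule objects, the function names and Bob's WebID are assumptions.

```javascript
// Constructed model of the ACL in the comment above. BOB is an assumed WebID:
// the posted :BobReadWrite rule repeats Alice's WebID.
const ALICE = "/alice/profile/card#me";
const BOB = "/bob/profile/card#me"; // hypothetical
const acl = [
  { id: "ControlReadWrite", agent: ALICE, origin: null, modes: ["Control", "Read", "Write"] },
  { id: "Read", agent: null, origin: "https://chat.app", modes: ["Read"] },
  { id: "BobReadWrite", agent: BOB, origin: "https://another-chat.app", modes: ["Read", "Write"] },
];

// Reading 1: >=1 authorization for the WebID and, when an Origin header is
// present, >=1 authorization (possibly a different one) for that origin.
function allowedSeparate(rules, agent, origin, mode) {
  const agentOk = rules.some(r => r.agent === agent && r.modes.includes(mode));
  const originOk = origin === null ||
    rules.some(r => r.origin === origin && r.modes.includes(mode));
  return agentOk && originOk;
}

// Reading 2: a single authorization must name both the WebID and the origin.
function allowedCombined(rules, agent, origin, mode) {
  return rules.some(r => r.agent === agent && r.modes.includes(mode) &&
    (origin === null || r.origin === origin));
}

// Modes granted to (agent, origin) under the given reading.
function grantedModes(check, agent, origin) {
  return ["Read", "Write", "Control"].filter(m => check(acl, agent, origin, m));
}

// One row per (agent, origin) case, with the modes each reading grants.
function compareReadings() {
  const rows = [];
  for (const agent of [ALICE, BOB]) {
    for (const origin of [null, "https://chat.app", "https://another-chat.app"]) {
      rows.push({ agent, origin,
        separate: grantedModes(allowedSeparate, agent, origin).join(","),
        combined: grantedModes(allowedCombined, agent, origin).join(",") });
    }
  }
  return rows;
}

console.table(compareReadings());
```

Rows where the two columns differ are the cases a test needs to pin down one reading; rows where they agree pass under either.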