Open ylebre opened 3 years ago
Correct! I just totally forgot to write those. We don't need to test for the acl:trustedApp mechanism since that was always considered a bit of a stop-gap. But we should add tests for acl:origin, for instance this ACL doc:
@prefix : <#>.
@prefix n0: <http://www.w3.org/ns/auth/acl#>.
@prefix priv: <./>.
@prefix c: </profile/card#>.

:ControlReadWrite
    a n0:Authorization;
    n0:accessTo priv:;
    n0:agent c:me;
    n0:default priv:;
    n0:mode n0:Control, n0:Read, n0:Write.
:Read
    a n0:Authorization;
    n0:accessTo priv:;
    n0:default priv:;
    n0:mode n0:Read;
    n0:origin <https://chat.inrupt.app>.
which is the ACL of my private folder, means that I have:
So the authorizations add up, and you need to be authorized for both your identity and (if you come cross-origin) for your origin.
So to make sure I understand, the origin authorization applies to all agent authorizations in the same ACL. There is no need to specify any agent in the origin authorization. This is what you mean by saying they add up. So if we added an authorization for the agent Bob to read this folder, then he would also only be able to do that from origin https://chat.inrupt.app.
Ah wait, now I'm not sure anymore. It could either be that you need >=1 authorization for your origin and >=1 for your webid, but it could also be that you need >=1 authorization that combines the two in a single authorization.
https://github.com/solid/web-access-control-spec says "If the Origin is allowed by [any authorization in] the ACL" so that would imply "If the Origin is allowed by [any authorization in] the ACL", not necessarily "If the Origin is allowed by [that same authorization in] the ACL".
But to play it safe you could create two tests:
@csarven do you think that is correct? Is there anything you want to add?
Just for clarification, consider the following acl rules:
@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.

:ControlReadWrite
    a acl:Authorization;
    acl:agent </alice/profile/card#me>;
    acl:default <./>;
    acl:accessTo <./>;
    acl:mode acl:Control, acl:Read, acl:Write.
:Read
    a acl:Authorization;
    acl:origin <https://chat.app>;
    acl:default <./>;
    acl:accessTo <./>;
    acl:mode acl:Read.
:BobReadWrite
    a acl:Authorization;
    acl:agent </alice/profile/card#me>;
    acl:origin <https://another-chat.app>;
    acl:default <./>;
    acl:accessTo <./>;
    acl:mode acl:Write, acl:Read.
The grants from the acl file are:
Agent Alice has Read, Write, Control
Agent Bob has Read, Write
Origin chat.app has Read
Origin another-chat.app has Read, Write

So combined with the origin, this would be:

Without origin:
Agent Alice (without origin) has Read, Write, Control
Agent Bob (without origin) has Read, Write

With origin chat.app:
Agent Alice, from Origin chat.app has Read
Agent Bob, from Origin chat.app has Read

With origin another-chat.app:
Agent Alice, from Origin another-chat.app has Read, Write
Agent Bob, from Origin another-chat.app has Read, Write
Is this the right interpretation?
There are currently no checks for this part of the spec: http://solid.github.io/web-access-control-spec/#referring-to-origins-ie-web-apps
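
The two readings debated in this thread, evaluated over the three-rule ACL from the last comment. This is an added example, not code from the thread or from the Solid test suite. The ACL is modelled by hand as objects rather than parsed from Turtle, and the function names and Bob's WebID `/bob/profile/card#me` are assumptions (the ACL as posted names Alice in :BobReadWrite).

```javascript
// Added illustration: the ACL from the thread, modelled by hand as plain objects.
// Assumption: :BobReadWrite is meant to name Bob; his WebID below is constructed.
const ALICE = '/alice/profile/card#me';
const BOB = '/bob/profile/card#me'; // constructed placeholder
const acl = [
  { id: 'ControlReadWrite', agent: ALICE, modes: ['Control', 'Read', 'Write'] },
  { id: 'Read', origin: 'https://chat.app', modes: ['Read'] },
  { id: 'BobReadWrite', agent: BOB, origin: 'https://another-chat.app', modes: ['Read', 'Write'] },
];

// Union of modes over every authorization accepted by `pred`, sorted for comparison.
function modesWhere(rules, pred) {
  return [...new Set(rules.filter(pred).flatMap((r) => r.modes))].sort();
}

// Reading 1: ">=1 authorization for your origin and >=1 for your webid".
// Agent grants and origin grants are collected separately, then intersected.
function separateReading(rules, agent, origin) {
  const byAgent = modesWhere(rules, (r) => r.agent === agent);
  if (!origin) return byAgent; // no cross-origin request: only the agent check applies
  const byOrigin = modesWhere(rules, (r) => r.origin === origin);
  return byAgent.filter((m) => byOrigin.includes(m));
}

// Reading 2: ">=1 authorization that combines the two in a single authorization".
function combinedReading(rules, agent, origin) {
  if (!origin) return modesWhere(rules, (r) => r.agent === agent);
  return modesWhere(rules, (r) => r.agent === agent && r.origin === origin);
}

// Both readings side by side for every agent/origin pair discussed in the thread.
function compare() {
  const rows = [];
  for (const agent of [ALICE, BOB]) {
    for (const origin of [null, 'https://chat.app', 'https://another-chat.app']) {
      rows.push({ agent, origin,
        separate: separateReading(acl, agent, origin).join(','),
        combined: combinedReading(acl, agent, origin).join(',') });
    }
  }
  return rows;
}

console.table(compare());
```

The rows where the two columns differ (Alice from either chat origin, Bob from chat.app) are the requests a test has to make to tell the readings apart.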