solid-contrib / web-access-control-tests

Tests if a Solid server implements web access control correctly
MIT License

Investigate 4 CSS v4.0.1 failures in create.test.ts #51

Closed michielbdejong closed 2 years ago

michielbdejong commented 2 years ago

As reported by @mrvahedi68 - just reproduced it:

```
 FAIL  test/surface/create.test.ts (11.652 s)
  Create
    Using POST to existing container
      ✓ Is allowed with accessTo Append access (1263 ms)
      ✓ Is allowed with accessTo Write access (460 ms)
      ✓ Is disallowed otherwise (426 ms)
    Using PUT in existing container
      ✓ Is allowed with accessTo Write and default Write access (440 ms)
      ✓ Is allowed with accessTo Append and default Write access (421 ms)
      ✓ is disallowed without default Write (398 ms)
      ✓ is disallowed without accessTo Write or Append (403 ms)
    Using PATCH in existing container
      ✓ Is allowed with accessTo Write and default Write access (403 ms)
      ✓ Is allowed with accessTo Append and default Write access (373 ms)
      ✕ is disallowed without default Write (402 ms)
      ✓ is disallowed without accessTo Write or Append (401 ms)
    Using PUT in non-existing container
      ✓ Is allowed with accessTo Write and default Write access (388 ms)
      ✓ Is allowed with accessTo Append and default Write access (392 ms)
      ✓ is disallowed without default Write (383 ms)
      ✕ is disallowed without accessTo Write or Append (378 ms)
    Using PATCH in non-existing container
      ✓ Is allowed with accessTo Write and default Write access (390 ms)
      ✓ Is allowed with accessTo Append and default Write access (384 ms)
      ✕ is disallowed without default Write (360 ms)
      ✕ is disallowed without accessTo Write or Append (365 ms)

  ● Create › Using PATCH in existing container › is disallowed without default Write

    expect(received).toEqual(expected) // deep equality

    Expected: 403
    Received: 201

      365 |         "  solid:inserts { <#hello> <#linked> <#world> .}.\n",
      366 |       });
    > 367 |       expect(result.status).toEqual(403);
          |                             ^
      368 |     });
      369 | 
      370 |     it(`is disallowed without accessTo Write or Append`, async () => {

      at test/surface/create.test.ts:367:29
      at step (test/surface/create.test.ts:33:23)
      at Object.next (test/surface/create.test.ts:14:53)
      at fulfilled (test/surface/create.test.ts:5:58)

  ● Create › Using PUT in non-existing container › is disallowed without accessTo Write or Append

    expect(received).toEqual(expected) // deep equality

    Expected: 403
    Received: 201

      524 |         }
      525 |       });
    > 526 |       expect(result.status).toEqual(403);
          |                             ^
      527 |     });
      528 | 
      529 |   });

      at test/surface/create.test.ts:526:29
      at step (test/surface/create.test.ts:33:23)
      at Object.next (test/surface/create.test.ts:14:53)
      at fulfilled (test/surface/create.test.ts:5:58)
          at runMicrotasks (<anonymous>)

  ● Create › Using PATCH in non-existing container › is disallowed without default Write

    expect(received).toEqual(expected) // deep equality

    Expected: 403
    Received: 201

      625 |         "  solid:inserts { <#hello> <#linked> <#world> .}.\n",
      626 |       });
    > 627 |       expect(result.status).toEqual(403);
          |                             ^
      628 |     });
      629 | 
      630 |     it(`is disallowed without accessTo Write or Append`, async () => {

      at test/surface/create.test.ts:627:29
      at step (test/surface/create.test.ts:33:23)
      at Object.next (test/surface/create.test.ts:14:53)
      at fulfilled (test/surface/create.test.ts:5:58)
          at runMicrotasks (<anonymous>)

  ● Create › Using PATCH in non-existing container › is disallowed without accessTo Write or Append

    expect(received).toEqual(expected) // deep equality

    Expected: 403
    Received: 201

      658 |         "  solid:inserts { <#hello> <#linked> <#world> .}.\n",
      659 |       });
    > 660 |       expect(result.status).toEqual(403);
          |                             ^
      661 |     });
      662 |   });
      663 | });

      at test/surface/create.test.ts:660:29
      at step (test/surface/create.test.ts:33:23)
      at Object.next (test/surface/create.test.ts:14:53)
      at fulfilled (test/surface/create.test.ts:5:58)
          at runMicrotasks (<anonymous>)

Test Suites: 1 failed, 1 total
Tests:       4 failed, 15 passed, 19 total
Snapshots:   0 total
Time:        11.832 s, estimated 12 s
Ran all test suites matching /.\/test\/surface\/create.test.ts/i.
Test results written to: ../test-suite/CSS/wac-results.json
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! web-access-control-tests@6.0.0 jest: `jest ./test/surface/create.test.ts "--verbose" "--json" "--outputFile=../test-suite/CSS/wac-results.json"`
npm ERR! Exit status 1
npm ERR! 
npm ERR! Failed at the web-access-control-tests@6.0.0 jest script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/michiel/.npm/_logs/2022-06-13T11_22_27_593Z-debug.log
```

michielbdejong commented 2 years ago

Create -> Using PUT in non-existing container -> is disallowed without accessTo Write or Append seems to pass when run in isolation

michielbdejong commented 2 years ago

Investigating Create › Using PATCH in existing container › is disallowed without default Write. This is the ACL:

```
SolidAuthFetcher curl -v -X 'PUT' -d '@prefix acl: <http://www.w3.org/ns/auth/acl#>.
  SolidAuthFetcher 
  SolidAuthFetcher <#alice> a acl:Authorization;
  SolidAuthFetcher   acl:agent <https://solidtestsuite.solidcommunity.net/profile/card#me>;
  SolidAuthFetcher   acl:accessTo <http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/>;
  SolidAuthFetcher   acl:default <http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/>;
  SolidAuthFetcher   acl:mode acl:Read, acl:Write, acl:Control.
  SolidAuthFetcher <#bobAccessTo> a acl:Authorization;
  SolidAuthFetcher   acl:agent <https://solid-crud-tests-example-2.solidcommunity.net/profile/card#me>;
  SolidAuthFetcher   acl:accessTo <http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/>;
  SolidAuthFetcher   acl:mode acl:Read, acl:Append, acl:Write, acl:Control.
  SolidAuthFetcher <#bobDefault> a acl:Authorization;
  SolidAuthFetcher   acl:agent <https://solid-crud-tests-example-2.solidcommunity.net/profile/card#me>;
  SolidAuthFetcher   acl:default <http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/>;
  SolidAuthFetcher   acl:mode acl:Read, acl:Append, acl:Control.
  SolidAuthFetcher ' -H 'Content-Type: text/turtle' -H 'authorization: DPoP eyJhbGciOiJSUzI1NiIsImtpZCI6IkpxS29zX2J0SHBnIn0.eyJpc3MiOiJodHRwczovL3NvbGlkY29tbXVuaXR5Lm5ldCIsImF1ZCI6InNvbGlkIiwic3ViIjoiaHR0cHM6Ly9zb2xpZHRlc3RzdWl0ZS5zb2xpZGNvbW11bml0eS5uZXQvcHJvZmlsZS9jYXJkI21lIiwiZXhwIjoxNjU2MzMwOTA0LCJpYXQiOjE2NTUxMjEzMDQsImp0aSI6IjU5OGMwZDZkOWY2OTg4NzIiLCJjbmYiOnsiamt0IjoiS18wOXF0Q2JKZTlTXzVrQ1BkX2RSRVhOT3AybHczaDNiS1NzNU13RmZzZyJ9LCJjbGllbnRfaWQiOiJmMTQyOWY5OWJiMjM0YzdkNjc5MTQ5ZWNkNmU2ZmM4NyIsIndlYmlkIjoiaHR0cHM6Ly9zb2xpZHRlc3RzdWl0ZS5zb2xpZGNvbW11bml0eS5uZXQvcHJvZmlsZS9jYXJkI21lIn0.DiOMqQGnVQvQp2rcq8zdQ3AuGrTBPG_HEmOTKmssIzKKr9c9S330WcUHGlXAOqs13prTqkrQnATjG7pOmEWoD-i_m4BYBw8qOZ2XcPo6QOn7JyGcFL-CHZWEfFfq7y3voohC5xzvcdjWQnklFhbnO26x8chjXQ2t5-0Ay9yV02mTbmBmbK8TeRxh47ndiZ8ExJ_jQjH2onZMbSgWzprmdgiwBM5HZ522rYb_qgVu5BgKcC4PlxD93UyKkNZiWDSGBW4mwcl9Z-HHKl8F76MqSwLtsUo35oUcJtBCudSQFwirRU8ZieuVPK_LFg7S8tapcwv1YEijbF1aAy0NL9vOoA' -H 'dpop: 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.eyJodHUiOiJodHRwOi8vbG9jYWxob3N0OjMwMDAvd2ViLWFjY2Vzcy1jb250cm9sLXRlc3RzLTE2NTUxMjEzMDM5MDMvMTAvYWxsT3RoZXJNb2Rlcy8uYWNsIiwiaHRtIjoiUFVUIiwianRpIjoiNjMyYWQ5YjgtMTEwMi00YTllLTlhODUtMWVlNTg1ZDlmYjMxIiwiaWF0IjoxNjU1MTIxMzA1LCJleHAiOjE2NTUxMjQ5MDV9.QHYBpGmWmJzMyHSKRmTDqIo-hxyQ3E18Op0LRmI22zKbpLJJX2_nij63HaPJHVN0bZGksMgLiRZfBPDbAGu6ASh6-RPJHxIhdoe2SXysUsR7w1EV9ecURCFl5Nzsa_aEHhvVlqQtf3fCoWrTAx5Z8cLSCSK1uAltVMdKsIVGX8Tj9oPtxLpG2z-YG4XV88oz08VKLxX9a_YjTDnwOBJ4UJ7tvOVsYOJpUhoWFcRiCUsLfKcjOJDiPiB6lpK3YNdUt6r1syV1gRzigbd-2sYQ6vWx6Alag33CemRWB-7JIqIb7-Cz5WKQ2WbjLdyIcfWZ1iCV-OcM7KNi3Mkc4U9A8Q' http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/.acl +84ms
```

This is the request that the test thinks should be disallowed:

```
  SolidAuthFetcher curl -v -X 'PATCH' -d '@prefix solid: <http://www.w3.org/ns/solid/terms#>.
  SolidAuthFetcher <#patch> a solid:InsertDeletePatch;
  SolidAuthFetcher   solid:inserts { <#hello> <#linked> <#world> .}.
  SolidAuthFetcher ' -H 'Content-Type: text/n3' -H 'authorization: DPoP eyJhbGciOiJSUzI1NiIsImtpZCI6IkpxS29zX2J0SHBnIn0.eyJpc3MiOiJodHRwczovL3NvbGlkY29tbXVuaXR5Lm5ldCIsImF1ZCI6InNvbGlkIiwic3ViIjoiaHR0cHM6Ly9zb2xpZC1jcnVkLXRlc3RzLWV4YW1wbGUtMi5zb2xpZGNvbW11bml0eS5uZXQvcHJvZmlsZS9jYXJkI21lIiwiZXhwIjoxNjU2MzMwOTA1LCJpYXQiOjE2NTUxMjEzMDUsImp0aSI6IjhkZThmMjExYjEyNDQ5ZWQiLCJjbmYiOnsiamt0IjoiekdfbVRSY2NCb0ZKTmFlVXVlQVBLY0NQUGxEcWxFZjlpR3plZGVSekZIZyJ9LCJjbGllbnRfaWQiOiIwN2FjMDhjNjk3NjhmN2VhNzNlNjc1ZTRkYTdmNzYzNCIsIndlYmlkIjoiaHR0cHM6Ly9zb2xpZC1jcnVkLXRlc3RzLWV4YW1wbGUtMi5zb2xpZGNvbW11bml0eS5uZXQvcHJvZmlsZS9jYXJkI21lIn0.NgyOXEVYxgiKoHZRUwb5l2-kuwZ5sbXYW-_fonGC_kEKuA0Vl2ajY2tYDaE6z_Fn-EcneH_5KSIZdLdkZR3Xh5fpcN8mx3R0L3m9hpzVUCT7QgdnPyal1gKBzgEToY_CvvLm5x7PogwJia04MfROKcJe3ILFyUO6ngXwG_S991W-5fCs3lOCkGNv2uG1HzALNo_CNvP7TjhJpMKDZeVVWCxlOGjCoEBs9k_n8w_Txgl0Tay7ypOF7Rzoh6DfHvk4MtrdZ4Z1opGsLtrmc2n2b3VBKxNVMAZv1IftEcup2cB2B_zjEdlveXASfp56YH2TfnxBgAZIudZEHPRgHfAe1g' -H 'dpop: eyJhbGciOiJSUzI1NiIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6IlJTQSIsImtpZCI6InpHX21UUmNjQm9GSk5hZVV1ZUFQS2NDUFBsRHFsRWY5aUd6ZWRlUnpGSGciLCJ1c2UiOiJzaWciLCJhbGciOiJSUzI1NiIsImUiOiJBUUFCIiwibiI6InB6WWJlRTFxUzhCNWhabHNiSWNQcUw3X1FKaXZWVVVkSks1eXZ0WTdfRmZtcnBKMmdmeG1WR0FlZ1hFVjQyaDRiMkttR0d3eldLVzIyTWxDTUlkUXJuSmhnZFBvdHMxWDBCZHluQmE5MWZhZE10dnJiejl4UWVsQUx6Wi1Cc0xHVGkxMjBUZ0h2Q2pEaHFzZEhOOXdRWDliN1BFMjh4bXVITHp5MEtGVlhKdkVrdzZNWFZvQXZmcktwYjNKSmFJY0JfOW9zMi1HbE1rUWNINm5wZElOR3pid0FORnctaWI2TDB1UERQNHZ1X2ZrMF9UWGtyekdXQ2tMLTcxMjRjZjRiR3NxbFJVQXpTYWVINmxhV3VzNjZLeWIzMU9GdGY1bzdETTlJM1RLZVlfR0RWbXZuczVUbjJwYjZmT05TaEw4UEozdzgyV1JFRGtJZVRHS1RpYmVVdyJ9fQ.eyJodHUiOiJodHRwOi8vbG9jYWxob3N0OjMwMDAvd2ViLWFjY2Vzcy1jb250cm9sLXRlc3RzLTE2NTUxMjEzMDM5MDMvMTAvYWxsT3RoZXJNb2Rlcy9uZXcudHh0IiwiaHRtIjoiUEFUQ0giLCJqdGkiOiI3OWU4ODI2Mi1jMWEwLTQ5NTgtOGUxOC1kMmFhMDdkY2FjNzAiLCJpYXQiOjE2NTUxMjEzMDUsImV4cCI6MTY1NTEyNDkwNX0.V0JH6xZsNt9hCQg-9sR8km4r3ugdtRMpBoaebf42pg3Yk1rPWsWYMWLCQeaflv_ja8ZjguFhQwCmuJg01iziHDj2D0yGRmXGu4Gd7WmYx1AYASgLa16bGZbGMYIZEyKERo-JoeNawFPAijLHEd5AbczjLSBBVY6fprDrwholQWh7aJa7o-rHyF_zlc7qFzZh-PAUYPGoBxHzBpFFeh-E5TVZzLwaUHpUA4KGpNCX35w_GeP4ybC_QA5vg7l7JbdndBFacOEcePtwWdLcnwmmsXM_2l-rK4LCD2suXmUfVSRxXgWgHz4aTSVHFYjQmUtkODk_wj2_KVC_hJUOKskXHw' http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/new.txt +62ms
```

michielbdejong commented 2 years ago

Edit line 32 of node_modules/@solid/access-token-verifier/dist/algorithm/verifyDpopProof.js to reproduce this:

```sh
curl -v -X 'PUT' -d @acl.ttl -H 'Content-Type: text/turtle' -H 'authorization: DPoP eyJhbGciOiJSUzI1NiIsImtpZCI6IkpxS29zX2J0SHBnIn0.eyJpc3MiOiJodHRwczovL3NvbGlkY29tbXVuaXR5Lm5ldCIsImF1ZCI6InNvbGlkIiwic3ViIjoiaHR0cHM6Ly9zb2xpZHRlc3RzdWl0ZS5zb2xpZGNvbW11bml0eS5uZXQvcHJvZmlsZS9jYXJkI21lIiwiZXhwIjoxNjU2MzMwOTA0LCJpYXQiOjE2NTUxMjEzMDQsImp0aSI6IjU5OGMwZDZkOWY2OTg4NzIiLCJjbmYiOnsiamt0IjoiS18wOXF0Q2JKZTlTXzVrQ1BkX2RSRVhOT3AybHczaDNiS1NzNU13RmZzZyJ9LCJjbGllbnRfaWQiOiJmMTQyOWY5OWJiMjM0YzdkNjc5MTQ5ZWNkNmU2ZmM4NyIsIndlYmlkIjoiaHR0cHM6Ly9zb2xpZHRlc3RzdWl0ZS5zb2xpZGNvbW11bml0eS5uZXQvcHJvZmlsZS9jYXJkI21lIn0.DiOMqQGnVQvQp2rcq8zdQ3AuGrTBPG_HEmOTKmssIzKKr9c9S330WcUHGlXAOqs13prTqkrQnATjG7pOmEWoD-i_m4BYBw8qOZ2XcPo6QOn7JyGcFL-CHZWEfFfq7y3voohC5xzvcdjWQnklFhbnO26x8chjXQ2t5-0Ay9yV02mTbmBmbK8TeRxh47ndiZ8ExJ_jQjH2onZMbSgWzprmdgiwBM5HZ522rYb_qgVu5BgKcC4PlxD93UyKkNZiWDSGBW4mwcl9Z-HHKl8F76MqSwLtsUo35oUcJtBCudSQFwirRU8ZieuVPK_LFg7S8tapcwv1YEijbF1aAy0NL9vOoA' -H 'dpop: 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.eyJodHUiOiJodHRwOi8vbG9jYWxob3N0OjMwMDAvd2ViLWFjY2Vzcy1jb250cm9sLXRlc3RzLTE2NTUxMjEzMDM5MDMvMTAvYWxsT3RoZXJNb2Rlcy8uYWNsIiwiaHRtIjoiUFVUIiwianRpIjoiNjMyYWQ5YjgtMTEwMi00YTllLTlhODUtMWVlNTg1ZDlmYjMxIiwiaWF0IjoxNjU1MTIxMzA1LCJleHAiOjE2NTUxMjQ5MDV9.QHYBpGmWmJzMyHSKRmTDqIo-hxyQ3E18Op0LRmI22zKbpLJJX2_nij63HaPJHVN0bZGksMgLiRZfBPDbAGu6ASh6-RPJHxIhdoe2SXysUsR7w1EV9ecURCFl5Nzsa_aEHhvVlqQtf3fCoWrTAx5Z8cLSCSK1uAltVMdKsIVGX8Tj9oPtxLpG2z-YG4XV88oz08VKLxX9a_YjTDnwOBJ4UJ7tvOVsYOJpUhoWFcRiCUsLfKcjOJDiPiB6lpK3YNdUt6r1syV1gRzigbd-2sYQ6vWx6Alag33CemRWB-7JIqIb7-Cz5WKQ2WbjLdyIcfWZ1iCV-OcM7KNi3Mkc4U9A8Q' http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/.acl

curl -v -X 'PATCH' -d @patch.ttl -H 'Content-Type: text/n3' -H 'authorization: DPoP eyJhbGciOiJSUzI1NiIsImtpZCI6IkpxS29zX2J0SHBnIn0.eyJpc3MiOiJodHRwczovL3NvbGlkY29tbXVuaXR5Lm5ldCIsImF1ZCI6InNvbGlkIiwic3ViIjoiaHR0cHM6Ly9zb2xpZC1jcnVkLXRlc3RzLWV4YW1wbGUtMi5zb2xpZGNvbW11bml0eS5uZXQvcHJvZmlsZS9jYXJkI21lIiwiZXhwIjoxNjU2MzMwOTA1LCJpYXQiOjE2NTUxMjEzMDUsImp0aSI6IjhkZThmMjExYjEyNDQ5ZWQiLCJjbmYiOnsiamt0IjoiekdfbVRSY2NCb0ZKTmFlVXVlQVBLY0NQUGxEcWxFZjlpR3plZGVSekZIZyJ9LCJjbGllbnRfaWQiOiIwN2FjMDhjNjk3NjhmN2VhNzNlNjc1ZTRkYTdmNzYzNCIsIndlYmlkIjoiaHR0cHM6Ly9zb2xpZC1jcnVkLXRlc3RzLWV4YW1wbGUtMi5zb2xpZGNvbW11bml0eS5uZXQvcHJvZmlsZS9jYXJkI21lIn0.NgyOXEVYxgiKoHZRUwb5l2-kuwZ5sbXYW-_fonGC_kEKuA0Vl2ajY2tYDaE6z_Fn-EcneH_5KSIZdLdkZR3Xh5fpcN8mx3R0L3m9hpzVUCT7QgdnPyal1gKBzgEToY_CvvLm5x7PogwJia04MfROKcJe3ILFyUO6ngXwG_S991W-5fCs3lOCkGNv2uG1HzALNo_CNvP7TjhJpMKDZeVVWCxlOGjCoEBs9k_n8w_Txgl0Tay7ypOF7Rzoh6DfHvk4MtrdZ4Z1opGsLtrmc2n2b3VBKxNVMAZv1IftEcup2cB2B_zjEdlveXASfp56YH2TfnxBgAZIudZEHPRgHfAe1g' -H 'dpop: eyJhbGciOiJSUzI1NiIsInR5cCI6ImRwb3Arand0IiwiandrIjp7Imt0eSI6IlJTQSIsImtpZCI6InpHX21UUmNjQm9GSk5hZVV1ZUFQS2NDUFBsRHFsRWY5aUd6ZWRlUnpGSGciLCJ1c2UiOiJzaWciLCJhbGciOiJSUzI1NiIsImUiOiJBUUFCIiwibiI6InB6WWJlRTFxUzhCNWhabHNiSWNQcUw3X1FKaXZWVVVkSks1eXZ0WTdfRmZtcnBKMmdmeG1WR0FlZ1hFVjQyaDRiMkttR0d3eldLVzIyTWxDTUlkUXJuSmhnZFBvdHMxWDBCZHluQmE5MWZhZE10dnJiejl4UWVsQUx6Wi1Cc0xHVGkxMjBUZ0h2Q2pEaHFzZEhOOXdRWDliN1BFMjh4bXVITHp5MEtGVlhKdkVrdzZNWFZvQXZmcktwYjNKSmFJY0JfOW9zMi1HbE1rUWNINm5wZElOR3pid0FORnctaWI2TDB1UERQNHZ1X2ZrMF9UWGtyekdXQ2tMLTcxMjRjZjRiR3NxbFJVQXpTYWVINmxhV3VzNjZLeWIzMU9GdGY1bzdETTlJM1RLZVlfR0RWbXZuczVUbjJwYjZmT05TaEw4UEozdzgyV1JFRGtJZVRHS1RpYmVVdyJ9fQ.eyJodHUiOiJodHRwOi8vbG9jYWxob3N0OjMwMDAvd2ViLWFjY2Vzcy1jb250cm9sLXRlc3RzLTE2NTUxMjEzMDM5MDMvMTAvYWxsT3RoZXJNb2Rlcy9uZXcudHh0IiwiaHRtIjoiUEFUQ0giLCJqdGkiOiI3OWU4ODI2Mi1jMWEwLTQ5NTgtOGUxOC1kMmFhMDdkY2FjNzAiLCJpYXQiOjE2NTUxMjEzMDUsImV4cCI6MTY1NTEyNDkwNX0.V0JH6xZsNt9hCQg-9sR8km4r3ugdtRMpBoaebf42pg3Yk1rPWsWYMWLCQeaflv_ja8ZjguFhQwCmuJg01iziHDj2D0yGRmXGu4Gd7WmYx1AYASgLa16bGZbGMYIZEyKERo-JoeNawFPAijLHEd5AbczjLSBBVY6fprDrwholQWh7aJa7o-rHyF_zlc7qFzZh-PAUYPGoBxHzBpFFeh-E5TVZzLwaUHpUA4KGpNCX35w_GeP4ybC_QA5vg7l7JbdndBFacOEcePtwWdLcnwmmsXM_2l-rK4LCD2suXmUfVSRxXgWgHz4aTSVHFYjQmUtkODk_wj2_KVC_hJUOKskXHw' http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/new.txt
```

Just read the spec again and I think the CSS behaviour is correct here -> https://github.com/solid-contrib/web-access-control-tests/issues/52

michielbdejong commented 2 years ago

Continuing with the access-to-append-suffice-to-create branch, now seeing 7 failures:

```
Create
    Using POST to existing container
      ✓ Is allowed with accessTo Append access (1383 ms)
      ✓ Is allowed with accessTo Write access (479 ms)
      ✓ Is disallowed otherwise (433 ms)
    Using PUT in existing container
      ✓ Is allowed with accessTo Write and default Write access (402 ms)
      ✕ Is allowed with accessTo Write and default Append access (401 ms)
      ✓ Is allowed with accessTo Append and default Write access (409 ms)
      ✕ Is allowed with accessTo Append and default Append access (386 ms)
      ✓ is disallowed without default Write or Append (391 ms)
      ✓ is disallowed without accessTo Write or Append (372 ms)
    Using PATCH in existing container
      ✓ Is allowed with accessTo Write and default Write access (384 ms)
      ✓ Is allowed with accessTo Write and default Append access (381 ms)
      ✓ Is allowed with accessTo Append and default Write access (393 ms)
      ✓ Is allowed with accessTo Append and default Append access (421 ms)
      ✓ is disallowed without default Write or Append (376 ms)
      ✓ is disallowed without accessTo Write or Append (363 ms)
    Using PUT in non-existing container
      ✓ Is allowed with accessTo Write and default Write access (362 ms)
      ✕ Is allowed with accessTo Write and default Append access (346 ms)
      ✕ Is allowed with accessTo Append and default Write access (330 ms)
      ✕ Is allowed with accessTo Append and default Append access (304 ms)
      ✓ is disallowed without default Write or Append (369 ms)
      ✕ is disallowed without accessTo Write or Append (368 ms)
    Using PATCH in non-existing container
      ✓ Is allowed with accessTo Write and default Write access (360 ms)
      ✓ Is allowed with accessTo Write and default Append access (399 ms)
      ✓ Is allowed with accessTo Append and default Write access (360 ms)
      ✓ Is allowed with accessTo Append and default Append access (358 ms)
      ✓ is disallowed without default Write or Append (356 ms)
```

Will test which of these fail when run in isolation

michielbdejong commented 2 years ago

After clean up of test container names in the access-to-append-suffice-to-create branch, seeing:

```
● Create › Using PUT in existing container › Is allowed with accessTo Write and default Append access
● Create › Using PUT in existing container › Is allowed with accessTo Append and default Append access
● Create › Using PUT in non-existing container › is disallowed without accessTo Write or Append
● Create › Using PATCH in non-existing container › is disallowed without accessTo Write or Append
```

michielbdejong commented 2 years ago

Created https://github.com/solid/web-access-control-spec/issues/105 about those first two.

michielbdejong commented 2 years ago

It's uploading http://localhost:3000/web-access-control-tests-1655126590886/using-PUT-in-non-existing-test-disallowed-accessTo/.acl with accessTo 'acl:Read, acl:Control' and default 'acl:Read, acl:Append, acl:Write, acl:Control' and then tries to PUT http://localhost:3000/web-access-control-tests-1655126590886/using-PUT-in-non-existing-test-disallowed-accessTo/nested/new.txt

michielbdejong commented 2 years ago

Save this as acl.ttl:

```turtle
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.

<#access-to-read> a acl:Authorization;
  acl:agentClass foaf:Agent;
  acl:accessTo <http://localhost:3000/>;
  acl:mode acl:Read.

<#default-read-write> a acl:Authorization;
  acl:agentClass foaf:Agent;
  acl:default <http://localhost:3000/>;
  acl:mode acl:Read, acl:Write.
```

And upload it to a newly started CSS v4.0.1 instance using:

```sh
curl -v -X PUT -H 'Content-Type: text/turtle' -T acl.ttl http://localhost:3000/.acl
```

Now try these commands:

```sh
curl -v -X PUT  -H 'Content-Type: text/plain' -d hello http://localhost:3000/test.txt
curl -v -X PUT  -H 'Content-Type: text/plain' -d hello http://localhost:3000/nested/test.txt
```

The first will give a 401, the second a 201. And indeed, if you then run curl http://localhost:3000/ you will see that although the creation of /test.txt was blocked correctly, the creation of a /nested folder in the pod root was not prevented:

```turtle
@prefix dc: <http://purl.org/dc/terms/>.
@prefix ldp: <http://www.w3.org/ns/ldp#>.
@prefix posix: <http://www.w3.org/ns/posix/stat#>.
@prefix xsd: <http://www.w3.org/2001/XMLSchema#>.

<> a <http://www.w3.org/ns/pim/space#Storage>, ldp:Container, ldp:BasicContainer, ldp:Resource;
    dc:modified "2022-06-13T13:51:47.000Z"^^xsd:dateTime;
    <http://www.w3.org/ns/auth/acl#accessControl> <.acl>;
    ldp:contains <index.html>, <nested/>.
```

michielbdejong commented 2 years ago

OK, so to conclude, we found that CSS v4.0.1 passes all known tests for Solid spec v0.9, except:

1) Folder create permissions for "mkdir -p" not enforced? #1339

Environment

CSS v4.0.1, node v12.19.1, npm v6.14.8

Description

Save this as acl.ttl which gives any agent read-only access to the server root, and read-write access to any contained resources:

```turtle
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.

<#access-to-read> a acl:Authorization;
  acl:agentClass foaf:Agent;
  acl:accessTo <http://localhost:3000/>;
  acl:mode acl:Read.

<#default-read-write> a acl:Authorization;
  acl:agentClass foaf:Agent;
  acl:default <http://localhost:3000/>;
  acl:mode acl:Read, acl:Write.
```

And upload it to a newly started CSS v4.0.1 instance using:

```sh
curl -v -X PUT -H 'Content-Type: text/turtle' -T acl.ttl http://localhost:3000/.acl
```

Now try these commands:

```sh
curl -v -X PUT  -H 'Content-Type: text/plain' -d hello http://localhost:3000/test.txt
curl -v -X PUT  -H 'Content-Type: text/plain' -d hello http://localhost:3000/nested/test.txt
```

The first will give a 401, the second a 201. And indeed, if you then run curl http://localhost:3000/ you will see that although the creation of /test.txt was blocked correctly, the creation of a /nested folder in the pod root was not prevented:

```turtle
@prefix dc: <http://purl.org/dc/terms/>.
@prefix ldp: <http://www.w3.org/ns/ldp#>.
@prefix posix: <http://www.w3.org/ns/posix/stat#>.
@prefix xsd: <http://www.w3.org/2001/XMLSchema#>.

<> a <http://www.w3.org/ns/pim/space#Storage>, ldp:Container, ldp:BasicContainer, ldp:Resource;
    dc:modified "2022-06-13T13:51:47.000Z"^^xsd:dateTime;
    <http://www.w3.org/ns/auth/acl#accessControl> <.acl>;
    ldp:contains <index.html>, <nested/>.
```

However, the spec says that creating that nested/ folder should have required Write or Append on /. Is WAC not enforced for the "mkdir -p" behaviour of creating nested folders?

2) Permissions for create differ between PUT and PATCH #1340

Environment

CSS v4.0.1, node v12.19.1, npm v6.14.8

Description

Save this file as acl.ttl:

```turtle
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.

<#read-append> a acl:Authorization;
  acl:agentClass foaf:Agent;
  acl:accessTo <http://localhost:3000/>;
  acl:default <http://localhost:3000/>;
  acl:mode acl:Read, acl:Append.
```

Upload it to http://localhost:3000/.acl by doing:

```sh
curl -v -X PUT -H 'Content-Type: text/turtle' -T acl.ttl http://localhost:3000/.acl
```

Now save this as patch.n3:

```n3
@prefix solid: <http://www.w3.org/ns/solid/terms#>.
<#patch> a solid:InsertDeletePatch;
  solid:inserts { <#hello> <#linked> <#world> .}.
```

and run the following two curl commands:

```sh
curl -X PUT -d '<#hello> <#linked> <#world>.' -H 'Content-Type: text/turtle' http://localhost:3000/with-put.ttl
curl -X PATCH -T patch.n3 -H 'Content-Type: text/n3' http://localhost:3000/with-patch.ttl
```

You will see the first one results in a 401, the second one in a 201, and indeed when you do curl http://localhost:3000/ you see /with-patch.ttl was created and /with-put.ttl was not:

```turtle
[...]
    ldp:contains <index.html>, <with-patch.ttl>.
```

And with curl http://localhost:3000/with-patch.ttl you can see the contents:

```turtle
<#hello> <#linked> <#world>.
```

Why is this different depending on the verb?

See also https://github.com/solid/web-access-control-spec/issues/105.

3) the optional concurrency tests

These are not actually part of the requirements, so that's fine.
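The two reports above, as an added example in TypeScript that is not code from web-access-control-tests or the Community Solid Server: a minimal model of the WAC create decision in which every container created on the way to the target (the "mkdir -p" case of #1339) needs Write or Append on its parent, and PUT and PATCH share one decision (the verb difference of #1340). The `Server` shape, all function names and the two ACL states are constructed for this example; whether the new resource itself also needs a mode via acl:default (spec issue #105) is not modelled.

```typescript
// Added example, not code from web-access-control-tests or CSS; the ACL data below is constructed.
type Mode = "Read" | "Write" | "Append" | "Control";

// One acl:Authorization as it would come out of the .acl Turtle (no RDF parser used here).
interface Authorization {
  agentClass?: "foaf:Agent";   // public access
  agents?: string[];           // acl:agent WebIDs
  accessTo?: string;           // resource this ACL document governs directly
  defaultFor?: string;         // acl:default: inherited by descendants without their own ACL
  modes: Mode[];
}
// Which resources exist, and the authorizations in each resource's own ACL document.
interface Server { existing: string[]; acls: { [resource: string]: Authorization[] } }

function parentOf(path: string): string {   // "/a/b/" -> "/a/", "/a/b.ttl" -> "/a/", "/" -> ""
  const trimmed = path.charAt(path.length - 1) === "/" ? path.slice(0, -1) : path;
  return trimmed.slice(0, trimmed.lastIndexOf("/") + 1);
}

function matchesAgent(auth: Authorization, agent: string | null): boolean {
  if (auth.agentClass === "foaf:Agent") return true;
  return agent !== null && auth.agents !== undefined && auth.agents.indexOf(agent) >= 0;
}

// Modes the agent has on a resource: accessTo rules of its own ACL if it has one, otherwise the
// acl:default rules of the nearest ancestor container that has an ACL document.
function effectiveModes(server: Server, resource: string, agent: string | null): Mode[] {
  const modes: Mode[] = [];
  let useDefault = false;
  for (let node = resource; node !== ""; node = parentOf(node), useDefault = true) {
    const acl = server.acls[node];
    if (acl === undefined) continue;
    for (const a of acl) {
      const applies = useDefault ? a.defaultFor === node : a.accessTo === node;
      if (applies && matchesAgent(a, agent)) modes.push(...a.modes);
    }
    return modes;
  }
  return modes;   // no ACL anywhere up the path: no access
}

function canCreate(server: Server, target: string, agent: string | null): boolean {
  if (server.existing.indexOf(target) >= 0) return false;   // exists already: not a create
  // Climb through every node that would be created (the "mkdir -p" case) up to an existing
  // container. Each is created *in* its parent, which this thread's reading of the spec says
  // needs Write or Append. Whether the new resource itself also needs a mode via acl:default
  // (web-access-control-spec issue 105) is left out of this example.
  for (let node = target; server.existing.indexOf(node) < 0; node = parentOf(node)) {
    const parent = parentOf(node);
    if (parent === "") return false;   // climbed past the root
    const modes = effectiveModes(server, parent, agent);
    if (modes.indexOf("Write") < 0 && modes.indexOf("Append") < 0) return false;
  }
  return true;
}

// PUT and PATCH to a non-existing resource are the same create, so the verb must not change the
// answer: 201 when allowed, 401 for an unauthenticated agent, 403 otherwise (as in the runs above).
function authorizeCreate(server: Server, method: string, target: string, agent: string | null): number {
  if (method !== "PUT" && method !== "PATCH") return 405;   // only the two create verbs modelled
  return canCreate(server, target, agent) ? 201 : agent === null ? 401 : 403;
}

// Constructed state for report 1: the public gets Read on / itself and Read+Write below it.
const readRootWriteBelow: Server = { existing: ["/", "/.acl", "/index.html"], acls: { "/": [
  { agentClass: "foaf:Agent", accessTo: "/", modes: ["Read"] },
  { agentClass: "foaf:Agent", defaultFor: "/", modes: ["Read", "Write"] },
] } };
// Constructed state for report 2: Read and Append on / and on everything below it.
const readAppendEverywhere: Server = { existing: ["/", "/.acl", "/index.html"], acls: { "/": [
  { agentClass: "foaf:Agent", accessTo: "/", defaultFor: "/", modes: ["Read", "Append"] },
] } };
```

With these states, unauthenticated PUTs of /test.txt and /nested/test.txt are both refused with 401 (CSS v4.0.1 answered 201 for the nested one), while PUT /with-put.ttl and PATCH /with-patch.ttl both get 201.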

michielbdejong commented 2 years ago

Split out into https://github.com/solid-contrib/test-suite/issues/145 and https://github.com/solid-contrib/test-suite/issues/146