solid / specification

Solid Technical Reports
https://solidproject.org/TR/
MIT License

Shape of ACL #169

Closed csarven closed 3 years ago

csarven commented 4 years ago

As clients can create ACLs, servers need to have deterministic handling of the request. Clients and servers need to have a shared understanding and expectation of the information within ACL documents. Invalid ACLs pose potential security issues. Defining an ACL shape to validate request payload can be a way to address this.

Related issues: https://github.com/solid/specification/issues/56 , https://github.com/solid/specification/issues/57 , https://github.com/solid/web-access-control-spec/issues/78 , https://github.com/solid/specification/issues/130 , https://github.com/solid/specification/issues/67 , https://github.com/solid/specification/issues/193

NSeydoux commented 4 years ago

Related issue: https://github.com/solid/specification/issues/186

tpluscode commented 3 years ago

I'd like to propose SHACL as one standards-based way to describe these shapes.

Questions:

  1. Should acl:mode allow custom modes other than the predefined three?

Authorization:

@prefix vcard: <http://www.w3.org/2006/vcard/ns#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

acl:Authorization
    a rdfs:Class, sh:NodeShape ;
    sh:or
        (
            [
                # either an acl:agent
                sh:property
                    [
                        a sh:PropertyShape ;
                        sh:minCount 1 ;
                        sh:nodeKind sh:IRI ;
                        sh:path acl:agent
                    ]
            ]
            [
                # or class of agents
                sh:property
                    [
                        a sh:PropertyShape ;
                        sh:minCount 1 ;
                        sh:path acl:agentClass ;
                        sh:nodeKind sh:IRI ;
                    ]
            ]
            [
                # or multiple groups
                sh:property
                    [
                        a sh:PropertyShape ;
                        sh:minCount 1 ;
                        sh:path acl:agentGroup ;
                        sh:class vcard:Group ;
                    ]
            ]
        ) ;
    sh:or
        (
            [
                # either direct resource access
                sh:property
                    [
                        a sh:PropertyShape ;
                        sh:minCount 1 ;
                        sh:nodeKind sh:IRI ;
                        sh:path acl:accessTo
                    ]
            ]
            [
                # or class access
                sh:property
                    [
                        a sh:PropertyShape ;
                        sh:minCount 1 ;
                        sh:nodeKind sh:IRI ;
                        sh:path acl:accessToClass
                    ]
            ]
        ) ;
    sh:property
        [
            a sh:PropertyShape ;
            sh:in ( acl:Read acl:Write acl:Control ) ;
            sh:minCount 1 ;
            sh:path acl:mode
        ],
        [
            a sh:PropertyShape ;
            sh:hasValue acl:Authorization ;
            sh:path rdf:type
        ] ;
.

Group:

@prefix dcterms: <http://purl.org/dc/terms/> .
@prefix vcard: <http://www.w3.org/2006/vcard/ns#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

vcard:Group a rdfs:Class, sh:NodeShape ;
  sh:property
    [
      a sh:PropertyShape ;
      sh:datatype xsd:dateTime ;
      sh:maxCount 1 ;
      sh:path dcterms:modified ;
    ],
    [
      a sh:PropertyShape ;
      sh:datatype xsd:dateTime ;
      sh:maxCount 1 ;
      sh:path dcterms:created ;
    ],
    [
      a sh:PropertyShape ;
      sh:maxCount 1 ;
      sh:minCount 1 ;
      sh:nodeKind sh:IRI ;
      sh:path vcard:hasUID ;
      sh:pattern "^urn:uuid:"
    ],
    [
      a sh:PropertyShape ;
      sh:nodeKind sh:IRI ;
      sh:path vcard:hasMember
    ],
    [
      a sh:PropertyShape ;
      sh:hasValue vcard:Group ;
      sh:path rdf:type
    ] .

By the way, I think that the readme uses the wrong Dublin Core namespace.

EDIT: it's also missing acl:agentClass (added above)

acoburn commented 3 years ago

acl:agent should not have a sh:maxCount 1

And acl:Append is missing from the list of modes

tpluscode commented 3 years ago

Ok, I removed this restriction from properties
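
An added example, not part of any comment in this thread and not Solid project code: a hand-coded Python check of the constraints in the proposed acl:Authorization shape, run over a constructed payload to show which authorizations a server would reject, including acl:Append under the modes as posted. The term encoding, the names `validate_acl` and `SAMPLE`, and all pod and WebID IRIs are assumptions made for the example.

```python
ACL = "http://www.w3.org/ns/auth/acl#"
VCARD = "http://www.w3.org/2006/vcard/ns#"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
# Modes listed in the shape as posted; acl:Append comes up later in the thread.
POSTED_MODES = frozenset(ACL + m for m in ("Read", "Write", "Control"))

def is_iri(term):
    # Assumed encoding: IRIs are str, blank nodes start with "_:", literals are tuples.
    return isinstance(term, str) and not term.startswith("_:")

def validate_acl(triples, modes=POSTED_MODES):
    """Map every node that uses an acl: predicate to the constraints it fails."""
    by_node = {}
    for s, p, o in triples:
        by_node.setdefault(s, {}).setdefault(p, []).append(o)
    def typed(node, cls):
        return cls in by_node.get(node, {}).get(RDF_TYPE, [])
    def branch(props, name, ok):  # sh:minCount 1 and every value acceptable
        vals = props.get(ACL + name, [])
        return bool(vals) and all(ok(v) for v in vals)

    report = {}
    for node, props in by_node.items():
        if not any(p.startswith(ACL) for p in props):
            continue
        # Stricter than the shape's implicit class target, which skips untyped nodes.
        checks = {
            "type": typed(node, ACL + "Authorization"),
            "subject": branch(props, "agent", is_iri) or branch(props, "agentClass", is_iri)
            or branch(props, "agentGroup", lambda g: typed(g, VCARD + "Group")),
            "target": branch(props, "accessTo", is_iri) or branch(props, "accessToClass", is_iri),
            "mode": branch(props, "mode", lambda m: m in modes),
        }
        report[node] = [name for name, ok in checks.items() if not ok]
    return report

A = "https://pod.example/notes/.acl#"  # constructed sample, hypothetical IRIs
SAMPLE = [
    (A + "owner", RDF_TYPE, ACL + "Authorization"),
    (A + "owner", ACL + "agent", "https://alice.example/profile#me"),
    (A + "owner", ACL + "accessTo", "https://pod.example/notes/"),
    (A + "owner", ACL + "mode", ACL + "Control"),
    (A + "bad", ACL + "agent", ("literal", "alice")),  # untyped, literal agent,
    (A + "bad", ACL + "mode", ACL + "Write"),          # and no access target
    (A + "inbox", RDF_TYPE, ACL + "Authorization"),
    (A + "inbox", ACL + "agentClass", "http://xmlns.com/foaf/0.1/Agent"),
    (A + "inbox", ACL + "accessTo", "https://pod.example/inbox/"),
    (A + "inbox", ACL + "mode", ACL + "Append"),
]
```

Passing `modes=POSTED_MODES | {ACL + "Append"}` accepts the `inbox` authorization, which is the only difference the missing mode makes for this payload.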

csarven commented 3 years ago

Thanks for this issue and discussion. Closing this issue as consensus is deemed to be captured in WAC Editor's Draft: https://solid.github.io/web-access-control-spec/ . See #authorization-conformance . Please use https://github.com/solid/web-access-control-spec for future discussion.