woutslabbinck / ucp-enforcement

A playground for calculating access mode grants based on usage control rules and usage control rule interpreters

Add Temporal usage control properly #3

Closed woutslabbinck closed 7 months ago

woutslabbinck commented 7 months ago

To have a proper temporal usage control ODRL rule, I need to limit the number of constraints to exactly one (such that only temporal UC is done).

In the Solid Agent repository, I have experimented with such a rule. However, when multiple constraints are present in the odrl policy, the UC engine will still grant the permission (without checking the others).

With Notation3 built-ins, it is possible to limit the cardinality for certain Basic Graph Patterns.

So, in this repository (similarly to crud-engine) there should be a proper temporal odrl rule engine.

As an example, the following N3 rule (+ data) will result in a conclusion, only if there is at least one constraint in the ucon rule:

@prefix odrl: <http://www.w3.org/ns/odrl/2/> .
@prefix : <http://example.org/> .
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix fno:  <https://w3id.org/function/ontology#> .
@prefix log: <http://www.w3.org/2000/10/swap/log#> .
@prefix string: <http://www.w3.org/2000/10/swap/string#> .
@prefix list: <http://www.w3.org/2000/10/swap/list#> .
# Update ODRL Rule (odrl:modify: new asset is not created, not same as acl:write)
{
    ?permission a odrl:Permission;
        odrl:action ?action ;
        odrl:target ?targetResource ;
        odrl:assignee ?requestedParty;
        odrl:assigner ?resourceOwner .

    ?action list:in (odrl:use odrl:modify). # multiple options

    # number of constraints must be one
    (?template {?permission odrl:constraint _:s} ?L) log:collectAllIn ?SCOPE.
    ?L list:length 1.
    # context of a request
    ?context
        :resourceOwner ?resourceOwner;
        :requestingParty ?requestedParty;
        :target ?targetResource;
        :requestPermission acl:Write.

    :uuid5 log:uuid ?uuidStringdataUsagePolicyExecution.
    ( "urn:uuid:" ?uuidStringdataUsagePolicyExecution) string:concatenation ?urnUuidStringdataUsagePolicyExecution.
    ?dataUsagePolicyExecution log:uri ?urnUuidStringdataUsagePolicyExecution .
} =>
{
    ?dataUsagePolicyExecution a fno:Execution;
        fno:executes <http://example.org/dataUsage> ;
        :accessModesAllowed acl:Write.
}.
<http://example.org/1705937573496#usagePolicy> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/odrl/2/Agreement> .
<http://example.org/1705937573496#usagePolicy> <http://www.w3.org/ns/odrl/2/permission> <http://example.org/1705937573496#permission> .
<http://example.org/1705937573496#permission> <http://www.w3.org/1999/02/22-rdf-syntax-ns#type> <http://www.w3.org/ns/odrl/2/Permission> .
<http://example.org/1705937573496#permission> <http://www.w3.org/ns/odrl/2/action> <http://www.w3.org/ns/odrl/2/use> .
<http://example.org/1705937573496#permission> <http://www.w3.org/ns/odrl/2/target> <http://localhost:3000/test.ttl> .
<http://example.org/1705937573496#permission> <http://www.w3.org/ns/odrl/2/assignee> <https://woslabbi.pod.knows.idlab.ugent.be/profile/card#me> .
<http://example.org/1705937573496#permission> <http://www.w3.org/ns/odrl/2/assigner> <https://pod.woutslabbinck.com/profile/card#me> .
<http://example.org/1705937573496#permission> odrl:constraint <test>. 

<http://example.org/context> <http://example.org/resourceOwner> <https://pod.woutslabbinck.com/profile/card#me> .
<http://example.org/context> <http://example.org/requestingParty> <https://woslabbi.pod.knows.idlab.ugent.be/profile/card#me> .
<http://example.org/context> <http://example.org/target> <http://localhost:3000/test.ttl> .
<http://example.org/context> <http://example.org/requestPermission> <http://www.w3.org/ns/auth/acl#Write> .

With the following conclusion:

@prefix fno: <https://w3id.org/function/ontology#>.
@prefix : <http://example.org/>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.

<urn:uuid:f8203e74-f001-4790-8bae-7f20b4b9e8c3> a fno:Execution.
<urn:uuid:f8203e74-f001-4790-8bae-7f20b4b9e8c3> fno:executes :dataUsage.
<urn:uuid:f8203e74-f001-4790-8bae-7f20b4b9e8c3> :accessModesAllowed acl:Write.

Uncommenting <http://example.org/1705937573496#permission> odrl:constraint <test>. results in no conclusion.

Many thanks to @josd for letting me craft this rule.
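As an added illustration (not code from this repository or from the issue author), the following Python emulates what the rule above computes: the permission/context match and the cardinality gate `?L list:length 1`, which refuses a grant unless exactly one `odrl:constraint` is present on the matched permission. The triples and the `CONTEXT` dict are constructed to mirror the data above; like the rule itself, it does not evaluate the content of the constraint.

```python
from collections import defaultdict
ODRL = "http://www.w3.org/ns/odrl/2/"
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"
ACL_WRITE = "http://www.w3.org/ns/auth/acl#Write"

# Constructed sample mirroring the issue's data: one odrl:Permission for odrl:use.
PERMISSION = "http://example.org/1705937573496#permission"
OWNER = "https://pod.woutslabbinck.com/profile/card#me"
REQUESTER = "https://woslabbi.pod.knows.idlab.ugent.be/profile/card#me"
TARGET = "http://localhost:3000/test.ttl"
BASE_TRIPLES = [
    (PERMISSION, RDF_TYPE, ODRL + "Permission"),
    (PERMISSION, ODRL + "action", ODRL + "use"),
    (PERMISSION, ODRL + "target", TARGET),
    (PERMISSION, ODRL + "assignee", REQUESTER),
    (PERMISSION, ODRL + "assigner", OWNER),
]
# The request context, mirroring <http://example.org/context> in the issue.
CONTEXT = {"resourceOwner": OWNER, "requestingParty": REQUESTER,
           "target": TARGET, "requestPermission": ACL_WRITE}

def with_constraints(count):
    """Return the sample permission carrying `count` odrl:constraint triples (constructed IRIs)."""
    extra = [(PERMISSION, ODRL + "constraint", f"http://example.org/c{i}")
             for i in range(count)]
    return BASE_TRIPLES + extra

def evaluate(triples, context):
    """Emulate the N3 rule: return the granted access mode, or None if there is no conclusion."""
    index = defaultdict(set)
    for s, p, o in triples:
        index[(s, p)].add(o)
    if context["requestPermission"] != ACL_WRITE:
        return None
    for s, p, o in triples:
        if p != RDF_TYPE or o != ODRL + "Permission":
            continue
        # ?action list:in (odrl:use odrl:modify), plus the match against the request context
        if not index[(s, ODRL + "action")] & {ODRL + "use", ODRL + "modify"}:
            continue
        if (context["target"] not in index[(s, ODRL + "target")]
                or context["requestingParty"] not in index[(s, ODRL + "assignee")]
                or context["resourceOwner"] not in index[(s, ODRL + "assigner")]):
            continue
        # log:collectAllIn + list:length 1: exactly one constraint, otherwise no grant,
        # because this rule never evaluates a second constraint.
        if len(index[(s, ODRL + "constraint")]) != 1:
            continue
        return ACL_WRITE
    return None
```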

woutslabbinck commented 7 months ago

Just as mentioned with a similar issue in crud engine, it might be necessary to wait for a bump of koreografeye with a new version of the eyereasoner.

woutslabbinck commented 7 months ago

Added in https://github.com/woutslabbinck/ucp-enforcement/blob/3955a6505fcd2796bf4fdd6b80818c8bbaabf530/crud_engine_temporal.ts