Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Feature: add tests for 'Origin' header #16

Open
ylebre opened this issue Jan 11, 2021 · 4 comments
Open

Feature: add tests for 'Origin' header #16

ylebre opened this issue Jan 11, 2021 · 4 comments

Comments

@ylebre
Copy link
Contributor

ylebre commented Jan 11, 2021

There are currently no checks for this part of the spec:
http://solid.github.io/web-access-control-spec/#referring-to-origins-ie-web-apps

@michielbdejong
Copy link
Collaborator

Correct! I just totally forgot to write those. We don't need to test for the acl:trustedApp mechanism since that was always considered a bit of a stop-gap. But we should add tests for acl:origin, for instance this ACL doc:

@prefix : <#>.
@prefix n0: <http://www.w3.org/ns/auth/acl#>.
@prefix priv: <./>.
@prefix c: </profile/card#>.

:ControlReadWrite
    a n0:Authorization;
    n0:accessTo priv:;
    n0:agent c:me;
    n0:default priv:;
    n0:mode n0:Control, n0:Read, n0:Write.
:Read
    a n0:Authorization;
    n0:accessTo priv:;
    n0:default priv:;
    n0:mode n0:Read;
    n0:origin <https://chat.inrupt.app>.

which is the ACL of my private folder, means that I have:

  • full read/write/control when not coming cross-origin
  • read only when coming specifically from origin https://chat.inrupt.app
  • no access when coming from any other origin

So the authorizations add up, and you need to be authorized for both your identity and (if you come cross-origin) for your origin.

@edwardsph
Copy link
Contributor

So to make sure I understand, the origin authorization applies to all agent authorizations in the same ACL. There is no need to specify any agent in the origin authorization. This is what you mean by saying they add up. So if we added an authorization for the agent Bob to read this folder, then he would also only be able to do that from origin https://chat.inrupt.app.

@michielbdejong
Copy link
Collaborator

Ah wait, now I'm not sure anymore. It could either by that you need >=1 authorization for your origin and >=1 for your webid, but it could also be that you need >=1 authorization that combines the two in a single authorization.

https://github.com/solid/web-access-control-spec says "If the Origin is allowed by [any authorization in] the ACL" so that would imply "If the Origin is allowed by [any authorization in] the ACL", not necessarily "If the Origin is allowed by [that same authorization in] the ACL".

But to play it safe you could create two tests:

  • it("allows access if the origin is mentioned in the same Authorization", ...
  • it("allows access if the origin is mentioned in a different Authorization in the same ACL", ...

@csarven do you think that is correct? Is there anything you want to add?

@ylebre
Copy link
Contributor Author

ylebre commented Mar 10, 2021

Just for clarification, consider the following acl rules:

@prefix acl: <http://www.w3.org/ns/auth/acl#>.

:ControlReadWrite
    a acl:Authorization;
    acl:agent </alice/profile/card#me>;
    acl:default <./>;
    acl:accessTo <./>;
    acl:mode acl:Control, acl:Read, acl:Write.

:Read
    a acl:Authorization;
    acl:origin <https://chat.app>
    acl:default <./>;
    acl:accessTo <./>;
    acl:mode acl:Read.

:BobReadWrite
    a acl:Authorization;
    acl:agent </alice/profile/card#me>;
    acl:origin <https://another-chat.app>;
    acl:default <./>;
    acl:accessTo <./>;
    acl:mode acl:Write acl:Read.

The grants from the acl file are:
Agent Alice has Read, Write, Control
Agent Bob has Read, Write
Origin chat.app has Read
Origin another-chat.app has Read, Write

So combined with the origin, this would be:
Without origin:

Agent alice (without origin) has Read, Write, Control
Agent Bob (without origin) has Read, Write

With origin chat.app:

Agent alice, from Origin chat.app has Read
Agent Bob, from Origin chat.app has Read

With origin another-chat.app:

Agent alice, from Origin another-chat.app has Read, Write
Agent Bob, from Origin another-chat.app has Read, Write

Is this the right interpretation?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

3 participants