javascript-solid-server 0.0.3 → 0.0.5

package/src/wac/checker.js

@@ -0,0 +1,257 @@
+/**
+ * WAC (Web Access Control) Checker
+ * Checks if an agent has permission to access a resource
+ */
+
+import * as storage from '../storage/filesystem.js';
+import { parseAcl, AccessMode, AgentClass } from './parser.js';
+import { getAclUrl } from '../ldp/headers.js';
+
+/**
+ * Check if agent has required access mode for resource
+ * @param {object} options
+ * @param {string} options.resourceUrl - Full URL of the resource
+ * @param {string} options.resourcePath - Path portion of the resource URL
+ * @param {boolean} options.isContainer - Whether resource is a container
+ * @param {string|null} options.agentWebId - WebID of the agent (null for unauthenticated)
+ * @param {string} options.requiredMode - Required access mode (from AccessMode)
+ * @returns {Promise<{allowed: boolean, wacAllow: string}>}
+ */
+export async function checkAccess({
+  resourceUrl,
+  resourcePath,
+  isContainer,
+  agentWebId,
+  requiredMode
+}) {
+  // Find applicable ACL
+  const aclResult = await findApplicableAcl(resourceUrl, resourcePath, isContainer);
+
+  if (!aclResult) {
+    // No ACL found - allow by default (permissive mode)
+    // This allows resources without ACLs to be publicly accessible
+    return { allowed: true, wacAllow: 'user="read write append control", public="read write append"' };
+  }
+
+  const { authorizations, isDefault, targetUrl } = aclResult;
+
+  // Check authorizations
+  const allowed = checkAuthorizations(
+    authorizations,
+    targetUrl,
+    agentWebId,
+    requiredMode,
+    isDefault
+  );
+
+  // Calculate WAC-Allow header
+  const wacAllow = calculateWacAllow(authorizations, targetUrl, agentWebId, isDefault);
+
+  return { allowed, wacAllow };
+}
+
+/**
+ * Find the applicable ACL for a resource
+ * Walks up the path hierarchy looking for .acl files
+ */
+async function findApplicableAcl(resourceUrl, resourcePath, isContainer) {
+  // First check for resource-specific ACL
+  const resourceAclPath = isContainer
+    ? (resourcePath.endsWith('/') ? resourcePath : resourcePath + '/') + '.acl'
+    : resourcePath + '.acl';
+
+  if (await storage.exists(resourceAclPath)) {
+    const content = await storage.read(resourceAclPath);
+    if (content) {
+      const aclUrl = getAclUrl(resourceUrl, isContainer);
+      const authorizations = parseAcl(content.toString(), aclUrl);
+      return { authorizations, isDefault: false, targetUrl: resourceUrl };
+    }
+  }
+
+  // Walk up the hierarchy looking for default ACLs
+  let currentPath = resourcePath;
+  while (currentPath && currentPath !== '/') {
+    // Get parent container
+    const parentPath = getParentPath(currentPath);
+    const parentAclPath = parentPath + '.acl';
+
+    if (await storage.exists(parentAclPath)) {
+      const content = await storage.read(parentAclPath);
+      if (content) {
+        const parentUrl = resourceUrl.substring(0, resourceUrl.lastIndexOf(currentPath)) + parentPath;
+        const authorizations = parseAcl(content.toString(), parentAclPath);
+        return { authorizations, isDefault: true, targetUrl: parentUrl };
+      }
+    }
+
+    currentPath = parentPath;
+  }
+
+  // Check root ACL
+  if (await storage.exists('/.acl')) {
+    const content = await storage.read('/.acl');
+    if (content) {
+      const rootUrl = resourceUrl.substring(0, resourceUrl.indexOf('/', 8) + 1);
+      const authorizations = parseAcl(content.toString(), '/.acl');
+      return { authorizations, isDefault: true, targetUrl: rootUrl };
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Get parent container path
+ */
+function getParentPath(path) {
+  // Remove trailing slash
+  const normalized = path.endsWith('/') ? path.slice(0, -1) : path;
+  const lastSlash = normalized.lastIndexOf('/');
+  if (lastSlash <= 0) return '/';
+  return normalized.substring(0, lastSlash + 1);
+}
+
+/**
+ * Check if any authorization grants the required mode
+ */
+function checkAuthorizations(authorizations, targetUrl, agentWebId, requiredMode, isDefault) {
+  for (const auth of authorizations) {
+    // Check if this authorization applies to the resource
+    const appliesToResource = isDefault
+      ? auth.default.some(d => urlMatches(d, targetUrl))
+      : auth.accessTo.some(a => urlMatches(a, targetUrl));
+
+    if (!appliesToResource && !isDefault) continue;
+    if (isDefault && auth.default.length === 0) continue;
+
+    // Check if agent is authorized
+    const agentAuthorized = isAgentAuthorized(auth, agentWebId);
+    if (!agentAuthorized) continue;
+
+    // Check if mode is granted
+    if (auth.modes.includes(requiredMode)) {
+      return true;
+    }
+
+    // Write implies Append
+    if (requiredMode === AccessMode.APPEND && auth.modes.includes(AccessMode.WRITE)) {
+      return true;
+    }
+  }
+
+  return false;
+}
+
+/**
+ * Check if the agent is authorized by an authorization rule
+ */
+function isAgentAuthorized(auth, agentWebId) {
+  // Check specific agent
+  if (agentWebId && auth.agents.includes(agentWebId)) {
+    return true;
+  }
+
+  // Check agent classes
+  for (const agentClass of auth.agentClasses) {
+    // foaf:Agent - everyone (including unauthenticated)
+    if (agentClass === AgentClass.AGENT || agentClass === 'foaf:Agent') {
+      return true;
+    }
+
+    // acl:AuthenticatedAgent - any authenticated user
+    if (agentWebId && (agentClass === AgentClass.AUTHENTICATED || agentClass === 'acl:AuthenticatedAgent')) {
+      return true;
+    }
+  }
+
+  // TODO: Check agent groups (requires fetching and parsing group documents)
+
+  return false;
+}
+
+/**
+ * Check if URLs match (handles trailing slashes)
+ */
+function urlMatches(pattern, url) {
+  const normalizedPattern = pattern.replace(/\/$/, '');
+  const normalizedUrl = url.replace(/\/$/, '');
+  return normalizedPattern === normalizedUrl;
+}
+
+/**
+ * Calculate WAC-Allow header value
+ */
+function calculateWacAllow(authorizations, targetUrl, agentWebId, isDefault) {
+  const userModes = new Set();
+  const publicModes = new Set();
+
+  for (const auth of authorizations) {
+    // Check if applies to resource
+    const applies = isDefault
+      ? auth.default.length > 0
+      : auth.accessTo.some(a => urlMatches(a, targetUrl));
+
+    if (!applies && !isDefault) continue;
+
+    // Check what modes this grants
+    const modes = auth.modes.map(m => {
+      if (m === AccessMode.READ || m === 'acl:Read') return 'read';
+      if (m === AccessMode.WRITE || m === 'acl:Write') return 'write';
+      if (m === AccessMode.APPEND || m === 'acl:Append') return 'append';
+      if (m === AccessMode.CONTROL || m === 'acl:Control') return 'control';
+      return null;
+    }).filter(Boolean);
+
+    // Check if public
+    const isPublic = auth.agentClasses.some(c =>
+      c === AgentClass.AGENT || c === 'foaf:Agent'
+    );
+
+    if (isPublic) {
+      modes.forEach(m => publicModes.add(m));
+    }
+
+    // Check if user-specific
+    if (agentWebId && auth.agents.includes(agentWebId)) {
+      modes.forEach(m => userModes.add(m));
+    }
+
+    // Check authenticated class
+    if (agentWebId && auth.agentClasses.some(c =>
+      c === AgentClass.AUTHENTICATED || c === 'acl:AuthenticatedAgent'
+    )) {
+      modes.forEach(m => userModes.add(m));
+    }
+  }
+
+  // User also gets public modes
+  publicModes.forEach(m => userModes.add(m));
+
+  const userStr = Array.from(userModes).join(' ');
+  const publicStr = Array.from(publicModes).join(' ');
+
+  return `user="${userStr}", public="${publicStr}"`;
+}
+
+/**
+ * Get the required access mode for an HTTP method
+ * @param {string} method - HTTP method
+ * @returns {string} Access mode
+ */
+export function getRequiredMode(method) {
+  switch (method.toUpperCase()) {
+    case 'GET':
+    case 'HEAD':
+    case 'OPTIONS':
+      return AccessMode.READ;
+    case 'POST':
+      return AccessMode.APPEND;
+    case 'PUT':
+    case 'PATCH':
+    case 'DELETE':
+      return AccessMode.WRITE;
+    default:
+      return AccessMode.READ;
+  }
+}

package/src/wac/parser.js

@@ -0,0 +1,284 @@
+/**
+ * WAC (Web Access Control) Parser
+ * Parses JSON-LD .acl files into authorization rules
+ */
+
+const ACL = 'http://www.w3.org/ns/auth/acl#';
+const FOAF = 'http://xmlns.com/foaf/0.1/';
+
+// Access modes
+export const AccessMode = {
+  READ: `${ACL}Read`,
+  WRITE: `${ACL}Write`,
+  APPEND: `${ACL}Append`,
+  CONTROL: `${ACL}Control`
+};
+
+// Agent classes
+export const AgentClass = {
+  AGENT: `${FOAF}Agent`,           // Everyone (public)
+  AUTHENTICATED: `${ACL}AuthenticatedAgent`  // Any authenticated user
+};
+
+/**
+ * Parse a JSON-LD ACL document
+ * @param {string|object} content - JSON-LD content (string or parsed object)
+ * @param {string} aclUrl - URL of the ACL document
+ * @returns {Array<Authorization>} List of authorization rules
+ */
+export function parseAcl(content, aclUrl) {
+  let doc;
+  try {
+    doc = typeof content === 'string' ? JSON.parse(content) : content;
+  } catch {
+    return [];
+  }
+
+  const authorizations = [];
+
+  // Handle @graph array or single object
+  const nodes = doc['@graph'] || [doc];
+
+  for (const node of nodes) {
+    if (isAuthorization(node)) {
+      const auth = parseAuthorization(node, aclUrl);
+      if (auth) {
+        authorizations.push(auth);
+      }
+    }
+  }
+
+  return authorizations;
+}
+
+/**
+ * Check if node is an Authorization
+ */
+function isAuthorization(node) {
+  const type = node['@type'];
+  if (!type) return false;
+
+  const types = Array.isArray(type) ? type : [type];
+  return types.some(t =>
+    t === 'acl:Authorization' ||
+    t === `${ACL}Authorization` ||
+    t === 'Authorization'
+  );
+}
+
+/**
+ * Parse a single Authorization node
+ */
+function parseAuthorization(node, aclUrl) {
+  const auth = {
+    id: node['@id'],
+    accessTo: [],      // Resources this applies to
+    default: [],       // Default for contained resources
+    agents: [],        // Specific WebIDs
+    agentClasses: [],  // Agent classes (public, authenticated)
+    agentGroups: [],   // Groups
+    modes: []          // Access modes
+  };
+
+  // Parse accessTo
+  auth.accessTo = parseUriArray(node['acl:accessTo'] || node['accessTo']);
+
+  // Parse default (for containers)
+  auth.default = parseUriArray(node['acl:default'] || node['default']);
+
+  // Parse agents
+  auth.agents = parseUriArray(node['acl:agent'] || node['agent']);
+
+  // Parse agentClass
+  auth.agentClasses = parseUriArray(node['acl:agentClass'] || node['agentClass']);
+
+  // Parse agentGroup
+  auth.agentGroups = parseUriArray(node['acl:agentGroup'] || node['agentGroup']);
+
+  // Parse modes
+  auth.modes = parseUriArray(node['acl:mode'] || node['mode']).map(normalizeMode);
+
+  return auth;
+}
+
+/**
+ * Parse a value that could be a URI, @id object, or array of either
+ */
+function parseUriArray(value) {
+  if (!value) return [];
+
+  const values = Array.isArray(value) ? value : [value];
+
+  return values.map(v => {
+    if (typeof v === 'string') return v;
+    if (v && typeof v === 'object' && v['@id']) return v['@id'];
+    return null;
+  }).filter(Boolean);
+}
+
+/**
+ * Normalize mode URIs to full form
+ */
+function normalizeMode(mode) {
+  const modeMap = {
+    'Read': AccessMode.READ,
+    'Write': AccessMode.WRITE,
+    'Append': AccessMode.APPEND,
+    'Control': AccessMode.CONTROL,
+    'acl:Read': AccessMode.READ,
+    'acl:Write': AccessMode.WRITE,
+    'acl:Append': AccessMode.APPEND,
+    'acl:Control': AccessMode.CONTROL
+  };
+  return modeMap[mode] || mode;
+}
+
+/**
+ * Generate a default public read ACL
+ * @param {string} resourceUrl - URL of the resource
+ * @returns {object} JSON-LD ACL document
+ */
+export function generatePublicReadAcl(resourceUrl) {
+  return {
+    '@context': {
+      'acl': ACL,
+      'foaf': FOAF
+    },
+    '@graph': [
+      {
+        '@id': '#public',
+        '@type': 'acl:Authorization',
+        'acl:agentClass': { '@id': 'foaf:Agent' },
+        'acl:accessTo': { '@id': resourceUrl },
+        'acl:mode': [
+          { '@id': 'acl:Read' }
+        ]
+      }
+    ]
+  };
+}
+
+/**
+ * Generate a full owner ACL (owner has full control, public read)
+ * @param {string} resourceUrl - URL of the resource
+ * @param {string} ownerWebId - WebID of the owner
+ * @param {boolean} isContainer - Whether this is a container
+ * @returns {object} JSON-LD ACL document
+ */
+export function generateOwnerAcl(resourceUrl, ownerWebId, isContainer = false) {
+  const graph = [
+    {
+      '@id': '#owner',
+      '@type': 'acl:Authorization',
+      'acl:agent': { '@id': ownerWebId },
+      'acl:accessTo': { '@id': resourceUrl },
+      'acl:mode': [
+        { '@id': 'acl:Read' },
+        { '@id': 'acl:Write' },
+        { '@id': 'acl:Control' }
+      ]
+    },
+    {
+      '@id': '#public',
+      '@type': 'acl:Authorization',
+      'acl:agentClass': { '@id': 'foaf:Agent' },
+      'acl:accessTo': { '@id': resourceUrl },
+      'acl:mode': [
+        { '@id': 'acl:Read' }
+      ]
+    }
+  ];
+
+  // Add default rules for containers
+  if (isContainer) {
+    graph[0]['acl:default'] = { '@id': resourceUrl };
+    graph[1]['acl:default'] = { '@id': resourceUrl };
+  }
+
+  return {
+    '@context': {
+      'acl': ACL,
+      'foaf': FOAF
+    },
+    '@graph': graph
+  };
+}
+
+/**
+ * Generate a private ACL (owner only, no public access)
+ * @param {string} resourceUrl - URL of the resource
+ * @param {string} ownerWebId - WebID of the owner
+ * @param {boolean} isContainer - Whether this is a container
+ * @returns {object} JSON-LD ACL document
+ */
+export function generatePrivateAcl(resourceUrl, ownerWebId, isContainer = true) {
+  const auth = {
+    '@id': '#owner',
+    '@type': 'acl:Authorization',
+    'acl:agent': { '@id': ownerWebId },
+    'acl:accessTo': { '@id': resourceUrl },
+    'acl:mode': [
+      { '@id': 'acl:Read' },
+      { '@id': 'acl:Write' },
+      { '@id': 'acl:Control' }
+    ]
+  };
+
+  if (isContainer) {
+    auth['acl:default'] = { '@id': resourceUrl };
+  }
+
+  return {
+    '@context': {
+      'acl': ACL,
+      'foaf': FOAF
+    },
+    '@graph': [auth]
+  };
+}
+
+/**
+ * Generate an inbox ACL (owner full control, public append)
+ * @param {string} resourceUrl - URL of the inbox
+ * @param {string} ownerWebId - WebID of the owner
+ * @returns {object} JSON-LD ACL document
+ */
+export function generateInboxAcl(resourceUrl, ownerWebId) {
+  return {
+    '@context': {
+      'acl': ACL,
+      'foaf': FOAF
+    },
+    '@graph': [
+      {
+        '@id': '#owner',
+        '@type': 'acl:Authorization',
+        'acl:agent': { '@id': ownerWebId },
+        'acl:accessTo': { '@id': resourceUrl },
+        'acl:default': { '@id': resourceUrl },
+        'acl:mode': [
+          { '@id': 'acl:Read' },
+          { '@id': 'acl:Write' },
+          { '@id': 'acl:Control' }
+        ]
+      },
+      {
+        '@id': '#public',
+        '@type': 'acl:Authorization',
+        'acl:agentClass': { '@id': 'foaf:Agent' },
+        'acl:accessTo': { '@id': resourceUrl },
+        'acl:default': { '@id': resourceUrl },
+        'acl:mode': [
+          { '@id': 'acl:Append' }
+        ]
+      }
+    ]
+  };
+}
+
+/**
+ * Serialize ACL to JSON string
+ */
+export function serializeAcl(acl) {
+  return JSON.stringify(acl, null, 2);
+}

package/test/auth.test.js

@@ -0,0 +1,175 @@
+/**
+ * Authentication and Authorization tests
+ */
+
+import { describe, it, before, after } from 'node:test';
+import assert from 'node:assert';
+import {
+  startTestServer,
+  stopTestServer,
+  request,
+  createTestPod,
+  getPodToken,
+  getBaseUrl,
+  assertStatus,
+  assertHeader
+} from './helpers.js';
+
+describe('Authentication', () => {
+  before(async () => {
+    await startTestServer();
+  });
+
+  after(async () => {
+    await stopTestServer();
+  });
+
+  describe('Token Authentication', () => {
+    it('should return token on pod creation', async () => {
+      const result = await createTestPod('authtest');
+
+      assert.ok(result.token, 'Should return a token');
+      assert.ok(result.token.includes('.'), 'Token should have signature');
+    });
+
+    it('should allow authenticated access to private resources', async () => {
+      await createTestPod('privatetest');
+
+      // Should succeed with auth
+      const res = await request('/privatetest/private/', { auth: 'privatetest' });
+      assertStatus(res, 200);
+    });
+
+    it('should deny unauthenticated access to private resources', async () => {
+      await createTestPod('denytest');
+
+      // Should fail without auth
+      const res = await request('/denytest/private/');
+      assertStatus(res, 401);
+    });
+
+    it('should return 403 for wrong user accessing private resources', async () => {
+      await createTestPod('user1');
+      await createTestPod('user2');
+
+      // User2 trying to access User1's private folder
+      const res = await request('/user1/private/', { auth: 'user2' });
+      assertStatus(res, 403);
+    });
+
+    it('should accept Bearer token format', async () => {
+      await createTestPod('bearertest');
+      const token = getPodToken('bearertest');
+
+      const res = await fetch(`${getBaseUrl()}/bearertest/private/`, {
+        headers: { 'Authorization': `Bearer ${token}` }
+      });
+      assertStatus(res, 200);
+    });
+
+    it('should reject invalid tokens', async () => {
+      await createTestPod('invalidtest');
+
+      const res = await fetch(`${getBaseUrl()}/invalidtest/private/`, {
+        headers: { 'Authorization': 'Bearer invalid.token' }
+      });
+      assertStatus(res, 401);
+    });
+  });
+
+  describe('WAC Enforcement', () => {
+    it('should allow public read on pod root', async () => {
+      await createTestPod('publicread');
+
+      // Public folder should be readable without auth
+      const res = await request('/publicread/public/');
+      assertStatus(res, 200);
+    });
+
+    it('should allow public read on explicit public folders', async () => {
+      await createTestPod('explicitpublic');
+
+      // Root ACL has public read default
+      const res = await request('/explicitpublic/');
+      assertStatus(res, 200);
+    });
+
+    it('should allow authenticated write to owned resources', async () => {
+      await createTestPod('writetest');
+
+      const res = await request('/writetest/public/test.txt', {
+        method: 'PUT',
+        body: 'test content',
+        auth: 'writetest'
+      });
+      assertStatus(res, 201);
+    });
+
+    it('should deny unauthenticated write', async () => {
+      await createTestPod('nowrite');
+
+      const res = await request('/nowrite/public/test.txt', {
+        method: 'PUT',
+        body: 'test content'
+      });
+      assertStatus(res, 401);
+    });
+
+    it('should deny other user write to owned resources', async () => {
+      await createTestPod('owner1');
+      await createTestPod('attacker');
+
+      const res = await request('/owner1/public/test.txt', {
+        method: 'PUT',
+        body: 'malicious content',
+        auth: 'attacker'
+      });
+      assertStatus(res, 403);
+    });
+
+    it('should allow public append to inbox', async () => {
+      await createTestPod('inboxtest');
+
+      // POST to inbox should work for anyone (public append)
+      const res = await request('/inboxtest/inbox/', {
+        method: 'POST',
+        headers: {
+          'Content-Type': 'application/json',
+          'Slug': 'notification'
+        },
+        body: JSON.stringify({ type: 'notification' })
+      });
+      assertStatus(res, 201);
+    });
+
+    it('should deny public read on inbox', async () => {
+      await createTestPod('inboxread');
+
+      // GET inbox should fail for unauthenticated
+      const res = await request('/inboxread/inbox/');
+      assertStatus(res, 401);
+    });
+  });
+
+  describe('WAC-Allow Header', () => {
+    it('should include user permissions for authenticated requests', async () => {
+      await createTestPod('wacallow');
+
+      const res = await request('/wacallow/public/', { auth: 'wacallow' });
+      const wacAllow = res.headers.get('WAC-Allow');
+
+      assert.ok(wacAllow, 'Should have WAC-Allow header');
+      assert.ok(wacAllow.includes('user='), 'Should include user permissions');
+    });
+
+    it('should include public permissions', async () => {
+      await createTestPod('wacpublic');
+
+      const res = await request('/wacpublic/public/');
+      const wacAllow = res.headers.get('WAC-Allow');
+
+      assert.ok(wacAllow, 'Should have WAC-Allow header');
+      assert.ok(wacAllow.includes('public='), 'Should include public permissions');
+    });
+  });
+});