solid-server 5.6.9-beta

package/docs/login-and-grant-access-to-application.md

@@ -0,0 +1,32 @@
+# Granting access to an application as part of authentication
+
+**TL:DR: This is a temporary option that will be removed once we have better ways of granting access to applications. We recommend you grant read and write access by default, but it depends on the application you want to trust.**
+
+Applications provide very useful ways of consuming and producing data. Solid provides functionality that allows you to grant access to applications that you trust. This trust might be misplaced sometimes though, which Solid tries to mitigate to lessen the harm that malicious applications can cause.
+
+One of the strategies available in Solid is to check the origins of applications, and in solid-server in Node version 5 (NSS5) we set the configuration for this to be true by default. This strengthens the security of instances running on this codebase, but it also makes it more difficult for users to test applications without explicitly granting them access beforehand.
+
+To facilitate a better user experience, we introduced the option of granting access to applications as part of the authentication process. We believe this is a [better flow then forcing users to navigate to their profile and use the functionality provided in the trusted applications pane](https://github.com/solid/node-solid-server/issues/1142), and offer this as a temporary solution.
+
+## Which modes should I grant the application?
+
+That really depends on what the application needs to do. In general we suggest granting it Read and Write access. 
+
+This is what the various modes allows the application to do:
+
+- **Read:** Allows the application to read resources - this includes navigating through your pod and potentially copy all of your data
+- **Write:** Allows the application to change and delete resources
+- **Append:** Allows the application to only append new content to resources, not remove existing content
+- **Control:** Allows the application to set which access modes agents have (including themself) - by allowing this you essentially allow the application complete control of your pod
+
+The last mode is a very powerful mode to grant an application. An application could use this to remove all of your control access, essentially locking you out of your pod. (This would also mean that the application couldn't get access to your pod though, as it is still relying on your authentication.)
+
+## Why is it temporary?
+
+The way this solutions works "behind the scenes" is that you are granting the application access to all resources that you have access to and that is connected to your profile (in general this would be the pod that was created alongside your WebID). This is probably fine when you want to test an application that you or someone you trust are developing, but it's definitely not the granular access control we want to offer.
+
+We do not have a solution ready yet, but [we are working on it](https://github.com/solid/webid-oidc-spec). When the solution is specified and implemented in NSS, we will remove the option in the login flow, as you would go through another process of granting applications access that would result in a more granular control.
+
+## Learn more
+
+The way that we handle access control in Solid is described in [the Web Access Control specification (WAC)]([http://solid.github.io/web-access-control-spec/](http://solid.github.io/web-access-control-spec/)). If you want to understand the reasoning for why we chose to turn origin checking on by default, you can read about it in the [Meeting W3 Solid Community Group had March 7th 2019 (last point on the agenda)](https://www.w3.org/community/solid/wiki/Meetings#20190307_1400CET).

package/examples/custom-error-handling.js

@@ -0,0 +1,31 @@
+const solid = require('../')
+const path = require('path')
+
+solid
+  .createServer({
+    webid: true,
+    sslCert: path.resolve('../test/keys/cert.pem'),
+    sslKey: path.resolve('../test/keys/key.pem'),
+    errorHandler: function (err, req, res, next) {
+      if (err.status !== 200) {
+        console.log('Oh no! There is an error:' + err.message)
+        res.status(err.status)
+
+        // Now you can send the error how you want
+        // Maybe you want to render an error page
+        // res.render('errorPage.ejs', {
+        //   title: err.status + ": This is an error!",
+        //   message: err.message
+        // })
+        // Or you want to respond in JSON?
+
+        res.json({
+          title: err.status + ': This is an error!',
+          message: err.message
+        })
+      }
+    }
+  })
+  .listen(3456, function () {
+    console.log('started ldp with webid on port ' + 3456)
+  })

package/examples/ldp-with-webid.js

@@ -0,0 +1,12 @@
+const solid = require('../') // or require('solid')
+const path = require('path')
+
+solid
+  .createServer({
+    webid: true,
+    sslCert: path.resolve('../test/keys/cert.pem'),
+    sslKey: path.resolve('../test/keys/key.pem')
+  })
+  .listen(3456, function () {
+    console.log('started ldp with webid on port ' + 3456)
+  })

package/examples/simple-express-app.js

@@ -0,0 +1,20 @@
+const express = require('express')
+const solid = require('../') // or require('solid')
+
+// Starting our express app
+const app = express()
+
+// My routes
+app.get('/', function (req, res) {
+  console.log(req)
+  res.send('Welcome to my server!')
+})
+
+// Mounting solid on /ldp
+const ldp = solid()
+app.use('/ldp', ldp)
+
+// Starting server
+app.listen(3000, function () {
+  console.log('Server started on port 3000!')
+})

package/examples/simple-ldp-server.js

@@ -0,0 +1,8 @@
+const solid = require('../') // or require('solid-server')
+
+// Startin solid server
+const ldp = solid.createServer()
+ldp.listen(3456, function () {
+  console.log('Starting server on port ' + 3456)
+  console.log('LDP will run on /')
+})

package/favicon.ico.acl

@@ -0,0 +1,15 @@
+# ACL for the default favicon.ico resource
+# Server operators will be able to override it as they wish
+# Public-readable
+
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+<#public>
+    a acl:Authorization;
+
+    acl:agentClass foaf:Agent;  # everyone
+
+    acl:accessTo </favicon.ico>;
+
+    acl:mode acl:Read.

package/index.html

@@ -0,0 +1,48 @@
+<!doctype html>
+<html lang="en">
+<head>
+  <meta charset="utf-8">
+  <meta name="viewport" content="width=device-width, initial-scale=1">
+  <title>Welcome to Solid</title>
+  <link rel="stylesheet" href="/common/css/bootstrap.min.css">
+  <link rel="stylesheet" href="/common/css/solid.css">
+</head>
+<body>
+<div class="container">
+  <div class="page-header">
+    <div class="pull-right">
+      <button id="register" type="button" class="btn btn-primary">Register</button>
+      <button id="login"    type="button" class="hidden btn btn-default btn-success">Log in</button>
+      <button id="logout"   type="button" class="hidden btn btn-danger">Log out</button>
+    </div>
+
+    <h1>Welcome to the Solid Prototype</h1>
+  </div>
+
+  <p class="lead">
+    This is a prototype implementation of a Solid server.
+
+    It is a fully functional server, but there are no security or stability guarantees.
+
+    If you have not already done so, please create an account.
+  </p>
+
+  <p class="lead hidden" id="loggedIn">
+    You are logged in as
+    <a href="#" id="profileLink"></a>.
+  </p>
+
+  <section>
+    <h2>Server info</h2>
+    <dl>
+      <dt>Name</dt>
+      <dd>localhost</dd>
+      <dt>Details</dt>
+      <dd>Running on <a href="https://github.com/solid/node-solid-server/releases/tag/v5.6.6">Solid 5.6.6</a></dd>
+    </dl>
+  </section>
+</div>
+<script src="/common/js/solid-auth-client.bundle.js"></script>
+<script src="/common/js/auth-buttons.js"></script>
+</body>
+</html>

package/index.js

@@ -0,0 +1,3 @@
+module.exports = require('./lib/create-app')
+module.exports.createServer = require('./lib/create-server')
+module.exports.startCli = require('./bin/lib/cli')

package/lib/acl-checker.js

@@ -0,0 +1,274 @@
+'use strict'
+/* eslint-disable node/no-deprecated-api */
+
+const { dirname } = require('path')
+const rdf = require('rdflib')
+const debug = require('./debug').ACL
+const debugCache = require('./debug').cache
+const HTTPError = require('./http-error')
+const aclCheck = require('@solid/acl-check')
+const { URL } = require('url')
+const { promisify } = require('util')
+const fs = require('fs')
+const Url = require('url')
+const httpFetch = require('node-fetch')
+
+const DEFAULT_ACL_SUFFIX = '.acl'
+const ACL = rdf.Namespace('http://www.w3.org/ns/auth/acl#')
+
+// TODO: expunge-on-write so that we can increase the caching time
+// For now this cache is a big performance gain but very simple
+// FIXME: set this through the config system instead of directly
+// through an env var:
+const EXPIRY_MS = parseInt(process.env.ACL_CACHE_TIME) || 10000 // 10 seconds
+let temporaryCache = {}
+
+// An ACLChecker exposes the permissions on a specific resource
+class ACLChecker {
+  constructor (resource, options = {}) {
+    this.resource = resource
+    this.resourceUrl = new URL(resource)
+    this.agentOrigin = options.strictOrigin && options.agentOrigin ? rdf.sym(options.agentOrigin) : null
+    this.fetch = options.fetch
+    this.fetchGraph = options.fetchGraph
+    this.trustedOrigins = options.strictOrigin && options.trustedOrigins ? options.trustedOrigins.map(trustedOrigin => rdf.sym(trustedOrigin)) : null
+    this.suffix = options.suffix || DEFAULT_ACL_SUFFIX
+    this.aclCached = {}
+    this.messagesCached = {}
+    this.requests = {}
+    this.slug = options.slug
+  }
+
+  // Returns a fulfilled promise when the user can access the resource
+  // in the given mode; otherwise, rejects with an HTTP error
+  async can (user, mode, method = 'GET', resourceExists = true) {
+    const cacheKey = `${mode}-${user}`
+    if (this.aclCached[cacheKey]) {
+      return this.aclCached[cacheKey]
+    }
+    this.messagesCached[cacheKey] = this.messagesCached[cacheKey] || []
+
+    const acl = await this.getNearestACL().catch(err => {
+      this.messagesCached[cacheKey].push(new HTTPError(err.status || 500, err.message || err))
+    })
+    if (!acl) {
+      this.aclCached[cacheKey] = Promise.resolve(false)
+      return this.aclCached[cacheKey]
+    }
+    let resource = rdf.sym(this.resource)
+    if (this.resource.endsWith('/' + this.suffix)) {
+      resource = rdf.sym(ACLChecker.getDirectory(this.resource))
+    }
+    // If this is an ACL, Control mode must be present for any operations
+    if (this.isAcl(this.resource)) {
+      mode = 'Control'
+      resource = rdf.sym(this.resource.substring(0, this.resource.length - this.suffix.length))
+    }
+    // If the slug is an acl, reject
+    /* if (this.isAcl(this.slug)) {
+      this.aclCached[cacheKey] = Promise.resolve(false)
+      return this.aclCached[cacheKey]
+    } */
+    const directory = acl.isContainer ? rdf.sym(ACLChecker.getDirectory(acl.acl)) : null
+    const aclFile = rdf.sym(acl.acl)
+    const agent = user ? rdf.sym(user) : null
+    const modes = [ACL(mode)]
+    const agentOrigin = this.agentOrigin
+    const trustedOrigins = this.trustedOrigins
+    let originTrustedModes = []
+    try {
+      this.fetch(aclFile.doc().value)
+      originTrustedModes = await aclCheck.getTrustedModesForOrigin(acl.graph, resource, directory, aclFile, agentOrigin, (uriNode) => {
+        return this.fetch(uriNode.doc().value, acl.graph)
+      })
+    } catch (e) {
+      // FIXME: https://github.com/solid/acl-check/issues/23
+      // console.error(e.message)
+    }
+    let accessDenied = aclCheck.accessDenied(acl.graph, resource, directory, aclFile, agent, modes, agentOrigin, trustedOrigins, originTrustedModes)
+
+    // For create and update HTTP methods
+    if ((method === 'PUT' || method === 'PATCH' || method === 'COPY') && directory) {
+      // if resource and acl have same parent container,
+      // and resource does not exist, then accessTo Append from parent is required
+      if (directory.value === dirname(aclFile.value) + '/' && !resourceExists) {
+        const accessDeniedAccessTo = aclCheck.accessDenied(acl.graph, directory, null, aclFile, agent, [ACL('Append')], agentOrigin, trustedOrigins, originTrustedModes)
+        const accessResult = !accessDenied && !accessDeniedAccessTo
+        accessDenied = accessResult ? false : accessDenied || accessDeniedAccessTo
+        // debugCache('accessDenied result ' + accessDenied)
+      }
+    }
+    if (accessDenied && user) {
+      this.messagesCached[cacheKey].push(HTTPError(403, accessDenied))
+    } else if (accessDenied) {
+      this.messagesCached[cacheKey].push(HTTPError(401, 'Unauthenticated'))
+    }
+    this.aclCached[cacheKey] = Promise.resolve(!accessDenied)
+    return this.aclCached[cacheKey]
+  }
+
+  async getError (user, mode) {
+    const cacheKey = `${mode}-${user}`
+    // TODO ?? add to can: req.method and resourceExists.  Actually all tests pass
+    this.aclCached[cacheKey] = this.aclCached[cacheKey] || this.can(user, mode)
+    const isAllowed = await this.aclCached[cacheKey]
+    return isAllowed ? null : this.messagesCached[cacheKey].reduce((prevMsg, msg) => msg.status > prevMsg.status ? msg : prevMsg, { status: 0 })
+  }
+
+  static getDirectory (aclFile) {
+    const parts = aclFile.split('/')
+    parts.pop()
+    return `${parts.join('/')}/`
+  }
+
+  // Gets the ACL that applies to the resource
+  async getNearestACL () {
+    const { resource } = this
+    let isContainer = false
+    const possibleACLs = this.getPossibleACLs()
+    const acls = [...possibleACLs]
+    let returnAcl = null
+    while (possibleACLs.length > 0 && !returnAcl) {
+      const acl = possibleACLs.shift()
+      let graph
+      try {
+        this.requests[acl] = this.requests[acl] || this.fetch(acl)
+        graph = await this.requests[acl]
+      } catch (err) {
+        if (err && (err.code === 'ENOENT' || err.status === 404)) {
+          isContainer = true
+          continue
+        }
+        debug(err)
+        throw err
+      }
+      const relative = resource.replace(acl.replace(/[^/]+$/, ''), './')
+      debug(`Using ACL ${acl} for ${relative}`)
+      returnAcl = { acl, graph, isContainer }
+    }
+    if (!returnAcl) {
+      throw new HTTPError(500, `No ACL found for ${resource}, searched in \n- ${acls.join('\n- ')}`)
+    }
+    const groupNodes = returnAcl.graph.statementsMatching(null, ACL('agentGroup'), null)
+    const groupUrls = groupNodes.map(node => node.object.value.split('#')[0])
+    await Promise.all(groupUrls.map(async groupUrl => {
+      try {
+        const graph = await this.fetch(groupUrl, returnAcl.graph)
+        this.requests[groupUrl] = this.requests[groupUrl] || graph
+      } catch (e) {} // failed to fetch groupUrl
+    }))
+
+    return returnAcl
+  }
+
+  // Gets all possible ACL paths that apply to the resource
+  getPossibleACLs () {
+    // Obtain the resource URI and the length of its base
+    const { resource: uri, suffix } = this
+    const [{ length: base }] = uri.match(/^[^:]+:\/*[^/]+/)
+
+    // If the URI points to a file, append the file's ACL
+    const possibleAcls = []
+    if (!uri.endsWith('/')) {
+      possibleAcls.push(uri.endsWith(suffix) ? uri : uri + suffix)
+    }
+
+    // Append the ACLs of all parent directories
+    for (let i = lastSlash(uri); i >= base; i = lastSlash(uri, i - 1)) {
+      possibleAcls.push(uri.substr(0, i + 1) + suffix)
+    }
+    return possibleAcls
+  }
+
+  isAcl (resource) {
+    return resource.endsWith(this.suffix)
+  }
+
+  static createFromLDPAndRequest (resource, ldp, req) {
+    const trustedOrigins = ldp.getTrustedOrigins(req)
+    return new ACLChecker(resource, {
+      agentOrigin: req.get('origin'),
+      // host: req.get('host'),
+      fetch: fetchLocalOrRemote(ldp.resourceMapper, ldp.serverUri),
+      fetchGraph: (uri, options) => {
+        // first try loading from local fs
+        return ldp.getGraph(uri, options.contentType)
+        // failing that, fetch remote graph
+          .catch(() => ldp.fetchGraph(uri, options))
+      },
+      suffix: ldp.suffixAcl,
+      strictOrigin: ldp.strictOrigin,
+      trustedOrigins,
+      slug: decodeURIComponent(req.headers.slug)
+    })
+  }
+}
+
+/**
+ * Returns a fetch document handler used by the ACLChecker to fetch .acl
+ * resources up the inheritance chain.
+ * The `fetch(uri, callback)` results in the callback, with either:
+ *   - `callback(err, graph)` if any error is encountered, or
+ *   - `callback(null, graph)` with the parsed RDF graph of the fetched resource
+ * @return {Function} Returns a `fetch(uri, callback)` handler
+ */
+function fetchLocalOrRemote (mapper, serverUri) {
+  async function doFetch (url) {
+    // Convert the URL into a filename
+    let body, path, contentType
+
+    if (Url.parse(url).host.includes(Url.parse(serverUri).host)) {
+      // Fetch the acl from local
+      try {
+        ({ path, contentType } = await mapper.mapUrlToFile({ url }))
+      } catch (err) {
+        // delete from cache
+        delete temporaryCache[url]
+        throw new HTTPError(404, err)
+      }
+      // Read the file from disk
+      body = await promisify(fs.readFile)(path, { encoding: 'utf8' })
+    } else {
+      // Fetch the acl from the internet
+      const response = await httpFetch(url)
+      body = await response.text()
+      contentType = response.headers.get('content-type')
+    }
+    return { body, contentType }
+  }
+  return async function fetch (url, graph = rdf.graph()) {
+    graph.initPropertyActions(['sameAs']) // activate sameAs
+    if (!temporaryCache[url]) {
+      // debugCache('Populating cache', url)
+      temporaryCache[url] = {
+        timer: setTimeout(() => {
+          // debugCache('Expunging from cache', url)
+          delete temporaryCache[url]
+          if (Object.keys(temporaryCache).length === 0) {
+            debugCache('Cache is empty again')
+          }
+        }, EXPIRY_MS),
+        promise: doFetch(url)
+      }
+    }
+    // debugCache('Cache hit', url)
+    const { body, contentType } = await temporaryCache[url].promise
+    // Parse the file as Turtle
+    rdf.parse(body, graph, url, contentType)
+    return graph
+  }
+}
+
+// Returns the index of the last slash before the given position
+function lastSlash (string, pos = string.length) {
+  return string.lastIndexOf('/', pos)
+}
+
+module.exports = ACLChecker
+module.exports.DEFAULT_ACL_SUFFIX = DEFAULT_ACL_SUFFIX
+
+// Used in ldp and the unit tests:
+module.exports.clearAclCache = function (url) {
+  if (url) delete temporaryCache[url]
+  else temporaryCache = {}
+}

package/lib/api/accounts/user-accounts.js

@@ -0,0 +1,88 @@
+'use strict'
+
+const express = require('express')
+const bodyParser = require('body-parser').urlencoded({ extended: false })
+const debug = require('../../debug').accounts
+
+const restrictToTopDomain = require('../../handlers/restrict-to-top-domain')
+
+const CreateAccountRequest = require('../../requests/create-account-request')
+const AddCertificateRequest = require('../../requests/add-cert-request')
+const DeleteAccountRequest = require('../../requests/delete-account-request')
+const DeleteAccountConfirmRequest = require('../../requests/delete-account-confirm-request')
+
+/**
+ * Returns an Express middleware handler for checking if a particular account
+ * exists (used by Signup apps).
+ *
+ * @param accountManager {AccountManager}
+ *
+ * @return {Function}
+ */
+function checkAccountExists (accountManager) {
+  return (req, res, next) => {
+    const accountUri = req.hostname
+
+    accountManager.accountUriExists(accountUri)
+      .then(found => {
+        if (!found) {
+          debug(`Account ${accountUri} is available (for ${req.originalUrl})`)
+          return res.sendStatus(404)
+        }
+        debug(`Account ${accountUri} is not available (for ${req.originalUrl})`)
+        next()
+      })
+      .catch(next)
+  }
+}
+
+/**
+ * Returns an Express middleware handler for adding a new certificate to an
+ * existing account (POST to /api/accounts/cert).
+ *
+ * @param accountManager
+ *
+ * @return {Function}
+ */
+function newCertificate (accountManager) {
+  return (req, res, next) => {
+    return AddCertificateRequest.handle(req, res, accountManager)
+      .catch(err => {
+        err.status = err.status || 400
+        next(err)
+      })
+  }
+}
+
+/**
+ * Returns an Express router for providing user account related middleware
+ * handlers.
+ *
+ * @param accountManager {AccountManager}
+ *
+ * @return {Router}
+ */
+function middleware (accountManager) {
+  const router = express.Router('/')
+
+  router.get('/', checkAccountExists(accountManager))
+
+  router.post('/api/accounts/new', restrictToTopDomain, bodyParser, CreateAccountRequest.post)
+  router.get(['/register', '/api/accounts/new'], restrictToTopDomain, CreateAccountRequest.get)
+
+  router.post('/api/accounts/cert', restrictToTopDomain, bodyParser, newCertificate(accountManager))
+
+  router.get('/account/delete', restrictToTopDomain, DeleteAccountRequest.get)
+  router.post('/account/delete', restrictToTopDomain, bodyParser, DeleteAccountRequest.post)
+
+  router.get('/account/delete/confirm', restrictToTopDomain, DeleteAccountConfirmRequest.get)
+  router.post('/account/delete/confirm', restrictToTopDomain, bodyParser, DeleteAccountConfirmRequest.post)
+
+  return router
+}
+
+module.exports = {
+  middleware,
+  checkAccountExists,
+  newCertificate
+}

package/lib/api/authn/force-user.js

@@ -0,0 +1,21 @@
+const debug = require('../../debug').authentication
+
+/**
+ * Enforces the `--force-user` server flag, hardcoding a webid for all requests,
+ * for testing purposes.
+ */
+function initialize (app, argv) {
+  const forceUserId = argv.forceUser
+  app.use('/', (req, res, next) => {
+    debug(`Identified user (override): ${forceUserId}`)
+    req.session.userId = forceUserId
+    if (argv.auth === 'tls') {
+      res.set('User', forceUserId)
+    }
+    next()
+  })
+}
+
+module.exports = {
+  initialize
+}

package/lib/api/authn/index.js

@@ -0,0 +1,5 @@
+module.exports = {
+  oidc: require('./webid-oidc'),
+  tls: require('./webid-tls'),
+  forceUser: require('./force-user.js')
+}