Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Shape of ACL #169

Closed
csarven opened this issue Apr 23, 2020 · 5 comments
Closed

Shape of ACL #169

csarven opened this issue Apr 23, 2020 · 5 comments
Assignees
@csarven
Labels
doc: Web Access Control topic: authorization topic: resource access
Milestone
~Candidate Recomm...

Comments

@csarven
Copy link
Member

csarven commented Apr 23, 2020
edited
Loading

As clients can create ACLs, servers need to have deterministic handling of the request. Clients and servers need to have a shared understanding and expectation of the information within ACL documents. Invalid ACLs pose potential security issues. Defining an ACL shape to validate request payload can be a way to address this.

Related issues: #56 , #57 , solid/web-access-control-spec#78 , #130 , #67 , #193
@csarven csarven added this to the ~Candidate Recommendation milestone Apr 23, 2020
@NSeydoux
Copy link

Related issue: #186

@csarven csarven mentioned this issue Aug 7, 2020
Closed
@csarven csarven mentioned this issue Aug 24, 2020
Closed
@csarven csarven mentioned this issue Jan 28, 2021
Merged
@csarven csarven mentioned this issue Mar 4, 2021
Open
@tpluscode
Copy link

tpluscode commented Mar 16, 2021
edited
Loading

I'd like to propose SHACL as one standards-based way to describe these shapes.

Questions:

  1. Should acl:mode allow custom modes other than the predefined three?

Authorization

@prefix vcard: <http://www.w3.org/2006/vcard/ns#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

acl:Authorization
    a rdfs:Class, sh:NodeShape ;
    sh:or
        (
            [
                # either an acl:agent
                sh:property
                    [
                        a sh:PropertyShape ;
                        sh:minCount 1 ;
                        sh:nodeKind sh:IRI ;
                        sh:path acl:agent
                    ]
            ] [
                  # or class of agents
                  sh:property
                      [
                          a sh:PropertyShape ;
                          sh:minCount 1 ;
                          sh:path acl:agentClass ;
                          sh:nodeKind sh:IRI ;
                      ]
              ] [
                    # or multiple groups
                    sh:property
                        [
                            a sh:PropertyShape ;
                            sh:minCount 1 ;
                            sh:path acl:agentGroup ;
                            sh:class vcard:Group ;
                        ]
                ]
        ) ;
    sh:or
        (
            [
                # either direct resource access
                sh:property
                    [
                        a sh:PropertyShape ;
                        sh:minCount 1 ;
                        sh:nodeKind sh:IRI ;
                        sh:path acl:accessTo
                    ]
            ]
            [
                # or class access
                sh:property
                    [
                        a sh:PropertyShape ;
                        sh:minCount 1 ;
                        sh:nodeKind sh:IRI ;
                        sh:path acl:accessToClass
                    ]
            ]
        ) ;
    sh:property
        [
            a sh:PropertyShape ;
            sh:in ( acl:Read acl:Write acl:Control ) ;
            sh:minCount 1 ;
            sh:path acl:mode
        ],
        [
            a sh:PropertyShape ;
            sh:hasValue acl:Authorization ;
            sh:path rdf:type
        ] ;
.

Group:

@prefix dcterms: <http://purl.org/dc/terms/> .
@prefix vcard: <http://www.w3.org/2006/vcard/ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

vcard:Group a rdfs:Class, sh:NodeShape ;
  sh:property
    [
      a sh:PropertyShape ;
      sh:datatype xsd:dateTime ;
      sh:maxCount 1 ;
      sh:path dcterms:modified ;
    ],
    [
      a sh:PropertyShape ;
      sh:datatype xsd:dateTime ;
      sh:maxCount 1 ;
      sh:path dcterms:created ;
    ],
    [
      a sh:PropertyShape ;
      sh:maxCount 1 ;
      sh:minCount 1 ;
      sh:nodeKind sh:IRI ;
      sh:path vcard:hasUID ;
      sh:pattern "^urn:uuid:"
    ],
    [
      a sh:PropertyShape ;
      sh:nodeKind sh:IRI ;
      sh:path vcard:hasMember
    ],
    [
      a sh:PropertyShape ;
      sh:hasValue vcard:Group ;
      sh:path rdf:type
    ] .

By the way, I think that the readme uses the wrong Dublin Core namespace.

EDIT: it's also missing acl:agentClass (added above)

@tpluscode tpluscode mentioned this issue Mar 16, 2021
Closed
@matthieubosquet matthieubosquet mentioned this issue Mar 16, 2021
Merged
@acoburn
Copy link
Member

acoburn commented Mar 16, 2021
edited
Loading

acl:agent should not have a sh:maxCount 1

And acl:Append is missing from the list of modes

@tpluscode
Copy link

tpluscode commented Mar 16, 2021
edited
Loading

Ok, I removed this restriction from properties

@csarven csarven self-assigned this May 17, 2021
@csarven csarven mentioned this issue Jun 17, 2021
Merged
@csarven
Copy link
Member Author

csarven commented Jul 1, 2021

Thanks for this issue and discussion. Closing this issue as consensus is deemed to be captured in WAC Editor's Draft: https://solid.github.io/web-access-control-spec/ . See #authorization-conformance . Please use https://github.com/solid/web-access-control-spec for future discussion.

@csarven csarven closed this as completed Jul 1, 2021
@csarven csarven moved this to Done in Specification Sep 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@csarven csarven

Labels
doc: Web Access Control topic: authorization topic: resource access
Projects
Specification
Status: Done
Milestone
~Candidate Recommendation
Development

No branches or pull requests
4 participants
@csarven @tpluscode @acoburn @NSeydoux