add filesystem/classpath backstop #39
Conversation
| @@ -138,7 +147,7 @@ public void deleteRoles(final Node node) throws RepositoryException { | |||
| // Read the effective Acl and return a list of acl:Authorization statements | |||
| final List<WebACAuthorization> authorizations = effectiveAcl | |||
| .map(uncheck(x -> getAuthorizations(x.getLeft().toString()))) | |||
| .orElse(new ArrayList<>()); | |||
| .orElseGet(() -> getDefaultAuthorizations()); | |||
There was a problem hiding this comment.
Instead of tying in the default ACL here, I would have thought the backstop ACL would logically be returned when searching for getEffectiveAcl:
https://github.com/acoburn/fcrepo-module-auth-webac/blob/fcrepo-1792/src/main/java/org/fcrepo/auth/webac/WebACRolesProvider.java#L121
Was there a reason you did not go that direction?
There was a problem hiding this comment.
Because getEffectiveAcl returns a Pair<URI, FedoraResource> which than gets loaded and the children (e.g. acl:Authorization nodes) are read -- and all of that is irrelevant for a default acl (which is already an acl:Authorization).
That is, I don't know what a filesystem-based FedoraResource would be (?). If we were to go that direction, the getAuthorizations method would need to be completely rewritten. This route is extremely light-weight -- the default is loaded only if an in-domain acl resource is not found.
There was a problem hiding this comment.
Is it correct then, that the algorithm of determining the effective policy is now different than documented here:
https://wiki.duraspace.org/display/FEDORA4x/WebAC+Authorization+Delegate#WebACAuthorizationDelegate-Stepsindeterminingtheeffectiveauthorization
The default is not "Deny Access", but rather, "whatever is in the root-authorization.rdf"?
...or rather, "Deny Access" preceded by a search for "root-authorization.rdf".
There was a problem hiding this comment.
That is correct, which is why we should discuss the contents of that file.
There was a problem hiding this comment.
The default acl:Authorization will now deny access to all non-admin users, but the wiki should be updated as you describe.
|
Something odd. When I use the following root authorization: And try to read the root of the repository with:
If I create an ACL and Authorization identical to the authorization above within the repository and link to it from the root with
If I use an admin user to create a resource
If I change the root authorization to: and execute:
But if I create an ACL and Authorization as above (pointing to
It seems that something is not working as expected. |
|
@awoods the previous code did not properly support The second issue relates to internal/external translations of the path. I left the implementation as-is, but I am open to changing it. The webac code operates on internal URIs: Thoughts? |
| @@ -132,6 +145,16 @@ public void deleteRoles(final Node node) throws RepositoryException { | |||
| rdfTypes.addAll(x.getTypes()); | |||
| }); | |||
|
|
|||
| // If we get the default Authorization and it contains acl:accessTo properties, | |||
There was a problem hiding this comment.
It is unclear to me what you are achieving with this block... particularly since the comment is somewhat misleading by referring to the "default Authorization", which is not found until line:169 further down.
There was a problem hiding this comment.
This block handles the following case:
Say you make a request for /rest/foo/bar/baz
If there is no acl:accessControl triple on that resource, it searches up the hierarchy to the root. If no acl:accessControl triple is found (effectiveAcl.isPresent() == false), the filesystem backstop is checked. Now, say that filesystem backstop contains an acl:accessTo triple pointing to the root: acl:accessTo <info:fedora/> (or, alternately: acl:accessTo <info:fedora/foo>). This is where this block comes in.
Later on, when the code checks the List<WebACAuthorization>, it needs to make sure that the path of the requested resource matches the resource pointed to by acl:accessTo, but if the filesystem backstop is used, we need a way to line up the path of the original resource and whatever is listed in the acl:Authorization. In the more traditional case (where there is an acl:accessControl triple somewhere in the hierarchy), we simply use that path, but we don't have that information in this case. Thus, we need to provide all the possible paths: /rest/, /rest/foo, /rest/foo/bar and /rest/foo/baz. That is what this block generates. With that list in place, it can be compared to the acl:accessControl triple(s) in the filesystem backstop. If any of those match, then the ACL modes are applied. If none of them match (and there is no relevant acl:accessToClass), then the request is denied.
The block is located here because resourcePaths is needed in the next line when the checkAccessTo Predicate is created. (The accessTo function forms a closure over the value of resourcePaths).
There was a problem hiding this comment.
Thanks, @acoburn, that makes sense... however, the block itself and associated comment did not shine much light in that direction for me. Would you please update the comment or pull this into its own private method to make the logic and intent more clear?
|
Resolved with: 7d9cf0d |
See: https://jira.duraspace.org/browse/FCREPO-1792