New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add filesystem/classpath backstop #39
Conversation
@@ -138,7 +147,7 @@ public void deleteRoles(final Node node) throws RepositoryException { | |||
// Read the effective Acl and return a list of acl:Authorization statements | |||
final List<WebACAuthorization> authorizations = effectiveAcl | |||
.map(uncheck(x -> getAuthorizations(x.getLeft().toString()))) | |||
.orElse(new ArrayList<>()); | |||
.orElseGet(() -> getDefaultAuthorizations()); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Instead of tying in the default ACL here, I would have thought the backstop ACL would logically be returned when searching for getEffectiveAcl
:
https://github.com/acoburn/fcrepo-module-auth-webac/blob/fcrepo-1792/src/main/java/org/fcrepo/auth/webac/WebACRolesProvider.java#L121
Was there a reason you did not go that direction?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Because getEffectiveAcl
returns a Pair<URI, FedoraResource>
which than gets loaded and the children (e.g. acl:Authorization nodes) are read -- and all of that is irrelevant for a default acl (which is already an acl:Authorization).
That is, I don't know what a filesystem-based FedoraResource
would be (?). If we were to go that direction, the getAuthorizations
method would need to be completely rewritten. This route is extremely light-weight -- the default is loaded only if an in-domain acl resource is not found.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it correct then, that the algorithm of determining the effective policy is now different than documented here:
https://wiki.duraspace.org/display/FEDORA4x/WebAC+Authorization+Delegate#WebACAuthorizationDelegate-Stepsindeterminingtheeffectiveauthorization
The default is not "Deny Access", but rather, "whatever is in the root-authorization.rdf"?
...or rather, "Deny Access" preceded by a search for "root-authorization.rdf".
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That is correct, which is why we should discuss the contents of that file.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The default acl:Authorization
will now deny access to all non-admin users, but the wiki should be updated as you describe.
Something odd. When I use the following root authorization:
And try to read the root of the repository with:
If I create an ACL and Authorization identical to the authorization above within the repository and link to it from the root with
If I use an admin user to create a resource
If I change the root authorization to:
and execute:
But if I create an ACL and Authorization as above (pointing to
It seems that something is not working as expected. |
@awoods the previous code did not properly support The second issue relates to internal/external translations of the path. I left the implementation as-is, but I am open to changing it. The webac code operates on internal URIs: Thoughts? |
@@ -132,6 +145,16 @@ public void deleteRoles(final Node node) throws RepositoryException { | |||
rdfTypes.addAll(x.getTypes()); | |||
}); | |||
|
|||
// If we get the default Authorization and it contains acl:accessTo properties, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is unclear to me what you are achieving with this block... particularly since the comment is somewhat misleading by referring to the "default Authorization", which is not found until line:169 further down.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This block handles the following case:
Say you make a request for /rest/foo/bar/baz
If there is no acl:accessControl triple on that resource, it searches up the hierarchy to the root. If no acl:accessControl triple is found (effectiveAcl.isPresent() == false
), the filesystem backstop is checked. Now, say that filesystem backstop contains an acl:accessTo triple pointing to the root: acl:accessTo <info:fedora/>
(or, alternately: acl:accessTo <info:fedora/foo>
). This is where this block comes in.
Later on, when the code checks the List<WebACAuthorization>
, it needs to make sure that the path of the requested resource matches the resource pointed to by acl:accessTo, but if the filesystem backstop is used, we need a way to line up the path of the original resource and whatever is listed in the acl:Authorization. In the more traditional case (where there is an acl:accessControl triple somewhere in the hierarchy), we simply use that path, but we don't have that information in this case. Thus, we need to provide all the possible paths: /rest/, /rest/foo, /rest/foo/bar and /rest/foo/baz. That is what this block generates. With that list in place, it can be compared to the acl:accessControl triple(s) in the filesystem backstop. If any of those match, then the ACL modes are applied. If none of them match (and there is no relevant acl:accessToClass), then the request is denied.
The block is located here because resourcePaths
is needed in the next line when the checkAccessTo
Predicate is created. (The accessTo
function forms a closure over the value of resourcePaths
).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @acoburn, that makes sense... however, the block itself and associated comment did not shine much light in that direction for me. Would you please update the comment or pull this into its own private method to make the logic and intent more clear?
Resolved with: 7d9cf0d |
See: https://jira.duraspace.org/browse/FCREPO-1792