Programmatically adjust ACL

aveltens · June 20, 2020, 3:25pm

What is the state of the art way of adjusting resource ACL nowadays? Are we still supposed to do low level operations with solid-auth-client, or is there some library that can do the following:

Create new ACL for file.ttl, applying all permissions from parent ACL

Add public append permission to file.ttl keeping everything else as is.

Smag0 · June 22, 2020, 9:32am

The more advanced & friendly I saw is @A_A
https://github.com/Otto-AA/solid-acl-parser

A_A · June 22, 2020, 10:00am

You could use the libraries I’ve written for that, but keep in mind that they are not maintained (at least by me). Also the documentation isn’t that good and doesn’t reflect everything it can do iirc.

With solid-acl-parser you can read turtle strings into an object, modify it there with a simple API, and parse it back to turtle. Here’s a simple example (more documentation is here):

  // Parse the turtle to an AclDoc object which we can modify
  const parser = new AclParser({ aclUrl, fileUrl })
  const doc = await parser.turtleToAclDoc(turtleString)

  // Give the webId WRITE and CONTROL permissions
  doc.addRule([WRITE, CONTROL], webId)
// or in your case: doc.addRule(APPEND, Agents.PUBLIC)

  // Parse it back to turtle so we can store it in the pod
  const newTurtle = await parser.aclDocToTurtle(doc)

And if you also don’t want to manually fetch and save the acl file, I’ve written a wrapper solid-acl-utils which does that for you:

const aclApi = new AclApi(fetch, { autoSave: false }) // create one per acl file you want to modify
const acl = aclApi.loadFromFileUrl('https://pod.example.org/file.ttl')

acl.addRule([READ, WRITE], webId)
acl.addRule(READ, Agents.PUBLIC)

await acl.saveToPod()

These should make it rather simple to modify acl files, but as said above: I’m not going to maintain it, some things may be broken (though I’ve written tests for everything which came into my mind).

Smag0 · June 22, 2020, 10:06am

Even if not maintained, that’s a good starting point that helped me to understand & deal with Acl

@aveltens how I use it for inbox for example

github.com

scenaristeur/agora/blob/master/src/views/config-get-view.js

import { LitElement, html } from 'lit-element';
import { HelloAgent } from '../agents/hello-agent.js';

import * as SolidFileClient from "solid-file-client"
import { namedNode } from '@rdfjs/data-model';

class ConfigGetView extends LitElement {

  static get properties() {
    return {
      name: { type: String },
      config: {type: Object},
      log: {type: String},
      aclInbox: {type: String},
      textColor: {type: String},
      debug: {type: Boolean},
      fc : {type: Object}
    };
  }

This file has been truncated. show original

aveltens · June 23, 2020, 7:04am

This looks really great and seams to do what I was looking for. Will give it a try.

Sad to hear, that you are not going to maintain it. Perhaps we should move it to the solid github org and ensure it is maintained by the community?

aveltens · June 23, 2020, 7:08am

github.com

scenaristeur/agora/blob/master/src/views/config-get-view.js#L32


super();
this.name = "Config GET"
this.config = {}
this.log = "Init"
this.fc = new SolidFileClient(solid.auth)
this.textColor = "text-primary"
this.debug = false
this.aclInboxContent = `@prefix : <#>.
@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix inbox: <./>.
@prefix c: </profile/card#>.


:Append
a acl:Authorization;
acl:accessTo <./>;
acl:agentClass acl:AuthenticatedAgent;
acl:default <./>;
acl:mode acl:Append.
:ControlReadWrite
a acl:Authorization;
acl:accessTo <./>;

Looks like you are assuming a specific WebID structure here, which will bring problems to people with different URI structure.

Smag0 · June 23, 2020, 7:12am

You are right ,thxxs it just a copy/paste from an Acl file to start something but can be improved

A_A · June 23, 2020, 11:56am

Sure, if somebody wants to keep it up to date and fix things when issues arise, I think it would be good to transfer it. I just don’t have the time to maintain this project, but I’d be happy if someone else forks it and takes care about it. I could also remove the solid-acl-parser on npm in favor of newer versions.

If this is done, it would probably also make sense to look if the databrowser could use it too. Currently it uses its own implementation iirc. Merging them to one would probably make sense

A_A · June 23, 2020, 12:04pm

I also want to note, that my implementation is just one way of doing this. It parses the whole acl file into an object, modifies it, and parses it back. Another way would be to use a library to directly manipulate the turtle (e.g. with SPARQL statements)

aveltens · June 30, 2020, 7:16pm

Hey @A_A I had some time to try your lib and it is exactly what I was looking for. Thank you very much.

I am encountering just a small problem, perhaps you have an idea:

Couldn’t retrieve the acl location from the link header

This occurs, if I try to add an ACL to a container and there is now ACL except the root acl. If at least one of the parent containers has an ACL everything works fine. But the root ACL cannot be discovered somehow. Might as well be a bug in NSS, not sure.

With curl I can get a link to the ACL file from a Pod root:

▶ curl -s -I https://solid-groups.solid.community/ | grep Link:
Link: <.acl>; rel="acl", <.meta>; rel="describedBy", <http://www.w3.org/ns/ldp#Resource>; rel="type"

But in the browser dev tools it is actually not to be found in the response of the OPTIONS request to the Pod root:

Link: <https://solid-groups.solid.community/.well-known/solid>; rel="service", <https://solid.community>; rel="http://openid.net/specs/connect/1.0/issuer"

Any ideas?

A_A · July 1, 2020, 9:43am

Apparently node-solid-server only sets the link header for GET but not for OPTIONS requests on the root. Here’s a simple script to reproduce it from the browser console when logged in to your pod:

fetch('/', { method: 'GET' }).then(res => console.log(res.headers.get('link')))
// <.acl>; rel="acl", <.meta>; rel="describedBy", <http://www.w3.org/ns/ldp#Resource>; rel="type"
fetch('/', { method: 'OPTIONS' }).then(res => console.log(res.headers.get('link')))
// <https://otman.solid.community/.well-known/solid>; rel="service", <https://solid.community>; rel="http://openid.net/specs/connect/1.0/issuer"

So I believe that it’s an issue of node-solid-server not adding rel="acl" to the link header.

EDIT: For HEAD it works fine. I’m not that familiar with the difference between HEAD and OPTIONS, so probably that should be used instead. If you know more about it just let me know and I’ll change it

aveltens · July 1, 2020, 10:31am

I think a HEAD request would be correct as stated in 2.4.3.1. Discovery of Auxiliary Resources

To discover the auxiliary resources directly associated with a given Solid resource, a Solid client MUST issue a HEAD or GET request to the target resource URL and inspect the Link headers in the response.

A_A · July 1, 2020, 1:31pm

I’ve updated it to use HEAD, can you try it with this version?

aveltens · July 1, 2020, 4:17pm

Awesome, it’s working Thanks a lot

aveltens · July 5, 2020, 8:47am

Hi @A_A sorry to bother you again. Your library has no capability to set a acl:default, or am I missing something?

A_A · July 5, 2020, 9:26am

You can use addDefaultRule(...) instead of addRule(...) to set the default.
https://otto-aa.github.io/solid-acl-parser/#/quickstart?id=working-with-default

Basically you can use everything defined in this map and all methods defined in this class. So if you don’t find a functionality in the documentation you can take a look there (and open a PR to add it to the documentation :))

aveltens · July 5, 2020, 9:34am

Thanks a lot, sorry I should not have missed that!

tsojcanth · August 16, 2020, 8:27pm

Hi @A_A, those libraries are great, as is your pod explorer.
is there any change you can add support for the origin predicate? this would allow trusted apps.

tsojcanth · August 17, 2020, 10:10am

@A_A the issue is that if I create an ACL for a file inheriting (defaulting to) an origin predicate, the subject still points to the default location).

For example, this is what happens to the acl for https://gaia.solid.community/is.darcy/foo.txt after I load the default, amend it, and save it:

@prefix foaf: <http://xmlns.com/foaf/0.1/>.

<#trusted-apps> a acl:Authorization;
    acl:agent </profile/card#me>;
    acl:accessTo <./foo.txt>;
    acl:mode acl:Control, acl:Read, acl:Write.
<https://gaia.solid.community/is.darcy/.acl#trusted-apps> acl:origin <https://localhost>.
<#ControlReadWrite> a acl:Authorization;
    acl:agent </profile/card#me>, <mailto:gaia@foo.co.uk>;
    acl:accessTo <./foo.txt>;
    acl:mode acl:Control, acl:Read, acl:Write.
<#Read-0> a acl:Authorization;
    acl:agent <https://giulio.solid.community/profile/card#me>;
    acl:accessTo <./foo.txt>;
    acl:mode acl:Read.

You can see that the origin predicate still points to the parent.

I tried to bodge it by changing the structure just before saving it, but it does not have a setter, so I was wondering if you were inclined to add origin support.

Smag0 · August 17, 2020, 8:06pm

You can take a look at the new inrupt lib too
Seems quite easy to deal with Acl

https://docs.inrupt.com/client-libraries/solid-client-js/tutorial/manage-access-control-list.html

Topic		Replies	Views
Library for parsing and modifying ACL files App Testing	0	905	July 8, 2019
JS Library for working with acl files Solid App Development FAQs	5	1153	June 30, 2019
How to update ACL of binary file Solid App Development FAQs	3	511	June 9, 2022
[SOLVED] Solid-Client create ACL for container makes agent lose control Build a Solid App	4	935	February 27, 2021
Unable to update user access using 'setAgentResourceAccess' Solid App Development FAQs	2	702	February 11, 2022

Programmatically adjust ACL

Related Topics