From a7c7b78b224855e5c3843a76b2bfac72a8bd2c4b Mon Sep 17 00:00:00 2001
From: Michiel de Jong
Date: Thu, 23 Jan 2025 14:35:15 +0100
Subject: [PATCH 1/2] ACP
---
 templates/pod/acp/.acr.hbs | 39 +++++++++++++++++++
 templates/pod/acp/.meta | 3 ++
 templates/pod/acp/README$.md.hbs | 22 +++++++++
 templates/pod/acp/README.acr | 18 +++++++++
 templates/pod/acp/profile/card$.ttl.hbs | 18 +++++++++
 templates/pod/acp/profile/card.acr | 22 +++++++++++
 templates/pod/acp/public/.acr | 28 +++++++++++++
 templates/pod/acp/robots.txt | 3 ++
 templates/pod/acp/settings/prefs.ttl.hbs | 15 +++++++
 .../pod/acp/settings/privateTypeIndex.ttl.hbs | 4 ++
 .../pod/acp/settings/publicTypeIndex.ttl.acr | 18 +++++++++
 .../pod/acp/settings/publicTypeIndex.ttl.hbs | 4 ++
 12 files changed, 194 insertions(+)
 create mode 100644 templates/pod/acp/.acr.hbs
 create mode 100644 templates/pod/acp/.meta
 create mode 100644 templates/pod/acp/README$.md.hbs
 create mode 100644 templates/pod/acp/README.acr
 create mode 100644 templates/pod/acp/profile/card$.ttl.hbs
 create mode 100644 templates/pod/acp/profile/card.acr
 create mode 100644 templates/pod/acp/public/.acr
 create mode 100644 templates/pod/acp/robots.txt
 create mode 100644 templates/pod/acp/settings/prefs.ttl.hbs
 create mode 100644 templates/pod/acp/settings/privateTypeIndex.ttl.hbs
 create mode 100644 templates/pod/acp/settings/publicTypeIndex.ttl.acr
 create mode 100644 templates/pod/acp/settings/publicTypeIndex.ttl.hbs
diff --git a/templates/pod/acp/.acr.hbs b/templates/pod/acp/.acr.hbs
new file mode 100644
index 0000000..d699726
--- /dev/null
+++ b/templates/pod/acp/.acr.hbs
@@ -0,0 +1,39 @@
+# Root ACR for the agent account
+@prefix acl: .
+@prefix acp: .
+
+# The owner has full access to every resource in their pod.
+# Other agents have no access rights,
+# unless specifically authorized in other ACRs.
+<#root>
+ a acp:AccessControlResource;
+ # Set the access to the root storage folder itself
+ acp:resource <./>;
+ # The homepage is readable by the public
+ acp:accessControl <#fullOwnerAccess>, <#publicReadAccess>;
+ # All resources will inherit this authorization
+ acp:memberAccessControl <#fullOwnerAccess>.
+
+# The public only has read access
+<#publicReadAccess>
+ a acp:AccessControl;
+ acp:apply [
+ a acp:Policy;
+ acp:allow acl:Read;
+ acp:anyOf [
+ a acp:Matcher;
+ acp:agent acp:PublicAgent
+ ]
+ ].
+
+# The owner has all of the access modes allowed
+<#fullOwnerAccess>
+ a acp:AccessControl;
+ acp:apply [
+ a acp:Policy;
+ acp:allow acl:Read, acl:Write, acl:Control;
+ acp:anyOf [
+ a acp:Matcher;
+ acp:agent <{{webId}}>
+ ]
+ ].
diff --git a/templates/pod/acp/.meta b/templates/pod/acp/.meta
new file mode 100644
index 0000000..5ecce5e
--- /dev/null
+++ b/templates/pod/acp/.meta
@@ -0,0 +1,3 @@
+@prefix pim: .
+
+<> a pim:Storage.
diff --git a/templates/pod/acp/README$.md.hbs b/templates/pod/acp/README$.md.hbs
new file mode 100644
index 0000000..19ace8a
--- /dev/null
+++ b/templates/pod/acp/README$.md.hbs
@@ -0,0 +1,22 @@
+# Welcome to your pod
+
+## A place to store your data
+Your pod is a **secure storage space** for your documents and data.
+
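Review bot: `acp:accessControl <#fullOwnerAccess>, <#publicReadAccess>` on `<#root>` makes the root container `<./>` itself readable by `acp:PublicAgent`, which presumably lets anonymous agents list the pod's top-level names; the comment above it says "The homepage is readable by the public", but the README already gets its own public grant in README.acr in this same series. If only the README is meant to be public, drop `<#publicReadAccess>` from the root's `acp:accessControl`; if the listing is intentionally public, say so in the comment, e.g. `# The root container (and its listing) is readable by the public`. `acp:memberAccessControl` correctly carries only `<#fullOwnerAccess>`, so the public grant does not propagate to children, which is worth stating next to the "All resources will inherit" comment since it currently reads as if it covered both access controls.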
+You can choose to share those with other people and apps.
+
+As the owner of this pod,
+identified by {{webId}},
+you have access to all of your documents.
+
+## Working with your pod
+The easiest way to interact with pods
+is through Solid apps.
+
+For example,
+you can open your pod in [Databrowser](https://solidos.github.io/mashlib/dist/browse.html?uri={{podBaseUrl}}).
+
+## Learn more
+The [Solid website](https://solidproject.org/)
+and the people on its [forum](https://forum.solidproject.org/)
+will be glad to help you on your journey.
diff --git a/templates/pod/acp/README.acr b/templates/pod/acp/README.acr
new file mode 100644
index 0000000..be3fdd8
--- /dev/null
+++ b/templates/pod/acp/README.acr
@@ -0,0 +1,18 @@
+@prefix acl: .
+@prefix acp: .
+
+<#card>
+ a acp:AccessControlResource;
+ acp:resource <./README>;
+ acp:accessControl <#publicReadAccess>.
+
+<#publicReadAccess>
+ a acp:AccessControl;
+ acp:apply [
+ a acp:Policy;
+ acp:allow acl:Read;
+ acp:anyOf [
+ a acp:Matcher;
+ acp:agent acp:PublicAgent
+ ]
+ ].
diff --git a/templates/pod/acp/profile/card$.ttl.hbs b/templates/pod/acp/profile/card$.ttl.hbs
new file mode 100644
index 0000000..9f8e355
--- /dev/null
+++ b/templates/pod/acp/profile/card$.ttl.hbs
@@ -0,0 +1,18 @@
+@prefix foaf: .
+@prefix solid: .
+@prefix space: .
+@prefix ldp: .
+<>
+ a foaf:PersonalProfileDocument;
+ foaf:maker <{{webId}}>;
+ foaf:primaryTopic <{{webId}}>.
+
+<{{webId}}>
+ {{#if name}}foaf:name "{{name}}";{{/if}}
+ space:storage <../>;
+ ldp:inbox <../inbox/>;
+ space:preferencesFile <../settings/prefs.ttl>;
+ solid:privateTypeIndex <../settings/privateTypeIndex.ttl>;
+ solid:publicTypeIndex <../settings/publicTypeIndex.ttl>;
+ {{#if oidcIssuer}}solid:oidcIssuer <{{oidcIssuer}}>;{{/if}}
+ a foaf:Person.
diff --git a/templates/pod/acp/profile/card.acr b/templates/pod/acp/profile/card.acr
new file mode 100644
index 0000000..5febf64
--- /dev/null
+++ b/templates/pod/acp/profile/card.acr
@@ -0,0 +1,22 @@
+# ACR for the WebID profile document
+@prefix acl: .
+@prefix acp: .
+
+# The WebID profile is readable by the public.
+# This is required for discovery and verification,
+# e.g. when checking identity providers.
+<#card>
+ a acp:AccessControlResource;
+ acp:resource <./card>;
+ acp:accessControl <#publicReadAccess>.
+
+<#publicReadAccess>
+ a acp:AccessControl;
+ acp:apply [
+ a acp:Policy;
+ acp:allow acl:Read;
+ acp:anyOf [
+ a acp:Matcher;
+ acp:agent acp:PublicAgent
+ ]
+ ].
diff --git a/templates/pod/acp/public/.acr b/templates/pod/acp/public/.acr
new file mode 100644
index 0000000..757e97a
--- /dev/null
+++ b/templates/pod/acp/public/.acr
@@ -0,0 +1,28 @@
+# Root ACR for the agent account
+@prefix acl: .
+@prefix acp: .
+
+# The owner has full access to every resource in their pod.
+# Other agents have no access rights,
+# unless specifically authorized in other ACRs.
+<#root>
+ a acp:AccessControlResource;
+ # Set the access to the root storage folder itself
+ acp:resource <./>;
+ # The homepage is readable by the public
+ acp:accessControl <#publicReadAccess>;
+ # All resources will inherit this authorization
+ acp:memberAccessControl <#publicReadAccess>.
+
+# The public has read access to anything under this folder
+<#publicReadAccess>
+ a acp:AccessControl;
+ acp:apply [
+ a acp:Policy;
+ acp:allow acl:Read;
+ acp:anyOf [
+ a acp:Matcher;
+ acp:agent acp:PublicAgent
+ ]
+ ].
+
diff --git a/templates/pod/acp/robots.txt b/templates/pod/acp/robots.txt
new file mode 100644
index 0000000..7b5fefd
--- /dev/null
+++ b/templates/pod/acp/robots.txt
@@ -0,0 +1,3 @@
+User-agent: *
+# Allow all crawling (subject to ACLs as usual, of course)
+Disallow:
diff --git a/templates/pod/acp/settings/prefs.ttl.hbs b/templates/pod/acp/settings/prefs.ttl.hbs
new file mode 100644
index 0000000..92d0fde
--- /dev/null
+++ b/templates/pod/acp/settings/prefs.ttl.hbs
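Review bot: The header comments in public/.acr are copied from the root ACR and describe the wrong file: `# Root ACR for the agent account`, `# The owner has full access to every resource in their pod.` and `# The homepage is readable by the public` do not match a folder whose only policy is anonymous read, and `<#root>` is a misleading subject name for the same reason. Suggest replacing the header with `# ACR for the public/ folder: everything in it is readable by anyone` and renaming `<#root>` to `<#public>` in both places it appears. It would also help a reader of this file alone to note that no owner policy is declared here and that the owner's Read/Write/Control presumably arrives through the root ACR's `acp:memberAccessControl`, otherwise the file reads as if the owner cannot write to public/.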
@@ -0,0 +1,15 @@
+@prefix dct: .
+@prefix pim: .
+@prefix foaf: .
+@prefix solid: .
+
+<>
+ a pim:ConfigurationFile;
+
+ dct:title "Preferences file" .
+
+{{#if email}}<{{webId}}> foaf:mbox <{{email}}> .{{/if}}
+
+<{{webId}}>
+ solid:publicTypeIndex ;
+ solid:privateTypeIndex .
diff --git a/templates/pod/acp/settings/privateTypeIndex.ttl.hbs b/templates/pod/acp/settings/privateTypeIndex.ttl.hbs
new file mode 100644
index 0000000..b6fee77
--- /dev/null
+++ b/templates/pod/acp/settings/privateTypeIndex.ttl.hbs
@@ -0,0 +1,4 @@
+@prefix solid: .
+<>
+ a solid:TypeIndex ;
+ a solid:UnlistedDocument.
diff --git a/templates/pod/acp/settings/publicTypeIndex.ttl.acr b/templates/pod/acp/settings/publicTypeIndex.ttl.acr
new file mode 100644
index 0000000..be3fdd8
--- /dev/null
+++ b/templates/pod/acp/settings/publicTypeIndex.ttl.acr
@@ -0,0 +1,18 @@
+@prefix acl: .
+@prefix acp: .
+
+<#card>
+ a acp:AccessControlResource;
+ acp:resource <./README>;
+ acp:accessControl <#publicReadAccess>.
+
+<#publicReadAccess>
+ a acp:AccessControl;
+ acp:apply [
+ a acp:Policy;
+ acp:allow acl:Read;
+ acp:anyOf [
+ a acp:Matcher;
+ acp:agent acp:PublicAgent
+ ]
+ ].
diff --git a/templates/pod/acp/settings/publicTypeIndex.ttl.hbs b/templates/pod/acp/settings/publicTypeIndex.ttl.hbs
new file mode 100644
index 0000000..4334862
--- /dev/null
+++ b/templates/pod/acp/settings/publicTypeIndex.ttl.hbs
@@ -0,0 +1,4 @@
+@prefix solid: .
+<>
+ a solid:TypeIndex ;
+ a solid:ListedDocument.
From f1b3e3bc1c256f74da9e6f3b701131c0dd80f3fa Mon Sep 17 00:00:00 2001
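Review bot: `acp:resource <./README>` in settings/publicTypeIndex.ttl.acr names a resource that does not exist under settings/; the file is a verbatim copy of README.acr (both hunks carry blob index be3fdd8), so the public-read policy is attached to the wrong resource and, as far as I can tell from how an ACR is matched to its resource, the public type index would stay owner-only instead of being readable by anyone. Change the line to `acp:resource <./publicTypeIndex.ttl>;` and rename the subject from `<#card>` to something like `<#publicTypeIndex>` (README.acr's `<#card>` could likewise become `<#readme>`). This fails closed, so it is a discovery bug rather than an exposure, but it silently defeats the point of a `solid:ListedDocument` type index.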
From: Michiel de Jong
Date: Mon, 27 Jan 2025 14:03:22 +0100
Subject: [PATCH 2/2] hard code choice of launcher app
FIXME: it seems from https://github.com/CommunitySolidServer/CommunitySolidServer/blob/main/documentation/markdown/usage/seeding-pods.md that in `--seedConfig` you can add custom template variables when seeding a pod, but in https://github.com/CommunitySolidServer/CommunitySolidServer/blob/7baa9e68ab83ef10bc565afb577b5a502003d670/test/unit/identity/interaction/pod/util/BasePodCreator.test.ts#L56-L58 it seems that the only template variables that exist for allowing end-users to create pods are `base.path`, `webId` and `oidcIssuer`. So AFAICS the only way to specify a default clientId here is to hard-code it in this file here.
---
 templates/pod/acp/.acr.hbs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/templates/pod/acp/.acr.hbs b/templates/pod/acp/.acr.hbs
index d699726..1286b7b 100644
--- a/templates/pod/acp/.acr.hbs
+++ b/templates/pod/acp/.acr.hbs
@@ -32,8 +32,9 @@
 acp:apply [
 a acp:Policy;
 acp:allow acl:Read, acl:Write, acl:Control;
- acp:anyOf [
+ acp:allOf [
 a acp:Matcher;
 acp:agent <{{webId}}>
+ acp:client
 ]
 ].
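Review bot: The added `acp:client …` line follows the unchanged context line `acp:agent <{{webId}}>`, which has no terminating `;`, so the matcher blank node is no longer valid Turtle (two predicate-object pairs need a `;` between them) and the whole root ACR would presumably fail to parse; the context line needs to become `acp:agent <{{webId}}>;`. Beyond the syntax, putting `acp:client` into the same matcher as the owner's WebID means `<#fullOwnerAccess>` now grants Read/Write/Control only when the owner acts through that one hard-coded client, and since it is the only policy naming the owner in this ACR, the owner using any other app — including the Databrowser the README in this series links to — gets no access at all and has no way to edit the ACR to recover. The `acp:anyOf`→`acp:allOf` switch changes nothing with a single matcher, so it does not mitigate this. Consider keeping a second, WebID-only matcher in a separate policy (at least for `acl:Control`) so that a wrong or unreachable client id cannot lock the owner out of their own pod, and record the hard-coded client id and the FIXME from the commit message in the file's header comment so the next maintainer knows why it is there.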