Investigate 4 CSS v4.0.1 failures in create.test.ts #51

Closed
michielbdejong opened this issue Jun 13, 2022 · 10 comments

@michielbdejong

As reported by @mrvahedi68 - just reproduced it:

 FAIL  test/surface/create.test.ts (11.652 s)
  Create
    Using POST to existing container
      ✓ Is allowed with accessTo Append access (1263 ms)
      ✓ Is allowed with accessTo Write access (460 ms)
      ✓ Is disallowed otherwise (426 ms)
    Using PUT in existing container
      ✓ Is allowed with accessTo Write and default Write access (440 ms)
      ✓ Is allowed with accessTo Append and default Write access (421 ms)
      ✓ is disallowed without default Write (398 ms)
      ✓ is disallowed without accessTo Write or Append (403 ms)
    Using PATCH in existing container
      ✓ Is allowed with accessTo Write and default Write access (403 ms)
      ✓ Is allowed with accessTo Append and default Write access (373 ms)
      ✕ is disallowed without default Write (402 ms)
      ✓ is disallowed without accessTo Write or Append (401 ms)
    Using PUT in non-existing container
      ✓ Is allowed with accessTo Write and default Write access (388 ms)
      ✓ Is allowed with accessTo Append and default Write access (392 ms)
      ✓ is disallowed without default Write (383 ms)
      ✕ is disallowed without accessTo Write or Append (378 ms)
    Using PATCH in non-existing container
      ✓ Is allowed with accessTo Write and default Write access (390 ms)
      ✓ Is allowed with accessTo Append and default Write access (384 ms)
      ✕ is disallowed without default Write (360 ms)
      ✕ is disallowed without accessTo Write or Append (365 ms)

  ● Create › Using PATCH in existing container › is disallowed without default Write

    expect(received).toEqual(expected) // deep equality

    Expected: 403
    Received: 201

      365 |         "  solid:inserts { <#hello> <#linked> <#world> .}.\n",
      366 |       });
    > 367 |       expect(result.status).toEqual(403);
          |                             ^
      368 |     });
      369 | 
      370 |     it(`is disallowed without accessTo Write or Append`, async () => {

      at test/surface/create.test.ts:367:29
      at step (test/surface/create.test.ts:33:23)
      at Object.next (test/surface/create.test.ts:14:53)
      at fulfilled (test/surface/create.test.ts:5:58)

  ● Create › Using PUT in non-existing container › is disallowed without accessTo Write or Append

    expect(received).toEqual(expected) // deep equality

    Expected: 403
    Received: 201

      524 |         }
      525 |       });
    > 526 |       expect(result.status).toEqual(403);
          |                             ^
      527 |     });
      528 | 
      529 |   });

      at test/surface/create.test.ts:526:29
      at step (test/surface/create.test.ts:33:23)
      at Object.next (test/surface/create.test.ts:14:53)
      at fulfilled (test/surface/create.test.ts:5:58)
          at runMicrotasks (<anonymous>)

  ● Create › Using PATCH in non-existing container › is disallowed without default Write

    expect(received).toEqual(expected) // deep equality

    Expected: 403
    Received: 201

      625 |         "  solid:inserts { <#hello> <#linked> <#world> .}.\n",
      626 |       });
    > 627 |       expect(result.status).toEqual(403);
          |                             ^
      628 |     });
      629 | 
      630 |     it(`is disallowed without accessTo Write or Append`, async () => {

      at test/surface/create.test.ts:627:29
      at step (test/surface/create.test.ts:33:23)
      at Object.next (test/surface/create.test.ts:14:53)
      at fulfilled (test/surface/create.test.ts:5:58)
          at runMicrotasks (<anonymous>)

  ● Create › Using PATCH in non-existing container › is disallowed without accessTo Write or Append

    expect(received).toEqual(expected) // deep equality

    Expected: 403
    Received: 201

      658 |         "  solid:inserts { <#hello> <#linked> <#world> .}.\n",
      659 |       });
    > 660 |       expect(result.status).toEqual(403);
          |                             ^
      661 |     });
      662 |   });
      663 | });

      at test/surface/create.test.ts:660:29
      at step (test/surface/create.test.ts:33:23)
      at Object.next (test/surface/create.test.ts:14:53)
      at fulfilled (test/surface/create.test.ts:5:58)
          at runMicrotasks (<anonymous>)

Test Suites: 1 failed, 1 total
Tests:       4 failed, 15 passed, 19 total
Snapshots:   0 total
Time:        11.832 s, estimated 12 s
Ran all test suites matching /.\/test\/surface\/create.test.ts/i.
Test results written to: ../test-suite/CSS/wac-results.json
npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! web-access-control-tests@6.0.0 jest: `jest ./test/surface/create.test.ts "--verbose" "--json" "--outputFile=../test-suite/CSS/wac-results.json"`
npm ERR! Exit status 1
npm ERR! 
npm ERR! Failed at the web-access-control-tests@6.0.0 jest script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/michiel/.npm/_logs/2022-06-13T11_22_27_593Z-debug.log
@michielbdejong

Create -> Using PUT in non-existing container -> is disallowed without accessTo Write or Append seems to pass when run in isolation

@michielbdejong

Investigating Create › Using PATCH in existing container › is disallowed without default Write. This is the ACL:

SolidAuthFetcher curl -v -X 'PUT' -d '@prefix acl: <http://www.w3.org/ns/auth/acl#>.
  SolidAuthFetcher 
  SolidAuthFetcher <#alice> a acl:Authorization;
  SolidAuthFetcher   acl:agent <https://solidtestsuite.solidcommunity.net/profile/card#me>;
  SolidAuthFetcher   acl:accessTo <http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/>;
  SolidAuthFetcher   acl:default <http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/>;
  SolidAuthFetcher   acl:mode acl:Read, acl:Write, acl:Control.
  SolidAuthFetcher <#bobAccessTo> a acl:Authorization;
  SolidAuthFetcher   acl:agent <https://solid-crud-tests-example-2.solidcommunity.net/profile/card#me>;
  SolidAuthFetcher   acl:accessTo <http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/>;
  SolidAuthFetcher   acl:mode acl:Read, acl:Append, acl:Write, acl:Control.
  SolidAuthFetcher <#bobDefault> a acl:Authorization;
  SolidAuthFetcher   acl:agent <https://solid-crud-tests-example-2.solidcommunity.net/profile/card#me>;
  SolidAuthFetcher   acl:default <http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/>;
  SolidAuthFetcher   acl:mode acl:Read, acl:Append, acl:Control.
  SolidAuthFetcher ' -H 'Content-Type: text/turtle' -H 'authorization: DPoP <access token>' -H 'dpop: <DPoP proof>' http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/.acl +84ms

This is the request that the test thinks should be disallowed:

  SolidAuthFetcher curl -v -X 'PATCH' -d '@prefix solid: <http://www.w3.org/ns/solid/terms#>.
  SolidAuthFetcher <#patch> a solid:InsertDeletePatch;
  SolidAuthFetcher   solid:inserts { <#hello> <#linked> <#world> .}.
  SolidAuthFetcher ' -H 'Content-Type: text/n3' -H 'authorization: DPoP <access token>' -H 'dpop: <DPoP proof>' http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/new.txt +62ms

@michielbdejong

Edit line 32 of node_modules/@solid/access-token-verifier/dist/algorithm/verifyDpopProof.js to reproduce this:

curl -v -X 'PUT' -d @acl.ttl -H 'Content-Type: text/turtle' -H 'authorization: DPoP <access token>' -H 'dpop: <DPoP proof>' http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/.acl

curl -v -X 'PATCH' -d @patch.ttl -H 'Content-Type: text/n3' -H 'authorization: DPoP <access token>' -H 'dpop: <DPoP proof>' http://localhost:3000/web-access-control-tests-1655121303903/10/allOtherModes/new.txt

Just read the spec again and I think the CSS behaviour is correct here -> #52

@michielbdejong

Continuing with the access-to-append-suffice-to-create branch, now seeing 7 failures:

Create
    Using POST to existing container
      ✓ Is allowed with accessTo Append access (1383 ms)
      ✓ Is allowed with accessTo Write access (479 ms)
      ✓ Is disallowed otherwise (433 ms)
    Using PUT in existing container
      ✓ Is allowed with accessTo Write and default Write access (402 ms)
      ✕ Is allowed with accessTo Write and default Append access (401 ms)
      ✓ Is allowed with accessTo Append and default Write access (409 ms)
      ✕ Is allowed with accessTo Append and default Append access (386 ms)
      ✓ is disallowed without default Write or Append (391 ms)
      ✓ is disallowed without accessTo Write or Append (372 ms)
    Using PATCH in existing container
      ✓ Is allowed with accessTo Write and default Write access (384 ms)
      ✓ Is allowed with accessTo Write and default Append access (381 ms)
      ✓ Is allowed with accessTo Append and default Write access (393 ms)
      ✓ Is allowed with accessTo Append and default Append access (421 ms)
      ✓ is disallowed without default Write or Append (376 ms)
      ✓ is disallowed without accessTo Write or Append (363 ms)
    Using PUT in non-existing container
      ✓ Is allowed with accessTo Write and default Write access (362 ms)
      ✕ Is allowed with accessTo Write and default Append access (346 ms)
      ✕ Is allowed with accessTo Append and default Write access (330 ms)
      ✕ Is allowed with accessTo Append and default Append access (304 ms)
      ✓ is disallowed without default Write or Append (369 ms)
      ✕ is disallowed without accessTo Write or Append (368 ms)
    Using PATCH in non-existing container
      ✓ Is allowed with accessTo Write and default Write access (360 ms)
      ✓ Is allowed with accessTo Write and default Append access (399 ms)
      ✓ Is allowed with accessTo Append and default Write access (360 ms)
      ✓ Is allowed with accessTo Append and default Append access (358 ms)
      ✓ is disallowed without default Write or Append (356 ms)

Will test which of these fail when run in isolation

@michielbdejong

After clean up of test container names in the access-to-append-suffice-to-create branch, seeing:
● Create › Using PUT in existing container › Is allowed with accessTo Write and default Append access

● Create › Using PUT in existing container › Is allowed with accessTo Append and default Append access

● Create › Using PUT in non-existing container › is disallowed without accessTo Write or Append

● Create › Using PATCH in non-existing container › is disallowed without accessTo Write or Append

@michielbdejong

Created solid/web-access-control-spec#105 about those first two.

@michielbdejong

Save this as acl.ttl:

@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.

<#access-to-read> a acl:Authorization;
  acl:agentClass foaf:Agent;
  acl:accessTo <http://localhost:3000/>;
  acl:mode acl:Read.

<#default-read-write> a acl:Authorization;
  acl:agentClass foaf:Agent;
  acl:default <http://localhost:3000/>;
  acl:mode acl:Read, acl:Write.

And upload it to a newly started CSS v4.0.1 instance using:
curl -v -X PUT -H 'Content-Type: text/turtle' -T acl.ttl http://localhost:3000/.acl

Now try these commands:

curl -v -X PUT  -H 'Content-Type: text/plain' -d hello http://localhost:3000/test.txt
curl -v -X PUT  -H 'Content-Type: text/plain' -d hello http://localhost:3000/nested/test.txt

The first will give a 401, the second a 201. And indeed, if you then run curl http://localhost:3000/ you will see that although the creation of /test.txt was blocked correctly, the creation of a /nested folder in the pod root was not prevented:

@prefix dc: <http://purl.org/dc/terms/>.
@prefix ldp: <http://www.w3.org/ns/ldp#>.
@prefix posix: <http://www.w3.org/ns/posix/stat#>.
@prefix xsd: <http://www.w3.org/2001/XMLSchema#>.

<> a <http://www.w3.org/ns/pim/space#Storage>, ldp:Container, ldp:BasicContainer, ldp:Resource;
    dc:modified "2022-06-13T13:51:47.000Z"^^xsd:dateTime;
    <http://www.w3.org/ns/auth/acl#accessControl> <.acl>;
    ldp:contains <index.html>, <nested/>.

@michielbdejong

OK, so to conclude, we found that CSS v4.0.1 passes all known tests for Solid spec v0.9, except:

1) Folder create permissions for "mkdir -p" not enforced? #1339

Environment

CSS v4.0.1, node v12.19.1, npm v6.14.8

Description

Save this as acl.ttl which gives any agent read-only access to the server root, and read-write access to any contained resources:

@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.

<#access-to-read> a acl:Authorization;
  acl:agentClass foaf:Agent;
  acl:accessTo <http://localhost:3000/>;
  acl:mode acl:Read.

<#default-read-write> a acl:Authorization;
  acl:agentClass foaf:Agent;
  acl:default <http://localhost:3000/>;
  acl:mode acl:Read, acl:Write.

And upload it to a newly started CSS v4.0.1 instance using:
curl -v -X PUT -H 'Content-Type: text/turtle' -T acl.ttl http://localhost:3000/.acl

Now try these commands:

curl -v -X PUT  -H 'Content-Type: text/plain' -d hello http://localhost:3000/test.txt
curl -v -X PUT  -H 'Content-Type: text/plain' -d hello http://localhost:3000/nested/test.txt

The first will give a 401, the second a 201. And indeed, if you then run curl http://localhost:3000/ you will see that although the creation of /test.txt was blocked correctly, the creation of a /nested folder in the pod root was not prevented:

@prefix dc: <http://purl.org/dc/terms/>.
@prefix ldp: <http://www.w3.org/ns/ldp#>.
@prefix posix: <http://www.w3.org/ns/posix/stat#>.
@prefix xsd: <http://www.w3.org/2001/XMLSchema#>.

<> a <http://www.w3.org/ns/pim/space#Storage>, ldp:Container, ldp:BasicContainer, ldp:Resource;
    dc:modified "2022-06-13T13:51:47.000Z"^^xsd:dateTime;
    <http://www.w3.org/ns/auth/acl#accessControl> <.acl>;
    ldp:contains <index.html>, <nested/>.

However, the spec says that creating that nested/ folder should have required Write or Append on /. Is WAC not enforced for the "mkdir -p" behaviour of creating nested folders?

2) Permissions for create differ between PUT and PATCH #1340

Environment

CSS v4.0.1, node v12.19.1, npm v6.14.8

Description

Save this file as acl.ttl:

@prefix acl: <http://www.w3.org/ns/auth/acl#>.
@prefix foaf: <http://xmlns.com/foaf/0.1/>.

<#read-append> a acl:Authorization;
  acl:agentClass foaf:Agent;
  acl:accessTo <http://localhost:3000/>;
  acl:default <http://localhost:3000/>;
  acl:mode acl:Read, acl:Append.

Upload it to http://localhost:3000/.acl by doing:

curl -v -X PUT -H 'Content-Type: text/turtle' -T acl.ttl http://localhost:3000/.acl

Now save this as patch.n3:

@prefix solid: <http://www.w3.org/ns/solid/terms#>.
<#patch> a solid:InsertDeletePatch;
  solid:inserts { <#hello> <#linked> <#world> .}.

and run the following two curl commands:

curl -X PUT -d '<#hello> <#linked> <#world>.' -H 'Content-Type: text/turtle' http://localhost:3000/with-put.ttl
curl -X PATCH -T patch.n3 -H 'Content-Type: text/n3' http://localhost:3000/with-patch.ttl

You will see the first one results in a 401, the second one in a 201, and indeed when you do curl http://localhost:3000/ you see /with-patch.ttl was created and /with-put.ttl was not:

[...]
    ldp:contains <index.html>, <with-patch.ttl>.

And with curl http://localhost:3000/with-patch.ttl you can see the contents:

<#hello> <#linked> <#world>.

Why is this different depending on the verb?

See also solid/web-access-control-spec#105.

3) the optional concurrency tests

These are not actually part of the requirements, so that's fine.
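
The check that item 1 above reports as not enforced, written out as an added example (this is not CSS or test-suite code). It assumes a single ACL document at the storage root that applies to every agent, and it requires Write on the new resource plus Append or Write on each container that gains a child, following the test names in create.test.ts. The `parentOnly` flag is a hypothetical model that merely reproduces the responses observed above; it is not taken from the CSS source.

```javascript
// Constructed from the acl.ttl in item 1: the root itself is read-only
// (accessTo), everything below it inherits Read + Write (default).
const ROOT = 'http://localhost:3000/';
const ACL_1339 = [
  { accessTo: ROOT, modes: ['Read'] },
  { default: ROOT, modes: ['Read', 'Write'] },
];
// Containers that exist on a freshly started server (assumption: only the root).
const EXISTING = new Set([ROOT]);

// accessTo rules match the resource itself; default rules match
// resources strictly below the container they are attached to.
function grantedModes(acl, url) {
  const modes = new Set();
  for (const rule of acl) {
    const direct = rule.accessTo === url;
    const inherited = rule.default !== undefined &&
      url !== rule.default && url.startsWith(rule.default);
    if (direct || inherited) rule.modes.forEach((m) => modes.add(m));
  }
  return modes;
}

function parentOf(url) {
  const trimmed = url.endsWith('/') ? url.slice(0, -1) : url;
  return trimmed.slice(0, trimmed.lastIndexOf('/') + 1);
}

// Every permission a PUT that creates `target` depends on. Missing
// intermediate containers are creations too ("mkdir -p"), so the walk
// continues upward until it reaches a container that already exists.
function createChecks(target, existing, parentOnly = false) {
  const checks = [{ resource: target, anyOf: ['Write'] }];
  let child = target;
  for (;;) {
    const parent = parentOf(child);
    if (!parent.startsWith(ROOT)) throw new Error('target is outside the storage');
    checks.push({ resource: parent, anyOf: ['Append', 'Write'] });
    if (parentOnly || existing.has(parent)) return checks;
    child = parent; // the parent is missing as well and must be created
  }
}

function authorizeCreate(acl, target, existing, parentOnly = false) {
  const failed = createChecks(target, existing, parentOnly)
    .filter((c) => !c.anyOf.some((m) => grantedModes(acl, c.resource).has(m)))
    .map((c) => c.resource);
  return { allowed: failed.length === 0, failed };
}

for (const path of ['test.txt', 'nested/test.txt']) {
  const full = authorizeCreate(ACL_1339, ROOT + path, EXISTING);
  const flawed = authorizeCreate(ACL_1339, ROOT + path, EXISTING, true);
  console.log(`PUT /${path}: full walk allowed=${full.allowed}, ` +
    `nearest parent only allowed=${flawed.allowed}`);
}
```

With the full walk both PUTs are refused because `/` grants only Read; checking the nearest parent alone lets `/nested/test.txt` through, which matches the 201 reported above.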
