feat: Support acl authorization for IDP components

Configuration has been updated so the IDP requests
also pass through an Authorization component.
A new config option was added to choose
which authorization scheme to use for the IDP.

config/default.json

@@ -8,6 +8,7 @@
     "files-scs:config/http/middleware/websockets.json",
     "files-scs:config/http/server-factory/websockets.json",
     "files-scs:config/http/static/default.json",
+    "files-scs:config/identity/access/public.json",
     "files-scs:config/identity/email/default.json",
     "files-scs:config/identity/handler/default.json",
     "files-scs:config/identity/ownership/token.json",

config/dynamic.json

@@ -8,6 +8,7 @@
     "files-scs:config/http/middleware/websockets.json",
     "files-scs:config/http/server-factory/websockets.json",
     "files-scs:config/http/static/default.json",
+    "files-scs:config/identity/access/public.json",
     "files-scs:config/identity/email/default.json",
     "files-scs:config/identity/handler/default.json",
     "files-scs:config/identity/ownership/token.json",

config/example-https-file.json

@@ -8,6 +8,7 @@
     "files-scs:config/http/middleware/websockets.json",
 
     "files-scs:config/http/static/default.json",
+    "files-scs:config/identity/access/public.json",
     "files-scs:config/identity/email/default.json",
     "files-scs:config/identity/handler/default.json",
     "files-scs:config/identity/ownership/token.json",

config/file-no-setup.json

@@ -8,6 +8,7 @@
     "files-scs:config/http/middleware/websockets.json",
     "files-scs:config/http/server-factory/websockets.json",
     "files-scs:config/http/static/default.json",
+    "files-scs:config/identity/access/public.json",
     "files-scs:config/identity/email/default.json",
     "files-scs:config/identity/handler/default.json",
     "files-scs:config/identity/ownership/token.json",

config/file.json

@@ -8,6 +8,7 @@
     "files-scs:config/http/middleware/websockets.json",
     "files-scs:config/http/server-factory/websockets.json",
     "files-scs:config/http/static/default.json",
+    "files-scs:config/identity/access/public.json",
     "files-scs:config/identity/email/default.json",
     "files-scs:config/identity/handler/default.json",
     "files-scs:config/identity/ownership/token.json",

config/http/handler/default.json

@@ -15,6 +15,7 @@
           "handlers": [
             { "@id": "urn:solid-server:default:StaticAssetHandler" },
             { "@id": "urn:solid-server:default:SetupHandler" },
+            { "@id": "urn:solid-server:default:AuthResourceHttpHandler" },
             { "@id": "urn:solid-server:default:IdentityProviderHandler" },
             { "@id": "urn:solid-server:default:LdpHandler" }
           ]

config/identity/README.md

@@ -1,6 +1,16 @@
 # Identity
 Options related to the Identity Provider.
 
+## Access
+Determines how publicly accessible some IDP features are.
+* *public*: Everything is publicly accessible.
+* *restricted*: The IDP components use the same authorization scheme as the main LDP component.
+  For example, if the server uses WebACL authorization and the registration endpoint is `/idp/register/`,
+  access to registration can be restricted by creating a valid `/idp/register/.acl` resource.
+  WARNING: This setting will write the necessary resources to the `.well-known` and IDP containers
+  to make this work. Again in the case of WebACL, this means ACL resources allowing full control access.
+  So make sure to update those two containers so only the correct credentials have the correct rights.
+
 ## Email
 Necessary for sending e-mail when using IDP.
 * *default*: Disables e-mail functionality.

config/identity/access/initializers/idp.json

@@ -0,0 +1,27 @@
+{
+  "@context": "https://linkedsoftwaredependencies.org/bundles/npm/@solid/community-server/^1.0.0/components/context.jsonld",
+  "@graph": [
+    {
+      "comment": "Makes sure the IDP container has the necessary root resources.",
+      "@id": "urn:solid-server:default:IdpContainerInitializer",
+      "@type": "ConditionalHandler",
+      "storageKey": "idpContainerInitialized",
+      "storageValue": true,
+      "storage": { "@id": "urn:solid-server:default:SetupStorage" },
+      "source": {
+        "@type": "ContainerInitializer",
+        "args_baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" },
+        "args_path": "/idp/",
+        "args_store": { "@id": "urn:solid-server:default:ResourceStore" },
+        "args_generator": {
+          "@type": "TemplatedResourcesGenerator",
+          "templateFolder": "@css:templates/root/empty",
+          "factory": { "@type": "ExtensionBasedMapperFactory" },
+          "templateEngine": { "@type": "HandlebarsTemplateEngine" }
+        },
+        "args_storageKey": "idpContainerInitialized",
+        "args_storage": { "@id": "urn:solid-server:default:SetupStorage" }
+      }
+    }
+  ]
+}

config/identity/access/initializers/well-known.json

@@ -0,0 +1,27 @@
+{
+  "@context": "https://linkedsoftwaredependencies.org/bundles/npm/@solid/community-server/^1.0.0/components/context.jsonld",
+  "@graph": [
+    {
+      "comment": "Makes sure the .well-known container has the necessary root resources. Some IDP resources are stored there due to OIDC requirements.",
+      "@id": "urn:solid-server:default:WellKnownContainerInitializer",
+      "@type": "ConditionalHandler",
+      "storageKey": "wellKnownContainerInitialized",
+      "storageValue": true,
+      "storage": { "@id": "urn:solid-server:default:SetupStorage" },
+      "source": {
+        "@type": "ContainerInitializer",
+        "args_baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" },
+        "args_path": "/.well-known/",
+        "args_store": { "@id": "urn:solid-server:default:ResourceStore" },
+        "args_generator": {
+          "@type": "TemplatedResourcesGenerator",
+          "templateFolder": "@css:templates/root/empty",
+          "factory": { "@type": "ExtensionBasedMapperFactory" },
+          "templateEngine": { "@type": "HandlebarsTemplateEngine" }
+        },
+        "args_storageKey": "wellKnownContainerInitialized",
+        "args_storage": { "@id": "urn:solid-server:default:SetupStorage" }
+      }
+    }
+  ]
+}

config/identity/access/public.json

@@ -0,0 +1,13 @@
+{
+  "@context": "https://linkedsoftwaredependencies.org/bundles/npm/@solid/community-server/^1.0.0/components/context.jsonld",
+  "@graph": [
+    {
+      "comment": "Allow everyone to register new pods.",
+      "@id": "urn:solid-server:default:IdentityProviderAuthorizingHandler",
+      "AuthorizingHttpHandler:_args_permissionReader": {
+        "@type": "AllStaticReader",
+        "allow": true
+      }
+    }
+  ]
+}

config/identity/access/restricted.json

@@ -0,0 +1,22 @@
+{
+  "@context": "https://linkedsoftwaredependencies.org/bundles/npm/@solid/community-server/^1.0.0/components/context.jsonld",
+  "import": [
+    "files-scs:config/identity/access/initializers/idp.json",
+    "files-scs:config/identity/access/initializers/well-known.json"
+  ],
+  "@graph": [
+    {
+      "comment": "Use the same authorization for IDP components as is used for LDP, such that for instance registration can be restricted to certain agents.",
+      "@id": "urn:solid-server:default:IdentityProviderAuthorizingHandler",
+      "AuthorizingHttpHandler:_args_permissionReader": { "@id": "urn:solid-server:default:PermissionReader" }
+    },
+    {
+      "comment": "IDP-related containers require initialized resources to support authorization.",
+      "@id": "urn:solid-server:default:ParallelInitializer",
+      "ParallelHandler:_handlers": [
+        { "@id": "urn:solid-server:default:IdpContainerInitializer" },
+        { "@id": "urn:solid-server:default:WellKnownContainerInitializer" }
+      ]
+    }
+  ]
+}

config/identity/handler/default.json

@@ -18,26 +18,37 @@
       "args_handler": { "@id": "urn:solid-server:default:IdentityProviderParsingHandler" }
     },
     {
+      "comment": "Handles IDP input parsing.",
       "@id": "urn:solid-server:default:IdentityProviderParsingHandler",
       "@type": "ParsingHttpHandler",
       "args_requestParser": { "@id": "urn:solid-server:default:RequestParser" },
       "args_metadataCollector": { "@id": "urn:solid-server:default:OperationMetadataCollector" },
       "args_errorHandler": { "@id": "urn:solid-server:default:ErrorHandler" },
       "args_responseWriter": { "@id": "urn:solid-server:default:ResponseWriter" },
       "args_operationHandler": {
-        "@id": "urn:solid-server:default:IdentityProviderHttpHandler",
-        "@type": "IdentityProviderHttpHandler",
-        "args_baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" },
-        "args_idpPath": "/idp",
-        "args_providerFactory": { "@id": "urn:solid-server:default:IdentityProviderFactory" },
-        "args_converter": { "@id": "urn:solid-server:default:RepresentationConverter" },
-        "args_interactionCompleter": {
-          "comment": "Responsible for finishing OIDC interactions.",
-          "@type": "InteractionCompleter",
-          "providerFactory": { "@id": "urn:solid-server:default:IdentityProviderFactory" }
-        },
-        "args_errorHandler": { "@id": "urn:solid-server:default:ErrorHandler" }
+        "comment": "Handles IDP input authorization. Permission reader should be set to allow all if no authorization is needed.",
+        "@type": "AuthorizingHttpHandler",
+        "@id": "urn:solid-server:default:IdentityProviderAuthorizingHandler",
+        "args_credentialsExtractor": { "@id": "urn:solid-server:default:CredentialsExtractor" },
+        "args_modesExtractor": { "@id": "urn:solid-server:default:ModesExtractor" },
+        "args_authorizer": { "@id": "urn:solid-server:default:Authorizer" },
+        "args_operationHandler": { "@id": "urn:solid-server:default:IdentityProviderHttpHandler" }
       }
+    },
+    {
+      "comment": "Handles IDP handler behaviour.",
+      "@id": "urn:solid-server:default:IdentityProviderHttpHandler",
+      "@type": "IdentityProviderHttpHandler",
+      "args_baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" },
+      "args_idpPath": "/idp",
+      "args_providerFactory": { "@id": "urn:solid-server:default:IdentityProviderFactory" },
+      "args_converter": { "@id": "urn:solid-server:default:RepresentationConverter" },
+      "args_interactionCompleter": {
+        "comment": "Responsible for finishing OIDC interactions.",
+        "@type": "InteractionCompleter",
+        "providerFactory": { "@id": "urn:solid-server:default:IdentityProviderFactory" }
+      },
+      "args_errorHandler": { "@id": "urn:solid-server:default:ErrorHandler" }
     }
   ]
 }

config/identity/handler/interaction/routes/forgot-password.json

@@ -5,7 +5,7 @@
       "comment": "Handles all functionality on the forgot password page",
       "@id": "urn:solid-server:auth:password:ForgotPasswordRoute",
       "@type": "BasicInteractionRoute",
-      "route": "^/forgotpassword/?$",
+      "route": "^/forgotpassword/$",
       "viewTemplates": {
         "BasicInteractionRoute:_viewTemplates_key": "text/html",
         "BasicInteractionRoute:_viewTemplates_value": "@css:templates/identity/email-password/forgot-password.html.ejs"

config/identity/handler/interaction/routes/login.json

@@ -5,7 +5,7 @@
       "comment": "Handles all functionality on the Login Page",
       "@id": "urn:solid-server:auth:password:LoginRoute",
       "@type": "BasicInteractionRoute",
-      "route": "^/login/?$",
+      "route": "^/login/$",
       "prompt": "login",
       "viewTemplates": {
         "BasicInteractionRoute:_viewTemplates_key": "text/html",

config/identity/handler/interaction/routes/reset-password.json

@@ -6,7 +6,7 @@
       "comment": "Handles the reset password page submission",
       "@id": "urn:solid-server:auth:password:ResetPasswordRoute",
       "@type": "BasicInteractionRoute",
-      "route": "^/resetpassword(/[^/]*)?$",
+      "route": "^/resetpassword/[^/]*$",
       "viewTemplates": {
         "BasicInteractionRoute:_viewTemplates_key": "text/html",
         "BasicInteractionRoute:_viewTemplates_value": "@css:templates/identity/email-password/reset-password.html.ejs"

config/identity/handler/interaction/routes/session.json

@@ -5,7 +5,7 @@
       "comment": "Handles confirm requests",
       "@id": "urn:solid-server:auth:password:SessionRoute",
       "@type": "BasicInteractionRoute",
-      "route": "^/confirm/?$",
+      "route": "^/confirm/$",
       "prompt": "consent",
       "viewTemplates": {
         "BasicInteractionRoute:_viewTemplates_key": "text/html",

config/identity/registration/route/registration.json

@@ -5,7 +5,7 @@
       "comment": "Handles all functionality on the register page",
       "@id": "urn:solid-server:auth:password:RegistrationRoute",
       "@type": "BasicInteractionRoute",
-      "route": "^/register/?$",
+      "route": "^/register/$",
       "viewTemplates": {
         "BasicInteractionRoute:_viewTemplates_key": "text/html",
         "BasicInteractionRoute:_viewTemplates_value": "@css:templates/identity/email-password/register.html.ejs"

config/ldp/authentication/debug-auth-header.json

@@ -10,7 +10,7 @@
       "@type": "UnionCredentialsExtractor",
       "extractors": [
         { "@type": "UnsecureWebIdExtractor" },
-        { "@type": "EmptyCredentialsExtractor" }
+        { "@type": "PublicCredentialsExtractor" }
       ]
     }
   ]

config/ldp/authentication/debug-test-agent.json

@@ -13,7 +13,7 @@
           "@type": "UnsecureConstantCredentialsExtractor",
           "agent": "http://test.com/card#me"
         },
-        { "@type": "EmptyCredentialsExtractor" }
+        { "@type": "PublicCredentialsExtractor" }
       ]
     }
   ]

config/ldp/authentication/dpop-bearer.json

@@ -18,7 +18,7 @@
             { "@type": "BearerWebIdExtractor" }
           ]
         },
-        { "@type": "EmptyCredentialsExtractor" }
+        { "@type": "PublicCredentialsExtractor" }
       ]
     }
   ]

config/ldp/authorization/allow-all.json

@@ -9,6 +9,11 @@
       "@id": "urn:solid-server:default:PermissionReader",
       "@type": "AllStaticReader",
       "allow": true
+    },
+    {
+      "comment": "Everything is allowed, so there are no auth-specific resources.",
+      "@id": "urn:solid-server:default:AuthResourceHttpHandler",
+      "@type": "UnsupportedAsyncHandler"
     }
   ]
 }

config/ldp/authorization/webacl.json

@@ -25,6 +25,16 @@
         },
         { "@id": "urn:solid-server:default:WebAclReader" }
       ]
+    },
+    {
+      "comment": "In case of WebACL authorization the ACL resources determine authorization.",
+      "@id": "urn:solid-server:default:AuthResourceHttpHandler",
+      "@type": "RouterHandler",
+      "args_baseUrl": { "@id": "urn:solid-server:default:variable:baseUrl" },
+      "args_targetExtractor": { "@id": "urn:solid-server:default:TargetExtractor" },
+      "args_allowedMethods": [ "*" ],
+      "args_allowedPathNames": [ "^/.*\\.acl$" ],
+      "args_handler": { "@id": "urn:solid-server:default:LdpHandler" }
     }
   ]
 }

config/memory-subdomains.json

@@ -8,6 +8,7 @@
     "files-scs:config/http/middleware/websockets.json",
     "files-scs:config/http/server-factory/websockets.json",
     "files-scs:config/http/static/default.json",
+    "files-scs:config/identity/access/public.json",
     "files-scs:config/identity/email/default.json",
     "files-scs:config/identity/handler/default.json",
     "files-scs:config/identity/ownership/token.json",

config/path-routing.json

@@ -8,6 +8,7 @@
     "files-scs:config/http/middleware/websockets.json",
     "files-scs:config/http/server-factory/websockets.json",
     "files-scs:config/http/static/default.json",
+    "files-scs:config/identity/access/public.json",
     "files-scs:config/identity/email/default.json",
     "files-scs:config/identity/handler/default.json",
     "files-scs:config/identity/ownership/token.json",

config/restrict-idp.json

@@ -0,0 +1,42 @@
+{
+  "@context": "https://linkedsoftwaredependencies.org/bundles/npm/@solid/community-server/^1.0.0/components/context.jsonld",
+  "import": [
+    "files-scs:config/app/main/default.json",
+    "files-scs:config/app/init/default.json",
+    "files-scs:config/app/setup/disabled.json",
+    "files-scs:config/http/handler/default.json",
+    "files-scs:config/http/middleware/websockets.json",
+    "files-scs:config/http/server-factory/websockets.json",
+    "files-scs:config/http/static/default.json",
+    "files-scs:config/identity/access/restricted.json",
+    "files-scs:config/identity/email/default.json",
+    "files-scs:config/identity/handler/default.json",
+    "files-scs:config/identity/ownership/token.json",
+    "files-scs:config/identity/pod/static.json",
+    "files-scs:config/identity/registration/enabled.json",
+    "files-scs:config/ldp/authentication/dpop-bearer.json",
+    "files-scs:config/ldp/authorization/webacl.json",
+    "files-scs:config/ldp/handler/default.json",
+    "files-scs:config/ldp/metadata-parser/default.json",
+    "files-scs:config/ldp/metadata-writer/default.json",
+    "files-scs:config/ldp/modes/default.json",
+    "files-scs:config/storage/backend/file.json",
+    "files-scs:config/storage/key-value/resource-store.json",
+    "files-scs:config/storage/middleware/default.json",
+    "files-scs:config/util/auxiliary/acl.json",
+    "files-scs:config/util/identifiers/suffix.json",
+    "files-scs:config/util/index/default.json",
+    "files-scs:config/util/logging/winston.json",
+    "files-scs:config/util/representation-conversion/default.json",
+    "files-scs:config/util/resource-locker/memory.json",
+    "files-scs:config/util/variables/default.json"
+  ],
+  "@graph": [
+    {
+      "comment": [
+        "This server uses a file backend and allows restricting the access to IDP components using WebACL.",
+        "Make sure to read the documentation about the config/identity/access configuration."
+      ]
+    }
+  ]
+}

config/sparql-endpoint-no-setup.json

@@ -8,6 +8,7 @@
     "files-scs:config/http/middleware/websockets.json",
     "files-scs:config/http/server-factory/websockets.json",
     "files-scs:config/http/static/default.json",
+    "files-scs:config/identity/access/public.json",
     "files-scs:config/identity/email/default.json",
     "files-scs:config/identity/handler/default.json",
     "files-scs:config/identity/ownership/token.json",

config/sparql-endpoint.json

@@ -8,6 +8,7 @@
     "files-scs:config/http/middleware/websockets.json",
     "files-scs:config/http/server-factory/websockets.json",
     "files-scs:config/http/static/default.json",
+    "files-scs:config/identity/access/public.json",
     "files-scs:config/identity/email/default.json",
     "files-scs:config/identity/handler/default.json",
     "files-scs:config/identity/ownership/token.json",