Merge pull request #984 from rubensworks/fix/missing-root-acl

Fix/missing root acl

Author: kjetilk

default-templates/server/.acl

@@ -0,0 +1,10 @@
+# Root ACL resource for the root
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+<#public>
+    a acl:Authorization;
+    acl:agentClass foaf:Agent;  # everyone
+    acl:accessTo </>;
+    acl:default </common/>;
+    acl:mode acl:Read.

lib/handlers/get.js

@@ -24,8 +24,6 @@ async function handler (req, res, next) {
   const path = res.locals.path || req.path
   const requestedType = negotiator.mediaType()
   let possibleRDFType = negotiator.mediaType(RDFs)
-  // Fallback to text/turtle if content type is unknown
-  possibleRDFType = (!possibleRDFType) ? 'text/turtle' : possibleRDFType
 
   res.header('MS-Author-Via', 'SPARQL')
 

lib/server-config.js

@@ -55,6 +55,13 @@ async function ensureWelcomePage (argv) {
       serverVersion: packageData.version
     })
   }
+
+  // Ensure that the root .acl file exists,
+  // because this was not mandatory in before 5.0.0
+  const existingRootAcl = path.join(serverRootDir, '.acl')
+  if (!fs.existsSync(existingRootAcl)) {
+    await fsUtils.copyTemplateDir(path.join(templates.server, '.acl'), existingRootAcl)
+  }
 }
 
 /**
@@ -118,6 +125,13 @@ function initTemplateDirs (configPath) {
     path.join(configPath, 'templates', 'server')
   )
 
+  // Ensure that the root .acl file exists,
+  // because this was not mandatory in before 5.0.0
+  ensureDirCopyExists(
+    path.join(__dirname, '../default-templates/server/.acl'),
+    path.join(configPath, 'templates', 'server', '.acl')
+  )
+
   return {
     account: accountTemplatePath,
     email: emailTemplatesPath,

test/integration/account-creation-oidc-test.js

@@ -250,10 +250,10 @@ describe('Single User signup page', () => {
     fs.removeSync(rootDir)
   })
 
-  it('should return a 401 unauthorized without accept text/html', done => {
+  it('should return a 406 not acceptable without accept text/html', done => {
     server.get('/')
       .set('accept', 'text/plain')
-      .expect(401)
+      .expect(406)
       .end(done)
   })
 })

test/integration/acl-tls-test.js

@@ -89,6 +89,7 @@ describe('ACL with WebID+TLS', function () {
 
   describe('no ACL', function () {
     it('should return 500 for any resource', function (done) {
+      rm('.acl')
       var options = createOptions('/acl-tls/no-acl/', 'user1')
       request(options, function (error, response, body) {
         assert.equal(error, null)
@@ -98,6 +99,7 @@ describe('ACL with WebID+TLS', function () {
     })
 
     it('should have `User` set in the Response Header', function (done) {
+      rm('.acl')
       var options = createOptions('/acl-tls/no-acl/', 'user1')
       request(options, function (error, response, body) {
         assert.equal(error, null)
@@ -107,6 +109,7 @@ describe('ACL with WebID+TLS', function () {
     })
 
     it.skip('should return a 401 and WWW-Authenticate header without credentials', (done) => {
+      rm('.acl')
       let options = {
         url: address + '/acl-tls/no-acl/',
         headers: { accept: 'text/turtle' }

test/integration/authentication-oidc-test.js

@@ -10,7 +10,7 @@ const localStorage = require('localstorage-memory')
 const URL = require('whatwg-url').URL
 global.URL = URL
 global.URLSearchParams = require('whatwg-url').URLSearchParams
-const { cleanDir } = require('../utils')
+const { cleanDir, cp } = require('../utils')
 
 const supertest = require('supertest')
 const chai = require('chai')
@@ -68,14 +68,16 @@ describe('Authentication API (OIDC)', () => {
     })
   }
 
-  before(() => {
-    return Promise.all([
+  before(async () => {
+    await Promise.all([
       startServer(alicePod, 7000),
       startServer(bobPod, 7001)
     ]).then(() => {
       alice = supertest(aliceServerUri)
       bob = supertest(bobServerUri)
     })
+    cp(path.join('accounts-scenario/alice', '.acl-override'), path.join('accounts-scenario/alice', '.acl'))
+    cp(path.join('accounts-scenario/bob', '.acl-override'), path.join('accounts-scenario/bob', '.acl'))
   })
 
   after(() => {
@@ -147,7 +149,7 @@ describe('Authentication API (OIDC)', () => {
         describe('without that cookie', () => {
           let response
           before(done => {
-            alice.get('/')
+            alice.get('/private-for-alice.txt')
               .end((err, res) => {
                 response = res
                 done(err)
@@ -197,7 +199,7 @@ describe('Authentication API (OIDC)', () => {
           let response
           before(done => {
             var malcookie = cookie.replace(/connect\.sid=(\S+)/, 'connect.sid=l33th4x0rzp0wn4g3;')
-            alice.get('/')
+            alice.get('/private-for-alice.txt')
               .set('Cookie', malcookie)
               .end((err, res) => {
                 response = res
@@ -267,7 +269,7 @@ describe('Authentication API (OIDC)', () => {
         describe('without that cookie but with globally configured origin', () => {
           let response
           before(done => {
-            alice.get('/')
+            alice.get('/private-for-alice.txt')
               .set('Origin', 'https://apps.solid.invalid')
               .end((err, res) => {
                 response = res
@@ -285,7 +287,7 @@ describe('Authentication API (OIDC)', () => {
           let response
           before(done => {
             var malcookie = cookie.replace(/connect\.sid=(\S+)/, 'connect.sid=l33th4x0rzp0wn4g3;')
-            alice.get('/')
+            alice.get('/private-for-alice.txt')
               .set('Cookie', malcookie)
               .set('Origin', 'https://apps.solid.invalid')
               .end((err, res) => {

test/integration/errors-oidc-test.js

@@ -1,7 +1,7 @@
 const supertest = require('supertest')
 const ldnode = require('../../index')
 const path = require('path')
-const { cleanDir } = require('../utils')
+const { cleanDir, cp } = require('../utils')
 const expect = require('chai').expect
 
 describe('OIDC error handling', function () {
@@ -25,7 +25,10 @@ describe('OIDC error handling', function () {
   })
 
   before(function (done) {
-    ldpHttpsServer = ldp.listen(3457, done)
+    ldpHttpsServer = ldp.listen(3457, () => {
+      cp(path.join('accounts/errortests', '.acl-override'), path.join('accounts/errortests', '.acl'))
+      done()
+    })
   })
 
   after(function () {

test/resources/accounts-acl/config/templates/server/.acl

@@ -0,0 +1,10 @@
+# Root ACL resource for the root
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+<#public>
+    a acl:Authorization;
+    acl:agentClass foaf:Agent;  # everyone
+    acl:accessTo </>;
+    acl:default </common/>;
+    acl:mode acl:Read.

test/resources/accounts-acl/localhost/.acl

@@ -0,0 +1,10 @@
+# Root ACL resource for the root
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+<#public>
+    a acl:Authorization;
+    acl:agentClass foaf:Agent;  # everyone
+    acl:accessTo </>;
+    acl:default </common/>;
+    acl:mode acl:Read.