SR-190: Access control conversion (#25)

Author: langsamu

package.json

@@ -45,6 +45,7 @@
     "@types/n3": "^1",
     "@types/node": "^24",
     "n3": "^2",
+    "rdf-isomorphic": "^2.0.1",
     "typescript": "^6"
   },
   "engines": {

src/accessControlConversion/AcpToWacError.ts

@@ -0,0 +1,7 @@
+import { TranslationError } from "./TranslationError.js"
+
+export class AcpToWacError extends TranslationError {
+    constructor(property: string, cause?: any) {
+        super("acp", property, "WAC", cause)
+    }
+}

src/accessControlConversion/TranslationError.ts

@@ -0,0 +1,7 @@
+export class TranslationError extends Error {
+    constructor(prefix: string, property: string, target: string, cause?: any) {
+        super(`${prefix}:${property} cannot be translated to ${target}`)
+        this.name = this.constructor.name
+        this.cause = cause
+    }
+}

src/accessControlConversion/WacToAcpError.ts

@@ -0,0 +1,7 @@
+import { TranslationError } from "./TranslationError.js"
+
+export class WacToAcpError extends TranslationError {
+    constructor(property: string, cause?: any) {
+        super("acl", property, "ACP", cause)
+    }
+}

src/accessControlConversion/acpToWac.ts

@@ -0,0 +1,86 @@
+import { AccessControl, AccessControlResource, AcrDataset } from "../acp/mod.js"
+import type { DatasetCore } from "@rdfjs/types"
+import { Authorization } from "../wac/mod.js"
+import { ACL, ACP, FOAF } from "../vocabulary/mod.js"
+import { AcpToWacError } from "./AcpToWacError.js"
+
+export function acpToWac(source: AcrDataset, target: DatasetCore) {
+    if (source.acr === undefined) {
+        return
+    }
+
+    const auth = new Authorization(source.acr.factory.blankNode(), target, source.acr.factory)
+    auth.type.add(ACL.Authorization)
+
+    processAcr(source.acr, auth)
+}
+
+function processAcr(source: AccessControlResource, target: Authorization) {
+    if (source.accessControl.size > 0) {
+        target.accessTo = source.resource
+    }
+
+    if (source.memberAccessControl.size > 0) {
+        target.default = source.resource
+    }
+
+    for (const ac of source.accessControl) {
+        processAc(ac, target)
+    }
+
+    for (const ac of source.memberAccessControl) {
+        processAc(ac, target)
+    }
+}
+
+function processAc(source: AccessControl, target: Authorization) {
+    for (const policy of source.apply) {
+        if (policy.deny.size > 0) {
+            throw new AcpToWacError("deny")
+        }
+
+        if (policy.anyOf.size > 0) {
+            throw new AcpToWacError("anyOf")
+        }
+
+        if (policy.noneOf.size > 0) {
+            throw new AcpToWacError("noneOf")
+        }
+
+        for (const mode of policy.allow) {
+            target.mode.add(mode)
+        }
+
+        for (const matcher of policy.allOf) {
+            if (matcher.client.size > 0) {
+                throw new AcpToWacError("client")
+            }
+
+            if (matcher.issuer.size > 0) {
+                throw new AcpToWacError("issuer")
+            }
+
+            if (matcher.vc.size > 0) {
+                throw new AcpToWacError("vc")
+            }
+
+            for (const agent of matcher.agent) {
+                if (agent === ACP.CreatorAgent) {
+                    throw new AcpToWacError("CreatorAgent")
+                }
+
+                if (agent === ACP.OwnerAgent) {
+                    throw new AcpToWacError("OwnerAgent")
+                }
+
+                if (agent === ACP.PublicAgent) {
+                    target.agent.add(FOAF.Agent)
+                } else if (agent === ACP.AuthenticatedAgent) {
+                    target.agent.add(ACL.AuthenticatedAgent)
+                } else {
+                    target.agent.add(agent)
+                }
+            }
+        }
+    }
+}

src/accessControlConversion/mod.ts

@@ -0,0 +1,5 @@
+export * from "./wacToAcp.js"
+export * from "./acpToWac.js"
+export * from "./WacToAcpError.js"
+export * from "./TranslationError.js"
+export * from "./AcpToWacError.js"

src/accessControlConversion/wacToAcp.ts

@@ -0,0 +1,53 @@
+import { AclResource, Authorization, } from "../wac/mod.js"
+import { AccessControl, AccessControlResource, Matcher, Policy } from "../acp/mod.js"
+import type { DatasetCore } from "@rdfjs/types"
+import { WacToAcpError } from "./WacToAcpError.js"
+import { ACL, ACP, FOAF } from "../vocabulary/mod.js"
+
+export function wacToAcp(source: AclResource, target: DatasetCore) {
+    for (const auth of source.authorizations) {
+        processAuthorization(auth, target)
+    }
+}
+
+function processAuthorization(source: Authorization, target: DatasetCore) {
+    if (source.origin.size > 0) throw new WacToAcpError("origin")
+
+    if (source.accessTo !== undefined) {
+        const acr = new AccessControlResource(source.factory.blankNode(), target, source.factory)
+        populatePolicy(acr, source, source.accessTo, acr.accessControl)
+    }
+
+    if (source.default !== undefined) {
+        const acr = new AccessControlResource(source.factory.blankNode(), target, source.factory)
+        populatePolicy(acr, source, source.default, acr.memberAccessControl)
+    }
+}
+
+function populatePolicy(acr: AccessControlResource, auth: Authorization, resource: string, accessControls: Set<AccessControl>) {
+    const accessControl = new AccessControl(acr.factory.blankNode(), acr.dataset, acr.factory)
+    const policy = new Policy(acr.factory.blankNode(), acr.dataset, acr.factory)
+    const matcher = new Matcher(acr.factory.blankNode(), acr.dataset, acr.factory)
+
+    accessControls.add(accessControl)
+    accessControl.apply.add(policy)
+    policy.allOf.add(matcher)
+
+    acr.resource = resource
+
+    for (const mode of auth.mode) {
+        policy.allow.add(mode)
+    }
+
+    for (const agent of auth.agent) {
+        if (agent === FOAF.Agent) {
+            matcher.agent.add(ACP.PublicAgent)
+        } else if (agent === ACL.AuthenticatedAgent) {
+            matcher.agent.add(ACP.AuthenticatedAgent)
+        } else matcher.agent.add(agent)
+    }
+
+    for (const member of auth.agentGroup?.hasMember ?? []) {
+        matcher.agent.add(member)
+    }
+}

src/mod.ts

@@ -2,3 +2,4 @@ export * from "./acp/mod.js"
 export * from "./solid/mod.js"
 export * from "./wac/mod.js"
 export * from "./webid/mod.js"
+export * from "./accessControlConversion/mod.js"

src/vocabulary/acp.ts

@@ -10,6 +10,10 @@ export const ACP = {
   vc: "http://www.w3.org/ns/solid/acp#vc",
   allow: "http://www.w3.org/ns/solid/acp#allow",
   deny: "http://www.w3.org/ns/solid/acp#deny",
+  CreatorAgent: "http://www.w3.org/ns/solid/acp#CreatorAgent",
+  OwnerAgent: "http://www.w3.org/ns/solid/acp#OwnerAgent",
+  PublicAgent: "http://www.w3.org/ns/solid/acp#PublicAgent",
+  AuthenticatedAgent: "http://www.w3.org/ns/solid/acp#AuthenticatedAgent",
   anyOf: "http://www.w3.org/ns/solid/acp#anyOf",
   allOf: "http://www.w3.org/ns/solid/acp#allOf",
   noneOf: "http://www.w3.org/ns/solid/acp#noneOf",