Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Create wac-acp-diff-story.md #178

Merged
merged 16 commits into from
Apr 7, 2021
Merged

Create wac-acp-diff-story.md #178

Changes from 11 commits
Commits
Show all changes
16 commits
Select commit Hold shift + click to select a range
9d19b51
Create wac-acp-diff-story.md
Feb 22, 2021
2c7b4df
Update proposals/acp/wac-acp-diff-story.md
bblfish Feb 24, 2021
69cac5d
Update proposals/acp/wac-acp-diff-story.md
bblfish Feb 24, 2021
65ade4d
Update proposals/acp/wac-acp-diff-story.md
bblfish Feb 24, 2021
4a2bf27
Update proposals/acp/wac-acp-diff-story.md
bblfish Feb 24, 2021
a86e3c2
Update proposals/acp/wac-acp-diff-story.md
bblfish Feb 24, 2021
3e1bdcc
Update proposals/acp/wac-acp-diff-story.md
bblfish Feb 24, 2021
2a48bb1
Update proposals/acp/wac-acp-diff-story.md
bblfish Feb 26, 2021
01fe4e9
updated intention/scope
Mar 3, 2021
71689cb
work in progress
Mar 3, 2021
2023b0f
+ TODO on acl:accessToClass
Mar 3, 2021
5260f5f
Update proposals/acp/wac-acp-diff-story.md
Mar 31, 2021
0890add
~ updates per 2021-03-31 interop panel meeting
Mar 31, 2021
419817d
~ moved wac-acp-diff-story up a directory
Mar 31, 2021
e021638
Update proposals/wac-acp-diff-story.md
elf-pavlik Mar 31, 2021
9b471dc
Update proposals/wac-acp-diff-story.md
elf-pavlik Apr 7, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
134 changes: 134 additions & 0 deletions proposals/acp/wac-acp-diff-story.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,134 @@
# ACP Compared to Web Access Control

This document is intended to reflect the following authoritative-ish definitions:
- [W3C wiki](http://www.w3.org/wiki/WebAccessControl)
- [solid/specification](http://github.com/solid/specification)
- [sold/web-access-control](http://github.com/solid/solid-spec)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
This document is intended to reflect the following authoritative-ish definitions:
- [W3C wiki](http://www.w3.org/wiki/WebAccessControl)
- [solid/specification](http://github.com/solid/specification)
- [sold/web-access-control](http://github.com/solid/solid-spec)
This document is intended to reflect the following authoritative-ish definitions/clarifications e.g.:
- [W3C wiki](http://www.w3.org/wiki/WebAccessControl)
- [solid/specification](http://github.com/solid/specification)
- [solid/solid-spec](http://github.com/solid/solid-spec)
- [solid/web-access-control-spec](http://github.com/solid/web-access-control-spec)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This document is intended to reflect the following authoritative-ish definitions/clarifications e.g.:

the following fights with e.g. (readable as, for example)

I suggest either --
This document is intended to reflect the following authoritative-ish definitions/clarifications:
-- or --
This document is intended to reflect a number of authoritative-ish definitions/clarifications, including the following:

The goal is to ground conversations which compare WAC and ACP.
This is a work in progress.

Audience: those familiar with WAC or those who learn from comparisons

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Indicate that this is for the purpose of discussion/exercise -- as other things are moving in parallel - and not to be taken as authoritative definitions of the mechanisms.

Access control is fundamentally about stating `who` can `do what` to `what resource`.

## ShEx for WAC:
Web Access Control (WAC) uses a simple schema to make those assertions directly in RDF:
ericprud marked this conversation as resolved.
Show resolved Hide resolved

``` shex
PREFIX acl: <http://www.w3.org/ns/auth/acl#>
PREFIX foaf: <http://xmlns.com/foaf/0.1/>

<AclShape> {
# who
( acl:agentClass @<GroupShape> OR [foaf:Agent] ;
Copy link
Contributor

@bblfish bblfish Feb 24, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According to Shex Value sets this statement says that ACL Shapes are constraining the acl:agentClass range to be a Group with member or the singleton foaf:Agent.
But that is overly restrictive interpretation of WAC:

  1. In Issue 176 I point to the fact that WAC has a subclass of foaf:Agent that is acl:AuthenticatedAgent. This shows that WAC always intended to allow subclasses of foaf:Agent to be allowed in the range of acl:agentClass
  2. Given that one can use subclasses of foaf:Agent as the range of acl:AgentClass one can also build descriptions of agents in many more ways, as show again in issue Limitations: Only Trust Certain issuers of Identity #176. This may not fit current deployments of WAC but those don't fit current deployments of ACP either.
    There is nothing therefore stopping WAC to grow to allow these extensions.

The danger of using Shex here is that its argument works by over constraining WAC and then showing it cannot be extended in the way it clearly can.

Copy link
Contributor

@bblfish bblfish Mar 4, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is overly restrictive. The acl ontology has

 acl:agentClass     a rdf:Property;
         :comment "A class of persons or social entities to being given the right";
         :domain acl:Authorization;
         :label "agent class";
         :range :Class .

which states that the range of agent can be any Class, eg the class of people over 18, or over 21, or married people, etc. The ShEX states that the only class can only be foaf:Agent.

| acl:agent IRI
| acl:origin IRI
)+ ;

# can do what
acl:mode [acl:Read acl:Write acl:Append acl:Control] + ;
Copy link
Member

@csarven csarven Mar 4, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The value set for acl:mode is overly restrictive as per ACL Ontology:

    acl:mode     a rdf:Property;
         :comment "A mode of access such as read or write.";
         :domain acl:Authorization;
         :label "access mode";
         :range :Class .

The rule may reflect deployments however ACL permits any class eg. :Create, :Delete.

Copy link
Contributor

@bblfish bblfish Mar 4, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

note: the acl Ontology would be a lot clearer if it restricted the range of acl:mode to the subclasses of acl:Access. See issue #187


# to what resource
( acl:accessTo IRI
| acl:accessToClass [foaf:Document] OR @<AclRegexShape> # TODO: remove Regexp, add auth user
) ;

^acl:trustedOrigin IRI ?
}

<GroupShape> { foaf:member IRI + }
<AclRegexShape> { acl:regex LITERAL }
```
([try it](http://shex.io/webapps/shex.js/doc/shex-simple?schema=PREFIX%20acl%3A%20%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Facl%23%3E%0APREFIX%20foaf%3A%20%3Chttp%3A%2F%2Fxmlns.com%2Ffoaf%2F0.1%2F%3E%0A%0A%3CAclShape%3E%20%7B%0A%20%20%23%20who%0A%20%20(%20%20acl%3AagentClass%20%40%3CGroupShape%3E%20OR%20%5Bfoaf%3AAgent%5D%20%3B%0A%20%20%20%20%7C%20acl%3Aagent%20IRI%0A%20%20%20%20%7C%20acl%3Aorigin%20IRI%0A%20%20)%2B%20%3B%0A%0A%20%20%23%20can%20do%20what%0A%20%20acl%3Amode%20%5Bacl%3ARead%20acl%3AWrite%20acl%3AAppend%20acl%3AControl%5D%20%2B%20%3B%0A%0A%20%20%23%20to%20what%0A%20%20(%20%20%20acl%3AaccessTo%20IRI%0A%20%20%20%20%7C%20acl%3AaccessToClass%20%5Bfoaf%3ADocument%5D%20OR%20%40%3CAclRegexShape%3E%0A%20%20)%20%3B%0A%0A%20%20%5Eacl%3AtrustedOrigin%20IRI%20%3F%0A%7D%0A%0A%3CGroupShape%3E%20%7B%20foaf%3Amember%20IRI%20%2B%20%7D%0A%0A%3CAclRegexShape%3E%20%7B%20acl%3Aregex%20LITERAL%20%7D%0A&data=PREFIX%20acl%3A%20%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fauth%2Facl%23%3E%0APREFIX%20foaf%3A%20%3Chttp%3A%2F%2Fxmlns.com%2Ffoaf%2F0.1%2F%3E%0A%0A%3Cacl1%3E%0A%20%20acl%3AaccessTo%20%3Ccard%3E%20%3B%0A%20%20acl%3Amode%20acl%3ARead%20%3B%0A%20%20acl%3AagentClass%20foaf%3AAgent%20.%0A%0A%3Cacl2%3E%0A%20%20acl%3AaccessTo%20%3Ccard%3E%20%3B%0A%20%20acl%3Amode%20acl%3ARead%2C%20acl%3AWrite%20%3B%0A%20%20acl%3Aagent%20%3Ccard%23i%3E.%0A%0A%3Cacl3%3E%0A%20%20acl%3AaccessTo%20%3Ccard%3E%20%3B%0A%20%20acl%3Amode%20acl%3ARead%20%3B%0A%20%20acl%3AagentClass%20%3Cfriends%23group%3E%20.%0A%0A%3Cacl4%3E%0A%20%20acl%3AaccessTo%20%3Ccard%3E%20%3B%0A%20%20acl%3Amode%20acl%3ARead%2C%20acl%3AWrite%20%3B%0A%20%20acl%3AagentClass%20%3Cfamily%23group%3E%20.%0A%0A%3Cfriends%23group%3E%20foaf%3Amember%20%3C..%2Fuser%2Falice%23me%3E%2C%20%3C..%2Fuser%2Fbob%23me%3E%2C%20%3C..%2Fuser%2Fcharlie%23me%3E%20.%20%0A%3Cfamily%23group%3E%20foaf%3Amember%20%20%3C..%2Fpeople%2Fdon%23me%3E%2C%20%3C..%2Fpeople%2Feloise%23me%3E%20.%0A%0A%3Cacl5%3E%0A%20%20acl%3AaccessToClass%20%5B%20acl%3Aregex%20%22https%3A%2F%2Fjoe.solid.example%2F.*%22%20%5D%20%3B%0A%20%20acl%3Amode%20acl%3ARead%20%3B%20%0A%20%20acl%3AagentClass%20foaf%3AAgent%20.%0A%0A%3Cacl6%3E%0A%20%20acl%3AaccessToClass%20%5B%20acl%3Aregex%20%22https%3A%2F%2Fbblfish.solid.example%2F.*%22%20%5D%20%3B%0A%20%20acl%3Amode%20acl%3AWrite%20%3B%0A%20%20acl%3Aorigin%20%3Chttps%3A%2F%2Fapps.rww.io%3E%20.%0A%0A%3C%23i%3E%20acl%3AtrustedOrigin%20%3Cacl7%3E%2C%20%3Cacl8%3E%20.%0A%3Cacl7%3E%0A%20%20acl%3Amode%20acl%3ARead%20%3B%0A%20%20acl%3AaccessToClass%20foaf%3ADocument%20%3B%20%20%23%3C-%20give%20access%20to%20all%20documents%20(%20that%20allow%20one%20access%20)%0A%20%20acl%3AagentClass%20foaf%3AAgent%20%3B%0A.%0A%3Cacl8%3E%0A%20%20acl%3Amode%20acl%3AWrite%20%3B%0A%20%20acl%3AaccessToClass%20foaf%3ADocument%20%3B%20%20%23%3C-%20give%20access%20to%20all%20documents%20(%20that%20allow%20access%20of%20course%20)%0A%20%20acl%3Aagent%20%3Chttps%3A%2F%2Fapps.w3.org%2F%3E%2C%20%3C%3E%20%23but%20only%20to%20JS%20agents%20that%20come%20from%20these%20two%20origins%0A.%0A&manifestURL=http%3A%2F%2Fshex.io%2Fwebapps%2Fshex.js%2Fexamples%2Fmanifest.json&shape-map=%7B%20FOCUS%20acl%3Amode%20_%20%7D%40%3CAclShape%3E&interface=minimal&success=proof&regexpEngine=eval-threaded-nerr))

For example, if Jezebel decides to let Bartholomew copy her physics assignment, she could write:

``` turtle
_:bart-copies-assignment-1
acl:agent <http://solid.example/users/bart#id> ;
acl:mode acl:Read ;
acl:accessTo </courses/8.04/assignment-1> .
```
In Solid, this access document would appear in the same Container as `assignment-1`.

In principle, WAC lets her grant access to all assignments under `/courses/8.04/` &mdash;
``` turtle
_:bart-copies-my-assignments
acl:agent <http://solid.example/users/bart#id> ;
acl:mode acl:Read ;
acl:accessToClass [ acl:regex ".*/courses/8.04/assignment-.*" ] .
```
&mdash; but Solid doesn't implement that feature, instead applying access to everything in a Container, e.g. &mdash;
``` turtle
_:bart-reads-8.04
acl:agent <http://solid.example/users/bart#id> ;
acl:mode acl:Read ;
acl:accessTo </courses/8.04/> .
```


## ShEx for ACP

ACP maintains separate metadata associating resources to access control statements.

``` shex
PREFIX acp: <http://www.w3.org/ns/solid/acp#>
PREFIX rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#>

# who
<RuleShape> {
a [acp:Rule] ? ;
acp:agent IRI ;
}

# can do what
<AccessPolicyShape> {
a [acp:AccessPolicy] ? ;
acp:allow [acp:Write acp:Read acp:Append] + ;
acp:allOf @<RuleShape> ;
}

# to what -- AccessControl doc linked to ACL'd resource with:
# Link: <https://alice.pod/resume?ext=acp>; rel="http://www.w3.org/ns/solid/acp#accessControl"
<AccessControlShape> {
a [acp:AccessControl] ? ;
(
acp:apply @<AccessPolicyShape>
|
( acp:applyConstant @<AccessPolicyShape> ;
acp:applyMembersConstant @<AccessPolicyShape> ;
)
)
}
```
([try it](http://shex.io/webapps/shex.js/doc/shex-simple?schema=PREFIX%20acp%3A%20%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fsolid%2Facp%23%3E%0APREFIX%20rdf%3A%20%3Chttp%3A%2F%2Fwww.w3.org%2F1999%2F02%2F22-rdf-syntax-ns%23%3E%0A%0A%23%20Policies%0A%0A%3CAccessPolicyShape%3E%20%7B%0A%20%20a%20%5Bacp%3AAccessPolicy%5D%20%3F%20%3B%0A%20%20acp%3Aallow%20%5Bacp%3AWrite%20acp%3ARead%5D%2B%20%3B%0A%20%20acp%3AallOf%20%40%3CRuleShape%3E%20%3B%0A%7D%0A%0A%3CRuleShape%3E%20%7B%0A%20%20a%20%5Bacp%3ARule%5D%20%3F%20%3B%0A%20%20acp%3Aagent%20IRI%20%3B%0A%7D%0A&data=PREFIX%20acp%3A%20%3Chttp%3A%2F%2Fwww.w3.org%2Fns%2Fsolid%2Facp%23%3E%0APREFIX%20rdf%3A%20%3Chttp%3A%2F%2Fwww.w3.org%2F1999%2F02%2F22-rdf-syntax-ns%23%3E%0A%0A%3C%23i%3E%0A%20%20acp%3Aaccess%20%3C%23podControl%3E%20%3B%0A%20%20acp%3AaccessMembers%20%3C%23podControl%3E%20.%0A%3C%23myPodAccess%3E%0A%20%20a%20acp%3AAccessControl%20%3B%0A%20%20acp%3AapplyConstant%20%3C%23podControl%3E%20%3B%0A%20%20acp%3AapplyMembersConstant%20%3C%23podControl%3E%20.%0A%3C%23resumeAssistance%3E%0A%20%20a%20acp%3AAccessControl%20%3B%0A%20%20acp%3Aapply%20%3C%23personalTrusted%3E%20.%0A%0A%23%20Policies%0A%0A%3C%23personalTrusted%3E%0A%20%20a%20acp%3AAccessPolicy%20%3B%0A%20%20acp%3Aallow%20acp%3AWrite%2C%20acp%3ARead%20%3B%0A%20%20acp%3AallOf%20%3C%23editorFriends%3E%20.%0A%0A%3C%23podControl%3E%0A%20%20a%20acp%3AAccessPolicy%20%3B%0A%20%20acp%3Aallow%20acp%3AWrite%2C%20acp%3ARead%20%3B%0A%20%20acp%3AallOf%20%3C%23accessControllers%3E%20.%0A%0A%23%20Rules%0A%0A%3C%23editorFriends%3E%0A%20%20a%20acp%3ARule%20%3B%0A%20%20acp%3Aagent%20%3Chttps%3A%2F%2Fbob.pod%2Fprofile%2Fcard%23me%3E%20.%0A%0A%3C%23accessControllers%3E%0A%20%20a%20acp%3ARule%20%3B%0A%20%20acp%3Aagent%20%3Chttps%3A%2F%2Falice.pod%2Fprofile%2Fcard%23me%3E%20.%0A&manifestURL=http%3A%2F%2Fshex.io%2Fwebapps%2Fshex.js%2Fexamples%2Fmanifest.json&shape-map=%7BFOCUS%20acp%3Aallow%20_%7D%40%3CAccessPolicyShape%3E&interface=human&success=proof&regexpEngine=eval-threaded-nerr))

As above, Jezebel can let Bartholomew copy her homework by editing the ACL document associated with `</courses/8.04/assignment-1>` by the `acp:accessControl` link header (e.g., `</courses/8.04/assignment-1?access>`):

``` turtle
_:bart-copies-assignment-1
a acl:AccessControl ;
acp:apply [
a acp:AccessPolicy ;
acp:allow acp:Read ;
acp:allOf [
acp:agent <http://solid.example/users/bart#id>
]
] .
```

She could instead move that policy someplace independent from the existence of `</courses/8.04/assignment-1>`, e.g., `</myAccessPolicies>`, so it won't disappear if she deletes or renames `assignment-1`:
``` turtle
<#bart-copies-my-homework>
a acp:AccessPolicy ;
acp:allow acp:Read ;
acp:allOf [
acp:agent <http://solid.example/users/bart#id>
] .
```
Now she can apply it to multiple homework documents or all of her 8.04 documents with individual access controls like:
``` turtle
_:bart-copies-assignment-2
a acl:AccessControl ;
acp:apply </myAccessPolicies#bart-copies-my-homework> .
```