feat: clean up ODRL Authorizer

Author: woutslabbinck

packages/uma/src/policies/authorizers/OdrlAuthorizer.ts

@@ -1,6 +1,5 @@
 import { createVocabulary, DC, getLoggerFor, RDF } from '@solid/community-server';
-import { ODRL, UconRequest, UCRulesStorage } from '@solidlab/ucp';
-import { generate_uuid } from 'koreografeye';
+import { basicPolicy, ODRL, UCPPolicy, UCRulesStorage } from '@solidlab/ucp';
 import { DataFactory, Literal, NamedNode, Quad_Subject, Store } from 'n3';
 import { ODRLEngineMultipleSteps, ODRLEvaluator } from 'odrl-evaluator'
 import { WEBID } from '../../credentials/Claims';
@@ -11,13 +10,30 @@ import { Authorizer } from './Authorizer';
 
 const {quad, namedNode, literal} = DataFactory
 
+/**
+ * Permission evaluation is performed as follows:
+ *
+ * 1. Conversion of Permission queries to ODRL Requests.
+ *    - A translation is performed to transform CSS actions to ODRL actions.
+ *    - One ODRL Request per Action and target Resource.
+ *
+ * 2. ODRL Evaluator performs ODRL Evaluation
+ *    - No policy selection is performed (all policies are inserted rather than all relevant).
+ *    - No conflict resolution strategy is present (Prohibition policies are ignored).
+ *    - No duties are checked.
+ *
+ * 3. Conversion from ODRL Policy Compliance Reports to Permissions
+ *    - Selecting the ODRL actions from Active Permission Reports
+ *    - Translation from ODRL actions to CSS actions
+ */
 export class OdrlAuthorizer implements Authorizer {
     protected readonly logger = getLoggerFor(this);
     private readonly odrlEvaluator: ODRLEvaluator;
 
     /**
      * Creates a OdrlAuthorizer enforcing policies using ODRL with the ODRL Evaluator.
      *
+     *
      * @param policies - A store containing the ODRL policy rules.
      */
     constructor(
@@ -35,79 +51,66 @@ export class OdrlAuthorizer implements Authorizer {
             return [];
         }
 
-        const requests: UconRequest[] = [];
-        for (const {resource_id, resource_scopes} of query) {
-
-            if (!resource_id) {
-                this.logger.warn('The OdrlAuthorizer can only calculate permissions for explicit resources.');
-                continue;
-            }
-
-            // ODRL can only handle odrl actions
-            requests.push({
-                subject: typeof claims[WEBID] === 'string' ? claims[WEBID] : 'urn:solidlab:uma:id:anonymous',
-                resource: resource_id,
-                action: resource_scopes ? transformActionsCssToOdrl(resource_scopes) : ["http://www.w3.org/ns/odrl/2/use"],
-                claims
-            });
-        }
-        const permissions: Permission[] = await Promise.all(requests.map(
-            async (request) => {
-                const scopes_permitted = [];
-
-                // prepare sotw
-                const sotw = new Store();
-
-                sotw.add(quad(namedNode('http://example.com/request/currentTime'), namedNode('http://purl.org/dc/terms/issued'), literal(new Date().toISOString(), namedNode("http://www.w3.org/2001/XMLSchema#dateTime"))));
-
-                // prepare policy
-                const policyStore = (await this.policies.getStore())
+        // key value store for building the permissions to be granted on a resource
+        const grantedPermissions: { [key: string]: string[] } = {};
 
+        // prepare policy
+        const policyStore = (await this.policies.getStore())
 
-                for (const action of request.action) {
-                    // prepare request
-                    const req = new Store();
-                    const requestNode = generate_uuid();
-                    const permissionNode = generate_uuid();
-                    req.add(quad(requestNode, RDF.terms.type, ODRL.terms.Request));
-                    req.add(quad(requestNode, ODRL.terms.permission, permissionNode));
+        // prepare sotw
+        const sotw = new Store();
+        sotw.add(quad(namedNode('http://example.com/request/currentTime'), namedNode('http://purl.org/dc/terms/issued'), literal(new Date().toISOString(), namedNode("http://www.w3.org/2001/XMLSchema#dateTime"))));
 
-                    req.add(quad(permissionNode, RDF.terms.type, ODRL.terms.Permission));
-                    req.add(quad(permissionNode, ODRL.terms.assignee, namedNode(request.subject)));
-                    req.add(quad(permissionNode, ODRL.terms.target, namedNode(request.resource)));
-                    req.add(quad(permissionNode, ODRL.terms.action, namedNode(action)));
+        const subject = typeof claims[WEBID] === 'string' ? claims[WEBID] : 'urn:solidlab:uma:id:anonymous';
 
-                    // evaluate policies
-                    const reports = await this.odrlEvaluator.evaluate([...policyStore], [...req], [...sotw]);
-                    const reportStore = new Store(reports)
 
-                    // TODO: handle multiple reports -> possible to be generated
-                    // NOTE: current strategy, add all actions of active reports generated by the request
-                    // fetch active and attempted
-                    // console.log(new Writer().quadsToString([...req]))
+        for (const {resource_id, resource_scopes} of query) {
+            if (!resource_id) {
+                this.logger.warn('The OdrlAuthorizer can only calculate permissions for explicit resources.');
+                continue;
+            }
 
-                    const PolicyReportNodes = reportStore.getSubjects(RDF.type, CR.PolicyReport, null);
-                    for (const policyReportNode of PolicyReportNodes) {
-                        const policyReport = parseComplianceReport(policyReportNode, reportStore)
-                        // console.log(new Writer().quadsToString([...policyStore]))
-                        // console.log(new Writer().quadsToString([...sotw]))
-                        // console.log(new Writer().quadsToString(reports))
-                        // console.log(policyReport)
-                        if (policyReport.ruleReport.activationState === ActivationState.Active &&
-                            policyReport.ruleReport.type === RuleReportType.PermissionReport) {
-                            scopes_permitted.push(action)
+            grantedPermissions[resource_id] = [];
+            const actions = resource_scopes ? transformActionsCssToOdrl(resource_scopes) : ["http://www.w3.org/ns/odrl/2/use"]
+            for (const action of actions) {
+                this.logger.info(`Evaluating Request [S R AR]: [${subject} ${resource_id} ${action}]`);
+                const requestPolicy: UCPPolicy = {
+                    type: ODRL.Request,
+                    rules: [
+                        {
+                            action: action,
+                            resource: resource_id,
+                            requestingParty: subject
                         }
-                    }
-
+                    ]
                 }
-                // extract allowed scopes
-                return {
-                    resource_id: request.resource,
-                    resource_scopes: transformActionsOdrlToCss(scopes_permitted)
+                const requestStore = basicPolicy(requestPolicy).representation
+                // evaluate policies
+                const reports = await this.odrlEvaluator.evaluate(
+                    [...policyStore],
+                    [...requestStore],
+                    [...sotw]);
+                const reportStore = new Store(reports);
+
+                // TODO: handle multiple reports -> possible to be generated
+                // NOTE: current strategy, add all actions of active reports generated by the request
+                // fetch active and attempted
+                const PolicyReportNodes = reportStore.getSubjects(RDF.type, CR.PolicyReport, null);
+                for (const policyReportNode of PolicyReportNodes) {
+                    const policyReport = parseComplianceReport(policyReportNode, reportStore)
+                    if (policyReport.ruleReport[0].activationState === ActivationState.Active &&
+                        policyReport.ruleReport[0].type === RuleReportType.PermissionReport) {
+                        grantedPermissions[resource_id].push(action);
+                    }
                 }
             }
-        ));
-        // console.log(permissions)
+        }
+        const permissions: Permission[] = []
+        Object.keys(grantedPermissions).forEach(
+            resource_id => permissions.push({
+                resource_id,
+                resource_scopes: transformActionsOdrlToCss(grantedPermissions[resource_id])
+            }) );
         return permissions;
     }
 
@@ -125,14 +128,21 @@ scopeCssToOdrl.set('urn:example:css:modes:write','http://www.w3.org/ns/odrl/2/wr
 
 const scopeOdrlToCss : Map<string, string> = new Map(Array.from(scopeCssToOdrl, entry => [entry[1], entry[0]]));
 
+/**
+ * Transform the Actions enforced by the Community Solid Server to equivalent ODRL Actions
+ * @param actions
+ */
 function transformActionsCssToOdrl(actions: string[]): string[] {
     // scopes come from UmaClient.ts -> see CSS package
 
     // in UMAPermissionReader, only the last part of the URN will be used, divided by a colon
     // again, see CSS package
     return actions.map(action => scopeCssToOdrl.get(action)!);
 }
-
+/**
+ * Transform ODRL Actions to equivalent Actions enforced by the Community Solid Server
+ * @param actions
+ */
 function transformActionsOdrlToCss(actions: string[]): string[] {
     const cssActions = []
     for (const action of actions) {
@@ -149,13 +159,14 @@ type PolicyReport = {
     created: Literal;
     request: NamedNode;
     policy: NamedNode;
-    ruleReport: RuleReport;
+    ruleReport: RuleReport[];
 }
 type RuleReport = {
     id: NamedNode;
     type: RuleReportType;
     activationState: ActivationState
-    // TODO: others
+    rule: NamedNode;
+    requestedRule: NamedNode;
     premiseReport: PremiseReport[]
 }
 
@@ -189,35 +200,58 @@ enum ActivationState {
     Active= 'http://example.com/report/temp/Active',
     Inactive= 'http://example.com/report/temp/Inactive',
 }
-function parseComplianceReport(identifier: Quad_Subject, store: Store):PolicyReport{
-    const exists = store.getQuads(identifier,RDF.type,CR.PolicyReport, null).length ===1;
+
+/**
+ * Parses an ODRL Compliance Report Model into a {@link PolicyReport}.
+ * @param identifier
+ * @param store
+ */
+function parseComplianceReport(identifier: Quad_Subject, store: Store): PolicyReport {
+    const exists = store.getQuads(identifier,RDF.type,CR.PolicyReport, null).length === 1;
     if (!exists) { throw Error(`No Policy Report found with: ${identifier}.`); }
-    const ruleReportNode = store.getQuads(identifier,CR.ruleReport, null, null)[0].object as NamedNode;
-    const premises :PremiseReport[] = [];
-    const premiseNodes = store.getObjects(ruleReportNode,CR.premiseReport, null) as NamedNode[];
-    for (const premiseNode of premiseNodes) {
-        premises.push({
-            id: premiseNode,
-            type: store.getObjects(premiseNode, RDF.type, null)[0].value as PremiseReportType,
-            premiseReport:[], // Note: won't get nested premises this way
-            satisfactionState: store.getObjects(premiseNode, CR.satisfactionState, null)[0].value as SatisfactionState
-        })
-    }
-    const ruleReport :RuleReport = {
-        id: ruleReportNode,
-        type: store.getObjects(ruleReportNode, RDF.type, null)[0].value as RuleReportType,
-        activationState: store.getObjects(ruleReportNode, CR.activationState, null)[0].value as ActivationState,
-        premiseReport: premises
-    }
+    const ruleReportNodes = store.getObjects(identifier, CR.ruleReport, null) as NamedNode[];
+
     return {
         id: identifier as NamedNode,
         created: store.getObjects(identifier, DC.namespace+"created", null)[0] as Literal,
         policy: store.getObjects(identifier, CR.policy, null)[0] as NamedNode,
         request: store.getObjects(identifier, CR.policyRequest, null)[0] as NamedNode,
-        ruleReport: ruleReport
+        ruleReport: ruleReportNodes.map(ruleReportNode => parseRuleReport(ruleReportNode, store))
     }
 }
 
+/**
+ * Parses Rule Reports from a Compliance Report, including its premises
+ * @param identifier
+ * @param store
+ */
+function parseRuleReport(identifier: Quad_Subject, store: Store): RuleReport {
+    const premiseNodes = store.getObjects(identifier,CR.premiseReport, null) as NamedNode[];
+    return {
+        id: identifier as NamedNode,
+        type: store.getObjects(identifier, RDF.type, null)[0].value as RuleReportType,
+        activationState: store.getObjects(identifier, CR.activationState, null)[0].value as ActivationState,
+        requestedRule: store.getObjects(identifier, CR.ruleRequest, null)[0] as NamedNode,
+        rule: store.getObjects(identifier, CR.rule, null)[0] as NamedNode,
+        premiseReport: premiseNodes.map((prem) => parsePremiseReport(prem, store))
+    }
+}
+
+/**
+ * Parses Premise Reports, including premises of a Premise Report itself.
+ * Note that if for some reason there are circular premise reports, this will result into an infinite loop
+ * @param identifier
+ * @param store
+ */
+function parsePremiseReport(identifier: Quad_Subject, store: Store): PremiseReport {
+    const nestedPremises = store.getObjects(identifier, CR.PremiseReport, null) as NamedNode[];
+    return {
+        id: identifier as NamedNode,
+        type: store.getObjects(identifier, RDF.type, null)[0].value as PremiseReportType,
+        premiseReport: nestedPremises.map((prem) => parsePremiseReport(prem, store)),
+        satisfactionState: store.getObjects(identifier, CR.satisfactionState, null)[0].value as SatisfactionState
+    }
+}
 const CR = createVocabulary('http://example.com/report/temp/',
     'PolicyReport',
     'RuleReport',