Backend updates to include multi-target policies

Author: Dexagod

package.json

@@ -57,7 +57,7 @@
     "test": "yarn workspaces foreach --include 'packages/*' -A -pi -j unlimited run test",
     "start": "yarn workspaces foreach --include 'packages/*' -A -pi -j unlimited run start",
     "start:demo": "yarn workspaces foreach --include 'packages/*' -A -pi -j unlimited run demo",
-    "script:demo": "yarn exec ts-node ./demo/flow.ts",
+    "script:demo": "yarn exec tsx ./demo/flow.ts",
     "script:public": "yarn exec ts-node ./scripts/test-public.ts",
     "script:private": "yarn exec ts-node ./scripts/test-private.ts",
     "script:registration": "yarn exec ts-node ./scripts/test-registration.ts",
@@ -154,10 +154,14 @@
     "@digitalbazaar/ed25519-signature-2020": "^5.4.0",
     "@digitalbazaar/ed25519-verification-key-2020": "^4.2.0",
     "@digitalbazaar/vc": "^7.1.0",
-    "@digitalcredentials/vc-data-model": "^1.1.1",
+    "@digitalcredentials/ed25519-signature-2020": "^6.0.0",
+    "@digitalcredentials/ed25519-verification-key-2020": "^4.0.0",
+    "@digitalcredentials/vc": "^9.0.1",
+    "@digitalcredentials/vc-data-model": "^2.0.0",
     "@inrupt/solid-client": "^2.0.1",
     "@inrupt/solid-client-authn-core": "^2.1.0",
     "chalk": "^5.4.1",
-    "jsonld": "^8.3.3"
+    "jsonld": "^8.3.3",
+    "tsx": "^4.19.2"
   }
 }

packages/uma/package.json

@@ -73,6 +73,7 @@
     "koreografeye": "^0.4.8",
     "logform": "^2.6.0",
     "n3": "^1.17.2",
+    "ts-node": "^10.9.2",
     "uuid": "^9.0.1",
     "winston": "^3.11.0"
   },

packages/uma/src/dialog/ContractNegotiator.ts

@@ -18,8 +18,8 @@ import { ForbiddenHttpError } from '@solid/community-server';
 import { ContractManager } from '../policies/contracts/ContractManager';
 import { Result, Success } from '../util/Result';
 import { AccessToken, Permission, Requirements } from '..';
-import { convertStringOrJsonLdIdentifierToString, ODRLContract, ODRLPermission } from '../views/Contract';
-import { PermissionMapping, processRequestPermission, ReversePermissionMapping } from '../util/rdf/RequestProcessing';
+import { convertStringOrJsonLdIdentifierToString, JsonLdIdentifier, ODRLContract, ODRLPermission, StringOrJsonLdIdentifier } from '../views/Contract';
+import { processRequestPermission, switchODRLandCSSPermission } from '../util/rdf/RequestProcessing';
 
 
 /**
@@ -112,10 +112,10 @@ export class ContractNegotiator implements Negotiator {
       // todo: set resource scopes according to contract!
       let permissions: Permission[] = contract.permission.map( (p: ODRLPermission) => {
         const perm : Permission = {
-          resource_id: convertStringOrJsonLdIdentifierToString(p.target),
+          // We do not accept AssetCollections as targets of an UMA access request formatted as an ODRL request!
+          resource_id: convertStringOrJsonLdIdentifierToString(p.target as StringOrJsonLdIdentifier),
           resource_scopes: [ // mapping from ODRL to internal CSS read permission
-            // ReversePermissionMapping[convertStringOrJsonLdIdentifierToString(p.action)]
-            "urn:example:css:modes:read"
+            switchODRLandCSSPermission(convertStringOrJsonLdIdentifierToString(p.action))
           ] 
         }
         return(perm)

packages/uma/src/policies/contracts/ContractManager.ts

@@ -3,7 +3,7 @@ import { DialogInput, Permission, Ticket } from "../.."
 import { ContractStorage } from "./ContractStorage";
 import { ODRLContract, ODRLConstraint, ODRLPermission } from "../../views/Contract";
 import { randomUUID } from "crypto";
-import { ReversePermissionMapping } from "../../util/rdf/RequestProcessing";
+import { switchODRLandCSSPermission } from "../../util/rdf/RequestProcessing";
 
 
 export class ContractManager {
@@ -38,7 +38,7 @@ export class ContractManager {
             "https://w3id.org/dpv#hasLegalBasis": { "@id": "https://w3id.org/dpv/legal/eu/gdpr#eu-gdpr:A9-2-a" },
             permission: [ { 
                 "@type": "Permission",
-                action: ReversePermissionMapping[permission.resource_scopes[0]],
+                action: switchODRLandCSSPermission(permission.resource_scopes[0]),
                 target: permission.resource_id,
                 assigner: 'http://localhost:3000/ruben/profile/card#me', // user WebID
                 assignee: 'http://localhost:3000/alice/profile/card#me', // target WebID

packages/uma/src/util/rdf/RequestProcessing.ts

@@ -1,25 +1,23 @@
 import { ClaimSet } from "../../credentials/ClaimSet";
-import { convertStringOrJsonLdIdentifierToString, ODRLPermission } from "../../views/Contract";
+import { convertStringOrJsonLdIdentifierToString, ODRLPermission, StringOrJsonLdIdentifier } from "../../views/Contract";
 import { Permission } from "../../views/Permission";
 
-export const PermissionMapping: any = {
-    "https://w3id.org/oac#read": "urn:example:css:modes:read",
-    "https://w3id.org/oac#write": "urn:example:css:modes:write",
-    "https://w3id.org/oac#append": "urn:example:css:modes:append",
-    "https://w3id.org/oac#delete": "urn:example:css:modes:delete",
-}
-export const ReversePermissionMapping: any = {
-    "urn:example:css:modes:read": "https://w3id.org/oac#read",
-    "urn:example:css:modes:write": "https://w3id.org/oac#write",
-    "urn:example:css:modes:append": "https://w3id.org/oac#append",
-    "urn:example:css:modes:delete": "https://w3id.org/oac#delete",
+export function switchODRLandCSSPermission(permission: string): string {
+    if(permission.startsWith("urn:example:css:modes:")) {
+        return permission.replace("urn:example:css:modes:", "https://w3id.org/oac#");
+    } else if(permission.startsWith("https://w3id.org/oac#")) {
+        return permission.replace("https://w3id.org/oac#", "urn:example:css:modes:");
+    } else {
+        throw new Error(`Permission ${permission} not recognized`)
+    }
+
 }
 
 export function processRequestPermission(permission: ODRLPermission): Permission {
-
-    const resource_id = convertStringOrJsonLdIdentifierToString(permission.target)
+    // We do not accept AssetCollections as targets of an UMA access request formatted as an ODRL request!
+    const resource_id = convertStringOrJsonLdIdentifierToString(permission.target as StringOrJsonLdIdentifier)
     const action: any = convertStringOrJsonLdIdentifierToString(permission.action)
-    const resource_scopes = [ PermissionMapping[action] ]
+    const resource_scopes = [ switchODRLandCSSPermission(action) ]
 
     return { resource_id, resource_scopes }
 }

packages/uma/src/views/Contract.ts

@@ -1,10 +1,18 @@
+import { ODRL } from "@solidlab/ucp";
 import { Type, array, string, optional, any, union } from "../util/ReType";
 
 export const JsonLdIdentifier = {
     '@id': string
 }
 
 export const StringOrJsonLdIdentifier = union(string, JsonLdIdentifier)
+export const IdentifierSet = union(StringOrJsonLdIdentifier, array(StringOrJsonLdIdentifier))
+export const ODRLAssetCollection = {
+    "@type": string,
+    "source": string,
+}
+export const ODRLTargetOrAssetCollection = union(StringOrJsonLdIdentifier, ODRLAssetCollection)
+
 
 export const ODRLConstraint = {
     "@type": optional(string),
@@ -20,7 +28,7 @@ export const ODRLPermission = {
     "@id": optional(string),
     uid: optional(string),
     action: StringOrJsonLdIdentifier,
-    target: StringOrJsonLdIdentifier, // resourceURL
+    target: ODRLTargetOrAssetCollection, // resourceURL
     assigner: StringOrJsonLdIdentifier, // user WebID
     assignee: StringOrJsonLdIdentifier, // target WebID
     constraint: optional(array(ODRLConstraint))
@@ -41,9 +49,49 @@ export type ODRLPermission = Type<typeof ODRLPermission>;
 export type ODRLContract = Type<typeof ODRLContract>;
 export type JsonLdIdentifier = Type<typeof JsonLdIdentifier>;
 export type StringOrJsonLdIdentifier = Type<typeof StringOrJsonLdIdentifier>;
+export type IdentifierSet = Type<typeof IdentifierSet>;
+export type ODRLAssetCollection = Type<typeof ODRLAssetCollection>;
+export type ODRLTargetOrAssetCollection = Type<typeof ODRLTargetOrAssetCollection>;
 
 
 export function convertStringOrJsonLdIdentifierToString(x : StringOrJsonLdIdentifier) : string {
     const id = (x as JsonLdIdentifier)["@id"]
     return id ? id : x as string
+}
+
+/**
+ * Note: This check makes the assumption of slash-semantics based resource ordering!
+ * @param url 
+ * @param policyTarget 
+ * @returns 
+ */
+export function isPolicyTarget(url: string, policyTarget: ODRLTargetOrAssetCollection) {
+    // AssetCollection
+    const assetCollectionType  = (policyTarget as ODRLAssetCollection)["@type"]
+    if (assetCollectionType && assetCollectionType === ODRL.namespace + "AssetCollection") {
+        return url.startsWith((policyTarget as ODRLAssetCollection).source)
+    }
+    
+    // @id identfier
+    const id = (policyTarget as JsonLdIdentifier)["@id"]
+    if (id && url === id) return true
+
+    // string
+    return (policyTarget as string) === url
+
+}
+
+export function getPolicyTargets(policyTarget: ODRLTargetOrAssetCollection): string {
+    // AssetCollection
+    const assetCollectionType  = (policyTarget as ODRLAssetCollection)["@type"]
+    if (assetCollectionType && assetCollectionType === ODRL.namespace + "AssetCollection") {
+        return (policyTarget as ODRLAssetCollection).source
+    }
+    
+    // @id identfier
+    const id = (policyTarget as JsonLdIdentifier)["@id"]
+    if (id) return id
+
+    // string
+    return policyTarget as string  
 }