feat: add WAC (Web Access Control) support

Adds getAcl() and putAcl() to SolidClient for reading and writing
ACL documents. Discovers .acl URL via Link header, parses/serializes
Turtle ACL documents with EasyRdf. Uses ML\IRI\IRI for resolving
relative ACL URLs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: soyuka

src/SolidClient.php

@@ -11,7 +11,9 @@
 
 namespace Dunglas\PhpSolidClient;
 
+use Dunglas\PhpSolidClient\Wac\AclDocument;
 use EasyRdf\Graph;
+use ML\IRI\IRI;
 use ML\JsonLD\JsonLD;
 use Symfony\Contracts\HttpClient\Exception\ClientExceptionInterface;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
@@ -208,6 +210,36 @@ private static function getParentContainerUrl(string $url): ?string
         return $parent;
     }
 
+    /**
+     * Fetches and parses the ACL document for a resource.
+     *
+     * Discovers the .acl URL via the Link header (rel="acl") from a HEAD request.
+     */
+    public function getAcl(string $resourceUrl, array $options = []): AclDocument
+    {
+        $metadata = $this->getResourceMetadata($resourceUrl, $options);
+        if (null === $metadata->aclUrl) {
+            throw new Exception(\sprintf('No ACL URL found for resource "%s"', $resourceUrl));
+        }
+
+        $aclUrl = (string) (new IRI($resourceUrl))->resolve($metadata->aclUrl);
+        $response = $this->get($aclUrl, array_merge($options, [
+            'headers' => ['Accept' => 'text/turtle'],
+        ]));
+
+        return AclDocument::fromTurtle($response->getContent(), $aclUrl, $resourceUrl);
+    }
+
+    /**
+     * Writes an ACL document for a resource.
+     */
+    public function putAcl(string $resourceUrl, AclDocument $acl, array $options = []): ResponseInterface
+    {
+        return $this->put($acl->aclUrl, $acl->toTurtle(), false, array_merge($options, [
+            'headers' => ['Content-Type' => 'text/turtle'],
+        ]));
+    }
+
     public function request(string $method, string $url, array $options = []): ResponseInterface
     {
         if ($accessToken = $this->oidcClient?->getAccessToken()) {

src/Wac/AclDocument.php

@@ -0,0 +1,117 @@
+<?php
+
+/*
+ * This file is part of the Solid Client PHP project.
+ * (c) Kévin Dunglas <kevin@dunglas.fr>
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Dunglas\PhpSolidClient\Wac;
+
+final class AclDocument
+{
+    private const ACL_NS = 'http://www.w3.org/ns/auth/acl#';
+    private const FOAF_NS = 'http://xmlns.com/foaf/0.1/';
+
+    /**
+     * @param list<Authorization> $authorizations
+     */
+    public function __construct(
+        public readonly string $aclUrl,
+        public array $authorizations = [],
+    ) {
+    }
+
+    /**
+     * Serializes the ACL document to Turtle format.
+     */
+    public function toTurtle(): string
+    {
+        $lines = [
+            '@prefix acl: <'.self::ACL_NS.'>.',
+            '@prefix foaf: <'.self::FOAF_NS.'>.',
+            '',
+        ];
+
+        foreach ($this->authorizations as $i => $auth) {
+            $lines[] = '<#auth'.$i.'>';
+            $lines[] = '    a acl:Authorization;';
+
+            foreach ($auth->agents as $agent) {
+                $lines[] = '    acl:agent <'.$agent.'>;';
+            }
+            foreach ($auth->agentClasses as $class) {
+                $short = self::shortenUri($class);
+                $lines[] = '    acl:agentClass '.$short.';';
+            }
+            foreach ($auth->modes as $mode) {
+                $short = self::shortenUri($mode);
+                $lines[] = '    acl:mode '.$short.';';
+            }
+
+            $lines[] = '    acl:accessTo <'.$auth->accessTo.'>;';
+
+            if ($auth->isDefault) {
+                $lines[] = '    acl:default <'.$auth->accessTo.'>;';
+            }
+
+            // Replace last semicolon with period
+            $lastIndex = \count($lines) - 1;
+            $lines[$lastIndex] = rtrim($lines[$lastIndex], ';').'.';
+            $lines[] = '';
+        }
+
+        return implode("\n", $lines);
+    }
+
+    /**
+     * Parses a Turtle ACL document using EasyRdf.
+     */
+    public static function fromTurtle(string $turtle, string $aclUrl, string $resourceUrl): self
+    {
+        \EasyRdf\RdfNamespace::set('acl', self::ACL_NS);
+        \EasyRdf\RdfNamespace::set('foaf', self::FOAF_NS);
+
+        $graph = new \EasyRdf\Graph($aclUrl, $turtle, 'turtle');
+        $authorizations = [];
+
+        foreach ($graph->allOfType('acl:Authorization') as $resource) {
+            $agents = [];
+            foreach ($resource->allResources('acl:agent') as $agent) {
+                $agents[] = $agent->getUri();
+            }
+
+            $agentClasses = [];
+            foreach ($resource->allResources('acl:agentClass') as $class) {
+                $agentClasses[] = $class->getUri();
+            }
+
+            $modes = [];
+            foreach ($resource->allResources('acl:mode') as $mode) {
+                $modes[] = $mode->getUri();
+            }
+
+            $accessTo = $resource->getResource('acl:accessTo')?->getUri() ?? $resourceUrl;
+            $isDefault = null !== $resource->getResource('acl:default');
+
+            $authorizations[] = new Authorization($accessTo, $agents, $agentClasses, $modes, $isDefault);
+        }
+
+        return new self($aclUrl, $authorizations);
+    }
+
+    private static function shortenUri(string $uri): string
+    {
+        if (str_starts_with($uri, self::ACL_NS)) {
+            return 'acl:'.substr($uri, \strlen(self::ACL_NS));
+        }
+        if (str_starts_with($uri, self::FOAF_NS)) {
+            return 'foaf:'.substr($uri, \strlen(self::FOAF_NS));
+        }
+
+        return '<'.$uri.'>';
+    }
+}

src/Wac/Authorization.php

@@ -0,0 +1,37 @@
+<?php
+
+/*
+ * This file is part of the Solid Client PHP project.
+ * (c) Kévin Dunglas <kevin@dunglas.fr>
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Dunglas\PhpSolidClient\Wac;
+
+final class Authorization
+{
+    public const MODE_READ = 'http://www.w3.org/ns/auth/acl#Read';
+    public const MODE_WRITE = 'http://www.w3.org/ns/auth/acl#Write';
+    public const MODE_APPEND = 'http://www.w3.org/ns/auth/acl#Append';
+    public const MODE_CONTROL = 'http://www.w3.org/ns/auth/acl#Control';
+
+    public const AGENT_CLASS_PUBLIC = 'http://xmlns.com/foaf/0.1/Agent';
+    public const AGENT_CLASS_AUTHENTICATED = 'http://www.w3.org/ns/auth/acl#AuthenticatedAgent';
+
+    /**
+     * @param list<string> $agents       WebID URIs
+     * @param list<string> $agentClasses foaf:Agent (public) or acl:AuthenticatedAgent
+     * @param list<string> $modes        acl:Read, acl:Write, acl:Append, acl:Control
+     */
+    public function __construct(
+        public string $accessTo,
+        public array $agents = [],
+        public array $agentClasses = [],
+        public array $modes = [],
+        public bool $isDefault = false,
+    ) {
+    }
+}

tests/WacTest.php

@@ -0,0 +1,172 @@
+<?php
+
+/*
+ * This file is part of the Solid Client PHP project.
+ * (c) Kévin Dunglas <kevin@dunglas.fr>
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace Dunglas\PhpSolidClient\Tests;
+
+use Dunglas\PhpSolidClient\SolidClient;
+use Dunglas\PhpSolidClient\Wac\AclDocument;
+use Dunglas\PhpSolidClient\Wac\Authorization;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpClient\MockHttpClient;
+use Symfony\Component\HttpClient\Response\MockResponse;
+
+class WacTest extends TestCase
+{
+    public function testAuthorizationConstants(): void
+    {
+        $this->assertSame('http://www.w3.org/ns/auth/acl#Read', Authorization::MODE_READ);
+        $this->assertSame('http://www.w3.org/ns/auth/acl#Write', Authorization::MODE_WRITE);
+        $this->assertSame('http://www.w3.org/ns/auth/acl#Append', Authorization::MODE_APPEND);
+        $this->assertSame('http://www.w3.org/ns/auth/acl#Control', Authorization::MODE_CONTROL);
+    }
+
+    public function testAclDocumentToTurtle(): void
+    {
+        $acl = new AclDocument('http://pod.example/resource.acl', [
+            new Authorization(
+                'http://pod.example/resource',
+                ['http://example.com/user#me'],
+                [],
+                [Authorization::MODE_READ, Authorization::MODE_WRITE, Authorization::MODE_CONTROL],
+            ),
+            new Authorization(
+                'http://pod.example/resource',
+                [],
+                [Authorization::AGENT_CLASS_PUBLIC],
+                [Authorization::MODE_READ],
+            ),
+        ]);
+
+        $turtle = $acl->toTurtle();
+
+        $this->assertStringContainsString('@prefix acl:', $turtle);
+        $this->assertStringContainsString('acl:agent <http://example.com/user#me>', $turtle);
+        $this->assertStringContainsString('acl:agentClass foaf:Agent', $turtle);
+        $this->assertStringContainsString('acl:mode acl:Read', $turtle);
+        $this->assertStringContainsString('acl:mode acl:Write', $turtle);
+        $this->assertStringContainsString('acl:mode acl:Control', $turtle);
+        $this->assertStringContainsString('acl:accessTo <http://pod.example/resource>', $turtle);
+    }
+
+    public function testAclDocumentFromTurtle(): void
+    {
+        $turtle = <<<'TURTLE'
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+<#owner>
+    a acl:Authorization;
+    acl:agent <http://example.com/user#me>;
+    acl:mode acl:Read, acl:Write, acl:Control;
+    acl:accessTo <http://pod.example/resource>;
+    acl:default <http://pod.example/resource>.
+
+<#public>
+    a acl:Authorization;
+    acl:agentClass foaf:Agent;
+    acl:mode acl:Read;
+    acl:accessTo <http://pod.example/resource>.
+TURTLE;
+
+        $acl = AclDocument::fromTurtle($turtle, 'http://pod.example/resource.acl', 'http://pod.example/resource');
+
+        $this->assertSame('http://pod.example/resource.acl', $acl->aclUrl);
+        $this->assertCount(2, $acl->authorizations);
+
+        $owner = $acl->authorizations[0];
+        $this->assertSame(['http://example.com/user#me'], $owner->agents);
+        $this->assertContains(Authorization::MODE_READ, $owner->modes);
+        $this->assertContains(Authorization::MODE_WRITE, $owner->modes);
+        $this->assertContains(Authorization::MODE_CONTROL, $owner->modes);
+        $this->assertTrue($owner->isDefault);
+
+        $public = $acl->authorizations[1];
+        $this->assertSame([Authorization::AGENT_CLASS_PUBLIC], $public->agentClasses);
+        $this->assertSame([Authorization::MODE_READ], $public->modes);
+        $this->assertFalse($public->isDefault);
+    }
+
+    public function testGetAcl(): void
+    {
+        $aclTurtle = <<<'TURTLE'
+@prefix acl: <http://www.w3.org/ns/auth/acl#>.
+@prefix foaf: <http://xmlns.com/foaf/0.1/>.
+
+<#owner>
+    a acl:Authorization;
+    acl:agent <http://example.com/user#me>;
+    acl:mode acl:Read, acl:Write, acl:Control;
+    acl:accessTo <http://pod.example/data/file.ttl>.
+TURTLE;
+
+        $httpClient = new MockHttpClient([
+            // HEAD response with Link: rel="acl"
+            new MockResponse('', [
+                'http_code' => 200,
+                'response_headers' => [
+                    'Content-Type' => 'text/turtle',
+                    'Link' => '<http://pod.example/data/file.ttl.acl>; rel="acl"',
+                ],
+            ]),
+            // GET ACL document
+            new MockResponse($aclTurtle, [
+                'http_code' => 200,
+                'response_headers' => ['Content-Type' => 'text/turtle'],
+            ]),
+        ]);
+        $client = new SolidClient($httpClient);
+
+        $acl = $client->getAcl('http://pod.example/data/file.ttl');
+
+        $this->assertSame('http://pod.example/data/file.ttl.acl', $acl->aclUrl);
+        $this->assertCount(1, $acl->authorizations);
+        $this->assertSame(['http://example.com/user#me'], $acl->authorizations[0]->agents);
+    }
+
+    public function testPutAcl(): void
+    {
+        $response = new MockResponse('', ['http_code' => 201]);
+        $httpClient = new MockHttpClient($response);
+        $client = new SolidClient($httpClient);
+
+        $acl = new AclDocument('http://pod.example/data/file.ttl.acl', [
+            new Authorization(
+                'http://pod.example/data/file.ttl',
+                ['http://example.com/user#me'],
+                [],
+                [Authorization::MODE_READ, Authorization::MODE_WRITE],
+            ),
+        ]);
+
+        $client->putAcl('http://pod.example/data/file.ttl', $acl);
+
+        $this->assertSame('PUT', $response->getRequestMethod());
+        $this->assertSame('http://pod.example/data/file.ttl.acl', $response->getRequestUrl());
+        $this->assertStringContainsString('acl:agent', $response->getRequestOptions()['body']);
+    }
+
+    public function testAclDocumentWithDefault(): void
+    {
+        $acl = new AclDocument('http://pod.example/container/.acl', [
+            new Authorization(
+                'http://pod.example/container/',
+                ['http://example.com/user#me'],
+                [],
+                [Authorization::MODE_READ, Authorization::MODE_WRITE],
+                true,
+            ),
+        ]);
+
+        $turtle = $acl->toTurtle();
+
+        $this->assertStringContainsString('acl:default', $turtle);
+    }
+}