Shape of ACL

[csarven]

As clients can create ACLs, servers need to have deterministic handling of the request. Clients and servers need to have a shared understanding and expectation of the information within ACL documents. Invalid ACLs pose potential security issues. Defining an ACL shape to validate request payload can be a way to address this.

Related issues: #56 , #57 , solid/web-access-control-spec#78 , #130 , #67 , #193

[NSeydoux]

Related issue: #186

[tpluscode]

I'd like to propose SHACL as one standards-based way to describe these shapes.

Questions:

1. Should acl:mode allow custom modes other than the predefined three?

Authorization

@prefix vcard: <http://www.w3.org/2006/vcard/ns#> .
@prefix acl: <http://www.w3.org/ns/auth/acl#> .
@prefix rdf: <http://www.w3.org/1999/02/22-rdf-syntax-ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

acl:Authorization
    a rdfs:Class, sh:NodeShape ;
    sh:or
        (
            [
                # either an acl:agent
                sh:property
                    [
                        a sh:PropertyShape ;
                        sh:minCount 1 ;
                        sh:nodeKind sh:IRI ;
                        sh:path acl:agent
                    ]
            ] [
                  # or class of agents
                  sh:property
                      [
                          a sh:PropertyShape ;
                          sh:minCount 1 ;
                          sh:path acl:agentClass ;
                          sh:nodeKind sh:IRI ;
                      ]
              ] [
                    # or multiple groups
                    sh:property
                        [
                            a sh:PropertyShape ;
                            sh:minCount 1 ;
                            sh:path acl:agentGroup ;
                            sh:class vcard:Group ;
                        ]
                ]
        ) ;
    sh:or
        (
            [
                # either direct resource access
                sh:property
                    [
                        a sh:PropertyShape ;
                        sh:minCount 1 ;
                        sh:nodeKind sh:IRI ;
                        sh:path acl:accessTo
                    ]
            ]
            [
                # or class access
                sh:property
                    [
                        a sh:PropertyShape ;
                        sh:minCount 1 ;
                        sh:nodeKind sh:IRI ;
                        sh:path acl:accessToClass
                    ]
            ]
        ) ;
    sh:property
        [
            a sh:PropertyShape ;
            sh:in ( acl:Read acl:Write acl:Control ) ;
            sh:minCount 1 ;
            sh:path acl:mode
        ],
        [
            a sh:PropertyShape ;
            sh:hasValue acl:Authorization ;
            sh:path rdf:type
        ] ;
.

Group:

@prefix dcterms: <http://purl.org/dc/terms/> .
@prefix vcard: <http://www.w3.org/2006/vcard/ns#> .
@prefix rdfs: <http://www.w3.org/2000/01/rdf-schema#> .
@prefix sh: <http://www.w3.org/ns/shacl#> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

vcard:Group a rdfs:Class, sh:NodeShape ;
  sh:property
    [
      a sh:PropertyShape ;
      sh:datatype xsd:dateTime ;
      sh:maxCount 1 ;
      sh:path dcterms:modified ;
    ],
    [
      a sh:PropertyShape ;
      sh:datatype xsd:dateTime ;
      sh:maxCount 1 ;
      sh:path dcterms:created ;
    ],
    [
      a sh:PropertyShape ;
      sh:maxCount 1 ;
      sh:minCount 1 ;
      sh:nodeKind sh:IRI ;
      sh:path vcard:hasUID ;
      sh:pattern "^urn:uuid:"
    ],
    [
      a sh:PropertyShape ;
      sh:nodeKind sh:IRI ;
      sh:path vcard:hasMember
    ],
    [
      a sh:PropertyShape ;
      sh:hasValue vcard:Group ;
      sh:path rdf:type
    ] .

By the way, I think that the readme uses the wrong Dublin Core namespace.

EDIT: it's also missing acl:agentClass (added above)

[acoburn]

acl:agent should not have a sh:maxCount 1

And acl:Append is missing from the list of modes

[tpluscode]

Ok, I removed this restriction from properties