import { expect } from 'chai'
import { createTestApp, cleanTestDir, createFile, createDir } from './helpers.js'
// WebID of the agent that the ACL fixtures below name as the authorized owner.
// It is written into `acl:agent` by ownerFullAcl and sent as the `User` request
// header in the "authorized user" test. example.org is a reserved documentation
// domain, so this identity never resolves to a real profile.
const ALICE = 'https://alice.example.org/profile/card#me'
/**
 * Builds a Turtle ACL fixture with a single `<#public>` authorization that
 * gives `acl:Read` on one resource to the `foaf:Agent` class (the "public"
 * case exercised by the tests in this file). No Write or Control mode is
 * included.
 *
 * The URI is placed between angle brackets verbatim, with no escaping or
 * validation, so this helper is only suitable for trusted, well-formed IRIs
 * such as the fixtures used here.
 *
 * @param {string} resourceUri - Absolute URI of the resource, used as `acl:accessTo`.
 * @returns {string} The ACL document, with a leading and a trailing newline.
 */
function publicReadAcl (resourceUri) {
  const turtleLines = [
    '', // the document starts with an empty line
    '@prefix acl: <http://www.w3.org/ns/auth/acl#>.',
    '@prefix foaf: <http://xmlns.com/foaf/0.1/>.',
    '<#public>',
    'a acl:Authorization;',
    'acl:agentClass foaf:Agent;',
    `acl:accessTo <${resourceUri}>;`,
    'acl:mode acl:Read.',
    '' // ...and ends with a newline
  ]
  return turtleLines.join('\n')
}
/**
 * Builds a Turtle ACL fixture with a single `<#owner>` authorization that
 * gives one named agent `acl:Read`, `acl:Write` and `acl:Control` on one
 * resource. No other agent or agent class is mentioned, which is why the
 * tests in this file use it to model a private resource.
 *
 * Both values are placed between angle brackets verbatim, with no escaping or
 * validation, so this helper is only suitable for trusted, well-formed IRIs
 * such as the fixtures used here.
 *
 * @param {string} resourceUri - Absolute URI of the resource, used as `acl:accessTo`.
 * @param {string} owner - WebID of the agent, used as `acl:agent`.
 * @returns {string} The ACL document, with a leading and a trailing newline.
 */
function ownerFullAcl (resourceUri, owner) {
  const turtleLines = [
    '', // the document starts with an empty line
    '@prefix acl: <http://www.w3.org/ns/auth/acl#>.',
    '<#owner>',
    'a acl:Authorization;',
    `acl:agent <${owner}>;`,
    `acl:accessTo <${resourceUri}>;`,
    'acl:mode acl:Read, acl:Write, acl:Control.',
    '' // ...and ends with a newline
  ]
  return turtleLines.join('\n')
}
/**
 * Builds a Turtle ACL fixture with a single `<#public>` authorization that
 * gives `acl:Read` to the `foaf:Agent` class through `acl:default` on a
 * container. The tests in this file use it to check that a resource without
 * its own ACL picks up the rule from its parent container.
 *
 * The document contains no `acl:accessTo` statement.
 * NOTE(review): presumably this means the container itself is not covered by
 * the rule, only what it contains; confirm against the server's ACL logic.
 *
 * The URI is placed between angle brackets verbatim, with no escaping or
 * validation, so this helper is only suitable for trusted, well-formed IRIs
 * such as the fixtures used here.
 *
 * @param {string} containerUri - Absolute URI of the container, used as `acl:default`.
 * @returns {string} The ACL document, with a leading and a trailing newline.
 */
function defaultPublicReadAcl (containerUri) {
  const turtleLines = [
    '', // the document starts with an empty line
    '@prefix acl: <http://www.w3.org/ns/auth/acl#>.',
    '@prefix foaf: <http://xmlns.com/foaf/0.1/>.',
    '<#public>',
    'a acl:Authorization;',
    'acl:agentClass foaf:Agent;',
    `acl:default <${containerUri}>;`,
    'acl:mode acl:Read.',
    '' // ...and ends with a newline
  ]
  return turtleLines.join('\n')
}
// Access-control tests: each case writes a resource and an ACL document into a
// fresh test directory, then checks the HTTP status the server answers with.
describe('ACL', () => {
  // Handles returned by createTestApp, replaced before every test.
  let request, testDir, serverUri

  // Absolute URI of a server path, as written into the ACL documents.
  const uriOf = (path) => serverUri + path

  // Shared fixture: a file that only ALICE may read, write or control.
  const writeOwnerOnlySecret = () => {
    createFile(testDir, 'secret.txt', 'private data')
    createFile(testDir, 'secret.txt.acl', ownerFullAcl(uriOf('/secret.txt'), ALICE))
  }

  beforeEach(() => {
    // NOTE(review): `skipAuth: false` presumably leaves ACL enforcement switched
    // on in the test app; confirm in helpers.js.
    const app = createTestApp({ skipAuth: false })
    request = app.request
    testDir = app.testDir
    serverUri = app.serverUri
  })

  afterEach(() => {
    return cleanTestDir(testDir)
  })

  // No `User` header is sent, so the request carries no identity at all.
  it('returns 401 for unauthenticated access to protected resource', async () => {
    writeOwnerOnlySecret()
    await request.get('/secret.txt').expect(401)
  })

  // An identity is presented, but it is not the one named in the ACL: 403, not 401.
  // NOTE(review): the agent is asserted through a plain `User` request header.
  // Presumably only the test app honours it; confirm that a production server
  // never trusts this header as proof of identity.
  it('returns 403 for wrong user on protected resource', async () => {
    writeOwnerOnlySecret()
    const asBob = request.get('/secret.txt')
      .set('User', 'https://bob.example.org/profile/card#me')
    await asBob.expect(403)
  })

  it('grants access to authorized user', async () => {
    writeOwnerOnlySecret()
    const asAlice = request.get('/secret.txt').set('User', ALICE)
    const res = await asAlice.expect(200)
    expect(res.text).to.equal('private data')
  })

  it('grants public read access', async () => {
    createFile(testDir, 'public.txt', 'open data')
    createFile(testDir, 'public.txt.acl', publicReadAcl(uriOf('/public.txt')))
    const res = await request.get('/public.txt').expect(200)
    expect(res.text).to.equal('open data')
  })

  // The PUT is sent without a `User` header, hence 401 rather than 403.
  // NOTE(review): a write by an authenticated agent that holds only Read is not
  // exercised by the tests visible here.
  it('denies write to public-read resource', async () => {
    createFile(testDir, 'readonly.txt', 'read only')
    createFile(testDir, 'readonly.txt.acl', publicReadAcl(uriOf('/readonly.txt')))
    const overwrite = request.put('/readonly.txt')
      .set('Content-Type', 'text/plain')
      .send('overwrite')
    await overwrite.expect(401)
  })

  // readme.txt has no ACL of its own; only the container's `.acl` exists.
  it('inherits ACL from parent container', async () => {
    createDir(testDir, 'shared')
    createFile(testDir, 'shared/.acl', defaultPublicReadAcl(uriOf('/shared/')))
    createFile(testDir, 'shared/readme.txt', 'hello')
    const res = await request.get('/shared/readme.txt').expect(200)
    expect(res.text).to.equal('hello')
  })

  // With no ACL written anywhere in the test directory the content must not be
  // served; the server is expected to answer 500.
  it('returns 500 if no ACL found anywhere', async () => {
    createFile(testDir, 'orphan.txt', 'data')
    await request.get('/orphan.txt').expect(500)
  })

  // The response header should advertise the public read permission.
  it('sets WAC-Allow header', async () => {
    createFile(testDir, 'wac.txt', 'data')
    createFile(testDir, 'wac.txt.acl', publicReadAcl(uriOf('/wac.txt')))
    const res = await request.get('/wac.txt').expect(200)
    expect(res.headers['wac-allow']).to.include('public="read"')
  })
})