NAME

RDF::ACL - access control lists for the semantic web


SYNOPSIS

  use RDF::ACL;
  
  my $acl  = RDF::ACL->new('access.ttl');
  my $auth = $acl->allow(
    webid => 'http://example.com/joe#me',
    item  => 'http://example.com/private/document',
    level => ['Read', 'Write'],
    );
  $acl->save('turtle', 'access.ttl');
  
  # later...
  
  if ($acl->check('http://example.com/joe#me',
                  'http://example.com/private/document',
                  'Read'))
  {
    print slurp("private/document");
  }
  else
  {
    print "Denied";
  }
  
  # later...
  
  foreach my $reason ($acl->why('http://example.com/joe#me',
                                'http://example.com/private/document',
                                'Read'))
  {
    $acl->deny($reason) if defined $reason;
  }
  $acl->save('turtle', 'access.ttl');


VERSION

0.01


CONSTRUCTORS

$acl->new($input, %args)

Creates a new access control list based on RDF data defined in $input. $input can be a serialised string of RDF, a file name, a URI or any other input accepted by the rdf_parse function (see the RDF::Trine::Shortcuts manpage).

$acl->new_remote($endpoint)

Creates a new access control list based on RDF data accessed via a remote SPARQL Protocol 1.0 endpoint.


PUBLIC METHODS

$acl->check($webid, $item, $level, @data)

Checks an agent's authorisation to access an item.

$webid is the WebID (URI) of the agent requesting access to the item.

$item is the URL (URI) of the item being accessed.

$level is a URI identifying the type of access required. As special cases, the case-insensitive string 'read' is expanded to the URI <http://www.w3.org/ns/auth/acl#Read>, 'write' to <http://www.w3.org/ns/auth/acl#Write> and 'control' to <http://www.w3.org/ns/auth/acl#Control>.

If the access control list is local (not remote), zero or more additional RDF graphs can be passed (i.e. @data) containing data to take into consideration when checking the agent's authorisation. This data is trusted blindly, so should not include data that the user has themselves supplied. If the access control list is remote, then this function throws an error if any additional data is provided. (A remote ACL cannot take into account local data.)

If $level is provided, this function returns a boolean.

If $level is undefined or omitted, this function returns a list of URIs which each represent a type of access that the user is authorised.

$acl->why($webid, $item, $level, @data)

Investigates an agent's authorisation to access an item.

Arguments as per check, however $level is required.

Returns a list of authentications that justify a user's access to the item with the given access level. These authentications are equivalent to $authid values provided by allow().

In some cases (especially if the authentication was created by hand, and not via allow()) an authentication may not have an identifier. In these cases, the list will contain undef.

$acl->allow(%args)

Adds an authorisation to the ACL. The ACL must be mutable.

The function takes a hash of named arguments:

  my $authid = $acl->allow(
    webid => 'http://example.com/joe#me',
    item  => 'http://example.com/private/document',
    level => ['Read', 'Write'],
    );

'item' is the URI of the item to authorise access to. As an alternative, 'item_class' may be used to authorise access to an entire class of items (using classes in the RDFS/OWL sense of the word). If neither of these arguments is provided, then the function will throw an error. Both may be provided. Either or both may be an arrayref, because an authorisation may authorise access to more than one thing.

'webid' is the WebID (URI) of the person or agent being granted access. As an alternative, 'agent_class' may be used to authorise access to an entire class of agents. If neither is provided, an agent_class of <http://xmlns.com/foaf/0.1/Agent> is assumed. Both may be provided. Either or both may be an arrayref, because an authorisation may authorise access by more than one agent. (For consistency with 'item', 'agent' is supported as a synonym for 'webid'.)

'level' is the access level being granted. As with the check function, the shortcuts 'read', 'write' and 'control' may be used. An arrayref may be used. If no level is specified, 'read' is assumed.

This authorisation is not automatically saved, so it is probably useful to call save() after adding authorisations.

The function returns an identifier for the authorisation. This identifier may be needed again if you ever need to deny() the authorisation.

$acl->deny($authid)

Completely removes all traces of an authorisation from the ACL.

The authentication identifier can be found using why() or you may have remembered it when you first allowed the access. In some cases (especially if the authentication was created by hand, and not via allow()) an authentication may not have an identifier. In these cases, you will have to be creative in figuring out how to deny access.

Returns the number of statements removed from the ACL's internal model as a result of the removal. (This will normally be at least 3.)

This authorisation is not automatically saved, so it is probably useful to call save() after removing authorisations.

$acl->save($format, $filename)

Serialises a local (not remote) ACL.

$format can be any format supported by rdf_string (see the RDF::Trine::Shortcuts manpage).

If $filename is provided, this function writes to the file and returns the new file size in bytes.

If $filename is omitted, this function does not attempt to write to a file, and simply returns the string it would have written.

$acl->is_remote

Returns true if the ACL is remote; false if local.

$acl->is_mutable

Can this ACL be modified?

$acl->model

The graph model against which authorisation checks are made.

Returned as an the RDF::Trine::Model manpage object.

$acl->endpoint

The endpoint URI for remote (non-local) ACL queries.

Returned as a URI object.


BUGS

Please report any bugs to http://rt.cpan.org/.


SEE ALSO

the CGI::Auth::FOAF_SSL manpage.

http://www.w3.org/ns/auth/acl.n3.

http://www.perlrdf.org/, http://lists.foaf-project.org/mailman/listinfo/foaf-protocols.


AUTHOR

Toby Inkster <tobyink@cpan.org>.


COPYRIGHT

Copyright 2010 Toby Inkster

This library is free software; you can redistribute it and/or modify it under the same terms as Perl itself.