---+ WebID+TLS+Delegation QA Guide

---++ What is it?

An open-standards-based, multi-protocol authentication layer that provides fine-grained attribute-based access controls (ABAC) to protected resources (HTTP-accessible documents, folders, services [via their endpoints], and SPARQL named graphs). In a nutshell, this solution uses logic expressed in the nature of entity relationships to address issues such as identity, authorization, and restriction.

---++++ The key components of this solution are:

[1] HTTP URI (Hyperlink) based Entity Identifiers (Names)
[2] TLS based data transmission
[3] RDF Language based Statements representing Entity Relationships and Entity Relationship Types
[4] Ontology of terms from shared vocabularies such as , , , and
[5] Entity Relationship Type Semantics -- including the nature of relationships that exist between Software Applications and their Users via .

---++++ Collectively, the components above enable:

[1] Unambiguous Naming for Software Applications (Agents or Bots) and their Users
[2] Identity Claims Construction
[3] Identity Claims Verification
[4] Resource Access Rules (Authorizations) Creation & Evaluation
[5] Resource Access Rate Rules (Restrictions) Creation & Evaluation

---++ Why is it important?

Explicitly distinguishing the identity of a user from the identity of an application is a fundamental requirement for practical attribute-based access controls that leverage open standards such as:

[1] URIs -- Entity Denotation
[2] HTTP -- Data Access Protocol
[3] HTTP URIs -- Entity Identification (Denotation & Connotation via in-built interpretation using Denotation->Connotation redirection)
[4] RDF Language Statements -- enabling construction of Profile Documents using machine- and human-comprehensible sentences/statements
[5] X.509 -- Identity Cards (Certificates) that include references to Profile Documents via the Subject Alternative Name field
[6] TLS -- Data Encryption and Basic Identity Verification that scales to the Internet and Web.
---++ How do I use it?

Assume the following scenario: a publisher of a document seeks to constrain its access to a specific user or group of users. As part of this effort, the following are desired with regard to user experience:

[1] An X.509 Certificate is only created for the software agent (e.g., cURL, Web Browser, ODBC compliant app, etc.) used to access the protected document
[2] Document access controls are scoped to the application user, as opposed to the software being used.

---+++ Components to be installed

[1] Virtuoso Server with WebID+TLS+Delegation
[2] Sponger Cartridge VAD
[3] Faceted Browser VAD
[4] Virtuoso Authentication Layer (VAL) VAD

---+++ Sample Resources

[1] -- Protected Named Graph accessible to any NetID (which includes WebIDs)
[2] -- Protected Named Graph accessible to a specific WebID list

---+++ Certificates and their Subjects

[1] LODConnectivity Cert -- required for WebID+TLS testing using my setup on UB
[2] CA Certificate Bundle for verifying Certs issued by YouID and UB (requested via Shop Agent re. LOD Connectivity Certs)
[3] WebID for which access has been granted to the resource identified by .

---+++ WebID-Profile Document Entries

[1] Add oplcert:onBehalfOf relations to the Agent's WebID-Profile Document that connect it with the authorized Users
[2] Add an entry in the WebID-Profile document of each User that associates them with the Agent
[3] Load the WebID-Profile Documents into Virtuoso's Quad Store (using any of the options it supports: Sponger, SPARQL Load, ODS-Briefcase, etc.)

Note: In situations where there are massive numbers of users and a single agent, a single Turtle document can hold the data from steps 1 & 2 above.

Example documents:

[1] http://kingsley.idehen.net/DAV/home/kidehen/agent-profile-document.ttl -- Agent WebID-Profile Document
[2] http://kingsley.idehen.net/DAV/home/kidehen/profile.ttl -- User WebID-Profile Document

---+++ ACL Definitions

Example Script: {see-sample-below}
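To make the profile-document steps above concrete, here is an added model of the server-side decision they feed into. It is written for this guide and is not Virtuoso or VAL code, and it is not the ACL definition script referred to above. The profile documents, key values, graph names and ACL entries are constructed, and the user-side predicate ex:authorizedAgent is a hypothetical stand-in, since the guide does not name the predicate used for the entry in the User's profile. What the model shows is that a delegation claim (the -W parameter or the On-Behalf-Of header used in the connection tests later on) only takes effect when the agent's WebID+TLS check passes and both the Agent's and the User's profile documents assert the relationship; any other combination is evaluated for no identity and the count query returns 0.

```python
"""Model of the WebID+TLS+Delegation access decision.

Added example; not Virtuoso or VAL code.  Profile documents, key values, graph
names, the ACL table and the user-side predicate ex:authorizedAgent are
constructed for this illustration.  A real verifier dereferences the WebID
profile documents over HTTPS; here a dict of pre-loaded documents stands in.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ANY_NETID = "*"   # ACL sentinel: any identity that passed verification


def parse_triples(text: str) -> Set[Tuple[str, str, str]]:
    """Minimal reader for the constructed samples: one '<s> pred <o> .' or
    '<s> pred "literal" .' statement per line.  Not a general Turtle parser."""
    triples = set()
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        s, p, o = line.rstrip(" .").split(None, 2)
        triples.add((s.strip("<>"), p, o.strip("<>").strip('"')))
    return triples


AGENT = "https://agent.example/profile.ttl#this"       # constructed agent WebID
USER = "https://user.example/profile.ttl#i"            # constructed user WebID
OTHER_USER = "https://other.example/profile.ttl#me"    # never acknowledges the agent

PROFILE_DOCS = {
    # Agent profile: publishes the agent's public key (for WebID+TLS) and the
    # oplcert:onBehalfOf relations to the users it may act for.
    "https://agent.example/profile.ttl": parse_triples(f"""
        <{AGENT}> cert:key <https://agent.example/profile.ttl#key> .
        <https://agent.example/profile.ttl#key> cert:modulus "c0ffee01" .
        <https://agent.example/profile.ttl#key> cert:exponent "65537" .
        <{AGENT}> oplcert:onBehalfOf <{USER}> .
        <{AGENT}> oplcert:onBehalfOf <{OTHER_USER}> .
    """),
    # User profile: the reciprocal entry (hypothetical predicate) naming the agent.
    "https://user.example/profile.ttl": parse_triples(f"""
        <{USER}> ex:authorizedAgent <{AGENT}> .
    """),
    "https://other.example/profile.ttl": parse_triples(""),
}


@dataclass(frozen=True)
class ClientCert:
    """The parts of the X.509 client certificate the check needs."""
    san_uri: str    # subjectAltName URI: the agent's WebID
    modulus: str    # RSA modulus (hex)
    exponent: str   # RSA public exponent (decimal)


def document_of(webid: str) -> str:
    """A WebID is a hash URI; its profile document is the part before '#'."""
    return webid.split("#", 1)[0]


def verify_webid_tls(cert: ClientCert) -> Optional[str]:
    """WebID+TLS: accept the SAN WebID only if the profile document it names
    publishes the public key presented in the TLS handshake."""
    doc = PROFILE_DOCS.get(document_of(cert.san_uri), set())
    for s, p, key in doc:
        if (s == cert.san_uri and p == "cert:key"
                and (key, "cert:modulus", cert.modulus) in doc
                and (key, "cert:exponent", cert.exponent) in doc):
            return cert.san_uri
    return None


def effective_identity(cert: ClientCert, on_behalf_of: Optional[str] = None) -> Optional[str]:
    """Identity the ACL is evaluated for: the agent, or, with a delegation claim,
    the user -- but only if the agent's profile names the user AND the user's
    profile names the agent.  The claim by itself proves nothing."""
    agent = verify_webid_tls(cert)
    if agent is None:
        return None
    if on_behalf_of is None:
        return agent
    agent_doc = PROFILE_DOCS.get(document_of(agent), set())
    user_doc = PROFILE_DOCS.get(document_of(on_behalf_of), set())
    agent_claims = (agent, "oplcert:onBehalfOf", on_behalf_of) in agent_doc
    user_confirms = (on_behalf_of, "ex:authorizedAgent", agent) in user_doc
    return on_behalf_of if agent_claims and user_confirms else None


# Constructed quad store and ACL: one graph open to any NetID, one restricted
# to a WebID list that contains only USER.
STORE = {
    "urn:example:graph:any-netid": {("ex:a", "ex:p", "ex:o"), ("ex:b", "ex:p", "ex:o")},
    "urn:example:graph:user-list": {("ex:c", "ex:p", "ex:o"), ("ex:d", "ex:p", "ex:o"),
                                   ("ex:e", "ex:p", "ex:o")},
}
ACL = {
    "urn:example:graph:any-netid": {ANY_NETID},
    "urn:example:graph:user-list": {USER},
}


def count_triples(graph: str, cert: ClientCert, on_behalf_of: Optional[str] = None) -> int:
    """Outcome of 'select count(*) from <graph> where {?s ?p ?o}' under the ACL.
    A failed identity or ACL check yields 0, as the guide's connection tests expect."""
    who = effective_identity(cert, on_behalf_of)
    allowed = ACL.get(graph, set())
    if who is None or not (ANY_NETID in allowed or who in allowed):
        return 0
    return len(STORE.get(graph, set()))


AGENT_CERT = ClientCert(AGENT, "c0ffee01", "65537")   # matches the agent profile's key

if __name__ == "__main__":
    print("agent alone, user-list graph:", count_triples("urn:example:graph:user-list", AGENT_CERT))
    print("agent for USER, user-list   :", count_triples("urn:example:graph:user-list", AGENT_CERT, USER))
    print("agent for OTHER_USER        :", count_triples("urn:example:graph:user-list", AGENT_CERT, OTHER_USER))
```

The two-sided check is what distinguishes delegation from a self-asserted header: an agent whose certificate verifies can still only act for users whose own profile documents name it back, and a client certificate whose key is not published in the SAN profile is treated as no identity at all.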
---+++ WebID+TLS ISQL/ODBC using TLS Connection Tests

Template:
./isql linkeddata.uriburner.com:1113 "" {app-or-agent-pkcs-file-access-pwd} -X {app-or-agent-pkcs-file} -T {ca-cert-bundle}

[1] isql linkeddata.uriburner.com:1113 "" 1234 -X VirtuosoLODConnectivity.p12 -T ca_list_shop_2016.pem
[2] isql linkeddata.uriburner.com:1113 "" 1234 -X kidehen_dot_net.p12 -T ca_list_shop_2016.pem

ACL Test Queries:

[1] sparql select count (*) from where {?s ?p ?o};
[2] sparql select count (*) from where {?s ?p ?o};

Results: You will get a count of "0" as the solution for queries performed by identities that fail the protected resource ACL test.

---+++ WebID+TLS via HTTP (using cURL) Connection Tests

Template:
curl -iLk --cert-type P12 --cert {app-or-agent-pkcs-file}:{app-or-agent-pkcs-file-access-pwd} "https://linkeddata.uriburner.com/sparql/?default-graph-uri=&query=select+distinct+*+from+%3Curn:protected:demo:graph:2%3E++where+%7B%5B%5D+a+%3FEntityType%7D+limit+50&should-sponge=&format=text%2Fcsv%2Btr&CXML_redir_for_subjs=121&CXML_redir_for_hrefs=&timeout=30000000"

[1] curl -iLk --cert-type P12 --cert VirtuosoLODConnectivity.p12:1234 "https://linkeddata.uriburner.com/sparql/?default-graph-uri=&query=select+distinct+*+from+%3Curn:protected:demo:graph:2%3E++where+%7B%5B%5D+a+%3FEntityType%7D+limit+50&should-sponge=&format=text%2Fcsv%2Btr&CXML_redir_for_subjs=121&CXML_redir_for_hrefs=&timeout=30000000"
[2] curl -iLk --cert-type P12 --cert VirtuosoLODConnectivity.p12:1234 "https://linkeddata.uriburner.com/sparql/?default-graph-uri=&query=select+distinct+*+from+%3Curn:protected:demo:graph:1%3E++where+%7B%5B%5D+a+%3FEntityType%7D+limit+50&should-sponge=&format=text%2Fcsv%2Btr&CXML_redir_for_subjs=121&CXML_redir_for_hrefs=&timeout=30000000"

Results: You will get empty solutions for queries performed by identities that fail the protected resource ACL tests.
---+++ WebID+TLS+Delegation ISQL/ODBC using TLS Connection Tests

In this scenario the identity of the software user and the identity of the software (application/agent/bot) are distinct, i.e., you have a WebID for the software and a WebID for the software user. In this test scenario the WebID of the user (identified by the value of the -W parameter) is the only identity to which protected resource access has been granted.

Template:
./isql linkeddata.uriburner.com:1113 "" {app-or-agent-pkcs-file-access-pwd} -X {app-or-agent-pkcs-file} -T {ca-cert-bundle} -W {user-webid}

[1] isql linkeddata.uriburner.com:1113 "" 1234 -X VirtuosoLODConnectivity.p12 -T ca_list_shop_2016.pem -W http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i
[2] ./isql-new linkeddata.uriburner.com:1113 "" 1234 -X my_software_agent.p12 -T ca_list_shop_2016.pem -W http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i

ACL Test Queries:

[1] sparql select count (*) from where {?s ?p ?o};
[2] sparql select count (*) from where {?s ?p ?o};

Results: You will get a count of "0" as the solution for queries performed by identities that fail the protected resource ACL test.

---+++ WebID+TLS+Delegation via HTTPS (using cURL) Connection Tests

In this usage scenario we make use of the "On-Behalf-Of:" custom HTTP request header. The value of this header is a WebID that identifies the user of the application/agent/bot accessing a protected resource via the HTTP protocol.
Template:
curl -iLk --cert-type P12 --cert {app-or-agent-pkcs-file}:{pkcs-file-access-pwd} --cacert {ca-cert-bundle} -H "On-Behalf-Of: {user-webid}" "{uri-for-accessing-protected-resource}"

[1] curl -iLk --cert-type P12 --cert VirtuosoLODConnectivity.p12:1234 --cacert ca_list_shop_2016.pem -H "On-Behalf-Of: http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i" "https://linkeddata.uriburner.com/sparql/?default-graph-uri=&query=select+count+%28*%29+from+%3Curn:protected:demo:graph:1%3E+where+%7B%3Fs+%3Fp+%3Fo%7D&should-sponge=&format=text%2Fcsv&CXML_redir_for_subjs=121&CXML_redir_for_hrefs=&timeout=30000000"
[2] curl -iLk --cert-type P12 --cert my_software_agent_id.p12:1234 --cacert ca_list_shop_2016.pem -H "On-Behalf-Of: http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i" "https://linkeddata.uriburner.com/sparql/?default-graph-uri=&query=select+count+%28*%29+from+%3Curn:protected:demo:graph:1%3E+where+%7B%3Fs+%3Fp+%3Fo%7D&should-sponge=&format=text%2Fcsv&CXML_redir_for_subjs=121&CXML_redir_for_hrefs=&timeout=30000000"
[3] curl -iLk --cert-type P12 --cert dropbox_software_agent.p12:1234 --cacert ca_list_shop_2016.pem -H "On-Behalf-Of: https://www.dropbox.com/s/m5sdy9nn0qi15hk/profile.ttl?dl=1#identity" "https://linkeddata.uriburner.com/sparql/?default-graph-uri=&query=select+count+%28*%29+from+%3Curn:protected:demo:graph:1%3E+where+%7B%3Fs+%3Fp+%3Fo%7D&should-sponge=&format=text%2Fcsv&CXML_redir_for_subjs=121&CXML_redir_for_hrefs=&timeout=30000000"
[4] curl -iLk --cert-type P12 --cert VirtuosoLODConnectivity.p12:1234 --cacert ca_list_shop_2016.pem -H "On-Behalf-Of: http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i" "https://linkeddata.uriburner.com/sparql/?default-graph-uri=&query=select+distinct+*+from+%3Curn:protected:demo:graph:2%3E++where+%7B%5B%5D+a+%3FEntityType%7D+limit+50&should-sponge=&format=text%2Fcsv%2Btr&CXML_redir_for_subjs=121&CXML_redir_for_hrefs=&timeout=30000000"
[5] curl -iLk --cert-type P12 --cert my_software_agent.p12:1234 --cacert ca_list_shop_2016.pem -H "On-Behalf-Of: http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i" "https://linkeddata.uriburner.com/sparql/?default-graph-uri=&query=select+distinct+*+from+%3Curn:protected:demo:graph:2%3E++where+%7B%5B%5D+a+%3FEntityType%7D+limit+50&should-sponge=&format=text%2Fcsv%2Btr&CXML_redir_for_subjs=121&CXML_redir_for_hrefs=&timeout=30000000"
[6] curl -iLk --cert-type P12 --cert dropbox_software_agent.p12:1234 --cacert ca_list_shop_2016.pem -H "On-Behalf-Of: https://www.dropbox.com/s/m5sdy9nn0qi15hk/profile.ttl?dl=1#identity" "https://linkeddata.uriburner.com/sparql/?default-graph-uri=&query=select+distinct+*+from+%3Curn:protected:demo:graph:2%3E++where+%7B%5B%5D+a+%3FEntityType%7D+limit+50&should-sponge=&format=text%2Fcsv%2Btr&CXML_redir_for_subjs=121&CXML_redir_for_hrefs=&timeout=30000000"

Results: You will get empty solutions for queries performed by identities that fail the protected resource ACL tests.
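The request URLs in the cURL tests above carry percent-encoded SPARQL that is hard to review by eye. The following added helper (written for this guide, not part of it or of Virtuoso) rebuilds those URLs from readable SPARQL with the same parameter set and encoding, recovers the query from an existing URL, and assembles the argv for both the plain WebID+TLS and the delegated On-Behalf-Of cURL templates. The endpoint, graph names, query text, certificate file names and header name are taken from the guide; nothing is executed, the functions only return strings and lists.

```python
"""Assemble and decode the cURL connection tests from readable SPARQL.

Added example; not part of the guide.  It rebuilds the guide's request URLs so
the encoded query strings can be checked against the SPARQL they carry, and
produces the argv for the WebID+TLS and WebID+TLS+Delegation cURL templates.
Nothing is executed: every function returns a string or a list.
"""
import shlex
from typing import List, Optional
from urllib.parse import parse_qs, quote_plus, urlsplit

ENDPOINT = "https://linkeddata.uriburner.com/sparql/"

# The two queries the guide runs, with the graph names from its URLs.  The
# double space before 'where' in LIST_QUERY reproduces the guide's URL exactly.
COUNT_QUERY = "select count (*) from <urn:protected:demo:graph:1> where {?s ?p ?o}"
LIST_QUERY = "select distinct * from <urn:protected:demo:graph:2>  where {[] a ?EntityType} limit 50"


def sparql_request_url(query: str, fmt: str = "text/csv", endpoint: str = ENDPOINT) -> str:
    """Endpoint URL with the parameter set and encoding the guide uses: spaces
    become '+', ':' and '*' stay literal, other reserved characters are
    percent-encoded."""
    params = [
        ("default-graph-uri", ""),
        ("query", quote_plus(query, safe=":*")),
        ("should-sponge", ""),
        ("format", quote_plus(fmt)),
        ("CXML_redir_for_subjs", "121"),
        ("CXML_redir_for_hrefs", ""),
        ("timeout", "30000000"),
    ]
    return endpoint + "?" + "&".join(f"{k}={v}" for k, v in params)


def query_in_url(url: str) -> str:
    """Recover the readable SPARQL from one of the guide's request URLs."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)["query"][0]


def curl_argv(pkcs12_file: str, pkcs12_password: str, url: str,
              ca_bundle: Optional[str] = None,
              on_behalf_of: Optional[str] = None) -> List[str]:
    """argv for the guide's cURL templates.  -k, taken from the template,
    disables server certificate verification, which also makes --cacert moot;
    both are reproduced as the guide gives them.  The 'file:password' form of
    --cert puts the PKCS#12 password in the client host's process list."""
    argv = ["curl", "-iLk", "--cert-type", "P12",
            "--cert", f"{pkcs12_file}:{pkcs12_password}"]
    if ca_bundle:
        argv += ["--cacert", ca_bundle]
    if on_behalf_of:
        # Delegation variant: the user's WebID travels in the custom header; the
        # server still has to confirm it against both WebID-Profile documents.
        argv += ["-H", f"On-Behalf-Of: {on_behalf_of}"]
    argv.append(url)
    return argv


def shell_line(argv: List[str]) -> str:
    """Render argv as a copy-pasteable shell command line."""
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    user = "http://kingsley.idehen.net/public_home/kidehen/profile.ttl#i"
    url = sparql_request_url(COUNT_QUERY)
    print(shell_line(curl_argv("VirtuosoLODConnectivity.p12", "1234", url)))
    print(shell_line(curl_argv("my_software_agent.p12", "1234", url,
                               "ca_list_shop_2016.pem", user)))
    print(query_in_url(url))
```

Running query_in_url over each URL in the tests above is a quick way to confirm that a test really targets the graph it is meant to, since the only difference between the graph:1 and graph:2 requests is a single encoded character.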