Updated AccessRule Not Applied: Old BPN Retains Access, New BPN Denied #489

Open
efiege opened this issue Dec 10, 2024 · 0 comments
Labels
bug Something isn't working

efiege commented Dec 10, 2024

Current Behavior

When having Granular Access Control enabled, after creating an AccessRule using the POST /access-controls/rules endpoint for a certain BPN like

"accessRules": [
    {
        "attribute": "bpn",
        "operator": "eq",
        "value": "BPNLXXXXXXXXXXX1"
    },
    ...
]

and successfully (Response: 200 OK) updating this AccessRule using the PUT /access-controls/rules/{{Id}} endpoint to

"accessRules": [
    {
        "attribute": "bpn",
        "operator": "eq",
        "value": "BPNLXXXXXXXXXXX2"
    },
    ...
]

BPNLXXXXXXXXXXX1 is still able to retrieve Shell information (using the Edc-Bpn header). On the other hand, BPNLXXXXXXXXXXX2 is still not able to fetch this information.

Expected Behavior

Updated AccessRule is applied as returned by the response of the PUT /access-controls/rules/{{Id}} endpoint

Steps To Reproduce

  1. Enable Granular Access Control
  2. Create a Shell using POST /shell-descriptors
  3. Create an AccessRule that enables BPNLXXXXXXXXXXX1 to access the Shell information
  4. Ensure BPNLXXXXXXXXXXX1 can retrieve the information using the GET /shell-descriptors endpoint and Edc-Bpn header set to BPNLXXXXXXXXXXX1
  5. Update the previously created AccessRule by just changing the bpn AccessRule to BPNLXXXXXXXXXXX2
  6. Find updated rule not being applied by using the GET /shell-descriptors endpoint and Edc-Bpn header set to:
     • BPNLXXXXXXXXXXX1: Still able to access
     • BPNLXXXXXXXXXXX2: Still unable to access

Possible Solution

We are happy to help with a PR for this!

The targetTenant field in the AccessRule entity seems not to be updated when using the PUT /access-controls/rules/{{Id}} endpoint.

This could be caused by a non-updatable column:

@efiege efiege added the bug Something isn't working label Dec 10, 2024
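
A minimal model of the failure mode hypothesised in the report, as an added example that is not part of the original issue or the project's code: the rule document is rewritten on update while a denormalised tenant column used for enforcement is left stale, and a regression check replays steps 3 to 6. `RuleStore`, its column names and the echo-style update response are assumptions made for illustration.

```python
# Added illustration: RuleStore and its columns are hypothetical, not the registry's code.
import copy


class RuleStore:
    """Toy persistence layer: each row holds the 'policy' document plus a
    denormalised 'target_tenant' column that the access filter reads."""

    def __init__(self, updatable=("policy",)):
        # Columns an update may write; omitting 'target_tenant' models a
        # non-updatable column mapping.
        self.updatable = set(updatable)
        self.rows = {}
        self.next_id = 1

    @staticmethod
    def _bpn(policy):
        return next(r["value"] for r in policy["accessRules"]
                    if r["attribute"] == "bpn" and r["operator"] == "eq")

    def create(self, policy):
        rule_id, self.next_id = self.next_id, self.next_id + 1
        self.rows[rule_id] = {"policy": copy.deepcopy(policy),
                              "target_tenant": self._bpn(policy)}
        return rule_id

    def update(self, rule_id, policy):
        new = {"policy": copy.deepcopy(policy), "target_tenant": self._bpn(policy)}
        for col in self.updatable:      # columns not listed keep their old value
            self.rows[rule_id][col] = new[col]
        return new["policy"]            # assumption: response echoes the request

    def can_read(self, bpn):
        # Enforcement consults only the denormalised column.
        return any(row["target_tenant"] == bpn for row in self.rows.values())


def rule(bpn):
    return {"accessRules": [{"attribute": "bpn", "operator": "eq", "value": bpn}]}


def check_update(store, old_bpn, new_bpn):
    """Replay steps 3-6 of the report; return the violated expectations."""
    rule_id = store.create(rule(old_bpn))
    assert store.can_read(old_bpn)      # step 4: old BPN has access before the update
    store.update(rule_id, rule(new_bpn))
    problems = []
    if store.can_read(old_bpn):
        problems.append("old BPN retains access")
    if not store.can_read(new_bpn):
        problems.append("new BPN denied")
    return problems
```

The check asserts on the access decision for both BPNs after the update rather than on the update response, since in this model the response already shows the new value while enforcement still uses the old one.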