Authorization submodel semantic id + new submodel API methods (#262)

Signed-off-by: FlorianWege-IESE <[email protected]>
Co-authored-by: Daespen <[email protected]>

src/main/java/org/eclipse/basyx/extensions/aas/aggregator/authorization/internal/SimpleRbacAASAggregatorAuthorizer.java

@@ -59,14 +59,14 @@ public Collection<IAssetAdministrationShell> authorizeGetAASList(final SubjectIn
 
 	@Override
 	public IAssetAdministrationShell authorizeGetAAS(final SubjectInformationType subjectInformation, final IIdentifier aasId, final Supplier<IAssetAdministrationShell> aasSupplier) throws InhibitException {
-		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAggregatorScopes.READ_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null));
+		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAggregatorScopes.READ_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null, null));
 
 		return aasSupplier.get();
 	}
 
 	@Override
 	public IModelProvider authorizeGetAASProvider(final SubjectInformationType subjectInformation, final IIdentifier aasId, final Supplier<IModelProvider> modelProviderSupplier) throws InhibitException {
-		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAggregatorScopes.READ_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null));
+		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAggregatorScopes.READ_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null, null));
 
 		return modelProviderSupplier.get();
 	}
@@ -75,18 +75,18 @@ public IModelProvider authorizeGetAASProvider(final SubjectInformationType subje
 	public void authorizeCreateAAS(final SubjectInformationType subjectInformation, final AssetAdministrationShell aas) throws InhibitException {
 		final IIdentifier aasId = aas.getIdentification();
 
-		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAggregatorScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null));
+		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAggregatorScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null, null));
 	}
 
 	@Override
 	public void authorizeUpdateAAS(final SubjectInformationType subjectInformation, final AssetAdministrationShell aas) throws InhibitException {
 		final IIdentifier aasId = aas.getIdentification();
 
-		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAggregatorScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null));
+		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAggregatorScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null, null));
 	}
 
 	@Override
 	public void authorizeDeleteAAS(final SubjectInformationType subjectInformation, final IIdentifier aasId) throws InhibitException {
-		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAggregatorScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null));
+		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAggregatorScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null, null));
 	}
 }

src/main/java/org/eclipse/basyx/extensions/aas/api/authorization/internal/SimpleRbacAASAPIAuthorizer.java

@@ -55,7 +55,7 @@ public SimpleRbacAASAPIAuthorizer(final IRbacRuleChecker rbacRuleChecker, final
 	public IAssetAdministrationShell authorizeGetAAS(final SubjectInformationType subjectInformation, final Supplier<IAssetAdministrationShell> aasSupplier) throws InhibitException {
 		final IIdentifier aasId = getAasId(aasSupplier);
 
-		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAPIScopes.READ_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null));
+		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAPIScopes.READ_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null, null));
 
 		return aasSupplier.get();
 	}
@@ -64,14 +64,14 @@ public IAssetAdministrationShell authorizeGetAAS(final SubjectInformationType su
 	public void authorizeAddSubmodel(final SubjectInformationType subjectInformation, final Supplier<IAssetAdministrationShell> aasSupplier, final IReference smId) throws InhibitException {
 		final IIdentifier aasId = getAasId(aasSupplier);
 
-		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAPIScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), IdHelper.getReferenceId(smId), null));
+		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAPIScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), IdHelper.getReferenceId(smId), null, null));
 	}
 
 	@Override
 	public void authorizeRemoveSubmodel(final SubjectInformationType subjectInformation, final Supplier<IAssetAdministrationShell> aasSupplier, final String smIdShortPath) throws InhibitException {
 		final IIdentifier aasId = getAasId(aasSupplier);
 
-		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAPIScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), smIdShortPath, null));
+		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASAPIScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), smIdShortPath, null, null));
 	}
 
 	private IIdentifier getAasId(final Supplier<IAssetAdministrationShell> aasSupplier) {

src/main/java/org/eclipse/basyx/extensions/aas/directory/tagged/authorized/internal/AuthorizedTaggedDirectory.java

@@ -24,12 +24,6 @@
  ******************************************************************************/
 package org.eclipse.basyx.extensions.aas.directory.tagged.authorized.internal;
 
-import java.util.Collection;
-import java.util.HashSet;
-import java.util.List;
-import java.util.Objects;
-import java.util.Set;
-import java.util.stream.Collectors;
 import org.eclipse.basyx.aas.metamodel.map.descriptor.ModelUrn;
 import org.eclipse.basyx.aas.metamodel.map.descriptor.SubmodelDescriptor;
 import org.eclipse.basyx.extensions.aas.directory.tagged.api.IAASTaggedDirectory;
@@ -41,9 +35,13 @@
 import org.eclipse.basyx.extensions.shared.authorization.internal.InhibitException;
 import org.eclipse.basyx.extensions.shared.authorization.internal.NotAuthorizedException;
 import org.eclipse.basyx.submodel.metamodel.api.identifier.IIdentifier;
+import org.eclipse.basyx.submodel.metamodel.api.reference.IReference;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
+import java.util.*;
+import java.util.stream.Collectors;
+
 /**
  * Implementation of {@link IAASTaggedDirectory} for restricting access to
  * sensitive data
@@ -93,7 +91,8 @@ public void register(final TaggedAASDescriptor descriptor) {
 	}
 
 	protected void authorizeRegister(final TaggedAASDescriptor descriptor) throws InhibitException {
-		taggedDirectoryAuthorizer.authorizeRegister(subjectInformationProvider.get(), descriptor);
+		final IIdentifier aasId = getAasIdUnsecured(descriptor);
+		taggedDirectoryAuthorizer.authorizeRegister(subjectInformationProvider.get(), aasId, descriptor);
 	}
 
 	@Override
@@ -186,7 +185,9 @@ public void registerSubmodel(final IIdentifier aasId, final TaggedSubmodelDescri
 	}
 
 	protected void authorizeRegisterSubmodel(final IIdentifier aasId, final TaggedSubmodelDescriptor smDescriptor) throws InhibitException {
-		taggedDirectoryAuthorizer.authorizeRegisterSubmodel(subjectInformationProvider.get(), aasId, smDescriptor);
+		final IIdentifier smId = getSmIdUnsecured(smDescriptor);
+		final IReference smSemanticId = getSmSemanticIdUnsecured(smDescriptor);
+		taggedDirectoryAuthorizer.authorizeRegisterSubmodel(subjectInformationProvider.get(), aasId, smId, smSemanticId, smDescriptor);
 	}
 
 	@Override

src/main/java/org/eclipse/basyx/extensions/aas/directory/tagged/authorized/internal/GrantedAuthorityTaggedDirectoryAuthorizer.java

@@ -34,6 +34,7 @@
 import org.eclipse.basyx.extensions.shared.authorization.internal.IGrantedAuthorityAuthenticator;
 import org.eclipse.basyx.extensions.shared.authorization.internal.InhibitException;
 import org.eclipse.basyx.submodel.metamodel.api.identifier.IIdentifier;
+import org.eclipse.basyx.submodel.metamodel.api.reference.IReference;
 
 /**
  * Scope based implementation for {@link ITaggedDirectoryAuthorizer}.
@@ -46,7 +47,7 @@ public GrantedAuthorityTaggedDirectoryAuthorizer(final IGrantedAuthorityAuthenti
 	}
 
 	@Override
-	public void authorizeRegister(final SubjectInformationType subjectInformation, final TaggedAASDescriptor taggedAASDescriptorSupplier) throws InhibitException {
+	public void authorizeRegister(final SubjectInformationType subjectInformation, final IIdentifier aasId, final TaggedAASDescriptor taggedAASDescriptorSupplier) throws InhibitException {
 		GrantedAuthorityHelper.checkAuthority(grantedAuthorityAuthenticator, subjectInformation, AuthorizedAASRegistry.WRITE_AUTHORITY);
 	}
 
@@ -65,7 +66,7 @@ public Set<TaggedAASDescriptor> authorizeLookupTags(final SubjectInformationType
 	}
 
 	@Override
-	public void authorizeRegisterSubmodel(final SubjectInformationType subjectInformation, final IIdentifier aasId, final TaggedSubmodelDescriptor taggedSubmodelDescriptor) throws InhibitException {
+	public void authorizeRegisterSubmodel(final SubjectInformationType subjectInformation, final IIdentifier aasId, final IIdentifier smId, final IReference smSemanticId, final TaggedSubmodelDescriptor taggedSubmodelDescriptor) throws InhibitException {
 		GrantedAuthorityHelper.checkAuthority(grantedAuthorityAuthenticator, subjectInformation, AuthorizedAASRegistry.WRITE_AUTHORITY);
 	}
 

src/main/java/org/eclipse/basyx/extensions/aas/directory/tagged/authorized/internal/ITaggedDirectoryAuthorizer.java

@@ -33,6 +33,7 @@
 import org.eclipse.basyx.extensions.aas.registration.authorization.internal.IAASRegistryAuthorizer;
 import org.eclipse.basyx.extensions.shared.authorization.internal.InhibitException;
 import org.eclipse.basyx.submodel.metamodel.api.identifier.IIdentifier;
+import org.eclipse.basyx.submodel.metamodel.api.reference.IReference;
 
 /**
  * Interface for the authorization points used in
@@ -46,12 +47,14 @@ public interface ITaggedDirectoryAuthorizer<SubjectInformationType> extends IAAS
 	 *
 	 * @param subjectInformation
 	 *            information of the requester.
+	 * @param aasId
+	 *            id of the AAS.
 	 * @param taggedAASDescriptor
 	 *            the AAS descriptor.
 	 * @throws InhibitException
 	 *             if authorization failed
 	 */
-	public void authorizeRegister(final SubjectInformationType subjectInformation, final TaggedAASDescriptor taggedAASDescriptor) throws InhibitException;
+	public void authorizeRegister(final SubjectInformationType subjectInformation, final IIdentifier aasId, final TaggedAASDescriptor taggedAASDescriptor) throws InhibitException;
 
 	/**
 	 * Checks authorization for {@link IAASTaggedDirectory#lookupTag(String)}.
@@ -91,12 +94,16 @@ public interface ITaggedDirectoryAuthorizer<SubjectInformationType> extends IAAS
 	 *            information of the requester.
 	 * @param aasId
 	 *            id of the AAS.
+	 * @param smId
+	 *            id of the submodel.
+	 * @param smSemanticId
+	 *            smenatic id of the submodel.
 	 * @param taggedSubmodelDescriptor
 	 *            supplier for the submodel descriptor.
 	 * @throws InhibitException
 	 *             if authorization failed
 	 */
-	public void authorizeRegisterSubmodel(final SubjectInformationType subjectInformation, final IIdentifier aasId, final TaggedSubmodelDescriptor taggedSubmodelDescriptor) throws InhibitException;
+	public void authorizeRegisterSubmodel(final SubjectInformationType subjectInformation, final IIdentifier aasId, final IIdentifier smId, final IReference smSemanticId, final TaggedSubmodelDescriptor taggedSubmodelDescriptor) throws InhibitException;
 
 	/**
 	 * Checks authorization for

src/main/java/org/eclipse/basyx/extensions/aas/directory/tagged/authorized/internal/SimpleRbacTaggedDirectoryAuthorizer.java

@@ -38,6 +38,7 @@
 import org.eclipse.basyx.extensions.shared.authorization.internal.SimpleRbacHelper;
 import org.eclipse.basyx.extensions.shared.authorization.internal.TagTargetInformation;
 import org.eclipse.basyx.submodel.metamodel.api.identifier.IIdentifier;
+import org.eclipse.basyx.submodel.metamodel.api.reference.IReference;
 
 /**
  * Simple role based implementation for {@link ITaggedDirectoryAuthorizer}.
@@ -50,10 +51,8 @@ public SimpleRbacTaggedDirectoryAuthorizer(final IRbacRuleChecker rbacRuleChecke
 	}
 
 	@Override
-	public void authorizeRegister(final SubjectInformationType subjectInformation, final TaggedAASDescriptor taggedAASDescriptor) throws InhibitException {
-		final IIdentifier aasId = taggedAASDescriptor.getIdentifier();
-
-		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASRegistryScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null));
+	public void authorizeRegister(final SubjectInformationType subjectInformation, final IIdentifier aasId, final TaggedAASDescriptor taggedAASDescriptor) throws InhibitException {
+		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASRegistryScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), null, null, null));
 	}
 
 	@Override
@@ -69,10 +68,8 @@ public Set<TaggedAASDescriptor> authorizeLookupTags(final SubjectInformationType
 	}
 
 	@Override
-	public void authorizeRegisterSubmodel(final SubjectInformationType subjectInformation, final IIdentifier aasId, final TaggedSubmodelDescriptor taggedSubmodelDescriptor) throws InhibitException {
-		final IIdentifier smId = taggedSubmodelDescriptor.getIdentifier();
-
-		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASRegistryScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), IdHelper.getIdentifierId(smId), null));
+	public void authorizeRegisterSubmodel(final SubjectInformationType subjectInformation, final IIdentifier aasId, final IIdentifier smId, final IReference smSemanticId, final TaggedSubmodelDescriptor taggedSubmodelDescriptor) throws InhibitException {
+		SimpleRbacHelper.checkRule(rbacRuleChecker, roleAuthenticator, subjectInformation, AASRegistryScopes.WRITE_SCOPE, new BaSyxObjectTargetInformation(IdHelper.getIdentifierId(aasId), IdHelper.getIdentifierId(smId), IdHelper.getReferenceId(smSemanticId), null));
 	}
 
 	@Override

src/main/java/org/eclipse/basyx/extensions/aas/registration/authorization/internal/AuthorizedAASRegistry.java

@@ -40,7 +40,9 @@
 import org.eclipse.basyx.extensions.shared.authorization.internal.ISubjectInformationProvider;
 import org.eclipse.basyx.extensions.shared.authorization.internal.InhibitException;
 import org.eclipse.basyx.extensions.shared.authorization.internal.NotAuthorizedException;
+import org.eclipse.basyx.submodel.metamodel.api.ISubmodel;
 import org.eclipse.basyx.submodel.metamodel.api.identifier.IIdentifier;
+import org.eclipse.basyx.submodel.metamodel.api.reference.IReference;
 import org.eclipse.basyx.vab.exception.provider.ProviderException;
 import org.eclipse.basyx.vab.exception.provider.ResourceNotFoundException;
 import org.slf4j.Logger;
@@ -90,7 +92,8 @@ public void register(final AASDescriptor deviceAASDescriptor) throws ProviderExc
 	}
 
 	protected void authorizeRegister(final AASDescriptor aasDescriptor) throws InhibitException {
-		aasRegistryAuthorizer.authorizeRegisterAas(subjectInformationProvider.get(), aasDescriptor);
+		final IIdentifier aasId = getAasIdUnsecured(aasDescriptor);
+		aasRegistryAuthorizer.authorizeRegisterAas(subjectInformationProvider.get(), aasId, aasDescriptor);
 	}
 
 	@Override
@@ -109,7 +112,9 @@ public void register(final IIdentifier aasId, final SubmodelDescriptor smDescrip
 	}
 
 	protected void authorizeRegister(final IIdentifier aasId, final SubmodelDescriptor smDescriptor) throws InhibitException {
-		aasRegistryAuthorizer.authorizeRegisterSubmodel(subjectInformationProvider.get(), aasId, smDescriptor);
+		final IIdentifier smId = getSmIdUnsecured(smDescriptor);
+		final IReference smSemanticId = getSmSemanticIdUnsecured(smDescriptor);
+		aasRegistryAuthorizer.authorizeRegisterSubmodel(subjectInformationProvider.get(), aasId, smId, smSemanticId, smDescriptor);
 	}
 
 	@Override
@@ -147,7 +152,9 @@ public void delete(final IIdentifier aasId, final IIdentifier smId) throws Provi
 	}
 
 	protected void authorizeDelete(final IIdentifier aasId, final IIdentifier smId) throws InhibitException {
-		aasRegistryAuthorizer.authorizeUnregisterSubmodel(subjectInformationProvider.get(), aasId, smId);
+		final SubmodelDescriptor smDescriptor = getSmDescriptorUnsecured(aasId, smId);
+		final IReference smSemanticId = getSmSemanticIdUnsecured(smDescriptor);
+		aasRegistryAuthorizer.authorizeUnregisterSubmodel(subjectInformationProvider.get(), aasId, smId, smSemanticId);
 	}
 
 	@Override
@@ -278,6 +285,43 @@ public SubmodelDescriptor lookupSubmodel(final IIdentifier aasId, final IIdentif
 	}
 
 	protected SubmodelDescriptor authorizeLookupSubmodel(final IIdentifier aasId, final IIdentifier smId) throws InhibitException {
-		return aasRegistryAuthorizer.authorizeLookupSubmodel(subjectInformationProvider.get(), aasId, smId, () -> decoratedRegistry.lookupSubmodel(aasId, smId));
+		final SubmodelDescriptor smDescriptor = getSmDescriptorUnsecured(aasId, smId);
+		final IReference smSemanticId = getSmSemanticIdUnsecured(smDescriptor);
+		return aasRegistryAuthorizer.authorizeLookupSubmodel(subjectInformationProvider.get(), aasId, smId, smSemanticId, () -> decoratedRegistry.lookupSubmodel(aasId, smId));
+	}
+
+	protected IIdentifier getAasIdUnsecured(final AASDescriptor aasDescriptor) throws ResourceNotFoundException {
+		if (aasDescriptor == null) {
+			return null;
+		}
+
+		try (final ElevatedCodeAuthentication.ElevatedCodeAuthenticationAreaHandler ignored = ElevatedCodeAuthentication.enterElevatedCodeAuthenticationArea()) {
+			return aasDescriptor.getIdentifier();
+		}
+	}
+
+	protected SubmodelDescriptor getSmDescriptorUnsecured(final IIdentifier aasId, final IIdentifier smId) throws ResourceNotFoundException {
+		try (final ElevatedCodeAuthentication.ElevatedCodeAuthenticationAreaHandler ignored = ElevatedCodeAuthentication.enterElevatedCodeAuthenticationArea()) {
+			return decoratedRegistry.lookupSubmodel(aasId, smId);
+		}
+	}
+
+	protected IIdentifier getSmIdUnsecured(final SubmodelDescriptor smDescriptor) throws ResourceNotFoundException {
+		if (smDescriptor == null) {
+			return null;
+		}
+
+		try (final ElevatedCodeAuthentication.ElevatedCodeAuthenticationAreaHandler ignored = ElevatedCodeAuthentication.enterElevatedCodeAuthenticationArea()) {
+			return smDescriptor.getIdentifier();
+		}
+	}
+	protected IReference getSmSemanticIdUnsecured(final SubmodelDescriptor smDescriptor) throws ResourceNotFoundException {
+		if (smDescriptor == null) {
+			return null;
+		}
+
+		try (final ElevatedCodeAuthentication.ElevatedCodeAuthenticationAreaHandler ignored = ElevatedCodeAuthentication.enterElevatedCodeAuthenticationArea()) {
+			return smDescriptor.getSemanticId();
+		}
 	}
 }