feat(access-rules): add supplementalSemanticIds to FieldIdentifier (align with IDTA-01002) #77
Open
aorzelskiGH wants to merge 1 commit into
…ifier
Align the Security Access Rules BNF and JSON Schema with the
supplementalSemanticIds extensions that the API spec already uses in
its modelStringPattern (IDTA-01002 FieldIdentifier).
Previously, the Security grammar allowed only semanticId under
$sm#, $sme#, $aasdesc#submodelDescriptors.* and $smdesc#. Access
rules that want to scope permissions by supplementalSemanticIds were
therefore formally invalid against the Security schema, even though
the API query language supports them.
Changes:
- access-rules.bnf
<SemanticIdClause> and <SemanticIdClauseFragment> extended to
accept
"supplementalSemanticIds" ( "[" [0-9]* "]" )?
( "." <ReferenceClause> )?
in addition to the existing semanticId forms.
- aas-queries-and-access-rules-schema.json
formulas-and-logical-expressions.json
FieldIdentifier / FieldIdentifierAAS and FragmentFieldIdentifier
patterns widened to include supplementalSemanticIds under $sm#,
$sme#, $aasdesc#submodelDescriptors.*, $smdesc#, mirroring the
API modelStringPattern.
- new example allow-read-supplemental-semantic-id.(bnf|json)
demonstrates a rule scoped by supplementalSemanticIds.
Additive change; all previously valid rules stay valid.
Refs: Review Finding T-05
Made-with: Cursor
| @@ -0,0 +1,9 @@ | |||
| ACCESSRULE: | |||
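Review bot: the new 9-line example that begins with ACCESSRULE: should make explicit, in the accompanying documentation, which index form of supplementalSemanticIds the rule relies on. The clause quoted in the commit message takes [0-9]* between the brackets, so an empty index (supplementalSemanticIds[]) is accepted alongside a numeric index and the un-indexed form, and the scope of an access rule should not depend on a reader guessing what the empty index matches. A companion fixture that the widened schema patterns must reject would also guard against the new alternatives over-matching.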
Summary
Add supplementalSemanticIds support to the Security Access Rules grammar and JSON Schemas, aligning them with the field identifiers that the API spec (IDTA-01002) already exposes via modelStringPattern.
Problem
The API query language supports scoping by supplementalSemanticIds on $sm, $sme, $aasdesc#submodelDescriptors.* and $smdesc, e.g.:
The corresponding Security Access Rules grammar and JSON Schemas did not include supplementalSemanticIds. Rules that try to gate access on supplemental semantics were therefore formally invalid against the Security schema, even though they would parse against the API query language.
Solution
Extend SemanticIdClause (and its Fragment counterpart) to accept supplementalSemanticIds with an optional index and an optional <ReferenceClause> tail, matching the API's modelStringPattern regex. Widen the Security schema FieldIdentifier / FragmentFieldIdentifier and the FieldIdentifierAAS pattern in formulas-and-logical-expressions.json accordingly.
Affected files
- documentation/IDTA-01004/modules/ROOT/partials/bnf/access-rules.bnf
- documentation/IDTA-01004/modules/ROOT/partials/json/aas-queries-and-access-rules-schema.json
- documentation/IDTA-01004/modules/ROOT/partials/json/formulas-and-logical-expressions.json
- documentation/IDTA-01004/modules/ROOT/partials/examples/allow-read-supplemental-semantic-id.bnf (new)
- documentation/IDTA-01004/modules/ROOT/partials/examples/allow-read-supplemental-semantic-id.json (new)
Review notes
modelStringPattern (IDTA-01002 schema.adoc) to guarantee byte-level cross-spec parity for $sm#, $sme#, $aasdesc#submodelDescriptors.*, $smdesc#.
Refs: Review Finding T-05
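A way to check the "additive change" claim and the widened clause with anchored matching, as an added example that is not code from this pull request or the IDTA repository. It assumes a stand-in for <ReferenceClause> and for the shape of the existing semanticId clause, neither of which is shown on this page, and it uses constructed sample fields.

```python
import re

# Hypothetical stand-in for <ReferenceClause>; the page does not define it.
REFERENCE_TAIL = r"(?:type|keys\[[0-9]*\](?:\.(?:type|value))?)"

# Assumed shape of the existing clause: semanticId with an optional tail.
OLD_CLAUSE = rf"semanticId(?:\.{REFERENCE_TAIL})?"

# Addition quoted in the commit message:
#   "supplementalSemanticIds" ( "[" [0-9]* "]" )? ( "." <ReferenceClause> )?
ADDED = rf"supplementalSemanticIds(?:\[[0-9]*\])?(?:\.{REFERENCE_TAIL})?"
NEW_CLAUSE = rf"(?:{OLD_CLAUSE}|{ADDED})"


def accepts(clause: str, field: str) -> bool:
    """True only if the whole field matches; fullmatch keeps a valid
    prefix from carrying unchecked trailing text into a rule."""
    return re.fullmatch(clause, field) is not None


def compare(fields):
    """Map each field to (accepted_before, accepted_after)."""
    return {f: (accepts(OLD_CLAUSE, f), accepts(NEW_CLAUSE, f)) for f in fields}


def regressions(fields):
    """Fields valid before the change but rejected after it (should be none)."""
    return [f for f, (old, new) in compare(fields).items() if old and not new]


# Constructed sample fields (the part after the '#'), not taken from the PR.
SAMPLES = [
    "semanticId",
    "semanticId.keys[0].value",
    "supplementalSemanticIds",
    "supplementalSemanticIds[]",
    "supplementalSemanticIds[2].keys[0].value",
    "supplementalSemanticIds[-1]",
    "supplementalSemanticIds[0].keys[0].value extra",
    "supplementalSemanticIdsX",
]

if __name__ == "__main__":
    for field, (old, new) in compare(SAMPLES).items():
        print(f"{field!r:52} before={old!s:5} after={new}")
    print("regressions:", regressions(SAMPLES))
```

The same before/after comparison can be run against the real patterns from the two JSON Schema files by substituting them for OLD_CLAUSE and NEW_CLAUSE.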