Error obtaining data when provider's usage policy changes from ids:permission to ids:prohibition #547

Open
jfernandezsqs opened this issue Nov 16, 2022 · 0 comments

While using the IDS-testbed, @aramirezarsys tried to change the usage policy in use from ids-permission to ids-prohibition in DSC version 8.0.2, so that the Consumer connector would not have rights to access that artifact again.
However, the consumer is still able to obtain the artifact with the prohibit usage policy in use, which is not the expected behavior.

The following steps have been taken to find this possible failure in the implementation of usage policies:

  1. Launch the IDS-testbed.
    Actually, the IDS-testbed deploys two DSC version 7.1.0 instances, but it has been tested with version 8.0.2 of the Dataspace Connector.
    Just change lines 48 and 68 of the docker-compose.yml to `image: ghcr.io/international-data-spaces-association/dataspace-connector:8.0.2`
  2. Launch the Postman script to create a complete offer with the ids-permission usage policy applied.
  3. Change the provider's rule from `ids-permission` to `ids-prohibition`:
```
curl -X 'PUT' \
  'https://localhost:8080/api/rules/7730d8e8-5926-4887-b0d0-f7869f170046' \
  -H 'accept: */*' \
  -H 'Content-Type: application/json' \
  -d '{
   "title": "Example Usage Policy",
   "description": "Usage policy prohibit access applied",
   "value": "{\n  \"@context\" : {\n    \"ids\" : \"https://w3id.org/idsa/core/\",\n    \"idsc\" : \"https://w3id.org/idsa/code/\"\n  },\n  \"@type\" : \"ids:Prohibition\",\n  \"@id\" : \"https://w3id.org/idsa/autogen/prohibition/51f5f7e4-f97f-4f91-bc57-b243714642be\",\n  \"ids:description\" : [ {\n    \"@value\" : \"Usage policy prohibit access applied\",\n    \"@type\" : \"http://www.w3.org/2001/XMLSchema#string\"\n  } ],\n  \"ids:title\" : [ {\n    \"@value\" : \"Example Usage Policy\",\n    \"@type\" : \"http://www.w3.org/2001/XMLSchema#string\"\n  } ],\n    \"ids:action\" : [ {\n    \"@id\" : \"https://w3id.org/idsa/code/USE\"\n  } ]\n }"
}
'
```

At this point, the data should not be accessed anymore by the consumer connector.

  1. Try to access the data from the consumer's dataspace connector.
    Data is accessed and the field numAccessed is updated in the provider's artifact. This field is also updated in the consumer's artifact.
```
connectorb             | 2022-11-16T13:19:27,279 [https-jsse-nio-8081-exec-9] INFO - Using cached DAPS DAT. [expiration=(2022-11-16T14:17:45.000+0000), code=(IMSCOI0053)]
connectorb             | 2022-11-16T13:19:27,297 [https-jsse-nio-8081-exec-9] INFO - Sending request to https://connectora:8080/api/ids/data ... [code=(IMSMEI0065)]
connectora             | 2022-11-16T13:19:27,329 [https-jsse-nio-8080-exec-7] INFO - Received incoming message. [code=(IMSMEI0059)]
connectora             | 2022-11-16T13:19:27,350 [https-jsse-nio-8080-exec-7] INFO - Requesting public key of token issuer. [url=(https://omejdn/auth/jwks.json), kid=(b5dac7d64831047f7395d8362aa575b1e908eedbf1e5c500bee184558cacbd97), code=(IMSCOI0051)]
omejdn-server          | 172.22.0.6 - - [16/Nov/2022:13:19:27 +0000] "GET /jwks.json HTTP/1.1" 200 469 0.0014
omejdn                 | 172.22.0.9 - - [16/Nov/2022:13:19:27 +0000] "GET /auth/jwks.json HTTP/1.1" 200 469 "-" "okhttp/4.10.0" "-"
connectora             | 2022-11-16T13:19:27,375 [https-jsse-nio-8080-exec-7] INFO - Successfully validated DAPS whitelisting.
connectora             | 2022-11-16T13:19:27,375 [https-jsse-nio-8080-exec-7] INFO - Successfully verified DAT claims. [code=(IMSCOI0050)]
connectora             | 2022-11-16T13:19:27,415 [https-jsse-nio-8080-exec-7] INFO - Using cached DAPS DAT. [expiration=(2022-11-16T14:17:46.000+0000), code=(IMSCOI0053)]
connectora             | 2022-11-16T13:19:27,434 [https-jsse-nio-8080-exec-7] INFO - Sending response with status OK (200). [code=(IMSMEI0061)]
connectorb             | 2022-11-16T13:19:27,436 [https-jsse-nio-8081-exec-9] INFO - Successfully received response to request. [code=(IMSMEI0067)]
connectorb             | 2022-11-16T13:19:27,454 [https-jsse-nio-8081-exec-9] INFO - Successfully passed SHACL-Validation. [code=(IMSMEI0064)]
connectorb             | 2022-11-16T13:19:27,470 [https-jsse-nio-8081-exec-9] INFO - Requesting public key of token issuer. [url=(https://omejdn/auth/jwks.json), kid=(b5dac7d64831047f7395d8362aa575b1e908eedbf1e5c500bee184558cacbd97), code=(IMSCOI0051)]
omejdn-server          | 172.22.0.6 - - [16/Nov/2022:13:19:27 +0000] "GET /jwks.json HTTP/1.1" 200 469 0.0012
omejdn                 | 172.22.0.5 - - [16/Nov/2022:13:19:27 +0000] "GET /auth/jwks.json HTTP/1.1" 200 469 "-" "okhttp/4.10.0" "-"
connectorb             | 2022-11-16T13:19:27,500 [https-jsse-nio-8081-exec-9] INFO - Successfully validated DAPS whitelisting.
connectorb             | 2022-11-16T13:19:27,502 [https-jsse-nio-8081-exec-9] INFO - Successfully verified DAT claims. [code=(IMSCOI0050)]
```

As can be seen, even if there is a usage policy prohibition, the consumer is able to obtain the data from the provider.
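
A log-based check for the behaviour reported in this issue, as an added example (not code from the issue or from the Dataspace Connector project): it reads the rule's JSON-LD and flags provider responses with status 200 logged after the rule became a prohibition. Assumptions: the rule-change time is constructed, the function names are hypothetical, and every message the provider answers with 200 is treated as an artifact request, which the log codes alone do not distinguish.

```python
import json
import re
from datetime import datetime

# Constructed: the "value" sent in the PUT, reduced to the two fields this check reads.
RULE_VALUE = json.dumps({
    "@type": "ids:Prohibition",
    "ids:action": [{"@id": "https://w3id.org/idsa/code/USE"}],
})
# Constructed: when the rule was changed (the issue gives no timestamp for step 3).
RULE_CHANGED_AT = datetime(2022, 11, 16, 13, 0, 0)
# Three lines copied from the log excerpt in the issue.
LOG = """\
connectorb             | 2022-11-16T13:19:27,297 [https-jsse-nio-8081-exec-9] INFO - Sending request to https://connectora:8080/api/ids/data ... [code=(IMSMEI0065)]
connectora             | 2022-11-16T13:19:27,329 [https-jsse-nio-8080-exec-7] INFO - Received incoming message. [code=(IMSMEI0059)]
connectora             | 2022-11-16T13:19:27,434 [https-jsse-nio-8080-exec-7] INFO - Sending response with status OK (200). [code=(IMSMEI0061)]
"""
LINE = re.compile(r"^(\S+)\s+\|\s+(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d),\d+ \[([^\]]+)\] .*code=\((\w+)\)")

def prohibits_use(rule_value):
    """True if the JSON-LD rule is an ids:Prohibition covering the USE action."""
    rule = json.loads(rule_value)
    actions = [a.get("@id", "") for a in rule.get("ids:action", [])]
    return rule.get("@type") == "ids:Prohibition" and any(a.endswith("/USE") for a in actions)

def answered_ok(log, provider, since):
    """Times at which `provider` received a message and answered it with 200, at or after `since`."""
    pending, hits = set(), []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m or m.group(1) != provider:
            continue
        ts, thread, code = datetime.fromisoformat(m.group(2)), m.group(3), m.group(4)
        if code == "IMSMEI0059":          # incoming message on this worker thread
            pending.add(thread)
        elif code == "IMSMEI0061" and thread in pending:
            pending.discard(thread)       # response pairs with the message on the same thread
            if ts >= since and "OK (200)" in line:
                hits.append(ts)
    return hits

def violations(rule_value, log, provider, changed_at):
    """Requests served although the rule in force prohibits use."""
    return answered_ok(log, provider, changed_at) if prohibits_use(rule_value) else []

if __name__ == "__main__":
    for ts in violations(RULE_VALUE, LOG, "connectora", RULE_CHANGED_AT):
        print(f"served under prohibition at {ts.isoformat()}")
```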
