International-Data-Spaces-Association / DataspaceConnector

This is an IDS Connector reference implementation.
Apache License 2.0

Error obtaining data when provider's usage policy changes from ids:permission to ids:prohibition #547

Open jfernandezsqs opened 1 year ago

jfernandezsqs commented 1 year ago

While using the IDS-testbed, @aramirezarsys has tried to change the usage policy in use from ids-permission to ids-prohibition in DSC version 8.0.2, so that the Consumer connector will no longer have rights to access that artifact. However, the consumer is still able to obtain the artifact with the prohibition usage policy in place, which is not the expected behavior.

The following steps have been taken to find this possible failure in the implementation of usage policies:

1) Launch the IDS-testbed. Actually, the IDS-testbed deploys two DSC version 7.1.0, but it has been tested with version 8.0.2 of the Dataspace Connector. Just change lines 48 and 68 of the docker-compose.yml to image: ghcr.io/international-data-spaces-association/dataspace-connector:8.0.2
2) Launch the postman script to create a complete offer with the ids-permission usage policy applied.
3) Change the provider's rule from 'ids-permission' to 'ids-prohibition':

curl -X 'PUT' \
  'https://localhost:8080/api/rules/7730d8e8-5926-4887-b0d0-f7869f170046' \
  -H 'accept: */*' \
  -H 'Content-Type: application/json' \
  -d '{
   "title": "Example Usage Policy",
   "description": "Usage policy prohibit access applied",
   "value": "{\n  \"@context\" : {\n    \"ids\" : \"https://w3id.org/idsa/core/\",\n    \"idsc\" : \"https://w3id.org/idsa/code/\"\n  },\n  \"@type\" : \"ids:Prohibition\",\n  \"@id\" : \"https://w3id.org/idsa/autogen/prohibition/51f5f7e4-f97f-4f91-bc57-b243714642be\",\n  \"ids:description\" : [ {\n    \"@value\" : \"Usage policy prohibit access applied\",\n    \"@type\" : \"http://www.w3.org/2001/XMLSchema#string\"\n  } ],\n  \"ids:title\" : [ {\n    \"@value\" : \"Example Usage Policy\",\n    \"@type\" : \"http://www.w3.org/2001/XMLSchema#string\"\n  } ],\n    \"ids:action\" : [ {\n    \"@id\" : \"https://w3id.org/idsa/code/USE\"\n  } ]\n }"
}
'

At this point, the data should not be accessed anymore by the consumer connector.

4) Try to access the data from the consumer's Dataspace Connector. Data is accessed and the field numAccessed is updated in the provider's artifact. This field is also updated in the consumer's artifact.

connectorb             | 2022-11-16T13:19:27,279 [https-jsse-nio-8081-exec-9] INFO - Using cached DAPS DAT. [expiration=(2022-11-16T14:17:45.000+0000), code=(IMSCOI0053)]
connectorb             | 2022-11-16T13:19:27,297 [https-jsse-nio-8081-exec-9] INFO - Sending request to https://connectora:8080/api/ids/data ... [code=(IMSMEI0065)]
connectora             | 2022-11-16T13:19:27,329 [https-jsse-nio-8080-exec-7] INFO - Received incoming message. [code=(IMSMEI0059)]
connectora             | 2022-11-16T13:19:27,350 [https-jsse-nio-8080-exec-7] INFO - Requesting public key of token issuer. [url=(https://omejdn/auth/jwks.json), kid=(b5dac7d64831047f7395d8362aa575b1e908eedbf1e5c500bee184558cacbd97), code=(IMSCOI0051)]
omejdn-server          | 172.22.0.6 - - [16/Nov/2022:13:19:27 +0000] "GET /jwks.json HTTP/1.1" 200 469 0.0014
omejdn                 | 172.22.0.9 - - [16/Nov/2022:13:19:27 +0000] "GET /auth/jwks.json HTTP/1.1" 200 469 "-" "okhttp/4.10.0" "-"
connectora             | 2022-11-16T13:19:27,375 [https-jsse-nio-8080-exec-7] INFO - Successfully validated DAPS whitelisting.
connectora             | 2022-11-16T13:19:27,375 [https-jsse-nio-8080-exec-7] INFO - Successfully verified DAT claims. [code=(IMSCOI0050)]
connectora             | 2022-11-16T13:19:27,415 [https-jsse-nio-8080-exec-7] INFO - Using cached DAPS DAT. [expiration=(2022-11-16T14:17:46.000+0000), code=(IMSCOI0053)]
connectora             | 2022-11-16T13:19:27,434 [https-jsse-nio-8080-exec-7] INFO - Sending response with status OK (200). [code=(IMSMEI0061)]
connectorb             | 2022-11-16T13:19:27,436 [https-jsse-nio-8081-exec-9] INFO - Successfully received response to request. [code=(IMSMEI0067)]
connectorb             | 2022-11-16T13:19:27,454 [https-jsse-nio-8081-exec-9] INFO - Successfully passed SHACL-Validation. [code=(IMSMEI0064)]
connectorb             | 2022-11-16T13:19:27,470 [https-jsse-nio-8081-exec-9] INFO - Requesting public key of token issuer. [url=(https://omejdn/auth/jwks.json), kid=(b5dac7d64831047f7395d8362aa575b1e908eedbf1e5c500bee184558cacbd97), code=(IMSCOI0051)]
omejdn-server          | 172.22.0.6 - - [16/Nov/2022:13:19:27 +0000] "GET /jwks.json HTTP/1.1" 200 469 0.0012
omejdn                 | 172.22.0.5 - - [16/Nov/2022:13:19:27 +0000] "GET /auth/jwks.json HTTP/1.1" 200 469 "-" "okhttp/4.10.0" "-"
connectorb             | 2022-11-16T13:19:27,500 [https-jsse-nio-8081-exec-9] INFO - Successfully validated DAPS whitelisting.
connectorb             | 2022-11-16T13:19:27,502 [https-jsse-nio-8081-exec-9] INFO - Successfully verified DAT claims. [code=(IMSCOI0050)]

As can be seen, even if there is a usage policy prohibition, the consumer is able to obtain the data from the provider.
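As an added illustration (not code from the Dataspace Connector or from the reporter), the following Python evaluates a rule in the same JSON shape as the PUT body above and shows the decision a provider should reach before serving the artifact: an ids:Prohibition on idsc:USE denies, an ids:Permission on idsc:USE allows. The fail-closed default for an uncovered action, the `make_rule` helper and the placeholder `@id` are assumptions made here.

```python
import json

# Namespaces taken from the @context of the rule in the issue
IDS = "https://w3id.org/idsa/core/"
IDSC = "https://w3id.org/idsa/code/"


def expand(term, context):
    """Expand a compact IRI ('ids:Prohibition', 'idsc:USE') via @context; full IRIs pass through."""
    prefix, sep, local = term.partition(":")
    if sep and prefix in context:
        return context[prefix] + local
    return term


def parse_rule(value):
    """Parse the JSON string held in the DSC rule's 'value' field into (rule type IRI, set of action IRIs)."""
    doc = json.loads(value)
    ctx = doc.get("@context", {})
    rule_type = expand(doc["@type"], ctx)
    actions = {expand(a["@id"], ctx) for a in doc.get("ids:action", [])}
    return rule_type, actions


def evaluate(value, requested_action):
    """Access decision for one requested action (assumption: fail closed when no rule covers it)."""
    rule_type, actions = parse_rule(value)
    action = expand(requested_action, {"ids": IDS, "idsc": IDSC})
    if rule_type == IDS + "Prohibition" and action in actions:
        return "DENY"
    if rule_type == IDS + "Permission" and action in actions:
        return "ALLOW"
    return "DENY"  # nothing covers the action: refuse rather than leak the artifact


def make_rule(rule_type, actions):
    """Constructed sample rule in the same shape as the PUT body in the issue (hypothetical helper)."""
    return json.dumps({
        "@context": {"ids": IDS, "idsc": IDSC},
        "@type": rule_type,
        "@id": "https://w3id.org/idsa/autogen/example/PLACEHOLDER-ID",
        "ids:action": [{"@id": IDSC + a} for a in actions],
    })


PERMISSION_RULE = make_rule("ids:Permission", ["USE"])
PROHIBITION_RULE = make_rule("ids:Prohibition", ["USE"])
EMPTY_RULE = make_rule("ids:Permission", [])  # constructed: no action listed at all

if __name__ == "__main__":
    for name, rule in [("permission", PERMISSION_RULE), ("prohibition", PROHIBITION_RULE), ("empty", EMPTY_RULE)]:
        print(name, evaluate(rule, "idsc:USE"))
```

A rule that reaches "DENY" here is the point at which the provider's data endpoint should refuse the request and the numAccessed counter should stay unchanged.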