Regression tests revealed a problem, introduced inadvertently in fixes for issues #128 and #129. These altered the inheritance hierarchy for indirect usage relationships, along with the criteria for inferring the presence of direct communication between a process that initiates interaction with another, given that the interaction may be indirect.
The new problem created by this affects cases where a client has an asserted relationship to a service, but access is via a remote access service. The client-service relationship and communication inference sequence starts with construction pattern CaS-SP+CC, which creates a direct relationship if and only if no indirect relationship has been found. Two prohibited links are used:
usesViaDeputy: rules out cases where access is via a reverse proxy or a chain of credential forwarding/sharing services
usesViaRAS: rules out cases where access is via a remote access service
The bug appears only to affect cases where access is via a remote access service, but this service is itself accessed via a reverse proxy or a credential forwarding/sharing chain.
This bug appeared in regression tests for fixes to address #107, so should be addressed in conjunction with those fixes.
mike1813
commented
3 months ago
Regression tests revealed a problem, introduced inadvertently in fixes for issues #128 and #129. These altered the inheritance hierarchy for indirect usage relationships, along with the criteria for inferring the presence of direct communication between a process that initiates interaction with another, given that the interaction may be indirect.
The new problem created by this affects cases where a client has an asserted relationship to a service, but access is via a remote access service. The client-service relationship and communication inference sequence starts with construction pattern CaS-SP+CC, which creates a direct relationship if and only if no indirect relationship has been found. Two prohibited links are used:
The bug appears only to affect cases where access is via a remote access service, but this service is itself accessed via a reverse proxy or a credential forwarding/sharing chain.
This bug appeared in regression tests for fixes to address #107, so should be addressed in conjunction with those fixes.