opentdf / platform

OpenTDF Platform monorepo enabling the development and integration of _forever control_ of data into new and existing applications. The concept of forever control stems from an increasingly common concept known as zero trust.
BSD 3-Clause Clear License

TDF Policy Data Attributes are case sensitive #1359

Closed imdominicreed closed 2 weeks ago

imdominicreed commented 3 weeks ago

TDF Policy Data Attributes seem to be case sensitive and do not get normalized to lower case when doing a keyRewrap, and authorization of getDecision.

If the TDF Policy Data Attributes are created with cases (example being: https://example.com/attr/Caps/value/Bad), the request will get denied even if the user is entitled with https://example.com/attr/caps/value/bad.

Steps to Reproduce:

  1. Encrypt a TDF with an attribute that contains cases like https://example.com/attr/Caps/value/Bad.
  2. Entitle a user with that attribute by creating a subject mapping; the case shouldn't matter, I believe, and should be normalized down. Tested with OTDFCTL.
  3. Decrypt the TDF; the request hitting Platform has the attributes with cases. (I am on an older version of the SDK, so it could be possible that the new version of the SDK cleans this up.) But the server side should catch this in case a user is doing an RPC call rather than using the SDK.

The request should be denied by Platform.

jrschumacher commented 3 weeks ago

Verified that we have a test in the policy, so we can focus on GetDecision or the SubjectMapping: https://github.com/opentdf/platform/blob/main/service/integration/attribute_fqns_test.go#L136-L159

jrschumacher commented 2 weeks ago

Need to update these to use strings.EqualFold()

Code: https://github.com/opentdf/platform/blob/e6c76ee415e08ec8681ae4ff8fb9d5d04ea7d2bb/service/internal/access/pdp.go#L372
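
The comparison discussed in this thread, as an added example that is not the platform's `pdp.go` code: the same entitlement check run with `==` and with `strings.EqualFold` on the two FQNs from the report. The function names and the simplified "every data attribute must be entitled" rule are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// entitledExact compares FQNs byte for byte, which reproduces the denial
// reported in the issue. (Hypothetical helper, not a platform function.)
func entitledExact(dataAttrs, entitlements []string) bool {
	return allCovered(dataAttrs, entitlements, func(a, b string) bool { return a == b })
}

// entitledFold compares with strings.EqualFold, so FQNs that differ only
// in letter case are treated as the same attribute.
func entitledFold(dataAttrs, entitlements []string) bool {
	return allCovered(dataAttrs, entitlements, strings.EqualFold)
}

// allCovered is a simplified all-of rule: every data attribute must match
// at least one entitlement. It fails closed on the first missing attribute.
func allCovered(dataAttrs, entitlements []string, eq func(a, b string) bool) bool {
	for _, want := range dataAttrs {
		found := false
		for _, have := range entitlements {
			if eq(want, have) {
				found = true
				break
			}
		}
		if !found {
			return false
		}
	}
	return true
}

func main() {
	// Sample values taken from the issue text.
	policy := []string{"https://example.com/attr/Caps/value/Bad"}
	user := []string{"https://example.com/attr/caps/value/bad"}
	fmt.Println("exact match permits:", entitledExact(policy, user))
	fmt.Println("EqualFold permits:  ", entitledFold(policy, user))
	// Constructed negative case: a different value is still denied.
	other := []string{"https://example.com/attr/caps/value/good"}
	fmt.Println("other value permits:", entitledFold(policy, other))
}
```

`strings.EqualFold` applies Unicode simple case folding, so a server-side check built on it does not depend on the SDK or the caller lower-casing the FQN first.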