TDF Policy Data Attributes are case sensitive #1359

Closed
imdominicreed opened this issue Aug 15, 2024 · 2 comments · Fixed by #1439, #1446 or #1427

Comments

@imdominicreed
Contributor

TDF Policy Data Attributes seem to be case sensitive and do not get normalized to lower case when doing a keyRewrap, and authorization of getDecision.

If the TDF Policy Data Attributes are created with cases (for example, https://example.com/attr/Caps/value/Bad), the request will get denied even if the user is entitled with https://example.com/attr/caps/value/bad.

Steps to Reproduce:

  1. Encrypt a TDF with an attribute that contains cases like https://example.com/attr/Caps/value/Bad.
  2. Entitle a user with that attribute by creating a subject mapping; the casing shouldn't matter, I believe, and should be normalized down. Tested with OTDFCTL.
  3. Decrypt the TDF; the request hitting Platform has the attributes with cases. (I am on an older version of the SDK, so it could be possible that the new version of the SDK cleans this up.) But the server side should catch this in case a user is doing an RPC call rather than using the SDK.

The request should be denied by Platform.

@jrschumacher
Member

Verified that we have a test in the policy, so we can focus on GetDecision or the SubjectMapping: https://github.com/opentdf/platform/blob/main/service/integration/attribute_fqns_test.go#L136-L159

@jrschumacher
Member

jrschumacher commented Aug 22, 2024

Need to update these to use strings.EqualFold()

Code:

func getIsValueFoundInFqnValuesSet(v *policy.Value, fqns []string, l *logger.Logger) bool {
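
The behaviour reported in this issue and the `strings.EqualFold()` change suggested above can be reproduced in isolation. This is an added example, not code from the opentdf platform: `matchFunc`, `missingAttributes` and `permit` are hypothetical names, and the all-of rule is a simplification of a real access decision.

```go
package main

import (
	"fmt"
	"strings"
)

// matchFunc reports whether an entitled FQN satisfies a required FQN.
type matchFunc func(required, entitled string) bool

// exactMatch is the case-sensitive comparison that produces the denial in the issue.
func exactMatch(required, entitled string) bool { return required == entitled }

// foldMatch is the case-insensitive comparison suggested in the thread.
func foldMatch(required, entitled string) bool { return strings.EqualFold(required, entitled) }

// missingAttributes (hypothetical helper) returns the data attribute FQNs
// that no entitlement satisfies under the given comparison.
func missingAttributes(dataAttrs, entitlements []string, match matchFunc) []string {
	var missing []string
	for _, want := range dataAttrs {
		found := false
		for _, have := range entitlements {
			if match(want, have) {
				found = true
				break
			}
		}
		if !found {
			missing = append(missing, want)
		}
	}
	return missing
}

// permit is a simplified all-of rule: every data attribute must be entitled.
func permit(dataAttrs, entitlements []string, match matchFunc) bool {
	return len(missingAttributes(dataAttrs, entitlements, match)) == 0
}

func main() {
	// Constructed sample values, using the FQNs quoted in the issue.
	data := []string{"https://example.com/attr/Caps/value/Bad"}
	ent := []string{"https://example.com/attr/caps/value/bad"}
	fmt.Println("exact:", permit(data, ent, exactMatch)) // denied: casing differs
	fmt.Println("fold: ", permit(data, ent, foldMatch))  // permitted: same FQN ignoring case
	other := []string{"https://example.com/attr/caps/value/good"}
	fmt.Println("other:", permit(data, other, foldMatch), missingAttributes(data, other, foldMatch))
}
```

The last case confirms that folding case does not widen access: an entitlement for a different value still leaves the data attribute unsatisfied.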

github-merge-queue bot pushed a commit that referenced this issue Aug 23, 2024
jakedoublev added a commit to opentdf/otdfctl that referenced this issue Aug 23, 2024
github-merge-queue bot pushed a commit that referenced this issue Aug 23, 2024
🤖 I have created a release *beep* *boop*
---


## [0.4.21](service/v0.4.20...service/v0.4.21) (2024-08-23)


### Features

* **core:** KID in NanoTDF KAS ResourceLocator borrowed from Protocol ([#1222](#1222)) ([e5ee4ef](e5ee4ef))


### Bug Fixes

* **authz:** entitlements fqn casing ([#1446](#1446)) ([2ffc66b](2ffc66b)), closes [#1359](#1359)
* **core:** Autobump service ([#1417](#1417)) ([e6db378](e6db378))
* **core:** Autobump service ([#1441](#1441)) ([e17deab](e17deab))
* **core:** Autobump service ([#1449](#1449)) ([7e443da](7e443da))
* **core:** case sensitivity in AccessPDP ([#1439](#1439)) ([aed7633](aed7633)), closes [#1359](#1359)
* **core:** policy db should use pool connection hook to set search_path ([#1443](#1443)) ([8501ff5](8501ff5))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>