Skip to content

fix(bnf,schema): harmonize SecurityQueryFilter and add FILTERLIST#579

Open
aorzelskiGH wants to merge 1 commit into
IDTA-01002-3-2_workingfrom
fix/filter-filterlist-harmonization
Open

fix(bnf,schema): harmonize SecurityQueryFilter and add FILTERLIST#579
aorzelskiGH wants to merge 1 commit into
IDTA-01002-3-2_workingfrom
fix/filter-filterlist-harmonization

Conversation

@aorzelskiGH
Copy link
Copy Markdown
Contributor

@aorzelskiGH aorzelskiGH commented Apr 17, 2026

Summary

Harmonizes SecurityQueryFilter between aas-specs-api and
aas-specs-security, and adds the missing FILTERLIST construct to
the API grammar and JSON schemas. Pairs with the review-finding T-02
"incompatible FILTER definitions".

Problem

  • The API BNF defined <SecurityQueryFilter> over <FragmentObject>
    (i.e. "FRAGMENT" <RouteLiteral>), while the Security BNF uses
    "FRAGMENT:" <FieldIdentifierFragment>. These are syntactically
    distinct and describe different things.
  • The API AccessPermissionRule had no FILTERLIST, whereas the
    Security spec has used FILTERLIST for some time.
  • The API JSON Schema typed SecurityQueryFilter.FRAGMENT as a plain
    string, losing all validation semantics of a field identifier.

Consequence: Implementers cannot reuse one parser/validator for both
specs; rules valid under the security spec are not valid under the
API spec and vice versa.

Solution

The Security spec is taken as the canonical form.

BNF (partials/bnf/grammar.bnf):

  • <SecurityQueryFilter> is rewritten to
    "FRAGMENT:" <ws> <FieldIdentifierFragment>.
  • <AccessPermissionRule> gains the optional
    "FILTERLIST:" ( <SecurityQueryFilter> )* block (sibling of
    FILTER).
  • The <FieldIdentifierFragment> family (AAS, SM, SME, CD, AAS
    Descriptor, SM Descriptor) and its supporting *Fragment clauses
    (SpecificAssetIds, SemanticId, Reference, Endpoint,
    SmDescriptor) are ported from aas-specs-security.

JSON Schema (partials/query-json-schema.json and
pages/schema.adoc):

  • New FragmentFieldIdentifier definition (regex sibling of
    modelStringPattern, restricted to fragment-legal fields).
  • SecurityQueryFilter.FRAGMENT becomes $ref: "#/definitions/FragmentFieldIdentifier".
  • AccessPermissionRule.properties.FILTERLIST added (array of
    SecurityQueryFilter).

Impact

  • Affected specs: IDTA-01002 (API), indirectly IDTA-01004 (Security,
    no change here; this PR aligns API to Security).
  • Rules containing FILTER: FRAGMENT "..." (literal route form) were
    never interoperable and are now explicitly invalid — recommended
    migration: FILTER: FRAGMENT: $sme("...").path#idShort.
  • Rules currently valid on Security become valid on API as well.
  • Follow-up PR 1 will deduplicate these definitions into a shared
    partial (single source of truth).

Review notes

  • Please confirm the port of <FieldIdentifierFragment> productions
    is byte-identical to aas-specs-security/partials/bnf/access-rules.bnf
    lines 224–235.
  • FragmentFieldIdentifier regex is identical to the one in
    aas-specs-security/partials/json/aas-queries-and-access-rules-schema.json
    line 17.
  • Prose updates documenting FILTERLIST and the new FILTER
    fragment syntax are intentionally left for PR 11 to keep the diff
    focused.

Related

Review Finding T-02: SecurityQueryFilter / FILTERLIST mismatch.
Depends on: T-04 (aas-specs-security PR #71) for schema validity.

@aorzelskiGH
fix(bnf,schema): harmonize SecurityQueryFilter and add FILTERLIST
4ee70da 
The API and Security specs gave two incompatible definitions for
SecurityQueryFilter, and the API grammar lacked FILTERLIST entirely.

BNF (partials/bnf/grammar.bnf):
- <SecurityQueryFilter> now uses "FRAGMENT:" <FieldIdentifierFragment>
  instead of <FragmentObject>, aligning with aas-specs-security.
- <AccessPermissionRule> now accepts an optional FILTERLIST block.
- Added the <FieldIdentifierFragment> production family (AAS, SM, SME,
  CD, AAS Descriptor, SM Descriptor) together with the supporting
  *Fragment clauses (SpecificAssetIds, SemanticId, Reference, Endpoint,
  SmDescriptor).

JSON Schema (partials/query-json-schema.json and pages/schema.adoc):
- Added FragmentFieldIdentifier definition (regex sibling of
  modelStringPattern, restricted to fragment-legal fields).
- SecurityQueryFilter.FRAGMENT now $refs FragmentFieldIdentifier
  (was: plain string).
- AccessPermissionRule gains FILTERLIST (array of SecurityQueryFilter).

Refs: Review Finding T-02
Made-with: Cursor
github-advanced-security[bot]
github-advanced-security AI found potential problems Apr 17, 2026
View reviewed changes
Comment thread documentation/IDTA-01002-3/modules/ROOT/pages/schema.adoc Dismissed
Comment thread documentation/IDTA-01002-3/modules/ROOT/pages/schema.adoc
},
"FragmentFieldIdentifier": {
"type": "string",
"pattern": "^(?:\\$aas#(?:idShort|assetInformation\\.assetType|assetInformation\\.globalAssetId|assetInformation\\.specificAssetIds\\[[0-9]*\\](?:\\.externalSubjectId(?:\\.keys\\[[0-9]*\\])?)?|submodels\\[[0-9]*\\](?:\\.keys\\[[0-9]*\\])?)|\\$sm#(?:semanticId(?:\\.keys\\[[0-9]*\\])?|idShort|id)|\\$sme(?:\\.[A-Za-z](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?(?:\\[[0-9]*\\])*(?:\\.[A-Za-z](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?(?:\\[[0-9]*\\])*)*)?(?:#(?:semanticId(?:\\.keys\\[[0-9]*\\])?|idShort|value|valueType|language))?|\\$cd#idShort|\\$aasdesc#(?:idShort|description|displayName|extension|administration|assetKind|assetType|globalAssetId|specificAssetIds\\[[0-9]*\\](?:\\.externalSubjectId(?:\\.keys\\[[0-9]*\\])?)?|endpoints\\[[0-9]*\\]|submodelDescriptors\\[[0-9]*\\](?:\\.(?:semanticId(?:\\.keys\\[[0-9]*\\])?|idShort|endpoints\\[[0-9]*\\]))?)|\\$smdesc#(?:semanticId(?:\\.keys\\[[0-9]*\\])?|idShort|endpoints\\[[0-9]*\\]))$"
Comment thread documentation/IDTA-01002-3/modules/ROOT/partials/bnf/grammar.bnf Dismissed
Comment thread documentation/IDTA-01002-3/modules/ROOT/partials/query-json-schema.json
"$ref": "#/definitions/SecurityQueryFilter",
"additionalProperties": false
},
"FILTERLIST": {
@BirgitBoss BirgitBoss added this to the 3.1.3 milestone May 11, 2026
This was referenced May 20, 2026
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sebbader-sap sebbader-sap Awaiting requested review from sebbader-sap sebbader-sap is a code owner

@BirgitBoss BirgitBoss Awaiting requested review from BirgitBoss BirgitBoss is a code owner

@alexgordtop alexgordtop Awaiting requested review from alexgordtop alexgordtop is a code owner

@mjacoby mjacoby Awaiting requested review from mjacoby mjacoby is a code owner

@danielporta danielporta Awaiting requested review from danielporta danielporta is a code owner

@g1zzm0 g1zzm0 Awaiting requested review from g1zzm0 g1zzm0 is a code owner

@waltersve waltersve Awaiting requested review from waltersve waltersve is a code owner

@zrgt zrgt Awaiting requested review from zrgt zrgt is a code owner

1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

3.1.3

Development

Successfully merging this pull request may close these issues.

3 participants

@aorzelskiGH @github-advanced-security @BirgitBoss