Allow token without accessRole

Author: aorzelskiGH

src/AasSecurity/ISecurityService.cs

@@ -11,6 +11,7 @@
 * SPDX-License-Identifier: Apache-2.0
 ********************************************************************************/
 
+using System.Security.Claims;
 using AasSecurity.Models;
 using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Http;
@@ -29,7 +30,9 @@ bool AuthorizeRequest(string accessRole,
                               out string? getPolicy,
                               string objPath = null,
                               string? aasResourceType = null,
-                              IClass? aasResource = null, string? policy = null);
+                              IClass? aasResource = null,
+                              string? policy = null,
+                              List<Claim> tokenClaims = null);
 
         string GetSecurityRules(out List<Dictionary<string, string>> condition);
     }

src/AasSecurity/SecurityService.cs

@@ -18,6 +18,7 @@
 using System.Linq.Expressions;
 using System.Net;
 using System.Net.Http.Headers;
+using System.Security.AccessControl;
 using System.Security.Claims;
 using System.Security.Cryptography;
 using System.Security.Cryptography.X509Certificates;
@@ -88,12 +89,14 @@ public void parseAccessRuleFile()
             }
         }
 
-        public List<AccessPermissionRule>? GetAccessRules(string accessRole, string neededRightsClaim, string? httpRoute = null, List<Claim>? tokenClaims = null)
+        public List<AccessPermissionRule>? GetAccessRules(string accessRole, string neededRightsClaim, string? httpRoute = null,
+            List<Claim>? tokenClaims = null)
         {
             return GetAccessRulesStatic(accessRole, neededRightsClaim, httpRoute, tokenClaims);
         }
 
-        public static List<AccessPermissionRule>? GetAccessRulesStatic(string accessRole, string neededRightsClaim, string? httpRoute = null, List<Claim>? tokenClaims = null)
+        public static List<AccessPermissionRule>? GetAccessRulesStatic(string accessRole, string neededRightsClaim, string? httpRoute = null,
+            List<Claim>? tokenClaims = null)
         {
             if (_accessRules != null)
             {
@@ -124,7 +127,7 @@ public void parseAccessRuleFile()
                             a.ItemType == "CLAIM" &&
                             (
                                 (accessRole != null && a.Value == accessRole) ||
-                                (tokenClaims != null && tokenClaims.Any(t => t.ValueType == "token:" + a.Value))
+                                (tokenClaims != null && tokenClaims.Any(t => t.Type == a.Value))
                             )
                         ) &&
                         (
@@ -147,7 +150,7 @@ public void parseAccessRuleFile()
         }
         public Dictionary<string, string>? GetCondition(string accessRole, string neededRightsClaim, string? httpRoute = null, List<Claim>? tokenClaims = null)
         {
-            var rules = GetAccessRules(accessRole, neededRightsClaim);
+            var rules = GetAccessRules(accessRole, neededRightsClaim, tokenClaims: tokenClaims);
 
             if (rules == null)
             {
@@ -315,7 +318,7 @@ public void AddSecurityRule(string name, string access, string right, string obj
             }
 
             var accessRole = GetAccessRole(queries, headers, out var policy, out var policyRequestedResource, out var tokenClaims);
-            if (string.IsNullOrEmpty(accessRole))
+            if (string.IsNullOrEmpty(accessRole) && tokenClaims.Count == 0)
             {
                 _logger.LogDebug($"Access Role found null. Hence setting the access role as isNotAuthenticated.");
                 accessRole = "isNotAuthenticated";
@@ -807,22 +810,24 @@ private string CheckUserPW(string userPW64, out string userName, out string pass
 
         public bool AuthorizeRequest(string accessRole, string httpRoute, AccessRights neededRights,
                                      out string error, out bool withAllow, out string? getPolicy, string objPath = null, string? aasResourceType = null,
-                                     IClass? aasResource = null, string? policy = null)
+                                     IClass? aasResource = null, string? policy = null, List<Claim>? tokenClaims = null)
         {
-            return CheckAccessRights(accessRole, httpRoute, neededRights, out error, out withAllow, out getPolicy, objPath, aasResourceType, aasResource, policy: policy);
+            return CheckAccessRights(accessRole, httpRoute, neededRights, out error, out withAllow, out getPolicy,
+                objPath, aasResourceType, aasResource, policy: policy, tokenClaims: tokenClaims);
         }
 
         private static bool CheckAccessRights(string currentRole, string operation, AccessRights neededRights, out string error, out bool withAllow, out string? getPolicy,
-                                              string objPath = "", string? aasResourceType = null, IClass? aasResource = null, bool testOnly = false, string? policy = null)
+                                              string objPath = "", string? aasResourceType = null, IClass? aasResource = null, bool testOnly = false, string? policy = null,
+                                              List<Claim>? tokenClaims = null)
         {
             withAllow = false;
             return CheckAccessRightsWithAllow(currentRole, operation, neededRights, out error, out withAllow, out getPolicy,
-                                              objPath, aasResourceType, aasResource, testOnly, policy);
+                                              objPath, aasResourceType, aasResource, testOnly, policy, tokenClaims);
         }
 
         private static bool CheckAccessRightsWithAllow(string currentRole, string operation, AccessRights neededRights, out string error, out bool withAllow, out string? getPolicy,
                                                        string objPath = "", string? aasResourceType = null, IClass? aasResource = null, bool testOnly = false,
-                                                       string? policy = null)
+                                                       string? policy = null, List<Claim>? tokenClaims = null)
         {
             error = "Access not allowed";
             withAllow = false;
@@ -837,7 +842,7 @@ private static bool CheckAccessRightsWithAllow(string currentRole, string operat
                 // TODO (jtikekar, 2023-09-04): uncomment
                 if (CheckAccessLevelWithError(
                                               out error, currentRole, operation, neededRights, out withAllow, out getPolicy,
-                                              objPath, aasResourceType, aasResource, policy))
+                                              objPath, aasResourceType, aasResource, policy, tokenClaims))
                     return true;
             }
 
@@ -852,7 +857,8 @@ private static bool CheckAccessRightsWithAllow(string currentRole, string operat
         }
 
         private static bool CheckAccessLevelWithError(out string error, string currentRole, string operation, AccessRights neededRights, out bool withAllow, out string? getPolicy,
-                                                      string objPath, string? aasResourceType, IClass? aasResource, string? policy = null)
+                                                      string objPath, string? aasResourceType, IClass? aasResource, string? policy = null,
+                                                      List<Claim>? tokenClaims = null)
         {
             withAllow = false;
             getPolicy = "";
@@ -872,7 +878,7 @@ private static bool CheckAccessLevelWithError(out string error, string currentRo
             if (aasResource == null)
             {
                 //API security check
-                return CheckAccessLevelApi(currentRole, operation, neededRights, out error, out getPolicy);
+                return CheckAccessLevelApi(currentRole, operation, neededRights, out error, out getPolicy, tokenClaims);
             }
 
             if (string.IsNullOrEmpty(objPath))
@@ -889,12 +895,13 @@ private static bool CheckAccessLevelWithError(out string error, string currentRo
             return false;
         }
 
-        private static bool CheckAccessLevelApi(string currentRole, string operation, AccessRights neededRights, out string error, out string? getPolicy)
+        private static bool CheckAccessLevelApi(string currentRole, string operation, AccessRights neededRights, out string error,
+            out string? getPolicy, List<Claim>? tokenClaims = null)
         {
             error = string.Empty;
             getPolicy = string.Empty;
 
-            var rules = GetAccessRulesStatic(currentRole, neededRights.ToString(), operation);
+            var rules = GetAccessRulesStatic(currentRole, neededRights.ToString(), operation, tokenClaims);
 
             if (rules != null && rules.Count != 0)
             {

src/AasxServerBlazor/AasxServerBlazor.csproj

@@ -91,6 +91,9 @@
     </ItemGroup>
 
     <ItemGroup>
+        <None Update="accessrules - Kopieren.txt">
+          <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
+        </None>
         <None Update="accessrules.txt">
           <CopyToOutputDirectory>PreserveNewest</CopyToOutputDirectory>
         </None>

src/AasxServerBlazor/Properties/launchSettings.json

@@ -10,7 +10,7 @@
     },
     "AasxServerBlazor": {
       "commandName": "Project",
-      "commandLineArgs": "--with-db --start-index 1000 --secret-string-api 1234 --data-path \"C:\\Development\\newdb1\" --edit --external-blazor http://localhost:5001",
+      "commandLineArgs": "--with-db --start-index 1000 --secret-string-api 1234 --data-path \"C:\\Development\\p5\" --edit --external-blazor http://localhost:5001",
       "launchBrowser": true,
       "environmentVariables": {
         "ASPNETCORE_ENVIRONMENT": "Development",

src/AasxServerBlazor/accessrules.txt

@@ -118,7 +118,7 @@
         "ACL": {
           "ATTRIBUTES": [
             {
-              "CLAIM": "isAuthenticated"
+              "CLAIM": "token:sub"
             }
           ],
           "RIGHTS": [
@@ -150,6 +150,18 @@
           "$or": [
             {
               "$and": [
+                {
+                  "$ends-with": [
+                    {
+                      "$attribute": {
+                        "CLAIM": "token:sub"
+                      }
+                    },
+                    {
+                      "$strVal": "xx.com"
+                    }
+                  ]
+                },
                 {
                   "$eq": [
                     {
@@ -172,7 +184,7 @@
                       }
                     },
                     {
-                      "$strVal": "phoenixcontact.com"
+                      "$strVal": "xx.com"
                     }
                   ]
                 },

src/AasxServerBlazor/trustlist.txt

@@ -0,0 +1,119 @@
+# This is the f-x trustlist
+
+# url: https://www.admin-shell-io.com/50001/.well-known/openid-configuration
+serverName: identityserver.test.rsa
+
+-----BEGIN CERTIFICATE-----
+MIIEkTCCAvmgAwIBAgIRAM4etV7VpsRyr47UXp5q52wwDQYJKoZIhvcNAQELBQAw
+gY0xHjAcBgNVBAoTFW1rY2VydCBkZXZlbG9wbWVudCBDQTExMC8GA1UECwwoRE9N
+SU5JQ0tCQUlBRTgwXGRvbWluaWNrQERPTUlOSUNLQkFJQUU4MDE4MDYGA1UEAwwv
+bWtjZXJ0IERPTUlOSUNLQkFJQUU4MFxkb21pbmlja0BET01JTklDS0JBSUFFODAw
+HhcNMTkwNjAxMDAwMDAwWhcNMjkxMTAyMDgwODU1WjB+MScwJQYDVQQKEx5ta2Nl
+cnQgZGV2ZWxvcG1lbnQgY2VydGlmaWNhdGUxMTAvBgNVBAsMKERPTUlOSUNLQkFJ
+QUU4MFxkb21pbmlja0BET01JTklDS0JBSUFFODAxIDAeBgNVBAMTF2lkZW50aXR5
+c2VydmVyLnRlc3QucnNhMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA
+4BHPb4kNFadWsFfvOhAubS4GUsMogvBBpugquY0vlRlX9qYvA/LmkmoY5YCkHQtD
+ipsxnh2O60q19lhWWCFfJ8VLLoUnnuQsrfXwba8rXtGukxOvqkslrUf4HXEEh6xE
+lVF0mYxJ6lHxuZpMpWXm0s2cZ6jebMw2iWrlI3rbPe1at5F6OEEwKNcY6ORmIRI/
+rusJdMzmKQvbdhqhhsi6ckf0nVKq7h+Zs0ZWDcTwKsjYQDoE4nQ+ohwgKPzlIE8F
+ZGbrqUPJ9ueVJRXVXT3HZ0L50GO1ZoDduONLW9FxTWWUucMOuDjZOXUnEOYdhmbH
+5F2X7pkn+aQ21un41bnnkwIDAQABo3oweDAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0l
+BAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBRJVNNoaS/q
+JG2yyA1U5ZHxrnh5/TAiBgNVHREEGzAZghdpZGVudGl0eXNlcnZlci50ZXN0LnJz
+YTANBgkqhkiG9w0BAQsFAAOCAYEAcGEPBhSvQ0P9RaDU/aQaaBqlWd9pjmPAsxsj
+NWewn322Y4qiGXpAACqDhTbxhMSkWJjprphC6HvfMsKpiJ7ZB2TSXkTtXBwpKg9K
+s74M1ao/KKM9iBsH0VEL/THAw5oSSQW4V1LRLWWOivMrabVMUmfndhNwqRBbqTfO
+C3fpQhlmBCs/d48XPkGVdN1XFmL+fUSrBIs/MJf9eOszqhBuAiHWksXitpiUtFUr
+kN3emfhzr/QgG4vP+x3Vp+uQmXEThLbact31AjEQa3mt5vkvGOWODjjT2ub6xtwB
+LPnpqCeEHKicZHumFrEXRv8H0Jdx3/CBD2wWYRuxmaJzLgxqxlDkuMl2UVRS0z3E
+vsnukHfNyaJC3nrpevAFVXrd0NmDEVUJBYVQZSUYaNW4lPC0vakmIVoWlLPuqr15
+DFDpKoFBhMJrUO7okfTMEOKp6460yqZ5/OtOMJ2ZzPCNCj+00HdMpSl/r/Oq+dnD
+Rw5ZoSbLTy64pAmAM1LwmmyqU3ZJ
+-----END CERTIFICATE-----
+
+# url: https://auth.aas-voyager.com/.well-known/openid-configuration
+serverName: aas-voyager.com.rsa
+# domain: phoenixcontact.com
+
+-----BEGIN CERTIFICATE-----
+MIID0TCCArkCFH+qHAtTwAgZlBxdwJqIrXH4hDQWMA0GCSqGSIb3DQEBCwUAMIGk
+MQswCQYDVQQGEwJERTEQMA4GA1UECAwHR2VybWFueTERMA8GA1UEBwwIQmxvbWJl
+cmcxEzARBgNVBAoMCkFhc1ZveWFnZXIxEzARBgNVBAsMCkFhc1ZveWFnZXIxGTAX
+BgNVBAMMEEFuZHJlYXMgT3J6ZWxza2kxKzApBgkqhkiG9w0BCQEWHGFvcnplbHNr
+aUBwaG9lbml4Y29udGFjdC5jb20wHhcNMjUwNzE4MTIyMzMwWhcNMzAwNzE3MTIy
+MzMwWjCBpDELMAkGA1UEBhMCREUxEDAOBgNVBAgMB0dlcm1hbnkxETAPBgNVBAcM
+CEJsb21iZXJnMRMwEQYDVQQKDApBYXNWb3lhZ2VyMRMwEQYDVQQLDApBYXNWb3lh
+Z2VyMRkwFwYDVQQDDBBBbmRyZWFzIE9yemVsc2tpMSswKQYJKoZIhvcNAQkBFhxh
+b3J6ZWxza2lAcGhvZW5peGNvbnRhY3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEAxM47E7054b//40zCUNqUqpN2vKVePlk/4dzHV1iw98wetar4
+ou8gXJ5JkzlUcgSeqfr5Mm9QWVn2t8ilVL3DtZWkzUBVlS5H/yVjEHaEc6gmpxgJ
+XaT8vECUcNg8MSNab0FnOxhRTo/gMswD84gleItG6+hq/5rCjmDrulDlYj1EaVXe
+IOgTEAPMm0HKQBMQPCkV6x3hXQ6/H6FtjZMrOiEbGRKL3Pc87umxvKVbVoyJIdEN
+hh5LB5zz7x971noLDN8yFdQriDijxSPPAYO/oerAWm8QVuv2XmtpNrB5sHC2FHth
+I4Fnd/bx3JtcV0CpgKu++LW4381M12h2ChPFcQIDAQABMA0GCSqGSIb3DQEBCwUA
+A4IBAQBG4bVkRmCB7dhFXdWowex+avI6X/aO8w+8GULZVMG6XZpeC6ba6UQQZRl2
+V/w+eSCeu5jyYxX62lC/yslAc+PuVX2njcpm0yxk5L3eBddHH+QaadVkQiB0lQwY
+KORWgHJojsWia3rVJK+JF8mKsoJI5wqgbdB6CR4iHV+DsaDzvtSBwFdLfV5Itg7j
+08EdzU+aegQtP6PSv9KL8OyOOYV/IMkf09ERwEip8eDUssWR6H97kfycMHNeC8eT
+vIF6NaI/gf7pCsBo67ax0Ygrkt6gpSwGuBVH3nUpKRruJhwmQSPBSIS4ukTYBTjk
+AvIfdl+kJvjhcMhNyO71RgMBOppw
+-----END CERTIFICATE-----
+
+
+# url: https://credential.aas-voyager.com/token
+serverName: client-credential.rsa
+
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAqsCFC6KyzqWooqrGsmqebIqy9gSXrWJMA0GCSqGSIb3DQEBCwUAMIGd
+MQswCQYDVQQGEwJERTEQMA4GA1UECAwHR2VybWFueTERMA8GA1UEBwwIQmxvbWJl
+cmcxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEZMBcGA1UEAwwQ
+QW5kcmVhcyBPcnplbHNraTErMCkGCSqGSIb3DQEJARYcYW9yemVsc2tpQHBob2Vu
+aXhjb250YWN0LmNvbTAeFw0yNTA3MjgwNTQzMDBaFw0zMDA3MjcwNTQzMDBaMIGd
+MQswCQYDVQQGEwJERTEQMA4GA1UECAwHR2VybWFueTERMA8GA1UEBwwIQmxvbWJl
+cmcxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEZMBcGA1UEAwwQ
+QW5kcmVhcyBPcnplbHNraTErMCkGCSqGSIb3DQEJARYcYW9yemVsc2tpQHBob2Vu
+aXhjb250YWN0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALZ5
+7tatDmFvkWsoD3QYvUqqG9C9p8BIB5Y61n7Au9HFELgAYVxjWzJkPEgb1JdMW7+H
+Q5hG1SYYArdjJoGD1xeGAaLHnobZiZ6K8pUnvuS0mDeoaap1cc/S6Zzf3jbCZ1q9
+pRHRufUrpKEV4kgy1VIUu0U+MfFz6lHAmaUia7Q4/wN6ScsVltqxJkrR3D57ZTNc
+AbVoqFC2nLHgNLSQkSVHDIg55tOBjuDNrf5qNT2MLysUsf0+AZ8LDlmsmrmjj0ua
+7bmiAE5ZN8i3uSCA1CchV38p3dL9ytan5ryYh5Jrm/Lrvbi/FX2oHLVRcE48Jt8W
+XHgK6iW2lMD10SHBQjsCAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAHpJxQdinqKMN
+1fR3gXxk9CbBaCBA+P5ii6/jvt6hTg6wSODB/ljAcY9zbF8nCJJVLiKiZWt2xBXR
+ZRUZmVnEWiuqiK2qmAPAdxzfqEioWts1czJVoDYK7UrGKTd1I611VZ9n6RjsH8fH
+bwMOFKmGjFTQV9NQiSKoaiPcNo7BE3iNt1/t7L9DCmypHqjcgYriJBeqa7GGXKE/
+qsGA0wuDXMP5MmqjVis7BvShZuB9ctHDz7xJeRbF5dlBpIj5wXLPIe+jlUnvXCVC
+ovsIBCzKo0Dt4orM+gVNsOuf32cif9sjkZ3KiSJPJK3i8PtgH/JcGBS/cWU7fBQx
+FIUuZ0fDbA==
+-----END CERTIFICATE-----
+
+# url: localhost:5022/token on aas-voyager.com
+serverName: credential2.rsa
+
+-----BEGIN CERTIFICATE-----
+MIIDmzCCAoMCFDOvlB89ZepXaqf42JHAjBJcaOnGMA0GCSqGSIb3DQEBCwUAMIGJ
+MQswCQYDVQQGEwJERTEQMA4GA1UECAwHR2VybWFueTERMA8GA1UEBwwIQmxvbWJl
+cmcxDTALBgNVBAoMBElEVEExGTAXBgNVBAMMEEFuZHJlYXMgT3J6ZWxza2kxKzAp
+BgkqhkiG9w0BCQEWHGFvcnplbHNraUBwaG9lbml4Y29udGFjdC5jb20wHhcNMjUw
+ODA1MTQ1MTQwWhcNMzAwODA0MTQ1MTQwWjCBiTELMAkGA1UEBhMCREUxEDAOBgNV
+BAgMB0dlcm1hbnkxETAPBgNVBAcMCEJsb21iZXJnMQ0wCwYDVQQKDARJRFRBMRkw
+FwYDVQQDDBBBbmRyZWFzIE9yemVsc2tpMSswKQYJKoZIhvcNAQkBFhxhb3J6ZWxz
+a2lAcGhvZW5peGNvbnRhY3QuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAhqNkda9OYosQ4x1ZZhbGGyKnbE2YD5zQbP7OGStBZKnKRZ3jLVVIsn9b
+Z5/Ztdjzi8zi+JpnkuWt2xCHTyan2h1RWWR2mktZdD3XbumHQVGoRLnvQrOakCFk
+iC8mGS2ss2KTYPTk7pxsSHQjNQe8nTMesI/Hn2yBjgKCjgaraKB5SHHoPL5S9eJX
+EFLOMpscd3JPH1KYQqK8kXvwp37fu/Up015K8zSXRUOh2JjuZoVm0GSnYGoXz8GR
+vsnnI5tZByCptf6QSIMnR00HlFJJjb3yLmHSuteIW4Zwi92I9Bgm1FItPBLUHk1e
+QMXYMOJd/h2YE+lETPK70upctrE+cQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAq
+GaBdxrlMU16XKikCVhRmgtULPQKFYAjIhdj6HhfY7p+3JaAXjXbU9mZ7RJP4fr3h
+48RIRbLQ2y0jhnmDp6So2VdEnzBC9z4csRAJmH9a8pjjRfJyMvRoqgbapuwaQ9E3
+ytnsIac1Lmd+lhO/JyBSH9QJauEAwbfPHh2W3C1FhKO06ghGi1htAWMXqkmgMb+E
+kooy8pxAjM5YUv+GDZdu3ojEdtDtTeZewiAXVCcDeUSLb+q2ogB2GTbYkuBSebhZ
+BmNbiHJ541E5aeIXKj1Ksdv6fUgYvzXgASKfjpq3l+bD7XSBbIAp9mMYl/pi0C8D
+ejiwt3d6N936huydhEwz
+-----END CERTIFICATE-----
+
+# Token exchange
+serverName: STS
+jwks: https://iam-security-training.com/sts
+kid: demo-key

src/AasxServerDB/EntityFrameworkPersistenceService.cs

@@ -2144,9 +2144,9 @@ private bool InitSecurity(ISecurityConfig? securityConfig, out Dictionary<string
         securityCondition = _contractSecurityRules.GetCondition(accessRole, neededRights.ToString(), tokenClaims: tokenClaims);
         accessRules = _contractSecurityRules.GetAccessRules(accessRole, neededRights.ToString(), tokenClaims: tokenClaims);
 
-        if (accessRole != null && httpRoute != null)
+        if (accessRules.Count != 0 && httpRoute != null)
         {
-            authResult = _contractSecurityRules.AuthorizeRequest(accessRole, httpRoute, neededRights, out _, out _, out _);
+            authResult = _contractSecurityRules.AuthorizeRequest(accessRole, httpRoute, neededRights, out _, out _, out _, tokenClaims: tokenClaims);
         }
 
         return authResult;

src/Contracts/ContractSecurityRule.cs

@@ -31,7 +31,8 @@ bool AuthorizeRequest(string accessRole,
                       out string? getPolicy,
                       string objPath = null,
                       string? aasResourceType = null,
-                      IClass? aasResource = null, string? policy = null);
+                      IClass? aasResource = null, string? policy = null,
+                      List<Claim>? tokenClaims = null);
 
         public void ClearSecurityRules();
         public void AddSecurityRule(string name, string acccess, string right, string objectType, string semanticId, string route);

src/Contracts/QueryParserJSON.cs

@@ -882,7 +882,10 @@ void ParseAccessRule(AccessPermissionRule rule, Dictionary<string, string> acces
                 if (a.ItemType == "CLAIM")
                 {
                     claim = a.Value;
-                    claimList += claim + " ";
+                    if (!claimList.Contains(claim + " "))
+                    {
+                        claimList += claim + " ";
+                    }
                 }
             }
             accessRuleExpression["claim"] = claimList;