added security in aasrepo

[Martin187187]

closes #217

AAS Repository Security PR Summary

What Changed

• Enabled security middleware in cmd/aasrepositoryservice/main.go so AAS Repository endpoints run with OIDC/ABAC enforcement.
• Added default security config for AAS Repository:
  • cmd/aasrepositoryservice/config.yaml (ABAC/OIDC + implicit-cast config)
  • cmd/aasrepositoryservice/config/access_rules/access-rules.json
  • cmd/aasrepositoryservice/config/trustlist.json
• Extended security route and object mappings for AAS endpoints in:
  • internal/common/security/abac_engine_methods.go
  • internal/common/security/abac_engine_objects.go
• Added ShouldEnforceABACWriteCheck in internal/common/security/authorize.go and integrated ABAC-aware checks across AAS repository write paths.
• Propagated request context into AAS repository API/backend calls and mapped denied operations to HTTP 403 in internal/aasrepository/api/api_asset_administration_shell_repository_api_service.go.
• Updated internal/aasrepository/persistence/aas_database.go to:
  • Apply ABAC formula filtering on reads.
  • Re-check visibility for write operations before/after transaction changes.
  • Return denied/not-found semantics aligned with security behavior.
• Added position handling for AAS submodel references:
  • basyxschema.sql adds aas_submodel_reference.position.
  • Query/build helpers and ordering updated in internal/aasrepository/persistence/aas_database_query_utils.go.
• Extended grammar support for AAS filter fields ($aas#...) and shorthand/enum handling in:
  • internal/common/model/grammar/field_column_mapping.go
  • internal/common/model/grammar/fieldidentifier_processing.go
  • internal/common/model/grammar/logical_expression_simplify_backend.go
  • internal/common/model/grammar/logical_expression_to_sql.go
  • internal/common/model/grammar/model_string_pattern.go
• Added/updated grammar tests and introduced a dedicated AAS repository security integration suite under internal/aasrepository/security_tests.
• Added CI execution for the new security test suite in .github/workflows/go-tests.yml.

[Copilot]

Pull request overview

This PR adds ABAC/OIDC security enforcement to the AAS Repository service, closing #217. It follows the same security patterns already established in the Concept Description and Submodel repositories, extending the security middleware, ABAC engine mappings, and grammar/SQL translation to support $aas# field identifiers.

Changes:

• Enabled security middleware in the AAS repository service main entry point, added OIDC/ABAC configuration files, and added ABAC-aware write checks across all AAS repository persistence write paths with pre/post-commit visibility verification.
• Extended grammar processing to support $aas# field identifiers including field-to-SQL-column mappings, array segment bindings for submodels[] and specificAssetIds[], join plan configuration, and enum literal conversion for AssetKind, ReferenceType, and KeyType columns.
• Added a comprehensive security integration test suite with docker-compose, Keycloak realm reuse, access rules, and test scenarios covering admin/viewer/editor role-based access control.

Reviewed changes

Copilot reviewed 37 out of 37 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
cmd/aasrepositoryservice/main.go	Wire security middleware into the Chi router with a protected API subrouter
cmd/aasrepositoryservice/config.yaml	Add ABAC, OIDC, and implicit-cast config sections
cmd/aasrepositoryservice/config/trustlist.json	Default OIDC trust list for development
cmd/aasrepositoryservice/config/access_rules/access-rules.json	Default ABAC access rules for AAS repository
internal/common/security/authorize.go	Extract ShouldEnforceABACWriteCheck as public function
internal/common/security/abac_engine_methods.go	Map AAS HTTP methods/patterns to ABAC rights
internal/common/security/abac_engine_objects.go	Map AAS routes to identifiable route/filter fields
internal/common/model/grammar/model_string_pattern.go	Rewrite regex to support $aas#submodels[], $bd#, $smdesc#createdAt
internal/common/model/grammar/field_column_mapping.go	Add $aas# terminal column mappings and fix prevSimple after array tokens
internal/common/model/grammar/fieldidentifier_processing.go	Add ctxAAS, ctxAASSubmodelReference contexts and array segment mappings
internal/common/model/grammar/logical_expression_to_sql.go	Add CollectorRootAAS and joinPlanConfigForAAS()
internal/common/model/grammar/logical_expression_simplify_backend.go	Extend enum conversion for AssetKind, ReferenceType, KeyType; add text-cast fallback
internal/common/model/grammar/fieldidentifier_processing_test.go	Add test cases for $aas# field identifiers
internal/common/model/grammar/string_pattern_unmarshal_test.go	Add test for $aas#submodels[0].keys[0].value
internal/common/model/grammar/logical_expression_to_sql_implicit_cast_test.go	Add enum conversion and text-cast fallback tests
internal/aasrepository/persistence/aas_database.go	Add ABAC read/write checks, pass ctx to all backend methods
internal/aasrepository/persistence/aas_database_query_utils.go	Add position to submodel reference insert, return dataset instead of SQL for ABAC injection, fix ordering
internal/aasrepository/api/api_asset_administration_shell_repository_api_service.go	Pass ctx, handle ErrDenied → 403
basyxschema.sql	Add position column to aas_submodel_reference
.github/workflows/go-tests.yml	Add CI job for AAS repository security tests
internal/aasrepository/security_tests/ (multiple files)	New security integration test suite

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[aaronzi]

Thanks for the PR. I added a few remarks and questions.