eclipse-basyx · aaronzi · Mar 13, 2026 · Mar 12, 2026 · Mar 12, 2026 · Mar 12, 2026
diff --git a/.github/workflows/go-tests.yml b/.github/workflows/go-tests.yml
@@ -411,3 +411,24 @@ jobs:
         run: |
           cd internal/aasrepository/integration_tests
           go test -v .
+
+  aas-repository-security-tests:
+    name: Asset Administration Shell Repository Security Tests
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v6
+
+      - name: Set up Go
+        uses: actions/setup-go@v6
+        with:
+          go-version-file: go.mod
+          cache: true
+
+      - name: Get dependencies
+        run: go mod download
+
+      - name: Run aas repository security tests
+        run: |
+          cd internal/aasrepository/security_tests
+          go test -v .
diff --git a/basyxschema.sql b/basyxschema.sql
@@ -79,6 +79,7 @@ CREATE TABLE IF NOT EXISTS asset_information (
 CREATE TABLE IF NOT EXISTS aas_submodel_reference (
   id BIGSERIAL PRIMARY KEY,
   aas_id BIGINT NOT NULL REFERENCES aas(id) ON DELETE CASCADE,
+  position     INTEGER NOT NULL,
   type int NOT NULL
 );
 

diff --git a/cmd/aasrepositoryservice/config.yaml b/cmd/aasrepositoryservice/config.yaml
@@ -15,6 +15,16 @@ postgres:
   maxIdleConnections: 500
   connMaxLifetimeMinutes: 5
 
+general:
+  enableImplicitCasts: false
+
+oidc:
+  trustlistPath: "config/trustlist.json"
+
+abac:
+  enabled: false
+  modelPath: "config/access_rules/access-rules.json"
+
 # jws:
 #   privateKeyPath: "./rsa-key.pem"
 

diff --git a/cmd/aasrepositoryservice/config/access_rules/access-rules.json b/cmd/aasrepositoryservice/config/access_rules/access-rules.json
@@ -0,0 +1,84 @@
+{
+  "AllAccessPermissionRules": {
+    "DEFATTRIBUTES": [
+      { "name": "anonym_attr", "attributes": [ { "GLOBAL": "ANONYMOUS" } ] },
+      { "name": "role_attr", "attributes": [ { "CLAIM": "role" } ] },
+      { "name": "member_attr", "attributes": [ { "CLAIM": "role" }, { "CLAIM": "clear" } ] }
+    ],
+    "DEFOBJECTS": [
+      { "name": "description", "objects": [ { "ROUTE": "/description" } ] },
+      {
+        "name": "all_shell_routes",
+        "objects": [
+          { "ROUTE": "/shells" },
+          { "ROUTE": "/shells/$reference" },
+          { "ROUTE": "/shells/*" },
+          { "ROUTE": "/shells/*/*" },
+          { "ROUTE": "/shells/*/*/*" },
+          { "ROUTE": "/shells/*/*/*/*" }
+        ]
+      },
+      {
+        "name": "all_shell_identifiable",
+        "objects": [
+          { "IDENTIFIABLE": "$aas(\"*\")" }
+        ]
+      }
+    ],
+    "DEFACLS": [
+      { "name": "read_anonymous", "acl": { "USEATTRIBUTES": "anonym_attr", "RIGHTS": ["READ"], "ACCESS": "ALLOW" } },
+      { "name": "read_role", "acl": { "USEATTRIBUTES": "role_attr", "RIGHTS": ["READ"], "ACCESS": "ALLOW" } },
+      { "name": "write_role", "acl": { "USEATTRIBUTES": "role_attr", "RIGHTS": ["CREATE", "UPDATE", "DELETE"], "ACCESS": "ALLOW" } },
+      { "name": "admin_all", "acl": { "USEATTRIBUTES": "member_attr", "RIGHTS": ["ALL"], "ACCESS": "ALLOW" } }
+    ],
+    "DEFFORMULAS": [
+      { "name": "always_true", "formula": { "$boolean": true } },
+      {
+        "name": "role_is_admin",
+        "formula": {
+          "$and": [
+            { "$eq": [ { "$attribute": { "CLAIM": "role" } }, { "$strVal": "admin" } ] },
+            { "$ge": [ { "$numCast": { "$attribute": { "CLAIM": "clear" } } }, { "$numVal": 10 } ] }
+          ]
+        }
+      },
+      {
+        "name": "viewer_visible_aas",
+        "formula": {
+          "$and": [
+            { "$eq": [ { "$attribute": { "CLAIM": "role" } }, { "$strVal": "viewer" } ] },
+            { "$eq": [ { "$field": "$aas#assetInformation.assetType" }, { "$strVal": "viewer-visible" } ] }
+          ]
+        }
+      },
+      {
+        "name": "editor_editable_aas",
+        "formula": {
+          "$and": [
+            { "$eq": [ { "$attribute": { "CLAIM": "role" } }, { "$strVal": "editor" } ] },
+            { "$eq": [ { "$field": "$aas#assetInformation.assetType" }, { "$strVal": "editor-allowed" } ] }
+          ]
+        }
+      }
+    ],
+    "rules": [
+      { "USEACL": "read_anonymous", "USEOBJECTS": ["description"], "USEFORMULA": "always_true" },
+      { "USEACL": "admin_all", "USEOBJECTS": ["all_shell_routes"], "USEFORMULA": "role_is_admin" },
+      {
+        "USEACL": "read_role",
+        "USEOBJECTS": ["all_shell_identifiable"],
+        "USEFORMULA": "viewer_visible_aas",
+        "FILTER": {
+          "FRAGMENT": "$aas#assetInformation.specificAssetIds[]",
+          "CONDITION": {
+            "$eq": [
+              { "$field": "$aas#assetInformation.specificAssetIds[].name" },
+              { "$strVal": "customerPartId" }
+            ]
+          }
+        }
+      },
+      { "USEACL": "write_role", "USEOBJECTS": ["all_shell_routes"], "USEFORMULA": "editor_editable_aas" }
+    ]
+  }
+}
diff --git a/cmd/aasrepositoryservice/config/trustlist.json b/cmd/aasrepositoryservice/config/trustlist.json
@@ -0,0 +1,7 @@
+[
+  {
+    "issuer": "http://localhost:8080/realms/basyx",
+    "audience": "discovery-service",
+    "scopes": ["email", "profile"]
+  }
+]
diff --git a/cmd/aasrepositoryservice/main.go b/cmd/aasrepositoryservice/main.go
@@ -16,6 +16,7 @@ import (
 	"github.com/eclipse-basyx/basyx-go-components/internal/aasrepository/api"
 	persistencepostgresql "github.com/eclipse-basyx/basyx-go-components/internal/aasrepository/persistence"
 	"github.com/eclipse-basyx/basyx-go-components/internal/common"
+	auth "github.com/eclipse-basyx/basyx-go-components/internal/common/security"
 	openapi "github.com/eclipse-basyx/basyx-go-components/pkg/aasrepositoryapi/go"
 )
 
@@ -35,7 +36,7 @@ func runServer(ctx context.Context, configPath string, databaseSchema string) er
 
 	// Create Chi router
 	r := chi.NewRouter()
-	common.AddDefaultRouterErrorHandlers(r, "AASRepositoryService")
+	r.Use(common.ConfigMiddleware(config))
 	common.AddCors(r, config)
 
 	// Add health endpoint
@@ -56,17 +57,30 @@ func runServer(ctx context.Context, configPath string, databaseSchema string) er
 
 	aasSvc := api.NewAssetAdministrationShellRepositoryAPIAPIService(*aasDatabase)
 	aasCtrl := openapi.NewAssetAdministrationShellRepositoryAPIAPIController(aasSvc, config.Server.ContextPath, config.Server.StrictVerification)
-	for _, rt := range aasCtrl.Routes() {
-		r.Method(rt.Method, rt.Pattern, rt.HandlerFunc)
-	}
 
 	// ==== Description Service ====
 	descSvc := openapi.NewDescriptionAPIAPIService()
 	descCtrl := openapi.NewDescriptionAPIAPIController(descSvc)
+
+	base := common.NormalizeBasePath(config.Server.ContextPath)
+
+	// === Protected API Subrouter ===
+	apiRouter := chi.NewRouter()
+	common.AddDefaultRouterErrorHandlers(apiRouter, "AASRepositoryService")
+
+	if err := auth.SetupSecurity(ctx, config, apiRouter); err != nil {
+		return err
+	}
+
+	for _, rt := range aasCtrl.Routes() {
+		apiRouter.Method(rt.Method, rt.Pattern, rt.HandlerFunc)
+	}
 	for _, rt := range descCtrl.Routes() {
-		r.Method(rt.Method, rt.Pattern, rt.HandlerFunc)
+		apiRouter.Method(rt.Method, rt.Pattern, rt.HandlerFunc)
 	}
 
+	r.Mount(base, apiRouter)
+
 	// Start the server
 	addr := "0.0.0.0:" + fmt.Sprintf("%d", config.Server.Port)
 	log.Printf("▶️  Asset Administration Shell Repository listening on %s\n", addr)

diff --git a/internal/aasrepository/api/api_asset_administration_shell_repository_api_service.go b/internal/aasrepository/api/api_asset_administration_shell_repository_api_service.go