Fix 3-level reference resolution: resolve imported policy's references before importing

thjaeckle · claude · thjaeckle · commit 78fc0c7ddbf2 · 2026-04-22T15:53:55.000+02:00
When importing a policy whose entries use references (e.g. fleet-west's
driver references fleet-roles's driver for resources), the references
must be resolved BEFORE the entries are imported and references stripped.

Previously, resolveImport would merge transitive entries then immediately
rewrite labels (stripping references via the 6-arg factory), losing the
resource/subject inheritance that references provided. Now, resolveReferences
is called on the loaded policy's entries after transitive merge but before
label rewriting, materializing the inherited values.

This fixes the 3-level hierarchy scenario (template → intermediate → leaf)
where Alice (subject on intermediate) could not access resources defined
on the template.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/policies/model/src/main/java/org/eclipse/ditto/policies/model/PolicyImporter.java b/policies/model/src/main/java/org/eclipse/ditto/policies/model/PolicyImporter.java
@@ -140,10 +140,16 @@ private static CompletionStage<Set<PolicyEntry>> resolveImport(
                         resolvedEntriesCs = CompletableFuture.completedFuture(loadedPolicy.getEntriesSet());
                     }
                     return resolvedEntriesCs.thenApply(resolvedEntries -> {
+                        // Resolve the loaded policy's own entry references before importing.
+                        // This ensures entries that inherit resources/subjects via references
+                        // have those values materialized before the references are stripped
+                        // during label rewriting.
+                        final Set<PolicyEntry> withResolvedRefs =
+                                resolveReferences(loadedPolicy, resolvedEntries);
                         final ImportedLabels importedLabels = policyImport.getEffectedImports()
                                 .map(EffectedImports::getImportedLabels)
                                 .orElse(ImportedLabels.none());
-                        return rewriteImportedLabels(importedPolicyId, resolvedEntries,
+                        return rewriteImportedLabels(importedPolicyId, withResolvedRefs,
                                 importedLabels, applyImportPrefix);
                     });
                 }).orElse(CompletableFuture.completedFuture(Collections.emptySet())));
