fix(authz): if entity identifier results in multiple representations, treat with AND in resource decision results #2860

jakedoublev · 2025-10-31T17:16:37Z

Proposed Changes

Make sure an entity identifier that breaks out into multiple entity representations when back from the ERS response results in AND logic across the representations on each individual resource
Audit should log for each entity representation for clarity (possible to provide an entity chain with dozens of email addresses in a single identifier, so there should be a log to audit for each representation of an entity from the chained email address entities)

Checklist

I have added or updated unit tests
I have added or updated integration tests (if appropriate)
I have added or updated documentation

Testing Instructions

github-actions · 2025-10-31T17:21:32Z

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	177.23364ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	92.342052ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	354.41741ms
Throughput	282.15 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	38.450794043s
Average Latency	383.027341ms
Throughput	130.04 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	26.85261399s
Average Latency	267.34349ms
Throughput	186.20 requests/second

github-actions · 2025-10-31T17:31:54Z

X-Test Results

opentdf~~platform~~OPJDCB.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2860
✅ java-pull-2860
✅ go-pull-2860

github-actions · 2025-10-31T17:44:33Z

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	186.024452ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	97.484191ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	375.919567ms
Throughput	266.01 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	40.011384602s
Average Latency	398.850193ms
Throughput	124.96 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.686250733s
Average Latency	276.079108ms
Throughput	180.60 requests/second

github-actions · 2025-10-31T17:54:26Z

X-Test Results

opentdf~~platform~~NNS6QI.dockerbuild
✅ java-v0.4.34
cukes-report
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2860
✅ java-pull-2860
✅ go-pull-2860

github-actions · 2025-10-31T18:27:16Z

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	177.508738ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	99.761284ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	361.51056ms
Throughput	276.62 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	38.799897514s
Average Latency	385.812205ms
Throughput	128.87 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.08025863s
Average Latency	270.039625ms
Throughput	184.64 requests/second

…entitled

github-actions · 2025-10-31T18:37:22Z

X-Test Results

opentdf~~platform~~YVNPJY.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2860
✅ java-pull-2860
✅ go-pull-2860

github-actions · 2025-10-31T18:40:46Z

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	184.707034ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	91.743648ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	380.789871ms
Throughput	262.61 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	38.366858364s
Average Latency	381.614136ms
Throughput	130.32 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	26.774250809s
Average Latency	266.805711ms
Throughput	186.75 requests/second

github-actions · 2025-10-31T18:45:39Z

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	175.498737ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	99.313082ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	365.51013ms
Throughput	273.59 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	38.935014842s
Average Latency	387.268383ms
Throughput	128.42 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.116960767s
Average Latency	270.1239ms
Throughput	184.39 requests/second

jakedoublev · 2025-10-31T18:47:46Z

/gemini review

gemini-code-assist

Code Review

This pull request refactors the authorization decision logic to correctly handle entity identifiers that resolve to multiple representations. It consolidates multiple decisions into one using AND logic, ensuring all representations are entitled for access to be granted. The helper functions for rolling up decisions have been simplified, and tests have been updated accordingly. My feedback includes a suggestion to add a defensive check to prevent a potential panic and another to improve the readability of the new consolidation logic for better maintainability.

service/authorization/v2/authorization.go

service/internal/access/v2/just_in_time_pdp.go

github-actions · 2025-10-31T18:52:22Z

X-Test Results

opentdf~~platform~~SIQJZN.dockerbuild
✅ java-v0.4.34
cukes-report
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2860
✅ java-pull-2860
✅ go-pull-2860

github-actions · 2025-10-31T18:52:22Z

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	178.496997ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	99.222197ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	361.888076ms
Throughput	276.33 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	38.923690124s
Average Latency	387.422637ms
Throughput	128.46 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.352374482s
Average Latency	272.4942ms
Throughput	182.80 requests/second

github-actions · 2025-10-31T18:57:26Z

X-Test Results

opentdf~~platform~~Z2VLIK.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2860
✅ java-pull-2860
✅ go-pull-2860

github-actions · 2025-10-31T19:01:00Z

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	171.127352ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	100.027387ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	356.690022ms
Throughput	280.36 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	39.45163969s
Average Latency	392.185637ms
Throughput	126.74 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.374287409s
Average Latency	272.938917ms
Throughput	182.65 requests/second

github-actions · 2025-11-05T19:43:41Z

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	215.672245ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	108.569987ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	394.607966ms
Throughput	253.42 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	44.054567457s
Average Latency	438.66633ms
Throughput	113.50 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	30.573180348s
Average Latency	304.94033ms
Throughput	163.54 requests/second

github-actions · 2025-11-05T19:54:46Z

X-Test Results

opentdf~~platform~~NIOKEV.dockerbuild
cukes-report
✅ java-v0.4.34
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2860
✅ java-pull-2860
✅ go-pull-2860

github-actions · 2025-11-05T21:43:39Z

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	166.276081ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	95.738723ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	364.133125ms
Throughput	274.62 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	39.382690008s
Average Latency	392.354715ms
Throughput	126.96 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.670353171s
Average Latency	275.430313ms
Throughput	180.70 requests/second

github-actions · 2025-11-05T21:49:19Z

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	175.505507ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	98.088078ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	358.48451ms
Throughput	278.95 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	38.820531746s
Average Latency	386.433679ms
Throughput	128.80 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.657485612s
Average Latency	275.520281ms
Throughput	180.78 requests/second

github-actions · 2025-11-05T21:54:13Z

X-Test Results

opentdf~~platform~~GDUJ7X.dockerbuild
✅ js-v0.4.34
cukes-report
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2860
✅ java-pull-2860
✅ go-pull-2860

github-actions · 2025-11-05T22:00:33Z

X-Test Results

opentdf~~platform~~B0XEBJ.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
✅ js-pull-2860
✅ java-pull-2860
✅ go-pull-2860

github-actions · 2025-11-06T17:11:01Z

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	180.257819ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	104.984976ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	369.462504ms
Throughput	270.66 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	40.848952488s
Average Latency	407.056327ms
Throughput	122.40 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	28.227460953s
Average Latency	281.366048ms
Throughput	177.13 requests/second

github-actions · 2025-11-06T17:23:23Z

X-Test Results

opentdf~~platform~~YKPCEX.dockerbuild
cukes-report
✅ java-v0.4.34
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2860
✅ java-pull-2860
✅ go-pull-2860

jakedoublev · 2025-11-06T22:09:15Z

/backport

… treat with AND in resource decision results (#2860) ### Proposed Changes * Make sure an entity identifier that breaks out into multiple entity representations when back from the ERS response results in AND logic across the representations on each individual resource * Audit should log for each entity representation for clarity (possible to provide an entity chain with dozens of email addresses in a single identifier, so there should be a log to audit for each representation of an entity from the chained email address entities) ### Checklist - [ ] I have added or updated unit tests - [ ] I have added or updated integration tests (if appropriate) - [ ] I have added or updated documentation ### Testing Instructions (cherry picked from commit e869b35)

opentdf-automation · 2025-11-06T22:09:29Z

Successfully created backport PR for release/service/v0.11:

fix(authz): if entity identifier results in multiple representations, treat with AND in resource decision results [backport to release/service/v0.11] #2887

… treat with AND in resource decision results (#2860) ### Proposed Changes * Make sure an entity identifier that breaks out into multiple entity representations when back from the ERS response results in AND logic across the representations on each individual resource * Audit should log for each entity representation for clarity (possible to provide an entity chain with dozens of email addresses in a single identifier, so there should be a log to audit for each representation of an entity from the chained email address entities) ### Checklist - [ ] I have added or updated unit tests - [ ] I have added or updated integration tests (if appropriate) - [ ] I have added or updated documentation ### Testing Instructions (cherry picked from commit e869b35)

… treat with AND in resource decision results [backport to release/service/v0.11] (#2887) # Description Backport of #2860 to `release/service/v0.11`. Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com> Co-authored-by: jakedoublev <jake.vanvorhis@virtru.com>

jakedoublev added 3 commits October 31, 2025 08:12

wip cleanup

c6722b2

Merge remote-tracking branch 'origin' into fix/DSPX-1810

1df02b0

test fixes

6ea7edc

github-actions bot added comp:authorization size/m labels Oct 31, 2025

cleanup tests

cdb2e5f

jakedoublev added 2 commits October 31, 2025 10:33

optimize

3a890b7

comment cleanup

21313ef

cleanup

6e94a41

fix return obligations when multiple entity representations that are …

8125985

…entitled

improve diff

d21c960

comment cleanup

bf612df

jakedoublev marked this pull request as ready for review October 31, 2025 18:47

jakedoublev requested a review from a team as a code owner October 31, 2025 18:47

gemini-code-assist bot reviewed Oct 31, 2025

View reviewed changes

service/authorization/v2/authorization.go Show resolved Hide resolved

service/internal/access/v2/just_in_time_pdp.go Outdated Show resolved Hide resolved

run new obligations x-tests that are yet to be merged in CI

5c2b678

jakedoublev requested a review from a team as a code owner October 31, 2025 18:56

c-r33d previously approved these changes Nov 5, 2025

View reviewed changes

jakedoublev added 2 commits November 5, 2025 09:55

readability improvements to consolidateResourceDecisions

05c2180

optimization

82ed3f4

jakedoublev dismissed c-r33d’s stale review via 82ed3f4 November 5, 2025 19:38

jakedoublev added 2 commits November 5, 2025 12:48

better comments and variable names

e81b491

go fmt

e9d8d0c

lint and improve test

2a691e4

Merge remote-tracking branch 'origin' into fix/DSPX-1810

b947a14

c-r33d approved these changes Nov 6, 2025

View reviewed changes

alkalescent approved these changes Nov 6, 2025

View reviewed changes

jakedoublev added this pull request to the merge queue Nov 6, 2025

Merged via the queue into main with commit e869b35 Nov 6, 2025
41 checks passed

jakedoublev deleted the fix/DSPX-1810 branch November 6, 2025 22:05

opentdf-automation bot mentioned this pull request Nov 6, 2025

chore(main): release service 0.12.0 #2841

Open

jakedoublev added the backport release/service/v0.11 label Nov 6, 2025

opentdf-automation bot mentioned this pull request Nov 6, 2025

fix(authz): if entity identifier results in multiple representations, treat with AND in resource decision results [backport to release/service/v0.11] #2887

Merged

fix(authz): if entity identifier results in multiple representations, treat with AND in resource decision results #2860

fix(authz): if entity identifier results in multiple representations, treat with AND in resource decision results #2860

Uh oh!

Conversation

jakedoublev commented Oct 31, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Proposed Changes

Checklist

Testing Instructions

Uh oh!

github-actions bot commented Oct 31, 2025

Benchmark authorization.GetDecisions Results:

Benchmark authorization.v2.GetMultiResourceDecision Results:

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

TDF3 Benchmark Results:

NANOTDF Benchmark Results:

Uh oh!

github-actions bot commented Oct 31, 2025

X-Test Results

Uh oh!

github-actions bot commented Oct 31, 2025

Benchmark authorization.GetDecisions Results:

Benchmark authorization.v2.GetMultiResourceDecision Results:

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

TDF3 Benchmark Results:

NANOTDF Benchmark Results:

Uh oh!

github-actions bot commented Oct 31, 2025

X-Test Results

Uh oh!

github-actions bot commented Oct 31, 2025

Benchmark authorization.GetDecisions Results:

Benchmark authorization.v2.GetMultiResourceDecision Results:

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

TDF3 Benchmark Results:

NANOTDF Benchmark Results:

Uh oh!

github-actions bot commented Oct 31, 2025

X-Test Results

Uh oh!

github-actions bot commented Oct 31, 2025

Benchmark authorization.GetDecisions Results:

Benchmark authorization.v2.GetMultiResourceDecision Results:

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

TDF3 Benchmark Results:

NANOTDF Benchmark Results:

Uh oh!

github-actions bot commented Oct 31, 2025

Benchmark authorization.GetDecisions Results:

Benchmark authorization.v2.GetMultiResourceDecision Results:

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

TDF3 Benchmark Results:

NANOTDF Benchmark Results:

Uh oh!

jakedoublev commented Oct 31, 2025

Uh oh!

gemini-code-assist bot left a comment

Choose a reason for hiding this comment

Code Review

Uh oh!

Uh oh!

Uh oh!

github-actions bot commented Oct 31, 2025

X-Test Results

Uh oh!

github-actions bot commented Oct 31, 2025

Benchmark authorization.GetDecisions Results:

Benchmark authorization.v2.GetMultiResourceDecision Results:

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

TDF3 Benchmark Results:

NANOTDF Benchmark Results:

Uh oh!

github-actions bot commented Oct 31, 2025

X-Test Results

jakedoublev commented Oct 31, 2025 •

edited

Loading