Skip to content

fix(authz): if entity identifier results in multiple representations, treat with AND in resource decision results #2860

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
jakedoublev merged 25 commits into from
Nov 6, 2025
Merged

fix(authz): if entity identifier results in multiple representations, treat with AND in resource decision results #2860

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
25 commits
Select commit Hold shift + click to select a range
c6722b2
wip cleanup
jakedoublev Oct 31, 2025
1df02b0
Merge remote-tracking branch 'origin' into fix/DSPX-1810
jakedoublev Oct 31, 2025
6ea7edc
test fixes
jakedoublev Oct 31, 2025
cdb2e5f
cleanup tests
jakedoublev Oct 31, 2025
3a890b7
optimize
jakedoublev Oct 31, 2025
21313ef
comment cleanup
jakedoublev Oct 31, 2025
6e94a41
cleanup
jakedoublev Oct 31, 2025
8125985
fix return obligations when multiple entity representations that are …
jakedoublev Oct 31, 2025
d21c960
improve diff
jakedoublev Oct 31, 2025
bf612df
comment cleanup
jakedoublev Oct 31, 2025
5c2b678
run new obligations x-tests that are yet to be merged in CI
jakedoublev Oct 31, 2025
8300cdb
Revert "run new obligations x-tests that are yet to be merged in CI"
jakedoublev Oct 31, 2025
52f3ddb
try abstracting some logic into helpers in the entity representation …
jakedoublev Nov 3, 2025
738cffc
go fmt
jakedoublev Nov 3, 2025
016cd9e
lint fix
jakedoublev Nov 3, 2025
57f9caa
fix benchmark job
jakedoublev Nov 3, 2025
164fd7f
trace config properly in benchmark job
jakedoublev Nov 3, 2025
e9e360f
Merge remote-tracking branch 'origin' into fix/DSPX-1810
jakedoublev Nov 5, 2025
f3e88b0
suggestion
jakedoublev Nov 5, 2025
05c2180
readability improvements to consolidateResourceDecisions
jakedoublev Nov 5, 2025
82ed3f4
optimization
jakedoublev Nov 5, 2025
e81b491
better comments and variable names
jakedoublev Nov 5, 2025
e9d8d0c
go fmt
jakedoublev Nov 5, 2025
2a691e4
lint and improve test
jakedoublev Nov 5, 2025
b947a14
Merge remote-tracking branch 'origin' into fix/DSPX-1810
jakedoublev Nov 6, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion .github/workflows/checks.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -214,7 +214,7 @@ jobs:
mkcert -cert-file ./keys/platform.crt -key-file ./keys/platform-key.pem localhost
cp opentdf-dev.yaml opentdf.yaml
yq eval '.server.tls.enabled = true' -i opentdf.yaml
yq eval '.trace = {"enabled":true}' -i opentdf.yaml
yq eval '.server.trace.enabled = true' -i opentdf.yaml
- name: Added Trusted Certs
run: |
sudo chmod -R 777 ./keys
Expand Down
21 changes: 13 additions & 8 deletions service/authorization/v2/authorization.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -188,7 +188,7 @@ func (as *Service) GetDecision(ctx context.Context, req *connect.Request[authzV2
return nil, statusifyError(ctx, as.logger, err)
}

decisions, permitted, err := pdp.GetDecision(
decision, err := pdp.GetDecision(
ctx,
entityIdentifier,
action,
Expand All @@ -199,10 +199,15 @@ func (as *Service) GetDecision(ctx context.Context, req *connect.Request[authzV2
if err != nil {
return nil, statusifyError(ctx, as.logger, err)
}
resp, err := rollupSingleResourceDecision(permitted, decisions)

resourceDecisions, err := rollupResourceDecisions(decision)
if err != nil {
return nil, statusifyError(ctx, as.logger, err)
}

resp := &authzV2.GetDecisionResponse{
Decision: resourceDecisions[0],
}
return connect.NewResponse(resp), nil
}

Expand Down Expand Up @@ -232,7 +237,7 @@ func (as *Service) GetDecisionMultiResource(ctx context.Context, req *connect.Re
return nil, statusifyError(ctx, as.logger, err)
}

decisions, allPermitted, err := pdp.GetDecision(
decision, err := pdp.GetDecision(
ctx,
entityIdentifier,
action,
Expand All @@ -244,14 +249,14 @@ func (as *Service) GetDecisionMultiResource(ctx context.Context, req *connect.Re
return nil, statusifyError(ctx, as.logger, errors.Join(ErrFailedToGetDecision, err))
}

resourceDecisions, err := rollupMultiResourceDecisions(decisions)
resourceDecisions, err := rollupResourceDecisions(decision)
if err != nil {
return nil, statusifyError(ctx, as.logger, err)
}

resp := &authzV2.GetDecisionMultiResourceResponse{
AllPermitted: &wrapperspb.BoolValue{
Value: allPermitted,
Value: decision.AllPermitted,
},
ResourceDecisions: resourceDecisions,
}
Expand Down Expand Up @@ -291,19 +296,19 @@ func (as *Service) GetDecisionBulk(ctx context.Context, req *connect.Request[aut
resources := request.GetResources()
fulfillableObligations := request.GetFulfillableObligationFqns()

decisions, allPermitted, err := pdp.GetDecision(ctx, entityIdentifier, action, resources, reqContext, fulfillableObligations)
decision, err := pdp.GetDecision(ctx, entityIdentifier, action, resources, reqContext, fulfillableObligations)
if err != nil {
return nil, statusifyError(ctx, as.logger, errors.Join(ErrFailedToGetDecision, err))
}

resourceDecisions, err := rollupMultiResourceDecisions(decisions)
resourceDecisions, err := rollupResourceDecisions(decision)
if err != nil {
return nil, statusifyError(ctx, as.logger, err, slog.Int("index", idx))
}

decisionResponse := &authzV2.GetDecisionMultiResourceResponse{
AllPermitted: &wrapperspb.BoolValue{
Value: allPermitted,
Value: decision.AllPermitted,
},
ResourceDecisions: resourceDecisions,
}
Expand Down
Loading
Loading