feat(authorization service): Gets the attributes from the in-memory service connection inside the GetDecisions request (#273)

Author: jakedoublev

cmd/start.go

@@ -142,7 +142,7 @@ func RegisterServices(_ config.Config, otdf *server.OpenTDFServer, dbClient *db.
 	}
 
 	slog.Info("registering attributes server")
-	err = attr.NewAttributesServer(dbClient, otdf.GrpcServer, otdf.Mux)
+	err = attr.NewAttributesServer(dbClient, otdf.GrpcServer, otdf.GrpcInProcess.GetGrpcServer(), otdf.Mux)
 	if err != nil {
 		return fmt.Errorf("could not register attributes service: %w", err)
 	}
@@ -166,7 +166,7 @@ func RegisterServices(_ config.Config, otdf *server.OpenTDFServer, dbClient *db.
 	}
 
 	slog.Info("registering authorization server")
-	err = authorization.NewAuthorizationServer(otdf.GrpcServer, otdf.Mux)
+	err = authorization.NewAuthorizationServer(otdf.GrpcServer, otdf.GrpcInProcess.Conn(), otdf.Mux)
 	if err != nil {
 		return fmt.Errorf("could not register authorization service: %w", err)
 	}

docs/grpc/index.html

@@ -746,7 +746,7 @@ <h3 id="authorization.Action">Action</h3>
 
 
         <h3 id="authorization.DecisionRequest">DecisionRequest</h3>
-        <p>Example Request Get Decisions to answer the question -  Do Bob (represented by entity chain ec1)</p><p>and Alice (represented by entity chain ec2) have TRANSMIT authorization for</p><p>2 resources; resource1 (attr-set-1) defined by attributes foo:bar  resource2 (attr-set-2) defined by attribute foo:bar, color:red ?</p><p>{</p><p>"actions": [</p><p>{</p><p>"standard": "STANDARD_ACTION_TRANSMIT"</p><p>}</p><p>],</p><p>"entityChains": [</p><p>{</p><p>"id": "ec1",</p><p>"entities": [</p><p>{</p><p>"emailAddress": "[email protected]"</p><p>}</p><p>]</p><p>},</p><p>{</p><p>"id": "ec2",</p><p>"entities": [</p><p>{</p><p>"userName": "[email protected]"</p><p>}</p><p>]</p><p>}</p><p>],</p><p>"resourceAttributes": [</p><p>{</p><p>"attributeValueReferences": [</p><p>{</p><p>"attributeFqn": "http://www.example.org/attr/foo/value/bar"</p><p>}</p><p>]</p><p>},</p><p>{</p><p>"attributeValueReferences": [</p><p>{</p><p>"attributeFqn": "http://www.example.org/attr/foo/value/bar"</p><p>},</p><p>{</p><p>"attributeFqn": "http://www.example.org/attr/color/value/red"</p><p>}</p><p>]</p><p>}</p><p>]</p><p>}</p>
+        <p>Example Request Get Decisions to answer the question -  Do Bob (represented by entity chain ec1)</p><p>and Alice (represented by entity chain ec2) have TRANSMIT authorization for</p><p>2 resources; resource1 (attr-set-1) defined by attributes foo:bar  resource2 (attr-set-2) defined by attribute foo:bar, color:red ?</p><p>{</p><p>"actions": [</p><p>{</p><p>"standard": "STANDARD_ACTION_TRANSMIT"</p><p>}</p><p>],</p><p>"entityChains": [</p><p>{</p><p>"id": "ec1",</p><p>"entities": [</p><p>{</p><p>"emailAddress": "[email protected]"</p><p>}</p><p>]</p><p>},</p><p>{</p><p>"id": "ec2",</p><p>"entities": [</p><p>{</p><p>"userName": "[email protected]"</p><p>}</p><p>]</p><p>}</p><p>],</p><p>"resourceAttributes": [</p><p>{</p><p>"attributeFqns": [</p><p>"https://www.example.org/attr/foo/value/value1"</p><p>]</p><p>},</p><p>{</p><p>"attributeFqns": [</p><p>"https://example.net/attr/attr1/value/value1",</p><p>"https://example.net/attr/attr1/value/value2"</p><p>]</p><p>}</p><p>]</p><p>}</p>
 
 
           <table class="field-table">

docs/openapi/authorization/authorization.swagger.json

@@ -130,7 +130,7 @@
           }
         }
       },
-      "description": "{\n\"actions\": [\n{\n\"standard\": \"STANDARD_ACTION_TRANSMIT\"\n}\n],\n\"entityChains\": [\n{\n\"id\": \"ec1\",\n\"entities\": [\n{\n\"emailAddress\": \"[email protected]\"\n}\n]\n},\n{\n\"id\": \"ec2\",\n\"entities\": [\n{\n\"userName\": \"[email protected]\"\n}\n]\n}\n],\n\"resourceAttributes\": [\n{\n\"attributeValueReferences\": [\n{\n\"attributeFqn\": \"http://www.example.org/attr/foo/value/bar\"\n}\n]\n},\n{\n\"attributeValueReferences\": [\n{\n\"attributeFqn\": \"http://www.example.org/attr/foo/value/bar\"\n},\n{\n\"attributeFqn\": \"http://www.example.org/attr/color/value/red\"\n}\n]\n}\n]\n}",
+      "description": "{\n\"actions\": [\n{\n\"standard\": \"STANDARD_ACTION_TRANSMIT\"\n}\n],\n\"entityChains\": [\n{\n\"id\": \"ec1\",\n\"entities\": [\n{\n\"emailAddress\": \"[email protected]\"\n}\n]\n},\n{\n\"id\": \"ec2\",\n\"entities\": [\n{\n\"userName\": \"[email protected]\"\n}\n]\n}\n],\n\"resourceAttributes\": [\n{\n\"attributeFqns\": [\n\"https://www.example.org/attr/foo/value/value1\"\n]\n},\n{\n\"attributeFqns\": [\n\"https://example.net/attr/attr1/value/value1\",\n\"https://example.net/attr/attr1/value/value2\"\n]\n}\n]\n}",
       "title": "Example Request Get Decisions to answer the question -  Do Bob (represented by entity chain ec1)\nand Alice (represented by entity chain ec2) have TRANSMIT authorization for\n2 resources; resource1 (attr-set-1) defined by attributes foo:bar  resource2 (attr-set-2) defined by attribute foo:bar, color:red ?"
     },
     "authorizationDecisionResponse": {

protocol/go/authorization/authorization.pb.go

@@ -4,18 +4,24 @@ import (
 	"context"
 	"fmt"
 	"log/slog"
+	"strings"
 
 	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	"github.com/opentdf/platform/protocol/go/authorization"
+	attr "github.com/opentdf/platform/protocol/go/policy/attributes"
+	"github.com/opentdf/platform/services"
 	"google.golang.org/grpc"
 )
 
 type AuthorizationService struct {
 	authorization.UnimplementedAuthorizationServiceServer
+	cc *grpc.ClientConn
 }
 
-func NewAuthorizationServer(g *grpc.Server, s *runtime.ServeMux) error {
-	as := &AuthorizationService{}
+func NewAuthorizationServer(g *grpc.Server, cc *grpc.ClientConn, s *runtime.ServeMux) error {
+	as := &AuthorizationService{
+		cc: cc,
+	}
 	authorization.RegisterAuthorizationServiceServer(g, as)
 	err := authorization.RegisterAuthorizationServiceHandlerServer(context.Background(), s, as)
 	if err != nil {
@@ -27,13 +33,25 @@ func NewAuthorizationServer(g *grpc.Server, s *runtime.ServeMux) error {
 func (as AuthorizationService) GetDecisions(ctx context.Context, req *authorization.GetDecisionsRequest) (*authorization.GetDecisionsResponse, error) {
 	slog.Debug("getting decisions")
 
+	attrClient := attr.NewAttributesServiceClient(as.cc)
+
 	// Temporary canned echo response with permit decision for all requested decision/entity/ra combos
 	rsp := &authorization.GetDecisionsResponse{
 		DecisionResponses: make([]*authorization.DecisionResponse, 0),
 	}
 	for _, dr := range req.DecisionRequests {
 		for _, ra := range dr.ResourceAttributes {
+			slog.Debug("getting resource attributes", slog.String("FQNs", strings.Join(ra.AttributeFqns, ", ")))
+
+			attrs, err := attrClient.GetAttributesByValueFqns(ctx, &attr.GetAttributesByValueFqnsRequest{
+				Fqns: ra.AttributeFqns,
+			})
+			if err != nil {
+				// TODO: should all decisions in a request fail if one FQN lookup fails?
+				return nil, services.HandleError(err, services.ErrGetRetrievalFailed, slog.String("fqns", strings.Join(ra.AttributeFqns, ", ")))
+			}
 			for _, ec := range dr.EntityChains {
+				fmt.Printf("\nTODO: make access decision here with these fully qualified attributes: %+v\n", attrs)
 				decision := &authorization.DecisionResponse{
 					Decision:      authorization.DecisionResponse_DECISION_PERMIT,
 					EntityChainId: ec.Id,

sdkjava/src/main/java/io/opentdf/platform/authorization/DecisionRequest.java

@@ -49,52 +49,44 @@ message Action {
    and Alice (represented by entity chain ec2) have TRANSMIT authorization for
    2 resources; resource1 (attr-set-1) defined by attributes foo:bar  resource2 (attr-set-2) defined by attribute foo:bar, color:red ?
 
-   {
-     "actions": [
-       {
-         "standard": "STANDARD_ACTION_TRANSMIT"
-       }
-     ],
-     "entityChains": [
-       {
-         "id": "ec1",
-         "entities": [
-           {
-             "emailAddress": "[email protected]"
-           }
-         ]
-       },
-       {
-         "id": "ec2",
-         "entities": [
-           {
-             "userName": "[email protected]"
-           }
-         ]
-       }
-     ],
-     "resourceAttributes": [
-       {
-         "attributeValueReferences": [
-           {
-             "attributeFqn": "http://www.example.org/attr/foo/value/bar"
-           }
-         ]
-       },
-       {
-         "attributeValueReferences": [
-           {
-             "attributeFqn": "http://www.example.org/attr/foo/value/bar"
-           },
-           {
-             "attributeFqn": "http://www.example.org/attr/color/value/red"
-           }
-         ]
-       }
-     ]
-   }
-
-
+  {
+  "actions": [
+    {
+      "standard": "STANDARD_ACTION_TRANSMIT"
+    }
+  ],
+  "entityChains": [
+    {
+      "id": "ec1",
+      "entities": [
+        {
+          "emailAddress": "[email protected]"
+        }
+      ]
+    },
+    {
+      "id": "ec2",
+      "entities": [
+        {
+          "userName": "[email protected]"
+        }
+      ]
+    }
+  ],
+  "resourceAttributes": [
+    {
+      "attributeFqns": [
+        "https://www.example.org/attr/foo/value/value1"
+      ]
+    },
+    {
+      "attributeFqns": [
+        "https://example.net/attr/attr1/value/value1",
+        "https://example.net/attr/attr1/value/value2"
+      ]
+    }
+  ]
+}
 
 */
 message DecisionRequest {

services/authorization/authorization.go

@@ -18,11 +18,14 @@ type AttributesService struct {
 	dbClient *policydb.PolicyDbClient
 }
 
-func NewAttributesServer(dbClient *db.Client, g *grpc.Server, s *runtime.ServeMux) error {
+func NewAttributesServer(dbClient *db.Client, g *grpc.Server, grpcInprocess *grpc.Server, s *runtime.ServeMux) error {
 	as := &AttributesService{
 		dbClient: policydb.NewClient(*dbClient),
 	}
 	attr.RegisterAttributesServiceServer(g, as)
+	if grpcInprocess != nil {
+		attr.RegisterAttributesServiceServer(grpcInprocess, as)
+	}
 	err := attr.RegisterAttributesServiceHandlerServer(context.Background(), s, as)
 	if err != nil {
 		return fmt.Errorf("failed to register attributes service handler: %w", err)