lower case resource attribute FQN at highest level in GetDecision flow

Author: jakedoublev

service/internal/access/v2/evaluate.go

@@ -70,11 +70,7 @@ func evaluateResourceAttributeValues(
 	definitionFqnToValueFqns := make(map[string][]string)
 	definitionsLookup := make(map[string]*policy.Attribute)
 
-	for idx, valueFQN := range resourceAttributeValues.GetFqns() {
-		// lowercase the value FQN to ensure case-insensitive matching
-		valueFQN = strings.ToLower(valueFQN)
-		resourceAttributeValues.Fqns[idx] = valueFQN
-
+	for _, valueFQN := range resourceAttributeValues.GetFqns() {
 		attributeAndValue, ok := accessibleAttributeValues[valueFQN]
 		if !ok {
 			return nil, fmt.Errorf("%w: %s", ErrFQNNotFound, valueFQN)

service/internal/access/v2/evaluate_test.go

@@ -681,21 +681,6 @@ func (s *EvaluateTestSuite) TestEvaluateResourceAttributeValues() {
 			expectAccessible: true,
 			expectError:      false,
 		},
-		{
-			name: "all rules passing - non lower-cased FQNs",
-			resourceAttrs: &authz.Resource_AttributeValues{
-				Fqns: []string{
-					strings.ToUpper(levelMidFQN),
-					strings.ToUpper(deptFinanceFQN),
-				},
-			},
-			entitlements: subjectmappingbuiltin.AttributeValueFQNsToActions{
-				levelMidFQN:    []*policy.Action{actionRead},
-				deptFinanceFQN: []*policy.Action{actionRead},
-			},
-			expectAccessible: true,
-			expectError:      false,
-		},
 		{
 			name: "one rule failing",
 			resourceAttrs: &authz.Resource_AttributeValues{

service/internal/access/v2/pdp.go

@@ -163,8 +163,11 @@ func (p *PolicyDecisionPoint) GetDecision(
 			return nil, fmt.Errorf("registered resource value FQN not supported: %w", ErrInvalidResource)
 
 		case *authz.Resource_AttributeValues_:
-			for _, valueFQN := range resource.GetAttributeValues().GetFqns() {
+			for idx, valueFQN := range resource.GetAttributeValues().GetFqns() {
+				// lowercase each resource attribute value FQN for case consistent map key lookups
 				valueFQN = strings.ToLower(valueFQN)
+				resource.GetAttributeValues().Fqns[idx] = valueFQN
+
 				// If same value FQN more than once, skip
 				if _, ok := decisionableAttributes[valueFQN]; ok {
 					continue

service/internal/access/v2/pdp_test.go

@@ -2,6 +2,7 @@ package access
 
 import (
 	"fmt"
+	"strings"
 	"testing"
 
 	"github.com/stretchr/testify/suite"
@@ -422,6 +423,34 @@ func (s *PDPTestSuite) Test_GetDecision_MultipleResources() {
 		}
 	})
 
+	s.Run("Multiple resources and entitled actions/attributes of varied casing - full access", func() {
+		entity := s.createEntityWithProps("test-user-1", map[string]interface{}{
+			"clearance":  "ts",
+			"department": "engineering",
+		})
+		secretFQN := strings.ToUpper(testClassSecretFQN)
+
+		resources := createResourcePerFqn(secretFQN, testDeptEngineeringFQN)
+
+		decision, err := pdp.GetDecision(s.T().Context(), entity, testActionRead, resources)
+
+		s.Require().NoError(err)
+		s.Require().NotNil(decision)
+		s.True(decision.Access)
+		s.Len(decision.Results, 2)
+
+		expectedResults := map[string]bool{
+			secretFQN:              true,
+			testDeptEngineeringFQN: true,
+		}
+		s.assertAllDecisionResults(decision, expectedResults)
+		for _, result := range decision.Results {
+			s.True(result.Passed, "All data rules should pass")
+			s.Len(result.DataRuleResults, 1)
+			s.Empty(result.DataRuleResults[0].EntitlementFailures)
+		}
+	})
+
 	s.Run("Multiple resources and unentitled attributes - full denial", func() {
 		entity := s.createEntityWithProps("test-user-2", map[string]interface{}{
 			"clearance":  "confidential", // Not high enough for update on secret