feat(authz): logic for authz v2 (actions within ABAC decisioning)

.github/workflows/checks.yaml

@@ -254,6 +254,19 @@ jobs:
             echo "$OUTPUT";
             echo "EODECISION"
           } >> "$GITHUB_ENV"
+      - name: run decision v2 benchmark tests
+        run: |
+          # Run the benchmark with a specific count (adjust as needed)
+          OUTPUT=$(./examples/examples benchmark-decision-v2 --count 5000)
+          echo "--- Decision Benchmark v2 Output ---"
+          echo "$OUTPUT"
+          echo "$OUTPUT" >> "$GITHUB_STEP_SUMMARY" # Add to job summary page
+          # Save the output to an environment variable for the comment step
+          {
+            echo "BENCHMARK_DECISION_V2_OUTPUT<<EODECISIONV2"; # Unique delimiter
+            echo "$OUTPUT";
+            echo "EODECISIONV2"
+          } >> "$GITHUB_ENV"
       - name: run tdf3 benchmark tests
         run: |
           OUTPUT=$(./examples/examples benchmark --count=5000 --concurrent=50)
@@ -292,12 +305,13 @@ jobs:
         with:
           script: |
             const decisionOutput = process.env.BENCHMARK_DECISION_OUTPUT || '## Decision Benchmark Skipped or Failed';
+            const decisionV2Output = process.env.BENCHMARK_DECISION_V2_OUTPUT || '## Decision Benchmark v2 Skipped or Failed';
             const metricsOutput = process.env.BENCHMARK_METRICS_OUTPUT || '## Standard Benchmark Metrics Skipped or Failed';
             const bulkOutput = process.env.BENCHMARK_BULK_OUTPUT || '## Bulk Benchmark Skipped or Failed';
             const tdf3Output = process.env.BENCHMARK_TDF3_OUTPUT || '## TDF3 Benchmark Skipped or Failed';
             const nanoOutput = process.env.BENCHMARK_NANO_OUTPUT || '## Nano Benchmark Skipped or Failed';
 
-            const body = `<details><summary>Benchmark results, click to expand</summary>\n\n${decisionOutput}\n\n${bulkOutput}\n\n${tdf3Output}\n\n${nanoOutput}\n\n${metricsOutput}</details>`;
+            const body = `<details><summary>Benchmark results, click to expand</summary>\n\n${decisionOutput}\n\n${decisionV2Output}\n\n${bulkOutput}\n\n${tdf3Output}\n\n${nanoOutput}\n\n${metricsOutput}</details>`;
 
             github.rest.issues.createComment({
               owner: context.repo.owner,

examples/cmd/authorization.go

@@ -27,9 +27,9 @@ func authorizationExamples() error {
 	}
 	defer s.Close()
 
-	// request decision on "TRANSMIT" Action
+	// request decision on "read" Action
 	actions := []*policy.Action{{
-		Value: &policy.Action_Standard{Standard: policy.Action_STANDARD_ACTION_TRANSMIT},
+		Name: "read",
 	}}
 
 	// model two groups of entities; user bob and user alice

examples/cmd/benchmark_decision.go

@@ -67,7 +67,7 @@ func runDecisionBenchmark(_ *cobra.Command, _ []string) error {
 	}
 
 	// Print results
-	fmt.Printf("# Benchmark Results:\n")
+	fmt.Printf("# Benchmark authorization.GetDecisions Results:\n")
 	fmt.Printf("| Metric                  | Value                  |\n")
 	fmt.Printf("|-------------------------|------------------------|\n")
 	if err == nil {

examples/cmd/benchmark_decision_v2.go

@@ -0,0 +1,103 @@
+//nolint:forbidigo // We use Println here extensively because we are printing markdown.
+package cmd
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"time"
+
+	authzV2 "github.com/opentdf/platform/protocol/go/authorization/v2"
+	"github.com/opentdf/platform/protocol/go/entity"
+	"github.com/opentdf/platform/protocol/go/policy"
+	"github.com/spf13/cobra"
+)
+
+func init() {
+	benchmarkCmd := &cobra.Command{
+		Use:   "benchmark-decision-v2",
+		Short: "benchmark authorization.v2.GetDecisionMultiResource",
+		Long:  `A OpenTDF benchmark tool to measure throughput and latency with configurable concurrency for authorization.v2.GetDecisionMultiResource.`,
+		RunE:  runDecisionBenchmarkV2,
+	}
+	benchmarkCmd.Flags().IntVar(&config.RequestCount, "count", 100, "Total number of requests") //nolint: mnd // This is output to the help with explanation
+	ExamplesCmd.AddCommand(benchmarkCmd)
+}
+
+func runDecisionBenchmarkV2(_ *cobra.Command, _ []string) error {
+	// Create new offline client
+	client, err := newSDK()
+	if err != nil {
+		return err
+	}
+
+	var resources []*authzV2.Resource
+	attrValueFQN := "https://example.com/attr/attr1/value/value1"
+
+	for i := range config.RequestCount {
+		r := &authzV2.Resource{
+			EphemeralId: "resource-%d" + strconv.Itoa(i),
+			Resource: &authzV2.Resource_AttributeValues_{
+				AttributeValues: &authzV2.Resource_AttributeValues{
+					Fqns: []string{attrValueFQN},
+				},
+			},
+		}
+		resources = append(resources, r)
+	}
+
+	start := time.Now()
+	res, err := client.AuthorizationV2.GetDecisionMultiResource(context.Background(), &authzV2.GetDecisionMultiResourceRequest{
+		Action: &policy.Action{
+			Name: "read",
+		},
+		EntityIdentifier: &authzV2.EntityIdentifier{
+			Identifier: &authzV2.EntityIdentifier_EntityChain{
+				EntityChain: &entity.EntityChain{
+					EphemeralId: "decision-bulk-entity-chain",
+					Entities: []*entity.Entity{
+						{
+							EphemeralId: "jwtentity-0-clientid-opentdf-sdk",
+							EntityType:  &entity.Entity_ClientId{ClientId: "opentdf-public"},
+							Category:    entity.Entity_CATEGORY_ENVIRONMENT,
+						},
+						{
+							EphemeralId: "jwtentity-1-username-sample-user",
+							EntityType:  &entity.Entity_UserName{UserName: "sample-user"},
+							Category:    entity.Entity_CATEGORY_SUBJECT,
+						},
+					},
+				},
+			},
+		},
+		Resources: resources,
+	})
+	end := time.Now()
+	totalTime := end.Sub(start)
+
+	numberApproved := 0
+	numberDenied := 0
+	if err == nil {
+		for _, decision := range res.GetResourceDecisions() {
+			if decision.GetDecision() == authzV2.Decision_DECISION_PERMIT {
+				numberApproved++
+			} else {
+				numberDenied++
+			}
+		}
+	}
+
+	// Print results
+	fmt.Printf("# Benchmark authorization.v2.GetMultiResourceDecision Results:\n")
+	fmt.Printf("| Metric                  | Value                  |\n")
+	fmt.Printf("|-------------------------|------------------------|\n")
+	if err == nil {
+		fmt.Printf("| Approved Decision Requests | %d |\n", numberApproved)
+		fmt.Printf("| Denied Decision Requests   | %d |\n", numberDenied)
+	} else {
+		fmt.Printf("| Error                    | %s |\n", err.Error())
+	}
+	fmt.Printf("| Total Time              | %s |\n", totalTime)
+
+	return nil
+}

service/authorization/v2/authorization.go

@@ -3,14 +3,20 @@ package authorization
 import (
 	"context"
 	"errors"
+	"fmt"
+	"log/slog"
 
 	"connectrpc.com/connect"
 	authzV2 "github.com/opentdf/platform/protocol/go/authorization/v2"
 	authzV2Connect "github.com/opentdf/platform/protocol/go/authorization/v2/authorizationv2connect"
 	otdf "github.com/opentdf/platform/sdk"
+	"github.com/opentdf/platform/service/internal/access/v2"
 	"github.com/opentdf/platform/service/logger"
 	"github.com/opentdf/platform/service/pkg/serviceregistry"
+	"go.opentelemetry.io/otel"
+	"go.opentelemetry.io/otel/propagation"
 	"go.opentelemetry.io/otel/trace"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 )
 
 type Service struct {
@@ -36,9 +42,9 @@ func NewRegistration() *serviceregistry.Service[authzV2Connect.AuthorizationServ
 
 				logger := srp.Logger
 
-				// default ERS endpoint
 				as.sdk = srp.SDK
 				as.logger = logger
+
 				// if err := srp.RegisterReadinessCheck("authorization", as.IsReady); err != nil {
 				// 	logger.Error("failed to register authorization readiness check", slog.String("error", err.Error()))
 				// }
@@ -60,21 +66,187 @@ func NewRegistration() *serviceregistry.Service[authzV2Connect.AuthorizationServ
 // }
 
 // GetEntitlements for an entity chain
-func (as *Service) GetEntitlements(_ context.Context, _ *connect.Request[authzV2.GetEntitlementsRequest]) (*connect.Response[authzV2.GetEntitlementsResponse], error) {
-	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("GetEntitlements not implemented"))
+func (as *Service) GetEntitlements(ctx context.Context, req *connect.Request[authzV2.GetEntitlementsRequest]) (*connect.Response[authzV2.GetEntitlementsResponse], error) {
+	as.logger.DebugContext(ctx, "getting entitlements")
+
+	ctx, span := as.Tracer.Start(ctx, "GetEntitlements")
+	defer span.End()
+
+	// Extract trace context from the incoming request
+	propagator := otel.GetTextMapPropagator()
+	ctx = propagator.Extract(ctx, propagation.HeaderCarrier(req.Header()))
+
+	entityIdentifier := req.Msg.GetEntityIdentifier()
+	withComprehensiveHierarchy := req.Msg.GetWithComprehensiveHierarchy()
+
+	// When authorization service can consume cached policy, switch to the other PDP (process based on policy passed in)
+	pdp, err := access.NewJustInTimePDP(ctx, as.logger, as.sdk)
+	if err != nil {
+		as.logger.ErrorContext(ctx, "failed to create JIT PDP", slog.String("error", err.Error()))
+		return nil, connect.NewError(connect.CodeInternal, err)
+	}
+
+	entitlements, err := pdp.GetEntitlements(ctx, entityIdentifier, withComprehensiveHierarchy)
+	if err != nil {
+		// TODO: any bad request errors that aren't 500s?
+		as.logger.ErrorContext(ctx, "failed to get entitlements", slog.String("error", err.Error()))
+		return nil, connect.NewError(connect.CodeInternal, err)
+	}
+
+	rsp := &authzV2.GetEntitlementsResponse{
+		Entitlements: entitlements,
+	}
+
+	return connect.NewResponse(rsp), nil
 }
 
 // GetDecision for an entity chain and an action on a single resource
-func (as *Service) GetDecision(_ context.Context, _ *connect.Request[authzV2.GetDecisionRequest]) (*connect.Response[authzV2.GetDecisionResponse], error) {
-	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("GetDecision not implemented"))
+func (as *Service) GetDecision(ctx context.Context, req *connect.Request[authzV2.GetDecisionRequest]) (*connect.Response[authzV2.GetDecisionResponse], error) {
+	as.logger.DebugContext(ctx, "getting decision")
+
+	ctx, span := as.Tracer.Start(ctx, "GetDecision")
+	defer span.End()
+
+	// Extract trace context from the incoming request
+	propagator := otel.GetTextMapPropagator()
+	ctx = propagator.Extract(ctx, propagation.HeaderCarrier(req.Header()))
+
+	pdp, err := access.NewJustInTimePDP(ctx, as.logger, as.sdk)
+	if err != nil {
+		as.logger.ErrorContext(ctx, "failed to create JIT PDP", slog.String("error", err.Error()))
+		return nil, connect.NewError(connect.CodeInternal, err)
+	}
+	request := req.Msg
+	entityIdentifier := request.GetEntityIdentifier()
+	action := request.GetAction()
+	resource := request.GetResource()
+
+	decisions, permitted, err := pdp.GetDecision(ctx, entityIdentifier, action, []*authzV2.Resource{resource})
+	if err != nil {
+		// TODO: any bad request errors that aren't 500s?
+		as.logger.ErrorContext(ctx, "failed to get decision", slog.String("error", err.Error()))
+		return nil, connect.NewError(connect.CodeInternal, err)
+	}
+	resp, err := rollupSingleResourceDecision(permitted, decisions)
+	if err != nil {
+		as.logger.ErrorContext(ctx, "failed to rollup single resource decision", slog.String("error", err.Error()))
+		return nil, connect.NewError(connect.CodeInternal, err)
+	}
+	return connect.NewResponse(resp), nil
 }
 
 // GetDecisionMultiResource for an entity chain and action on multiple resources
-func (as *Service) GetDecisionMultiResource(_ context.Context, _ *connect.Request[authzV2.GetDecisionMultiResourceRequest]) (*connect.Response[authzV2.GetDecisionMultiResourceResponse], error) {
-	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("GetDecisionMultiResource not implemented"))
+func (as *Service) GetDecisionMultiResource(ctx context.Context, req *connect.Request[authzV2.GetDecisionMultiResourceRequest]) (*connect.Response[authzV2.GetDecisionMultiResourceResponse], error) {
+	as.logger.DebugContext(ctx, "getting decision multi resource")
+
+	ctx, span := as.Tracer.Start(ctx, "GetDecisionMultiResource")
+	defer span.End()
+
+	// Extract trace context from the incoming request
+	propagator := otel.GetTextMapPropagator()
+	ctx = propagator.Extract(ctx, propagation.HeaderCarrier(req.Header()))
+
+	pdp, err := access.NewJustInTimePDP(ctx, as.logger, as.sdk)
+	if err != nil {
+		as.logger.ErrorContext(ctx, "failed to create JIT PDP", slog.String("error", err.Error()))
+		return nil, connect.NewError(connect.CodeInternal, err)
+	}
+	request := req.Msg
+	entityIdentifier := request.GetEntityIdentifier()
+	action := request.GetAction()
+	resources := request.GetResources()
+
+	decisions, allPermitted, err := pdp.GetDecision(ctx, entityIdentifier, action, resources)
+	if err != nil {
+		// TODO: any bad request errors that aren't 500s?
+		as.logger.ErrorContext(ctx, "failed to get decision", slog.String("error", err.Error()))
+		return nil, connect.NewError(connect.CodeInternal, err)
+	}
+
+	resourceDecisions, err := rollupMultiResourceDecision(decisions)
+	if err != nil {
+		as.logger.ErrorContext(ctx, "failed to rollup multi resource decision", slog.String("error", err.Error()))
+		return nil, connect.NewError(connect.CodeInternal, err)
+	}
+
+	resp := &authzV2.GetDecisionMultiResourceResponse{
+		AllPermitted: &wrapperspb.BoolValue{
+			Value: allPermitted,
+		},
+		ResourceDecisions: resourceDecisions,
+	}
+
+	return connect.NewResponse(resp), nil
 }
 
 // GetDecisionBulk for multiple requests, each comprising a combination of entity chain, action, and one or more resources
 func (as *Service) GetDecisionBulk(_ context.Context, _ *connect.Request[authzV2.GetDecisionBulkRequest]) (*connect.Response[authzV2.GetDecisionBulkResponse], error) {
 	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("GetDecisionBulk not implemented"))
 }
+
+// rollupMultiResourceDecision creates a standardized response for multi-resource decisions
+// by processing the decisions returned from the PDP.
+func rollupMultiResourceDecision(
+	decisions []*access.Decision,
+) ([]*authzV2.ResourceDecision, error) {
+	if len(decisions) == 0 {
+		return nil, errors.New("no decisions returned")
+	}
+
+	var resourceDecisions []*authzV2.ResourceDecision
+
+	for idx, decision := range decisions {
+		if decision == nil {
+			return nil, fmt.Errorf("nil decision at index %d", idx)
+		}
+		if len(decision.Results) == 0 {
+			return nil, errors.New("no decision results returned")
+		}
+		for _, result := range decision.Results {
+			access := authzV2.Decision_DECISION_DENY
+			if result.Passed {
+				access = authzV2.Decision_DECISION_PERMIT
+			}
+			resourceDecision := &authzV2.ResourceDecision{
+				Decision:            access,
+				EphemeralResourceId: result.ResourceID,
+			}
+			resourceDecisions = append(resourceDecisions, resourceDecision)
+		}
+	}
+
+	return resourceDecisions, nil
+}
+
+// rollupSingleResourceDecision creates a standardized response for a single resource decision
+// by processing the decision returned from the PDP.
+func rollupSingleResourceDecision(
+	permitted bool,
+	decisions []*access.Decision,
+) (*authzV2.GetDecisionResponse, error) {
+	if len(decisions) == 0 {
+		return nil, errors.New("no decisions returned")
+	}
+
+	decision := decisions[0]
+	if decision == nil {
+		return nil, errors.New("nil decision at index 0")
+	}
+
+	if len(decision.Results) == 0 {
+		return nil, errors.New("no decision results returned")
+	}
+
+	result := decision.Results[0]
+	access := authzV2.Decision_DECISION_DENY
+	if permitted {
+		access = authzV2.Decision_DECISION_PERMIT
+	}
+	resourceDecision := &authzV2.ResourceDecision{
+		Decision:            access,
+		EphemeralResourceId: result.ResourceID,
+	}
+	return &authzV2.GetDecisionResponse{
+		Decision: resourceDecision,
+	}, nil
+}