feat(authz): DSPX-894 auth svc registered resource GetEntitlement support #2358
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hello @ryanulit, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
Summary of Changes
Hello! Gemini here, providing a summary of this pull request to help everyone quickly understand the changes.
This PR introduces support for fetching entitlements based on Registered Resource Values within the authorization service's Policy Decision Point (PDP). Previously, entitlement checks primarily focused on entities resolved via the Entity Resolution Service (ERS). This change adds a new path to handle entitlement requests directly for registered resource values, which do not have corresponding entity representations in ERS.
The core changes involve modifying the PDP to load and cache registered resources and their values, adding a new method to the PDP to calculate entitlements specifically for registered resource values, and updating the Just-In-Time PDP to utilize this new functionality when a registered resource value FQN is provided as the entity identifier.
Highlights
- Registered Resource Entitlements: Adds the capability for the authorization service to calculate entitlements for Registered Resource Values, expanding the types of resources that can be checked for access.
- PDP Enhancement: The Policy Decision Point (PDP) is updated to load and store registered resources and their values in memory upon initialization, alongside attributes and subject mappings.
- New Entitlement Path: A dedicated logic path is added to the
GetEntitlementsflow in the Just-In-Time PDP to handle requests where the entity identifier is a Registered Resource Value FQN, bypassing the need for ERS resolution. - Validation and Error Handling: New validation logic and error types are introduced to ensure that registered resources are valid when loaded into the PDP.
Changelog
Click here to see the changelog
- service/internal/access/v2/helpers.go
- Added
ErrInvalidRegisteredResourceandErrInvalidRegisteredResourceValueerror variables (lines 19-20).
- Added
- service/internal/access/v2/just_in_time_pdp.go
- Imported
strings(line 8) andregisteredresourcesprotocol (line 17). - Modified
NewJustInTimePDPto fetch all registered resources usingfetchAllRegisteredResourcesand pass them toNewPolicyDecisionPoint(lines 68-72). - Updated the
GetEntitlementsmethod to handle theRegisteredResourceValueFqncase by calling the newpdp.GetEntitlementsRegisteredResourcemethod (lines 159-161). - Added the
fetchAllRegisteredResourcesmethod to retrieve all registered resources from the SDK with pagination (lines 280-306).
- Imported
- service/internal/access/v2/pdp.go
- Imported
slices(line 8) andidentifierlibrary (line 12). - Added
allRegisteredResourceValuesByFQNmap field toPolicyDecisionPointstruct (line 52). - Modified
NewPolicyDecisionPointconstructor to acceptallRegisteredResources(line 72). - Added logic in
NewPolicyDecisionPointto populateallRegisteredResourceValuesByFQNmap from the provided registered resources, including validation (lines 130-143). - Added the
GetEntitlementsRegisteredResourcemethod to calculate entitlements for a given registered resource value FQN (lines 321-376).
- Imported
- service/internal/access/v2/validators.go
- Added the
validateRegisteredResourcefunction to validate registered resource objects (lines 100-125).
- Added the
- service/internal/access/v2/validators_test.go
- Added
TestValidateRegisteredResourcefunction with various test cases for the new validation logic (lines 286-360).
- Added
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
A new path is laid,
For resources registered,
Access now is clear.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request effectively adds support for GetEntitlement for registered resources. The new functions for fetching and validating registered resources are clear, and the integration into the Policy Decision Point (PDP) is logical. The added unit tests for the validator function are comprehensive.
I've identified a critical issue regarding a potential nil pointer dereference that needs to be addressed. Additionally, there's a TODO comment regarding FQN validation that would be good to resolve for enhanced robustness.
While not part of the code changes themselves, please ensure that unit tests covering the new logic in PolicyDecisionPoint.GetEntitlementsRegisteredResource and the new case in JustInTimePDP.GetEntitlements are added, if not already planned for a subsequent PR, to maintain good test coverage.
Summary of Findings
- Potential Nil Pointer Dereference: In
GetEntitlementsRegisteredResource, if the providedregisteredResourceValueFQNis not found in the map,registeredResourceValuewill be nil, leading to a panic when its methods are called. A nil check is required. - FQN Validation: A TODO comment in
GetEntitlementsRegisteredResourcesuggests validating theregisteredResourceValueFQN. While a nil check after map lookup is crucial, validating the FQN format beforehand would improve robustness.
Merge Readiness
The pull request makes good progress in adding support for registered resource entitlements. However, there is a critical issue regarding a potential nil pointer dereference that must be addressed before this PR can be considered ready for merging. Additionally, there's a suggestion for enhancing FQN validation.
I am unable to approve pull requests directly. Please address the critical issue, consider the medium-severity feedback, and then have other reviewers approve this code before merging.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
Error Summary
TDF3 Benchmark Results:
Error Summary:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
Error Summary
TDF3 Benchmark Results:
Error Summary:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
Error Summary
TDF3 Benchmark Results:
Error Summary:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
Error Summary
TDF3 Benchmark Results:
Error Summary:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
Error Summary
TDF3 Benchmark Results:
Error Summary:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
Error Summary
TDF3 Benchmark Results:
Error Summary:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
Error Summary
TDF3 Benchmark Results:
Error Summary:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
Error Summary
TDF3 Benchmark Results:
Error Summary:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
Error Summary
TDF3 Benchmark Results:
Error Summary:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request effectively introduces support for GetEntitlement for registered resources. The changes are well-structured, with clear separation of concerns between the JustInTimePDP and the core PolicyDecisionPoint. The addition of new helper functions, modifications to existing ones, and the introduction of new test suites demonstrate a thorough approach to implementing this feature.
The new fetchAllRegisteredResources function correctly handles pagination, and the GetEntitlementsRegisteredResource method in the PDP provides the core logic for determining entitlements based on registered resource FQNs, including support for comprehensive hierarchy.
Unit tests are comprehensive, covering various scenarios such as invalid inputs, different combinations of action-attribute values, and hierarchy considerations. The addition of validation for registered resources (validateRegisteredResource and its tests) further enhances the robustness of the system.
Overall, the code quality is high, and the changes appear to be correct and well-implemented.
Summary of Findings
- Code Quality and Testing: The overall code quality is excellent. The new functionality is well-integrated, and the unit tests are comprehensive, covering a wide range of scenarios and edge cases. This significantly increases confidence in the correctness of the implementation.
- Clarity and Maintainability: The code is clear and maintainable. New functions and methods are well-named, and their purpose is evident. The reuse of existing logic, such as
populateLowerValuesIfHierarchy, is good practice. - Log Message Consistency (Minor): In
service/internal/access/v2/just_in_time_pdp.go, line 158, the debug log message"getting decision - resolving registered resource value FQN"is within theGetEntitlementsmethod. For consistency with other log messages related to entitlements (e.g., inpdp.go), it could be slightly more precise, like"getting entitlements - resolving registered resource value FQN". This is a minor point and was not formally commented on due to review settings prioritizing medium severity issues and above.
Merge Readiness
The pull request is in excellent shape and implements the new feature thoroughly and correctly. The code is clear, well-tested, and adheres to good practices. I have not identified any critical or high-severity issues. Based on this review, the PR appears ready for merging, pending any other review processes or integration testing requirements. As an AI, I am not authorized to approve pull requests, so please ensure it is reviewed and approved by the appropriate team members.
jakedoublev
reviewed
Jun 4, 2025
jakedoublev
reviewed
Jun 4, 2025
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
Error Summary
TDF3 Benchmark Results:
Error Summary:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
…without values and update tests
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces support for GetEntitlement for registered resources within the authorization service. The changes are quite comprehensive, touching upon the PDP (Policy Decision Point) core logic, JIT PDP, helpers, validators, and extensive test suites.
Overall, the implementation appears robust and well-thought-out. The new functionality is clearly delineated, and the integration into existing components seems logical. The test coverage for the new GetEntitlementsRegisteredResource method and associated validators is particularly commendable, covering a wide range of scenarios including invalid inputs, various data configurations, and hierarchy considerations.
I have one suggestion for a minor refinement in error handling for increased clarity, detailed in a specific comment.
Regarding the PR description:
- The checklist item "I have added or updated unit tests" should be checked, as significant unit tests have indeed been added and updated.
- The status of integration tests and documentation updates is unclear from the description. It would be beneficial to update these as well.
Summary of Findings
- Error Handling Clarity for Non-Existent Registered Resource FQN: In
GetEntitlementsRegisteredResource, when aregisteredResourceValueFQNis not found in the internal map, the current logic relies onvalidateRegisteredResourceValue(nil)to signal an error. While correct, a more explicit check for the FQN's existence could provide a clearer error message, distinguishing 'not found' from 'found but invalid'.
Merge Readiness
The pull request is largely in good shape and introduces valuable functionality with good test coverage. There is one medium-severity suggestion regarding error handling clarity in service/internal/access/v2/pdp.go that I recommend considering for improved maintainability. Additionally, updating the PR description checklist would be helpful.
I am not authorized to approve pull requests, so please ensure further review and approval from authorized maintainers before merging. Addressing the suggested refinement would be beneficial.
jakedoublev
approved these changes
Jun 5, 2025
3 tasks
strantalis
approved these changes
Jun 5, 2025
dmihalcik-virtru
restored the
DSPX-894-auth-svc-rr-get-entitlement-support
branch
github-merge-queue bot
pushed a commit
that referenced
this pull request
Jun 6, 2025
🤖 I have created a release *beep* *boop* --- ## [0.6.0](service/v0.5.5...service/v0.6.0) (2025-06-06) ### Features * **authz:** DSPX-894 auth svc registered resource GetEntitlement support ([#2358](#2358)) ([a199aa7](a199aa7)) * **authz:** improve v2 request proto validation ([#2357](#2357)) ([f927b99](f927b99)) * **core:** DSPX-608 - Deprecate public_client_id ([#2185](#2185)) ([0f58efa](0f58efa)) * **policy:** Return Simple Kas Keys from non-Key RPCs ([#2387](#2387)) ([5113e0e](5113e0e)) * **policy:** Unique name for the key provider. ([#2391](#2391)) ([bb58b78](bb58b78)) * **policy:** Update simple kas key ([#2378](#2378)) ([09d8239](09d8239)) ### Bug Fixes * **deps:** bump github.com/opentdf/platform/protocol/go from 0.3.6 to 0.4.0 in /service ([#2399](#2399)) ([1c6fa75](1c6fa75)) * **deps:** bump the external group across 1 directory with 21 updates ([#2401](#2401)) ([3d0d4d1](3d0d4d1)) * **policy:** move action sub queries to CTE in sm list and match sql ([#2369](#2369)) ([0fd6feb](0fd6feb)) * **policy:** protovalidate deprecated action types and removal of gRPC gateway in subject mappings svc ([#2377](#2377)) ([54a6de0](54a6de0)) * **policy:** remove gRPC gateway in policy except where needed ([#2382](#2382)) ([1937acb](1937acb)) * **policy:** remove support for creation/updation of SubjectMappings with deprecated proto actions ([#2373](#2373)) ([3660200](3660200)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed Changes
GetEntitlementsRegisteredResourcesmethod to pdp access v2 logicChecklist
Testing Instructions