opentdf · strantalis · Jun 23, 2025 · May 29, 2025 · May 29, 2025 · Jun 2, 2025
@@ -14,8 +14,10 @@ import (
 )
 
 var (
-	ErrInvalidSubjectMapping      = errors.New("access: invalid subject mapping")
-	ErrInvalidAttributeDefinition = errors.New("access: invalid attribute definition")
+	ErrInvalidSubjectMapping          = errors.New("access: invalid subject mapping")
+	ErrInvalidAttributeDefinition     = errors.New("access: invalid attribute definition")
+	ErrInvalidRegisteredResource      = errors.New("access: invalid registered resource")
+	ErrInvalidRegisteredResourceValue = errors.New("access: invalid registered resource value")
 )
 
 // getDefinition parses the value FQN and uses it to retrieve the definition from the provided definitions canmap

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"strings"
 
 	"github.com/opentdf/platform/lib/flattening"
 	authzV2 "github.com/opentdf/platform/protocol/go/authorization/v2"
@@ -13,6 +14,7 @@ import (
 	entityresolutionV2 "github.com/opentdf/platform/protocol/go/entityresolution/v2"
 	"github.com/opentdf/platform/protocol/go/policy"
 	attrs "github.com/opentdf/platform/protocol/go/policy/attributes"
+	"github.com/opentdf/platform/protocol/go/policy/registeredresources"
 	"github.com/opentdf/platform/protocol/go/policy/subjectmapping"
 	otdfSDK "github.com/opentdf/platform/sdk"
 
@@ -63,7 +65,11 @@ func NewJustInTimePDP(
 	if err != nil {
 		return nil, fmt.Errorf("failed to fetch all subject mappings: %w", err)
 	}
-	pdp, err := NewPolicyDecisionPoint(ctx, l, allAttributes, allSubjectMappings)
+	allRegisteredResources, err := p.fetchAllRegisteredResources(ctx)
+	if err != nil {
+		return nil, fmt.Errorf("failed to fetch all registered resources: %w", err)
+	}
+	pdp, err := NewPolicyDecisionPoint(ctx, l, allAttributes, allSubjectMappings, allRegisteredResources)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create new policy decision point: %w", err)
 	}
@@ -94,10 +100,17 @@ func (p *JustInTimePDP) GetDecision(
 	case *authzV2.EntityIdentifier_Token:
 		entityRepresentations, err = p.resolveEntitiesFromToken(ctx, entityIdentifier.GetToken(), skipEnvironmentEntities)
 
-	// TODO: implement this case
 	case *authzV2.EntityIdentifier_RegisteredResourceValueFqn:
-		p.logger.DebugContext(ctx, "getting decision - resolving registered resource value FQN")
-		return nil, false, errors.New("registered resources not yet implemented")
+		valueFQN := strings.ToLower(entityIdentifier.GetRegisteredResourceValueFqn())
+		// registered resources do not have entity representations, so only one decision to make and we can skip the remaining logic
+		decision, err := p.pdp.GetDecisionRegisteredResource(ctx, valueFQN, action, resources)
+		if err != nil {
+			return nil, false, fmt.Errorf("failed to get decision for registered resource value FQN [%s]: %w", valueFQN, err)
+		}
+		if decision == nil {
+			return nil, false, fmt.Errorf("decision is nil for registered resource value FQN [%s]", valueFQN)
+		}
+		return []*Decision{decision}, decision.Access, nil
 
 	default:
 		return nil, false, ErrInvalidEntityType
@@ -150,8 +163,10 @@ func (p *JustInTimePDP) GetEntitlements(
 
 	case *authzV2.EntityIdentifier_RegisteredResourceValueFqn:
 		p.logger.DebugContext(ctx, "getting decision - resolving registered resource value FQN")
-		return nil, errors.New("registered resources not yet implemented")
-		// TODO: implement this case
+		valueFQN := strings.ToLower(entityIdentifier.GetRegisteredResourceValueFqn())
+		// registered resources do not have entity representations, so we can skip the remaining logic
+		return p.pdp.GetEntitlementsRegisteredResource(ctx, valueFQN, withComprehensiveHierarchy)
+
 	default:
 		return nil, fmt.Errorf("entity type %T: %w", entityIdentifier.GetIdentifier(), ErrInvalidEntityType)
 	}
@@ -269,6 +284,34 @@ func (p *JustInTimePDP) fetchAllSubjectMappings(ctx context.Context) ([]*policy.
 	return smList, nil
 }
 
+// fetchAllRegisteredResources retrieves all registered resources within policy
+func (p *JustInTimePDP) fetchAllRegisteredResources(ctx context.Context) ([]*policy.RegisteredResource, error) {
+	// If quantity of registered resources exceeds maximum list pagination, all are needed to determine entitlements
+	var nextOffset int32
+	rrList := make([]*policy.RegisteredResource, 0)
+
+	for {
+		listed, err := p.sdk.RegisteredResources.ListRegisteredResources(ctx, &registeredresources.ListRegisteredResourcesRequest{
+			// defer to service default for limit pagination
+			Pagination: &policy.PageRequest{
+				Offset: nextOffset,
+			},
+		})
+		if err != nil {
+			return nil, fmt.Errorf("failed to list registered resources: %w", err)
+		}
+
+		nextOffset = listed.GetPagination().GetNextOffset()
+		rrList = append(rrList, listed.GetResources()...)
+
+		if nextOffset <= 0 {
+			break
+		}
+	}
+
+	return rrList, nil
+}
+
 // resolveEntitiesFromEntityChain roundtrips to ERS to resolve the provided entity chain
 // and optionally skips environment entities (which is expected behavior in decision flow)
 func (p *JustInTimePDP) resolveEntitiesFromEntityChain(

@@ -5,9 +5,11 @@ import (
 	"errors"
 	"fmt"
 	"log/slog"
+	"slices"
 	"strconv"
 	"strings"
 
+	"github.com/opentdf/platform/lib/identifier"
 	authz "github.com/opentdf/platform/protocol/go/authorization/v2"
 	entityresolutionV2 "github.com/opentdf/platform/protocol/go/entityresolution/v2"
 	"github.com/opentdf/platform/protocol/go/policy"
@@ -47,7 +49,7 @@ type EntitlementFailure struct {
 type PolicyDecisionPoint struct {
 	logger                             *logger.Logger
 	allEntitleableAttributesByValueFQN map[string]*attrs.GetAttributeValuesByFqnsResponse_AttributeAndValue
-	// allRegisteredResourcesByValueFQN map[string]*policy.RegisteredResourceValue
+	allRegisteredResourceValuesByFQN   map[string]*policy.RegisteredResourceValue
 }
 
 var (
@@ -67,8 +69,7 @@ func NewPolicyDecisionPoint(
 	l *logger.Logger,
 	allAttributeDefinitions []*policy.Attribute,
 	allSubjectMappings []*policy.SubjectMapping,
-	// TODO: take in all registered resources and store them in memory by value FQN
-	// allRegisteredResources []*policy.RegisteredResource,
+	allRegisteredResources []*policy.RegisteredResource,
 ) (*PolicyDecisionPoint, error) {
 	var err error
 
@@ -126,9 +127,26 @@ func NewPolicyDecisionPoint(
 		allEntitleableAttributesByValueFQN[mappedValueFQN] = mapped
 	}
 
+	allRegisteredResourceValuesByFQN := make(map[string]*policy.RegisteredResourceValue)
+	for _, rr := range allRegisteredResources {
+		if err := validateRegisteredResource(rr); err != nil {
+			return nil, fmt.Errorf("invalid registered resource: %w", err)
+		}
+		rrName := rr.GetName()
+
+		for _, v := range rr.GetValues() {
+			fullyQualifiedValue := identifier.FullyQualifiedRegisteredResourceValue{
+				Name:  rrName,
+				Value: v.GetValue(),
+			}
+			allRegisteredResourceValuesByFQN[fullyQualifiedValue.FQN()] = v
+		}
+	}
+
 	pdp := &PolicyDecisionPoint{
 		l,
 		allEntitleableAttributesByValueFQN,
+		allRegisteredResourceValuesByFQN,
 	}
 	return pdp, nil
 }
@@ -227,6 +245,111 @@ func (p *PolicyDecisionPoint) GetDecision(
 	return decision, nil
 }
 
+func (p *PolicyDecisionPoint) GetDecisionRegisteredResource(
+	ctx context.Context,
+	registeredResourceValueFQN string,
+	action *policy.Action,
+	resources []*authz.Resource,
+) (*Decision, error) {
+	l := p.logger.With("registeredResourceValueFQN", registeredResourceValueFQN)
+	l = l.With("action", action.GetName())
+	l.DebugContext(ctx, "getting decision", slog.Int("resourcesCount", len(resources)))
+
+	if err := validateGetDecisionRegisteredResource(registeredResourceValueFQN, action, resources); err != nil {
+		return nil, err
+	}
+
+	registeredResourceValue := p.allRegisteredResourceValuesByFQN[registeredResourceValueFQN]
+	if err := validateRegisteredResourceValue(registeredResourceValue); err != nil {
+		return nil, err
+	}
+
+	// Filter all attributes down to only those that relevant to the entitlement decisioning of these specific resources
+	decisionableAttributes := make(map[string]*attrs.GetAttributeValuesByFqnsResponse_AttributeAndValue)
+
+	for idx, resource := range resources {
+		// Assign indexed ephemeral ID for resource if not already set
+		if resource.GetEphemeralId() == "" {
+			resource.EphemeralId = "resource-" + strconv.Itoa(idx)
+		}
+
+		for idx, valueFQN := range resource.GetAttributeValues().GetFqns() {
+			// lowercase each resource attribute value FQN for case consistent map key lookups
+			valueFQN = strings.ToLower(valueFQN)
+			resource.GetAttributeValues().Fqns[idx] = valueFQN
+
+			// If same value FQN more than once, skip
+			if _, ok := decisionableAttributes[valueFQN]; ok {
+				continue
+			}
+
+			attributeAndValue, ok := p.allEntitleableAttributesByValueFQN[valueFQN]
+			if !ok {
+				return nil, fmt.Errorf("resource value FQN not found in memory [%s]: %w", valueFQN, ErrInvalidResource)
+			}
+
+			decisionableAttributes[valueFQN] = attributeAndValue
+			err := populateHigherValuesIfHierarchy(ctx, p.logger, valueFQN, attributeAndValue.GetAttribute(), p.allEntitleableAttributesByValueFQN, decisionableAttributes)
+			if err != nil {
+				return nil, fmt.Errorf("error populating higher hierarchy attribute values: %w", err)
+			}
+		}
+	}
+	l.DebugContext(ctx, "filtered to only entitlements relevant to decisioning", slog.Int("decisionableAttributeValuesCount", len(decisionableAttributes)))
+
+	entitledFQNsToActions := make(map[string][]*policy.Action)
+	for _, aav := range registeredResourceValue.GetActionAttributeValues() {
+		aavAction := aav.GetAction()
+		if action.GetName() != aavAction.GetName() {
+			l.DebugContext(ctx, "skipping action not matching Decision Request action", slog.String("actionName", aavAction.GetName()))
+			continue
+		}
+
+		attrVal := aav.GetAttributeValue()
+		attrValFQN := attrVal.GetFqn()
+		actionsList, ok := entitledFQNsToActions[attrValFQN]
+		if !ok {
+			actionsList = make([]*policy.Action, 0)
+		}
+
+		if !slices.ContainsFunc(actionsList, func(a *policy.Action) bool {
+			return a.GetName() == aavAction.GetName()
+		}) {
+			actionsList = append(actionsList, aavAction)
+		}
+
+		entitledFQNsToActions[attrValFQN] = actionsList
+
+		// todo: does hierarchy (low or high) need to be populated here?
+	}
+
+	decision := &Decision{
+		Access:  true,
+		Results: make([]ResourceDecision, len(resources)),
+	}
+
+	for idx, resource := range resources {
+		resourceDecision, err := getResourceDecision(ctx, p.logger, decisionableAttributes, entitledFQNsToActions, action, resource)
+		if err != nil || resourceDecision == nil {
+			return nil, fmt.Errorf("error evaluating a decision on resource [%v]: %w", resource, err)
+		}
+		if !resourceDecision.Passed {
+			decision.Access = false
+		}
+
+		l.DebugContext(
+			ctx,
+			"resourceDecision result",
+			slog.Bool("passed", resourceDecision.Passed),
+			slog.String("resourceID", resourceDecision.ResourceID),
+			slog.Int("dataRuleResultsCount", len(resourceDecision.DataRuleResults)),
+		)
+		decision.Results[idx] = *resourceDecision
+	}
+
+	return decision, nil
+}
+
 func (p *PolicyDecisionPoint) GetEntitlements(
 	ctx context.Context,
 	entityRepresentations []*entityresolutionV2.EntityRepresentation,
@@ -299,3 +422,65 @@ func (p *PolicyDecisionPoint) GetEntitlements(
 	)
 	return result, nil
 }
+
+func (p *PolicyDecisionPoint) GetEntitlementsRegisteredResource(
+	ctx context.Context,
+	registeredResourceValueFQN string,
+	withComprehensiveHierarchy bool,
+) ([]*authz.EntityEntitlements, error) {
+	l := p.logger.With("withComprehensiveHierarchy", strconv.FormatBool(withComprehensiveHierarchy))
+	l.DebugContext(ctx, "getting entitlements for registered resource value", slog.String("fqn", registeredResourceValueFQN))
+
+	if _, err := identifier.Parse[*identifier.FullyQualifiedRegisteredResourceValue](registeredResourceValueFQN); err != nil {
+		return nil, err
+	}
+
+	registeredResourceValue := p.allRegisteredResourceValuesByFQN[registeredResourceValueFQN]
+	if err := validateRegisteredResourceValue(registeredResourceValue); err != nil {
+		return nil, err
+	}
+
+	actionsPerAttributeValueFqn := make(map[string]*authz.EntityEntitlements_ActionsList)
+
+	for _, aav := range registeredResourceValue.GetActionAttributeValues() {
+		action := aav.GetAction()
+		attrVal := aav.GetAttributeValue()
+		attrValFQN := attrVal.GetFqn()
+
+		actionsList, ok := actionsPerAttributeValueFqn[attrValFQN]
+		if !ok {
+			actionsList = &authz.EntityEntitlements_ActionsList{
+				Actions: make([]*policy.Action, 0),
+			}
+		}
+
+		if !slices.ContainsFunc(actionsList.GetActions(), func(a *policy.Action) bool {
+			return a.GetName() == action.GetName()
+		}) {
+			actionsList.Actions = append(actionsList.Actions, action)
+		}
+
+		actionsPerAttributeValueFqn[attrValFQN] = actionsList
+
+		if withComprehensiveHierarchy {
+			err := populateLowerValuesIfHierarchy(attrValFQN, p.allEntitleableAttributesByValueFQN, actionsList, actionsPerAttributeValueFqn)
+			if err != nil {
+				return nil, fmt.Errorf("error populating comprehensive lower hierarchy values for registered resource value FQN [%s]: %w", attrValFQN, err)
+			}
+		}
+	}
+
+	result := []*authz.EntityEntitlements{
+		{
+			EphemeralId:                 registeredResourceValueFQN,
+			ActionsPerAttributeValueFqn: actionsPerAttributeValueFqn,
+		},
+	}
+	l.DebugContext(
+		ctx,
+		"entitlement results for registered resource value",
+		slog.Any("entitlements", result),
+	)
+
+	return result, nil
+}