opentdf · jakedoublev · Jun 17, 2025 · Jun 16, 2025 · Jun 16, 2025 · Jun 16, 2025
@@ -3,7 +3,6 @@ package authorization
 import (
 	"context"
 	"errors"
-	"fmt"
 	"log/slog"
 
 	"connectrpc.com/connect"
@@ -82,14 +81,14 @@ func (as *Service) GetEntitlements(ctx context.Context, req *connect.Request[aut
 	// When authorization service can consume cached policy, switch to the other PDP (process based on policy passed in)
 	pdp, err := access.NewJustInTimePDP(ctx, as.logger, as.sdk)
 	if err != nil {
-		as.logger.ErrorContext(ctx, "failed to create JIT PDP", slog.String("error", err.Error()))
+		as.logger.ErrorContext(ctx, "failed to create JIT PDP", slog.Any("error", err))
 		return nil, connect.NewError(connect.CodeInternal, err)
 	}
 
 	entitlements, err := pdp.GetEntitlements(ctx, entityIdentifier, withComprehensiveHierarchy)
 	if err != nil {
 		// TODO: any bad request errors that aren't 500s?
-		as.logger.ErrorContext(ctx, "failed to get entitlements", slog.String("error", err.Error()))
+		as.logger.ErrorContext(ctx, "failed to get entitlements", slog.Any("error", err))
 		return nil, connect.NewError(connect.CodeInternal, err)
 	}
 
@@ -113,23 +112,26 @@ func (as *Service) GetDecision(ctx context.Context, req *connect.Request[authzV2
 
 	pdp, err := access.NewJustInTimePDP(ctx, as.logger, as.sdk)
 	if err != nil {
-		as.logger.ErrorContext(ctx, "failed to create JIT PDP", slog.String("error", err.Error()))
+		as.logger.ErrorContext(ctx, "failed to create JIT PDP", slog.Any("error", err))
 		return nil, connect.NewError(connect.CodeInternal, err)
 	}
+
 	request := req.Msg
 	entityIdentifier := request.GetEntityIdentifier()
 	action := request.GetAction()
 	resource := request.GetResource()
 
 	decisions, permitted, err := pdp.GetDecision(ctx, entityIdentifier, action, []*authzV2.Resource{resource})
 	if err != nil {
-		// TODO: any bad request errors that aren't 500s?
-		as.logger.ErrorContext(ctx, "failed to get decision", slog.String("error", err.Error()))
+		as.logger.ErrorContext(ctx, "failed to get decision", slog.Any("error", err), slog.Any("request", request))
+		if errors.Is(err, access.ErrFQNNotFound) || errors.Is(err, access.ErrDefinitionNotFound) {
+			return nil, connect.NewError(connect.CodeNotFound, err)
+		}
 		return nil, connect.NewError(connect.CodeInternal, err)
 	}
 	resp, err := rollupSingleResourceDecision(permitted, decisions)
 	if err != nil {
-		as.logger.ErrorContext(ctx, "failed to rollup single resource decision", slog.String("error", err.Error()))
+		as.logger.ErrorContext(ctx, "failed to rollup single-resource decision", slog.Any("error", err), slog.Any("request", request))
 		return nil, connect.NewError(connect.CodeInternal, err)
 	}
 	return connect.NewResponse(resp), nil
@@ -148,8 +150,7 @@ func (as *Service) GetDecisionMultiResource(ctx context.Context, req *connect.Re
 
 	pdp, err := access.NewJustInTimePDP(ctx, as.logger, as.sdk)
 	if err != nil {
-		as.logger.ErrorContext(ctx, "failed to create JIT PDP", slog.String("error", err.Error()))
-		return nil, connect.NewError(connect.CodeInternal, err)
+		return nil, statusifyError(ctx, as.logger, errors.Join(errors.New("failed to create JIT PDP"), err))
 	}
 	request := req.Msg
 	entityIdentifier := request.GetEntityIdentifier()
@@ -158,15 +159,12 @@ func (as *Service) GetDecisionMultiResource(ctx context.Context, req *connect.Re
 
 	decisions, allPermitted, err := pdp.GetDecision(ctx, entityIdentifier, action, resources)
 	if err != nil {
-		// TODO: any bad request errors that aren't 500s?
-		as.logger.ErrorContext(ctx, "failed to get decision", slog.String("error", err.Error()))
-		return nil, connect.NewError(connect.CodeInternal, err)
+		return nil, statusifyError(ctx, as.logger, errors.Join(errors.New("failed to get decision"), err), slog.Any("request", request))
 	}
 
-	resourceDecisions, err := rollupMultiResourceDecision(decisions)
+	resourceDecisions, err := rollupMultiResourceDecisions(decisions)
 	if err != nil {
-		as.logger.ErrorContext(ctx, "failed to rollup multi resource decision", slog.String("error", err.Error()))
-		return nil, connect.NewError(connect.CodeInternal, err)
+		return nil, statusifyError(ctx, as.logger, errors.Join(errors.New("failed to rollup multi-resource decision"), err), slog.Any("request", request))
 	}
 
 	resp := &authzV2.GetDecisionMultiResourceResponse{
@@ -180,73 +178,52 @@ func (as *Service) GetDecisionMultiResource(ctx context.Context, req *connect.Re
 }
 
 // GetDecisionBulk for multiple requests, each comprising a combination of entity chain, action, and one or more resources
-func (as *Service) GetDecisionBulk(_ context.Context, _ *connect.Request[authzV2.GetDecisionBulkRequest]) (*connect.Response[authzV2.GetDecisionBulkResponse], error) {
-	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("GetDecisionBulk not implemented"))
-}
+func (as *Service) GetDecisionBulk(ctx context.Context, req *connect.Request[authzV2.GetDecisionBulkRequest]) (*connect.Response[authzV2.GetDecisionBulkResponse], error) {
+	as.logger.DebugContext(ctx, "getting decision bulk")
 
-// rollupMultiResourceDecision creates a standardized response for multi-resource decisions
-// by processing the decisions returned from the PDP.
-func rollupMultiResourceDecision(
-	decisions []*access.Decision,
-) ([]*authzV2.ResourceDecision, error) {
-	if len(decisions) == 0 {
-		return nil, errors.New("no decisions returned")
-	}
+	ctx, span := as.Tracer.Start(ctx, "GetDecisionBulk")
+	defer span.End()
 
-	var resourceDecisions []*authzV2.ResourceDecision
+	// Extract trace context from the incoming request
+	propagator := otel.GetTextMapPropagator()
+	ctx = propagator.Extract(ctx, propagation.HeaderCarrier(req.Header()))
 
-	for idx, decision := range decisions {
-		if decision == nil {
-			return nil, fmt.Errorf("nil decision at index %d", idx)
-		}
-		if len(decision.Results) == 0 {
-			return nil, errors.New("no decision results returned")
-		}
-		for _, result := range decision.Results {
-			access := authzV2.Decision_DECISION_DENY
-			if result.Passed {
-				access = authzV2.Decision_DECISION_PERMIT
-			}
-			resourceDecision := &authzV2.ResourceDecision{
-				Decision:            access,
-				EphemeralResourceId: result.ResourceID,
-			}
-			resourceDecisions = append(resourceDecisions, resourceDecision)
-		}
+	pdp, err := access.NewJustInTimePDP(ctx, as.logger, as.sdk)
+	if err != nil {
+		return nil, statusifyError(ctx, as.logger, errors.Join(errors.New("failed to create JIT PDP"), err))
 	}
 
-	return resourceDecisions, nil
-}
+	multiRequests := req.Msg.GetDecisionRequests()
+	decisionResponses := make([]*authzV2.GetDecisionMultiResourceResponse, len(multiRequests))
 
-// rollupSingleResourceDecision creates a standardized response for a single resource decision
-// by processing the decision returned from the PDP.
-func rollupSingleResourceDecision(
-	permitted bool,
-	decisions []*access.Decision,
-) (*authzV2.GetDecisionResponse, error) {
-	if len(decisions) == 0 {
-		return nil, errors.New("no decisions returned")
-	}
+	// TODO: revisit performance of this loop after introduction of caching and registered resource values within decisioning,
+	// as the same entity in multiple requests should only be resolved JIT once, not once per request if the same in each.
+	for idx, request := range multiRequests {
+		entityIdentifier := request.GetEntityIdentifier()
+		action := request.GetAction()
+		resources := request.GetResources()
 
-	decision := decisions[0]
-	if decision == nil {
-		return nil, errors.New("nil decision at index 0")
-	}
+		decisions, allPermitted, err := pdp.GetDecision(ctx, entityIdentifier, action, resources)
+		if err != nil {
+			return nil, statusifyError(ctx, as.logger, errors.Join(errors.New("failed to get bulk decision"), err), slog.Any("request", request))
+		}
 
-	if len(decision.Results) == 0 {
-		return nil, errors.New("no decision results returned")
-	}
+		resourceDecisions, err := rollupMultiResourceDecisions(decisions)
+		if err != nil {
+			return nil, statusifyError(ctx, as.logger, errors.Join(errors.New("failed to rollup bulk multi-resource decision"), err), slog.Any("request", request), slog.Int("index", idx))
+		}
 
-	result := decision.Results[0]
-	access := authzV2.Decision_DECISION_DENY
-	if permitted {
-		access = authzV2.Decision_DECISION_PERMIT
+		decisionResponse := &authzV2.GetDecisionMultiResourceResponse{
+			AllPermitted: &wrapperspb.BoolValue{
+				Value: allPermitted,
+			},
+			ResourceDecisions: resourceDecisions,
+		}
+		decisionResponses[idx] = decisionResponse
 	}
-	resourceDecision := &authzV2.ResourceDecision{
-		Decision:            access,
-		EphemeralResourceId: result.ResourceID,
+
+	rsp := &authzV2.GetDecisionBulkResponse{
+		DecisionResponses: decisionResponses,
 	}
-	return &authzV2.GetDecisionResponse{
-		Decision: resourceDecision,
-	}, nil
+	return connect.NewResponse(rsp), nil
 }