8 changes: 4 additions & 4 deletions docs/grpc/index.html


6 changes: 3 additions & 3 deletions docs/openapi/policy/objects.openapi.yaml


8 changes: 4 additions & 4 deletions docs/openapi/policy/obligations/obligations.openapi.yaml


434 changes: 217 additions & 217 deletions protocol/go/policy/objects.pb.go


2 changes: 1 addition & 1 deletion protocol/go/policy/obligations/obligations.pb.go


14 changes: 7 additions & 7 deletions service/integration/obligation_triggers_test.go
Expand Up @@ -145,7 +145,7 @@ func (s *ObligationTriggersSuite) Test_CreateObligationTrigger_WithIDs_Success()
Labels: map[string]string{"source": "test"},
},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand Down Expand Up @@ -176,7 +176,7 @@ func (s *ObligationTriggersSuite) Test_CreateObligationTrigger_WithNameFQN_Succe
Labels: map[string]string{"source": "test"},
},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand All @@ -194,7 +194,7 @@ func (s *ObligationTriggersSuite) Test_CreateObligationTrigger_ObligationValueNo
AttributeValue: &common.IdFqnIdentifier{Id: s.attributeValue.GetId()},
Action: &common.IdNameIdentifier{Id: s.action.GetId()},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand All @@ -211,7 +211,7 @@ func (s *ObligationTriggersSuite) Test_CreateObligationTrigger_AttributeValueNot
AttributeValue: &common.IdFqnIdentifier{Id: randomID},
Action: &common.IdNameIdentifier{Id: s.action.GetId()},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand All @@ -228,7 +228,7 @@ func (s *ObligationTriggersSuite) Test_CreateObligationTrigger_ActionNotFound_Fa
AttributeValue: &common.IdFqnIdentifier{Id: s.attributeValue.GetId()},
Action: &common.IdNameIdentifier{Id: randomID},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand Down Expand Up @@ -270,7 +270,7 @@ func (s *ObligationTriggersSuite) Test_CreateObligationTrigger_AttributeValueDif
AttributeValue: &common.IdFqnIdentifier{Id: differentAttributeValue.GetId()},
Action: &common.IdNameIdentifier{Id: s.action.GetId()},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand Down Expand Up @@ -306,7 +306,7 @@ func (s *ObligationTriggersSuite) createGenericTrigger() *policy.ObligationTrigg
Action: &common.IdNameIdentifier{Id: s.action.GetId()},
Metadata: &common.MetadataMutable{},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
36 changes: 17 additions & 19 deletions service/integration/obligations_test.go
Expand Up @@ -284,7 +284,7 @@ func (s *ObligationsSuite) Test_GetObligationsByFQNs_WithTriggers_Succeeds() {
Action: &common.IdNameIdentifier{Name: "read"},
AttributeValue: &common.IdFqnIdentifier{Fqn: "https://example.com/attr/attr1/value/value1"},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand Down Expand Up @@ -501,7 +501,7 @@ func (s *ObligationsSuite) Test_ListObligations_WithTriggers_Succeeds() {
Action: &common.IdNameIdentifier{Name: "read"},
AttributeValue: &common.IdFqnIdentifier{Fqn: "https://example.com/attr/attr1/value/value1"},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand All @@ -516,7 +516,7 @@ func (s *ObligationsSuite) Test_ListObligations_WithTriggers_Succeeds() {
Action: &common.IdNameIdentifier{Name: "update"},
AttributeValue: &common.IdFqnIdentifier{Fqn: "https://example.com/attr/attr1/value/value2"},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand Down Expand Up @@ -800,7 +800,7 @@ func (s *ObligationsSuite) Test_CreateObligationValue_WithTriggers_IDs_Succeeds(
Action: &common.IdNameIdentifier{Id: triggerSetup.action.GetId()},
AttributeValue: &common.IdFqnIdentifier{Id: triggerSetup.attributeValues[0].ID},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand Down Expand Up @@ -851,7 +851,7 @@ func (s *ObligationsSuite) Test_CreateObligationValue_WithTriggers_FQNsNames_Suc
Action: &common.IdNameIdentifier{Name: triggerSetup.action.GetName()},
AttributeValue: &common.IdFqnIdentifier{Fqn: "https://example.com/attr/attr1/value/value1"},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand Down Expand Up @@ -1179,7 +1179,7 @@ func (s *ObligationsSuite) Test_GetObligationValuesByFQNs_WithTriggers_Succeeds(
Action: &common.IdNameIdentifier{Name: "read"},
AttributeValue: &common.IdFqnIdentifier{Fqn: "https://example.com/attr/attr1/value/value1"},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand All @@ -1192,7 +1192,7 @@ func (s *ObligationsSuite) Test_GetObligationValuesByFQNs_WithTriggers_Succeeds(
Action: &common.IdNameIdentifier{Name: "update"},
AttributeValue: &common.IdFqnIdentifier{Fqn: "https://example.com/attr/attr1/value/value2"},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand Down Expand Up @@ -1434,7 +1434,7 @@ func (s *ObligationsSuite) Test_UpdateObligationValue_WithTriggers_Succeeds() {
Action: &common.IdNameIdentifier{Id: triggerSetup.action.GetId()},
AttributeValue: &common.IdFqnIdentifier{Id: triggerSetup.attributeValues[0].ID},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand All @@ -1443,7 +1443,7 @@ func (s *ObligationsSuite) Test_UpdateObligationValue_WithTriggers_Succeeds() {
Action: &common.IdNameIdentifier{Id: triggerSetup.action.GetId()},
AttributeValue: &common.IdFqnIdentifier{Id: triggerSetup.attributeValues[1].ID},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand Down Expand Up @@ -1483,7 +1483,7 @@ func (s *ObligationsSuite) Test_UpdateObligationValue_WithTriggers_Succeeds() {
Action: &common.IdNameIdentifier{Id: triggerSetup.action.GetId()},
AttributeValue: &common.IdFqnIdentifier{Id: triggerSetup.attributeValues[0].ID},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: updatedClientID,
},
},
Expand Down Expand Up @@ -1826,7 +1826,7 @@ func (s *ObligationsSuite) createObligationValueWithTriggers(obligationID string
Action: &common.IdNameIdentifier{Id: triggerAction.GetId()},
AttributeValue: &common.IdFqnIdentifier{Id: triggerAttributeValue.ID},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand All @@ -1835,7 +1835,7 @@ func (s *ObligationsSuite) createObligationValueWithTriggers(obligationID string
Action: &common.IdNameIdentifier{Id: triggerAction.GetId()},
AttributeValue: &common.IdFqnIdentifier{Id: triggerAttributeValue2.ID},
Context: &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: clientID,
},
},
Expand Down Expand Up @@ -1906,15 +1906,13 @@ func (s *ObligationsSuite) assertObligationValuesSpecificTriggers(obl *policy.Ob
s.Require().Nil(actualTrigger.GetObligationValue(),
"Trigger's obligation_value field should be empty to avoid circular references")
s.Require().Len(actualTrigger.GetContext(), len(expectedTrigger.GetContext()))
found := 0
expectedClientIDs := make(map[string]bool)
for _, expReqContext := range expectedTrigger.GetContext() {
expectedClientIDs[expReqContext.GetPep().GetClientId()] = true
}
for _, actReqContext := range actualTrigger.GetContext() {
for _, expReqContext := range expectedTrigger.GetContext() {
if actReqContext.GetPep().GetClientId() == expReqContext.GetPep().GetClientId() {
found++
}
}
s.Require().True(expectedClientIDs[actReqContext.GetPep().GetClientId()], "unexpected client id %s", actReqContext.GetPep().GetClientId())
}
s.Require().Len(expectedTrigger.GetContext(), found)
}
}
}
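Review bot: In the last hunk the new loop only proves that every actual client id appears somewhere in the expected set, so together with the earlier `Len` assertion it still passes when the actual contexts repeat one expected id and omit another (expected {a, b}, actual {a, a}). These ids record which PEP client a trigger is bound to, so a wrong binding could slip through; compare the two sides as multisets instead, ending in `s.Require().ElementsMatch(expectedClientIDs, actualClientIDs)`. assertObligationValuesSpecificTriggers begins outside the hunk.

```go
// … unchanged: obligation_value nil check and Len assertion on the contexts …
expectedClientIDs := make([]string, 0, len(expectedTrigger.GetContext()))
for _, expReqContext := range expectedTrigger.GetContext() {
	expectedClientIDs = append(expectedClientIDs, expReqContext.GetPep().GetClientId())
}
actualClientIDs := make([]string, 0, len(actualTrigger.GetContext()))
for _, actReqContext := range actualTrigger.GetContext() {
	actualClientIDs = append(actualClientIDs, actReqContext.GetPep().GetClientId())
}
s.Require().ElementsMatch(expectedClientIDs, actualClientIDs)
```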
Expand Up @@ -34,4 +34,4 @@ erDiagram

### 1. **Column Addition**

- Require `client_id` to be a part of a trigger.
- Add optional `client_id` to be a part of a trigger.
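--- a/service/policy/db/obligations.go
+++ b/service/policy/db/obligations.go
@@ -596,13 +596,18 @@ func (c PolicyDBClient) CreateObligationTrigger(ctx context.Context, r *obligati
 return nil, fmt.Errorf("failed to get obligation value: %w", err)
 }
 
+clientID := ""
+if r.GetContext() != nil && r.GetContext().GetPep() != nil {
+clientID = r.GetContext().GetPep().GetClientId()
+}
+
 params := createObligationTriggerParams{
 ObligationValueID: oblVal.GetId(),
 ActionName: r.GetAction().GetName(),
 ActionID: r.GetAction().GetId(),
 AttributeValueID: r.GetAttributeValue().GetId(),
 AttributeValueFqn: r.GetAttributeValue().GetFqn(),
-ClientID: r.GetContext().GetPep().GetClientId(),
+ClientID: clientID,
 Metadata: metadataJSON,
 }
 row, err := c.queries.createObligationTrigger(ctx, params)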
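Review bot: The stored `ClientID` silently becomes the empty string when the request carries no `Context` or `Pep`, and nothing in this hunk says how a trigger with an empty client id is treated at decision time, i.e. whether it applies to no PEP or to every PEP. That difference decides where the obligation is enforced, so state whichever meaning is intended next to the fallback, e.g. `// No PEP in the request: persist an empty client_id; the trigger is not tied to one client.`, and repeat it under the `// Optional` comment on `context` in service/policy/obligations/obligations.proto. The explicit nil checks also look redundant: if these are the standard protoc-gen-go getters they are nil-receiver safe, so the removed `r.GetContext().GetPep().GetClientId()` would already have returned "" here. The test hunks visible on this page still always pass a `Context`, so a case that omits it would be worth adding; the body of CreateObligationTrigger starts and ends outside the hunk.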
4 changes: 2 additions & 2 deletions service/policy/objects.proto
Expand Up @@ -461,15 +461,15 @@ message RegisteredResourceValue {
common.Metadata metadata = 100;
}

message PolicyEnforcemenPoint {
message PolicyEnforcementPoint {
string client_id = 1 [
(buf.validate.field).string = {min_len: 1}
];
}

// Holds the context needed for obligation fulfillment
message RequestContext {
PolicyEnforcemenPoint pep = 1;
PolicyEnforcementPoint pep = 1;
}

message Obligation {
2 changes: 1 addition & 1 deletion service/policy/obligations/obligations.proto
Expand Up @@ -182,7 +182,7 @@ message AddObligationTriggerRequest {
// Required
common.IdFqnIdentifier attribute_value = 3 [(buf.validate.field).required = true];

// Required
// Optional
// The request context for this obligation value policy decisioning.
policy.RequestContext context = 4;

6 changes: 3 additions & 3 deletions service/policy/obligations/obligations_test.go
Expand Up @@ -31,7 +31,7 @@ func Test_AddObligationTrigger_Request(t *testing.T) {
invalidFQN := "invalid-fqn"
validName := "kas"
validRequestContext := &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: "client-id",
},
}
Expand Down Expand Up @@ -266,7 +266,7 @@ func Test_RemoveObligationTrigger_Request(t *testing.T) {
func Test_CreateObligationValue_Request(t *testing.T) {
validUUID := uuid.NewString()
validRequestContext := &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: "client-id",
},
}
Expand Down Expand Up @@ -438,7 +438,7 @@ func Test_CreateObligationValue_Request(t *testing.T) {
func Test_UpdateObligationValue_Request(t *testing.T) {
validUUID := uuid.NewString()
validRequestContext := &policy.RequestContext{
Pep: &policy.PolicyEnforcemenPoint{
Pep: &policy.PolicyEnforcementPoint{
ClientId: "client-id",
},
}