feat(authz): audit logs should properly handle obligations #2824
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
|
/gemini review |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request enhances audit logging to include information about obligations. The changes are generally good, introducing a dedicated struct for obligation decisions and refactoring the policy decision points to propagate entitlement information for auditing. I've identified a bug where the Access field in multi-entity decisions is not correctly updated based on obligation fulfillment, leading to inconsistent return values. I've also suggested several refactorings to reduce code duplication and simplify logic, improving maintainability. Additionally, there's an unused parameter in the audit event parameters that should be removed.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request introduces significant enhancements to the authorization service, focusing on the proper handling and auditing of obligations. Key changes include refactoring the decision logic to clearly distinguish between 'entitlement' (based on attributes) and the final 'passed' status (which now includes obligation fulfillment), and greatly improving the detail in audit logs to report on fulfillable obligations, required obligations, and their satisfaction status. The code has been restructured for better clarity and separation of concerns, such as moving audit logic into a dedicated function and using more descriptive data structures for obligation decisions. The tests have also been thoroughly updated to reflect these changes.
My review includes a couple of suggestions to further improve code clarity and adhere to idiomatic Go practices, particularly around loop efficiency and variable naming.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
strantalis
reviewed
Oct 22, 2025
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
strantalis
approved these changes
Oct 22, 2025
github-merge-queue
bot
removed this pull request from the merge queue due to failed status checks
github-merge-queue bot
pushed a commit
that referenced
this pull request
Oct 22, 2025
🤖 I have created a release *beep* *boop* --- ## [0.11.0](service/v0.10.0...service/v0.11.0) (2025-10-22) ### Features * **authz:** add obligation fulfillment logic to obligation PDP ([#2740](#2740)) ([2f8d30d](2f8d30d)) * **authz:** audit logs should properly handle obligations ([#2824](#2824)) ([874ec7b](874ec7b)) * **authz:** defer to request auth as decision/entitlements entity ([#2789](#2789)) ([feb34d8](feb34d8)) * **authz:** obligations protos within auth service ([#2745](#2745)) ([41ee5a8](41ee5a8)) * **authz:** protovalidate tests for new authz obligations fields ([#2747](#2747)) ([73e6319](73e6319)) * **authz:** service logic to use request auth as entity identifier in PDP decisions/entitlements ([#2790](#2790)) ([6784e88](6784e88)) * **authz:** wire up obligations enforcement in auth service ([#2756](#2756)) ([11b3ea9](11b3ea9)) * **core:** propagate token clientID on configured claim via interceptor into shared context metadata ([#2760](#2760)) ([0f77246](0f77246)) * **kas:** Add required obligations to kao metadata.: ([#2806](#2806)) ([16fb26c](16fb26c)) * **policy:** add FQNs to obligation defs + vals ([#2749](#2749)) ([fa2585c](fa2585c)) * **policy:** Add obligation support to KAS ([#2786](#2786)) ([bb1bca0](bb1bca0)) * **policy:** List obligation triggers rpc ([#2823](#2823)) ([206abe3](206abe3)) * **policy:** namespace root certificates ([#2771](#2771)) ([beaff21](beaff21)) * **policy:** Proto - root certificates by namespace ([#2800](#2800)) ([0edb359](0edb359)) * **policy:** Protos List obligation triggers ([#2803](#2803)) ([b32df81](b32df81)) * **policy:** Return built obligations fqns with triggers. ([#2830](#2830)) ([e843018](e843018)) * **policy:** Return obligations from GetAttributeValue calls ([#2742](#2742)) ([aa9b393](aa9b393)) ### Bug Fixes * **core:** CORS ([#2787](#2787)) ([a030ac6](a030ac6)) * **core:** deprecate policy WithValue selector not utilized by RPC ([#2794](#2794)) ([c573595](c573595)) * **core:** deprecated stale protos and add better upgrade comments ([#2793](#2793)) ([f2678cc](f2678cc)) * **core:** Don't require known manager names ([#2792](#2792)) ([8a56a96](8a56a96)) * **core:** Fix mode negation and core mode ([#2779](#2779)) ([de9807d](de9807d)) * **core:** resolve environment loading issues ([#2827](#2827)) ([9af3184](9af3184)) * **deps:** bump github.com/opentdf/platform/lib/ocrypto from 0.6.0 to 0.7.0 in /service ([#2812](#2812)) ([a6d180d](a6d180d)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.12.0 to 0.13.0 in /service ([#2814](#2814)) ([5e9c695](5e9c695)) * **deps:** bump github.com/opentdf/platform/sdk from 0.7.0 to 0.9.0 in /service ([#2798](#2798)) ([d6bc9a8](d6bc9a8)) * **deps:** bump github.com/opentdf/platform/sdk from 0.9.0 to 0.10.0 in /service ([#2831](#2831)) ([412dfd1](412dfd1)) * ECC key loading (deprecated) ([#2757](#2757)) ([49990eb](49990eb)) * **policy:** Change to nil ([#2746](#2746)) ([a449434](a449434)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed Changes
Single resource success log:
{ "time": "2025-10-21T19:42:59.465451-07:00", "level": "AUDIT", "msg": "decision", "namespace": "authorization", "version": "v2", "audit": { "object": { "type": "entity_object", "id": "jwtentity-1-clientid-opentdf-read", "name": "decisionRequest-read", "attributes": { "assertions": null, "attrs": null, "permissions": null } }, "action": { "type": "read", "result": "success" }, "actor": { "id": "jwtentity-1-clientid-opentdf", "attributes": [ { "entitlements_relevant_to_decision": { "https://example.com/attr/class/value/topsecret": [ { "id": "a1bb9ff7-74a1-4c30-a5c2-7067a1d84aef", "Value": null, "name": "read" } ] } } ] }, "eventMetaData": { "resource_decisions": [ { "passed": true, "obligations_satisfied": true, "entitled": true, "resource_id": "resource-0", "resource_name": "https://reg_res/testing/value/secret", "data_rule_results": [ { "passed": true, "resource_value_fqns": [ "https://example.com/attr/class/value/secret" ], "attribute": { "id": "70e2949e-8a15-4b4d-ab2a-a1a9bfa415a9", "rule": 3, "fqn": "https://example.com/attr/class" }, "entitlement_failures": null } ], "required_obligation_value_fqns": [ "https://example.com/obl/drm/value/mask" ] } ], "fulfillable_obligation_value_fqns": [ "https://example.com/obl/drm/value/mask" ], "obligations_satisfied": true }, "clientInfo": { "userAgent": "grpc-go/1.61.0", "platform": "authorization.v2", "requestIP": "None" }, "original": null, "updated": null, "requestID": "17a49c85-8a0c-4996-8804-d91d0b77e501", "timestamp": "2025-10-21T19:42:59-07:00" } }single resource failure log:
{ "time": "2025-10-21T19:42:18.829716-07:00", "level": "AUDIT", "msg": "decision", "namespace": "authorization", "version": "v2", "audit": { "object": { "type": "entity_object", "id": "jwtentity-1-clientid-opentdf-read", "name": "decisionRequest-read", "attributes": { "assertions": null, "attrs": null, "permissions": null } }, "action": { "type": "read", "result": "failure" }, "actor": { "id": "jwtentity-1-clientid-opentdf", "attributes": [ { "entitlements_relevant_to_decision": { "https://example.com/attr/class/value/topsecret": [ { "id": "a1bb9ff7-74a1-4c30-a5c2-7067a1d84aef", "Value": null, "name": "read" } ] } } ] }, "eventMetaData": { "resource_decisions": [ { "passed": false, "obligations_satisfied": false, "entitled": true, "resource_id": "resource-0", "resource_name": "https://reg_res/testing/value/secret", "data_rule_results": [ { "passed": true, "resource_value_fqns": [ "https://example.com/attr/class/value/secret" ], "attribute": { "id": "70e2949e-8a15-4b4d-ab2a-a1a9bfa415a9", "rule": 3, "fqn": "https://example.com/attr/class" }, "entitlement_failures": null } ], "required_obligation_value_fqns": [ "https://example.com/obl/drm/value/mask" ] } ], "fulfillable_obligation_value_fqns": [], "obligations_satisfied": false }, "clientInfo": { "userAgent": "grpc-go/1.61.0", "platform": "authorization.v2", "requestIP": "None" }, "original": null, "updated": null, "requestID": "eb3681fc-96e5-4328-be1b-3b4da9deab19", "timestamp": "2025-10-21T19:42:18-07:00" } }multi-resource success log:
{ "time": "2025-10-21T19:40:00.00347-07:00", "level": "AUDIT", "msg": "decision", "namespace": "authorization", "version": "v2", "audit": { "object": { "type": "entity_object", "id": "jwtentity-1-clientid-opentdf-read", "name": "decisionRequest-read", "attributes": { "assertions": null, "attrs": null, "permissions": null } }, "action": { "type": "read", "result": "success" }, "actor": { "id": "jwtentity-1-clientid-opentdf", "attributes": [ { "entitlements_relevant_to_decision": { "https://example.com/attr/class/value/topsecret": [ { "id": "a1bb9ff7-74a1-4c30-a5c2-7067a1d84aef", "Value": null, "name": "read" } ] } } ] }, "eventMetaData": { "resource_decisions": [ { "passed": true, "obligations_satisfied": true, "entitled": true, "resource_id": "resource-0", "resource_name": "https://reg_res/testing/value/secret", "data_rule_results": [ { "passed": true, "resource_value_fqns": [ "https://example.com/attr/class/value/secret" ], "attribute": { "id": "70e2949e-8a15-4b4d-ab2a-a1a9bfa415a9", "rule": 3, "fqn": "https://example.com/attr/class" }, "entitlement_failures": null } ], "required_obligation_value_fqns": [ "https://example.com/obl/drm/value/mask" ] }, { "passed": true, "obligations_satisfied": true, "entitled": true, "resource_id": "resource-1", "data_rule_results": [ { "passed": true, "resource_value_fqns": [ "https://example.com/attr/class/value/secret" ], "attribute": { "id": "70e2949e-8a15-4b4d-ab2a-a1a9bfa415a9", "rule": 3, "fqn": "https://example.com/attr/class" }, "entitlement_failures": null } ], "required_obligation_value_fqns": [ "https://example.com/obl/drm/value/mask" ] } ], "fulfillable_obligation_value_fqns": [ "https://example.com/obl/drm/value/mask" ], "obligations_satisfied": true }, "clientInfo": { "userAgent": "grpc-go/1.61.0", "platform": "authorization.v2", "requestIP": "None" }, "original": null, "updated": null, "requestID": "f87d7480-20b5-4e2e-b08a-0e4608e43c9e", "timestamp": "2025-10-21T19:40:00-07:00" } }Multi resource failure log:
{ "time": "2025-10-21T19:40:06.710929-07:00", "level": "AUDIT", "msg": "decision", "namespace": "authorization", "version": "v2", "audit": { "object": { "type": "entity_object", "id": "jwtentity-1-clientid-opentdf-read", "name": "decisionRequest-read", "attributes": { "assertions": null, "attrs": null, "permissions": null } }, "action": { "type": "read", "result": "failure" }, "actor": { "id": "jwtentity-1-clientid-opentdf", "attributes": [ { "entitlements_relevant_to_decision": { "https://example.com/attr/class/value/topsecret": [ { "id": "a1bb9ff7-74a1-4c30-a5c2-7067a1d84aef", "Value": null, "name": "read" } ] } } ] }, "eventMetaData": { "resource_decisions": [ { "passed": false, "obligations_satisfied": false, "entitled": true, "resource_id": "resource-0", "resource_name": "https://reg_res/testing/value/secret", "data_rule_results": [ { "passed": true, "resource_value_fqns": [ "https://example.com/attr/class/value/secret" ], "attribute": { "id": "70e2949e-8a15-4b4d-ab2a-a1a9bfa415a9", "rule": 3, "fqn": "https://example.com/attr/class" }, "entitlement_failures": null } ], "required_obligation_value_fqns": [ "https://example.com/obl/drm/value/mask" ] }, { "passed": false, "obligations_satisfied": false, "entitled": true, "resource_id": "resource-1", "data_rule_results": [ { "passed": true, "resource_value_fqns": [ "https://example.com/attr/class/value/secret" ], "attribute": { "id": "70e2949e-8a15-4b4d-ab2a-a1a9bfa415a9", "rule": 3, "fqn": "https://example.com/attr/class" }, "entitlement_failures": null } ], "required_obligation_value_fqns": [ "https://example.com/obl/drm/value/mask" ] } ], "fulfillable_obligation_value_fqns": [], "obligations_satisfied": false }, "clientInfo": { "userAgent": "grpc-go/1.61.0", "platform": "authorization.v2", "requestIP": "None" }, "original": null, "updated": null, "requestID": "6561c969-f169-4e16-84a6-f378f481b28d", "timestamp": "2025-10-21T19:40:06-07:00" } }