opentdf · jakedoublev · Mar 11, 2024 · Mar 1, 2024 · Mar 1, 2024 · Mar 1, 2024
@@ -48,7 +48,7 @@ You can clear/recycle your database with 'docker-compose down' and 'docker-compo
 
 			dbI := fixtures.NewDBInterface(*cfg)
 			f := fixtures.NewFixture(dbI)
-			fixtures.LoadFixtureData("./internal/fixtures/fixtures.yaml")
+			fixtures.LoadFixtureData("./internal/fixtures/policy_fixtures.yaml")
 			f.Provision()
 
 			fmt.Print("fixtures provision fully applied")

@@ -755,10 +755,6 @@ <h2>Table of Contents</h2>
                   <a href="#policy.subjectmapping.MatchSubjectMappingsResponse"><span class="badge">M</span>MatchSubjectMappingsResponse</a>
                 </li>
 
-                <li>
-                  <a href="#policy.subjectmapping.Subject"><span class="badge">M</span>Subject</a>
-                </li>
-
                 <li>
                   <a href="#policy.subjectmapping.SubjectConditionSet"><span class="badge">M</span>SubjectConditionSet</a>
                 </li>
@@ -771,6 +767,10 @@ <h2>Table of Contents</h2>
                   <a href="#policy.subjectmapping.SubjectMapping"><span class="badge">M</span>SubjectMapping</a>
                 </li>
 
+                <li>
+                  <a href="#policy.subjectmapping.SubjectProperty"><span class="badge">M</span>SubjectProperty</a>
+                </li>
+
                 <li>
                   <a href="#policy.subjectmapping.SubjectSet"><span class="badge">M</span>SubjectSet</a>
                 </li>
@@ -5297,7 +5297,7 @@ <h3 id="policy.subjectmapping.ListSubjectMappingsResponse">ListSubjectMappingsRe
 
 
         <h3 id="policy.subjectmapping.MatchSubjectMappingsRequest">MatchSubjectMappingsRequest</h3>
-        <p></p>
+        <p>MatchSubjectMappingsRequest liberally returns a list of SubjectMappings based on the provided SubjectProperties. The SubjectMappings are returned</p><p>if there is any single condition found among the structures that matches for one of the provided properties:</p><p>1. The external field, external value, and an IN operator</p><p>2. The external field, _no_ external value, and a NOT_IN operator</p><p>Without this filtering, if a field was something like 'emailAddress' or 'username', every Subject is probably going to relate to that mapping</p><p>in some way or another, potentially matching every single attribute in the DB if a policy admin has relied heavily on that field. There is no</p><p>logic applied beyond a single condition within the query to avoid business logic interpreting the supplied conditions beyond the bare minimum</p><p>initial filter.</p><p>NOTE: if you have any issues, debug logs are available within the service to help identify why a mapping was or was not returned.</p>
 
 
           <table class="field-table">
@@ -5307,10 +5307,10 @@ <h3 id="policy.subjectmapping.MatchSubjectMappingsRequest">MatchSubjectMappingsR
             <tbody>
 
                 <tr>
-                  <td>subject</td>
-                  <td><a href="#policy.subjectmapping.Subject">Subject</a></td>
-                  <td></td>
-                  <td><p>Required </p></td>
+                  <td>subject_properties</td>
+                  <td><a href="#policy.subjectmapping.SubjectProperty">SubjectProperty</a></td>
+                  <td>repeated</td>
+                  <td><p> </p></td>
                 </tr>
 
             </tbody>
@@ -5344,30 +5344,6 @@ <h3 id="policy.subjectmapping.MatchSubjectMappingsResponse">MatchSubjectMappings
 
 
 
-        <h3 id="policy.subjectmapping.Subject">Subject</h3>
-        <p>A Representation of a subject as attribute->value pairs.  This would mirror user attributes retrieved</p><p>from an authoritative source such as an IDP (Identity Provider) or User Store.  Examples include such ADFS/LDAP, OKTA, etc.</p>
-
-
-          <table class="field-table">
-            <thead>
-              <tr><td>Field</td><td>Type</td><td>Label</td><td>Description</td></tr>
-            </thead>
-            <tbody>
-
-                <tr>
-                  <td>attributes</td>
-                  <td><a href="#google.protobuf.Struct">google.protobuf.Struct</a></td>
-                  <td></td>
-                  <td><p> </p></td>
-                </tr>
-
-            </tbody>
-          </table>
-
-
-
-
-
         <h3 id="policy.subjectmapping.SubjectConditionSet">SubjectConditionSet</h3>
         <p>A container for multiple Subject Sets, each containing Condition Groups, each containing Conditions. Multiple Subject Sets in a SubjectConditionSet</p><p>are evaluated with AND logic. As each Subject Mapping has only one Attribute Value, the SubjectConditionSet is reusable across multiple</p><p>Subject Mappings / Attribute Values and is an independent unit.</p>
 
@@ -5490,6 +5466,37 @@ <h3 id="policy.subjectmapping.SubjectMapping">SubjectMapping</h3>
 
 
 
+        <h3 id="policy.subjectmapping.SubjectProperty">SubjectProperty</h3>
+        <p>A property of a Subject/Entity as a field->value pair.  This would mirror external user attributes retrieved</p><p>from an authoritative source such as an IDP (Identity Provider) or User Store.  Examples include such ADFS/LDAP, OKTA, etc.</p><p>For now, a valid property must contain both field & value.</p>
+
+
+          <table class="field-table">
+            <thead>
+              <tr><td>Field</td><td>Type</td><td>Label</td><td>Description</td></tr>
+            </thead>
+            <tbody>
+
+                <tr>
+                  <td>external_field</td>
+                  <td><a href="#string">string</a></td>
+                  <td></td>
+                  <td><p> </p></td>
+                </tr>
+
+                <tr>
+                  <td>external_value</td>
+                  <td><a href="#string">string</a></td>
+                  <td></td>
+                  <td><p> </p></td>
+                </tr>
+
+            </tbody>
+          </table>
+
+
+
+
+
         <h3 id="policy.subjectmapping.SubjectSet">SubjectSet</h3>
         <p>A collection of Condition Groups</p>
 
@@ -5834,7 +5841,7 @@ <h4>Methods with HTTP bindings</h4>
                 <td>MatchSubjectMappings</td>
                 <td>POST</td>
                 <td>/subject-mappings/match</td>
-                <td>subject</td>
+                <td>subject_properties</td>
               </tr>
 
 

@@ -252,12 +252,15 @@
         },
         "parameters": [
           {
-            "name": "subject",
-            "description": "Required",
+            "name": "subjectProperties",
             "in": "body",
             "required": true,
             "schema": {
-              "$ref": "#/definitions/subjectmappingSubject"
+              "type": "array",
+              "items": {
+                "type": "object",
+                "$ref": "#/definitions/subjectmappingSubjectProperty"
+              }
             }
           }
         ],
@@ -615,14 +618,6 @@
       "additionalProperties": {},
       "description": "`Any` contains an arbitrary serialized protocol buffer message along with a\nURL that describes the type of the serialized message.\n\nProtobuf library provides support to pack/unpack Any values in the form\nof utility functions or additional generated methods of the Any type.\n\nExample 1: Pack and unpack a message in C++.\n\n    Foo foo = ...;\n    Any any;\n    any.PackFrom(foo);\n    ...\n    if (any.UnpackTo(\u0026foo)) {\n      ...\n    }\n\nExample 2: Pack and unpack a message in Java.\n\n    Foo foo = ...;\n    Any any = Any.pack(foo);\n    ...\n    if (any.is(Foo.class)) {\n      foo = any.unpack(Foo.class);\n    }\n    // or ...\n    if (any.isSameTypeAs(Foo.getDefaultInstance())) {\n      foo = any.unpack(Foo.getDefaultInstance());\n    }\n\n Example 3: Pack and unpack a message in Python.\n\n    foo = Foo(...)\n    any = Any()\n    any.Pack(foo)\n    ...\n    if any.Is(Foo.DESCRIPTOR):\n      any.Unpack(foo)\n      ...\n\n Example 4: Pack and unpack a message in Go\n\n     foo := \u0026pb.Foo{...}\n     any, err := anypb.New(foo)\n     if err != nil {\n       ...\n     }\n     ...\n     foo := \u0026pb.Foo{}\n     if err := any.UnmarshalTo(foo); err != nil {\n       ...\n     }\n\nThe pack methods provided by protobuf library will by default use\n'type.googleapis.com/full.type.name' as the type URL and the unpack\nmethods only use the fully qualified type name after the last '/'\nin the type URL, for example \"foo.bar.com/x/y.z\" will yield type\nname \"y.z\".\n\nJSON\n====\nThe JSON representation of an `Any` value uses the regular\nrepresentation of the deserialized, embedded message, with an\nadditional field `@type` which contains the type URL. Example:\n\n    package google.profile;\n    message Person {\n      string first_name = 1;\n      string last_name = 2;\n    }\n\n    {\n      \"@type\": \"type.googleapis.com/google.profile.Person\",\n      \"firstName\": \u003cstring\u003e,\n      \"lastName\": \u003cstring\u003e\n    }\n\nIf the embedded message type is well-known and has a custom JSON\nrepresentation, that representation will be embedded adding a field\n`value` which holds the custom JSON in addition to the `@type`\nfield. Example (for message [google.protobuf.Duration][]):\n\n    {\n      \"@type\": \"type.googleapis.com/google.protobuf.Duration\",\n      \"value\": \"1.212s\"\n    }"
     },
-    "protobufNullValue": {
-      "type": "string",
-      "enum": [
-        "NULL_VALUE"
-      ],
-      "default": "NULL_VALUE",
-      "description": "`NullValue` is a singleton enumeration to represent the null value for the\n`Value` type union.\n\nThe JSON representation for `NullValue` is JSON `null`.\n\n - NULL_VALUE: Null value."
-    },
     "rpcStatus": {
       "type": "object",
       "properties": {
@@ -822,15 +817,6 @@
         }
       }
     },
-    "subjectmappingSubject": {
-      "type": "object",
-      "properties": {
-        "attributes": {
-          "type": "object"
-        }
-      },
-      "description": "A Representation of a subject as attribute-\u003evalue pairs.  This would mirror user attributes retrieved\nfrom an authoritative source such as an IDP (Identity Provider) or User Store.  Examples include such ADFS/LDAP, OKTA, etc."
-    },
     "subjectmappingSubjectConditionSet": {
       "type": "object",
       "properties": {
@@ -906,6 +892,18 @@
       "default": "SUBJECT_MAPPING_OPERATOR_ENUM_UNSPECIFIED",
       "title": "buflint ENUM_VALUE_PREFIX: to make sure that C++ scoping rules aren't violated when users add new enum values to an enum in a given package"
     },
+    "subjectmappingSubjectProperty": {
+      "type": "object",
+      "properties": {
+        "externalField": {
+          "type": "string"
+        },
+        "externalValue": {
+          "type": "string"
+        }
+      },
+      "description": "A property of a Subject/Entity as a field-\u003evalue pair.  This would mirror external user attributes retrieved\nfrom an authoritative source such as an IDP (Identity Provider) or User Store.  Examples include such ADFS/LDAP, OKTA, etc.\nFor now, a valid property must contain both field \u0026 value."
+    },
     "subjectmappingSubjectSet": {
       "type": "object",
       "properties": {

@@ -122,7 +122,7 @@ func TestMain(m *testing.M) {
 	slog.Info("🚚 applied migrations", slog.Int("count", applied))
 
 	slog.Info("🏠 loading fixtures")
-	fixtures.LoadFixtureData("../internal/fixtures/fixtures.yaml")
+	fixtures.LoadFixtureData("../internal/fixtures/policy_fixtures.yaml")
 
 	slog.Info("📚 indexing FQNs for test fixtures")
 	db.PolicyClient.AttrFqnReindex()