Skip to content

Commit

Permalink
fix(authz): handle pagination in authz service (#1797)
Browse files Browse the repository at this point in the history
### Proposed Changes

* Handle pagination limit/offset in `authorization.GetEntitlements`
* If quantity of attributes or subject mappings exceeds default "list"
API limit as configured, we need to retrieve all to make accurate
entitlement decision

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions
  • Loading branch information
jakedoublev authored Dec 3, 2024
1 parent 7c4c74f commit 58cb3f6
Show file tree
Hide file tree
Showing 2 changed files with 184 additions and 10 deletions.
59 changes: 49 additions & 10 deletions service/authorization/authorization.go
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,7 @@ import (
"github.com/open-policy-agent/opa/rego"
"github.com/opentdf/platform/protocol/go/authorization"
"github.com/opentdf/platform/protocol/go/authorization/authorizationconnect"
"github.com/opentdf/platform/protocol/go/common"
"github.com/opentdf/platform/protocol/go/entityresolution"
"github.com/opentdf/platform/protocol/go/policy"
attr "github.com/opentdf/platform/protocol/go/policy/attributes"
Expand Down Expand Up @@ -444,22 +445,60 @@ func makeScopeMap(scope *authorization.ResourceAttribute) map[string]bool {

func (as *AuthorizationService) GetEntitlements(ctx context.Context, req *connect.Request[authorization.GetEntitlementsRequest]) (*connect.Response[authorization.GetEntitlementsResponse], error) {
as.logger.DebugContext(ctx, "getting entitlements")
attrsRes, err := as.sdk.Attributes.ListAttributes(ctx, &attr.ListAttributesRequest{})
if err != nil {
as.logger.ErrorContext(ctx, "failed to list attributes", slog.String("error", err.Error()))
return nil, connect.NewError(connect.CodeInternal, errors.New("failed to list attributes"))

var nextOffset int32
attrsList := make([]*policy.Attribute, 0)
subjectMappingsList := make([]*policy.SubjectMapping, 0)

// If quantity of attributes exceeds maximum list pagination, all are needed to determine entitlements
for {
listed, err := as.sdk.Attributes.ListAttributes(ctx, &attr.ListAttributesRequest{
State: common.ActiveStateEnum_ACTIVE_STATE_ENUM_ACTIVE,
Pagination: &policy.PageRequest{
Offset: nextOffset,
},
})
if err != nil {
as.logger.ErrorContext(ctx, "failed to list attributes", slog.String("error", err.Error()))
return nil, connect.NewError(connect.CodeInternal, errors.New("failed to list attributes"))
}

nextOffset = listed.GetPagination().GetNextOffset()
attrsList = append(attrsList, listed.GetAttributes()...)

// offset becomes zero when list is exhausted
if nextOffset <= 0 {
break
}
}
subMapsRes, err := as.sdk.SubjectMapping.ListSubjectMappings(ctx, &subjectmapping.ListSubjectMappingsRequest{})
if err != nil {
as.logger.ErrorContext(ctx, "failed to list subject mappings", slog.String("error", err.Error()))
return nil, connect.NewError(connect.CodeInternal, errors.New("failed to list subject mappings"))

// If quantity of subject mappings exceeds maximum list pagination, all are needed to determine entitlements
nextOffset = 0
for {
listed, err := as.sdk.SubjectMapping.ListSubjectMappings(ctx, &subjectmapping.ListSubjectMappingsRequest{
Pagination: &policy.PageRequest{
Offset: nextOffset,
},
})
if err != nil {
as.logger.ErrorContext(ctx, "failed to list subject mappings", slog.String("error", err.Error()))
return nil, connect.NewError(connect.CodeInternal, errors.New("failed to list subject mappings"))
}

nextOffset = listed.GetPagination().GetNextOffset()
subjectMappingsList = append(subjectMappingsList, listed.GetSubjectMappings()...)

// offset becomes zero when list is exhausted
if nextOffset <= 0 {
break
}
}
// create a lookup map of attribute value FQNs (based on request scope)
scopeMap := makeScopeMap(req.Msg.GetScope())
// create a lookup map of subject mappings by attribute value ID
subMapsByVal := makeSubMapsByValLookup(subMapsRes.GetSubjectMappings())
subMapsByVal := makeSubMapsByValLookup(subjectMappingsList)
// create a lookup map of attribute values by FQN (for rego query)
fqnAttrVals := makeValsByFqnsLookup(attrsRes.GetAttributes(), subMapsByVal, scopeMap)
fqnAttrVals := makeValsByFqnsLookup(attrsList, subMapsByVal, scopeMap)
avf := &attr.GetAttributeValuesByFqnsResponse{
FqnAttributeValues: fqnAttrVals,
}
Expand Down
135 changes: 135 additions & 0 deletions service/authorization/authorization_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,10 @@ type mySubjectMappingClient struct {
sm.SubjectMappingServiceClient
}

type paginatedMockSubjectMappingClient struct {
sm.SubjectMappingServiceClient
}

func (*mySubjectMappingClient) ListSubjectMappings(_ context.Context, _ *sm.ListSubjectMappingsRequest, _ ...grpc.CallOption) (*sm.ListSubjectMappingsResponse, error) {
return &listSubjectMappings, nil
}
Expand All @@ -69,6 +73,52 @@ func (*myERSClient) ResolveEntities(_ context.Context, _ *entityresolution.Resol
return &resolveEntitiesResp, nil
}

var (
smPaginationOffset = 3
smListCallCount = 0
)

func (*paginatedMockSubjectMappingClient) ListSubjectMappings(_ context.Context, _ *sm.ListSubjectMappingsRequest, _ ...grpc.CallOption) (*sm.ListSubjectMappingsResponse, error) {
smListCallCount++
// simulate paginated list and policy LIST behavior
if smPaginationOffset > 0 {
rsp := &sm.ListSubjectMappingsResponse{
SubjectMappings: nil,
Pagination: &policy.PageResponse{
NextOffset: int32(smPaginationOffset),
},
}
smPaginationOffset = 0
return rsp, nil
}
return &listSubjectMappings, nil
}

type paginatedMockAttributesClient struct {
attr.AttributesServiceClient
}

var (
attrPaginationOffset = 3
attrListCallCount = 0
)

func (*paginatedMockAttributesClient) ListAttributes(_ context.Context, _ *attr.ListAttributesRequest, _ ...grpc.CallOption) (*attr.ListAttributesResponse, error) {
attrListCallCount++
// simulate paginated list and policy LIST behavior
if attrPaginationOffset > 0 {
rsp := &attr.ListAttributesResponse{
Attributes: nil,
Pagination: &policy.PageResponse{
NextOffset: int32(attrPaginationOffset),
},
}
attrPaginationOffset = 0
return rsp, nil
}
return &listAttributeResp, nil
}

func TestGetComprehensiveHierarchy(t *testing.T) {
as := &AuthorizationService{
logger: logger.CreateTestLogger(),
Expand Down Expand Up @@ -763,6 +813,91 @@ func Test_GetEntitlementsFqnCasing(t *testing.T) {
assert.Equal(t, []string{"https://www.example.org/attr/foo/value/value1"}, resp.Msg.GetEntitlements()[0].GetAttributeValueFqns())
}

func Test_GetEntitlements_HandlesPagination(t *testing.T) {
logger := logger.CreateTestLogger()

listAttributeResp = attr.ListAttributesResponse{}
attrDef := policy.Attribute{
Name: mockAttrName,
Namespace: &policy.Namespace{
Name: mockNamespace,
},
Rule: policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF,
Values: []*policy.Value{
{
Value: mockAttrValue1,
},
{
Value: mockAttrValue2,
},
},
}
listAttributeResp.Attributes = []*policy.Attribute{&attrDef}
userRepresentation := map[string]interface{}{
"A": "B",
"C": "D",
}
userStruct, _ := structpb.NewStruct(userRepresentation)
resolveEntitiesResp = entityresolution.ResolveEntitiesResponse{
EntityRepresentations: []*entityresolution.EntityRepresentation{
{
OriginalId: "e1",
AdditionalProps: []*structpb.Struct{
userStruct,
},
},
},
}

ctxb := context.Background()

rego := rego.New(
rego.Query("data.example.p"),
rego.Module("example.rego",
`package example
p = {"e1":["https://www.example.org/attr/foo/value/value1"]} { true }`,
))

// Run evaluation.
prepared, err := rego.PrepareForEval(ctxb)
require.NoError(t, err)

as := AuthorizationService{
logger: logger, sdk: &otdf.SDK{
SubjectMapping: &paginatedMockSubjectMappingClient{},
Attributes: &paginatedMockAttributesClient{},
EntityResoution: &myERSClient{},
},
eval: prepared,
}

req := connect.Request[authorization.GetEntitlementsRequest]{
Msg: &authorization.GetEntitlementsRequest{
Entities: []*authorization.Entity{{Id: "e1", EntityType: &authorization.Entity_ClientId{ClientId: "testclient"}, Category: authorization.Entity_CATEGORY_ENVIRONMENT}},
// Using mixed case here
Scope: &authorization.ResourceAttribute{AttributeValueFqns: []string{"https://www.example.org/attr/foo/value/VaLuE1"}},
},
}

for fqn := range makeScopeMap(req.Msg.GetScope()) {
assert.Equal(t, fqn, strings.ToLower(fqn))
}

resp, err := as.GetEntitlements(ctxb, &req)

require.NoError(t, err)
assert.NotNil(t, resp)
assert.Len(t, resp.Msg.GetEntitlements(), 1)
assert.Equal(t, "e1", resp.Msg.GetEntitlements()[0].GetEntityId())
assert.Equal(t, []string{"https://www.example.org/attr/foo/value/value1"}, resp.Msg.GetEntitlements()[0].GetAttributeValueFqns())

// paginated successfully
assert.Equal(t, 2, smListCallCount)
assert.Zero(t, smPaginationOffset)
assert.Equal(t, 2, attrListCallCount)
assert.Zero(t, attrPaginationOffset)
}

func Test_GetEntitlementsWithComprehensiveHierarchy(t *testing.T) {
logger := logger.CreateTestLogger()
attrDef := policy.Attribute{
Expand Down

0 comments on commit 58cb3f6

Please sign in to comment.