From ab71501d5fc3bee67eeff0c6fcf2ece6bcc5a681 Mon Sep 17 00:00:00 2001
From: Krish Suchak
Date: Fri, 23 Aug 2024 11:21:23 -0400
Subject: [PATCH 1/4] use lowercase fqn
---
 service/authorization/authorization.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/service/authorization/authorization.go b/service/authorization/authorization.go
index 69498acf7..19cfe09e2 100644
--- a/service/authorization/authorization.go
+++ b/service/authorization/authorization.go
@@ -434,7 +434,7 @@ func makeScopeMap(scope *authorization.ResourceAttribute) map[string]bool {
 scopeMap := make(map[string]bool)
 // add attribute value FQNs from scope to the map
 for _, fqn := range scope.GetAttributeValueFqns() {
- scopeMap[fqn] = true
+ scopeMap[strings.ToLower(fqn)] = true
 }
 return scopeMap
 }
From e6742bdd58ddbc20a87fd797bd5ee61b3355cb49 Mon Sep 17 00:00:00 2001
From: Krish Suchak
Date: Fri, 23 Aug 2024 14:55:44 -0400
Subject: [PATCH 2/4] add fqn casing test
---
 service/authorization/authorization_test.go | 68 +++++++++++++++++++++
 1 file changed, 68 insertions(+)
diff --git a/service/authorization/authorization_test.go b/service/authorization/authorization_test.go
index ab0c46882..471a595cb 100644
--- a/service/authorization/authorization_test.go
+++ b/service/authorization/authorization_test.go
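Review bot: Lower-casing only the request-scope side of the lookup is correct only if every FQN it is later matched against (for example the keys produced by makeValsByFqnsLookup, visible in a later hunk's header) is already canonical lowercase, and nothing in this hunk establishes that; if a policy FQN can carry uppercase, a request that names it is silently dropped from the entitlement result. Apply the same `strings.ToLower` wherever FQNs become map keys, or document the canonical-lowercase invariant at the policy boundary, so the two sides cannot drift apart. The doc comment should state the normalisation, e.g. `// makeScopeMap builds a lookup set of the request scope's attribute value FQNs, lower-cased so matching against policy FQNs is case-insensitive.` The import block of authorization.go is not in this patch, so I assume `strings` is already imported there; the makeScopeMap signature itself sits in the hunk header, outside the hunk.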
@@ -640,6 +640,74 @@ func Test_GetEntitlementsSimple(t *testing.T) {
 assert.Equal(t, []string{"https://www.example.org/attr/foo/value/value1"}, resp.GetEntitlements()[0].GetAttributeValueFqns())
 }
+func Test_GetEntitlementsFqnCasing(t *testing.T) {
+ logger := logger.CreateTestLogger()
+
+ listAttributeResp = attr.ListAttributesResponse{}
+ attrDef := policy.Attribute{
+ Name: mockAttrName,
+ Namespace: &policy.Namespace{
+ Name: mockNamespace,
+ },
+ Rule: policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF,
+ Values: []*policy.Value{
+ {
+ Value: mockAttrValue1,
+ },
+ {
+ Value: mockAttrValue2,
+ },
+ },
+ }
+ listAttributeResp.Attributes = []*policy.Attribute{&attrDef}
+ userRepresentation := map[string]interface{}{
+ "A": "B",
+ "C": "D",
+ }
+ userStruct, _ := structpb.NewStruct(userRepresentation)
+ resolveEntitiesResp = entityresolution.ResolveEntitiesResponse{
+ EntityRepresentations: []*entityresolution.EntityRepresentation{{
+ OriginalId: "e1",
+ AdditionalProps: []*structpb.Struct{
+ userStruct,
+ },
+ },
+ },
+ }
+
+ ctxb := context.Background()
+
+ rego := rego.New(
+ rego.Query("data.example.p"),
+ rego.Module("example.rego",
+ `package example
+ p = {"e1":["https://www.example.org/attr/foo/value/value1"]} { true }`,
+ ))
+
+ // Run evaluation.
+ prepared, err := rego.PrepareForEval(ctxb)
+ require.NoError(t, err)
+
+ as := AuthorizationService{logger: logger, sdk: &otdf.SDK{
+ SubjectMapping: &mySubjectMappingClient{},
+ Attributes: &myAttributesClient{}, EntityResoution: &myERSClient{}},
+ eval: prepared}
+
+ req := authorization.GetEntitlementsRequest{
+ Entities: []*authorization.Entity{{Id: "e1", EntityType: &authorization.Entity_ClientId{ClientId: "testclient"}, Category: authorization.Entity_CATEGORY_ENVIRONMENT}},
+ // Using mixed case here
+ Scope: &authorization.ResourceAttribute{AttributeValueFqns: []string{"https://www.example.org/attr/foo/value/VaLuE1"}},
+ }
+
+ resp, err := as.GetEntitlements(ctxb, &req)
+
+ require.NoError(t, err)
+ assert.NotNil(t, resp)
+ assert.Len(t, resp.GetEntitlements(), 1)
+ assert.Equal(t, "e1", resp.GetEntitlements()[0].GetEntityId())
+ assert.Equal(t, []string{"https://www.example.org/attr/foo/value/value1"}, resp.GetEntitlements()[0].GetAttributeValueFqns())
+}
+
 func Test_GetEntitlementsWithComprehensiveHierarchy(t *testing.T) {
 logger := logger.CreateTestLogger()
 attrDef := policy.Attribute{
From 3a5f2d494c52db443dd9c023db7d7f1303d78a07 Mon Sep 17 00:00:00 2001
From: Krish Suchak
Date: Fri, 23 Aug 2024 15:03:24 -0400
Subject: [PATCH 3/4] explicitly test result of scopeMap
---
 service/authorization/authorization.go | 6 +++---
 service/authorization/authorization_test.go | 5 +++++
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/service/authorization/authorization.go b/service/authorization/authorization.go
index 19cfe09e2..bd68ccbb2 100644
--- a/service/authorization/authorization.go
+++ b/service/authorization/authorization.go
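Review bot: The mixed-case input is applied only to the request scope (`.../VaLuE1`), while the policy side comes from the `mockAttrValue1`/`mockAttrValue2` fixtures whose casing is not visible here, so the test pins case-insensitivity in one direction only; a second request (or table entry) whose scope FQN is lowercase while the fixture value is upper- or mixed-case would show that the match does not depend on the policy values happening to be lowercase. The error from `structpb.NewStruct` is discarded; `userStruct, err := structpb.NewStruct(userRepresentation)` followed by `require.NoError(t, err)` keeps a malformed fixture from surfacing as a confusing entitlement failure. The local `rego := rego.New(` shadows the imported rego package for the rest of the function; a name such as `regoQuery` avoids that. The test also assigns the package-level `listAttributeResp` and `resolveEntitiesResp`, so it shares state with its siblings and must not be run with `t.Parallel()`.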
@@ -425,8 +425,8 @@ func makeValsByFqnsLookup(attrs []*policy.Attribute, subMapsByVal map[string][]*
 return fqnAttrVals
 }
-// makeScopeMap creates a map of attribute value FQNs.
-func makeScopeMap(scope *authorization.ResourceAttribute) map[string]bool {
+// MakeScopeMap creates a map of attribute value FQNs.
+func MakeScopeMap(scope *authorization.ResourceAttribute) map[string]bool {
 // if scope not defined, return nil pointer
 if scope == nil {
 return nil
@@ -452,7 +452,7 @@ func (as *AuthorizationService) GetEntitlements(ctx context.Context, req *author
 return nil, status.Error(codes.Internal, "failed to list subject mappings")
 }
 // create a lookup map of attribute value FQNs (based on request scope)
- scopeMap := makeScopeMap(req.GetScope())
+ scopeMap := MakeScopeMap(req.GetScope())
 // create a lookup map of subject mappings by attribute value ID
 subMapsByVal := makeSubMapsByValLookup(subMapsRes.GetSubjectMappings())
 // create a lookup map of attribute values by FQN (for rego query)
diff --git a/service/authorization/authorization_test.go b/service/authorization/authorization_test.go
index 471a595cb..1bbf5458b 100644
--- a/service/authorization/authorization_test.go
+++ b/service/authorization/authorization_test.go
@@ -5,6 +5,7 @@ import (
 "errors"
 "fmt"
 "log/slog"
+ "strings"
 "testing"
 "github.com/open-policy-agent/opa/rego"
@@ -699,6 +700,10 @@ func Test_GetEntitlementsFqnCasing(t *testing.T) {
 Scope: &authorization.ResourceAttribute{AttributeValueFqns: []string{"https://www.example.org/attr/foo/value/VaLuE1"}},
 }
+ for fqn := range MakeScopeMap(req.GetScope()) {
+ assert.Equal(t, fqn, strings.ToLower(fqn))
+ }
+
 resp, err := as.GetEntitlements(ctxb, &req)
 require.NoError(t, err)
From 90908b7adc3ad0fd0e2824f72f3f5204b4da478a Mon Sep 17 00:00:00 2001
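Review bot: The new loop in the `@@ -699,6 +700,10 @@` hunk of authorization_test.go asserts only that each key is lowercase, so it passes vacuously if the map comes back empty or nil and never checks that the expected key is present. Asserting the whole map pins both the membership and the normalisation, e.g. `assert.Equal(t, map[string]bool{"https://www.example.org/attr/foo/value/value1": true}, MakeScopeMap(req.GetScope()))`, after which the `strings` import added in the `@@ -5,6 +5,7 @@` hunk is no longer needed. The body of Test_GetEntitlementsFqnCasing continues on both sides of that hunk.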
From: Krish Suchak
Date: Fri, 23 Aug 2024 15:46:17 -0400
Subject: [PATCH 4/4] revert public fx
---
 service/authorization/authorization.go | 6 +++---
 service/authorization/authorization_test.go | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/service/authorization/authorization.go b/service/authorization/authorization.go
index bd68ccbb2..19cfe09e2 100644
--- a/service/authorization/authorization.go
+++ b/service/authorization/authorization.go
@@ -425,8 +425,8 @@ func makeValsByFqnsLookup(attrs []*policy.Attribute, subMapsByVal map[string][]*
 return fqnAttrVals
 }
-// MakeScopeMap creates a map of attribute value FQNs.
-func MakeScopeMap(scope *authorization.ResourceAttribute) map[string]bool {
+// makeScopeMap creates a map of attribute value FQNs.
+func makeScopeMap(scope *authorization.ResourceAttribute) map[string]bool {
 // if scope not defined, return nil pointer
 if scope == nil {
 return nil
@@ -452,7 +452,7 @@ func (as *AuthorizationService) GetEntitlements(ctx context.Context, req *author
 return nil, status.Error(codes.Internal, "failed to list subject mappings")
 }
 // create a lookup map of attribute value FQNs (based on request scope)
- scopeMap := MakeScopeMap(req.GetScope())
+ scopeMap := makeScopeMap(req.GetScope())
 // create a lookup map of subject mappings by attribute value ID
 subMapsByVal := makeSubMapsByValLookup(subMapsRes.GetSubjectMappings())
 // create a lookup map of attribute values by FQN (for rego query)
diff --git a/service/authorization/authorization_test.go b/service/authorization/authorization_test.go
index 1bbf5458b..59940559f 100644
--- a/service/authorization/authorization_test.go
+++ b/service/authorization/authorization_test.go
@@ -700,7 +700,7 @@ func Test_GetEntitlementsFqnCasing(t *testing.T) {
 Scope: &authorization.ResourceAttribute{AttributeValueFqns: []string{"https://www.example.org/attr/foo/value/VaLuE1"}},
 }
- for fqn := range MakeScopeMap(req.GetScope()) {
+ for fqn := range makeScopeMap(req.GetScope()) {
 assert.Equal(t, fqn, strings.ToLower(fqn))
 }