feat(policy): DSPX-2754 dynamic attribute value entitlement mappings #3568

alkalescent wants to merge 8 commits into
Implement the DefinitionValueEntitlementMapping primitive end to end: a definition-scoped mapping that entitles dynamically-requested attribute values by comparing the requested resource value segment against the entity representation at decision time, instead of pre-provisioning a value + subject mapping per discrete value.

Design (per ADR 0005, improving on the reference spike):

- A dedicated DynamicValueOperatorEnum (RESOURCE_VALUE_IN / _IN_CONTAINS) and DefinitionValueResolver, so operators stay isolated from static subject mapping operators and the schema honestly expresses 'dynamic'.
- An optional static SubjectConditionSet pre-gate (normal static semantics) to support compound 'entity attribute AND resource value' conditions.
- No-coexistence enforcement (both directions) between value-level subject mappings and dynamic mappings on the same definition.
- HIERARCHY rejected; canonicalized (case/space) value comparison.

Wiring: proto + generated code + SDK client, DB migration + sqlc + CRUD, dedicated DefinitionValueEntitlementMappingService, decision-time evaluator, PDP load/merge, synthetic-value support, and authz cache. Replaces the throwaway spike package; ports its tests.

Refs: DSPX-2754, virtru-corp/adr#266
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
Summary of Changes

This pull request implements a new policy primitive, DefinitionValueEntitlementMapping, which enables dynamic entitlement mappings at the attribute definition level. This allows for more flexible and scalable authorization by comparing resource values against entity attributes at decision time, rather than relying on pre-provisioned static mappings. The change includes a full end-to-end implementation, including protocol definitions, service logic, database persistence, and integration into the existing policy decision point.
Code Review
This pull request implements Definition Value Entitlement Mappings (DSPX-2754), which move entitlement authority from concrete attribute values to the attribute definition level. The changes span SDK client generation, caching, PDP evaluation, database storage, and a new gRPC service. The review feedback is highly constructive and identifies several critical issues that should be addressed: a potential data race hazard in the gRPC service, possible nil pointer dereferences in both the PDP evaluator and the database client, a bug in error handling that could return nil values, incorrect type formatting in cache errors, and a redundant database index in the migration script.
- Reverse HIERARCHY guard: reject UnsafeUpdateAttribute rule change to HIERARCHY when the definition has a dynamic value entitlement mapping (symmetric with the create-time guard).
- PDP decision test: ANY_OF permit / ALL_OF deny when a resource carries two dynamic values under one definition and the entity is entitled to one.
- Integration tests (testcontainers): CRUD, optional static gate, HIERARCHY rejection, no-coexistence both directions, reverse rule guard, list.

Refs: DSPX-3498, DSPX-2754
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
…ervice

Move the DefinitionValueEntitlementMapping CRUD RPCs/messages from a dedicated service+package into the existing policy.subjectmapping package / SubjectMappingService. A brand-new proto package added an import path absent from the released protocol/go, which broke the per-module 'go mod tidy' CI check (that step does not use the go workspace). Reusing the already-published subjectmapping package removes the new import path so go mod tidy passes in a single PR, and drops the long dedicated package name. The object name DefinitionValueEntitlementMapping is kept.

Refs: DSPX-3498, DSPX-2754
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
Rename the primitive from DefinitionValueEntitlementMapping to DynamicValueMapping (shorter, drops redundant 'Entitlement' per SubjectMapping/ResourceMapping convention, avoids overloading the authz 'entitlement' term). The upstream ADR #266 noted names are subject to change during implementation.

Restore the dedicated service: DynamicValueMappingService in its own policy.dynamicvaluemapping package (un-folded from SubjectMappingService), with its own SDK client. DynamicValueResolver + DynamicValueOperatorEnum round out the type family. DB tables/queries/files renamed to dynamic_value_mapping(s). ADR 0005 updated with the rename note.

NOTE: this adds a new protocol/go package, so per-module 'go mod tidy' will fail until protocol/go is released with it (intended; see the protocol-first split).

Refs: DSPX-3498, DSPX-2754
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
Mirror the proto validation fix from #3580 (namespace oneof, min_len:1 + uri on FQN fields, direct uuid/uri rules) so the consumer branch stays in sync.

Refs: DSPX-2754, DSPX-3498
Signed-off-by: Krish Suchak <suchak.krish@gmail.com>
Important

Depends on #3580 (protocol-first). This PR adds a new `protocol/go` package, so the per-module `go mod tidy` CI check stays red until #3580 merges and `protocol/go` is released. Sequence: merge #3580 → release `protocol/go` → rebase this branch and bump `sdk`/`service` `go.mod` → CI goes green.

Proposed Changes

Implements the `DefinitionValueEntitlementMapping` policy primitive end to end (the model chosen by the DSPX-2754 spike / ADR 0005). It raises entitlement authority from a concrete `AttributeValue` to the `AttributeDefinition`: a single mapping entitles dynamically-requested values by comparing the requested resource value segment against the entity representation at decision time, instead of pre-provisioning a value + subject mapping per discrete ID (MRNs, account IDs, etc.).

Design highlights (improving on the reference spike):

- (`DynamicValueOperatorEnum`: `RESOURCE_VALUE_IN` / `RESOURCE_VALUE_IN_CONTAINS`, `DefinitionValueResolver`) so dynamic operators stay isolated from static subject-mapping operators and the schema honestly expresses "dynamic".
- `SubjectConditionSet` pre-gate (normal static semantics, no field overload) to support compound "entity attribute AND resource value" conditions.
- `ANY_OF`/`ALL_OF` rule layer as static values (manifest stays a list of attribute FQNs).

Wiring: proto + generated code + SDK client; DB migration + sqlc + CRUD; dedicated `DefinitionValueEntitlementMappingService`; decision-time evaluator; PDP load/merge with synthetic-value support; and authz cache. Replaces the throwaway spike package and ports its tests.

`GetEntitlements` intentionally does not enumerate dynamic values (high-cardinality, resource-scoped).

Testing Instructions

```sh
cd service && go build ./...
cd service && go test ./internal/subjectmappingbuiltin/... ./internal/access/v2/... ./authorization/v2/...
cd service && golangci-lint run ./internal/subjectmappingbuiltin/... ./internal/access/v2/ ./authorization/v2/ ./policy/db/ ./policy/definitionvalueentitlement/
```

Related

service/policy/adr/0005-dynamic-attribute-value-entitlements-spike.md
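Added example, not code from this PR: a stand-alone Go sketch of the decision-time evaluation the description outlines, covering the canonicalized (case/space) comparison of the requested value segment against the entity representation for `RESOURCE_VALUE_IN` / `RESOURCE_VALUE_IN_CONTAINS`, the optional static pre-gate, and the `ANY_OF` / `ALL_OF` rule over a resource that carries several dynamic values under one definition. The `Operator`, `Mapping`, `Selector` and `StaticGate` names and the map-based entity representation are assumptions, not the PR's generated types.

```go
package main

import "strings"

type Operator int // stands in for the PR's DynamicValueOperatorEnum (assumed shape, not the generated proto)

const (
	ResourceValueIn         Operator = iota // RESOURCE_VALUE_IN: segment equals an entity claim
	ResourceValueInContains                 // RESOURCE_VALUE_IN_CONTAINS: segment is a substring of a claim
)

type Mapping struct { // simplified definition-scoped dynamic value mapping (assumed shape)
	DefinitionFQN string
	Selector      string                                // entity representation key to compare against
	Op            Operator
	StaticGate    func(entity map[string][]string) bool // optional SubjectConditionSet pre-gate stand-in
}

// canonical applies the case/space canonicalization the commit message describes.
func canonical(s string) string { return strings.ToLower(strings.TrimSpace(s)) }

// Entitled reports whether the entity may access one value FQN ".../attr/<def>/value/<segment>".
func Entitled(m Mapping, entity map[string][]string, valueFQN string) bool {
	i := strings.LastIndex(valueFQN, "/value/")
	if i < 0 || valueFQN[:i] != m.DefinitionFQN {
		return false // malformed, or not a value under this mapping's definition
	}
	if m.StaticGate != nil && !m.StaticGate(entity) {
		return false // compound condition: the static gate must pass before the dynamic compare
	}
	want := canonical(valueFQN[i+len("/value/"):])
	for _, have := range entity[m.Selector] {
		have = canonical(have)
		if (m.Op == ResourceValueIn && have == want) ||
			(m.Op == ResourceValueInContains && strings.Contains(have, want)) {
			return true
		}
	}
	return false
}

// Decide applies the definition's ANY_OF (allOf=false) or ALL_OF rule over a resource's dynamic values.
func Decide(m Mapping, entity map[string][]string, valueFQNs []string, allOf bool) bool {
	for _, v := range valueFQNs {
		if ok := Entitled(m, entity, v); ok != allOf {
			return ok // ANY_OF: first permit wins; ALL_OF: first deny wins
		}
	}
	return allOf && len(valueFQNs) > 0 // ALL_OF over an empty request denies rather than vacuously permits
}
```

HIERARCHY is not modelled because the PR rejects it for definitions that carry a dynamic mapping.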