opentdf / otdfctl

OpenTDF CLI

Issue with Decrypting a TDF with an Attribute #169

Open pacog1994 opened 1 month ago

pacog1994 commented 1 month ago

When I attempt to decrypt a TDF with a FQDN "https://example.com/attr/attr1/value/value1" using the otdfctl tool and authenticated as a Keycloak User with the KV pair: { Attr1: Value1 } I get the following error: image

Platform Output Log For Otdfctl Decrypt: image

What I Expected: Given a Keycloak user with the same keys and values as the TDF's FQDN, the user should be able to decrypt it.

Environment:

Steps to Reproduce:

  1. Add Attribute {Key: attr1, Value: value1} to SampleUser
  2. Encrypt a file with the attribute FQDN using the OTDF CLI: `echo "Hello World" > test.txt` and `./otdfctl encrypt test.txt -o testWithAttribute.txt.tdf -a "https://example.com/attr/attr1/value/value1"`
  3. Authenticate as SampleUser by hardcoding the access_token from Keycloak when using the OTDF CLI: `./otdfctl auth client-credentials --client-id opentdf --client-secret secret` (If there is a better way of doing this without this hacky approach please let me know)
  4. Run Decrypt and see the fail log: `./otdfctl decrypt testWithAttribute.txt.tdf`

My Theory: I tried editing the entitlement.rego file with no success. I think I have to get the right rego conditions to get this working but I don't know how to DEBUG the rego policy. I don't actually know what is in the ers_request and I don't think I need to use the otdfdb subject_mappings for such a simple comparison.

I would just like to compare SampleUser attribute to the attribute attached to the TDF file.

If I could get help with this that would be amazing, also please let me know if there is additional information I can provide.

Thanks.
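
As an added illustration (not OpenTDF's code, not the project's entitlement.rego, and not a statement of why this particular report fails), the following Python models the check that sits between a token and an attribute on a TDF: a selector resolves a claim from the decoded token, a subject condition set decides whether the entity is entitled to an attribute value, and the attribute definition's rule (ALL_OF / ANY_OF) decides whether decrypt is allowed. The claim names, the `.attr1` selector, the JSON shapes, and the assumption that a Keycloak protocol mapper copies the user attribute into the token are all assumptions for the example; it also shows how a client-credentials token that carries no user attributes ends up with no entitlements.

```python
"""Toy model of an OpenTDF-style entitlement decision.

Added example, not OpenTDF code. The data shapes below are simplified
assumptions chosen to resemble subject mappings, not the real API.
"""
from __future__ import annotations

from typing import Any

# --- constructed sample data (assumptions for the example) -------------------
ATTR_VALUE_FQN = "https://example.com/attr/attr1/value/value1"

# Decoded claims as they might appear in a Keycloak access token for SampleUser,
# assuming a protocol mapper copies the user attribute attr1 into the token.
USER_CLAIMS: dict[str, Any] = {
    "preferred_username": "SampleUser",
    "attr1": "value1",
    "realm_access": {"roles": ["default-roles-opentdf"]},
}

# Decoded claims of a client-credentials token: it represents the client,
# so it carries no user attributes at all.
CLIENT_CLAIMS: dict[str, Any] = {"azp": "opentdf", "clientId": "opentdf"}

# One subject mapping: entitle attr1/value1 when the claim attr1 is in {value1}.
SUBJECT_MAPPINGS = [{
    "attribute_value_fqn": ATTR_VALUE_FQN,
    "subject_condition_set": [{
        "boolean": "AND",
        "conditions": [{"selector": ".attr1", "operator": "IN", "values": ["value1"]}],
    }],
}]

# Attribute definition rule keyed by definition FQN (the part before /value/).
DEFINITIONS = {"https://example.com/attr/attr1": "ALL_OF"}


def select(claims: dict[str, Any], selector: str) -> list[str]:
    """Resolve a dotted selector such as '.realm_access.roles' against claims.
    A scalar becomes a one-element list; a missing path yields []."""
    node: Any = claims
    for part in selector.strip(".").split("."):
        if not isinstance(node, dict) or part not in node:
            return []
        node = node[part]
    return [str(v) for v in node] if isinstance(node, list) else [str(node)]


def condition_holds(claims: dict[str, Any], cond: dict[str, Any]) -> bool:
    """IN: any selected value is in the condition's values; NOT_IN: none is."""
    found = set(select(claims, cond["selector"]))
    wanted = set(cond["values"])
    if cond["operator"] == "IN":
        return bool(found & wanted)
    if cond["operator"] == "NOT_IN":
        return not (found & wanted)
    raise ValueError(f"unknown operator {cond['operator']!r}")


def condition_set_holds(claims: dict[str, Any], groups: list[dict[str, Any]]) -> bool:
    """Groups are ANDed together; inside a group 'boolean' is AND or OR."""
    for group in groups:
        results = [condition_holds(claims, c) for c in group["conditions"]]
        if not (all(results) if group["boolean"] == "AND" else any(results)):
            return False
    return True


def entitlements(claims: dict[str, Any], mappings: list[dict[str, Any]]) -> set[str]:
    """Attribute value FQNs the entity is entitled to under the mappings."""
    return {m["attribute_value_fqn"] for m in mappings
            if condition_set_holds(claims, m["subject_condition_set"])}


def split_fqn(value_fqn: str) -> tuple[str, str]:
    """'https://h/attr/a/value/v' -> ('https://h/attr/a', 'v')."""
    definition, value = value_fqn.rsplit("/value/", 1)
    return definition, value


def decrypt_allowed(claims: dict[str, Any], mappings: list[dict[str, Any]],
                    data_attribute_fqns: list[str], definitions: dict[str, str]) -> bool:
    """Allow decrypt only if every attribute definition on the TDF is satisfied.
    Only ALL_OF and ANY_OF are modelled here; HIERARCHY is out of scope."""
    entitled = entitlements(claims, mappings)
    by_definition: dict[str, list[str]] = {}
    for fqn in data_attribute_fqns:
        definition, _ = split_fqn(fqn)
        by_definition.setdefault(definition, []).append(fqn)
    for definition, fqns in by_definition.items():
        rule = definitions.get(definition, "ALL_OF")
        matched = [fqn in entitled for fqn in fqns]
        if rule == "ALL_OF" and not all(matched):
            return False
        if rule == "ANY_OF" and not any(matched):
            return False
    return True


if __name__ == "__main__":
    for name, claims in (("SampleUser", USER_CLAIMS), ("client opentdf", CLIENT_CLAIMS)):
        print(name, "entitled to", entitlements(claims, SUBJECT_MAPPINGS),
              "decrypt allowed:", decrypt_allowed(claims, SUBJECT_MAPPINGS, [ATTR_VALUE_FQN], DEFINITIONS))
```

The useful part for debugging is the middle layer: if `entitlements()` comes back empty for the token you actually present, the attribute rule never gets a chance to match, so the first thing to inspect is what claims the token carries and whether a mapping's selector points at them.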

pacog1994 commented 1 month ago

I have figured out how to DEBUG the authorization process flow. Based on the debug stack trace it looks like my issue is that I can't successfully authenticate as a specific user in my Keycloak instances via the OTDFCTL tool. Maybe this issue can be solved with #170.

Debug Log: image