opentdf / platform

OpenTDF Platform monorepo enabling the development and integration of _forever control_ of data into new and existing applications. The concept of forever control stems from an increasingly common concept known as zero trust.
BSD 3-Clause Clear License

`GetEntitlements` or `EntityResolution` unexpected entitlements #1055

Status: Closed (strantalis closed this 2 months ago)

strantalis commented 3 months ago

I am seeing weird behavior when calling GetEntitlements. See the example code below.

package main

import (
    "context"
    "log"

    "github.com/opentdf/platform/protocol/go/authorization"
    "github.com/opentdf/platform/sdk"
)

func main() {

    platformEndpoint := "http://localhost:9002"

    // Create a new client
    client, err := sdk.New(
        platformEndpoint,
        sdk.WithInsecurePlaintextConn(), // plaintext connection, for this local example only
        sdk.WithClientCredentials("opentdf", "secret", nil),
    )

    if err != nil {
        log.Fatal(err)
    }

    // Get entitlements for an entity that carries only an Id; the EntityType
    // is left unset (commented out), which is the case this issue is about.

    entitlementReq := &authorization.GetEntitlementsRequest{
        Entities: []*authorization.Entity{
            {
                Id: "entity-1",
                // EntityType: &authorization.Entity_ClientId{
                //  ClientId: "opentdf",
                // },
            },
        },
    }

    entitlements, err := client.Authorization.GetEntitlements(context.Background(), entitlementReq)
    if err != nil {
        log.Fatal(err)
    }

    log.Printf("Entitlements: %v", entitlements.GetEntitlements())

}

I am getting the output below, which I would have expected to be an empty entitlement set.

2024/06/28 15:44:06 Entitlements: [entity_id:"entity-1"  attribute_value_fqns:"https://example.net/attr/attr1/value/value1"  attribute_value_fqns:"https://example.com/attr/attr1/value/value1"]

Logs

time=2024-06-28T15:54:55.796-04:00 level=DEBUG msg="root claim found" claim=realm_access.roles claims="map[roles:[default-roles-opentdf offline_access uma_authorization]]"
time=2024-06-28T15:54:55.796-04:00 level=DEBUG msg="checking role" role=default-roles-opentdf map=standard
time=2024-06-28T15:54:55.796-04:00 level=DEBUG msg="checking role" role=default-roles-opentdf map=admin
time=2024-06-28T15:54:55.796-04:00 level=DEBUG msg="checking role" role=default-roles-opentdf map=org-admin
time=2024-06-28T15:54:55.796-04:00 level=DEBUG msg="checking role" role=offline_access map=standard
time=2024-06-28T15:54:55.796-04:00 level=DEBUG msg="checking role" role=offline_access map=admin
time=2024-06-28T15:54:55.796-04:00 level=DEBUG msg="checking role" role=offline_access map=org-admin
time=2024-06-28T15:54:55.796-04:00 level=DEBUG msg="checking role" role=uma_authorization map=standard
time=2024-06-28T15:54:55.796-04:00 level=DEBUG msg="checking role" role=uma_authorization map=admin
time=2024-06-28T15:54:55.796-04:00 level=DEBUG msg="checking role" role=uma_authorization map=org-admin
time=2024-06-28T15:54:55.796-04:00 level=INFO msg="enforcing policy" subject=role:unknown resource=/entityresolution/resolve action=write
time=2024-06-28T15:54:55.797-04:00 level=DEBUG msg=request ""="entities:{id:\"entity-1\"}"
time=2024-06-28T15:54:55.797-04:00 level=DEBUG msg=EntityResolution req="entities:{id:\"entity-1\"}"
time=2024-06-28T15:54:55.797-04:00 level=WARN msg="Using legacy connection mode for Keycloak < 17.x.x"
time=2024-06-28T15:54:55.847-04:00 level=DEBUG msg="EntityResolution invoked" payload="[id:\"entity-1\"]"
time=2024-06-28T15:54:55.847-04:00 level=DEBUG msg=Lookup entity=<nil>
time=2024-06-28T15:54:55.875-04:00 level=DEBUG msg="User found" user=85019d7d-6837-4328-bf7a-78f03826138c entity="id:\"entity-1\""
time=2024-06-28T15:54:55.875-04:00 level=DEBUG msg=User details="{\n\t\"id\": \"85019d7d-6837-4328-bf7a-78f03826138c\",\n\t\"createdTimestamp\": 1719350856061,\n\t\"username\": \"sample-user\",\n\t\"enabled\": true,\n\t\"totp\": false,\n\t\"emailVerified\": false,\n\t\"firstName\": \"sample\",\n\t\"lastName\": \"user\",\n\t\"email\": \"sampleuser@sample.com\",\n\t\"attributes\": {\n\t\t\"superhero_group\": [\n\t\t\t\"avengers\"\n\t\t],\n\t\t\"superhero_name\": [\n\t\t\t\"thor\"\n\t\t]\n\t},\n\t\"disableableCredentialTypes\": [],\n\t\"requiredActions\": [],\n\t\"access\": {\n\t\t\"impersonate\": false,\n\t\t\"manage\": false,\n\t\t\"manageGroupMembership\": false,\n\t\t\"mapRoles\": false,\n\t\t\"view\": true\n\t}\n}"
time=2024-06-28T15:54:55.875-04:00 level=DEBUG msg=User attributes="&map[superhero_group:[avengers] superhero_name:[thor]]"
time=2024-06-28T15:54:55.875-04:00 level=DEBUG msg=Entities resolved="[additional_props:{fields:{key:\"access\" value:{struct_value:{fields:{key:\"impersonate\" value:{bool_value:false}} fields:{key:\"manage\" value:{bool_value:false}} fields:{key:\"manageGroupMembership\" value:{bool_value:false}} fields:{key:\"mapRoles\" value:{bool_value:false}} fields:{key:\"view\" value:{bool_value:true}}}}} fields:{key:\"attributes\" value:{struct_value:{fields:{key:\"superhero_group\" value:{list_value:{values:{string_value:\"avengers\"}}}} fields:{key:\"superhero_name\" value:{list_value:{values:{string_value:\"thor\"}}}}}}} fields:{key:\"createdTimestamp\" value:{number_value:1.719350856061e+12}} fields:{key:\"disableableCredentialTypes\" value:{list_value:{}}} fields:{key:\"email\" value:{string_value:\"sampleuser@sample.com\"}} fields:{key:\"emailVerified\" value:{bool_value:false}} fields:{key:\"enabled\" value:{bool_value:true}} fields:{key:\"firstName\" value:{string_value:\"sample\"}} fields:{key:\"id\" value:{string_value:\"85019d7d-6837-4328-bf7a-78f03826138c\"}} fields:{key:\"lastName\" value:{string_value:\"user\"}} fields:{key:\"requiredActions\" value:{list_value:{}}} fields:{key:\"totp\" value:{bool_value:false}} fields:{key:\"username\" value:{string_value:\"sample-user\"}}} original_id:\"entity-1\"]"
time=2024-06-28T15:54:55.876-04:00 level=DEBUG msg="Subject mapping plugin invoked"
time=2024-06-28T15:54:55.882-04:00 level=DEBUG msg="opa results" namespace=authorization entity_id=entity-1 results="[https://example.net/attr/attr1/value/value1 https://example.com/attr/attr1/value/value1]"
time=2024-06-28T15:54:55.883-04:00 level=DEBUG msg=opa namespace=authorization rsp="entitlements:{entity_id:\"entity-1\" attribute_value_fqns:\"https://example.net/attr/attr1/value/value1\" attribute_value_fqns:\"https://example.com/attr/attr1/value/value1\"}
elizabethhealy commented 3 months ago

ya this part is def weird

time=2024-06-28T15:54:55.847-04:00 level=DEBUG msg=Lookup entity=<nil>
time=2024-06-28T15:54:55.875-04:00 level=DEBUG msg="User found" user=85019d7d-6837-4328-bf7a-78f03826138c entity="id:\"entity-1\""

but I've been unable to reproduce it thus far, I'll double check how we're handling the default case in Keycloak ERS

what is the expected behavior, should it just be [] or should we error if no entity identifier is provided?

pflynn-virtru commented 3 months ago

I think the direction in general is "Fail Closed". If an entity is unknown, then it should error, like a 404. If no or an incorrect entity identifier is provided, then error, like a 400.
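
Fail-closed handling of the two cases distinguished above, as an added example in Go that is not part of the issue or of the platform's code: Entity, Directory and the IN-style condition model are constructed stand-ins for the SDK types and the Keycloak entity resolution service, and the sample mapping shapes follow the ones visible in the issue's logs.

```go
package main

import (
	"errors"
	"fmt"
)

// Fail-closed 400/404 errors as proposed in the thread. Everything in this file
// is constructed for the example; none of it is the platform's own API.
var ErrBadRequest = errors.New("no entity identifier supplied (400)")
var ErrNotFound = errors.New("entity could not be resolved (404)")

// Entity mirrors the reproducer's request: an Id plus an optional identifier.
// ClientId is the only kind modelled; nil is exactly the case the issue reports.
type Entity struct {
	Id       string
	ClientId *string
}

// Directory stands in for the Keycloak entity resolution service: client id -> user attributes.
type Directory map[string]map[string][]string

// Resolve fails closed: a missing identifier is rejected before any lookup, and
// an unmatched identifier is an error, never a default or empty principal.
func (d Directory) Resolve(e Entity) (map[string][]string, error) {
	if e.ClientId == nil || *e.ClientId == "" {
		return nil, fmt.Errorf("entity %q: %w", e.Id, ErrBadRequest)
	}
	if attrs, ok := d[*e.ClientId]; ok {
		return attrs, nil
	}
	return nil, fmt.Errorf("entity %q: %w", e.Id, ErrNotFound)
}

// Entitle returns the value FQNs whose subject mapping the resolved user satisfies.
// A resolution error propagates, so an identifier-less entity gets an error
// instead of the non-empty set seen in the issue.
func (d Directory) Entitle(e Entity, mappings map[string]map[string][]string) ([]string, error) {
	attrs, err := d.Resolve(e)
	if err != nil {
		return nil, err
	}
	var fqns []string
	for fqn, conds := range mappings {
		if satisfied(attrs, conds) {
			fqns = append(fqns, fqn)
		}
	}
	return fqns, nil
}

// satisfied is an AND over a mapping's conditions (attribute key -> allowed
// values, each an IN check); an empty condition set grants nothing.
func satisfied(attrs, conds map[string][]string) bool {
next:
	for key, allowed := range conds {
		for _, have := range attrs[key] {
			for _, want := range allowed {
				if have == want {
					continue next
				}
			}
		}
		return false
	}
	return len(conds) > 0
}

func main() { // the reproducer's identifier-less entity now fails closed
	fmt.Println(Directory{}.Entitle(Entity{Id: "entity-1"}, nil))
}
```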

cassandrabailey293 commented 2 months ago

Fixed by #1113