feat(policy): implement narrow attribute read APIs #3697

Open
alkalescent wants to merge 6 commits into main from DSPX-2541-attribute-read-apis-service

@alkalescent alkalescent commented Jun 30, 2026

Proposed Changes

Service implementation of the narrow attribute read APIs. Stacked on #3634 (proto + generated code).

  • GetKeyMappingsByFqns / GetEntitleableAttributesByFqns DB methods with value > definition > namespace key resolution (mirrors sdk/granter.go).
  • New lean getSubjectMappingsByValueFqns query (single round-trip; action aggregation restricted to the requested FQNs).
  • Value-FQN guards: reject allow_traversal definition-only fallbacks.
  • Real server handlers replacing #3634's Unimplemented stubs.
  • Integration + unit tests; regenerated SQL.

Stack

  1. feat(policy): add narrow attribute read API protos and generated code #3634 — proto + generated + docs + sdkconnect wrapper
  2. this PR — service implementation

Base is #3634; rebase onto main once it merges.

Summary by CodeRabbit

  • New Features

    • Added support for retrieving key mappings and entitleable attributes by attribute FQN.
    • Returned results now include richer subject-mapping details and better hierarchy-aware attribute grouping.
  • Bug Fixes

    • Improved key selection so the most specific available keys are used first, with safer fallback behavior.
    • Requests for missing or invalid attribute values now fail consistently instead of returning partial data.
    • Legacy key grants are now filtered more reliably to exclude unusable entries.

@alkalescent alkalescent requested review from a team as code owners June 30, 2026 21:34

coderabbitai Bot commented Jun 30, 2026

Review details
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7b1c640c-fd33-47b3-b6fa-640426f26f53

📥 Commits

Reviewing files that changed from the base of the PR and between 3f48978 and 0ba0a45.

📒 Files selected for processing (2)
  • service/policy/db/attribute_fqn.go
  • service/policy/db/grant_mappings.go
📝 Walkthrough

Implements GetKeyMappingsByFqns and GetEntitleableAttributesByFqns RPCs, replacing unimplemented stubs. Adds PolicyDBClient logic for FQN resolution, KAS key precedence (value/definition/namespace, with legacy grant fallback), a new subject-mappings-by-value-fqns SQL query and generated code, plus unit and integration tests.

Changes

FQN key mapping and entitlement lookups

| Layer / File(s) | Summary |
| --- | --- |
| Subject mappings by value FQN query: service/policy/db/queries/subject_mappings.sql, service/policy/db/subject_mappings.sql.go | Adds getSubjectMappingsByValueFqns SQL query and generated Go method fetching value-level subject mappings with aggregated actions, condition sets, and attribute value JSON. |
| GetKeyMappingsByFqns DB client and KAS key precedence: service/policy/db/attribute_fqn.go, service/policy/db/grant_mappings.go, service/policy/db/attribute_fqn_test.go | Adds GetKeyMappingsByFqns, resolveEffectiveKasKeys (value > definition > namespace precedence), mapKasPublicKeyAlgToAlgorithm, grantsToSimpleKasKeys, and unit tests. |
| GetEntitleableAttributesByFqns DB client and hydration: service/policy/db/attribute_fqn.go | Adds GetEntitleableAttributesByFqns and hydrateSubjectMappingForEntitlement, expanding hierarchy sibling FQNs and assembling per-definition and per-FQN entitlement responses. |
| RPC handler wiring: service/policy/attributes/attributes.go | Replaces unimplemented stubs with traced implementations calling the DB client and statusifying retrieval errors. |
| Integration tests: service/integration/attributes_test.go | Adds integration test suites covering key mapping inheritance, grant behavior, entitleable attribute deduplication, hierarchy, namespace scoping, and error paths. |

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

```mermaid
sequenceDiagram
  participant AttributesService
  participant PolicyDBClient
  participant resolveEffectiveKasKeys
  AttributesService->>PolicyDBClient: GetKeyMappingsByFqns(fqns)
  PolicyDBClient->>PolicyDBClient: GetAttributesByValueFqns(fqns)
  PolicyDBClient->>resolveEffectiveKasKeys: resolve value/definition/namespace keys
  resolveEffectiveKasKeys-->>PolicyDBClient: effective KAS keys
  PolicyDBClient-->>AttributesService: AttributeKeyMapping per FQN
```

```mermaid
sequenceDiagram
  participant AttributesService
  participant PolicyDBClient
  participant SubjectMappingsQuery

  AttributesService->>PolicyDBClient: GetEntitleableAttributesByFqns(fqns)
  PolicyDBClient->>PolicyDBClient: GetAttributesByValueFqns(fqns)
  PolicyDBClient->>PolicyDBClient: expand hierarchy sibling FQNs
  PolicyDBClient->>SubjectMappingsQuery: getSubjectMappingsByValueFqns(valueFqns)
  SubjectMappingsQuery-->>PolicyDBClient: subject mapping rows
  PolicyDBClient->>PolicyDBClient: hydrateSubjectMappingForEntitlement(rows)
  PolicyDBClient-->>AttributesService: entitleable definitions and per-FQN values
```

Suggested reviewers: elizabethhealy, jakedoublev

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 66.67% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the main change: implementing the narrow attribute read APIs in the policy service. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@github-actions github-actions Bot added comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) labels Jun 30, 2026
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request completes the service-level implementation for the narrow attribute read APIs, following the previously merged protocol and generated code changes. It focuses on providing efficient, performant data retrieval for key mappings and entitleable attributes by optimizing database queries and enforcing correct FQN resolution logic. These changes are part of a multi-stage rollout to ensure release safety.

Highlights

  • Service Implementation: Implemented the service-level handlers for GetKeyMappingsByFqns and GetEntitleableAttributesByFqns, replacing the previous Unimplemented stubs.
  • Database Layer: Added efficient DB methods for key resolution (value > definition > namespace) and a new lean query getSubjectMappingsByValueFqns to retrieve subject mappings in a single round-trip.
  • Policy Enforcement: Introduced value-FQN guards to reject definition-only fallbacks, ensuring stricter policy validation.
  • Testing: Added comprehensive integration and unit tests to verify key mapping inheritance and entitlement resolution logic.

@gemini-code-assist gemini-code-assist Bot left a comment

Code Review

This pull request implements the server-side database and service logic for the GetKeyMappingsByFqns and GetEntitleableAttributesByFqns endpoints in the policy service, along with corresponding integration and unit tests. The review feedback suggests minor improvements to these database methods, specifically adding early returns when the input FQN slice is empty to avoid redundant database queries, and normalizing keys to lowercase during subject mapping lookups to ensure case-insensitive robustness.

Comment thread service/policy/db/attribute_fqn.go Outdated
Comment thread service/policy/db/attribute_fqn.go
Comment thread service/policy/db/attribute_fqn.go
@alkalescent alkalescent force-pushed the DSPX-2541-attribute-read-apis branch from 10d625d to a40a66d Compare June 30, 2026 21:38
@alkalescent alkalescent force-pushed the DSPX-2541-attribute-read-apis-service branch from 5d4d9cc to 1ebed0f Compare June 30, 2026 21:38
@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 195.589174ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 110.10593ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 411.032232ms
Throughput 243.29 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 45.150200085s
Average Latency 449.232824ms
Throughput 110.74 requests/second

@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 207.449977ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 111.106603ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 665.097593ms
Throughput 150.35 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 44.769835593s
Average Latency 446.187791ms
Throughput 111.68 requests/second

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@service/integration/attributes_test.go`:
- Around line 1673-1678: The GetKeyMappingsByFqns negative-path subtest
currently only checks that an error is returned, but it should also verify the
specific contract for missing mappings. Update the “errors when a requested fqn
does not exist” case in attributes_test.go to assert the error is db.ErrNotFound
using ErrorIs on the err returned from PolicyClient.GetKeyMappingsByFqns, and
apply the same pattern to any other non-existent FQN subtests in this area.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 4728e400-250b-4050-addf-126cc5ba6902

📥 Commits

Reviewing files that changed from the base of the PR and between a40a66d and 1ebed0f.

📒 Files selected for processing (6)
  • service/integration/attributes_test.go
  • service/policy/attributes/attributes.go
  • service/policy/db/attribute_fqn.go
  • service/policy/db/attribute_fqn_test.go
  • service/policy/db/queries/subject_mappings.sql
  • service/policy/db/subject_mappings.sql.go

Comment thread service/integration/attributes_test.go
@alkalescent alkalescent force-pushed the DSPX-2541-attribute-read-apis branch from a40a66d to 3239ed4 Compare June 30, 2026 22:41
@alkalescent alkalescent requested a review from a team as a code owner June 30, 2026 22:41
@alkalescent alkalescent force-pushed the DSPX-2541-attribute-read-apis-service branch 2 times, most recently from abaa330 to 39680c6 Compare June 30, 2026 22:45
@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 215.795303ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 115.754087ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 443.635392ms
Throughput 225.41 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 46.108388125s
Average Latency 459.770573ms
Throughput 108.44 requests/second

@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 214.05914ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 117.995708ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 460.036859ms
Throughput 217.37 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 45.943055923s
Average Latency 457.627503ms
Throughput 108.83 requests/second

@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 209.707449ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 106.110781ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 415.799996ms
Throughput 240.50 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 45.718756399s
Average Latency 455.318103ms
Throughput 109.36 requests/second

Base automatically changed from DSPX-2541-attribute-read-apis to main July 1, 2026 17:24
github-merge-queue Bot pushed a commit that referenced this pull request Jul 1, 2026
…#3634)

## Proposed Changes

Proto and generated-code portion of the narrow attribute read APIs,
split out so the heavy service implementation lands separately and
`protocol/go` releases cleanly.

Adds two RPCs to `AttributesService`:
- **`GetKeyMappingsByFqns`** — per value FQN: the attribute rule and
effective KAS keys (value > definition > namespace precedence), for
client-side key splits.
- **`GetEntitleableAttributesByFqns`** — per value FQN: rule, value id,
the definition's ordered value FQNs (hierarchy), and value-level subject
mappings, for server-side decisioning.

Includes the `.proto`, regenerated `protocol/go`, gRPC/OpenAPI docs, and
the generated `sdkconnect` client wrapper. The wrapper and the
`AttributesServiceClient` test mocks ship here because CI regenerates
them from the proto (`make connect-wrapper-generate`) and requires a
clean tree. Server methods are `Unimplemented` stubs.

## PR stack
Replaces the previous combined PR per review (separate proto/generated
from service logic). Merge order:
1. **this PR** — proto + generated + docs + sdkconnect wrapper
2. #3697 — service implementation (DB, SQL, real handlers, tests)

Follow-up feature branch: switch the SDK granter to consume
`GetKeyMappingsByFqns` and add an xtest proving key-split parity with
the previous SDK.

Signed-off-by: Krish Suchak <[email protected]>

Implement GetKeyMappingsByFqns and GetEntitleableAttributesByFqns in the
attributes service: DB methods with value > definition > namespace key
resolution, a lean subject-mapping-by-FQN query, value-FQN guards (reject
allow_traversal definition-only fallbacks), real handlers replacing the proto
PR's stubs, integration/unit tests, and updated AttributesServiceClient mocks.

Signed-off-by: Krish Suchak <[email protected]>

- early-return on empty fqns in GetKeyMappingsByFqns and
  GetEntitleableAttributesByFqns to avoid a needless DB round-trip
- assert db.ErrNotFound in the non-existent-FQN integration subtests

Signed-off-by: Krish Suchak <[email protected]>

Extend resolveEffectiveKasKeys to fall through to grant-derived keys per level
(value > definition > namespace, mapped keys preferred within a level), so the
RPC returns the effective key set for grant-configured policy instead of an empty
set. Grants are converted to SimpleKasKeys from their cached public keys; grants
without a cached key are skipped. This lets the SDK stop resolving grants and use
the RPC as a complete replacement for the split path.

Signed-off-by: Krish Suchak <[email protected]>

Return the subject mapping's own namespace from getSubjectMappingsByValueFqns
and hydrate SubjectMapping.Namespace in GetEntitleableAttributesByFqns, so the
API carries what the PDP's strict namespaced-entitlements filter requires.

Signed-off-by: Krish Suchak <[email protected]>
@alkalescent alkalescent force-pushed the DSPX-2541-attribute-read-apis-service branch from 27563e7 to 3f48978 Compare July 1, 2026 21:57
github-actions Bot commented Jul 1, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 203.80423ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 106.903955ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 433.327616ms
Throughput 230.77 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 46.187725802s
Average Latency 460.881333ms
Throughput 108.25 requests/second

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@service/policy/db/attribute_fqn.go`:
- Around line 218-238: The value-FQN normalization and validation logic is
duplicated in GetKeyMappingsByFqns and GetEntitleableAttributesByFqns, so
extract it into a shared helper on PolicyDBClient (for example, a
resolveValueFqns-style method) that lowercases the input FQNs, calls
GetAttributesByValueFqns, and rejects any result whose AttributeAndValue has a
nil Value. Update both call sites to use the helper so the
allow_traversal/value-FQN contract lives in one place and cannot drift.
- Around line 208-213: The docstring for GetKeyMappingsByFqns contradicts the
real fallback behavior in resolveEffectiveKasKeys and the legacy-grants test.
Update the comment to say that effective KAS keys are resolved with value >
definition > namespace precedence and that legacy grant-only rules can still
produce keys via grantsToSimpleKasKeys when cached key material is available,
while grants without usable kid/pem are skipped. Keep the wording aligned with
the behavior of GetKeyMappingsByFqns, resolveEffectiveKasKeys, and
grantsToSimpleKasKeys.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 6eabce9c-509b-41dc-af52-8c5ddc95c8ba

📥 Commits

Reviewing files that changed from the base of the PR and between 1ebed0f and 3f48978.

📒 Files selected for processing (7)
  • service/integration/attributes_test.go
  • service/policy/attributes/attributes.go
  • service/policy/db/attribute_fqn.go
  • service/policy/db/attribute_fqn_test.go
  • service/policy/db/grant_mappings.go
  • service/policy/db/queries/subject_mappings.sql
  • service/policy/db/subject_mappings.sql.go

Comment thread service/policy/db/attribute_fqn.go Outdated
Comment thread service/policy/db/attribute_fqn.go Outdated
- correct GetKeyMappingsByFqns docstring to reflect grant fallback (grants
  resolve per level; only grants without a cached kid/pem are skipped)
- extract shared resolveValueFqns helper used by GetKeyMappingsByFqns and
  GetEntitleableAttributesByFqns (normalize, resolve, reject nil-value)

Signed-off-by: Krish Suchak <[email protected]>
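
The resolution rules stated in this PR's description and commit messages (lowercase the FQNs, reject definition-only matches, then take keys by value > definition > namespace with mapped keys preferred over grants and grants lacking a cached key skipped), as an added Go example that is not the project's code. `Key`, `Level`, `Resolved`, `KeyMappings`, `EffectiveKeys`, `ErrNotValueFQN` and the in-memory store are hypothetical stand-ins, and the sample data is constructed.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Hypothetical stand-ins for illustration; none of these are the project's types.
type Key struct{ KasURI, KID, PEM string }

// Level is what one policy level carries: mapped keys and legacy grants.
type Level struct{ Mapped, Grants []Key }

// Resolved is one lookup hit; Value is nil for a definition-only match.
type Resolved struct {
	Value                 *Level
	Definition, Namespace Level
}

var (
	ErrNotFound    = errors.New("not found")
	ErrNotValueFQN = errors.New("fqn did not resolve to an attribute value") // assumed error
)

// usableGrants keeps only grants that carry a URI and cached key material.
func usableGrants(grants []Key) []Key {
	var out []Key
	for _, g := range grants {
		if g.KasURI != "" && g.KID != "" && g.PEM != "" {
			out = append(out, g)
		}
	}
	return out
}

// EffectiveKeys walks value > definition > namespace and returns the keys of
// the first level that has any, preferring mapped keys over grants in a level.
func EffectiveKeys(r Resolved) []Key {
	levels := []Level{r.Definition, r.Namespace}
	if r.Value != nil {
		levels = append([]Level{*r.Value}, levels...)
	}
	for _, lvl := range levels {
		if len(lvl.Mapped) > 0 {
			return lvl.Mapped
		}
		if keys := usableGrants(lvl.Grants); len(keys) > 0 {
			return keys
		}
	}
	return nil
}

// KeyMappings resolves every requested FQN or fails the whole request.
func KeyMappings(store map[string]Resolved, fqns []string) (map[string][]Key, error) {
	out := make(map[string][]Key, len(fqns))
	for _, raw := range fqns { // an empty request never touches the store
		fqn := strings.ToLower(raw)
		r, ok := store[fqn]
		if !ok {
			return nil, fmt.Errorf("%w: %s", ErrNotFound, fqn)
		}
		if r.Value == nil { // definition-only fallback: reject, do not guess
			return nil, fmt.Errorf("%w: %s", ErrNotValueFQN, fqn)
		}
		out[fqn] = EffectiveKeys(r)
	}
	return out, nil
}

// SampleStore returns constructed policy data (example.com names are made up).
func SampleStore() map[string]Resolved {
	ns := Level{Mapped: []Key{{"https://kas-ns.example.com", "ns-1", "PEM-NS"}}}
	def := Level{Grants: []Key{{"https://kas-def.example.com", "def-1", "PEM-DEF"}}}
	return map[string]Resolved{
		"https://example.com/attr/cls/value/secret": {
			Value:      &Level{Mapped: []Key{{"https://kas-val.example.com", "val-1", "PEM-VAL"}}},
			Definition: def, Namespace: ns},
		"https://example.com/attr/cls/value/internal": {
			// the value-level grant has no cached key, so it is skipped
			Value:      &Level{Grants: []Key{{"https://kas-old.example.com", "", ""}}},
			Definition: def, Namespace: ns},
		"https://example.com/attr/team/value/blue": {Value: &Level{}, Namespace: ns},
		"https://example.com/attr/cls":             {Definition: def, Namespace: ns},
	}
}

func main() {
	got, err := KeyMappings(SampleStore(), []string{
		"https://example.com/attr/cls/value/SECRET",
		"https://example.com/attr/cls/value/internal",
		"https://example.com/attr/team/value/blue",
	})
	fmt.Println(got, err)
	_, err = KeyMappings(SampleStore(), []string{"https://example.com/attr/cls"})
	fmt.Println(err)
}
```
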
github-actions Bot commented Jul 2, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 167.680368ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 94.029465ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 415.802829ms
Throughput 240.50 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 42.486890625s
Average Latency 422.646135ms
Throughput 117.68 requests/second

grant.GetUri() is nil-safe and returns "" for a nil grant, so the grant == nil
clause is redundant; the empty-URI check already skips nil grants.

Signed-off-by: Krish Suchak <[email protected]>
github-actions Bot commented Jul 2, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 159.827799ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 81.940052ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 355.648349ms
Throughput 281.18 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 35.09796912s
Average Latency 349.609904ms
Throughput 142.46 requests/second

github-actions Bot commented Jul 2, 2026

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • otdfctl
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.

Labels

comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) size/m
