feat(policy): create subject mappings with attribute values#3741
Conversation
Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Repository UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughAttribute value creation now accepts validated subject mappings, creates and audits them transactionally, and returns nested mappings through ID and FQN retrieval. SQL aggregation, protobuf hydration, OpenAPI/gRPC documentation, validation tests, and integration coverage were added or updated. ChangesAttribute value subject mappings
Estimated code review effort: 4 (Complex) | ~60 minutes Sequence Diagram(s)sequenceDiagram
participant Client
participant CreateAttributeValue
participant PolicyDB
participant GetAttributeValue
Client->>CreateAttributeValue: submit attribute value with subject mappings
CreateAttributeValue->>PolicyDB: create attribute value and subject mappings
PolicyDB-->>CreateAttributeValue: return created value
Client->>GetAttributeValue: request value by ID or FQN
GetAttributeValue->>PolicyDB: query aggregated subject mappings
PolicyDB-->>GetAttributeValue: return mapping JSON
GetAttributeValue-->>Client: return hydrated subject mappings
Suggested reviewers: Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces the ability to define subject mappings directly when creating an attribute value. By allowing these mappings to be processed within the same transaction, it simplifies the policy management workflow and ensures atomicity. The changes include updates to the protobuf definitions, database client logic, and robust test coverage to ensure data integrity. Highlights
New Features🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Ignored Files
Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. Attributes grow with mappings new, In transactions, they hold true. With subject sets and actions defined, A cleaner policy we now find. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request introduces support for creating inline subject mappings when creating attribute values, updating the protobuf definitions, database creation logic, and associated unit and integration tests. The reviewer feedback highlights three key areas for improvement: defaulting the namespace of inline subject mappings to the parent attribute's namespace to prevent unintended global mappings, standardizing optional UUID validation in the protobuf definitions using built-in validators, and adding message-level validation to ensure that either an existing or a new subject condition set is provided.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
This reverts commit 2a4d32f.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
There was a problem hiding this comment.
Actionable comments posted: 5
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@service/integration/attribute_values_test.go`:
- Around line 1410-1411: Update the test setup for mappingNamespace in the
namespace mismatch case to explicitly create and provision a "read" policy
action before constructing the policy.Action reference. Keep the test focused on
the intended attribute-level namespace mismatch and preserve its existing
assertions.
In `@service/policy/attributes/attributes.proto`:
- Around line 294-296: Update the protobuf documentation around the
namespace_id/namespace_fqn oneof to explicitly state that when both fields are
omitted, CreateAttributeValue inherits the parent attribute’s namespace.
Preserve the existing optional validation rule, then regenerate protobuf
artifacts with make proto-generate and verify the changes pass buf lint.
- Around line 276-284: Update the actions field in the relevant mapping request
schema to use the request-specific action DTO/schema instead of policy.Action,
ensuring payloads containing only name or only id validate correctly;
alternatively, remove the generated top-level oneOf for deprecated
custom/standard variants so the OpenAPI schema accepts those forms.
In `@service/policy/db/attribute_values.go`:
- Around line 71-78: Update the subject-mapping aggregate’s read model and
hydration path used by GetAttributeValue to emit and preserve metadata from
CreateSubjectMappingRequest.Metadata, ensuring the audit Original retains those
labels. Add a round-trip test covering metadata written during subject-mapping
creation and returned through GetAttributeValue.
In `@service/policy/db/utils.go`:
- Around line 222-240: Add unit tests for unmarshalSubjectMappingsProto,
mirroring the existing actions helper test structure. Cover a valid single
mapping, multiple mappings, nil input, malformed outer JSON, and malformed
mapping JSON, asserting both returned errors and populated mappings.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 0b5cdfed-3fff-48b9-84d0-f59d76a16ddc
⛔ Files ignored due to path filters (1)
protocol/go/policy/attributes/attributes.pb.gois excluded by!**/*.pb.go
📒 Files selected for processing (10)
docs/grpc/index.htmldocs/openapi/policy/attributes/attributes.openapi.yamlservice/integration/attribute_values_test.goservice/policy/attributes/attributes.goservice/policy/attributes/attributes.protoservice/policy/attributes/attributes_test.goservice/policy/db/attribute_values.goservice/policy/db/attribute_values.sql.goservice/policy/db/queries/attribute_values.sqlservice/policy/db/utils.go
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
ryanulit
left a comment
There was a problem hiding this comment.
LGTM, just that one comment
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
|
Summary
Summary by CodeRabbit