Skip to content

feat(policy): create subject mappings with attribute values#3741

Merged
jakedoublev merged 14 commits into
mainfrom
fix/DSPX-3877
Jul 16, 2026
Merged

feat(policy): create subject mappings with attribute values#3741
jakedoublev merged 14 commits into
mainfrom
fix/DSPX-3877

Conversation

@jakedoublev

@jakedoublev jakedoublev commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

  • add optional subject mappings to CreateAttributeValue requests
  • create inline subject mappings in the same attribute-value transaction path

Summary by CodeRabbit

  • New Features
    • Attribute values can now include up to 250 subject mappings, referencing either existing condition sets or creating new ones inline.
    • Creating and retrieving an attribute value now includes the associated subject mappings with actions, namespaces, and conditions.
    • Added request validation for mapping sources, actions, namespaces, and item limits.
    • Enhanced audit logging for subject-mapping and related obligation trigger events.
    • Updated policy documentation (gRPC/HTML and OpenAPI) to reflect the new request/response shapes.
  • Bug Fixes
    • Prevented attribute value creation when attribute value and subject mappings use mismatched namespaces.

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a1c75492-79ba-464f-a79a-044d24c9943c

📥 Commits

Reviewing files that changed from the base of the PR and between 6712a76 and 18a147d.

📒 Files selected for processing (2)
  • service/policy/attributes/attributes.go
  • service/policy/attributes/attributes.proto

📝 Walkthrough

Walkthrough

Attribute value creation now accepts validated subject mappings, creates and audits them transactionally, and returns nested mappings through ID and FQN retrieval. SQL aggregation, protobuf hydration, OpenAPI/gRPC documentation, validation tests, and integration coverage were added or updated.

Changes

Attribute value subject mappings

Layer / File(s) Summary
Subject mapping request contract and validation
service/policy/attributes/attributes.proto, docs/openapi/..., docs/grpc/index.html, service/policy/attributes/attributes_test.go
Adds validated subject mapping fields, condition-set source constraints, namespace options, metadata, API documentation, and a 250-item limit.
Subject mapping creation and audit
service/policy/db/attribute_values.go, service/policy/attributes/attributes.go
Creates subject mappings during attribute value creation and records per-mapping audit success or failure events.
Subject mapping aggregation and hydration
service/policy/db/queries/attribute_values.sql, service/policy/db/attribute_values.sql.go, service/policy/db/utils.go, service/policy/db/attribute_values.go
Aggregates nested mappings in SQL, scans and decodes them, and includes them in returned policy values.
End-to-end subject mapping behavior
service/integration/attribute_values_test.go
Verifies inline mappings, retrieval by ID and FQN, and explicit namespace mismatch errors.

Estimated code review effort: 4 (Complex) | ~60 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Client
  participant CreateAttributeValue
  participant PolicyDB
  participant GetAttributeValue
  Client->>CreateAttributeValue: submit attribute value with subject mappings
  CreateAttributeValue->>PolicyDB: create attribute value and subject mappings
  PolicyDB-->>CreateAttributeValue: return created value
  Client->>GetAttributeValue: request value by ID or FQN
  GetAttributeValue->>PolicyDB: query aggregated subject mappings
  PolicyDB-->>GetAttributeValue: return mapping JSON
  GetAttributeValue-->>Client: return hydrated subject mappings
Loading

Suggested reviewers: alkalescent

Poem

I’m a rabbit with mappings to weave,
New value-bound paths now retrieve.
Condition sets nest,
Audits attest,
Namespaces align as we leap! 🐇

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly and concisely summarizes the main change: creating subject mappings alongside attribute values.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/DSPX-3877

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions github-actions Bot added comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) docs Documentation size/s labels Jul 9, 2026
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 112.208756ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 48.538297ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 233.39251ms
Throughput 428.46 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 23.318741793s
Average Latency 232.199535ms
Throughput 214.42 requests/second

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces the ability to define subject mappings directly when creating an attribute value. By allowing these mappings to be processed within the same transaction, it simplifies the policy management workflow and ensures atomicity. The changes include updates to the protobuf definitions, database client logic, and robust test coverage to ensure data integrity.

Highlights

  • API Enhancement: Added optional subject mappings to the CreateAttributeValue request, allowing for inline creation of subject mappings during attribute value creation.
  • Validation and Coverage: Implemented comprehensive validation for subject mapping inputs and added integration tests to verify successful creation and rollback behavior.
New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Ignored Files
  • Ignored by pattern: docs/openapi/**/* (1)
    • docs/openapi/policy/attributes/attributes.openapi.yaml
  • Ignored by pattern: protocol/**/* (1)
    • protocol/go/policy/attributes/attributes.pb.go
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.


Attributes grow with mappings new, In transactions, they hold true. With subject sets and actions defined, A cleaner policy we now find.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces support for creating inline subject mappings when creating attribute values, updating the protobuf definitions, database creation logic, and associated unit and integration tests. The reviewer feedback highlights three key areas for improvement: defaulting the namespace of inline subject mappings to the parent attribute's namespace to prevent unintended global mappings, standardizing optional UUID validation in the protobuf definitions using built-in validators, and adding message-level validation to ensure that either an existing or a new subject condition set is provided.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread service/policy/db/attribute_values.go
Comment thread service/policy/attributes/attributes.proto Outdated
Comment thread service/policy/attributes/attributes.proto
Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 155.771237ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 93.622605ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 413.896711ms
Throughput 241.61 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 44.156552563s
Average Latency 440.133465ms
Throughput 113.23 requests/second

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 170.866553ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 95.91033ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 409.431251ms
Throughput 244.24 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 43.877682057s
Average Latency 437.187895ms
Throughput 113.95 requests/second

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 205.189732ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 114.94366ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 424.942985ms
Throughput 235.33 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 47.018102076s
Average Latency 468.254508ms
Throughput 106.34 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

Comment thread service/integration/attribute_values_test.go Outdated
Comment thread service/integration/attribute_values_test.go Outdated
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 198.347681ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 101.926355ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 482.195759ms
Throughput 207.38 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 45.089552077s
Average Latency 448.880574ms
Throughput 110.89 requests/second

Comment thread service/integration/attribute_values_test.go Outdated
Comment thread service/policy/db/attribute_values.go Outdated
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 246.026958ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 165.613423ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 452.53034ms
Throughput 220.98 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 45.393170667s
Average Latency 451.254352ms
Throughput 110.15 requests/second

@jakedoublev
jakedoublev marked this pull request as ready for review July 15, 2026 19:42
@jakedoublev
jakedoublev requested review from a team as code owners July 15, 2026 19:42
@jakedoublev
jakedoublev requested a review from ryanulit July 15, 2026 19:48
@jakedoublev
jakedoublev enabled auto-merge July 15, 2026 19:48

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 5

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@service/integration/attribute_values_test.go`:
- Around line 1410-1411: Update the test setup for mappingNamespace in the
namespace mismatch case to explicitly create and provision a "read" policy
action before constructing the policy.Action reference. Keep the test focused on
the intended attribute-level namespace mismatch and preserve its existing
assertions.

In `@service/policy/attributes/attributes.proto`:
- Around line 294-296: Update the protobuf documentation around the
namespace_id/namespace_fqn oneof to explicitly state that when both fields are
omitted, CreateAttributeValue inherits the parent attribute’s namespace.
Preserve the existing optional validation rule, then regenerate protobuf
artifacts with make proto-generate and verify the changes pass buf lint.
- Around line 276-284: Update the actions field in the relevant mapping request
schema to use the request-specific action DTO/schema instead of policy.Action,
ensuring payloads containing only name or only id validate correctly;
alternatively, remove the generated top-level oneOf for deprecated
custom/standard variants so the OpenAPI schema accepts those forms.

In `@service/policy/db/attribute_values.go`:
- Around line 71-78: Update the subject-mapping aggregate’s read model and
hydration path used by GetAttributeValue to emit and preserve metadata from
CreateSubjectMappingRequest.Metadata, ensuring the audit Original retains those
labels. Add a round-trip test covering metadata written during subject-mapping
creation and returned through GetAttributeValue.

In `@service/policy/db/utils.go`:
- Around line 222-240: Add unit tests for unmarshalSubjectMappingsProto,
mirroring the existing actions helper test structure. Cover a valid single
mapping, multiple mappings, nil input, malformed outer JSON, and malformed
mapping JSON, asserting both returned errors and populated mappings.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 0b5cdfed-3fff-48b9-84d0-f59d76a16ddc

📥 Commits

Reviewing files that changed from the base of the PR and between 6dd5f64 and 6712a76.

⛔ Files ignored due to path filters (1)
  • protocol/go/policy/attributes/attributes.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (10)
  • docs/grpc/index.html
  • docs/openapi/policy/attributes/attributes.openapi.yaml
  • service/integration/attribute_values_test.go
  • service/policy/attributes/attributes.go
  • service/policy/attributes/attributes.proto
  • service/policy/attributes/attributes_test.go
  • service/policy/db/attribute_values.go
  • service/policy/db/attribute_values.sql.go
  • service/policy/db/queries/attribute_values.sql
  • service/policy/db/utils.go

Comment thread service/integration/attribute_values_test.go
Comment thread service/policy/attributes/attributes.proto
Comment thread service/policy/attributes/attributes.proto Outdated
Comment thread service/policy/db/attribute_values.go
Comment thread service/policy/db/utils.go
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 135.885998ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 77.77936ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 324.805713ms
Throughput 307.88 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 36.482245777s
Average Latency 363.69516ms
Throughput 137.05 requests/second

ryanulit
ryanulit previously approved these changes Jul 15, 2026

@ryanulit ryanulit left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, just that one comment

Comment thread service/policy/attributes/attributes.go
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 211.441727ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 112.567183ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 416.755528ms
Throughput 239.95 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 45.338747261s
Average Latency 450.98023ms
Throughput 110.28 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • otdfctl
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.

@jakedoublev
jakedoublev added this pull request to the merge queue Jul 16, 2026
Merged via the queue into main with commit 718320b Jul 16, 2026
78 of 81 checks passed
@jakedoublev
jakedoublev deleted the fix/DSPX-3877 branch July 16, 2026 21:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) docs Documentation size/s

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants