feat(authz): Allow un-scoped GetEntitlements calls (#833)

Resolves #823 Per the proto definitions scope should be optional for getEntitlements However there will be performance implications on un-scoped calls since we will have to evaluate all subject mappings Temporary solution: retrieve all the attribute fqns then get their subject mappings
opentdf · May 17, 2024 · 9146947 · 9146947
1 parent 7cad1f1
commit 9146947
Showing 1 changed file with 26 additions and 8 deletions.
diff --git a/service/authorization/authorization.go b/service/authorization/authorization.go
@@ -271,19 +271,37 @@ func (as *AuthorizationService) GetDecisions(ctx context.Context, req *authoriza
 
 func (as *AuthorizationService) GetEntitlements(ctx context.Context, req *authorization.GetEntitlementsRequest) (*authorization.GetEntitlementsResponse, error) {
 	as.logger.DebugContext(ctx, "getting entitlements")
-	// Scope is required for because of performance.  Remove and handle 360 no scope
-	// https://github.com/opentdf/platform/issues/365
-	if req.GetScope() == nil {
-		as.logger.ErrorContext(ctx, "requires scope")
-		return nil, errors.New(db.ErrTextFqnMissingValue)
-	}
-	// get subject mappings
 	request := attr.GetAttributeValuesByFqnsRequest{
-		Fqns: req.GetScope().GetAttributeValueFqns(),
 		WithValue: &policy.AttributeValueSelector{
 			WithSubjectMaps: true,
 		},
 	}
+	// Lack of scope has impacts on performance
+	// https://github.com/opentdf/platform/issues/365
+	if req.GetScope() == nil {
+		// TODO: Reomve and use MatchSubjectMappings instead later in the flow
+		listAttributeResp, err := as.sdk.Attributes.ListAttributes(ctx, &attr.ListAttributesRequest{})
+		if err != nil {
+			return nil, err
+		}
+		var attributeFqns []string
+		for _, attr := range listAttributeResp.GetAttributes() {
+			ns := attr.GetNamespace().GetName()
+			an := attr.GetName()
+			for _, val := range attr.GetValues() {
+				fqn, err := fqnBuilder(ns, an, val.GetValue())
+				if err != nil {
+					slog.Error("Error building attribute fqn for ", "attr", attr, "value", val)
+					return nil, err
+				}
+				attributeFqns = append(attributeFqns, fqn)
+			}
+		}
+		request.Fqns = attributeFqns
+	} else {
+		// get subject mappings
+		request.Fqns = req.GetScope().GetAttributeValueFqns()
+	}
 	avf, err := as.sdk.Attributes.GetAttributeValuesByFqns(ctx, &request)
 	if err != nil {
 		return nil, err