[Authz] Add QueryAllowedProjects client method#8
Merged
Conversation
Adds a third query method to the Client interface that calls the new allowed_projects Rego rule and returns the set of project names the caller is allowed to read or list. A returned slice containing "*" signals that all projects are accessible. - types.go: new AllowedProjectsQueryPath config field; new AllowedProjectsRequest/Input/Response types - opa.go: extend Client interface with QueryAllowedProjects - http.go: extract a private doRequest helper shared by all three query methods (URL build, marshal, retry, verbose log, unmarshal); add QueryAllowedProjects with the same override-bypass behavior as the existing methods - nop.go, mock.go: implement the new method (Nop returns ["*"]) - factory.go: thread AllowedProjectsQueryPath into NewHTTPClient - http_test.go: third route on the in-test OPA server, fixture-backed test helper, five new test cases covering wildcard, concrete projects, empty/unknown ids, and override bypass - README.md: document the new method and config field Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
liranbg
reviewed
May 7, 2026
|
|
||
| var response PermissionQueryResponse | ||
| if err := c.doRequest(ctx, c.permissionQueryPath, request, &response); err != nil { | ||
| return false, err |
|
|
||
| var response AllowedProjectsResponse | ||
| if err := c.doRequest(ctx, c.allowedProjectsQueryPath, request, &response); err != nil { | ||
| return nil, err |
liranbg
approved these changes
May 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
📝 Description
Adds a third query method,
QueryAllowedProjects, to the OPAClientinterface. It calls the newallowed_projectsRego rule (orca PR #707) and returns the set of project names the caller is allowed to read or list. A returned slice containing"*"signals "all projects accessible" — callers treat"*"as a wildcard; no concrete names are returned alongside it.This gives consumers a single OPA query to compute project-scoped visibility instead of filtering per-resource paths.
🛠️ Changes Made
types.go: newConfig.AllowedProjectsQueryPathfield; newAllowedProjectsRequest/AllowedProjectsRequestInput/AllowedProjectsResponsetypes.opa.go: extendClientinterface withQueryAllowedProjects(ctx, *PermissionOptions) ([]string, error).http.go:doRequesthelper that all three query methods share (URL build, headers, marshal, retry loop, verbose request/response logging, unmarshal). ExistingQueryPermissionsandQueryPermissionsMultiResourcesare refactored onto it; observable behavior (retry timing, log keys, error wrapping) is unchanged.QueryAllowedProjects. Override-header bypass returns["*"], consistent with the other methods' bypass semantics.NewHTTPClientgains anallowedProjectsQueryPathparameter.nop.go: implement the new method, returning["*"](fail-open, consistent with the other Nop methods).mock.go: testify passthrough.factory.go: threadConfig.AllowedProjectsQueryPathintoNewHTTPClient.README.md: document the new method and config field.✅ Checklist
README.md🧪 Testing
Unit tests in
http_test.go(build tagtest_unit). The existing in-test OPAhttptest.Servergains a third route at/v1/data/platform/authz/allowed_projectsplus a fixture-backed test helper that emulates the rego rule.Five new cases:
TestQueryAllowedProjects_Wildcard— admin id →["*"].TestQueryAllowedProjects_ConcreteProjects— two ids' concrete names unioned ({"abc","def"}, asserted withElementsMatchsince the rego returns a set).TestQueryAllowedProjects_NoProjects— unknown id → empty.TestQueryAllowedProjects_WithOverride— override header →["*"], server not hit (asserted via a request-count counter).TestQueryAllowedProjects_EmptyIds— emptyMemberIds→ empty.Verification:
make test— 10/10 pass (5 new + 5 existing).make lint—0 issues.go vet ./...— clean.🔗 References
allowed_projectsRego rule this method consumes.🚨 Breaking Changes?
NewHTTPClientgains a newallowedProjectsQueryPathparameter (positioned betweenpermissionFilterPathandrequestTimeout). Direct callers ofNewHTTPClientmust add the new argument.The
Clientinterface also grows a method (QueryAllowedProjects) — any custom implementations ofClientoutside this repo must add it.Callers using only the documented
CreateOpaClient(logger, *Config)entry point are unaffected at the call site, but should setConfig.AllowedProjectsQueryPathbefore invoking the new method.🔍️ Additional Notes
The
doRequestextraction is a refactor of pre-existing duplication, not a behavior change. Reviewers may want to spot-check that retry timing (6stotal,1sinterval), verbose log keys (requestBody,requestURL,responseBody), and error wrapping ("Failed to send HTTP request to OPA") are preserved exactly across the two existing methods.PermissionOptions.RaiseForbiddenandSkipLoggingForbiddenare accepted on the new method for API consistency but, as in the existing methods, are passthrough fields not acted on inside the client.