Skip to content

[Authz] Add QueryAllowedProjects client method#8

Merged
TomerShor merged 2 commits into
mainfrom
feature/IG4-2244-allowed-projects
May 10, 2026
Merged

[Authz] Add QueryAllowedProjects client method#8
TomerShor merged 2 commits into
mainfrom
feature/IG4-2244-allowed-projects

Conversation

@TomerShor

@TomerShor TomerShor commented May 7, 2026

Copy link
Copy Markdown
Contributor

📝 Description

Adds a third query method, QueryAllowedProjects, to the OPA Client interface. It calls the new allowed_projects Rego rule (orca PR #707) and returns the set of project names the caller is allowed to read or list. A returned slice containing "*" signals "all projects accessible" — callers treat "*" as a wildcard; no concrete names are returned alongside it.

This gives consumers a single OPA query to compute project-scoped visibility instead of filtering per-resource paths.


🛠️ Changes Made

  • types.go: new Config.AllowedProjectsQueryPath field; new AllowedProjectsRequest/AllowedProjectsRequestInput/AllowedProjectsResponse types.
  • opa.go: extend Client interface with QueryAllowedProjects(ctx, *PermissionOptions) ([]string, error).
  • http.go:
    • Extract a private doRequest helper that all three query methods share (URL build, headers, marshal, retry loop, verbose request/response logging, unmarshal). Existing QueryPermissions and QueryPermissionsMultiResources are refactored onto it; observable behavior (retry timing, log keys, error wrapping) is unchanged.
    • Add QueryAllowedProjects. Override-header bypass returns ["*"], consistent with the other methods' bypass semantics.
    • NewHTTPClient gains an allowedProjectsQueryPath parameter.
  • nop.go: implement the new method, returning ["*"] (fail-open, consistent with the other Nop methods).
  • mock.go: testify passthrough.
  • factory.go: thread Config.AllowedProjectsQueryPath into NewHTTPClient.
  • README.md: document the new method and config field.

✅ Checklist

  • I updated the documentation (if applicable) — README.md
  • I have tested the changes in this PR

🧪 Testing

Unit tests in http_test.go (build tag test_unit). The existing in-test OPA httptest.Server gains a third route at /v1/data/platform/authz/allowed_projects plus a fixture-backed test helper that emulates the rego rule.

Five new cases:

  • TestQueryAllowedProjects_Wildcard — admin id → ["*"].
  • TestQueryAllowedProjects_ConcreteProjects — two ids' concrete names unioned ({"abc","def"}, asserted with ElementsMatch since the rego returns a set).
  • TestQueryAllowedProjects_NoProjects — unknown id → empty.
  • TestQueryAllowedProjects_WithOverride — override header → ["*"], server not hit (asserted via a request-count counter).
  • TestQueryAllowedProjects_EmptyIds — empty MemberIds → empty.

Verification:

  • make test — 10/10 pass (5 new + 5 existing).
  • make lint0 issues.
  • go vet ./... — clean.

🔗 References

  • Ticket link: IG4-2244
  • Design docs links: n/a
  • External links: orca PR #707 — adds the allowed_projects Rego rule this method consumes.

🚨 Breaking Changes?

  • Yes (explain below)
  • No

NewHTTPClient gains a new allowedProjectsQueryPath parameter (positioned between permissionFilterPath and requestTimeout). Direct callers of NewHTTPClient must add the new argument.

The Client interface also grows a method (QueryAllowedProjects) — any custom implementations of Client outside this repo must add it.

Callers using only the documented CreateOpaClient(logger, *Config) entry point are unaffected at the call site, but should set Config.AllowedProjectsQueryPath before invoking the new method.


🔍️ Additional Notes

The doRequest extraction is a refactor of pre-existing duplication, not a behavior change. Reviewers may want to spot-check that retry timing (6s total, 1s interval), verbose log keys (requestBody, requestURL, responseBody), and error wrapping ("Failed to send HTTP request to OPA") are preserved exactly across the two existing methods.

PermissionOptions.RaiseForbidden and SkipLoggingForbidden are accepted on the new method for API consistency but, as in the existing methods, are passthrough fields not acted on inside the client.

Adds a third query method to the Client interface that calls the new
allowed_projects Rego rule and returns the set of project names the
caller is allowed to read or list. A returned slice containing "*"
signals that all projects are accessible.

- types.go: new AllowedProjectsQueryPath config field; new
  AllowedProjectsRequest/Input/Response types
- opa.go: extend Client interface with QueryAllowedProjects
- http.go: extract a private doRequest helper shared by all three query
  methods (URL build, marshal, retry, verbose log, unmarshal); add
  QueryAllowedProjects with the same override-bypass behavior as the
  existing methods
- nop.go, mock.go: implement the new method (Nop returns ["*"])
- factory.go: thread AllowedProjectsQueryPath into NewHTTPClient
- http_test.go: third route on the in-test OPA server, fixture-backed
  test helper, five new test cases covering wildcard, concrete
  projects, empty/unknown ids, and override bypass
- README.md: document the new method and config field

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

@liranbg liranbg left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm. minor fixes

Comment thread http.go Outdated

var response PermissionQueryResponse
if err := c.doRequest(ctx, c.permissionQueryPath, request, &response); err != nil {
return false, err

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wrap err

Comment thread http.go Outdated

var response AllowedProjectsResponse
if err := c.doRequest(ctx, c.allowedProjectsQueryPath, request, &response); err != nil {
return nil, err

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

wrap, and do for the rest as well

@TomerShor TomerShor requested a review from liranbg May 10, 2026 06:45
@TomerShor TomerShor merged commit 89b310b into main May 10, 2026
5 checks passed
@TomerShor TomerShor deleted the feature/IG4-2244-allowed-projects branch May 10, 2026 07:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants