feat(authz): [DRAFT] Add temporal attribute to AccessPDP

Dockerfile

@@ -2,7 +2,7 @@ FROM cgr.dev/chainguard/go:latest AS builder
 ARG TARGETOS TARGETARCH
 
 WORKDIR /app
-# dependencies, add local,dependant package here
+
 COPY protocol/ protocol/
 COPY sdk/ sdk/
 COPY lib/ocrypto lib/ocrypto
@@ -16,7 +16,7 @@ RUN cd service \
     && go mod verify
 RUN GOOS=$TARGETOS GOARCH=$TARGETARCH go build -o opentdf ./service
 
-FROM cgr.dev/chainguard/glibc-dynamic
+FROM cgr.dev/chainguard/glibc-dynamic:latest
 
 COPY --from=builder /app/opentdf /usr/bin/
 

docker-compose.yaml

@@ -1,69 +1,8 @@
 networks:
   default:
     name: opentdf_platform
+
 services:
-  keycloak:
-    volumes:
-    - ./keys/localhost.crt:/etc/x509/tls/localhost.crt
-    - ./keys/localhost.key:/etc/x509/tls/localhost.key
-    - ./keys/ca.jks:/truststore/truststore.jks
-    # This is kc 24.0.1 with opentdf protocol mapper on board
-    image: cgr.dev/chainguard/keycloak@sha256:37895558d2e0e93ffff75da5900f9ae7e79ec6d1c390b18b2ecea6cee45ec26f
-    restart: always
-    command:
-    - "start-dev"
-    - "--verbose"
-    - "-Djavax.net.ssl.trustStorePassword=password"
-    - "-Djavax.net.ssl.HostnameVerifier=AllowAll"
-    - "-Djavax.net.ssl.trustStore=/truststore/truststore.jks"
-    - "--spi-truststore-file-hostname-verification-policy=ANY"
-    environment:
-      KC_PROXY: edge
-      KC_HTTP_RELATIVE_PATH: /auth
-      KC_DB_VENDOR: postgres
-      KC_DB_URL_HOST: keycloakdb
-      KC_DB_URL_PORT: 5432
-      KC_DB_URL_DATABASE: keycloak
-      KC_DB_USERNAME: keycloak
-      KC_DB_PASSWORD: changeme
-      KC_HOSTNAME_STRICT: "false"
-      KC_HOSTNAME_STRICT_BACKCHANNEL: "false"
-      KC_HOSTNAME_STRICT_HTTPS: "false"
-      KC_HTTP_ENABLED: "true"
-      KC_HTTP_PORT: "8888"
-      KC_HTTPS_PORT: "8443"
-      KEYCLOAK_ADMIN: admin
-      KEYCLOAK_ADMIN_PASSWORD: changeme
-      #KC_HOSTNAME_URL: http://localhost:8888/auth
-      KC_FEATURES: "preview,token-exchange"
-      KC_HEALTH_ENABLED: "true"
-      KC_HTTPS_KEY_STORE_PASSWORD: "password"
-      KC_HTTPS_KEY_STORE_FILE: "/truststore/truststore.jks"
-      KC_HTTPS_CERTIFICATE_FILE: "/etc/x509/tls/localhost.crt"
-      KC_HTTPS_CERTIFICATE_KEY_FILE: "/etc/x509/tls/localhost.key"
-      KC_HTTPS_CLIENT_AUTH: "request"
-    ports:
-      - "8888:8888"
-      - "8443:8443"
-    healthcheck:
-      test: ['CMD-SHELL', '[ -f /tmp/HealthCheck.java ] || echo "public class HealthCheck { public static void main(String[] args) throws java.lang.Throwable { System.exit(java.net.HttpURLConnection.HTTP_OK == ((java.net.HttpURLConnection)new java.net.URL(args[0]).openConnection()).getResponseCode() ? 0 : 1); } }" > /tmp/HealthCheck.java && java /tmp/HealthCheck.java http://localhost:8888/auth/health/live']
-      interval: 5s
-      timeout: 10s
-      retries: 3
-      start_period: 2m
-  keycloakdb:
-    image: postgres:15-alpine
-    restart: always
-    user: postgres
-    environment:
-      POSTGRES_PASSWORD: changeme
-      POSTGRES_USER: postgres
-      POSTGRES_DB: keycloak
-    healthcheck:
-      test: ["CMD-SHELL", "pg_isready"]
-      interval: 5s
-      timeout: 5s
-      retries: 10
   opentdfdb:
     image: postgres:15-alpine
     restart: always
@@ -73,9 +12,26 @@ services:
       POSTGRES_PASSWORD: changeme
       POSTGRES_DB: opentdf
     healthcheck:
-      test: ["CMD-SHELL", "pg_isready"]
+      test: [ "CMD-SHELL", "pg_isready" ]
       interval: 5s
       timeout: 5s
       retries: 10
     ports:
       - "5432:5432"
+
+  opentdf:
+    image: custom-opentdf:latest
+    restart: always
+    volumes:
+      - "./keys:/keys"  # Mount your keys directory
+      - "./opentdf.yaml:/home/nonroot/.opentdf/opentdf.yaml"  # Mount opentdf.yaml
+      - "./keys/local-dsp.virtru.com.pem:/usr/local/share/ca-certificates/ca.crt"  # Mount the cert file
+    networks:
+      - default
+    ports:
+      - "8080:8080"  # Expose the service on port 8080
+    environment:
+      SSL_CERT_DIR: "/usr/local/share/ca-certificates"  # Ensure the cert dir is set
+    entrypoint: ["/usr/bin/opentdf","start"]
+    extra_hosts:
+      - "local-dsp.virtru.com:192.168.1.195"  # Add custom host entries

service/authorization/authorization.go

@@ -2,10 +2,11 @@ package authorization
 
 import (
 	"context"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"log/slog"
-	"os"
+	"os"	
 	"strings"
 
 	"google.golang.org/grpc/codes"
@@ -188,6 +189,26 @@ func (as *AuthorizationService) GetDecisions(ctx context.Context, req *authoriza
 		for _, ra := range dr.GetResourceAttributes() {
 			as.logger.DebugContext(ctx, "getting resource attributes", slog.String("FQNs", strings.Join(ra.GetAttributeValueFqns(), ", ")))
 
+			filteredFQNs := []string{}
+			for _, fqn := range ra.GetAttributeValueFqns() {
+				if strings.Contains(fqn, "temporal/") {
+					// This FQN is part of the temporal attribute system, which can have dynamic or time-based values
+					// (e.g., /temporal/value/after::2024-11-05T12:00:00Z). Temporal attributes are handled separately
+					// by the accessPdp and do not require further processing here.
+					// Skipping these attributes avoids unnecessary handling as they do not affect other parts
+					// of the decision logic.
+					as.logger.DebugContext(ctx, "ignoring temporal FQN", slog.String("FQN", fqn))
+					continue
+				}
+				filteredFQNs = append(filteredFQNs, fqn)
+			}
+
+			if len(filteredFQNs) == 0 {
+				as.logger.DebugContext(ctx, "no valid FQNs left after filtering")				
+			}
+
+			ra.AttributeValueFqns = filteredFQNs
+
 			// get attribute definition/value combinations
 			dataAttrDefsAndVals, err := retrieveAttributeDefinitions(ctx, ra, as.sdk)
 			if err != nil {
@@ -440,7 +461,12 @@ func makeScopeMap(scope *authorization.ResourceAttribute) map[string]bool {
 }
 
 func (as *AuthorizationService) GetEntitlements(ctx context.Context, req *authorization.GetEntitlementsRequest) (*authorization.GetEntitlementsResponse, error) {
-	as.logger.DebugContext(ctx, "getting entitlements")
+	as.logger.DebugContext(ctx, "Preparing to retrieve entitlements")
+	as.logger.DebugContext(ctx, "getting entitlements with request", slog.String("Request Body", req.String()))
+
+	reqJSON, _ := json.Marshal(req)
+	as.logger.DebugContext(ctx, "getting entitlements", slog.String("Request Body", string(reqJSON)))
+
 	attrsRes, err := as.sdk.Attributes.ListAttributes(ctx, &attr.ListAttributesRequest{})
 	if err != nil {
 		as.logger.ErrorContext(ctx, "failed to list attributes", slog.String("error", err.Error()))
@@ -464,7 +490,12 @@ func (as *AuthorizationService) GetEntitlements(ctx context.Context, req *author
 	as.logger.DebugContext(ctx, fmt.Sprintf("retrieved %d subject mappings", len(subjectMappings)))
 	// TODO: this could probably be moved to proto validation https://github.com/opentdf/platform/issues/1057
 	if req.Entities == nil {
-		as.logger.ErrorContext(ctx, "requires entities")
+		as.logger.ErrorContext(
+			ctx,
+			"invalid request: missing entities field in GetEntitlementsRequest",
+			slog.String("method", "GetEntitlements"),
+			slog.Any("request", req),
+		)
 		return nil, status.Error(codes.InvalidArgument, "requires entities")
 	}
 	rsp := &authorization.GetEntitlementsResponse{

service/authorization/authorization.proto

@@ -297,6 +297,9 @@ service AuthorizationService {
     option (google.api.http) = {post: "/v1/token/authorization"};
   }
   rpc GetEntitlements(GetEntitlementsRequest) returns (GetEntitlementsResponse) {
-    option (google.api.http) = {post: "/v1/entitlements"};
+    option (google.api.http) = {
+      post: "/v1/entitlements",
+      body:"*"
+      };
   }
 }

service/buf.lock

@@ -4,15 +4,15 @@ deps:
   - remote: buf.build
     owner: bufbuild
     repository: protovalidate
-    commit: e097f827e65240ac9fd4b1158849a8fc
-    digest: shake256:f19252436fd9ded945631e2ffaaed28247a92c9015ccf55ae99db9fb3d9600c4fdb00fd2d3bd7701026ec2fd4715c5129e6ae517c25a59ba690020cfe80bf8ad
+    commit: 5a7b106cbb87462d9a8c9ffecdbd2e38
+    digest: shake256:2f7efa5a904668219f039d4f6eeb51e871f8f7f5966055a10663cba335bd65f76cac84da3fa758ab7b5dcb489ec599521390ce3951d119fb56df1fc2def16bb0
   - remote: buf.build
     owner: googleapis
     repository: googleapis
-    commit: a86849a25cc04f4dbe9b15ddddfbc488
-    digest: shake256:e19143328f8cbfe13fc226aeee5e63773ca494693a72740a7560664270039a380d94a1344234b88c7691311460df9a9b1c2982190d0a2612eae80368718e1943
+    commit: e7f8d366f5264595bcc4cd4139af9973
+    digest: shake256:e5e5f1c12f82e028ea696faa43b4f9dc6258a6d1226282962a8c8b282e10946281d815884f574bd279ebd9cd7588629beb3db17b892af6c33b56f92f8f67f509
   - remote: buf.build
     owner: grpc-ecosystem
     repository: grpc-gateway
-    commit: 3f42134f4c564983838425bc43c7a65f
-    digest: shake256:3d11d4c0fe5e05fda0131afefbce233940e27f0c31c5d4e385686aea58ccd30f72053f61af432fa83f1fc11cda57f5f18ca3da26a29064f73c5a0d076bba8d92
+    commit: a48fcebcf8f140dd9d09359b9bb185a4
+    digest: shake256:a926173f0ec3e1a929462c350acda846e546134b5ce2bb83fe44f02f9330a42b1c9b292f64b951b06a4d2c47e2ce4d477d6a2cb31502a15637ada35ecedefcf6

service/cmd/keycloak_data.yaml

@@ -1,5 +1,5 @@
-baseUrl: &baseUrl http://localhost:8888
-serverBaseUrl: &serverBaseUrl http://localhost:8080
+baseUrl: &baseUrl http://local-dsp.virtru.com:8888
+serverBaseUrl: &serverBaseUrl http://local-dsp.virtru.com:8080
 customAudMapper: &customAudMapper
   name: audience-mapper
   protocol: openid-connect
@@ -78,7 +78,7 @@ realms:
           serviceAccountsEnabled: false
           publicClient: true
           redirectUris:
-            - 'http://localhost:9000/*' # otdfctl CLI tool
+            - 'http://local-dsp.virtru.com:9000/*' # otdfctl CLI tool
           protocolMappers:
             - *customAudMapper
     users: