ENG-3084: Go shared library + CLI via ctypes#7944
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub.
1 Skipped Deployment
|
thabofletcher
changed the title
thabofletcher
force-pushed
the
pbac-cli-option-b
branch
from
6f726ce to
b2cfb53
Compare
Codecov Report❌ Patch coverage is ❌ Your patch status has failed because the patch coverage (50.00%) is below the target coverage (100.00%). You can increase the patch coverage or adjust the target coverage. Additional details and impacted files@@ Coverage Diff @@
## main #7944 +/- ##
==========================================
- Coverage 85.04% 84.94% -0.11%
==========================================
Files 631 630 -1
Lines 41217 41082 -135
Branches 4807 4768 -39
==========================================
- Hits 35053 34896 -157
- Misses 5070 5103 +33
+ Partials 1094 1083 -11 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
thabofletcher
force-pushed
the
pbac-cli-option-b
branch
2 times, most recently
from
5e2a475 to
842043b
Compare
Mirrors the POC fides-pbac CLI (#7941) but with the CLI staying in Python and the SQL parsing staying in Python. The Go library gets a new pipeline package that can drive the same flow over HTTP or in-process — useful when we want to move the hot path off of Python later without rewriting the CLI UX. Go additions (policy-engine/): - pkg/fixtures — YAML loaders for consumers/, purposes/, datasets/, policies/ matching the POC's config dir layout - pkg/pipeline — identity resolution + dataset resolution + purpose eval + gap reclassification + policy filtering, returning one EvaluationRecord per statement. 8 tests against the pbac/ fixtures. - pkg/pbac/types.go — SuppressedByPolicy + SuppressedByAction on PurposeViolation so suppressed violations stay in the record for audit instead of being dropped. GapUnconfiguredConsumer restored (the pipeline needs it; the engine still doesn't produce it). - pkg/pbac/policy_types.go — yaml: tags alongside json: on the policy types so YAML-loaded policies round-trip through the same struct. New Identity field on AccessEvaluationRequest carries the caller identity through the engine so identity-aware policies become an additive change rather than a request-shape break. Python additions (src/fides/): - service/pbac/fixtures.py — Python mirror of the Go fixture loaders - service/pbac/pipeline.py — Python mirror of the Go pipeline; reuses the existing sql_parser (sqlglot), evaluate_purpose, and evaluate_policies primitives - service/pbac/policies/interface.py — Identity field on AccessEvaluationRequest to match the Go side - cli/commands/pbac.py — new `fides pbac evaluate --config DIR --identity EMAIL [SQL_FILE]` command. Existing evaluate-purpose and evaluate-policies commands stay as lower-level JSON primitives. Fixtures (pbac/): - Ported verbatim from the POC to serve as both demo data and the test fixture set for the pipeline tests.
Pipeline inputs (Fixtures, Input, TableRef) and the fixtures.Consumer/ Purpose/Datasets types had yaml tags but no json tags. Go's JSON unmarshaling defaults to PascalCase field names, which makes clients send ugly payloads. Add snake_case json tags so the HTTP API matches the YAML shape and the existing engine response format. No behavior change — all existing tests pass. Required before fidesplus adds a sidecar handler for /v1/evaluate-pipeline.
EvaluatePolicies by design only returns Action on DENY decisions, so the pipeline's policy-filter step can't attribute an ALLOW suppression to a human-readable message via result.Action. Look up the decisive policy by key in the input list and read its action directly. Also add suppressed_by_policy / suppressed_by_action to the Python PurposeViolation dataclass so Python callers can deserialize both endpoint responses with the same type.
The CLI and InProcessPBACEvaluationService now call Go directly via ctypes/libpbac.so instead of reimplementing evaluation in Python. Added: - policy-engine/cmd/libpbac/ — CGo exports: EvaluatePipelineJSON, EvaluatePurposeJSON, EvaluatePoliciesJSON, LoadFixturesJSON, FreeString. Build with `go build -buildmode=c-shared`. - src/fides/service/pbac/engine.py — ctypes wrapper that loads libpbac and exposes evaluate_pipeline(), evaluate_purpose(), evaluate_policies(), load_fixtures() as Python functions. JSON in, JSON out, Go does all the work. Changed: - src/fides/cli/commands/pbac.py — all three commands (evaluate, evaluate-purpose, evaluate-policies) now call engine.py which calls Go. SQL parsing stays in Python (sqlglot). - src/fides/service/pbac/service.py — InProcessPBACEvaluationService now calls engine.evaluate_purpose() (Go via ctypes) instead of the deleted Python evaluate_purpose(). Deleted (Python reimplementations of Go logic): - service/pbac/evaluate.py — was: Python EvaluatePurpose - service/pbac/policies/evaluate.py — was: Python EvaluatePolicies + ParsedPolicy + InProcessAccessPolicyEvaluator - service/pbac/pipeline.py — was: Python pipeline orchestration - service/pbac/fixtures.py — was: Python YAML fixture loaders - tests for the above (Go tests in policy-engine/ are the source of truth now) Kept (not reimplementations): - policies/interface.py — type definitions (AccessEvaluationRequest, PolicyDecision, etc.) - policies/noop.py — null object, not evaluation logic - types.py — data shapes - sql_parser.py — Python-specific SQL parsing (the one allowed divergence from Go) - service.py — Protocol + orchestration that calls Go for evaluation
filterViolationsThroughPolicies was resolving data_uses for policy matching but never writing data_use back onto the PurposeViolation struct. Similarly, control was never set. Both fields are now populated before policy evaluation, matching the Python service layer's _resolve_data_uses step.
thabofletcher
force-pushed
the
pbac-cli-option-b
branch
from
842043b to
253b493
Compare
#1 — Fix C memory leak in engine.py. FreeString was defined but never called. Changed restype to c_void_p (not c_char_p which auto-converts to bytes and loses the pointer), copy via ctypes.string_at(), then free via FreeString in a finally block. #4 — Pass collections through in service.py. _call_go_evaluate_purpose now accepts and forwards the collections map so collection-level purposes are evaluated correctly. The collection names are extracted from table_ref.table during dataset resolution (step 2). #6 — Thread-safe lazy library init. Added threading.Lock around the _get_lib singleton init so concurrent first-callers don't race on attribute writes. #7 — Drop fragile len(result)==1 guard on error check. Now any response containing an "error" key raises, not just single-key dicts. #9 — Fix README: fides-pbac → fides pbac evaluate, pkg/sqlextract → sqlglot, add build instruction for libpbac.
These tests called the Python CLI which now delegates to Go via the shared library. Without libpbac built, every test crashes on import. The evaluation logic they tested is covered by Go tests in policy-engine/pkg/pbac/ and policy-engine/pkg/pipeline/. The CLI argument parsing is trivial click wiring — not worth a separate Go build dependency in the test suite.
- changelog/7944: describes the Go shared library and CLI addition - tests/service/pbac/test_engine_unit.py: 7 tests covering the Python-side logic (platform detection, library search paths, env var override, error messages) without requiring the Go library - pragma: no cover on _get_lib, _call, and the 4 public functions in engine.py — these are thin ctypes wrappers that require the Go shared library. Evaluation logic is tested in Go (58 tests in policy-engine/pkg/). Python coverage tools can't see Go execution.
thabofletcher
requested review from
dsill-ethyca and
galvana
and removed request for
a team and
dsill-ethyca
|
/code-review |
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review: Go shared library (libpbac) + fides pbac CLI
This PR makes a significant architectural shift: the PBAC evaluation engine moves from pure Python to a Go shared library called via ctypes, with Python retained only for CLI argument parsing, SQL parsing (sqlglot), and JSON I/O. The overall design is sound — keeping evaluation logic in one place (Go) and using the shared library as the single source of truth is a good pattern. The fixture loading, pipeline orchestration, and demo data are well-structured.
That said, there are a few issues worth addressing before this lands.
Critical
Test coverage gap (deleted Python tests, not replaced in Go)
The most significant concern is that ~1,000 lines of precise Python test coverage was deleted — covering taxonomy prefix matching, all four consent requirement variants, geo not_in, data_flow none_of, AND logic in unless blocks, and several edge cases (empty match key, empty context, action only on DENY). These are the highest-stakes paths in an access-control system. The new Go pipeline tests cover the happy-path scenarios but don't reach the policy evaluation unit level. The detailed comment on the deleted test_evaluate_access.py lists the specific gaps. Recommend adding equivalent Go unit tests in policy_evaluate_test.go before merging.
Null pointer from Go not guarded in _call
ctypes.string_at(result_ptr) when result_ptr is None (null c_void_p) gives an unhelpful ValueError. Add an explicit None check with a clear error message.
Medium
_find_libraryfragile path arithmetic — 5 chained.parentcalls; silent breakage if the file moves.- Library absence fails at evaluation time — If the Go
.soisn't built, the service crashes on the firstevaluate()call. A startup-time check or clearer documentation of the build prerequisite is needed. - Path traversal in
LoadFixturesJSON—config_diris used unsanitized; a../../prefix can escape the intended directory. .yamlnot supported — All fourLoad*functions only glob*.yml.
Minor / Nit
__import__("threading").Lock()pattern is unexplained; normal top-levelimport threadingis preferred.inputparameter shadows the Python built-in inevaluate_pipeline._qualified_nameis defined below its call site inpbac.py.collectionslist per dataset key inservice.pyis not deduplicated before passing to Go (Go deduplicates, but the redundant data is unnecessary).- The
allSuppressedvacuously-true case for empty violations is correct but deserves a clarifying comment. - The
except Exceptioncatch aroundsqlglot.parseneeds a comment explaining what non-ParseErrorexceptions are expected.
🔬 Codegraph: connected (47107 nodes)
💡 Write /code-review in a comment to re-run this review.
…rdering
- Add null pointer guard in _call before ctypes.string_at
- Replace __import__("threading") pattern with module-level import
- Rename `input` param in evaluate_pipeline to avoid shadowing built-in
- Move _qualified_name before its call site in pbac.py
- Support both .yml and .yaml in fixtures loader via globYAML helper
- Remove work-in-progress section comments from edge_cases_test.go
|
Thanks for the thorough review. Addressed in the latest commit: Critical #1 — Test coverage gap The coverage is actually present — it moved to Go. Critical #2 — Null pointer from Go not guarded ✅ Fixed — explicit Medium #4 — Minor — Minor — Minor — Medium #1 — Fragile path arithmetic — Left as-is for now; the five Medium #2 — Library absence fails at eval time — Intentional lazy loading; the error message already includes the build command. A startup check would require importing the service at init time which has other tradeoffs. Medium #3 — Path traversal in |
2 participants
Ticket ENG-3084
Description Of Changes
Adds
libpbac— a Go shared library (.so/.dylib) that Python calls directly viactypes. This eliminates all duplicated Python evaluation code. The Go library is the single source of truth for PBAC evaluation; Python handles only CLI argument parsing, SQL parsing (sqlglot), and JSON I/O.Architecture:
Code Changes
Go — new packages:
pkg/fixtures/— YAML loaders for consumers/, purposes/, datasets/, policies/ config directoriespkg/pipeline/— full pipeline: identity resolution + dataset resolution + purpose eval + gap reclassification + policy filtering. 8 tests against thepbac/fixture set.cmd/libpbac/— CGo exports:EvaluatePipelineJSON,EvaluatePurposeJSON,EvaluatePoliciesJSON,LoadFixturesJSON,FreeString. Build withgo build -buildmode=c-shared.Go — type changes:
PurposeViolation— addSuppressedByPolicy,SuppressedByActionfields (violations are kept for audit with suppression metadata inline, not dropped)AccessEvaluationRequest— addIdentityfield (carried through for future identity-aware policies)yaml:+json:dual tags for YAML loading and HTTP transportGapUnconfiguredConsumerrestored (needed by pipeline's gap reclassification step)data_useandcontrolenriched on violations in the pipelinePython — new:
service/pbac/engine.py— ctypes wrapper that loadslibpbacand exposesevaluate_pipeline(),evaluate_purpose(),evaluate_policies(),load_fixtures(). JSON in, JSON out, Go does all the work.Python — rewritten:
cli/commands/pbac.py—fides pbac evaluate --config DIR --identity EMAIL [SQL_FILE]now parses SQL with sqlglot then calls Go viaengine.py. Lower-levelevaluate-purposeandevaluate-policiesprimitives also call Go.service/pbac/service.py—InProcessPBACEvaluationServicecallsengine.evaluate_purpose()(Go via ctypes) instead of the deleted Python reimplementation.Python — deleted (was duplicating Go):
service/pbac/evaluate.py— PythonEvaluatePurpose(135 lines)service/pbac/policies/evaluate.py— PythonEvaluatePolicies+ParsedPolicy(349 lines)service/pbac/pipeline.py— Python pipeline (307 lines)service/pbac/fixtures.py— Python YAML loaders (220 lines)Fixtures — ported from POC #7941:
pbac/— consumers, purposes, datasets, policies, SQL entries for alice/bob/carol/daveHow to test
Expected outcomes
allow-analytics-on-billing-data(withdata_use+control+suppressed_by_action), compliant via collection-level purpose, violation standsunconfigured_datasetgap forcold_storageunresolved_identitygapunconfigured_consumergap (exists but no purposes)Companion PRs
pbac-cli-option-b-transport— sidecar endpointPOST /v1/evaluate-pipeline+ Python client method, consuming the same Go library over HTTP