feat(core): Fix some authz issues.#3574
Conversation
|
Important Review skippedAuto reviews are disabled on base/target branches other than the default branch. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Repository UI Review profile: ASSERTIVE Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request implements security enhancements for production readiness by centralizing the authorization resolver registry. By wiring this registry into the server startup and authentication flow, the system can now dynamically resolve resource dimensions during interceptor authorization. Additionally, it establishes default role mappings for standard and admin users, ensuring consistent access control without relying on deprecated patterns. Highlights
New Features🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. The roles are mapped with care and grace, To keep the auth in proper place. With resolvers set and registry clear, The path to access is now quite near. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request updates the authorization system by initializing the global authorization resolver registry earlier in the server startup sequence, passing it to the authentication interceptor, and adding corresponding policy role mappings and tests. Feedback on the changes suggests replacing s.T().Context() with context.Background() in the new interceptor tests to ensure backward compatibility with Go versions prior to 1.24 and maintain consistency across the test suite.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
c-r33d
force-pushed
the
DSPX-2190-step1-security-readiness
branch
from
f6f0d88 to
8889298
Compare
Dependency ReviewThe following issues were found:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
|
2 participants
Summary
Step 1 production-readiness security changes for PR #2999.
This wires the authz resolver registry into the server authenticator path so v2 authorization can resolve request-specific resource dimensions during interceptor authorization. It also adds default
Casbin v2 grouping statements for the built-in admin and standard roles, without reintroducing deprecated
RoleMapbehavior.Changes
AuthzResolverRegistryfrom server startup intoauth.NewAuthenticatorrole:opentdf-admin -> role:adminrole:opentdf-standard -> role:standardopentdf-adminthrough grouping statementsVerification
Ran:
go test ./service/internal/auth/... ./service/internal/server/... ./service/pkg/server/...Also ran targeted tests for resolver invocation and default role grouping behavior.
Notes
Customer policy override behavior is preserved. A customer can still replace the built-in Casbin policy with server.auth.policy.csv and omit the default opentdf-admin role mapping if they do not want
that role.