Added Array, Set and operator 'IN' #110
Conversation
...-pdp-opa/src/main/java/com/contentgrid/thunx/pdp/opa/QuerySetToThunkExpressionConverter.java
Show resolved
Hide resolved
|
I was going to ask to add a test in |
That's right. I can add default implementation (throwing UnsupportedException) to RegoVisitor (T visit(SetTerm setTerm);) not to fail the build of ThunX. And then add test to ThunX after merging opa-client |
|
@ystrict the opa-java-client PR has been merged. Can you update this PR accordingly ? |
Done, but please take a look on this one firstly(made some small fixes) - xenit-eu/opa-java-client#26 |
|
@tgeens can you please restart the build? looks like dependencies didn't get in time |
|
@tgeens Can you please take a look on this build issue? I've checked locally and it looks like something is wrong with the github publishing process of opa-client. I've checked your sonatype repo and it contains the correct version of opa-client with my last updates. Locally gradle gets the correct jars and so on, but it's not building and IDE says that the bytecode doesn't match the source code, it's strange |
thunx-model/src/main/java/com/contentgrid/thunx/predicates/model/CollectionValue.java
Outdated
Show resolved
Hide resolved
You should update the dependency to opa-java-client in |
done |
|
Ok, but that won't be sufficient. See my comment on |
Hi, can you please take a look on my changes? |
|
@tgeens Hi, I've changed the version but it's still falling. For me it looks like there are some building or publishing issues, because on local using publishToMavenLocal it works good. Can you please take a look and help me in your free time? |
I found a compile error here: https://github.com/xenit-eu/thunx/pull/110/files#diff-e1519f085982147798370b05f00c49957d1c5f2be3db626be759193e055631a3R155 It's trying to pass Rego objects to something that should be a thunx It's strange that it compiles for you locally, do you still have some uncommitted changes, or perhaps an |
thunx-model/src/main/java/com/contentgrid/thunx/predicates/model/FunctionExpression.java
Outdated
Show resolved
Hide resolved
| @@ -57,6 +63,7 @@ public ThunkExpression<Boolean> convert(Query query) { | |||
|
|
|||
| var expressions = query.stream() | |||
| .map(this::convert) | |||
| .filter(Objects::nonNull) | |||
There was a problem hiding this comment.
Are there ever null values returned from this::convert?
I think that would indicate a bug, so filtering them out might be counterproductive, and actually result in an expression that can't be converted being dropped, thereby widening the access policies, which is an undesired effect.
We should prefer erroring out (even if it's a null pointer exception) over accidentally allowing access to data that should have been protected.
There was a problem hiding this comment.
This filtering is done because there is an ability to return empty Term for in operation.
Example:
"index": 4, "terms": [ { "type": "ref", "value": [ { "type": "var", "value": "internal" }, { "type": "string", "value": "member_2" } ] }, { "type": "ref", "value": [ { "type": "var", "value": "input" }, { "type": "string", "value": "entity" }, { "type": "string", "value": "accountId" } ] }, { "type": "array", "value": [] # will return null in conversion, cause we need to skip empty in clause } ] }
There was a problem hiding this comment.
That's why in this place we are filtering empty in cases
| @@ -6,5 +6,8 @@ public interface ThunkExpressionVisitor<T, C> { | |||
| T visit(FunctionExpression<?> functionExpression, C context); | |||
| T visit(SymbolicReference symbolicReference, C context); | |||
| T visit(Variable variable, C context); | |||
| default T visit(CollectionValue collection, C context) { | |||
| throw new UnsupportedOperationException("Visit for CollectionValue is not yet implemented."); | |||
There was a problem hiding this comment.
During development/experimenting this is fine, but we should remove the default implementation.
At some, all visitors need to implement this method, so we can be sure that we can handle collection values.
One of the important ones that is still missing an implementation is the ExpressionJsonConverter.JsonEncoderVisitor, without which we can't send the partial expression to the application.
...rydsl/src/main/java/com/contentgrid/thunx/predicates/querydsl/QueryDslConvertingVisitor.java
Outdated
Show resolved
Hide resolved
...-pdp-opa/src/main/java/com/contentgrid/thunx/pdp/opa/QuerySetToThunkExpressionConverter.java
Outdated
Show resolved
Hide resolved
...-pdp-opa/src/main/java/com/contentgrid/thunx/pdp/opa/QuerySetToThunkExpressionConverter.java
Outdated
Show resolved
Hide resolved
|
|
||
| @Override | ||
| public ThunkExpression<?> visit(ArrayTerm arrayTerm) { | ||
| arrayTerm.getValue().forEach(scalarTerm -> scalarTerm.accept(this)); |
There was a problem hiding this comment.
Doing this would unpack a rego array ['a', 'b', ['c', 'd']] into ['a', 'b', 'c', 'd'], which is not a valid conversion.
Instead, this would probably need to use the same code as used above to collect scalars, and add the whole resulting CollectionValue as a scalar value.
There was a problem hiding this comment.
Now SetTerm and ArrayTerm extends Term, that means that SetTerm cannot have SetTerm as a value. If you want to have such case when SetTerm contains SetTerm, then we need to change opa-client, to make SetTerm and ArrayTerm extend ScalarTerm
There was a problem hiding this comment.
I've added support of collection in collection for opa-client (xenit-eu/opa-java-client#28) and for thunx
|
|
||
| @Override | ||
| public ThunkExpression<?> visit(SetTerm setTerm) { | ||
| setTerm.getValue().forEach(scalarTerm -> scalarTerm.accept(this)); |
There was a problem hiding this comment.
Same remark as for the array case, nested sets shouldn't be flattened.
|
|
||
| @Override | ||
| public ThunkExpression<?> visit(QuerySet querySet) { | ||
| return null; |
There was a problem hiding this comment.
All these rego types are unexpected in a scalar collection, so they should throw an exception instead of silently dropping the term.
For example, in rego, you can have a Ref in an array, for example, when constructing input.entity.something in [input.entity.optionA, input.entity.optionB]
That is probably (I didn't check) a valid rego expression, but is not supported as entry in the current CollectionValue.
It's fine to limit ourselves to only scalar values for now, but we should not drop those terms silently.
There was a problem hiding this comment.
I've added support of collection in collection for opa-client (xenit-eu/opa-java-client#28) and for thunx
includeBuild is commented, but everything builds fine without any errors and it also works. Really strange, where did you find this error? |
This line: Scalar.of(
Set.of(new Term.Numeric(4), new Term.Numeric(5))
)
These types are not compatible with each other: |
thanks, let me check |
Hi, I've added json functionality, please take a look as soon as you have time |
|
Hi, my opa-client PR(xenit-eu/opa-java-client#28) was merged, please take a look on this one. |
...ding-json/src/main/java/com/contentgrid/thunx/encoding/json/CollectionValueDeserializer.java
Outdated
Show resolved
Hide resolved
| } | ||
|
|
||
| private static JsonScalarDto<?> processCollectionDto(CollectionValue collectionValue) { | ||
| Collection<JsonExpressionDto> result; | ||
| if (JsonCollectionValueDto.getTypeByClass(collectionValue.getResultType()).equals("set")) { |
There was a problem hiding this comment.
If you need to do typechecks here, this indicates that we need two separate visit methods: one for the set type and one for the array type.
This also means that we need two separate classes: CollectionValue needs to be split up in ArrayCollectionValue and SetCollectionValue. You can keep CollectionValue as an interface so it can be used in places where an array or a set would be sufficient.
There was a problem hiding this comment.
Yeap, I agree with you, but can we merge this PR and create issue, for this? I will pick it up and fix in next PR, cause this one became to big and too time consuming. This change requires rewriting the whole PR:(
thunx-model/src/main/java/com/contentgrid/thunx/predicates/model/Scalar.java
Outdated
Show resolved
Hide resolved
...-pdp-opa/src/main/java/com/contentgrid/thunx/pdp/opa/QuerySetToThunkExpressionConverter.java
Outdated
Show resolved
Hide resolved
|
@ystrict: We are working on upgrading Thunx to Spring Boot 3, which will make it incompatible with Spring Boot 2 applications. Please let us know if you have to integrate this in a Spring Boot 2 application, so we can plan a final release for Spring Boot 2 containing this PR. |
Can you please include my changes to Spring Boot 2 release? |
|
|
Really sorry to close this PR, but at this point we cannot get it merged in. Sorry @ystrict |
Hi, I've added implementation for array, set and 'in' support. Please take a look on it, will be happy if you make some comments!