Add entriesAdditions and allowedImportAdditions for policy imports#2347
Add entriesAdditions and allowedImportAdditions for policy imports#2347thjaeckle wants to merge 5 commits intoeclipse-ditto:masterfrom
Conversation
…clipse-ditto#2221) Introduce `entriesAdditions` on policy imports to allow importing policies to additively merge subjects and resources into imported policy entries. Template policies control what can be extended via `allowedImportAdditions` (enum-backed, secure-by-default: empty set means no additions allowed). New model types: EntryAddition, EntriesAdditions, AllowedImportAddition enum. Write-time validation ensures entriesAdditions labels are declared in entries. Merge-time logic in PolicyImporter silently skips disallowed additions. Includes OpenAPI schema updates, documentation, and comprehensive tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ction All code paths that reconstructed PolicyEntry objects (builder, ImmutablePolicy mutations, command/event strategies, placeholder substitution, gateway route) were using 3-arg or 4-arg factory methods that silently dropped the new allowedImportAdditions field. Upgraded all call sites to the 5-arg PoliciesModelFactory.newPolicyEntry() overload and added unit tests verifying preservation through each code path. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…mportable Add endpoints for managing policy import entries, entriesAdditions, entryAddition, allowedImportAdditions, and entry importable type. Includes signal classes, command/event strategies, gateway routes, protocol adapter mappings, OpenAPI docs, and unit tests. Also fix OpenAPI validation errors in PermissionCheckRequest, PermissionCheckResponse, and WoT validation config response schemas. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
|
System tests run: https://github.com/eclipse-ditto/ditto/actions/runs/22302981477 Inlcuding added tests from eclipse-ditto/ditto-testing#22 |
policies/model/src/main/java/org/eclipse/ditto/policies/model/PolicyImporter.java
Show resolved
Hide resolved
|
I noticed an issue in the importable API validation.
Repro: control case (valid -> 204)curl -g -sS -i -X PUT failing case (invalid -> currently 500, should be 400)curl -g -sS -i -X PUT |
|
I noticed another issue in allowedImportAdditions validation.
Repro: control case (valid -> 204)curl -g -sS -i -X PUT failing case (invalid -> currently 204, should be 400)curl -g -sS -i -X PUT |
…ditions values Replace IllegalArgumentException (500) with PolicyEntryInvalidException (400) for invalid importable type values, and reject unknown allowedImportAdditions enum values instead of silently dropping them. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
3 participants
Resolves: #2221
Introduce
entriesAdditionson policy imports to allow importing policies to additively merge subjects and resources into imported policy entries. Template policies control what can be extended viaallowedImportAdditions(enum-backed, secure-by-default: empty set means no additions allowed).New model types: EntryAddition, EntriesAdditions, AllowedImportAddition enum. Write-time validation ensures entriesAdditions labels are declared in entries. Merge-time logic in PolicyImporter silently skips disallowed additions.
The PR also adds HTTP endpoints for:
/api/2/policies/{policyId}/entries/{label}/allowedImportAdditions/api/2/policies/{policyId}/entries/{label}/importable(was existing before in the policy model, however no extra endpoint was yet provided)/api/2/policies/{policyId}/imports/{importedPolicyId}/entries(was existing before in the policy model, however no extra endpoint was yet provided)/api/2/policies/{policyId}/imports/{importedPolicyId}/entriesAdditionsAs adding those separate endpoints and providing also model classes to map requests/responses adds a lot of boilerplate code, the PR got quite big..