Add entriesAdditions and allowedImportAdditions for policy imports #2347
…clipse-ditto#2221) Introduce `entriesAdditions` on policy imports to allow importing policies to additively merge subjects and resources into imported policy entries. Template policies control what can be extended via `allowedImportAdditions` (enum-backed, secure-by-default: empty set means no additions allowed). New model types: EntryAddition, EntriesAdditions, AllowedImportAddition enum. Write-time validation ensures entriesAdditions labels are declared in entries. Merge-time logic in PolicyImporter silently skips disallowed additions. Includes OpenAPI schema updates, documentation, and comprehensive tests. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ction All code paths that reconstructed PolicyEntry objects (builder, ImmutablePolicy mutations, command/event strategies, placeholder substitution, gateway route) were using 3-arg or 4-arg factory methods that silently dropped the new allowedImportAdditions field. Upgraded all call sites to the 5-arg PoliciesModelFactory.newPolicyEntry() overload and added unit tests verifying preservation through each code path. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…mportable Add endpoints for managing policy import entries, entriesAdditions, entryAddition, allowedImportAdditions, and entry importable type. Includes signal classes, command/event strategies, gateway routes, protocol adapter mappings, OpenAPI docs, and unit tests. Also fix OpenAPI validation errors in PermissionCheckRequest, PermissionCheckResponse, and WoT validation config response schemas. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
System tests run: https://github.com/eclipse-ditto/ditto/actions/runs/22302981477 Including added tests from eclipse-ditto/ditto-testing#22
I noticed an issue in the importable API validation.
Repro:
control case (valid -> 204)
curl -g -sS -i -X PUT
failing case (invalid -> currently 500, should be 400)
curl -g -sS -i -X PUT
I noticed another issue in allowedImportAdditions validation.
Repro:
control case (valid -> 204)
curl -g -sS -i -X PUT
failing case (invalid -> currently 204, should be 400)
curl -g -sS -i -X PUT
…ditions values Replace IllegalArgumentException (500) with PolicyEntryInvalidException (400) for invalid importable type values, and reject unknown allowedImportAdditions enum values instead of silently dropping them. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
…ion with DittoJsonException Add unit tests for PolicyEntriesRoute and PolicyImportsRoute covering all CRUD endpoints. Replace IllegalArgumentException with DittoJsonException wrapping JsonParseException (with dittoHeaders) for unknown ImportableType values in PolicyEntryImportableModified and AbstractPolicyMappingStrategies. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Enhanced System tests run only contains 1 error in non-related test (about connectivity log publishing):
…resource commands
Add round-trip adapter tests (fromAdaptable, toAdaptable, and both
round-trip directions) for all new policy import sub-resource commands,
responses, and their protocol mapping strategies.
Register new resource paths in PolicyResource and PolicyPathMatcher so
the toAdaptable direction can resolve paths like /entries/{label}/importable,
/entries/{label}/allowedImportAdditions, /imports/{id}/entries,
/imports/{id}/entriesAdditions, and /imports/{id}/entriesAdditions/{label}.
Fix ModifyPolicyImportEntryAdditionResponse mapping from Adaptable which
was always passing null for entryAddition, causing failures for CREATED
(201) responses that include the entity payload.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Resolves: #2221
Introduce `entriesAdditions` on policy imports to allow importing policies to additively merge subjects and resources into imported policy entries. Template policies control what can be extended via `allowedImportAdditions` (enum-backed, secure-by-default: empty set means no additions allowed).

New model types: EntryAddition, EntriesAdditions, AllowedImportAddition enum. Write-time validation ensures entriesAdditions labels are declared in entries. Merge-time logic in PolicyImporter silently skips disallowed additions.
The PR also adds HTTP endpoints for:
- `/api/2/policies/{policyId}/entries/{label}/allowedImportAdditions`
- `/api/2/policies/{policyId}/entries/{label}/importable` (was existing before in the policy model, however no extra endpoint was yet provided)
- `/api/2/policies/{policyId}/imports/{importedPolicyId}/entries` (was existing before in the policy model, however no extra endpoint was yet provided)
- `/api/2/policies/{policyId}/imports/{importedPolicyId}/entriesAdditions`

As adding those separate endpoints and providing also model classes to map requests/responses adds a lot of boilerplate code, the PR got quite big..
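
The three rules this description and the validation fix rely on (strict parsing of `allowedImportAdditions`, the write-time label check, and the merge-time skip of disallowed additions), as an added sketch over plain dicts. It is not Ditto's code: the function names, the JSON field shapes, the enum values `subjects`/`resources` and the choice to never overwrite existing template keys are assumptions of this example.

```python
import copy

# Assumed AllowedImportAddition values; the PR text only says "enum-backed".
ALLOWED_KINDS = {"subjects", "resources"}


def parse_allowed(values):
    # Strict parse: unknown values are rejected (the 400 case), never dropped.
    unknown = sorted(set(values) - ALLOWED_KINDS)
    if unknown:
        raise ValueError(f"unknown allowedImportAdditions: {unknown}")
    return set(values)


def validate_import(policy_import):
    # Write-time check: every entriesAdditions label must be listed in entries.
    declared = set(policy_import.get("entries", []))
    stray = sorted(set(policy_import.get("entriesAdditions", {})) - declared)
    if stray:
        raise ValueError(f"entriesAdditions labels not in entries: {stray}")


def merge_entry(template_entry, addition):
    # Merge-time: apply only the kinds the template allows, skip the rest.
    # A missing or empty allowedImportAdditions means nothing is merged.
    allowed = parse_allowed(template_entry.get("allowedImportAdditions", []))
    merged = copy.deepcopy(template_entry)
    for kind in allowed:
        for key, value in addition.get(kind, {}).items():
            # Assumption of this sketch: template keys are never overwritten.
            merged.setdefault(kind, {}).setdefault(key, copy.deepcopy(value))
    return merged


# Constructed sample data (not from the PR).
TEMPLATE = {
    "subjects": {"issuer:admin": {"type": "admin"}},
    "resources": {"thing:/": {"grant": ["READ"], "revoke": []}},
    "importable": "explicit",
    "allowedImportAdditions": ["subjects"],
}
ADDITION = {
    "subjects": {"issuer:operator": {"type": "operator"}},
    "resources": {"thing:/": {"grant": ["WRITE"], "revoke": []},
                  "message:/": {"grant": ["WRITE"], "revoke": []}},
}
```

With this template the importing policy gains the extra subject, while its attempt to widen `resources` has no effect because the template owner did not allow that kind.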