
fix: authzen#442

Merged
gusfcarvalho merged 1 commit into
mainfrom
gc-fix-authzen
Jul 2, 2026

Conversation

@gusfcarvalho

@gusfcarvalho gusfcarvalho commented Jul 2, 2026

Contributor

Summary by CodeRabbit

  • New Features

    • Added support for two additional authentication/authorization environment settings.
    • Improved visibility into authorization activity with startup, request, and batch decision logs.
  • Bug Fixes

    • Added error logging for failed authorization requests to make issues easier to diagnose.
    • Included request timing information and decision summaries for better monitoring and troubleshooting.

Signed-off-by: Gustavo Carvalho <gustavo.carvalho@container-solutions.com>
Copilot AI review requested due to automatic review settings July 2, 2026 08:02
@gusfcarvalho gusfcarvalho enabled auto-merge (squash) July 2, 2026 08:02
@coderabbitai

coderabbitai Bot commented Jul 2, 2026


Review Change Stack

📝 Walkthrough

Walkthrough

This PR adds two new environment variable bindings for authz configuration (endpoint and cedar policy directory) in the CLI setup, and instruments the AuthZen client's constructor and request methods with structured startup, latency, and decision-outcome logging.

Changes

AuthZen observability and config

Layer / File(s) / Summary
  • Config binding for authz environment variables (cmd/root.go): adds MustBindEnv calls for authz_endpoint and authz_cedar_policy_dir.
  • Constructor startup logging (internal/authz/authzen.go): NewAuthZen logs an Infow with the computed evalURL, evalsURL, wellKnownURL, and timeout before returning.
  • Evaluate/Evaluations request logging (internal/authz/authzen.go): both methods record latency, log Warnw on POST failure, and log Debugw with decision outcomes/counts and latencyMs on success.
  • post() debug logging (internal/authz/authzen.go): logs the outgoing JSON request body and the incoming response status code via Debugw.

Estimated code review effort: 2 (Simple) | ~10 minutes

Sequence Diagram(s)

sequenceDiagram
  participant Caller
  participant AuthZen
  participant PDP as AuthZen Endpoint

  Caller->>AuthZen: Evaluate(subject, resource, action)
  AuthZen->>AuthZen: record start time
  AuthZen->>PDP: post(request body)
  alt POST fails
    PDP-->>AuthZen: error
    AuthZen-->>AuthZen: Warnw(error, identifiers)
  else POST succeeds
    PDP-->>AuthZen: response(status, body)
    AuthZen-->>AuthZen: Debugw(status)
    AuthZen-->>AuthZen: decisionFrom(response)
    AuthZen-->>AuthZen: Debugw(decision, latencyMs)
  end
  AuthZen-->>Caller: decision

Poem

A rabbit hops through logs so bright,
Watching timeouts, watching flight,
Debugw whispers, Warnw calls,
Decisions echo down the halls. 🐇
Endpoints bound, the config's set—
No burrow left uncharted yet!

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Title check ❓ Inconclusive The title is vague and does not describe the specific authzen logging and environment binding changes. Rename the PR to reflect the main change, such as adding AuthZen logging/latency instrumentation and new authz env bindings.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


Copilot AI left a comment


Pull request overview

This PR improves the AuthZen authorization driver’s observability and wires up missing environment variable bindings so AuthZ configuration can be provided via env vars.

Changes:

  • Add initialization and per-request logging (latency, allow/deny) for the AuthZen PDP driver.
  • Add debug logging for outbound AuthZen requests/responses.
  • Bind additional AuthZ-related environment variables (authz_endpoint, authz_cache_ttl, authz_cedar_policy_dir) in the CLI startup.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
internal/authz/authzen.go Adds AuthZen driver init logging plus request/decision/latency debug logs for evaluate calls.
cmd/root.go Binds additional AuthZ-related environment variables so config is read from the environment.


Comment thread internal/authz/authzen.go
if err != nil {
return fmt.Errorf("authz: marshal authzen request: %w", err)
}
a.logger.Debugw("authz: authzen request", "endpoint", endpoint, "body", string(buf))
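Review bot: the Debugw on the last line of this hunk writes the whole serialized request body (string(buf)) to the log on every post() call. That body is assembled from caller-supplied subject, resource and context attributes, so as soon as debug logging is enabled for troubleshooting those values land in whatever sink receives the logs; and because Go evaluates the arguments before the logger's level check, the string(buf) copy is paid on every request even when Debug is off. Log only endpoint plus the subject/resource type and identifier here, and if a body trace is genuinely needed, gate it behind an explicit debug-level check and emit a sanitized copy with properties and context stripped.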
Comment thread internal/authz/authzen.go
Comment on lines +68 to +70
logger.Infow("authz: authzen driver initialized",
"evalURL", a.evalURL, "evalsURL", a.evalsURL, "wellKnownURL", a.wellKnownURL,
"timeout", defaultAuthzenTimeout.String())
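Review bot: this Infow prints evalURL, evalsURL and wellKnownURL at startup; confirm the configured authz endpoint can never carry credentials in the URL (user:password@host userinfo or a token in a query string), since an Info-level line reaches every log sink. Also, "timeout" is taken from the defaultAuthzenTimeout constant rather than from a field on the constructed client, so if the timeout is ever made configurable this line will keep reporting the default.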

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
internal/authz/authzen.go (2)

224-229: 🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Full request body logged unconditionally — potential PII/sensitive-data leak.

post() logs the entire outgoing JSON body (string(buf)) on every call. This body is built from caller-supplied Subject, Resource, and context data (toEvaluation), which can contain PII or other sensitive attributes. Even at Debug level, this data can end up in log aggregation systems once debug logging is enabled for troubleshooting — a real compliance risk for an authorization service.

Consider redacting/omitting sensitive fields (e.g., log only subject/resource type+ID, not full properties/context) rather than the raw serialized payload.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/authz/authzen.go` around lines 224 - 229, The AuthZen post() method
is logging the full serialized request payload via a.Debugw, which can leak
sensitive Subject/Resource/context data. Update post() to avoid emitting
string(buf) directly and instead log only safe metadata from the request built
by toEvaluation, such as endpoint plus redacted subject/resource identifiers or
types. If detailed tracing is needed, ensure any logged fields are explicitly
sanitized before reaching the logger.

224-229: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Debug log arguments are eagerly evaluated on every request, even when Debug is disabled.

string(buf) performs a full copy of the serialized body on every call to post(), regardless of whether Debug logging is actually enabled — Go evaluates the Debugw arguments before zap's internal level check runs. Since post() is invoked on every single authz decision, this adds an unconditional allocation/copy to a hot path.

Guard with an explicit level check (e.g. a.logger.Desugar().Core().Enabled(zapcore.DebugLevel)) before building the body log, or use a zap field type that defers serialization.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/authz/authzen.go` around lines 224 - 229, The debug body log in
AuthZen.post is doing an unconditional string(buf) conversion and allocation on
every authz request even when debug logging is off. Update post to avoid
building the serialized body unless debug is actually enabled, either by
guarding the authz: authzen request log with an explicit zap debug-level check
on a.logger or by switching to a deferred zap field approach, so the hot path no
longer pays the copy cost when Debugw would be dropped.

📥 Commits

Reviewing files that changed from the base of the PR and between 4590770 and c199fa5.

📒 Files selected for processing (2)
  • cmd/root.go
  • internal/authz/authzen.go

Comment thread internal/authz/authzen.go
Comment on lines +152 to +165
start := time.Now()
var resp authzenDecisionResponse
if err := a.post(ctx, a.evalURL, toEvaluation(s, action, r, reqCtx), &resp); err != nil {
a.logger.Warnw("authz: authzen evaluate failed",
"subject", s.ID, "subjectType", s.Type, "action", action,
"resource", r.Type, "resourceID", r.ID, "error", err)
return Decision{}, err
}
return decisionFrom(resp), nil
dec := decisionFrom(resp)
a.logger.Debugw("authz: authzen decision",
"subject", s.ID, "subjectType", s.Type, "action", action,
"resource", r.Type, "resourceID", r.ID, "allow", dec.Allow, "reason", dec.Reason,
"latencyMs", float64(time.Since(start).Microseconds())/1000.0)
return dec, nil
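Review bot: latency is attached only on the success path: start is recorded before a.post, but the Warnw for a failed call omits latencyMs, and a timeout against the PDP is exactly the failure where the elapsed time is the diagnostic you want. Add "latencyMs", float64(time.Since(start).Microseconds())/1000.0 to the Warnw fields as well. Second, allow and deny outcomes both go out at Debug, so a deployment running at Info keeps no record of denials; consider emitting denies at Info (or as a counter) while leaving allows at Debug. Third, s.ID is logged raw in both paths, the concern the review comment on this thread raises: a keyed hash of the identifier preserves correlation across lines without writing e-mail addresses into the log backend.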


🔒 Security & Privacy | 🟡 Minor | ⚡ Quick win

Subject ID logged on every Evaluate call — verify it isn't PII.

Unlike Evaluations (which only logs aggregate counts), Evaluate's Warnw/Debugw calls log s.ID directly. Depending on the IdP, subject IDs may be emails or other identifying values. Given the compliance-focused nature of this service, confirm this is acceptable for the target logging backend/retention policy, or hash/redact the identifier.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/authz/authzen.go` around lines 152 - 165, The Evaluate logging in
authzen.go is emitting the raw subject identifier via s.ID in both the Warnw and
Debugw paths. Review the authz: authzen evaluate failed and authz: authzen
decision logs in the Evaluate flow and either confirm the backend/retention
policy allows this, or replace s.ID with a hashed/redacted form before logging.
Keep the rest of the context fields intact so the logging remains useful without
exposing potentially PII-bearing subject IDs.

@gusfcarvalho gusfcarvalho merged commit 381dbb9 into main Jul 2, 2026
6 checks passed
@gusfcarvalho gusfcarvalho deleted the gc-fix-authzen branch July 2, 2026 08:08