feat(policy): add obligation tables (#2532)

alkalescent · web-flow · commit c7d7aa4fd333 · 2025-07-21T19:21:29.000Z
### Proposed Changes

*

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions
diff --git a/service/policy/db/migrations/20250703000000_obligations.md b/service/policy/db/migrations/20250703000000_obligations.md
@@ -0,0 +1,65 @@
+[ADR for Obligations](https://github.com/opentdf/platform/issues/1933)
+
+This migration adds the obligation tables for definitions, values, triggers, and fulfillers.
+
+```mermaid
+erDiagram
+    attribute_namespaces ||--o{ obligation_definitions : "belongs_to"
+    obligation_definitions ||--o{ obligation_values_standard : "has_many"
+    obligation_values_standard ||--o{ obligation_triggers : "has_many"
+    obligation_values_standard ||--o{ obligation_fulfillers : "has_many"
+    attribute_values ||--o{ obligation_triggers : "triggers"
+    actions ||--o{ obligation_triggers : "triggers"
+
+    attribute_namespaces {
+        UUID id PK
+        string name
+    }
+    
+    obligation_definitions {
+        UUID id PK
+        UUID namespace_id FK
+        string name
+        jsonb metadata
+        timestamp created_at
+        timestamp updated_at
+    }
+    
+    obligation_values_standard {
+        UUID id PK
+        UUID obligation_definition_id FK
+        string value
+        jsonb metadata
+        timestamp created_at
+        timestamp updated_at
+    }
+    
+    obligation_triggers {
+        UUID id PK
+        UUID attribute_value_id FK
+        UUID obligation_value_id FK
+        UUID action_id FK
+        jsonb metadata
+        timestamp created_at
+        timestamp updated_at
+    }
+    
+    obligation_fulfillers {
+        UUID id PK
+        UUID obligation_value_id FK
+        jsonb conditionals
+        jsonb metadata
+        timestamp created_at
+        timestamp updated_at
+    }
+    
+    attribute_values {
+        UUID id PK
+        string value
+    }
+    
+    actions {
+        UUID id PK
+        string name
+    }
+```
diff --git a/service/policy/db/migrations/20250703000000_obligations.sql b/service/policy/db/migrations/20250703000000_obligations.sql
@@ -0,0 +1,84 @@
+-- +goose Up
+-- +goose StatementBegin
+
+CREATE TABLE IF NOT EXISTS obligation_definitions
+(
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    namespace_id UUID NOT NULL REFERENCES attribute_namespaces(id) ON DELETE CASCADE,
+    -- name is a unique identifier for the obligation definition within the namespace
+    name VARCHAR NOT NULL,
+    metadata JSONB,
+    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    -- implicit index on unique (namespace_id, name) combo
+    -- index name: obligation_definitions_namespace_id_name_key
+    UNIQUE (namespace_id, name)
+);
+
+CREATE TABLE IF NOT EXISTS obligation_values_standard
+(
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    obligation_definition_id UUID NOT NULL REFERENCES obligation_definitions(id) ON DELETE CASCADE,
+    -- value is a unique identifier for the obligation value within the definition
+    value VARCHAR NOT NULL,
+    metadata JSONB,
+    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    -- implicit index on unique (obligation_definition_id, value) combo
+    -- index name: obligation_values_standard_obligation_definition_id_value_key
+    UNIQUE (obligation_definition_id, value)
+);
+
+CREATE TABLE IF NOT EXISTS obligation_triggers
+(
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    obligation_value_id UUID NOT NULL REFERENCES obligation_values_standard(id) ON DELETE CASCADE,
+    action_id UUID NOT NULL REFERENCES actions(id) ON DELETE CASCADE,
+    attribute_value_id UUID NOT NULL REFERENCES attribute_values(id) ON DELETE CASCADE,
+    metadata JSONB,
+    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    UNIQUE(obligation_value_id, action_id, attribute_value_id)
+);
+
+CREATE TABLE IF NOT EXISTS obligation_fulfillers
+(
+    id UUID PRIMARY KEY DEFAULT gen_random_uuid(),
+    obligation_value_id UUID NOT NULL REFERENCES obligation_values_standard(id) ON DELETE CASCADE,
+    conditionals JSONB,
+    metadata JSONB,
+    created_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP,
+    updated_at TIMESTAMP WITH TIME ZONE NOT NULL DEFAULT CURRENT_TIMESTAMP
+);
+
+CREATE TRIGGER obligation_definitions_updated_at
+    BEFORE UPDATE ON obligation_definitions
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_at();
+
+CREATE TRIGGER obligation_values_standard_updated_at
+    BEFORE UPDATE ON obligation_values_standard
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_at();
+
+CREATE TRIGGER obligation_triggers_updated_at
+    BEFORE UPDATE ON obligation_triggers
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_at();
+
+CREATE TRIGGER obligation_fulfillers_updated_at
+    BEFORE UPDATE ON obligation_fulfillers
+    FOR EACH ROW
+    EXECUTE FUNCTION update_updated_at();
+
+-- +goose StatementEnd
+
+-- +goose Down
+-- +goose StatementBegin
+
+DROP TABLE IF EXISTS obligation_fulfillers;
+DROP TABLE IF EXISTS obligation_triggers;
+DROP TABLE IF EXISTS obligation_values_standard;
+DROP TABLE IF EXISTS obligation_definitions;
+
+-- +goose StatementEnd
diff --git a/service/policy/db/schema_erd.md b/service/policy/db/schema_erd.md
@@ -132,6 +132,43 @@ erDiagram
         character_varying uri UK "URI of the KAS"
     }
 
+    obligation_definitions {
+        timestamp_with_time_zone created_at 
+        uuid id PK 
+        jsonb metadata 
+        character_varying name UK 
+        uuid namespace_id FK,UK 
+        timestamp_with_time_zone updated_at 
+    }
+
+    obligation_fulfillers {
+        jsonb conditionals 
+        timestamp_with_time_zone created_at 
+        uuid id PK 
+        jsonb metadata 
+        uuid obligation_value_id FK 
+        timestamp_with_time_zone updated_at 
+    }
+
+    obligation_triggers {
+        uuid action_id FK,UK 
+        uuid attribute_value_id FK,UK 
+        timestamp_with_time_zone created_at 
+        uuid id PK 
+        jsonb metadata 
+        uuid obligation_value_id FK,UK 
+        timestamp_with_time_zone updated_at 
+    }
+
+    obligation_values_standard {
+        timestamp_with_time_zone created_at 
+        uuid id PK 
+        jsonb metadata 
+        uuid obligation_definition_id FK,UK 
+        timestamp_with_time_zone updated_at 
+        character_varying value UK 
+    }
+
     provider_config {
         jsonb config "Configuration details for the key provider"
         timestamp_with_time_zone created_at "Timestamp when the provider configuration was created"
@@ -223,6 +260,7 @@ erDiagram
         timestamp_with_time_zone updated_at "Timestamp when the key was last updated"
     }
 
+    obligation_triggers }o--|| actions : "action_id"
     registered_resource_action_attribute_values }o--|| actions : "action_id"
     subject_mapping_actions }o--|| actions : "action_id"
     asym_key }o--|| provider_config : "provider_config_id"
@@ -239,17 +277,22 @@ erDiagram
     attribute_namespace_key_access_grants }o--|| key_access_servers : "key_access_server_id"
     attribute_namespace_public_key_map }o--|| attribute_namespaces : "namespace_id"
     attribute_namespace_public_key_map }o--|| key_access_server_keys : "key_access_server_key_id"
+    obligation_definitions }o--|| attribute_namespaces : "namespace_id"
     resource_mapping_groups }o--|| attribute_namespaces : "namespace_id"
     attribute_value_key_access_grants }o--|| attribute_values : "attribute_value_id"
     attribute_value_key_access_grants }o--|| key_access_servers : "key_access_server_id"
     attribute_value_public_key_map }o--|| attribute_values : "value_id"
     attribute_value_public_key_map }o--|| key_access_server_keys : "key_access_server_key_id"
+    obligation_triggers }o--|| attribute_values : "attribute_value_id"
     registered_resource_action_attribute_values }o--|| attribute_values : "attribute_value_id"
     resource_mappings }o--|| attribute_values : "attribute_value_id"
     subject_mappings }o--|| attribute_values : "attribute_value_id"
     base_keys }o--|| key_access_server_keys : "key_access_server_key_id"
     key_access_server_keys }o--|| key_access_servers : "key_access_server_id"
     key_access_server_keys }o--|| provider_config : "provider_config_id"
+    obligation_values_standard }o--|| obligation_definitions : "obligation_definition_id"
+    obligation_fulfillers }o--|| obligation_values_standard : "obligation_value_id"
+    obligation_triggers }o--|| obligation_values_standard : "obligation_value_id"
     sym_key }o--|| provider_config : "provider_config_id"
     registered_resource_action_attribute_values }o--|| registered_resource_values : "registered_resource_value_id"
     registered_resource_values }o--|| registered_resources : "registered_resource_id"
