feat(policy): cache SubjectConditionSet selectors in dedicated column maintained via trigger (#2320)

### Proposed Changes

* Maintain a cache of selectors utilized for the `MatchSubjectMappings`
RPC to power fetching resolve-able entitlement objects
* Improve protovalidate implementation of subject mappings/subject
condition sets creation
* Add a new db integration test for `MatchSubjectMappings` that ensures
updation to the selectors

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

Author: jakedoublev

protocol/go/policy/subjectmapping/subject_mapping.pb.go

@@ -958,7 +958,22 @@ func (s *SubjectMappingsSuite) Test_ListSubjectConditionSet_Offset_Succeeds() {
 func (s *SubjectMappingsSuite) TestDeleteSubjectConditionSet() {
 	// create a new subject condition set, delete it, and verify get fails with not found
 	newConditionSet := &subjectmapping.SubjectConditionSetCreate{
-		SubjectSets: []*policy.SubjectSet{},
+		SubjectSets: []*policy.SubjectSet{
+			{
+				ConditionGroups: []*policy.ConditionGroup{
+					{
+						BooleanOperator: policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_OR,
+						Conditions: []*policy.Condition{
+							{
+								SubjectExternalSelectorValue: ".someField[1]",
+								Operator:                     policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN,
+								SubjectExternalValues:        []string{"some_value"},
+							},
+						},
+					},
+				},
+			},
+		},
 	}
 
 	created, err := s.db.PolicyClient.CreateSubjectConditionSet(s.ctx, newConditionSet)
@@ -1575,6 +1590,113 @@ func (s *SubjectMappingsSuite) TestGetMatchedSubjectMappings_NonExistentField_Re
 	s.Empty(sm)
 }
 
+func (s *SubjectMappingsSuite) TestGetMatchedSubjectMappings_ResponsiveToUpdation() {
+	// Create a Subject Condition Set with a specific selector
+	initialSelector := ".test_updation_selector"
+	updatedSelector := ".updated_selector" // Will be used later for the update
+
+	subjectConditionSet := &subjectmapping.SubjectConditionSetCreate{
+		SubjectSets: []*policy.SubjectSet{
+			{
+				ConditionGroups: []*policy.ConditionGroup{
+					{
+						BooleanOperator: policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_AND,
+						Conditions: []*policy.Condition{
+							{
+								SubjectExternalSelectorValue: initialSelector,
+								Operator:                     policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN,
+								SubjectExternalValues:        []string{"test_value"},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	createdSCS, err := s.db.PolicyClient.CreateSubjectConditionSet(s.ctx, subjectConditionSet)
+	s.Require().NoError(err)
+	s.NotNil(createdSCS)
+
+	// Create a Subject Mapping with the created SCS
+	fixtureAttrValID := s.f.GetAttributeValueKey("example.com/attr/attr1/value/value2").ID
+	actionRead := s.f.GetStandardAction(policydb.ActionRead.String())
+
+	subjectMapping := &subjectmapping.CreateSubjectMappingRequest{
+		AttributeValueId:              fixtureAttrValID,
+		Actions:                       []*policy.Action{actionRead},
+		ExistingSubjectConditionSetId: createdSCS.GetId(),
+	}
+
+	createdSM, err := s.db.PolicyClient.CreateSubjectMapping(s.ctx, subjectMapping)
+	s.Require().NoError(err)
+	s.NotNil(createdSM)
+
+	// Validate the subject mapping is matched using the initial selector but not updated
+	props := []*policy.SubjectProperty{
+		{
+			ExternalSelectorValue: initialSelector,
+		},
+	}
+
+	matchedList, err := s.db.PolicyClient.GetMatchedSubjectMappings(s.ctx, props)
+	s.Require().NoError(err)
+	s.Len(matchedList, 1)
+
+	matchedSM := matchedList[0]
+	s.Equal(createdSM.GetId(), matchedSM.GetId())
+
+	updatedProps := []*policy.SubjectProperty{
+		{
+			ExternalSelectorValue: updatedSelector, // This selector is not yet in use
+		},
+	}
+
+	matchedList, err = s.db.PolicyClient.GetMatchedSubjectMappings(s.ctx, updatedProps)
+	s.Require().NoError(err)
+	s.Empty(matchedList)
+
+	// Update the Subject Condition Set with a different selector
+	updateRequest := &subjectmapping.UpdateSubjectConditionSetRequest{
+		Id: createdSCS.GetId(),
+		SubjectSets: []*policy.SubjectSet{
+			{
+				ConditionGroups: []*policy.ConditionGroup{
+					{
+						BooleanOperator: policy.ConditionBooleanTypeEnum_CONDITION_BOOLEAN_TYPE_ENUM_AND,
+						Conditions: []*policy.Condition{
+							{
+								SubjectExternalSelectorValue: updatedSelector, // Changed selector
+								Operator:                     policy.SubjectMappingOperatorEnum_SUBJECT_MAPPING_OPERATOR_ENUM_IN,
+								SubjectExternalValues:        []string{"test_value"},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	updatedSCS, err := s.db.PolicyClient.UpdateSubjectConditionSet(s.ctx, updateRequest)
+	s.Require().NoError(err)
+	s.NotNil(updatedSCS)
+
+	matchedAfterUpdate, err := s.db.PolicyClient.GetMatchedSubjectMappings(s.ctx, props)
+	s.Require().NoError(err)
+	s.Empty(matchedAfterUpdate)
+
+	matchedList, err = s.db.PolicyClient.GetMatchedSubjectMappings(s.ctx, updatedProps)
+	s.Require().NoError(err)
+	s.Len(matchedList, 1)
+
+	matchedSM = matchedList[0]
+	s.Equal(createdSM.GetId(), matchedSM.GetId())
+
+	matchedList, err = s.db.PolicyClient.GetMatchedSubjectMappings(s.ctx, props)
+	s.Require().NoError(err)
+	s.Empty(matchedList)
+}
+
 func (s *SubjectMappingsSuite) TestUpdateSubjectConditionSet_MetadataVariations() {
 	fixedLabel := "fixed label"
 	updateLabel := "update label"

service/integration/subject_mappings_test.go

@@ -64,14 +64,14 @@ type SubjectConditionSet struct {
 	Condition struct {
 		SubjectSets []struct {
 			ConditionGroups []struct {
-				BooleanOperator string `yaml:"boolean_operator" json:"boolean_operator"`
+				BooleanOperator string `yaml:"booleanOperator" json:"booleanOperator"`
 				Conditions      []struct {
-					SubjectExternalSelectorValue string   `yaml:"subject_external_selector_value" json:"subject_external_selector_value"`
+					SubjectExternalSelectorValue string   `yaml:"subjectExternalSelectorValue" json:"subjectExternalSelectorValue"`
 					Operator                     string   `yaml:"operator" json:"operator"`
-					SubjectExternalValues        []string `yaml:"subject_external_values" json:"subject_external_values"`
+					SubjectExternalValues        []string `yaml:"subjectExternalValues" json:"subjectExternalValues"`
 				} `yaml:"conditions" json:"conditions"`
-			} `yaml:"condition_groups" json:"condition_groups"`
-		} `yaml:"subject_sets" json:"subject_sets"`
+			} `yaml:"conditionGroups" json:"conditionGroups"`
+		} `yaml:"subjectSets" json:"subjectSets"`
 	} `yaml:"condition" json:"condition"`
 }
 

service/internal/fixtures/fixtures.go

@@ -245,116 +245,116 @@ subject_condition_set:
     subject_condition_set1:
       id: b3903282-06f9-41a4-924a-7b8eb43dffe0
       condition:
-        subject_sets:
-          - condition_groups:
-              - boolean_operator: CONDITION_BOOLEAN_TYPE_ENUM_AND
+        subjectSets:
+          - conditionGroups:
+              - booleanOperator: CONDITION_BOOLEAN_TYPE_ENUM_AND
                 conditions:
-                  - subject_external_selector_value: ".attributes.superhero_name[]"
+                  - subjectExternalSelectorValue: ".attributes.superhero_name[]"
                     operator: SUBJECT_MAPPING_OPERATOR_ENUM_IN
-                    subject_external_values:
+                    subjectExternalValues:
                       - thor
                       - captain_america
-                  - subject_external_selector_value: ".attributes.superhero_group[]"
+                  - subjectExternalSelectorValue: ".attributes.superhero_group[]"
                     operator: SUBJECT_MAPPING_OPERATOR_ENUM_IN
-                    subject_external_values:
+                    subjectExternalValues:
                       - avengers
     subject_condition_set2:
       id: 798aacd2-abaf-4623-975e-3bb8ca43e318
       condition:
-        subject_sets:
-          - condition_groups:
-              - boolean_operator: CONDITION_BOOLEAN_TYPE_ENUM_AND
+        subjectSets:
+          - conditionGroups:
+              - booleanOperator: CONDITION_BOOLEAN_TYPE_ENUM_AND
                 conditions:
-                  - subject_external_selector_value: ".org"
+                  - subjectExternalSelectorValue: ".org"
                     operator: SUBJECT_MAPPING_OPERATOR_ENUM_IN
-                    subject_external_values:
+                    subjectExternalValues:
                       - marketing
                       - sales
-                  - subject_external_selector_value: ".role"
+                  - subjectExternalSelectorValue: ".role"
                     operator: SUBJECT_MAPPING_OPERATOR_ENUM_IN
-                    subject_external_values:
+                    subjectExternalValues:
                       - senior_vice_president
                       - vice_president
                       - director
     subject_condition_set3:
       id: eaf866c0-327f-4826-846a-5041c3c22f06
       condition:
-        subject_sets:
-          - condition_groups:
-              - boolean_operator: CONDITION_BOOLEAN_TYPE_ENUM_OR
+        subjectSets:
+          - conditionGroups:
+              - booleanOperator: CONDITION_BOOLEAN_TYPE_ENUM_OR
                 conditions:
                   # any index
-                  - subject_external_selector_value: ".data[0].favorite_things[]"
+                  - subjectExternalSelectorValue: ".data[0].favorite_things[]"
                     operator: SUBJECT_MAPPING_OPERATOR_ENUM_IN
-                    subject_external_values:
+                    subjectExternalValues:
                       - futbol
                       - soccer
                   # specific index
-                  - subject_external_selector_value: ".data[0].favorite_things[1]"
+                  - subjectExternalSelectorValue: ".data[0].favorite_things[1]"
                     operator: SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN
-                    subject_external_values:
+                    subjectExternalValues:
                       - ice_cream
-              - boolean_operator: CONDITION_BOOLEAN_TYPE_ENUM_AND
+              - booleanOperator: CONDITION_BOOLEAN_TYPE_ENUM_AND
                 conditions:
-                  - subject_external_selector_value: ".department"
+                  - subjectExternalSelectorValue: ".department"
                     operator: SUBJECT_MAPPING_OPERATOR_ENUM_IN
-                    subject_external_values:
+                    subjectExternalValues:
                       - engineering
-                  - subject_external_selector_value: ".role"
+                  - subjectExternalSelectorValue: ".role"
                     operator: SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN
-                    subject_external_values:
+                    subjectExternalValues:
                       - manager
                       - director
                       - vice_president
     subject_condition_simple_in:
       id: 3c623ede-df88-4906-8a78-ebdfacadcd57
       condition:
-        subject_sets:
-          - condition_groups:
-              - boolean_operator: CONDITION_BOOLEAN_TYPE_ENUM_OR
+        subjectSets:
+          - conditionGroups:
+              - booleanOperator: CONDITION_BOOLEAN_TYPE_ENUM_OR
                 conditions:
-                  - subject_external_selector_value: ".some_field"
+                  - subjectExternalSelectorValue: ".some_field"
                     operator: SUBJECT_MAPPING_OPERATOR_ENUM_IN
-                    subject_external_values:
+                    subjectExternalValues:
                       - some_value
     subject_condition_simple_not_in:
       id: cf17ec4c-d206-4b74-b3db-5ce07d6995cc
       condition:
-        subject_sets:
-          - condition_groups:
-              - boolean_operator: CONDITION_BOOLEAN_TYPE_ENUM_OR
+        subjectSets:
+          - conditionGroups:
+              - booleanOperator: CONDITION_BOOLEAN_TYPE_ENUM_OR
                 conditions:
-                  - subject_external_selector_value: ".some_other_field[1]"
+                  - subjectExternalSelectorValue: ".some_other_field[1]"
                     operator: SUBJECT_MAPPING_OPERATOR_ENUM_NOT_IN
-                    subject_external_values:
+                    subjectExternalValues:
                       - some_other_value_123
     subject_condition_working_group_blue_scenario:
       id: 10d03422-7eae-43b9-ac3b-d10400171858
       condition:
-        subject_sets:
-          - condition_groups:
-              - boolean_operator: CONDITION_BOOLEAN_TYPE_ENUM_AND
+        subjectSets:
+          - conditionGroups:
+              - booleanOperator: CONDITION_BOOLEAN_TYPE_ENUM_AND
                 conditions:
-                  - subject_external_selector_value: ".team.name"
+                  - subjectExternalSelectorValue: ".team.name"
                     operator: SUBJECT_MAPPING_OPERATOR_ENUM_IN
-                    subject_external_values:
+                    subjectExternalValues:
                       - CoolTool
                       - RadService
                       - ShinyThing
-                  - subject_external_selector_value: ".org.name"
+                  - subjectExternalSelectorValue: ".org.name"
                     operator: SUBJECT_MAPPING_OPERATOR_ENUM_IN
-                    subject_external_values:
+                    subjectExternalValues:
                       - marketing
     subject_condition_sdk_client:
       id: 86621a00-b63e-42e9-bea5-40ba52d98ede
       condition:
-        subject_sets:
-          - condition_groups:
-              - boolean_operator: CONDITION_BOOLEAN_TYPE_ENUM_OR
+        subjectSets:
+          - conditionGroups:
+              - booleanOperator: CONDITION_BOOLEAN_TYPE_ENUM_OR
                 conditions:
-                  - subject_external_selector_value: ".clientId"
+                  - subjectExternalSelectorValue: ".clientId"
                     operator: SUBJECT_MAPPING_OPERATOR_ENUM_IN
-                    subject_external_values:
+                    subjectExternalValues:
                       - opentdf-sdk
 
 ##

service/internal/fixtures/policy_fixtures.yaml

@@ -0,0 +1,11 @@
+### Changes
+
+#### Cached selectors approach
+
+Utilize a trigger to set and maintain cached selectors in a dedicated column on the
+Subject Condition Set table, then do an overlap `&&` check against the cache instead
+of parsing JSON in the `matchSubjectMappings` query.
+
+#### Indices
+
+Index on any relations in the `matchSubjectMappings` query for fastest reads.