From b210f95b9256ea8c13fb824e4a4325585fa6f3e8 Mon Sep 17 00:00:00 2001 From: Paul Latzelsperger Date: Mon, 21 Oct 2024 17:34:43 +0200 Subject: [PATCH 1/4] use ParticipantAgentPolicyContext --- .../AbstractCredentialEvaluationFunction.java | 2 +- .../dcp/policy/DataAccessLevelFunction.java | 28 ++++--------------- ...embershipCredentialEvaluationFunction.java | 8 +++--- .../dcp/policy/PolicyEvaluationExtension.java | 4 ++- .../tests/transfer/TransferEndToEndTest.java | 2 +- 5 files changed, 15 insertions(+), 29 deletions(-) diff --git a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/AbstractCredentialEvaluationFunction.java b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/AbstractCredentialEvaluationFunction.java index f1564868..3d6992a4 100644 --- a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/AbstractCredentialEvaluationFunction.java +++ b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/AbstractCredentialEvaluationFunction.java @@ -15,7 +15,7 @@ package org.eclipse.edc.demo.dcp.policy; import org.eclipse.edc.iam.verifiablecredentials.spi.model.VerifiableCredential; -import org.eclipse.edc.spi.agent.ParticipantAgent; +import org.eclipse.edc.participant.spi.ParticipantAgent; import org.eclipse.edc.spi.result.Result; import java.util.List; diff --git a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/DataAccessLevelFunction.java b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/DataAccessLevelFunction.java index 4e47b448..d0065ba2 100644 --- a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/DataAccessLevelFunction.java +++ b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/DataAccessLevelFunction.java 
@@ -17,16 +17,15 @@ import org.eclipse.edc.connector.controlplane.catalog.spi.policy.CatalogPolicyContext; import org.eclipse.edc.connector.controlplane.contract.spi.policy.ContractNegotiationPolicyContext; import org.eclipse.edc.connector.controlplane.contract.spi.policy.TransferProcessPolicyContext; +import org.eclipse.edc.participant.spi.ParticipantAgent; +import org.eclipse.edc.participant.spi.ParticipantAgentPolicyContext; import org.eclipse.edc.policy.engine.spi.AtomicConstraintRuleFunction; -import org.eclipse.edc.policy.engine.spi.PolicyContext; import org.eclipse.edc.policy.model.Duty; import org.eclipse.edc.policy.model.Operator; -import org.eclipse.edc.spi.agent.ParticipantAgent; -import java.util.Map; import java.util.Objects; -public abstract class DataAccessLevelFunction extends AbstractCredentialEvaluationFunction implements AtomicConstraintRuleFunction { +public abstract class DataAccessLevelFunction extends AbstractCredentialEvaluationFunction implements AtomicConstraintRuleFunction { private static final String DATAPROCESSOR_CRED_TYPE = "DataProcessorCredential"; @@ -34,7 +33,7 @@ public static DataAccessLevelFunction createForTra return new DataAccessLevelFunction<>() { @Override protected ParticipantAgent getAgent(TransferProcessPolicyContext policyContext) { - return policyContext.agent(); + return policyContext.participantAgent(); } }; } @@ -43,7 +42,7 @@ public static DataAccessLevelFunction createFo return new DataAccessLevelFunction<>() { @Override protected ParticipantAgent getAgent(ContractNegotiationPolicyContext policyContext) { - return policyContext.agent(); + return policyContext.participantAgent(); } }; } @@ -52,7 +51,7 @@ public static DataAccessLevelFunction createForCatalog() { return new DataAccessLevelFunction<>() { @Override protected ParticipantAgent getAgent(CatalogPolicyContext policyContext) { - return policyContext.agent(); + return policyContext.participantAgent(); } }; } 
@@ -91,19 +90,4 @@ public boolean evaluate(Operator operator, Object rightOperand, Duty duty, C pol protected abstract ParticipantAgent getAgent(C policyContext); - @SuppressWarnings("unchecked") - private T getClaim(String postfix, Map claims) { - return (T) claims.entrySet().stream().filter(e -> e.getKey().endsWith(postfix)) - .findFirst() - .map(Map.Entry::getValue) - .orElse(null); - } - - private static class ForCatalog extends DataAccessLevelFunction { - - @Override - protected ParticipantAgent getAgent(CatalogPolicyContext policyContext) { - return policyContext.agent(); - } - } } diff --git a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/MembershipCredentialEvaluationFunction.java b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/MembershipCredentialEvaluationFunction.java index 2fa0ab95..cc118249 100644 --- a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/MembershipCredentialEvaluationFunction.java +++ b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/MembershipCredentialEvaluationFunction.java @@ -17,11 +17,11 @@ import org.eclipse.edc.connector.controlplane.catalog.spi.policy.CatalogPolicyContext; import org.eclipse.edc.connector.controlplane.contract.spi.policy.ContractNegotiationPolicyContext; import org.eclipse.edc.connector.controlplane.contract.spi.policy.TransferProcessPolicyContext; +import org.eclipse.edc.participant.spi.ParticipantAgent; import org.eclipse.edc.policy.engine.spi.AtomicConstraintRuleFunction; import org.eclipse.edc.policy.engine.spi.PolicyContext; import org.eclipse.edc.policy.model.Operator; import org.eclipse.edc.policy.model.Permission; -import org.eclipse.edc.spi.agent.ParticipantAgent; import java.time.Instant; import java.util.Map; 
@@ -38,7 +38,7 @@ public static MembershipCredentialEvaluationFunction creat @Override protected ParticipantAgent getAgent(CatalogPolicyContext policyContext) { - return policyContext.agent(); + return policyContext.participantAgent(); } }; } @@ -48,7 +48,7 @@ public static MembershipCredentialEvaluationFunction void bindPermissionFunction(AtomicConstraintRu ruleBindingRegistry.bind(ODRL_SCHEMA + "use", scope); ruleBindingRegistry.bind(constraintType, scope); - policyEngine.registerFunction(contextClass, Permission.class, constraintType, function); +// policyEngine.registerFunction(contextClass, Permission.class, constraintType, function); } private void bindDutyFunction(AtomicConstraintRuleFunction function, Class contextClass, String scope, String constraintType) { diff --git a/tests/end2end/src/test/java/org/eclipse/edc/demo/tests/transfer/TransferEndToEndTest.java b/tests/end2end/src/test/java/org/eclipse/edc/demo/tests/transfer/TransferEndToEndTest.java index cbe3d216..810a2d47 100644 --- a/tests/end2end/src/test/java/org/eclipse/edc/demo/tests/transfer/TransferEndToEndTest.java +++ b/tests/end2end/src/test/java/org/eclipse/edc/demo/tests/transfer/TransferEndToEndTest.java @@ -29,7 +29,7 @@ import org.eclipse.edc.jsonld.util.JacksonJsonLd; import org.eclipse.edc.junit.annotations.EndToEndTest; import org.eclipse.edc.junit.testfixtures.TestUtils; -import org.eclipse.edc.spi.agent.ParticipantIdMapper; +import org.eclipse.edc.participant.spi.ParticipantIdMapper; import org.eclipse.edc.spi.monitor.ConsoleMonitor; import org.eclipse.edc.transform.TypeTransformerRegistryImpl; import org.eclipse.edc.transform.spi.TypeTransformerRegistry; From 2bfabfb161e410e116a06c0fbd957a46815fa8f9 Mon Sep 17 00:00:00 2001 
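Review bot: In `bindPermissionFunction` the call `policyEngine.registerFunction(contextClass, Permission.class, constraintType, function);` is commented out, so after this commit the `MembershipCredential` constraint is still bound to its scopes but has no evaluation function registered. How the policy engine treats a constraint with no registered function is not visible here; if it skips or passes such constraints, membership is not enforced in any build cut from this commit. Patch 2/4 restores the call and removes an incomplete `policyEngine.registerFunction(TransferProcessPolicyContext.class, Permission.class, );` line, which suggests this commit does not compile on its own either. Squashing 1/4 into 2/4, or keeping the registration active here, would leave every commit in the history buildable and enforcing. The hunk header for this file is garbled on the page and the method body continues outside the visible lines.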
From: Paul Latzelsperger Date: Mon, 21 Oct 2024 17:45:05 +0200 Subject: [PATCH 2/4] use single factory method --- deployment/modules/identity-hub/main.tf | 3 +- .../DataAccessCredentialScopeExtractor.java | 3 +- .../dcp/policy/DataAccessLevelFunction.java | 32 ++-------------- ...embershipCredentialEvaluationFunction.java | 38 +++---------------- .../dcp/policy/PolicyEvaluationExtension.java | 17 ++++----- 5 files changed, 20 insertions(+), 73 deletions(-) diff --git a/deployment/modules/identity-hub/main.tf b/deployment/modules/identity-hub/main.tf index 191326bb..c103f3e3 100644 --- a/deployment/modules/identity-hub/main.tf +++ b/deployment/modules/identity-hub/main.tf @@ -13,7 +13,7 @@ resource "kubernetes_deployment" "identityhub" { metadata { - name = lower(var.humanReadableName) + name = lower(var.humanReadableName) namespace = var.namespace labels = { App = lower(var.humanReadableName) @@ -163,6 +163,7 @@ resource "kubernetes_config_map" "identityhub-config" { EDC_SQL_SCHEMA_AUTOCREATE = true EDC_STS_ACCOUNT_API_URL = var.sts-accounts-api-url EDC_STS_ACCOUNTS_API_AUTH_HEADER_VALUE = "password" + EDC_IAM_ACCESSTOKEN_JTI_VALIDATION = true } } diff --git a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/core/DataAccessCredentialScopeExtractor.java b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/core/DataAccessCredentialScopeExtractor.java index b29a503f..d62a9a34 100644 --- a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/core/DataAccessCredentialScopeExtractor.java +++ b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/core/DataAccessCredentialScopeExtractor.java @@ -15,6 +15,7 @@ package org.eclipse.edc.demo.dcp.core; import org.eclipse.edc.iam.identitytrust.spi.scope.ScopeExtractor; +import org.eclipse.edc.policy.context.request.spi.RequestPolicyContext; import org.eclipse.edc.policy.engine.spi.PolicyContext; import org.eclipse.edc.policy.model.Operator; 
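Review bot: `EDC_IAM_ACCESSTOKEN_JTI_VALIDATION = true` is added to the `identityhub-config` ConfigMap in a commit titled "use single factory method" and removed again by patch 3/4 ("terraform fmt"), so the series ends with the setting absent. Going by its name, the flag turns on `jti` validation for access tokens, which would be a replay-protection control; that reading is inferred from the name, not shown on the page. A setting of this kind should change in its own commit with the reason stated, not inside a refactoring commit and then a formatting commit. Separately, the unchanged context line `EDC_STS_ACCOUNTS_API_AUTH_HEADER_VALUE = "password"` keeps a fixed auth header value in a ConfigMap; outside a demo deployment this would normally be a generated value held in a Secret.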
@@ -26,7 +27,7 @@ class DataAccessCredentialScopeExtractor implements ScopeExtractor { public static final String DATA_PROCESSOR_CREDENTIAL_TYPE = "DataProcessorCredential"; @Override - public Set extractScopes(Object leftValue, Operator operator, Object rightValue, PolicyContext context) { + public Set extractScopes(Object leftValue, Operator operator, Object rightValue, RequestPolicyContext context) { Set scopes = Set.of(); if (leftValue instanceof String leftOperand) { if (leftOperand.startsWith(DATA_ACCESS_CONSTRAINT_PREFIX)) { diff --git a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/DataAccessLevelFunction.java b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/DataAccessLevelFunction.java index d0065ba2..49ac49b3 100644 --- a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/DataAccessLevelFunction.java +++ b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/DataAccessLevelFunction.java @@ -14,10 +14,6 @@ package org.eclipse.edc.demo.dcp.policy; -import org.eclipse.edc.connector.controlplane.catalog.spi.policy.CatalogPolicyContext; -import org.eclipse.edc.connector.controlplane.contract.spi.policy.ContractNegotiationPolicyContext; -import org.eclipse.edc.connector.controlplane.contract.spi.policy.TransferProcessPolicyContext; -import org.eclipse.edc.participant.spi.ParticipantAgent; import org.eclipse.edc.participant.spi.ParticipantAgentPolicyContext; import org.eclipse.edc.policy.engine.spi.AtomicConstraintRuleFunction; import org.eclipse.edc.policy.model.Duty; 
@@ -25,34 +21,16 @@ import java.util.Objects; -public abstract class DataAccessLevelFunction extends AbstractCredentialEvaluationFunction implements AtomicConstraintRuleFunction { +public class DataAccessLevelFunction extends AbstractCredentialEvaluationFunction implements AtomicConstraintRuleFunction { private static final String DATAPROCESSOR_CRED_TYPE = "DataProcessorCredential"; - public static DataAccessLevelFunction createForTransferProcess() { - return new DataAccessLevelFunction<>() { - @Override - protected ParticipantAgent getAgent(TransferProcessPolicyContext policyContext) { - return policyContext.participantAgent(); - } - }; - } + private DataAccessLevelFunction() { - public static DataAccessLevelFunction createForNegotiation() { - return new DataAccessLevelFunction<>() { - @Override - protected ParticipantAgent getAgent(ContractNegotiationPolicyContext policyContext) { - return policyContext.participantAgent(); - } - }; } - public static DataAccessLevelFunction createForCatalog() { + public static DataAccessLevelFunction create() { return new DataAccessLevelFunction<>() { - @Override - protected ParticipantAgent getAgent(CatalogPolicyContext policyContext) { - return policyContext.participantAgent(); - } }; } @@ -62,7 +40,7 @@ public boolean evaluate(Operator operator, Object rightOperand, Duty duty, C pol policyContext.reportProblem("Cannot evaluate operator %s, only %s is supported".formatted(operator, Operator.EQ)); return false; } - var pa = getAgent(policyContext); + var pa = policyContext.participantAgent(); if (pa == null) { policyContext.reportProblem("ParticipantAgent not found on PolicyContext"); return false; @@ -88,6 +66,4 @@ public boolean evaluate(Operator operator, Object rightOperand, Duty duty, C pol } - protected abstract ParticipantAgent getAgent(C policyContext); - } 
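Review bot: `create()` still returns an anonymous subclass, `new DataAccessLevelFunction<>() { };`, although the class is no longer abstract and `getAgent` has been removed, so the empty body only adds an extra anonymous class. `return new DataAccessLevelFunction<>();` does the same job through the private constructor. The same applies to `MembershipCredentialEvaluationFunction.create()` later in this patch. A short Javadoc on `create()` stating that the function works for any context exposing `participantAgent()` would explain why one factory now serves the transfer, negotiation and catalog scopes. `evaluate` starts outside the hunk; the visible `pa == null` branch still reports a problem and returns false, and that fail-closed behaviour should be kept.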
diff --git a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/MembershipCredentialEvaluationFunction.java b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/MembershipCredentialEvaluationFunction.java index cc118249..4f9e5152 100644 --- a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/MembershipCredentialEvaluationFunction.java +++ b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/MembershipCredentialEvaluationFunction.java 
@@ -14,52 +14,26 @@ package org.eclipse.edc.demo.dcp.policy; -import org.eclipse.edc.connector.controlplane.catalog.spi.policy.CatalogPolicyContext; -import org.eclipse.edc.connector.controlplane.contract.spi.policy.ContractNegotiationPolicyContext; -import org.eclipse.edc.connector.controlplane.contract.spi.policy.TransferProcessPolicyContext; -import org.eclipse.edc.participant.spi.ParticipantAgent; +import org.eclipse.edc.participant.spi.ParticipantAgentPolicyContext; import org.eclipse.edc.policy.engine.spi.AtomicConstraintRuleFunction; -import org.eclipse.edc.policy.engine.spi.PolicyContext; import org.eclipse.edc.policy.model.Operator; import org.eclipse.edc.policy.model.Permission; import java.time.Instant; import java.util.Map; -public abstract class MembershipCredentialEvaluationFunction extends AbstractCredentialEvaluationFunction implements AtomicConstraintRuleFunction { +public class MembershipCredentialEvaluationFunction extends AbstractCredentialEvaluationFunction implements AtomicConstraintRuleFunction { public static final String MEMBERSHIP_CONSTRAINT_KEY = "MembershipCredential"; private static final String MEMBERSHIP_CLAIM = "membership"; private static final String SINCE_CLAIM = "since"; private static final String ACTIVE = "active"; - public static MembershipCredentialEvaluationFunction createForCatalog() { - return new MembershipCredentialEvaluationFunction<>() { - - @Override - protected ParticipantAgent getAgent(CatalogPolicyContext policyContext) { - return policyContext.participantAgent(); - } - }; - } - - public static MembershipCredentialEvaluationFunction createForTransfer() { - return new MembershipCredentialEvaluationFunction<>() { - - @Override - protected ParticipantAgent getAgent(TransferProcessPolicyContext policyContext) { - return policyContext.participantAgent(); - } - }; + private MembershipCredentialEvaluationFunction() { } - public static MembershipCredentialEvaluationFunction createForNegotiation() { + public static 
MembershipCredentialEvaluationFunction create() { return new MembershipCredentialEvaluationFunction<>() { - - @Override - protected ParticipantAgent getAgent(ContractNegotiationPolicyContext policyContext) { - return policyContext.participantAgent(); - } }; } @@ -75,7 +49,7 @@ public boolean evaluate(Operator operator, Object rightOperand, Permission permi return false; } - var pa = getAgent(policyContext); + var pa = policyContext.participantAgent(); if (pa == null) { policyContext.reportProblem("No ParticipantAgent found on context."); return false; @@ -97,6 +71,4 @@ public boolean evaluate(Operator operator, Object rightOperand, Permission permi }); } - protected abstract ParticipantAgent getAgent(C policyContext); - } diff --git a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/PolicyEvaluationExtension.java b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/PolicyEvaluationExtension.java index ccee8f60..01b761a1 100644 --- a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/PolicyEvaluationExtension.java +++ b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/policy/PolicyEvaluationExtension.java 
@@ -41,12 +41,9 @@ public class PolicyEvaluationExtension implements ServiceExtension { @Override public void initialize(ServiceExtensionContext context) { - - bindPermissionFunction(MembershipCredentialEvaluationFunction.createForTransfer(), TransferProcessPolicyContext.class, TransferProcessPolicyContext.TRANSFER_SCOPE, MEMBERSHIP_CONSTRAINT_KEY); - bindPermissionFunction(MembershipCredentialEvaluationFunction.createForNegotiation(), ContractNegotiationPolicyContext.class, ContractNegotiationPolicyContext.NEGOTIATION_SCOPE, MEMBERSHIP_CONSTRAINT_KEY); - bindPermissionFunction(MembershipCredentialEvaluationFunction.createForCatalog(), CatalogPolicyContext.class, CatalogPolicyContext.CATALOG_SCOPE, MEMBERSHIP_CONSTRAINT_KEY); - - policyEngine.registerFunction(TransferProcessPolicyContext.class, Permission.class, ); + bindPermissionFunction(MembershipCredentialEvaluationFunction.create(), TransferProcessPolicyContext.class, TransferProcessPolicyContext.TRANSFER_SCOPE, MEMBERSHIP_CONSTRAINT_KEY); + bindPermissionFunction(MembershipCredentialEvaluationFunction.create(), ContractNegotiationPolicyContext.class, ContractNegotiationPolicyContext.NEGOTIATION_SCOPE, MEMBERSHIP_CONSTRAINT_KEY); + bindPermissionFunction(MembershipCredentialEvaluationFunction.create(), CatalogPolicyContext.class, CatalogPolicyContext.CATALOG_SCOPE, MEMBERSHIP_CONSTRAINT_KEY); registerDataAccessLevelFunction(); 
@@ -55,9 +52,9 @@ public void initialize(ServiceExtensionContext context) { private void registerDataAccessLevelFunction() { var accessLevelKey = "DataAccess.level"; - bindDutyFunction(DataAccessLevelFunction.createForTransferProcess(), TransferProcessPolicyContext.class, TransferProcessPolicyContext.TRANSFER_SCOPE, accessLevelKey); - bindDutyFunction(DataAccessLevelFunction.createForNegotiation(), ContractNegotiationPolicyContext.class, ContractNegotiationPolicyContext.NEGOTIATION_SCOPE, accessLevelKey); - bindDutyFunction(DataAccessLevelFunction.createForCatalog(), CatalogPolicyContext.class, CatalogPolicyContext.CATALOG_SCOPE, accessLevelKey); + bindDutyFunction(DataAccessLevelFunction.create(), TransferProcessPolicyContext.class, TransferProcessPolicyContext.TRANSFER_SCOPE, accessLevelKey); + bindDutyFunction(DataAccessLevelFunction.create(), ContractNegotiationPolicyContext.class, ContractNegotiationPolicyContext.NEGOTIATION_SCOPE, accessLevelKey); + bindDutyFunction(DataAccessLevelFunction.create(), CatalogPolicyContext.class, CatalogPolicyContext.CATALOG_SCOPE, accessLevelKey); } private void bindPermissionFunction(AtomicConstraintRuleFunction function, Class contextClass, String scope, String constraintType) { @@ -65,7 +62,7 @@ private void bindPermissionFunction(AtomicConstraintRu ruleBindingRegistry.bind(ODRL_SCHEMA + "use", scope); ruleBindingRegistry.bind(constraintType, scope); -// policyEngine.registerFunction(contextClass, Permission.class, constraintType, function); + policyEngine.registerFunction(contextClass, Permission.class, constraintType, function); } private void bindDutyFunction(AtomicConstraintRuleFunction function, Class contextClass, String scope, String constraintType) { From 566afb34994730dfe147972ada00a38bfd6e7c8c Mon Sep 17 00:00:00 2001 From: Paul Latzelsperger Date: Tue, 22 Oct 2024 08:35:11 +0200 Subject: [PATCH 3/4] terraform fmt --- deployment/modules/identity-hub/main.tf | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/deployment/modules/identity-hub/main.tf b/deployment/modules/identity-hub/main.tf index c103f3e3..191326bb 100644 --- a/deployment/modules/identity-hub/main.tf +++ b/deployment/modules/identity-hub/main.tf @@ -13,7 +13,7 @@ resource "kubernetes_deployment" "identityhub" { metadata { - name = lower(var.humanReadableName) + name = lower(var.humanReadableName) namespace = var.namespace labels = { App = lower(var.humanReadableName) @@ -163,7 +163,6 @@ resource "kubernetes_config_map" "identityhub-config" { EDC_SQL_SCHEMA_AUTOCREATE = true EDC_STS_ACCOUNT_API_URL = var.sts-accounts-api-url EDC_STS_ACCOUNTS_API_AUTH_HEADER_VALUE = "password" - EDC_IAM_ACCESSTOKEN_JTI_VALIDATION = true } } From a7a89600709a7330f9d1d873ff4917e99c47957d Mon Sep 17 00:00:00 2001 From: Paul Latzelsperger Date: Tue, 22 Oct 2024 08:53:14 +0200 Subject: [PATCH 4/4] checkstyle --- .../edc/demo/dcp/core/DataAccessCredentialScopeExtractor.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/core/DataAccessCredentialScopeExtractor.java b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/core/DataAccessCredentialScopeExtractor.java index d62a9a34..46b192f3 100644 --- a/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/core/DataAccessCredentialScopeExtractor.java +++ b/extensions/dcp-impl/src/main/java/org/eclipse/edc/demo/dcp/core/DataAccessCredentialScopeExtractor.java 
@@ -16,15 +16,14 @@ import org.eclipse.edc.iam.identitytrust.spi.scope.ScopeExtractor; import org.eclipse.edc.policy.context.request.spi.RequestPolicyContext; -import org.eclipse.edc.policy.engine.spi.PolicyContext; import org.eclipse.edc.policy.model.Operator; import java.util.Set; class DataAccessCredentialScopeExtractor implements ScopeExtractor { + public static final String DATA_PROCESSOR_CREDENTIAL_TYPE = "DataProcessorCredential"; private static final String DATA_ACCESS_CONSTRAINT_PREFIX = "DataAccess."; private static final String CREDENTIAL_TYPE_NAMESPACE = "org.eclipse.edc.vc.type"; - public static final String DATA_PROCESSOR_CREDENTIAL_TYPE = "DataProcessorCredential"; @Override public Set extractScopes(Object leftValue, Operator operator, Object rightValue, RequestPolicyContext context) {