fix(authz): Add default role for every req.

[c-r33d]

1.) Follow v1 flow and add role:unknown for every request.

Summary by CodeRabbit

• Bug Fixes
  • Authorization now consistently evaluates requests with the default role included, improving policy matching for all requests.
  • Requests can now match policies tied to the fallback role even when other roles are present.

[gemini-code-assist]

Summary of Changes

Hello, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request updates the v2 authorization logic to ensure that a default 'role:unknown' is applied to every request, regardless of whether other subjects were found. This change standardizes the authorization behavior to match the established v1 flow and includes a regression test to validate the implementation.

Highlights

• Authorization Logic Update: Modified the v2 authorizer to consistently append the 'role:unknown' default role to all requests, ensuring alignment with v1 flow behavior.
• Test Coverage: Added a new test case to verify that all requests now correctly include the 'role:unknown' role during the authorization process.

New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.

---

The role was missing from the list, A v1 flow that we had missed. Now unknown joins the authz fray, To keep the access safe today.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request modifies the Casbin v2 authorizer to unconditionally append the default role (role:unknown) to the list of authorization subjects, and adds a test to verify this behavior. The reviewer noted that unconditionally appending the default role can lead to duplicate subjects if the token already explicitly contains the unknown role, causing redundant policy evaluations. They suggested checking for the existence of the default role in the subjects slice before appending it.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	208.937373ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	112.399123ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	426.355787ms
Throughput	234.55 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	46.558937031s
Average Latency	464.232168ms
Throughput	107.39 requests/second

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 08ac17ae-cdb5-493b-ab7b-c4c64d98f81e

📥 Commits

Reviewing files that changed from the base of the PR and between 03021fa and 8459938.

📒 Files selected for processing (2)

• service/internal/auth/authz/casbin/v2/authorizer.go
• service/internal/auth/authz/casbin/v2/authorizer_test.go

---

📝 Walkthrough

Walkthrough

The v2 Casbin authorizer now always includes the default role subject in authorization checks. A new test verifies a request with only the standard role matches a policy granted to role:unknown.

Changes

Default-role subject authorization

Layer / File(s)	Summary
Always append the default role service/internal/auth/authz/casbin/v2/authorizer.go, service/internal/auth/authz/casbin/v2/authorizer_test.go	The v2 authorizer appends role: + defaultRole to every computed subject set, and the new test asserts /kas.AccessService/Rewrap is allowed through role:unknown for a token containing only standard.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested labels

size/s

Suggested reviewers

• alkalescent

Poem

A bunny hopped by with a twitchy nose,
“Add one more role,” the little code prose.
Now every request gets a default-seat pass,
And unknown-role policies hop through the grass. 🐇

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly matches the main change: adding the default role to every request.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch add-unknown-role

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[github-actions]

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

• examples
• otdfctl
• sdk
• service
• lib/fixtures
• tests-bdd

See the workflow run for details.

[github-actions]

X-Test Results

✅ go@pull-3664-main
✅ go@pull-3664-pull-3664
✅ go@main-main
✅ go@main-v0.9.0
✅ go@pull-3664-v0.9.0
✅ go@main-pull-3664
✅ java@main-pull-3664
✅ java@main-main
✅ js@main-pull-3664
✅ js@main-main
✅ java@main-v0.9.0
✅ js@main-v0.9.0
cukes-report
opentdfplatformXDWS6A.dockerbuild
govulncheck-failure-2
govulncheck-failure-8
govulncheck-failure-1
govulncheck-failure-3
govulncheck-failure-0
govulncheck-failure-5