OPA ABAC policy

[ProninIgorr]

I wrote a Rego policy that has a main function called getattributes. It should retrieve user attributes. In it, we need to send a request, receive a response. Then parse the received object and validate the schema using json.match_schema or json.verify_schema (I'm not sure which is better). If an error occurs at any stage, we should terminate the policy execution and return a 403 code with an error. Later, we will import this Rego policy into other Rego policies where attribute retrieval is required.
More details:
ABAC Implementation
When authorizing user requests, it is necessary to retrieve attributes of the requested objects from the consumer system.
To do this, we need to implement the "getAttributes" function that performs the following actions:

Sending a request to the consumer system at the specified URL
Retrieving data about the requested object from the consumer system
Parsing the received data
Validating the data based on a JSON schema
Handling possible errors
In case of an error, it is necessary to return a status code 403 and a unique event identifier
This function should be called in every Rego policy responsible for granting subject access to objects.

This is what I wrote. But this policy doesn't seem to work. What's the reason and how can I fix it?

package httputil

# getattributes function retrieves user attributes from a consumer system
# This function handles various scenarios such as HTTP errors, JSON parsing issues, and schema validation
# Parameters:
# - url: The endpoint URL to fetch attributes from
# - method: HTTP method (GET, POST, etc.)
# - schema: JSON schema for validation
# - options: Additional request options (headers, body, timeout)
getattributes(url, method, schema, options) := result if {
	response := http_request(url, method, options)

	# Handle HTTP status code errors (400+)
	response.status_code >= 400
	result := {
		"status": "error",
		"status_code": 403,
		"error": sprintf("HTTP request failed: %d", [response.status_code]),
		"request_id": uuid.rfc4122(""),
	}
} else := result if {
	# Handle errors during HTTP request execution
	response := http_request(url, method, options)
	response.error != null
	result := {
		"status": "error",
		"status_code": 403,
		"error": sprintf("HTTP request error: %s", [response.error]),
		"request_id": uuid.rfc4122(""),
	}
} else := result if {
	# Handle invalid JSON in response
	response := http_request(url, method, options)
	response.status_code < 400
	response.error == null
	not json.is_valid(response.body)
	result := {
		"status": "error",
		"status_code": 403,
		"error": "Failed to parse response: invalid JSON",
		"request_id": uuid.rfc4122(""),
	}
} else := result if {
	# Handle schema validation failures
	response := http_request(url, method, options)
	response.status_code < 400
	response.error == null
	json.is_valid(response.body)
	parsed_body := json.unmarshal(response.body)
	not json.match_schema(schema, parsed_body)
	result := {
		"status": "error",
		"status_code": 403,
		"error": "Schema validation failed",
		"request_id": uuid.rfc4122(""),
	}
} else := result if {
	# Successful case - valid response and matching schema
	response := http_request(url, method, options)
	response.status_code < 400
	response.error == null
	json.is_valid(response.body)
	parsed_body := json.unmarshal(response.body)
	json.match_schema(schema, parsed_body)
	result := {
		"status": "success",
		"status_code": 200,
		"data": parsed_body,
		"request_id": uuid.rfc4122(""),
	}
}

# Helper function to perform HTTP requests
# Handles both cases: with and without request body
http_request(url, method, options) := response if {
	# Case with request body
	body := object.get(options, "body", null)
	body != null
	request := {
		"url": url,
		"method": method,
		"headers": object.get(options, "headers", {}),
		"timeout": object.get(options, "timeout", 5000),
		"body": body,
	}
	response := http.send(request)
} else := response if {
	# Case without request body
	body := object.get(options, "body", null)
	body == null
	request := {
		"url": url,
		"method": method,
		"headers": object.get(options, "headers", {}),
		"timeout": object.get(options, "timeout", 5000),
	}
	response := http.send(request)
}