save

strantalis · strantalis · commit d155fc708c1f · 2025-05-15T12:37:36.000-04:00
diff --git a/service/integration/attribute_fqns_test.go b/service/integration/attribute_fqns_test.go
@@ -177,7 +177,7 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithCasingNormalized() {
 			s.GreaterOrEqual(len(v.GetGrants()), 1)
 			found := false
 			for _, g := range v.GetGrants() {
-				if g.GetId() == kas.GetId() {
+				if g.GetId() == key.KeyAccessServerID {
 					found = true
 					break
 				}
diff --git a/service/policy/db/attribute_fqn.go b/service/policy/db/attribute_fqn.go
@@ -2,12 +2,10 @@ package db
 
 import (
 	"context"
-	"encoding/base64"
 	"fmt"
 	"strings"
 
 	"github.com/opentdf/platform/protocol/go/common"
-	"github.com/opentdf/platform/protocol/go/policy"
 	"github.com/opentdf/platform/protocol/go/policy/attributes"
 	"github.com/opentdf/platform/protocol/go/policy/namespaces"
 	"github.com/opentdf/platform/service/pkg/db"
@@ -112,102 +110,27 @@ func (c *PolicyDBClient) GetAttributesByValueFqns(ctx context.Context, r *attrib
 		}
 	}
 
-	// map keys to grants
 	for _, pair := range list {
-		if pair == nil {
-			continue
-		}
-		// Loop through all keys in the attribute and create grants
-		for _, key := range pair.Attribute.GetKasKeys() {
-			grant := &policy.KeyAccessServer{}
-			grant.Uri = key.GetKasUri()
-
-			kasKeyInfo := key.GetKey() // *policy.KasPublicKeyInfo
-			// Assuming kasKeyInfo is not nil based on SQL construction and panic location.
-			// If kasKeyInfo could be nil, an additional check would be needed here.
-
-			kasPubKey := &policy.KasPublicKey{
-				Kid: kasKeyInfo.GetKeyId(),
-				Alg: policy.KasPublicKeyAlgEnum(kasKeyInfo.GetKeyAlgorithm()),
-			}
-			// Check if PublicKeyCtx is available before accessing Pem
-			if pubKeyCtx := kasKeyInfo.GetPublicKeyCtx(); pubKeyCtx != nil {
-				// Grant pem isn't expected to be b64 encoded.
-				pem, err := base64.StdEncoding.DecodeString(pubKeyCtx.GetPem())
-				if err != nil {
-					return nil, fmt.Errorf("failed to decode PEM for key %s: %w", kasPubKey.Kid, err)
-				}
-				kasPubKey.Pem = string(pem)
-			}
-
-			grant.PublicKey = &policy.PublicKey{
-				PublicKey: &policy.PublicKey_Cached{
-					Cached: &policy.KasPublicKeySet{
-						Keys: []*policy.KasPublicKey{kasPubKey},
-					},
-				},
-			}
-			pair.Attribute.Grants = append(pair.Attribute.Grants, grant)
-		}
-		// Loop through all keys on values and create grants
-		for _, key := range pair.GetValue().GetKasKeys() {
-			grant := &policy.KeyAccessServer{}
-			grant.Uri = key.GetKasUri()
-
-			kasKeyInfo := key.GetKey() // *policy.KasPublicKeyInfo
-			kasPubKey := &policy.KasPublicKey{
-				Kid: kasKeyInfo.GetKeyId(),
-				Alg: policy.KasPublicKeyAlgEnum(kasKeyInfo.GetKeyAlgorithm()),
-			}
-			// Check if PublicKeyCtx is available before accessing Pem
-			if pubKeyCtx := kasKeyInfo.GetPublicKeyCtx(); pubKeyCtx != nil {
-				// Grant pem isn't expected to be b64 encoded.
-				pem, err := base64.StdEncoding.DecodeString(pubKeyCtx.GetPem())
-				if err != nil {
-					return nil, fmt.Errorf("failed to decode PEM for key %s: %w", kasPubKey.Kid, err)
-				}
-				kasPubKey.Pem = string(pem)
+		if pair != nil {
+			attrGrants, err := mapKasKeysToGrants(pair.GetAttribute().GetKasKeys())
+			if err != nil {
+				return nil, fmt.Errorf("could not map KAS attribute keys to grants: %w", err)
 			}
-
-			grant.PublicKey = &policy.PublicKey{
-				PublicKey: &policy.PublicKey_Cached{
-					Cached: &policy.KasPublicKeySet{
-						Keys: []*policy.KasPublicKey{kasPubKey},
-					},
-				},
+			// Update the response map with the attribute grants
+			pair.GetAttribute().Grants = append(pair.GetAttribute().Grants, attrGrants...)
+			// Update the value grants
+			valGrants, err := mapKasKeysToGrants(pair.GetValue().GetKasKeys())
+			if err != nil {
+				return nil, fmt.Errorf("could not map KAS value keys to grants: %w", err)
 			}
-			pair.Value.Grants = append(pair.Value.Grants, grant)
-		}
-
-		// Map Namespace Keys to Grants
-		if ns := pair.Attribute.GetNamespace(); ns != nil {
-			for _, key := range ns.GetKasKeys() {
-				grant := &policy.KeyAccessServer{}
-				grant.Uri = key.GetKasUri()
-
-				kasKeyInfo := key.GetKey() // *policy.KasPublicKeyInfo
-				kasPubKey := &policy.KasPublicKey{
-					Kid: kasKeyInfo.GetKeyId(),
-					Alg: policy.KasPublicKeyAlgEnum(kasKeyInfo.GetKeyAlgorithm()),
-				}
-				// Check if PublicKeyCtx is available before accessing Pem
-				if pubKeyCtx := kasKeyInfo.GetPublicKeyCtx(); pubKeyCtx != nil {
-					pem, err := base64.StdEncoding.DecodeString(pubKeyCtx.GetPem())
-					if err != nil {
-						return nil, fmt.Errorf("failed to decode PEM for key %s: %w", kasPubKey.Kid, err)
-					}
-					kasPubKey.Pem = string(pem)
-				}
-
-				grant.PublicKey = &policy.PublicKey{
-					PublicKey: &policy.PublicKey_Cached{
-						Cached: &policy.KasPublicKeySet{
-							Keys: []*policy.KasPublicKey{kasPubKey},
-						},
-					},
-				}
-				ns.Grants = append(ns.Grants, grant)
+			pair.GetValue().Grants = append(pair.GetValue().Grants, valGrants...)
+			// Update Namespace grants
+			nsGrants, err := mapKasKeysToGrants(pair.GetAttribute().GetNamespace().GetKasKeys())
+			if err != nil {
+				return nil, fmt.Errorf("could not map KAS namespace keys to grants: %w", err)
 			}
+			// Update the response map with the namespace grants
+			pair.GetAttribute().Grants = append(pair.GetAttribute().Grants, nsGrants...)
 		}
 	}
 
diff --git a/service/policy/db/attributes.go b/service/policy/db/attributes.go
@@ -291,12 +291,34 @@ func (c PolicyDBClient) ListAttributesByFqns(ctx context.Context, fqns []string)
 		}
 
 		var keys []*policy.KasKey
+		var attrGrants []*policy.KeyAccessServer
 		if len(attr.Keys) > 0 {
 			keys, err = db.KasKeysProtoJSON(attr.Keys)
 			if err != nil {
 				return nil, fmt.Errorf("failed to unmarshal keys [%s]: %w", string(attr.Keys), err)
 			}
+			attrGrants, err = mapKasKeysToGrants(keys)
+			if err != nil {
+				return nil, fmt.Errorf("could not map KAS attribute keys to grants: %w", err)
+			}
+		}
+
+		for _, val := range values {
+			if val.GetKasKeys() != nil {
+				valGrants, err := mapKasKeysToGrants(val.GetKasKeys())
+				if err != nil {
+					return nil, fmt.Errorf("could not map KAS value keys to grants: %w", err)
+				}
+				val.Grants = append(val.Grants, valGrants...)
+			}
+		}
+
+		// Update Namespace grants
+		nsGrants, err := mapKasKeysToGrants(ns.GetKasKeys())
+		if err != nil {
+			return nil, fmt.Errorf("could not map KAS namespace keys to grants: %w", err)
 		}
+		ns.Grants = append(ns.Grants, nsGrants...)
 
 		attrs[i] = &policy.Attribute{
 			Id:        attr.ID,
@@ -305,6 +327,7 @@ func (c PolicyDBClient) ListAttributesByFqns(ctx context.Context, fqns []string)
 			Fqn:       attr.Fqn,
 			Active:    &wrapperspb.BoolValue{Value: attr.Active},
 			Namespace: ns,
+			Grants:    attrGrants,
 			Values:    values,
 			KasKeys:   keys,
 		}

Original file line number	Diff line number	Diff line change
`@@ -177,7 +177,7 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithCasingNormalized() {`
`177`	`177`	`s.GreaterOrEqual(len(v.GetGrants()), 1)`
`178`	`178`	`found := false`
`179`	`179`	`for _, g := range v.GetGrants() {`
`180`		`- if g.GetId() == kas.GetId() {`
	`180`	`+ if g.GetId() == key.KeyAccessServerID {`
`181`	`181`	`found = true`
`182`	`182`	`break`
`183`	`183`	`}`