Skip to content

Policy: KAS registration lacks validation of URI #1640

New issue
New issue
Closed
#1656
Closed
Policy: KAS registration lacks validation of URI#1640
#1656
@jakedoublev

Description

@jakedoublev
jakedoublev
opened on Oct 14, 2024

Background

Registering a KAS to a platform currently requires a unique URI and a public_key that is either remote or cached:

platform/service/policy/kasregistry/key_access_server_registry.proto

Line 22 in 0551247

message CreateKeyAccessServerRequest {

Soon, it will also include (optionally) a common name for the KAS which is also unique: #153

However, the uri field in the proto above has no validation at present.

./otdfctl policy kasr create -r https://remote.com/kas -u 'b' --json
{
  "id": "87859c4d-b7f2-4366-8900-658b2a97de49",
  "uri": "b", // this should not be valid
  "public_key": {
    "PublicKey": {
      "Remote": "https://remote.com/kas"
    }
  },
  "metadata": {
    "created_at": {
      "seconds": 1728938163,
      "nanos": 43877000
    },
    "updated_at": {
      "seconds": 1728938163,
      "nanos": 43877000
    }
  }
}

Acceptance Criteria

  1. define allowed protocol schemes for KAS URIs
  2. enforce valid URI format with a CEL expression at the proto level

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions