Skip to content

feat(policy): Restrict deletion of pc with used key. #2414

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jun 9, 2025
Merged

feat(policy): Restrict deletion of pc with used key. #2414

merged 2 commits into from
Jun 9, 2025

Conversation

@c-r33d
Copy link
Contributor

@c-r33d c-r33d commented Jun 9, 2025
edited
Loading

Proposed Changes

1.) Update key_access_server_keys table to not allow deletion of in-use provider configurations
2.) Remove application level check for provider_configuration, in-favor or db level

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

@c-r33d c-r33d requested review from a team as code owners June 9, 2025 13:43
@github-actions github-actions bot added external-contributor External Org Member comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) size/s labels Jun 9, 2025
gemini-code-assist[bot]
gemini-code-assist bot reviewed Jun 9, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hello @c-r33d, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

Summary of Changes

Hello team,

Gemini here, providing a summary of this pull request by @c-r33d. The primary goal of this PR is to enforce a policy at the database level that prevents the deletion of a ProviderConfig if it is currently associated with a KeyAccessServerKey (a key). This shifts the responsibility for this check from the application code to the database's foreign key constraints, specifically using ON DELETE RESTRICT.

The changes involve adding a database migration to implement the foreign key constraint, removing the now redundant application-level check when creating a key, updating schema documentation, and adding/modifying tests to verify the new database-enforced behavior.

Highlights

  • Application Logic Removal: The application-level check that previously fetched the ProviderConfig when creating a key has been removed, as the database now handles the validation of the provider_config_id existence.
  • Testing: An existing test for creating a key with an invalid provider config is updated to expect a foreign key violation error instead of a 'not found' error. A new integration test is added specifically to verify that attempting to delete a ProviderConfig that is in use by a key results in a foreign key violation error.
  • Documentation: The database schema ER diagrams (both the migration-specific one and the main schema file) are updated to visually represent the new foreign key relationship between key_access_server_keys and provider_config.

Changelog

Click here to see the changelog
  • service/integration/kas_registry_key_test.go
    • Updated test Test_CreateKasKey_ProviderConfigInvalid_Fail to assert for db.ErrForeignKeyViolation.Error() at line 100, reflecting the shift to database-level validation.
  • service/integration/keymanagement_test.go
    • Added import for github.com/opentdf/platform/protocol/go/policy/kasregistry at line 12.
    • Added new test Test_DeleteProviderConfig_InUse_Fails starting at line 388 to specifically test the ON DELETE RESTRICT behavior.
  • service/policy/db/key_access_server_registry.go
    • Removed import for github.com/opentdf/platform/protocol/go/policy/keymanagement at line 15.
    • Removed application logic that fetched the provider config before creating a key (lines 377-386).
    • Updated the database insert statement in CreateKey to directly use the provided providerConfigID at line 403.
  • service/policy/db/migrations/20250609000000_restrict_provider_deletion.md
    • Added a new markdown file documenting the foreign key relationship between key_access_server_keys and provider_config using a mermaid diagram (lines 1-21).
  • service/policy/db/migrations/20250609000000_restrict_provider_deletion.sql
    • Added a new SQL migration file to drop and re-add the foreign key constraint on key_access_server_keys.provider_config_id with ON DELETE RESTRICT (lines 1-30).
  • service/policy/db/schema_erd.md
    • Updated the key_access_server_keys table definition to mark provider_config_id as a foreign key (FK) at line 119.
    • Added the relationship line key_access_server_keys }o--|| provider_config : "provider_config_id" to the ER diagram definition at line 252.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in issue comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

A foreign key, strong and true,
Links tables, old and new.
Delete restricted,
A rule respected,
Data integrity sees it through.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

github-actions[bot]
github-actions bot reviewed Jun 9, 2025
View reviewed changes
gemini-code-assist[bot]
gemini-code-assist bot suggested changes Jun 9, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request effectively moves the responsibility of restricting the deletion of in-use provider configurations from the application layer to the database layer by utilizing an ON DELETE RESTRICT foreign key constraint. This is a good practice for ensuring data integrity.

The code changes, including the new SQL migration, updates to the ERD, and the new integration test, appear to correctly implement this feature. The removal of the application-level check in CreateKey is consistent with this approach, and the updated test in kas_registry_key_test.go reflects the change in error handling.

However, a significant concern is that the checklist items in the pull request description (unit tests, integration tests, documentation) are all unchecked. This needs to be addressed before merging.

Summary of Findings

  • PR Checklist Incomplete: The pull request checklist indicates that unit tests, integration tests, and documentation have not been added or updated. Please ensure these are completed and the checklist is updated accordingly. This is important for maintaining code quality and ensuring the changes are well-understood and tested.

Merge Readiness

The core logic of restricting provider configuration deletion at the database level is well-implemented and tested with a new integration test. However, the PR checklist items for unit tests, integration tests, and documentation are currently unchecked. It's crucial to address these items to ensure comprehensive testing and proper documentation of the changes.

Therefore, I recommend that these checklist items be completed before this pull request is merged. I am not authorized to approve pull requests, so please ensure other reviewers also assess these changes.

@github-actions
Copy link
Contributor

github-actions bot commented Jun 9, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 5000
Denied Decision Requests 0
Total Time 447.160742ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 5000
Denied Decision Requests 0
Total Time 307.709808ms

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 347.741837ms
Throughput 287.57 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 36.602907331s
Average Latency 364.329496ms
Throughput 136.60 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 25.421447121s
Average Latency 253.243187ms
Throughput 196.68 requests/second

Standard Benchmark Metrics Skipped or Failed

@github-actions
Copy link
Contributor

github-actions bot commented Jun 9, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 5000
Denied Decision Requests 0
Total Time 426.163165ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 5000
Denied Decision Requests 0
Total Time 282.466555ms

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 345.734492ms
Throughput 289.24 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 36.746713762s
Average Latency 366.05635ms
Throughput 136.07 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 25.641601927s
Average Latency 255.597434ms
Throughput 195.00 requests/second

Standard Benchmark Metrics Skipped or Failed

@c-r33d c-r33d added this pull request to the merge queue Jun 9, 2025
Merged via the queue into main with commit 3b40a46 Jun 9, 2025
29 checks passed
@c-r33d c-r33d deleted the feat/DSPX-1222-resttrict-provider-config-del branch June 9, 2025 18:56
@opentdf-automation opentdf-automation bot mentioned this pull request Jun 9, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request Jun 24, 2025
@opentdf-automation
chore(main): release service 0.7.0 (#2406)
71be9d1 
🤖 I have created a release *beep* *boop*
---


##
[0.7.0](service/v0.6.0...service/v0.7.0)
(2025-06-24)


### ⚠ BREAKING CHANGES

* **policy:** disable kas grants in favor of key mappings
([#2220](#2220))

### Features

* **authz:** Add caching to keycloak ERS
([#2466](#2466))
([f5b0a06](f5b0a06))
* **authz:** auth svc registered resource GetDecision support
([#2392](#2392))
([5405674](5405674))
* **authz:** authz v2 GetBulkDecision
([#2448](#2448))
([0da3363](0da3363))
* **authz:** cache entitlement policy within authorization service
([#2457](#2457))
([c16361c](c16361c))
* **authz:** ensure logging parity between authz v2 and v1
([#2443](#2443))
([ef68586](ef68586))
* **core:** add cache manager
([#2449](#2449))
([2b062c5](2b062c5))
* **core:** consume RPC interceptor request context metadata in logging
([#2442](#2442))
([2769c48](2769c48))
* **core:** DSPX-609 - add cli-client to keycloak provisioning
([#2396](#2396))
([48e7489](48e7489))
* **core:** ERS cache setup, fix cache initialization
([#2458](#2458))
([d0c6938](d0c6938))
* inject logger and cache manager to key managers
([#2461](#2461))
([9292162](9292162))
* **kas:** expose provider config from key details.
([#2459](#2459))
([0e7d39a](0e7d39a))
* **main:** Add Close() method to cache manager
([#2465](#2465))
([32630d6](32630d6))
* **policy:** disable kas grants in favor of key mappings
([#2220](#2220))
([30f8cf5](30f8cf5))
* **policy:** Restrict deletion of pc with used key.
([#2414](#2414))
([3b40a46](3b40a46))
* **sdk:** allow Connect-Protocol-Version RPC header for cors
([#2437](#2437))
([4bf241e](4bf241e))


### Bug Fixes

* **core:** remove generics on new platform cache manager and client
([#2456](#2456))
([98c3c16](98c3c16))
* **core:** replace opentdf-public client with cli-client
([#2422](#2422))
([fb18525](fb18525))
* **deps:** bump github.com/casbin/casbin/v2 from 2.106.0 to 2.107.0 in
/service in the external group
([#2416](#2416))
([43afd48](43afd48))
* **deps:** bump github.com/opentdf/platform/protocol/go from 0.4.0 to
0.5.0 in /service
([#2470](#2470))
([3a73fc9](3a73fc9))
* **deps:** bump github.com/opentdf/platform/sdk from 0.4.7 to 0.5.0 in
/service ([#2473](#2473))
([ad37476](ad37476))
* **deps:** bump the external group across 1 directory with 2 updates
([#2450](#2450))
([9d8d1f1](9d8d1f1))
* **deps:** bump the external group across 1 directory with 2 updates
([#2472](#2472))
([d45b3c8](d45b3c8))
* only request a token when near expiration
([#2370](#2370))
([556d95e](556d95e))
* **policy:** fix casing bug and get provider config on update.
([#2403](#2403))
([a52b8f9](a52b8f9))
* **policy:** properly formatted pem in test fixtures
([#2409](#2409))
([54ffd23](54ffd23))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] left review comments

@strantalis strantalis strantalis approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] requested changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) external-contributor External Org Member size/s

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@c-r33d @strantalis