feat(policy): register unsafe service in platform

opentdf-dev.yaml

@@ -33,15 +33,15 @@ services:
   entityresolution:
     enabled: true
     url: http://localhost:8888/auth
-    clientid: "tdf-entity-resolution"
-    clientsecret: "secret"
-    realm: "opentdf"
+    clientid: 'tdf-entity-resolution'
+    clientsecret: 'secret'
+    realm: 'opentdf'
     legacykeycloak: true
 server:
   auth:
     enabled: true
     enforceDPoP: false
-    audience: "http://localhost:8080"
+    audience: 'http://localhost:8080'
     issuer: http://localhost:8888/auth/realms/opentdf
     policy:
       ## Default policy for all requests
@@ -61,6 +61,7 @@ server:
       #  p, role:org-admin, policy:subject-mappings, *, *, allow
       #  p, role:org-admin, policy:resource-mappings, *, *, allow
       #  p, role:org-admin, policy:kas-registry, *, *, allow
+      #  p, role:org-admin, policy:unsafe, *, *, allow
 
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)
       model: #|
@@ -81,8 +82,8 @@ server:
   cors:
     enabled: false
     # '*' to allow any origin or a specific domain like 'https://yourdomain.com'
-    allowedorigins: 
-      - "*"
+    allowedorigins:
+      - '*'
     # List of methods. Examples: 'GET,POST,PUT'
     allowedmethods:
       - GET

opentdf-example.yaml

@@ -52,6 +52,7 @@ server:
       #  p, role:org-admin, policy:subject-mappings, *, *, allow
       #  p, role:org-admin, policy:resource-mappings, *, *, allow
       #  p, role:org-admin, policy:kas-registry, *, *, allow
+      #  p, role:org-admin, policy:unsafe, *, *, allow
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)
       model: #|
       #  [request_definition]

opentdf-with-hsm.yaml

@@ -57,6 +57,7 @@ server:
       #  p, role:org-admin, policy:subject-mappings, *, *, allow
       #  p, role:org-admin, policy:resource-mappings, *, *, allow
       #  p, role:org-admin, policy:kas-registry, *, *, allow
+      #  p, role:org-admin, policy:unsafe, *, *, allow
       ## Custom model (see https://casbin.org/docs/syntax-for-models/)
       model: #|
       #  [request_definition]

service/buf.yaml

@@ -9,8 +9,6 @@ breaking:
     - PACKAGE
     - WIRE_JSON
     - WIRE
-  ignore:
-    - policy/unsafe/unsafe.proto
 lint:
   allow_comment_ignores: true
   use:

service/internal/auth/casbin.go

@@ -59,7 +59,9 @@ p,	role:org-admin,		/unsafe*,										            *,			allow
 
 # Role: Admin
 ## gRPC routes
-p,	role:admin,		    policy.*,																*,			allow
+p,	role:admin,		    policy.*,																read,			allow
+p,	role:admin,		    policy.*,																write,			allow
+p,	role:admin,		    policy.*,																delete,			allow
 p,	role:admin,		    kasregistry.*,													*,			allow
 p,	role:admin,		    kas.AccessService/Rewrap, 			        *,			allow
 p,  role:admin,   authorization.*,                        *,      allow
@@ -73,7 +75,6 @@ p,	role:admin,		/kas/v2/rewrap,						  				        *,      allow
 
 ## Role: Standard
 ## gRPC routes
-p,  role:standard,		policy.unsafe.*,													 *,			deny
 p,	role:standard,		policy.*,																read,			allow
 p,	role:standard,		kasregistry.*,													read,			allow
 p,	role:standard,    kas.AccessService/Rewrap, 			           *,			allow

service/policy/db/namespaces.go

@@ -111,12 +111,7 @@ func (c PolicyDBClient) GetNamespace(ctx context.Context, id string) (*policy.Na
 		return nil, err
 	}
 
-	n, err := hydrateNamespaceItem(row, opts)
-	if err != nil {
-		return nil, err
-	}
-
-	return n, nil
+	return hydrateNamespaceItem(row, opts)
 }
 
 func listNamespacesSQL(opts namespaceSelectOptions) (string, []interface{}, error) {

service/policy/policy.go

@@ -10,7 +10,7 @@ import (
 	"github.com/opentdf/platform/service/policy/namespaces"
 	"github.com/opentdf/platform/service/policy/resourcemapping"
 	"github.com/opentdf/platform/service/policy/subjectmapping"
-	// "github.com/opentdf/platform/service/policy/unsafe"
+	"github.com/opentdf/platform/service/policy/unsafe"
 )
 
 var Migrations *embed.FS
@@ -33,7 +33,7 @@ func NewRegistrations() []serviceregistry.Registration {
 		resourcemapping.NewRegistration(),
 		subjectmapping.NewRegistration(),
 		kasregistry.NewRegistration(),
-		// unsafe.NewRegistration(),
+		unsafe.NewRegistration(),
 	} {
 		r.Namespace = namespace
 		r.DB = dbRegister

service/policy/unsafe/unsafe.proto

@@ -19,8 +19,8 @@ message UnsafeUpdateNamespaceRequest {
     (buf.validate.field).string.max_len = 253,
     (buf.validate.field).cel = {
       id: "namespace_name_format",
-      message: "Namespace name must be an alphanumeric string, allowing hyphens and underscores but not as the first or last character. The stored namespace name will be normalized to lower case.",
-      expression: "this.matches('^[a-zA-Z0-9](?:[a-zA-Z0-9_-]*[a-zA-Z0-9])?$')"
+      message: "Namespace must be a valid hostname. It should include at least one dot, with each segment (label) starting and ending with an alphanumeric character. Each label must be 1 to 63 characters long, allowing hyphens but not as the first or last character. The top-level domain (the last segment after the final dot) must consist of at least two alphabetic characters. The stored namespace will be normalized to lower case.",
+      expression: "this.matches('^([a-zA-Z0-9]([a-zA-Z0-9\\\\-]{0,61}[a-zA-Z0-9])?\\\\.)+[a-zA-Z]{2,}$')"
     }
   ];
 }