feat: key access server assignments

go.work.sum

@@ -43,10 +43,12 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
 github.com/lestrrat-go/backoff/v2 v2.0.8/go.mod h1:rHP/q/r9aT27n24JQLa7JhSQZCKBBOiM/uP402WwN8Y=
 github.com/lestrrat-go/blackmagic v1.0.0/go.mod h1:TNgH//0vYSs8VXDCfkZLgIrVTTXQELZffUV0tz3MtdQ=
+github.com/lestrrat-go/httpcc v1.0.1/go.mod h1:qiltp3Mt56+55GPVCbTdM9MlqhvzyuL6W/NMDA8vA5E=
 github.com/lestrrat-go/iter v1.0.1/go.mod h1:zIdgO1mRKhn8l9vrZJZz9TUMMFbQbLeTsbqPDrJ/OJc=
 github.com/lestrrat-go/option v1.0.0/go.mod h1:5ZHFbivi4xwXxhxY9XHDe2FHo6/Z7WWmtT7T5nBBp3I=
 github.com/mailru/easyjson v0.0.0-20190626092158-b2ccc519800e/go.mod h1:C1wdFJiN94OJF2b5HbByQZoLdCWB1Yqtg26g4irojpc=
 github.com/mattn/go-runewidth v0.0.9/go.mod h1:H031xJmbD/WCDINGzjvQ9THkh0rPKHF+m2gUSrubnMI=
+github.com/miekg/pkcs11 v1.1.1/go.mod h1:XsNlhZGX73bx86s2hdc/FuaLm2CPZJemRLMA+WTFxgs=
 github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=

integration/attribute_values_test.go

@@ -14,7 +14,9 @@ import (
 
 // TODO: test failure of create/update with invalid member id's [https://github.com/opentdf/opentdf-v2-poc/issues/105]
 
-var nonExistentAttributeValueUuid = "78909865-8888-9999-9999-000000000000"
+var (
+	nonExistentAttributeValueUuid = "78909865-8888-9999-9999-000000000000"
+)
 
 type AttributeValuesSuite struct {
 	suite.Suite
@@ -27,6 +29,7 @@ type AttributeValuesSuite struct {
 func (s *AttributeValuesSuite) SetupSuite() {
 	slog.Info("setting up db.AttributeValues test suite")
 	s.ctx = context.Background()
+	fixtureKeyAccessServerId = fixtures.GetKasRegistryKey("key_access_server_1").Id
 	s.schema = "test_opentdf_attribute_values"
 	s.db = NewDBInterface(s.schema)
 	s.f = NewFixture(s.db)
@@ -229,6 +232,80 @@ func (s *AttributeValuesSuite) Test_DeleteAttribute_NotFound() {
 	assert.Nil(s.T(), resp)
 }
 
+func (s *AttributeValuesSuite) Test_AssignKeyAccessServerToValue_Returns_Error_When_Value_Not_Found() {
+	v := &attributes.ValueKeyAccessServer{
+		ValueId:           nonExistentAttributeValueUuid,
+		KeyAccessServerId: fixtureKeyAccessServerId,
+	}
+
+	resp, err := s.db.Client.AssignKeyAccessServerToValue(s.ctx, v)
+
+	assert.NotNil(s.T(), err)
+	assert.Nil(s.T(), resp)
+}
+
+func (s *AttributeValuesSuite) Test_AssignKeyAccessServerToValue_Returns_Error_When_KeyAccessServer_Not_Found() {
+	v := &attributes.ValueKeyAccessServer{
+		ValueId:           fixtures.GetAttributeValueKey("example.net/attr/attr1/value/value1").Id,
+		KeyAccessServerId: "non-existent-kas-id",
+	}
+
+	resp, err := s.db.Client.AssignKeyAccessServerToValue(s.ctx, v)
+
+	assert.NotNil(s.T(), err)
+	assert.Nil(s.T(), resp)
+}
+
+func (s *AttributeValuesSuite) Test_AssignKeyAccessServerToValue_Returns_Success_When_Value_And_KeyAccessServer_Exist() {
+	v := &attributes.ValueKeyAccessServer{
+		ValueId:           fixtures.GetAttributeValueKey("example.net/attr/attr1/value/value1").Id,
+		KeyAccessServerId: fixtureKeyAccessServerId,
+	}
+
+	resp, err := s.db.Client.AssignKeyAccessServerToValue(s.ctx, v)
+
+	assert.Nil(s.T(), err)
+	assert.NotNil(s.T(), resp)
+	assert.Equal(s.T(), v, resp)
+}
+
+func (s *AttributeValuesSuite) Test_RemoveKeyAccessServerFromValue_Returns_Error_When_Value_Not_Found() {
+	v := &attributes.ValueKeyAccessServer{
+		ValueId:           nonExistentAttributeValueUuid,
+		KeyAccessServerId: fixtureKeyAccessServerId,
+	}
+
+	resp, err := s.db.Client.RemoveKeyAccessServerFromValue(s.ctx, v)
+
+	assert.NotNil(s.T(), err)
+	assert.Nil(s.T(), resp)
+}
+
+func (s *AttributeValuesSuite) Test_RemoveKeyAccessServerFromValue_Returns_Error_When_KeyAccessServer_Not_Found() {
+	v := &attributes.ValueKeyAccessServer{
+		ValueId:           fixtures.GetAttributeValueKey("example.net/attr/attr1/value/value1").Id,
+		KeyAccessServerId: "non-existent-kas-id",
+	}
+
+	resp, err := s.db.Client.RemoveKeyAccessServerFromValue(s.ctx, v)
+
+	assert.NotNil(s.T(), err)
+	assert.Nil(s.T(), resp)
+}
+
+func (s *AttributeValuesSuite) Test_RemoveKeyAccessServerFromValue_Returns_Success_When_Value_And_KeyAccessServer_Exist() {
+	v := &attributes.ValueKeyAccessServer{
+		ValueId:           fixtures.GetAttributeValueKey("example.net/attr/attr1/value/value1").Id,
+		KeyAccessServerId: fixtureKeyAccessServerId,
+	}
+
+	resp, err := s.db.Client.RemoveKeyAccessServerFromValue(s.ctx, v)
+
+	assert.Nil(s.T(), err)
+	assert.NotNil(s.T(), resp)
+	assert.Equal(s.T(), v, resp)
+}
+
 func TestAttributeValuesSuite(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping attribute values integration tests")

integration/attributes_test.go

@@ -22,14 +22,16 @@ type AttributesSuite struct {
 }
 
 var (
-	fixtureNamespaceId string
-	nonExistentAttrId  = "00000000-6789-4321-9876-123456765436"
+	fixtureNamespaceId       string
+	nonExistentAttrId        = "00000000-6789-4321-9876-123456765436"
+	fixtureKeyAccessServerId string
 )
 
 func (s *AttributesSuite) SetupSuite() {
 	slog.Info("setting up db.Attributes test suite")
 	s.ctx = context.Background()
 	fixtureNamespaceId = fixtures.GetNamespaceKey("example.com").Id
+	fixtureKeyAccessServerId = fixtures.GetKasRegistryKey("key_access_server_1").Id
 	s.schema = "test_opentdf_attribute_definitions"
 	s.db = NewDBInterface(s.schema)
 	s.f = NewFixture(s.db)
@@ -303,6 +305,74 @@ func (s *AttributesSuite) Test_DeleteAttribute() {
 	assert.Nil(s.T(), resp)
 }
 
+func (s *AttributesSuite) Test_AssignKeyAccessServerToAttribute_Returns_Error_When_Attribute_Not_Found() {
+	aKas := &attributes.AttributeKeyAccessServer{
+		AttributeId:       nonExistentAttrId,
+		KeyAccessServerId: fixtureKeyAccessServerId,
+	}
+	resp, err := s.db.Client.AssignKeyAccessServerToAttribute(s.ctx, aKas)
+
+	assert.NotNil(s.T(), err)
+	assert.Nil(s.T(), resp)
+}
+
+func (s *AttributesSuite) Test_AssignKeyAccessServerToAttribute_Returns_Error_When_KeyAccessServer_Not_Found() {
+	aKas := &attributes.AttributeKeyAccessServer{
+		AttributeId:       fixtures.GetAttributeKey("example.com/attr/attr1").Id,
+		KeyAccessServerId: nonExistentAttrId,
+	}
+	resp, err := s.db.Client.AssignKeyAccessServerToAttribute(s.ctx, aKas)
+
+	assert.NotNil(s.T(), err)
+	assert.Nil(s.T(), resp)
+}
+
+func (s *AttributesSuite) Test_AssignKeyAccessServerToAttribute_Returns_Success_When_Attribute_And_KeyAccessServer_Exist() {
+	aKas := &attributes.AttributeKeyAccessServer{
+		AttributeId:       fixtures.GetAttributeKey("example.com/attr/attr2").Id,
+		KeyAccessServerId: fixtureKeyAccessServerId,
+	}
+	resp, err := s.db.Client.AssignKeyAccessServerToAttribute(s.ctx, aKas)
+
+	assert.Nil(s.T(), err)
+	assert.NotNil(s.T(), resp)
+	assert.Equal(s.T(), aKas, resp)
+}
+
+func (s *AttributesSuite) Test_RemoveKeyAccessServerFromAttribute_Returns_Error_When_Attribute_Not_Found() {
+	aKas := &attributes.AttributeKeyAccessServer{
+		AttributeId:       nonExistentAttrId,
+		KeyAccessServerId: fixtureKeyAccessServerId,
+	}
+	resp, err := s.db.Client.RemoveKeyAccessServerFromAttribute(s.ctx, aKas)
+
+	assert.NotNil(s.T(), err)
+	assert.Nil(s.T(), resp)
+}
+
+func (s *AttributesSuite) Test_RemoveKeyAccessServerFromAttribute_Returns_Error_When_KeyAccessServer_Not_Found() {
+	aKas := &attributes.AttributeKeyAccessServer{
+		AttributeId:       fixtures.GetAttributeKey("example.com/attr/attr1").Id,
+		KeyAccessServerId: nonExistentAttrId,
+	}
+	resp, err := s.db.Client.RemoveKeyAccessServerFromAttribute(s.ctx, aKas)
+
+	assert.NotNil(s.T(), err)
+	assert.Nil(s.T(), resp)
+}
+
+func (s *AttributesSuite) Test_RemoveKeyAccessServerFromAttribute_Returns_Success_When_Attribute_And_KeyAccessServer_Exist() {
+	aKas := &attributes.AttributeKeyAccessServer{
+		AttributeId:       fixtures.GetAttributeKey("example.com/attr/attr2").Id,
+		KeyAccessServerId: fixtureKeyAccessServerId,
+	}
+	resp, err := s.db.Client.RemoveKeyAccessServerFromAttribute(s.ctx, aKas)
+
+	assert.Nil(s.T(), err)
+	assert.NotNil(s.T(), resp)
+	assert.Equal(s.T(), aKas, resp)
+}
+
 func TestAttributesSuite(t *testing.T) {
 	if testing.Short() {
 		t.Skip("skipping attributes integration tests")

integration/fixtures.go

@@ -2,6 +2,7 @@ package integration
 
 import (
 	"encoding/json"
+	"fmt"
 	"log/slog"
 	"os"
 
@@ -30,13 +31,23 @@ type FixtureDataAttribute struct {
 	Rule        string `yaml:"rule"`
 }
 
+type FixtureDataAttributeKeyAccessServer struct {
+	AttributeID       string `yaml:"attribute_id"`
+	KeyAccessServerID string `yaml:"key_access_server_id"`
+}
+
 type FixtureDataAttributeValue struct {
 	Id                    string   `yaml:"id"`
 	AttributeDefinitionId string   `yaml:"attribute_definition_id"`
 	Value                 string   `yaml:"value"`
 	Members               []string `yaml:"members"`
 }
 
+type FixtureDataAttributeValueKeyAccessServer struct {
+	ValueID           string `yaml:"value_id"`
+	KeyAccessServerID string `yaml:"key_access_server_id"`
+}
+
 type FixtureDataSubjectMapping struct {
 	Id                     string   `yaml:"id"`
 	AttributeValueId       string   `yaml:"attribute_value_id"`
@@ -69,11 +80,13 @@ type FixtureData struct {
 		Metadata FixtureMetadata                 `yaml:"metadata"`
 		Data     map[string]FixtureDataAttribute `yaml:"data"`
 	} `yaml:"attributes"`
-	AttributeValues struct {
+	AttributeKeyAccessServer []FixtureDataAttributeKeyAccessServer `yaml:"attribute_key_access_servers"`
+	AttributeValues          struct {
 		Metadata FixtureMetadata                      `yaml:"metadata"`
 		Data     map[string]FixtureDataAttributeValue `yaml:"data"`
 	} `yaml:"attribute_values"`
-	SubjectMappings struct {
+	AttributeValueKeyAccessServer []FixtureDataAttributeValueKeyAccessServer `yaml:"attribute_value_key_access_servers"`
+	SubjectMappings               struct {
 		Metadata FixtureMetadata                      `yaml:"metadata"`
 		Data     map[string]FixtureDataSubjectMapping `yaml:"data"`
 	} `yaml:"subject_mappings"`
@@ -98,6 +111,7 @@ func loadFixtureData() {
 		slog.Error("could not unmarshal "+fixtureFilename, slog.String("error", err.Error()))
 		panic(err)
 	}
+	fmt.Println(fixtureData)
 }
 
 type Fixtures struct {
@@ -174,6 +188,10 @@ func (f *Fixtures) Provision() {
 	rM := f.provisionResourceMappings()
 	slog.Info("📦 provisioning kas registry data")
 	kas := f.provisionKasRegistry()
+	slog.Info("📦 provisioning attribute key access server data")
+	akas := f.provisionAttributeKeyAccessServer()
+	slog.Info("📦 provisioning attribute value key access server data")
+	akas = f.provisionAttributeValueKeyAccessServer()
 
 	slog.Info("📦 provisioned fixtures data",
 		slog.Int64("namespaces", n),
@@ -182,6 +200,8 @@ func (f *Fixtures) Provision() {
 		slog.Int64("subject_mappings", sM),
 		slog.Int64("resource_mappings", rM),
 		slog.Int64("kas_registry", kas),
+		slog.Int64("attribute_key_access_server", akas),
+		slog.Int64("attribute_value_key_access_server", akas),
 	)
 }
 
@@ -277,6 +297,28 @@ func (f *Fixtures) provisionKasRegistry() int64 {
 	return f.provision(fixtureData.KasRegistries.Metadata.TableName, fixtureData.KasRegistries.Metadata.Columns, values)
 }
 
+func (f *Fixtures) provisionAttributeKeyAccessServer() int64 {
+	var values [][]string
+	for _, d := range fixtureData.AttributeKeyAccessServer {
+		values = append(values, []string{
+			f.db.StringWrap(d.AttributeID),
+			f.db.StringWrap(d.KeyAccessServerID),
+		})
+	}
+	return f.provision("attribute_definition_key_access_grants", []string{"attribute_definition_id", "key_access_server_id"}, values)
+}
+
+func (f *Fixtures) provisionAttributeValueKeyAccessServer() int64 {
+	var values [][]string
+	for _, d := range fixtureData.AttributeValueKeyAccessServer {
+		values = append(values, []string{
+			f.db.StringWrap(d.ValueID),
+			f.db.StringWrap(d.KeyAccessServerID),
+		})
+	}
+	return f.provision("attribute_value_key_access_grants", []string{"attribute_value_id", "key_access_server_id"}, values)
+}
+
 func (f *Fixtures) provision(t string, c []string, v [][]string) (rows int64) {
 	var err error
 	rows, err = f.db.ExecInsert(t, c, v...)

integration/fixtures.yaml

@@ -75,6 +75,10 @@ attributes:
       name: attr3
       rule: HIERARCHY
 
+attribute_key_access_servers:
+  - attribute_id: 00000000-0000-0000-0000-000000000000
+    key_access_server_id: 00000000-0000-0000-0000-000000000000
+
 ##
 # Attribute Values
 ##
@@ -119,6 +123,10 @@ attribute_values:
       attribute_definition_id: 00000000-0000-0000-0000-000000000002
       value: value2
 
+attribute_value_key_access_servers:
+  - value_id: 00000000-0000-0000-0000-000000000000
+    key_access_server_id: 00000000-0000-0000-0000-000000000000
+
 ##
 # Subject Mappings
 #

internal/db/attribute_values.go

@@ -228,3 +228,46 @@ func (c Client) DeleteAttributeValue(ctx context.Context, id string) (*attribute
 
 	return prev, nil
 }
+
+func assignKeyAccessServerToValueSql(valueID, keyAccessServerID string) (string, []interface{}, error) {
+	t := Tables.AttributeValueKeyAccessGrants
+	return newStatementBuilder().
+		Insert(t.Name()).
+		Columns("attribute_value_id", "key_access_server_id").
+		Values(valueID, keyAccessServerID).
+		ToSql()
+}
+
+func (c Client) AssignKeyAccessServerToValue(ctx context.Context, k *attributes.ValueKeyAccessServer) (*attributes.ValueKeyAccessServer, error) {
+	sql, args, err := assignKeyAccessServerToValueSql(k.ValueId, k.KeyAccessServerId)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := c.exec(ctx, sql, args, err); err != nil {
+		return nil, err
+	}
+
+	return k, nil
+}
+
+func removeKeyAccessServerFromValueSql(valueID, keyAccessServerID string) (string, []interface{}, error) {
+	t := Tables.AttributeValueKeyAccessGrants
+	return newStatementBuilder().
+		Delete(t.Name()).
+		Where(sq.Eq{"attribute_value_id": valueID, "key_access_server_id": keyAccessServerID}).
+		ToSql()
+}
+
+func (c Client) RemoveKeyAccessServerFromValue(ctx context.Context, k *attributes.ValueKeyAccessServer) (*attributes.ValueKeyAccessServer, error) {
+	sql, args, err := removeKeyAccessServerFromValueSql(k.ValueId, k.KeyAccessServerId)
+	if err != nil {
+		return nil, err
+	}
+
+	if err := c.exec(ctx, sql, args, err); err != nil {
+		return nil, err
+	}
+
+	return k, nil
+}