@jakedoublev jakedoublev commented Mar 31, 2025

  • Actions need to be truly considered within ABAC entitlement decisioning
  • Actions are a precursor to obligations
  • Custom actions should be CRUDable
  • Standard actions should support mutable metadata key/value store common throughout policy
  • bump /protocol/go to 1.24 to handle underlying protovalidate changes

@jakedoublev jakedoublev force-pushed the feat/actions-protos branch from 5393bbd to 857f493 April 1, 2025 17:17
@jakedoublev jakedoublev marked this pull request as ready for review April 1, 2025 17:31
@jakedoublev jakedoublev requested review from a team as code owners April 1, 2025 17:31
@github-actions

Benchmark Statistics

| Name | № Requests | Avg Duration | Min Duration | Max Duration |
|---|---|---|---|---|
| publickey | 3 | 0.070 ms | 0.036 ms | 0.119 ms |
| rewrap-nanotdf | 4623 | 411.179 ms | 52.035 ms | 958.689 ms |
| rewrap-tdf3 | 5001 | 441.450 ms | 53.643 ms | 1129.699 ms |

Bulk Benchmark Results

| Metric | Value |
|---|---|
| Total Decrypts | 100 |
| Successful Decrypts | 100 |
| Failed Decrypts | 0 |
| Total Time | 342.435155ms |
| Throughput | 292.03 requests/second |

@github-actions

Benchmark Statistics

| Name | № Requests | Avg Duration | Min Duration | Max Duration |
|---|---|---|---|---|
| publickey | 3 | 0.065 ms | 0.038 ms | 0.108 ms |
| rewrap-nanotdf | 4768 | 450.887 ms | 35.354 ms | 1061.151 ms |
| rewrap-tdf3 | 5001 | 479.560 ms | 54.035 ms | 1102.965 ms |

Bulk Benchmark Results

| Metric | Value |
|---|---|
| Total Decrypts | 100 |
| Successful Decrypts | 100 |
| Failed Decrypts | 0 |
| Total Time | 349.75383ms |
| Throughput | 285.92 requests/second |

@github-actions

Benchmark Statistics

| Name | № Requests | Avg Duration | Min Duration | Max Duration |
|---|---|---|---|---|
| publickey | 3 | 0.068 ms | 0.030 ms | 0.124 ms |
| rewrap-nanotdf | 4725 | 416.290 ms | 41.213 ms | 1014.211 ms |
| rewrap-tdf3 | 5001 | 446.635 ms | 47.310 ms | 1184.036 ms |

Bulk Benchmark Results

| Metric | Value |
|---|---|
| Total Decrypts | 100 |
| Successful Decrypts | 100 |
| Failed Decrypts | 0 |
| Total Time | 356.190365ms |
| Throughput | 280.75 requests/second |

@jakedoublev jakedoublev requested a review from Copilot April 14, 2025 18:22
Copilot AI left a comment

Pull Request Overview

This PR introduces enhanced policy protos to support both standard and custom actions—including new validations and storage handling—as well as updating associated integration tests and generated client/server code. Key changes include:

  • Adding new proto definitions and extended validations in service/policy/predefined_rules.proto.
  • Modifying the Action message and related enums/fields in service/policy/objects.proto to support a unique ID and deprecate legacy fields.
  • Implementing CRUD operations for actions in service/policy/actions/actions.proto along with updates to integration tests and generated protocol files.

Reviewed Changes

Copilot reviewed 14 out of 21 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| service/policy/predefined_rules.proto | Introduces extended validation rules for object names. |
| service/policy/objects.proto | Updates Action message with new fields and deprecates legacy enum values. |
| service/policy/adr/0004-standard-action-storage-handling.md | Adds ADR documenting the storage-driven approach for standard actions. |
| service/policy/actions/actions.proto | Provides new CRUD RPC definitions for actions. |
| service/integration/subject_mappings_test.go | Updates tests to reflect changes in action naming and behavior. |
| service/integration/attribute_fqns_test.go | Adjusts test scenarios to use the updated action names. |
| protocol/go/... | Regenerated Go code reflecting the proto changes for both Connect and gRPC. |

Files not reviewed (7)
  • docs/openapi/authorization/authorization.swagger.json: Language not supported
  • docs/openapi/policy/attributes/attributes.swagger.json: Language not supported
  • docs/openapi/policy/predefined_rules.swagger.json: Language not supported
  • docs/openapi/policy/resourcemapping/resource_mapping.swagger.json: Language not supported
  • docs/openapi/policy/subjectmapping/subject_mapping.swagger.json: Language not supported
  • docs/openapi/policy/unsafe/unsafe.swagger.json: Language not supported
  • protocol/go/go.mod: Language not supported
Comments suppressed due to low confidence (2)

service/policy/adr/0004-standard-action-storage-handling.md:12

  • Typo detected: 'configrable' should be corrected to 'configurable'.
Custom Actions in PEPs will be retrievable or configrable as needed (as action name strings or policy object action ids).

service/integration/subject_mappings_test.go:90

  • [nitpick] The variable name 'aDecrypt' no longer matches the referenced 'Read' action; consider renaming it to 'aRead' for clarity.
aDecrypt := fixtureActions[Read]

@github-actions

Benchmark Statistics

| Name | № Requests | Avg Duration | Min Duration | Max Duration |
|---|---|---|---|---|
| publickey | 3 | 0.063 ms | 0.040 ms | 0.103 ms |
| rewrap-nanotdf | 4818 | 420.853 ms | 34.457 ms | 914.062 ms |
| rewrap-tdf3 | 5001 | 439.707 ms | 32.091 ms | 1053.009 ms |

Bulk Benchmark Results

| Metric | Value |
|---|---|
| Total Decrypts | 100 |
| Successful Decrypts | 100 |
| Failed Decrypts | 0 |
| Total Time | 357.16392ms |
| Throughput | 279.98 requests/second |

@github-actions

Benchmark Statistics

| Name | № Requests | Avg Duration | Min Duration | Max Duration |
|---|---|---|---|---|
| publickey | 3 | 0.067 ms | 0.029 ms | 0.124 ms |
| rewrap-nanotdf | 4936 | 419.578 ms | 80.910 ms | 891.806 ms |
| rewrap-tdf3 | 5001 | 442.589 ms | 46.831 ms | 1016.941 ms |

Bulk Benchmark Results

| Metric | Value |
|---|---|
| Total Decrypts | 100 |
| Successful Decrypts | 100 |
| Failed Decrypts | 0 |
| Total Time | 357.948482ms |
| Throughput | 279.37 requests/second |

@jakedoublev jakedoublev added this pull request to the merge queue Apr 14, 2025
Merged via the queue into main with commit bbac53f Apr 14, 2025
26 checks passed
@jakedoublev jakedoublev deleted the feat/actions-protos branch April 14, 2025 20:09
jakedoublev added a commit that referenced this pull request Apr 14, 2025
github-merge-queue bot pushed a commit that referenced this pull request Apr 16, 2025
🤖 I have created a release *beep* *boop*
---


## [0.3.0](protocol/go/v0.2.29...protocol/go/v0.3.0) (2025-04-16)


### ⚠ BREAKING CHANGES

* **core:** Require go 1.23+
([#1979](#1979))

### Features

* **core:** Require go 1.23+
([#1979](#1979))
([164c922](164c922))
* **policy:** add enhanced standard/custom actions protos
([#2020](#2020))
([bbac53f](bbac53f))
* **policy:** DSPX-893 NDR define crud protos
([#2056](#2056))
([55a5c27](55a5c27))


### Bug Fixes

* **deps:** bump toolchain in /lib/fixtures and /examples to resolve CVE
GO-2025-3563 ([#2061](#2061))
([9c16843](9c16843))
* **policy:** remove predefined rules in actions protos
([#2069](#2069))
([060f059](060f059))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Co-authored-by: Dave Mihalcik <[email protected]>
github-merge-queue bot pushed a commit that referenced this pull request May 22, 2025
🤖 I have created a release *beep* *boop*
---


## [0.5.3](service/v0.5.2...service/v0.5.3) (2025-05-22)


### Features

* **authz:** authz v2 versioning implementation
([#2173](#2173))
([557fc21](557fc21))
* **authz:** authz v2, ers v2 protos and gencode for ABAC with actions &
registered resource
([#2124](#2124))
([ea7992a](ea7992a))
* **authz:** export entity id prefix constant from entity instead of
authorization service v1
([#2261](#2261))
([94079a9](94079a9))
* **authz:** subject mapping plugin support for ABAC with actions
([#2223](#2223))
([d08b939](d08b939))
* bulk keycloak provisioning
([#2205](#2205))
([59e4485](59e4485))
* **core:** add otel to opentdf services
([#1858](#1858))
([53a7aa0](53a7aa0))
* **core:** Adds EC withSalt options
([#2126](#2126))
([67b6fb8](67b6fb8))
* **core:** enhance db configuration options
([#2285](#2285))
([ed9ff59](ed9ff59))
* **core:** New Key Index and Manager Plugin SPI
([#2095](#2095))
([eb446fc](eb446fc))
* **core:** support onConfigUpdate hook when registering services
([#1992](#1992))
([366d4dc](366d4dc))
* **core:** v2 ERS with proto updates
([#2210](#2210))
([a161ef8](a161ef8))
* **policy:** actions crud service endpoints and proto validation
([#2037](#2037))
([e933fa9](e933fa9))
* **policy:** actions service RPCs should actually hit storage layer
CRUD ([#2063](#2063))
([da4faf5](da4faf5))
* **policy:** add enhanced standard/custom actions protos
([#2020](#2020))
([bbac53f](bbac53f))
* **policy:** Add platform key indexer.
([#2189](#2189))
([861ef8d](861ef8d))
* **policy:** consume lib/identifier parse function
([#2181](#2181))
([1cef22b](1cef22b))
* **policy:** DSPX-1018 NDR retrieval by FQN support
([#2131](#2131))
([0001041](0001041))
* **policy:** DSPX-1057 registered resource action attribute values (DB + Service implementation)
([#2191](#2191))
([6bf1b2e](6bf1b2e))
* **policy:** DSPX-1057 registered resource action attribute values
(protos only) ([#2217](#2217))
([6375596](6375596))
* **policy:** DSPX-893 NDR define crud protos
([#2056](#2056))
([55a5c27](55a5c27))
* **policy:** DSPX-898 NDR database schema
([#2055](#2055))
([2a10a6a](2a10a6a))
* **policy:** DSPX-901 NDR database crud
([#2071](#2071))
([20e0a5f](20e0a5f))
* **policy:** DSPX-902 NDR service crud implementation (2/2)
([#2066](#2066))
([030ad33](030ad33))
* **policy:** DSPX-902 NDR service crud protos only (1/2)
([#2092](#2092))
([24b6cb5](24b6cb5))
* **policy:** Finish resource mapping groups
([#2224](#2224))
([5ff754e](5ff754e))
* **policy:** GetMatchedSubjectMappings should provide value FQN
([#2151](#2151))
([ad80044](ad80044))
* **policy:** key management crud
([#2110](#2110))
([4c3d53d](4c3d53d))
* **policy:** Key management proto
([#2115](#2115))
([561f853](561f853))
* **policy:** Modify get request to search for keys by kasid with keyid.
([#2147](#2147))
([780d2e4](780d2e4))
* **policy:** Restrict KAS deletion when tied to Key
([#2144](#2144))
([4c4ab13](4c4ab13))
* **policy:** Return KAS Key structure
([#2172](#2172))
([7f97b99](7f97b99))
* **policy:** rotate keys rpc
([#2180](#2180))
([0d00743](0d00743))
* **policy:** stored enhanced actions database migration, CRUD queries,
SM updates ([#2040](#2040))
([e6b7c79](e6b7c79))
* **sdk:** Add a KAS allowlist
([#2085](#2085))
([d7cfdf3](d7cfdf3))
* **sdk:** add nanotdf plaintext policy
([#2182](#2182))
([e5c56db](e5c56db))
* **sdk:** Use ConnectRPC in the go client
([#2200](#2200))
([fc34ee6](fc34ee6))


### Bug Fixes

* **core:** access pdp cleanup before actions in ABAC decisioning
([#2123](#2123))
([9b38a3c](9b38a3c))
* **core:** Autobump service
([#2080](#2080))
([006c724](006c724))
* **core:** Autobump service
([#2104](#2104))
([1f72cc7](1f72cc7))
* **core:** Autobump service
([#2108](#2108))
([be5b7d7](be5b7d7))
* **core:** bump to go 1.24 and bump service proto module dependencies
([#2064](#2064))
([94891a0](94891a0))
* **core:** Fix DPoP with grpc-gateway
([#2044](#2044))
([4483ef2](4483ef2))
* **core:** fix service go.mod
([#2141](#2141))
([3b98f6d](3b98f6d))
* **core:** Improves errors when under heavy load
([#2132](#2132))
([4490a14](4490a14))
* **core:** Let legacy KAOs use new trust plugins
([#2218](#2218))
([5aa6916](5aa6916))
* **core:** migrate from mitchellh/mapstructure to go-viper/mapstructure
([#2087](#2087))
([0a3a82e](0a3a82e))
* **core:** update viper to 1.20.1
([#2088](#2088))
([09099e9](09099e9))
* **core:** Updates vulnerable dep go/x/net
([#2072](#2072))
([11c02cd](11c02cd))
* **deps:** bump github.com/creasty/defaults from 1.7.0 to 1.8.0 in
/service ([#2242](#2242))
([86a9b46](86a9b46))
* **deps:** bump github.com/jackc/pgx/v5 from 5.5.5 to 5.7.5 in /service
([#2249](#2249))
([d8f3b67](d8f3b67))
* **deps:** bump the internal group across 1 directory with 2 updates
([#2296](#2296))
([7f92c70](7f92c70))
* **deps:** bump toolchain in /lib/fixtures and /examples to resolve CVE
GO-2025-3563 ([#2061](#2061))
([9c16843](9c16843))
* handle empty private and public key ctx structs
([#2272](#2272))
([f3fc647](f3fc647))
* **policy:** remove predefined rules in actions protos
([#2069](#2069))
([060f059](060f059))
* **policy:** return kas uri on keys for definition, namespace and
values ([#2186](#2186))
([6c55fb8](6c55fb8))
* update key_mode to provide more context
([#2226](#2226))
([44d0805](44d0805))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
github-merge-queue bot pushed a commit that referenced this pull request Aug 9, 2025
🤖 I have created a release *beep* *boop*
---


## [0.7.0](protocol/go/v0.6.2...protocol/go/v0.7.0) (2025-08-08)


### ⚠ BREAKING CHANGES

* **policy:** disable kas grants in favor of key mappings
([#2220](#2220))
* **core:** Require go 1.23+
([#1979](#1979))

### Features

* add ability to retrieve policy resources by id or name
([#1901](#1901))
([deb4455](deb4455))
* **authz:** authz v2, ers v2 protos and gencode for ABAC with actions &
registered resource
([#2124](#2124))
([ea7992a](ea7992a))
* **authz:** improve v2 request proto validation
([#2357](#2357))
([f927b99](f927b99))
* **authz:** sensible request limit upper bounds
([#2526](#2526))
([b3093cc](b3093cc))
* **core:** adds bulk rewrap to sdk and service
([#1835](#1835))
([11698ae](11698ae))
* **core:** EXPERIMENTAL: EC-wrapped key support
([#1902](#1902))
([652266f](652266f))
* **core:** Require go 1.23+
([#1979](#1979))
([164c922](164c922))
* **core:** v2 ERS with proto updates
([#2210](#2210))
([a161ef8](a161ef8))
* **policy:** add enhanced standard/custom actions protos
([#2020](#2020))
([bbac53f](bbac53f))
* **policy:** Add legacy keys.
([#2613](#2613))
([57370b0](57370b0))
* **policy:** Add list key mappings rpc.
([#2533](#2533))
([fbc2724](fbc2724))
* **policy:** add obligation protos
([#2579](#2579))
([50882e1](50882e1))
* **policy:** Add validation to delete keys
([#2576](#2576))
([cc169d9](cc169d9))
* **policy:** add values to CreateObligationRequest
([#2614](#2614))
([94535cc](94535cc))
* **policy:** adds new public keys table
([#1836](#1836))
([cad5048](cad5048))
* **policy:** Allow the deletion of a key.
([#2575](#2575))
([82b96f0](82b96f0))
* **policy:** cache SubjectConditionSet selectors in dedicated column
maintained via trigger
([#2320](#2320))
([215791f](215791f))
* **policy:** Change return type for delete key proto.
([#2566](#2566))
([c1ae924](c1ae924))
* **policy:** Default Platform Keys
([#2254](#2254))
([d7447fe](d7447fe))
* **policy:** disable kas grants in favor of key mappings
([#2220](#2220))
([30f8cf5](30f8cf5))
* **policy:** DSPX-1018 NDR retrieval by FQN support
([#2131](#2131))
([0001041](0001041))
* **policy:** DSPX-1057 registered resource action attribute values
(protos only) ([#2217](#2217))
([6375596](6375596))
* **policy:** DSPX-893 NDR define crud protos
([#2056](#2056))
([55a5c27](55a5c27))
* **policy:** DSPX-902 NDR service crud protos only (1/2)
([#2092](#2092))
([24b6cb5](24b6cb5))
* **policy:** Finish resource mapping groups
([#2224](#2224))
([5ff754e](5ff754e))
* **policy:** key management crud
([#2110](#2110))
([4c3d53d](4c3d53d))
* **policy:** Key management proto
([#2115](#2115))
([561f853](561f853))
* **policy:** Modify get request to search for keys by kasid with keyid.
([#2147](#2147))
([780d2e4](780d2e4))
* **policy:** Return KAS Key structure
([#2172](#2172))
([7f97b99](7f97b99))
* **policy:** Return Simple Kas Keys from non-Key RPCs
([#2387](#2387))
([5113e0e](5113e0e))
* **policy:** rotate keys rpc
([#2180](#2180))
([0d00743](0d00743))
* **policy:** Update key status's and UpdateKey rpc.
([#2315](#2315))
([7908db9](7908db9))
* **policy:** Update simple kas key
([#2378](#2378))
([09d8239](09d8239))


### Bug Fixes

* add pagination to list public key mappings response
([#1889](#1889))
([9898fbd](9898fbd))
* **core:** Allow 521 curve to be used
([#2485](#2485))
([aaf43dc](aaf43dc))
* **core:** Fixes protoJSON parse bug on ec rewrap
([#1943](#1943))
([9bebfd0](9bebfd0))
* **core:** Update fixtures and flattening in sdk and service
([#1827](#1827))
([d6d6a7a](d6d6a7a))
* **deps:** bump toolchain in /lib/fixtures and /examples to resolve CVE
GO-2025-3563 ([#2061](#2061))
([9c16843](9c16843))
* **policy:** protovalidate deprecated action types and removal of gRPC
gateway in subject mappings svc
([#2377](#2377))
([54a6de0](54a6de0))
* **policy:** remove gRPC gateway in policy except where needed
([#2382](#2382))
([1937acb](1937acb))
* **policy:** remove new public keys rpc's
([#1962](#1962))
([5049bab](5049bab))
* **policy:** remove predefined rules in actions protos
([#2069](#2069))
([060f059](060f059))
* **policy:** return kas uri on keys for definition, namespace and
values ([#2186](#2186))
([6c55fb8](6c55fb8))
* **sdk:** Fix compatibility between bulk and non-bulk rewrap
([#1914](#1914))
([74abbb6](74abbb6))
* update key_mode to provide more context
([#2226](#2226))
([44d0805](44d0805))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

---------

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Co-authored-by: Krish Suchak <[email protected]>