feat(policy): Return obligations from GetAttributeValue calls #2742
Conversation
github-actions
bot
added
comp:db
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Summary of Changes
Hello @c-r33d, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
This pull request introduces a significant enhancement to the policy service by enabling the GetAttributeValue API to return associated policy obligations. This change provides a more complete picture of policy enforcement by linking attribute values directly to the obligations they trigger, streamlining policy evaluation and decision-making processes for consumers of the API.
Highlights
- API Enhancement: The
GetAttributeValueendpoint now returns an array ofObligationsalongside attribute values, providing a more comprehensive policy context. - Schema Update: The
policy.Valueprotobuf message has been extended to include arepeated Obligation obligationsfield to accommodate the new data. - Database Query Refactoring: The SQL query for
getAttributeValuehas been significantly updated to fetch and aggregate associated obligation data using advanced JSONB capabilities in PostgreSQL. - Backend Integration: The Go service logic was modified to correctly unmarshal and attach the newly fetched obligation data from the database to the
policy.Valueobject before returning it. - New Integration Tests: New integration tests have been introduced to thoroughly validate the correct retrieval and structure of obligations from
GetAttributeValuecalls, including proper test setup and teardown. - FQN Generation: Fully Qualified Name (FQN) generation logic has been added for
ObligationandObligationValueobjects during their creation.
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in pull request comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
A policy, a rule, Attributes now show their might, Obligations bloom.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request enhances the GetAttributeValue endpoint to include associated obligations. The changes involve a significant SQL query modification to aggregate obligation data using CTEs and JSON functions, updates to the Go database client to handle the new data, and modifications to the policy.Value protobuf message. A comprehensive integration test has been added to validate the new functionality, ensuring that obligations, their values, and triggers are correctly returned. My review focuses on the correctness of the new test logic.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
🤖 I have created a release *beep* *boop* --- ## [0.11.0](protocol/go/v0.10.0...protocol/go/v0.11.0) (2025-09-18) ### Features * **authz:** obligations protos within auth service ([#2745](#2745)) ([41ee5a8](41ee5a8)) * **policy:** Return obligations from GetAttributeValue calls ([#2742](#2742)) ([aa9b393](aa9b393)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
🤖 I have created a release *beep* *boop* --- ## [0.11.0](service/v0.10.0...service/v0.11.0) (2025-10-22) ### Features * **authz:** add obligation fulfillment logic to obligation PDP ([#2740](#2740)) ([2f8d30d](2f8d30d)) * **authz:** audit logs should properly handle obligations ([#2824](#2824)) ([874ec7b](874ec7b)) * **authz:** defer to request auth as decision/entitlements entity ([#2789](#2789)) ([feb34d8](feb34d8)) * **authz:** obligations protos within auth service ([#2745](#2745)) ([41ee5a8](41ee5a8)) * **authz:** protovalidate tests for new authz obligations fields ([#2747](#2747)) ([73e6319](73e6319)) * **authz:** service logic to use request auth as entity identifier in PDP decisions/entitlements ([#2790](#2790)) ([6784e88](6784e88)) * **authz:** wire up obligations enforcement in auth service ([#2756](#2756)) ([11b3ea9](11b3ea9)) * **core:** propagate token clientID on configured claim via interceptor into shared context metadata ([#2760](#2760)) ([0f77246](0f77246)) * **kas:** Add required obligations to kao metadata.: ([#2806](#2806)) ([16fb26c](16fb26c)) * **policy:** add FQNs to obligation defs + vals ([#2749](#2749)) ([fa2585c](fa2585c)) * **policy:** Add obligation support to KAS ([#2786](#2786)) ([bb1bca0](bb1bca0)) * **policy:** List obligation triggers rpc ([#2823](#2823)) ([206abe3](206abe3)) * **policy:** namespace root certificates ([#2771](#2771)) ([beaff21](beaff21)) * **policy:** Proto - root certificates by namespace ([#2800](#2800)) ([0edb359](0edb359)) * **policy:** Protos List obligation triggers ([#2803](#2803)) ([b32df81](b32df81)) * **policy:** Return built obligations fqns with triggers. ([#2830](#2830)) ([e843018](e843018)) * **policy:** Return obligations from GetAttributeValue calls ([#2742](#2742)) ([aa9b393](aa9b393)) ### Bug Fixes * **core:** CORS ([#2787](#2787)) ([a030ac6](a030ac6)) * **core:** deprecate policy WithValue selector not utilized by RPC ([#2794](#2794)) ([c573595](c573595)) * **core:** deprecated stale protos and add better upgrade comments ([#2793](#2793)) ([f2678cc](f2678cc)) * **core:** Don't require known manager names ([#2792](#2792)) ([8a56a96](8a56a96)) * **core:** Fix mode negation and core mode ([#2779](#2779)) ([de9807d](de9807d)) * **core:** resolve environment loading issues ([#2827](#2827)) ([9af3184](9af3184)) * **deps:** bump github.com/opentdf/platform/lib/ocrypto from 0.6.0 to 0.7.0 in /service ([#2812](#2812)) ([a6d180d](a6d180d)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.12.0 to 0.13.0 in /service ([#2814](#2814)) ([5e9c695](5e9c695)) * **deps:** bump github.com/opentdf/platform/sdk from 0.7.0 to 0.9.0 in /service ([#2798](#2798)) ([d6bc9a8](d6bc9a8)) * **deps:** bump github.com/opentdf/platform/sdk from 0.9.0 to 0.10.0 in /service ([#2831](#2831)) ([412dfd1](412dfd1)) * ECC key loading (deprecated) ([#2757](#2757)) ([49990eb](49990eb)) * **policy:** Change to nil ([#2746](#2746)) ([a449434](a449434)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
2 participants
Proposed Changes
1.) Update Attribute
Valuestructure inobjectsproto, making Obligations part of the object.2.) Return an array of
Obligationsfrom theGetAttributeValueendpointChecklist
Testing Instructions