feat(policy): Proto - root certificates by namespace

[pflynn-virtru]

Proposed Changes

This pull request adds support for managing certificates within namespaces in the policy API and documentation. It introduces new data models, API endpoints, and documentation for associating certificates with namespaces, including assigning and removing certificates, and listing root certificates as part of a namespace's properties.

• Introduced AssignCertificateToNamespace and RemoveCertificateFromNamespace RPCs to NamespaceService.
• Defined supporting protobuf messages, schemas, and service handlers.
• Updated OpenAPI documentation to include the new APIs.
• Extended namespaces with root certificate support.

Checklist

• I have added or updated unit tests
• I have added or updated integration tests (if appropriate)
• I have added or updated documentation

Testing Instructions

[gemini-code-assist]

Summary of Changes

Hello @pflynn-virtru, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the policy API by enabling the management of root certificates at the namespace level. This allows for more granular control over trust chains, associating specific certificates with namespaces, and improving the security and flexibility of policy enforcement. The changes encompass new protobuf definitions, API endpoints, corresponding SDK updates, and comprehensive documentation.

Highlights

• Certificate Management: Introduced new API endpoints and data models for assigning and removing root certificates within specific namespaces, enhancing trust chain management.
• Namespace Extension: The Namespace protobuf message now includes a root_certs field to store associated certificates, allowing namespaces to directly manage their trust anchors.
• New RPCs: Added AssignCertificateToNamespace and RemoveCertificateFromNamespace RPCs to the NamespaceService for programmatic certificate management.
• Documentation Update: The OpenAPI documentation has been updated to reflect the new certificate-related APIs and data structures, ensuring clear usage guidelines.
• SDK Integration: The Go SDK client for NamespaceService has been extended to include the new certificate assignment and removal methods, providing immediate client-side support.

Ignored Files

• Ignored by pattern: docs/openapi/**/* (9)
  • docs/openapi/policy/actions/actions.openapi.yaml
  • docs/openapi/policy/attributes/attributes.openapi.yaml
  • docs/openapi/policy/namespaces/namespaces.openapi.yaml
  • docs/openapi/policy/objects.openapi.yaml
  • docs/openapi/policy/obligations/obligations.openapi.yaml
  • docs/openapi/policy/registeredresources/registered_resources.openapi.yaml
  • docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml
  • docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml
  • docs/openapi/policy/unsafe/unsafe.openapi.yaml
• Ignored by pattern: protocol/**/* (4)
  • protocol/go/policy/namespaces/namespaces.pb.go
  • protocol/go/policy/namespaces/namespaces_grpc.pb.go
  • protocol/go/policy/namespaces/namespacesconnect/namespaces.connect.go
  • protocol/go/policy/objects.pb.go

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

Root certs now find home, Namespaces hold trust's strong chain, Secure paths unfold.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces support for managing root certificates within namespaces. The changes include new protobuf messages and RPCs in the policy service, updates to the Go SDK wrapper, and regenerated documentation.

The protobuf definitions are well-structured and follow existing patterns. I've added a few suggestions to improve the comments in the .proto files, which will enhance the clarity of the generated documentation. I also suggested a minor change to a comment block style to improve how it's rendered in the documentation.

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	176.929081ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	112.718315ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	363.320265ms
Throughput	275.24 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	40.106550425s
Average Latency	398.699293ms
Throughput	124.67 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	26.881954561s
Average Latency	267.865406ms
Throughput	186.00 requests/second

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	173.162476ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	102.441237ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	382.252959ms
Throughput	261.61 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	39.780057865s
Average Latency	396.051152ms
Throughput	125.69 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	26.656111626s
Average Latency	265.70566ms
Throughput	187.57 requests/second

[jakedoublev]

Proto changes LGTM (comments and policy conventions are clear)