feat: add structured schema policy config

.github/workflows/go-checks.yaml

@@ -39,4 +39,4 @@ jobs:
           go-version: '1.21'
           cache: false
       - name: Integration Tests with the Go CLI
-        run: go test ./tests -race
+        run: go test ./integration -race

.golangci.yaml

@@ -0,0 +1,12 @@
+issues:
+  # Show only new issues: if there are unstaged changes or untracked files,
+  # only those changes are analyzed, else only changes in HEAD~ are analyzed.
+  # It's a super-useful option for integration of golangci-lint into existing large codebase.
+  # It's not practical to fix all existing issues at the moment of integration:
+  # much better don't allow issues in new code.
+  #
+  # Default: false
+  new: true
+  # Show only new issues created after git revision `REV`.
+  # Default: ""
+  new-from-rev: HEAD

README.md

@@ -35,25 +35,32 @@ This should bring up a grpc server on port **9000** and http server on port **80
 ```bash
   grpcurl -plaintext localhost:9000 list
 
-  acre.v1.ResourcEncodingService
-  attributes.v1.AttributesService
+  attributes.AttributesService
   grpc.reflection.v1.ServerReflection
   grpc.reflection.v1alpha.ServerReflection
-
-  grpcurl -plaintext localhost:9000 list attributes.v1.AttributesService
-
-  attributes.v1.AttributesService.CreateAttribute
-  attributes.v1.AttributesService.DeleteAttribute
-  attributes.v1.AttributesService.GetAttribute
-  attributes.v1.AttributesService.ListAttributes
-  attributes.v1.AttributesService.UpdateAttribute
-
+  kasregistry.KeyAccessServerRegistryService
+  namespaces.NamespaceService
+  resourcemapping.ResourceMappingService
+  subjectmapping.SubjectMappingService
+
+  grpcurl -plaintext localhost:9000 list attributes.AttributesService
+
+  attributes.AttributesService.CreateAttribute
+  attributes.AttributesService.CreateAttributeValue
+  attributes.AttributesService.DeleteAttribute
+  attributes.AttributesService.DeleteAttributeValue
+  attributes.AttributesService.GetAttribute
+  attributes.AttributesService.GetAttributeValue
+  attributes.AttributesService.ListAttributeValues
+  attributes.AttributesService.ListAttributes
+  attributes.AttributesService.UpdateAttribute
+  attributes.AttributesService.UpdateAttributeValue
 ```
 
 Create Attribute
 
 ```bash
-grpcurl -plaintext -d @ localhost:9000 attributes.v1.AttributesService/CreateAttribute <<EOM  
+grpcurl -plaintext -d @ localhost:9000 attributes.v1.AttributesService/CreateAttribute <<EOM
 {
     "definition": {
         "name": "relto",

cmd/migrate.go

@@ -0,0 +1,56 @@
+package cmd
+
+import (
+	"fmt"
+	"log/slog"
+
+	"github.com/opentdf/opentdf-v2-poc/internal/config"
+	"github.com/opentdf/opentdf-v2-poc/internal/db"
+	"github.com/spf13/cobra"
+)
+
+var (
+	migrateCmd = &cobra.Command{
+		Use:   "migrate",
+		Short: "Run database migrations",
+	}
+
+	migrateDownCmd = &cobra.Command{
+		Use:   "down",
+		Short: "Run database migrations",
+		Run: func(cmd *cobra.Command, args []string) {
+			dbClient, err := migrateDbClient()
+			if err != nil {
+				panic(fmt.Errorf("could not load config: %w", err))
+			}
+
+			res, err := dbClient.MigrationDown()
+			if err != nil {
+				panic(fmt.Errorf("migration down failed: %w", err))
+			}
+			fmt.Print("migration down applied: ", slog.Any("res", res))
+		},
+	}
+)
+
+func migrateDbClient() (*db.Client, error) {
+	// Load the config
+	conf, err := config.LoadConfig()
+	if err != nil {
+		return nil, err
+	}
+
+	slog.Info("creating database client")
+	dbClient, err := db.NewClient(conf.DB)
+	if err != nil {
+		//nolint:wrapcheck // we want to return the error as is. the start command will wrap it
+		return nil, err
+	}
+	return dbClient, nil
+
+}
+
+func init() {
+	migrateCmd.AddCommand(migrateDownCmd)
+	rootCmd.AddCommand(migrateCmd)
+}

cmd/start.go

@@ -16,10 +16,15 @@ import (
 	"github.com/opentdf/opentdf-v2-poc/internal/logger"
 	"github.com/opentdf/opentdf-v2-poc/internal/opa"
 	"github.com/opentdf/opentdf-v2-poc/internal/server"
-	"github.com/opentdf/opentdf-v2-poc/services/acre"
-	"github.com/opentdf/opentdf-v2-poc/services/acse"
+	"github.com/opentdf/opentdf-v2-poc/services/resourcemapping"
+
+	// "github.com/opentdf/opentdf-v2-poc/services/acre"
 	"github.com/opentdf/opentdf-v2-poc/services/attributes"
-	"github.com/opentdf/opentdf-v2-poc/services/keyaccessgrants"
+	"github.com/opentdf/opentdf-v2-poc/services/kasregistry"
+	"github.com/opentdf/opentdf-v2-poc/services/subjectmapping"
+
+	"github.com/opentdf/opentdf-v2-poc/services/namespaces"
+	// "github.com/opentdf/opentdf-v2-poc/services/keyaccessgrants"
 	"github.com/spf13/cobra"
 )
 
@@ -126,13 +131,11 @@ func createDatabaseClient(conf db.Config) (*db.Client, error) {
 
 //nolint:revive // the opa engine will be used in the future
 func RegisterServices(_ config.Config, otdf *server.OpenTDFServer, dbClient *db.Client, eng *opa.Engine) error {
-	var (
-		err error
-	)
-	slog.Info("registering acre server")
-	err = acre.NewResourceEncoding(dbClient, otdf.GrpcServer, otdf.Mux)
+	var err error
+	slog.Info("registering resource mappings server")
+	err = resourcemapping.NewResourceMappingServer(dbClient, otdf.GrpcServer, otdf.Mux)
 	if err != nil {
-		return fmt.Errorf("could not register acre service: %w", err)
+		return fmt.Errorf("could not register resource mappings service: %w", err)
 	}
 
 	slog.Info("registering attributes server")
@@ -141,17 +144,23 @@ func RegisterServices(_ config.Config, otdf *server.OpenTDFServer, dbClient *db.
 		return fmt.Errorf("could not register attributes service: %w", err)
 	}
 
-	slog.Info("registering acse server")
-	err = acse.NewSubjectEncodingServer(dbClient, otdf.GrpcServer, otdf.GrpcInProcess.GetGrpcServer(), otdf.Mux)
+	slog.Info("registering subject mappings service")
+	err = subjectmapping.NewSubjectMappingServer(dbClient, otdf.GrpcServer, otdf.GrpcInProcess.GetGrpcServer(), otdf.Mux)
 	if err != nil {
-		return fmt.Errorf("could not register acse service: %w", err)
+		return fmt.Errorf("could not register subject mappings service: %w", err)
 	}
 
-	slog.Info("registering key access grants service")
-	err = keyaccessgrants.NewKeyAccessGrantsServer(dbClient, otdf.GrpcServer, otdf.Mux)
+	slog.Info("registering key access server registry")
+	err = kasregistry.NewKeyAccessServerRegistryServer(dbClient, otdf.GrpcServer, otdf.Mux)
 	if err != nil {
 		return fmt.Errorf("could not register key access grants service: %w", err)
 	}
 
+	slog.Info("registering namespaces server")
+	err = namespaces.NewNamespacesServer(dbClient, otdf.GrpcServer, otdf.Mux)
+	if err != nil {
+		return fmt.Errorf("could not register namespaces service: %w", err)
+	}
+
 	return nil
 }

examples/attributes/main.go

@@ -4,34 +4,13 @@ import (
 	"context"
 	"log/slog"
 	"os"
+	"strconv"
 
 	"github.com/opentdf/opentdf-v2-poc/sdk"
 	"github.com/opentdf/opentdf-v2-poc/sdk/attributes"
-	"github.com/opentdf/opentdf-v2-poc/sdk/common"
 )
 
 func main() {
-	definition := attributes.AttributeDefinition{
-		Name: "relto",
-		Rule: attributes.AttributeDefinition_ATTRIBUTE_RULE_TYPE_ANY_OF,
-		Values: []*attributes.AttributeDefinitionValue{
-			{
-				Value: "USA",
-			},
-			{
-				Value: "GBR",
-			},
-		},
-		Descriptor_: &common.ResourceDescriptor{
-			Version:     1,
-			Namespace:   "demo.com",
-			Fqn:         "http://demo.com/attr/relto",
-			Description: "The relto attribute is used to describe the relationship of the resource to the country of origin. ",
-			Labels:      map[string]string{"origin": "Country of Origin"},
-			Type:        common.PolicyResourceType_POLICY_RESOURCE_TYPE_ATTRIBUTE_DEFINITION,
-		},
-	}
-
 	s, err := sdk.New("localhost:9000", sdk.WithInsecureConn())
 	if err != nil {
 		slog.Error("could not connect", slog.String("error", err.Error()))
@@ -40,7 +19,11 @@ func main() {
 	defer s.Close()
 
 	_, err = s.Attributes.CreateAttribute(context.Background(), &attributes.CreateAttributeRequest{
-		Definition: &definition,
+		Attribute: &attributes.AttributeCreateUpdate{
+			Name:        "relto",
+			NamespaceId: "",
+			Rule:        *attributes.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF.Enum(),
+		},
 	})
 	if err != nil {
 		slog.Error("could not create attribute", slog.String("error", err.Error()))
@@ -54,11 +37,16 @@ func main() {
 		slog.Error("could not list attributes", slog.String("error", err.Error()))
 		os.Exit(1)
 	}
-	for _, attr := range allAttr.Definitions {
+	for _, attr := range allAttr.Attributes {
+		slog.Info("attribute", slog.String("id", attr.Id))
 		slog.Info("attribute", slog.String("name", attr.Name))
 		slog.Info("attribute", slog.String("rule", attr.Rule.String()))
-		for _, val := range attr.Values {
-			slog.Info("attribute", slog.String("name", attr.Name), slog.String("value", val.Value))
+		slog.Info("attribute", slog.Any("metadata", attr.Metadata))
+		for i, val := range attr.Values {
+			slog.Info("attribute: "+strconv.Itoa(i), slog.String("id", val.Id))
+			slog.Info("attribute: "+strconv.Itoa(i), slog.String("value", val.Value))
+			slog.Info("attribute: "+strconv.Itoa(i), slog.Any("members", val.Members))
+			slog.Info("attribute: "+strconv.Itoa(i), slog.Any("metadata", val.Metadata))
 		}
 	}
 

go.mod

@@ -35,33 +35,43 @@ require (
 	github.com/agnivade/levenshtein v1.1.1 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/bep/godartsass v0.16.0 // indirect
+	github.com/bep/golibsass v1.1.0 // indirect
 	github.com/bytecodealliance/wasmtime-go/v3 v3.0.2 // indirect
 	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
 	github.com/cespare/xxhash/v2 v2.2.0 // indirect
+	github.com/cli/safeexec v1.0.0 // indirect
 	github.com/containerd/containerd v1.7.9 // indirect
 	github.com/containerd/log v0.1.0 // indirect
+	github.com/cosmtrek/air v1.49.0 // indirect
 	github.com/cpuguy83/dockercfg v0.3.1 // indirect
+	github.com/creack/pty v1.1.18 // indirect
 	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker v24.0.7+incompatible // indirect
 	github.com/docker/go-connections v0.4.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
+	github.com/fatih/color v1.14.1 // indirect
 	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/go-ini/ini v1.67.0 // indirect
 	github.com/go-logr/logr v1.3.0 // indirect
 	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-ole/go-ole v1.2.6 // indirect
 	github.com/gobwas/glob v0.2.3 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
+	github.com/gohugoio/hugo v0.111.3 // indirect
 	github.com/google/cel-go v0.18.2 // indirect
 	github.com/google/uuid v1.4.0 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
+	github.com/jackc/pgerrcode v0.0.0-20220416144525-469b46aa5efa // indirect
 	github.com/klauspost/compress v1.17.2 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/lufia/plan9stats v0.0.0-20211012122336-39d0f177ccd0 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
 	github.com/moby/locker v1.0.1 // indirect
@@ -72,6 +82,7 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.0-rc5 // indirect
 	github.com/opencontainers/runc v1.1.10 // indirect
+	github.com/pelletier/go-toml v1.9.5 // indirect
 	github.com/pelletier/go-toml/v2 v2.1.0 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
@@ -93,6 +104,7 @@ require (
 	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/tchap/go-patricia/v2 v2.3.1 // indirect
+	github.com/tdewolff/parse/v2 v2.6.5 // indirect
 	github.com/tklauser/go-sysconf v0.3.12 // indirect
 	github.com/tklauser/numcpus v0.6.1 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect