feat(policy): actions service RPCs should actually hit storage layer CRUD (#2063)

jakedoublev · web-flow · commit da4faf5d8410 · 2025-04-23T19:41:23.000Z
### Proposed Changes

* roundtrip to db storage in actions service RPCs

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions
diff --git a/sdk/sdk.go b/sdk/sdk.go
@@ -18,6 +18,7 @@ import (
 	"github.com/opentdf/platform/protocol/go/authorization"
 	"github.com/opentdf/platform/protocol/go/entityresolution"
 	"github.com/opentdf/platform/protocol/go/policy"
+	"github.com/opentdf/platform/protocol/go/policy/actions"
 	"github.com/opentdf/platform/protocol/go/policy/attributes"
 	"github.com/opentdf/platform/protocol/go/policy/kasregistry"
 	"github.com/opentdf/platform/protocol/go/policy/namespaces"
@@ -63,14 +64,15 @@ type SDK struct {
 	conn                    *grpc.ClientConn
 	dialOptions             []grpc.DialOption
 	tokenSource             auth.AccessTokenSource
-	Namespaces              namespaces.NamespaceServiceClient
+	Actions                 actions.ActionServiceClient
 	Attributes              attributes.AttributesServiceClient
+	Authorization           authorization.AuthorizationServiceClient
+	EntityResoution         entityresolution.EntityResolutionServiceClient
+	KeyAccessServerRegistry kasregistry.KeyAccessServerRegistryServiceClient
+	Namespaces              namespaces.NamespaceServiceClient
 	ResourceMapping         resourcemapping.ResourceMappingServiceClient
 	SubjectMapping          subjectmapping.SubjectMappingServiceClient
-	KeyAccessServerRegistry kasregistry.KeyAccessServerRegistryServiceClient
 	Unsafe                  unsafe.UnsafeServiceClient
-	Authorization           authorization.AuthorizationServiceClient
-	EntityResoution         entityresolution.EntityResolutionServiceClient
 	wellknownConfiguration  wellknownconfiguration.WellKnownServiceClient
 }
 
@@ -193,6 +195,7 @@ func New(platformEndpoint string, opts ...Option) (*SDK, error) {
 		conn:                    platformConn,
 		dialOptions:             dialOptions,
 		tokenSource:             accessTokenSource,
+		Actions:                 actions.NewActionServiceClient(platformConn),
 		Attributes:              attributes.NewAttributesServiceClient(platformConn),
 		Namespaces:              namespaces.NewNamespaceServiceClient(platformConn),
 		ResourceMapping:         resourcemapping.NewResourceMappingServiceClient(platformConn),
diff --git a/service/logger/audit/constants.go b/service/logger/audit/constants.go
@@ -21,6 +21,7 @@ const (
 	ObjectTypeEntityObject
 	ObjectTypeResourceMappingGroup
 	ObjectTypePublicKey
+	ObjectTypeAction
 )
 
 func (ot ObjectType) String() string {
@@ -38,6 +39,8 @@ func (ot ObjectType) String() string {
 		"key_object",
 		"entity_object",
 		"resource_mapping_group",
+		"public_key",
+		"action",
 	}[ot]
 }
 
diff --git a/service/pkg/server/services_test.go b/service/pkg/server/services_test.go
@@ -26,6 +26,8 @@ type mockTestServiceOptions struct {
 	dbRegister         serviceregistry.DBRegister
 }
 
+const numExpectedPolicyServices = 7
+
 func mockTestServiceRegistry(opts mockTestServiceOptions) (serviceregistry.IService, *spyTestService) {
 	spy := &spyTestService{}
 	mockTestServiceDefaults := mockTestServiceOptions{
@@ -112,7 +114,7 @@ func (suite *ServiceTestSuite) Test_RegisterCoreServices_In_Mode_ALL_Expect_All_
 
 	policy, err := registry.GetNamespace(servicePolicy)
 	suite.Require().NoError(err)
-	suite.Len(policy.Services, 6)
+	suite.Len(policy.Services, numExpectedPolicyServices)
 	suite.Equal(modeCore, policy.Mode)
 
 	wellKnown, err := registry.GetNamespace(serviceWellKnown)
@@ -143,7 +145,7 @@ func (suite *ServiceTestSuite) Test_RegisterCoreServices_In_Mode_Core_Expect_Cor
 
 	policy, err := registry.GetNamespace(servicePolicy)
 	suite.Require().NoError(err)
-	suite.Len(policy.Services, 6)
+	suite.Len(policy.Services, numExpectedPolicyServices)
 	suite.Equal(modeCore, policy.Mode)
 
 	wellKnown, err := registry.GetNamespace(serviceWellKnown)
@@ -170,7 +172,7 @@ func (suite *ServiceTestSuite) Test_RegisterServices_In_Mode_Core_Plus_Kas_Expec
 
 	policy, err := registry.GetNamespace(servicePolicy)
 	suite.Require().NoError(err)
-	suite.Len(policy.Services, 6)
+	suite.Len(policy.Services, numExpectedPolicyServices)
 	suite.Equal(modeCore, policy.Mode)
 
 	wellKnown, err := registry.GetNamespace(serviceWellKnown)
@@ -197,7 +199,7 @@ func (suite *ServiceTestSuite) Test_RegisterServices_In_Mode_Core_Plus_Kas_Expec
 
 	policy, err := registry.GetNamespace(servicePolicy)
 	suite.Require().NoError(err)
-	suite.Len(policy.Services, 6)
+	suite.Len(policy.Services, numExpectedPolicyServices)
 	suite.Equal(modeCore, policy.Mode)
 
 	wellKnown, err := registry.GetNamespace(serviceWellKnown)
diff --git a/service/policy/actions/actions.go b/service/policy/actions/actions.go
@@ -2,15 +2,16 @@ package actions
 
 import (
 	"context"
-	"errors"
 	"fmt"
 	"log/slog"
 
 	"connectrpc.com/connect"
 	"github.com/opentdf/platform/protocol/go/policy/actions"
 	"github.com/opentdf/platform/protocol/go/policy/actions/actionsconnect"
 	"github.com/opentdf/platform/service/logger"
+	"github.com/opentdf/platform/service/logger/audit"
 	"github.com/opentdf/platform/service/pkg/config"
+	"github.com/opentdf/platform/service/pkg/db"
 	"github.com/opentdf/platform/service/pkg/serviceregistry"
 
 	policyconfig "github.com/opentdf/platform/service/policy/config"
@@ -78,22 +79,118 @@ func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *servicer
 	}
 }
 
-func (a *ActionService) GetAction(context.Context, *connect.Request[actions.GetActionRequest]) (*connect.Response[actions.GetActionResponse], error) {
-	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("GetAction is not implemented"))
+func (a *ActionService) GetAction(ctx context.Context, req *connect.Request[actions.GetActionRequest]) (*connect.Response[actions.GetActionResponse], error) {
+	rsp := &actions.GetActionResponse{}
+
+	a.logger.DebugContext(ctx, "getting action", slog.Any("identifier", req.Msg.GetIdentifier()))
+
+	action, err := a.dbClient.GetAction(ctx, req.Msg)
+	if err != nil {
+		return nil, db.StatusifyError(err, db.ErrTextGetRetrievalFailed, slog.Any("identifier", req.Msg.GetIdentifier()))
+	}
+	rsp.Action = action
+
+	return connect.NewResponse(rsp), nil
 }
 
-func (a *ActionService) ListActions(context.Context, *connect.Request[actions.ListActionsRequest]) (*connect.Response[actions.ListActionsResponse], error) {
-	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("ListActions is not implemented"))
+func (a *ActionService) ListActions(ctx context.Context, req *connect.Request[actions.ListActionsRequest]) (*connect.Response[actions.ListActionsResponse], error) {
+	a.logger.DebugContext(ctx, "listing actions")
+	rsp, err := a.dbClient.ListActions(ctx, req.Msg)
+	if err != nil {
+		return nil, db.StatusifyError(err, db.ErrTextListRetrievalFailed)
+	}
+	a.logger.DebugContext(ctx, "listed actions")
+	return connect.NewResponse(rsp), nil
 }
 
-func (a *ActionService) CreateAction(context.Context, *connect.Request[actions.CreateActionRequest]) (*connect.Response[actions.CreateActionResponse], error) {
-	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("CreateAction is not implemented"))
+func (a *ActionService) CreateAction(ctx context.Context, req *connect.Request[actions.CreateActionRequest]) (*connect.Response[actions.CreateActionResponse], error) {
+	a.logger.DebugContext(ctx, "creating action", slog.String("name", req.Msg.GetName()))
+	auditParams := audit.PolicyEventParams{
+		ActionType: audit.ActionTypeCreate,
+		ObjectType: audit.ObjectTypeAction,
+	}
+	rsp := &actions.CreateActionResponse{}
+
+	err := a.dbClient.RunInTx(ctx, func(txClient *policydb.PolicyDBClient) error {
+		action, err := txClient.CreateAction(ctx, req.Msg)
+		if err != nil {
+			return err
+		}
+
+		auditParams.ObjectID = action.GetId()
+		auditParams.Original = action
+		a.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)
+
+		rsp.Action = action
+		return nil
+	})
+	if err != nil {
+		a.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
+		return nil, db.StatusifyError(err, db.ErrTextCreationFailed, slog.String("action", req.Msg.String()))
+	}
+	return connect.NewResponse(rsp), nil
 }
 
-func (a *ActionService) UpdateAction(context.Context, *connect.Request[actions.UpdateActionRequest]) (*connect.Response[actions.UpdateActionResponse], error) {
-	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("UpdateAction is not implemented"))
+func (a *ActionService) UpdateAction(ctx context.Context, req *connect.Request[actions.UpdateActionRequest]) (*connect.Response[actions.UpdateActionResponse], error) {
+	actionID := req.Msg.GetId()
+	a.logger.DebugContext(ctx, "updating action", slog.String("id", actionID))
+	rsp := &actions.UpdateActionResponse{}
+
+	auditParams := audit.PolicyEventParams{
+		ActionType: audit.ActionTypeUpdate,
+		ObjectType: audit.ObjectTypeAction,
+		ObjectID:   actionID,
+	}
+
+	err := a.dbClient.RunInTx(ctx, func(txClient *policydb.PolicyDBClient) error {
+		original, err := txClient.GetAction(ctx, &actions.GetActionRequest{
+			Identifier: &actions.GetActionRequest_Id{
+				Id: actionID,
+			},
+		})
+		if err != nil {
+			return err
+		}
+
+		updated, err := txClient.UpdateAction(ctx, req.Msg)
+		if err != nil {
+			return err
+		}
+
+		auditParams.Original = original
+		auditParams.Updated = updated
+		a.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)
+
+		rsp.Action = updated
+		return nil
+	})
+	if err != nil {
+		a.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
+		return nil, db.StatusifyError(err, db.ErrTextUpdateFailed, slog.String("action", req.Msg.String()))
+	}
+
+	return connect.NewResponse(rsp), nil
 }
 
-func (a *ActionService) DeleteAction(context.Context, *connect.Request[actions.DeleteActionRequest]) (*connect.Response[actions.DeleteActionResponse], error) {
-	return nil, connect.NewError(connect.CodeUnimplemented, errors.New("DeleteAction is not implemented"))
+func (a *ActionService) DeleteAction(ctx context.Context, req *connect.Request[actions.DeleteActionRequest]) (*connect.Response[actions.DeleteActionResponse], error) {
+	rsp := &actions.DeleteActionResponse{}
+	actionID := req.Msg.GetId()
+
+	auditParams := audit.PolicyEventParams{
+		ActionType: audit.ActionTypeDelete,
+		ObjectType: audit.ObjectTypeAction,
+		ObjectID:   actionID,
+	}
+	a.logger.DebugContext(ctx, "deleting action", slog.String("id", actionID))
+
+	deleted, err := a.dbClient.DeleteAction(ctx, req.Msg)
+	if err != nil {
+		a.logger.Audit.PolicyCRUDFailure(ctx, auditParams)
+		return nil, db.StatusifyError(err, db.ErrTextDeletionFailed, slog.String("action", req.Msg.String()))
+	}
+
+	a.logger.Audit.PolicyCRUDSuccess(ctx, auditParams)
+	rsp.Action = deleted
+
+	return connect.NewResponse(rsp), nil
 }
diff --git a/service/policy/db/actions.go b/service/policy/db/actions.go
@@ -199,8 +199,7 @@ func (c PolicyDBClient) DeleteAction(ctx context.Context, req *actions.DeleteAct
 		}
 		// standard action
 		name := strings.ToLower(got.GetName())
-		isStandard := ActionStandard(name).IsValid()
-		if isStandard {
+		if ActionStandard(name).IsValid() {
 			return nil, fmt.Errorf("cannot delete standard action %s: %w", name, db.ErrRestrictViolation)
 		}
 		return nil, db.ErrNotFound
diff --git a/service/policy/db/query.sql b/service/policy/db/query.sql
@@ -1228,7 +1228,6 @@ INSERT INTO attribute_value_public_key_map (value_id, key_id) VALUES ($1, $2);
 -- name: removePublicKeyFromAttributeValue :execrows
 DELETE FROM attribute_value_public_key_map WHERE value_id = $1 AND key_id = $2;
 
-
 ---------------------------------------------------------------- 
 -- ACTIONS
 ----------------------------------------------------------------
diff --git a/service/policy/db/subject_mappings.go b/service/policy/db/subject_mappings.go
@@ -7,8 +7,6 @@ import (
 	"fmt"
 	"strings"
 
-	"github.com/jackc/pgerrcode"
-	"github.com/jackc/pgx/v5"
 	"github.com/opentdf/platform/protocol/go/common"
 	"github.com/opentdf/platform/protocol/go/policy"
 	"github.com/opentdf/platform/protocol/go/policy/subjectmapping"
@@ -508,10 +506,6 @@ func (c PolicyDBClient) UpdateSubjectMapping(ctx context.Context, r *subjectmapp
 
 	_, err = c.Queries.updateSubjectMapping(ctx, updateParams)
 	if err != nil {
-		// CTE behavior requires custom handling with divide by zero to detect 0 count
-		if strings.Contains(err.Error(), pgerrcode.DivisionByZero) {
-			err = pgx.ErrNoRows
-		}
 		return nil, db.WrapIfKnownInvalidQueryErr(err)
 	}
 
diff --git a/service/policy/namespaces/namespaces.go b/service/policy/namespaces/namespaces.go
@@ -117,7 +117,6 @@ func (ns NamespacesService) GetNamespace(ctx context.Context, req *connect.Reque
 
 func (ns NamespacesService) CreateNamespace(ctx context.Context, req *connect.Request[namespaces.CreateNamespaceRequest]) (*connect.Response[namespaces.CreateNamespaceResponse], error) {
 	ns.logger.Debug("creating new namespace", slog.String("name", req.Msg.GetName()))
-
 	auditParams := audit.PolicyEventParams{
 		ActionType: audit.ActionTypeCreate,
 		ObjectType: audit.ObjectTypeNamespace,
diff --git a/service/policy/policy.go b/service/policy/policy.go
@@ -4,6 +4,7 @@ import (
 	"embed"
 
 	"github.com/opentdf/platform/service/pkg/serviceregistry"
+	"github.com/opentdf/platform/service/policy/actions"
 	"github.com/opentdf/platform/service/policy/attributes"
 	"github.com/opentdf/platform/service/policy/db/migrations"
 	"github.com/opentdf/platform/service/policy/kasregistry"
@@ -34,6 +35,7 @@ func NewRegistrations() []serviceregistry.IService {
 		subjectmapping.NewRegistration(namespace, dbRegister),
 		kasregistry.NewRegistration(namespace, dbRegister),
 		unsafe.NewRegistration(namespace, dbRegister),
+		actions.NewRegistration(namespace, dbRegister),
 	}...)
 	return registrations
 }

Original file line number	Diff line number	Diff line change
`@@ -21,6 +21,7 @@ const (`
`21`	`21`	`ObjectTypeEntityObject`
`22`	`22`	`ObjectTypeResourceMappingGroup`
`23`	`23`	`ObjectTypePublicKey`
	`24`	`+ ObjectTypeAction`
`24`	`25`	`)`
`25`	`26`
`26`	`27`	`func (ot ObjectType) String() string {`
`@@ -38,6 +39,8 @@ func (ot ObjectType) String() string {`
`38`	`39`	`"key_object",`
`39`	`40`	`"entity_object",`
`40`	`41`	`"resource_mapping_group",`
	`42`	`+ "public_key",`
	`43`	`+ "action",`
`41`	`44`	`}[ot]`
`42`	`45`	`}`
`43`	`46`
Original file line number	Diff line number	Diff line change
`@@ -199,8 +199,7 @@ func (c PolicyDBClient) DeleteAction(ctx context.Context, req *actions.DeleteAct`
`199`	`199`	`}`
`200`	`200`	`// standard action`
`201`	`201`	`name := strings.ToLower(got.GetName())`
`202`		`- isStandard := ActionStandard(name).IsValid()`
`203`		`- if isStandard {`
	`202`	`+ if ActionStandard(name).IsValid() {`
`204`	`203`	`return nil, fmt.Errorf("cannot delete standard action %s: %w", name, db.ErrRestrictViolation)`
`205`	`204`	`}`
`206`	`205`	`return nil, db.ErrNotFound`