feat(authz): improve v2 request proto validation #2357
Conversation
github-actions
bot
added
comp:authorization
external-contributor
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hello @jakedoublev, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
Summary of Changes
Hello team, Gemini here with a summary of this pull request. This PR, authored by @jakedoublev, focuses on enhancing the validation of the v2 authorization request protobuf messages. The primary goal is to ensure that incoming requests adhere to expected formats and constraints using buf.validate. Complementing these validation rule additions, the PR also introduces comprehensive unit tests to verify that these new validation rules are correctly applied and enforced for both successful and failing scenarios.
Highlights
- Protobuf Validation: Added new message-level validation rules to the
GetDecisionRequestprotobuf message in the v2 authorization service definition (authorization.proto). These rules enforce constraints on theresourcefield, specifically checking thatregistered_resource_value_fqnis a valid URI if present, and that the list offqnswithinattribute_valuesis not empty if that resource type is used. - Unit Tests: Introduced extensive unit tests in
authorization_test.goto cover the newly addedprotovalidaterules. These tests validate various combinations ofGetDecisionRequestandGetDecisionMultiResourceRequestpayloads, ensuring that valid requests pass validation and invalid requests fail with the expected errors. This significantly improves test coverage for the authorization service's request handling.
Changelog
Click here to see the changelog
- service/authorization/v2/authorization.proto
- Added message-level validation options to
GetDecisionRequest(around lines 93-107) to validate theresourcefield content. - Ensured
resource.registered_resource_value_fqnis a valid URI if present. - Ensured
resource.attribute_values.fqnsis not empty ifattribute_valuesis used. - Made a minor formatting adjustment to the
buf.validate.fieldannotation forEntityIdentifier.registered_resource_value_fqn(around lines 33-36).
- Added message-level validation options to
- service/authorization/v2/authorization_test.go
- Added imports for
protovalidate,entity, andpolicy(around lines 7-10). - Added helper function
getValidatorfor creating aprotovalidate.Validatorinstance (around lines 25-31). - Added
Test_GetDecisionRequest_Succeedswith multiple test cases covering validGetDecisionRequestscenarios (around lines 33-183). - Added
Test_GetDecisionRequest_Failswith multiple test cases covering invalidGetDecisionRequestscenarios and expected validation errors (around lines 185-378). - Added
Test_GetDecisionMultiResourceRequest_Succeedswith multiple test cases covering validGetDecisionMultiResourceRequestscenarios (around lines 380-497). - Added placeholder tests for
GetDecisionMultiResourceRequest_FailsandGetEntitlementsRequestvalidation (around lines 498-500).
- Added imports for
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Proto rules defined,
Validation keeps requests clean,
Tests make sure it's right.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
There was a problem hiding this comment.
Code Review
This pull request significantly improves the validation for GetDecisionRequest by adding new CEL rules and includes a substantial number of unit tests for these new rules, which is great. The tests for GetDecisionRequest (both success and failure cases) are well-structured and cover the new validation logic effectively.
There are a couple of areas for improvement, primarily concerning the test coverage for GetDecisionMultiResourceRequest and the implementation of placeholder test functions. Addressing these will further enhance the robustness of the v2 request validation.
It's also noted that the checklist item "I have added or updated unit tests" in the PR description is currently unchecked, despite the addition of many tests. This might be an oversight.
Summary of Findings
- Incorrect Test Expectation for Empty Resources: In
Test_GetDecisionMultiResourceRequest_Succeeds, the test case "entity: token, action: create, empty resources array" expects success. However, theresourcesfield inGetDecisionMultiResourceRequesthas amin_items: 1validation rule, meaning an empty list should fail validation. This test case should likely be in the failure suite. - Incomplete Test Coverage for Protovalidate Rules: The test functions
Test_GetDecisionMultiResourceRequest_Fails,Test_GetEntitlementsRequest_Succeeds, andTest_GetEntitlementsRequest_Failsare placeholders. To ensure comprehensive validation coverage as per the PR's goal, these should be implemented to test the existingprotovalidaterules for their respective request messages.
Merge Readiness
The pull request makes good progress in improving proto validation and adding unit tests. However, there is a high-severity issue with an incorrect test expectation in Test_GetDecisionMultiResourceRequest_Succeeds that needs to be addressed. Additionally, implementing the placeholder test functions would significantly improve overall test coverage for existing validation rules.
I recommend addressing these points, particularly the incorrect test case, before merging. As an AI, I am not authorized to approve pull requests; please ensure further review and approval from team members.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
|
/gemini review |
There was a problem hiding this comment.
Code Review
This pull request significantly improves the v2 request proto validation by adding comprehensive protovalidate rules and thorough unit tests to verify them. The changes are well-implemented and the tests cover a wide range of scenarios for GetDecisionRequest, GetDecisionMultiResourceRequest, and GetEntitlementsRequest.
The new validation rules in authorization.proto for the Resource message, particularly for AttributeValues and registered_resource_value_fqn, are clear and enhance the robustness of the API.
The unit tests in authorization_test.go are well-structured using table-driven tests, making them readable and maintainable. The coverage of both success and failure cases for the validation rules is excellent.
Overall, this is a high-quality contribution that strengthens the authorization service's input validation. Great work!
Summary of Findings
- Clarity of Validation Message: The validation message for
Resource.attribute_values("if provided, resource.attribute_values must not be empty") inservice/authorization/v2/authorization.protoprimarily addresses the non-empty constraint (this.fqns.size() > 0). The associated CEL expressionthis.fqns.size() > 0 && this.fqns.all(item, item.isUri())also enforces that all FQNs are URIs. While the current message isn't incorrect, it could be slightly more comprehensive by hinting at the URI format requirement as well. This is a minor observation (low severity) and was not commented on directly due to the review settings, as it doesn't impede functionality and the CEL expression itself is the source of truth for the validation logic.
Merge Readiness
The pull request is in good shape. The added validations are robust and the unit tests provide excellent coverage for these changes. I have no major concerns. As a reviewer, I am not authorized to approve pull requests, so please ensure it undergoes the standard approval process by other maintainers before merging.
🤖 I have created a release *beep* *boop* --- ## [0.4.0](protocol/go/v0.3.6...protocol/go/v0.4.0) (2025-06-05) ### Features * **authz:** improve v2 request proto validation ([#2357](#2357)) ([f927b99](f927b99)) * **policy:** cache SubjectConditionSet selectors in dedicated column maintained via trigger ([#2320](#2320)) ([215791f](215791f)) * **policy:** Return Simple Kas Keys from non-Key RPCs ([#2387](#2387)) ([5113e0e](5113e0e)) * **policy:** Update simple kas key ([#2378](#2378)) ([09d8239](09d8239)) ### Bug Fixes * **policy:** protovalidate deprecated action types and removal of gRPC gateway in subject mappings svc ([#2377](#2377)) ([54a6de0](54a6de0)) * **policy:** remove gRPC gateway in policy except where needed ([#2382](#2382)) ([1937acb](1937acb)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
🤖 I have created a release *beep* *boop* --- ## [0.6.0](service/v0.5.5...service/v0.6.0) (2025-06-06) ### Features * **authz:** DSPX-894 auth svc registered resource GetEntitlement support ([#2358](#2358)) ([a199aa7](a199aa7)) * **authz:** improve v2 request proto validation ([#2357](#2357)) ([f927b99](f927b99)) * **core:** DSPX-608 - Deprecate public_client_id ([#2185](#2185)) ([0f58efa](0f58efa)) * **policy:** Return Simple Kas Keys from non-Key RPCs ([#2387](#2387)) ([5113e0e](5113e0e)) * **policy:** Unique name for the key provider. ([#2391](#2391)) ([bb58b78](bb58b78)) * **policy:** Update simple kas key ([#2378](#2378)) ([09d8239](09d8239)) ### Bug Fixes * **deps:** bump github.com/opentdf/platform/protocol/go from 0.3.6 to 0.4.0 in /service ([#2399](#2399)) ([1c6fa75](1c6fa75)) * **deps:** bump the external group across 1 directory with 21 updates ([#2401](#2401)) ([3d0d4d1](3d0d4d1)) * **policy:** move action sub queries to CTE in sm list and match sql ([#2369](#2369)) ([0fd6feb](0fd6feb)) * **policy:** protovalidate deprecated action types and removal of gRPC gateway in subject mappings svc ([#2377](#2377)) ([54a6de0](54a6de0)) * **policy:** remove gRPC gateway in policy except where needed ([#2382](#2382)) ([1937acb](1937acb)) * **policy:** remove support for creation/updation of SubjectMappings with deprecated proto actions ([#2373](#2373)) ([3660200](3660200)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
🤖 I have created a release *beep* *boop* --- ## [0.7.0](protocol/go/v0.6.2...protocol/go/v0.7.0) (2025-08-08) ### ⚠ BREAKING CHANGES * **policy:** disable kas grants in favor of key mappings ([#2220](#2220)) * **core:** Require go 1.23+ ([#1979](#1979)) ### Features * add ability to retrieve policy resources by id or name ([#1901](#1901)) ([deb4455](deb4455)) * **authz:** authz v2, ers v2 protos and gencode for ABAC with actions & registered resource ([#2124](#2124)) ([ea7992a](ea7992a)) * **authz:** improve v2 request proto validation ([#2357](#2357)) ([f927b99](f927b99)) * **authz:** sensible request limit upper bounds ([#2526](#2526)) ([b3093cc](b3093cc)) * **core:** adds bulk rewrap to sdk and service ([#1835](#1835)) ([11698ae](11698ae)) * **core:** EXPERIMENTAL: EC-wrapped key support ([#1902](#1902)) ([652266f](652266f)) * **core:** Require go 1.23+ ([#1979](#1979)) ([164c922](164c922)) * **core:** v2 ERS with proto updates ([#2210](#2210)) ([a161ef8](a161ef8)) * **policy:** add enhanced standard/custom actions protos ([#2020](#2020)) ([bbac53f](bbac53f)) * **policy:** Add legacy keys. ([#2613](#2613)) ([57370b0](57370b0)) * **policy:** Add list key mappings rpc. ([#2533](#2533)) ([fbc2724](fbc2724)) * **policy:** add obligation protos ([#2579](#2579)) ([50882e1](50882e1)) * **policy:** Add validation to delete keys ([#2576](#2576)) ([cc169d9](cc169d9)) * **policy:** add values to CreateObligationRequest ([#2614](#2614)) ([94535cc](94535cc)) * **policy:** adds new public keys table ([#1836](#1836)) ([cad5048](cad5048)) * **policy:** Allow the deletion of a key. ([#2575](#2575)) ([82b96f0](82b96f0)) * **policy:** cache SubjectConditionSet selectors in dedicated column maintained via trigger ([#2320](#2320)) ([215791f](215791f)) * **policy:** Change return type for delete key proto. ([#2566](#2566)) ([c1ae924](c1ae924)) * **policy:** Default Platform Keys ([#2254](#2254)) ([d7447fe](d7447fe)) * **policy:** disable kas grants in favor of key mappings ([#2220](#2220)) ([30f8cf5](30f8cf5)) * **policy:** DSPX-1018 NDR retrieval by FQN support ([#2131](#2131)) ([0001041](0001041)) * **policy:** DSPX-1057 registered resource action attribute values (protos only) ([#2217](#2217)) ([6375596](6375596)) * **policy:** DSPX-893 NDR define crud protos ([#2056](#2056)) ([55a5c27](55a5c27)) * **policy:** DSPX-902 NDR service crud protos only (1/2) ([#2092](#2092)) ([24b6cb5](24b6cb5)) * **policy:** Finish resource mapping groups ([#2224](#2224)) ([5ff754e](5ff754e)) * **policy:** key management crud ([#2110](#2110)) ([4c3d53d](4c3d53d)) * **policy:** Key management proto ([#2115](#2115)) ([561f853](561f853)) * **policy:** Modify get request to search for keys by kasid with keyid. ([#2147](#2147)) ([780d2e4](780d2e4)) * **policy:** Return KAS Key structure ([#2172](#2172)) ([7f97b99](7f97b99)) * **policy:** Return Simple Kas Keys from non-Key RPCs ([#2387](#2387)) ([5113e0e](5113e0e)) * **policy:** rotate keys rpc ([#2180](#2180)) ([0d00743](0d00743)) * **policy:** Update key status's and UpdateKey rpc. ([#2315](#2315)) ([7908db9](7908db9)) * **policy:** Update simple kas key ([#2378](#2378)) ([09d8239](09d8239)) ### Bug Fixes * add pagination to list public key mappings response ([#1889](#1889)) ([9898fbd](9898fbd)) * **core:** Allow 521 curve to be used ([#2485](#2485)) ([aaf43dc](aaf43dc)) * **core:** Fixes protoJSON parse bug on ec rewrap ([#1943](#1943)) ([9bebfd0](9bebfd0)) * **core:** Update fixtures and flattening in sdk and service ([#1827](#1827)) ([d6d6a7a](d6d6a7a)) * **deps:** bump toolchain in /lib/fixtures and /examples to resolve CVE GO-2025-3563 ([#2061](#2061)) ([9c16843](9c16843)) * **policy:** protovalidate deprecated action types and removal of gRPC gateway in subject mappings svc ([#2377](#2377)) ([54a6de0](54a6de0)) * **policy:** remove gRPC gateway in policy except where needed ([#2382](#2382)) ([1937acb](1937acb)) * **policy:** remove new public keys rpc's ([#1962](#1962)) ([5049bab](5049bab)) * **policy:** remove predefined rules in actions protos ([#2069](#2069)) ([060f059](060f059)) * **policy:** return kas uri on keys for definition, namespace and values ([#2186](#2186)) ([6c55fb8](6c55fb8)) * **sdk:** Fix compatibility between bulk and non-bulk rewrap ([#1914](#1914)) ([74abbb6](74abbb6)) * update key_mode to provide more context ([#2226](#2226)) ([44d0805](44d0805)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). --------- Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com> Co-authored-by: Krish Suchak <42231639+alkalescent@users.noreply.github.com>
Proposed Changes
Checklist
Testing Instructions