feat(authz): add protovalidate interceptor for Casbin

[alkalescent]

Proposed Changes

• Adds a protovalidate-based auth interceptor for Casbin.

Checklist

• I have added or updated unit tests
• I have added or updated integration tests (if appropriate)
• I have added or updated documentation

Testing Instructions

[gemini-code-assist]

Summary of Changes

Hello @alkalescent, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a robust mechanism for integrating protovalidate with Casbin authorization within ConnectRPC services. It provides a configurable interceptor that automatically validates incoming protobuf messages and extracts a predefined set of attributes. These attributes are then made available for fine-grained, attribute-based access control policies in Casbin, ensuring that only validated and explicitly whitelisted data influences authorization decisions.

Highlights

• New Protovalidate Interceptor: Introduced a new ProtoAttrMapper struct and its Interceptor method to create a ConnectRPC unary interceptor. This interceptor is designed to validate incoming protobuf messages using protovalidate and extract specific attributes for Casbin authorization.
• Attribute Extraction and Whitelisting: The ProtoAttrMapper allows configuring a whitelist of Allowed protobuf fields to be extracted. It also supports RequiredFields to ensure critical attributes are present. Only whitelisted fields are attached to the context, enhancing security by preventing unintended data exposure to authorization policies.
• Protobuf Field Lookup Helper: A lookupProtoFieldString helper function was added to safely extract string representations of single-level protobuf fields, supporting various scalar types like strings, integers, and booleans.
• Comprehensive Unit Tests: Extensive unit tests have been added to protovalidate_interceptor_test.go covering core functionalities such as attribute extraction, validation of required fields, strict whitelisting behavior, and integration with a Casbin enforcer for attribute-based policy evaluation.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

Proto fields flow, Casbin guards with careful hand, Access now refined.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces a protovalidate-based interceptor for Casbin authorization attribute extraction. The implementation has a critical security vulnerability where authorization check results are ignored, allowing unauthorized requests to proceed. There is also a significant performance issue due to the re-initialization of the validator on every request. I've provided comments and suggestions to address these critical issues, along with feedback on improving test organization and fixing a bug in a test's Casbin matcher.

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	195.308302ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	102.468701ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	368.76236ms
Throughput	271.18 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	39.953841241s
Average Latency	397.81446ms
Throughput	125.14 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	28.132851901s
Average Latency	280.435631ms
Throughput	177.73 requests/second

[github-actions]

X-Test Results

opentdfplatformX7JE8Y.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2986
✅ java-pull-2986
✅ go-pull-2986

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	207.31581ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	105.697565ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	387.861352ms
Throughput	257.82 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	41.933821931s
Average Latency	418.075472ms
Throughput	119.24 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	29.663189948s
Average Latency	295.483379ms
Throughput	168.56 requests/second

[github-actions]

X-Test Results

opentdfplatformC52T3E.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2986
✅ java-pull-2986
✅ go-pull-2986

[github-actions]

X-Test Failure Report

opentdfplatformAIGJ7P.dockerbuild

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	192.433779ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	105.202666ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	372.9324ms
Throughput	268.15 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	38.727057023s
Average Latency	385.357936ms
Throughput	129.11 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.745716083s
Average Latency	276.590323ms
Throughput	180.21 requests/second

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	181.35699ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	103.080306ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	358.67178ms
Throughput	278.81 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	38.183610133s
Average Latency	380.062361ms
Throughput	130.95 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.564021505s
Average Latency	274.745658ms
Throughput	181.40 requests/second

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	201.096495ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	104.990666ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	365.332587ms
Throughput	273.72 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	39.136364845s
Average Latency	389.695439ms
Throughput	127.76 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	28.016209925s
Average Latency	279.337488ms
Throughput	178.47 requests/second

[github-actions]

X-Test Failure Report

opentdfplatformIWK5RO.dockerbuild
cukes-report
✅ java-v0.4.34
✅ js-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2986
✅ java-pull-2986
✅ go-pull-2986

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	154.645497ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	89.701816ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	364.623718ms
Throughput	274.26 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	39.518906609s
Average Latency	393.297354ms
Throughput	126.52 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	27.880174286s
Average Latency	278.001058ms
Throughput	179.34 requests/second

[github-actions]

X-Test Results

opentdfplatformI3QXOP.dockerbuild
✅ js-v0.4.34
✅ java-v0.4.34
cukes-report
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2986
✅ java-pull-2986
✅ go-pull-2986

[github-actions]

X-Test Results

opentdfplatformLBVWOI.dockerbuild
cukes-report
✅ java-v0.4.34
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2986
✅ java-pull-2986
✅ go-pull-2986