feat(policy)!: add namespace field to Actions proto #3130

Open
elizabethhealy wants to merge 4 commits into main from dspx-2540-action-protos-namespaced

@elizabethhealy commented Mar 10, 2026

Proposed Changes

This pull request introduces namespace support to the policy service, primarily focusing on Actions. It adds a namespace field to the Action protobuf definition and integrates namespace_id and namespace_fqn fields into request messages for creating, retrieving, and listing actions. These new fields are accompanied by robust validation rules to ensure data consistency and proper identification of namespaces. The changes also include updates to the gRPC documentation and expanded unit tests to cover the new validation logic.

Highlights

  • Namespace Field Added to Action Proto: A new namespace field of type Namespace has been introduced to the policy.Action message in service/policy/objects.proto, providing a namespace context for actions.
  • Namespace Identifiers in Action Request Messages: GetActionRequest, ListActionsRequest, and CreateActionRequest in service/policy/actions/actions.proto now include namespace_id (UUID) and namespace_fqn (URI) fields, which are required and mutually exclusive (oneof).
  • Validation for Namespace Fields: Comprehensive validation rules have been added for the new namespace_id and namespace_fqn fields, ensuring they adhere to UUID and URI formats respectively, and that one of them is always provided.

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

@github-actions github-actions bot added comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) docs Documentation size/s labels Mar 10, 2026
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces namespace support to the policy service, primarily focusing on Actions. It adds a namespace field to the Action protobuf definition and integrates namespace_id and namespace_fqn fields into request messages for creating, retrieving, and listing actions. These new fields are accompanied by robust validation rules to ensure data consistency and proper identification of namespaces. The changes also include updates to the gRPC documentation and expanded unit tests to cover the new validation logic.

Highlights

  • Namespace Field Added to Action Proto: A new namespace field of type Namespace has been introduced to the policy.Action message in service/policy/objects.proto, providing a namespace context for actions.
  • Namespace Identifiers in Action Request Messages: GetActionRequest, ListActionsRequest, and CreateActionRequest in service/policy/actions/actions.proto now include namespace_id (UUID) and namespace_fqn (URI) fields, which are required and mutually exclusive (oneof).
  • Validation for Namespace Fields: Comprehensive validation rules have been added for the new namespace_id and namespace_fqn fields, ensuring they adhere to UUID and URI formats respectively, and that one of them is always provided.
  • Updated Documentation: The gRPC documentation (docs/grpc/index.html) has been updated to reflect the addition of the namespace field to Action and RegisteredResource messages, and the namespace_id/namespace_fqn fields to various action and registered resource request messages.
  • Expanded Unit Tests: Unit tests in service/policy/actions/actions_test.go have been extended to cover the validation logic for the new namespace fields in CreateActionRequest, GetActionRequest, and ListActionsRequest.

Changelog
  • docs/grpc/index.html
    • Added documentation for the namespace field to the policy.Action message.
    • Added documentation for the namespace field to the policy.RegisteredResource message.
    • Added documentation for namespace_id and namespace_fqn fields to policy.actions.CreateActionRequest.
    • Added documentation for namespace_id and namespace_fqn fields to policy.actions.GetActionRequest.
    • Added documentation for namespace_id and namespace_fqn fields to policy.actions.ListActionsRequest.
    • Added documentation for namespace_id and namespace_fqn fields to policy.registeredresources.CreateRegisteredResourceRequest.
    • Added documentation for namespace_fqn field to policy.registeredresources.GetRegisteredResourceRequest.
    • Added documentation for namespace_id and namespace_fqn fields to policy.registeredresources.ListRegisteredResourcesRequest.
  • service/policy/actions/actions.proto
    • Added namespace_id and namespace_fqn fields to GetActionRequest, with a oneof constraint and validation rules for UUID and URI formats.
    • Added namespace_id and namespace_fqn fields to ListActionsRequest, with a oneof constraint and validation rules.
    • Added namespace_id and namespace_fqn fields to CreateActionRequest, with a oneof constraint and validation rules.
  • service/policy/actions/actions_test.go
    • Added validNamespaceFQN constant.
    • Added errMessageOneof constant.
    • Updated Test_CreateActionRequest_Fails to include tests for missing namespace, invalid namespace ID, and invalid namespace FQN.
    • Updated Test_CreateActionRequest_Succeeds to include NamespaceId or NamespaceFqn in successful requests.
    • Updated Test_GetAction_Succeeds to include NamespaceId or NamespaceFqn in successful requests.
    • Updated Test_GetAction_Fails to include tests for missing namespace, invalid namespace ID, and invalid namespace FQN.
    • Added Test_ListActions_Fails to test for missing namespace, invalid namespace ID, and invalid namespace FQN.
    • Updated Test_ListActions_Succeeds to include NamespaceId or NamespaceFqn in successful requests.
  • service/policy/objects.proto
    • Added a namespace field of type Namespace to the Action message.
Ignored Files
  • Ignored by pattern: docs/openapi/**/* (10)
    • docs/openapi/authorization/authorization.openapi.yaml
    • docs/openapi/authorization/v2/authorization.openapi.yaml
    • docs/openapi/policy/actions/actions.openapi.yaml
    • docs/openapi/policy/attributes/attributes.openapi.yaml
    • docs/openapi/policy/objects.openapi.yaml
    • docs/openapi/policy/obligations/obligations.openapi.yaml
    • docs/openapi/policy/registeredresources/registered_resources.openapi.yaml
    • docs/openapi/policy/resourcemapping/resource_mapping.openapi.yaml
    • docs/openapi/policy/subjectmapping/subject_mapping.openapi.yaml
    • docs/openapi/policy/unsafe/unsafe.openapi.yaml
  • Ignored by pattern: protocol/**/* (2)
    • protocol/go/policy/actions/actions.pb.go
    • protocol/go/policy/objects.pb.go
Activity
  • The pull request description indicates that unit tests, integration tests, and documentation are yet to be updated, as the corresponding checklist items are unchecked.
  • No specific comments or reviews have been made on the pull request yet.
New fields now appear, Namespaces bring order clear, Code review, no fear.

@gemini-code-assist bot left a comment

Code Review

This pull request introduces a namespace field to the Action proto message, associating actions with namespaces and propagating this through the gRPC API. However, a critical security vulnerability has been identified: the backend implementation (Go code and SQL queries) has not been updated to utilize these new namespace fields, leading to a security bypass where namespace isolation is not enforced. Additionally, the breaking change in GetActionRequest will disrupt existing internal logic for updating and deleting actions. It is recommended to complete the implementation of namespace filtering in the backend and update internal service calls to ensure consistency and security. Furthermore, consider adding comments to the new namespace_id and namespace_fqn fields in actions.proto to improve clarity and maintainability.
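
The gap described in the review above, as an added example that is not code from this pull request or the project: a request can pass the namespace_id / namespace_fqn validation and still be answered from another namespace when the lookup never uses the value. All type and function names here (Action, GetReq, validate, Get, Sample) and the sample data are hypothetical and constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
)

// Hypothetical types for illustration; not the project's generated protobuf or database code.
type Action struct{ ID, Name, NsID, NsFQN string }
type GetReq struct{ Name, NamespaceID, NamespaceFQN string }
var uuidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// validate mirrors the request rules: exactly one selector, a UUID or an absolute URI.
func validate(r GetReq) error {
	if (r.NamespaceID == "") == (r.NamespaceFQN == "") {
		return errors.New("exactly one of namespace_id or namespace_fqn is required")
	}
	if r.NamespaceID != "" && !uuidRe.MatchString(r.NamespaceID) {
		return errors.New("namespace_id must be a UUID")
	}
	if u, err := url.Parse(r.NamespaceFQN); r.NamespaceFQN != "" && (err != nil || u.Scheme == "" || u.Host == "") {
		return errors.New("namespace_fqn must be an absolute URI")
	}
	return nil
}

// Get validates the request either way; only scoped=true uses the namespace in the lookup.
func Get(actions []Action, r GetReq, scoped bool) (Action, error) {
	if err := validate(r); err != nil {
		return Action{}, err
	}
	for _, a := range actions {
		inNS := (r.NamespaceID != "" && a.NsID == r.NamespaceID) || (r.NamespaceFQN != "" && a.NsFQN == r.NamespaceFQN)
		if a.Name == r.Name && (!scoped || inNS) {
			return a, nil
		}
	}
	return Action{}, errors.New("action not found")
}

// Sample is constructed data: two namespaces that each define an action named "export".
var Sample = []Action{
	{"act-a", "export", "11111111-1111-4111-8111-111111111111", "https://a.example"},
	{"act-b", "export", "22222222-2222-4222-8222-222222222222", "https://b.example"},
}
func main() {
	fmt.Println(Get(Sample, GetReq{Name: "export", NamespaceFQN: "https://b.example"}, true))
}
```

With scoped set to false the same valid request for namespace b returns act-a, which is the isolation failure the review points at; a test that creates the same action name in two namespaces catches it.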

@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 193.977267ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 94.662308ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 388.352752ms
Throughput 257.50 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.723517405s
Average Latency 395.503409ms
Throughput 125.87 requests/second

@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 201.177151ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 100.039504ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 386.887671ms
Throughput 258.47 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.76450823s
Average Latency 395.841042ms
Throughput 125.74 requests/second

@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 199.263597ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 98.169658ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 372.608402ms
Throughput 268.38 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.886557239s
Average Latency 387.65259ms
Throughput 128.58 requests/second

@elizabethhealy elizabethhealy marked this pull request as ready for review March 11, 2026 20:33
@elizabethhealy elizabethhealy requested review from a team as code owners March 11, 2026 20:33
@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 179.326207ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 90.676606ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 367.847708ms
Throughput 271.85 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.435263476s
Average Latency 392.835515ms
Throughput 126.79 requests/second
