fix(policy): enhance proto validation across policy requests

opentdf · Oct 16, 2024 · 69c5727 · 69c5727
1 parent c486712
commit 69c5727
Show file tree

Hide file tree

Showing 6 changed files with 196 additions and 89 deletions.
diff --git a/service/policy/attributes/attributes.proto b/service/policy/attributes/attributes.proto
@@ -13,13 +13,25 @@ import "policy/selectors.proto";
 */
 
 message AttributeKeyAccessServer {
- string attribute_id = 1;
- string key_access_server_id = 2;
+ string attribute_id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
+ string key_access_server_id = 2 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 }
 
 message ValueKeyAccessServer {
- string value_id = 1;
- string key_access_server_id = 2;
+ string value_id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
+ string key_access_server_id = 2 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 }
 
 /*
@@ -37,15 +49,21 @@ message ListAttributesResponse {
 }
 
 message GetAttributeRequest {
- string id = 1 [(buf.validate.field).required = true];
+ string id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 }
 message GetAttributeResponse {
  policy.Attribute attribute = 1;
 }
 
 message CreateAttributeRequest {
  // Required
- string namespace_id = 1 [(buf.validate.field).required = true];
+ string namespace_id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
  string name = 2 [
  (buf.validate.field).required = true,
  (buf.validate.field).string.max_len = 253,
@@ -84,7 +102,10 @@ message CreateAttributeResponse {
 
 message UpdateAttributeRequest {
  // Required
- string id = 1 [(buf.validate.field).required = true];
+ string id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 
  // Optional
  common.MetadataMutable metadata = 100;
@@ -95,7 +116,10 @@ message UpdateAttributeResponse {
 }
 
 message DeactivateAttributeRequest {
- string id = 1 [(buf.validate.field).required = true];
+ string id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 }
 message DeactivateAttributeResponse {
  policy.Attribute attribute = 1;
@@ -105,14 +129,20 @@ message DeactivateAttributeResponse {
 /// Value RPC messages
 ///
 message GetAttributeValueRequest {
- string id = 1 [(buf.validate.field).required = true];
+ string id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 }
 message GetAttributeValueResponse {
  policy.Value value = 1;
 }
 
 message ListAttributeValuesRequest {
- string attribute_id = 1 [(buf.validate.field).required = true];
+ string attribute_id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
  // ACTIVE by default when not specified
  common.ActiveStateEnum state = 2;
 }
@@ -122,7 +152,10 @@ message ListAttributeValuesResponse {
 
 message CreateAttributeValueRequest {
  // Required
- string attribute_id = 1 [(buf.validate.field).required = true];
+ string attribute_id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
  string value = 2 [
  (buf.validate.field).required = true,
  (buf.validate.field).string.max_len = 253,
@@ -145,7 +178,10 @@ message CreateAttributeValueResponse {
 }
 
 message UpdateAttributeValueRequest {
- string id = 1 [(buf.validate.field).required = true];
+ string id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 
  // Deprecated
  reserved "members";
@@ -160,7 +196,10 @@ message UpdateAttributeValueResponse {
 }
 
 message DeactivateAttributeValueRequest {
- string id = 1 [(buf.validate.field).required = true];
+ string id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 }
 message DeactivateAttributeValueResponse {
  policy.Value value = 1;
@@ -169,7 +208,7 @@ message DeactivateAttributeValueResponse {
 message GetAttributeValuesByFqnsRequest {
  // Required
  // Fully Qualified Names of attribute values (i.e. https://<namespace>/attr/<attribute_name>/value/<value_name>), normalized to lower case.
- repeated string fqns = 1 [(buf.validate.field).required = true];
+ repeated string fqns = 1 [(buf.validate.field).required = true]; // TODO: validate min/max len but NOT FQN format
  policy.AttributeValueSelector with_value = 2 [(buf.validate.field).required = true];
 }
 message GetAttributeValuesByFqnsResponse {

diff --git a/service/policy/kasregistry/key_access_server_registry.proto b/service/policy/kasregistry/key_access_server_registry.proto
@@ -8,7 +8,10 @@ import "google/api/annotations.proto";
 import "policy/objects.proto";
 
 message GetKeyAccessServerRequest {
- string id = 1 [(buf.validate.field).required = true];
+ string id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 }
 message GetKeyAccessServerResponse {
  KeyAccessServer key_access_server = 1;
@@ -33,7 +36,10 @@ message CreateKeyAccessServerResponse {
 
 message UpdateKeyAccessServerRequest {
  // Required
- string id = 1 [(buf.validate.field).required = true];
+ string id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
  string uri = 2;
  PublicKey public_key = 3;
 
@@ -46,7 +52,10 @@ message UpdateKeyAccessServerResponse {
 }
 
 message DeleteKeyAccessServerRequest {
- string id = 1 [(buf.validate.field).required = true];
+ string id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 }
 message DeleteKeyAccessServerResponse {
  KeyAccessServer key_access_server = 1;
@@ -73,8 +82,8 @@ message ListKeyAccessServerGrantsRequest {
  // Optional
  // Filter LIST by either ID or URI of a registered Key Access Server.
  // If neither is provided, grants from all registered KASs to policy attribute objects are returned.
- string kas_id = 1;
- string kas_uri = 2;
+ string kas_id = 1; // TOOD: test ignore_empty and other options for validating UUID only when not empty
+ string kas_uri = 2; // TODO: uri format
 }
 
 message ListKeyAccessServerGrantsResponse {

diff --git a/service/policy/namespaces/namespaces.proto b/service/policy/namespaces/namespaces.proto
@@ -13,8 +13,14 @@ import "policy/objects.proto";
 */
 
 message NamespaceKeyAccessServer {
- string namespace_id = 1;
- string key_access_server_id = 2;
+ string namespace_id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
+ string key_access_server_id = 2 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 }
 
 /*
@@ -24,7 +30,10 @@ message NamespaceKeyAccessServer {
 */
 
 message GetNamespaceRequest {
- string id = 1 [(buf.validate.field).required = true];
+ string id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 }
 message GetNamespaceResponse {
  policy.Namespace namespace = 1;
@@ -59,7 +68,10 @@ message CreateNamespaceResponse {
 
 message UpdateNamespaceRequest {
  // Required
- string id = 1 [(buf.validate.field).required = true];
+ string id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 
  // Optional
  common.MetadataMutable metadata = 100;
@@ -70,7 +82,10 @@ message UpdateNamespaceResponse {
 }
 
 message DeactivateNamespaceRequest {
- string id = 1 [(buf.validate.field).required = true];
+ string id = 1 [
+ (buf.validate.field).required = true,
+ (buf.validate.field).string.uuid = true
+ ];
 }
 message DeactivateNamespaceResponse {}