fix(policy): properly formatted pem in test fixtures (#2409)

### Proposed Changes

*

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

Author: strantalis

docs/Configuring.md

@@ -88,11 +88,12 @@ Root level key `server`
 | `auth.cache_refresh`    | Interval in which the IDP jwks should be refreshed                                                            | `15m`   | OPENTDF_SERVER_AUTH_CACHE_REFRESH    |
 | `auth.dpopskew`         | The amount of time drift allowed between when the client generated a dpop proof and the server time.          | `1h`    | OPENTDF_SERVER_AUTH                  |
 | `auth.skew`             | The amount of time drift allowed between a tokens `exp` claim and the server time.                            | `1m`    | OPENTDF_SERVER_AUTH_SKEW             |
-| `auth.public_client_id` | [DEPRECATED] The oidc client id. This is leveraged by otdfctl.                                                             |         | OPENTDF_SERVER_AUTH_PUBLIC_CLIENT_ID |
+| `auth.public_client_id` | [DEPRECATED] The oidc client id. This is leveraged by otdfctl.                                                |         | OPENTDF_SERVER_AUTH_PUBLIC_CLIENT_ID |
 | `auth.enforceDPoP`      | If true, DPoP bindings on Access Tokens are enforced.                                                         | `false` | OPENTDF_SERVER_AUTH_ENFORCEDPOP      |
 | `cryptoProvider`        | A list of public/private keypairs and their use. Described [below](#crypto-provider)                          | empty   |                                      |
 | `enable_pprof`          | Enable golang performance profiling                                                                           | `false` | OPENTDF_SERVER_ENABLE_PPROF          |
 | `grpc.reflection`       | The configuration for the grpc server.                                                                        | `true`  | OPENTDF_SERVER_GRPC_REFLECTION       |
+| `public_hostname`       | The public facing hostname for the server.                                                                    |         | OPENTDF_SERVER_PUBLIC_HOSTNAME       |
 | `host`                  | The host address for the server.                                                                              | `""`    | OPENTDF_SERVER_HOST                  |
 | `port`                  | The port number for the server.                                                                               | `9000`  | OPENTDF_SERVER_PORT                  |
 | `tls.enabled`           | Enable tls.                                                                                                   | `false` | OPENTDF_SERVER_TLS_ENABLED           |

opentdf-dev.yaml

@@ -19,6 +19,10 @@ logger:
 #     health_check_period_seconds: 60
 services:
   kas:
+    preview:
+      ec_tdf_enabled: false
+      key_management: false
+    root_key: a8c4824daafcfa38ed0d13002e92b08720e6c4fcee67d52e954c1a6e045907d1 # For local development testing only
     keyring:
       - kid: e1
         alg: ec:secp256r1
@@ -47,6 +51,7 @@ services:
   # list_request_limit_default: 1000
   # list_request_limit_max: 2500
 server:
+  public_hostname: localhost
   tls:
     enabled: false
     cert: ./keys/platform.crt
@@ -92,20 +97,20 @@ server:
       file:
         path: "./traces/traces.log"
         prettyPrint: true # Optional, default is compact JSON
-        maxSize: 50    # Optional, default 20MB
-        maxBackups: 5    # Optional, default 10
-        maxAge: 14    # Optional, default 30 days
-        compress: true   # Optional, default false
+        maxSize: 50 # Optional, default 20MB
+        maxBackups: 5 # Optional, default 10
+        maxAge: 14 # Optional, default 30 days
+        compress: true # Optional, default false
       # otlp:
-        # protocol: grpc # Optional, defaults to grpc
-        # endpoint: "localhost:4317"
-        # insecure: true # Set to false if Jaeger requires TLS
-        # headers: {} # Add if authentication is needed
-        # HTTP
-        #        protocol: "http/protobuf"
-        #        endpoint: "http://localhost:4318" # Default OTLP HTTP port
-        #        insecure: true # If collector is just HTTP, not HTTPS
-        # headers: {} # Add if authentication is needed
+      # protocol: grpc # Optional, defaults to grpc
+      # endpoint: "localhost:4317"
+      # insecure: true # Set to false if Jaeger requires TLS
+      # headers: {} # Add if authentication is needed
+      # HTTP
+      #        protocol: "http/protobuf"
+      #        endpoint: "http://localhost:4318" # Default OTLP HTTP port
+      #        insecure: true # If collector is just HTTP, not HTTPS
+      # headers: {} # Add if authentication is needed
   cors:
     # "*" to allow any origin or a specific domain like "https://yourdomain.com"
     allowedorigins:

opentdf-kas-mode.yaml

@@ -13,6 +13,10 @@ logger:
   output: stdout
 services:
   kas:
+    preview:
+      ec_tdf_enabled: false
+      key_management: false
+    # root_key: # create key `openssl rand 32 -hex`
     keyring:
       - kid: e1
         alg: ec:secp256r1
@@ -25,14 +29,15 @@ services:
         alg: rsa:2048
         legacy: true
 server:
+  public_hostname: localhost
   tls:
     enabled: false
     cert: ./keys/platform.crt
     key: ./keys/platform-key.pem
   auth:
     enabled: true
     enforceDPoP: false
-    audience: 'http://localhost:8080'
+    audience: "http://localhost:8080"
     issuer: http://localhost:8888/auth/realms/opentdf
     policy:
       ## Default policy for all requests
@@ -69,7 +74,7 @@ server:
     enabled: false
     # "*" to allow any origin or a specific domain like "https://yourdomain.com"
     allowedorigins:
-      - '*'
+      - "*"
     # List of methods. Examples: "GET,POST,PUT"
     allowedmethods:
       - GET

service/go.mod

@@ -16,7 +16,6 @@ require (
 	github.com/casbin/casbin/v2 v2.106.0
 	github.com/creasty/defaults v1.8.0
 	github.com/dgraph-io/ristretto v0.2.0
-	github.com/docker/docker v28.2.2+incompatible
 	github.com/docker/go-connections v0.5.0
 	github.com/eko/gocache/lib/v4 v4.2.0
 	github.com/eko/gocache/store/ristretto/v4 v4.2.2
@@ -61,6 +60,7 @@ require (
 	github.com/containerd/errdefs v1.0.0 // indirect
 	github.com/containerd/errdefs/pkg v0.3.0 // indirect
 	github.com/dgryski/go-farm v0.0.0-20240924180020-3414d57e47da // indirect
+	github.com/docker/docker v28.2.2+incompatible // indirect
 	github.com/ebitengine/purego v0.8.2 // indirect
 	github.com/moby/go-archive v0.1.0 // indirect
 	github.com/moby/sys/atomicwriter v0.1.0 // indirect

service/integration/kas_registry_key_test.go

@@ -180,7 +180,11 @@ func (s *KasRegistryKeySuite) Test_GetKasKeyById_Success() {
 	s.NotNil(resp)
 	s.Equal(s.kasKeys[0].KeyAccessServerID, resp.GetKasId())
 	s.Equal(s.kasKeys[0].ID, resp.GetKey().GetId())
-	s.Equal(s.kasKeys[0].ProviderConfigID, resp.GetKey().GetProviderConfig().GetId())
+	if s.kasKeys[0].ProviderConfigID == nil {
+		s.Nil(resp.GetKey().GetProviderConfig())
+	} else {
+		s.Equal(*s.kasKeys[0].ProviderConfigID, resp.GetKey().GetProviderConfig().GetId())
+	}
 }
 
 func (s *KasRegistryKeySuite) Test_GetKasKeyByKey_WrongKas_Fail() {
@@ -232,7 +236,7 @@ func (s *KasRegistryKeySuite) Test_GetKasKeyByKeyId_Success() {
 	s.Equal(s.kasKeys[0].KeyAccessServerID, resp.GetKasId())
 	s.Equal(s.kasKeys[0].ID, resp.GetKey().GetId())
 	validatePrivatePublicCtx(&s.Suite, []byte(s.kasKeys[0].PrivateKeyCtx), []byte(s.kasKeys[0].PublicKeyCtx), resp)
-	s.Equal(s.kasKeys[0].ProviderConfigID, resp.GetKey().GetProviderConfig().GetId())
+	s.Equal(*s.kasKeys[0].ProviderConfigID, resp.GetKey().GetProviderConfig().GetId())
 }
 
 func (s *KasRegistryKeySuite) Test_GetKasKey_WithKasName_Success() {
@@ -255,7 +259,11 @@ func (s *KasRegistryKeySuite) Test_GetKasKey_WithKasName_Success() {
 	s.Equal(s.kasKeys[0].KeyAccessServerID, resp.GetKasId())
 	s.Equal(s.kasKeys[0].ID, resp.GetKey().GetId())
 	validatePrivatePublicCtx(&s.Suite, []byte(s.kasKeys[0].PrivateKeyCtx), []byte(s.kasKeys[0].PublicKeyCtx), resp)
-	s.Equal(s.kasKeys[0].ProviderConfigID, resp.GetKey().GetProviderConfig().GetId())
+	if s.kasKeys[0].ProviderConfigID == nil {
+		s.Nil(resp.GetKey().GetProviderConfig())
+	} else {
+		s.Equal(*s.kasKeys[0].ProviderConfigID, resp.GetKey().GetProviderConfig().GetId())
+	}
 }
 
 func (s *KasRegistryKeySuite) Test_GetKasKey_WithKasUri_Success() {
@@ -279,7 +287,7 @@ func (s *KasRegistryKeySuite) Test_GetKasKey_WithKasUri_Success() {
 	s.Equal(s.kasKeys[0].ID, resp.GetKey().GetId())
 	validatePrivatePublicCtx(&s.Suite, []byte(s.kasKeys[0].PrivateKeyCtx), []byte(s.kasKeys[0].PublicKeyCtx), resp)
 	s.Require().NoError(err)
-	s.Equal(s.kasKeys[0].ProviderConfigID, resp.GetKey().GetProviderConfig().GetId())
+	s.Equal(*s.kasKeys[0].ProviderConfigID, resp.GetKey().GetProviderConfig().GetId())
 }
 
 func (s *KasRegistryKeySuite) Test_UpdateKey_InvalidKeyId_Fails() {
@@ -325,7 +333,7 @@ func (s *KasRegistryKeySuite) Test_ListKeys_KasID_Success() {
 		},
 	}
 	resp, err := s.db.PolicyClient.ListKeys(s.ctx, &req)
-	s.validateListKeysResponse(resp, err)
+	s.validateListKeysResponse(resp, 2, err)
 }
 
 func (s *KasRegistryKeySuite) Test_ListKeys_KasName_Success() {
@@ -335,7 +343,7 @@ func (s *KasRegistryKeySuite) Test_ListKeys_KasName_Success() {
 		},
 	}
 	resp, err := s.db.PolicyClient.ListKeys(s.ctx, &req)
-	s.validateListKeysResponse(resp, err)
+	s.validateListKeysResponse(resp, 2, err)
 }
 
 func (s *KasRegistryKeySuite) Test_ListKeys_KasURI_Success() {
@@ -345,7 +353,7 @@ func (s *KasRegistryKeySuite) Test_ListKeys_KasURI_Success() {
 		},
 	}
 	resp, err := s.db.PolicyClient.ListKeys(s.ctx, &req)
-	s.validateListKeysResponse(resp, err)
+	s.validateListKeysResponse(resp, 2, err)
 }
 
 func (s *KasRegistryKeySuite) Test_ListKeys_FilterAlgo_NoKeysWithAlgo_Success() {
@@ -369,7 +377,7 @@ func (s *KasRegistryKeySuite) Test_ListKeys_FilterAlgo_TwoKeys_Success() {
 		KeyAlgorithm: policy.Algorithm_ALGORITHM_RSA_2048,
 	}
 	resp, err := s.db.PolicyClient.ListKeys(s.ctx, &req)
-	s.validateListKeysResponse(resp, err)
+	s.validateListKeysResponse(resp, 1, err)
 }
 
 func (s *KasRegistryKeySuite) Test_ListKeys_KasID_Limit_Success() {
@@ -387,7 +395,7 @@ func (s *KasRegistryKeySuite) Test_ListKeys_KasID_Limit_Success() {
 	s.NotNil(resp)
 	s.Len(resp.GetKasKeys(), 1)
 	s.GreaterOrEqual(int32(2), resp.GetPagination().GetTotal())
-	s.Equal(int32(1), resp.GetPagination().GetNextOffset())
+	s.Equal(int32(0), resp.GetPagination().GetNextOffset())
 	s.Equal(int32(0), resp.GetPagination().GetCurrentOffset())
 }
 
@@ -1332,10 +1340,10 @@ func (s *KasRegistryKeySuite) getKasRegistryFixtures() []fixtures.FixtureDataKas
 	}
 }
 
-func (s *KasRegistryKeySuite) validateListKeysResponse(resp *kasregistry.ListKeysResponse, err error) {
+func (s *KasRegistryKeySuite) validateListKeysResponse(resp *kasregistry.ListKeysResponse, numKeys int, err error) {
 	s.Require().NoError(err)
 	s.NotNil(resp)
-	s.GreaterOrEqual(len(resp.GetKasKeys()), 2)
+	s.GreaterOrEqual(len(resp.GetKasKeys()), numKeys)
 	s.GreaterOrEqual(int32(2), resp.GetPagination().GetTotal())
 
 	for _, key := range resp.GetKasKeys() {
@@ -1351,7 +1359,11 @@ func (s *KasRegistryKeySuite) validateListKeysResponse(resp *kasregistry.ListKey
 		s.Require().NotNil(fixtureKey, "No matching KAS key found for ID: %s", key.GetKey().GetId())
 		s.Equal(fixtureKey.KeyAccessServerID, key.GetKasId())
 		s.Equal(fixtureKey.ID, key.GetKey().GetId())
-		s.Equal(fixtureKey.ProviderConfigID, key.GetKey().GetProviderConfig().GetId())
+		if fixtureKey.ProviderConfigID == nil {
+			s.Nil(key.GetKey().GetProviderConfig())
+		} else {
+			s.Equal(*fixtureKey.ProviderConfigID, key.GetKey().GetProviderConfig().GetId())
+		}
 		validatePrivatePublicCtx(&s.Suite, []byte(fixtureKey.PrivateKeyCtx), []byte(fixtureKey.PublicKeyCtx), key)
 		s.Require().NoError(err)
 	}

service/integration/main_test.go

@@ -10,8 +10,8 @@ import (
 	"time"
 
 	"github.com/creasty/defaults"
-	"github.com/docker/docker/api/types/container"
 	"github.com/docker/go-connections/nat"
+	"github.com/google/uuid"
 	"github.com/opentdf/platform/service/internal/fixtures"
 	tc "github.com/testcontainers/testcontainers-go"
 	"github.com/testcontainers/testcontainers-go/wait"
@@ -69,37 +69,28 @@ func TestMain(m *testing.M) {
 		providerType = tc.ProviderDocker
 	}
 
+	randomSuffix := uuid.NewString()[:8]
+	containerName := "testcontainer-postgres-" + randomSuffix
+
 	req := tc.GenericContainerRequest{
 		ProviderType: providerType,
 		ContainerRequest: tc.ContainerRequest{
 			Image:        "postgres:15-alpine",
-			Name:         "testcontainer-postgres",
+			Name:         containerName,
 			ExposedPorts: []string{"5432/tcp"},
-			HostConfigModifier: func(config *container.HostConfig) {
-				config.PortBindings = nat.PortMap{
-					"5432/tcp": []nat.PortBinding{
-						{
-							HostIP:   "0.0.0.0",
-							HostPort: "54322",
-						},
-					},
-				}
-			},
 			Env: map[string]string{
 				"POSTGRES_USER":     conf.DB.User,
 				"POSTGRES_PASSWORD": conf.DB.Password,
 				"POSTGRES_DB":       conf.DB.Database,
 			},
-
 			WaitingFor: wait.ForSQL(nat.Port("5432/tcp"), "pgx", func(host string, port nat.Port) string {
-				net.JoinHostPort(host, port.Port())
 				return fmt.Sprintf("postgres://%s:%s@%s/%s?sslmode=disable",
 					conf.DB.User,
 					conf.DB.Password,
 					net.JoinHostPort(host, port.Port()),
 					conf.DB.Database,
 				)
-			}).WithStartupTimeout(time.Second * 5).WithQuery("SELECT 10"),
+			}).WithStartupTimeout(time.Second * 60).WithQuery("SELECT 1"), // Increased timeout and simplified query
 		},
 		Started: true,
 	}

service/internal/fixtures/fixtures.go

@@ -144,15 +144,15 @@ type FixtureDataRegisteredResourceActionAttributeValue struct {
 }
 
 type FixtureDataKasRegistryKey struct {
-	ID                string `yaml:"id"`
-	KeyAccessServerID string `yaml:"key_access_server_id"`
-	KeyAlgorithm      string `yaml:"key_algorithm"`
-	KeyID             string `yaml:"key_id"`
-	KeyMode           string `yaml:"key_mode"`
-	KeyStatus         string `yaml:"key_status"`
-	PrivateKeyCtx     string `yaml:"private_key_ctx"`
-	PublicKeyCtx      string `yaml:"public_key_ctx"`
-	ProviderConfigID  string `yaml:"provider_config_id"`
+	ID                string  `yaml:"id"`
+	KeyAccessServerID string  `yaml:"key_access_server_id"`
+	KeyAlgorithm      string  `yaml:"key_algorithm"`
+	KeyID             string  `yaml:"key_id"`
+	KeyMode           string  `yaml:"key_mode"`
+	KeyStatus         string  `yaml:"key_status"`
+	PrivateKeyCtx     string  `yaml:"private_key_ctx"`
+	PublicKeyCtx      string  `yaml:"public_key_ctx"`
+	ProviderConfigID  *string `yaml:"provider_config_id"`
 }
 
 type FixtureDataProviderConfig struct {
@@ -702,10 +702,13 @@ func (f *Fixtures) provisionKasRegistryKeys() int64 {
 			f.db.StringWrap(d.KeyStatus),
 			f.db.StringWrap(string(privateCtx)),
 			f.db.StringWrap(string(pubCtx)),
-			f.db.StringWrap(d.ProviderConfigID),
 		})
+		providerConfigIDSQL := "NULL"
+		if d.ProviderConfigID != nil {
+			providerConfigIDSQL = f.db.StringWrap(*d.ProviderConfigID)
+		}
+		values[len(values)-1] = append(values[len(values)-1], providerConfigIDSQL)
 	}
-
 	return f.provision(fixtureData.KasRegistryKeys.Metadata.TableName, fixtureData.KasRegistryKeys.Metadata.Columns, values)
 }