opentdf
diff --git a/‎service/integration/attribute_fqns_test.go‎
Lines changed: 59 additions & 100 deletions b/‎service/integration/attribute_fqns_test.go‎
Lines changed: 59 additions & 100 deletions
diff --git a/‎service/internal/fixtures/fixtures.go‎
Lines changed: 40 additions & 4 deletions b/‎service/internal/fixtures/fixtures.go‎
Lines changed: 40 additions & 4 deletions
@@ -469,9 +469,14 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeyAccessGrants_Definition
 	s.Contains(grantIDs, got.GetGrants()[1].GetId())
 	pemIsPresent := false
 
-	for i, g := range got.GetGrants() {
+	for _, g := range got.GetGrants() {
 		if g.GetId() == key2.KeyAccessServerID {
-			s.Equal(base64.StdEncoding.EncodeToString([]byte(g.GetPublicKey().GetCached().GetKeys()[i].GetPem())), key2.PublicKeyCtx)
+			decodedPubKey, err := base64.StdEncoding.DecodeString(key2.PublicKeyCtx)
+			s.Require().NoError(err)
+			s.Equal(
+				strings.TrimRight(string(decodedPubKey), "\n"),
+				fmt.Sprintf("{\"pem\":\"%s\"}", base64.StdEncoding.EncodeToString([]byte(g.GetPublicKey().GetCached().GetKeys()[0].GetPem()))),
+			)
 			s.Equal(g.GetId(), key2.KeyAccessServerID)
 			pemIsPresent = true
 		}
@@ -541,16 +546,6 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeyAccessGrants_Values() {
 	s.Empty(got.GetGrants())
 	s.Empty(got.GetValues()[0].GetGrants())
 
-	// create a new kas registration
-	remoteKASName := "testing-io-remote"
-	remoteKAS, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasregistry.CreateKeyAccessServerRequest{
-		Uri:       "https://testing.io/kas",
-		PublicKey: &policy.PublicKey{},
-		Name:      remoteKASName,
-	})
-	s.Require().NoError(err)
-	s.NotNil(remoteKAS)
-
 	// make a grant association to the first value
 	grant, err := s.db.PolicyClient.AssignPublicKeyToValue(s.ctx, &attributes.ValueKey{
 		KeyId:   key.ID,
@@ -559,16 +554,6 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeyAccessGrants_Values() {
 	s.Require().NoError(err)
 	s.NotNil(grant)
 
-	// create a second kas registration and grant it to the second value
-	cachedKASName := "testion-io-local"
-	cachedKAS, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasregistry.CreateKeyAccessServerRequest{
-		Uri:       "https://testing.io/kas2",
-		PublicKey: &policy.PublicKey{},
-		Name:      cachedKASName,
-	})
-	s.Require().NoError(err)
-	s.NotNil(cachedKAS)
-
 	grant2, err := s.db.PolicyClient.AssignPublicKeyToValue(s.ctx, &attributes.ValueKey{
 		KeyId:   key2.ID,
 		ValueId: valueSecond.GetId(),
@@ -597,11 +582,9 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeyAccessGrants_Values() {
 		firstGrant := grants[0]
 		switch v.GetId() {
 		case valueFirst.GetId():
-			s.Equal(remoteKAS.GetId(), firstGrant.GetId())
-			s.Equal(remoteKASName, firstGrant.GetName())
+			s.Equal(key.KeyAccessServerID, firstGrant.GetId())
 		case valueSecond.GetId():
-			s.Equal(cachedKAS.GetId(), firstGrant.GetId())
-			s.Equal(cachedKASName, firstGrant.GetName())
+			s.Equal(key2.KeyAccessServerID, firstGrant.GetId())
 		default:
 			s.Fail("unexpected value", v)
 		}
@@ -652,14 +635,6 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeyAccessGrants_DefAndValu
 	s.Empty(got.GetGrants())
 	s.Empty(got.GetValues()[0].GetGrants())
 
-	// create a new kas registration
-	valKAS1, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasregistry.CreateKeyAccessServerRequest{
-		Uri:       "https://testing.org/kas",
-		PublicKey: &policy.PublicKey{},
-	})
-	s.Require().NoError(err)
-	s.NotNil(valKAS1)
-
 	// make a grant association to the first value
 	grant, err := s.db.PolicyClient.AssignPublicKeyToValue(s.ctx, &attributes.ValueKey{
 		KeyId:   key.ID,
@@ -668,29 +643,13 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeyAccessGrants_DefAndValu
 	s.Require().NoError(err)
 	s.NotNil(grant)
 
-	// create a second kas registration and grant it to the second value
-	valKAS2, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasregistry.CreateKeyAccessServerRequest{
-		Uri:       "https://testing.org/kas2",
-		PublicKey: &policy.PublicKey{},
-	})
-	s.Require().NoError(err)
-	s.NotNil(valKAS2)
-
 	grant2, err := s.db.PolicyClient.AssignPublicKeyToValue(s.ctx, &attributes.ValueKey{
 		KeyId:   key2.ID,
 		ValueId: valueSecond.GetId(),
 	})
 	s.Require().NoError(err)
 	s.NotNil(grant2)
 
-	// create a third kas registration and grant it to the attribute definition
-	defKAS, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasregistry.CreateKeyAccessServerRequest{
-		Uri:       "https://testing.org/kas3",
-		PublicKey: &policy.PublicKey{},
-	})
-	s.Require().NoError(err)
-	s.NotNil(defKAS)
-
 	defGrant, err := s.db.PolicyClient.AssignPublicKeyToAttribute(s.ctx, &attributes.AttributeKey{
 		KeyId:       key3.ID,
 		AttributeId: a.GetId(),
@@ -705,24 +664,24 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeyAccessGrants_DefAndValu
 
 	// ensure the attribute has exactly one definition grant
 	s.Len(got.GetGrants(), 1)
-	s.Equal(defKAS.GetId(), got.GetGrants()[0].GetId())
+	s.Equal(key3.KeyAccessServerID, got.GetGrants()[0].GetId())
 
 	// get the attribute by the fqn of one of its values and ensure the grants are present
 	got, err = s.db.PolicyClient.GetAttributeByFqn(s.ctx, val1Fqn)
 	s.Require().NoError(err)
 	s.NotNil(got)
 	s.Len(got.GetValues(), 2)
 	s.Len(got.GetGrants(), 1)
-	s.Equal(defKAS.GetId(), got.GetGrants()[0].GetId())
+	s.Equal(key.KeyAccessServerID, got.GetGrants()[0].GetId())
 
 	for _, v := range got.GetValues() {
 		switch v.GetId() {
 		case valueFirst.GetId():
 			s.Require().Len(v.GetGrants(), 1)
-			s.Equal(valKAS1.GetId(), v.GetGrants()[0].GetId())
+			s.Equal(key.KeyAccessServerID, v.GetGrants()[0].GetId())
 		case valueSecond.GetId():
 			s.Require().Len(v.GetGrants(), 1)
-			s.Equal(valKAS2.GetId(), v.GetGrants()[0].GetId())
+			s.Equal(key2.KeyAccessServerID, v.GetGrants()[0].GetId())
 		default:
 			s.Fail("unexpected value", v)
 		}
@@ -748,16 +707,6 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeyAccessGrants_NamespaceG
 	s.Require().NoError(err)
 	s.NotNil(attr)
 
-	// create a new kas registration
-	nsKASName := "namespace-kas1"
-	kas, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasregistry.CreateKeyAccessServerRequest{
-		Uri:       "https://testing_granted_namespace.com/kas",
-		PublicKey: &policy.PublicKey{},
-		Name:      nsKASName,
-	})
-	s.Require().NoError(err)
-	s.NotNil(kas)
-
 	// make a grant association to the namespace
 	grant, err := s.db.PolicyClient.AssignPublicKeyToNamespace(s.ctx, &namespaces.NamespaceKey{
 		KeyId:       key.ID,
@@ -775,20 +724,25 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeyAccessGrants_NamespaceG
 	gotNs := got.GetNamespace()
 	grants := gotNs.GetGrants()
 	s.Len(grants, 1)
-	s.Equal(kas.GetId(), grants[0].GetId())
-	s.Equal(nsKASName, grants[0].GetName())
+	s.Equal(key.KeyAccessServerID, grants[0].GetId())
 }
 
 // for all the big tests set up:
 // attribute name is "test_attr", values are "value1" and "value2"
 // kas uris granted to each are "https://testing_granted_<ns | attr | val1 | val1>.com/<ns>/kas",
+type KasAssociations struct {
+	kasID   string
+	uri     string
+	keyID   string
+	keyUUID string
+}
 type bigSetup struct {
 	attrFqn         string
 	nsID            string
 	attrID          string
 	val1ID          string
 	val2ID          string
-	kasAssociations map[string]string
+	kasAssociations map[string]*KasAssociations
 }
 
 func (s *AttributeFqnSuite) TestGetAttributeByFqn_SameResultsWhetherAttrOrValueFqnUsed() {
@@ -846,53 +800,53 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithKeyAccessGrants_ProperOnAl
 	// ensure the namespace has the grants
 	s.Len(got.GetNamespace().GetGrants(), 1)
 	nsGrant := got.GetNamespace().GetGrants()[0]
-	s.Equal(setup.kasAssociations[got.GetNamespace().GetId()], nsGrant.GetId())
+	s.Equal(setup.kasAssociations[got.GetNamespace().GetId()].kasID, nsGrant.GetId())
 	s.Equal(fmt.Sprintf("https://testing_granted_ns.com/%s/kas", ns), nsGrant.GetUri())
 
 	// ensure the attribute has the grants
 	s.Len(got.GetGrants(), 1)
 	attrGrant := got.GetGrants()[0]
-	s.Equal(setup.kasAssociations[got.GetId()], attrGrant.GetId())
+	s.Equal(setup.kasAssociations[got.GetId()].kasID, attrGrant.GetId())
 	s.Equal(fmt.Sprintf("https://testing_granted_attr.com/%s/kas", ns), attrGrant.GetUri())
 
 	// ensure the first value has the grants
 	val1 := got.GetValues()[0]
 	s.Len(val1.GetGrants(), 1)
 	val1Grant := val1.GetGrants()[0]
-	s.Equal(setup.kasAssociations[val1.GetId()], val1Grant.GetId())
+	s.Equal(setup.kasAssociations[val1.GetId()].kasID, val1Grant.GetId())
 	s.Equal(fmt.Sprintf("https://testing_granted_val.com/%s/kas", ns), val1Grant.GetUri())
 
 	// ensure the second value has the grants
 	val2 := got.GetValues()[1]
 	s.Len(val2.GetGrants(), 1)
 	val2Grant := val2.GetGrants()[0]
-	s.Equal(setup.kasAssociations[val2.GetId()], val2Grant.GetId())
+	s.Equal(setup.kasAssociations[val2.GetId()].kasID, val2Grant.GetId())
 	s.Equal(fmt.Sprintf("https://testing_granted_val2.com/%s/kas", ns), val2Grant.GetUri())
 
 	// remove grants from all objects
-	// _, err = s.db.PolicyClient.RemoveKeyAccessServerFromNamespace(s.ctx, &namespaces.NamespaceKeyAccessServer{
-	// 	KeyAccessServerId: nsGrant.GetId(),
-	// 	NamespaceId:       got.GetNamespace().GetId(),
-	// })
-	// s.Require().NoError(err)
-
-	// _, err = s.db.PolicyClient.RemoveKeyAccessServerFromAttribute(s.ctx, &attributes.AttributeKeyAccessServer{
-	// 	KeyAccessServerId: attrGrant.GetId(),
-	// 	AttributeId:       got.GetId(),
-	// })
-	// s.Require().NoError(err)
-
-	// _, err = s.db.PolicyClient.RemoveKeyAccessServerFromValue(s.ctx, &attributes.ValueKeyAccessServer{
-	// 	KeyAccessServerId: val1Grant.GetId(),
-	// 	ValueId:           val1.GetId(),
-	// })
-	// s.Require().NoError(err)
-
-	// _, err = s.db.PolicyClient.RemoveKeyAccessServerFromValue(s.ctx, &attributes.ValueKeyAccessServer{
-	// 	KeyAccessServerId: val2Grant.GetId(),
-	// 	ValueId:           val2.GetId(),
-	// })
-	// s.Require().NoError(err)
+	_, err = s.db.PolicyClient.RemovePublicKeyFromNamespace(s.ctx, &namespaces.NamespaceKey{
+		KeyId:       setup.kasAssociations[got.GetNamespace().GetId()].keyUUID,
+		NamespaceId: got.GetNamespace().GetId(),
+	})
+	s.Require().NoError(err)
+
+	_, err = s.db.PolicyClient.RemovePublicKeyFromAttribute(s.ctx, &attributes.AttributeKey{
+		KeyId:       setup.kasAssociations[got.GetId()].keyUUID,
+		AttributeId: got.GetId(),
+	})
+	s.Require().NoError(err)
+
+	_, err = s.db.PolicyClient.RemovePublicKeyFromValue(s.ctx, &attributes.ValueKey{
+		KeyId:   setup.kasAssociations[val1.GetId()].keyUUID,
+		ValueId: val1.GetId(),
+	})
+	s.Require().NoError(err)
+
+	_, err = s.db.PolicyClient.RemovePublicKeyFromValue(s.ctx, &attributes.ValueKey{
+		KeyId:   setup.kasAssociations[val2.GetId()].keyUUID,
+		ValueId: val2.GetId(),
+	})
+	s.Require().NoError(err)
 
 	// ensure the grants are removed from all objects
 	got, err = s.db.PolicyClient.GetAttributeByFqn(s.ctx, setup.attrFqn)
@@ -1684,7 +1638,7 @@ func (s *AttributeFqnSuite) bigTestSetup(namespaceName string) bigSetup {
 	val1KasURI := fmt.Sprintf("https://testing_granted_val.com/%s/kas", namespaceName)
 	val2KasURI := fmt.Sprintf("https://testing_granted_val2.com/%s/kas", namespaceName)
 
-	kasAssociations := map[string]string{}
+	kasAssociations := map[string]*KasAssociations{}
 	// create new KASes
 	for _, toAssociate := range []struct {
 		id  string
@@ -1720,36 +1674,41 @@ func (s *AttributeFqnSuite) bigTestSetup(namespaceName string) bigSetup {
 		s.Require().NoError(err)
 		s.NotNil(resp)
 
-		kasAssociations[toAssociate.id] = resp.GetKasKey().GetKey().GetId()
+		kasAssociations[toAssociate.id] = &KasAssociations{
+			kasID:   kas.GetId(),
+			uri:     toAssociate.uri,
+			keyID:   resp.GetKasKey().GetKey().GetKeyId(),
+			keyUUID: resp.GetKasKey().GetKey().GetId(),
+		}
 	}
 
 	// make a grant association to the namespace
 	nsGrant, err := s.db.PolicyClient.AssignPublicKeyToNamespace(s.ctx, &namespaces.NamespaceKey{
-		KeyId:       kasAssociations[ns.GetId()],
+		KeyId:       kasAssociations[ns.GetId()].keyUUID,
 		NamespaceId: ns.GetId(),
 	})
 	s.Require().NoError(err)
 	s.NotNil(nsGrant)
 
 	// make a grant association to the attribute definition
 	attrGrant, err := s.db.PolicyClient.AssignPublicKeyToAttribute(s.ctx, &attributes.AttributeKey{
-		KeyId:       kasAssociations[attr.GetId()],
+		KeyId:       kasAssociations[attr.GetId()].keyUUID,
 		AttributeId: attr.GetId(),
 	})
 	s.Require().NoError(err)
 	s.NotNil(attrGrant)
 
 	// make a grant association to the first value
 	val1Grant, err := s.db.PolicyClient.AssignPublicKeyToValue(s.ctx, &attributes.ValueKey{
-		KeyId:   kasAssociations[val1.GetId()],
+		KeyId:   kasAssociations[val1.GetId()].keyUUID,
 		ValueId: val1.GetId(),
 	})
 	s.Require().NoError(err)
 	s.NotNil(val1Grant)
 
 	// make a grant association to the second value
 	val2Grant, err := s.db.PolicyClient.AssignPublicKeyToValue(s.ctx, &attributes.ValueKey{
-		KeyId:   kasAssociations[val2.GetId()],
+		KeyId:   kasAssociations[val2.GetId()].keyUUID,
 		ValueId: val2.GetId(),
 	})
 	s.Require().NoError(err)
 
@@ -668,6 +668,33 @@ func (f *Fixtures) provisionProviderConfigs() int64 {
 
 func (f *Fixtures) provisionKasRegistryKeys() int64 {
 	values := make([][]string, 0, len(fixtureData.KasRegistryKeys.Data))
+	// Create a local copy of columns to avoid modifying the global fixtureData
+	columns := make([]string, len(fixtureData.KasRegistryKeys.Metadata.Columns))
+	copy(columns, fixtureData.KasRegistryKeys.Metadata.Columns)
+
+	// Check if provider_config_id needs to be added to the columns
+	// This should only happen once, not inside the loop
+	providerConfigIDColumnPresent := false
+	for _, d := range fixtureData.KasRegistryKeys.Data {
+		if d.ProviderConfigID != "" {
+			providerConfigIDColumnPresent = true
+			break
+		}
+	}
+	if providerConfigIDColumnPresent {
+		// Ensure "provider_config_id" is not already in the base columns from YAML
+		exists := false
+		for _, colName := range columns {
+			if colName == "provider_config_id" {
+				exists = true
+				break
+			}
+		}
+		if !exists {
+			columns = append(columns, "provider_config_id")
+		}
+	}
+
 	for _, d := range fixtureData.KasRegistryKeys.Data {
 		pubCtx, err := base64.StdEncoding.DecodeString(d.PublicKeyCtx)
 		if err != nil {
@@ -679,7 +706,8 @@ func (f *Fixtures) provisionKasRegistryKeys() int64 {
 			slog.Error("⛔️ 📦 issue with kas registry private key context - check policy_fixtures.yaml for issues")
 			panic("issue with kas registry private key context")
 		}
-		values = append(values, []string{
+
+		currentRowValues := []string{
 			f.db.StringWrap(d.ID),
 			f.db.StringWrap(d.KeyAccessServerID),
 			f.db.StringWrap(d.KeyAlgorithm),
@@ -688,11 +716,19 @@ func (f *Fixtures) provisionKasRegistryKeys() int64 {
 			f.db.StringWrap(d.KeyStatus),
 			f.db.StringWrap(string(privateCtx)),
 			f.db.StringWrap(string(pubCtx)),
-			f.db.StringWrap(d.ProviderConfigID),
-		})
+		}
+
+		if providerConfigIDColumnPresent {
+			if d.ProviderConfigID == "" {
+				currentRowValues = append(currentRowValues, "NULL") // Use NULL for empty UUID
+			} else {
+				currentRowValues = append(currentRowValues, f.db.StringWrap(d.ProviderConfigID))
+			}
+		}
+		values = append(values, currentRowValues)
 	}
 
-	return f.provision(fixtureData.KasRegistryKeys.Metadata.TableName, fixtureData.KasRegistryKeys.Metadata.Columns, values)
+	return f.provision(fixtureData.KasRegistryKeys.Metadata.TableName, columns, values)
 }
 
 func (f *Fixtures) provisionRegisteredResources() int64 {