feat(policy): sqlc queries refactor (#2541)

### Proposed Changes

- `query.sql` file has been broken into separate files for each
individual unit of work under a `/queries` folder
- removed sqlc `*Queries` struct embedding from the `PolicyDBClient` and
updated all sqlc gen'd queries to be lowercase so that they are not
exposed to external packages
- refactored queries used only by integration tests into `pgx.Exec`
calls to keep them out of the `PolicyDBClient` functionality

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

Author: ryanulit

service/integration/attribute_fqns_test.go

@@ -255,12 +255,8 @@ func (s *AttributeFqnSuite) TestGetAttributeByFqn_WithAttributeDefKeysAssociated
 	})
 	s.Require().NoError(err)
 
-	// Remove the attribute
-	_, err = s.db.PolicyClient.DeleteAttribute(s.ctx, attr.GetId())
-	s.Require().NoError(err)
-
-	// Remove the namespace
-	_, err = s.db.PolicyClient.DeleteNamespace(s.ctx, ns.GetId())
+	// cascade delete will remove namespaces and all associated attributes and values
+	_, err = s.db.PolicyClient.UnsafeDeleteNamespace(s.ctx, ns, ns.GetFqn())
 	s.Require().NoError(err)
 }
 
@@ -1676,28 +1672,28 @@ func (s *AttributeFqnSuite) Test_GrantsAreReturned() {
 	s.NotNil(kas)
 
 	// Create NS Grant
-	nsGrant, err := s.db.PolicyClient.AssignKeyAccessServerToNamespace(s.ctx, policydb.AssignKeyAccessServerToNamespaceParams{
-		NamespaceID:       ns.GetId(),
-		KeyAccessServerID: kas.GetId(),
-	})
+	// use Pgx.Exec because INSERT is only for testing and should not be part of PolicyDBClient
+	nsGrant, err := s.db.PolicyClient.Pgx.Exec(s.ctx,
+		`INSERT INTO attribute_namespace_key_access_grants (namespace_id, key_access_server_id) VALUES ($1, $2)`,
+		ns.GetId(), kas.GetId())
 	s.Require().NoError(err)
-	s.NotNil(nsGrant)
+	s.NotNil(nsGrant.RowsAffected())
 
 	// Create Attribute Grant
-	attrGrant, err := s.db.PolicyClient.AssignKeyAccessServerToAttribute(s.ctx, policydb.AssignKeyAccessServerToAttributeParams{
-		AttributeDefinitionID: attr.GetId(),
-		KeyAccessServerID:     kas.GetId(),
-	})
+	// use Pgx.Exec because INSERT is only for testing and should not be part of PolicyDBClient
+	attrGrant, err := s.db.PolicyClient.Pgx.Exec(s.ctx,
+		`INSERT INTO attribute_definition_key_access_grants (attribute_definition_id, key_access_server_id) VALUES ($1, $2)`,
+		attr.GetId(), kas.GetId())
 	s.Require().NoError(err)
-	s.NotNil(attrGrant)
+	s.NotNil(attrGrant.RowsAffected())
 
 	// Create Value Grant
-	valueGrant, err := s.db.PolicyClient.AssignKeyAccessServerToAttributeValue(s.ctx, policydb.AssignKeyAccessServerToAttributeValueParams{
-		AttributeValueID:  attr.GetValues()[0].GetId(),
-		KeyAccessServerID: kas.GetId(),
-	})
+	// use Pgx.Exec because INSERT is only for testing and should not be part of PolicyDBClient
+	valueGrant, err := s.db.PolicyClient.Pgx.Exec(s.ctx,
+		`INSERT INTO attribute_value_key_access_grants (attribute_value_id, key_access_server_id) VALUES ($1, $2)`,
+		attr.GetValues()[0].GetId(), kas.GetId())
 	s.Require().NoError(err)
-	s.NotNil(valueGrant)
+	s.NotNil(valueGrant.RowsAffected())
 
 	// Get Namespace check for grant
 	nsGet, err := s.db.PolicyClient.GetNamespace(s.ctx, ns.GetId())

service/integration/kas_registry_key_test.go

@@ -400,14 +400,12 @@ func (s *KasRegistryKeySuite) Test_ListKeys_KasID_Limit_Success() {
 }
 
 func (s *KasRegistryKeySuite) Test_RotateKey_Multiple_Attributes_Values_Namespaces_Success() {
-	attrValueIDs := make([]string, 0)
-	attrDefIDs := make([]string, 0)
 	namespaceIDs := make([]string, 0)
 	keyIDs := make([]string, 0)
 	kasIDs := make([]string, 0)
 
 	defer func() {
-		s.cleanupAttrs(attrValueIDs, namespaceIDs, attrDefIDs)
+		s.cleanupNamespacesAndAttrsByIDs(namespaceIDs)
 		s.cleanupKeys(keyIDs, kasIDs)
 	}()
 
@@ -426,8 +424,6 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Multiple_Attributes_Values_Namespac
 	namespaceMap := s.setupNamespaceForRotate(1, 1, keyMap[rotateKey].GetKey(), keyMap[nonRotateKey].GetKey())
 	namespaceIDs = append(namespaceIDs, namespaceMap[rotateKey][0].GetId(), namespaceMap[nonRotateKey][0].GetId())
 	attributeMap := s.setupAttributesForRotate(1, 1, 1, 1, namespaceMap, keyMap[rotateKey].GetKey(), keyMap[nonRotateKey].GetKey())
-	attrDefIDs = append(attrDefIDs, attributeMap[rotateKey][0].GetId(), attributeMap[nonRotateKey][0].GetId())
-	attrValueIDs = append(attrValueIDs, attributeMap[rotateKey][0].GetValues()[0].GetId(), attributeMap[nonRotateKey][0].GetValues()[0].GetId())
 
 	newKey := kasregistry.RotateKeyRequest_NewKey{
 		KeyId:        "new_key_id",
@@ -525,14 +521,12 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Multiple_Attributes_Values_Namespac
 }
 
 func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_AttributeValue_Success() {
-	attrValueIDs := make([]string, 0)
-	attrDefIDs := make([]string, 0)
 	namespaceIDs := make([]string, 0)
 	keyIDs := make([]string, 0)
 	kasIDs := make([]string, 0)
 
 	defer func() {
-		s.cleanupAttrs(attrValueIDs, namespaceIDs, attrDefIDs)
+		s.cleanupNamespacesAndAttrsByIDs(namespaceIDs)
 		s.cleanupKeys(keyIDs, kasIDs)
 	}()
 
@@ -551,7 +545,6 @@ func (s *KasRegistryKeySuite) Test_RotateKey_Two_Attribute_Two_Namespace_0_Attri
 	namespaceMap := s.setupNamespaceForRotate(2, 2, keyMap[rotateKey].GetKey(), keyMap[nonRotateKey].GetKey())
 	namespaceIDs = append(namespaceIDs, namespaceMap[rotateKey][0].GetId(), namespaceMap[rotateKey][1].GetId(), namespaceMap[nonRotateKey][0].GetId(), namespaceMap[nonRotateKey][1].GetId())
 	attributeMap := s.setupAttributesForRotate(2, 2, 0, 0, namespaceMap, keyMap[rotateKey].GetKey(), keyMap[nonRotateKey].GetKey())
-	attrDefIDs = append(attrDefIDs, attributeMap[rotateKey][0].GetId(), attributeMap[nonRotateKey][0].GetId(), attributeMap[rotateKey][1].GetId(), attributeMap[nonRotateKey][1].GetId())
 
 	newKey := kasregistry.RotateKeyRequest_NewKey{
 		KeyId:        "new_key_id",
@@ -1143,7 +1136,7 @@ func (s *KasRegistryKeySuite) Test_ListKeyMappings_ByID_OneAttrValue_Success() {
 			keyIDs = append(keyIDs, key.GetKey().GetId())
 		}
 		s.cleanupKeys(keyIDs, kasIDs)
-		s.deleteAttributes(namespaces, attributeDefs, attrValues)
+		s.cleanupNamespacesAndAttrs(namespaces)
 	}()
 	kasKey := s.createKeyAndKas()
 	kasKeys = append(kasKeys, kasKey)
@@ -1209,7 +1202,7 @@ func (s *KasRegistryKeySuite) Test_ListKeyMappings_By_Key_Success() {
 			keyIDs = append(keyIDs, key.GetKey().GetId())
 		}
 		s.cleanupKeys(keyIDs, kasIDs)
-		s.deleteAttributes(namespaces, attributeDefs, attrValues)
+		s.cleanupNamespacesAndAttrs(namespaces)
 	}()
 	kasKey := s.createKeyAndKas()
 	kasKeys = append(kasKeys, kasKey)
@@ -1308,7 +1301,7 @@ func (s *KasRegistryKeySuite) Test_ListKeyMappings_SameKeyId_DifferentKas_Succes
 			keyIDs = append(keyIDs, key.GetKey().GetId())
 		}
 		s.cleanupKeys(keyIDs, kasIDs)
-		s.deleteAttributes(namespaces, attributeDefs, attrValues)
+		s.cleanupNamespacesAndAttrs(namespaces)
 	}()
 
 	kasKey := s.createKeyAndKas()
@@ -1411,7 +1404,7 @@ func (s *KasRegistryKeySuite) Test_ListKeyMappings_Multiple_Keys_Pagination_Succ
 			keyIDs = append(keyIDs, key.GetKey().GetId())
 		}
 		s.cleanupKeys(keyIDs, kasIDs)
-		s.deleteAttributes(namespaces, attributeDefs, attrValues)
+		s.cleanupNamespacesAndAttrs(namespaces)
 	}()
 	for i := range 2 {
 		kasKey := s.createKeyAndKas()
@@ -1482,7 +1475,7 @@ func (s *KasRegistryKeySuite) Test_ListKeyMappings_Multiple_Mixed_Mappings() {
 			keyIDs = append(keyIDs, key.GetKey().GetId())
 		}
 		s.cleanupKeys(keyIDs, kasIDs)
-		s.deleteAttributes(namespaces, attributeDefs, attrValues)
+		s.cleanupNamespacesAndAttrs(namespaces)
 	}()
 
 	for range 3 {
@@ -1746,23 +1739,9 @@ func (s *KasRegistryKeySuite) setupAttributesForRotate(numAttrsToRotate, numAttr
 	}
 }
 
-func (s *KasRegistryKeySuite) cleanupAttrs(attrValueIDs []string, namespaceIDs []string, attributeIDs []string) {
-	for _, id := range attrValueIDs {
-		_, err := s.db.PolicyClient.DeleteAttributeValue(s.ctx, id)
-		s.Require().NoError(err)
-	}
-	for _, id := range namespaceIDs {
-		_, err := s.db.PolicyClient.DeleteNamespace(s.ctx, id)
-		s.Require().NoError(err)
-	}
-	for _, id := range attributeIDs {
-		_, err := s.db.PolicyClient.DeleteAttribute(s.ctx, id)
-		s.Require().NoError(err)
-	}
-}
-
 func (s *KasRegistryKeySuite) cleanupKeys(keyIDs []string, keyAccessServerIDs []string) {
-	err := s.db.PolicyClient.DeleteAllBaseKeys(s.ctx)
+	// use Pgx.Exec because DELETE is only for testing and should not be part of PolicyDBClient
+	_, err := s.db.PolicyClient.Pgx.Exec(s.ctx, "DELETE FROM base_keys")
 	s.Require().NoError(err)
 
 	for _, id := range keyIDs {
@@ -1846,17 +1825,22 @@ func validatePrivatePublicCtx(s *suite.Suite, expectedPrivCtx, expectedPubCtx []
 	})
 }
 
-func (s *KasRegistryKeySuite) deleteAttributes(namespaces []*policy.Namespace, attributeDefs []*policy.Attribute, attrValues []*policy.Value) {
-	for _, value := range attrValues {
-		_, err := s.db.PolicyClient.DeleteAttributeValue(s.ctx, value.GetId())
-		s.Require().NoError(err)
-	}
-	for _, def := range attributeDefs {
-		_, err := s.db.PolicyClient.DeleteAttribute(s.ctx, def.GetId())
+// cascade delete will remove namespaces and all associated attributes and values
+func (s *KasRegistryKeySuite) cleanupNamespacesAndAttrsByIDs(namespaceIDs []string) {
+	namespaces := make([]*policy.Namespace, len(namespaceIDs))
+	for i, id := range namespaceIDs {
+		ns, err := s.db.PolicyClient.GetNamespace(s.ctx, id)
 		s.Require().NoError(err)
+		s.NotNil(ns)
+		namespaces[i] = ns
 	}
+	s.cleanupNamespacesAndAttrs(namespaces)
+}
+
+// cascade delete will remove namespaces and all associated attributes and values
+func (s *KasRegistryKeySuite) cleanupNamespacesAndAttrs(namespaces []*policy.Namespace) {
 	for _, ns := range namespaces {
-		_, err := s.db.PolicyClient.DeleteNamespace(s.ctx, ns.GetId())
+		_, err := s.db.PolicyClient.UnsafeDeleteNamespace(s.ctx, ns, ns.GetFqn())
 		s.Require().NoError(err)
 	}
 }

service/integration/policy_test.go

@@ -6,6 +6,9 @@ import (
 	"log/slog"
 	"testing"
 
+	"github.com/opentdf/platform/protocol/go/policy"
+	"github.com/opentdf/platform/protocol/go/policy/attributes"
+	"github.com/opentdf/platform/protocol/go/policy/namespaces"
 	"github.com/opentdf/platform/service/internal/fixtures"
 	"github.com/opentdf/platform/service/policy/db"
 	"github.com/stretchr/testify/suite"
@@ -45,26 +48,29 @@ func (s *PolicyDBClientSuite) Test_RunInTx_CommitsOnSuccess() {
 	)
 
 	txErr := s.db.PolicyClient.RunInTx(s.ctx, func(txClient *db.PolicyDBClient) error {
-		nsID, err = txClient.Queries.CreateNamespace(s.ctx, db.CreateNamespaceParams{
+		ns, err := txClient.CreateNamespace(s.ctx, &namespaces.CreateNamespaceRequest{
 			Name: nsName,
 		})
 		s.Require().NoError(err)
-		s.Require().NotNil(nsID)
+		s.Require().NotNil(ns)
+		nsID = ns.GetId()
 
-		attrID, err = txClient.Queries.CreateAttribute(s.ctx, db.CreateAttributeParams{
-			NamespaceID: nsID,
+		attr, err := txClient.CreateAttribute(s.ctx, &attributes.CreateAttributeRequest{
+			NamespaceId: nsID,
 			Name:        attrName,
-			Rule:        db.AttributeDefinitionRuleALLOF,
+			Rule:        policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF,
 		})
 		s.Require().NoError(err)
-		s.Require().NotNil(attrID)
+		s.Require().NotNil(attr)
+		attrID = attr.GetId()
 
-		valID, err = txClient.Queries.CreateAttributeValue(s.ctx, db.CreateAttributeValueParams{
-			AttributeDefinitionID: attrID,
-			Value:                 attrValue,
+		val, err := txClient.CreateAttributeValue(s.ctx, attrID, &attributes.CreateAttributeValueRequest{
+			AttributeId: attrID,
+			Value:       attrValue,
 		})
 		s.Require().NoError(err)
 		s.Require().NotNil(valID)
+		valID = val.GetId()
 
 		return nil
 	})
@@ -94,19 +100,22 @@ func (s *PolicyDBClientSuite) Test_RunInTx_RollsBackOnFailure() {
 	)
 
 	txErr := s.db.PolicyClient.RunInTx(s.ctx, func(txClient *db.PolicyDBClient) error {
-		nsID, err = txClient.Queries.CreateNamespace(s.ctx, db.CreateNamespaceParams{
+		ns, err := txClient.CreateNamespace(s.ctx, &namespaces.CreateNamespaceRequest{
 			Name: nsName,
 		})
 		s.Require().NoError(err)
-		s.Require().NotNil(nsID)
+		s.Require().NotNil(ns)
+		nsID = ns.GetId()
 
-		attrID, err = txClient.Queries.CreateAttribute(s.ctx, db.CreateAttributeParams{
-			NamespaceID: "invalid_ns_id",
+		attr, err := txClient.CreateAttribute(s.ctx, &attributes.CreateAttributeRequest{
+			NamespaceId: "invalid_ns_id",
 			Name:        attrName,
-			Rule:        db.AttributeDefinitionRuleALLOF,
+			Rule:        policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF,
 		})
 		s.Require().Error(err)
-		s.Require().Empty(attrID)
+		s.Require().Empty(attr)
+		attrID = attr.GetId()
+
 		return err
 	})
 	s.Require().Error(txErr)

service/policy/db/actions.go

@@ -48,7 +48,7 @@ func (c PolicyDBClient) GetAction(ctx context.Context, req *actions.GetActionReq
 		return nil, db.ErrSelectIdentifierInvalid
 	}
 
-	got, err := c.Queries.getAction(ctx, getActionParams)
+	got, err := c.queries.getAction(ctx, getActionParams)
 	if err != nil {
 		return nil, db.WrapIfKnownInvalidQueryErr(err)
 	}
@@ -73,7 +73,7 @@ func (c PolicyDBClient) ListActions(ctx context.Context, req *actions.ListAction
 		return nil, db.ErrListLimitTooLarge
 	}
 
-	list, err := c.Queries.listActions(ctx, listActionsParams{
+	list, err := c.queries.listActions(ctx, listActionsParams{
 		Limit:  limit,
 		Offset: offset,
 	})
@@ -130,7 +130,7 @@ func (c PolicyDBClient) CreateAction(ctx context.Context, req *actions.CreateAct
 		Metadata: metadataJSON,
 	}
 
-	createdID, err := c.Queries.createCustomAction(ctx, createParams)
+	createdID, err := c.queries.createCustomAction(ctx, createParams)
 	if err != nil {
 		return nil, db.WrapIfKnownInvalidQueryErr(err)
 	}
@@ -166,7 +166,7 @@ func (c PolicyDBClient) UpdateAction(ctx context.Context, req *actions.UpdateAct
 		Metadata: metadataJSON,
 	}
 
-	count, err := c.Queries.updateCustomAction(ctx, updateParams)
+	count, err := c.queries.updateCustomAction(ctx, updateParams)
 	if err != nil {
 		return nil, db.WrapIfKnownInvalidQueryErr(err)
 	}
@@ -182,7 +182,7 @@ func (c PolicyDBClient) UpdateAction(ctx context.Context, req *actions.UpdateAct
 }
 
 func (c PolicyDBClient) DeleteAction(ctx context.Context, req *actions.DeleteActionRequest) (*policy.Action, error) {
-	count, err := c.Queries.deleteCustomAction(ctx, req.GetId())
+	count, err := c.queries.deleteCustomAction(ctx, req.GetId())
 	if err != nil {
 		return nil, db.WrapIfKnownInvalidQueryErr(err)
 	}