feat(policy): Unique name for the key provider. #2391
Conversation
github-actions
bot
added
external-contributor
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hello @c-r33d, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!
Summary of Changes
Hello team,
Gemini or gemini-code-assist here to provide a summary of this pull request. The primary goal of this PR, as indicated by the title and description, is to enforce uniqueness for the provider_name field within the provider_config table in the policy service database. This ensures that each key provider configuration can be uniquely identified by its name.
The changes involve adding a unique constraint to the database schema via a new migration script, updating the schema documentation to reflect this change, and enhancing the integration tests for key management to verify the new unique constraint and improve test cleanup procedures.
Highlights
- Database Schema Change: A unique constraint has been added to the
provider_namecolumn in theprovider_configtable to enforce uniqueness. - Database Migration: A new SQL migration script (
20250605000000_unique_provider_name.sql) is included to apply and rollback the unique constraint on theprovider_namecolumn. - Integration Test Enhancement: The key management integration tests (
keymanagement_test.go) have been updated to include a new test case specifically for verifying that creating a provider config with a duplicate name fails as expected. Additionally, a helper function (deleteTestProviderConfigs) anddeferstatements were introduced to ensure proper cleanup of created test data after each test run. - Schema Documentation Update: The schema ER diagram documentation (
schema_erd.md) has been updated to mark theprovider_namecolumn as a Unique Key (UK) in theprovider_configtable. (Note: An unrelated change addingselector_valuestocondition_setwas also included in this file).
Changelog
Click here to see the changelog
- service/integration/keymanagement_test.go
- Added
deleteTestProviderConfigshelper function for test cleanup (lines 50-56). - Updated existing tests to use
deleteTestProviderConfigswithdeferfor cleanup (e.g., lines 59-60, 64-67, 107-110, 122-125, 144-147, 158-161, 197-200, 236-239). - Added
Test_CreateProviderConfig_DuplicateName_Failsto verify unique name constraint (lines 89-104). - Modified
createTestProviderConfighelper to accept provider name, config, and metadata as arguments (lines 317-324).
- Added
- service/policy/db/migrations/20250605000000_unique_provider_name.md
- Added new migration documentation file with ER diagram showing unique constraint on
provider_name.
- Added new migration documentation file with ER diagram showing unique constraint on
- service/policy/db/migrations/20250605000000_unique_provider_name.sql
- Added new SQL migration file.
- Added
+goose Upstatement to add a unique constraintprovider_config_provider_name_keytoprovider_config.provider_name(line 3). - Added
+goose Downstatement to drop the unique constraint (line 10).
- service/policy/db/schema_erd.md
- Updated
provider_configentry to markprovider_nameas a Unique Key (UK) (line 140). - Added description for
selector_valuescolumn incondition_settable (line 194).
- Updated
Using Gemini Code Assist
The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.
Invoking Gemini
You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.
| Feature | Command | Description |
|---|---|---|
| Code Review | /gemini review |
Performs a code review for the current pull request in its current state. |
| Pull Request Summary | /gemini summary |
Provides a summary of the current pull request in its current state. |
| Comment | @gemini-code-assist | Responds in comments when explicitly tagged, both in issue comments and review comments. |
| Help | /gemini help |
Displays a list of available commands. |
Customization
To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.
Limitations & Feedback
Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.
You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.
Name must stand alone,
One provider, one true name,
Database says so.
Footnotes
-
Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
The pull request introduces a unique constraint on the provider_name field in the provider_config table. This ensures that each key provider has a unique name, preventing naming conflicts. The changes include database migrations, schema updates, and integration tests to validate the new constraint. Overall, the changes are well-structured and address the intended functionality. However, there are a few areas that could be improved for clarity and efficiency.
Summary of Findings
- Resource Cleanup: Several test cases create provider configurations but don't ensure they are always deleted, especially in case of panics. Using
deferto calldeleteTestProviderConfigscan prevent orphaned resources. - Test Case Clarity: Some test cases lack comments explaining their purpose. Adding comments can improve readability and understanding of the test's intent.
- Test Case Efficiency: In several test cases, the
appendoperation to create a slice of provider config IDs is unnecessary. Passing the ID directly todeleteTestProviderConfigscan simplify the code.
Merge Readiness
The pull request is almost ready for merging. Addressing the feedback regarding resource cleanup and test case clarity will improve the overall quality and reliability of the code. I am unable to directly approve the pull request, and users should have others review and approve this code before merging. I recommend addressing the medium severity issues before merging.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Bulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
🤖 I have created a release *beep* *boop* --- ## [0.6.0](service/v0.5.5...service/v0.6.0) (2025-06-06) ### Features * **authz:** DSPX-894 auth svc registered resource GetEntitlement support ([#2358](#2358)) ([a199aa7](a199aa7)) * **authz:** improve v2 request proto validation ([#2357](#2357)) ([f927b99](f927b99)) * **core:** DSPX-608 - Deprecate public_client_id ([#2185](#2185)) ([0f58efa](0f58efa)) * **policy:** Return Simple Kas Keys from non-Key RPCs ([#2387](#2387)) ([5113e0e](5113e0e)) * **policy:** Unique name for the key provider. ([#2391](#2391)) ([bb58b78](bb58b78)) * **policy:** Update simple kas key ([#2378](#2378)) ([09d8239](09d8239)) ### Bug Fixes * **deps:** bump github.com/opentdf/platform/protocol/go from 0.3.6 to 0.4.0 in /service ([#2399](#2399)) ([1c6fa75](1c6fa75)) * **deps:** bump the external group across 1 directory with 21 updates ([#2401](#2401)) ([3d0d4d1](3d0d4d1)) * **policy:** move action sub queries to CTE in sm list and match sql ([#2369](#2369)) ([0fd6feb](0fd6feb)) * **policy:** protovalidate deprecated action types and removal of gRPC gateway in subject mappings svc ([#2377](#2377)) ([54a6de0](54a6de0)) * **policy:** remove gRPC gateway in policy except where needed ([#2382](#2382)) ([1937acb](1937acb)) * **policy:** remove support for creation/updation of SubjectMappings with deprecated proto actions ([#2373](#2373)) ([3660200](3660200)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Proposed Changes
1.) Make the provider_name for the provider configuration unique.
Checklist
Testing Instructions