Skip to content

fix(authz): access pdp should use proto getter #2530

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 7, 2025
Merged

fix(authz): access pdp should use proto getter #2530

merged 2 commits into from
Jul 7, 2025
+1 −1

Conversation

jakedoublev
Copy link
Contributor

Proposed Changes

  • Fixes one direct access of proto fields without using nil-safe getter

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

gemini-code-assist[bot]
gemini-code-assist bot reviewed Jul 7, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary of Changes

Hello @jakedoublev, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements a targeted fix to enhance the robustness of the authorization policy decision point (PDP) by ensuring that protocol buffer fields are accessed using their nil-safe getter methods. This change prevents potential panics that could occur if a directly accessed field were nil, thereby improving the overall stability and reliability of the access control system.

Highlights

  • Bug Fix: Corrected a direct access of a protocol buffer field (Value) to use its generated nil-safe getter method (GetValue()) within the Policy Decision Point (PDP) logic.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point in your pull request via creating an issue comment (i.e. comment on the pull request page) using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in issue comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist is currently in preview and may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments to provide feedback.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Direct field access, Can bring a nil pointer crash, Getters make it safe.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

gemini-code-assist[bot]
gemini-code-assist bot reviewed Jul 7, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request aims to fix a direct access of a protobuf field by using a nil-safe getter, which is a good practice for correctness and to prevent panics. The change is in the right direction, but it's incomplete as another direct field access remains on the same line. My review includes a suggestion to fully resolve this issue.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 7, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 5000
Denied Decision Requests 0
Total Time 523.816898ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Error invalid_argument: validation error:
  • resources: value must contain no more than 1000 item(s) [repeated.max_items] |
    | Total Time | 45.63362ms |

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 550.675262ms
Throughput 181.60 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 36.68326581s
Average Latency 365.125703ms
Throughput 136.30 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 25.845202717s
Average Latency 257.288186ms
Throughput 193.46 requests/second

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Jul 7, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 5000
Denied Decision Requests 0
Total Time 532.772212ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Error invalid_argument: validation error:
  • resources: value must contain no more than 1000 item(s) [repeated.max_items] |
    | Total Time | 37.402225ms |

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 349.937963ms
Throughput 285.76 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.935364505s
Average Latency 387.434344ms
Throughput 128.42 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.864204054s
Average Latency 277.595084ms
Throughput 179.44 requests/second

@jakedoublev jakedoublev marked this pull request as ready for review July 7, 2025 16:58
@jakedoublev jakedoublev requested a review from a team as a code owner July 7, 2025 16:58
@jakedoublev jakedoublev added this pull request to the merge queue Jul 7, 2025
Merged via the queue into main with commit f856212 Jul 7, 2025
29 checks passed
@jakedoublev jakedoublev deleted the fix/access-pdp branch July 7, 2025 17:36
@opentdf-automation opentdf-automation bot mentioned this pull request Jul 3, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request Jul 31, 2025
@opentdf-automation
chore(main): release service 0.8.0 (#2487)
b95d4b3 
🤖 I have created a release *beep* *boop*
---


##
[0.8.0](service/v0.7.0...service/v0.8.0)
(2025-07-29)


### Features

* **authz:** RR GetDecision improvements
([#2479](#2479))
([443cedb](443cedb))
* **authz:** sensible request limit upper bounds
([#2526](#2526))
([b3093cc](b3093cc))
* **core:** Add the ability to configure the http server settings
([#2522](#2522))
([b1472df](b1472df))
* **policy:** Add list key mappings rpc.
([#2533](#2533))
([fbc2724](fbc2724))
* **policy:** add obligation protos
([#2579](#2579))
([50882e1](50882e1))
* **policy:** add obligation tables
([#2532](#2532))
([c7d7aa4](c7d7aa4))
* **policy:** Add validation to delete keys
([#2576](#2576))
([cc169d9](cc169d9))
* **policy:** Allow the deletion of a key.
([#2575](#2575))
([82b96f0](82b96f0))
* **policy:** Change return type for delete key proto.
([#2566](#2566))
([c1ae924](c1ae924))
* **policy:** sqlc queries refactor
([#2541](#2541))
([e34680e](e34680e))


### Bug Fixes

* add back grants to listAttributesByDefOrValueFqns
([#2493](#2493))
([2b47095](2b47095))
* **authz:** access pdp should use proto getter
([#2530](#2530))
([f856212](f856212))
* **core:** Allow 521 curve to be used
([#2485](#2485))
([aaf43dc](aaf43dc))
* **core:** resolve 'built-in' typos
([#2548](#2548))
([ccdfa96](ccdfa96))
* **deps:** bump github.com/opentdf/platform/lib/ocrypto from 0.2.0 to
0.3.0 in /service
([#2504](#2504))
([a9cc4dd](a9cc4dd))
* **sdk:** Prefer KID and Algorithm selection from key maps
([#2475](#2475))
([98fd392](98fd392))

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ryanulit ryanulit ryanulit approved these changes

@elizabethhealy elizabethhealy elizabethhealy approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements
Assignees
No one assigned
Labels
size/xs
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jakedoublev @ryanulit @elizabethhealy