feat(policy): namespace Registered Resources #3106

Open
alkalescent wants to merge 6 commits into main from DSPX-2496-namespace-rr

@alkalescent

Proposed Changes

  • Add namespacing to Registered Resources.

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

@github-actions bot added the labels comp:db (DB component), comp:policy (Policy Configuration: attributes, subject mappings, resource mappings, kas registry) and size/l on Mar 2, 2026
@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist [1]! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces a significant architectural enhancement by implementing namespacing for Registered Resources. This change allows for better organization and isolation of resources, addressing potential naming conflicts and improving multi-tenancy support. The modifications span across data models, database schema, API contracts, and internal logic, ensuring a robust and backward-compatible solution for managing both new namespaced and existing legacy resources.

Highlights

  • Namespaced Registered Resources: Introduced a Namespace field to FullyQualifiedRegisteredResourceValue and RegisteredResource objects, enabling resources to be organized within specific namespaces. This includes new FQN formats like https://<namespace>/rr/<name>/value/<value>.
  • Backward Compatibility: Implemented logic to support both the new namespaced FQN format and the legacy https://reg_res/<name>/value/<value> format, ensuring existing non-namespaced resources remain accessible and functional.
  • Database Schema and Query Updates: Added a namespace_id column to the registered_resources table, updated uniqueness constraints to enforce uniqueness within a namespace for new resources, and modified SQL queries to filter and return namespace information.
  • API and Validation Enhancements: Updated API requests (CreateRegisteredResourceRequest, GetRegisteredResourceRequest, ListRegisteredResourcesRequest) to include namespace identifiers (ID or FQN) and added validation to ensure that related entities, such as action attribute values, are constrained to the same namespace as their parent registered resource.
  • Comprehensive Testing: Expanded unit and integration tests to cover new namespaced scenarios, including creation, retrieval, listing, and cross-namespace enforcement, as well as verifying continued functionality for legacy resources.

Changelog
  • lib/identifier/registered_resource_value.go
    • Updated FullyQualifiedRegisteredResourceValue struct to include a Namespace field.
    • Added new regex for namespaced FQNs and a separate one for legacy FQNs.
    • Modified parseRegisteredResourceValueFqn to support both new namespaced and legacy FQN formats.
    • Updated FQN() method to generate namespaced FQNs when a namespace is present.
  • lib/identifier/registered_resource_value_test.go
    • Expanded test cases for FQN generation and parsing to cover namespaced and legacy formats.
    • Added assertions for the Namespace field in parsed FQNs.
  • service/integration/registered_resources_test.go
    • Introduced helper functions getNamespaceID and getNamespaceFQN.
    • Modified existing resource creation tests to specify a NamespaceId.
    • Added comprehensive integration tests for namespaced resource creation, retrieval, listing, and value handling.
    • Implemented tests for cross-namespace enforcement, ensuring attribute values are linked within the same namespace.
    • Verified backward compatibility for legacy (non-namespaced) resources.
    • Renamed and updated Test_CreateRegisteredResource_WithNonUniqueName_Fails to Test_CreateRegisteredResource_WithNonUniqueName_SameNamespace_Fails.
    • Renamed and updated Test_UpdateRegisteredResource_NonUniqueName_Fails to Test_UpdateRegisteredResource_NonUniqueName_SameNamespace_Fails.
  • service/policy/db/migrations/20260302000000_add_namespace_to_registered_resources.sql
    • Added a new migration to introduce a namespace_id column to the registered_resources table.
    • Modified uniqueness constraints to support namespaced and legacy resource names.
    • Added an index for namespace_id for efficient querying.
  • service/policy/db/models.go
    • Updated the RegisteredResource struct to include the NamespaceID field.
  • service/policy/db/queries/registered_resources.sql
    • Modified SQL queries for creating, getting, and listing registered resources and their values to incorporate namespace filtering and return namespace details.
  • service/policy/db/registered_resources.go
    • Implemented hydrateNamespaceFromInterface to process namespace data from database queries.
    • Updated CreateRegisteredResource to accept and store namespace information.
    • Enhanced GetRegisteredResource and ListRegisteredResources to support namespace-aware lookups and return hydrated namespace objects.
    • Modified GetRegisteredResourceValue and ListRegisteredResourceValues to return namespace and resource name details.
    • Added validation in createRegisteredResourceActionAttributeValues to prevent linking attribute values from different namespaces.
  • service/policy/db/registered_resources.sql.go
    • Regenerated SQLC code to align with the updated SQL queries and data structures.
  • service/policy/objects.proto
    • Added a Namespace field to the RegisteredResource message.
  • service/policy/registeredresources/registered_resources.proto
    • Updated CreateRegisteredResourceRequest to require either namespace_id or namespace_fqn.
    • Added namespace_fqn to GetRegisteredResourceRequest for name-based lookups.
    • Added optional namespace_id and namespace_fqn filters to ListRegisteredResourcesRequest.
    • Updated validation rules for new namespace fields.
  • service/policy/registeredresources/registered_resources_test.go
    • Updated unit tests for CreateRegisteredResourceRequest to validate the new namespace fields and their oneof requirement.
Ignored Files
  • Ignored by pattern: protocol/**/* (2)
    • protocol/go/policy/objects.pb.go
    • protocol/go/policy/registeredresources/registered_resources.pb.go
Activity
  • The author alkalescent initiated this pull request to introduce namespacing for Registered Resources.
  • Unit tests have been added or updated to validate the new namespacing logic and ensure correct behavior.
  • Integration tests have been added or updated to verify the end-to-end functionality of namespaced Registered Resources and their interactions with other components.
  • Documentation has been updated to reflect the changes in the data model and API, as indicated by the checklist.

A resource, once alone,
Now finds a home, a namespace known.
No longer lost, but neatly bound,
In order, logic can be found.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.


@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request introduces namespacing for Registered Resources, a significant and well-implemented feature. The changes are comprehensive, touching the database schema, queries, application logic, and API definitions, while maintaining backward compatibility for legacy resources. The database migration and integration tests are particularly well-executed.

I have two main points of feedback. First, there's an opportunity to reduce code duplication in the FQN parsing logic for better maintainability. Second, there is a potential N+1 query performance issue in the same-namespace enforcement logic that should be addressed by batching database queries. Overall, this is a strong pull request, and addressing the performance concern is recommended.
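
The two FQN shapes and the same-namespace rule described in the summary and review above, as an added Go sketch that is not code from this pull request. `RRValue`, `ParseRRValueFQN`, `CheckSameNamespace` and the character classes are assumptions; `nsByValueID` stands for the result of one batched lookup rather than one query per value.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// RRValue is a hypothetical parsed FQN; Namespace is empty for legacy FQNs.
type RRValue struct{ Namespace, Name, Value string }

// Assumed character rules; the project's real patterns are not shown on the page.
var (
	namespacedRe = regexp.MustCompile(`^https://([a-zA-Z0-9.-]+)/rr/([a-zA-Z0-9_-]+)/value/([a-zA-Z0-9_-]+)$`)
	legacyRe     = regexp.MustCompile(`^https://reg_res/([a-zA-Z0-9_-]+)/value/([a-zA-Z0-9_-]+)$`)
)

// ParseRRValueFQN accepts both formats. Full anchoring keeps them disjoint:
// the namespaced form has five slash-separated segments after https://,
// the legacy form has four, so no input can match both.
func ParseRRValueFQN(fqn string) (RRValue, error) {
	if m := namespacedRe.FindStringSubmatch(fqn); m != nil {
		return RRValue{m[1], m[2], m[3]}, nil
	}
	if m := legacyRe.FindStringSubmatch(fqn); m != nil {
		return RRValue{"", m[1], m[2]}, nil
	}
	return RRValue{}, errors.New("invalid registered resource value FQN")
}

// CheckSameNamespace is meant for namespaced resources: every attribute value
// must live in resourceNS. Unknown value IDs are rejected (fail closed).
func CheckSameNamespace(resourceNS string, valueIDs []string, nsByValueID map[string]string) error {
	for _, id := range valueIDs {
		ns, ok := nsByValueID[id]
		if !ok {
			return fmt.Errorf("attribute value %q not found", id)
		}
		if ns != resourceNS {
			return fmt.Errorf("attribute value %q is in namespace %q, want %q", id, ns, resourceNS)
		}
	}
	return nil
}

func main() {
	// Constructed inputs for illustration.
	fmt.Println(ParseRRValueFQN("https://example.com/rr/docs/value/secret"))
	fmt.Println(ParseRRValueFQN("https://reg_res/docs/value/secret"))
	fmt.Println(CheckSameNamespace("ns-a", []string{"v1", "v2"}, map[string]string{"v1": "ns-a", "v2": "ns-b"}))
}
```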

@github-actions

github-actions bot commented Mar 2, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 190.14413ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 94.948172ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 381.127484ms
Throughput 262.38 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.692071688s
Average Latency 395.17933ms
Throughput 125.97 requests/second

@github-actions

github-actions bot commented Mar 2, 2026

@github-actions

github-actions bot commented Mar 2, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 198.790078ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 86.765848ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 401.896173ms
Throughput 248.82 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 41.229427898s
Average Latency 410.098253ms
Throughput 121.27 requests/second

@github-actions

github-actions bot commented Mar 2, 2026

@github-actions

github-actions bot commented Mar 2, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 179.507753ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 96.37001ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 370.853246ms
Throughput 269.65 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.200066782s
Average Latency 400.129323ms
Throughput 124.38 requests/second

@github-actions

github-actions bot commented Mar 2, 2026

@github-actions

github-actions bot commented Mar 2, 2026

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 184.691515ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 86.538939ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 388.362286ms
Throughput 257.49 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 43.25724633s
Average Latency 430.770187ms
Throughput 115.59 requests/second

@github-actions

github-actions bot commented Mar 2, 2026

@github-actions

github-actions bot commented Mar 3, 2026

@alkalescent alkalescent marked this pull request as ready for review March 3, 2026 21:25
@alkalescent alkalescent requested review from a team as code owners March 3, 2026 21:25