feat(policy): namespace root certificates #2771
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
github-actions
bot
added
comp:policy
pflynn-virtru
changed the title
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
…or certificate management. Add associated tests.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
c-r33d
reviewed
Oct 7, 2025
c-r33d
reviewed
Oct 7, 2025
c-r33d
reviewed
Oct 7, 2025
c-r33d
reviewed
Oct 7, 2025
service/policy/db/migrations/20251002000000_add_namespace_certificates.sql
Show resolved
Hide resolved
c-r33d
reviewed
Oct 7, 2025
There was a problem hiding this comment.
Looks good, just a couple small comments.
Are you wanting to be able to retrieve your created certs? In addition, you will probably want an easy command to list your namespace <-> cert pairs. Key management uses a function called ListKeyMappings, which will return all mappings for namespace/definition/value <-> kas asymmetric keys.
…distinction, enhance namespace-certificate management with ID/FQN support. Update related migrations, RPCs, and documentation.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
|
Looks good. Gonna have @jakedoublev review it as well, just to make sure his concerns are met also. |
jakedoublev
reviewed
Oct 8, 2025
|
|
||
| -- name: createCertificate :one | ||
| INSERT INTO certificates (x5c, is_root, metadata) | ||
| VALUES (sqlc.arg('x5c'), COALESCE(sqlc.narg('is_root')::BOOLEAN, TRUE), sqlc.arg('metadata')) |
There was a problem hiding this comment.
Are we taking in is_root from the protos at all? Or is every cert creation/assignment a root at this time? I didn't see it in the protos. 🤔
service/policy/db/migrations/20251002000000_add_namespace_certificates.sql
Show resolved
Hide resolved
|
/gemini review |
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This is a great feature addition, enabling namespace-scoped root certificates. The implementation is well-structured, with good use of database transactions, clear separation of concerns, and appropriate validation. The addition of database migrations, documentation, and tests is also excellent.
I've identified a couple of areas for improvement related to database query efficiency and maintainability. My comments are detailed below.
strantalis
reviewed
Oct 8, 2025
…Cs, migrations, documentation, and tests for consistency with PEM standards.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
…space # Conflicts: # docs/openapi/policy/attributes/attributes.openapi.yaml # protocol/go/policy/namespaces/namespaces.pb.go
…e certificate RPCs for enhanced certificate management.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
…n namespace key and certificate assignments
…in migration rollback
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
…pecs, and database mappings; update related documentation and RPCs.
Co-authored-by: Jake Van Vorhis <83739412+jakedoublev@users.noreply.github.com>
…d error context serialization
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
…nhanced context in unknown identifier cases
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
…ries, methods, and documentation for simplified root-only certificate management.
I added a check to see if the PEM is already added to the certificate table. so no duplicate PEM |
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
…, and ensure proper certificate cleanup on namespace removal
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Standard Benchmark Metrics Skipped or FailedBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This pull request introduces new support for namespace root certificates within the policy service, updates the API to expose these certificates, and makes related improvements to authentication and routing. The most significant changes include extending the
Namespaceobject to include root certificates, updating the API and HTTP routing to allow public access to namespace information, and adding a proof-of-concept implementation for injecting a root CA certificate.http://localhost:8080/policy.namespaces.NamespaceService/GetNamespace{ "namespace": { "id": "8f1d8839-2851-4bf4-8bf4-5243dbfe517d", "name": "example.com", "fqn": "https://example.com", "active": true, "metadata": { "createdAt": "2025-10-10T17:01:12.477117Z", "updatedAt": "2025-10-10T17:01:12.477117Z" }, "rootCerts": [ { "id": "46f1aa69-a458-45fa-9ff3-bc6e2f349773", "pem": "-----BEGIN CERTIFICATE-----\nMIIC/TCCAeWgAwIBAgIUSMNrGBq+5ax1wDaMSX8Nnl1m/REwDQYJKoZIhvcNAQEL\nBQAwDjEMMAoGA1UEAwwDa2FzMB4XDTI0MDUyOTE4MzcxOFoXDTI1MDUyOTE4Mzcx\nOFowDjEMMAoGA1UEAwwDa2FzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC\nAQEAzbLGCYovxrCy6DccFAdj1DjnDKwmTqjYQoHfOKXbYOF1Yf5mvAyFO9MhtLet\nPRhmCd7mJA3M8Sy4/kqqAZprYHmvagAIwD0zQyQ+DcogrzmirQ8cUYIDkGre1exc\niVKsNYSlM/NcjNO5AqOaw7gQvmUkp2YciSMa7mixPsl3OTArtOtEGMn34RK1NGC+\n+MdUH6TOF2VmhqJ6+F8iSF154ldRoiR01LIzIxvqpHr0RYhU93BrMDcb4Yx92j2M\nlCpwJ8hVf2RPIqhjsnivzXu+BBQh7zynB3H6LnZUGlyWEHgEfM9yhTFWNeKDClKC\nFE2s1DD8ksvMa8ayndIy0+cNXQIDAQABo1MwUTAdBgNVHQ4EFgQUrrmJ35Nvvkpp\nGnQi686Y/DKmsv0wHwYDVR0jBBgwFoAUrrmJ35NvvkppGnQi686Y/DKmsv0wDwYD\nVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAAXfFJqJYVD+7GqZAWg3v\nw1Sr9jKvwMTtcAhmEJ8KKu9u4C/eGz+P4vU+KwismRfFwQaZVr0AuxRhCtCt3dqh\nKPHZ6sVUw8NG/Fg8v7cQmSpNEuy31vxTMrAWE0/zgScZmIQgS5TnqavsEaxiQGU1\nKTEGOuYQRQZ44KBQJJwUHpwb6znHOwVTKex4OsenkxMLOgsPYa3Qf53kHdZIq8x6\nkxm+METK7jT7RMDNqFWPo4R7XfpvCBR/HS3xjmXe0VVonSc2I4QKdrFPpmx2oOsS\n8Mr8dklyCivjNJ4dM1oKU/YK0hm0bF4OuhoROKpDDBDimDPnFFh/tphl1rzAuuxM\n/A==\n-----END CERTIFICATE-----\n" } ] } }Namespace Root Certificate Support:
root_certsrepeated field of typeCertificateto theNamespacemessage inpolicy/objects.proto, and defined a newCertificatemessage to hold certificate data in PEM format.