Skip to content

feat(sdk): Expose policy binding hash from Nano. #2857

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Nov 3, 2025
Merged

feat(sdk): Expose policy binding hash from Nano. #2857

merged 3 commits into from
Nov 3, 2025
+241 −11

Conversation

@c-r33d
Copy link
Contributor

@c-r33d c-r33d commented Oct 30, 2025
edited
Loading

Proposed Changes

1.) Expose PolicyBinding method that returns a implementation of the new PolicyBind interface.
2.) Create new PolicyBind interface with methods String() and Verify().

DSPX-1875

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

@c-r33d c-r33d requested review from a team as code owners October 30, 2025 17:45
@github-actions github-actions bot added the comp:sdk A software development kit, including library, for client applications and inter-service communicati label Oct 30, 2025
@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Oct 30, 2025

Summary of Changes

Hello @c-r33d, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the SDK's policy binding mechanism by introducing a new PolicyBind interface. This interface abstracts the verification and hashing logic for different policy binding types, such as ECDSA and GMAC. The change promotes a more modular design, making the policy binding process more flexible and easier to maintain or extend in the future. It also provides a clear way to access the specific policy binding implementation.

Highlights

  • New PolicyBind Interface: Introduced a new PolicyBind interface with Verify() and Hash() methods to standardize policy binding operations.
  • Refactored Policy Binding Logic: The existing VerifyPolicyBinding() method has been refactored to utilize the new PolicyBind interface, improving modularity and extensibility.
  • Exposed PolicyBinding Method: A new PolicyBinding() method is now exposed on the NanoTDFHeader to return an appropriate PolicyBind implementation (either ECDSA or GMAC).
  • Dedicated Implementations: Concrete implementations, ecdsaPolicyBinding and gmacPolicyBinding structs, have been added to handle the specific logic for each binding type.
  • Comprehensive Unit Tests: New unit tests have been added to thoroughly cover the functionality of the new PolicyBind interface, its implementations, and the refactored VerifyPolicyBinding() method.
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

An interface, so neat, Methods defined, a contract sweet. Code now clean and bright, Decoupled, taking flight.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist
Copy link
Contributor

gemini-code-assist bot commented Oct 30, 2025

Warning

Gemini encountered an error creating the review. You can try again by commenting /gemini review.

@github-actions
Copy link
Contributor

github-actions bot commented Oct 30, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 190.712831ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 103.861161ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 358.65308ms
Throughput 278.82 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.421832918s
Average Latency 402.022287ms
Throughput 123.70 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 28.702774778s
Average Latency 285.126745ms
Throughput 174.20 requests/second

@c-r33d
Copy link
Contributor Author

c-r33d commented Oct 30, 2025

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Oct 30, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces a PolicyBind interface to abstract the policy binding verification and hash generation, which is a great improvement for code structure and extensibility. The implementation for ECDSA and GMAC bindings has been refactored into separate structs that satisfy this new interface. The changes are well-tested, but I've found some issues in the test setup for GMAC bindings that make them confusing and semantically incorrect. I've also suggested a minor performance improvement for hash generation. Overall, this is a solid refactoring with good test coverage.

@github-actions
Copy link
Contributor

github-actions bot commented Oct 30, 2025

X-Test Results

opentdfplatformXSORH2.dockerbuild
cukes-report
✅ java-v0.4.34
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2857
✅ java-pull-2857
✅ go-pull-2857

@github-actions
Copy link
Contributor

github-actions bot commented Oct 30, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 171.341567ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 100.304094ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 351.380248ms
Throughput 284.59 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.01685928s
Average Latency 388.728578ms
Throughput 128.15 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.410467359s
Average Latency 272.635568ms
Throughput 182.41 requests/second

@github-actions
Copy link
Contributor

github-actions bot commented Oct 30, 2025

X-Test Results

opentdfplatformZ2UDQD.dockerbuild
cukes-report
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2857
✅ java-pull-2857
✅ go-pull-2857

dmihalcik-virtru
dmihalcik-virtru reviewed Oct 31, 2025
View reviewed changes
@github-actions
Copy link
Contributor

github-actions bot commented Oct 31, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 181.201379ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 102.269046ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 361.244343ms
Throughput 276.82 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.572478405s
Average Latency 394.646371ms
Throughput 126.35 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.496899083s
Average Latency 274.156557ms
Throughput 181.84 requests/second

@github-actions
Copy link
Contributor

github-actions bot commented Oct 31, 2025

X-Test Results

opentdfplatformJTTV9Z.dockerbuild
cukes-report
✅ java-v0.4.34
✅ js-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2857
✅ java-pull-2857
✅ go-pull-2857

dmihalcik-virtru
dmihalcik-virtru approved these changes Oct 31, 2025
View reviewed changes
Copy link
Member

@dmihalcik-virtru dmihalcik-virtru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You could clean up the tests a bit, but it isn't a blocker

@c-r33d c-r33d added this pull request to the merge queue Nov 3, 2025
Merged via the queue into main with commit 5221cf4 Nov 3, 2025
40 checks passed
@c-r33d c-r33d deleted the feat/nano-expose-policy-binding branch November 3, 2025 18:48
opentdf-automation bot pushed a commit that referenced this pull request Nov 3, 2025
@c-r33d @github-actions
feat(sdk): Expose policy binding hash from Nano. (#2857)
ab3f267 
### Proposed Changes

1.) Expose `PolicyBinding` method that returns a implementation of the
new `PolicyBind` interface.
2.) Create new `PolicyBind` interface with methods `String()` and
`Verify()`.

DSPX-1875

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

(cherry picked from commit 5221cf4)
@opentdf-automation
Copy link
Contributor

opentdf-automation bot commented Nov 3, 2025

Successfully created backport PR for release/sdk/v0.10:

@opentdf-automation opentdf-automation bot mentioned this pull request Nov 3, 2025
Merged
opentdf-automation bot added a commit that referenced this pull request Nov 3, 2025
@opentdf-automation
feat(sdk): Expose policy binding hash from Nano. (#2857)
6ff7414 
### Proposed Changes

1.) Expose `PolicyBinding` method that returns a implementation of the
new `PolicyBind` interface.
2.) Create new `PolicyBind` interface with methods `String()` and
`Verify()`.

DSPX-1875

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

(cherry picked from commit 5221cf4)
@opentdf-automation opentdf-automation bot mentioned this pull request Nov 3, 2025
Open
strantalis pushed a commit that referenced this pull request Nov 4, 2025
@opentdf-automation
feat(sdk): Expose policy binding hash from Nano. [backport to release…
556a0e2 
…/sdk/v0.10] (#2869)

# Description
Backport of #2857 to `release/sdk/v0.10`.

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
@c-r33d
Copy link
Contributor Author

c-r33d commented Nov 5, 2025

/backport

opentdf-automation bot pushed a commit that referenced this pull request Nov 5, 2025
@c-r33d @github-actions
feat(sdk): Expose policy binding hash from Nano. (#2857)
7f44e5f 
### Proposed Changes

1.) Expose `PolicyBinding` method that returns a implementation of the
new `PolicyBind` interface.
2.) Create new `PolicyBind` interface with methods `String()` and
`Verify()`.

DSPX-1875

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

(cherry picked from commit 5221cf4)
@opentdf-automation
Copy link
Contributor

opentdf-automation bot commented Nov 5, 2025

Successfully created backport PR for release/service/v0.11:

@opentdf-automation opentdf-automation bot mentioned this pull request Nov 5, 2025
Merged
@opentdf-automation
Copy link
Contributor

opentdf-automation bot commented Nov 5, 2025

Backport failed for release/sdk/v0.10, because it was unable to cherry-pick the commit(s).

Please cherry-pick the changes locally and resolve any conflicts.

git fetch origin release/sdk/v0.10
git worktree add -d .worktree/backport-2857-to-release/sdk/v0.10 origin/release/sdk/v0.10
cd .worktree/backport-2857-to-release/sdk/v0.10
git switch --create backport-2857-to-release/sdk/v0.10
git cherry-pick -x 5221cf41079fc43a3966e17c6f3e0d3cf8a16730

opentdf-automation bot added a commit that referenced this pull request Nov 5, 2025
@opentdf-automation
feat(sdk): Expose policy binding hash from Nano. (#2857)
9122a46 
### Proposed Changes

1.) Expose `PolicyBinding` method that returns a implementation of the
new `PolicyBind` interface.
2.) Create new `PolicyBind` interface with methods `String()` and
`Verify()`.

DSPX-1875

### Checklist

- [ ] I have added or updated unit tests
- [ ] I have added or updated integration tests (if appropriate)
- [ ] I have added or updated documentation

### Testing Instructions

(cherry picked from commit 5221cf4)
c-r33d pushed a commit that referenced this pull request Nov 5, 2025
@opentdf-automation
feat(sdk): Expose policy binding hash from Nano. [backport to release…
262eb53 
…/service/v0.11] (#2879)

# Description
Backport of #2857 to `release/service/v0.11`.

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sujankota sujankota sujankota approved these changes

@dmihalcik-virtru dmihalcik-virtru dmihalcik-virtru approved these changes

@alkalescent alkalescent alkalescent approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

backport release/sdk/v0.10 backport release/service/v0.11 comp:sdk A software development kit, including library, for client applications and inter-service communicati size/s

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@c-r33d @sujankota @dmihalcik-virtru @alkalescent