feat(policy): Add kas_uri dimenstion to ListKeys.#3663
Conversation
github-actions
Bot
added
the
comp:policy
|
Warning Review limit reached
More reviews will be available in 19 minutes and 2 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Repository UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (5)
📝 WalkthroughWalkthroughThe PR extends KAS registry authorization to cover ChangesKAS ListKeys authorization
Sequence Diagram(s)sequenceDiagram
participant KeyAccessServerRegistry
participant listKeysAuthzResolver
participant keyAuthzDBClient
KeyAccessServerRegistry->>listKeysAuthzResolver: resolve ListKeys authz context
listKeysAuthzResolver->>keyAuthzDBClient: ListKeys(request)
keyAuthzDBClient-->>listKeysAuthzResolver: ListKeysResponse
listKeysAuthzResolver->>listKeysAuthzResolver: derive distinct KAS URI resources
listKeysAuthzResolver-->>KeyAccessServerRegistry: resolverCtx.Resources
Estimated code review effort🎯 4 (Complex) | ⏱️ ~45 minutes Possibly related PRs
Suggested labels
Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✏️ Tip: You can configure your own custom pre-merge checks in the settings. ✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request introduces authorization support for the Highlights
New Features🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. The keys are listed, one by one, With URI checks, the work is done. Authorization now is tight, Ensuring access stays just right. Footnotes
|
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request implements authorization resolution for the ListKeys RPC in the Key Access Server (KAS) registry. It introduces the listKeysAuthzResolver to extract and authorize KAS URIs returned from the database, registers the resolver, and adds comprehensive unit and BDD tests to validate the new authorization logic. The feedback suggests adding defensive nil checks in resolveListKeysReturnedKeyURIs and listedKASKeyIDs to prevent potential nil pointer dereference panics when handling KAS keys.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 3
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@service/policy/kasregistry/authz_resolver.go`:
- Around line 113-127: `resolveListKeysAuthzResources` currently authorizes a
separate `dbClient.ListKeys` result from the one later used by
`KeyAccessServerRegistry.ListKeys`, which can create a snapshot mismatch. Change
the flow so the handler and authz path share the exact same `ListKeys` response,
or move the authz resource derivation into the single DB read performed by
`KeyAccessServerRegistry.ListKeys`, and keep `resolveListKeysReturnedKeyURIs`
working from that authorized response.
In `@tests-bdd/cukes/steps_kasregistry.go`:
- Around line 173-219: The `listedKASKeysContainOnly` check is using
`listedKASKeyIDs`, which turns the response into a set and hides duplicate
entries. Update `listedKASKeysContainOnly` to compare the expected IDs against
the actual `ListKeysResponse` contents as a count-aware slice or multiset, so
duplicate rows are detected instead of being collapsed. Keep the fix localized
to `listedKASKeysContainOnly` and the helper it relies on (`listedKASKeyIDs`) so
the BDD assertion validates both membership and multiplicity.
- Around line 110-155: The ListKeys step methods are leaving stale
`listKASKeysResponse` data in the `KasRegistryStepDefinitions` scenario context
when a later call fails or returns nil. Update `iListKASKeys`,
`iListKASKeysForURI`, and `iListKASKeysByStoredKASID` to clear or reset the
recorded `listKASKeysResponse` before each
`scenarioContext.SDK.KeyAccessServerRegistry.ListKeys` request, so assertions
never read an older payload from a previous successful call.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Repository UI
Review profile: ASSERTIVE
Plan: Pro
Run ID: 2189c5ac-6de6-4a28-80f5-edb5d832dfb2
📒 Files selected for processing (6)
service/policy/kasregistry/authz_resolver.goservice/policy/kasregistry/authz_resolver_test.goservice/policy/kasregistry/key_access_server_registry.gotests-bdd/cukes/resources/platform.authz_v2.templatetests-bdd/cukes/steps_kasregistry.gotests-bdd/features/authz-v2.feature
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
|
1 participant
1.) Add
kas_uridimension toListKeysrpc.Summary by CodeRabbit
New Features
Bug Fixes