feat(main): update proto GIT_TAG to service/v0.8.0 (#137)

* feat: update proto GIT_TAG to service/v0.8.0

- Bump default GIT_TAG from service/v0.7.2 to service/v0.8.0
- Remove unnecessary lambda from re.sub in run_buf_generate()
- Restore buf.gen.yaml to its original content after buf generate runs (was leaking absolute plugin path into tracked file)
- Add sys.path fix in __init__.py for connect-python v0.6+ absolute import style
- Regenerate all proto files from service/v0.8.0 (new: obligations, updated kasregistry/objects/unsafe/authorization)
- Update test assertion to match new default tag

* fix(proto-gen): use lambda replacement in re.sub to safely handle backslashes in plugin path

* fix(proto): correct misleading version reference in sys.path workaround comment

* fix(proto): replace sys.path mutation with sys.modules aliases for connect absolute imports

* test(proto): add tests and fix two-pass stub registration for connect absolute imports

* fix(proto): update connect-python to >=0.6.0 and add protoc-gen-openapiv2 dependency

* chore: add Gemini config to ignore generated proto files from code review

Author: b-long

.gemini/config.yaml

@@ -0,0 +1,4 @@
+code_review:
+  ignore_patterns:
+    - "otdf-python-proto/proto-files/**/*"
+    - "otdf-python-proto/src/otdf_python_proto/**/*"

otdf-python-proto/proto-files/authorization/v2/authorization.proto

@@ -21,11 +21,11 @@ message EntityIdentifier {
   oneof identifier {
     option (buf.validate.oneof).required = true;
 
-    // chain of one or more entities
+    // chain of one or more entities and at most 10
     entity.EntityChain entity_chain = 1 [(buf.validate.field).cel = {
       id: "entity_chain_required"
-      message: "entities must be provided"
-      expression: "has(this.entities) && this.entities.size() > 0"
+      message: "entities must be provided and between 1 and 10 in count"
+      expression: "has(this.entities) && this.entities.size() > 0 && this.entities.size() <= 10"
     }];
 
     // fully qualified name of the registered resource value stored in platform policy, where in
@@ -65,11 +65,13 @@ message Resource {
   }
 
   oneof resource {
+    // a set of attribute value FQNs, such as those on a TDF, between 1 and 20 in count
     AttributeValues attribute_values = 2 [(buf.validate.field).cel = {
       id: "attribute_values_required"
-      message: "if provided, resource.attribute_values must not be empty"
-      expression: "this.fqns.size() > 0 && this.fqns.all(item, item.isUri())"
+      message: "if provided, resource.attribute_values must be between 1 and 20 in count with all valid FQNs"
+      expression: "this.fqns.size() > 0 && this.fqns.size() <= 20 && this.fqns.all(item, item.isUri())"
     }];
+    // fully qualified name of the registered resource value stored in platform policy
     string registered_resource_value_fqn = 3 [(buf.validate.field).string = {
       min_len: 1
       uri: true
@@ -112,15 +114,17 @@ message GetDecisionResponse {
 // 1. one entity reference (actor)
 // 2. one action
 // 3. multiple resources
-// Note: this is a more performant bulk request for multiple resource decisions
+// Note: this is a more performant bulk request for multiple resource decisions, up to 1000 per request
 message GetDecisionMultiResourceRequest {
   // an entity must be identified for authorization decisioning
   EntityIdentifier entity_identifier = 1 [(buf.validate.field).required = true];
   // name on action is required
   policy.Action action = 2 [(buf.validate.field).required = true];
   repeated Resource resources = 3 [
-    (buf.validate.field).required = true,
-    (buf.validate.field).repeated = {min_items: 1}
+    (buf.validate.field).repeated = {
+      min_items: 1
+      max_items: 1000
+    }
   ];
 
   option (buf.validate.message).cel = {
@@ -141,7 +145,12 @@ message GetDecisionMultiResourceResponse {
 // This is a more performant bulk request for complex decisioning (i.e. multiple entity chains or actions on
 // multiple resources)
 message GetDecisionBulkRequest {
-  repeated GetDecisionMultiResourceRequest decision_requests = 1;
+  repeated GetDecisionMultiResourceRequest decision_requests = 1 [
+    (buf.validate.field).repeated = {
+      min_items: 1
+      max_items: 200
+    }
+  ];
 }
 message GetDecisionBulkResponse {
   repeated GetDecisionMultiResourceResponse decision_responses = 1;

otdf-python-proto/proto-files/policy/kasregistry/key_access_server_registry.proto

@@ -403,7 +403,7 @@ message CreateKeyRequest {
   Algorithm key_algorithm = 3 [(buf.validate.field).cel = {
     id: "key_algorithm_defined"
     message: "The key_algorithm must be one of the defined values."
-    expression: "this in [1, 2, 3, 4]" // Allow ALGORITHM_EC_P256, ALGORITHM_RSA_2048, ALGORITHM_X25519, ALGORITHM_AES_256_GCM
+    expression: "this in [1, 2, 3, 4, 5]" // Allow ALGORITHM_RSA_2048, ALGORITHM_RSA_4096, ALGORITHM_EC_P256, ALGORITHM_EC_P384, ALGORITHM_EC_P521
   }]; // The algorithm to be used for the key
   // Required
   KeyMode key_mode = 4 [(buf.validate.field).cel = {
@@ -445,7 +445,7 @@ message ListKeysRequest {
   Algorithm key_algorithm = 1 [(buf.validate.field).cel = {
     id: "key_algorithm_defined"
     message: "The key_algorithm must be one of the defined values."
-    expression: "this in [0, 1, 2, 3, 4]" // Allow ALGORITHM_EC_P256, ALGORITHM_RSA_2048, ALGORITHM_X25519, ALGORITHM_AES_256_GCM
+    expression: "this in [0, 1, 2, 3, 4, 5]" // Allow unspecified and object.Algorithm values for currently supported RSA bit sizes and EC curve types
   }]; // Filter keys by algorithm
 
   oneof kas_filter {
@@ -545,15 +545,15 @@ message RotateKeyRequest {
     Algorithm algorithm = 2 [(buf.validate.field).cel = {
       id: "key_algorithm_defined"
       message: "The key_algorithm must be one of the defined values."
-      expression: "this in [1, 2, 3, 4]" // Allow ALGORITHM_EC_P256, ALGORITHM_RSA_2048, ALGORITHM_X25519, ALGORITHM_AES_256_GCM
+      expression: "this in [1, 2, 3, 4, 5]" // Allow ALGORITHM_RSA_2048, ALGORITHM_RSA_4096, ALGORITHM_EC_P256, ALGORITHM_EC_P384, ALGORITHM_EC_P521
     }];
     // Required
     KeyMode key_mode = 3 [
       (buf.validate.field).enum.defined_only = true,
       (buf.validate.field).cel = {
         id: "new_key_mode_defined"
         message: "The new key_mode must be one of the defined values (1-4)."
-        expression: "this in [1, 2, 3, 4]" // Allow all defined modes
+        expression: "this in [1, 2, 3, 4]" // Allow modes CONFIG_ROOT_KEY, PROVIDER_ROOT_KEY, REMOTE, PUBLIC_KEY_ONLY
       }
     ];
     // Required
@@ -617,6 +617,35 @@ message SetBaseKeyResponse {
   SimpleKasKey previous_base_key = 2; // The previous base key, if any
 }
 
+message MappedPolicyObject {
+  string id = 1; // The unique identifier of the policy object
+  string fqn = 2; // The fully qualified name of the policy object
+}
+
+message KeyMapping {
+  string kid = 1;
+  string kas_uri = 2;
+  repeated MappedPolicyObject namespace_mappings = 3; // List of namespaces mapped to the key
+  repeated MappedPolicyObject attribute_mappings = 4; // List of attribute definitions mapped to the key
+  repeated MappedPolicyObject value_mappings = 5; // List of attribute values mapped to the key
+}
+
+message ListKeyMappingsRequest {
+  oneof identifier {
+    option (buf.validate.oneof).required = false;
+    string id = 2 [(buf.validate.field).string.uuid = true]; // The unique identifier of the key to retrieve
+    KasKeyIdentifier key = 3;
+  }
+
+  policy.PageRequest pagination = 10; // Pagination request for the list of keys
+}
+
+message ListKeyMappingsResponse {
+  repeated KeyMapping key_mappings = 1; // The list of key mappings
+
+  policy.PageResponse pagination = 10; // Pagination response for the list of keys
+}
+
 service KeyAccessServerRegistryService {
   rpc ListKeyAccessServers(ListKeyAccessServersRequest) returns (ListKeyAccessServersResponse) {
     option (google.api.http) = {get: "/key-access-servers"};
@@ -660,4 +689,7 @@ service KeyAccessServerRegistryService {
 
   // Get Default kas keys
   rpc GetBaseKey(GetBaseKeyRequest) returns (GetBaseKeyResponse) {}
+
+  // Request to list key mappings in the Key Access Service.
+  rpc ListKeyMappings(ListKeyMappingsRequest) returns (ListKeyMappingsResponse) {}
 }

otdf-python-proto/proto-files/policy/objects.proto

@@ -5,6 +5,7 @@ package policy;
 import "buf/validate/validate.proto";
 import "common/common.proto";
 import "google/protobuf/wrappers.proto";
+// import "google/protobuf/struct.proto";
 
 message SimpleKasPublicKey {
   Algorithm algorithm = 1;
@@ -447,7 +448,6 @@ message RegisteredResourceValue {
     // Common metadata
     common.Metadata metadata = 100;
   }
-
   string id = 1;
 
   string value = 2;
@@ -460,6 +460,50 @@ message RegisteredResourceValue {
   common.Metadata metadata = 100;
 }
 
+message Obligation {
+  string id = 1;
+
+  Namespace namespace = 2;
+
+  string name = 3;
+
+  repeated ObligationValue values = 4;
+  
+  common.Metadata metadata = 100;
+}
+
+message ObligationValue {
+  string id = 1;
+
+  Obligation obligation = 2;
+
+  string value = 3;
+
+  common.Metadata metadata = 100;
+}
+
+message ObligationTrigger {
+  string id = 1;
+
+  ObligationValue obligation_value = 2;
+
+  Action action = 3;
+
+  Value attribute_value = 4;
+
+  common.Metadata metadata = 100;
+}
+
+// message ObligationFulfiller {
+//   string id = 1;
+
+//   ObligationValue obligation_value = 2;
+
+//   google.protobuf.Struct conditionals = 3;
+
+//   common.Metadata metadata = 100;
+// }
+
 // Supported key algorithms.
 enum Algorithm {
   ALGORITHM_UNSPECIFIED = 0;