feat(core): improve resource and entity metadata within kas and authz decision audit logs #3109
jakedoublev wants to merge 12 commits into main from
jakedoublev commented on Mar 4, 2026
- Adds resource/entity metadata fields to APIs and docs.
- Threads decrypted/structured metadata through SDK and KAS requests.
- Expands audit logging for metadata in authz/rewrap flows.
- Updates example configs to include the new metadata settings.
Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request enhances the OpenTDF platform by adding support for resource and entity metadata within KAS and authorization decision audit logs. These changes provide a richer context for access control decisions and improve the granularity of audit logging. The updates include modifications to proto definitions, SDK enhancements, and example configurations.
X-Test Failure Report (opentdf)
Code Review
This pull request introduces a significant feature to improve resource and entity metadata within KAS and authorization decision audit logs. The changes are comprehensive, touching upon API definitions, SDK logic, KAS request handling, and audit logging. The implementation appears solid and well-tested. I have one suggestion regarding code duplication in the SDK to improve long-term maintainability.
| package sdk | ||
|
|
||
| import ( | ||
| "encoding/json" | ||
| "maps" | ||
| ) | ||
|
|
||
| func buildResourceMetadata(cfg *TDFConfig, totalPlaintextSize int64) map[string]any { | ||
| resourceMetadata := make(map[string]any) | ||
|
|
||
| if cfg.resourceMetadata != nil { | ||
| maps.Copy(resourceMetadata, cfg.resourceMetadata) | ||
| } | ||
|
|
||
| if _, ok := resourceMetadata[encMetadataKeyByteSize]; !ok { | ||
| resourceMetadata[encMetadataKeyByteSize] = totalPlaintextSize | ||
| } | ||
|
|
||
| if len(resourceMetadata) == 0 { | ||
| return nil | ||
| } | ||
| return resourceMetadata | ||
| } | ||
|
|
||
| func mergeEncryptedMetadata(base string, resourceMetadata map[string]any) (string, error) { | ||
| if len(resourceMetadata) == 0 { | ||
| return base, nil | ||
| } | ||
|
|
||
| if base != "" { | ||
| var baseObject map[string]any | ||
| if err := json.Unmarshal([]byte(base), &baseObject); err == nil { | ||
| baseObject["resourceMetadata"] = mergeResourceMetadata(baseObject["resourceMetadata"], resourceMetadata) | ||
| merged, err := json.Marshal(baseObject) | ||
| if err != nil { | ||
| return "", err | ||
| } | ||
| return string(merged), nil | ||
| } | ||
| } | ||
|
|
||
| envelope := map[string]any{ | ||
| "resourceMetadata": resourceMetadata, | ||
| } | ||
| if base != "" { | ||
| envelope["metadata"] = base | ||
| } | ||
|
|
||
| merged, err := json.Marshal(envelope) | ||
| if err != nil { | ||
| return "", err | ||
| } | ||
| return string(merged), nil | ||
| } | ||
|
|
||
| func mergeResourceMetadata(existing any, additions map[string]any) map[string]any { | ||
| existingMap, ok := existing.(map[string]any) | ||
| if !ok { | ||
| existingMap = make(map[string]any) | ||
| } | ||
| for k, v := range additions { | ||
| existingMap[k] = v | ||
| } | ||
| return existingMap | ||
| } |
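Review bot: mergeEncryptedMetadata panics when base is the JSON literal `null`: `json.Unmarshal([]byte("null"), &baseObject)` returns a nil error but leaves baseObject as a nil map, so the next line `baseObject["resourceMetadata"] = mergeResourceMetadata(...)` is an assignment to a nil map. Guard with `if err := json.Unmarshal([]byte(base), &baseObject); err == nil && baseObject != nil {` so a JSON null falls through to the envelope path like any other non-object base. Two smaller points in the same file: in buildResourceMetadata the `if len(resourceMetadata) == 0 { return nil }` branch is unreachable, because encMetadataKeyByteSize is always set just above it, so either drop the check or move the size default after it if an empty result is intended; and mergeResourceMetadata lets additions overwrite any key already present under the base object's resourceMetadata, which deserves a doc comment since caller-supplied values silently replace earlier ones in what ends up in the rewrap request.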
This file is nearly identical to sdk/experimental/tdf/resource_metadata.go. This code duplication can lead to maintenance issues, as changes would need to be synchronized across both files. To improve maintainability, consider refactoring this logic into a shared internal package.
For example, you could define an interface that both TDFConfig and experimental/tdf.WriterFinalizeConfig implement to provide the resource metadata. This would allow a single implementation of these utility functions to operate on that interface, eliminating the duplicated code.
Benchmark results (collapsed): authorization.GetDecisions, authorization.v2.GetMultiResourceDecision, Benchmark Statistics, Bulk Benchmark Results, TDF3 Benchmark Results.