Skip to content

feat(policy): add search support to ListSubjectConditionSets#3556

Merged
c-r33d merged 4 commits into
search-term-implfrom
dspx-2739-listsubjectconditionsets-search
Jun 3, 2026
Merged

feat(policy): add search support to ListSubjectConditionSets#3556
c-r33d merged 4 commits into
search-term-implfrom
dspx-2739-listsubjectconditionsets-search

Conversation

@c-r33d

@c-r33d c-r33d commented Jun 1, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds ListSubjectConditionSets RPC search support by wiring request search into the policy DB list query.
  • Applies escaped, case-insensitive matching in the subject condition set SQL path and adds integration coverage for search behavior, wildcard literals, empty search, and pagination after filtering.

Summary by CodeRabbit

  • New Features

    • Added search functionality for subject condition sets filtered by metadata labels.
    • Search supports pagination, sorting, and combines with namespace filtering.
    • Search properly handles whitespace and special character escaping.
  • Tests

    • Expanded integration test coverage for search behavior with metadata labels.
    • Updated existing sorting tests with improved cleanup utilities.

@coderabbitai

coderabbitai Bot commented Jun 1, 2026

Copy link
Copy Markdown

Review Change Stack

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 89d6cc4d-f9dd-4941-87f9-9f5fe198130d

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
📝 Walkthrough

Walkthrough

This PR adds text search capability to ListSubjectConditionSets by filtering subject condition sets based on metadata label values. It updates the SQL query to support case-insensitive label matching with wildcard escaping, integrates the search parameter into the Go service layer and generated sqlc code, adds comprehensive integration tests validating search behavior with pagination and namespace filtering, and includes a minor UUID formatting fix.

Changes

ListSubjectConditionSets Search Filter Implementation

Layer / File(s) Summary
Search query definition with JSONB label filtering
service/policy/db/queries/subject_mappings.sql
The listSubjectConditionSets query adds an optional @search parameter that filters by checking if any (key, value) pair in scs.metadata->'labels' has a value matching the search term via case-insensitive ILIKE with backslash escape for SQL LIKE wildcards.
Go service layer and generated query code updates
service/policy/db/subject_mappings.go, service/policy/db/subject_mappings.sql.go
The service layer derives a substring search pattern from the request and passes it to the query; the generated sqlc file adds the Search parameter to the query struct and adjusts all placeholder positions throughout the SQL execution (WHERE clause, parameter CTE references, LIMIT/OFFSET bindings).
Integration tests for search functionality and test helpers
service/integration/subject_mappings_test.go
New tests validate searching by metadata label values with pagination, sorting by created-at, wildcard escaping (\*, %), namespace filtering combinations, and empty/whitespace search edge cases. Helper functions newSearchTestSubjectConditionSet and deleteTestSCSs support test creation and cleanup, with existing sort tests updated to use the new cleanup helper.
UUID string formatting adjustment
service/policy/db/utils.go
The UUIDToString utility updates its fmt.Sprintf format string to a multi-line literal while preserving the same UUID field widths and grouping.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

  • opentdf/platform#3403: Both PRs update service/integration/subject_mappings_test.go sorting test setup/cleanup and created-at tie-breaker behavior, though this PR additionally adds ListSubjectConditionSets search filtering tests.

Suggested reviewers

  • elizabethhealy

Poem

🐰 A search through the labels so fine,
With ILIKE and escapes so divine,
The metadata dances in JSONB's embrace,
Finding conditions in filtered space!
Hops of joy — the query's a chase! ✨

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'feat(policy): add search support to ListSubjectConditionSets' directly and clearly describes the main change: adding search functionality to the ListSubjectConditionSets RPC endpoint.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch dspx-2739-listsubjectconditionsets-search

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces search capabilities for the ListSubjectConditionSets RPC. By wiring search terms into the underlying policy database queries, users can now filter condition sets based on selectors and values. The implementation ensures robust matching through case-insensitive SQL operations and includes new utility functions to handle search patterns, while also adding extensive integration tests to verify the new functionality.

Highlights

  • Search Functionality: Added search support to the ListSubjectConditionSets RPC by integrating request search terms into the policy database query.
  • Database Query Updates: Updated the SQL query to perform case-insensitive, escaped matching against various JSONB fields within the subject condition set.
  • Integration Testing: Added comprehensive integration tests covering search behavior, wildcard literals, empty search scenarios, and pagination after filtering.
New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.


A search term sent to find the set, / With SQL logic, we are set. / Through JSONB paths the query flows, / To find the match that the user knows.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@github-actions github-actions Bot added comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) size/m labels Jun 1, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces search capabilities to the ListSubjectConditionSets endpoint, allowing users to search within the JSONB condition field of subject condition sets. It includes updates to the SQL queries, database client code, utility functions, and comprehensive integration tests. The reviewer's feedback suggests optimizing the SQL query by combining multiple EXISTS clauses into a single one using UNION ALL to reduce duplication and improve query execution. Additionally, the reviewer recommends using the existing pgtypeSubstringSearchPattern function instead of introducing a new NoTrim variant to maintain consistency across search endpoints and avoid redundant helper code.

Comment thread service/policy/db/queries/subject_mappings.sql Outdated
Comment thread service/policy/db/subject_mappings.go Outdated
Comment thread service/policy/db/utils.go Outdated
@github-actions

github-actions Bot commented Jun 1, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 191.215688ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 101.725733ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 437.617662ms
Throughput 228.51 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 44.516093676s
Average Latency 443.549502ms
Throughput 112.32 requests/second

c-r33d added 2 commits June 2, 2026 15:26
Signed-off-by: Chris Reed <creed@virtru.com>
Signed-off-by: Chris Reed <creed@virtru.com>
@c-r33d
c-r33d force-pushed the dspx-2739-listsubjectconditionsets-search branch from 2efc296 to 4a4b167 Compare June 2, 2026 21:42
@c-r33d
c-r33d marked this pull request as ready for review June 2, 2026 21:44
@c-r33d
c-r33d requested review from a team as code owners June 2, 2026 21:44
@c-r33d

c-r33d commented Jun 2, 2026

Copy link
Copy Markdown
Contributor Author

@coderabbitai review

@coderabbitai

coderabbitai Bot commented Jun 2, 2026

Copy link
Copy Markdown
✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@github-actions

github-actions Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 293.215549ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 96.953211ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 519.512644ms
Throughput 192.49 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 43.386720466s
Average Latency 431.866105ms
Throughput 115.24 requests/second

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@service/integration/subject_mappings_test.go`:
- Around line 1493-1529: The created_at ordering assertion can flake because
labelValueMatch and anotherLabelValueMatch are created back-to-back; insert a
short deterministic delay (e.g., time.Sleep(5 * time.Millisecond)) between
creating labelValueMatch and anotherLabelValueMatch (the calls that assign those
variables via s.newSearchTestSubjectConditionSet) so their created_at timestamps
differ, ensuring ListSubjectConditionSets sorted by created_at ASC returns a
stable order; mirror the same approach used in other sort tests in this file.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: cdd701a1-70f9-4f37-96cf-5b9478271105

📥 Commits

Reviewing files that changed from the base of the PR and between a9db895 and 4a4b167.

📒 Files selected for processing (5)
  • service/integration/subject_mappings_test.go
  • service/policy/db/queries/subject_mappings.sql
  • service/policy/db/subject_mappings.go
  • service/policy/db/subject_mappings.sql.go
  • service/policy/db/utils.go

Comment thread service/integration/subject_mappings_test.go
Signed-off-by: Chris Reed <creed@virtru.com>
@github-actions

github-actions Bot commented Jun 2, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 171.129255ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 91.047784ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 435.492133ms
Throughput 229.63 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 43.262267205s
Average Latency 430.6594ms
Throughput 115.57 requests/second

@github-actions

github-actions Bot commented Jun 3, 2026

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 188.503938ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 93.663566ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 411.724456ms
Throughput 242.88 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 43.587684122s
Average Latency 433.950787ms
Throughput 114.71 requests/second

@github-actions

github-actions Bot commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • otdfctl
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.

Comment thread service/policy/db/queries/subject_mappings.sql
@c-r33d
c-r33d merged commit bb38767 into search-term-impl Jun 3, 2026
35 checks passed
@c-r33d
c-r33d deleted the dspx-2739-listsubjectconditionsets-search branch June 3, 2026 13:50
c-r33d added a commit that referenced this pull request Jun 15, 2026
## Summary
- Adds ListSubjectConditionSets RPC search support by wiring request
search into the policy DB list query.
- Applies escaped, case-insensitive matching in the subject condition
set SQL path and adds integration coverage for search behavior, wildcard
literals, empty search, and pagination after filtering.


<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->

## Summary by CodeRabbit

* **New Features**
* Added search functionality for subject condition sets filtered by
metadata labels.
* Search supports pagination, sorting, and combines with namespace
filtering.
  * Search properly handles whitespace and special character escaping.

* **Tests**
* Expanded integration test coverage for search behavior with metadata
labels.
  * Updated existing sorting tests with improved cleanup utilities.

<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Signed-off-by: Chris Reed <creed@virtru.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) size/m

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants