Skip to content

fix(policy): GetPC does not respect manager field.#3752

Open
c-r33d wants to merge 2 commits into
mainfrom
get-pc-bug
Open

fix(policy): GetPC does not respect manager field.#3752
c-r33d wants to merge 2 commits into
mainfrom
get-pc-bug

Conversation

@c-r33d

@c-r33d c-r33d commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

1.) Bug fix where we didn't respect the user's manager request value when searching by name

Summary by CodeRabbit

  • New Features

    • Added a --manager (-m) option for retrieving key management provider configurations by name and manager implementation.
    • Provider configurations with the same name can now be distinguished using their associated manager.
  • Bug Fixes

    • Improved lookup accuracy when multiple providers share a name.
    • Added validation requiring a manager when retrieving a provider by name.
  • Documentation

    • Updated command documentation and examples to explain manager-based lookups.

@c-r33d
c-r33d requested review from a team as code owners July 16, 2026 15:30
@github-actions github-actions Bot added comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) size/s labels Jul 16, 2026
@coderabbitai

coderabbitai Bot commented Jul 16, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@c-r33d, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 41 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7de7bb3d-6303-440e-843f-ea2991742426

📥 Commits

Reviewing files that changed from the base of the PR and between 3fb659d and 64bf28b.

⛔ Files ignored due to path filters (1)
  • protocol/go/policy/keymanagement/key_management.pb.go is excluded by !**/*.pb.go
📒 Files selected for processing (3)
  • docs/grpc/index.html
  • docs/openapi/policy/keymanagement/key_management.openapi.yaml
  • service/policy/keymanagement/key_management.proto
📝 Walkthrough

Walkthrough

Provider configuration retrieval now accepts a manager filter for name-based lookups. The CLI, service and database layers, documentation, integration tests, and end-to-end tests were updated to support and validate this behavior.

Changes

Provider configuration lookup

Layer / File(s) Summary
Request propagation and database lookup
service/policy/keymanagement/key_management.go, service/policy/db/key_management.go
Typed provider lookup requests now preserve identifier and manager fields through service and database queries, including update-related lookups.
CLI manager flag and documentation
otdfctl/cmd/policy/keyManagementProvider.go, otdfctl/pkg/handlers/provider-config.go, otdfctl/docs/man/policy/key-management/provider/get.md
The get command accepts --manager, requires it with --name, forwards it to the handler, and documents name-plus-manager retrieval.
Integration and end-to-end validation
service/integration/keymanagement_test.go, otdfctl/e2e/provider-config.bats
Tests use typed identifiers, cover manager-filtered retrieval and missing-manager failures, and create configurations with explicit managers.

Estimated code review effort: 3 (Moderate) | ~25 minutes

Sequence Diagram(s)

sequenceDiagram
  participant CLI as otdfctl get command
  participant Handler as Handler.GetProviderConfig
  participant Service as keymanagement.GetProviderConfig
  participant DB as PolicyDBClient.GetProviderConfig
  CLI->>Handler: pass id, name, manager
  Handler->>Service: send GetProviderConfigRequest
  Service->>DB: pass full request
  DB-->>Service: return matching provider config
  Service-->>CLI: return provider configuration
Loading

Suggested labels: docs

Suggested reviewers: alkalescent

Poem

I’m a rabbit with flags in my paws,
Manager and name now obey lookup laws.
Typed little identifiers hop through the stack,
Tests guard the trail and keep errors back.
Documentation blooms in the moonlight bright.

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title matches the main fix: GetPC now respects the manager field when retrieving provider configs by name.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch get-pc-bug

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses a bug where the manager field was ignored during provider configuration lookups by name. The changes involve updating the internal API signature to include the manager parameter, enforcing its usage in the CLI, and updating relevant integration tests and documentation to ensure consistency and correctness in provider configuration retrieval.

Highlights

  • API and CLI Update: Updated the GetProviderConfig method to accept a manager field, ensuring it is respected when searching by name.
  • Command Line Interface: Added the --manager flag to the otdfctl keymanagement provider get command and enforced it as a required flag when searching by name.
  • Testing and Documentation: Updated E2E tests and documentation to reflect the new requirement for the manager field when retrieving provider configurations by name.
New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.


The manager field was lost in the fray, / But now it is found in the light of day. / With name and with manager, clearly defined, / The provider config is easy to find.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 141.782844ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 77.782166ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 314.495822ms
Throughput 317.97 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 34.992118255s
Average Latency 348.582905ms
Throughput 142.89 requests/second

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request updates the key provider configuration retrieval process to support and require a manager parameter when fetching by name. This change is implemented across the CLI commands, documentation, E2E tests, handlers, and database queries. The reviewer raised a valid concern that while the CLI enforces the manager parameter when retrieving by name, the API level does not validate this, which could lead to non-deterministic behavior if multiple configurations share the same name but have different managers.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread service/policy/keymanagement/key_management.go
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 205.167557ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 104.756634ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 420.043038ms
Throughput 238.07 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 44.724370206s
Average Latency 444.481427ms
Throughput 111.80 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • otdfctl
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.

string id = 2 [(buf.validate.field).string.uuid = true];
// Provider config name. When using name, manager SHOULD also be set because
// provider config uniqueness is based on (name, manager). Omitting manager
// can match multiple provider configs and returns a non-deterministic result.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we send back a bad request error here if this is the case?

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Like don't try to optimistically get a provider config and return one of them, but instead require both parameters to successfully return any result, or otherwise make sure if one is found by name alone that it is globally unique?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

comp:db DB component comp:policy Policy Configuration ( attributes, subject mappings, resource mappings, kas registry) size/s

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants