fix(core): Add AUDIT events for improper bindings

[dmihalcik-virtru]

Proposed Changes

Checklist

• I have added or updated unit tests
• I have added or updated integration tests (if appropriate)
• I have added or updated documentation

Testing Instructions

[gemini-code-assist]

Summary of Changes

Hello @dmihalcik-virtru, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request improves the observability and security posture of the core service by implementing detailed audit logging for various failure scenarios encountered during key rewrapping operations. By capturing specific RewrapFailure events, the system gains better insight into issues related to policy binding integrity and validity, which is crucial for security monitoring and incident response.

Highlights

• Audit Logging: Introduced new audit events for 'RewrapFailure' within the Key Access Server (KAS) access service.
• Error Handling: Specifically, audit events are now triggered when policy bindings are found to be nil, have invalid encoding, or fail verification during the rewrap process.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• service/kas/access/rewrap.go
  • Added RewrapFailure audit event when a policy binding is nil.
  • Added RewrapFailure audit event when a policy binding has invalid encoding.
  • Added RewrapFailure audit event when policy binding verification fails.

Activity

• No human activity (comments, reviews, etc.) has been recorded on this pull request yet.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

---

When bindings fail fast, Audit logs catch every slip, Security holds strong.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request adds audit logging for several failure scenarios within the rewrap process, specifically for improper policy bindings. The changes correctly identify the failure points and add the necessary audit events. However, the implementation introduces significant code duplication for the audit logging logic. I've left a comment suggesting a refactoring to extract this duplicated code into a helper method to improve maintainability.

[gemini-code-assist]

This block for audit logging is nearly identical to two other blocks added in this function (lines 795-802 and 819-826). This duplication can make future changes more difficult.

Consider extracting this logic into a private helper method on the Provider to reduce code duplication and improve maintainability. For example:

func (p *Provider) auditRewrapFailure(ctx context.Context, policy *Policy, req *kaspb.UnsignedRewrapRequest_WithPolicyRequest, kao *kaspb.UnsignedRewrapRequest_WithKeyAccessObject, policyBinding string) {
	p.Logger.Audit.RewrapFailure(ctx, audit.RewrapAuditEventParams{
		Policy:        ConvertToAuditKasPolicy(*policy),
		IsSuccess:     false,
		TDFFormat:     "tdf3",
		Algorithm:     req.GetAlgorithm(),
		PolicyBinding: policyBinding,
		KeyID:         kao.GetKeyAccessObject().GetKid(),
	})
}

This new method could then be called from all three failure locations with the appropriate policyBinding value.

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	192.835496ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	110.536743ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	370.285435ms
Throughput	270.06 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	39.942226246s
Average Latency	397.525975ms
Throughput	125.18 requests/second

[github-actions]

X-Test Failure Report

opentdfplatformT2BN0M.dockerbuild
❌ js-v0.9.0
cukes-report
❌ java-v0.9.0
❌ go-v0.9.0

[github-actions]

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	196.000447ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	97.448157ms

Benchmark Statistics

Name	№ Requests	Avg Duration	Min Duration	Max Duration

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	363.959917ms
Throughput	274.76 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	38.362573274s
Average Latency	382.157273ms
Throughput	130.34 requests/second

[github-actions]

X-Test Results

opentdfplatformZOFI38.dockerbuild
cukes-report
✅ js-pull-3054
✅ js-v0.9.0
✅ java-v0.9.0
✅ java-pull-3054
✅ go-v0.9.0
✅ go-pull-3054
bats-test-results
test-cases-mapping-report