Update buf and use protovalidate #2596
Conversation
github-actions
bot
added
area/cli
tstirrat15
force-pushed
the
update-buf-and-use-protovalidate
branch
4 times, most recently
from
afaf255 to
7e05740
Compare
| v1 "github.com/authzed/authzed-go/proto/authzed/api/v1" | ||
| "github.com/authzed/grpcutil" |
There was a problem hiding this comment.
There's a number of these changes. This is the formatter.
There was a problem hiding this comment.
I don't understand, which formatter do you mean? You didn't change the Go linter rules..
There was a problem hiding this comment.
golangci-lint fmt is what i'm using locally
| } | ||
| } | ||
| return | ||
| return vulnerableFn, protectedFn |
There was a problem hiding this comment.
There's also several of these changes, which are also the formatter.
There was a problem hiding this comment.
let's do this in a separate PR #2600
|
|
||
| func (si SchemaInformation) debugValidate() { | ||
| spiceerrors.DebugAssert(func() bool { | ||
| spiceerrors.DebugAssertf(func() bool { |
There was a problem hiding this comment.
This is the new linter complaint - because DebugAssert had a Printf-like signature, the linter wanted the function to end in f
|
|
||
| func (sqf SchemaQueryFilterer) UnderlyingQueryBuilder() sq.SelectBuilder { | ||
| spiceerrors.DebugAssert(func() bool { | ||
| spiceerrors.DebugAssertf(func() bool { |
There was a problem hiding this comment.
So there's lots of these changes
|
|
||
| for _, ns := range read { | ||
| err := ns.Definition.Validate() | ||
| err := protovalidate.Validate(ns.Definition) |
There was a problem hiding this comment.
These are a part of the substantive changes in this PR - protovalidate uses reflection on the messages to figure out what the associated CEL is, and then runs those expressions from the outside, rather than invoking generated code (which is what protoc-gen-validate used to do)
| ObjectAndRelation resource_and_relation = 1 [(validate.rules).message.required = true]; | ||
| ObjectAndRelation resource_and_relation = 1 [(buf.validate.field).required = true]; | ||
|
|
There was a problem hiding this comment.
These are changes brought by running the migration tool.
There was a problem hiding this comment.
This got moved down and out of the proto folder by the migration step. I think this is a fine place for it to be.
| @@ -1,4 +0,0 @@ | |||
| --- | |||
There was a problem hiding this comment.
No longer necessary with buf.yaml being in the root.
| - remote: "buf.build/protocolbuffers/go:v1.36.10" | ||
| out: "pkg/proto" | ||
| opt: "paths=source_relative" | ||
| - remote: "buf.build/grpc/go:v1.5.1" | ||
| out: "pkg/proto" | ||
| opt: "paths=source_relative" |
There was a problem hiding this comment.
We're using the remote plugins now, similar to what we're doing with the client libraries.
| SetOperation union = 1 [(validate.rules).message.required = true]; | ||
| SetOperation intersection = 2 [(validate.rules).message.required = true]; | ||
| SetOperation exclusion = 3 [(validate.rules).message.required = true]; |
There was a problem hiding this comment.
This was a change called out by buf lint - the required fields don't mean anything on the options in a oneof, so the linter says they should be excluded.
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #2596 +/- ##
==========================================
+ Coverage 77.62% 77.63% +0.01%
==========================================
Files 442 442
Lines 54880 54880
==========================================
+ Hits 42597 42599 +2
+ Misses 9618 9617 -1
+ Partials 2665 2664 -1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
tstirrat15
force-pushed
the
update-buf-and-use-protovalidate
branch
3 times, most recently
from
30c3e48 to
8ff28bd
Compare
buf.yaml
Outdated
| - "ENUM_VALUE_PREFIX" | ||
| - "ENUM_ZERO_VALUE_SUFFIX" | ||
| - "FIELD_NOT_REQUIRED" | ||
| - "PACKAGE_NO_IMPORT_CYCLE" |
There was a problem hiding this comment.
😨 we have a cycle somewhere?
There was a problem hiding this comment.
No - I think this was added defensively by the migration script. I removed both of these exceptions and lints still pass, so I committed that.
| DispatchVersion uint32 `protobuf:"varint,4,opt,name=dispatch_version,json=dispatchVersion,proto3" json:"dispatch_version,omitempty"` | ||
| // flags are flags set by the API caller. | ||
| Flags map[string]string `protobuf:"bytes,5,rep,name=flags,proto3" json:"flags,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` | ||
| Flags map[string]string `protobuf:"bytes,5,rep,name=flags,proto3" json:"flags,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` |
There was a problem hiding this comment.
This is a difference between the remote plugin's version and the version we were previously using. I'm not expecting it to have any meaningful effect, but I also can't say for certain because I don't understand this part of protobuf generation very well.
| // * name represents the globally-unique identifier of the caveat * | ||
| Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"` | ||
| // * serialized_expression is the byte representation of a caveat's logic | ||
| SerializedExpression []byte `protobuf:"bytes,2,opt,name=serialized_expression,json=serializedExpression,proto3" json:"serialized_expression,omitempty"` | ||
| // * parameters_and_types is a map from parameter name to its type | ||
| ParameterTypes map[string]*CaveatTypeReference `protobuf:"bytes,3,rep,name=parameter_types,json=parameterTypes,proto3" json:"parameter_types,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` | ||
| ParameterTypes map[string]*CaveatTypeReference `protobuf:"bytes,3,rep,name=parameter_types,json=parameterTypes,proto3" json:"parameter_types,omitempty" protobuf_key:"bytes,1,opt,name=key" protobuf_val:"bytes,2,opt,name=value"` |
|
Yeah, that's not a bad idea. |
tstirrat15
force-pushed
the
update-buf-and-use-protovalidate
branch
2 times, most recently
from
2296200 to
fdf13a2
Compare
|
Some benchmarks from the Buf folks: bufbuild/protovalidate-go#283 (comment) Their sense is that |
tstirrat15
force-pushed
the
update-buf-and-use-protovalidate
branch
2 times, most recently
from
6f0cdcc to
0bb56df
Compare
| nilPrefix, | ||
| `definition someTenant/fo {}`, | ||
| "parse error in `invalid definition name`, line 1, column 1: error in object definition someTenant/fo: invalid NamespaceDefinition.Name: value does not match regex pattern \"^([a-z][a-z0-9_]{1,62}[a-z0-9]/)*[a-z][a-z0-9_]{1,62}[a-z0-9]$\"", | ||
| "parse error in `invalid definition name`, line 1, column 1: error in object definition someTenant/fo: validation error:\n - name: value does not match regex pattern `^([a-z][a-z0-9_]{1,62}[a-z0-9]/)*[a-z][a-z0-9_]{1,62}[a-z0-9]$` [string.pattern]", |
There was a problem hiding this comment.
These changes represent something that's different from the perspective of the user - it no longer names the object being validated, and it includes the [string.pattern] bit at the end. I think this is fine.
tstirrat15
force-pushed
the
update-buf-and-use-protovalidate
branch
from
0bb56df to
97925eb
Compare
Description
We'd like to use
protovalidatefor protobuf validation instead ofprotoc-gen-validate. This is a first step towards that in SpiceDB, replacing thevalidategenerated code with use ofprotovalidate.This also updates our generation code, using v2 of
buf.gen.yaml.Changes
Printfsignaturebuf config migrateprotoc-gen-validatefrombuf.yamland addedprotovalidateinsteadprotovalidate.Validatecalls where we were previously calling.Validate()on proto messagesTesting
Review. See that tests pass.