[Feature Request] Allow extending default cel.Env created by protovalidate.New about protovalidate-go HOT 4 CLOSED

Amazing, I just came here to file the exact same request :-)

from protovalidate-go.

That design ended up having some limitations, notably I needed to be able to access the Env's CELTypeProvider() and CELTypeAdapter() to use custom protobuf message types as function inputs/outputs. The updated implementation is here: kralicky@da6dae8

Here's an example of how I used it:

message X509Certificate {
  bytes                     raw       = 1;
  bool                      isCA      = 2;
  string                    issuer    = 3;
  string                    subject   = 4;
  google.protobuf.Timestamp notBefore = 5;
  google.protobuf.Timestamp notAfter  = 6;
  string                    alg       = 7;
}

protovalidate.New(
  protovalidate.WithExtendFunc(func(e *cel.Env) []cel.EnvOption {
    tr := env.CELTypeProvider().(*types.Registry)
    tr.RegisterMessage(&X509Certificate{})

    return []cel.EnvOption {
      cel.Function("x509Parse",
        cel.Overload("str_parse_x509",
          []*cel.Type{cel.StringType},
          cel.ObjectType(string(proto.MessageName(&X509Certificate{}))),
          cel.UnaryBinding(func(value ref.Val) ref.Val {
            str, ok := value.Value().(string)
            if !ok {
              return types.UnsupportedRefValConversionErr(value)
            }
            block, _ := pem.Decode([]byte(str))
            if block == nil {
              return types.NewErr("malformed PEM block")
            }

            cert, err := x509.ParseCertificate(block.Bytes)
            if err != nil {
              return types.WrapErr(err)
            }
            return env.CELTypeAdapter().NativeToValue(&X509Certificate{
              Raw:       cert.Raw,
              IsCA:      cert.IsCA,
              Issuer:    cert.Issuer.String(),
              Subject:   cert.Subject.String(),
              NotBefore: timestamppb.New(cert.NotBefore),
              NotAfter:  timestamppb.New(cert.NotAfter),
              Alg:       cert.PublicKeyAlgorithm.String(),
            })
          }),
        ),
      ),
    }
  }),
)

Then I can write, for example:

expression: "x509Parse(this.certData).issuer == 'foo'"

or pass it to some other methods:

expression: "x509Parse(this.certData).checkSignatureFrom(x509Parse(this.caCertData))"

from protovalidate-go.

See #60 for a previous discussion on this topic.

We are not going to expose the CEL environment. The goal of protovalidate is for constraints to be portable across any implementation as the protos where the rules are defined might be run in any context. This means that the only supported custom CEL functions must be part of the protovalidate spec or defined as a custom CEL expression on the message/field itself.

That said, if your validation rule is common enough, we're happy to discuss incorporating it as a standard constraint (a recent example is support for IP/CIDR Prefixes). We're alternatively looking at ways to share/reuse a CEL expression across multiple entities.

As for your certificate example above, perhaps this goes a bit beyond the scope of protovalidate and into actual implementation of your service. I can see an isX509 function to make sure the data is in the correct shape, but actually evaluating the cert data is signed by the CA probably belongs in your business logic.

from protovalidate-go.

That is disappointing, but understandable I suppose. In my case, I am using protovalidate to standardize validation across a bunch of different APIs, which were previously all doing their own thing slightly differently. This way validations can be performed automatically and have all the context info from the descriptors.

My example code is a bit contrived, yes, and out of scope for any standard validators, but I wanted to give an example that made use of a few different features. The intent was a rigorous sanity-check, not a replacement for real backend logic, of course. 😉

from protovalidate-go.