Skip to content

Adding a new constraint to baton config schema #674

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
socialyadept wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Adding a new constraint to baton config schema #674

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
4c53094
add: constraint for limited option
socialyadept Feb 6, 2026
baed2e0
add: allowed options
socialyadept Feb 6, 2026
dd67a81
fix: allowed option values name
socialyadept Feb 6, 2026
2c89935
fix: attribute name
socialyadept Feb 9, 2026
63e3bd3
test: unit allowed options
socialyadept Feb 11, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
27 changes: 23 additions & 4 deletions pb/c1/config/v1/config.pb.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

27 changes: 23 additions & 4 deletions pb/c1/config/v1/config_protoopaque.pb.go
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

34 changes: 32 additions & 2 deletions pkg/actions/actions.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -563,14 +563,14 @@ func validateActionConstraints(constraints []*config.Constraint, args *structpb.

// Validate each constraint
for _, constraint := range constraints {
if err := validateConstraint(constraint, present); err != nil {
if err := validateConstraint(constraint, present, args); err != nil {
return err
}
}
return nil
}

func validateConstraint(c *config.Constraint, present map[string]bool) error {
func validateConstraint(c *config.Constraint, present map[string]bool, args *structpb.Struct) error {
// Deduplicate field names to handle cases where the same field is listed multiple times
uniqueFieldNames := deduplicateStrings(c.GetFieldNames())

Expand Down Expand Up @@ -605,6 +605,36 @@ func validateConstraint(c *config.Constraint, present map[string]bool) error {
}
}
}
case config.ConstraintKind_CONSTRAINT_KIND_ALLOWED_OPTIONS:
if primaryPresent > 0 {
// When secondary fields are set, only allowed option values are permitted
uniqueSecondaryFieldNames := deduplicateStrings(c.GetSecondaryFieldNames())
anySecondaryPresent := false
for _, name := range uniqueSecondaryFieldNames {
if present[name] {
anySecondaryPresent = true
break
}
}
if anySecondaryPresent {
allowedValues := make(map[string]bool)
for _, v := range c.GetAllowedOptionValues() {
allowedValues[v] = true
}
if args != nil {
for _, fieldName := range uniqueFieldNames {
if val, ok := args.GetFields()[fieldName]; ok {
if strVal, ok := val.GetKind().(*structpb.Value_StringValue); ok {
if !allowedValues[strVal.StringValue] {
return fmt.Errorf("option %q for field %q is not allowed when %v is set; allowed values: %v",
strVal.StringValue, fieldName, uniqueSecondaryFieldNames, c.GetAllowedOptionValues())
}
}
}
}
}
}
}
case config.ConstraintKind_CONSTRAINT_KIND_UNSPECIFIED:
return nil
default:
Expand Down
105 changes: 105 additions & 0 deletions pkg/actions/actions_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -465,6 +465,111 @@ func TestConstraintValidation(t *testing.T) {
require.NoError(t, err)
})

t.Run("Value allowed when secondary field present passes - AllowedOptions", func(t *testing.T) {
// If field_a is set to value_a and field_b is set to value_b,
// then value_a is allowed because it is in the allowed option values.
constraints := []*config.Constraint{
config.Constraint_builder{
Kind: config.ConstraintKind_CONSTRAINT_KIND_ALLOWED_OPTIONS,
FieldNames: []string{"field_a"},
SecondaryFieldNames: []string{"field_b"},
AllowedOptionValues: []string{"value_a", "value_b"},
}.Build(),
}
args := &structpb.Struct{
Fields: map[string]*structpb.Value{
"field_a": structpb.NewStringValue("value_a"),
"field_b": structpb.NewStringValue("value_b"),
},
}
err := validateActionConstraints(constraints, args)
require.NoError(t, err)
})

t.Run("Disallowed value when secondary field present fails - AllowedOptions", func(t *testing.T) {
// If field_a is set to value_c and field_b is set to value_b,
// then value_c is not allowed because it is not in the allowed option values.
constraints := []*config.Constraint{
config.Constraint_builder{
Kind: config.ConstraintKind_CONSTRAINT_KIND_ALLOWED_OPTIONS,
FieldNames: []string{"field_a"},
SecondaryFieldNames: []string{"field_b"},
AllowedOptionValues: []string{"value_a", "value_b"},
}.Build(),
}
args := &structpb.Struct{
Fields: map[string]*structpb.Value{
"field_a": structpb.NewStringValue("value_c"),
"field_b": structpb.NewStringValue("value_b"),
},
}
err := validateActionConstraints(constraints, args)
require.Error(t, err)
require.Contains(t, err.Error(), "not allowed")
})

t.Run("Any value allowed when secondary field absent - AllowedOptions", func(t *testing.T) {
// If field_a is set to value_c and field_b is not set,
// then value_c is allowed because the constraint is not applied.
constraints := []*config.Constraint{
config.Constraint_builder{
Kind: config.ConstraintKind_CONSTRAINT_KIND_ALLOWED_OPTIONS,
FieldNames: []string{"field_a"},
SecondaryFieldNames: []string{"field_b"},
AllowedOptionValues: []string{"value_a", "value_b"},
}.Build(),
}
args := &structpb.Struct{
Fields: map[string]*structpb.Value{
"field_a": structpb.NewStringValue("value_c"),
},
}
err := validateActionConstraints(constraints, args)
require.NoError(t, err)
})

t.Run("Primary field absent passes regardless - AllowedOptions", func(t *testing.T) {
// If field_a is not set and field_b is set to value_b,
// then the constraint is not applied because the primary field is not set.
constraints := []*config.Constraint{
config.Constraint_builder{
Kind: config.ConstraintKind_CONSTRAINT_KIND_ALLOWED_OPTIONS,
FieldNames: []string{"field_a"},
SecondaryFieldNames: []string{"field_b"},
AllowedOptionValues: []string{"value_a", "value_b"},
}.Build(),
}
args := &structpb.Struct{
Fields: map[string]*structpb.Value{
"field_b": structpb.NewStringValue("value_b"),
},
}
err := validateActionConstraints(constraints, args)
require.NoError(t, err)
})

t.Run("Multiple secondary fields checked - AllowedOptions", func(t *testing.T) {
// If field_a is set to value_a, field_b and field_c are also set
// then the constraint is applied to field_a because field_b and field_c are set.
constraints := []*config.Constraint{
config.Constraint_builder{
Kind: config.ConstraintKind_CONSTRAINT_KIND_ALLOWED_OPTIONS,
FieldNames: []string{"field_a"},
SecondaryFieldNames: []string{"field_b", "field_c"},
AllowedOptionValues: []string{"value_a", "value_b"},
}.Build(),
}
args := &structpb.Struct{
Fields: map[string]*structpb.Value{
"field_a": structpb.NewStringValue("value_a"),
"field_b": structpb.NewStringValue("value_b"),
"field_c": structpb.NewStringValue("value_c"),
},
}
err := validateActionConstraints(constraints, args)
require.NoError(t, err)
})

t.Run("duplicate secondary field names are deduplicated - DependentOn", func(t *testing.T) {
// Secondary field names should also be deduplicated
constraints := []*config.Constraint{
Expand Down
2 changes: 2 additions & 0 deletions proto/c1/config/v1/config.proto
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@ enum ConstraintKind {
CONSTRAINT_KIND_AT_LEAST_ONE = 2;
CONSTRAINT_KIND_MUTUALLY_EXCLUSIVE = 3;
CONSTRAINT_KIND_DEPENDENT_ON = 4;
CONSTRAINT_KIND_ALLOWED_OPTIONS = 5;
}

message Constraint {
Expand All @@ -36,6 +37,7 @@ message Constraint {
string name = 4; // optional
string help_text = 5; // optional
bool is_field_group = 6;
repeated string allowed_option_values = 7;
Copy link
Contributor

@ggreer ggreer Feb 10, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

StringField already has a StringRules that lets you specify a whitelist of allowed values.

baton-sdk/proto/c1/config/v1/rules.proto

Line 178 in 562e873

repeated string in = 10;
StringField also has a StringFieldOption that lets you specify options for a dropdown or select widget. StringSliceField has a similar RepeatedStringRules that lets you do the same thing.

Copy link
Author

@socialyadept socialyadept Feb 11, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The StringRules.in field handles static validation... a fixed whitelist that applies unconditionally. Our case is different: we need conditional constraints where the allowed values for one field change based on the value of another field.

Concrete example from the GitHub connector: when creating a team, the privacy field normally allows secret or closed. But if the user sets parent (making it a child team), privacy must be restricted to only closed. This is a cross-field dependency that StringRules.in can't express.

More details and a video walkthrough: DIR-146

I implemented this with Constraint messages on the action schema:

Github PR with an example code is shared below:

Constraints: []*config.Constraint{
			{
				Kind:                config.ConstraintKind_CONSTRAINT_KIND_ALLOWED_OPTIONS,
				FieldNames:          []string{"privacy"},
				SecondaryFieldNames: []string{"parent"},
				AllowedOptionValues: []string{"closed"}, // options limited only when parent is set
				Name:                "Privacy must be closed if parent is set",
				HelpText:            "Privacy must be closed if parent is set",
			},
		},

https://github.com/ConductorOne/baton-github/blob/59d95fd29f928b7ce46a365e5501114ab85c176c/pkg/connector/team.go#L392

The alternative would be to add conditional logic directly to the rules, something like:

message StringRules {
  // ... existing fields

  // Conditionally override this rule when another field matches a value.
  ConditionWhen when = 28;
}

message ConditionWhen {
  // The field whose value triggers this condition.
  string field_name = 1;
  // The condition applies when the field matches any of these values.
  repeated string field_values = 2;
}

But that couples validation rules to cross-field awareness, which gets complex quickly (nested conditions, multiple dependencies, etc.).

What do you think?

}

message FieldGroup {
Expand Down
Loading