enhancement: Migrate to protovalidate (#4)

depends on cerbos/cerbos#1800 the `validator.Validate` cannot validate correctly because cerbos/cerbos#1800 has the newly generated code, while this module still being dependent on the previously generated code version. --------- Signed-off-by: Oğuzhan Durgun <oguzhandurgun95@gmail.com>
cerbos · Oct 3, 2023 · 0a48b82 · 0a48b82
1 parent 18b6a59
commit 0a48b82
Show file tree

Hide file tree

Showing 6 changed files with 89 additions and 35 deletions.
diff --git a/cerbos/grpc.go b/cerbos/grpc.go
@@ -12,7 +12,6 @@ import (
 	"os"
 	"time"
 
-	"github.com/cerbos/cerbos-sdk-go/internal"
 	effectv1 "github.com/cerbos/cerbos/api/genpb/cerbos/effect/v1"
 	enginev1 "github.com/cerbos/cerbos/api/genpb/cerbos/engine/v1"
 	requestv1 "github.com/cerbos/cerbos/api/genpb/cerbos/request/v1"
@@ -22,6 +21,8 @@ import (
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/credentials/insecure"
+
+	"github.com/cerbos/cerbos-sdk-go/internal"
 )
 
 var _ Client[*GRPCClient, PrincipalCtx] = (*GRPCClient)(nil)

diff --git a/cerbos/grpc_admin.go b/cerbos/grpc_admin.go
@@ -9,16 +9,16 @@ import (
 	"fmt"
 	"io"
 
-	"google.golang.org/grpc"
-	"google.golang.org/grpc/credentials"
-	"google.golang.org/protobuf/types/known/timestamppb"
-
-	"github.com/cerbos/cerbos-sdk-go/internal"
 	policyv1 "github.com/cerbos/cerbos/api/genpb/cerbos/policy/v1"
 	requestv1 "github.com/cerbos/cerbos/api/genpb/cerbos/request/v1"
 	responsev1 "github.com/cerbos/cerbos/api/genpb/cerbos/response/v1"
 	schemav1 "github.com/cerbos/cerbos/api/genpb/cerbos/schema/v1"
 	svcv1 "github.com/cerbos/cerbos/api/genpb/cerbos/svc/v1"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/cerbos/cerbos-sdk-go/internal"
 )
 
 const (
@@ -147,7 +147,7 @@ func (c *GRPCAdminClient) auditLogs(ctx context.Context, opts AuditLogOptions) (
 		req.Filter = &requestv1.ListAuditLogEntriesRequest_Lookup{Lookup: opts.Lookup}
 	}
 
-	if err := req.Validate(); err != nil {
+	if err := internal.Validate(req); err != nil {
 		return nil, err
 	}
 
@@ -164,7 +164,7 @@ func (c *GRPCAdminClient) ListPolicies(ctx context.Context, opts ...ListPolicies
 	for _, opt := range opts {
 		opt(req)
 	}
-	if err := req.Validate(); err != nil {
+	if err := internal.Validate(req); err != nil {
 		return nil, fmt.Errorf("could not validate list policies request: %w", err)
 	}
 
@@ -180,7 +180,7 @@ func (c *GRPCAdminClient) GetPolicy(ctx context.Context, ids ...string) ([]*poli
 	req := &requestv1.GetPolicyRequest{
 		Id: ids,
 	}
-	if err := req.Validate(); err != nil {
+	if err := internal.Validate(req); err != nil {
 		return nil, fmt.Errorf("could not validate get policy request: %w", err)
 	}
 
@@ -196,7 +196,7 @@ func (c *GRPCAdminClient) DisablePolicy(ctx context.Context, ids ...string) (uin
 	req := &requestv1.DisablePolicyRequest{
 		Id: ids,
 	}
-	if err := req.Validate(); err != nil {
+	if err := internal.Validate(req); err != nil {
 		return 0, fmt.Errorf("could not validate disable policy request: %w", err)
 	}
 
@@ -212,7 +212,7 @@ func (c *GRPCAdminClient) EnablePolicy(ctx context.Context, ids ...string) (uint
 	req := &requestv1.EnablePolicyRequest{
 		Id: ids,
 	}
-	if err := req.Validate(); err != nil {
+	if err := internal.Validate(req); err != nil {
 		return 0, fmt.Errorf("could not validate enable policy request: %w", err)
 	}
 
@@ -245,7 +245,7 @@ func (c *GRPCAdminClient) DeleteSchema(ctx context.Context, ids ...string) (uint
 	req := &requestv1.DeleteSchemaRequest{
 		Id: ids,
 	}
-	if err := req.Validate(); err != nil {
+	if err := internal.Validate(req); err != nil {
 		return 0, fmt.Errorf("could not validate delete schema request: %w", err)
 	}
 
@@ -259,7 +259,7 @@ func (c *GRPCAdminClient) DeleteSchema(ctx context.Context, ids ...string) (uint
 
 func (c *GRPCAdminClient) ListSchemas(ctx context.Context) ([]string, error) {
 	req := &requestv1.ListSchemasRequest{}
-	if err := req.Validate(); err != nil {
+	if err := internal.Validate(req); err != nil {
 		return nil, fmt.Errorf("could not validate list schemas request: %w", err)
 	}
 
@@ -275,7 +275,7 @@ func (c *GRPCAdminClient) GetSchema(ctx context.Context, ids ...string) ([]*sche
 	req := &requestv1.GetSchemaRequest{
 		Id: ids,
 	}
-	if err := req.Validate(); err != nil {
+	if err := internal.Validate(req); err != nil {
 		return nil, fmt.Errorf("could not validate get schema request: %w", err)
 	}
 
@@ -291,7 +291,7 @@ func (c *GRPCAdminClient) ReloadStore(ctx context.Context, wait bool) error {
 	req := &requestv1.ReloadStoreRequest{
 		Wait: wait,
 	}
-	if err := req.Validate(); err != nil {
+	if err := internal.Validate(req); err != nil {
 		return fmt.Errorf("could not validate reload store request: %w", err)
 	}
 

diff --git a/cerbos/model.go b/cerbos/model.go
@@ -12,18 +12,18 @@ import (
 	"sync"
 	"time"
 
-	"go.uber.org/multierr"
-	"google.golang.org/protobuf/encoding/protojson"
-	"google.golang.org/protobuf/types/known/structpb"
-
-	"github.com/cerbos/cerbos-sdk-go/internal"
 	auditv1 "github.com/cerbos/cerbos/api/genpb/cerbos/audit/v1"
 	effectv1 "github.com/cerbos/cerbos/api/genpb/cerbos/effect/v1"
 	enginev1 "github.com/cerbos/cerbos/api/genpb/cerbos/engine/v1"
 	policyv1 "github.com/cerbos/cerbos/api/genpb/cerbos/policy/v1"
 	requestv1 "github.com/cerbos/cerbos/api/genpb/cerbos/request/v1"
 	responsev1 "github.com/cerbos/cerbos/api/genpb/cerbos/response/v1"
 	schemav1 "github.com/cerbos/cerbos/api/genpb/cerbos/schema/v1"
+	"go.uber.org/multierr"
+	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/types/known/structpb"
+
+	"github.com/cerbos/cerbos-sdk-go/internal"
 )
 
 const apiVersion = "api.cerbos.dev/v1"
@@ -123,7 +123,7 @@ func (p *Principal) Validate() error {
 		return p.err
 	}
 
-	return p.Obj.Validate()
+	return internal.Validate(p.Obj)
 }
 
 // Resource is a single resource instance.
@@ -212,7 +212,7 @@ func (r *Resource) Validate() error {
 		return r.err
 	}
 
-	return r.Obj.Validate()
+	return internal.Validate(r.Obj)
 }
 
 // ResourceBatch is a container for a batch of heterogeneous resources.
@@ -237,7 +237,7 @@ func (rb *ResourceBatch) Add(resource *Resource, actions ...string) *ResourceBat
 		Resource: resource.Obj,
 	}
 
-	if err := entry.Validate(); err != nil {
+	if err := internal.Validate(entry); err != nil {
 		rb.err = multierr.Append(rb.err, fmt.Errorf("invalid resource '%s': %w", resource.Obj.Id, err))
 		return rb
 	}
@@ -263,7 +263,7 @@ func (rb *ResourceBatch) Validate() error {
 
 	var errList error
 	for _, entry := range rb.Batch {
-		if err := entry.Validate(); err != nil {
+		if err := internal.Validate(entry); err != nil {
 			errList = multierr.Append(errList, err)
 		}
 	}
@@ -687,7 +687,7 @@ func (s *Schema) AddIgnoredActions(actions ...string) *Schema {
 }
 
 func (s *Schema) Validate() error {
-	return s.Obj.Validate()
+	return internal.Validate(s.Obj)
 }
 
 func (s *Schema) build() *policyv1.Schemas_Schema {
@@ -849,7 +849,7 @@ func (rr *ResourceRule) Err() error {
 
 // Validate checks whether the resource rule is valid.
 func (rr *ResourceRule) Validate() error {
-	return rr.Obj.Validate()
+	return internal.Validate(rr.Obj)
 }
 
 // PrincipalPolicy is a builder for principal policies.
@@ -990,7 +990,7 @@ func (pr *PrincipalRule) Err() error {
 
 // Validate checks whether the rule is valid.
 func (pr *PrincipalRule) Validate() error {
-	return pr.Obj.Validate()
+	return internal.Validate(pr.Obj)
 }
 
 // DerivedRoles is a builder for derived roles.

diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module github.com/cerbos/cerbos-sdk-go
 go 1.20
 
 require (
+	github.com/bufbuild/protovalidate-go v0.3.1
 	github.com/cenkalti/backoff/v4 v4.2.1
 	github.com/cerbos/cerbos/api/genpb v0.0.0-20230925081347-341baa486365
 	github.com/ghodss/yaml v1.0.0
@@ -19,9 +20,11 @@ require (
 )
 
 require (
+	buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.31.0-20230914171853-63dfe56cc2c4.1 // indirect
 	github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 // indirect
 	github.com/Microsoft/go-winio v0.6.1 // indirect
 	github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 // indirect
+	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9 // indirect
 	github.com/containerd/continuity v0.3.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/decred/dcrd/dcrec/secp256k1/v4 v4.2.0 // indirect
@@ -34,10 +37,10 @@ require (
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
+	github.com/google/cel-go v0.17.6 // indirect
 	github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 // indirect
 	github.com/grpc-ecosystem/grpc-gateway/v2 v2.18.0 // indirect
 	github.com/imdario/mergo v0.3.15 // indirect
-	github.com/kr/text v0.2.0 // indirect
 	github.com/lestrrat-go/blackmagic v1.0.2 // indirect
 	github.com/lestrrat-go/httpcc v1.0.1 // indirect
 	github.com/lestrrat-go/httprc v1.0.4 // indirect
@@ -54,15 +57,17 @@ require (
 	github.com/rogpeppe/go-internal v1.11.0 // indirect
 	github.com/segmentio/asm v1.2.0 // indirect
 	github.com/sirupsen/logrus v1.9.2 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
 	github.com/xeipuuv/gojsonpointer v0.0.0-20190905194746-02993c407bfb // indirect
 	github.com/xeipuuv/gojsonreference v0.0.0-20180127040603-bd5ef7bd5415 // indirect
 	github.com/xeipuuv/gojsonschema v1.2.0 // indirect
 	golang.org/x/crypto v0.13.0 // indirect
+	golang.org/x/exp v0.0.0-20230905200255-921286631fa9 // indirect
 	golang.org/x/mod v0.12.0 // indirect
 	golang.org/x/net v0.15.0 // indirect
 	golang.org/x/sys v0.12.0 // indirect
 	golang.org/x/text v0.13.0 // indirect
-	golang.org/x/tools v0.11.0 // indirect
+	golang.org/x/tools v0.13.0 // indirect
 	google.golang.org/genproto v0.0.0-20230913181813-007df8e322eb // indirect
 	google.golang.org/genproto/googleapis/api v0.0.0-20230920204549-e6e6cdab5c13 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20230920183334-c177e329c48b // indirect

diff --git a/go.sum b/go.sum
@@ -1,10 +1,16 @@
+buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.31.0-20230914171853-63dfe56cc2c4.1 h1:2gmp+PRca1fqQHf/WMKOgu9inVb0R0N07TucgY3QZCQ=
+buf.build/gen/go/bufbuild/protovalidate/protocolbuffers/go v1.31.0-20230914171853-63dfe56cc2c4.1/go.mod h1:xafc+XIsTxTy76GJQ1TKgvJWsSugFBqMaN27WhUblew=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161 h1:L/gRVlceqvL25UVaW/CKtUDjefjrs0SPonmDGUVOYP0=
 github.com/Azure/go-ansiterm v0.0.0-20230124172434-306776ec8161/go.mod h1:xomTg63KZ2rFqZQzSB4Vz2SUXa1BpHTVz9L5PTmPC4E=
 github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
 github.com/Microsoft/go-winio v0.6.1 h1:9/kr64B9VUZrLm5YYwbGtUJnMgqWVOdUAXu6Migciow=
 github.com/Microsoft/go-winio v0.6.1/go.mod h1:LRdKpFKfdobln8UmuiYcKPot9D2v6svN5+sAH+4kjUM=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5 h1:TngWCqHvy9oXAN6lEVMRuU21PR1EtLVZJmdB18Gu3Rw=
 github.com/Nvveen/Gotty v0.0.0-20120604004816-cd527374f1e5/go.mod h1:lmUJ/7eu/Q8D7ML55dXQrVaamCz2vxCfdQBasLZfHKk=
+github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9 h1:goHVqTbFX3AIo0tzGr14pgfAW2ZfPChKO21Z9MGf/gk=
+github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM=
+github.com/bufbuild/protovalidate-go v0.3.1 h1:+jbgQXo+7SzttLbGwVClpHowXKEgwK1QG/bK4xrmUy8=
+github.com/bufbuild/protovalidate-go v0.3.1/go.mod h1:oD/fAR3ojBAunOmY3SGFJ4jhILpUtnuIalI4Id9rluY=
 github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM=
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/cerbos/cerbos/api/genpb v0.0.0-20230925081347-341baa486365 h1:2T2qdJx/US0o3sn2ffpFCAzdnAH+s/vx/64iFRsa/H4=
@@ -16,7 +22,6 @@ github.com/containerd/continuity v0.3.0 h1:nisirsYROK15TAMVukJOUyGJjz4BNQJBVsNvA
 github.com/containerd/continuity v0.3.0/go.mod h1:wJEAIwKOm/pBZuBd0JmeTvnLquTB1Ag8espWhkykbPM=
 github.com/coreos/go-systemd/v22 v22.3.2/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
 github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU=
-github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY=
 github.com/cyphar/filepath-securejoin v0.2.3/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -51,6 +56,8 @@ github.com/golang/glog v1.1.0 h1:/d3pCKDPWNnvIWe0vVUpNP32qc8U3PDVxySP/y360qE=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
 github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
 github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/google/cel-go v0.17.6 h1:QDvHTIJunIsbgN8yVukx0HGnsqVLSY6xGqo+17IjIyM=
+github.com/google/cel-go v0.17.6/go.mod h1:HXZKzB0LXqer5lHHgfWAnlYwJaQBDKMjxjulNQzhwhY=
 github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
@@ -72,7 +79,6 @@ github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
-github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/lestrrat-go/blackmagic v1.0.2 h1:Cg2gVSc9h7sz9NOByczrbUvLopQmXrfFx//N+AkAr5k=
 github.com/lestrrat-go/blackmagic v1.0.2/go.mod h1:UrEqBzIR2U6CnzVyUtfM6oZNMt/7O7Vohk2J0OGSAtU=
 github.com/lestrrat-go/httpcc v1.0.1 h1:ydWCStUeJLkpYyjLDHihupbn2tYmZ7m22BGkcvZZrIE=
@@ -121,6 +127,8 @@ github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeV
 github.com/sirupsen/logrus v1.8.1/go.mod h1:yWOB1SBYBC5VeMP7gHvWumXLIWorT60ONWic61uBYv0=
 github.com/sirupsen/logrus v1.9.2 h1:oxx1eChJGI6Uks2ZC4W1zpLlVgqB8ner4EuQwV4Ik1Y=
 github.com/sirupsen/logrus v1.9.2/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
+github.com/stoewer/go-strcase v1.3.0 h1:g0eASXYtp+yvN9fK8sH94oCIk0fau9uV1/ZdJ0AVEzs=
+github.com/stoewer/go-strcase v1.3.0/go.mod h1:fAH5hQ5pehh+j3nZfvwdk2RgEgQjAoM8wodgtPmh1xo=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
@@ -130,6 +138,7 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635/go.mod h1:hkRG7XYTFWNJGYcbNJQlaLq0fg1yr4J4t/NcTQtrfww=
@@ -154,6 +163,8 @@ golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPh
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
 golang.org/x/crypto v0.13.0 h1:mvySKfSWJ+UKUii46M40LOvyWfN0s2U+46/jDd0e6Ck=
 golang.org/x/crypto v0.13.0/go.mod h1:y6Z2r+Rw4iayiXXAIxJIDAJ1zMW4yaTpebo8fPOliYc=
+golang.org/x/exp v0.0.0-20230905200255-921286631fa9 h1:GoHiUyI/Tp2nVkLI2mCxVkOjsbSXD66ic0XW0js0R9g=
+golang.org/x/exp v0.0.0-20230905200255-921286631fa9/go.mod h1:S2oDrQGGwySpoQPVqRShND87VCbxmc6bL1Yd2oYrm6k=
 golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -216,8 +227,8 @@ golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roY
 golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
-golang.org/x/tools v0.11.0 h1:EMCa6U9S2LtZXLAMoWiR/R8dAQFRqbAitmbJ2UKhoi8=
-golang.org/x/tools v0.11.0/go.mod h1:anzJrxPjNtfgiYQYirP2CPGzGLxrH2u2QBhn6Bf3qY8=
+golang.org/x/tools v0.13.0 h1:Iey4qkscZuv0VvIt8E0neZjtPVQFSc870HQ448QgEmQ=
+golang.org/x/tools v0.13.0/go.mod h1:HvlwmtVNQAhOuCjW7xxvovg8wbNq7LwfXh/k7wXUl58=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=

diff --git a/internal/validate.go b/internal/validate.go
@@ -5,11 +5,48 @@ package internal
 
 import (
 	"fmt"
+	"sync"
 
-	policyv1 "github.com/cerbos/cerbos/api/genpb/cerbos/policy/v1"
+	"github.com/bufbuild/protovalidate-go"
 	"go.uber.org/multierr"
+	"google.golang.org/protobuf/proto"
+
+	enginev1 "github.com/cerbos/cerbos/api/genpb/cerbos/engine/v1"
+	policyv1 "github.com/cerbos/cerbos/api/genpb/cerbos/policy/v1"
+	requestv1 "github.com/cerbos/cerbos/api/genpb/cerbos/request/v1"
 )
 
+var (
+	validateFn    func(proto.Message) error
+	validatorOnce sync.Once
+)
+
+func Validate[T proto.Message](obj T) error {
+	validatorOnce.Do(func() {
+		validator, err := protovalidate.New(
+			protovalidate.WithMessages(
+				&enginev1.Principal{},
+				&enginev1.Resource{},
+				&policyv1.Policy{},
+				&requestv1.CheckResourcesRequest{},
+				&requestv1.PlanResourcesRequest{},
+				&requestv1.AddOrUpdatePolicyRequest{},
+			),
+		)
+		if err != nil {
+			validateFn = func(_ proto.Message) error {
+				return fmt.Errorf("failed to initialize validator: %w", err)
+			}
+		} else {
+			validateFn = func(m proto.Message) error {
+				return validator.Validate(m)
+			}
+		}
+	})
+
+	return validateFn(obj)
+}
+
 type Validatable interface {
 	Err() error
 	Validate() error
@@ -24,7 +61,7 @@ func IsValid[T Validatable](obj T) error {
 }
 
 func ValidatePolicy(p *policyv1.Policy) error {
-	if err := p.Validate(); err != nil {
+	if err := Validate(p); err != nil {
 		return err
 	}