@opentdf/sdk 0.3.0 → 0.3.2-beta.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@opentdf/sdk",
-  "version": "0.3.0",
+  "version": "0.3.2-beta.1",
   "description": "OpenTDF for the Web",
   "homepage": "https://github.com/opentdf/web-sdk",
   "bugs": {
@@ -52,6 +52,16 @@
       "types": "./dist/types/src/nanoindex.d.ts",
       "require": "./dist/cjs/src/nanoindex.js",
       "import": "./dist/web/src/nanoindex.js"
+    },
+    "./platform": {
+      "types": "./dist/types/src/platform.d.ts",
+      "require": "./dist/cjs/src/platform.js",
+      "import": "./dist/web/src/platform.js"
+    },
+    "./platform/*": {
+      "types": "./dist/types/src/platform/*",
+      "require": "./dist/cjs/src/platform/*",
+      "import": "./dist/web/src/platform/*"
     }
   },
   "scripts": {
@@ -65,13 +75,17 @@
     "lint": "eslint ./src/**/*.ts ./tdf3/**/*.ts ./tests/**/*.ts",
     "prepack": "npm run build",
     "test": "npm run build && npm run test:with-server",
+    "mock:platform": "npm run build && node dist/web/tests/server.js",
     "test:with-server": "node dist/web/tests/server.js & trap \"node dist/web/tests/stopServer.js\" EXIT; npm run test:mocha && npm run test:wtr && npm run test:browser && npm run coverage:merge",
     "test:browser": "npx webpack --config webpack.test.config.cjs && npx karma start karma.conf.cjs",
     "test:mocha": "c8 --exclude=\"dist/web/tests/**/*\" --report-dir=./coverage/mocha mocha 'dist/web/tests/mocha/**/*.spec.js' && npx c8 report --reporter=json --report-dir=./coverage/mocha",
     "test:wtr": "web-test-runner",
+    "test:wtr-manual": "web-test-runner --manual",
     "watch": "(trap 'kill 0' SIGINT; npm run build && (npm run build:watch & npm run test -- --watch))"
   },
   "dependencies": {
+    "@connectrpc/connect": "^2.0.2",
+    "@connectrpc/connect-web": "^2.0.2",
     "buffer-crc32": "^1.0.0",
     "dpop": "^1.4.1",
     "jose": "^6.0.8",
@@ -79,6 +93,8 @@
     "uuid": "~11.1.0"
   },
   "devDependencies": {
+    "@bufbuild/buf": "^1.52.1",
+    "@bufbuild/protoc-gen-es": "^2.2.5",
     "@eslint/js": "^9.21.0",
     "@esm-bundle/chai": "~4.3.4-fix.0",
     "@types/buffer-crc32": "^0.2.4",

package/src/access/access-fetch.ts

@@ -0,0 +1,202 @@
+import {
+  KasPublicKeyAlgorithm,
+  KasPublicKeyInfo,
+  noteInvalidPublicKey,
+  OriginAllowList,
+} from '../access.js';
+import { type AuthProvider } from '../auth/auth.js';
+import {
+  ConfigurationError,
+  InvalidFileError,
+  NetworkError,
+  PermissionDeniedError,
+  ServiceError,
+  UnauthenticatedError,
+} from '../errors.js';
+import { pemToCryptoPublicKey, validateSecureUrl } from '../utils.js';
+
+export type RewrapRequest = {
+  signedRequestToken: string;
+};
+
+export type RewrapResponseLegacy = {
+  metadata: Record<string, unknown>;
+  entityWrappedKey: string;
+  sessionPublicKey: string;
+  schemaVersion: string;
+};
+
+/**
+ * Get a rewrapped access key to the document, if possible
+ * @param url Key access server rewrap endpoint
+ * @param requestBody a signed request with an encrypted document key
+ * @param authProvider Authorization middleware
+ */
+export async function fetchWrappedKey(
+  url: string,
+  requestBody: RewrapRequest,
+  authProvider: AuthProvider
+): Promise<RewrapResponseLegacy> {
+  const req = await authProvider.withCreds({
+    url,
+    method: 'POST',
+    headers: {
+      'Content-Type': 'application/json',
+    },
+    body: JSON.stringify(requestBody),
+  });
+
+  let response: Response;
+
+  try {
+    response = await fetch(req.url, {
+      method: req.method,
+      mode: 'cors', // no-cors, *cors, same-origin
+      cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
+      credentials: 'same-origin', // include, *same-origin, omit
+      headers: req.headers,
+      redirect: 'follow', // manual, *follow, error
+      referrerPolicy: 'no-referrer', // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url
+      body: req.body as BodyInit,
+    });
+  } catch (e) {
+    throw new NetworkError(`unable to fetch wrapped key from [${url}]`, e);
+  }
+
+  if (!response.ok) {
+    switch (response.status) {
+      case 400:
+        throw new InvalidFileError(
+          `400 for [${req.url}]: rewrap bad request [${await response.text()}]`
+        );
+      case 401:
+        throw new UnauthenticatedError(`401 for [${req.url}]; rewrap auth failure`);
+      case 403:
+        throw new PermissionDeniedError(`403 for [${req.url}]; rewrap permission denied`);
+      default:
+        if (response.status >= 500) {
+          throw new ServiceError(
+            `${response.status} for [${req.url}]: rewrap failure due to service error [${await response.text()}]`
+          );
+        }
+        throw new NetworkError(
+          `${req.method} ${req.url} => ${response.status} ${response.statusText}`
+        );
+    }
+  }
+
+  return response.json();
+}
+
+export async function fetchKeyAccessServers(
+  platformUrl: string,
+  authProvider: AuthProvider
+): Promise<OriginAllowList> {
+  let nextOffset = 0;
+  const allServers = [];
+  do {
+    const req = await authProvider.withCreds({
+      url: `${platformUrl}/key-access-servers?pagination.offset=${nextOffset}`,
+      method: 'GET',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+    });
+    let response: Response;
+    try {
+      response = await fetch(req.url, {
+        method: req.method,
+        headers: req.headers,
+        body: req.body as BodyInit,
+        mode: 'cors',
+        cache: 'no-cache',
+        credentials: 'same-origin',
+        redirect: 'follow',
+        referrerPolicy: 'no-referrer',
+      });
+    } catch (e) {
+      throw new NetworkError(`unable to fetch kas list from [${req.url}]`, e);
+    }
+    // if we get an error from the kas registry, throw an error
+    if (!response.ok) {
+      throw new ServiceError(
+        `unable to fetch kas list from [${req.url}], status: ${response.status}`
+      );
+    }
+    const { keyAccessServers = [], pagination = {} } = await response.json();
+    allServers.push(...keyAccessServers);
+    nextOffset = pagination.nextOffset || 0;
+  } while (nextOffset > 0);
+
+  const serverUrls = allServers.map((server) => server.uri);
+  // add base platform kas
+  if (!serverUrls.includes(`${platformUrl}/kas`)) {
+    serverUrls.push(`${platformUrl}/kas`);
+  }
+
+  return new OriginAllowList(serverUrls, false);
+}
+
+export async function fetchKasPubKey(
+  kasEndpoint: string,
+  algorithm?: KasPublicKeyAlgorithm
+): Promise<KasPublicKeyInfo> {
+  if (!kasEndpoint) {
+    throw new ConfigurationError('KAS definition not found');
+  }
+  // Logs insecure KAS. Secure is enforced in constructor
+  validateSecureUrl(kasEndpoint);
+
+  // Parse kasEndpoint to URL, then append to its path and update its query parameters
+  let pkUrlV2: URL;
+  try {
+    pkUrlV2 = new URL(kasEndpoint);
+  } catch (e) {
+    throw new ConfigurationError(`KAS definition invalid: [${kasEndpoint}]`, e);
+  }
+  if (!pkUrlV2.pathname.endsWith('kas_public_key')) {
+    if (!pkUrlV2.pathname.endsWith('/')) {
+      pkUrlV2.pathname += '/';
+    }
+    pkUrlV2.pathname += 'v2/kas_public_key';
+  }
+  pkUrlV2.searchParams.set('algorithm', algorithm || 'rsa:2048');
+  if (!pkUrlV2.searchParams.get('v')) {
+    pkUrlV2.searchParams.set('v', '2');
+  }
+
+  let kasPubKeyResponseV2: Response;
+  try {
+    kasPubKeyResponseV2 = await fetch(pkUrlV2);
+  } catch (e) {
+    throw new NetworkError(`unable to fetch public key from [${pkUrlV2}]`, e);
+  }
+  if (!kasPubKeyResponseV2.ok) {
+    switch (kasPubKeyResponseV2.status) {
+      case 404:
+        throw new ConfigurationError(`404 for [${pkUrlV2}]`);
+      case 401:
+        throw new UnauthenticatedError(`401 for [${pkUrlV2}]`);
+      case 403:
+        throw new PermissionDeniedError(`403 for [${pkUrlV2}]`);
+      default:
+        throw new NetworkError(
+          `${pkUrlV2} => ${kasPubKeyResponseV2.status} ${kasPubKeyResponseV2.statusText}`
+        );
+    }
+  }
+  const jsonContent = await kasPubKeyResponseV2.json();
+  const { publicKey, kid }: KasPublicKeyInfo = jsonContent;
+  if (!publicKey) {
+    throw new NetworkError(
+      `invalid response from public key endpoint [${JSON.stringify(jsonContent)}]`
+    );
+  }
+  return {
+    key: noteInvalidPublicKey(pkUrlV2, pemToCryptoPublicKey(publicKey)),
+    publicKey,
+    url: kasEndpoint,
+    algorithm: algorithm || 'rsa:2048',
+    ...(kid && { kid }),
+  };
+}

package/src/access/access-rpc.ts

@@ -0,0 +1,175 @@
+import {
+  isPublicKeyAlgorithm,
+  KasPublicKeyAlgorithm,
+  KasPublicKeyInfo,
+  noteInvalidPublicKey,
+  OriginAllowList,
+} from '../access.js';
+import { type AuthProvider } from '../auth/auth.js';
+import { ConfigurationError, NetworkError } from '../errors.js';
+import { PlatformClient } from '../platform.js';
+import { RewrapResponse } from '../platform/kas/kas_pb.js';
+import { ListKeyAccessServersResponse } from '../platform/policy/kasregistry/key_access_server_registry_pb.js';
+import {
+  extractRpcErrorMessage,
+  getPlatformUrlFromKasEndpoint,
+  pemToCryptoPublicKey,
+  validateSecureUrl,
+} from '../utils.js';
+
+/**
+ * Get a rewrapped access key to the document, if possible
+ * @param url Key access server rewrap endpoint
+ * @param requestBody a signed request with an encrypted document key
+ * @param authProvider Authorization middleware
+ * @param clientVersion
+ */
+export async function fetchWrappedKey(
+  url: string,
+  signedRequestToken: string,
+  authProvider: AuthProvider
+): Promise<RewrapResponse> {
+  const platformUrl = getPlatformUrlFromKasEndpoint(url);
+  const platform = new PlatformClient({ authProvider, platformUrl });
+  try {
+    return await platform.v1.access.rewrap({
+      signedRequestToken,
+    });
+  } catch (e) {
+    throw new NetworkError(`[${platformUrl}] [Rewrap] ${extractRpcErrorMessage(e)}`);
+  }
+}
+
+export async function fetchKeyAccessServers(
+  platformUrl: string,
+  authProvider: AuthProvider
+): Promise<OriginAllowList> {
+  let nextOffset = 0;
+  const allServers = [];
+  const platform = new PlatformClient({ authProvider, platformUrl });
+
+  do {
+    let response: ListKeyAccessServersResponse;
+    try {
+      response = await platform.v1.keyAccessServerRegistry.listKeyAccessServers({
+        pagination: {
+          offset: nextOffset,
+        },
+      });
+    } catch (e) {
+      throw new NetworkError(
+        `[${platformUrl}] [ListKeyAccessServers] ${extractRpcErrorMessage(e)}`
+      );
+    }
+
+    allServers.push(...response.keyAccessServers);
+    nextOffset = response?.pagination?.nextOffset || 0;
+  } while (nextOffset > 0);
+
+  const serverUrls = allServers.map((server) => server.uri);
+  // add base platform kas
+  if (!serverUrls.includes(`${platformUrl}/kas`)) {
+    serverUrls.push(`${platformUrl}/kas`);
+  }
+
+  return new OriginAllowList(serverUrls, false);
+}
+
+interface PlatformBaseKey {
+  kas_id?: string;
+  kas_uri: string;
+  public_key: {
+    algorithm: KasPublicKeyAlgorithm;
+    kid: string;
+    pem: string;
+  };
+}
+
+function isBaseKey(baseKey?: unknown): baseKey is PlatformBaseKey {
+  if (!baseKey) {
+    return false;
+  }
+  const bk = baseKey as PlatformBaseKey;
+  return (
+    !!bk.kas_uri &&
+    !!bk.public_key &&
+    typeof bk.public_key === 'object' &&
+    !!bk.public_key.pem &&
+    !!bk.public_key.algorithm &&
+    isPublicKeyAlgorithm(bk.public_key.algorithm)
+  );
+}
+
+export async function fetchKasPubKey(
+  kasEndpoint: string,
+  algorithm?: KasPublicKeyAlgorithm
+): Promise<KasPublicKeyInfo> {
+  if (!kasEndpoint) {
+    throw new ConfigurationError('KAS definition not found');
+  }
+  // Logs insecure KAS. Secure is enforced in constructor
+  validateSecureUrl(kasEndpoint);
+
+  const platformUrl = getPlatformUrlFromKasEndpoint(kasEndpoint);
+  const platform = new PlatformClient({
+    platformUrl,
+  });
+  try {
+    const { kid, publicKey } = await platform.v1.access.publicKey({
+      algorithm: algorithm || 'rsa:2048',
+      v: '2',
+    });
+    const result: KasPublicKeyInfo = {
+      key: noteInvalidPublicKey(new URL(platformUrl), pemToCryptoPublicKey(publicKey)),
+      publicKey,
+      url: kasEndpoint,
+      algorithm: algorithm || 'rsa:2048',
+      ...(kid && { kid }),
+    };
+    return result;
+  } catch (e) {
+    throw new NetworkError(`[${platformUrl}] [PublicKey] ${extractRpcErrorMessage(e)}`);
+  }
+}
+
+/**
+ * Fetch the base public key from WellKnownConfiguration of the platform.
+ * @param kasEndpoint The KAS endpoint URL.
+ * @throws {ConfigurationError} If the KAS endpoint is not defined.
+ * @throws {NetworkError} If there is an error fetching the public key from the KAS endpoint.
+ * @returns The base public key information for the KAS endpoint.
+ */
+export async function fetchKasBasePubKey(kasEndpoint: string): Promise<KasPublicKeyInfo> {
+  if (!kasEndpoint) {
+    throw new ConfigurationError('KAS definition not found');
+  }
+  validateSecureUrl(kasEndpoint);
+
+  const platformUrl = getPlatformUrlFromKasEndpoint(kasEndpoint);
+  const platform = new PlatformClient({
+    platformUrl,
+  });
+  try {
+    const { configuration } = await platform.v1.wellknown.getWellKnownConfiguration({});
+    const baseKey = configuration?.base_key as unknown as PlatformBaseKey;
+    if (!isBaseKey(baseKey)) {
+      throw new NetworkError(
+        `Invalid Platform Configuration: [${kasEndpoint}] is missing BaseKey in WellKnownConfiguration`
+      );
+    }
+
+    const result: KasPublicKeyInfo = {
+      key: noteInvalidPublicKey(
+        new URL(baseKey.kas_uri),
+        pemToCryptoPublicKey(baseKey.public_key.pem)
+      ),
+      publicKey: baseKey.public_key.pem,
+      url: baseKey.kas_uri,
+      algorithm: baseKey.public_key.algorithm,
+      kid: baseKey.public_key.kid,
+    };
+    return result;
+  } catch (e) {
+    throw new NetworkError(`[${platformUrl}] [PublicKey] ${extractRpcErrorMessage(e)}`);
+  }
+}