npm - @opentdf/sdk - Versions diffs - 0.3.0 → 0.3.2-beta.1 - Mend

@opentdf/sdk 0.3.0 → 0.3.2-beta.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (227) hide show

package/tdf3/src/client/index.ts CHANGED Viewed

@@ -19,7 +19,12 @@ import { OIDCRefreshTokenProvider } from '../../../src/auth/oidc-refreshtoken-pr
 import { OIDCExternalJwtProvider } from '../../../src/auth/oidc-externaljwt-provider.js';
 import { CryptoService } from '../crypto/declarations.js';
 import { type AuthProvider, HttpRequest, withHeaders } from '../../../src/auth/auth.js';
-import { pemToCryptoPublicKey, rstrip, validateSecureUrl } from '../../../src/utils.js';
+import {
+  getPlatformUrlFromKasEndpoint,
+  pemToCryptoPublicKey,
+  rstrip,
+  validateSecureUrl,
+} from '../../../src/utils.js';
 import {
   type EncryptParams,
@@ -39,6 +44,7 @@ import {
   EncryptParamsBuilder,
 } from './builders.js';
 import {
+  fetchKeyAccessServers,
   type KasPublicKeyInfo,
   keyAlgorithmToPublicKeyAlgorithm,
   OriginAllowList,
@@ -73,7 +79,7 @@ export const resolveKasInfo = async (
   kid?: string
 ): Promise<KasPublicKeyInfo> => {
   const k: CryptoKey = await pemToCryptoPublicKey(pem);
-  const algorithm = keyAlgorithmToPublicKeyAlgorithm(k.algorithm);
+  const algorithm = keyAlgorithmToPublicKeyAlgorithm(k);
   return {
     key: Promise.resolve(k),
     publicKey: pem,
@@ -125,7 +131,7 @@ export interface ClientConfig {
   clientId?: string;
   dpopEnabled?: boolean;
   dpopKeys?: Promise<CryptoKeyPair>;
-  kasEndpoint?: string;
+  kasEndpoint: string;
   /**
    * Service to use to look up ABAC. Used during autoconfigure. Defaults to
    * kasEndpoint without the trailing `/kas` path segment, if present.
@@ -133,9 +139,11 @@ export interface ClientConfig {
   policyEndpoint?: string;
   /**
    * List of allowed KASes to connect to for rewrap requests.
-   * Defaults to `[kasEndpoint]`.
+   * Defaults to `[]`.
    */
   allowedKases?: string[];
+  // Platform URL to use to lookup allowed KASes when allowedKases is empty
+  platformUrl?: string;
   ignoreAllowList?: boolean;
   easEndpoint?: string;
   // DEPRECATED Ignored
@@ -237,7 +245,12 @@ export class Client {
    * List of allowed KASes to connect to for rewrap requests.
    * Defaults to `[this.kasEndpoint]`.
    */
-  readonly allowedKases: OriginAllowList;
+  readonly allowedKases?: OriginAllowList;
+  /**
+   * URL of the platform, required to fetch list of allowed KASes when allowedKases is empty
+   */
+  readonly platformUrl?: string;
   readonly kasKeys: Record<string, Promise<KasPublicKeyInfo>[]> = {};
@@ -287,10 +300,17 @@ export class Client {
       this.kasEndpoint = clientConfig.keyRewrapEndpoint.replace(/\/rewrap$/, '');
     }
     this.kasEndpoint = rstrip(this.kasEndpoint, '/');
+    if (!validateSecureUrl(this.kasEndpoint)) {
+      throw new ConfigurationError(`Invalid KAS endpoint [${this.kasEndpoint}]`);
+    }
+    if (config.platformUrl) {
+      this.platformUrl = config.platformUrl;
+    }
     if (clientConfig.policyEndpoint) {
-      this.policyEndpoint = rstrip(clientConfig.policyEndpoint, '/');
-    } else if (this.kasEndpoint.endsWith('/kas')) {
-      this.policyEndpoint = this.kasEndpoint.slice(0, -4);
+      this.policyEndpoint = getPlatformUrlFromKasEndpoint(clientConfig.policyEndpoint);
     }
     const kasOrigin = new URL(this.kasEndpoint).origin;
@@ -299,16 +319,12 @@ export class Client {
         clientConfig.allowedKases,
         !!clientConfig.ignoreAllowList
       );
-      if (!validateSecureUrl(this.kasEndpoint) && !this.allowedKases.allows(kasOrigin)) {
-        throw new ConfigurationError(`Invalid KAS endpoint [${this.kasEndpoint}]`);
-      }
-    } else {
-      if (!validateSecureUrl(this.kasEndpoint)) {
+      if (!this.allowedKases.allows(kasOrigin)) {
+        // TODO PR: ask if in this cases it makes more sense to add defaultKASEndpoint to the allow list if the allowList is not empty but doesn't have the defaultKas
         throw new ConfigurationError(
-          `Invalid KAS endpoint [${this.kasEndpoint}]; to force, please list it among allowedKases`
+          `Invalid KAS endpoint [${this.kasEndpoint}]. When allowedKases is set, defaultKASEndpoint needs to be in the allow list`
         );
       }
-      this.allowedKases = new OriginAllowList([kasOrigin], !!clientConfig.ignoreAllowList);
     }
     this.authProvider = config.authProvider;
@@ -381,7 +397,8 @@ export class Client {
       windowSize = DEFAULT_SEGMENT_SIZE,
       keyMiddleware = defaultKeyMiddleware,
       streamMiddleware = async (stream: DecoratedReadableStream) => stream,
-      wrappingKeyAlgorithm = 'rsa:2048',
+      tdfSpecVersion,
+      wrappingKeyAlgorithm,
     } = opts;
     const scope = opts.scope ?? { attributes: [], dissem: [] };
@@ -426,8 +443,9 @@ export class Client {
       const detailedPlan = plan(avs);
       splitPlan = detailedPlan.map((kat) => {
         const { kas, sid } = kat;
-        if (kas?.publicKey?.cached?.keys && !(kas.uri in this.kasKeys)) {
-          const keys = kas.publicKey.cached.keys;
+        const pubKey = kas.publicKey?.publicKey;
+        if (pubKey?.case === 'cached' && pubKey.value.keys && !(kas.uri in this.kasKeys)) {
+          const keys = pubKey.value.keys;
           if (keys?.length) {
             this.kasKeys[kas.uri] = keys.map((key) => resolveKasInfo(key.pem, kas.uri, key.kid));
           }
@@ -498,6 +516,7 @@ export class Client {
       keyForEncryption,
       keyForManifest,
       assertionConfigs: opts.assertionConfigs,
+      tdfSpecVersion,
     };
     return (streamMiddleware as EncryptStreamMiddleware)(await writeStream(ecfg));
@@ -529,8 +548,12 @@ export class Client {
       throw new ConfigurationError('AuthProvider missing');
     }
     const chunker = await makeChunkable(source);
-    if (!allowList) {
+    if (!allowList && this.allowedKases) {
       allowList = this.allowedKases;
+    } else if (this.platformUrl) {
+      allowList = await fetchKeyAccessServers(this.platformUrl, this.authProvider);
+    } else {
+      throw new ConfigurationError('platformUrl is required when allowedKases is empty');
     }
     // Await in order to catch any errors from this call.

package/tdf3/src/models/manifest.ts CHANGED Viewed

@@ -6,7 +6,8 @@ export type Manifest = {
   payload: Payload;
   encryptionInformation: EncryptionInformation;
   assertions: Assertion[];
-  schemaVersion: string;
+  // Required in later versions, optional prior to 4.3.0
+  schemaVersion?: string;
   // Deprecated
   tdf_spec_version?: string;
 };

package/tdf3/src/tdf.ts CHANGED Viewed

@@ -199,7 +199,7 @@ export async function fetchKasPublicKey(
   kas: string,
   algorithm?: KasPublicKeyAlgorithm
 ): Promise<KasPublicKeyInfo> {
-  return fetchKasPubKeyV2(kas, algorithm || 'rsa:2048');
+  return fetchKasPubKeyV2(kas, algorithm);
 }
 export async function extractPemFromKeyString(
@@ -287,8 +287,8 @@ async function _generateManifest(
   keyInfo: KeyInfo,
   encryptionInformation: SplitKey,
   policy: Policy,
-  mimeType: string | undefined,
-  targetSpecVersion: string | undefined
+  mimeType?: string,
+  targetSpecVersion?: string
 ): Promise<Manifest> {
   // (maybe) Fields are quoted to avoid renaming
   const payload: Payload = {
@@ -301,13 +301,19 @@ async function _generateManifest(
   const encryptionInformationStr = await encryptionInformation.write(policy, keyInfo);
   const assertions: assertions.Assertion[] = [];
-  return {
+  const partial = {
     payload,
     // generate the manifest first, then insert integrity information into it
     encryptionInformation: encryptionInformationStr,
     assertions: assertions,
-    // when `targetSpecVersion` is provided, overrides the tdfSpecVersion
-    schemaVersion: targetSpecVersion || tdfSpecVersion,
+  };
+  const schemaVersion = targetSpecVersion || tdfSpecVersion;
+  if (schemaVersion === '4.2.2') {
+    return partial;
+  }
+  return {
+    ...partial,
+    schemaVersion,
   };
 }
@@ -401,7 +407,7 @@ export async function writeStream(cfg: EncryptConfiguration): Promise<DecoratedR
     cfg.encryptionInformation,
     cfg.policy,
     cfg.mimeType,
-    cfg.tdfSpecVersion ?? '4.3.0'
+    cfg.tdfSpecVersion
   );
   if (!manifest) {
@@ -531,10 +537,14 @@ export async function writeStream(cfg: EncryptConfiguration): Promise<DecoratedR
                 alg: 'HS256',
                 key: new Uint8Array(cfg.keyForEncryption.unwrappedKeyBinary.asArrayBuffer()),
               };
-              const assertion = await assertions.CreateAssertion(aggregateHash, {
-                ...assertionConfig,
-                signingKey,
-              });
+              const assertion = await assertions.CreateAssertion(
+                aggregateHash,
+                {
+                  ...assertionConfig,
+                  signingKey,
+                },
+                cfg.tdfSpecVersion
+              );
               // Add signed assertion to the signedAssertions array
               signedAssertions.push(assertion);
@@ -756,9 +766,8 @@ async function unwrapKey({
     const { entityWrappedKey, metadata, sessionPublicKey } = await fetchWrappedKey(
       url,
-      { signedRequestToken },
-      authProvider,
-      '0.0.1'
+      signedRequestToken,
+      authProvider
     );
     if (wrappingKeyAlgorithm === 'ec:secp256r1') {
@@ -768,7 +777,7 @@ async function unwrapKey({
         hkdfSalt: await ztdfSalt,
         hkdfHash: 'SHA-256',
       });
-      const wrappedKeyAndNonce = base64.decodeArrayBuffer(entityWrappedKey);
+      const wrappedKeyAndNonce = entityWrappedKey;
       const iv = wrappedKeyAndNonce.slice(0, 12);
       const wrappedKey = wrappedKeyAndNonce.slice(12);
@@ -779,7 +788,7 @@ async function unwrapKey({
         metadata,
       };
     }
-    const key = Binary.fromString(base64.decode(entityWrappedKey));
+    const key = Binary.fromArrayBuffer(entityWrappedKey);
     const decryptedKeyBinary = await cryptoService.decryptWithPrivateKey(
       key,
       ephemeralEncryptionKeys.privateKey

package/src/platform/authorization/authorization_connect.d.ts DELETED Viewed

@@ -1,44 +0,0 @@
-// @generated by protoc-gen-connect-es v1.4.0 with parameter "target=js+dts,import_extension=none"
-// @generated from file authorization/authorization.proto (package authorization, syntax proto3)
-/* eslint-disable */
-// @ts-nocheck
-import { GetDecisionsByTokenRequest, GetDecisionsByTokenResponse, GetDecisionsRequest, GetDecisionsResponse, GetEntitlementsRequest, GetEntitlementsResponse } from "./authorization_pb";
-import { MethodKind } from "@bufbuild/protobuf";
-/**
- * @generated from service authorization.AuthorizationService
- */
-export declare const AuthorizationService: {
-  readonly typeName: "authorization.AuthorizationService",
-  readonly methods: {
-    /**
-     * @generated from rpc authorization.AuthorizationService.GetDecisions
-     */
-    readonly getDecisions: {
-      readonly name: "GetDecisions",
-      readonly I: typeof GetDecisionsRequest,
-      readonly O: typeof GetDecisionsResponse,
-      readonly kind: MethodKind.Unary,
-    },
-    /**
-     * @generated from rpc authorization.AuthorizationService.GetDecisionsByToken
-     */
-    readonly getDecisionsByToken: {
-      readonly name: "GetDecisionsByToken",
-      readonly I: typeof GetDecisionsByTokenRequest,
-      readonly O: typeof GetDecisionsByTokenResponse,
-      readonly kind: MethodKind.Unary,
-    },
-    /**
-     * @generated from rpc authorization.AuthorizationService.GetEntitlements
-     */
-    readonly getEntitlements: {
-      readonly name: "GetEntitlements",
-      readonly I: typeof GetEntitlementsRequest,
-      readonly O: typeof GetEntitlementsResponse,
-      readonly kind: MethodKind.Unary,
-    },
-  }
-};

package/src/platform/authorization/authorization_connect.js DELETED Viewed

@@ -1,44 +0,0 @@
-// @generated by protoc-gen-connect-es v1.4.0 with parameter "target=js+dts,import_extension=none"
-// @generated from file authorization/authorization.proto (package authorization, syntax proto3)
-/* eslint-disable */
-// @ts-nocheck
-import { GetDecisionsByTokenRequest, GetDecisionsByTokenResponse, GetDecisionsRequest, GetDecisionsResponse, GetEntitlementsRequest, GetEntitlementsResponse } from "./authorization_pb";
-import { MethodKind } from "@bufbuild/protobuf";
-/**
- * @generated from service authorization.AuthorizationService
- */
-export const AuthorizationService = {
-  typeName: "authorization.AuthorizationService",
-  methods: {
-    /**
-     * @generated from rpc authorization.AuthorizationService.GetDecisions
-     */
-    getDecisions: {
-      name: "GetDecisions",
-      I: GetDecisionsRequest,
-      O: GetDecisionsResponse,
-      kind: MethodKind.Unary,
-    },
-    /**
-     * @generated from rpc authorization.AuthorizationService.GetDecisionsByToken
-     */
-    getDecisionsByToken: {
-      name: "GetDecisionsByToken",
-      I: GetDecisionsByTokenRequest,
-      O: GetDecisionsByTokenResponse,
-      kind: MethodKind.Unary,
-    },
-    /**
-     * @generated from rpc authorization.AuthorizationService.GetEntitlements
-     */
-    getEntitlements: {
-      name: "GetEntitlements",
-      I: GetEntitlementsRequest,
-      O: GetEntitlementsResponse,
-      kind: MethodKind.Unary,
-    },
-  }
-};