@opentdf/sdk 0.3.0 → 0.3.2-beta.2277

package/tdf3/src/client/index.ts

@@ -39,6 +39,7 @@ import {
   EncryptParamsBuilder,
 } from './builders.js';
 import {
+  fetchKeyAccessServers,
   type KasPublicKeyInfo,
   keyAlgorithmToPublicKeyAlgorithm,
   OriginAllowList,
@@ -125,7 +126,7 @@ export interface ClientConfig {
   clientId?: string;
   dpopEnabled?: boolean;
   dpopKeys?: Promise<CryptoKeyPair>;
-  kasEndpoint?: string;
+  kasEndpoint: string;
   /**
    * Service to use to look up ABAC. Used during autoconfigure. Defaults to
    * kasEndpoint without the trailing `/kas` path segment, if present.
@@ -133,9 +134,11 @@ export interface ClientConfig {
   policyEndpoint?: string;
   /**
    * List of allowed KASes to connect to for rewrap requests.
-   * Defaults to `[kasEndpoint]`.
+   * Defaults to `[]`.
    */
   allowedKases?: string[];
+  // Platform URL to use to lookup allowed KASes when allowedKases is empty
+  platformUrl?: string;
   ignoreAllowList?: boolean;
   easEndpoint?: string;
   // DEPRECATED Ignored
@@ -237,7 +240,12 @@ export class Client {
    * List of allowed KASes to connect to for rewrap requests.
    * Defaults to `[this.kasEndpoint]`.
    */
-  readonly allowedKases: OriginAllowList;
+  readonly allowedKases?: OriginAllowList;
+
+  /**
+   * URL of the platform, required to fetch list of allowed KASes when allowedKases is empty
+   */
+  readonly platformUrl?: string;
 
   readonly kasKeys: Record<string, Promise<KasPublicKeyInfo>[]> = {};
 
@@ -287,6 +295,14 @@ export class Client {
       this.kasEndpoint = clientConfig.keyRewrapEndpoint.replace(/\/rewrap$/, '');
     }
     this.kasEndpoint = rstrip(this.kasEndpoint, '/');
+
+    if (!validateSecureUrl(this.kasEndpoint)) {
+      throw new ConfigurationError(`Invalid KAS endpoint [${this.kasEndpoint}]`);
+    }
+    if (config.platformUrl) {
+      this.platformUrl = config.platformUrl;
+    }
+
     if (clientConfig.policyEndpoint) {
       this.policyEndpoint = rstrip(clientConfig.policyEndpoint, '/');
     } else if (this.kasEndpoint.endsWith('/kas')) {
@@ -299,16 +315,12 @@ export class Client {
         clientConfig.allowedKases,
         !!clientConfig.ignoreAllowList
       );
-      if (!validateSecureUrl(this.kasEndpoint) && !this.allowedKases.allows(kasOrigin)) {
-        throw new ConfigurationError(`Invalid KAS endpoint [${this.kasEndpoint}]`);
-      }
-    } else {
-      if (!validateSecureUrl(this.kasEndpoint)) {
+      if (!this.allowedKases.allows(kasOrigin)) {
+        // TODO PR: ask if in this cases it makes more sense to add defaultKASEndpoint to the allow list if the allowList is not empty but doesn't have the defaultKas
         throw new ConfigurationError(
-          `Invalid KAS endpoint [${this.kasEndpoint}]; to force, please list it among allowedKases`
+          `Invalid KAS endpoint [${this.kasEndpoint}]. When allowedKases is set, defaultKASEndpoint needs to be in the allow list`
         );
       }
-      this.allowedKases = new OriginAllowList([kasOrigin], !!clientConfig.ignoreAllowList);
     }
 
     this.authProvider = config.authProvider;
@@ -381,6 +393,7 @@ export class Client {
       windowSize = DEFAULT_SEGMENT_SIZE,
       keyMiddleware = defaultKeyMiddleware,
       streamMiddleware = async (stream: DecoratedReadableStream) => stream,
+      tdfSpecVersion,
       wrappingKeyAlgorithm = 'rsa:2048',
     } = opts;
     const scope = opts.scope ?? { attributes: [], dissem: [] };
@@ -444,6 +457,7 @@ export class Client {
         ? maxByteLimit
         : opts.byteLimit;
     const encryptionInformation = new SplitKey(new AesGcmCipher(this.cryptoService));
+    // TODO KAS: check here
     const splits: SplitStep[] = splitPlan?.length
       ? splitPlan
       : [{ kas: opts.defaultKASEndpoint ?? this.kasEndpoint }];
@@ -498,6 +512,7 @@ export class Client {
       keyForEncryption,
       keyForManifest,
       assertionConfigs: opts.assertionConfigs,
+      tdfSpecVersion,
     };
 
     return (streamMiddleware as EncryptStreamMiddleware)(await writeStream(ecfg));
@@ -529,8 +544,12 @@ export class Client {
       throw new ConfigurationError('AuthProvider missing');
     }
     const chunker = await makeChunkable(source);
-    if (!allowList) {
+    if (!allowList && this.allowedKases) {
       allowList = this.allowedKases;
+    } else if (this.platformUrl) {
+      allowList = await fetchKeyAccessServers(this.platformUrl, this.authProvider);
+    } else {
+      throw new ConfigurationError('platformUrl is required when allowedKases is empty');
     }
 
     // Await in order to catch any errors from this call.

package/tdf3/src/models/manifest.ts

@@ -6,7 +6,8 @@ export type Manifest = {
   payload: Payload;
   encryptionInformation: EncryptionInformation;
   assertions: Assertion[];
-  schemaVersion: string;
+  // Required in later versions, optional prior to 4.3.0
+  schemaVersion?: string;
   // Deprecated
   tdf_spec_version?: string;
 };

package/tdf3/src/tdf.ts

@@ -287,8 +287,8 @@ async function _generateManifest(
   keyInfo: KeyInfo,
   encryptionInformation: SplitKey,
   policy: Policy,
-  mimeType: string | undefined,
-  targetSpecVersion: string | undefined
+  mimeType?: string,
+  targetSpecVersion?: string
 ): Promise<Manifest> {
   // (maybe) Fields are quoted to avoid renaming
   const payload: Payload = {
@@ -301,13 +301,19 @@ async function _generateManifest(
 
   const encryptionInformationStr = await encryptionInformation.write(policy, keyInfo);
   const assertions: assertions.Assertion[] = [];
-  return {
+  const partial = {
     payload,
     // generate the manifest first, then insert integrity information into it
     encryptionInformation: encryptionInformationStr,
     assertions: assertions,
-    // when `targetSpecVersion` is provided, overrides the tdfSpecVersion
-    schemaVersion: targetSpecVersion || tdfSpecVersion,
+  };
+  const schemaVersion = targetSpecVersion || tdfSpecVersion;
+  if (schemaVersion === '4.2.2') {
+    return partial;
+  }
+  return {
+    ...partial,
+    schemaVersion,
   };
 }
 
@@ -401,7 +407,7 @@ export async function writeStream(cfg: EncryptConfiguration): Promise<DecoratedR
     cfg.encryptionInformation,
     cfg.policy,
     cfg.mimeType,
-    cfg.tdfSpecVersion ?? '4.3.0'
+    cfg.tdfSpecVersion
   );
 
   if (!manifest) {
@@ -531,10 +537,14 @@ export async function writeStream(cfg: EncryptConfiguration): Promise<DecoratedR
                 alg: 'HS256',
                 key: new Uint8Array(cfg.keyForEncryption.unwrappedKeyBinary.asArrayBuffer()),
               };
-              const assertion = await assertions.CreateAssertion(aggregateHash, {
-                ...assertionConfig,
-                signingKey,
-              });
+              const assertion = await assertions.CreateAssertion(
+                aggregateHash,
+                {
+                  ...assertionConfig,
+                  signingKey,
+                },
+                cfg.tdfSpecVersion
+              );
 
               // Add signed assertion to the signedAssertions array
               signedAssertions.push(assertion);
@@ -981,6 +991,13 @@ export async function readStream(cfg: DecryptConfiguration) {
   return decryptStreamFrom(cfg, overview);
 }
 
+// TODO: potentially might need fixing here
+// By the time this function is called the allow list will be already set.
+// Verify that this function is not exported in the sdk and only exported for internal use
+// Verify this during tests and PR
+// Remove this comment before merging!
+// https://www.youtube.com/watch?v=NGrLb6W5YOM
+// Don't leave me here all by myself!
 export async function decryptStreamFrom(
   cfg: DecryptConfiguration,
   { manifest, zipReader, centralDirectory }: InspectedTDFOverview