@opentdf/sdk 0.3.1 → 0.3.2-beta.1

package/src/platform/wellknownconfiguration/wellknown_configuration_pb.ts

@@ -0,0 +1,78 @@
+// @generated by protoc-gen-es v2.2.5 with parameter "target=ts,import_extension=.js"
+// @generated from file wellknownconfiguration/wellknown_configuration.proto (package wellknownconfiguration, syntax proto3)
+/* eslint-disable */
+
+import type { GenFile, GenMessage, GenService } from "@bufbuild/protobuf/codegenv1";
+import { fileDesc, messageDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_google_api_annotations } from "../google/api/annotations_pb.js";
+import { file_google_protobuf_struct } from "@bufbuild/protobuf/wkt";
+import type { JsonObject, Message } from "@bufbuild/protobuf";
+
+/**
+ * Describes the file wellknownconfiguration/wellknown_configuration.proto.
+ */
+export const file_wellknownconfiguration_wellknown_configuration: GenFile = /*@__PURE__*/
+  fileDesc("CjR3ZWxsa25vd25jb25maWd1cmF0aW9uL3dlbGxrbm93bl9jb25maWd1cmF0aW9uLnByb3RvEhZ3ZWxsa25vd25jb25maWd1cmF0aW9uIrMBCg9XZWxsS25vd25Db25maWcSUQoNY29uZmlndXJhdGlvbhgBIAMoCzI6LndlbGxrbm93bmNvbmZpZ3VyYXRpb24uV2VsbEtub3duQ29uZmlnLkNvbmZpZ3VyYXRpb25FbnRyeRpNChJDb25maWd1cmF0aW9uRW50cnkSCwoDa2V5GAEgASgJEiYKBXZhbHVlGAIgASgLMhcuZ29vZ2xlLnByb3RvYnVmLlN0cnVjdDoCOAEiIgogR2V0V2VsbEtub3duQ29uZmlndXJhdGlvblJlcXVlc3QiUwohR2V0V2VsbEtub3duQ29uZmlndXJhdGlvblJlc3BvbnNlEi4KDWNvbmZpZ3VyYXRpb24YASABKAsyFy5nb29nbGUucHJvdG9idWYuU3RydWN0MtQBChBXZWxsS25vd25TZXJ2aWNlEr8BChlHZXRXZWxsS25vd25Db25maWd1cmF0aW9uEjgud2VsbGtub3duY29uZmlndXJhdGlvbi5HZXRXZWxsS25vd25Db25maWd1cmF0aW9uUmVxdWVzdBo5LndlbGxrbm93bmNvbmZpZ3VyYXRpb24uR2V0V2VsbEtub3duQ29uZmlndXJhdGlvblJlc3BvbnNlIi2QAgGC0+STAiQSIi8ud2VsbC1rbm93bi9vcGVudGRmLWNvbmZpZ3VyYXRpb25iBnByb3RvMw", [file_google_api_annotations, file_google_protobuf_struct]);
+
+/**
+ * @generated from message wellknownconfiguration.WellKnownConfig
+ */
+export type WellKnownConfig = Message<"wellknownconfiguration.WellKnownConfig"> & {
+  /**
+   * @generated from field: map<string, google.protobuf.Struct> configuration = 1;
+   */
+  configuration: { [key: string]: JsonObject };
+};
+
+/**
+ * Describes the message wellknownconfiguration.WellKnownConfig.
+ * Use `create(WellKnownConfigSchema)` to create a new message.
+ */
+export const WellKnownConfigSchema: GenMessage<WellKnownConfig> = /*@__PURE__*/
+  messageDesc(file_wellknownconfiguration_wellknown_configuration, 0);
+
+/**
+ * @generated from message wellknownconfiguration.GetWellKnownConfigurationRequest
+ */
+export type GetWellKnownConfigurationRequest = Message<"wellknownconfiguration.GetWellKnownConfigurationRequest"> & {
+};
+
+/**
+ * Describes the message wellknownconfiguration.GetWellKnownConfigurationRequest.
+ * Use `create(GetWellKnownConfigurationRequestSchema)` to create a new message.
+ */
+export const GetWellKnownConfigurationRequestSchema: GenMessage<GetWellKnownConfigurationRequest> = /*@__PURE__*/
+  messageDesc(file_wellknownconfiguration_wellknown_configuration, 1);
+
+/**
+ * @generated from message wellknownconfiguration.GetWellKnownConfigurationResponse
+ */
+export type GetWellKnownConfigurationResponse = Message<"wellknownconfiguration.GetWellKnownConfigurationResponse"> & {
+  /**
+   * @generated from field: google.protobuf.Struct configuration = 1;
+   */
+  configuration?: JsonObject;
+};
+
+/**
+ * Describes the message wellknownconfiguration.GetWellKnownConfigurationResponse.
+ * Use `create(GetWellKnownConfigurationResponseSchema)` to create a new message.
+ */
+export const GetWellKnownConfigurationResponseSchema: GenMessage<GetWellKnownConfigurationResponse> = /*@__PURE__*/
+  messageDesc(file_wellknownconfiguration_wellknown_configuration, 2);
+
+/**
+ * @generated from service wellknownconfiguration.WellKnownService
+ */
+export const WellKnownService: GenService<{
+  /**
+   * @generated from rpc wellknownconfiguration.WellKnownService.GetWellKnownConfiguration
+   */
+  getWellKnownConfiguration: {
+    methodKind: "unary";
+    input: typeof GetWellKnownConfigurationRequestSchema;
+    output: typeof GetWellKnownConfigurationResponseSchema;
+  },
+}> = /*@__PURE__*/
+  serviceDesc(file_wellknownconfiguration_wellknown_configuration, 0);
+

package/src/platform.ts

@@ -0,0 +1,122 @@
+// export Connect RPC framework
+export * as platformConnectWeb from '@connectrpc/connect-web';
+export * as platformConnect from '@connectrpc/connect';
+
+import { createConnectTransport } from '@connectrpc/connect-web';
+import { AuthProvider } from '../tdf3/index.js';
+
+import { Client, createClient, Interceptor } from '@connectrpc/connect';
+import { WellKnownService } from './platform/wellknownconfiguration/wellknown_configuration_pb.js';
+import { AuthorizationService } from './platform/authorization/authorization_pb.js';
+import { EntityResolutionService } from './platform/entityresolution/entity_resolution_pb.js';
+import { AccessService } from './platform/kas/kas_pb.js';
+import { ActionService } from './platform/policy/actions/actions_pb.js';
+import { AttributesService } from './platform/policy/attributes/attributes_pb.js';
+import { KeyAccessServerRegistryService } from './platform/policy/kasregistry/key_access_server_registry_pb.js';
+import { NamespaceService } from './platform/policy/namespaces/namespaces_pb.js';
+import { ResourceMappingService } from './platform/policy/resourcemapping/resource_mapping_pb.js';
+import { SubjectMappingService } from './platform/policy/subjectmapping/subject_mapping_pb.js';
+import { UnsafeService } from './platform/policy/unsafe/unsafe_pb.js';
+
+export interface PlatformServices {
+  authorization: Client<typeof AuthorizationService>;
+  entityResolution: Client<typeof EntityResolutionService>;
+  access: Client<typeof AccessService>;
+  action: Client<typeof ActionService>;
+  attributes: Client<typeof AttributesService>;
+  keyAccessServerRegistry: Client<typeof KeyAccessServerRegistryService>;
+  namespace: Client<typeof NamespaceService>;
+  resourceMapping: Client<typeof ResourceMappingService>;
+  subjectMapping: Client<typeof SubjectMappingService>;
+  unsafe: Client<typeof UnsafeService>;
+  wellknown: Client<typeof WellKnownService>;
+}
+
+export interface PlatformClientOptions {
+  // Optional authentication provider for generating auth interceptor.
+  authProvider?: AuthProvider;
+  // Array of custom interceptors to apply to rpc requests.
+  interceptors?: Interceptor[];
+  // Base URL of the platform API.
+  platformUrl: string;
+}
+
+/**
+ * A client for interacting with the Platform using the Connect RPC framework.
+ *
+ * This client provides access to various services offered by the Platform, such as
+ * authorization, entity resolution, key access, policy management, and more. It uses
+ * the Connect RPC framework to communicate with the platform's API endpoints.
+ *
+ * This client supports authentication via an `AuthProvider` or custom interceptors, which can
+ * be used to add authentication headers or other custom logic to outgoing requests.
+ *
+ */
+export class PlatformClient {
+  readonly v1: PlatformServices;
+
+  constructor(options: PlatformClientOptions) {
+    const interceptors: Interceptor[] = [];
+
+    if (options.authProvider) {
+      const authInterceptor = createAuthInterceptor(options.authProvider);
+      interceptors.push(authInterceptor);
+    }
+
+    if (options.interceptors?.length) {
+      interceptors.push(...options.interceptors);
+    }
+
+    const transport = createConnectTransport({
+      baseUrl: options.platformUrl,
+      interceptors,
+    });
+
+    this.v1 = {
+      authorization: createClient(AuthorizationService, transport),
+      entityResolution: createClient(EntityResolutionService, transport),
+      access: createClient(AccessService, transport),
+      action: createClient(ActionService, transport),
+      attributes: createClient(AttributesService, transport),
+      keyAccessServerRegistry: createClient(KeyAccessServerRegistryService, transport),
+      namespace: createClient(NamespaceService, transport),
+      resourceMapping: createClient(ResourceMappingService, transport),
+      subjectMapping: createClient(SubjectMappingService, transport),
+      unsafe: createClient(UnsafeService, transport),
+      wellknown: createClient(WellKnownService, transport),
+    };
+  }
+}
+
+/**
+ * Creates an interceptor that adds authentication headers to outgoing requests.
+ *
+ * This function uses the provided `AuthProvider` to generate authentication credentials
+ * for each request. The `AuthProvider` is expected to implement a `withCreds` method
+ * that returns an object containing authentication headers. These headers are then
+ * added to the request before it is sent to the server.
+ *
+ * @param authProvider - An instance of `AuthProvider` used to generate authentication credentials.
+ * @returns An `Interceptor` function that modifies requests to include authentication headers.
+ */
+function createAuthInterceptor(authProvider: AuthProvider): Interceptor {
+  const authInterceptor: Interceptor = (next) => async (req) => {
+    const url = new URL(req.url);
+    const pathOnly = url.pathname;
+    // Signs only the path of the url in the request
+    const token = await authProvider.withCreds({
+      url: pathOnly,
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+    });
+
+    Object.entries(token.headers).forEach(([key, value]) => {
+      req.header.set(key, value);
+    });
+
+    return await next(req);
+  };
+  return authInterceptor;
+}

package/src/policy/api.ts

@@ -1,61 +1,48 @@
-import { NetworkError, ServiceError } from '../errors.js';
+import { NetworkError } from '../errors.js';
 import { AuthProvider } from '../auth/auth.js';
-import { rstrip } from '../utils.js';
-import { GetAttributeValuesByFqnsResponse, Value } from './attributes.js';
+import { extractRpcErrorMessage, getPlatformUrlFromKasEndpoint } from '../utils.js';
+import { PlatformClient } from '../platform.js';
+import { Value } from './attributes.js';
+import { GetAttributeValuesByFqnsResponse } from '../platform/policy/attributes/attributes_pb.js';
 
+// TODO KAS: go over web-sdk and remove policyEndpoint that is only defined to be used here
 export async function attributeFQNsAsValues(
-  kasUrl: string,
+  platformUrl: string,
   authProvider: AuthProvider,
   ...fqns: string[]
 ): Promise<Value[]> {
-  const avs = new URLSearchParams();
-  for (const fqn of fqns) {
-    avs.append('fqns', fqn);
-  }
-  avs.append('withValue.withKeyAccessGrants', 'true');
-  avs.append('withValue.withAttribute.withKeyAccessGrants', 'true');
-  const uNoSlash = rstrip(kasUrl, '/');
-  const uNoKas = uNoSlash.endsWith('/kas') ? uNoSlash.slice(0, -4) : uNoSlash;
-  const url = `${uNoKas}/attributes/*/fqn?${avs}`;
-  const req = await authProvider.withCreds({
-    url,
-    headers: {},
-    method: 'GET',
-  });
-  let response: Response;
-  try {
-    response = await fetch(req.url, {
-      mode: 'cors',
-      credentials: 'same-origin',
-      headers: req.headers,
-      redirect: 'follow',
-      referrerPolicy: 'no-referrer',
-    });
-  } catch (e) {
-    throw new NetworkError(`network error [${req.method} ${req.url}]`, e);
-  }
+  platformUrl = getPlatformUrlFromKasEndpoint(platformUrl);
+  const platform = new PlatformClient({ authProvider, platformUrl });
 
-  if (!response.ok) {
-    throw new ServiceError(`${req.method} ${req.url} => ${response.status} ${response.statusText}`);
-  }
-
-  let resp: GetAttributeValuesByFqnsResponse;
+  let response: GetAttributeValuesByFqnsResponse;
   try {
-    resp = (await response.json()) as GetAttributeValuesByFqnsResponse;
+    response = await platform.v1.attributes.getAttributeValuesByFqns({
+      fqns,
+      withValue: {
+        withKeyAccessGrants: true,
+        withAttribute: {
+          withKeyAccessGrants: true,
+        },
+      },
+    });
   } catch (e) {
-    throw new ServiceError(`response parse error [${req.method} ${req.url}]`, e);
+    throw new NetworkError(
+      `[${platformUrl}] [GetAttributeValuesByFqns] ${extractRpcErrorMessage(e)}`
+    );
   }
 
   const values: Value[] = [];
-  for (const [fqn, av] of Object.entries(resp.fqnAttributeValues)) {
-    if (!av.value) {
+  for (const [fqn, av] of Object.entries(response.fqnAttributeValues)) {
+    const value = av.value;
+    if (!value) {
       console.log(`Missing value definition for [${fqn}]; is this a valid attribute?`);
       continue;
     }
-    if (av.attribute && !av.value.attribute) {
-      av.value.attribute = av.attribute;
+    if (value && av.attribute && !value?.attribute) {
+      value.attribute = av.attribute;
     }
-    values.push(av.value);
+
+    values.push(value);
   }
   return values;
 }

package/src/policy/attributes.ts

@@ -1,117 +1,21 @@
-export type Metadata = {
-  /**
-   * created_at set by server (entity who created will recorded in an audit event)
-   * Format: date-time
-   */
-  createdAt?: string;
-
-  /**
-   * updated_at set by server (entity who updated will recorded in an audit event)
-   * Format: date-time
-   */
-  updatedAt?: string;
-
-  /** optional short description */
-  labels?: Record<string, string>;
-};
-
-export type KasPublicKeyAlgorithm =
-  | 'KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED'
-  | 'KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048'
-  | 'KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1';
-
-export type KasPublicKey = {
-  /** x509 ASN.1 content in PEM envelope, usually */
-  pem: string;
-  /** A unique string identifier for this key */
-  kid: string;
-  /**
-   * @description A known algorithm type with any additional parameters encoded.
-   * To start, these may be `rsa:2048` for encrypting ZTDF files and
-   * `ec:secp256r1` for nanoTDF, but more formats may be added as needed.
-   */
-  alg: KasPublicKeyAlgorithm;
-};
+import { GetAttributeValuesByFqnsResponse } from '../platform/policy/attributes/attributes_pb.js';
+import { AttributeRuleTypeEnum } from '../platform/policy/objects_pb.js';
 
+export type KasPublicKey = Value['kasKeys'][number];
+export type Value = NonNullable<
+  GetAttributeValuesByFqnsResponse['fqnAttributeValues'][string]['value']
+>;
 export type KasPublicKeySet = {
   keys: KasPublicKey[];
 };
 
-export type PublicKey = {
-  /** kas public key url - optional since can also be retrieved via public key */
-  remote?: string;
-  /** public key; PEM of RSA public key; prefer `cached` */
-  local?: string;
-  /** public key with additional information. Current preferred version */
-  cached?: KasPublicKeySet;
-};
-
-export type KeyAccessServer = {
-  id?: string;
-  /** Address of a KAS instance */
-  uri: string;
-  publicKey?: PublicKey;
-  metadata?: Metadata;
-};
-
-export type Namespace = {
-  /** uuid */
-  id?: string;
-  /** used to partition Attribute Definitions, support by namespace AuthN and enable federation */
-  name?: string;
-  fqn: string;
-  /** active by default until explicitly deactivated */
-  active?: boolean;
-  metadata?: Metadata;
-  grants?: KeyAccessServer[];
-};
-
-export type AttributeRuleType =
-  | 'ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED'
-  | 'ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF'
-  | 'ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF'
-  | 'ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY';
-
-export type Attribute = {
-  /** UUID */
-  id?: string;
-  namespace?: Namespace;
-  /** attribute name */
-  name?: string;
-  /** attribute rule enum */
-  rule?: AttributeRuleType;
-  values?: Value[];
-  grants?: KeyAccessServer[];
-  fqn: string;
-  /** active by default until explicitly deactivated */
-  active?: boolean;
-  /** Common metadata */
-  metadata?: Metadata;
-};
-
-// This is not currently needed by the client, but may be returned.
-// Setting it to unknown to allow it to be ignored for now.
-export type SubjectMapping = unknown;
-
-export type Value = {
-  id?: string;
-  attribute?: Attribute;
-  value?: string;
-  /** list of key access servers */
-  grants?: KeyAccessServer[];
-  fqn: string;
-  /** active by default until explicitly deactivated */
-  active?: boolean;
-  subjectMappings?: SubjectMapping[];
-  /** Common metadata */
-  metadata?: Metadata;
-};
-
+export type Metadata = Value['metadata'];
+export type KeyAccessServer = Value['grants'][number];
+export type Attribute = Value['attribute'];
+export type SubjectMapping = Value['subjectMappings'][number];
+export type Namespace = NonNullable<Value['attribute']>['namespace'];
 export type AttributeAndValue = {
   attribute: Attribute;
   value: Value;
 };
-
-export type GetAttributeValuesByFqnsResponse = {
-  fqnAttributeValues: Record<string, AttributeAndValue>;
-};
+export { AttributeRuleTypeEnum as AttributeRuleType };

package/src/policy/granter.ts

@@ -36,17 +36,16 @@ type ComplexBooleanClause = {
 };
 
 export function booleanOperatorFor(rule?: AttributeRuleType): BooleanOperator {
-  if (!rule) {
-    return 'allOf';
-  }
   switch (rule) {
-    case 'ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED':
-    case 'ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF':
+    case AttributeRuleType.UNSPECIFIED:
+    case AttributeRuleType.ALL_OF:
       return 'allOf';
-    case 'ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF':
+    case AttributeRuleType.ANY_OF:
       return 'anyOf';
-    case 'ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY':
+    case AttributeRuleType.HIERARCHY:
       return 'hierarchy';
+    default:
+      return 'allOf';
   }
 }
 
@@ -114,7 +113,7 @@ export function plan(dataAttrs: Value[]): KeySplitStep[] {
         });
       }
     }
-    const op = booleanOperatorFor(attrClause.def.rule);
+    const op = booleanOperatorFor(attrClause.def?.rule);
     kcs.push({
       op,
       children: ccv,

package/src/utils.ts

@@ -3,6 +3,7 @@ import { exportSPKI, importX509 } from 'jose';
 import { base64 } from './encodings/index.js';
 import { pemCertToCrypto, pemPublicToCrypto } from './nanotdf-crypto/pemPublicToCrypto.js';
 import { ConfigurationError } from './errors.js';
+import { ConnectError } from '@connectrpc/connect';
 
 /**
  * Check to see if the given URL is 'secure'. This assumes:
@@ -139,3 +140,32 @@ export async function extractPemFromKeyString(keyString: string): Promise<string
 
   return pem;
 }
+
+/**
+ * Extracts the error message from an RPC catch error.
+ */
+export function extractRpcErrorMessage(error: unknown): string {
+  if (error instanceof ConnectError || error instanceof Error) {
+    return error.message;
+  }
+  return 'Unknown network error occurred';
+}
+
+/**
+ * Converts a KAS endpoint URL to a platform URL.
+ * If the KAS endpoint ends with '/kas', it returns the host url
+ * Otherwise, it returns the original KAS endpoint.
+ */
+export function getPlatformUrlFromKasEndpoint(endpoint: string): string {
+  let result = endpoint || '';
+  if (result.endsWith('/')) {
+    result = rstrip(result, '/');
+  }
+  if (result.endsWith('/v2/rewrap')) {
+    result = result.slice(0, -10);
+  }
+  if (result.endsWith('/kas')) {
+    result = result.slice(0, -4);
+  }
+  return result;
+}

package/src/version.ts

@@ -1,7 +1,7 @@
 /**
  * Exposes the released version number of the `@opentdf/sdk` package
  */
-export const version = '0.3.1';
+export const version = '0.3.2'; // x-release-please-version
 
 /**
  * A string name used to label requests as coming from this library client.

package/tdf3/src/client/index.ts

@@ -19,7 +19,12 @@ import { OIDCRefreshTokenProvider } from '../../../src/auth/oidc-refreshtoken-pr
 import { OIDCExternalJwtProvider } from '../../../src/auth/oidc-externaljwt-provider.js';
 import { CryptoService } from '../crypto/declarations.js';
 import { type AuthProvider, HttpRequest, withHeaders } from '../../../src/auth/auth.js';
-import { pemToCryptoPublicKey, rstrip, validateSecureUrl } from '../../../src/utils.js';
+import {
+  getPlatformUrlFromKasEndpoint,
+  pemToCryptoPublicKey,
+  rstrip,
+  validateSecureUrl,
+} from '../../../src/utils.js';
 
 import {
   type EncryptParams,
@@ -39,6 +44,7 @@ import {
   EncryptParamsBuilder,
 } from './builders.js';
 import {
+  fetchKeyAccessServers,
   type KasPublicKeyInfo,
   keyAlgorithmToPublicKeyAlgorithm,
   OriginAllowList,
@@ -73,7 +79,7 @@ export const resolveKasInfo = async (
   kid?: string
 ): Promise<KasPublicKeyInfo> => {
   const k: CryptoKey = await pemToCryptoPublicKey(pem);
-  const algorithm = keyAlgorithmToPublicKeyAlgorithm(k.algorithm);
+  const algorithm = keyAlgorithmToPublicKeyAlgorithm(k);
   return {
     key: Promise.resolve(k),
     publicKey: pem,
@@ -125,7 +131,7 @@ export interface ClientConfig {
   clientId?: string;
   dpopEnabled?: boolean;
   dpopKeys?: Promise<CryptoKeyPair>;
-  kasEndpoint?: string;
+  kasEndpoint: string;
   /**
    * Service to use to look up ABAC. Used during autoconfigure. Defaults to
    * kasEndpoint without the trailing `/kas` path segment, if present.
@@ -133,9 +139,11 @@ export interface ClientConfig {
   policyEndpoint?: string;
   /**
    * List of allowed KASes to connect to for rewrap requests.
-   * Defaults to `[kasEndpoint]`.
+   * Defaults to `[]`.
    */
   allowedKases?: string[];
+  // Platform URL to use to lookup allowed KASes when allowedKases is empty
+  platformUrl?: string;
   ignoreAllowList?: boolean;
   easEndpoint?: string;
   // DEPRECATED Ignored
@@ -237,7 +245,12 @@ export class Client {
    * List of allowed KASes to connect to for rewrap requests.
    * Defaults to `[this.kasEndpoint]`.
    */
-  readonly allowedKases: OriginAllowList;
+  readonly allowedKases?: OriginAllowList;
+
+  /**
+   * URL of the platform, required to fetch list of allowed KASes when allowedKases is empty
+   */
+  readonly platformUrl?: string;
 
   readonly kasKeys: Record<string, Promise<KasPublicKeyInfo>[]> = {};
 
@@ -287,10 +300,17 @@ export class Client {
       this.kasEndpoint = clientConfig.keyRewrapEndpoint.replace(/\/rewrap$/, '');
     }
     this.kasEndpoint = rstrip(this.kasEndpoint, '/');
+
+    if (!validateSecureUrl(this.kasEndpoint)) {
+      throw new ConfigurationError(`Invalid KAS endpoint [${this.kasEndpoint}]`);
+    }
+
+    if (config.platformUrl) {
+      this.platformUrl = config.platformUrl;
+    }
+
     if (clientConfig.policyEndpoint) {
-      this.policyEndpoint = rstrip(clientConfig.policyEndpoint, '/');
-    } else if (this.kasEndpoint.endsWith('/kas')) {
-      this.policyEndpoint = this.kasEndpoint.slice(0, -4);
+      this.policyEndpoint = getPlatformUrlFromKasEndpoint(clientConfig.policyEndpoint);
     }
 
     const kasOrigin = new URL(this.kasEndpoint).origin;
@@ -299,16 +319,12 @@ export class Client {
         clientConfig.allowedKases,
         !!clientConfig.ignoreAllowList
       );
-      if (!validateSecureUrl(this.kasEndpoint) && !this.allowedKases.allows(kasOrigin)) {
-        throw new ConfigurationError(`Invalid KAS endpoint [${this.kasEndpoint}]`);
-      }
-    } else {
-      if (!validateSecureUrl(this.kasEndpoint)) {
+      if (!this.allowedKases.allows(kasOrigin)) {
+        // TODO PR: ask if in this cases it makes more sense to add defaultKASEndpoint to the allow list if the allowList is not empty but doesn't have the defaultKas
         throw new ConfigurationError(
-          `Invalid KAS endpoint [${this.kasEndpoint}]; to force, please list it among allowedKases`
+          `Invalid KAS endpoint [${this.kasEndpoint}]. When allowedKases is set, defaultKASEndpoint needs to be in the allow list`
         );
       }
-      this.allowedKases = new OriginAllowList([kasOrigin], !!clientConfig.ignoreAllowList);
     }
 
     this.authProvider = config.authProvider;
@@ -382,7 +398,7 @@ export class Client {
       keyMiddleware = defaultKeyMiddleware,
       streamMiddleware = async (stream: DecoratedReadableStream) => stream,
       tdfSpecVersion,
-      wrappingKeyAlgorithm = 'rsa:2048',
+      wrappingKeyAlgorithm,
     } = opts;
     const scope = opts.scope ?? { attributes: [], dissem: [] };
 
@@ -427,8 +443,9 @@ export class Client {
       const detailedPlan = plan(avs);
       splitPlan = detailedPlan.map((kat) => {
         const { kas, sid } = kat;
-        if (kas?.publicKey?.cached?.keys && !(kas.uri in this.kasKeys)) {
-          const keys = kas.publicKey.cached.keys;
+        const pubKey = kas.publicKey?.publicKey;
+        if (pubKey?.case === 'cached' && pubKey.value.keys && !(kas.uri in this.kasKeys)) {
+          const keys = pubKey.value.keys;
           if (keys?.length) {
             this.kasKeys[kas.uri] = keys.map((key) => resolveKasInfo(key.pem, kas.uri, key.kid));
           }
@@ -531,8 +548,12 @@ export class Client {
       throw new ConfigurationError('AuthProvider missing');
     }
     const chunker = await makeChunkable(source);
-    if (!allowList) {
+    if (!allowList && this.allowedKases) {
       allowList = this.allowedKases;
+    } else if (this.platformUrl) {
+      allowList = await fetchKeyAccessServers(this.platformUrl, this.authProvider);
+    } else {
+      throw new ConfigurationError('platformUrl is required when allowedKases is empty');
     }
 
     // Await in order to catch any errors from this call.