@opentdf/sdk 0.3.1 → 0.3.2-beta.2277

package/src/nanotdf/Client.ts

@@ -2,7 +2,12 @@ import * as base64 from '../encodings/base64.js';
 import { generateKeyPair, keyAgreement } from '../nanotdf-crypto/index.js';
 import getHkdfSalt from './helpers/getHkdfSalt.js';
 import DefaultParams from './models/DefaultParams.js';
-import { fetchWrappedKey, KasPublicKeyInfo, OriginAllowList } from '../access.js';
+import {
+  fetchKeyAccessServers,
+  fetchWrappedKey,
+  KasPublicKeyInfo,
+  OriginAllowList,
+} from '../access.js';
 import { AuthProvider, isAuthProvider, reqSignature } from '../auth/providers.js';
 import { ConfigurationError, DecryptError, TdfError, UnsafeUrlError } from '../errors.js';
 import { cryptoPublicToPem, pemToCryptoPublicKey, validateSecureUrl } from '../utils.js';
@@ -15,6 +20,7 @@ export interface ClientConfig {
   dpopKeys?: Promise<CryptoKeyPair>;
   ephemeralKeyPair?: Promise<CryptoKeyPair>;
   kasEndpoint: string;
+  platformUrl: string;
 }
 
 function toJWSAlg(c: CryptoKey): string {
@@ -99,12 +105,13 @@ export default class Client {
   static readonly INITIAL_RELEASE_IV_SIZE = 3;
   static readonly IV_SIZE = 12;
 
-  allowedKases: OriginAllowList;
+  allowedKases?: OriginAllowList;
   /*
     These variables are expected to be either assigned during initialization or within the methods.
     This is needed as the flow is very specific. Errors should be thrown if the necessary step is not completed.
   */
   protected kasUrl: string;
+  readonly platformUrl: string;
   kasPubKey?: KasPublicKeyInfo;
   readonly authProvider: AuthProvider;
   readonly dpopEnabled: boolean;
@@ -150,7 +157,6 @@ export default class Client {
       // TODO Disallow http KAS. For now just log as error
       validateSecureUrl(kasUrl);
       this.kasUrl = kasUrl;
-      this.allowedKases = new OriginAllowList([kasUrl]);
       this.dpopEnabled = dpopEnabled;
 
       if (ephemeralKeyPair) {
@@ -168,12 +174,16 @@ export default class Client {
         dpopKeys,
         ephemeralKeyPair,
         kasEndpoint,
+        platformUrl,
       } = optsOrOldAuthProvider;
       this.authProvider = enwrapAuthProvider(authProvider);
       // TODO Disallow http KAS. For now just log as error
       validateSecureUrl(kasEndpoint);
       this.kasUrl = kasEndpoint;
-      this.allowedKases = new OriginAllowList(allowedKases || [kasEndpoint], !!ignoreAllowList);
+      this.platformUrl = platformUrl;
+      if (allowedKases?.length || ignoreAllowList) {
+        this.allowedKases = new OriginAllowList(allowedKases || [], ignoreAllowList);
+      }
       this.dpopEnabled = !!dpopEnabled;
       if (dpopKeys) {
         this.requestSignerKeyPair = dpopKeys;
@@ -214,8 +224,14 @@ export default class Client {
     magicNumberVersion: ArrayBufferLike,
     clientVersion: string
   ): Promise<CryptoKey> {
-    if (!this.allowedKases.allows(kasRewrapUrl)) {
-      throw new UnsafeUrlError(`request URL ∉ ${this.allowedKases.origins};`, kasRewrapUrl);
+    let allowedKases = this.allowedKases;
+
+    if (!allowedKases) {
+      allowedKases = await fetchKeyAccessServers(this.platformUrl, this.authProvider);
+    }
+
+    if (!allowedKases.allows(kasRewrapUrl)) {
+      throw new UnsafeUrlError(`request URL ∉ ${allowedKases.origins};`, kasRewrapUrl);
     }
 
     const ephemeralKeyPair = await this.ephemeralKeyPair;

package/src/opentdf.ts

@@ -13,7 +13,12 @@ import {
   AssertionConfig,
   AssertionVerificationKeys,
 } from '../tdf3/src/assertions.js';
-import { type KasPublicKeyAlgorithm, OriginAllowList, isPublicKeyAlgorithm } from './access.js';
+import {
+  type KasPublicKeyAlgorithm,
+  OriginAllowList,
+  fetchKeyAccessServers,
+  isPublicKeyAlgorithm,
+} from './access.js';
 import { type Manifest } from '../tdf3/src/models/manifest.js';
 import { type Payload } from '../tdf3/src/models/payload.js';
 import {
@@ -87,6 +92,7 @@ export type CreateNanoTDFOptions = CreateOptions & {
 };
 
 export type CreateNanoTDFCollectionOptions = CreateNanoTDFOptions & {
+  platformUrl: string;
   // The maximum number of key iterations to use for a single DEK.
   maxKeyIterations?: number;
 };
@@ -136,6 +142,8 @@ export type CreateZTDFOptions = CreateOptions & {
 export type ReadOptions = {
   // ciphertext
   source: Source;
+  // Platform URL
+  platformUrl?: string;
   // list of KASes that may be contacted for a rewrap
   allowedKASEndpoints?: string[];
   // Optionally disable checking the allowlist
@@ -157,6 +165,9 @@ export type OpenTDFOptions = {
   // Policy service endpoint
   policyEndpoint?: string;
 
+  // Platform URL
+  platformUrl?: string;
+
   // Auth provider for connections to the policy service and KASes.
   authProvider: AuthProvider;
 
@@ -286,6 +297,7 @@ export type TDFReader = {
 // SDK for dealing with OpenTDF data and policy services.
 export class OpenTDF {
   // Configuration service and more is at this URL/connectRPC endpoint
+  readonly platformUrl: string;
   readonly policyEndpoint: string;
   readonly authProvider: AuthProvider;
   readonly dpopEnabled: boolean;
@@ -305,11 +317,19 @@ export class OpenTDF {
     disableDPoP,
     policyEndpoint,
     rewrapCacheOptions,
+    platformUrl,
   }: OpenTDFOptions) {
     this.authProvider = authProvider;
     this.defaultCreateOptions = defaultCreateOptions || {};
     this.defaultReadOptions = defaultReadOptions || {};
     this.dpopEnabled = !!disableDPoP;
+    if (platformUrl) {
+      this.platformUrl = platformUrl;
+    } else {
+      console.warn(
+        "Warning: 'platformUrl' is required for security to ensure the SDK uses the platform-configured Key Access Server list"
+      );
+    }
     this.policyEndpoint = policyEndpoint || '';
     this.rewrapCache = new RewrapCache(rewrapCacheOptions);
     this.tdf3Client = new TDF3Client({
@@ -333,8 +353,14 @@ export class OpenTDF {
   }
 
   async createNanoTDF(opts: CreateNanoTDFOptions): Promise<DecoratedStream> {
-    opts = { ...this.defaultCreateOptions, ...opts };
-    const collection = await this.createNanoTDFCollection(opts);
+    opts = {
+      ...this.defaultCreateOptions,
+      ...opts,
+    };
+    const collection = await this.createNanoTDFCollection({
+      ...opts,
+      platformUrl: this.platformUrl,
+    });
     try {
       return await collection.encrypt(opts.source);
     } finally {
@@ -415,6 +441,9 @@ class UnknownTypeReader {
     this.state = 'resolving';
     const chunker = await fromSource(this.opts.source);
     const prefix = await chunker(0, 3);
+    if (!this.opts.platformUrl && this.outer.platformUrl) {
+      this.opts.platformUrl = this.outer.platformUrl;
+    }
     if (prefix[0] === 0x50 && prefix[1] === 0x4b) {
       this.state = 'loaded';
       return new ZTDFReader(this.outer.tdf3Client, this.opts, chunker);
@@ -466,6 +495,13 @@ class NanoTDFReader {
     readonly chunker: Chunker,
     private readonly rewrapCache: RewrapCache
   ) {
+    if (
+      !this.opts.ignoreAllowlist &&
+      !this.outer.platformUrl &&
+      !this.opts.allowedKASEndpoints?.length
+    ) {
+      throw new ConfigurationError('platformUrl is required when allowedKasEndpoints is empty');
+    }
     // lazily load the container
     this.container = new Promise(async (resolve, reject) => {
       try {
@@ -493,6 +529,7 @@ class NanoTDFReader {
       dpopEnabled: this.outer.dpopEnabled,
       dpopKeys: this.outer.dpopKeys,
       kasEndpoint: this.opts.allowedKASEndpoints?.[0] || 'https://disallow.all.invalid',
+      platformUrl: this.outer.platformUrl,
     });
     // TODO: The version number should be fetched from the API
     const version = '0.0.1';
@@ -550,10 +587,11 @@ class ZTDFReader {
       noVerify: noVerifyAssertions,
       wrappingKeyAlgorithm,
     } = this.opts;
-    const allowList = new OriginAllowList(
-      this.opts.allowedKASEndpoints ?? [],
-      this.opts.ignoreAllowlist
-    );
+
+    if (!this.opts.ignoreAllowlist && !this.opts.allowedKASEndpoints && !this.opts.platformUrl) {
+      throw new ConfigurationError('platformUrl is required when allowedKasEndpoints is empty');
+    }
+
     const dpopKeys = await this.client.dpopKeys;
 
     const { authProvider, cryptoService } = this.client;
@@ -561,6 +599,17 @@ class ZTDFReader {
       throw new ConfigurationError('authProvider is required');
     }
 
+    let allowList: OriginAllowList | undefined;
+
+    if (this.opts.allowedKASEndpoints?.length || this.opts.ignoreAllowlist) {
+      allowList = new OriginAllowList(
+        this.opts.allowedKASEndpoints || [],
+        this.opts.ignoreAllowlist
+      );
+    } else if (this.opts.platformUrl) {
+      allowList = await fetchKeyAccessServers(this.opts.platformUrl, authProvider);
+    }
+
     const overview = await this.overview;
     const oldStream = await decryptStreamFrom(
       {
@@ -646,6 +695,7 @@ class Collection {
       authProvider,
       kasEndpoint: opts.defaultKASEndpoint ?? 'https://disallow.all.invalid',
       maxKeyIterations: opts.maxKeyIterations,
+      platformUrl: opts.platformUrl,
     });
   }
 

package/src/version.ts

@@ -1,7 +1,7 @@
 /**
  * Exposes the released version number of the `@opentdf/sdk` package
  */
-export const version = '0.3.1';
+export const version = '0.3.2';
 
 /**
  * A string name used to label requests as coming from this library client.

package/tdf3/src/client/index.ts

@@ -39,6 +39,7 @@ import {
   EncryptParamsBuilder,
 } from './builders.js';
 import {
+  fetchKeyAccessServers,
   type KasPublicKeyInfo,
   keyAlgorithmToPublicKeyAlgorithm,
   OriginAllowList,
@@ -125,7 +126,7 @@ export interface ClientConfig {
   clientId?: string;
   dpopEnabled?: boolean;
   dpopKeys?: Promise<CryptoKeyPair>;
-  kasEndpoint?: string;
+  kasEndpoint: string;
   /**
    * Service to use to look up ABAC. Used during autoconfigure. Defaults to
    * kasEndpoint without the trailing `/kas` path segment, if present.
@@ -133,9 +134,11 @@ export interface ClientConfig {
   policyEndpoint?: string;
   /**
    * List of allowed KASes to connect to for rewrap requests.
-   * Defaults to `[kasEndpoint]`.
+   * Defaults to `[]`.
    */
   allowedKases?: string[];
+  // Platform URL to use to lookup allowed KASes when allowedKases is empty
+  platformUrl?: string;
   ignoreAllowList?: boolean;
   easEndpoint?: string;
   // DEPRECATED Ignored
@@ -237,7 +240,12 @@ export class Client {
    * List of allowed KASes to connect to for rewrap requests.
    * Defaults to `[this.kasEndpoint]`.
    */
-  readonly allowedKases: OriginAllowList;
+  readonly allowedKases?: OriginAllowList;
+
+  /**
+   * URL of the platform, required to fetch list of allowed KASes when allowedKases is empty
+   */
+  readonly platformUrl?: string;
 
   readonly kasKeys: Record<string, Promise<KasPublicKeyInfo>[]> = {};
 
@@ -287,6 +295,14 @@ export class Client {
       this.kasEndpoint = clientConfig.keyRewrapEndpoint.replace(/\/rewrap$/, '');
     }
     this.kasEndpoint = rstrip(this.kasEndpoint, '/');
+
+    if (!validateSecureUrl(this.kasEndpoint)) {
+      throw new ConfigurationError(`Invalid KAS endpoint [${this.kasEndpoint}]`);
+    }
+    if (config.platformUrl) {
+      this.platformUrl = config.platformUrl;
+    }
+
     if (clientConfig.policyEndpoint) {
       this.policyEndpoint = rstrip(clientConfig.policyEndpoint, '/');
     } else if (this.kasEndpoint.endsWith('/kas')) {
@@ -299,16 +315,12 @@ export class Client {
         clientConfig.allowedKases,
         !!clientConfig.ignoreAllowList
       );
-      if (!validateSecureUrl(this.kasEndpoint) && !this.allowedKases.allows(kasOrigin)) {
-        throw new ConfigurationError(`Invalid KAS endpoint [${this.kasEndpoint}]`);
-      }
-    } else {
-      if (!validateSecureUrl(this.kasEndpoint)) {
+      if (!this.allowedKases.allows(kasOrigin)) {
+        // TODO PR: ask if in this cases it makes more sense to add defaultKASEndpoint to the allow list if the allowList is not empty but doesn't have the defaultKas
         throw new ConfigurationError(
-          `Invalid KAS endpoint [${this.kasEndpoint}]; to force, please list it among allowedKases`
+          `Invalid KAS endpoint [${this.kasEndpoint}]. When allowedKases is set, defaultKASEndpoint needs to be in the allow list`
         );
       }
-      this.allowedKases = new OriginAllowList([kasOrigin], !!clientConfig.ignoreAllowList);
     }
 
     this.authProvider = config.authProvider;
@@ -445,6 +457,7 @@ export class Client {
         ? maxByteLimit
         : opts.byteLimit;
     const encryptionInformation = new SplitKey(new AesGcmCipher(this.cryptoService));
+    // TODO KAS: check here
     const splits: SplitStep[] = splitPlan?.length
       ? splitPlan
       : [{ kas: opts.defaultKASEndpoint ?? this.kasEndpoint }];
@@ -531,8 +544,12 @@ export class Client {
       throw new ConfigurationError('AuthProvider missing');
     }
     const chunker = await makeChunkable(source);
-    if (!allowList) {
+    if (!allowList && this.allowedKases) {
       allowList = this.allowedKases;
+    } else if (this.platformUrl) {
+      allowList = await fetchKeyAccessServers(this.platformUrl, this.authProvider);
+    } else {
+      throw new ConfigurationError('platformUrl is required when allowedKases is empty');
     }
 
     // Await in order to catch any errors from this call.

package/tdf3/src/tdf.ts

@@ -991,6 +991,13 @@ export async function readStream(cfg: DecryptConfiguration) {
   return decryptStreamFrom(cfg, overview);
 }
 
+// TODO: potentially might need fixing here
+// By the time this function is called the allow list will be already set.
+// Verify that this function is not exported in the sdk and only exported for internal use
+// Verify this during tests and PR
+// Remove this comment before merging!
+// https://www.youtube.com/watch?v=NGrLb6W5YOM
+// Don't leave me here all by myself!
 export async function decryptStreamFrom(
   cfg: DecryptConfiguration,
   { manifest, zipReader, centralDirectory }: InspectedTDFOverview