@opentdf/sdk 0.3.2-beta.2292 → 0.3.2-beta.2435

package/src/platform/wellknownconfiguration/wellknown_configuration_pb.ts

@@ -0,0 +1,78 @@
+// @generated by protoc-gen-es v2.2.5 with parameter "target=ts,import_extension=.js"
+// @generated from file wellknownconfiguration/wellknown_configuration.proto (package wellknownconfiguration, syntax proto3)
+/* eslint-disable */
+
+import type { GenFile, GenMessage, GenService } from "@bufbuild/protobuf/codegenv1";
+import { fileDesc, messageDesc, serviceDesc } from "@bufbuild/protobuf/codegenv1";
+import { file_google_api_annotations } from "../google/api/annotations_pb.js";
+import { file_google_protobuf_struct } from "@bufbuild/protobuf/wkt";
+import type { JsonObject, Message } from "@bufbuild/protobuf";
+
+/**
+ * Describes the file wellknownconfiguration/wellknown_configuration.proto.
+ */
+export const file_wellknownconfiguration_wellknown_configuration: GenFile = /*@__PURE__*/
+  fileDesc("CjR3ZWxsa25vd25jb25maWd1cmF0aW9uL3dlbGxrbm93bl9jb25maWd1cmF0aW9uLnByb3RvEhZ3ZWxsa25vd25jb25maWd1cmF0aW9uIrMBCg9XZWxsS25vd25Db25maWcSUQoNY29uZmlndXJhdGlvbhgBIAMoCzI6LndlbGxrbm93bmNvbmZpZ3VyYXRpb24uV2VsbEtub3duQ29uZmlnLkNvbmZpZ3VyYXRpb25FbnRyeRpNChJDb25maWd1cmF0aW9uRW50cnkSCwoDa2V5GAEgASgJEiYKBXZhbHVlGAIgASgLMhcuZ29vZ2xlLnByb3RvYnVmLlN0cnVjdDoCOAEiIgogR2V0V2VsbEtub3duQ29uZmlndXJhdGlvblJlcXVlc3QiUwohR2V0V2VsbEtub3duQ29uZmlndXJhdGlvblJlc3BvbnNlEi4KDWNvbmZpZ3VyYXRpb24YASABKAsyFy5nb29nbGUucHJvdG9idWYuU3RydWN0MtQBChBXZWxsS25vd25TZXJ2aWNlEr8BChlHZXRXZWxsS25vd25Db25maWd1cmF0aW9uEjgud2VsbGtub3duY29uZmlndXJhdGlvbi5HZXRXZWxsS25vd25Db25maWd1cmF0aW9uUmVxdWVzdBo5LndlbGxrbm93bmNvbmZpZ3VyYXRpb24uR2V0V2VsbEtub3duQ29uZmlndXJhdGlvblJlc3BvbnNlIi2QAgGC0+STAiQSIi8ud2VsbC1rbm93bi9vcGVudGRmLWNvbmZpZ3VyYXRpb25iBnByb3RvMw", [file_google_api_annotations, file_google_protobuf_struct]);
+
+/**
+ * @generated from message wellknownconfiguration.WellKnownConfig
+ */
+export type WellKnownConfig = Message<"wellknownconfiguration.WellKnownConfig"> & {
+  /**
+   * @generated from field: map<string, google.protobuf.Struct> configuration = 1;
+   */
+  configuration: { [key: string]: JsonObject };
+};
+
+/**
+ * Describes the message wellknownconfiguration.WellKnownConfig.
+ * Use `create(WellKnownConfigSchema)` to create a new message.
+ */
+export const WellKnownConfigSchema: GenMessage<WellKnownConfig> = /*@__PURE__*/
+  messageDesc(file_wellknownconfiguration_wellknown_configuration, 0);
+
+/**
+ * @generated from message wellknownconfiguration.GetWellKnownConfigurationRequest
+ */
+export type GetWellKnownConfigurationRequest = Message<"wellknownconfiguration.GetWellKnownConfigurationRequest"> & {
+};
+
+/**
+ * Describes the message wellknownconfiguration.GetWellKnownConfigurationRequest.
+ * Use `create(GetWellKnownConfigurationRequestSchema)` to create a new message.
+ */
+export const GetWellKnownConfigurationRequestSchema: GenMessage<GetWellKnownConfigurationRequest> = /*@__PURE__*/
+  messageDesc(file_wellknownconfiguration_wellknown_configuration, 1);
+
+/**
+ * @generated from message wellknownconfiguration.GetWellKnownConfigurationResponse
+ */
+export type GetWellKnownConfigurationResponse = Message<"wellknownconfiguration.GetWellKnownConfigurationResponse"> & {
+  /**
+   * @generated from field: google.protobuf.Struct configuration = 1;
+   */
+  configuration?: JsonObject;
+};
+
+/**
+ * Describes the message wellknownconfiguration.GetWellKnownConfigurationResponse.
+ * Use `create(GetWellKnownConfigurationResponseSchema)` to create a new message.
+ */
+export const GetWellKnownConfigurationResponseSchema: GenMessage<GetWellKnownConfigurationResponse> = /*@__PURE__*/
+  messageDesc(file_wellknownconfiguration_wellknown_configuration, 2);
+
+/**
+ * @generated from service wellknownconfiguration.WellKnownService
+ */
+export const WellKnownService: GenService<{
+  /**
+   * @generated from rpc wellknownconfiguration.WellKnownService.GetWellKnownConfiguration
+   */
+  getWellKnownConfiguration: {
+    methodKind: "unary";
+    input: typeof GetWellKnownConfigurationRequestSchema;
+    output: typeof GetWellKnownConfigurationResponseSchema;
+  },
+}> = /*@__PURE__*/
+  serviceDesc(file_wellknownconfiguration_wellknown_configuration, 0);
+

package/src/platform.ts

@@ -0,0 +1,139 @@
+// export client service definitions
+export * as authorization from './platform/authorization/authorization_pb.js';
+export * as common from './platform/common/common_pb.js';
+export * as entityResolution from './platform/entityresolution/entity_resolution_pb.js';
+export * as kas from './platform/kas/kas_pb.js';
+export * as policyActions from './platform/policy/actions/actions_pb.js';
+export * as policyAttributes from './platform/policy/attributes/attributes_pb.js';
+export * as policyKasRegistry from './platform/policy/kasregistry/key_access_server_registry_pb.js';
+export * as policyNamespaces from './platform/policy/namespaces/namespaces_pb.js';
+export * as policyObjects from './platform/policy/objects_pb.js';
+export * as policyRegisteredResources from './platform/policy/registeredresources/registered_resources_pb.js';
+export * as policyResourceMapping from './platform/policy/resourcemapping/resource_mapping_pb.js';
+export * as policySelectors from './platform/policy/selectors_pb.js';
+export * as policySubjectMapping from './platform/policy/subjectmapping/subject_mapping_pb.js';
+export * as policyUnsafe from './platform/policy/unsafe/unsafe_pb.js';
+export * as wellknown from './platform/wellknownconfiguration/wellknown_configuration_pb.js';
+
+// export Connect RPC framework
+export * as platformConnectWeb from '@connectrpc/connect-web';
+export * as platformConnect from '@connectrpc/connect';
+
+import { createConnectTransport } from '@connectrpc/connect-web';
+import { AuthProvider } from '../tdf3/index.js';
+
+import { Client, createClient, Interceptor } from '@connectrpc/connect';
+import { WellKnownService } from './platform/wellknownconfiguration/wellknown_configuration_pb.js';
+import { AuthorizationService } from './platform/authorization/authorization_pb.js';
+import { EntityResolutionService } from './platform/entityresolution/entity_resolution_pb.js';
+import { AccessService } from './platform/kas/kas_pb.js';
+import { ActionService } from './platform/policy/actions/actions_pb.js';
+import { AttributesService } from './platform/policy/attributes/attributes_pb.js';
+import { KeyAccessServerRegistryService } from './platform/policy/kasregistry/key_access_server_registry_pb.js';
+import { NamespaceService } from './platform/policy/namespaces/namespaces_pb.js';
+import { ResourceMappingService } from './platform/policy/resourcemapping/resource_mapping_pb.js';
+import { SubjectMappingService } from './platform/policy/subjectmapping/subject_mapping_pb.js';
+import { UnsafeService } from './platform/policy/unsafe/unsafe_pb.js';
+
+export interface PlatformServices {
+  authorization: Client<typeof AuthorizationService>;
+  entityResolution: Client<typeof EntityResolutionService>;
+  access: Client<typeof AccessService>;
+  action: Client<typeof ActionService>;
+  attributes: Client<typeof AttributesService>;
+  keyAccessServerRegistry: Client<typeof KeyAccessServerRegistryService>;
+  namespace: Client<typeof NamespaceService>;
+  resourceMapping: Client<typeof ResourceMappingService>;
+  subjectMapping: Client<typeof SubjectMappingService>;
+  unsafe: Client<typeof UnsafeService>;
+  wellknown: Client<typeof WellKnownService>;
+}
+
+export interface PlatformClientOptions {
+  // Optional authentication provider for generating auth interceptor.
+  authProvider?: AuthProvider;
+  // Array of custom interceptors to apply to rpc requests.
+  interceptors?: Interceptor[];
+  // Base URL of the platform API.
+  platformUrl: string;
+}
+
+/**
+ * A client for interacting with the Platform using the Connect RPC framework.
+ *
+ * This client provides access to various services offered by the Platform, such as
+ * authorization, entity resolution, key access, policy management, and more. It uses
+ * the Connect RPC framework to communicate with the platform's API endpoints.
+ *
+ * This client supports authentication via an `AuthProvider` or custom interceptors, which can
+ * be used to add authentication headers or other custom logic to outgoing requests.
+ *
+ */
+export class PlatformClient {
+  readonly v1: PlatformServices;
+
+  constructor(options: PlatformClientOptions) {
+    const interceptors: Interceptor[] = [];
+
+    if (options.authProvider) {
+      const authInterceptor = createAuthInterceptor(options.authProvider);
+      interceptors.push(authInterceptor);
+    }
+
+    if (options.interceptors?.length) {
+      interceptors.push(...options.interceptors);
+    }
+
+    const transport = createConnectTransport({
+      baseUrl: options.platformUrl,
+      interceptors,
+    });
+
+    this.v1 = {
+      authorization: createClient(AuthorizationService, transport),
+      entityResolution: createClient(EntityResolutionService, transport),
+      access: createClient(AccessService, transport),
+      action: createClient(ActionService, transport),
+      attributes: createClient(AttributesService, transport),
+      keyAccessServerRegistry: createClient(KeyAccessServerRegistryService, transport),
+      namespace: createClient(NamespaceService, transport),
+      resourceMapping: createClient(ResourceMappingService, transport),
+      subjectMapping: createClient(SubjectMappingService, transport),
+      unsafe: createClient(UnsafeService, transport),
+      wellknown: createClient(WellKnownService, transport),
+    };
+  }
+}
+
+/**
+ * Creates an interceptor that adds authentication headers to outgoing requests.
+ *
+ * This function uses the provided `AuthProvider` to generate authentication credentials
+ * for each request. The `AuthProvider` is expected to implement a `withCreds` method
+ * that returns an object containing authentication headers. These headers are then
+ * added to the request before it is sent to the server.
+ *
+ * @param authProvider - An instance of `AuthProvider` used to generate authentication credentials.
+ * @returns An `Interceptor` function that modifies requests to include authentication headers.
+ */
+function createAuthInterceptor(authProvider: AuthProvider): Interceptor {
+  const authInterceptor: Interceptor = (next) => async (req) => {
+    const url = new URL(req.url);
+    const pathOnly = url.pathname;
+    // Signs only the path of the url in the request
+    const token = await authProvider.withCreds({
+      url: pathOnly,
+      method: 'POST',
+      headers: {
+        'Content-Type': 'application/json',
+      },
+    });
+
+    Object.entries(token.headers).forEach(([key, value]) => {
+      req.header.set(key, value);
+    });
+
+    return await next(req);
+  };
+  return authInterceptor;
+}

package/src/policy/api.ts

@@ -1,61 +1,48 @@
-import { NetworkError, ServiceError } from '../errors.js';
+import { NetworkError } from '../errors.js';
 import { AuthProvider } from '../auth/auth.js';
-import { rstrip } from '../utils.js';
-import { GetAttributeValuesByFqnsResponse, Value } from './attributes.js';
+import { extractRpcErrorMessage, getPlatformUrlFromKasEndpoint } from '../utils.js';
+import { PlatformClient } from '../platform.js';
+import { Value } from './attributes.js';
+import { GetAttributeValuesByFqnsResponse } from '../platform/policy/attributes/attributes_pb.js';
 
+// TODO KAS: go over web-sdk and remove policyEndpoint that is only defined to be used here
 export async function attributeFQNsAsValues(
-  kasUrl: string,
+  platformUrl: string,
   authProvider: AuthProvider,
   ...fqns: string[]
 ): Promise<Value[]> {
-  const avs = new URLSearchParams();
-  for (const fqn of fqns) {
-    avs.append('fqns', fqn);
-  }
-  avs.append('withValue.withKeyAccessGrants', 'true');
-  avs.append('withValue.withAttribute.withKeyAccessGrants', 'true');
-  const uNoSlash = rstrip(kasUrl, '/');
-  const uNoKas = uNoSlash.endsWith('/kas') ? uNoSlash.slice(0, -4) : uNoSlash;
-  const url = `${uNoKas}/attributes/*/fqn?${avs}`;
-  const req = await authProvider.withCreds({
-    url,
-    headers: {},
-    method: 'GET',
-  });
-  let response: Response;
-  try {
-    response = await fetch(req.url, {
-      mode: 'cors',
-      credentials: 'same-origin',
-      headers: req.headers,
-      redirect: 'follow',
-      referrerPolicy: 'no-referrer',
-    });
-  } catch (e) {
-    throw new NetworkError(`network error [${req.method} ${req.url}]`, e);
-  }
+  platformUrl = getPlatformUrlFromKasEndpoint(platformUrl);
+  const platform = new PlatformClient({ authProvider, platformUrl });
 
-  if (!response.ok) {
-    throw new ServiceError(`${req.method} ${req.url} => ${response.status} ${response.statusText}`);
-  }
-
-  let resp: GetAttributeValuesByFqnsResponse;
+  let response: GetAttributeValuesByFqnsResponse;
   try {
-    resp = (await response.json()) as GetAttributeValuesByFqnsResponse;
+    response = await platform.v1.attributes.getAttributeValuesByFqns({
+      fqns,
+      withValue: {
+        withKeyAccessGrants: true,
+        withAttribute: {
+          withKeyAccessGrants: true,
+        },
+      },
+    });
   } catch (e) {
-    throw new ServiceError(`response parse error [${req.method} ${req.url}]`, e);
+    throw new NetworkError(
+      `[${platformUrl}] [GetAttributeValuesByFqns] ${extractRpcErrorMessage(e)}`
+    );
   }
 
   const values: Value[] = [];
-  for (const [fqn, av] of Object.entries(resp.fqnAttributeValues)) {
-    if (!av.value) {
+  for (const [fqn, av] of Object.entries(response.fqnAttributeValues)) {
+    const value = av.value;
+    if (!value) {
       console.log(`Missing value definition for [${fqn}]; is this a valid attribute?`);
       continue;
     }
-    if (av.attribute && !av.value.attribute) {
-      av.value.attribute = av.attribute;
+    if (value && av.attribute && !value?.attribute) {
+      value.attribute = av.attribute;
     }
-    values.push(av.value);
+
+    values.push(value);
   }
   return values;
 }

package/src/policy/attributes.ts

@@ -1,117 +1,21 @@
-export type Metadata = {
-  /**
-   * created_at set by server (entity who created will recorded in an audit event)
-   * Format: date-time
-   */
-  createdAt?: string;
-
-  /**
-   * updated_at set by server (entity who updated will recorded in an audit event)
-   * Format: date-time
-   */
-  updatedAt?: string;
-
-  /** optional short description */
-  labels?: Record<string, string>;
-};
-
-export type KasPublicKeyAlgorithm =
-  | 'KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED'
-  | 'KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048'
-  | 'KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1';
-
-export type KasPublicKey = {
-  /** x509 ASN.1 content in PEM envelope, usually */
-  pem: string;
-  /** A unique string identifier for this key */
-  kid: string;
-  /**
-   * @description A known algorithm type with any additional parameters encoded.
-   * To start, these may be `rsa:2048` for encrypting ZTDF files and
-   * `ec:secp256r1` for nanoTDF, but more formats may be added as needed.
-   */
-  alg: KasPublicKeyAlgorithm;
-};
+import { GetAttributeValuesByFqnsResponse } from '../platform/policy/attributes/attributes_pb.js';
+import { AttributeRuleTypeEnum } from '../platform/policy/objects_pb.js';
 
+export type KasPublicKey = Value['kasKeys'][number];
+export type Value = NonNullable<
+  GetAttributeValuesByFqnsResponse['fqnAttributeValues'][string]['value']
+>;
 export type KasPublicKeySet = {
   keys: KasPublicKey[];
 };
 
-export type PublicKey = {
-  /** kas public key url - optional since can also be retrieved via public key */
-  remote?: string;
-  /** public key; PEM of RSA public key; prefer `cached` */
-  local?: string;
-  /** public key with additional information. Current preferred version */
-  cached?: KasPublicKeySet;
-};
-
-export type KeyAccessServer = {
-  id?: string;
-  /** Address of a KAS instance */
-  uri: string;
-  publicKey?: PublicKey;
-  metadata?: Metadata;
-};
-
-export type Namespace = {
-  /** uuid */
-  id?: string;
-  /** used to partition Attribute Definitions, support by namespace AuthN and enable federation */
-  name?: string;
-  fqn: string;
-  /** active by default until explicitly deactivated */
-  active?: boolean;
-  metadata?: Metadata;
-  grants?: KeyAccessServer[];
-};
-
-export type AttributeRuleType =
-  | 'ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED'
-  | 'ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF'
-  | 'ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF'
-  | 'ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY';
-
-export type Attribute = {
-  /** UUID */
-  id?: string;
-  namespace?: Namespace;
-  /** attribute name */
-  name?: string;
-  /** attribute rule enum */
-  rule?: AttributeRuleType;
-  values?: Value[];
-  grants?: KeyAccessServer[];
-  fqn: string;
-  /** active by default until explicitly deactivated */
-  active?: boolean;
-  /** Common metadata */
-  metadata?: Metadata;
-};
-
-// This is not currently needed by the client, but may be returned.
-// Setting it to unknown to allow it to be ignored for now.
-export type SubjectMapping = unknown;
-
-export type Value = {
-  id?: string;
-  attribute?: Attribute;
-  value?: string;
-  /** list of key access servers */
-  grants?: KeyAccessServer[];
-  fqn: string;
-  /** active by default until explicitly deactivated */
-  active?: boolean;
-  subjectMappings?: SubjectMapping[];
-  /** Common metadata */
-  metadata?: Metadata;
-};
-
+export type Metadata = Value['metadata'];
+export type KeyAccessServer = Value['grants'][number];
+export type Attribute = Value['attribute'];
+export type SubjectMapping = Value['subjectMappings'][number];
+export type Namespace = NonNullable<Value['attribute']>['namespace'];
 export type AttributeAndValue = {
   attribute: Attribute;
   value: Value;
 };
-
-export type GetAttributeValuesByFqnsResponse = {
-  fqnAttributeValues: Record<string, AttributeAndValue>;
-};
+export { AttributeRuleTypeEnum as AttributeRuleType };

package/src/policy/granter.ts

@@ -36,17 +36,16 @@ type ComplexBooleanClause = {
 };
 
 export function booleanOperatorFor(rule?: AttributeRuleType): BooleanOperator {
-  if (!rule) {
-    return 'allOf';
-  }
   switch (rule) {
-    case 'ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED':
-    case 'ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF':
+    case AttributeRuleType.UNSPECIFIED:
+    case AttributeRuleType.ALL_OF:
       return 'allOf';
-    case 'ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF':
+    case AttributeRuleType.ANY_OF:
       return 'anyOf';
-    case 'ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY':
+    case AttributeRuleType.HIERARCHY:
       return 'hierarchy';
+    default:
+      return 'allOf';
   }
 }
 
@@ -114,7 +113,7 @@ export function plan(dataAttrs: Value[]): KeySplitStep[] {
         });
       }
     }
-    const op = booleanOperatorFor(attrClause.def.rule);
+    const op = booleanOperatorFor(attrClause.def?.rule);
     kcs.push({
       op,
       children: ccv,

package/src/utils.ts

@@ -3,6 +3,7 @@ import { exportSPKI, importX509 } from 'jose';
 import { base64 } from './encodings/index.js';
 import { pemCertToCrypto, pemPublicToCrypto } from './nanotdf-crypto/pemPublicToCrypto.js';
 import { ConfigurationError } from './errors.js';
+import { ConnectError } from '@connectrpc/connect';
 
 /**
  * Check to see if the given URL is 'secure'. This assumes:
@@ -139,3 +140,32 @@ export async function extractPemFromKeyString(keyString: string): Promise<string
 
   return pem;
 }
+
+/**
+ * Extracts the error message from an RPC catch error.
+ */
+export function extractRpcErrorMessage(error: unknown): string {
+  if (error instanceof ConnectError || error instanceof Error) {
+    return error.message;
+  }
+  return 'Unknown network error occurred';
+}
+
+/**
+ * Converts a KAS endpoint URL to a platform URL.
+ * If the KAS endpoint ends with '/kas', it returns the host url
+ * Otherwise, it returns the original KAS endpoint.
+ */
+export function getPlatformUrlFromKasEndpoint(endpoint: string): string {
+  let result = endpoint || '';
+  if (result.endsWith('/')) {
+    result = rstrip(result, '/');
+  }
+  if (result.endsWith('/v2/rewrap')) {
+    result = result.slice(0, -10);
+  }
+  if (result.endsWith('/kas')) {
+    result = result.slice(0, -4);
+  }
+  return result;
+}

package/tdf3/src/client/index.ts

@@ -19,7 +19,12 @@ import { OIDCRefreshTokenProvider } from '../../../src/auth/oidc-refreshtoken-pr
 import { OIDCExternalJwtProvider } from '../../../src/auth/oidc-externaljwt-provider.js';
 import { CryptoService } from '../crypto/declarations.js';
 import { type AuthProvider, HttpRequest, withHeaders } from '../../../src/auth/auth.js';
-import { pemToCryptoPublicKey, rstrip, validateSecureUrl } from '../../../src/utils.js';
+import {
+  getPlatformUrlFromKasEndpoint,
+  pemToCryptoPublicKey,
+  rstrip,
+  validateSecureUrl,
+} from '../../../src/utils.js';
 
 import {
   type EncryptParams,
@@ -299,14 +304,13 @@ export class Client {
     if (!validateSecureUrl(this.kasEndpoint)) {
       throw new ConfigurationError(`Invalid KAS endpoint [${this.kasEndpoint}]`);
     }
+
     if (config.platformUrl) {
       this.platformUrl = config.platformUrl;
     }
 
     if (clientConfig.policyEndpoint) {
-      this.policyEndpoint = rstrip(clientConfig.policyEndpoint, '/');
-    } else if (this.kasEndpoint.endsWith('/kas')) {
-      this.policyEndpoint = this.kasEndpoint.slice(0, -4);
+      this.policyEndpoint = getPlatformUrlFromKasEndpoint(clientConfig.policyEndpoint);
     }
 
     const kasOrigin = new URL(this.kasEndpoint).origin;
@@ -439,8 +443,9 @@ export class Client {
       const detailedPlan = plan(avs);
       splitPlan = detailedPlan.map((kat) => {
         const { kas, sid } = kat;
-        if (kas?.publicKey?.cached?.keys && !(kas.uri in this.kasKeys)) {
-          const keys = kas.publicKey.cached.keys;
+        const pubKey = kas.publicKey?.publicKey;
+        if (pubKey?.case === 'cached' && pubKey.value.keys && !(kas.uri in this.kasKeys)) {
+          const keys = pubKey.value.keys;
           if (keys?.length) {
             this.kasKeys[kas.uri] = keys.map((key) => resolveKasInfo(key.pem, kas.uri, key.kid));
           }

package/tdf3/src/tdf.ts

@@ -766,9 +766,8 @@ async function unwrapKey({
 
     const { entityWrappedKey, metadata, sessionPublicKey } = await fetchWrappedKey(
       url,
-      { signedRequestToken },
-      authProvider,
-      '0.0.1'
+      signedRequestToken,
+      authProvider
     );
 
     if (wrappingKeyAlgorithm === 'ec:secp256r1') {
@@ -778,7 +777,7 @@ async function unwrapKey({
         hkdfSalt: await ztdfSalt,
         hkdfHash: 'SHA-256',
       });
-      const wrappedKeyAndNonce = base64.decodeArrayBuffer(entityWrappedKey);
+      const wrappedKeyAndNonce = entityWrappedKey;
       const iv = wrappedKeyAndNonce.slice(0, 12);
       const wrappedKey = wrappedKeyAndNonce.slice(12);
 
@@ -789,7 +788,7 @@ async function unwrapKey({
         metadata,
       };
     }
-    const key = Binary.fromString(base64.decode(entityWrappedKey));
+    const key = Binary.fromArrayBuffer(entityWrappedKey);
     const decryptedKeyBinary = await cryptoService.decryptWithPrivateKey(
       key,
       ephemeralEncryptionKeys.privateKey
@@ -991,13 +990,6 @@ export async function readStream(cfg: DecryptConfiguration) {
   return decryptStreamFrom(cfg, overview);
 }
 
-// TODO: potentially might need fixing here
-// By the time this function is called the allow list will be already set.
-// Verify that this function is not exported in the sdk and only exported for internal use
-// Verify this during tests and PR
-// Remove this comment before merging!
-// https://www.youtube.com/watch?v=NGrLb6W5YOM
-// Don't leave me here all by myself!
 export async function decryptStreamFrom(
   cfg: DecryptConfiguration,
   { manifest, zipReader, centralDirectory }: InspectedTDFOverview

package/src/platform/authorization/authorization_connect.d.ts

@@ -1,44 +0,0 @@
-// @generated by protoc-gen-connect-es v1.4.0 with parameter "target=js+dts,import_extension=none"
-// @generated from file authorization/authorization.proto (package authorization, syntax proto3)
-/* eslint-disable */
-// @ts-nocheck
-
-import { GetDecisionsByTokenRequest, GetDecisionsByTokenResponse, GetDecisionsRequest, GetDecisionsResponse, GetEntitlementsRequest, GetEntitlementsResponse } from "./authorization_pb";
-import { MethodKind } from "@bufbuild/protobuf";
-
-/**
- * @generated from service authorization.AuthorizationService
- */
-export declare const AuthorizationService: {
-  readonly typeName: "authorization.AuthorizationService",
-  readonly methods: {
-    /**
-     * @generated from rpc authorization.AuthorizationService.GetDecisions
-     */
-    readonly getDecisions: {
-      readonly name: "GetDecisions",
-      readonly I: typeof GetDecisionsRequest,
-      readonly O: typeof GetDecisionsResponse,
-      readonly kind: MethodKind.Unary,
-    },
-    /**
-     * @generated from rpc authorization.AuthorizationService.GetDecisionsByToken
-     */
-    readonly getDecisionsByToken: {
-      readonly name: "GetDecisionsByToken",
-      readonly I: typeof GetDecisionsByTokenRequest,
-      readonly O: typeof GetDecisionsByTokenResponse,
-      readonly kind: MethodKind.Unary,
-    },
-    /**
-     * @generated from rpc authorization.AuthorizationService.GetEntitlements
-     */
-    readonly getEntitlements: {
-      readonly name: "GetEntitlements",
-      readonly I: typeof GetEntitlementsRequest,
-      readonly O: typeof GetEntitlementsResponse,
-      readonly kind: MethodKind.Unary,
-    },
-  }
-};
-