@opentdf/sdk 0.4.0-beta.4 → 0.4.0-beta.41

Files changed (217)
  1. package/dist/cjs/src/access/access-fetch.js +2 -1
  2. package/dist/cjs/src/access/access-rpc.js +11 -5
  3. package/dist/cjs/src/access/constants.js +6 -0
  4. package/dist/cjs/src/access.js +39 -4
  5. package/dist/cjs/src/auth/oidc-clientcredentials-provider.js +4 -2
  6. package/dist/cjs/src/auth/oidc-externaljwt-provider.js +5 -3
  7. package/dist/cjs/src/auth/oidc-refreshtoken-provider.js +19 -3
  8. package/dist/cjs/src/auth/oidc.js +9 -8
  9. package/dist/cjs/src/auth/providers.js +7 -1
  10. package/dist/cjs/src/index.js +4 -2
  11. package/dist/cjs/src/nanoclients.js +4 -4
  12. package/dist/cjs/src/nanotdf/Client.js +10 -6
  13. package/dist/cjs/src/opentdf.js +103 -13
  14. package/dist/cjs/src/platform/authorization/v2/authorization_pb.js +112 -0
  15. package/dist/cjs/src/platform/buf/validate/validate_pb.js +114 -170
  16. package/dist/cjs/src/platform/common/common_pb.js +16 -5
  17. package/dist/cjs/src/platform/entity/entity_pb.js +51 -0
  18. package/dist/cjs/src/platform/entityresolution/entity_resolution_pb.js +1 -1
  19. package/dist/cjs/src/platform/entityresolution/v2/entity_resolution_pb.js +49 -0
  20. package/dist/cjs/src/platform/google/api/annotations_pb.js +1 -1
  21. package/dist/cjs/src/platform/google/api/http_pb.js +3 -3
  22. package/dist/cjs/src/platform/kas/kas_pb.js +2 -2
  23. package/dist/cjs/src/platform/policy/attributes/attributes_pb.js +12 -2
  24. package/dist/cjs/src/platform/policy/kasregistry/key_access_server_registry_pb.js +57 -4
  25. package/dist/cjs/src/platform/policy/keymanagement/key_management_pb.js +2 -2
  26. package/dist/cjs/src/platform/policy/namespaces/namespaces_pb.js +31 -4
  27. package/dist/cjs/src/platform/policy/objects_pb.js +116 -42
  28. package/dist/cjs/src/platform/policy/obligations/obligations_pb.js +159 -0
  29. package/dist/cjs/src/platform/policy/registeredresources/registered_resources_pb.js +20 -15
  30. package/dist/cjs/src/platform/policy/resourcemapping/resource_mapping_pb.js +2 -3
  31. package/dist/cjs/src/platform/policy/selectors_pb.js +1 -1
  32. package/dist/cjs/src/platform/policy/subjectmapping/subject_mapping_pb.js +2 -3
  33. package/dist/cjs/src/platform/policy/unsafe/unsafe_pb.js +2 -4
  34. package/dist/cjs/src/platform.js +20 -3
  35. package/dist/cjs/src/policy/api.js +27 -7
  36. package/dist/cjs/src/policy/granter.js +75 -48
  37. package/dist/cjs/src/seekable.js +32 -1
  38. package/dist/cjs/src/utils.js +85 -3
  39. package/dist/cjs/tdf3/src/assertions.js +39 -2
  40. package/dist/cjs/tdf3/src/client/DecoratedReadableStream.js +8 -1
  41. package/dist/cjs/tdf3/src/client/builders.js +13 -1
  42. package/dist/cjs/tdf3/src/client/index.js +213 -54
  43. package/dist/cjs/tdf3/src/client/validation.js +3 -3
  44. package/dist/cjs/tdf3/src/tdf.js +42 -9
  45. package/dist/cjs/tdf3/src/utils/unwrap.js +2 -2
  46. package/dist/types/src/access/access-fetch.d.ts +1 -0
  47. package/dist/types/src/access/access-fetch.d.ts.map +1 -1
  48. package/dist/types/src/access/access-rpc.d.ts +2 -1
  49. package/dist/types/src/access/access-rpc.d.ts.map +1 -1
  50. package/dist/types/src/access/constants.d.ts +3 -0
  51. package/dist/types/src/access/constants.d.ts.map +1 -0
  52. package/dist/types/src/access.d.ts +30 -1
  53. package/dist/types/src/access.d.ts.map +1 -1
  54. package/dist/types/src/auth/oidc-clientcredentials-provider.d.ts +1 -1
  55. package/dist/types/src/auth/oidc-clientcredentials-provider.d.ts.map +1 -1
  56. package/dist/types/src/auth/oidc-externaljwt-provider.d.ts +1 -1
  57. package/dist/types/src/auth/oidc-externaljwt-provider.d.ts.map +1 -1
  58. package/dist/types/src/auth/oidc-refreshtoken-provider.d.ts +15 -1
  59. package/dist/types/src/auth/oidc-refreshtoken-provider.d.ts.map +1 -1
  60. package/dist/types/src/auth/oidc.d.ts +4 -0
  61. package/dist/types/src/auth/oidc.d.ts.map +1 -1
  62. package/dist/types/src/auth/providers.d.ts.map +1 -1
  63. package/dist/types/src/index.d.ts +1 -0
  64. package/dist/types/src/index.d.ts.map +1 -1
  65. package/dist/types/src/nanotdf/Client.d.ts +8 -1
  66. package/dist/types/src/nanotdf/Client.d.ts.map +1 -1
  67. package/dist/types/src/opentdf.d.ts +137 -6
  68. package/dist/types/src/opentdf.d.ts.map +1 -1
  69. package/dist/types/src/platform/authorization/v2/authorization_pb.d.ts +439 -0
  70. package/dist/types/src/platform/authorization/v2/authorization_pb.d.ts.map +1 -0
  71. package/dist/types/src/platform/buf/validate/validate_pb.d.ts +495 -370
  72. package/dist/types/src/platform/buf/validate/validate_pb.d.ts.map +1 -1
  73. package/dist/types/src/platform/common/common_pb.d.ts +36 -0
  74. package/dist/types/src/platform/common/common_pb.d.ts.map +1 -1
  75. package/dist/types/src/platform/entity/entity_pb.d.ts +130 -0
  76. package/dist/types/src/platform/entity/entity_pb.d.ts.map +1 -0
  77. package/dist/types/src/platform/entityresolution/entity_resolution_pb.d.ts +4 -0
  78. package/dist/types/src/platform/entityresolution/entity_resolution_pb.d.ts.map +1 -1
  79. package/dist/types/src/platform/entityresolution/v2/entity_resolution_pb.d.ts +136 -0
  80. package/dist/types/src/platform/entityresolution/v2/entity_resolution_pb.d.ts.map +1 -0
  81. package/dist/types/src/platform/google/api/http_pb.d.ts.map +1 -1
  82. package/dist/types/src/platform/kas/kas_pb.d.ts +5 -0
  83. package/dist/types/src/platform/kas/kas_pb.d.ts.map +1 -1
  84. package/dist/types/src/platform/policy/attributes/attributes_pb.d.ts +44 -13
  85. package/dist/types/src/platform/policy/attributes/attributes_pb.d.ts.map +1 -1
  86. package/dist/types/src/platform/policy/kasregistry/key_access_server_registry_pb.d.ts +329 -24
  87. package/dist/types/src/platform/policy/kasregistry/key_access_server_registry_pb.d.ts.map +1 -1
  88. package/dist/types/src/platform/policy/keymanagement/key_management_pb.d.ts +20 -1
  89. package/dist/types/src/platform/policy/keymanagement/key_management_pb.d.ts.map +1 -1
  90. package/dist/types/src/platform/policy/namespaces/namespaces_pb.d.ts +143 -5
  91. package/dist/types/src/platform/policy/namespaces/namespaces_pb.d.ts.map +1 -1
  92. package/dist/types/src/platform/policy/objects_pb.d.ts +382 -33
  93. package/dist/types/src/platform/policy/objects_pb.d.ts.map +1 -1
  94. package/dist/types/src/platform/policy/obligations/obligations_pb.d.ts +670 -0
  95. package/dist/types/src/platform/policy/obligations/obligations_pb.d.ts.map +1 -0
  96. package/dist/types/src/platform/policy/registeredresources/registered_resources_pb.d.ts +67 -0
  97. package/dist/types/src/platform/policy/registeredresources/registered_resources_pb.d.ts.map +1 -1
  98. package/dist/types/src/platform/policy/resourcemapping/resource_mapping_pb.d.ts.map +1 -1
  99. package/dist/types/src/platform/policy/selectors_pb.d.ts +18 -0
  100. package/dist/types/src/platform/policy/selectors_pb.d.ts.map +1 -1
  101. package/dist/types/src/platform/policy/subjectmapping/subject_mapping_pb.d.ts.map +1 -1
  102. package/dist/types/src/platform/policy/unsafe/unsafe_pb.d.ts +18 -4
  103. package/dist/types/src/platform/policy/unsafe/unsafe_pb.d.ts.map +1 -1
  104. package/dist/types/src/platform.d.ts +21 -0
  105. package/dist/types/src/platform.d.ts.map +1 -1
  106. package/dist/types/src/policy/api.d.ts +2 -0
  107. package/dist/types/src/policy/api.d.ts.map +1 -1
  108. package/dist/types/src/policy/granter.d.ts +11 -6
  109. package/dist/types/src/policy/granter.d.ts.map +1 -1
  110. package/dist/types/src/seekable.d.ts +31 -0
  111. package/dist/types/src/seekable.d.ts.map +1 -1
  112. package/dist/types/src/utils.d.ts +61 -2
  113. package/dist/types/src/utils.d.ts.map +1 -1
  114. package/dist/types/tdf3/src/assertions.d.ts +4 -0
  115. package/dist/types/tdf3/src/assertions.d.ts.map +1 -1
  116. package/dist/types/tdf3/src/client/DecoratedReadableStream.d.ts +6 -0
  117. package/dist/types/tdf3/src/client/DecoratedReadableStream.d.ts.map +1 -1
  118. package/dist/types/tdf3/src/client/builders.d.ts +14 -0
  119. package/dist/types/tdf3/src/client/builders.d.ts.map +1 -1
  120. package/dist/types/tdf3/src/client/index.d.ts +25 -4
  121. package/dist/types/tdf3/src/client/index.d.ts.map +1 -1
  122. package/dist/types/tdf3/src/client/validation.d.ts +3 -3
  123. package/dist/types/tdf3/src/client/validation.d.ts.map +1 -1
  124. package/dist/types/tdf3/src/tdf.d.ts +3 -1
  125. package/dist/types/tdf3/src/tdf.d.ts.map +1 -1
  126. package/dist/types/tdf3/src/utils/unwrap.d.ts.map +1 -1
  127. package/dist/web/src/access/access-fetch.js +2 -1
  128. package/dist/web/src/access/access-rpc.js +11 -5
  129. package/dist/web/src/access/constants.js +3 -0
  130. package/dist/web/src/access.js +37 -3
  131. package/dist/web/src/auth/oidc-clientcredentials-provider.js +4 -2
  132. package/dist/web/src/auth/oidc-externaljwt-provider.js +5 -3
  133. package/dist/web/src/auth/oidc-refreshtoken-provider.js +19 -3
  134. package/dist/web/src/auth/oidc.js +9 -8
  135. package/dist/web/src/auth/providers.js +7 -1
  136. package/dist/web/src/index.js +2 -1
  137. package/dist/web/src/nanoclients.js +4 -4
  138. package/dist/web/src/nanotdf/Client.js +11 -7
  139. package/dist/web/src/opentdf.js +103 -13
  140. package/dist/web/src/platform/authorization/v2/authorization_pb.js +109 -0
  141. package/dist/web/src/platform/buf/validate/validate_pb.js +113 -169
  142. package/dist/web/src/platform/common/common_pb.js +15 -4
  143. package/dist/web/src/platform/entity/entity_pb.js +48 -0
  144. package/dist/web/src/platform/entityresolution/entity_resolution_pb.js +1 -1
  145. package/dist/web/src/platform/entityresolution/v2/entity_resolution_pb.js +46 -0
  146. package/dist/web/src/platform/google/api/annotations_pb.js +1 -1
  147. package/dist/web/src/platform/google/api/http_pb.js +3 -3
  148. package/dist/web/src/platform/kas/kas_pb.js +2 -2
  149. package/dist/web/src/platform/policy/attributes/attributes_pb.js +12 -2
  150. package/dist/web/src/platform/policy/kasregistry/key_access_server_registry_pb.js +55 -3
  151. package/dist/web/src/platform/policy/keymanagement/key_management_pb.js +2 -2
  152. package/dist/web/src/platform/policy/namespaces/namespaces_pb.js +30 -3
  153. package/dist/web/src/platform/policy/objects_pb.js +114 -41
  154. package/dist/web/src/platform/policy/obligations/obligations_pb.js +156 -0
  155. package/dist/web/src/platform/policy/registeredresources/registered_resources_pb.js +19 -14
  156. package/dist/web/src/platform/policy/resourcemapping/resource_mapping_pb.js +2 -3
  157. package/dist/web/src/platform/policy/selectors_pb.js +1 -1
  158. package/dist/web/src/platform/policy/subjectmapping/subject_mapping_pb.js +2 -3
  159. package/dist/web/src/platform/policy/unsafe/unsafe_pb.js +2 -4
  160. package/dist/web/src/platform.js +20 -3
  161. package/dist/web/src/policy/api.js +26 -7
  162. package/dist/web/src/policy/granter.js +75 -48
  163. package/dist/web/src/seekable.js +32 -1
  164. package/dist/web/src/utils.js +84 -3
  165. package/dist/web/tdf3/src/assertions.js +38 -2
  166. package/dist/web/tdf3/src/client/DecoratedReadableStream.js +8 -1
  167. package/dist/web/tdf3/src/client/builders.js +13 -1
  168. package/dist/web/tdf3/src/client/index.js +215 -57
  169. package/dist/web/tdf3/src/client/validation.js +3 -3
  170. package/dist/web/tdf3/src/tdf.js +42 -9
  171. package/dist/web/tdf3/src/utils/unwrap.js +2 -2
  172. package/package.json +7 -5
  173. package/src/access/access-fetch.ts +1 -0
  174. package/src/access/access-rpc.ts +13 -4
  175. package/src/access/constants.ts +2 -0
  176. package/src/access.ts +54 -2
  177. package/src/auth/oidc-clientcredentials-provider.ts +4 -0
  178. package/src/auth/oidc-externaljwt-provider.ts +5 -1
  179. package/src/auth/oidc-refreshtoken-provider.ts +19 -1
  180. package/src/auth/oidc.ts +12 -7
  181. package/src/auth/providers.ts +6 -0
  182. package/src/index.ts +1 -0
  183. package/src/nanoclients.ts +3 -3
  184. package/src/nanotdf/Client.ts +28 -6
  185. package/src/opentdf.ts +206 -73
  186. package/src/platform/authorization/v2/authorization_pb.ts +503 -0
  187. package/src/platform/buf/validate/validate_pb.ts +529 -401
  188. package/src/platform/common/common_pb.ts +48 -3
  189. package/src/platform/entity/entity_pb.ts +154 -0
  190. package/src/platform/entityresolution/entity_resolution_pb.ts +4 -0
  191. package/src/platform/entityresolution/v2/entity_resolution_pb.ts +170 -0
  192. package/src/platform/google/api/annotations_pb.ts +1 -1
  193. package/src/platform/google/api/http_pb.ts +2 -2
  194. package/src/platform/kas/kas_pb.ts +6 -1
  195. package/src/platform/policy/attributes/attributes_pb.ts +46 -16
  196. package/src/platform/policy/kasregistry/key_access_server_registry_pb.ts +371 -27
  197. package/src/platform/policy/keymanagement/key_management_pb.ts +24 -2
  198. package/src/platform/policy/namespaces/namespaces_pb.ts +163 -7
  199. package/src/platform/policy/objects_pb.ts +474 -59
  200. package/src/platform/policy/obligations/obligations_pb.ts +788 -0
  201. package/src/platform/policy/registeredresources/registered_resources_pb.ts +80 -13
  202. package/src/platform/policy/resourcemapping/resource_mapping_pb.ts +1 -2
  203. package/src/platform/policy/selectors_pb.ts +18 -0
  204. package/src/platform/policy/subjectmapping/subject_mapping_pb.ts +1 -2
  205. package/src/platform/policy/unsafe/unsafe_pb.ts +21 -6
  206. package/src/platform.ts +29 -5
  207. package/src/policy/api.ts +37 -6
  208. package/src/policy/granter.ts +82 -56
  209. package/src/seekable.ts +31 -0
  210. package/src/utils.ts +88 -2
  211. package/tdf3/src/assertions.ts +52 -1
  212. package/tdf3/src/client/DecoratedReadableStream.ts +9 -0
  213. package/tdf3/src/client/builders.ts +16 -0
  214. package/tdf3/src/client/index.ts +309 -73
  215. package/tdf3/src/client/validation.ts +2 -2
  216. package/tdf3/src/tdf.ts +53 -9
  217. package/tdf3/src/utils/unwrap.ts +2 -1
package/src/auth/oidc.ts CHANGED
@@ -12,6 +12,8 @@ export type CommonCredentials = {
12
12
  clientId: string;
13
13
  /** The endpoint of the OIDC IdP to authenticate against, ex. 'https://virtru.com/auth' */
14
14
  oidcOrigin: string;
15
+ oidcTokenEndpoint?: string;
16
+ oidcUserInfoEndpoint?: string;
15
17
  /** Whether or not DPoP is enabled. */
16
18
  dpopEnabled?: boolean;
17
19
 
@@ -89,6 +91,8 @@ export class AccessToken {
89
91
  data?: AccessTokenResponse;
90
92
 
91
93
  baseUrl: string;
94
+ tokenEndpoint: string;
95
+ userInfoEndpoint: string;
92
96
 
93
97
  signingKey?: CryptoKeyPair;
94
98
 
@@ -119,6 +123,9 @@ export class AccessToken {
119
123
  this.config = cfg;
120
124
  this.request = request;
121
125
  this.baseUrl = rstrip(cfg.oidcOrigin, '/');
126
+ this.tokenEndpoint = cfg.oidcTokenEndpoint || `${this.baseUrl}/protocol/openid-connect/token`;
127
+ this.userInfoEndpoint =
128
+ cfg.oidcUserInfoEndpoint || `${this.baseUrl}/protocol/openid-connect/userinfo`;
122
129
  this.signingKey = cfg.signingKey;
123
130
  }
124
131
 
@@ -128,21 +135,20 @@ export class AccessToken {
128
135
  * @returns
129
136
  */
130
137
  async info(accessToken: string): Promise<unknown> {
131
- const url = `${this.baseUrl}/protocol/openid-connect/userinfo`;
132
138
  const headers = {
133
139
  ...this.extraHeaders,
134
140
  Authorization: `Bearer ${accessToken}`,
135
141
  } as Record<string, string>;
136
142
  if (this.config.dpopEnabled && this.signingKey) {
137
- headers.DPoP = await dpopFn(this.signingKey, url, 'POST');
143
+ headers.DPoP = await dpopFn(this.signingKey, this.userInfoEndpoint, 'POST');
138
144
  }
139
- const response = await (this.request || fetch)(url, {
145
+ const response = await (this.request || fetch)(this.userInfoEndpoint, {
140
146
  headers,
141
147
  });
142
148
  if (!response.ok) {
143
149
  console.error(await response.text());
144
150
  throw new TdfError(
145
- `auth info fail: GET [${url}] => ${response.status} ${response.statusText}`
151
+ `auth info fail: GET [${this.userInfoEndpoint}] => ${response.status} ${response.statusText}`
146
152
  );
147
153
  }
148
154
 
@@ -171,7 +177,6 @@ export class AccessToken {
171
177
  }
172
178
 
173
179
  async accessTokenLookup(cfg: OIDCCredentials) {
174
- const url = `${this.baseUrl}/protocol/openid-connect/token`;
175
180
  let body;
176
181
  switch (cfg.exchange) {
177
182
  case 'client':
@@ -198,11 +203,11 @@ export class AccessToken {
198
203
  };
199
204
  break;
200
205
  }
201
- const response = await this.doPost(url, body);
206
+ const response = await this.doPost(this.tokenEndpoint, body);
202
207
  if (!response.ok) {
203
208
  console.error(await response.text());
204
209
  throw new TdfError(
205
- `token/code exchange fail: POST [${url}] => ${response.status} ${response.statusText}`
210
+ `token/code exchange fail: POST [${this.tokenEndpoint}] => ${response.status} ${response.statusText}`
206
211
  );
207
212
  }
208
213
  return response.json();
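Review bot: In `info()` the DPoP proof is still built with `dpopFn(this.signingKey, this.userInfoEndpoint, 'POST')` while the request on the next line is sent with no method (a GET) and the error text reports GET; a server that compares the proof's method claim against the actual request method will reject it, so the call should read `headers.DPoP = await dpopFn(this.signingKey, this.userInfoEndpoint, 'GET');` unless a POST is intended. The two new optional fields on `CommonCredentials` have no TSDoc although their neighbours do; `/** Overrides the token endpoint derived from oidcOrigin. The client secret or refresh token is posted here, so only an https URL you control belongs in it. */` and a matching comment for `oidcUserInfoEndpoint` would document them. The override values are used as given, so a URL check at construction (the SDK imports a `validateSecureUrl` helper elsewhere, though its contract is not visible here) would be worth adding before the first `doPost`. The `info()` and `accessTokenLookup()` bodies continue outside the hunks shown.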
@@ -36,6 +36,8 @@ export const clientSecretAuthProvider = async (
36
36
  clientId: clientConfig.clientId,
37
37
  clientSecret: clientConfig.clientSecret,
38
38
  oidcOrigin: clientConfig.oidcOrigin,
39
+ oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
40
+ oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
39
41
  });
40
42
  };
41
43
 
@@ -62,6 +64,8 @@ export const externalAuthProvider = async (
62
64
  clientId: clientConfig.clientId,
63
65
  externalJwt: clientConfig.externalJwt,
64
66
  oidcOrigin: clientConfig.oidcOrigin,
67
+ oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
68
+ oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
65
69
  });
66
70
  };
67
71
 
@@ -86,6 +90,8 @@ export const refreshAuthProvider = async (
86
90
  clientId: clientConfig.clientId,
87
91
  refreshToken: clientConfig.refreshToken,
88
92
  oidcOrigin: clientConfig.oidcOrigin,
93
+ oidcTokenEndpoint: clientConfig.oidcTokenEndpoint,
94
+ oidcUserInfoEndpoint: clientConfig.oidcUserInfoEndpoint,
89
95
  });
90
96
  };
91
97
 
package/src/index.ts CHANGED
@@ -2,6 +2,7 @@ export { type AuthProvider, type HttpMethod, HttpRequest, withHeaders } from './
2
2
  export * as AuthProviders from './auth/providers.js';
3
3
  export { attributeFQNsAsValues } from './policy/api.js';
4
4
  export { version, clientType, tdfSpecVersion } from './version.js';
5
+ export { PlatformClient, type PlatformClientOptions, type PlatformServices } from './platform.js';
5
6
  export * from './opentdf.js';
6
7
  export * from './seekable.js';
7
8
  export * from '../tdf3/src/models/index.js';
@@ -46,7 +46,7 @@ export class NanoTDFClient extends Client {
46
46
  const kasUrl = nanotdf.header.getKasRewrapUrl();
47
47
 
48
48
  // Rewrap key on every request
49
- const ukey = await this.rewrapKey(
49
+ const { unwrappedKey: ukey } = await this.rewrapKey(
50
50
  nanotdf.header.toBuffer(),
51
51
  kasUrl,
52
52
  nanotdf.header.magicNumberVersion,
@@ -73,7 +73,7 @@ export class NanoTDFClient extends Client {
73
73
 
74
74
  const legacyVersion = '0.0.0';
75
75
  // Rewrap key on every request
76
- const key = await this.rewrapKey(
76
+ const { unwrappedKey: key } = await this.rewrapKey(
77
77
  nanotdf.header.toBuffer(),
78
78
  nanotdf.header.getKasRewrapUrl(),
79
79
  nanotdf.header.magicNumberVersion,
@@ -351,7 +351,7 @@ export class NanoTDFDatasetClient extends Client {
351
351
  // TODO: The version number should be fetched from the API
352
352
  const version = '0.0.1';
353
353
  // Rewrap key on every request
354
- const ukey = await this.rewrapKey(
354
+ const { unwrappedKey: ukey } = await this.rewrapKey(
355
355
  nanotdf.header.toBuffer(),
356
356
  nanotdf.header.getKasRewrapUrl(),
357
357
  nanotdf.header.magicNumberVersion,
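Review bot: All three call sites (this hunk and the two hunks above at old lines 49 and 76) destructure only `unwrappedKey` from `rewrapKey()`, so the `requiredObligations` the KAS reports are discarded before the payload is decrypted and the consumer never learns which obligations it has just taken on. At minimum bind the value, `const { unwrappedKey: ukey, requiredObligations } = await this.rewrapKey(`, and either return it alongside the plaintext or record it where the caller can act on it. The enclosing methods start and end outside these hunks.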
@@ -10,10 +10,16 @@ import {
10
10
  } from '../access.js';
11
11
  import { AuthProvider, isAuthProvider, reqSignature } from '../auth/providers.js';
12
12
  import { ConfigurationError, DecryptError, TdfError, UnsafeUrlError } from '../errors.js';
13
- import { cryptoPublicToPem, pemToCryptoPublicKey, validateSecureUrl } from '../utils.js';
13
+ import {
14
+ cryptoPublicToPem,
15
+ getRequiredObligationFQNs,
16
+ pemToCryptoPublicKey,
17
+ validateSecureUrl,
18
+ } from '../utils.js';
14
19
 
15
20
  export interface ClientConfig {
16
21
  allowedKases?: string[];
22
+ fulfillableObligationFQNs?: string[];
17
23
  ignoreAllowList?: boolean;
18
24
  authProvider: AuthProvider;
19
25
  dpopEnabled?: boolean;
@@ -23,6 +29,11 @@ export interface ClientConfig {
23
29
  platformUrl: string;
24
30
  }
25
31
 
32
+ type RewrapKeyResult = {
33
+ unwrappedKey: CryptoKey;
34
+ requiredObligations: string[];
35
+ };
36
+
26
37
  function toJWSAlg(c: CryptoKey): string {
27
38
  const { algorithm } = c;
28
39
  switch (algorithm.name) {
@@ -106,6 +117,7 @@ export default class Client {
106
117
  static readonly IV_SIZE = 12;
107
118
 
108
119
  allowedKases?: OriginAllowList;
120
+ readonly fulfillableObligationFQNs: string[];
109
121
  /*
110
122
  These variables are expected to be either assigned during initialization or within the methods.
111
123
  This is needed as the flow is very specific. Errors should be thrown if the necessary step is not completed.
@@ -168,6 +180,7 @@ export default class Client {
168
180
  } else {
169
181
  const {
170
182
  allowedKases,
183
+ fulfillableObligationFQNs = [],
171
184
  ignoreAllowList,
172
185
  authProvider,
173
186
  dpopEnabled,
@@ -184,6 +197,7 @@ export default class Client {
184
197
  if (allowedKases?.length || ignoreAllowList) {
185
198
  this.allowedKases = new OriginAllowList(allowedKases || [], ignoreAllowList);
186
199
  }
200
+ this.fulfillableObligationFQNs = fulfillableObligationFQNs;
187
201
  this.dpopEnabled = !!dpopEnabled;
188
202
  if (dpopKeys) {
189
203
  this.requestSignerKeyPair = dpopKeys;
@@ -223,7 +237,7 @@ export default class Client {
223
237
  kasRewrapUrl: string,
224
238
  magicNumberVersion: ArrayBufferLike,
225
239
  clientVersion: string
226
- ): Promise<CryptoKey> {
240
+ ): Promise<RewrapKeyResult> {
227
241
  let allowedKases = this.allowedKases;
228
242
 
229
243
  if (!allowedKases) {
@@ -265,10 +279,15 @@ export default class Client {
265
279
  });
266
280
 
267
281
  // Wrapped
268
- const wrappedKey = await fetchWrappedKey(kasRewrapUrl, signedRequestToken, this.authProvider);
282
+ const rewrapResp = await fetchWrappedKey(
283
+ kasRewrapUrl,
284
+ signedRequestToken,
285
+ this.authProvider,
286
+ this.fulfillableObligationFQNs
287
+ );
269
288
 
270
289
  // Extract the iv and ciphertext
271
- const entityWrappedKey = wrappedKey.entityWrappedKey;
290
+ const entityWrappedKey = rewrapResp.entityWrappedKey;
272
291
  const ivLength =
273
292
  clientVersion == Client.SDK_INITIAL_RELEASE ? Client.INITIAL_RELEASE_IV_SIZE : Client.IV_SIZE;
274
293
  const iv = entityWrappedKey.subarray(0, ivLength);
@@ -277,7 +296,7 @@ export default class Client {
277
296
  let kasPublicKey;
278
297
  try {
279
298
  // Let us import public key as a cert or public key
280
- kasPublicKey = await pemToCryptoPublicKey(wrappedKey.sessionPublicKey);
299
+ kasPublicKey = await pemToCryptoPublicKey(rewrapResp.sessionPublicKey);
281
300
  } catch (cause) {
282
301
  throw new ConfigurationError(
283
302
  `internal: [${kasRewrapUrl}] PEM Public Key to crypto public key failed. Is PEM formatted correctly?`,
@@ -346,6 +365,9 @@ export default class Client {
346
365
  throw new DecryptError('Unable to import raw key.', cause);
347
366
  }
348
367
 
349
- return unwrappedKey;
368
+ return {
369
+ requiredObligations: getRequiredObligationFQNs(rewrapResp),
370
+ unwrappedKey: unwrappedKey,
371
+ };
350
372
  }
351
373
  }
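Review bot: `fulfillableObligationFQNs` is declared as a required `readonly string[]` but is assigned only in the `else` branch visible in the constructor hunk; if the other branch (outside the hunk) does not set it, `strictPropertyInitialization` will reject the class and `rewrapKey` would pass `undefined` to `fetchWrappedKey`. Declaring it `readonly fulfillableObligationFQNs: readonly string[] = [];` gives the field a value on every path and types it as immutable, since these FQNs are what the client asserts to the KAS it will enforce. `RewrapKeyResult` carries no TSDoc; a comment such as `/** Key unwrapped from the KAS rewrap response plus the obligation FQNs the caller must fulfil before using it. */` would make that contract visible, and the returned literal can use the shorthand `unwrappedKey,`. The constructor and `rewrapKey` both start and end outside the hunks shown.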