@virtru/dsp-sdk 0.2.3 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (33) hide show
  1. package/.rush/temp/chunked-rush-logs/dsp-sdk._phase_build.chunks.jsonl +3 -3
  2. package/.rush/temp/chunked-rush-logs/dsp-sdk._phase_test.chunks.jsonl +37 -9
  3. package/.rush/temp/package-deps__phase_build.json +16 -8
  4. package/.rush/temp/shrinkwrap-deps.json +39 -35
  5. package/CHANGELOG.json +28 -0
  6. package/CHANGELOG.md +15 -1
  7. package/README.md +55 -0
  8. package/buf.gen.yaml +17 -0
  9. package/buf.yaml +4 -0
  10. package/dist/src/gen/virtru/common/common_pb.d.ts +151 -0
  11. package/dist/src/gen/virtru/common/common_pb.js +57 -0
  12. package/dist/src/gen/virtru/policy/certificates/v1/certificates_pb.d.ts +215 -0
  13. package/dist/src/gen/virtru/policy/certificates/v1/certificates_pb.js +50 -0
  14. package/dist/src/gen/virtru/policy/objects_pb.d.ts +188 -0
  15. package/dist/src/gen/virtru/policy/objects_pb.js +126 -0
  16. package/dist/src/index.d.ts +1 -1
  17. package/dist/src/index.js +1 -1
  18. package/dist/src/lib/client.d.ts +2 -0
  19. package/dist/src/lib/client.js +2 -0
  20. package/dist/src/lib/consts.d.ts +2 -0
  21. package/dist/src/lib/consts.js +7 -0
  22. package/dist/src/lib/utils.d.ts +136 -0
  23. package/dist/src/lib/utils.js +355 -2
  24. package/package.json +5 -3
  25. package/src/gen/virtru/common/common_pb.ts +179 -0
  26. package/src/gen/virtru/policy/certificates/v1/certificates_connect.ts +44 -0
  27. package/src/gen/virtru/policy/certificates/v1/certificates_pb.ts +260 -0
  28. package/src/gen/virtru/policy/objects_pb.ts +235 -0
  29. package/src/index.ts +15 -1
  30. package/src/lib/client.ts +3 -0
  31. package/src/lib/consts.ts +8 -0
  32. package/src/lib/utils.test.ts +376 -0
  33. package/src/lib/utils.ts +460 -4
@@ -0,0 +1,126 @@
1
+ // @generated by protoc-gen-es v2.3.0 with parameter "target=ts"
2
+ // @generated from file virtru/policy/objects.proto (package virtru.policy, syntax proto3)
3
+ /* eslint-disable */
4
+ import { enumDesc, fileDesc, messageDesc } from "@bufbuild/protobuf/codegenv1";
5
+ import { file_buf_validate_validate } from "../../buf/validate/validate_pb";
6
+ import { file_virtru_common_common } from "../common/common_pb";
7
+ /**
8
+ * Describes the file virtru/policy/objects.proto.
9
+ */
10
+ export const file_virtru_policy_objects = /*@__PURE__*/ fileDesc("Cht2aXJ0cnUvcG9saWN5L29iamVjdHMucHJvdG8SDXZpcnRydS5wb2xpY3kinwIKC0NlcnRpZmljYXRlEgoKAmlkGAEgASgJEg4KBmtleV9pZBgCIAEoCRIvCg1rZXlfYWxnb3JpdGhtGAMgASgOMhgudmlydHJ1LnBvbGljeS5BbGdvcml0aG0SLAoKa2V5X3N0YXR1cxgEIAEoDjIYLnZpcnRydS5wb2xpY3kuS2V5U3RhdHVzEhQKA3BlbRgFIAEoCUIHukgEcgIQARIVCgRuYW1lGAYgASgJQge6SARyAhABEigKCGtleV9tb2RlGAcgASgOMhYudmlydHJ1LnBvbGljeS5LZXlNb2RlEhMKC2ZpbmdlcnByaW50GAggASgJEikKCG1ldGFkYXRhGGQgASgLMhcudmlydHJ1LmNvbW1vbi5NZXRhZGF0YSKXAQoSQ2VydGlmaWNhdGVNYXBwaW5nEhQKAmlkGAEgASgJQgi6SAVyA7ABARIgCg5jZXJ0aWZpY2F0ZV9pZBgCIAEoCUIIukgFcgOwAQESHgoMbmFtZXNwYWNlX2lkGAMgASgJQgi6SAVyA7ABARIpCghtZXRhZGF0YRhkIAEoCzIXLnZpcnRydS5jb21tb24uTWV0YWRhdGEqmwEKCUFsZ29yaXRobRIZChVBTEdPUklUSE1fVU5TUEVDSUZJRUQQABIWChJBTEdPUklUSE1fUlNBXzIwNDgQARIWChJBTEdPUklUSE1fUlNBXzQwOTYQAhIVChFBTEdPUklUSE1fRUNfUDI1NhADEhUKEUFMR09SSVRITV9FQ19QMzg0EAQSFQoRQUxHT1JJVEhNX0VDX1A1MjEQBSpWCglLZXlTdGF0dXMSGgoWS0VZX1NUQVRVU19VTlNQRUNJRklFRBAAEhUKEUtFWV9TVEFUVVNfQUNUSVZFEAESFgoSS0VZX1NUQVRVU19ST1RBVEVEEAIqlAEKB0tleU1vZGUSGAoUS0VZX01PREVfVU5TUEVDSUZJRUQQABIcChhLRVlfTU9ERV9DT05GSUdfUk9PVF9LRVkQARIeChpLRVlfTU9ERV9QUk9WSURFUl9ST09UX0tFWRACEhMKD0tFWV9NT0RFX1JFTU9URRADEhwKGEtFWV9NT0RFX1BVQkxJQ19LRVlfT05MWRAEQnYKEWNvbS52aXJ0cnUucG9saWN5QgxPYmplY3RzUHJvdG9QAaICA1ZQWKoCDVZpcnRydS5Qb2xpY3nKAg1WaXJ0cnVcUG9saWN54gIZVmlydHJ1XFBvbGljeVxHUEJNZXRhZGF0YeoCDlZpcnRydTo6UG9saWN5YgZwcm90bzM", [file_buf_validate_validate, file_virtru_common_common]);
11
+ /**
12
+ * Describes the message virtru.policy.Certificate.
13
+ * Use `create(CertificateSchema)` to create a new message.
14
+ */
15
+ export const CertificateSchema = /*@__PURE__*/ messageDesc(file_virtru_policy_objects, 0);
16
+ /**
17
+ * Describes the message virtru.policy.CertificateMapping.
18
+ * Use `create(CertificateMappingSchema)` to create a new message.
19
+ */
20
+ export const CertificateMappingSchema = /*@__PURE__*/ messageDesc(file_virtru_policy_objects, 1);
21
+ /**
22
+ * @generated from enum virtru.policy.Algorithm
23
+ */
24
+ export var Algorithm;
25
+ (function (Algorithm) {
26
+ /**
27
+ * @generated from enum value: ALGORITHM_UNSPECIFIED = 0;
28
+ */
29
+ Algorithm[Algorithm["UNSPECIFIED"] = 0] = "UNSPECIFIED";
30
+ /**
31
+ * @generated from enum value: ALGORITHM_RSA_2048 = 1;
32
+ */
33
+ Algorithm[Algorithm["RSA_2048"] = 1] = "RSA_2048";
34
+ /**
35
+ * @generated from enum value: ALGORITHM_RSA_4096 = 2;
36
+ */
37
+ Algorithm[Algorithm["RSA_4096"] = 2] = "RSA_4096";
38
+ /**
39
+ * @generated from enum value: ALGORITHM_EC_P256 = 3;
40
+ */
41
+ Algorithm[Algorithm["EC_P256"] = 3] = "EC_P256";
42
+ /**
43
+ * @generated from enum value: ALGORITHM_EC_P384 = 4;
44
+ */
45
+ Algorithm[Algorithm["EC_P384"] = 4] = "EC_P384";
46
+ /**
47
+ * @generated from enum value: ALGORITHM_EC_P521 = 5;
48
+ */
49
+ Algorithm[Algorithm["EC_P521"] = 5] = "EC_P521";
50
+ })(Algorithm || (Algorithm = {}));
51
+ /**
52
+ * Describes the enum virtru.policy.Algorithm.
53
+ */
54
+ export const AlgorithmSchema = /*@__PURE__*/ enumDesc(file_virtru_policy_objects, 0);
55
+ /**
56
+ * @generated from enum virtru.policy.KeyStatus
57
+ */
58
+ export var KeyStatus;
59
+ (function (KeyStatus) {
60
+ /**
61
+ * @generated from enum value: KEY_STATUS_UNSPECIFIED = 0;
62
+ */
63
+ KeyStatus[KeyStatus["UNSPECIFIED"] = 0] = "UNSPECIFIED";
64
+ /**
65
+ * @generated from enum value: KEY_STATUS_ACTIVE = 1;
66
+ */
67
+ KeyStatus[KeyStatus["ACTIVE"] = 1] = "ACTIVE";
68
+ /**
69
+ * @generated from enum value: KEY_STATUS_ROTATED = 2;
70
+ */
71
+ KeyStatus[KeyStatus["ROTATED"] = 2] = "ROTATED";
72
+ })(KeyStatus || (KeyStatus = {}));
73
+ /**
74
+ * Describes the enum virtru.policy.KeyStatus.
75
+ */
76
+ export const KeyStatusSchema = /*@__PURE__*/ enumDesc(file_virtru_policy_objects, 1);
77
+ /**
78
+ * Describes the management and operational mode of a cryptographic key.
79
+ *
80
+ * @generated from enum virtru.policy.KeyMode
81
+ */
82
+ export var KeyMode;
83
+ (function (KeyMode) {
84
+ /**
85
+ * KEY_MODE_UNSPECIFIED: Default, unspecified key mode. Indicates an uninitialized or error state.
86
+ *
87
+ * @generated from enum value: KEY_MODE_UNSPECIFIED = 0;
88
+ */
89
+ KeyMode[KeyMode["UNSPECIFIED"] = 0] = "UNSPECIFIED";
90
+ /**
91
+ * KEY_MODE_CONFIG_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)
92
+ * sourced from local configuration. Unwrapping and all cryptographic operations are performed locally.
93
+ *
94
+ * @generated from enum value: KEY_MODE_CONFIG_ROOT_KEY = 1;
95
+ */
96
+ KeyMode[KeyMode["CONFIG_ROOT_KEY"] = 1] = "CONFIG_ROOT_KEY";
97
+ /**
98
+ * KEY_MODE_PROVIDER_ROOT_KEY: Local key management where the private key is wrapped by a Key Encryption Key (KEK)
99
+ * managed by an external provider (e.g., a Hardware Security Module or Cloud KMS).
100
+ * Key unwrapping is delegated to the external provider; subsequent cryptographic operations
101
+ * are performed locally using the unwrapped key.
102
+ *
103
+ * @generated from enum value: KEY_MODE_PROVIDER_ROOT_KEY = 2;
104
+ */
105
+ KeyMode[KeyMode["PROVIDER_ROOT_KEY"] = 2] = "PROVIDER_ROOT_KEY";
106
+ /**
107
+ * KEY_MODE_REMOTE: Remote key management where the private key is stored in, and all cryptographic
108
+ * operations are performed by, a remote Key Management Service (KMS) or HSM.
109
+ * The private key material never leaves the secure boundary of the remote system.
110
+ *
111
+ * @generated from enum value: KEY_MODE_REMOTE = 3;
112
+ */
113
+ KeyMode[KeyMode["REMOTE"] = 3] = "REMOTE";
114
+ /**
115
+ * KEY_MODE_PUBLIC_KEY_ONLY: Public key only mode. Used when only a public key is available or required,
116
+ * typically for wrapping operations (e.g., encrypting a Data Encryption Key (DEK) for an external KAS).
117
+ * The corresponding private key is not managed or accessible by this system.
118
+ *
119
+ * @generated from enum value: KEY_MODE_PUBLIC_KEY_ONLY = 4;
120
+ */
121
+ KeyMode[KeyMode["PUBLIC_KEY_ONLY"] = 4] = "PUBLIC_KEY_ONLY";
122
+ })(KeyMode || (KeyMode = {}));
123
+ /**
124
+ * Describes the enum virtru.policy.KeyMode.
125
+ */
126
+ export const KeyModeSchema = /*@__PURE__*/ enumDesc(file_virtru_policy_objects, 2);
@@ -7,7 +7,7 @@ export { platformConnect as dspConnect, platformConnectWeb as dspConnectWeb, } f
7
7
  */
8
8
  export { type DSPClientServicesV1 as DSPServicesV1, type DSPClientServicesV2 as DSPServicesV2, type DSPClientOptions, DSPClient, } from './lib/client';
9
9
  export { PlatformClient } from '@opentdf/sdk/platform';
10
- export { createAuthInterceptor, type Interceptor } from './lib/utils';
10
+ export { createAuthInterceptor, type Interceptor, createAuthProvider, createOpenTDFClient, getObligations, getUserEntitlements, flattenObligations, getTrustedCertificates, validateJWSCertificateChain, type JWSValidationResult, type ObligationFeatureMap, type SupportedObligations, type GetUserEntitlementsResponse, } from './lib/utils';
11
11
  /**
12
12
  * Exports the DSP wrapper of OpenTDF
13
13
  */
package/dist/src/index.js CHANGED
@@ -12,7 +12,7 @@ export { platformConnect as dspConnect, platformConnectWeb as dspConnectWeb, } f
12
12
  */
13
13
  export { DSPClient, } from './lib/client';
14
14
  export { PlatformClient } from '@opentdf/sdk/platform';
15
- export { createAuthInterceptor } from './lib/utils';
15
+ export { createAuthInterceptor, createAuthProvider, createOpenTDFClient, getObligations, getUserEntitlements, flattenObligations, getTrustedCertificates, validateJWSCertificateChain, } from './lib/utils';
16
16
  /**
17
17
  * Exports the DSP wrapper of OpenTDF
18
18
  */
@@ -5,11 +5,13 @@ import { PolicyArtifactService } from '../gen/policyimportexport/v1/policy_impor
5
5
  import { SharedService } from '../gen/shared/v1/shared_pb';
6
6
  import { TaggingPDPService } from '../gen/tagging/pdp/v2/tagging_pb';
7
7
  import { VersionService } from '../gen/version/v1/version_pb';
8
+ import { CertificateService } from '../gen/virtru/policy/certificates/v1/certificates_pb';
8
9
  export interface DSPClientServicesV1 {
9
10
  configService: Client<typeof ConfigService>;
10
11
  policyArtifactService: Client<typeof PolicyArtifactService>;
11
12
  sharedService: Client<typeof SharedService>;
12
13
  versionService: Client<typeof VersionService>;
14
+ certificateService: Client<typeof CertificateService>;
13
15
  }
14
16
  export interface DSPClientServicesV2 {
15
17
  taggingPDPService: Client<typeof TaggingPDPService>;
@@ -10,6 +10,7 @@ import { PolicyArtifactService } from '../gen/policyimportexport/v1/policy_impor
10
10
  import { SharedService } from '../gen/shared/v1/shared_pb';
11
11
  import { TaggingPDPService } from '../gen/tagging/pdp/v2/tagging_pb';
12
12
  import { VersionService } from '../gen/version/v1/version_pb';
13
+ import { CertificateService } from '../gen/virtru/policy/certificates/v1/certificates_pb';
13
14
  import { createAuthInterceptor } from './utils';
14
15
  /**
15
16
  * A client for interacting with the DSP using the Connect RPC framework.
@@ -52,6 +53,7 @@ export class DSPClient {
52
53
  policyArtifactService: createClient(PolicyArtifactService, transport),
53
54
  sharedService: createClient(SharedService, transport),
54
55
  versionService: createClient(VersionService, transport),
56
+ certificateService: createClient(CertificateService, transport),
55
57
  };
56
58
  this.v2 = {
57
59
  taggingPDPService: createClient(TaggingPDPService, transport),
@@ -0,0 +1,2 @@
1
+ export declare const MAX_CERTS = 10;
2
+ export declare const MAX_CERT_BYTES: number;
@@ -0,0 +1,7 @@
1
+ /*
2
+ * Copyright (c) Virtru Corporation. All rights reserved.
3
+ *
4
+ * Your use of this file is governed by the Virtu Terms of Service <https://www.virtru.com/terms-of-service/>.
5
+ */
6
+ export const MAX_CERTS = 10; // reasonable upper bound for chain depth
7
+ export const MAX_CERT_BYTES = 64 * 1024; // 64KB per certificate
@@ -1,6 +1,21 @@
1
1
  import type { AuthProvider } from '@opentdf/sdk';
2
+ import { AuthProviders, OpenTDF } from '@opentdf/sdk';
3
+ import type { Certificate } from '../gen/virtru/policy/objects_pb';
2
4
  import type { Interceptor as Inter } from '@connectrpc/connect';
3
5
  export type Interceptor = Inter;
6
+ export type ObligationFeatureMap = {
7
+ fully_qualified_names: string[];
8
+ };
9
+ export type SupportedObligations = {
10
+ watermark?: ObligationFeatureMap;
11
+ prevent_download?: ObligationFeatureMap;
12
+ };
13
+ export type GetUserEntitlementsResponse = {
14
+ entitlements: {
15
+ entityId: string;
16
+ attributeValueFqns: string[];
17
+ }[];
18
+ };
4
19
  /**
5
20
  * Creates an interceptor that adds authentication headers to outgoing requests.
6
21
  *
@@ -13,3 +28,124 @@ export type Interceptor = Inter;
13
28
  * @returns An `Interceptor` function that modifies requests to include authentication headers.
14
29
  */
15
30
  export declare function createAuthInterceptor(authProvider: AuthProvider): Interceptor;
31
+ /** Creates a new instance of an OIDC Auth Provider consumed by the TDF Clients */
32
+ export declare function createAuthProvider(options: {
33
+ oidc: {
34
+ clientId: string;
35
+ tokenEndpoint: string;
36
+ userInfoEndpoint: string;
37
+ };
38
+ refreshToken: string;
39
+ }): Promise<AuthProviders.OIDCRefreshTokenProvider>;
40
+ export declare function createOpenTDFClient(options: {
41
+ oidc: {
42
+ clientId: string;
43
+ tokenEndpoint: string;
44
+ userInfoEndpoint: string;
45
+ };
46
+ platformEndpoint: string;
47
+ refreshToken: string;
48
+ obligations: string[];
49
+ }): Promise<OpenTDF>;
50
+ export declare const getObligations: (ciphertext: ArrayBuffer, options: {
51
+ oidc: {
52
+ clientId: string;
53
+ tokenEndpoint: string;
54
+ userInfoEndpoint: string;
55
+ };
56
+ platformEndpoint: string;
57
+ refreshToken: string;
58
+ obligations: string[];
59
+ }) => Promise<string[]>;
60
+ export declare function getUserEntitlements(options: {
61
+ oidc: {
62
+ clientId: string;
63
+ tokenEndpoint: string;
64
+ userInfoEndpoint: string;
65
+ };
66
+ platformEndpoint: string;
67
+ refreshToken: string;
68
+ }): Promise<GetUserEntitlementsResponse>;
69
+ export declare const flattenObligations: (obligations: SupportedObligations) => string[];
70
+ /**
71
+ * Retrieves all trusted certificates from active namespaces in the platform.
72
+ *
73
+ * This function uses the new CertificateService API to retrieve certificates from all active
74
+ * namespaces. It automatically handles pagination to ensure all certificates are retrieved.
75
+ *
76
+ * The function performs the following steps:
77
+ * 1. Creates an authenticated auth provider with DPoP signing keys
78
+ * 2. Lists all active namespaces using the PlatformClient
79
+ * 3. For each namespace, retrieves all associated certificates using the CertificateService
80
+ * 4. Aggregates and returns all certificates from all namespaces
81
+ *
82
+ * @param options - The options object containing the platform endpoint, OIDC configuration, and refresh token.
83
+ * @param options.oidc - The OIDC configuration object.
84
+ * @param options.oidc.clientId - The OIDC client ID.
85
+ * @param options.oidc.tokenEndpoint - The OIDC token endpoint URL.
86
+ * @param options.oidc.userInfoEndpoint - The OIDC user info endpoint URL.
87
+ * @param options.platformEndpoint - The base URL of the platform.
88
+ * @param options.refreshToken - The refresh token for authentication.
89
+ * @returns A promise that resolves to an array of trusted certificates from all active namespaces.
90
+ * @throws If there is an error retrieving namespaces or certificates.
91
+ *
92
+ * @example
93
+ * ```typescript
94
+ * const certificates = await getTrustedCertificates({
95
+ * oidc: {
96
+ * clientId: 'my-client-id',
97
+ * tokenEndpoint: 'https://auth.example.com/token',
98
+ * userInfoEndpoint: 'https://auth.example.com/userinfo',
99
+ * },
100
+ * platformEndpoint: 'https://platform.example.com',
101
+ * refreshToken: 'my-refresh-token',
102
+ * });
103
+ * ```
104
+ */
105
+ export declare function getTrustedCertificates(options: {
106
+ oidc: {
107
+ clientId: string;
108
+ tokenEndpoint: string;
109
+ userInfoEndpoint: string;
110
+ };
111
+ platformEndpoint: string;
112
+ refreshToken: string;
113
+ }): Promise<Certificate[]>;
114
+ export type JWSValidationResult = {
115
+ valid: boolean;
116
+ validationResult: Record<string, string[]>;
117
+ };
118
+ /**
119
+ * Validate that a certificate chain from JWS x5c header chains to a trusted root.
120
+ *
121
+ * This function is designed to be portable and can be moved to another repository.
122
+ * It validates that the certificate chain presented in a JWS x5c header builds a
123
+ * valid chain to one of the provided trusted root certificates.
124
+ *
125
+ * Expectations and behavior:
126
+ * - `x5c` must be ordered leaf-first and contain base64-encoded DER certs.
127
+ * - `trustedRootCertificates` should contain PEM-encoded root certificates.
128
+ * - Performs basic input size checks and safe base64 decoding.
129
+ * - Uses PKI.js `CertificateChainValidationEngine` for comprehensive path validation
130
+ * (validity dates, signatures, policies when present, etc.).
131
+ * - Returns detailed error messages including the leaf subject/issuer and parsing warnings.
132
+ *
133
+ * @param x5c - Array of base64-encoded DER certificates from JWS header (leaf first)
134
+ * @param trustedRootCertificates - Array of Certificate objects containing trusted roots in PEM format
135
+ * @returns Object with validation result and warnings
136
+ * @throws {Error} if validation fails
137
+ *
138
+ * @example
139
+ * ```typescript
140
+ * try {
141
+ * const result = await validateJWSCertificateChain(
142
+ * jwsHeader.x5c,
143
+ * namespaceCertificates
144
+ * );
145
+ * console.log('Chain validates to trusted root', result.validationResult.warnings);
146
+ * } catch (error) {
147
+ * console.error('Validation failed:', error.message);
148
+ * }
149
+ * ```
150
+ */
151
+ export declare function validateJWSCertificateChain(x5c: string[], trustedRootCertificates: Certificate[]): Promise<JWSValidationResult>;