otdf-python 0.1.10__py3-none-any.whl → 0.3.5__py3-none-any.whl

otdf_python/cli.py

@@ -0,0 +1,569 @@
+#!/usr/bin/env python3
+"""
+OpenTDF Python CLI
+
+A command-line interface for encrypting and decrypting files using OpenTDF.
+Provides encrypt, decrypt, and inspect commands similar to the otdfctl CLI.
+"""
+
+import argparse
+import contextlib
+import json
+import logging
+import sys
+from dataclasses import asdict
+from importlib import metadata
+from io import BytesIO
+from pathlib import Path
+
+from otdf_python.config import KASInfo, NanoTDFConfig, TDFConfig
+from otdf_python.sdk import SDK
+from otdf_python.sdk_builder import SDKBuilder
+from otdf_python.sdk_exceptions import SDKException
+
+try:
+    __version__ = metadata.version("otdf-python")
+except metadata.PackageNotFoundError:
+    # package is not installed, e.g., in development
+    __version__ = "0.0.0"
+
+
+# Set up logging
+logger = logging.getLogger(__name__)
+
+
+class CLIError(Exception):
+    """Custom exception for CLI errors."""
+
+    def __init__(self, level: str, message: str, cause: Exception | None = None):
+        self.level = level
+        self.message = message
+        self.cause = cause
+        super().__init__(message)
+
+
+def setup_logging(level: str = "INFO", silent: bool = False):
+    """Set up logging configuration."""
+    if silent:
+        level = "CRITICAL"
+
+    log_level = getattr(logging, level.upper(), logging.INFO)
+    logging.basicConfig(
+        level=log_level,
+        format="%(levelname)s: %(message)s",
+        handlers=[logging.StreamHandler(sys.stderr)],
+    )
+
+
+def validate_file_exists(file_path: str) -> Path:
+    """Validate that a file exists and is readable."""
+    path = Path(file_path)
+    if not path.exists():
+        raise CLIError("CRITICAL", f"File does not exist: {file_path}")
+    if not path.is_file():
+        raise CLIError("CRITICAL", f"Path is not a file: {file_path}")
+    return path
+
+
+def parse_attributes(attributes_str: str) -> list[str]:
+    """Parse comma-separated attributes string."""
+    if not attributes_str:
+        return []
+    return [attr.strip() for attr in attributes_str.split(",") if attr.strip()]
+
+
+def parse_kas_endpoints(kas_str: str) -> list[str]:
+    """Parse comma-separated KAS endpoints."""
+    if not kas_str:
+        return []
+    return [kas.strip() for kas in kas_str.split(",") if kas.strip()]
+
+
+def load_client_credentials(creds_file_path: str) -> tuple[str, str]:
+    """Load client credentials from JSON file."""
+    try:
+        creds_path = Path(creds_file_path)
+        if not creds_path.exists():
+            raise CLIError(
+                "CRITICAL", f"Credentials file does not exist: {creds_file_path}"
+            )
+
+        with creds_path.open() as f:
+            creds = json.load(f)
+
+        client_id = creds.get("clientId")
+        client_secret = creds.get("clientSecret")
+
+        if not client_id or not client_secret:
+            raise CLIError(
+                "CRITICAL",
+                f"Credentials file must contain 'clientId' and 'clientSecret' fields: {creds_file_path}",
+            )
+
+        return client_id, client_secret
+
+    except json.JSONDecodeError as e:
+        raise CLIError(
+            "CRITICAL", f"Invalid JSON in credentials file {creds_file_path}: {e}"
+        )
+    except Exception as e:
+        raise CLIError(
+            "CRITICAL", f"Error reading credentials file {creds_file_path}: {e}"
+        )
+
+
+def build_sdk(args) -> SDK:
+    """Build SDK instance from CLI arguments."""
+    builder = SDKBuilder()
+
+    if args.platform_url:
+        builder.set_platform_endpoint(args.platform_url)
+
+        # Auto-detect HTTP URLs and enable plaintext mode
+        if args.platform_url.startswith("http://") and (
+            not hasattr(args, "plaintext") or not args.plaintext
+        ):
+            logger.debug(
+                f"Auto-detected HTTP URL {args.platform_url}, enabling plaintext mode"
+            )
+            builder.use_insecure_plaintext_connection(True)
+
+    if args.oidc_endpoint:
+        builder.set_issuer_endpoint(args.oidc_endpoint)
+
+    if args.client_id and args.client_secret:
+        builder.client_secret(args.client_id, args.client_secret)
+    elif hasattr(args, "with_client_creds_file") and args.with_client_creds_file:
+        # Load credentials from file
+        client_id, client_secret = load_client_credentials(args.with_client_creds_file)
+        builder.client_secret(client_id, client_secret)
+    elif hasattr(args, "auth") and args.auth:
+        # Parse combined auth string (clientId:clientSecret) - legacy support
+        auth_parts = args.auth.split(":")
+        if len(auth_parts) != 2:
+            raise CLIError(
+                "CRITICAL",
+                f"Auth expects <clientId>:<clientSecret>, received {args.auth}",
+            )
+        builder.client_secret(auth_parts[0], auth_parts[1])
+    else:
+        raise CLIError(
+            "CRITICAL",
+            "Authentication required: provide --with-client-creds-file OR --client-id and --client-secret",
+        )
+
+    if hasattr(args, "plaintext") and args.plaintext:
+        builder.use_insecure_plaintext_connection(True)
+
+    if args.insecure:
+        builder.use_insecure_skip_verify(True)
+
+    return builder.build()
+
+
+def create_tdf_config(sdk: SDK, args) -> TDFConfig:
+    """Create TDF configuration from CLI arguments."""
+    attributes = (
+        parse_attributes(args.attributes)
+        if hasattr(args, "attributes") and args.attributes
+        else []
+    )
+
+    config = sdk.new_tdf_config(attributes=attributes)
+
+    if hasattr(args, "kas_endpoint") and args.kas_endpoint:
+        # Add KAS endpoints
+        kas_endpoints = parse_kas_endpoints(args.kas_endpoint)
+        kas_info_list = [KASInfo(url=kas_url) for kas_url in kas_endpoints]
+        config.kas_info_list.extend(kas_info_list)
+
+    if hasattr(args, "mime_type") and args.mime_type:
+        config.mime_type = args.mime_type
+
+    if hasattr(args, "autoconfigure") and args.autoconfigure is not None:
+        config.autoconfigure = args.autoconfigure
+
+    return config
+
+
+def create_nano_tdf_config(sdk: SDK, args) -> NanoTDFConfig:
+    """Create NanoTDF configuration from CLI arguments."""
+    attributes = (
+        parse_attributes(args.attributes)
+        if hasattr(args, "attributes") and args.attributes
+        else []
+    )
+
+    config = NanoTDFConfig(attributes=attributes)
+
+    if hasattr(args, "kas_endpoint") and args.kas_endpoint:
+        # Add KAS endpoints
+        kas_endpoints = parse_kas_endpoints(args.kas_endpoint)
+        kas_info_list = [KASInfo(url=kas_url) for kas_url in kas_endpoints]
+        config.kas_info_list.extend(kas_info_list)
+    elif args.platform_url:
+        # If no explicit KAS endpoint provided, derive from platform URL
+        # This matches the default KAS path convention
+        kas_url = args.platform_url.rstrip("/") + "/kas"
+        logger.debug(f"Deriving KAS endpoint from platform URL: {kas_url}")
+        kas_info = KASInfo(url=kas_url)
+        config.kas_info_list.append(kas_info)
+
+    if hasattr(args, "policy_binding") and args.policy_binding:
+        if args.policy_binding.lower() == "ecdsa":
+            config.ecc_mode = "ecdsa"
+        else:
+            config.ecc_mode = "gmac"  # default
+
+    return config
+
+
+def cmd_encrypt(args):
+    """Handle encrypt command."""
+    logger.info("Running encrypt command")
+
+    # Validate input file
+    input_path = validate_file_exists(args.file)
+
+    # Build SDK
+    sdk = build_sdk(args)
+
+    try:
+        # Read input file
+        with input_path.open("rb") as input_file:
+            payload = input_file.read()
+
+        # Determine output
+        if args.output:
+            output_path = Path(args.output)
+            with output_path.open("wb") as output_file:
+                try:
+                    # Create appropriate config based on container type
+                    container_type = getattr(args, "container_type", "tdf")
+
+                    if container_type == "nano":
+                        logger.debug("Creating NanoTDF")
+                        config = create_nano_tdf_config(sdk, args)
+                        output_stream = BytesIO()
+                        size = sdk.create_nano_tdf(
+                            BytesIO(payload), output_stream, config
+                        )
+                        output_file.write(output_stream.getvalue())
+                        logger.info(f"Created NanoTDF of size {size} bytes")
+                    else:
+                        logger.debug("Creating TDF")
+                        config = create_tdf_config(sdk, args)
+                        output_stream = BytesIO()
+                        _manifest, size, _ = sdk.create_tdf(
+                            BytesIO(payload), config, output_stream
+                        )
+                        output_file.write(output_stream.getvalue())
+                        logger.info(f"Created TDF of size {size} bytes")
+
+                except Exception:
+                    # Clean up the output file if there was an error
+                    with contextlib.suppress(Exception):
+                        output_path.unlink()
+                    raise
+        else:
+            output_file = sys.stdout.buffer
+            # Create appropriate config based on container type
+            container_type = getattr(args, "container_type", "tdf")
+
+            if container_type == "nano":
+                logger.debug("Creating NanoTDF")
+                config = create_nano_tdf_config(sdk, args)
+                output_stream = BytesIO()
+                size = sdk.create_nano_tdf(BytesIO(payload), output_stream, config)
+                output_file.write(output_stream.getvalue())
+                logger.info(f"Created NanoTDF of size {size} bytes")
+            else:
+                logger.debug("Creating TDF")
+                config = create_tdf_config(sdk, args)
+                output_stream = BytesIO()
+                _manifest, size, _ = sdk.create_tdf(
+                    BytesIO(payload), config, output_stream
+                )
+                output_file.write(output_stream.getvalue())
+                logger.info(f"Created TDF of size {size} bytes")
+
+    finally:
+        sdk.close()
+
+
+def cmd_decrypt(args):
+    """Handle decrypt command."""
+    logger.info("Running decrypt command")
+
+    # Validate input file
+    input_path = validate_file_exists(args.file)
+
+    # Build SDK
+    sdk = build_sdk(args)
+
+    try:
+        # Read encrypted file
+        with input_path.open("rb") as input_file:
+            encrypted_data = input_file.read()
+
+        # Determine output
+        if args.output:
+            output_path = Path(args.output)
+            with output_path.open("wb") as output_file:
+                try:
+                    # Try to determine if it's a NanoTDF or regular TDF
+                    # NanoTDFs have a specific header format, regular TDFs are ZIP files
+                    if encrypted_data.startswith(b"PK"):
+                        # Regular TDF (ZIP format)
+                        logger.debug("Decrypting TDF")
+                        tdf_reader = sdk.load_tdf(encrypted_data)
+                        # Access payload directly from TDFReader
+                        payload_bytes = tdf_reader.payload
+                        output_file.write(payload_bytes)
+                        logger.info("Successfully decrypted TDF")
+                    else:
+                        # Assume NanoTDF
+                        logger.debug("Decrypting NanoTDF")
+                        config = create_nano_tdf_config(sdk, args)
+                        sdk.read_nano_tdf(BytesIO(encrypted_data), output_file, config)
+                        logger.info("Successfully decrypted NanoTDF")
+
+                except Exception:
+                    # Clean up the output file if there was an error
+                    output_path.unlink(missing_ok=True)
+                    raise
+        else:
+            output_file = sys.stdout.buffer
+            # Try to determine if it's a NanoTDF or regular TDF
+            # NanoTDFs have a specific header format, regular TDFs are ZIP files
+            if encrypted_data.startswith(b"PK"):
+                # Regular TDF (ZIP format)
+                logger.debug("Decrypting TDF")
+                tdf_reader = sdk.load_tdf(encrypted_data)
+                payload_bytes = tdf_reader.payload
+                output_file.write(payload_bytes)
+                logger.info("Successfully decrypted TDF")
+            else:
+                # Assume NanoTDF
+                logger.debug("Decrypting NanoTDF")
+                config = create_nano_tdf_config(sdk, args)
+                sdk.read_nano_tdf(BytesIO(encrypted_data), output_file, config)
+                logger.info("Successfully decrypted NanoTDF")
+
+    finally:
+        sdk.close()
+
+
+def cmd_inspect(args):
+    """Handle inspect command."""
+    logger.info("Running inspect command")
+
+    # Validate input file
+    input_path = validate_file_exists(args.file)
+
+    try:
+        sdk = build_sdk(args)
+
+        try:
+            # Read encrypted file
+            with input_path.open("rb") as input_file:
+                encrypted_data = input_file.read()
+
+            if encrypted_data.startswith(b"PK"):
+                # Regular TDF
+                logger.debug("Inspecting TDF")
+                tdf_reader = sdk.load_tdf(BytesIO(encrypted_data))
+                manifest = tdf_reader.manifest
+
+                # Try to get data attributes
+                try:
+                    data_attributes = []  # This would need to be implemented in the SDK
+                    inspection_result = {
+                        "manifest": asdict(manifest),
+                        "dataAttributes": data_attributes,
+                    }
+                except Exception as e:
+                    logger.warning(f"Could not retrieve data attributes: {e}")
+                    inspection_result = {"manifest": asdict(manifest)}
+
+                print(json.dumps(inspection_result, indent=2, default=str))
+            else:
+                # NanoTDF - for now just show basic info
+                logger.debug("Inspecting NanoTDF")
+                print(
+                    json.dumps(
+                        {
+                            "type": "NanoTDF",
+                            "size": len(encrypted_data),
+                            "note": "NanoTDF inspection not fully implemented",
+                        },
+                        indent=2,
+                    )
+                )
+
+        finally:
+            sdk.close()
+
+    except Exception as e:
+        # If we can't inspect due to auth issues, show what we can
+        logger.warning(f"Limited inspection due to: {e}")
+        with input_path.open("rb") as input_file:
+            encrypted_data = input_file.read()
+
+        file_type = "TDF" if encrypted_data.startswith(b"PK") else "NanoTDF"
+        print(
+            json.dumps(
+                {
+                    "type": file_type,
+                    "size": len(encrypted_data),
+                    "note": "Full inspection requires authentication",
+                },
+                indent=2,
+            )
+        )
+
+
+def create_parser() -> argparse.ArgumentParser:
+    """Create the argument parser."""
+    parser = argparse.ArgumentParser(
+        description="OpenTDF CLI - Encrypt and decrypt files using OpenTDF",
+        formatter_class=argparse.RawDescriptionHelpFormatter,
+        epilog="""
+Examples:
+  %(prog)s encrypt --file plain.txt --with-client-creds-file creds.json --platform-url https://platform.example.com
+  %(prog)s decrypt --file encrypted.tdf --with-client-creds-file creds.json --platform-url https://platform.example.com
+  %(prog)s inspect --file encrypted.tdf
+
+Where creds.json contains:
+  {"clientId": "your-client-id", "clientSecret": "your-client-secret"}
+        """,
+    )
+
+    # Global options
+    parser.add_argument(
+        "--version", action="version", version=f"OpenTDF Python SDK {__version__}"
+    )
+    parser.add_argument(
+        "--log-level",
+        choices=["DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"],
+        default="INFO",
+        help="Set logging level",
+    )
+    parser.add_argument("--silent", action="store_true", help="Disable logging")
+
+    # Server endpoints
+    server_group = parser.add_argument_group("Server Endpoints")
+    server_group.add_argument("--platform-url", help="OpenTDF platform URL")
+    server_group.add_argument(
+        "--kas-endpoint", help="KAS endpoint URL (comma-separated for multiple)"
+    )
+    server_group.add_argument("--oidc-endpoint", help="OIDC endpoint URL")
+
+    # Authentication
+    auth_group = parser.add_argument_group("Authentication")
+    auth_group.add_argument(
+        "--with-client-creds-file",
+        help="Path to JSON file containing OAuth credentials (clientId and clientSecret)",
+    )
+    auth_group.add_argument("--client-id", help="OAuth client ID")
+    auth_group.add_argument("--client-secret", help="OAuth client secret")
+
+    # Security options
+    security_group = parser.add_argument_group("Security")
+    security_group.add_argument(
+        "--plaintext", action="store_true", help="Use HTTP instead of HTTPS"
+    )
+    security_group.add_argument(
+        "--insecure", action="store_true", help="Skip TLS verification"
+    )
+
+    # Subcommands
+    subparsers = parser.add_subparsers(dest="command", help="Available commands")
+
+    # Encrypt command
+    encrypt_parser = subparsers.add_parser("encrypt", help="Encrypt a file")
+    encrypt_parser.add_argument("file", help="Path to file to encrypt")
+    encrypt_parser.add_argument(
+        "--output", "-o", help="Output file path (default: stdout)"
+    )
+    encrypt_parser.add_argument(
+        "--attributes", help="Data attributes (comma-separated)"
+    )
+    encrypt_parser.add_argument(
+        "--container-type",
+        choices=["tdf", "nano"],
+        default="tdf",
+        help="Container format",
+    )
+    encrypt_parser.add_argument("--mime-type", help="MIME type of the input file")
+    encrypt_parser.add_argument(
+        "--autoconfigure",
+        action="store_true",
+        help="Enable automatic configuration from attributes",
+    )
+    encrypt_parser.add_argument(
+        "--policy-binding",
+        choices=["ecdsa", "gmac"],
+        default="gmac",
+        help="Policy binding type (nano only)",
+    )
+
+    # Decrypt command
+    decrypt_parser = subparsers.add_parser("decrypt", help="Decrypt a file")
+    decrypt_parser.add_argument("file", help="Path to encrypted file")
+    decrypt_parser.add_argument(
+        "--output", "-o", help="Output file path (default: stdout)"
+    )
+
+    # Inspect command
+    inspect_parser = subparsers.add_parser(
+        "inspect", help="Inspect encrypted file metadata"
+    )
+    inspect_parser.add_argument("file", help="Path to encrypted file")
+
+    return parser
+
+
+def main():
+    """Main CLI entry point."""
+    parser = create_parser()
+    args = parser.parse_args()
+
+    # Set up logging
+    setup_logging(args.log_level, args.silent)
+
+    # Validate command
+    if not args.command:
+        parser.print_help()
+        sys.exit(1)
+
+    try:
+        if args.command == "encrypt":
+            cmd_encrypt(args)
+        elif args.command == "decrypt":
+            cmd_decrypt(args)
+        elif args.command == "inspect":
+            cmd_inspect(args)
+        else:
+            parser.print_help()
+            sys.exit(1)
+
+    except CLIError as e:
+        logger.error(f"{e.level}: {e.message}")
+        if e.cause:
+            logger.debug(f"Caused by: {e.cause}")
+        sys.exit(1)
+    except SDKException as e:
+        logger.error(f"SDK Error: {e}")
+        sys.exit(1)
+    except KeyboardInterrupt:
+        logger.info("Interrupted by user")
+        sys.exit(1)
+    except Exception as e:
+        logger.error(f"Unexpected error: {e}")
+        logger.error("", exc_info=True)  # Always print traceback for unexpected errors
+        sys.exit(1)
+
+
+if __name__ == "__main__":
+    main()

otdf_python/collection_store.py

@@ -0,0 +1,41 @@
+from collections import OrderedDict
+
+
+class CollectionKey:
+    def __init__(self, key: bytes | None):
+        self.key = key
+
+
+class CollectionStore:
+    NO_PRIVATE_KEY = CollectionKey(None)
+
+    def store(self, header, key: CollectionKey):
+        raise NotImplementedError
+
+    def get_key(self, header) -> CollectionKey:
+        raise NotImplementedError
+
+
+class NoOpCollectionStore(CollectionStore):
+    def store(self, header, key: CollectionKey):
+        pass
+
+    def get_key(self, header) -> CollectionKey:
+        return self.NO_PRIVATE_KEY
+
+
+class CollectionStoreImpl(OrderedDict, CollectionStore):
+    MAX_SIZE_STORE = 500
+
+    def __init__(self):
+        super().__init__()
+
+    def store(self, header, key: CollectionKey):
+        buf = header.to_bytes()
+        self[buf] = key
+        if len(self) > self.MAX_SIZE_STORE:
+            self.popitem(last=False)
+
+    def get_key(self, header) -> CollectionKey:
+        buf = header.to_bytes()
+        return self.get(buf, self.NO_PRIVATE_KEY)

otdf_python/collection_store_impl.py

@@ -0,0 +1,22 @@
+from collections import OrderedDict
+from threading import RLock
+
+MAX_SIZE_STORE = 500
+
+
+class CollectionStoreImpl(OrderedDict):
+    def __init__(self):
+        super().__init__()
+        self._lock = RLock()
+
+    def store(self, header, key):
+        buf = header.to_bytes()  # Assumes header has a to_bytes() method
+        with self._lock:
+            self[buf] = key
+            if len(self) > MAX_SIZE_STORE:
+                self.popitem(last=False)
+
+    def get_key(self, header, no_private_key=None):
+        buf = header.to_bytes()
+        with self._lock:
+            return self.get(buf, no_private_key)

otdf_python/config.py

@@ -0,0 +1,69 @@
+from dataclasses import dataclass, field
+from enum import Enum
+from typing import Any
+from urllib.parse import urlparse, urlunparse
+
+
+class TDFFormat(Enum):
+    JSONFormat = "JSONFormat"
+    XMLFormat = "XMLFormat"
+
+
+class IntegrityAlgorithm(Enum):
+    HS256 = "HS256"
+    GMAC = "GMAC"
+
+
+@dataclass
+class KASInfo:
+    url: str
+    public_key: str | None = None
+    kid: str | None = None
+    default: bool | None = None
+    algorithm: str | None = None
+
+    def __str__(self):
+        return f"KASInfo{{URL:'{self.url}', PublicKey:'{self.public_key}', KID:'{self.kid}', Default:{self.default}, Algorithm:'{self.algorithm}'}}"
+
+
+@dataclass
+class TDFConfig:
+    autoconfigure: bool = True
+    default_segment_size: int = 2 * 1024 * 1024
+    enable_encryption: bool = True
+    tdf_format: TDFFormat = TDFFormat.JSONFormat
+    tdf_public_key: str | None = None
+    tdf_private_key: str | None = None
+    meta_data: str | None = None
+    integrity_algorithm: IntegrityAlgorithm = IntegrityAlgorithm.HS256
+    segment_integrity_algorithm: IntegrityAlgorithm = IntegrityAlgorithm.GMAC
+    attributes: list[str] = field(default_factory=list)
+    kas_info_list: list[KASInfo] = field(default_factory=list)
+    mime_type: str = "application/octet-stream"
+    split_plan: list[str] | None = field(default_factory=list)
+    wrapping_key_type: str | None = None
+    hex_encode_root_and_segment_hashes: bool = False
+    render_version_info_in_manifest: bool = True
+    policy_object: Any | None = None
+
+
+@dataclass
+class NanoTDFConfig:
+    ecc_mode: str | None = None
+    cipher: str | None = None
+    config: str | None = None
+    attributes: list[str] = field(default_factory=list)
+    kas_info_list: list[KASInfo] = field(default_factory=list)
+    collection_config: str | None = None
+    policy_type: str | None = None
+
+
+# Utility function to normalize KAS URLs (Python equivalent)
+def get_kas_address(kas_url: str) -> str:
+    if "://" not in kas_url:
+        kas_url = "https://" + kas_url
+    parsed = urlparse(kas_url)
+    scheme = parsed.scheme or "https"
+    netloc = parsed.hostname or ""
+    port = parsed.port or 443
+    return urlunparse((scheme, f"{netloc}:{port}", "", "", "", ""))