otdf-python 0.3.0__py3-none-any.whl → 0.3.5__py3-none-any.whl

otdf_python/policy_info.py

@@ -2,14 +2,10 @@ class PolicyInfo:
     def __init__(
         self,
         policy_type: int = 0,
-        has_ecdsa_binding: bool = False,
         body: bytes | None = None,
-        binding: bytes | None = None,
     ):
         self.policy_type = policy_type
-        self.has_ecdsa_binding = has_ecdsa_binding
         self.body = body
-        self.binding = binding
 
     def set_embedded_plain_text_policy(self, body: bytes):
         self.body = body
@@ -19,21 +15,13 @@ class PolicyInfo:
         self.body = body
         self.policy_type = 2  # Placeholder for EMBEDDED_POLICY_ENCRYPTED
 
-    def set_policy_binding(self, binding: bytes):
-        self.binding = binding
-
     def get_body(self) -> bytes | None:
         return self.body
 
-    def get_binding(self) -> bytes | None:
-        return self.binding
-
     def get_total_size(self) -> int:
         size = 1  # policy_type
         size += 2  # body_len
         size += len(self.body) if self.body else 0
-        size += 1  # binding_len
-        size += len(self.binding) if self.binding else 0
         return size
 
     def write_into_buffer(self, buffer: bytearray, offset: int = 0) -> int:
@@ -46,33 +34,22 @@ class PolicyInfo:
         if self.body:
             buffer[offset : offset + body_len] = self.body
             offset += body_len
-        binding_len = len(self.binding) if self.binding else 0
-        buffer[offset] = binding_len
-        offset += 1
-        if self.binding:
-            buffer[offset : offset + binding_len] = self.binding
-            offset += binding_len
         return offset - start
 
     @staticmethod
     def from_bytes_with_size(buffer: bytes, ecc_mode):
-        # Based on Java implementation: parse policy_type (1 byte), body_len (2 bytes), body, binding_len (1 byte), binding
+        # Parse policy_type (1 byte), body_len (2 bytes), body
+        # Note: binding is NOT part of PolicyInfo - it's read separately in Header
         offset = 0
-        if len(buffer) < 4:
+        if len(buffer) < 3:
             raise ValueError("Buffer too short for PolicyInfo header")
         policy_type = buffer[offset]
         offset += 1
         body_len = int.from_bytes(buffer[offset : offset + 2], "big")
         offset += 2
-        if len(buffer) < offset + body_len + 1:
+        if len(buffer) < offset + body_len:
             raise ValueError("Buffer too short for PolicyInfo body")
         body = buffer[offset : offset + body_len]
         offset += body_len
-        binding_len = buffer[offset]
-        offset += 1
-        if len(buffer) < offset + binding_len:
-            raise ValueError("Buffer too short for PolicyInfo binding")
-        binding = buffer[offset : offset + binding_len]
-        offset += binding_len
-        pi = PolicyInfo(policy_type=policy_type, body=body, binding=binding)
+        pi = PolicyInfo(policy_type=policy_type, body=body)
         return pi, offset

otdf_python/resource_locator.py

@@ -1,7 +1,31 @@
 class ResourceLocator:
+    """
+    NanoTDF Resource Locator per the spec:
+    https://github.com/opentdf/spec/blob/main/schema/nanotdf/README.md
+
+    Format:
+    - Byte 0: Protocol Enum (bits 0-3) + Identifier Length (bits 4-7)
+      - Protocol: 0x0=HTTP, 0x1=HTTPS, 0xF=Shared Resource Directory
+      - Identifier: 0x0=None, 0x1=2 bytes, 0x2=8 bytes, 0x3=32 bytes
+    - Byte 1: Body Length (1-255 bytes)
+    - Bytes 2-N: Body (URL path)
+    - Bytes N+1-M: Identifier (optional, 0/2/8/32 bytes)
+    """
+
+    # Protocol enum values
+    PROTOCOL_HTTP = 0x0
+    PROTOCOL_HTTPS = 0x1
+    PROTOCOL_SHARED_RESOURCE_DIR = 0xF
+
+    # Identifier length enum values (in bits 4-7)
+    IDENTIFIER_NONE = 0x0
+    IDENTIFIER_2_BYTES = 0x1
+    IDENTIFIER_8_BYTES = 0x2
+    IDENTIFIER_32_BYTES = 0x3
+
     def __init__(self, resource_url: str | None = None, identifier: str | None = None):
-        self.resource_url = resource_url
-        self.identifier = identifier
+        self.resource_url = resource_url or ""
+        self.identifier = identifier or ""
 
     def get_resource_url(self):
         return self.resource_url
@@ -9,13 +33,68 @@ class ResourceLocator:
     def get_identifier(self):
         return self.identifier
 
+    def _parse_url(self):
+        """Parse URL to extract protocol and body (path)."""
+        url = self.resource_url
+        if url.startswith("https://"):
+            protocol = self.PROTOCOL_HTTPS
+            body = url[8:]  # Remove "https://"
+        elif url.startswith("http://"):
+            protocol = self.PROTOCOL_HTTP
+            body = url[7:]  # Remove "http://"
+        else:
+            # Default to HTTP
+            protocol = self.PROTOCOL_HTTP
+            body = url
+        return protocol, body.encode()
+
+    def _get_identifier_bytes(self):
+        """Get identifier bytes and determine identifier length enum."""
+        if not self.identifier:
+            return self.IDENTIFIER_NONE, b""
+
+        id_bytes = self.identifier.encode()
+        id_len = len(id_bytes)
+
+        if id_len == 0:
+            return self.IDENTIFIER_NONE, b""
+        elif id_len <= 2:
+            # Pad to 2 bytes
+            return self.IDENTIFIER_2_BYTES, id_bytes.ljust(2, b"\x00")
+        elif id_len <= 8:
+            # Pad to 8 bytes
+            return self.IDENTIFIER_8_BYTES, id_bytes.ljust(8, b"\x00")
+        elif id_len <= 32:
+            # Pad to 32 bytes
+            return self.IDENTIFIER_32_BYTES, id_bytes.ljust(32, b"\x00")
+        else:
+            raise ValueError(f"Identifier too long: {id_len} bytes (max 32)")
+
     def to_bytes(self):
-        # Based on Java implementation: [url_len][url_bytes][id_len][id_bytes], each len is 1 byte
-        url_bytes = (self.resource_url or "").encode()
-        id_bytes = (self.identifier or "").encode()
-        if len(url_bytes) > 255 or len(id_bytes) > 255:
-            raise ValueError("ResourceLocator fields too long for 1-byte length prefix")
-        return bytes([len(url_bytes)]) + url_bytes + bytes([len(id_bytes)]) + id_bytes
+        """
+        Convert to NanoTDF Resource Locator format per spec.
+
+        Format:
+        - Byte 0: Protocol Enum (bits 0-3) + Identifier Length (bits 4-7)
+        - Byte 1: Body Length
+        - Bytes 2-N: Body (URL path)
+        - Bytes N+1-M: Identifier (0/2/8/32 bytes)
+        """
+        protocol, body_bytes = self._parse_url()
+        identifier_enum, identifier_bytes = self._get_identifier_bytes()
+
+        if len(body_bytes) > 255:
+            raise ValueError(
+                f"Resource Locator body too long: {len(body_bytes)} bytes (max 255)"
+            )
+
+        # Byte 0: protocol in bits 0-3, identifier length in bits 4-7
+        protocol_and_id = (identifier_enum << 4) | protocol
+
+        # Byte 1: body length
+        body_len = len(body_bytes)
+
+        return bytes([protocol_and_id, body_len]) + body_bytes + identifier_bytes
 
     def get_total_size(self) -> int:
         return len(self.to_bytes())
@@ -26,19 +105,68 @@ class ResourceLocator:
         return len(data)
 
     @staticmethod
-    def from_bytes_with_size(buffer: bytes):
-        # Based on Java implementation: [url_len][url_bytes][id_len][id_bytes]
+    def from_bytes_with_size(buffer: bytes):  # noqa: C901
+        """
+        Parse NanoTDF Resource Locator from bytes per spec.
+
+        Format:
+        - Byte 0: Protocol Enum (bits 0-3) + Identifier Length (bits 4-7)
+        - Byte 1: Body Length
+        - Bytes 2-N: Body (URL path)
+        - Bytes N+1-M: Identifier (0/2/8/32 bytes)
+        """
         if len(buffer) < 2:
             raise ValueError("Buffer too short for ResourceLocator")
-        url_len = buffer[0]
-        if len(buffer) < 1 + url_len + 1:
-            raise ValueError("Buffer too short for ResourceLocator url")
-        url_bytes = buffer[1 : 1 + url_len]
-        id_len = buffer[1 + url_len]
-        if len(buffer) < 1 + url_len + 1 + id_len:
-            raise ValueError("Buffer too short for ResourceLocator id")
-        id_bytes = buffer[1 + url_len + 1 : 1 + url_len + 1 + id_len]
-        resource_url = url_bytes.decode()
-        identifier = id_bytes.decode()
-        size = 1 + url_len + 1 + id_len
+
+        # Parse byte 0: protocol and identifier length
+        protocol_and_id = buffer[0]
+        protocol = protocol_and_id & 0x0F  # Bits 0-3
+        identifier_enum = (protocol_and_id >> 4) & 0x0F  # Bits 4-7
+
+        # Parse byte 1: body length
+        body_len = buffer[1]
+
+        if len(buffer) < 2 + body_len:
+            raise ValueError(
+                f"Buffer too short for ResourceLocator body (need {2 + body_len}, have {len(buffer)})"
+            )
+
+        # Parse body (URL path)
+        body_bytes = buffer[2 : 2 + body_len]
+        body = body_bytes.decode()
+
+        # Reconstruct full URL with protocol
+        if protocol == ResourceLocator.PROTOCOL_HTTPS:
+            resource_url = f"https://{body}"
+        elif protocol == ResourceLocator.PROTOCOL_HTTP:
+            resource_url = f"http://{body}"
+        else:
+            resource_url = body
+
+        # Parse identifier based on identifier_enum
+        offset = 2 + body_len
+        if identifier_enum == ResourceLocator.IDENTIFIER_NONE:
+            identifier_len = 0
+        elif identifier_enum == ResourceLocator.IDENTIFIER_2_BYTES:
+            identifier_len = 2
+        elif identifier_enum == ResourceLocator.IDENTIFIER_8_BYTES:
+            identifier_len = 8
+        elif identifier_enum == ResourceLocator.IDENTIFIER_32_BYTES:
+            identifier_len = 32
+        else:
+            raise ValueError(f"Invalid identifier length enum: {identifier_enum}")
+
+        if len(buffer) < offset + identifier_len:
+            raise ValueError(
+                f"Buffer too short for ResourceLocator identifier (need {offset + identifier_len}, have {len(buffer)})"
+            )
+
+        if identifier_len > 0:
+            identifier_bytes = buffer[offset : offset + identifier_len]
+            # Remove padding
+            identifier = identifier_bytes.rstrip(b"\x00").decode()
+        else:
+            identifier = ""
+
+        size = 2 + body_len + identifier_len
         return ResourceLocator(resource_url, identifier), size

otdf_python/sdk.py

@@ -6,42 +6,12 @@ from contextlib import AbstractContextManager
 from io import BytesIO
 from typing import Any, BinaryIO
 
-from otdf_python.config import NanoTDFConfig, TDFConfig
+from otdf_python.config import KASInfo, NanoTDFConfig, TDFConfig
 from otdf_python.nanotdf import NanoTDF
 from otdf_python.sdk_exceptions import SDKException
 from otdf_python.tdf import TDF, TDFReader, TDFReaderConfig
 
 
-# Stubs for service client interfaces (to be implemented)
-class AttributesServiceClientInterface: ...
-
-
-class NamespaceServiceClientInterface: ...
-
-
-class SubjectMappingServiceClientInterface: ...
-
-
-class ResourceMappingServiceClientInterface: ...
-
-
-class AuthorizationServiceClientInterface: ...
-
-
-class KeyAccessServerRegistryServiceClientInterface: ...
-
-
-# Placeholder for ProtocolClient and Interceptor
-class ProtocolClient: ...
-
-
-class Interceptor: ...  # Can be dict in Python implementation
-
-
-# Placeholder for TrustManager
-class TrustManager: ...
-
-
 class KAS(AbstractContextManager):
     """
     KAS (Key Access Service) interface to define methods related to key access and management.
@@ -71,7 +41,6 @@ class KAS(AbstractContextManager):
         token_source=None,
         sdk_ssl_verify=True,
         use_plaintext=False,
-        auth_headers: dict | None = None,
     ):
         """
         Initialize the KAS client
@@ -81,7 +50,6 @@ class KAS(AbstractContextManager):
             token_source: Function that returns an authentication token
             sdk_ssl_verify: Whether to verify SSL certificates
             use_plaintext: Whether to use plaintext HTTP connections instead of HTTPS
-            auth_headers: Dictionary of authentication headers to include in requests
         """
         from .kas_client import KASClient
 
@@ -94,7 +62,6 @@ class KAS(AbstractContextManager):
         # Store the parameters for potential use
         self._sdk_ssl_verify = sdk_ssl_verify
         self._use_plaintext = use_plaintext
-        self._auth_headers = auth_headers
 
     def get_ec_public_key(self, kas_info: Any, curve: Any) -> Any:
         """
@@ -152,7 +119,7 @@ class KAS(AbstractContextManager):
             Unwrapped key as bytes
         """
         if mock and wrapped_key and kas_private_key:
-            from .asym_decryption import AsymDecryption
+            from .asym_crypto import AsymDecryption
 
             asym = AsymDecryption(private_key_pem=kas_private_key)
             return asym.decrypt(wrapped_key)
@@ -179,12 +146,14 @@ class KAS(AbstractContextManager):
 
 class SDK(AbstractContextManager):
     def new_tdf_config(
-        self, attributes: list[str] | None = None, **kwargs
+        self,
+        attributes: list[str] | None = None,
+        kas_info_list: list[KASInfo] | None = None,
+        **kwargs,
     ) -> TDFConfig:
         """
         Create a TDFConfig with default kas_info_list from the SDK's platform_url.
         """
-        from otdf_python.config import KASInfo
 
         if self.platform_url is None:
             raise SDKException("Cannot create TDFConfig: SDK platform_url is not set.")
@@ -232,10 +201,8 @@ class SDK(AbstractContextManager):
             # Use existing port with the determined scheme
             kas_url = f"{scheme}://{parsed_url.hostname}:{parsed_url.port}{parsed_url.path.rstrip('/')}/kas"
 
-        kas_info = KASInfo(url=kas_url, default=True)
-        # Accept user override for kas_info_list if provided
-        kas_info_list = kwargs.pop("kas_info_list", None)
         if kas_info_list is None:
+            kas_info = KASInfo(url=kas_url, default=True)
             kas_info_list = [kas_info]
         return TDFConfig(
             kas_info_list=kas_info_list, attributes=attributes or [], **kwargs
@@ -251,30 +218,6 @@ class SDK(AbstractContextManager):
         The Services interface provides access to various platform service clients and KAS.
         """
 
-        def attributes(self) -> AttributesServiceClientInterface:
-            """Returns the attributes service client"""
-            raise NotImplementedError
-
-        def namespaces(self) -> NamespaceServiceClientInterface:
-            """Returns the namespaces service client"""
-            raise NotImplementedError
-
-        def subject_mappings(self) -> SubjectMappingServiceClientInterface:
-            """Returns the subject mappings service client"""
-            raise NotImplementedError
-
-        def resource_mappings(self) -> ResourceMappingServiceClientInterface:
-            """Returns the resource mappings service client"""
-            raise NotImplementedError
-
-        def authorization(self) -> AuthorizationServiceClientInterface:
-            """Returns the authorization service client"""
-            raise NotImplementedError
-
-        def kas_registry(self) -> KeyAccessServerRegistryServiceClientInterface:
-            """Returns the KAS registry service client"""
-            raise NotImplementedError
-
         def kas(self) -> KAS:
             """
             Returns the KAS client for key access operations.
@@ -292,9 +235,6 @@ class SDK(AbstractContextManager):
     def __init__(
         self,
         services: "SDK.Services",
-        trust_manager: TrustManager | None = None,
-        auth_interceptor: Interceptor | dict[str, str] | None = None,
-        platform_services_client: ProtocolClient | None = None,
         platform_url: str | None = None,
         ssl_verify: bool = True,
         use_plaintext: bool = False,
@@ -304,17 +244,11 @@ class SDK(AbstractContextManager):
 
         Args:
             services: The services interface implementation
-            trust_manager: Optional trust manager for SSL validation
-            auth_interceptor: Optional auth interceptor for API requests
-            platform_services_client: Optional client for platform services
             platform_url: Optional platform base URL
             ssl_verify: Whether to verify SSL certificates (default: True)
             use_plaintext: Whether to use HTTP instead of HTTPS (default: False)
         """
         self.services = services
-        self.trust_manager = trust_manager
-        self.auth_interceptor = auth_interceptor
-        self.platform_services_client = platform_services_client
         self.platform_url = platform_url
         self.ssl_verify = ssl_verify
         self._use_plaintext = use_plaintext
@@ -332,27 +266,17 @@ class SDK(AbstractContextManager):
         """Returns the services interface"""
         return self.services
 
-    def get_trust_manager(self) -> TrustManager | None:
-        """Returns the trust manager if set"""
-        return self.trust_manager
-
-    def get_auth_interceptor(self) -> Interceptor | dict[str, str] | None:
-        """Returns the auth interceptor if set"""
-        return self.auth_interceptor
-
-    def get_platform_services_client(self) -> ProtocolClient | None:
-        """Returns the platform services client if set"""
-        return self.platform_services_client
-
     def get_platform_url(self) -> str | None:
         """Returns the platform URL if set"""
         return self.platform_url
 
-    def load_tdf_with_config(
-        self, tdf_data: bytes | BinaryIO | BytesIO, config: TDFReaderConfig
+    def load_tdf(
+        self,
+        tdf_data: bytes | BinaryIO | BytesIO,
+        config: TDFReaderConfig | None = None,
     ) -> TDFReader:
         """
-        Loads a TDF from the provided data according to the config.
+        Loads a TDF from the provided data, optionally according to the config.
 
         Args:
             tdf_data: The TDF data as bytes, file object, or BytesIO
@@ -365,26 +289,10 @@ class SDK(AbstractContextManager):
             SDKException: If there's an error loading the TDF
         """
         tdf = TDF(self.services)
-        return tdf.load_tdf(tdf_data, config)
+        if config is None:
+            config = TDFReaderConfig()
 
-    def load_tdf_without_config(
-        self, tdf_data: bytes | BinaryIO | BytesIO
-    ) -> TDFReader:
-        """
-        Loads a TDF from the provided data.
-
-        Args:
-            tdf_data: The TDF data as bytes, file object, or BytesIO
-
-        Returns:
-            TDFReader: Contains payload and manifest
-
-        Raises:
-            SDKException: If there's an error loading the TDF
-        """
-        tdf = TDF(self.services)
-        default = TDFReaderConfig()
-        return tdf.load_tdf(tdf_data, default)
+        return tdf.load_tdf(tdf_data, config)
 
     def create_tdf(
         self,

otdf_python/sdk_builder.py

@@ -4,10 +4,9 @@ Provides methods to configure and build SDK instances.
 """
 
 import logging
-import os
 import ssl
 from dataclasses import dataclass
-from typing import Any
+from pathlib import Path
 
 import httpx
 
@@ -77,9 +76,10 @@ class SDKBuilder:
         self.cert_paths = []
 
         # Find all .pem and .crt files in the directory
-        for filename in os.listdir(certs_dir_path):
-            if filename.endswith(".pem") or filename.endswith(".crt"):
-                self.cert_paths.append(os.path.join(certs_dir_path, filename))
+        certs_path = Path(certs_dir_path)
+        for cert_file in certs_path.iterdir():
+            if cert_file.suffix in (".pem", ".crt"):
+                self.cert_paths.append(str(cert_file))
 
         # Create SSL context with these certificates
         if self.cert_paths:
@@ -343,32 +343,6 @@ class SDKBuilder:
         except Exception as e:
             raise AutoConfigureException(f"Error during token acquisition: {e!s}")
 
-    def _create_auth_interceptor(self) -> Any:
-        """
-        Creates an authentication interceptor for API requests (httpx).
-        Returns:
-            Any: An auth interceptor object
-        Raises:
-            AutoConfigureException: If auth configuration fails
-        """
-        # For now, this is just a placeholder returning a dict with auth headers
-        # In a real implementation, this would create a proper interceptor object
-        # that injects auth headers into httpx requests
-
-        token = None
-
-        if self.auth_token:
-            # Use provided token
-            token = self.auth_token
-        elif self.oauth_config:
-            # Get token from OAuth
-            token = self._get_token_from_client_credentials()
-
-        if token:
-            return {"Authorization": f"Bearer {token}"}
-
-        return None
-
     def _create_services(self) -> SDK.Services:
         """
         Creates service client instances.
@@ -382,13 +356,11 @@ class SDKBuilder:
         # connecting to the platform endpoints
 
         ssl_verify = not self.insecure_skip_verify
-        auth_interceptor = self._create_auth_interceptor()
 
         class ServicesImpl(SDK.Services):
             def __init__(self, builder_instance):
                 self.closed = False
                 self._ssl_verify = ssl_verify
-                self._auth_headers = auth_interceptor if auth_interceptor else {}
                 self._builder = builder_instance
 
             def kas(self) -> KAS:
@@ -432,16 +404,12 @@ class SDKBuilder:
         if not self.platform_endpoint:
             raise AutoConfigureException("Platform endpoint is not set")
 
-        # Create the auth interceptor
-        auth_interceptor = self._create_auth_interceptor()
-
         # Create services
         services = self._create_services()
 
         # Return the SDK instance, platform_url is set for new_tdf_config
         return SDK(
             services=services,
-            auth_interceptor=auth_interceptor,
             platform_url=self.platform_endpoint,
             ssl_verify=not self.insecure_skip_verify,
             use_plaintext=getattr(self, "use_plaintext", False),

otdf_python/tdf.py

@@ -87,7 +87,7 @@ class TDF:
         import hashlib
         import hmac
 
-        from otdf_python.asym_crypto import AsymEncryption
+        from .asym_crypto import AsymEncryption
 
         key_access_objs = []
         for kas in kas_infos:
@@ -188,7 +188,7 @@ class TDF:
         """
         Unwraps the key locally using a provided private key (used for testing)
         """
-        from otdf_python.asym_decryption import AsymDecryption
+        from .asym_crypto import AsymDecryption
 
         key = None
         for ka in key_access_objs:
@@ -430,7 +430,8 @@ class TDF:
         import zipfile
 
         from otdf_python.aesgcm import AesGcm
-        from otdf_python.asym_crypto import AsymDecryption
+
+        from .asym_crypto import AsymDecryption
 
         with zipfile.ZipFile(io.BytesIO(tdf_bytes), "r") as z:
             manifest_json = z.read("0.manifest.json").decode()