otdf-python 0.3.1__tar.gz

otdf_python-0.3.1/.github/check_entitlements.sh

@@ -0,0 +1,56 @@
+#!/bin/bash
+
+# Derive additional environment variables
+TOKEN_URL="${OIDC_OP_TOKEN_ENDPOINT}"
+OTDF_HOST_AND_PORT="${OPENTDF_PLATFORM_HOST}"
+OTDF_CLIENT="${OPENTDF_CLIENT_ID}"
+OTDF_CLIENT_SECRET="${OPENTDF_CLIENT_SECRET}"
+
+echo "🔧 Environment Configuration:"
+echo "   TOKEN_URL: ${TOKEN_URL}"
+echo "   OTDF_HOST_AND_PORT: ${OTDF_HOST_AND_PORT}"
+echo "   OTDF_CLIENT: ${OTDF_CLIENT}"
+echo "   OTDF_CLIENT_SECRET: ${OTDF_CLIENT_SECRET}"
+echo ""
+
+get_token() {
+    curl -k --location "$TOKEN_URL" \
+    --header "X-VirtruPubKey;" \
+    --header "Content-Type: application/x-www-form-urlencoded" \
+    --data-urlencode "grant_type=client_credentials" \
+    --data-urlencode "client_id=$OTDF_CLIENT" \
+    --data-urlencode "client_secret=$OTDF_CLIENT_SECRET"
+}
+
+echo "🔐 Getting access token..."
+BEARER=$( get_token | jq -r '.access_token' )
+# NOTE: It's always okay to print this token, because it will
+# only be valid / available in dummy / dev scenarios
+[[ "${DEBUG:-}" == "1" ]] && echo "Got Access Token: ${BEARER}"
+echo ""
+
+# Array of usernames to check
+USERNAMES=("opentdf" "sample-user" "sample-user-1" "cli-client" "opentdf-sdk")
+
+for USERNAME in "${USERNAMES[@]}"; do
+    echo "👤 Fetching entitlements for username: ${USERNAME}"
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+
+    grpcurl -plaintext \
+      -H "authorization: Bearer $BEARER" \
+      -d "{
+      \"entities\": [
+        {
+          \"userName\": \"$USERNAME\"
+        }
+      ]
+    }" \
+      "$OTDF_HOST_AND_PORT" \
+      authorization.AuthorizationService/GetEntitlements
+
+    echo "━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━"
+    echo "✅ Entitlements retrieval complete for ${USERNAME}!"
+    echo ""
+done
+
+echo "🎉 All entitlement checks completed!"

otdf_python-0.3.1/.github/start_opentdf_docker.sh

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+if ! [ -d platform ]; then
+  git clone https://github.com/opentdf/platform.git
+fi
+cd platform
+git checkout 3360befcb3e6e9791d7bfd2e89128aee0e7d2818 # Branch 'DSPX-1539-keytoolnomore'
+
+yq -i '.realms[0].clients[0].client.directAccessGrantsEnabled = true | .realms[0].clients[0].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+
+yq -i '.realms[0].clients[1].client.directAccessGrantsEnabled = true | .realms[0].clients[1].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+
+yq -i '.realms[0].clients[4].client.directAccessGrantsEnabled = true | .realms[0].clients[4].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+
+
+if ! [ -d ./keys ]; then
+  go mod download
+
+  go mod verify
+
+  .github/scripts/init-temp-keys.sh
+  cp opentdf-example.yaml opentdf.yaml
+
+  # Edit 'opentdf.yaml' for our use case
+  yq -i 'del(.db) | .services.entityresolution.url = "http://localhost:8888/auth" | .server.auth.issuer = "http://localhost:8888/auth/realms/opentdf"' opentdf.yaml
+  # The above expression can also be written as 3 separate commands:
+  # yq -i 'del(.db)' opentdf.yaml
+  # yq -i '.services.entityresolution.url = "http://localhost:8888/auth"' opentdf.yaml
+  # yq -i '.server.auth.issuer = "http://localhost:8888/auth/realms/opentdf"' opentdf.yaml
+
+  yq -i '
+.server.cryptoProvider = {
+  "type": "standard",
+  "standard": {
+    "keys": [
+      {
+        "kid": "r1",
+        "alg": "rsa:2048",
+        "private": "kas-private.pem",
+        "cert": "kas-cert.pem"
+      },
+      {
+        "kid": "e1",
+        "alg": "ec:secp256r1",
+        "private": "kas-ec-private.pem",
+        "cert": "kas-ec-cert.pem"
+      }
+    ]
+  }
+}
+' opentdf.yaml
+  chmod -R 700 ./keys
+fi
+
+docker compose up -d --wait --wait-timeout 360
+
+go run ./service provision keycloak
+
+go run ./service provision fixtures

otdf_python-0.3.1/.github/workflows/build-python.yaml

@@ -0,0 +1,42 @@
+# Build otdf-python wheel using uv and output the wheel path for downstream workflows
+name: "Build Python Wheel"
+on:
+  push:
+    branches:
+      - chore/rewrite
+  pull_request:
+
+jobs:
+  build:
+    runs-on: ubuntu-22.04
+    outputs:
+      wheel: ${{ steps.find_wheel.outputs.wheel_path }}
+    steps:
+      - name: Checkout this repo
+        uses: actions/checkout@v4
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Build otdf-python wheel using uv
+        run: |
+          uv sync --frozen
+          uv build
+        shell: bash
+
+      - name: Find built wheel
+        id: find_wheel
+        run: |
+          wheel_path=$(ls dist/*.whl | head -n1)
+          echo "wheel_path=$wheel_path" >> $GITHUB_OUTPUT
+        shell: bash
+
+      # - name: Upload wheel as artifact
+      #   uses: actions/upload-artifact@v4
+      #   with:
+      #     name: python-wheel
+      #     path: dist/*.whl
+      #     overwrite: true

otdf_python-0.3.1/.github/workflows/platform-integration-test.yaml

@@ -0,0 +1,213 @@
+# Based on
+#   https://github.com/opentdf/java-sdk/blob/v0.6.1/.github/workflows/checks.yaml
+#
+# Except, that this is a "Composite Action", and specifies 'shell: bash' for
+# each 'run:' step.
+name: "NEW: Platform Integration testing"
+
+on:
+  workflow_call:
+    inputs:
+      wheel:
+        required: true
+        type: string
+      python_version:
+        required: true
+        type: string
+
+permissions:
+  contents: read
+
+jobs:
+  integration_test:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout this repo
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+
+      # - uses: bufbuild/buf-setup-action@382440cdb8ec7bc25a68d7b4711163d95f7cc3aa
+      #   with:
+      #     github_token: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Check out platform
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        with:
+          repository: opentdf/platform
+          ref: main
+          path: platform
+      - name: Set up go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
+        with:
+          go-version: "1.24.x"
+          check-latest: false
+          cache-dependency-path: |
+            platform/service/go.sum
+            platform/examples/go.sum
+            platform/protocol/go/go.sum
+            platform/sdk/go.sum
+      - run: go mod download
+        shell: bash
+        working-directory: platform
+      - run: go mod verify
+        shell: bash
+        working-directory: platform
+      - name: Create keys
+        shell: bash
+        run: |
+          .github/scripts/init-temp-keys.sh
+          # Edit Keycloak sample file for our use case
+          yq -i '.realms[0].clients[0].client.directAccessGrantsEnabled = true | .realms[0].clients[0].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+          yq -i '.realms[0].clients[1].client.directAccessGrantsEnabled = true | .realms[0].clients[1].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+          yq -i '.realms[0].clients[4].client.directAccessGrantsEnabled = true | .realms[0].clients[4].client.serviceAccountsEnabled = true' service/cmd/keycloak_data.yaml
+
+          cp opentdf-example.yaml opentdf.yaml
+          # Edit 'opentdf.yaml' for our use case
+          yq -i 'del(.db) | .services.entityresolution.url = "http://localhost:8888/auth" | .server.auth.issuer = "http://localhost:8888/auth/realms/opentdf"' opentdf.yaml
+          # The above expression can also be written as 3 separate commands:
+          # yq -i 'del(.db)' opentdf.yaml
+          # yq -i '.services.entityresolution.url = "http://localhost:8888/auth"' opentdf.yaml
+          # yq -i '.server.auth.issuer = "http://localhost:8888/auth/realms/opentdf"' opentdf.yaml
+          yq -i '
+          .server.cryptoProvider = {
+            "type": "standard",
+            "standard": {
+              "keys": [
+                {
+                  "kid": "r1",
+                  "alg": "rsa:2048",
+                  "private": "kas-private.pem",
+                  "cert": "kas-cert.pem"
+                },
+                {
+                  "kid": "e1",
+                  "alg": "ec:secp256r1",
+                  "private": "kas-ec-private.pem",
+                  "cert": "kas-ec-cert.pem"
+                }
+              ]
+            }
+          }
+          ' opentdf.yaml
+          sudo chmod -R 777 ./keys
+        working-directory: platform
+      # - name: Trust the locally issued cert
+      #   run: |
+      #     keytool \
+      #       -importcert \
+      #       -storepass changeit \
+      #       -noprompt \
+      #       -file localhost.crt \
+      #       -keystore $JAVA_HOME/lib/security/cacerts \
+      #       -alias localhost-for-tests
+      #   working-directory: platform/keys
+      - name: Bring the services up
+        shell: bash
+        run: docker compose up -d --wait --wait-timeout 240
+        working-directory: platform
+      - name: Provision keycloak
+        shell: bash
+        run: go run ./service provision keycloak
+        working-directory: platform
+      - name: Provision fixtures
+        shell: bash
+        run: go run ./service provision fixtures
+        working-directory: platform
+      - name: Start server in background
+        uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635
+        with:
+          run: |
+            go run ./service start
+          wait-on: |
+            tcp:localhost:8080
+          log-output-if: true
+          wait-for: 90s
+          working-directory: platform
+      - name: Get grpcurl
+        shell: bash
+        run: go install github.com/fullstorydev/grpcurl/cmd/grpcurl@v1.8.9
+      - name: Make sure that the platform is up
+        shell: bash
+        run: |
+          grpcurl -plaintext localhost:8080 list && \
+          grpcurl -plaintext localhost:8080 kas.AccessService/PublicKey
+
+      - name: Install otdfctl
+        run: go install github.com/opentdf/otdfctl@latest
+        shell: bash
+
+      - name: Create creds.json for otdfctl
+        run: echo -n '{"clientId":"opentdf-sdk","clientSecret":"secret"}' > creds.json
+        shell: bash
+
+      - name: Create a plaintext file
+        run: echo "integration test secret" > secret.txt
+        shell: bash
+
+      - name: Encrypt file with otdfctl (no attributes)
+        run: |
+          export PATH=$PATH:$(go env GOPATH)/bin
+          otdfctl encrypt -o secret.txt.tdf --host http://localhost:8080 --tls-no-verify --with-client-creds-file creds.json secret.txt
+        shell: bash
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Run all tests, minus integration tests
+        env:
+          OPENTDF_CLIENT_ID: "opentdf"
+          OPENTDF_CLIENT_SECRET: "secret"
+          OPENTDF_HOSTNAME: "localhost:8080"
+          OIDC_TOKEN_ENDPOINT: "http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token"
+          OPENTDF_KAS_URL: "http://localhost:8080/kas"
+          INSECURE_SKIP_VERIFY: "TRUE"
+          TEST_OPENTDF_ATTRIBUTE_1: "https://example.net/attr/attr1/value/value1"
+          TEST_OPENTDF_ATTRIBUTE_2: "https://example.com/attr/attr1/value/value1"
+        run: |
+          uv sync
+          # Skip the tests marked "integration"
+          uv run pytest -m "not integration" --tb=short -vv tests
+        shell: bash
+
+      - name: Run integration tests
+        env:
+          OPENTDF_CLIENT_ID: "opentdf"
+          OPENTDF_CLIENT_SECRET: "secret"
+          OPENTDF_PLATFORM_HOST: "localhost:8080"
+          OPENTDF_PLATFORM_URL: "http://localhost:8080"
+          OIDC_OP_TOKEN_ENDPOINT: "http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token"
+          OPENTDF_KAS_URL: "http://localhost:8080/kas"
+          INSECURE_SKIP_VERIFY: "TRUE"
+          TEST_OPENTDF_ATTRIBUTE_1: "https://example.net/attr/attr1/value/value1"
+          TEST_OPENTDF_ATTRIBUTE_2: "https://example.com/attr/attr1/value/value1"
+        run: |
+          # Run check_entitlements.sh
+          ./.github/check_entitlements.sh
+
+          uv sync
+          # Skip the tests marked "integration"
+          uv run pytest -m "integration" --tb=short -vv tests
+        shell: bash
+
+  # platform-xtest:
+  #   permissions:
+  #     contents: read
+  #     packages: read
+  #   needs: platform-integration
+  #   uses: opentdf/tests/.github/workflows/xtest.yml@main
+  #   with:
+  #     java-ref: ${{ github.ref }}
+
+  # ci:
+  #   needs:
+  #     - platform-integration
+  #     - platform-xtest
+  #     - mavenverify
+  #     - pr
+  #   runs-on: ubuntu-22.04
+  #   if: always()
+  #   steps:
+  #     - if: contains(needs.*.result, 'failure')
+  #       run: echo "Failed due to ${{ contains(needs.*.result, 'failure') }}" && exit 1

otdf_python-0.3.1/.github/workflows/release-please.yaml

@@ -0,0 +1,139 @@
+name: Release Please
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  workflow_dispatch:
+
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  # Run full test suite before any release operations
+  test-suite:
+    uses: ./.github/workflows/test-suite.yaml
+
+  release-please:
+    runs-on: ubuntu-latest
+    needs: test-suite
+    if: needs.test-suite.outputs.tests_passed == 'true'
+    outputs:
+      releases_created: ${{ steps.release-develop.outputs.releases_created || steps.release-main.outputs.releases_created }}
+      paths_released: ${{ steps.release-develop.outputs.paths_released || steps.release-main.outputs.paths_released }}
+    steps:
+      - uses: actions/checkout@v4
+
+      # Release-please for develop branch (creates alpha prereleases)
+      - uses: googleapis/release-please-action@v4
+        if: github.ref == 'refs/heads/develop'
+        id: release-develop
+        with:
+          config-file: .release-please-config-develop.json
+          manifest-file: .release-please-manifest-develop.json
+          target-branch: develop
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      # Release-please for main branch (creates stable releases)
+      - uses: googleapis/release-please-action@v4
+        if: github.ref == 'refs/heads/main'
+        id: release-main
+        with:
+          config-file: .release-please-config.json
+          manifest-file: .release-please-manifest.json
+          target-branch: main
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+  # Trigger appropriate publish workflows based on release type
+  trigger-publish:
+    permissions:
+      contents: write
+      # This permission is mandatory for PyPI's trusted publishing
+      id-token: write
+    needs: release-please
+    if: ${{ needs.release-please.outputs.releases_created }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          version: "latest"
+
+      - name: Build package
+        shell: bash
+        run: |
+          uv build
+
+      - name: Test import
+        shell: bash
+        run: |
+          uv run python -c 'import otdf_python; print("Package imported successfully")'
+
+      # While we improve the release process, prevent publishing to TestPyPI for versions <= 0.3.2
+      - name: Store version and determine if should publish to TestPyPI
+        id: check_version
+        shell: bash
+        run: |
+          PROJECT_VERSION=$(uv version --short)
+          echo "PROJECT_VERSION=$PROJECT_VERSION" >> $GITHUB_ENV
+
+          if [[ "$PROJECT_VERSION" =~ [0-9]+\.[0-9]+\.[0-9]+a[0-9]+ ]]; then
+            echo "is_alpha=true" >> $GITHUB_OUTPUT
+            echo "Alpha version detected: $PROJECT_VERSION"
+          else
+            echo "is_alpha=false" >> $GITHUB_OUTPUT
+            echo "Stable version detected: $PROJECT_VERSION"
+          fi
+
+          # Remove any alpha/beta/rc suffixes for comparison
+          CLEAN_VERSION=$(echo "$PROJECT_VERSION" | sed 's/[a-zA-Z].*//')
+          echo "clean_version=$CLEAN_VERSION" >> $GITHUB_OUTPUT
+
+          # Convert versions to comparable format (e.g., "0.3.2" -> "000300020000")
+          version_to_number() {
+            echo "$1" | awk -F. '{ printf("%04d%04d%04d\n", $1,$2,$3); }'
+          }
+
+          CURRENT_NUM=$(version_to_number "$CLEAN_VERSION")
+          THRESHOLD_NUM=$(version_to_number "0.3.2")
+
+          if [ "$CURRENT_NUM" -gt "$THRESHOLD_NUM" ]; then
+            echo "should_publish=true" >> $GITHUB_OUTPUT
+            echo "Version $PROJECT_VERSION (clean: $CLEAN_VERSION) is > 0.3.2, will publish to TestPyPI"
+          else
+            echo "should_publish=false" >> $GITHUB_OUTPUT
+            echo "Version $PROJECT_VERSION (clean: $CLEAN_VERSION) is <= 0.3.2, skipping TestPyPI publish"
+          fi
+
+      # For develop branch: trigger TestPyPI build (alpha prereleases go to TestPyPI from develop)
+
+      # Publish with "trusted publisher" mechanism:
+      # https://docs.pypi.org/trusted-publishers/
+      #
+      # Requires GHA token permission (above in YAML) and PyPI management:
+      #   https://test.pypi.org/manage/project/otdf-python/settings/publishing/
+      - name: Publish package distributions to TestPyPI
+        if: github.ref == 'refs/heads/develop' && steps.check_version.outputs.should_publish == 'true'
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          repository-url: https://test.pypi.org/legacy/
+          verbose: true
+          packages-dir: dist/
+
+      # For main branch: trigger PyPI build (stable releases go to PyPI from main)
+      # Publish with "trusted publisher" mechanism:
+      # https://docs.pypi.org/trusted-publishers/
+      #
+      # Requires GHA token permission (above in YAML) and PyPI management:
+      #   https://pypi.org/manage/project/otdf-python/settings/publishing/
+      - name: Publish package distributions to PyPI
+        if: github.ref == 'refs/heads/main'
+        uses: pypa/gh-action-pypi-publish@release/v1
+        with:
+          # repository-url: https://pypi.org/legacy/
+          packages-dir: dist/
+          verbose: true

otdf_python-0.3.1/.github/workflows/test-suite.yaml

@@ -0,0 +1,121 @@
+name: Test Suite
+
+on:
+  push:
+    branches:
+      - main
+      - develop
+  pull_request:
+  workflow_call:
+    outputs:
+      tests_passed:
+        description: "Whether all tests passed"
+        value: ${{ jobs.report.outputs.success }}
+  workflow_dispatch:
+
+jobs:
+  # Step 1: Fast lint and format checks (fail fast on code style)
+  lint-check:
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Run linting (fail fast)
+        run: |
+          uv sync --frozen
+          uv run ruff check
+          uv run ruff format --check
+
+  # Step 2: Build (only after linting passes)
+  build:
+    runs-on: ubuntu-22.04
+    needs: lint-check
+    outputs:
+      wheel: ${{ steps.find_wheel.outputs.wheel_path }}
+    steps:
+      - name: Checkout this repo
+        uses: actions/checkout@v4
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Build otdf-python wheel using uv
+        run: |
+          uv sync --frozen
+          uv build
+        shell: bash
+
+      - name: Find built wheel
+        id: find_wheel
+        run: |
+          wheel_path=$(ls dist/*.whl | head -n1)
+          echo "wheel_path=$wheel_path" >> $GITHUB_OUTPUT
+        shell: bash
+
+      - name: Upload wheel as artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: python-wheel
+          path: dist/*.whl
+
+  # Step 3: Unit tests (only after build succeeds)
+  unit-tests:
+    runs-on: ubuntu-22.04
+    needs: build
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@v6
+        with:
+          enable-cache: true
+          cache-dependency-glob: "uv.lock"
+
+      - name: Run unit tests
+        run: |
+          uv sync --frozen
+          uv run pytest -m "not integration" --tb=short -v tests/
+
+  # Step 4: Integration tests (only after unit tests pass)
+  integration-tests:
+    strategy:
+      fail-fast: true
+      matrix:
+        python3_version: ["3.10", "3.11", "3.12", "3.13"]
+    needs: [build, unit-tests]
+    uses: ./.github/workflows/platform-integration-test.yaml
+    with:
+      wheel: ${{ needs.build.outputs.wheel }}
+      python_version: ${{ matrix.python3_version }}
+
+  report:
+    runs-on: ubuntu-22.04
+    needs: [lint-check, build, unit-tests, integration-tests]
+    if: always()
+    outputs:
+      success: ${{ steps.check.outputs.success }}
+    steps:
+      - name: Check all jobs succeeded
+        id: check
+        run: |
+          if [[ "${{ needs.lint-check.result }}" == "success" && "${{ needs.build.result }}" == "success" && "${{ needs.unit-tests.result }}" == "success" && "${{ needs.integration-tests.result }}" == "success" ]]; then
+            echo "success=true" >> $GITHUB_OUTPUT
+            echo "✅ All tests passed!"
+          else
+            echo "success=false" >> $GITHUB_OUTPUT
+            echo "❌ Some tests failed:"
+            echo "  Lint Check: ${{ needs.lint-check.result }}"
+            echo "  Build: ${{ needs.build.result }}"
+            echo "  Unit Tests: ${{ needs.unit-tests.result }}"
+            echo "  Integration Tests: ${{ needs.integration-tests.result }}"
+            exit 1
+          fi