otdf-python 0.4.2__py3-none-any.whl → 0.4.3__py3-none-any.whl

otdf_python/cli.py

@@ -112,33 +112,14 @@ def load_client_credentials(creds_file_path: str) -> tuple[str, str]:
         ) from e
 
 
-def build_sdk(args) -> SDK:
-    """Build SDK instance from CLI arguments."""
-    builder = SDKBuilder()
-
-    if args.platform_url:
-        builder.set_platform_endpoint(args.platform_url)
-
-        # Auto-detect HTTP URLs and enable plaintext mode
-        if args.platform_url.startswith("http://") and (
-            not hasattr(args, "plaintext") or not args.plaintext
-        ):
-            logger.debug(
-                f"Auto-detected HTTP URL {args.platform_url}, enabling plaintext mode"
-            )
-            builder.use_insecure_plaintext_connection(True)
-
-    if args.oidc_endpoint:
-        builder.set_issuer_endpoint(args.oidc_endpoint)
-
+def _configure_auth(builder: SDKBuilder, args) -> None:
+    """Configure authentication on the SDK builder."""
     if args.client_id and args.client_secret:
         builder.client_secret(args.client_id, args.client_secret)
     elif hasattr(args, "with_client_creds_file") and args.with_client_creds_file:
-        # Load credentials from file
         client_id, client_secret = load_client_credentials(args.with_client_creds_file)
         builder.client_secret(client_id, client_secret)
     elif hasattr(args, "auth") and args.auth:
-        # Parse combined auth string (clientId:clientSecret) - legacy support
         auth_parts = args.auth.split(":")
         if len(auth_parts) != 2:
             raise CLIError(
@@ -152,12 +133,49 @@ def build_sdk(args) -> SDK:
             "Authentication required: provide --with-client-creds-file OR --client-id and --client-secret",
         )
 
+
+def _configure_kas_allowlist(builder: SDKBuilder, args) -> None:
+    """Configure KAS allowlist on the SDK builder."""
+    if hasattr(args, "ignore_kas_allowlist") and args.ignore_kas_allowlist:
+        logger.warning(
+            "KAS allowlist validation is disabled. This may leak credentials "
+            "to malicious servers if decrypting untrusted TDF files."
+        )
+        builder.with_ignore_kas_allowlist(True)
+    elif hasattr(args, "kas_allowlist") and args.kas_allowlist:
+        kas_urls = [url.strip() for url in args.kas_allowlist.split(",") if url.strip()]
+        logger.debug(f"Using KAS allowlist: {kas_urls}")
+        builder.with_kas_allowlist(kas_urls)
+
+
+def build_sdk(args) -> SDK:
+    """Build SDK instance from CLI arguments."""
+    builder = SDKBuilder()
+
+    if args.platform_url:
+        builder.set_platform_endpoint(args.platform_url)
+        # Auto-detect HTTP URLs and enable plaintext mode
+        if args.platform_url.startswith("http://") and (
+            not hasattr(args, "plaintext") or not args.plaintext
+        ):
+            logger.debug(
+                f"Auto-detected HTTP URL {args.platform_url}, enabling plaintext mode"
+            )
+            builder.use_insecure_plaintext_connection(True)
+
+    if args.oidc_endpoint:
+        builder.set_issuer_endpoint(args.oidc_endpoint)
+
+    _configure_auth(builder, args)
+
     if hasattr(args, "plaintext") and args.plaintext:
         builder.use_insecure_plaintext_connection(True)
 
     if args.insecure:
         builder.use_insecure_skip_verify(True)
 
+    _configure_kas_allowlist(builder, args)
+
     return builder.build()
 
 
@@ -476,6 +494,17 @@ Where creds.json contains:
     security_group.add_argument(
         "--insecure", action="store_true", help="Skip TLS verification"
     )
+    security_group.add_argument(
+        "--kas-allowlist",
+        help="Comma-separated list of trusted KAS URLs. "
+        "By default, only the platform URL's KAS endpoint is trusted.",
+    )
+    security_group.add_argument(
+        "--ignore-kas-allowlist",
+        action="store_true",
+        help="WARNING: Disable KAS allowlist validation. This is insecure and "
+        "should only be used for testing. May leak credentials to malicious servers.",
+    )
 
     # Subcommands
     subparsers = parser.add_subparsers(dest="command", help="Available commands")

otdf_python/kas_allowlist.py

@@ -0,0 +1,182 @@
+"""KAS Allowlist: Validates KAS URLs against a list of trusted hosts.
+
+This module provides protection against SSRF attacks where malicious TDF files
+could contain attacker-controlled KAS URLs to steal OIDC credentials.
+"""
+
+import logging
+from urllib.parse import urlparse
+
+
+class KASAllowlist:
+    """Validates KAS URLs against an allowlist of trusted hosts.
+
+    This class prevents credential theft by ensuring the SDK only sends
+    authentication tokens to trusted KAS endpoints.
+
+    Example:
+        allowlist = KASAllowlist(["https://kas.example.com"])
+        allowlist.is_allowed("https://kas.example.com/kas")  # True
+        allowlist.is_allowed("https://evil.com/kas")  # False
+
+    """
+
+    def __init__(self, allowed_urls: list[str] | None = None, allow_all: bool = False):
+        """Initialize the KAS allowlist.
+
+        Args:
+            allowed_urls: List of trusted KAS URLs. Each URL is normalized to
+                its origin (scheme://host:port) for comparison.
+            allow_all: If True, all URLs are allowed. Use only for testing.
+                A warning is logged when this is enabled.
+
+        """
+        self._allowed_origins: set[str] = set()
+        self._allow_all = allow_all
+
+        if allow_all:
+            logging.warning(
+                "KAS allowlist is disabled (allow_all=True). "
+                "This is insecure and should only be used for testing."
+            )
+
+        if allowed_urls:
+            for url in allowed_urls:
+                self.add(url)
+
+    def add(self, url: str) -> None:
+        """Add a URL to the allowlist.
+
+        The URL is normalized to its origin (scheme://host:port) before storage.
+        Paths and query strings are stripped.
+
+        Args:
+            url: The KAS URL to allow. Can include path components which
+                will be stripped for origin comparison.
+
+        """
+        origin = self._get_origin(url)
+        self._allowed_origins.add(origin)
+        logging.debug(f"Added KAS origin to allowlist: {origin}")
+
+    def is_allowed(self, url: str) -> bool:
+        """Check if a URL is allowed by the allowlist.
+
+        Args:
+            url: The KAS URL to check.
+
+        Returns:
+            True if the URL's origin is in the allowlist or allow_all is True.
+            False otherwise.
+
+        """
+        if self._allow_all:
+            logging.debug(f"KAS URL allowed (allow_all=True): {url}")
+            return True
+
+        if not self._allowed_origins:
+            logging.debug(f"KAS URL rejected (empty allowlist): {url}")
+            return False
+
+        origin = self._get_origin(url)
+        allowed = origin in self._allowed_origins
+        if allowed:
+            logging.debug(f"KAS URL allowed: {url} (origin: {origin})")
+        else:
+            logging.debug(
+                f"KAS URL rejected: {url} (origin: {origin}, "
+                f"allowed: {self._allowed_origins})"
+            )
+        return allowed
+
+    def validate(self, url: str) -> None:
+        """Validate a URL against the allowlist, raising an exception if not allowed.
+
+        Args:
+            url: The KAS URL to validate.
+
+        Raises:
+            SDK.KasAllowlistException: If the URL is not in the allowlist.
+
+        """
+        if not self.is_allowed(url):
+            # Import here to avoid circular imports
+            from .sdk import SDK
+
+            raise SDK.KasAllowlistException(url, self._allowed_origins)
+
+    @property
+    def allowed_origins(self) -> set[str]:
+        """Return the set of allowed origins (read-only copy)."""
+        return self._allowed_origins.copy()
+
+    @property
+    def allow_all(self) -> bool:
+        """Return whether all URLs are allowed."""
+        return self._allow_all
+
+    @staticmethod
+    def _get_origin(url: str) -> str:
+        """Extract the origin (scheme://host:port) from a URL.
+
+        This normalizes URLs for comparison by stripping paths and query strings.
+        Default ports (80 for http, 443 for https) are included explicitly.
+
+        Args:
+            url: The URL to extract the origin from.
+
+        Returns:
+            Normalized origin string in format scheme://host:port
+
+        """
+        # Add scheme if missing
+        if "://" not in url:
+            url = "https://" + url
+
+        try:
+            parsed = urlparse(url)
+        except Exception as e:
+            logging.warning(f"Failed to parse URL {url}: {e}")
+            # Return the URL as-is if parsing fails
+            return url.lower()
+
+        scheme = (parsed.scheme or "https").lower()
+        hostname = (parsed.hostname or "").lower()
+
+        if not hostname:
+            # URL might be malformed, return as-is
+            logging.warning(f"Could not extract hostname from URL: {url}")
+            return url.lower()
+
+        # Determine port (use explicit port or default for scheme)
+        if parsed.port:
+            port = parsed.port
+        elif scheme == "http":
+            port = 80
+        else:
+            port = 443
+
+        return f"{scheme}://{hostname}:{port}"
+
+    @classmethod
+    def from_platform_url(cls, platform_url: str) -> "KASAllowlist":
+        """Create an allowlist from a platform URL.
+
+        This is the default behavior: auto-allow the platform's KAS endpoint.
+
+        Args:
+            platform_url: The OpenTDF platform URL. The KAS endpoint is
+                assumed to be at {platform_url}/kas.
+
+        Returns:
+            KASAllowlist configured to allow the platform's KAS endpoint.
+
+        """
+        allowlist = cls()
+        # Add the platform URL itself (KAS might be at root or /kas)
+        allowlist.add(platform_url)
+        # Also construct the /kas endpoint explicitly
+        kas_url = platform_url.rstrip("/") + "/kas"
+        allowlist.add(kas_url)
+        logging.info(f"Created KAS allowlist from platform URL: {platform_url}")
+        return allowlist

otdf_python/kas_client.py

@@ -38,13 +38,26 @@ class KASClient:
         cache=None,
         use_plaintext=False,
         verify_ssl=True,
+        kas_allowlist=None,
     ):
-        """Initialize KAS client."""
+        """Initialize KAS client.
+
+        Args:
+            kas_url: Default KAS URL
+            token_source: Function that returns an authentication token
+            cache: Optional KASKeyCache for caching public keys
+            use_plaintext: Whether to use HTTP instead of HTTPS
+            verify_ssl: Whether to verify SSL certificates
+            kas_allowlist: Optional KASAllowlist for URL validation. If provided,
+                only URLs in the allowlist will be contacted.
+
+        """
         self.kas_url = kas_url
         self.token_source = token_source
         self.cache = cache or KASKeyCache()
         self.use_plaintext = use_plaintext
         self.verify_ssl = verify_ssl
+        self.kas_allowlist = kas_allowlist
         self.decryptor = None
         self.client_public_key = None
 
@@ -86,15 +99,26 @@ class KASClient:
     def _normalize_kas_url(self, url: str) -> str:
         """Normalize KAS URLs based on client security settings.
 
+        This method also validates the URL against the KAS allowlist if one
+        is configured. This prevents SSRF attacks where malicious TDF files
+        could contain attacker-controlled KAS URLs to steal OIDC credentials.
+
         Args:
             url: The KAS URL to normalize
 
         Returns:
             Normalized URL with appropriate protocol and port
 
+        Raises:
+            KASAllowlistException: If the URL is not in the allowlist
+
         """
         from urllib.parse import urlparse
 
+        # Validate against allowlist BEFORE making any requests
+        if self.kas_allowlist is not None:
+            self.kas_allowlist.validate(url)
+
         try:
             # Parse the URL
             parsed = urlparse(url)
@@ -154,7 +178,7 @@ class KASClient:
         # Reconstruct URL preserving the path (especially /kas prefix)
         try:
             # Create URL preserving the path component for proper endpoint routing
-            path = parsed.path if parsed.path else ""
+            path = parsed.path or ""
             normalized_url = f"{scheme}://{parsed.hostname}:{port}{path}"
             logging.debug(f"normalized url [{parsed.geturl()}] to [{normalized_url}]")
             return normalized_url

otdf_python/nanotdf.py

@@ -70,8 +70,8 @@ class NanoTDF:
         if isinstance(obj, PolicyBody):
             # Convert data_attributes to dataAttributes and use null instead of empty array
             result = {
-                "dataAttributes": obj.data_attributes if obj.data_attributes else None,
-                "dissem": obj.dissem if obj.dissem else None,
+                "dataAttributes": obj.data_attributes or None,
+                "dissem": obj.dissem or None,
             }
             return result
         elif isinstance(obj, AttributeObject):
@@ -115,14 +115,12 @@ class NanoTDF:
             tuple: (policy_body, policy_type)
 
         """
-        attributes = config.attributes if config.attributes else []
+        attributes = config.attributes or []
         policy_object = self._create_policy_object(attributes)
         policy_json = json.dumps(
             policy_object, default=self._serialize_policy_object
         ).encode("utf-8")
-        policy_type = (
-            config.policy_type if config.policy_type else "EMBEDDED_POLICY_PLAIN_TEXT"
-        )
+        policy_type = config.policy_type or "EMBEDDED_POLICY_PLAIN_TEXT"
 
         if policy_type == "EMBEDDED_POLICY_PLAIN_TEXT":
             policy_body = policy_json

otdf_python/sdk.py

@@ -37,6 +37,7 @@ class KAS(AbstractContextManager):
         token_source=None,
         sdk_ssl_verify=True,
         use_plaintext=False,
+        kas_allowlist=None,
     ):
         """Initialize the KAS client.
 
@@ -45,6 +46,7 @@ class KAS(AbstractContextManager):
             token_source: Function that returns an authentication token
             sdk_ssl_verify: Whether to verify SSL certificates
             use_plaintext: Whether to use plaintext HTTP connections instead of HTTPS
+            kas_allowlist: Optional KASAllowlist for URL validation
 
         """
         from .kas_client import KASClient
@@ -54,6 +56,7 @@ class KAS(AbstractContextManager):
             token_source=token_source,
             verify_ssl=sdk_ssl_verify,
             use_plaintext=use_plaintext,
+            kas_allowlist=kas_allowlist,
         )
         # Store the parameters for potential use
         self._sdk_ssl_verify = sdk_ssl_verify
@@ -405,6 +408,33 @@ class SDK(AbstractContextManager):
     class KasAllowlistException(SDKException):
         """Throw when KAS allowlist check fails."""
 
+        def __init__(
+            self,
+            url: str,
+            allowed_origins: set[str] | None = None,
+            message: str | None = None,
+        ):
+            """Initialize exception.
+
+            Args:
+                url: The KAS URL that was rejected
+                allowed_origins: Set of allowed origin URLs
+                message: Optional custom message (auto-generated if not provided)
+
+            """
+            self.url = url
+            self.allowed_origins = allowed_origins or set()
+            if message is None:
+                origins_str = (
+                    ", ".join(sorted(self.allowed_origins))
+                    if self.allowed_origins
+                    else "none"
+                )
+                message = (
+                    f"KAS URL not in allowlist: {url}. Allowed origins: {origins_str}"
+                )
+            super().__init__(message)
+
     class AssertionException(SDKException):
         """Throw when an assertion validation fails."""
 

otdf_python/sdk_builder.py

@@ -10,6 +10,7 @@ from pathlib import Path
 
 import httpx
 
+from otdf_python.kas_allowlist import KASAllowlist
 from otdf_python.sdk import KAS, SDK
 from otdf_python.sdk_exceptions import AutoConfigureException
 
@@ -47,6 +48,8 @@ class SDKBuilder:
         self.ssl_context: ssl.SSLContext | None = None
         self.auth_token: str | None = None
         self.cert_paths: list[str] = []
+        self._kas_allowlist_urls: list[str] | None = None
+        self._ignore_kas_allowlist: bool = False
 
     @staticmethod
     def new_builder() -> "SDKBuilder":
@@ -201,6 +204,54 @@ class SDKBuilder:
         self.auth_token = token
         return self
 
+    def with_kas_allowlist(self, urls: list[str]) -> "SDKBuilder":
+        """Set the KAS allowlist to restrict which KAS servers the SDK will contact.
+
+        This provides protection against SSRF attacks where malicious TDF files
+        could contain attacker-controlled KAS URLs to steal OIDC credentials.
+
+        By default (if no allowlist is set), only the platform's KAS endpoint
+        is allowed.
+
+        Args:
+            urls: List of trusted KAS URLs. Each URL is normalized to its
+                origin (scheme://host:port) for comparison.
+
+        Returns:
+            self: The builder instance for chaining
+
+        Example:
+            builder.with_kas_allowlist([
+                "https://kas.example.com",
+                "https://kas2.example.com:8443"
+            ])
+
+        """
+        self._kas_allowlist_urls = urls
+        return self
+
+    def with_ignore_kas_allowlist(self, ignore: bool = True) -> "SDKBuilder":
+        """Configure whether to skip KAS allowlist validation.
+
+        WARNING: This is insecure and should only be used for testing or
+        development. When enabled, the SDK will contact any KAS URL found
+        in TDF files, potentially leaking credentials to malicious servers.
+
+        Args:
+            ignore: Whether to ignore the KAS allowlist (default: True)
+
+        Returns:
+            self: The builder instance for chaining
+
+        """
+        self._ignore_kas_allowlist = ignore
+        if ignore:
+            logger.warning(
+                "KAS allowlist validation is disabled. This is insecure and "
+                "should only be used for testing."
+            )
+        return self
+
     def _discover_token_endpoint_from_platform(self) -> None:
         """Discover token endpoint using OpenTDF platform configuration.
 
@@ -356,6 +407,34 @@ class SDKBuilder:
                 f"Error during token acquisition: {e!s}"
             ) from e
 
+    def _create_kas_allowlist(self) -> KASAllowlist | None:
+        """Create the KAS allowlist based on builder configuration.
+
+        Returns:
+            KASAllowlist configured based on builder settings, or None if
+            allowlist validation is disabled.
+
+        """
+        # If ignoring allowlist, return an allow-all instance
+        if self._ignore_kas_allowlist:
+            return KASAllowlist(allow_all=True)
+
+        # If explicit allowlist provided, use it
+        if self._kas_allowlist_urls:
+            allowlist = KASAllowlist(self._kas_allowlist_urls)
+            # Also add the platform URL for convenience
+            if self.platform_endpoint:
+                allowlist.add(self.platform_endpoint)
+                allowlist.add(self.platform_endpoint.rstrip("/") + "/kas")
+            return allowlist
+
+        # Default: create allowlist from platform URL only
+        if self.platform_endpoint:
+            return KASAllowlist.from_platform_url(self.platform_endpoint)
+
+        # No platform endpoint set yet - return None and let SDK handle it
+        return None
+
     def _create_services(self) -> SDK.Services:
         """Create service client instances.
 
@@ -371,11 +450,15 @@ class SDKBuilder:
 
         ssl_verify = not self.insecure_skip_verify
 
+        # Create the KAS allowlist
+        kas_allowlist = self._create_kas_allowlist()
+
         class ServicesImpl(SDK.Services):
-            def __init__(self, builder_instance):
+            def __init__(self, builder_instance, allowlist: KASAllowlist | None):
                 self.closed = False
                 self._ssl_verify = ssl_verify
                 self._builder = builder_instance
+                self._kas_allowlist = allowlist
 
             def kas(self) -> KAS:
                 """Return the KAS interface with SSL verification settings."""
@@ -394,6 +477,7 @@ class SDKBuilder:
                     token_source=token_source,
                     sdk_ssl_verify=self._ssl_verify,
                     use_plaintext=self._builder.use_plaintext,
+                    kas_allowlist=self._kas_allowlist,
                 )
                 return kas_impl
 
@@ -403,7 +487,7 @@ class SDKBuilder:
             def __exit__(self, exc_type, exc_val, exc_tb):
                 self.close()
 
-        return ServicesImpl(self)
+        return ServicesImpl(self, kas_allowlist)
 
     def build(self) -> SDK:
         """Build and return an SDK instance with configured properties.

otdf_python/tdf.py

@@ -183,8 +183,8 @@ class TDF:
         if isinstance(obj, PolicyBody):
             # Convert data_attributes to dataAttributes and use null instead of empty array
             result = {
-                "dataAttributes": obj.data_attributes if obj.data_attributes else None,
-                "dissem": obj.dissem if obj.dissem else None,
+                "dataAttributes": obj.data_attributes or None,
+                "dissem": obj.dissem or None,
             }
             return result
         elif isinstance(obj, AttributeObject):

{otdf_python-0.4.2.dist-info → otdf_python-0.4.3.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: otdf-python
-Version: 0.4.2
+Version: 0.4.3
 Summary: Unofficial OpenTDF SDK for Python
 Project-URL: Homepage, https://github.com/b-long/opentdf-python-sdk
 Project-URL: Repository, https://github.com/b-long/opentdf-python-sdk

{otdf_python-0.4.2.dist-info → otdf_python-0.4.3.dist-info}/RECORD

@@ -6,7 +6,7 @@ otdf_python/assertion_config.py,sha256=rw0SIB3xG-nAeb5r_liuxLphU4tcj-zlq8rVvXncX
 otdf_python/asym_crypto.py,sha256=EYkMNhZJP5khH0IvICTOG2bMg_TMvd6wXDu5zW0jpj4,7234
 otdf_python/auth_headers.py,sha256=uOLflFunBCw59nwk23rdiFQWOFrS19HugQXuQPGv3xE,986
 otdf_python/autoconfigure_utils.py,sha256=W5aJ0tC7HWfGb_1Mva_oxgduUzSpPoyDeaq0rPwgPAs,3689
-otdf_python/cli.py,sha256=HKIzuIXIW2sBwW3jy9sGq8WVFlxlKrdKac9MjJig88Y,19940
+otdf_python/cli.py,sha256=icooiGgRh8H1IlP-_iO7paLB60IXUSaSacODABeqrS4,21165
 otdf_python/collection_store.py,sha256=sYL6VMFDBfHfCCLk14iybeC_qoUlpJFB0wOMt1bdwpY,1429
 otdf_python/collection_store_impl.py,sha256=3RqO3rvDCosajKpuls5DiO2_SWYsNQul9_9L7n-lQ68,758
 otdf_python/config.py,sha256=l1Ykg1gFUrFZTnd6bwMI6oi_clR5uCZ_Y1qH7QKtW90,2523
@@ -20,14 +20,15 @@ otdf_python/ecdh.py,sha256=fwxE80qFSIkfJeUz3GNhEndRKkZrBN06FE1gnvwUHHI,10201
 otdf_python/eckeypair.py,sha256=qcPKv0OS1lYxRICj9dhAW_eMz32anFBtpI8EJfXxpX0,2470
 otdf_python/header.py,sha256=peG14kE_KAUCW4fY82sqcWF5zTAVAnJfFXCHtC8Z0iQ,7189
 otdf_python/invalid_zip_exception.py,sha256=M_bAiXEjJdxPfA178YH-uHGRwMrNBKzjQzlQ54aDP2w,292
-otdf_python/kas_client.py,sha256=6q61WHUPAaDdLET0EkFbIpGMy9hHFCJoA3gs4xbd9FE,26542
+otdf_python/kas_allowlist.py,sha256=0yX3J9J1od_ew0sp3pX6kfav39pTz7aBBpMnVkE5T7s,5884
+otdf_python/kas_client.py,sha256=N5mQubRUrnJCtSxTiiyjf7DEfsg2wVZ02xufuZBH_b0,27532
 otdf_python/kas_connect_rpc_client.py,sha256=cB3cBomCClmu-InUpw8R35cLyJQ8X0PoEsFvYSH0RUM,8950
 otdf_python/kas_info.py,sha256=V-5om8k4RKbhE0h1CS1Rxb18TYcHKvq_hEPP6ah8K_o,738
 otdf_python/kas_key_cache.py,sha256=6hfzRAg9o_IfRErWSe-_gGTG9kRyYENMizMY1Shkmfk,1548
 otdf_python/key_type.py,sha256=2gQlXOj35J3ISCcWjU3sGYUxmlZR47BMq6Xr2yoKA8k,928
 otdf_python/key_type_constants.py,sha256=MV2Dsea3A6nnnYztoD0N1QxhrbQXZfaXaqCr2rI6sqo,954
 otdf_python/manifest.py,sha256=aglGw9EdtZZIxmwqy82sV5wum_mKkjzew4brSgxmJjc,7047
-otdf_python/nanotdf.py,sha256=lJgO7Go6qhdvQ8TTvglMBkxn0fg2VTDkPNgcfOhJabY,34033
+otdf_python/nanotdf.py,sha256=y1mLktlZ-mRCup2vzGY4ZbFeNEhWpCYLOZYjzTSPEtc,33921
 otdf_python/nanotdf_ecdsa_struct.py,sha256=jTQKFAicTfMfN9CxJZYQcnEYGmtfAQoDOhz8ta-pGAQ,4066
 otdf_python/nanotdf_type.py,sha256=3MQzT6lJ3WJKMICFyyYZXX2_cFYcZ5G4m1uif-l9Nxo,1112
 otdf_python/policy_binding_serializer.py,sha256=oOcGBYOISPTzHRtk8JszwLTraY_F2OoevOf0a53jGHA,1271
@@ -35,11 +36,11 @@ otdf_python/policy_info.py,sha256=aq74dZg9PhTZ6cMkZyFsu3D754C5YijFMiuoYEL-1bY,20
 otdf_python/policy_object.py,sha256=LikIsahPkKr-iYA0lhgQitCbh8CsmxUBYyBs6VYfmxY,512
 otdf_python/policy_stub.py,sha256=RfU_fICqsAOnTXOHpKhtKC0RJ3KoWhDxO0XecZWM548,159
 otdf_python/resource_locator.py,sha256=bjK935XcfNq-PyqidHNq8eIiPeZEStYdQvmQ9B9GY20,6290
-otdf_python/sdk.py,sha256=4aIdIDhx2dMPRMfp9U8gzpwiqSeBf7SrEewb2BjB6PM,14012
-otdf_python/sdk_builder.py,sha256=ltnFZD7ClVVwhGwu6ew4WNiNj0NB3n2Xn_MTEcbIMxo,14497
+otdf_python/sdk.py,sha256=-3Zuyfvf8ZM6iqxFpFDRAxCSfe35r6-TIuOOGUbPNPM,15058
+otdf_python/sdk_builder.py,sha256=xTPoBjB3eGwoWjfSgiPmiNnEZJ8g-LUQVZDmo7BM9cY,17649
 otdf_python/sdk_exceptions.py,sha256=2GElGyM5LKN8Uh_lAiT6Ho4oNRWYRQsMNOK5s2jiv28,687
 otdf_python/symmetric_and_payload_config.py,sha256=iPHeZSeY9BjsQ-wkvdm6-FIR7773EgGiaIvSG-ICOHw,1158
-otdf_python/tdf.py,sha256=PtVBY_vAPIGz1I4gUlHPLPxa1gCCsd2nlRm0SrbaoJA,20840
+otdf_python/tdf.py,sha256=lqaSSGfd-nzlmjpYoXa6ZLihZIJA170dwodKt_iRko8,20799
 otdf_python/tdf_reader.py,sha256=WMetzX4CIKJ15f4J_zyFGtObQO6bQ33KC_ykIonH9ik,5228
 otdf_python/tdf_writer.py,sha256=FLm1P26J4p6WPyKsjOb7QLYJqDIMDsBONqBW_JuFxyw,798
 otdf_python/token_source.py,sha256=YHbP7deSSXo1CvzVGJX7DkOuBgqwfP_Ockm8CE-MN0o,1011
@@ -140,7 +141,7 @@ otdf_python_proto/wellknownconfiguration/__init__.py,sha256=xK8XUrwCL9elWuMTx6vV
 otdf_python_proto/wellknownconfiguration/wellknown_configuration_connect.py,sha256=fVQfo4OsTK8e63ytmiGyMe1AxgirktNqI_O3rQ6o6Nc,6342
 otdf_python_proto/wellknownconfiguration/wellknown_configuration_pb2.py,sha256=g9xSm9TxX0IPMqiFCaridJvI2TrL8PrXVFPgu8tX9VM,3863
 otdf_python_proto/wellknownconfiguration/wellknown_configuration_pb2.pyi,sha256=Zw4vROvTgomnFqsalJrYda632ojXH0FVXSzTXxerybw,1490
-otdf_python-0.4.2.dist-info/METADATA,sha256=bbTfB1zZ1j7iv1lUmw01ZzHIGpfBhSlI78l8bN2UuXE,5175
-otdf_python-0.4.2.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
-otdf_python-0.4.2.dist-info/licenses/LICENSE,sha256=DPrPHdI6tfZcqk9kzQ37vh1Ftk7LJYdMrUtwKl7L3Pw,1074
-otdf_python-0.4.2.dist-info/RECORD,,
+otdf_python-0.4.3.dist-info/METADATA,sha256=OCF50LC7pWodNWzwurJp5yWLBleo01O7g3p6QhRo5Ug,5175
+otdf_python-0.4.3.dist-info/WHEEL,sha256=WLgqFyCfm_KASv4WHyYy0P3pM_m7J5L9k2skdKLirC8,87
+otdf_python-0.4.3.dist-info/licenses/LICENSE,sha256=DPrPHdI6tfZcqk9kzQ37vh1Ftk7LJYdMrUtwKl7L3Pw,1074
+otdf_python-0.4.3.dist-info/RECORD,,