feat(core): bump SDK and consume new platform connection validation (#493)

- bumps SDK and its modules
- differentiates between a platform configuration error and a platform
unreachability error with new SDK validation

Author: jakedoublev

cmd/root.go

@@ -177,8 +177,11 @@ func NewHandler(c *cli.Cli) handlers.Handler {
 	}
 
 	if err := auth.ValidateProfileAuthCredentials(c.Context(), cp); err != nil {
-		if errors.Is(err, auth.ErrPlatformConfigNotFound) {
-			cli.ExitWithError(fmt.Sprintf("Failed to get platform configuration. Is the platform accepting connections at '%s'?", cp.GetEndpoint()), nil)
+		if errors.Is(err, sdk.ErrPlatformUnreachable) {
+			cli.ExitWithError(fmt.Sprintf("Failed to connect to the platform. Is the platform accepting connections at '%s'?", cp.GetEndpoint()), nil)
+		}
+		if errors.Is(err, sdk.ErrPlatformConfigFailed) {
+			cli.ExitWithError(fmt.Sprintf("Failed to get the platform configuration. Is the platform serving a well-known configuration at '%s'?", cp.GetEndpoint()), nil)
 		}
 		if inMemoryProfile {
 			cli.ExitWithError("Failed to authenticate with flag-provided client credentials.", err)

e2e/auth.bats

@@ -28,7 +28,7 @@ teardown_file() {
     BAD_HOST='--host http://localhost:9000'
     run_otdfctl $BAD_HOST $WITH_CREDS policy attributes list
     assert_failure
-    assert_output --partial "Failed to get platform configuration. Is the platform accepting connections at"
+    assert_output --partial "Failed to connect to the platform. Is the platform accepting connections at"
 }
 
 @test "helpful error if bad credentials" {

go.mod

@@ -16,8 +16,8 @@ require (
 	github.com/golang-jwt/jwt v3.2.2+incompatible
 	github.com/google/uuid v1.6.0
 	github.com/opentdf/platform/lib/flattening v0.1.3
-	github.com/opentdf/platform/protocol/go v0.2.26
-	github.com/opentdf/platform/sdk v0.3.25
+	github.com/opentdf/platform/protocol/go v0.2.27
+	github.com/opentdf/platform/sdk v0.3.27
 	github.com/spf13/cobra v1.8.1
 	github.com/spf13/viper v1.19.0
 	github.com/stretchr/testify v1.10.0
@@ -79,7 +79,7 @@ require (
 	github.com/muesli/reflow v0.3.0 // indirect
 	github.com/muesli/termenv v0.15.3-0.20240618155329-98d742f6907a // indirect
 	github.com/muhlemmer/gu v0.3.1 // indirect
-	github.com/opentdf/platform/lib/ocrypto v0.1.7 // indirect
+	github.com/opentdf/platform/lib/ocrypto v0.1.8 // indirect
 	github.com/pelletier/go-toml/v2 v2.2.2 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/rivo/uniseg v0.4.7 // indirect

go.sum

@@ -226,12 +226,12 @@ github.com/opentdf/platform/lib/fixtures v0.2.10 h1:R688b98ctsEiDRlQSvLxmAWT7bXv
 github.com/opentdf/platform/lib/fixtures v0.2.10/go.mod h1:wGhclxDeDXf8bp5VAWztT1nY2gWVNGQLd8rWs5wtXV0=
 github.com/opentdf/platform/lib/flattening v0.1.3 h1:IuOm/wJVXNrzOV676Ticgr0wyBkL+lVjsoSfh+WSkNo=
 github.com/opentdf/platform/lib/flattening v0.1.3/go.mod h1:Gs/T+6FGZKk9OAdz2Jf1R8CTGeNRYrq1lZGDeYT3hrY=
-github.com/opentdf/platform/lib/ocrypto v0.1.7 h1:IcCYRrwmMqntqUE8frmUDg5EZ0WMdldpGeGhbv9+/A8=
-github.com/opentdf/platform/lib/ocrypto v0.1.7/go.mod h1:4bhKPbRFzURMerH5Vr/LlszHvcoXQbfJXa0bpY7/7yg=
-github.com/opentdf/platform/protocol/go v0.2.26 h1:22ugJFhAjlz7BRAky3eBljIQrsLzmsdkKVM+pjuG09k=
-github.com/opentdf/platform/protocol/go v0.2.26/go.mod h1:eldxqX2oF2ADtG8ivhfwn1lALVMX4aaUM+Lp9ynOJXs=
-github.com/opentdf/platform/sdk v0.3.25 h1:dZEVeWKfbjrnEXKzSado8ebpzIrk2n6R7RSZRbX+FwE=
-github.com/opentdf/platform/sdk v0.3.25/go.mod h1:F+RGbT2o9GlzWH9s8VkZyUNUEEAWA3V2RSs8jNQHbqM=
+github.com/opentdf/platform/lib/ocrypto v0.1.8 h1:FUKMHsVCjU4NmgaXgS1RFstl19tkX/7USTIubAuUBlA=
+github.com/opentdf/platform/lib/ocrypto v0.1.8/go.mod h1:UTtqh8mvhAYA+sEnaMxpr/406e84L5Q1sAxtKGIXfu4=
+github.com/opentdf/platform/protocol/go v0.2.27 h1:ZnfXvVio+j/LzfEY8cHo8/tS45XAPWa2xO7Y1tn/hWs=
+github.com/opentdf/platform/protocol/go v0.2.27/go.mod h1:eldxqX2oF2ADtG8ivhfwn1lALVMX4aaUM+Lp9ynOJXs=
+github.com/opentdf/platform/sdk v0.3.27 h1:O9jCdpnxz3FEaTXj/hAOixR5mk/APsalcWCexGxfwkM=
+github.com/opentdf/platform/sdk v0.3.27/go.mod h1:ZJyz6hy0CMiD3MFfG4PrByTnSJnEtArTGA6ZoR1Xg6E=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pelletier/go-toml/v2 v2.2.2 h1:aYUidT7k73Pcl9nb2gScu7NSrKCSHIDE89b3+6Wq+LM=

pkg/auth/auth.go

@@ -83,7 +83,7 @@ func getPlatformConfiguration(endpoint, publicClientID string, tlsNoVerify bool)
 		return c, err
 	}
 
-	opts := []sdk.Option{}
+	opts := []sdk.Option{sdk.WithConnectionValidation()}
 	if tlsNoVerify {
 		opts = append(opts, sdk.WithInsecureSkipVerifyConn())
 	}
@@ -309,9 +309,6 @@ func newOidcRelyingParty(ctx context.Context, endpoint string, tlsNoVerify bool,
 
 	pc, err := getPlatformConfiguration(endpoint, pcClient, tlsNoVerify)
 	if err != nil {
-		if errors.Is(err, sdk.ErrPlatformConfigFailed) {
-			return nil, ErrPlatformConfigNotFound
-		}
 		return nil, err
 	}
 

pkg/auth/errors.go

@@ -3,15 +3,11 @@ package auth
 import "errors"
 
 var (
-	ErrAccessTokenExpired        = errors.New("access token expired")
-	ErrAccessTokenNotFound       = errors.New("no access token found")
-	ErrClientCredentialsNotFound = errors.New("client credentials not found")
-	ErrInvalidAuthType           = errors.New("invalid auth type")
-	ErrUnauthenticated           = errors.New("not logged in")
-	ErrParsingAccessToken        = errors.New("failed to parse access token")
-)
-
-var (
+	ErrAccessTokenExpired         = errors.New("access token expired")
+	ErrAccessTokenNotFound        = errors.New("no access token found")
+	ErrClientCredentialsNotFound  = errors.New("client credentials not found")
+	ErrInvalidAuthType            = errors.New("invalid auth type")
+	ErrUnauthenticated            = errors.New("not logged in")
+	ErrParsingAccessToken         = errors.New("failed to parse access token")
 	ErrProfileCredentialsNotFound = errors.New("profile missing credentials")
-	ErrPlatformConfigNotFound     = errors.New("platform configuration not found")
 )

pkg/handlers/kas-grants.go

@@ -111,5 +111,6 @@ func (h Handler) ListKasGrants(ctx context.Context, kas_id, kas_uri string, limi
 	if err != nil {
 		return nil, nil, err
 	}
+	//nolint:staticcheck // deprecated but not removed while public keys work is experimental
 	return resp.GetGrants(), resp.GetPagination(), nil
 }

pkg/handlers/sdk.go

@@ -84,14 +84,12 @@ func New(opts ...handlerOptsFunc) (Handler, error) {
 		o.sdkOpts = append(o.sdkOpts, sdk.WithInsecureSkipVerifyConn())
 	}
 
-	// TODO let's make sure we still support plaintext connections
-
 	// get auth
-	ao, err := auth.GetSDKAuthOptionFromProfile(o.profile)
+	authSDKOpt, err := auth.GetSDKAuthOptionFromProfile(o.profile)
 	if err != nil {
 		return Handler{}, err
 	}
-	o.sdkOpts = append(o.sdkOpts, ao)
+	o.sdkOpts = append(o.sdkOpts, authSDKOpt, sdk.WithConnectionValidation())
 
 	if u.Scheme == "http" {
 		o.sdkOpts = append(o.sdkOpts, sdk.WithInsecurePlaintextConn())