From cf9dc2f4729be652d3fd0c21239fb991be2ea27d Mon Sep 17 00:00:00 2001 From: David Mihalcik Date: Wed, 14 Aug 2024 12:39:34 -0400 Subject: [PATCH 01/10] chore(ci): Adds test of new kids Deferred to not block releases until everything is bumped --- examples/cmd/kas.go | 26 ++++++++++++++++++++++++-- test/policy-service.bats | 5 +++++ 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/examples/cmd/kas.go b/examples/cmd/kas.go index 54474e47ef..f936e85b0f 100644 --- a/examples/cmd/kas.go +++ b/examples/cmd/kas.go @@ -12,7 +12,7 @@ import ( "github.com/spf13/cobra" ) -var key string +var algorithm, key, keyIdentifier string func init() { kasc := &cobra.Command{ @@ -28,8 +28,12 @@ func init() { return updateKas(cmd) }, } + // Note we currently only store one pk at a time. must be fixed for nano tests + update.Flags().StringVarP(&algorithm, "algorithm", "", "", "algorithm used with the public key") update.Flags().StringVarP(&kas, "kas", "k", "", "kas uri") update.Flags().StringVarP(&key, "public-key", "", "", "public key value, e.g. $( Date: Wed, 14 Aug 2024 12:56:52 -0400 Subject: [PATCH 02/10] refactor(sdk): Moves autoconfigure from internal Lots of things are declared in the sdk package, so this is easier than factoring shared items into a helper package that would otherwise introduce bidirectional package deps between sdk (root) and autoconfigure (internal) packages --- sdk/{internal/autoconfigure => }/granter.go | 68 ++++++------------- .../autoconfigure => }/granter_test.go | 56 +++++++-------- sdk/nanotdf_config.go | 9 ++- sdk/tdf.go | 17 +++-- sdk/tdf_config.go | 17 +++-- sdk/tdf_test.go | 21 +++--- 6 files changed, 78 insertions(+), 110 deletions(-) rename sdk/{internal/autoconfigure => }/granter.go (86%) rename sdk/{internal/autoconfigure => }/granter_test.go (88%) 
diff --git a/sdk/internal/autoconfigure/granter.go b/sdk/granter.go similarity index 86% rename from sdk/internal/autoconfigure/granter.go rename to sdk/granter.go index ca68575326..220fe77c78 100644 --- a/sdk/internal/autoconfigure/granter.go +++ b/sdk/granter.go @@ -1,4 +1,4 @@ -package autoconfigure +package sdk import ( "context" @@ -28,7 +28,7 @@ const ( ) // Represents a which KAS a split with the associated ID should shared with. -type SplitStep struct { +type keySplitStep struct { KAS, SplitID string } @@ -163,7 +163,7 @@ func (a AttributeValueFQN) Name() string { } // Structure capable of generating a split plan from a given set of data tags. -type Granter struct { +type granter struct { policy []AttributeValueFQN grants map[string]*keyAccessGrant } @@ -173,7 +173,7 @@ type keyAccessGrant struct { kases []string } -func (r Granter) addGrant(fqn AttributeValueFQN, kas string, attr *policy.Attribute) { +func (r granter) addGrant(fqn AttributeValueFQN, kas string, attr *policy.Attribute) { if _, ok := r.grants[fqn.key]; ok { r.grants[fqn.key].kases = append(r.grants[fqn.key].kases, kas) } else { @@ -181,7 +181,7 @@ func (r Granter) addGrant(fqn AttributeValueFQN, kas string, attr *policy.Attrib } } -func (r Granter) addAllGrants(fqn AttributeValueFQN, gs []*policy.KeyAccessServer, attr *policy.Attribute) { +func (r granter) addAllGrants(fqn AttributeValueFQN, gs []*policy.KeyAccessServer, attr *policy.Attribute) { for _, g := range gs { if g != nil { r.addGrant(fqn, g.GetUri(), attr) 
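Review bot: The doc comment on the newly unexported keySplitStep, kept as context in the `@@ -28,7 +28,7 @@` hunk, reads `// Represents a which KAS a split with the associated ID should shared with.`, which is not a sentence. Since the commit already rewrites the line directly under it, this is the moment to fix it: `// keySplitStep names the KAS that the key split with the given SplitID is shared with.`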
@@ -194,12 +194,12 @@ func (r Granter) addAllGrants(fqn AttributeValueFQN, gs []*policy.KeyAccessServe } } -func (r Granter) byAttribute(fqn AttributeValueFQN) *keyAccessGrant { +func (r granter) byAttribute(fqn AttributeValueFQN) *keyAccessGrant { return r.grants[fqn.key] } // Gets a list of directory of KAS grants for a list of attribute FQNs -func NewGranterFromService(ctx context.Context, as attributes.AttributesServiceClient, fqns ...AttributeValueFQN) (Granter, error) { +func newGranterFromService(ctx context.Context, as attributes.AttributesServiceClient, fqns ...AttributeValueFQN) (granter, error) { fqnsStr := make([]string, len(fqns)) for i, v := range fqns { fqnsStr[i] = v.String() @@ -213,10 +213,10 @@ func NewGranterFromService(ctx context.Context, as attributes.AttributesServiceC }, }) if err != nil { - return Granter{}, err + return granter{}, err } - grants := Granter{ + grants := granter{ policy: fqns, grants: make(map[string]*keyAccessGrant), } @@ -241,8 +241,8 @@ func NewGranterFromService(ctx context.Context, as attributes.AttributesServiceC // Given a policy (list of data attributes or tags), // get a set of grants from attribute values to KASes. // Unlike `NewGranterFromService`, this works offline. -func NewGranterFromAttributes(attrs ...*policy.Value) (Granter, error) { - grants := Granter{ +func newGranterFromAttributes(attrs ...*policy.Value) (granter, error) { + grants := granter{ grants: make(map[string]*keyAccessGrant), policy: make([]AttributeValueFQN, len(attrs)), } @@ -254,7 +254,7 @@ func NewGranterFromAttributes(attrs ...*policy.Value) (Granter, error) { grants.policy[i] = fqn def := v.GetAttribute() if def == nil { - return Granter{}, fmt.Errorf("no associated definition with value [%s]", fqn) + return granter{}, fmt.Errorf("no associated definition with value [%s]", fqn) } grants.addAllGrants(fqn, def.GetGrants(), def) grants.addAllGrants(fqn, v.GetGrants(), def) 
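Review bot: The doc comment above newGranterFromAttributes, kept as context in the `@@ -241,8 +241,8 @@` hunk, still says ``// Unlike `NewGranterFromService`, this works offline.`` although this commit renames that function to newGranterFromService, so the reference no longer resolves; the same stale line reappears as context in the sdk/granter.go hunk of PATCH 03. Change it to `// Unlike newGranterFromService, this works offline.`. The `// Gets a list of directory of KAS grants for a list of attribute FQNs` comment on newGranterFromService in the same hunk is also garbled; `// newGranterFromService looks up the KAS grants for the given attribute value FQNs via the attributes service.` says what the visible code does.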
@@ -263,34 +263,6 @@ func NewGranterFromAttributes(attrs ...*policy.Value) (Granter, error) { return grants, nil } -type AttributeService struct { - dict map[AttributeNameFQN]*policy.Attribute -} - -func (s *AttributeService) Put(ad *policy.Attribute) error { - if s.dict == nil { - s.dict = make(map[AttributeNameFQN]*policy.Attribute) - } - prefix, err := NewAttributeNameFQN(ad.GetFqn()) - if err != nil { - return err - } - if _, exists := s.dict[prefix]; exists { - return fmt.Errorf("ad prefix already found [%s]", prefix) - } - s.dict[prefix] = ad - return nil -} - -// Given an attribute without a value (everything before /value/...), get the definition -func (s *AttributeService) Get(prefix AttributeNameFQN) (*policy.Attribute, error) { - ad, exists := s.dict[prefix] - if !exists { - return nil, fmt.Errorf("[404] Unknown attribute type: [%s], not in [%v]", prefix, s.dict) - } - return ad, nil -} - type singleAttributeClause struct { def *policy.Attribute values []AttributeValueFQN @@ -329,7 +301,7 @@ func (e attributeBooleanExpression) String() string { return sb.String() } -func (r Granter) Plan(defaultKas []string, genSplitID func() string) ([]SplitStep, error) { +func (r granter) plan(defaultKas []string, genSplitID func() string) ([]keySplitStep, error) { b := r.constructAttributeBoolean() k, err := r.insertKeysForAttribute(*b) if err != nil { 
@@ -344,29 +316,29 @@ func (r Granter) Plan(defaultKas []string, genSplitID func() string) ([]SplitSte case 0: return nil, fmt.Errorf("no default KAS specified; required for grantless plans") case 1: - return []SplitStep{{KAS: defaultKas[0]}}, nil + return []keySplitStep{{KAS: defaultKas[0]}}, nil default: - p := make([]SplitStep, 0, len(defaultKas)) + p := make([]keySplitStep, 0, len(defaultKas)) for _, kas := range defaultKas { - p = append(p, SplitStep{KAS: kas, SplitID: genSplitID()}) + p = append(p, keySplitStep{KAS: kas, SplitID: genSplitID()}) } return p, nil } } - p := make([]SplitStep, 0, l) + p := make([]keySplitStep, 0, l) for _, v := range k.values { splitID := "" if l > 1 { splitID = genSplitID() } for _, o := range v.values { - p = append(p, SplitStep{KAS: o.kas, SplitID: splitID}) + p = append(p, keySplitStep{KAS: o.kas, SplitID: splitID}) } } return p, nil } -func (r Granter) constructAttributeBoolean() *attributeBooleanExpression { +func (r granter) constructAttributeBoolean() *attributeBooleanExpression { prefixes := make(map[string]*singleAttributeClause) sortedPrefixes := make([]string, 0) for _, aP := range r.policy { @@ -447,7 +419,7 @@ func ruleToOperator(e policy.AttributeRuleTypeEnum) string { return "" } -func (r *Granter) insertKeysForAttribute(e attributeBooleanExpression) (booleanKeyExpression, error) { +func (r *granter) insertKeysForAttribute(e attributeBooleanExpression) (booleanKeyExpression, error) { kcs := make([]keyClause, 0, len(e.must)) for _, clause := range e.must { kcv := make([]publicKeyInfo, 0, len(clause.values)) diff --git a/sdk/internal/autoconfigure/granter_test.go b/sdk/granter_test.go similarity index 88% rename from sdk/internal/autoconfigure/granter_test.go rename to sdk/granter_test.go index 3a4b76bc77..5e4ae349a3 100644 --- a/sdk/internal/autoconfigure/granter_test.go +++ b/sdk/granter_test.go @@ -1,4 +1,4 @@ -package autoconfigure +package sdk import ( "fmt" 
@@ -13,13 +13,13 @@ import ( ) const ( - kasAu = "http://kas.au/" - kasCa = "http://kas.ca/" - kasUk = "http://kas.uk/" - kasNz = "http://kas.nz/" - kasUs = "http://kas.us/" - kasUsHCS = "http://hcs.kas.us/" - kasUsSA = "http://si.kas.us/" + kasAu = "https://kas.au/" + kasCa = "https://kas.ca/" + kasUk = "https://kas.uk/" + kasNz = "https://kas.nz/" + kasUs = "https://kas.us/" + kasUsHCS = "https://hcs.kas.us/" + kasUsSA = "https://si.kas.us/" authority = "https://virtru.com/" ) @@ -38,7 +38,7 @@ var ( n2kSI, _ = NewAttributeValueFQN("https://virtru.com/attr/Need%20to%20Know/value/SI") // rel25eye, _ = NewAttributeValueFQN("https://virtru.com/attr/Releasable%20To/value/FVEY") - // rel2aus, _ = NewAttributeValueFQN("https://virtru.com/attr/Releasable%20To/value/AUS") + rel2aus, _ = NewAttributeValueFQN("https://virtru.com/attr/Releasable%20To/value/AUS") rel2can, _ = NewAttributeValueFQN("https://virtru.com/attr/Releasable%20To/value/CAN") rel2gbr, _ = NewAttributeValueFQN("https://virtru.com/attr/Releasable%20To/value/GBR") rel2nzl, _ = NewAttributeValueFQN("https://virtru.com/attr/Releasable%20To/value/NZL") @@ -284,7 +284,7 @@ func TestConfigurationServicePutGet(t *testing.T) { } { t.Run(tc.n, func(t *testing.T) { v := valuesToPolicy(tc.policy...) - grants, err := NewGranterFromAttributes(v...) + grants, err := newGranterFromAttributes(v...) require.NoError(t, err) assert.Len(t, grants.grants, tc.size) assert.Subset(t, policyToStringKeys(tc.policy), maps.Keys(grants.grants)) 
@@ -306,16 +306,16 @@ func TestReasonerConstructAttributeBoolean(t *testing.T) { policy []AttributeValueFQN defaults []string ats, keyed, reduced string - plan []SplitStep + plan []keySplitStep }{ { "one actual with default", []AttributeValueFQN{clsS, rel2can}, []string{kasUs}, "https://virtru.com/attr/Classification/value/Secret&https://virtru.com/attr/Releasable%20To/value/CAN", - "[DEFAULT]&(http://kas.ca/)", - "(http://kas.ca/)", - []SplitStep{{kasCa, ""}}, + "[DEFAULT]&(https://kas.ca/)", + "(https://kas.ca/)", + []keySplitStep{{kasCa, ""}}, }, { "one defaulted attr", @@ -324,7 +324,7 @@ func TestReasonerConstructAttributeBoolean(t *testing.T) { "https://virtru.com/attr/Classification/value/Secret", "[DEFAULT]", "", - []SplitStep{{kasUs, ""}}, + []keySplitStep{{kasUs, ""}}, }, { "empty policy", @@ -333,7 +333,7 @@ func TestReasonerConstructAttributeBoolean(t *testing.T) { "∅", "", "", - []SplitStep{{kasUs, ""}}, + []keySplitStep{{kasUs, ""}}, }, { "old school splits", 
@@ -342,38 +342,38 @@ func TestReasonerConstructAttributeBoolean(t *testing.T) { "∅", "", "", - []SplitStep{{kasAu, "1"}, {kasCa, "2"}, {kasUs, "3"}}, + []keySplitStep{{kasAu, "1"}, {kasCa, "2"}, {kasUs, "3"}}, }, { "simple with all three ops", []AttributeValueFQN{clsS, rel2gbr, n2kInt}, []string{kasUs}, "https://virtru.com/attr/Classification/value/Secret&https://virtru.com/attr/Releasable%20To/value/GBR&https://virtru.com/attr/Need%20to%20Know/value/INT", - "[DEFAULT]&(http://kas.uk/)&(http://kas.uk/)", - "(http://kas.uk/)", - []SplitStep{{kasUk, ""}}, + "[DEFAULT]&(https://kas.uk/)&(https://kas.uk/)", + "(https://kas.uk/)", + []keySplitStep{{kasUk, ""}}, }, { "compartments", []AttributeValueFQN{clsS, rel2gbr, rel2usa, n2kHCS, n2kSI}, []string{kasUs}, "https://virtru.com/attr/Classification/value/Secret&https://virtru.com/attr/Releasable%20To/value/{GBR,USA}&https://virtru.com/attr/Need%20to%20Know/value/{HCS,SI}", - "[DEFAULT]&(http://kas.uk/⋁http://kas.us/)&(http://hcs.kas.us/⋀http://si.kas.us/)", - "(http://kas.uk/⋁http://kas.us/)&(http://hcs.kas.us/)&(http://si.kas.us/)", - []SplitStep{{kasUk, "1"}, {kasUs, "1"}, {kasUsHCS, "2"}, {kasUsSA, "3"}}, + "[DEFAULT]&(https://kas.uk/⋁https://kas.us/)&(https://hcs.kas.us/⋀https://si.kas.us/)", + "(https://kas.uk/⋁https://kas.us/)&(https://hcs.kas.us/)&(https://si.kas.us/)", + []keySplitStep{{kasUk, "1"}, {kasUs, "1"}, {kasUsHCS, "2"}, {kasUsSA, "3"}}, }, { "compartments - case insensitive", []AttributeValueFQN{messUpV(t, clsS), messUpV(t, rel2gbr), messUpV(t, rel2usa), messUpV(t, n2kHCS), messUpV(t, n2kSI)}, []string{kasUs}, "https://virtru.com/attr/Classification/value/Secret&https://virtru.com/attr/Releasable%20To/value/{GBR,USA}&https://virtru.com/attr/Need%20to%20Know/value/{HCS,SI}", - "[DEFAULT]&(http://kas.uk/⋁http://kas.us/)&(http://hcs.kas.us/⋀http://si.kas.us/)", - "(http://kas.uk/⋁http://kas.us/)&(http://hcs.kas.us/)&(http://si.kas.us/)", - []SplitStep{{kasUk, "1"}, {kasUs, "1"}, {kasUsHCS, "2"}, {kasUsSA, 
"3"}}, + "[DEFAULT]&(https://kas.uk/⋁https://kas.us/)&(https://hcs.kas.us/⋀https://si.kas.us/)", + "(https://kas.uk/⋁https://kas.us/)&(https://hcs.kas.us/)&(https://si.kas.us/)", + []keySplitStep{{kasUk, "1"}, {kasUs, "1"}, {kasUsHCS, "2"}, {kasUsSA, "3"}}, }, } { t.Run(tc.n, func(t *testing.T) { - reasoner, err := NewGranterFromAttributes(valuesToPolicy(tc.policy...)...) + reasoner, err := newGranterFromAttributes(valuesToPolicy(tc.policy...)...) require.NoError(t, err) actualAB := reasoner.constructAttributeBoolean() @@ -387,7 +387,7 @@ func TestReasonerConstructAttributeBoolean(t *testing.T) { assert.Equal(t, tc.reduced, r.String()) i := 0 - plan, err := reasoner.Plan(tc.defaults, func() string { + plan, err := reasoner.plan(tc.defaults, func() string { i++ return fmt.Sprintf("%d", i) }) diff --git a/sdk/nanotdf_config.go b/sdk/nanotdf_config.go index 7a4092c0f5..9f3543bdb2 100644 --- a/sdk/nanotdf_config.go +++ b/sdk/nanotdf_config.go @@ -5,7 +5,6 @@ import ( "fmt" "github.com/opentdf/platform/lib/ocrypto" - "github.com/opentdf/platform/sdk/internal/autoconfigure" ) // ============================================================================================================ @@ -20,7 +19,7 @@ import ( type NanoTDFConfig struct { keyPair ocrypto.ECKeyPair kasPublicKey *ecdh.PublicKey - attributes []autoconfigure.AttributeValueFQN + attributes []AttributeValueFQN cipher CipherMode kasURL ResourceLocator sigCfg signatureConfig @@ -63,9 +62,9 @@ func (config *NanoTDFConfig) SetKasURL(url string) error { // SetAttributes - set the attributes to be used for this nanoTDF func (config *NanoTDFConfig) SetAttributes(attributes []string) error { - config.attributes = make([]autoconfigure.AttributeValueFQN, len(attributes)) + config.attributes = make([]AttributeValueFQN, len(attributes)) for i, a := range attributes { - v, err := autoconfigure.NewAttributeValueFQN(a) + v, err := NewAttributeValueFQN(a) if err != nil { return err } 
@@ -83,7 +82,7 @@ func (config *NanoTDFConfig) EnableECDSAPolicyBinding() { func WithNanoDataAttributes(attributes ...string) NanoTDFOption { return func(c *NanoTDFConfig) error { for _, a := range attributes { - v, err := autoconfigure.NewAttributeValueFQN(a) + v, err := NewAttributeValueFQN(a) if err != nil { return err } diff --git a/sdk/tdf.go b/sdk/tdf.go index df2306b06f..b02b61c850 100644 --- a/sdk/tdf.go +++ b/sdk/tdf.go @@ -15,7 +15,6 @@ import ( "github.com/opentdf/platform/lib/ocrypto" "github.com/opentdf/platform/sdk/auth" "github.com/opentdf/platform/sdk/internal/archive" - "github.com/opentdf/platform/sdk/internal/autoconfigure" "google.golang.org/grpc" ) @@ -132,18 +131,18 @@ func (s SDK) CreateTDFContext(ctx context.Context, writer io.Writer, reader io.R } if tdfConfig.autoconfigure { - var g autoconfigure.Granter + var g granter if len(tdfConfig.attributeValues) > 0 { - g, err = autoconfigure.NewGranterFromAttributes(tdfConfig.attributeValues...) + g, err = newGranterFromAttributes(tdfConfig.attributeValues...) } else if len(tdfConfig.attributes) > 0 { - g, err = autoconfigure.NewGranterFromService(ctx, s.Attributes, tdfConfig.attributes...) + g, err = newGranterFromService(ctx, s.Attributes, tdfConfig.attributes...) } if err != nil { return nil, err } dk := s.defaultKases(tdfConfig) - tdfConfig.splitPlan, err = g.Plan(dk, func() string { + tdfConfig.splitPlan, err = g.plan(dk, func() string { return uuid.New().String() }) if err != nil { @@ -355,7 +354,7 @@ func (s SDK) prepareManifest(ctx context.Context, t *TDFObject, tdfConfig TDFCon latestKASInfo := make(map[string]KASInfo) if len(tdfConfig.splitPlan) == 0 { // Default split plan: Split keys across all kases - tdfConfig.splitPlan = make([]autoconfigure.SplitStep, len(tdfConfig.kasInfoList)) + tdfConfig.splitPlan = make([]keySplitStep, len(tdfConfig.kasInfoList)) for i, kasInfo := range tdfConfig.kasInfoList { tdfConfig.splitPlan[i].KAS = kasInfo.URL if len(tdfConfig.kasInfoList) > 1 { 
@@ -491,7 +490,7 @@ func (s SDK) prepareManifest(ctx context.Context, t *TDFObject, tdfConfig TDFCon } // create policy object -func createPolicyObject(attributes []autoconfigure.AttributeValueFQN) (PolicyObject, error) { +func createPolicyObject(attributes []AttributeValueFQN) (PolicyObject, error) { uuidObj, err := uuid.NewUUID() if err != nil { return PolicyObject{}, fmt.Errorf("uuid.NewUUID failed: %w", err) @@ -802,7 +801,7 @@ func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocogn var payloadKey [kKeySize]byte knownSplits := make(map[string]bool) foundSplits := make(map[string]bool) - skippedSplits := make(map[autoconfigure.SplitStep]error) + skippedSplits := make(map[keySplitStep]error) mixedSplits := len(r.manifest.KeyAccessObjs) > 1 && r.manifest.KeyAccessObjs[0].SplitID != "" for _, keyAccessObj := range r.manifest.EncryptionInformation.KeyAccessObjs { @@ -811,7 +810,7 @@ func (r *Reader) doPayloadKeyUnwrap(ctx context.Context) error { //nolint:gocogn return fmt.Errorf("newKASClient failed:%w", err) } - ss := autoconfigure.SplitStep{KAS: keyAccessObj.KasURL, SplitID: keyAccessObj.SplitID} + ss := keySplitStep{KAS: keyAccessObj.KasURL, SplitID: keyAccessObj.SplitID} var wrappedKey []byte if !mixedSplits { diff --git a/sdk/tdf_config.go b/sdk/tdf_config.go index 0829d67a21..5c00803139 100644 --- a/sdk/tdf_config.go +++ b/sdk/tdf_config.go @@ -5,7 +5,6 @@ import ( "github.com/opentdf/platform/lib/ocrypto" "github.com/opentdf/platform/protocol/go/policy" - "github.com/opentdf/platform/sdk/internal/autoconfigure" ) const ( @@ -58,10 +57,10 @@ type TDFConfig struct { integrityAlgorithm IntegrityAlgorithm segmentIntegrityAlgorithm IntegrityAlgorithm assertions []AssertionConfig - attributes []autoconfigure.AttributeValueFQN + attributes []AttributeValueFQN attributeValues []*policy.Value kasInfoList []KASInfo - splitPlan []autoconfigure.SplitStep + splitPlan []keySplitStep } func newTDFConfig(opt ...TDFOption) (*TDFConfig, error) { 
@@ -106,7 +105,7 @@ func WithDataAttributes(attributes ...string) TDFOption { return func(c *TDFConfig) error { c.attributeValues = nil for _, a := range attributes { - v, err := autoconfigure.NewAttributeValueFQN(a) + v, err := NewAttributeValueFQN(a) if err != nil { return err } @@ -118,16 +117,16 @@ func WithDataAttributes(attributes ...string) TDFOption { // WithDataAttributeValues appends the given data attributes to the bound policy. // Unlike `WithDataAttributes`, this will not trigger an attribute definition lookup -// during autoconfigure. That is, to use autoconfigure in an 'offline' context, +// during That is, to use autoconfigure in an 'offline' context, // you must first store the relevant attribute information locally and load // it to the `CreateTDF` method with this option. func WithDataAttributeValues(attributes ...*policy.Value) TDFOption { return func(c *TDFConfig) error { - c.attributes = make([]autoconfigure.AttributeValueFQN, len(attributes)) + c.attributes = make([]AttributeValueFQN, len(attributes)) c.attributeValues = make([]*policy.Value, len(attributes)) for i, a := range attributes { c.attributeValues[i] = a - afqn, err := autoconfigure.NewAttributeValueFQN(a.GetFqn()) + afqn, err := NewAttributeValueFQN(a.GetFqn()) if err != nil { // TODO: update service to validate and encode FQNs properly return err @@ -154,9 +153,9 @@ func WithKasInformation(kasInfoList ...KASInfo) TDFOption { } } -func withSplitPlan(p ...autoconfigure.SplitStep) TDFOption { +func withSplitPlan(p ...keySplitStep) TDFOption { return func(c *TDFConfig) error { - c.splitPlan = make([]autoconfigure.SplitStep, len(p)) + c.splitPlan = make([]keySplitStep, len(p)) copy(c.splitPlan, p) c.autoconfigure = false return nil diff --git a/sdk/tdf_test.go b/sdk/tdf_test.go index 2aee76969c..949141c98b 100644 --- a/sdk/tdf_test.go +++ b/sdk/tdf_test.go 
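Review bot: The rewritten doc comment on WithDataAttributeValues in the `@@ -118,16 +117,16 @@` hunk now reads `// during That is, to use autoconfigure in an 'offline' context,`; the package-prefix removal in this commit ate the word "autoconfigure." and left the sentence broken. Restore it as `// during autoconfigure. That is, to use autoconfigure in an 'offline' context,`.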
@@ -21,10 +21,8 @@ import ( "github.com/lestrrat-go/jwx/v2/jwt" "github.com/opentdf/platform/lib/ocrypto" kaspb "github.com/opentdf/platform/protocol/go/kas" - "github.com/opentdf/platform/protocol/go/policy" attributespb "github.com/opentdf/platform/protocol/go/policy/attributes" wellknownpb "github.com/opentdf/platform/protocol/go/wellknownconfiguration" - "github.com/opentdf/platform/sdk/internal/autoconfigure" "google.golang.org/grpc" "google.golang.org/grpc/codes" "google.golang.org/grpc/status" @@ -54,8 +52,8 @@ type tdfTest struct { tdfFileSize float64 checksum string mimeType string - splitPlan []autoconfigure.SplitStep - policy []autoconfigure.AttributeValueFQN + splitPlan []keySplitStep + policy []AttributeValueFQN expectedPlanSize int } @@ -978,7 +976,7 @@ func (s *TDFSuite) Test_KeySplits() { fileSize: 5, tdfFileSize: 2664, checksum: "ed968e840d10d2d313a870bc131a4e2c311d7ad09bdf32b3418147221f51a6e2", - splitPlan: []autoconfigure.SplitStep{ + splitPlan: []keySplitStep{ {KAS: "https://a.kas/", SplitID: "a"}, {KAS: "https://b.kas/", SplitID: "a"}, {KAS: `https://c.kas/`, SplitID: "a"}, @@ -989,7 +987,7 @@ func (s *TDFSuite) Test_KeySplits() { fileSize: 5, tdfFileSize: 2664, checksum: "ed968e840d10d2d313a870bc131a4e2c311d7ad09bdf32b3418147221f51a6e2", - splitPlan: []autoconfigure.SplitStep{ + splitPlan: []keySplitStep{ {KAS: "https://a.kas/", SplitID: "a"}, {KAS: "https://b.kas/", SplitID: "b"}, {KAS: "https://c.kas/", SplitID: "c"}, @@ -1000,7 +998,7 @@ func (s *TDFSuite) Test_KeySplits() { fileSize: 5, tdfFileSize: 3211, checksum: "ed968e840d10d2d313a870bc131a4e2c311d7ad09bdf32b3418147221f51a6e2", - splitPlan: []autoconfigure.SplitStep{ + splitPlan: []keySplitStep{ {KAS: "https://a.kas/", SplitID: "a"}, {KAS: "https://b.kas/", SplitID: "a"}, {KAS: "https://b.kas/", SplitID: "b"}, 
@@ -1043,7 +1041,7 @@ func (s *TDFSuite) Test_Autoconfigure() { fileSize: 5, tdfFileSize: 1733, checksum: "ed968e840d10d2d313a870bc131a4e2c311d7ad09bdf32b3418147221f51a6e2", - policy: []autoconfigure.AttributeValueFQN{clsAllowed}, + policy: []AttributeValueFQN{clsA}, expectedPlanSize: 1, }, { @@ -1051,7 +1049,7 @@ func (s *TDFSuite) Test_Autoconfigure() { fileSize: 5, tdfFileSize: 2517, checksum: "ed968e840d10d2d313a870bc131a4e2c311d7ad09bdf32b3418147221f51a6e2", - policy: []autoconfigure.AttributeValueFQN{rel2aus, rel2usa}, + policy: []AttributeValueFQN{rel2aus, rel2usa}, expectedPlanSize: 2, }, } { @@ -1069,6 +1067,7 @@ func (s *TDFSuite) Test_Autoconfigure() { _ = os.Remove(plaintTextFileName) _ = os.Remove(tdfFileName) }() + s.sdk.kasKeyCache.store(KASInfo{}) // test encrypt tdo := s.testEncrypt(s.sdk, kasInfoList, plaintTextFileName, tdfFileName, test) @@ -1248,7 +1247,7 @@ func (s *TDFSuite) startBackend() { {"https://c.kas/", mockRSAPrivateKey3, mockRSAPublicKey3}, {kasAu, mockRSAPrivateKey1, mockRSAPublicKey1}, {kasCa, mockRSAPrivateKey2, mockRSAPublicKey2}, - {lasUk, mockRSAPrivateKey2, mockRSAPublicKey2}, + {kasUk, mockRSAPrivateKey2, mockRSAPublicKey2}, {kasNz, mockRSAPrivateKey3, mockRSAPublicKey3}, {kasUs, mockRSAPrivateKey1, mockRSAPublicKey1}, } { @@ -1430,7 +1429,7 @@ type FakeAttributes struct { func (f *FakeAttributes) GetAttributeValuesByFqns(_ context.Context, in *attributespb.GetAttributeValuesByFqnsRequest) (*attributespb.GetAttributeValuesByFqnsResponse, error) { r := make(map[string]*attributespb.GetAttributeValuesByFqnsResponse_AttributeAndValue) for _, fqn := range in.GetFqns() { - av, err := autoconfigure.NewAttributeValueFQN(fqn) + av, err := NewAttributeValueFQN(fqn) if err != nil { slog.Error("invalid fqn", "notfqn", fqn, "error", err) return nil, status.New(codes.InvalidArgument, fmt.Sprintf("invalid attribute fqn [%s]", fqn)).Err() From 3b3749bc23625f92bc558fcad6c7037be7cce506 Mon Sep 17 00:00:00 2001 
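Review bot: The new line `s.sdk.kasKeyCache.store(KASInfo{})` in Test_Autoconfigure (hunk `@@ -1069,6 +1067,7 @@`) stores a zero-value KASInfo — empty URL, KID, algorithm and key — into the SDK's key cache with no explanation, and from this hunk alone it is not clear whether that is meant to allocate the cache, reset it between cases, or exercise a lookup miss. A one-line comment stating the intent is the minimum, e.g. `// NOTE(review): explain why an empty KASInfo is cached here — TODO confirm`; if the call exists only to make sure the cache is initialised, a constructor or reset helper is clearer than caching an empty key. The enclosing test function starts and ends outside the hunk.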
From: David Mihalcik Date: Wed, 14 Aug 2024 13:39:02 -0400 Subject: [PATCH 03/10] feat(sdk): Use kas keys in registry - Lets the SDK load kas keys from the policy service - This was removed/unsupported before, since the SDK requires Key IDs, but the service previously did not store them - Adds a sample round trip that loads a key from a non-existant KAS to validate that the SDK doesn't call out when the key is loaded into the policy service --- examples/cmd/attributes.go | 49 +++++++++++++++++++------------------- examples/cmd/kas.go | 2 +- sdk/granter.go | 21 +++++++++++++++- sdk/tdf.go | 4 ++-- test/policy-service.bats | 4 ++-- test/tdf-roundtrips.bats | 29 ++++++++++++++++++++++ 6 files changed, 79 insertions(+), 30 deletions(-) diff --git a/examples/cmd/attributes.go b/examples/cmd/attributes.go index 1c9f8bb941..7720d4ab7c 100644 --- a/examples/cmd/attributes.go +++ b/examples/cmd/attributes.go @@ -21,10 +21,10 @@ import ( var ( ns string attr string - kas string + kases []string longformat bool rule string - values string + values []string unsafeBool bool ) @@ -43,7 +43,7 @@ func init() { } add.Flags().StringVarP(&attr, "attr", "a", "", "attribute prefix, e.g. http://name.space/attr/name") add.Flags().StringVarP(&rule, "rule", "", "allof", "attribute type, either allof, anyof, or hierarchy") - add.Flags().StringVarP(&values, "values", "v", "", "list of attribute values") + add.Flags().StringSliceVarP(&values, "values", "v", []string{}, "list of attribute values") attributes.AddCommand(add) assign := &cobra.Command{ 
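Review bot: Switching `--values` (and, in the next hunks, `--kas`) to StringSliceVarP changes the CLI contract from space-separated values (the old side split with `strings.Split(values, " ")`) to comma-separated, but the help strings in this hunk and the three following flag hunks still say only "list of attribute values"; say so, e.g. `"comma-separated list of attribute values"`. The unassign hunk's `--kas` help also reads `"which kases to assign"` although that command unassigns. The test/policy-service.bats hunk at the end of this patch is updated to commas, so the change looks intentional; naming it in the help text and in the commit message avoids surprising existing scripts.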
@@ -54,8 +54,8 @@ func init() { }, } assign.Flags().StringVarP(&attr, "attr", "a", "", "attribute prefix, e.g. https://name.space/attr/name") - assign.Flags().StringVarP(&kas, "kas", "k", "", "which kas to assign") - assign.Flags().StringVarP(&values, "values", "v", "", "any attribute values to include; if empty, applies to all") + assign.Flags().StringSliceVarP(&kases, "kas", "k", []string{}, "which kas to assign") + assign.Flags().StringSliceVarP(&values, "values", "v", []string{}, "any attribute values to include; if empty, applies to all") attributes.AddCommand(assign) list := &cobra.Command{ @@ -80,7 +80,7 @@ func init() { }, } remove.Flags().StringVarP(&attr, "attr", "a", "", "attribute prefix, e.g. http://name.space/attr/name") - remove.Flags().StringVarP(&values, "values", "v", "", "list of attribute values to remove; if absent, removes all") + remove.Flags().StringSliceVarP(&values, "values", "v", []string{}, "list of attribute values to remove; if absent, removes all") remove.Flags().BoolVarP(&unsafeBool, "unsafe", "f", false, "delete for real; otherwise deactivate (soft delete)") attributes.AddCommand(remove) @@ -92,8 +92,8 @@ func init() { }, } unassign.Flags().StringVarP(&attr, "attr", "a", "", "attribute prefix, e.g. https://name.space/attr/name") - unassign.Flags().StringVarP(&kas, "kas", "k", "", "which kas to assign") - unassign.Flags().StringVarP(&values, "values", "v", "", "any attribute values to include; if empty, applies to all") + unassign.Flags().StringSliceVarP(&kases, "kas", "k", []string{}, "which kases to assign") + unassign.Flags().StringSliceVarP(&values, "values", "v", []string{}, "any attribute values to include; if empty, applies to all") attributes.AddCommand(unassign) ExamplesCmd.AddCommand(attributes) 
@@ -245,7 +245,7 @@ func addAttribute(cmd *cobra.Command) error { slog.Error("url.PathUnescape(attr)", "err", err, "attr", m[2]) return err } - aid, err := upsertAttr(cmd.Context(), s, nsu, attr, strings.Split(values, " ")) + aid, err := upsertAttr(cmd.Context(), s, nsu, attr, values) if err != nil { return err } @@ -275,7 +275,7 @@ func removeAttribute(cmd *cobra.Command) error { if err != nil { return err } - if values == "" { + if len(values) == 0 { if unsafeBool { resp, err := s.Unsafe.UnsafeDeleteAttribute(cmd.Context(), &unsafe.UnsafeDeleteAttributeRequest{ Id: auuid, @@ -298,7 +298,7 @@ func removeAttribute(cmd *cobra.Command) error { slog.Info("deactivated attribute", "attr", attr, "resp", resp) return nil } else { - for _, v := range strings.Split(values, " ") { + for _, v := range values { avu, err := avuuid(cmd.Context(), s, auuid, v) if err != nil { return err @@ -359,16 +359,18 @@ func assignAttribute(cmd *cobra.Command, assign bool) error { var kasids []string switch { - case kas != "": - kasid, err := upsertKasRegistration(cmd.Context(), s, kas, nil) - if err != nil { - return err + case len(kases) != 0: + for _, kas := range kases { + kasid, err := upsertKasRegistration(cmd.Context(), s, kas, nil) + if err != nil { + return err + } + kasids = append(kasids, kasid) + kasById[kasid] = kas } - kasids = append(kasids, kasid) - kasById[kasid] = kas case assign: return fmt.Errorf("assign must take a `--kas` parameter") - case values == "": + case len(values) == 0: // look up all kasids associated with the attribute ar, err := s.Attributes.GetAttribute(cmd.Context(), &attributes.GetAttributeRequest{Id: auuid}) if err != nil { 
@@ -378,12 +380,11 @@ func assignAttribute(cmd *cobra.Command, assign bool) error { kasids = append(kasids, b.GetId()) kasById[b.GetId()] = b.GetUri() } + case len(values) > 1: + return fmt.Errorf("TODO: unassign from multiple values at a time") default: // look up all kasids associated with the value - if strings.Index(values, " ") >= 0 { - return fmt.Errorf("TODO: unassign from multiple values at a time") - } - avu, err := avuuid(cmd.Context(), s, auuid, values) + avu, err := avuuid(cmd.Context(), s, auuid, values[0]) if err != nil { return err } @@ -398,7 +399,7 @@ func assignAttribute(cmd *cobra.Command, assign bool) error { } for _, kasid := range kasids { - if values == "" { + if len(values) == 0 { if assign { r, err := s.Attributes.AssignKeyAccessServerToAttribute(cmd.Context(), &attributes.AssignKeyAccessServerToAttributeRequest{ AttributeKeyAccessServer: &attributes.AttributeKeyAccessServer{ @@ -423,7 +424,7 @@ func assignAttribute(cmd *cobra.Command, assign bool) error { cmd.Printf("successfully unassigned [%s] from [%s] (binding %v)\n", attr, kasById[kasid], *r.GetAttributeKeyAccessServer()) } } else { - for _, v := range strings.Split(values, " ") { + for _, v := range values { avu, err := avuuid(cmd.Context(), s, auuid, v) if err != nil { return err diff --git a/examples/cmd/kas.go b/examples/cmd/kas.go index f936e85b0f..abfe68949a 100644 --- a/examples/cmd/kas.go +++ b/examples/cmd/kas.go @@ -12,7 +12,7 @@ import ( "github.com/spf13/cobra" ) -var algorithm, key, keyIdentifier string +var algorithm, kas, key, keyIdentifier string func init() { kasc := &cobra.Command{ diff --git a/sdk/granter.go b/sdk/granter.go index 220fe77c78..f55ebb3336 100644 --- a/sdk/granter.go +++ b/sdk/granter.go 
@@ -199,7 +199,7 @@ func (r granter) byAttribute(fqn AttributeValueFQN) *keyAccessGrant {
 }
 
 // Gets a list of directory of KAS grants for a list of attribute FQNs
-func newGranterFromService(ctx context.Context, as attributes.AttributesServiceClient, fqns ...AttributeValueFQN) (granter, error) {
+func newGranterFromService(ctx context.Context, keyCache *kasKeyCache, as attributes.AttributesServiceClient, fqns ...AttributeValueFQN) (granter, error) {
 	fqnsStr := make([]string, len(fqns))
 	for i, v := range fqns {
 		fqnsStr[i] = v.String()
@@ -228,16 +228,35 @@ func newGranterFromService(ctx context.Context, as attributes.AttributesServiceC
 		def := pair.GetAttribute()
 		if def != nil {
 			grants.addAllGrants(fqn, def.GetGrants(), def)
+			storeKeysToCache(def.GetGrants(), keyCache)
 		}
 		v := pair.GetValue()
 		if v != nil {
 			grants.addAllGrants(fqn, v.GetGrants(), def)
+			storeKeysToCache(v.GetGrants(), keyCache)
 		}
 	}
 
 	return grants, nil
 }
 
+func storeKeysToCache(kases []*policy.KeyAccessServer, c *kasKeyCache) {
+	for _, kas := range kases {
+		if kas.GetPublicKey() == nil || kas.GetPublicKey().GetCached() == nil || kas.GetPublicKey().GetCached().GetKeys() == nil || len(kas.GetPublicKey().GetCached().GetKeys()) == 0 {
+			slog.Debug("no cached key in policy service", "kas", kas.GetUri())
+			continue
+		}
+		for _, ki := range kas.GetPublicKey().GetCached().GetKeys() {
+			c.store(KASInfo{
+				URL:       kas.GetUri(),
+				KID:       ki.GetKid(),
+				Algorithm: ki.GetAlg(),
+				PublicKey: ki.GetPem(),
+			})
+		}
+	}
+}
+
 // Given a policy (list of data attributes or tags),
 // get a set of grants from attribute values to KASes.
 // Unlike `NewGranterFromService`, this works offline.
diff --git a/sdk/tdf.go b/sdk/tdf.go
index b02b61c850..463923afa4 100644
--- a/sdk/tdf.go
+++ b/sdk/tdf.go
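Review bot: In storeKeysToCache a registry entry whose `Pem` or `Kid` is empty is cached as-is, so a later lookup for that KAS hands prepareManifest a KASInfo with an empty PublicKey and it fails with errKasPubKeyMissing (see the tdf.go hunk of this patch) instead of the entry being treated as "no cached key". Generated protobuf getters are nil-safe, so the four-way nil chain in the first `if` reduces to `len(kas.GetPublicKey().GetCached().GetKeys()) == 0`, which already covers the `GetKeys() == nil` case. I would bind the key list once, skip incomplete entries at debug level, and add a doc comment saying these keys come from the policy service's KAS registry and are relied on for wrapping on the same trust basis as the grants themselves. Whether `c` can be nil here (an SDK constructed without a kasKeyCache) is not visible in the hunk, so a nil guard may be warranted — TODO confirm.
```go
// storeKeysToCache copies the public keys the policy service reports for each
// KAS grant into the SDK's key cache, so that later key wraps can use them
// without contacting the KAS; entries without a KID or PEM are skipped.
func storeKeysToCache(kases []*policy.KeyAccessServer, c *kasKeyCache) {
	for _, kas := range kases {
		keys := kas.GetPublicKey().GetCached().GetKeys()
		if len(keys) == 0 {
			slog.Debug("no cached key in policy service", "kas", kas.GetUri())
			continue
		}
		for _, ki := range keys {
			if len(ki.GetKid()) == 0 || len(ki.GetPem()) == 0 {
				slog.Debug("skipping incomplete cached key", "kas", kas.GetUri(), "kid", ki.GetKid())
				continue
			}
			c.store(KASInfo{
				URL:       kas.GetUri(),
				KID:       ki.GetKid(),
				Algorithm: ki.GetAlg(),
				PublicKey: ki.GetPem(),
			})
		}
	}
}
```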
@@ -135,7 +135,7 @@ func (s SDK) CreateTDFContext(ctx context.Context, writer io.Writer, reader io.R if len(tdfConfig.attributeValues) > 0 { g, err = newGranterFromAttributes(tdfConfig.attributeValues...) } else if len(tdfConfig.attributes) > 0 { - g, err = newGranterFromService(ctx, s.Attributes, tdfConfig.attributes...) + g, err = newGranterFromService(ctx, s.kasKeyCache, s.Attributes, tdfConfig.attributes...) } if err != nil { return nil, err @@ -440,7 +440,7 @@ func (s SDK) prepareManifest(ctx context.Context, t *TDFObject, tdfConfig TDFCon for _, kasInfo := range conjunction[splitID] { if len(kasInfo.PublicKey) == 0 { - return errKasPubKeyMissing + return fmt.Errorf("splitID:[%s], kas:[%s]: %w", splitID, kasInfo.URL, errKasPubKeyMissing) } // wrap the key with kas public key diff --git a/test/policy-service.bats b/test/policy-service.bats index d42f87e590..f08c042f1f 100755 --- a/test/policy-service.bats +++ b/test/policy-service.bats @@ -16,7 +16,7 @@ [[ $output = *"listing namespaces"* ]] [ $status = 0 ] - run go run ./examples --creds opentdf:secret attributes add -a https://example.io/attr/IntellectualProperty -v "TradeSecret Proprietary BusinessSensitive Open" --rule hierarchy + run go run ./examples --creds opentdf:secret attributes add -a https://example.io/attr/IntellectualProperty -v "TradeSecret,Proprietary,BusinessSensitive,Open" --rule hierarchy echo "$output" [[ $output = *"created attribute"* ]] [ $status = 0 ] @@ -71,7 +71,7 @@ [[ $output = *"https://c.example.io"* ]] [ $status = 0 ] - go run ./examples --creds opentdf:secret attributes add -a https://grant.example.io/attr/test -v "a b c" + go run ./examples --creds opentdf:secret attributes add -a https://grant.example.io/attr/test -v "a,b,c" go run ./examples --creds opentdf:secret attributes assign -a https://grant.example.io/attr/test -v a -k https://a.example.io go run ./examples --creds opentdf:secret attributes assign -a https://grant.example.io/attr/test -v b -k https://b.example.io 
diff --git a/test/tdf-roundtrips.bats b/test/tdf-roundtrips.bats
index 75bcea3bbc..b1605ea91e 100755
--- a/test/tdf-roundtrips.bats
+++ b/test/tdf-roundtrips.bats
@@ -27,6 +27,35 @@ printf '%s\n' "$output" | grep "Hello Zero Trust" } +@test "examples: roundtrip Z-TDF with extra unnecessary, invalid kas" { + # TODO: add subject mapping here to remove reliance on `provision fixtures` + echo "[INFO] configure attribute with grant for local kas" + go run ./examples --creds opentdf:secret kas add --kas http://localhost:8080 --public-key "$(<${BATS_TEST_DIRNAME}/../kas-cert.pem)" + go run ./examples --creds opentdf:secret kas add --kas http://localhost:9090 --algorithm "rsa:2048" --kid r2 --public-key "$(<${BATS_TEST_DIRNAME}/../kas-cert.pem)" + go run ./examples --creds opentdf:secret attributes unassign -a https://example.com/attr/attr1 -v value1 + go run ./examples --creds opentdf:secret attributes unassign -a https://example.com/attr/attr1 + go run ./examples --creds opentdf:secret attributes assign -a https://example.com/attr/attr1 -v value1 -k "http://localhost:8080,http://localhost:9090" + + echo "[INFO] create a tdf3 format file" + run go run ./examples encrypt "Hello multikao split" + echo "[INFO] echoing output; if successful, this is just the manifest" + echo "$output" + + echo "[INFO] Validate the manifest lists the expected kid in its KAO" + u1=$(jq -r '.encryptionInformation.keyAccess[0].url' <<<"${output}") + u2=$(jq -r '.encryptionInformation.keyAccess[1].url' <<<"${output}") + sid1=$(jq -r '.encryptionInformation.keyAccess[0].sid' <<<"${output}") + sid2=$(jq -r '.encryptionInformation.keyAccess[1].sid' <<<"${output}") + echo "${u1},${sid1} ?= ${u2},${sid2}" + [ $u1 != $u2 ] + [ $sid1 = $sid2 ] + + echo "[INFO] decrypting..." + run go run ./examples decrypt sensitive.txt.tdf + echo "$output" + printf '%s\n' "$output" | grep "Hello multikao split" +} + @test "examples: roundtrip nanoTDF" { echo "[INFO] creating nanotdf file" go run ./examples encrypt -o sensitive.txt.ntdf --nano "Hello NanoTDF" From acefa10fd6326075047f4f7429ad117f395b93a6 Mon Sep 17 00:00:00 2001 
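Review bot: `[ $u1 != $u2 ]` and `[ $sid1 = $sid2 ]` expand unquoted, so if `jq` returns an empty string (for instance when `$output` is not the bare manifest the test assumes) `[` sees a malformed expression and the failure is a shell syntax error rather than a split-plan assertion; write `[ "$u1" != "$u2" ]` and `[ "$sid1" = "$sid2" ]`. The `run go run ./examples encrypt` step has no `[ $status = 0 ]` after it, and the `kas add`/`attributes assign` setup lines are not checked at all, so a failed registration would let the test pass on whatever grant an earlier fixture left for localhost:8080. The title says "invalid kas", but the 9090 entry is registered with the same valid `kas-cert.pem` as 8080 under kid r2, so what is exercised is an unreachable KAS with good key material; saying so in the `# TODO` comment would keep the test from being "fixed" later to use a bad key by mistake.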
From: David Mihalcik
Date: Wed, 14 Aug 2024 16:17:20 -0400
Subject: [PATCH 04/10] fixes for proto enums in alg field

---
 examples/cmd/kas.go | 12 +++++++++++-
 sdk/granter.go | 14 +++++++++++++-
 2 files changed, 24 insertions(+), 2 deletions(-)

diff --git a/examples/cmd/kas.go b/examples/cmd/kas.go
index abfe68949a..ee80745440 100644
--- a/examples/cmd/kas.go
+++ b/examples/cmd/kas.go
@@ -141,6 +141,16 @@ func upsertKasRegistration(ctx context.Context, s *sdk.SDK, uri string, pk *poli
 return ur.KeyAccessServer.GetId(), nil
 }
 
+func algString2Proto(a string) policy.KasPublicKeyAlgEnum {
+ switch strings.ToLower(a) {
+ case "ec:secp256r1":
+ return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1
+ case "rsa:2048":
+ return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048
+ }
+ return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED
+}
+
 func updateKas(cmd *cobra.Command) error {
 s, err := newSDK()
 if err != nil {
@@ -163,7 +173,7 @@ func updateKas(cmd *cobra.Command) error {
 {
 Pem: key,
 Kid: keyIdentifier,
- Alg: algorithm,
+ Alg: algString2Proto(algorithm),
 },
 },
 },
diff --git a/sdk/granter.go b/sdk/granter.go
index f55ebb3336..ff34afe977 100644
--- a/sdk/granter.go
+++ b/sdk/granter.go
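Review bot: `algString2Proto` maps any unrecognised string, including a typo such as `rsa:4096`, to `KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED`, and as far as the second hunk shows `updateKas` stores that without complaint, so a mislabelled key is registered silently and only surfaces later in the SDK. The bats test in patch 03 registers a KAS with no `--algorithm` at all, so the empty string must stay accepted, but anything else unknown should be an error; returning `(policy.KasPublicKeyAlgEnum, error)` keeps that distinction explicit and lets `updateKas` bail out before building the request. The CLI also never checks that the PEM passed as `--public-key` actually is an RSA-2048 or P-256 key matching the declared algorithm; parsing it with `x509.ParsePKIXPublicKey` (or `x509.ParseCertificate`, since the tests pass a certificate) and comparing the key type would catch the mismatch at registration time. `updateKas`'s body continues outside the hunk; the excerpt assumes `fmt` is already imported in this file.
```go
// algString2Proto converts the CLI's "rsa:2048" / "ec:secp256r1" spelling to the
// policy enum. The empty string means "not specified"; any other unknown value is an error.
func algString2Proto(a string) (policy.KasPublicKeyAlgEnum, error) {
	switch strings.ToLower(a) {
	case "":
		return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED, nil
	case "ec:secp256r1":
		return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1, nil
	case "rsa:2048":
		return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048, nil
	}
	return policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED, fmt.Errorf("unknown key algorithm %q (expected rsa:2048 or ec:secp256r1)", a)
}

// … in updateKas, before the request literal …
alg, err := algString2Proto(algorithm)
if err != nil {
	return err
}
// … unchanged: request construction, now with `Alg: alg,` …
```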
@@ -240,6 +240,18 @@ func newGranterFromService(ctx context.Context, keyCache *kasKeyCache, as attrib
 return grants, nil
 }
 
+func algProto2String(e policy.KasPublicKeyAlgEnum) string {
+ switch e {
+ case policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1:
+ return "ec:secp256r1"
+ case policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048:
+ return "rsa:2048"
+ case policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED:
+ return ""
+ }
+ return ""
+}
+
 func storeKeysToCache(kases []*policy.KeyAccessServer, c *kasKeyCache) {
 for _, kas := range kases {
 if kas.GetPublicKey() == nil || kas.GetPublicKey().GetCached() == nil || kas.GetPublicKey().GetCached().GetKeys() == nil || len(kas.GetPublicKey().GetCached().GetKeys()) == 0 {
@@ -250,7 +262,7 @@ func storeKeysToCache(kases []*policy.KeyAccessServer, c *kasKeyCache) {
 c.store(KASInfo{
 URL: kas.GetUri(),
 KID: ki.GetKid(),
- Algorithm: ki.GetAlg(),
+ Algorithm: algProto2String(ki.GetAlg()),
 PublicKey: ki.GetPem(),
 })
 }
From 04e7b4301fbb8fb9b8cb01f58685c6c94e037984 Mon Sep 17 00:00:00 2001
From: David Mihalcik
Date: Mon, 19 Aug 2024 15:33:08 -0500
Subject: [PATCH 05/10] fixups

---
 sdk/granter.go | 5 +++--
 service/policy/objects.proto | 6 ++++--
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/sdk/granter.go b/sdk/granter.go
index ff34afe977..47d1874214 100644
--- a/sdk/granter.go
+++ b/sdk/granter.go
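Review bot: `algProto2String` has no `default:` arm, so any enum value it does not list — UNSPECIFIED today, and whatever algorithm is added to the proto next — becomes `""`, and the second hunk then caches a `KASInfo` whose `Algorithm` is empty; how the cache consumer treats an empty algorithm is not visible here, but it is either a silent mismatch or a silent skip, and neither is logged. Suggest dropping the explicit UNSPECIFIED arm (the trailing `return ""` already covers it) and refusing such keys where they are stored, e.g. `if alg := algProto2String(ki.GetAlg()); alg == "" { slog.Warn("ignoring cached KAS key with unspecified algorithm", "kas", kas.GetUri(), "kid", ki.GetKid()); continue }` ahead of `c.store`. A one-line doc comment, `// algProto2String returns the SDK's textual algorithm identifier for a policy enum, or "" when the enum is unspecified or unknown.`, would make the empty-string contract explicit for the next caller.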
@@ -254,11 +254,12 @@ func algProto2String(e policy.KasPublicKeyAlgEnum) string {
 
 func storeKeysToCache(kases []*policy.KeyAccessServer, c *kasKeyCache) {
 for _, kas := range kases {
- if kas.GetPublicKey() == nil || kas.GetPublicKey().GetCached() == nil || kas.GetPublicKey().GetCached().GetKeys() == nil || len(kas.GetPublicKey().GetCached().GetKeys()) == 0 {
+ keys := kas.GetPublicKey().GetCached().GetKeys()
+ if len(keys) == 0 {
 slog.Debug("no cached key in policy service", "kas", kas.GetUri())
 continue
 }
- for _, ki := range kas.GetPublicKey().GetCached().GetKeys() {
+ for _, ki := range keys {
 c.store(KASInfo{
 URL: kas.GetUri(),
 KID: ki.GetKid(),
diff --git a/service/policy/objects.proto b/service/policy/objects.proto
index 10da55d418..12ca2e1ba2 100644
--- a/service/policy/objects.proto
+++ b/service/policy/objects.proto
@@ -305,8 +305,10 @@ message PublicKey {
 expression: "this.matches('^https://[a-zA-Z0-9]([a-zA-Z0-9\\\\-]{0,61}[a-zA-Z0-9])?(\\\\.[a-zA-Z0-9]([a-zA-Z0-9\\\\-]{0,61}[a-zA-Z0-9])?)*(/.*)?$')"
 }];
 
- // public key - optional since can also be retrieved via url
- string local = 2;
+ // public key; PEM of RSA public key; prefer `cached`
+ string local = 2 [
+ deprecated = true,
+ ];
 
 // public key with additional information. Current preferred version
 KasPublicKeySet cached = 3;
From bcfc0d7bca1b4c51582ec013056388bd40c081b9 Mon Sep 17 00:00:00 2001
From: David Mihalcik
Date: Mon, 19 Aug 2024 15:39:12 -0500
Subject: [PATCH 06/10] fixups

---
 sdk/granter_test.go | 1 +
 sdk/tdf_test.go | 111 --------------------------------------------
 2 files changed, 1 insertion(+), 111 deletions(-)

diff --git a/sdk/granter_test.go b/sdk/granter_test.go
index 5e4ae349a3..bd01e53f0b 100644
--- a/sdk/granter_test.go
+++ b/sdk/granter_test.go
@@ -118,6 +118,7 @@ func mockAttributeFor(fqn AttributeNameFQN) *policy.Attribute {
 }
 return nil
 }
+
 func mockValueFor(fqn AttributeValueFQN) *policy.Value {
 an := fqn.Prefix()
 a := mockAttributeFor(an)
diff --git a/sdk/tdf_test.go b/sdk/tdf_test.go
index 949141c98b..fe86ee40ae 100644
--- a/sdk/tdf_test.go
+++ b/sdk/tdf_test.go
@@ -1311,117 +1311,6 @@ func (f *FakeWellKnown) GetWellKnownConfiguration(_ context.Context, _ *wellknow }, nil } -const ( - kasAu = "https://kas.au/" - kasCa = "https://kas.ca/" - lasUk = "https://kas.uk/" - kasNz = "https://kas.nz/" - kasUs = "https://kas.us/" - kasUsHcs = "https://hcs.kas.us/" - kasUsSI = "https://si.kas.us/" - authority = "https://virtru.com/" -) - -var ( - CLS, _ = autoconfigure.NewAttributeNameFQN("https://virtru.com/attr/Classification") - N2K, _ = autoconfigure.NewAttributeNameFQN("https://virtru.com/attr/Need%20to%20Know") - REL, _ = autoconfigure.NewAttributeNameFQN("https://virtru.com/attr/Releasable%20To") - - clsAllowed, _ = autoconfigure.NewAttributeValueFQN("https://virtru.com/attr/Classification/value/Allowed") - - rel2aus, _ = autoconfigure.NewAttributeValueFQN("https://virtru.com/attr/Releasable%20To/value/AUS") - rel2usa, _ = autoconfigure.NewAttributeValueFQN("https://virtru.com/attr/Releasable%20To/value/USA") -) - -func mockAttributeFor(fqn autoconfigure.AttributeNameFQN) *policy.Attribute { - ns := policy.Namespace{ - Id: "v", - Name: "virtru.com", - Fqn: "https://virtru.com", - } - switch fqn { - case CLS: - return &policy.Attribute{ - Id: "CLS", - Namespace: &ns, - Name: "Classification", - Rule: policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY, - Fqn: fqn.String(), - } - case N2K: - return &policy.Attribute{ - Id: "N2K", - Namespace: &ns, - Name: "Need to Know", - Rule: policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF, - Fqn: fqn.String(), - } - case REL: - return &policy.Attribute{ - Id: "REL", - Namespace: &ns, - Name: "Releasable To", - Rule: policy.AttributeRuleTypeEnum_ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF, - Fqn: fqn.String(), - } - } - return nil -} - -func mockValueFor(fqn autoconfigure.AttributeValueFQN) *policy.Value { - an := fqn.Prefix() - a := mockAttributeFor(an) - v := fqn.Value() - p := policy.Value{ - Id: a.GetId() + ":" + v, - Attribute: a, - Value: v, - Fqn: fqn.String(), - } - - 
switch an { - case N2K: - switch fqn.Value() { - case "INT": - p.Grants = make([]*policy.KeyAccessServer, 1) - p.Grants[0] = &policy.KeyAccessServer{Uri: lasUk} - case "HCS": - p.Grants = make([]*policy.KeyAccessServer, 1) - p.Grants[0] = &policy.KeyAccessServer{Uri: kasUsHcs} - case "SI": - p.Grants = make([]*policy.KeyAccessServer, 1) - p.Grants[0] = &policy.KeyAccessServer{Uri: kasUsSI} - } - - case REL: - switch fqn.Value() { - case "FVEY": - p.Grants = make([]*policy.KeyAccessServer, 5) - p.Grants[0] = &policy.KeyAccessServer{Uri: kasAu} - p.Grants[1] = &policy.KeyAccessServer{Uri: kasCa} - p.Grants[2] = &policy.KeyAccessServer{Uri: lasUk} - p.Grants[3] = &policy.KeyAccessServer{Uri: kasNz} - p.Grants[4] = &policy.KeyAccessServer{Uri: kasUs} - case "AUS": - p.Grants = make([]*policy.KeyAccessServer, 1) - p.Grants[0] = &policy.KeyAccessServer{Uri: kasAu} - case "CAN": - p.Grants = make([]*policy.KeyAccessServer, 1) - p.Grants[0] = &policy.KeyAccessServer{Uri: kasCa} - case "GBR": - p.Grants = make([]*policy.KeyAccessServer, 1) - p.Grants[0] = &policy.KeyAccessServer{Uri: lasUk} - case "NZL": - p.Grants = make([]*policy.KeyAccessServer, 1) - p.Grants[0] = &policy.KeyAccessServer{Uri: kasNz} - case "USA": - p.Grants = make([]*policy.KeyAccessServer, 1) - p.Grants[0] = &policy.KeyAccessServer{Uri: kasUs} - } - } - return &p -} - type FakeAttributes struct { attributespb.UnimplementedAttributesServiceServer } From 7ec3287c58da2a63b91f7d1a35964f60f44718d2 Mon Sep 17 00:00:00 2001 
From: David Mihalcik
Date: Mon, 19 Aug 2024 15:43:24 -0500
Subject: [PATCH 07/10] uptodate

---
 docs/grpc/index.html | 23 +++-
 .../policy/attributes/attributes.swagger.json | 2 +-
 .../key_access_server_registry.swagger.json | 2 +-
 .../policy/namespaces/namespaces.swagger.json | 2 +-
 .../resource_mapping.swagger.json | 2 +-
 .../subject_mapping.swagger.json | 2 +-
 .../openapi/policy/unsafe/unsafe.swagger.json | 2 +-
 protocol/go/policy/objects.pb.go | 121 +++++++++---------
 service/policy/objects.proto | 2 +-
 9 files changed, 91 insertions(+), 67 deletions(-)

diff --git a/docs/grpc/index.html b/docs/grpc/index.html
index 2071a7b4db..cc84d00f71 100644
--- a/docs/grpc/index.html
+++ b/docs/grpc/index.html
@@ -1679,7 +1679,7 @@

PublicKey

local string -

public key - optional since can also be retrieved via url

+

Deprecated. public key; PEM of RSA public key; prefer `cached`

@@ -1693,6 +1693,27 @@

PublicKey

+ + +

Fields with deprecated option

+ + + + + + + + + + + + + + + +
NameOption
local

true

+ + diff --git a/docs/openapi/policy/attributes/attributes.swagger.json b/docs/openapi/policy/attributes/attributes.swagger.json index 01d68183d2..195eaa9e8a 100644 --- a/docs/openapi/policy/attributes/attributes.swagger.json +++ b/docs/openapi/policy/attributes/attributes.swagger.json @@ -1091,7 +1091,7 @@ }, "local": { "type": "string", - "title": "public key - optional since can also be retrieved via url" + "title": "public key; PEM of RSA public key; prefer `cached`" }, "cached": { "$ref": "#/definitions/policyKasPublicKeySet", diff --git a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json index af67abf55a..2b269b788a 100644 --- a/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json +++ b/docs/openapi/policy/kasregistry/key_access_server_registry.swagger.json @@ -444,7 +444,7 @@ }, "local": { "type": "string", - "title": "public key - optional since can also be retrieved via url" + "title": "public key; PEM of RSA public key; prefer `cached`" }, "cached": { "$ref": "#/definitions/policyKasPublicKeySet", diff --git a/docs/openapi/policy/namespaces/namespaces.swagger.json b/docs/openapi/policy/namespaces/namespaces.swagger.json index aad8b5f1ad..95d3e07cdc 100644 --- a/docs/openapi/policy/namespaces/namespaces.swagger.json +++ b/docs/openapi/policy/namespaces/namespaces.swagger.json @@ -492,7 +492,7 @@ }, "local": { "type": "string", - "title": "public key - optional since can also be retrieved via url" + "title": "public key; PEM of RSA public key; prefer `cached`" }, "cached": { "$ref": "#/definitions/policyKasPublicKeySet", diff --git a/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json b/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json index 63e2b9ae9d..7c5ae24d92 100644 --- a/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json +++ b/docs/openapi/policy/resourcemapping/resource_mapping.swagger.json 
@@ -457,7 +457,7 @@ }, "local": { "type": "string", - "title": "public key - optional since can also be retrieved via url" + "title": "public key; PEM of RSA public key; prefer `cached`" }, "cached": { "$ref": "#/definitions/policyKasPublicKeySet", diff --git a/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json b/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json index c32d59a988..41847340a4 100644 --- a/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json +++ b/docs/openapi/policy/subjectmapping/subject_mapping.swagger.json @@ -659,7 +659,7 @@ }, "local": { "type": "string", - "title": "public key - optional since can also be retrieved via url" + "title": "public key; PEM of RSA public key; prefer `cached`" }, "cached": { "$ref": "#/definitions/policyKasPublicKeySet", diff --git a/docs/openapi/policy/unsafe/unsafe.swagger.json b/docs/openapi/policy/unsafe/unsafe.swagger.json index a917b49d1f..ccde3740da 100644 --- a/docs/openapi/policy/unsafe/unsafe.swagger.json +++ b/docs/openapi/policy/unsafe/unsafe.swagger.json @@ -605,7 +605,7 @@ }, "local": { "type": "string", - "title": "public key - optional since can also be retrieved via url" + "title": "public key; PEM of RSA public key; prefer `cached`" }, "cached": { "$ref": "#/definitions/policyKasPublicKeySet", diff --git a/protocol/go/policy/objects.pb.go b/protocol/go/policy/objects.pb.go index ace9fc48d9..659184c3a9 100644 --- a/protocol/go/policy/objects.pb.go +++ b/protocol/go/policy/objects.pb.go @@ -1481,6 +1481,7 @@ func (x *PublicKey) GetRemote() string { return "" } +// Deprecated: Marked as deprecated in policy/objects.proto. func (x *PublicKey) GetLocal() string { if x, ok := x.GetPublicKey().(*PublicKey_Local); ok { return x.Local 
@@ -1505,7 +1506,9 @@ type PublicKey_Remote struct { } type PublicKey_Local struct { - // public key - optional since can also be retrieved via url + // public key; PEM of RSA public key; prefer `cached` + // + // Deprecated: Marked as deprecated in policy/objects.proto. Local string `protobuf:"bytes,2,opt,name=local,proto3,oneof"` } @@ -1728,7 +1731,7 @@ var file_policy_objects_proto_rawDesc = []byte{ 0x3b, 0x0a, 0x0f, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x12, 0x28, 0x0a, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x14, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, - 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x22, 0xeb, 0x03, 0x0a, + 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x52, 0x04, 0x6b, 0x65, 0x79, 0x73, 0x22, 0xef, 0x03, 0x0a, 0x09, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x12, 0x84, 0x03, 0x0a, 0x06, 0x72, 0x65, 0x6d, 0x6f, 0x74, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x42, 0xe9, 0x02, 0xba, 0x48, 0xe5, 0x02, 0xba, 0x01, 0xe1, 0x02, 0x0a, 0x0a, 0x75, 0x72, 0x69, 0x5f, 0x66, 0x6f, 0x72, 0x6d, 
@@ -1754,64 +1757,64 @@ var file_policy_objects_proto_rawDesc = []byte{ 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5c, 0x5c, 0x2d, 0x5d, 0x7b, 0x30, 0x2c, 0x36, 0x31, 0x7d, 0x5b, 0x61, 0x2d, 0x7a, 0x41, 0x2d, 0x5a, 0x30, 0x2d, 0x39, 0x5d, 0x29, 0x3f, 0x29, 0x2a, 0x28, 0x2f, 0x2e, 0x2a, 0x29, 0x3f, 0x24, 0x27, 0x29, 0x48, 0x00, 0x52, 0x06, 0x72, 0x65, 0x6d, 0x6f, 0x74, - 0x65, 0x12, 0x16, 0x0a, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, - 0x48, 0x00, 0x52, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x12, 0x31, 0x0a, 0x06, 0x63, 0x61, 0x63, - 0x68, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, 0x70, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, 0x79, 0x53, - 0x65, 0x74, 0x48, 0x00, 0x52, 0x06, 0x63, 0x61, 0x63, 0x68, 0x65, 0x64, 0x42, 0x0c, 0x0a, 0x0a, - 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x2a, 0xb3, 0x01, 0x0a, 0x15, 0x41, - 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x75, 0x6c, 0x65, 0x54, 0x79, 0x70, 0x65, - 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x28, 0x0a, 0x24, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, - 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, - 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, - 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, - 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4c, 0x4c, 0x5f, 0x4f, - 0x46, 0x10, 0x01, 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, - 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, - 0x41, 0x4e, 0x59, 0x5f, 0x4f, 0x46, 0x10, 0x02, 0x12, 0x26, 0x0a, 0x22, 0x41, 0x54, 0x54, 0x52, + 0x65, 0x12, 0x1a, 0x0a, 0x05, 0x6c, 0x6f, 0x63, 0x61, 0x6c, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, + 0x42, 0x02, 0x18, 0x01, 0x48, 0x00, 0x52, 0x05, 0x6c, 0x6f, 0x63, 
0x61, 0x6c, 0x12, 0x31, 0x0a, + 0x06, 0x63, 0x61, 0x63, 0x68, 0x65, 0x64, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x17, 0x2e, + 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x2e, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, + 0x4b, 0x65, 0x79, 0x53, 0x65, 0x74, 0x48, 0x00, 0x52, 0x06, 0x63, 0x61, 0x63, 0x68, 0x65, 0x64, + 0x42, 0x0c, 0x0a, 0x0a, 0x70, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x5f, 0x6b, 0x65, 0x79, 0x2a, 0xb3, + 0x01, 0x0a, 0x15, 0x41, 0x74, 0x74, 0x72, 0x69, 0x62, 0x75, 0x74, 0x65, 0x52, 0x75, 0x6c, 0x65, + 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x28, 0x0a, 0x24, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, - 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x49, 0x45, 0x52, 0x41, 0x52, 0x43, 0x48, 0x59, 0x10, 0x03, - 0x2a, 0xca, 0x01, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x4d, 0x61, 0x70, 0x70, - 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, 0x6e, 0x75, 0x6d, 0x12, - 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, - 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, - 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x24, - 0x0a, 0x20, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, - 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, - 0x49, 0x4e, 0x10, 0x01, 0x12, 0x28, 0x0a, 0x24, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, - 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, - 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4e, 0x4f, 0x54, 0x5f, 0x49, 0x4e, 0x10, 0x02, 0x12, 0x2d, - 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, - 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, - 0x49, 
0x4e, 0x5f, 0x43, 0x4f, 0x4e, 0x54, 0x41, 0x49, 0x4e, 0x53, 0x10, 0x03, 0x2a, 0x90, 0x01, - 0x0a, 0x18, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, 0x6f, 0x6f, 0x6c, 0x65, - 0x61, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2b, 0x0a, 0x27, 0x43, 0x4f, - 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, - 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, - 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x43, 0x4f, 0x4e, 0x44, 0x49, - 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, - 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x44, 0x10, 0x01, 0x12, 0x22, 0x0a, 0x1e, - 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, - 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4f, 0x52, 0x10, 0x02, - 0x2a, 0x9a, 0x01, 0x0a, 0x13, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, 0x69, 0x63, 0x4b, 0x65, - 0x79, 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x27, 0x0a, 0x23, 0x4b, 0x41, 0x53, 0x5f, - 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, - 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, - 0x00, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, - 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x52, 0x53, 0x41, - 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x28, 0x0a, 0x24, 0x4b, 0x41, 0x53, 0x5f, 0x50, - 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, - 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, 0x36, 0x52, 0x31, 0x10, - 0x05, 0x22, 0x04, 0x08, 0x02, 0x10, 0x04, 0x22, 0x04, 0x08, 0x06, 0x10, 0x64, 0x42, 0x82, 0x01, - 0x0a, 0x0a, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 
0x6f, 0x6c, 0x69, 0x63, 0x79, 0x42, 0x0c, 0x4f, 0x62, - 0x6a, 0x65, 0x63, 0x74, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, 0x5a, 0x2e, 0x67, 0x69, - 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, 0x6e, 0x74, 0x64, 0x66, - 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x63, - 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xa2, 0x02, 0x03, 0x50, - 0x58, 0x58, 0xaa, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xca, 0x02, 0x06, 0x50, 0x6f, - 0x6c, 0x69, 0x63, 0x79, 0xe2, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x5c, 0x47, 0x50, - 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, - 0x63, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, + 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, + 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, + 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, + 0x4c, 0x4c, 0x5f, 0x4f, 0x46, 0x10, 0x01, 0x12, 0x23, 0x0a, 0x1f, 0x41, 0x54, 0x54, 0x52, 0x49, + 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, + 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x59, 0x5f, 0x4f, 0x46, 0x10, 0x02, 0x12, 0x26, 0x0a, 0x22, + 0x41, 0x54, 0x54, 0x52, 0x49, 0x42, 0x55, 0x54, 0x45, 0x5f, 0x52, 0x55, 0x4c, 0x45, 0x5f, 0x54, + 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x48, 0x49, 0x45, 0x52, 0x41, 0x52, 0x43, + 0x48, 0x59, 0x10, 0x03, 0x2a, 0xca, 0x01, 0x0a, 0x1a, 0x53, 0x75, 0x62, 0x6a, 0x65, 0x63, 0x74, + 0x4d, 0x61, 0x70, 0x70, 0x69, 0x6e, 0x67, 0x4f, 0x70, 0x65, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x45, + 0x6e, 0x75, 0x6d, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, + 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, + 0x45, 0x4e, 0x55, 
0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, + 0x10, 0x00, 0x12, 0x24, 0x0a, 0x20, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, + 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, + 0x4e, 0x55, 0x4d, 0x5f, 0x49, 0x4e, 0x10, 0x01, 0x12, 0x28, 0x0a, 0x24, 0x53, 0x55, 0x42, 0x4a, + 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, + 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x4e, 0x4f, 0x54, 0x5f, 0x49, 0x4e, + 0x10, 0x02, 0x12, 0x2d, 0x0a, 0x29, 0x53, 0x55, 0x42, 0x4a, 0x45, 0x43, 0x54, 0x5f, 0x4d, 0x41, + 0x50, 0x50, 0x49, 0x4e, 0x47, 0x5f, 0x4f, 0x50, 0x45, 0x52, 0x41, 0x54, 0x4f, 0x52, 0x5f, 0x45, + 0x4e, 0x55, 0x4d, 0x5f, 0x49, 0x4e, 0x5f, 0x43, 0x4f, 0x4e, 0x54, 0x41, 0x49, 0x4e, 0x53, 0x10, + 0x03, 0x2a, 0x90, 0x01, 0x0a, 0x18, 0x43, 0x6f, 0x6e, 0x64, 0x69, 0x74, 0x69, 0x6f, 0x6e, 0x42, + 0x6f, 0x6f, 0x6c, 0x65, 0x61, 0x6e, 0x54, 0x79, 0x70, 0x65, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x2b, + 0x0a, 0x27, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, + 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, + 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x23, 0x0a, 0x1f, 0x43, + 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, 0x4f, 0x4c, 0x45, 0x41, 0x4e, + 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x41, 0x4e, 0x44, 0x10, 0x01, + 0x12, 0x22, 0x0a, 0x1e, 0x43, 0x4f, 0x4e, 0x44, 0x49, 0x54, 0x49, 0x4f, 0x4e, 0x5f, 0x42, 0x4f, + 0x4f, 0x4c, 0x45, 0x41, 0x4e, 0x5f, 0x54, 0x59, 0x50, 0x45, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, + 0x4f, 0x52, 0x10, 0x02, 0x2a, 0x9a, 0x01, 0x0a, 0x13, 0x4b, 0x61, 0x73, 0x50, 0x75, 0x62, 0x6c, + 0x69, 0x63, 0x4b, 0x65, 0x79, 0x41, 0x6c, 0x67, 0x45, 0x6e, 0x75, 0x6d, 0x12, 0x27, 0x0a, 0x23, + 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 
0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, + 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, + 0x49, 0x45, 0x44, 0x10, 0x00, 0x12, 0x24, 0x0a, 0x20, 0x4b, 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, + 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, + 0x5f, 0x52, 0x53, 0x41, 0x5f, 0x32, 0x30, 0x34, 0x38, 0x10, 0x01, 0x12, 0x28, 0x0a, 0x24, 0x4b, + 0x41, 0x53, 0x5f, 0x50, 0x55, 0x42, 0x4c, 0x49, 0x43, 0x5f, 0x4b, 0x45, 0x59, 0x5f, 0x41, 0x4c, + 0x47, 0x5f, 0x45, 0x4e, 0x55, 0x4d, 0x5f, 0x45, 0x43, 0x5f, 0x53, 0x45, 0x43, 0x50, 0x32, 0x35, + 0x36, 0x52, 0x31, 0x10, 0x05, 0x22, 0x04, 0x08, 0x02, 0x10, 0x04, 0x22, 0x04, 0x08, 0x06, 0x10, + 0x64, 0x42, 0x82, 0x01, 0x0a, 0x0a, 0x63, 0x6f, 0x6d, 0x2e, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0x42, 0x0c, 0x4f, 0x62, 0x6a, 0x65, 0x63, 0x74, 0x73, 0x50, 0x72, 0x6f, 0x74, 0x6f, 0x50, 0x01, + 0x5a, 0x2e, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x6f, 0x70, 0x65, + 0x6e, 0x74, 0x64, 0x66, 0x2f, 0x70, 0x6c, 0x61, 0x74, 0x66, 0x6f, 0x72, 0x6d, 0x2f, 0x70, 0x72, + 0x6f, 0x74, 0x6f, 0x63, 0x6f, 0x6c, 0x2f, 0x67, 0x6f, 0x2f, 0x70, 0x6f, 0x6c, 0x69, 0x63, 0x79, + 0xa2, 0x02, 0x03, 0x50, 0x58, 0x58, 0xaa, 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xca, + 0x02, 0x06, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0xe2, 0x02, 0x12, 0x50, 0x6f, 0x6c, 0x69, 0x63, + 0x79, 0x5c, 0x47, 0x50, 0x42, 0x4d, 0x65, 0x74, 0x61, 0x64, 0x61, 0x74, 0x61, 0xea, 0x02, 0x06, + 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33, } var ( diff --git a/service/policy/objects.proto b/service/policy/objects.proto index 12ca2e1ba2..675b041e88 100644 --- a/service/policy/objects.proto +++ b/service/policy/objects.proto 
@@ -307,7 +307,7 @@ message PublicKey {
 
 // public key; PEM of RSA public key; prefer `cached`
 string local = 2 [
- deprecated = true,
+ deprecated = true
 ];
 
 // public key with additional information. Current preferred version
From c691a1050f36221bee7e943ab4b8d4953da51167 Mon Sep 17 00:00:00 2001
From: David Mihalcik
Date: Mon, 19 Aug 2024 16:35:12 -0500
Subject: [PATCH 08/10] updates

---
 service/integration/kas_registry_test.go | 31 ++++++++++++-------
 service/internal/fixtures/fixtures.go | 5 +--
 .../internal/fixtures/policy_fixtures.yaml | 6 +++-
 3 files changed, 27 insertions(+), 15 deletions(-)

diff --git a/service/integration/kas_registry_test.go b/service/integration/kas_registry_test.go
index 727f413f5c..f08a61adbc 100644
--- a/service/integration/kas_registry_test.go
+++ b/service/integration/kas_registry_test.go
@@ -59,7 +59,7 @@ func (s *KasRegistrySuite) Test_ListKeyAccessServers() {
 if item.GetPublicKey().GetRemote() != "" {
 s.Equal(fixture.PubKey.Remote, item.GetPublicKey().GetRemote())
 } else {
- s.Equal(fixture.PubKey.Local, item.GetPublicKey().GetLocal())
+ s.Equal(fixture.PubKey.Cached, item.GetPublicKey().GetCached())
 }
 s.Equal(fixture.URI, item.GetUri())
 }
@@ -83,7 +83,7 @@ func (s *KasRegistrySuite) Test_GetKeyAccessServer() {
 s.NotNil(local)
 s.Equal(localFixture.ID, local.GetId())
 s.Equal(localFixture.URI, local.GetUri())
- s.Equal(localFixture.PubKey.Local, local.GetPublicKey().GetLocal())
+ s.Equal(localFixture.PubKey.Cached, local.GetPublicKey().GetCached())
 }
 
 func (s *KasRegistrySuite) Test_GetKeyAccessServer_WithNonExistentId_Fails() {
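Review bot: `s.Equal(fixture.PubKey.Cached, item.GetPublicKey().GetCached())` in `Test_ListKeyAccessServers` (and the same assertion in `Test_GetKeyAccessServer` in the next hunk) compares two protobuf messages with testify's deep equality, which also looks at the generated message's internal fields (`state`, `sizeCache`, `unknownFields`); a message that has been through the database round-trip can differ there from a freshly built fixture, so the assertion is at best fragile. Use `proto.Equal` instead, `s.True(proto.Equal(fixture.PubKey.Cached, item.GetPublicKey().GetCached()))`, or compare `GetKeys()` entry by entry on `GetPem()`, `GetKid()` and `GetAlg()`.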
@@ -231,7 +231,8 @@ func (s *KasRegistrySuite) Test_UpdateKeyAccessServer_Everything() {
 s.Equal(created.GetId(), got.GetId())
 s.Equal(updatedURI, got.GetUri())
 s.Equal(updatedPubKeyRemote, got.GetPublicKey().GetRemote())
- s.Zero(got.GetPublicKey().GetLocal())
+ s.Zero(got.GetPublicKey().GetLocal()) //nolint:staticcheck // deprecated but this is a test
+ s.Zero(got.GetPublicKey().GetCached())
 s.Equal(fixedLabel, got.GetMetadata().GetLabels()["fixed"])
 s.Equal(updatedLabel, got.GetMetadata().GetLabels()["update"])
 s.Equal(newLabel, got.GetMetadata().GetLabels()["new"])
@@ -275,7 +276,7 @@ func (s *KasRegistrySuite) Test_UpdateKeyAccessServer_Metadata_DoesNotAlterOther
 s.Equal(created.GetId(), got.GetId())
 s.Equal(uri, got.GetUri())
 s.Equal(pubKeyRemote, got.GetPublicKey().GetRemote())
- s.Zero(got.GetPublicKey().GetLocal())
+ s.Zero(got.GetPublicKey().GetCached())
 s.Equal("new label", got.GetMetadata().GetLabels()["new"])
 }
 
@@ -310,7 +311,8 @@ func (s *KasRegistrySuite) Test_UpdateKeyAccessServer_Uri_DoesNotAlterOtherValue
 s.Equal(created.GetId(), got.GetId())
 s.Equal(updatedURI, got.GetUri())
 s.Equal(pubKeyRemote, got.GetPublicKey().GetRemote())
- s.Zero(got.GetPublicKey().GetLocal())
+ s.Zero(got.GetPublicKey().GetLocal()) //nolint:staticcheck // deprecated but this is a test
+ s.Zero(got.GetPublicKey().GetCached())
 s.Nil(got.GetMetadata().GetLabels())
 }
 
@@ -318,7 +320,16 @@ func (s *KasRegistrySuite) Test_UpdateKeyAccessServer_Uri_DoesNotAlterOtherValue func (s *KasRegistrySuite) Test_UpdateKeyAccessServer_PublicKey_DoesNotAlterOtherValues() { uri := "before_pubkey_only.com" pubKeyRemote := "https://remote.com/key" - updatedPubKeyLocal := "my_key" + updatedKeySet := &policy.KasPublicKeySet{ + Keys: []*policy.KasPublicKey{ + &policy.KasPublicKey{}, + }, + } + updatedPubKey := &policy.PublicKey{ + PublicKey: &policy.PublicKey_Cached{ + Cached: updatedKeySet, + }, + } // create a test KAS created, err := s.db.PolicyClient.CreateKeyAccessServer(s.ctx, &kasregistry.CreateKeyAccessServerRequest{ @@ -339,11 +350,7 @@ func (s *KasRegistrySuite) Test_UpdateKeyAccessServer_PublicKey_DoesNotAlterOthe // update it with new key updated, err := s.db.PolicyClient.UpdateKeyAccessServer(s.ctx, created.GetId(), &kasregistry.UpdateKeyAccessServerRequest{ - PublicKey: &policy.PublicKey{ - PublicKey: &policy.PublicKey_Local{ - Local: updatedPubKeyLocal, - }, - }, + PublicKey: updatedPubKey, }) s.Require().NoError(err) s.NotNil(updated) @@ -354,7 +361,7 @@ func (s *KasRegistrySuite) Test_UpdateKeyAccessServer_PublicKey_DoesNotAlterOthe s.NotNil(got) s.Equal(created.GetId(), got.GetId()) s.Equal(uri, got.GetUri()) - s.Equal(updatedPubKeyLocal, got.GetPublicKey().GetLocal()) + s.Equal(updatedKeySet, got.GetPublicKey().GetCached()) s.Zero(got.GetPublicKey().GetRemote()) s.Equal("unchanged label", got.GetMetadata().GetLabels()["unchanged"]) } diff --git a/service/internal/fixtures/fixtures.go b/service/internal/fixtures/fixtures.go index 240090f4c7..d4eb049a5f 100644 --- a/service/internal/fixtures/fixtures.go +++ b/service/internal/fixtures/fixtures.go @@ -6,6 +6,7 @@ import ( "log/slog" "os" + policypb "github.com/opentdf/platform/protocol/go/policy" "github.com/opentdf/platform/service/policy" "gopkg.in/yaml.v2" ) 
@@ -93,8 +94,8 @@ type FixtureDataKasRegistry struct { ID string `yaml:"id"` URI string `yaml:"uri"` PubKey struct { - Remote string `yaml:"remote" json:"remote,omitempty"` - Local string `yaml:"local" json:"local,omitempty"` + Remote string `yaml:"remote" json:"remote,omitempty"` + Cached *policypb.KasPublicKeySet `yaml:"cached" json:"cached,omitempty"` } `yaml:"public_key" json:"public_key"` } diff --git a/service/internal/fixtures/policy_fixtures.yaml b/service/internal/fixtures/policy_fixtures.yaml index f540131670..a47ac03292 100644 --- a/service/internal/fixtures/policy_fixtures.yaml +++ b/service/internal/fixtures/policy_fixtures.yaml @@ -424,4 +424,8 @@ kas_registry: id: e36640a6-61c5-4d4c-a45b-0e0a26d1c45f uri: https://local.kas.com:3000 public_key: - local: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ6ekNDQVhXZ0F3SUJBZ0lVT1J1VjNhdlU5QUU2enNCNlp4eWxsSHBpNWQ0d0NnWUlLb1pJemowRUF3SXcKUFRFTE1Ba0dBMVVFQmhNQ2RYTXhDekFKQmdOVkJBZ01BbU4wTVNFd0h3WURWUVFLREJoSmJuUmxjbTVsZENCWAphV1JuYVhSeklGQjBlU0JNZEdRd0hoY05NalF3TVRBeU1UWTFOalUyV2hjTk1qVXdNVEF4TVRZMU5qVTJXakE5Ck1Rc3dDUVlEVlFRR0V3SjFjekVMTUFrR0ExVUVDQXdDWTNReElUQWZCZ05WQkFvTUdFbHVkR1Z5Ym1WMElGZHAKWkdkcGRITWdVSFI1SUV4MFpEQlpNQk1HQnlxR1NNNDlBZ0VHQ0NxR1NNNDlBd0VIQTBJQUJMVjlmQ0pIRC9rYwpyWHJVSFF3QVp4ME1jMGRQdkxqc0ovb2pFdE1NbjBST2RlT3g4eWd4Z2NRVEZGQXh5Q3RCdWFkaEFkbS9pVkh0CjhnMkVNejVkTzNXalV6QlJNQjBHQTFVZERnUVdCQlFZTmt1aytKSXVSV3luK2JFOHNCaFJ3MjdPVlRBZkJnTlYKSFNNRUdEQVdnQlFZTmt1aytKSXVSV3luK2JFOHNCaFJ3MjdPVlRBUEJnTlZIUk1CQWY4RUJUQURBUUgvTUFvRwpDQ3FHU000OUJBTUNBMGdBTUVVQ0lRQ0FCMmppWWU4QVk2TUo0QURQU1FHRTQ3K2Eza1dGTGNHc0pob1pieHRnClV3SWdjZklJdVBmaDRmYmN2OGNUaTJCbEkzazdzV1B1QW1JRlZyaUkyZDNVeDVRPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== + cached: + keys: + - pem: 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 + kid: r1 + alg: "rsa:2048" From f3042d90732187fa6b45702fbd3ddd0966b8a3f5 Mon Sep 17 00:00:00 2001 
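Review bot: `Cached *policypb.KasPublicKeySet` has yaml.v2 decode fixture data straight into a generated protobuf struct. yaml.v2 does not read the json tags on those structs and matches keys by lower-casing the Go field name, and the Alg field is an int32 enum that only accepts its numeric value (the later change of the fixture from `alg: "rsa:2048"` to `alg: 1` looks like exactly that mismatch), so the fixture format is dictated by code-generation details that nothing in this file documents. Consider a plain fixture struct with explicit yaml tags (pem, kid and an int32 alg) converted to a KasPublicKeySet in the test; at minimum add a comment above the field, `// decoded by yaml.v2 via lower-cased proto field names; alg must be the enum's integer value`.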
From: David Mihalcik Date: Mon, 19 Aug 2024 16:42:11 -0500 Subject: [PATCH 09/10] fixups --- service/integration/kas_registry_test.go | 6 +++++- service/internal/fixtures/policy_fixtures.yaml | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/service/integration/kas_registry_test.go b/service/integration/kas_registry_test.go index f08a61adbc..9f9c73c6d5 100644 --- a/service/integration/kas_registry_test.go +++ b/service/integration/kas_registry_test.go @@ -322,7 +322,11 @@ func (s *KasRegistrySuite) Test_UpdateKeyAccessServer_PublicKey_DoesNotAlterOthe pubKeyRemote := "https://remote.com/key" updatedKeySet := &policy.KasPublicKeySet{ Keys: []*policy.KasPublicKey{ - &policy.KasPublicKey{}, + { + Pem: "some-pem-data", + Alg: policy.KasPublicKeyAlgEnum_KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048, + Kid: "r1", + }, }, } updatedPubKey := &policy.PublicKey{ diff --git a/service/internal/fixtures/policy_fixtures.yaml b/service/internal/fixtures/policy_fixtures.yaml index a47ac03292..538baa6786 100644 --- a/service/internal/fixtures/policy_fixtures.yaml +++ b/service/internal/fixtures/policy_fixtures.yaml @@ -428,4 +428,4 @@ kas_registry: keys: - pem: 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 kid: r1 - alg: "rsa:2048" + alg: 1 From 86406466d6810a1785de88ce9626fe4bfb81475d Mon Sep 17 00:00:00 2001 From: David Mihalcik Date: Mon, 19 Aug 2024 19:17:21 -0500 Subject: [PATCH 10/10] Update tdf_config.go --- sdk/tdf_config.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sdk/tdf_config.go b/sdk/tdf_config.go index 5c00803139..cd025d7176 100644 --- a/sdk/tdf_config.go +++ b/sdk/tdf_config.go 
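Review bot: `Pem: "some-pem-data"` is not a PEM block, yet the update is expected to succeed and round-trip unchanged, which suggests UpdateKeyAccessServer stores the string opaquely without parsing it or checking it against the declared Alg (inferred from this test; the service code is not in the diff). For a registry whose job is to tell clients which public key to wrap keys to, that deserves either an explicit comment on the test key, `// the registry stores the PEM opaquely; validity is the caller's responsibility`, or a tightening with a negative test that an unparseable PEM, or an RSA PEM declared as a different algorithm, is rejected. If validation is added later this fixture will need a real key anyway, so using a generated test key now avoids churn. The enclosing test function starts before and continues after the hunk.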
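Review bot: `alg: 1` is a bare enum ordinal whose meaning is invisible in the fixture; the previous `"rsa:2048"` was readable but presumably could not be decoded into the int32 enum field. Add a trailing comment so the next editor does not reintroduce the string form, `alg: 1 # KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048; yaml.v2 needs the enum's integer value`.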
@@ -117,7 +117,7 @@ func WithDataAttributes(attributes ...string) TDFOption {

 // WithDataAttributeValues appends the given data attributes to the bound policy.
 // Unlike `WithDataAttributes`, this will not trigger an attribute definition lookup
-// during That is, to use autoconfigure in an 'offline' context,
+// during autoconfigure. That is, to use autoconfigure in an 'offline' context,
 // you must first store the relevant attribute information locally and load
 // it to the `CreateTDF` method with this option.
 func WithDataAttributeValues(attributes ...*policy.Value) TDFOption {
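Review bot: The corrected comment still leaves the trust implication of this option unstated: because no attribute definition lookup happens, the `policy.Value` objects the caller supplies are what autoconfigure uses to build the key split plan, so a stale or tampered local copy silently changes which KAS ends up holding the key (inferred from the granter code moved earlier in this series; the body of WithDataAttributeValues continues outside the hunk). I would add one sentence to the doc comment: `// The caller is responsible for the freshness and integrity of the supplied values; autoconfigure trusts their grants as-is.`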