opentdf · jrschumacher · Mar 29, 2025 · Mar 29, 2025 · Mar 29, 2025 · Mar 29, 2025
@@ -59,10 +59,9 @@ type CustomRego struct {
 func NewRegistration() *serviceregistry.Service[authorizationconnect.AuthorizationServiceHandler] {
 	return &serviceregistry.Service[authorizationconnect.AuthorizationServiceHandler]{
 		ServiceOptions: serviceregistry.ServiceOptions[authorizationconnect.AuthorizationServiceHandler]{
-			Namespace:       "authorization",
-			ServiceDesc:     &authorization.AuthorizationService_ServiceDesc,
-			ConnectRPCFunc:  authorizationconnect.NewAuthorizationServiceHandler,
-			GRPCGatewayFunc: authorization.RegisterAuthorizationServiceHandler,
+			Namespace:      "authorization",
+			ServiceDesc:    &authorization.AuthorizationService_ServiceDesc,
+			ConnectRPCFunc: authorizationconnect.NewAuthorizationServiceHandler,
 			RegisterFunc: func(srp serviceregistry.RegistrationParams) (authorizationconnect.AuthorizationServiceHandler, serviceregistry.HandlerServer) {
 				var (
 					err             error

@@ -25,10 +25,9 @@ type EntityResolution struct {
 func NewRegistration() *serviceregistry.Service[entityresolutionconnect.EntityResolutionServiceHandler] {
 	return &serviceregistry.Service[entityresolutionconnect.EntityResolutionServiceHandler]{
 		ServiceOptions: serviceregistry.ServiceOptions[entityresolutionconnect.EntityResolutionServiceHandler]{
-			Namespace:       "entityresolution",
-			ServiceDesc:     &entityresolution.EntityResolutionService_ServiceDesc,
-			ConnectRPCFunc:  entityresolutionconnect.NewEntityResolutionServiceHandler,
-			GRPCGatewayFunc: entityresolution.RegisterEntityResolutionServiceHandler,
+			Namespace:      "entityresolution",
+			ServiceDesc:    &entityresolution.EntityResolutionService_ServiceDesc,
+			ConnectRPCFunc: entityresolutionconnect.NewEntityResolutionServiceHandler,
 			RegisterFunc: func(srp serviceregistry.RegistrationParams) (entityresolutionconnect.EntityResolutionServiceHandler, serviceregistry.HandlerServer) {
 				var inputConfig ERSConfig
 

@@ -41,6 +41,8 @@ var (
 		"/kas.AccessService/Info",
 		"/kas/kas_public_key",
 		"/kas/v2/kas_public_key",
+		"/kas_mux/kas_public_key",
+		"/kas_mux/v2/kas_public_key",
 		// HealthZ
 		"/healthz",
 		"/grpc.health.v1.Health/Check",

@@ -0,0 +1,86 @@
+package access
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"connectrpc.com/connect"
+	kaspb "github.com/opentdf/platform/protocol/go/kas" // Ensure this path is correct and matches the actual package location
+)
+
+type LegacyMuxEndpoint struct {
+	Method string
+	Path   string
+}
+
+var (
+	LegacyPublicKey = LegacyMuxEndpoint{
+		Method: "GET",
+		Path:   "/kas/kas_public_key",
+	}
+	LegacyPublicKeyV2 = LegacyMuxEndpoint{
+		Method: "GET",
+		Path:   "/kas/v2/kas_public_key",
+	}
+	LegacyRewrap = LegacyMuxEndpoint{
+		Method: "POST",
+		Path:   "/kas/v2/rewrap",
+	}
+)
+
+func (p *Provider) LegacyMuxHandlerPublicKey(w http.ResponseWriter, r *http.Request, _ map[string]string) {
+	// Example handler for PublicKey RPC
+	req := &kaspb.PublicKeyRequest{}
+	req.Reset()
+	connectReq := connect.NewRequest(req)
+	response, err := p.PublicKey(r.Context(), connectReq)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("Failed to get public key: %v", err), http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	responseBytes, err := json.Marshal(struct {
+		PublicKey string `json:"publicKey"`
+		Kid       string `json:"kid"`
+	}{
+		PublicKey: response.Msg.GetPublicKey(),
+		Kid:       response.Msg.GetKid(),
+	})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+	if _, err := w.Write(responseBytes); err != nil {
+		http.Error(w, "Failed to write response", http.StatusInternalServerError)
+		return
+	}
+}
+
+func (p *Provider) LegacyMuxHandlerRewrap(w http.ResponseWriter, r *http.Request, _ map[string]string) {
+	// Example handler for Rewrap RPC
+	req := &kaspb.RewrapRequest{}
+	req.Reset()
+	connectReq := connect.NewRequest(req)
+	response, err := p.Rewrap(r.Context(), connectReq)
+	if err != nil {
+		http.Error(w, fmt.Sprintf("Failed to get public key: %v", err), http.StatusInternalServerError)
+		return
+	}
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	responseBytes, err := json.Marshal(struct {
+		SessionPublicKey string `json:"sessionPublicKey"`
+	}{
+		SessionPublicKey: response.Msg.GetSessionPublicKey(),
+	})
+	if err != nil {
+		http.Error(w, "Failed to encode response", http.StatusInternalServerError)
+		return
+	}
+	if _, err := w.Write(responseBytes); err != nil {
+		http.Error(w, "Failed to write response", http.StatusInternalServerError)
+		return
+	}
+}
@@ -1,11 +1,13 @@
 package kas
 
 import (
+	"context"
 	"fmt"
 	"log/slog"
 	"net/url"
 	"strings"
 
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
 	"github.com/mitchellh/mapstructure"
 	kaspb "github.com/opentdf/platform/protocol/go/kas"
 	"github.com/opentdf/platform/protocol/go/kas/kasconnect"
@@ -16,12 +18,11 @@ import (
 func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler] {
 	return &serviceregistry.Service[kasconnect.AccessServiceHandler]{
 		ServiceOptions: serviceregistry.ServiceOptions[kasconnect.AccessServiceHandler]{
-			Namespace:       "kas",
-			ServiceDesc:     &kaspb.AccessService_ServiceDesc,
-			ConnectRPCFunc:  kasconnect.NewAccessServiceHandler,
-			GRPCGatewayFunc: kaspb.RegisterAccessServiceHandler,
+			Namespace:      "kas",
+			ServiceDesc:    &kaspb.AccessService_ServiceDesc,
+			ConnectRPCFunc: kasconnect.NewAccessServiceHandler,
 			RegisterFunc: func(srp serviceregistry.RegistrationParams) (kasconnect.AccessServiceHandler, serviceregistry.HandlerServer) {
-				// FIXME msg="mismatched key access url" keyAccessURL=http://localhost:9000 kasURL=https://:9000
+				// Existing logic for KAS setup
 				hostWithPort := srp.OTDF.HTTPServer.Addr
 				if strings.HasPrefix(hostWithPort, ":") {
 					hostWithPort = "localhost" + hostWithPort
@@ -54,7 +55,23 @@ func NewRegistration() *serviceregistry.Service[kasconnect.AccessServiceHandler]
 					srp.Logger.Error("failed to register kas readiness check", slog.String("error", err.Error()))
 				}
 
-				return p, nil
+				// Register the KAS legacy REST handlers for backwards compatibility
+				// These were previously handled by gRPC-gateway which is now deprecated
+				// legacy support is required to ensure TDFs are still accessible
+				handlerServer := func(_ context.Context, mux *runtime.ServeMux) error {
+					if err := mux.HandlePath(access.LegacyPublicKey.Method, access.LegacyPublicKey.Path, p.LegacyMuxHandlerPublicKey); err != nil {
+						return fmt.Errorf("failed to register handler for %s %s: %w", access.LegacyPublicKey.Method, access.LegacyPublicKey.Path, err)
+					}
+					if err := mux.HandlePath(access.LegacyPublicKeyV2.Method, access.LegacyPublicKeyV2.Path, p.LegacyMuxHandlerPublicKey); err != nil {
+						return fmt.Errorf("failed to register handler for %s %s: %w", access.LegacyPublicKeyV2.Method, access.LegacyPublicKeyV2.Path, err)
+					}
+					if err := mux.HandlePath(access.LegacyRewrap.Method, access.LegacyRewrap.Path, p.LegacyMuxHandlerRewrap); err != nil {
+						return fmt.Errorf("failed to register handler for %s %s: %w", access.LegacyRewrap.Method, access.LegacyRewrap.Path, err)
+					}
+					return nil
+				}
+
+				return p, handlerServer
 			},
 		},
 	}

@@ -188,11 +188,6 @@ func startServices(ctx context.Context, cfg config.Config, otdf *server.OpenTDFS
 				logger.Info("service did not register a connect-rpc handler", slog.String("namespace", ns))
 			}
 
-			// Register GRPC Gateway Handler using the in-process connect rpc
-			if err := svc.RegisterGRPCGatewayHandler(ctx, otdf.GRPCGatewayMux, otdf.ConnectRPCInProcess.Conn()); err != nil {
-				logger.Info("service did not register a grpc gateway handler", slog.String("namespace", ns))
-			}
-
 			// Register Extra Handlers
 			if err := svc.RegisterHTTPHandlers(ctx, otdf.GRPCGatewayMux); err != nil {
 				logger.Info("service did not register extra http handlers", slog.String("namespace", ns))

@@ -75,7 +75,6 @@ type IService interface {
 	IsStarted() bool
 	Shutdown() error
 	RegisterConnectRPCServiceHandler(context.Context, *server.ConnectRPC) error
-	RegisterGRPCGatewayHandler(context.Context, *runtime.ServeMux, *grpc.ClientConn) error
 	RegisterHTTPHandlers(context.Context, *runtime.ServeMux) error
 }
 
@@ -105,8 +104,6 @@ type ServiceOptions[S any] struct {
 	httpHandlerFunc HandlerServer
 	// ConnectRPCServiceHandler is the function that will be called to register the service with the
 	ConnectRPCFunc func(S, ...connect.HandlerOption) (string, http.Handler)
-	// Deprecated: Registers a gRPC service with the gRPC gateway
-	GRPCGatewayFunc func(ctx context.Context, mux *runtime.ServeMux, conn *grpc.ClientConn) error
 	// DB is optional and used to register the service with a database
 	DB DBRegister
 }
@@ -183,18 +180,6 @@ func (s *Service[S]) RegisterHTTPHandlers(ctx context.Context, mux *runtime.Serv
 	return s.httpHandlerFunc(ctx, mux)
 }
 
-// Deprecated: RegisterConnectRPCServiceHandler is deprecated and should not be used going forward.
-// We will be looking onto other alternatives like bufconnect to replace this.
-// RegisterConnectRPCServiceHandler registers an HTTP server with the service.
-// It takes a context, a ServeMux, and an implementation function as parameters.
-// If the service did not register a handler, it returns an error.
-func (s Service[S]) RegisterGRPCGatewayHandler(ctx context.Context, mux *runtime.ServeMux, conn *grpc.ClientConn) error {
-	if s.GRPCGatewayFunc == nil {
-		return fmt.Errorf("service did not register a handler")
-	}
-	return s.GRPCGatewayFunc(ctx, mux, conn)
-}
-
 // namespace represents a namespace in the service registry.
 type Namespace struct {
 	Mode     string

@@ -26,11 +26,10 @@ type AttributesService struct { //nolint:revive // AttributesService is a valid
 func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *serviceregistry.Service[attributesconnect.AttributesServiceHandler] {
 	return &serviceregistry.Service[attributesconnect.AttributesServiceHandler]{
 		ServiceOptions: serviceregistry.ServiceOptions[attributesconnect.AttributesServiceHandler]{
-			Namespace:       ns,
-			DB:              dbRegister,
-			ServiceDesc:     &attributes.AttributesService_ServiceDesc,
-			ConnectRPCFunc:  attributesconnect.NewAttributesServiceHandler,
-			GRPCGatewayFunc: attributes.RegisterAttributesServiceHandler,
+			Namespace:      ns,
+			DB:             dbRegister,
+			ServiceDesc:    &attributes.AttributesService_ServiceDesc,
+			ConnectRPCFunc: attributesconnect.NewAttributesServiceHandler,
 			RegisterFunc: func(srp serviceregistry.RegistrationParams) (attributesconnect.AttributesServiceHandler, serviceregistry.HandlerServer) {
 				cfg := policyconfig.GetSharedPolicyConfig(srp)
 				return &AttributesService{

@@ -37,11 +37,10 @@ type KeyAccessServerRegistry struct {
 func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *serviceregistry.Service[kasregistryconnect.KeyAccessServerRegistryServiceHandler] {
 	return &serviceregistry.Service[kasregistryconnect.KeyAccessServerRegistryServiceHandler]{
 		ServiceOptions: serviceregistry.ServiceOptions[kasregistryconnect.KeyAccessServerRegistryServiceHandler]{
-			Namespace:       ns,
-			DB:              dbRegister,
-			ServiceDesc:     &kasr.KeyAccessServerRegistryService_ServiceDesc,
-			ConnectRPCFunc:  kasregistryconnect.NewKeyAccessServerRegistryServiceHandler,
-			GRPCGatewayFunc: kasr.RegisterKeyAccessServerRegistryServiceHandler,
+			Namespace:      ns,
+			DB:             dbRegister,
+			ServiceDesc:    &kasr.KeyAccessServerRegistryService_ServiceDesc,
+			ConnectRPCFunc: kasregistryconnect.NewKeyAccessServerRegistryServiceHandler,
 			RegisterFunc: func(srp serviceregistry.RegistrationParams) (kasregistryconnect.KeyAccessServerRegistryServiceHandler, serviceregistry.HandlerServer) {
 				cfg := policyconfig.GetSharedPolicyConfig(srp)
 				return &KeyAccessServerRegistry{

@@ -26,11 +26,10 @@ type NamespacesService struct { //nolint:revive // NamespacesService is a valid
 func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *serviceregistry.Service[namespacesconnect.NamespaceServiceHandler] {
 	return &serviceregistry.Service[namespacesconnect.NamespaceServiceHandler]{
 		ServiceOptions: serviceregistry.ServiceOptions[namespacesconnect.NamespaceServiceHandler]{
-			Namespace:       ns,
-			DB:              dbRegister,
-			ServiceDesc:     &namespaces.NamespaceService_ServiceDesc,
-			ConnectRPCFunc:  namespacesconnect.NewNamespaceServiceHandler,
-			GRPCGatewayFunc: namespaces.RegisterNamespaceServiceHandler,
+			Namespace:      ns,
+			DB:             dbRegister,
+			ServiceDesc:    &namespaces.NamespaceService_ServiceDesc,
+			ConnectRPCFunc: namespacesconnect.NewNamespaceServiceHandler,
 			RegisterFunc: func(srp serviceregistry.RegistrationParams) (namespacesconnect.NamespaceServiceHandler, serviceregistry.HandlerServer) {
 				cfg := policyconfig.GetSharedPolicyConfig(srp)
 				ns := &NamespacesService{

@@ -25,11 +25,10 @@ type ResourceMappingService struct { //nolint:revive // ResourceMappingService i
 func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *serviceregistry.Service[resourcemappingconnect.ResourceMappingServiceHandler] {
 	return &serviceregistry.Service[resourcemappingconnect.ResourceMappingServiceHandler]{
 		ServiceOptions: serviceregistry.ServiceOptions[resourcemappingconnect.ResourceMappingServiceHandler]{
-			Namespace:       ns,
-			DB:              dbRegister,
-			ServiceDesc:     &resourcemapping.ResourceMappingService_ServiceDesc,
-			ConnectRPCFunc:  resourcemappingconnect.NewResourceMappingServiceHandler,
-			GRPCGatewayFunc: resourcemapping.RegisterResourceMappingServiceHandler,
+			Namespace:      ns,
+			DB:             dbRegister,
+			ServiceDesc:    &resourcemapping.ResourceMappingService_ServiceDesc,
+			ConnectRPCFunc: resourcemappingconnect.NewResourceMappingServiceHandler,
 			RegisterFunc: func(srp serviceregistry.RegistrationParams) (resourcemappingconnect.ResourceMappingServiceHandler, serviceregistry.HandlerServer) {
 				cfg := policyconfig.GetSharedPolicyConfig(srp)
 				return &ResourceMappingService{

@@ -25,11 +25,10 @@ type SubjectMappingService struct { //nolint:revive // SubjectMappingService is
 func NewRegistration(ns string, dbRegister serviceregistry.DBRegister) *serviceregistry.Service[subjectmappingconnect.SubjectMappingServiceHandler] {
 	return &serviceregistry.Service[subjectmappingconnect.SubjectMappingServiceHandler]{
 		ServiceOptions: serviceregistry.ServiceOptions[subjectmappingconnect.SubjectMappingServiceHandler]{
-			Namespace:       ns,
-			DB:              dbRegister,
-			ServiceDesc:     &sm.SubjectMappingService_ServiceDesc,
-			ConnectRPCFunc:  subjectmappingconnect.NewSubjectMappingServiceHandler,
-			GRPCGatewayFunc: sm.RegisterSubjectMappingServiceHandler,
+			Namespace:      ns,
+			DB:             dbRegister,
+			ServiceDesc:    &sm.SubjectMappingService_ServiceDesc,
+			ConnectRPCFunc: subjectmappingconnect.NewSubjectMappingServiceHandler,
 			RegisterFunc: func(srp serviceregistry.RegistrationParams) (subjectmappingconnect.SubjectMappingServiceHandler, serviceregistry.HandlerServer) {
 				cfg := policyconfig.GetSharedPolicyConfig(srp)
 				return &SubjectMappingService{

@@ -37,10 +37,9 @@ func RegisterConfiguration(namespace string, config any) error {
 func NewRegistration() *serviceregistry.Service[wellknownconfigurationconnect.WellKnownServiceHandler] {
 	return &serviceregistry.Service[wellknownconfigurationconnect.WellKnownServiceHandler]{
 		ServiceOptions: serviceregistry.ServiceOptions[wellknownconfigurationconnect.WellKnownServiceHandler]{
-			Namespace:       "wellknown",
-			ServiceDesc:     &wellknown.WellKnownService_ServiceDesc,
-			ConnectRPCFunc:  wellknownconfigurationconnect.NewWellKnownServiceHandler,
-			GRPCGatewayFunc: wellknown.RegisterWellKnownServiceHandler,
+			Namespace:      "wellknown",
+			ServiceDesc:    &wellknown.WellKnownService_ServiceDesc,
+			ConnectRPCFunc: wellknownconfigurationconnect.NewWellKnownServiceHandler,
 			RegisterFunc: func(srp serviceregistry.RegistrationParams) (wellknownconfigurationconnect.WellKnownServiceHandler, serviceregistry.HandlerServer) {
 				wk := &WellKnownService{logger: srp.Logger}
 				return wk, nil