opentdf · strantalis · Apr 28, 2025 · Apr 18, 2025 · Apr 18, 2025 · Apr 18, 2025
@@ -99,15 +99,19 @@ func encrypt(cmd *cobra.Command, args []string) error {
 		}
 	}
 
+	baseKasUrl := platformEndpoint
+	if !strings.HasPrefix(baseKasUrl, "http://") && !strings.HasPrefix(baseKasUrl, "https://") {
+		baseKasUrl = fmt.Sprintf("http://%s", baseKasUrl)
+	}
+
 	if !nanoFormat {
 		opts := []sdk.TDFOption{sdk.WithDataAttributes(dataAttributes...)}
 		if !autoconfigure {
 			opts = append(opts, sdk.WithAutoconfigure(autoconfigure))
 			opts = append(opts, sdk.WithWrappingKeyAlg(ocrypto.EC256Key))
 			opts = append(opts, sdk.WithKasInformation(
 				sdk.KASInfo{
-					// examples assume insecure http
-					URL:       fmt.Sprintf("http://%s", platformEndpoint),
+					URL:       baseKasUrl,
 					PublicKey: "",
 				}))
 		}
@@ -138,7 +142,7 @@ func encrypt(cmd *cobra.Command, args []string) error {
 		if collection > 0 {
 			nanoTDFConfig.EnableCollection()
 		}
-		err = nanoTDFConfig.SetKasURL(fmt.Sprintf("http://%s/kas", platformEndpoint))
+		err = nanoTDFConfig.SetKasURL(fmt.Sprintf("%s/kas", baseKasUrl))
 		if err != nil {
 			return err
 		}

@@ -29,7 +29,7 @@ func init() {
 	log.SetFlags(log.LstdFlags | log.Llongfile)
 	f := ExamplesCmd.PersistentFlags()
 	f.StringVarP(&clientCredentials, "creds", "", "opentdf-sdk:secret", "client id:secret credentials")
-	f.StringVarP(&platformEndpoint, "platformEndpoint", "e", "localhost:8080", "Platform Endpoint")
+	f.StringVarP(&platformEndpoint, "platformEndpoint", "e", "http://localhost:8080", "Platform Endpoint")
 	f.StringVarP(&tokenEndpoint, "tokenEndpoint", "t", "http://localhost:8888/auth/realms/opentdf/protocol/openid-connect/token", "OAuth token endpoint")
 	f.BoolVar(&storeCollectionHeaders, "storeCollectionHeaders", false, "Store collection headers")
 	f.BoolVar(&insecurePlaintextConn, "insecurePlaintextConn", false, "Use insecure plaintext connection")

@@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"
 	"io"
+	"log/slog"
 
 	"github.com/opentdf/platform/protocol/go/kas"
 )
@@ -17,8 +18,12 @@ type BulkTDF struct {
 }
 
 type BulkDecryptRequest struct {
-	TDFs    []*BulkTDF
-	TDFType TdfType
+	TDFs                  []*BulkTDF
+	TDF3DecryptOptions    []TDFReaderOption     // Options for TDF3 Decryptor
+	NanoTDFDecryptOptions []NanoTDFReaderOption // Options for Nano TDF Decryptor
+	TDFType               TdfType
+	kasAllowlist          AllowList
+	ignoreAllowList       bool
 }
 
 // BulkErrors List of Errors that Failed during Bulk Decryption
@@ -39,52 +44,111 @@ func FromBulkErrors(err error) ([]error, bool) {
 	return list, ok
 }
 
-type BulkDecryptOption func(request *BulkDecryptRequest)
+type BulkDecryptOption func(request *BulkDecryptRequest) error
 
 // WithTDFs Adds Lists of TDFs to be decrypted
 func WithTDFs(tdfs ...*BulkTDF) BulkDecryptOption {
-	return func(request *BulkDecryptRequest) {
+	return func(request *BulkDecryptRequest) error {
 		request.appendTDFs(tdfs...)
+		return nil
 	}
 }
 
 // WithTDFType Type of TDFs to be decrypted
 func WithTDFType(tdfType TdfType) BulkDecryptOption {
-	return func(request *BulkDecryptRequest) {
+	return func(request *BulkDecryptRequest) error {
 		request.TDFType = tdfType
+		return nil
 	}
 }
 
-func createBulkRewrapRequest(options ...BulkDecryptOption) *BulkDecryptRequest {
+func WithBulkKasAllowlist(kasList []string) BulkDecryptOption {
+	return func(request *BulkDecryptRequest) error {
+		allowlist, err := newAllowList(kasList)
+		if err != nil {
+			return fmt.Errorf("failed to create kas allowlist: %w", err)
+		}
+		request.kasAllowlist = allowlist
+		return nil
+	}
+}
+
+func WithBulkIgnoreAllowlist(ignore bool) BulkDecryptOption {
+	return func(request *BulkDecryptRequest) error {
+		request.ignoreAllowList = ignore
+		return nil
+	}
+}
+
+func WithTDF3DecryptOptions(options ...TDFReaderOption) BulkDecryptOption {
+	return func(request *BulkDecryptRequest) error {
+		request.TDF3DecryptOptions = append(request.TDF3DecryptOptions, options...)
+		return nil
+	}
+}
+
+func WithNanoTDFDecryptOptions(options ...NanoTDFReaderOption) BulkDecryptOption {
+	return func(request *BulkDecryptRequest) error {
+		request.NanoTDFDecryptOptions = append(request.NanoTDFDecryptOptions, options...)
+		return nil
+	}
+}
+
+func createBulkRewrapRequest(options ...BulkDecryptOption) (*BulkDecryptRequest, error) {
 	req := &BulkDecryptRequest{}
 	for _, opt := range options {
-		opt(req)
+		err := opt(req)
+		if err != nil {
+			return nil, err
+		}
 	}
-	return req
+	return req, nil
 }
 
-func (s SDK) createDecryptor(tdf *BulkTDF, tdfType TdfType) (decryptor, error) {
-	switch tdfType {
+func (s SDK) createDecryptor(tdf *BulkTDF, req *BulkDecryptRequest) (decryptor, error) {
+	switch req.TDFType {
 	case Nano:
-		decryptor := createNanoTDFDecryptHandler(tdf.Reader, tdf.Writer)
-		return decryptor, nil
+		return createNanoTDFDecryptHandler(tdf.Reader, tdf.Writer, req.NanoTDFDecryptOptions...)
 	case Standard:
-		return s.createTDF3DecryptHandler(tdf.Writer, tdf.Reader)
+		return s.createTDF3DecryptHandler(tdf.Writer, tdf.Reader, req.TDF3DecryptOptions...)
 	case Invalid:
 	}
-	return nil, fmt.Errorf("unknown tdf type: %s", tdfType)
+	return nil, fmt.Errorf("unknown tdf type: %s", req.TDFType)
 }
 
 // BulkDecrypt Decrypts a list of BulkTDF and if a partial failure of TDFs unable to be decrypted, BulkErrors would be returned.
 func (s SDK) BulkDecrypt(ctx context.Context, opts ...BulkDecryptOption) error {
-	bulkReq := createBulkRewrapRequest(opts...)
+	bulkReq, createError := createBulkRewrapRequest(opts...)
+	if createError != nil {
+		return fmt.Errorf("failed to create bulk rewrap request: %w", createError)
+	}
 	kasRewrapRequests := make(map[string][]*kas.UnsignedRewrapRequest_WithPolicyRequest)
 	tdfDecryptors := make(map[string]decryptor)
 	policyTDF := make(map[string]*BulkTDF)
 
+	if !bulkReq.ignoreAllowList && len(bulkReq.kasAllowlist) == 0 { //nolint:nestif // if kasAllowlist is not set, we get it from the registry
+		if s.KeyAccessServerRegistry != nil {
+			platformEndpoint, err := s.PlatformConfiguration.platformEndpoint()
+			if err != nil {
+				return fmt.Errorf("retrieving platformEndpoint failed: %w", err)
+			}
+			// if no kasAllowlist is set, we get the allowlist from the registry
+			allowlist, err := allowListFromKASRegistry(ctx, s.KeyAccessServerRegistry, platformEndpoint)
+			if err != nil {
+				return fmt.Errorf("failed to get allowlist from registry: %w", err)
+			}
+			bulkReq.kasAllowlist = allowlist
+			bulkReq.NanoTDFDecryptOptions = append(bulkReq.NanoTDFDecryptOptions, withNanoKasAllowlist(bulkReq.kasAllowlist))
+			bulkReq.TDF3DecryptOptions = append(bulkReq.TDF3DecryptOptions, withKasAllowlist(bulkReq.kasAllowlist))
+		} else {
+			slog.Error("No KAS allowlist provided and no KeyAccessServerRegistry available")
+			return errors.New("no KAS allowlist provided and no KeyAccessServerRegistry available")
+		}
+	}
+
 	for i, tdf := range bulkReq.TDFs {
 		policyID := fmt.Sprintf("policy-%d", i)
-		decryptor, err := s.createDecryptor(tdf, bulkReq.TDFType)
+		decryptor, err := s.createDecryptor(tdf, bulkReq) //nolint:contextcheck // dont want to change signature of LoadTDF
 		if err != nil {
 			tdf.Error = err
 			continue
@@ -106,7 +170,22 @@ func (s SDK) BulkDecrypt(ctx context.Context, opts ...BulkDecryptOption) error {
 	kasClient := newKASClient(s.dialOptions, s.tokenSource, s.kasSessionKey)
 	allRewrapResp := make(map[string][]kaoResult)
 	var err error
-	for _, rewrapRequests := range kasRewrapRequests {
+	for kasurl, rewrapRequests := range kasRewrapRequests {
+		if bulkReq.ignoreAllowList {
+			slog.Warn(fmt.Sprintf("KasAllowlist is ignored, kas url %s is allowed", kasurl))
+		} else if !bulkReq.kasAllowlist.IsAllowed(kasurl) {
+			// if kas url is not allowed, the result for each kao in each rewrap request is set to error
+			for _, req := range rewrapRequests {
+				id := req.GetPolicy().GetId()
+				for _, kao := range req.GetKeyAccessObjects() {
+					allRewrapResp[id] = append(allRewrapResp[id], kaoResult{
+						Error:             fmt.Errorf("KasAllowlist: kas url %s is not allowed", kasurl),
+						KeyAccessObjectID: kao.GetKeyAccessObjectId(),
+					})
+				}
+			}
+			continue
+		}
 		var rewrapResp map[string][]kaoResult
 		switch bulkReq.TDFType {
 		case Nano:

@@ -907,13 +907,20 @@ type NanoTDFDecryptHandler struct {
 
 	header    NanoTDFHeader
 	headerBuf []byte
+
+	config *NanoTDFReaderConfig
 }
 
-func createNanoTDFDecryptHandler(reader io.ReadSeeker, writer io.Writer) *NanoTDFDecryptHandler {
+func createNanoTDFDecryptHandler(reader io.ReadSeeker, writer io.Writer, opts ...NanoTDFReaderOption) (*NanoTDFDecryptHandler, error) {
+	nanoTdfReaderConfig, err := newNanoTDFReaderConfig(opts...)
+	if err != nil {
+		return nil, fmt.Errorf("newNanoTDFReaderConfig failed: %w", err)
+	}
 	return &NanoTDFDecryptHandler{
 		reader: reader,
 		writer: writer,
-	}
+		config: nanoTdfReaderConfig,
+	}, nil
 }
 
 func (n *NanoTDFDecryptHandler) getRawHeader() []byte {
@@ -942,6 +949,12 @@ func (n *NanoTDFDecryptHandler) CreateRewrapRequest(_ context.Context) (map[stri
 		return nil, err
 	}
 
+	if n.config.ignoreAllowList {
+		slog.Warn(fmt.Sprintf("KasAllowlist is ignored, kas url %s is allowed", kasURL))
+	} else if !n.config.kasAllowlist.IsAllowed(kasURL) {
+		return nil, fmt.Errorf("KasAllowlist: kas url %s is not allowed", kasURL)
+	}
+
 	req := &kas.UnsignedRewrapRequest_WithPolicyRequest{
 		KeyAccessObjects: []*kas.UnsignedRewrapRequest_WithKeyAccessObject{
 			{
@@ -1017,13 +1030,30 @@ func (n *NanoTDFDecryptHandler) Decrypt(_ context.Context, result []kaoResult) (
 }
 
 // ReadNanoTDF - read the nano tdf and return the decrypted data from it
-func (s SDK) ReadNanoTDF(writer io.Writer, reader io.ReadSeeker) (int, error) {
-	return s.ReadNanoTDFContext(context.Background(), writer, reader)
+func (s SDK) ReadNanoTDF(writer io.Writer, reader io.ReadSeeker, opts ...NanoTDFReaderOption) (int, error) {
+	return s.ReadNanoTDFContext(context.Background(), writer, reader, opts...)
 }
 
 // ReadNanoTDFContext - allows cancelling the reader
-func (s SDK) ReadNanoTDFContext(ctx context.Context, writer io.Writer, reader io.ReadSeeker) (int, error) {
-	handler := createNanoTDFDecryptHandler(reader, writer)
+func (s SDK) ReadNanoTDFContext(ctx context.Context, writer io.Writer, reader io.ReadSeeker, opts ...NanoTDFReaderOption) (int, error) {
+	handler, err := createNanoTDFDecryptHandler(reader, writer, opts...)
+	if err != nil {
+		return 0, fmt.Errorf("createNanoTDFDecryptHandler failed: %w", err)
+	}
+
+	if len(handler.config.kasAllowlist) == 0 && !handler.config.ignoreAllowList {
+		if s.KeyAccessServerRegistry != nil {
+			// retrieve the registered kases if not provided
+			allowList, err := allowListFromKASRegistry(ctx, s.KeyAccessServerRegistry, s.conn.Target())
+			if err != nil {
+				return 0, fmt.Errorf("allowListFromKASRegistry failed: %w", err)
+			}
+			handler.config.kasAllowlist = allowList
+		} else {
+			slog.Error("No KAS allowlist provided and no KeyAccessServerRegistry available")
+			return 0, errors.New("no KAS allowlist provided and no KeyAccessServerRegistry available")
+		}
+	}
 
 	symmetricKey, err := s.getNanoRewrapKey(ctx, handler)
 	if err != nil {

@@ -110,3 +110,48 @@ func WithECDSAPolicyBinding() NanoTDFOption {
 		return nil
 	}
 }
+
+type NanoTDFReaderConfig struct {
+	kasAllowlist    AllowList
+	ignoreAllowList bool
+}
+
+func newNanoTDFReaderConfig(opt ...NanoTDFReaderOption) (*NanoTDFReaderConfig, error) {
+	c := &NanoTDFReaderConfig{}
+
+	for _, o := range opt {
+		err := o(c)
+		if err != nil {
+			return nil, err
+		}
+	}
+
+	return c, nil
+}
+
+type NanoTDFReaderOption func(*NanoTDFReaderConfig) error
+
+func WithNanoKasAllowlist(kasList []string) NanoTDFReaderOption {
+	return func(c *NanoTDFReaderConfig) error {
+		allowlist, err := newAllowList(kasList)
+		if err != nil {
+			return fmt.Errorf("failed to create kas allowlist: %w", err)
+		}
+		c.kasAllowlist = allowlist
+		return nil
+	}
+}
+
+func withNanoKasAllowlist(allowlist AllowList) NanoTDFReaderOption {
+	return func(c *NanoTDFReaderConfig) error {
+		c.kasAllowlist = allowlist
+		return nil
+	}
+}
+
+func WithNanoIgnoreAllowlist(ignore bool) NanoTDFReaderOption {
+	return func(c *NanoTDFReaderConfig) error {
+		c.ignoreAllowList = ignore
+		return nil
+	}
+}