feat(kas): Add nano policy binding to rewrap audit. [backport to release/service/v0.11] #2878

opentdf-automation · 2025-11-04T22:30:16Z

Description

Backport of #2870 to release/service/v0.11.

### Proposed Changes 1.) Add nano policy binding to audit rewrap logs 2.) Bump sdk to version 0.10.1 ### Examples #### Nano - Encrypted Policy - Gmac ```json { "time": "2025-11-03T12:53:39.67596-06:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "ff1a2fe2-a942-11f0-9751-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "error" }, "actor": { "id": "260a3342-65d8-4056-8d17-b362c932b9dc", "attributes": [] }, "eventMetaData": { "algorithm": "ec:secp256r1", "keyID": "e1", "policyBinding": "69750779a948846a", "tdfFormat": "Nano" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "1eb13e08-963e-4abd-acfc-5a30fb3cb876", "timestamp": "2025-11-03T12:53:39-06:00" } } ``` #### Nano - Encrypted policy - ECDSA ```json { "time": "2025-11-03T13:06:52.920043-06:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "3c370940-b8e8-11f0-b395-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "success" }, "actor": { "id": "260a3342-65d8-4056-8d17-b362c932b9dc", "attributes": [] }, "eventMetaData": { "algorithm": "ec:secp256r1", "keyID": "e1", "policyBinding": "07eb1084ee0e3f982d9374c184e88840abe5caa272cde5dd14798224db13107a", "tdfFormat": "Nano" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "c27a751d-44a9-4866-beef-451b2fbef5ae", "timestamp": "2025-11-03T13:06:52-06:00" } } ``` #### Nano - Plaintext policy - GMAC ```json { "time": "2025-11-03T13:01:27.938945-06:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "7857a624-b8e7-11f0-aa9c-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "success" }, "actor": { "id": "260a3342-65d8-4056-8d17-b362c932b9dc", "attributes": [] }, "eventMetaData": { "algorithm": "ec:secp256r1", "keyID": "e1", "policyBinding": "342b5951d82676fa", "tdfFormat": "Nano" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "652cc0d2-fec8-49a4-8e0d-e5f01794bdaa", "timestamp": "2025-11-03T13:01:27-06:00" } } ``` #### Nano - Plaintext policy - ECDSA ```json { "time": "2025-11-03T13:03:17.645969-06:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "bb58d92a-b8e7-11f0-8556-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "success" }, "actor": { "id": "260a3342-65d8-4056-8d17-b362c932b9dc", "attributes": [] }, "eventMetaData": { "algorithm": "ec:secp256r1", "keyID": "e1", "policyBinding": "7f50b172ceae7cb4eff9cff1849fed1022bb0f1abeb924060f50fdd5876bb09b", "tdfFormat": "Nano" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "5a038826-43e8-42b6-9239-bd0cf3066cfd", "timestamp": "2025-11-03T13:03:17-06:00" } } ``` ### Checklist - [ ] I have added or updated unit tests - [ ] I have added or updated integration tests (if appropriate) - [ ] I have added or updated documentation ### Testing Instructions (cherry picked from commit a12d1d4)

github-actions · 2025-11-04T22:38:45Z

X-Test Failure Report

opentdf~~platform~~S4NQMT.dockerbuild
✅ java-v0.4.34
✅ js-v0.4.34
✅ go-v0.4.34

github-actions · 2025-11-04T22:38:46Z

X-Test Failure Report

opentdf~~platform~~RX36TJ.dockerbuild
✅ js-v0.4.34
✅ java-v0.4.34
✅ go-v0.4.34

github-actions · 2025-11-05T00:15:13Z

X-Test Failure Report

opentdf~~platform~~QO4PPZ.dockerbuild
✅ java-v0.4.34
✅ js-v0.4.34
✅ go-v0.4.34

…/service/v0.11] (#2879) # Description Backport of #2857 to `release/service/v0.11`. Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

### Proposed Changes 1.) Add nano policy binding to audit rewrap logs 2.) Bump sdk to version 0.10.1 ### Examples #### Nano - Encrypted Policy - Gmac ```json { "time": "2025-11-03T12:53:39.67596-06:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "ff1a2fe2-a942-11f0-9751-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "error" }, "actor": { "id": "260a3342-65d8-4056-8d17-b362c932b9dc", "attributes": [] }, "eventMetaData": { "algorithm": "ec:secp256r1", "keyID": "e1", "policyBinding": "69750779a948846a", "tdfFormat": "Nano" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "1eb13e08-963e-4abd-acfc-5a30fb3cb876", "timestamp": "2025-11-03T12:53:39-06:00" } } ``` #### Nano - Encrypted policy - ECDSA ```json { "time": "2025-11-03T13:06:52.920043-06:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "3c370940-b8e8-11f0-b395-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "success" }, "actor": { "id": "260a3342-65d8-4056-8d17-b362c932b9dc", "attributes": [] }, "eventMetaData": { "algorithm": "ec:secp256r1", "keyID": "e1", "policyBinding": "07eb1084ee0e3f982d9374c184e88840abe5caa272cde5dd14798224db13107a", "tdfFormat": "Nano" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "c27a751d-44a9-4866-beef-451b2fbef5ae", "timestamp": "2025-11-03T13:06:52-06:00" } } ``` #### Nano - Plaintext policy - GMAC ```json { "time": "2025-11-03T13:01:27.938945-06:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "7857a624-b8e7-11f0-aa9c-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "success" }, "actor": { "id": "260a3342-65d8-4056-8d17-b362c932b9dc", "attributes": [] }, "eventMetaData": { "algorithm": "ec:secp256r1", "keyID": "e1", "policyBinding": "342b5951d82676fa", "tdfFormat": "Nano" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "652cc0d2-fec8-49a4-8e0d-e5f01794bdaa", "timestamp": "2025-11-03T13:01:27-06:00" } } ``` #### Nano - Plaintext policy - ECDSA ```json { "time": "2025-11-03T13:03:17.645969-06:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "bb58d92a-b8e7-11f0-8556-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "success" }, "actor": { "id": "260a3342-65d8-4056-8d17-b362c932b9dc", "attributes": [] }, "eventMetaData": { "algorithm": "ec:secp256r1", "keyID": "e1", "policyBinding": "7f50b172ceae7cb4eff9cff1849fed1022bb0f1abeb924060f50fdd5876bb09b", "tdfFormat": "Nano" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "5a038826-43e8-42b6-9239-bd0cf3066cfd", "timestamp": "2025-11-03T13:03:17-06:00" } } ``` ### Checklist - [ ] I have added or updated unit tests - [ ] I have added or updated integration tests (if appropriate) - [ ] I have added or updated documentation ### Testing Instructions (cherry picked from commit a12d1d4)

…pentdf/platform into backport-2870-to-release/service/v0.11

github-actions · 2025-11-05T15:04:31Z

X-Test Failure Report

opentdf~~platform~~I4W324.dockerbuild
✅ java-v0.4.34
✅ js-v0.4.34
✅ go-v0.4.34

github-actions · 2025-11-05T15:07:40Z

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	183.641278ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric	Value
Approved Decision Requests	1000
Denied Decision Requests	0
Total Time	108.599315ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric	Value
Total Decrypts	100
Successful Decrypts	100
Failed Decrypts	0
Total Time	354.246751ms
Throughput	282.29 requests/second

TDF3 Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	42.928030557s
Average Latency	427.541493ms
Throughput	116.47 requests/second

NANOTDF Benchmark Results:

Metric	Value
Total Requests	5000
Successful Requests	5000
Failed Requests	0
Concurrent Requests	50
Total Time	29.832592212s
Average Latency	296.923177ms
Throughput	167.60 requests/second

github-actions · 2025-11-05T15:20:24Z

X-Test Results

opentdf~~platform~~BTPLFJ.dockerbuild
✅ js-v0.4.34
cukes-report
✅ java-v0.4.34
✅ go-v0.4.34
bats-test-results
test-cases-mapping-report
✅ js-pull-2878
✅ java-pull-2878
✅ go-pull-2878

opentdf-automation bot requested review from a team as code owners November 4, 2025 22:30

opentdf-automation bot mentioned this pull request Nov 4, 2025

feat(kas): Add nano policy binding to rewrap audit. #2870

Merged

3 tasks

opentdf-automation bot force-pushed the backport-2870-to-release/service/v0.11 branch from 63dc91d to befe7b9 Compare November 4, 2025 22:30

github-actions bot added comp:kas Key Access Server size/s labels Nov 4, 2025

opentdf-automation bot and others added 3 commits November 5, 2025 08:56

feat(sdk): Expose policy binding hash from Nano. [backport to release…

262eb53

…/service/v0.11] (#2879) # Description Backport of #2857 to `release/service/v0.11`. Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

Merge branch 'backport-2870-to-release/service/v0.11' of github.com:o…

d953f92

…pentdf/platform into backport-2870-to-release/service/v0.11

c-r33d requested a review from a team as a code owner November 5, 2025 15:02

c-r33d closed this Nov 5, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(kas): Add nano policy binding to rewrap audit. [backport to release/service/v0.11] #2878

feat(kas): Add nano policy binding to rewrap audit. [backport to release/service/v0.11] #2878

Uh oh!

opentdf-automation bot commented Nov 4, 2025

Uh oh!

github-actions bot commented Nov 4, 2025

Uh oh!

github-actions bot commented Nov 4, 2025

Uh oh!

github-actions bot commented Nov 5, 2025

Uh oh!

github-actions bot commented Nov 5, 2025

Uh oh!

github-actions bot commented Nov 5, 2025

Benchmark authorization.GetDecisions Results:

Benchmark authorization.v2.GetMultiResourceDecision Results:

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

TDF3 Benchmark Results:

NANOTDF Benchmark Results:

Uh oh!

github-actions bot commented Nov 5, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

feat(kas): Add nano policy binding to rewrap audit. [backport to release/service/v0.11] #2878

feat(kas): Add nano policy binding to rewrap audit. [backport to release/service/v0.11] #2878

Uh oh!

Conversation

opentdf-automation bot commented Nov 4, 2025

Description

Uh oh!

github-actions bot commented Nov 4, 2025

X-Test Failure Report

Uh oh!

github-actions bot commented Nov 4, 2025

X-Test Failure Report

Uh oh!

github-actions bot commented Nov 5, 2025

X-Test Failure Report

Uh oh!

github-actions bot commented Nov 5, 2025

X-Test Failure Report

Uh oh!

github-actions bot commented Nov 5, 2025

Benchmark authorization.GetDecisions Results:

Benchmark authorization.v2.GetMultiResourceDecision Results:

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

TDF3 Benchmark Results:

NANOTDF Benchmark Results:

Uh oh!

github-actions bot commented Nov 5, 2025

X-Test Results

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants