feat(kas): support HSM and standard crypto #497

sujankota · 2024-04-02T21:50:46Z

No description provided.

internal/security/hsm.go

services/kas/access/publicKey.go

sujankota · 2024-04-02T22:33:05Z

Still working on getting NanoTDF working for both HSM and standard crypto.

opentdf-example.yaml

internal/security/hsm.go

🤖 I have created a release *beep* *boop* --- ## [0.1.0](lib/ocrypto-v0.1.0...lib/ocrypto/v0.1.0) (2024-04-22) ### Features * **kas:** support HSM and standard crypto ([#497](#497)) ([f0cbe03](f0cbe03)) * **PLAT-3112:** Add Elliptic Curve functionality to support nanotdf ([#576](#576)) ([504482a](504482a)) * **PLAT-3112:** Initial consumption of ec_key_pair functions by nanotdf ([#586](#586)) ([5e2cba0](5e2cba0)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [0.1.0](sdk-v0.1.0...sdk/v0.1.0) (2024-04-22) ### Features * add structured schema policy config ([#51](#51)) ([8a6b876](8a6b876)) * **auth:** add authorization via casbin ([#417](#417)) ([292f2bd](292f2bd)) * in-process service to service communication ([#311](#311)) ([ec5eb76](ec5eb76)) * **kas:** support HSM and standard crypto ([#497](#497)) ([f0cbe03](f0cbe03)) * key access server assignments ([#111](#111)) ([a48d686](a48d686)), closes [#117](#117) * key access server registry impl ([#66](#66)) ([cf6b3c6](cf6b3c6)) * **namespaces CRUD:** protos, generated SDK, db interactivity for namespaces table ([#54](#54)) ([b3f32b1](b3f32b1)) * **PLAT-3112:** Initial consumption of ec_key_pair functions by nanotdf ([#586](#586)) ([5e2cba0](5e2cba0)) * **policy:** add FQN pivot table ([#208](#208)) ([abb734c](abb734c)) * **policy:** add soft-delete/deactivation to namespaces, attribute definitions, attribute values [#96](#96) [#108](#108) ([#191](#191)) ([02e92a6](02e92a6)) * **resourcemapping:** resource mapping implementation ([#83](#83)) ([c144db1](c144db1)) * **sdk:** BACK-1966 get auth wired up to SDK using `Options` ([#271](#271)) ([f1bacab](f1bacab)) * **sdk:** BACK-1966 implement fetching a DPoP token ([#45](#45)) ([dbd3cf9](dbd3cf9)) * **sdk:** BACK-1966 make the unwrapper retrieve public keys as well ([#260](#260)) ([7d051a1](7d051a1)) * **sdk:** BACK-1966 pull rewrap into auth config ([#252](#252)) ([84017aa](84017aa)) * **sdk:** Include auth token in grpc ([#367](#367)) ([75cb5cd](75cb5cd)) * **sdk:** normalize token exchange ([#546](#546)) ([9059dff](9059dff)) * **sdk:** Pass dpop key through to `rewrap` ([#435](#435)) ([2d283de](2d283de)) * **sdk:** read `expires_in` from token response and use it to refresh access tokens ([#445](#445)) ([8ecbe79](8ecbe79)) * **sdk:** sdk stub ([#10](#10)) ([8dfca6a](8dfca6a)) * **sdk:** take a function so that callers can use this the way that they want ([#340](#340)) ([72059cb](72059cb)) * **subject-mappings:** refactor to meet db schema ([#59](#59)) ([59a073b](59a073b)) * **tdf:** implement tdf3 encrypt and decrypt ([#73](#73)) ([9d0e0a0](9d0e0a0)) * **tdf:** sdk interface changes ([#123](#123)) ([2aa2422](2aa2422)) * **tdf:** sdk interface cleanup ([#201](#201)) ([6f7d815](6f7d815)) * **tdf:** TDFOption varargs interface ([#235](#235)) ([b3fb720](b3fb720)) ### Bug Fixes * **archive:** remove 10gb zip file test ([#373](#373)) ([6548f55](6548f55)) * attribute missing rpc method for listing attribute values ([#69](#69)) ([1b3a831](1b3a831)) * **attribute value:** fixes attribute value crud ([#86](#86)) ([568df9c](568df9c)) * **issue 90:** remove duplicate attribute_id from attribute value create/update, and consumes schema setup changes in namespaces that were introduced for integration testing ([#100](#100)) ([e0f6d07](e0f6d07)) * **issue-124:** SDK kas registry import name mismatch ([#125](#125)) ([112638b](112638b)), closes [#124](#124) * **proto/acre:** fix resource encoding service typo ([#30](#30)) ([fe709d2](fe709d2)) * remove padding when b64 encoding ([#437](#437)) ([d40e94a](d40e94a)) * SDK Quickstart ([#628](#628)) ([f27ab98](f27ab98)) * **sdk:** change unwrapper creation ([#346](#346)) ([9206435](9206435)) * **sdk:** double bearer token in auth config ([#350](#350)) ([1bf4699](1bf4699)) * **sdk:** fixes Manifests JSONs with OIDC ([#140](#140)) ([a4b6937](a4b6937)) * **sdk:** handle err ([#548](#548)) ([ebabb6c](ebabb6c)) * **sdk:** make KasInfo fields public ([#320](#320)) ([9a70498](9a70498)) * **sdk:** shutdown conn ([#352](#352)) ([3def038](3def038)) * **sdk:** temporarily move unwrapper creation into options func. ([#309](#309)) ([b34c2fe](b34c2fe)) * **sdk:** use the dialoptions even with no client credentials ([#400](#400)) ([a7f1908](a7f1908)) * **security:** add a new encryption keypair different from dpop keypair ([#461](#461)) ([7deb51e](7deb51e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [0.1.0](service-v0.1.0...service/v0.1.0) (2024-04-22) ### ⚠ BREAKING CHANGES * Singular platform/service ([#511](#511)) ### Features * ability to add public routes that bypass authn middleware ([#601](#601)) ([7c65308](7c65308)) * ability to set config key or config file from root cmd ([#502](#502)) ([56a0131](56a0131)) * allow --insecure in provision keycloak cmd ([#629](#629)) ([a672325](a672325)) * **kas:** support HSM and standard crypto ([#497](#497)) ([f0cbe03](f0cbe03)) * **opa:** Adding jq OPA builtin for selection ([#527](#527)) ([d4ab17a](d4ab17a)) * **policy:** add `created_at` and `updated_at` timestamps to metadata ([#538](#538)) ([e812563](e812563)) * **policy:** update fixtures, proto comments, and proto field names to reflect use of jq selector syntax within Conditions of Subject Sets ([#523](#523)) ([16f40f7](16f40f7)) * **sdk:** don't require `client_id` in the auth token ([#544](#544)) ([a1e70f9](a1e70f9)) * **sdk:** normalize token exchange ([#546](#546)) ([9059dff](9059dff)) ### Bug Fixes * **authorization:** Hierarchy working in GetDecisions ([#519](#519)) ([2856485](2856485)) * **core:** allow org-admin casbin role to call KAS rewrap endpoint ([#579](#579)) ([a64c62a](a64c62a)) * **core:** fix panic on nil pointer dereference by passing KAS the SDK instance on registration ([#574](#574)) ([327bfca](327bfca)) * **core:** fixes fixtures provisioning after filepath change with repo restructuring ([#521](#521)) ([f128e9f](f128e9f)) * load extraprops for a service config with remainder values ([#524](#524)) ([d3d72dc](d3d72dc)) * **PLAT-3069:** opentdf/platform, gRPC: Namespace with existed attribute(s) can be deactivated w/o any prompts ([#489](#489)) ([e5a3324](e5a3324)) * **policy:** remove hardcoded schema in goose migration 20240405000000 ([#596](#596)) ([36c3b16](36c3b16)) * **policy:** return `created_at` and `updated_at` timestamps in CREATE metadata ([#557](#557)) ([fcaaeea](fcaaeea)) * resolves issues auth policy configuration ([#498](#498)) ([08e67cf](08e67cf)) * **service:** go.mod version fix sync ([#604](#604)) ([6323efd](6323efd)) * url encode db password field to handle special characters ([#624](#624)) ([5069f9d](5069f9d)) ### Code Refactoring * Singular platform/service ([#511](#511)) ([40c8b97](40c8b97)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [0.1.0](opentdf/platform@lib/ocrypto-v0.1.0...lib/ocrypto/v0.1.0) (2024-04-22) ### Features * **kas:** support HSM and standard crypto ([#497](opentdf/platform#497)) ([f0cbe03](opentdf/platform@f0cbe03)) * **PLAT-3112:** Add Elliptic Curve functionality to support nanotdf ([#576](opentdf/platform#576)) ([504482a](opentdf/platform@504482a)) * **PLAT-3112:** Initial consumption of ec_key_pair functions by nanotdf ([#586](opentdf/platform#586)) ([5e2cba0](opentdf/platform@5e2cba0)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [0.1.0](opentdf/platform@sdk-v0.1.0...sdk/v0.1.0) (2024-04-22) ### Features * add structured schema policy config ([#51](opentdf/platform#51)) ([8a6b876](opentdf/platform@8a6b876)) * **auth:** add authorization via casbin ([#417](opentdf/platform#417)) ([292f2bd](opentdf/platform@292f2bd)) * in-process service to service communication ([#311](opentdf/platform#311)) ([ec5eb76](opentdf/platform@ec5eb76)) * **kas:** support HSM and standard crypto ([#497](opentdf/platform#497)) ([f0cbe03](opentdf/platform@f0cbe03)) * key access server assignments ([#111](opentdf/platform#111)) ([a48d686](opentdf/platform@a48d686)), closes [#117](opentdf/platform#117) * key access server registry impl ([#66](opentdf/platform#66)) ([cf6b3c6](opentdf/platform@cf6b3c6)) * **namespaces CRUD:** protos, generated SDK, db interactivity for namespaces table ([#54](opentdf/platform#54)) ([b3f32b1](opentdf/platform@b3f32b1)) * **PLAT-3112:** Initial consumption of ec_key_pair functions by nanotdf ([#586](opentdf/platform#586)) ([5e2cba0](opentdf/platform@5e2cba0)) * **policy:** add FQN pivot table ([#208](opentdf/platform#208)) ([abb734c](opentdf/platform@abb734c)) * **policy:** add soft-delete/deactivation to namespaces, attribute definitions, attribute values [#96](opentdf/platform#96) [#108](opentdf/platform#108) ([#191](opentdf/platform#191)) ([02e92a6](opentdf/platform@02e92a6)) * **resourcemapping:** resource mapping implementation ([#83](opentdf/platform#83)) ([c144db1](opentdf/platform@c144db1)) * **sdk:** BACK-1966 get auth wired up to SDK using `Options` ([#271](opentdf/platform#271)) ([f1bacab](opentdf/platform@f1bacab)) * **sdk:** BACK-1966 implement fetching a DPoP token ([#45](opentdf/platform#45)) ([dbd3cf9](opentdf/platform@dbd3cf9)) * **sdk:** BACK-1966 make the unwrapper retrieve public keys as well ([#260](opentdf/platform#260)) ([7d051a1](opentdf/platform@7d051a1)) * **sdk:** BACK-1966 pull rewrap into auth config ([#252](opentdf/platform#252)) ([84017aa](opentdf/platform@84017aa)) * **sdk:** Include auth token in grpc ([#367](opentdf/platform#367)) ([75cb5cd](opentdf/platform@75cb5cd)) * **sdk:** normalize token exchange ([#546](opentdf/platform#546)) ([9059dff](opentdf/platform@9059dff)) * **sdk:** Pass dpop key through to `rewrap` ([#435](opentdf/platform#435)) ([2d283de](opentdf/platform@2d283de)) * **sdk:** read `expires_in` from token response and use it to refresh access tokens ([#445](opentdf/platform#445)) ([8ecbe79](opentdf/platform@8ecbe79)) * **sdk:** sdk stub ([#10](opentdf/platform#10)) ([8dfca6a](opentdf/platform@8dfca6a)) * **sdk:** take a function so that callers can use this the way that they want ([#340](opentdf/platform#340)) ([72059cb](opentdf/platform@72059cb)) * **subject-mappings:** refactor to meet db schema ([#59](opentdf/platform#59)) ([59a073b](opentdf/platform@59a073b)) * **tdf:** implement tdf3 encrypt and decrypt ([#73](opentdf/platform#73)) ([9d0e0a0](opentdf/platform@9d0e0a0)) * **tdf:** sdk interface changes ([#123](opentdf/platform#123)) ([2aa2422](opentdf/platform@2aa2422)) * **tdf:** sdk interface cleanup ([#201](opentdf/platform#201)) ([6f7d815](opentdf/platform@6f7d815)) * **tdf:** TDFOption varargs interface ([#235](opentdf/platform#235)) ([b3fb720](opentdf/platform@b3fb720)) ### Bug Fixes * **archive:** remove 10gb zip file test ([#373](opentdf/platform#373)) ([6548f55](opentdf/platform@6548f55)) * attribute missing rpc method for listing attribute values ([#69](opentdf/platform#69)) ([1b3a831](opentdf/platform@1b3a831)) * **attribute value:** fixes attribute value crud ([#86](opentdf/platform#86)) ([568df9c](opentdf/platform@568df9c)) * **issue 90:** remove duplicate attribute_id from attribute value create/update, and consumes schema setup changes in namespaces that were introduced for integration testing ([#100](opentdf/platform#100)) ([e0f6d07](opentdf/platform@e0f6d07)) * **issue-124:** SDK kas registry import name mismatch ([#125](opentdf/platform#125)) ([112638b](opentdf/platform@112638b)), closes [#124](opentdf/platform#124) * **proto/acre:** fix resource encoding service typo ([#30](opentdf/platform#30)) ([fe709d2](opentdf/platform@fe709d2)) * remove padding when b64 encoding ([#437](opentdf/platform#437)) ([d40e94a](opentdf/platform@d40e94a)) * SDK Quickstart ([#628](opentdf/platform#628)) ([f27ab98](opentdf/platform@f27ab98)) * **sdk:** change unwrapper creation ([#346](opentdf/platform#346)) ([9206435](opentdf/platform@9206435)) * **sdk:** double bearer token in auth config ([#350](opentdf/platform#350)) ([1bf4699](opentdf/platform@1bf4699)) * **sdk:** fixes Manifests JSONs with OIDC ([#140](opentdf/platform#140)) ([a4b6937](opentdf/platform@a4b6937)) * **sdk:** handle err ([#548](opentdf/platform#548)) ([ebabb6c](opentdf/platform@ebabb6c)) * **sdk:** make KasInfo fields public ([#320](opentdf/platform#320)) ([9a70498](opentdf/platform@9a70498)) * **sdk:** shutdown conn ([#352](opentdf/platform#352)) ([3def038](opentdf/platform@3def038)) * **sdk:** temporarily move unwrapper creation into options func. ([#309](opentdf/platform#309)) ([b34c2fe](opentdf/platform@b34c2fe)) * **sdk:** use the dialoptions even with no client credentials ([#400](opentdf/platform#400)) ([a7f1908](opentdf/platform@a7f1908)) * **security:** add a new encryption keypair different from dpop keypair ([#461](opentdf/platform#461)) ([7deb51e](opentdf/platform@7deb51e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [0.1.0](opentdf/platform@service-v0.1.0...service/v0.1.0) (2024-04-22) ### ⚠ BREAKING CHANGES * Singular platform/service ([#511](opentdf/platform#511)) ### Features * ability to add public routes that bypass authn middleware ([#601](opentdf/platform#601)) ([7c65308](opentdf/platform@7c65308)) * ability to set config key or config file from root cmd ([#502](opentdf/platform#502)) ([56a0131](opentdf/platform@56a0131)) * allow --insecure in provision keycloak cmd ([#629](opentdf/platform#629)) ([a672325](opentdf/platform@a672325)) * **kas:** support HSM and standard crypto ([#497](opentdf/platform#497)) ([f0cbe03](opentdf/platform@f0cbe03)) * **opa:** Adding jq OPA builtin for selection ([#527](opentdf/platform#527)) ([d4ab17a](opentdf/platform@d4ab17a)) * **policy:** add `created_at` and `updated_at` timestamps to metadata ([#538](opentdf/platform#538)) ([e812563](opentdf/platform@e812563)) * **policy:** update fixtures, proto comments, and proto field names to reflect use of jq selector syntax within Conditions of Subject Sets ([#523](opentdf/platform#523)) ([16f40f7](opentdf/platform@16f40f7)) * **sdk:** don't require `client_id` in the auth token ([#544](opentdf/platform#544)) ([a1e70f9](opentdf/platform@a1e70f9)) * **sdk:** normalize token exchange ([#546](opentdf/platform#546)) ([9059dff](opentdf/platform@9059dff)) ### Bug Fixes * **authorization:** Hierarchy working in GetDecisions ([#519](opentdf/platform#519)) ([2856485](opentdf/platform@2856485)) * **core:** allow org-admin casbin role to call KAS rewrap endpoint ([#579](opentdf/platform#579)) ([a64c62a](opentdf/platform@a64c62a)) * **core:** fix panic on nil pointer dereference by passing KAS the SDK instance on registration ([#574](opentdf/platform#574)) ([327bfca](opentdf/platform@327bfca)) * **core:** fixes fixtures provisioning after filepath change with repo restructuring ([#521](opentdf/platform#521)) ([f128e9f](opentdf/platform@f128e9f)) * load extraprops for a service config with remainder values ([#524](opentdf/platform#524)) ([d3d72dc](opentdf/platform@d3d72dc)) * **PLAT-3069:** opentdf/platform, gRPC: Namespace with existed attribute(s) can be deactivated w/o any prompts ([#489](opentdf/platform#489)) ([e5a3324](opentdf/platform@e5a3324)) * **policy:** remove hardcoded schema in goose migration 20240405000000 ([#596](opentdf/platform#596)) ([36c3b16](opentdf/platform@36c3b16)) * **policy:** return `created_at` and `updated_at` timestamps in CREATE metadata ([#557](opentdf/platform#557)) ([fcaaeea](opentdf/platform@fcaaeea)) * resolves issues auth policy configuration ([#498](opentdf/platform#498)) ([08e67cf](opentdf/platform@08e67cf)) * **service:** go.mod version fix sync ([#604](opentdf/platform#604)) ([6323efd](opentdf/platform@6323efd)) * url encode db password field to handle special characters ([#624](opentdf/platform#624)) ([5069f9d](opentdf/platform@5069f9d)) ### Code Refactoring * Singular platform/service ([#511](opentdf/platform#511)) ([40c8b97](opentdf/platform@40c8b97)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [0.1.0](opentdf/platform@lib/ocrypto-v0.1.0...lib/ocrypto/v0.1.0) (2024-04-22) ### Features * **kas:** support HSM and standard crypto ([#497](opentdf/platform#497)) ([f0cbe03](opentdf/platform@f0cbe03)) * **PLAT-3112:** Add Elliptic Curve functionality to support nanotdf ([#576](opentdf/platform#576)) ([504482a](opentdf/platform@504482a)) * **PLAT-3112:** Initial consumption of ec_key_pair functions by nanotdf ([#586](opentdf/platform#586)) ([5e2cba0](opentdf/platform@5e2cba0)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [0.1.0](opentdf/platform@sdk-v0.1.0...sdk/v0.1.0) (2024-04-22) ### Features * add structured schema policy config ([#51](opentdf/platform#51)) ([8a6b876](opentdf/platform@8a6b876)) * **auth:** add authorization via casbin ([#417](opentdf/platform#417)) ([292f2bd](opentdf/platform@292f2bd)) * in-process service to service communication ([#311](opentdf/platform#311)) ([ec5eb76](opentdf/platform@ec5eb76)) * **kas:** support HSM and standard crypto ([#497](opentdf/platform#497)) ([f0cbe03](opentdf/platform@f0cbe03)) * key access server assignments ([#111](opentdf/platform#111)) ([a48d686](opentdf/platform@a48d686)), closes [#117](opentdf/platform#117) * key access server registry impl ([#66](opentdf/platform#66)) ([cf6b3c6](opentdf/platform@cf6b3c6)) * **namespaces CRUD:** protos, generated SDK, db interactivity for namespaces table ([#54](opentdf/platform#54)) ([b3f32b1](opentdf/platform@b3f32b1)) * **PLAT-3112:** Initial consumption of ec_key_pair functions by nanotdf ([#586](opentdf/platform#586)) ([5e2cba0](opentdf/platform@5e2cba0)) * **policy:** add FQN pivot table ([#208](opentdf/platform#208)) ([abb734c](opentdf/platform@abb734c)) * **policy:** add soft-delete/deactivation to namespaces, attribute definitions, attribute values [#96](opentdf/platform#96) [#108](opentdf/platform#108) ([#191](opentdf/platform#191)) ([02e92a6](opentdf/platform@02e92a6)) * **resourcemapping:** resource mapping implementation ([#83](opentdf/platform#83)) ([c144db1](opentdf/platform@c144db1)) * **sdk:** BACK-1966 get auth wired up to SDK using `Options` ([#271](opentdf/platform#271)) ([f1bacab](opentdf/platform@f1bacab)) * **sdk:** BACK-1966 implement fetching a DPoP token ([#45](opentdf/platform#45)) ([dbd3cf9](opentdf/platform@dbd3cf9)) * **sdk:** BACK-1966 make the unwrapper retrieve public keys as well ([#260](opentdf/platform#260)) ([7d051a1](opentdf/platform@7d051a1)) * **sdk:** BACK-1966 pull rewrap into auth config ([#252](opentdf/platform#252)) ([84017aa](opentdf/platform@84017aa)) * **sdk:** Include auth token in grpc ([#367](opentdf/platform#367)) ([75cb5cd](opentdf/platform@75cb5cd)) * **sdk:** normalize token exchange ([#546](opentdf/platform#546)) ([9059dff](opentdf/platform@9059dff)) * **sdk:** Pass dpop key through to `rewrap` ([#435](opentdf/platform#435)) ([2d283de](opentdf/platform@2d283de)) * **sdk:** read `expires_in` from token response and use it to refresh access tokens ([#445](opentdf/platform#445)) ([8ecbe79](opentdf/platform@8ecbe79)) * **sdk:** sdk stub ([#10](opentdf/platform#10)) ([8dfca6a](opentdf/platform@8dfca6a)) * **sdk:** take a function so that callers can use this the way that they want ([#340](opentdf/platform#340)) ([72059cb](opentdf/platform@72059cb)) * **subject-mappings:** refactor to meet db schema ([#59](opentdf/platform#59)) ([59a073b](opentdf/platform@59a073b)) * **tdf:** implement tdf3 encrypt and decrypt ([#73](opentdf/platform#73)) ([9d0e0a0](opentdf/platform@9d0e0a0)) * **tdf:** sdk interface changes ([#123](opentdf/platform#123)) ([2aa2422](opentdf/platform@2aa2422)) * **tdf:** sdk interface cleanup ([#201](opentdf/platform#201)) ([6f7d815](opentdf/platform@6f7d815)) * **tdf:** TDFOption varargs interface ([#235](opentdf/platform#235)) ([b3fb720](opentdf/platform@b3fb720)) ### Bug Fixes * **archive:** remove 10gb zip file test ([#373](opentdf/platform#373)) ([6548f55](opentdf/platform@6548f55)) * attribute missing rpc method for listing attribute values ([#69](opentdf/platform#69)) ([1b3a831](opentdf/platform@1b3a831)) * **attribute value:** fixes attribute value crud ([#86](opentdf/platform#86)) ([568df9c](opentdf/platform@568df9c)) * **issue 90:** remove duplicate attribute_id from attribute value create/update, and consumes schema setup changes in namespaces that were introduced for integration testing ([#100](opentdf/platform#100)) ([e0f6d07](opentdf/platform@e0f6d07)) * **issue-124:** SDK kas registry import name mismatch ([#125](opentdf/platform#125)) ([112638b](opentdf/platform@112638b)), closes [#124](opentdf/platform#124) * **proto/acre:** fix resource encoding service typo ([#30](opentdf/platform#30)) ([fe709d2](opentdf/platform@fe709d2)) * remove padding when b64 encoding ([#437](opentdf/platform#437)) ([d40e94a](opentdf/platform@d40e94a)) * SDK Quickstart ([#628](opentdf/platform#628)) ([f27ab98](opentdf/platform@f27ab98)) * **sdk:** change unwrapper creation ([#346](opentdf/platform#346)) ([9206435](opentdf/platform@9206435)) * **sdk:** double bearer token in auth config ([#350](opentdf/platform#350)) ([1bf4699](opentdf/platform@1bf4699)) * **sdk:** fixes Manifests JSONs with OIDC ([#140](opentdf/platform#140)) ([a4b6937](opentdf/platform@a4b6937)) * **sdk:** handle err ([#548](opentdf/platform#548)) ([ebabb6c](opentdf/platform@ebabb6c)) * **sdk:** make KasInfo fields public ([#320](opentdf/platform#320)) ([9a70498](opentdf/platform@9a70498)) * **sdk:** shutdown conn ([#352](opentdf/platform#352)) ([3def038](opentdf/platform@3def038)) * **sdk:** temporarily move unwrapper creation into options func. ([#309](opentdf/platform#309)) ([b34c2fe](opentdf/platform@b34c2fe)) * **sdk:** use the dialoptions even with no client credentials ([#400](opentdf/platform#400)) ([a7f1908](opentdf/platform@a7f1908)) * **security:** add a new encryption keypair different from dpop keypair ([#461](opentdf/platform#461)) ([7deb51e](opentdf/platform@7deb51e)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

🤖 I have created a release *beep* *boop* --- ## [0.1.0](opentdf/platform@service-v0.1.0...service/v0.1.0) (2024-04-22) ### ⚠ BREAKING CHANGES * Singular platform/service ([#511](opentdf/platform#511)) ### Features * ability to add public routes that bypass authn middleware ([#601](opentdf/platform#601)) ([7c65308](opentdf/platform@7c65308)) * ability to set config key or config file from root cmd ([#502](opentdf/platform#502)) ([56a0131](opentdf/platform@56a0131)) * allow --insecure in provision keycloak cmd ([#629](opentdf/platform#629)) ([a672325](opentdf/platform@a672325)) * **kas:** support HSM and standard crypto ([#497](opentdf/platform#497)) ([f0cbe03](opentdf/platform@f0cbe03)) * **opa:** Adding jq OPA builtin for selection ([#527](opentdf/platform#527)) ([d4ab17a](opentdf/platform@d4ab17a)) * **policy:** add `created_at` and `updated_at` timestamps to metadata ([#538](opentdf/platform#538)) ([e812563](opentdf/platform@e812563)) * **policy:** update fixtures, proto comments, and proto field names to reflect use of jq selector syntax within Conditions of Subject Sets ([#523](opentdf/platform#523)) ([16f40f7](opentdf/platform@16f40f7)) * **sdk:** don't require `client_id` in the auth token ([#544](opentdf/platform#544)) ([a1e70f9](opentdf/platform@a1e70f9)) * **sdk:** normalize token exchange ([#546](opentdf/platform#546)) ([9059dff](opentdf/platform@9059dff)) ### Bug Fixes * **authorization:** Hierarchy working in GetDecisions ([#519](opentdf/platform#519)) ([2856485](opentdf/platform@2856485)) * **core:** allow org-admin casbin role to call KAS rewrap endpoint ([#579](opentdf/platform#579)) ([a64c62a](opentdf/platform@a64c62a)) * **core:** fix panic on nil pointer dereference by passing KAS the SDK instance on registration ([#574](opentdf/platform#574)) ([327bfca](opentdf/platform@327bfca)) * **core:** fixes fixtures provisioning after filepath change with repo restructuring ([#521](opentdf/platform#521)) ([f128e9f](opentdf/platform@f128e9f)) * load extraprops for a service config with remainder values ([#524](opentdf/platform#524)) ([d3d72dc](opentdf/platform@d3d72dc)) * **PLAT-3069:** opentdf/platform, gRPC: Namespace with existed attribute(s) can be deactivated w/o any prompts ([#489](opentdf/platform#489)) ([e5a3324](opentdf/platform@e5a3324)) * **policy:** remove hardcoded schema in goose migration 20240405000000 ([#596](opentdf/platform#596)) ([36c3b16](opentdf/platform@36c3b16)) * **policy:** return `created_at` and `updated_at` timestamps in CREATE metadata ([#557](opentdf/platform#557)) ([fcaaeea](opentdf/platform@fcaaeea)) * resolves issues auth policy configuration ([#498](opentdf/platform#498)) ([08e67cf](opentdf/platform@08e67cf)) * **service:** go.mod version fix sync ([#604](opentdf/platform#604)) ([6323efd](opentdf/platform@6323efd)) * url encode db password field to handle special characters ([#624](opentdf/platform#624)) ([5069f9d](opentdf/platform@5069f9d)) ### Code Refactoring * Singular platform/service ([#511](opentdf/platform#511)) ([40c8b97](opentdf/platform@40c8b97)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>

feat(kas): support HSM and standard crypto

3cb3e5e

sujankota requested review from biscoe916, dmihalcik-virtru, mkleene and strantalis April 2, 2024 21:50

sujankota requested a review from a team as a code owner April 2, 2024 21:50

strantalis requested changes Apr 2, 2024

View reviewed changes

internal/security/hsm.go Outdated Show resolved Hide resolved

services/kas/access/publicKey.go Outdated Show resolved Hide resolved

sujankota added 13 commits April 2, 2024 19:03

fix the integeration test

b993e3c

fix test

d6e0600

rename lib/crypto to lib/ocrypto

ddd1b94

after merge

c1c7c5c

Fix Dockerfile

f7955dd

Fix build

b40a49e

fix the build

b920593

go lint fix

eb94914

fix lint errors

4ab185f

fix lint errors

8214acd

Fix lint error

dcc1435

merge main

1f372a5

Fix lint errors

3483990

sujankota requested review from a team as code owners April 4, 2024 21:09

sujankota and others added 7 commits April 4, 2024 17:14

github flow fixes

98307e2

Merge branch 'main' into support-standard-crypto

4602072

fix the build

1d200d4

Fix lint error

d4c4a10

Fixed lint errors

9a13e79

Fix the integeration test

9a5987e

Fix lint errors

30deeda

strantalis requested changes Apr 5, 2024

View reviewed changes

opentdf-example.yaml Outdated Show resolved Hide resolved

sujankota and others added 9 commits April 5, 2024 10:10

Fix service test

2e29d88

Fix service test

49185c8

Fix service tests

199987d

Fix service tests

342432a

Fix service tests

cdcc223

Fix service test

373a137

Disable HSM

c7d192d

Fix the ocrypto package

a48949b

Merge branch 'main' into support-standard-crypto

08e2e41

strantalis approved these changes Apr 5, 2024

View reviewed changes

sujankota enabled auto-merge April 5, 2024 16:02

dmihalcik-virtru approved these changes Apr 5, 2024

View reviewed changes

internal/security/hsm.go Outdated Show resolved Hide resolved

sujankota added this pull request to the merge queue Apr 5, 2024

Merged via the queue into main with commit f0cbe03 Apr 5, 2024

sujankota deleted the support-standard-crypto branch April 5, 2024 16:23

strantalis mentioned this pull request Apr 15, 2024

Temporarily remove hsm #462

Closed

This was referenced Apr 18, 2024

chore(main): release lib/ocrypto 0.1.0 #613

Merged

chore(main): release service 0.1.0 #614

Merged

chore(main): release sdk 0.1.0 #612

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat(kas): support HSM and standard crypto #497

feat(kas): support HSM and standard crypto #497

Uh oh!

sujankota commented Apr 2, 2024

Uh oh!

Uh oh!

Uh oh!

sujankota commented Apr 2, 2024

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

feat(kas): support HSM and standard crypto #497

feat(kas): support HSM and standard crypto #497

Uh oh!

Conversation

sujankota commented Apr 2, 2024

Uh oh!

Uh oh!

Uh oh!

sujankota commented Apr 2, 2024

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants