feat: add code to create services for SDK (#35)

Also add `bom` for `junit` to lock down version --------- Co-authored-by: Sean Trantalis <strantalis@virtru.com> Co-authored-by: Timothy Tschampel <ttschampel@virtru.com>

Author: 3 people

.github/workflows/checks.yaml

@@ -13,6 +13,9 @@ on:
  types:
  - checks_requested
 
+permissions:
+ contents: read
+
 jobs:
  pr:
  name: Validate PR title

pom.xml

@@ -15,7 +15,7 @@
  <maven.compiler.source>11</maven.compiler.source>
  <maven.compiler.target>11</maven.compiler.target>
  <log4j.version>2.20.0</log4j.version>
- <grpc.version>1.57.2</grpc.version>
+ <grpc.version>1.63.0</grpc.version>
  <protobuf.version>3.25.3</protobuf.version>
  </properties>
  <modules>
@@ -25,9 +25,18 @@
  <dependencyManagement>
  <dependencies>
  <dependency>
- <groupId>io.opentdf.platform</groupId>
- <artifactId>platform-client</artifactId>
- <version>0.1.0-SNAPSHOT</version><!-- {x-version-update:java-sdk:current} -->
+ <groupId>io.grpc</groupId>
+ <artifactId>grpc-bom</artifactId>
+ <version>${grpc.version}</version>
+ <type>pom</type>
+ <scope>import</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.junit</groupId>
+ <artifactId>junit-bom</artifactId>
+ <version>5.10.1</version>
+ <type>pom</type>
+ <scope>import</scope>
  </dependency>
  <dependency>
  <groupId>org.apache.logging.log4j</groupId>
@@ -50,12 +59,6 @@
  <version>1.18.30</version>
  <scope>provided</scope>
  </dependency>
- <dependency>
- <groupId>org.junit.jupiter</groupId>
- <artifactId>junit-jupiter-engine</artifactId>
- <version>5.9.2</version>
- <scope>test</scope>
- </dependency>
  <dependency>
  <groupId>org.mockito</groupId>
  <artifactId>mockito-core</artifactId>
@@ -68,13 +71,6 @@
  <version>5.2.0</version>
  <scope>test</scope>
  </dependency>
- <dependency>
- <groupId>org.junit.jupiter</groupId>
- <artifactId>junit-jupiter-api</artifactId>
- <version>5.9.2</version>
- <scope>test</scope>
- </dependency>
-
  <dependency>
  <groupId>org.apache.maven.plugin-tools</groupId>
  <artifactId>maven-plugin-annotations</artifactId>

protocol/pom.xml

@@ -32,12 +32,10 @@
  <dependency>
  <groupId>io.grpc</groupId>
  <artifactId>grpc-protobuf</artifactId>
- <version>${grpc.version}</version>
- </dependency>
+ </dependency>
  <dependency>
  <groupId>io.grpc</groupId>
  <artifactId>grpc-stub</artifactId>
- <version>${grpc.version}</version>
  </dependency>
  </dependencies>
  <build>

sdk/pom.xml

@@ -3,7 +3,6 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
  <modelVersion>4.0.0</modelVersion>
- <groupId>io.opentdf.platform</groupId>
  <name>sdk</name>
  <artifactId>sdk</artifactId>
  <parent>
@@ -20,7 +19,43 @@
  </dependency>
  <dependency>
  <groupId>org.junit.jupiter</groupId>
- <artifactId>junit-jupiter-engine</artifactId>
+ <artifactId>junit-jupiter</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>com.nimbusds</groupId>
+ <artifactId>oauth2-oidc-sdk</artifactId>
+ <version>11.10.1</version>
+ </dependency>
+ <dependency>
+ <groupId>io.grpc</groupId>
+ <artifactId>grpc-netty-shaded</artifactId>
+ <scope>runtime</scope>
+ </dependency>
+ <dependency>
+ <groupId>io.grpc</groupId>
+ <artifactId>grpc-protobuf</artifactId>
+ </dependency>
+ <dependency>
+ <groupId>io.grpc</groupId>
+ <artifactId>grpc-stub</artifactId>
+ </dependency>
+ <dependency> <!-- necessary for Java 9+ -->
+ <groupId>org.apache.tomcat</groupId>
+ <artifactId>annotations-api</artifactId>
+ <version>6.0.53</version>
+ <scope>provided</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.assertj</groupId>
+ <artifactId>assertj-core</artifactId>
+ <version>3.8.0</version>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>com.squareup.okhttp3</groupId>
+ <artifactId>mockwebserver</artifactId>
+ <version>5.0.0-alpha.14</version>
+ <scope>test</scope>
  </dependency>
  </dependencies>
 </project>

sdk/src/main/java/io/opentdf/platform/sdk/GRPCAuthInterceptor.java

@@ -0,0 +1,156 @@
+package io.opentdf.platform.sdk;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jwt.SignedJWT;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ClientCredentialsGrant;
+import com.nimbusds.oauth2.sdk.ErrorObject;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.dpop.DPoPProofFactory;
+import com.nimbusds.oauth2.sdk.dpop.DefaultDPoPProofFactory;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.token.AccessToken;
+import com.nimbusds.oauth2.sdk.tokenexchange.TokenExchangeGrant;
+import io.grpc.CallOptions;
+import io.grpc.Channel;
+import io.grpc.ClientCall;
+import io.grpc.ClientInterceptor;
+import io.grpc.ForwardingClientCall;
+import io.grpc.Metadata;
+import io.grpc.MethodDescriptor;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.time.Instant;
+
+/**
+ * The GRPCAuthInterceptor class is responsible for intercepting client calls before they are sent
+ * to the server. It adds authentication headers to the requests by fetching and caching access
+ * tokens.
+ */
+class GRPCAuthInterceptor implements ClientInterceptor {
+ private Instant tokenExpiryTime;
+ private AccessToken token;
+ private final ClientAuthentication clientAuth;
+ private final RSAKey rsaKey;
+ private final URI tokenEndpointURI;
+
+ /**
+ * Constructs a new GRPCAuthInterceptor with the specified client authentication and RSA key.
+ *
+ * @param clientAuth the client authentication to be used by the interceptor
+ * @param rsaKey the RSA key to be used by the interceptor
+ */
+ public GRPCAuthInterceptor(ClientAuthentication clientAuth, RSAKey rsaKey, URI tokenEndpointURI) {
+ this.clientAuth = clientAuth;
+ this.rsaKey = rsaKey;
+ this.tokenEndpointURI = tokenEndpointURI;
+ }
+
+ /**
+ * Intercepts the client call before it is sent to the server.
+ *
+ * @param method The method descriptor for the call.
+ * @param callOptions The call options for the call.
+ * @param next The next channel in the channel pipeline.
+ * @param <ReqT> The type of the request message.
+ * @param <RespT> The type of the response message.
+ * @return A client call with the intercepted behavior.
+ */
+ @Override
+ public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(MethodDescriptor<ReqT, RespT> method,
+ CallOptions callOptions, Channel next) {
+ return new ForwardingClientCall.SimpleForwardingClientCall<>(next.newCall(method, callOptions)) {
+ @Override
+ public void start(Listener<RespT> responseListener, Metadata headers) {
+ // Get the access token
+ AccessToken t = getToken();
+ headers.put(Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER),
+ "DPoP " + t.getValue());
+
+ // Build the DPoP proof for each request
+ try {
+ DPoPProofFactory dpopFactory = new DefaultDPoPProofFactory(rsaKey, JWSAlgorithm.RS256);
+
+ URI uri = new URI("/" + method.getFullMethodName());
+ SignedJWT proof = dpopFactory.createDPoPJWT("POST", uri, t);
+ headers.put(Metadata.Key.of("DPoP", Metadata.ASCII_STRING_MARSHALLER),
+ proof.serialize());
+ } catch (URISyntaxException e) {
+ throw new RuntimeException("Invalid URI syntax for DPoP proof creation", e);
+ } catch (JOSEException e) {
+ throw new RuntimeException("Error creating DPoP proof", e);
+ }
+ super.start(responseListener, headers);
+ }
+ };
+ }
+
+ /**
+ * Either fetches a new access token or returns the cached access token if it is still valid.
+ *
+ * @return The access token.
+ */
+ private synchronized AccessToken getToken() {
+ try {
+ // If the token is expired or initially null, get a new token
+ if (token == null || isTokenExpired()) {
+
+ // Construct the client credentials grant
+ AuthorizationGrant clientGrant = new ClientCredentialsGrant();
+
+ // Make the token request
+ TokenRequest tokenRequest = new TokenRequest(this.tokenEndpointURI,
+ clientAuth, clientGrant, null);
+ HTTPRequest httpRequest = tokenRequest.toHTTPRequest();
+
+ DPoPProofFactory dpopFactory = new DefaultDPoPProofFactory(rsaKey, JWSAlgorithm.RS256);
+
+ SignedJWT proof = dpopFactory.createDPoPJWT(httpRequest.getMethod().name(), httpRequest.getURI());
+
+ httpRequest.setDPoP(proof);
+ TokenResponse tokenResponse;
+
+ HTTPResponse httpResponse = httpRequest.send();
+
+ tokenResponse = TokenResponse.parse(httpResponse);
+ if (!tokenResponse.indicatesSuccess()) {
+ ErrorObject error = tokenResponse.toErrorResponse().getErrorObject();
+ throw new RuntimeException("Token request failed: " + error);
+ }
+
+ this.token = tokenResponse.toSuccessResponse().getTokens().getAccessToken();
+ // DPoPAccessToken dPoPAccessToken = tokens.getDPoPAccessToken();
+
+
+ if (token.getLifetime() != 0) {
+ // Need some type of leeway but not sure whats best
+ this.tokenExpiryTime = Instant.now().plusSeconds(token.getLifetime() / 3);
+ }
+
+ } else {
+ // If the token is still valid or not initially null, return the cached token
+ return this.token;
+ }
+
+ } catch (Exception e) {
+ // TODO Auto-generated catch block
+ throw new RuntimeException("failed to get token", e);
+ }
+ return this.token;
+ }
+
+ /**
+ * Checks if the token has expired.
+ *
+ * @return true if the token has expired, false otherwise.
+ */
+ private boolean isTokenExpired() {
+ return this.tokenExpiryTime != null && this.tokenExpiryTime.isBefore(Instant.now());
+ }
+}

sdk/src/main/java/io/opentdf/platform/sdk/SDK.java

@@ -1,55 +1,60 @@
 package io.opentdf.platform.sdk;
 
+import io.grpc.Channel;
 import io.opentdf.platform.policy.attributes.AttributesServiceGrpc;
+import io.opentdf.platform.policy.attributes.AttributesServiceGrpc.AttributesServiceFutureStub;
+import io.opentdf.platform.policy.namespaces.NamespaceServiceGrpc;
+import io.opentdf.platform.policy.namespaces.NamespaceServiceGrpc.NamespaceServiceFutureStub;
 import io.opentdf.platform.policy.resourcemapping.ResourceMappingServiceGrpc;
+import io.opentdf.platform.policy.resourcemapping.ResourceMappingServiceGrpc.ResourceMappingServiceFutureStub;
+import io.opentdf.platform.policy.subjectmapping.SubjectMappingServiceGrpc;
+import io.opentdf.platform.policy.subjectmapping.SubjectMappingServiceGrpc.SubjectMappingServiceFutureStub;
 
 /**
- * Interact with OpenTDF platform services and perform TDF data operations with
- * this object.
+ * The SDK class represents a software development kit for interacting with the opentdf platform. It
+ * provides various services and stubs for making API calls to the opentdf platform.
  */
 public class SDK {
- private final String platformEndpoint;
- private AttributesServiceGrpc.AttributesServiceFutureStub attributesServiceFutureStub;
- private ResourceMappingServiceGrpc.ResourceMappingServiceFutureStub resourceMappingServiceFutureStub;
-
- public AttributesServiceGrpc.AttributesServiceFutureStub getAttributesServiceFutureStub() {
- return attributesServiceFutureStub;
- }
-
- public ResourceMappingServiceGrpc.ResourceMappingServiceFutureStub getResourceMappingServiceFutureStub() {
- return resourceMappingServiceFutureStub;
- }
-
-
- private SDK(String platformEndpoint) {
- this.platformEndpoint = platformEndpoint;
- }
-
- public String getPlatformEndpoint() {
- return this.platformEndpoint;
- }
-
- /**
- * Builder pattern for SDK objects
- */
- public static class Builder implements Cloneable {
- private String platformEndpoint;
-
- public Builder platformEndpoint(String platformEndpoint) {
- this.platformEndpoint = platformEndpoint;
- return this;
- }
-
- public SDK build() {
- return new SDK(this.platformEndpoint);
+ private final Services services;
+
+ // TODO: add KAS
+ public interface Services {
+ AttributesServiceFutureStub attributes();
+ NamespaceServiceFutureStub namespaces();
+ SubjectMappingServiceFutureStub subjectMappings();
+ ResourceMappingServiceFutureStub resourceMappings();
+
+ static Services newServices(Channel channel) {
+ var attributeService = AttributesServiceGrpc.newFutureStub(channel);
+ var namespaceService = NamespaceServiceGrpc.newFutureStub(channel);
+ var subjectMappingService = SubjectMappingServiceGrpc.newFutureStub(channel);
+ var resourceMappingService = ResourceMappingServiceGrpc.newFutureStub(channel);
+
+ return new Services() {
+ @Override
+ public AttributesServiceFutureStub attributes() {
+ return attributeService;
+ }
+
+ @Override
+ public NamespaceServiceFutureStub namespaces() {
+ return namespaceService;
+ }
+
+ @Override
+ public SubjectMappingServiceFutureStub subjectMappings() {
+ return subjectMappingService;
+ }
+
+ @Override
+ public ResourceMappingServiceFutureStub resourceMappings() {
+ return resourceMappingService;
+ }
+ };
+ }
  }
 
- @Override public Builder clone() {
- try {
- return (Builder) super.clone();
- } catch (CloneNotSupportedException e) {
- throw new RuntimeException(e);
- }
+ public SDK(Services services) {
+ this.services = services;
  }
- }
-}
+}