Merge remote-tracking branch 'origin/main' into feature/sdk-encrypt

Author: mkleene

CODEOWNERS

@@ -1,6 +1,6 @@
 # CODEOWNERS
 
-* @opentdf/java-sdk
+* @opentdf/java-sdk @opentdf/architecture
 
 ## High Security Area
 

README.md

@@ -1,3 +1,6 @@
 # java-sdk
 
 OpenTDF Java SDK
+
+### Logging
+We use [slf4j](https://www.slf4j.org/), without providing a backend. We use log4j2 in our tests.

pom.xml

@@ -37,21 +37,13 @@
  <version>5.10.1</version>
  <type>pom</type>
  <scope>import</scope>
- </dependency>
- <dependency>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-api</artifactId>
- <version>${log4j.version}</version>
  </dependency>
  <dependency>
  <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-core</artifactId>
- <version>${log4j.version}</version>
- </dependency>
- <dependency>
- <groupId>org.apache.logging.log4j</groupId>
- <artifactId>log4j-slf4j2-impl</artifactId>
- <version>${log4j.version}</version>
+ <artifactId>log4j-bom</artifactId>
+ <version>2.23.1</version>
+ <type>pom</type>
+ <scope>import</scope>
  </dependency>
  <dependency>
  <groupId>org.projectlombok</groupId>

protocol/pom.xml

@@ -57,8 +57,6 @@
  <exec executable="buf" dir="../">
  <arg value="generate" />
  <arg value="https://github.com/opentdf/platform.git#branch=main,subdir=service" />
- <arg value="--exclude-path"/>
- <arg value="authorization/idp_plugin.proto"/>
  </exec>
  <exec executable="buf" dir="../">
  <arg value="generate" />

sdk/pom.xml

@@ -29,6 +29,26 @@
  <artifactId>protocol</artifactId>
  <version>0.1.0-SNAPSHOT</version><!-- {x-version-update:java-sdk:current} -->
  </dependency>
+ <dependency>
+ <groupId>org.slf4j</groupId>
+ <artifactId>slf4j-api</artifactId>
+ <version>2.0.13</version>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-slf4j2-impl</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-core</artifactId>
+ <scope>test</scope>
+ </dependency>
+ <dependency>
+ <groupId>org.apache.logging.log4j</groupId>
+ <artifactId>log4j-api</artifactId>
+ <scope>test</scope>
+ </dependency>
  <dependency>
  <groupId>org.junit.jupiter</groupId>
  <artifactId>junit-jupiter</artifactId>
@@ -81,14 +101,10 @@
  <version>2.10.1</version>
  </dependency>
  <dependency>
- <groupId>commons-codec</groupId>
- <artifactId>commons-codec</artifactId>
- <version>1.17.0</version>
- </dependency>
- <dependency>
- <groupId>commons-io</groupId>
- <artifactId>commons-io</artifactId>
- <version>2.11.0</version>
+ <groupId>org.apache.commons</groupId>
+ <artifactId>commons-compress</artifactId>
+ <version>1.26.1</version>
+ <scope>test</scope>
  </dependency>
  </dependencies>
 </project>

sdk/src/main/java/io/opentdf/platform/sdk/GRPCAuthInterceptor.java

@@ -15,14 +15,15 @@
 import com.nimbusds.oauth2.sdk.http.HTTPRequest;
 import com.nimbusds.oauth2.sdk.http.HTTPResponse;
 import com.nimbusds.oauth2.sdk.token.AccessToken;
-import com.nimbusds.oauth2.sdk.tokenexchange.TokenExchangeGrant;
 import io.grpc.CallOptions;
 import io.grpc.Channel;
 import io.grpc.ClientCall;
 import io.grpc.ClientInterceptor;
 import io.grpc.ForwardingClientCall;
 import io.grpc.Metadata;
 import io.grpc.MethodDescriptor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -40,6 +41,9 @@ class GRPCAuthInterceptor implements ClientInterceptor {
  private final RSAKey rsaKey;
  private final URI tokenEndpointURI;
 
+ private static final Logger logger = LoggerFactory.getLogger(GRPCAuthInterceptor.class);
+
+
  /**
  * Constructs a new GRPCAuthInterceptor with the specified client authentication and RSA key.
  *
@@ -101,6 +105,8 @@ private synchronized AccessToken getToken() {
  // If the token is expired or initially null, get a new token
  if (token == null || isTokenExpired()) {
 
+ logger.trace("The current access token is expired or empty, getting a new one");
+
  // Construct the client credentials grant
  AuthorizationGrant clientGrant = new ClientCredentialsGrant();
 
@@ -124,9 +130,17 @@ private synchronized AccessToken getToken() {
  throw new RuntimeException("Token request failed: " + error);
  }
 
- this.token = tokenResponse.toSuccessResponse().getTokens().getAccessToken();
- // DPoPAccessToken dPoPAccessToken = tokens.getDPoPAccessToken();
 
+ var tokens = tokenResponse.toSuccessResponse().getTokens();
+ if (tokens.getDPoPAccessToken() != null) {
+ logger.trace("retrieved a new DPoP access token");
+ } else if (tokens.getAccessToken() != null) {
+ logger.trace("retrieved a new access token");
+ } else {
+ logger.trace("got an access token of unknown type");
+ }
+
+ this.token = tokens.getAccessToken();
 
  if (token.getLifetime() != 0) {
  // Need some type of leeway but not sure whats best

sdk/src/main/java/io/opentdf/platform/sdk/KASClient.java

@@ -0,0 +1,41 @@
+package io.opentdf.platform.sdk;
+
+import io.grpc.Channel;
+import io.opentdf.platform.kas.AccessServiceGrpc;
+import io.opentdf.platform.kas.PublicKeyRequest;
+import io.opentdf.platform.kas.RewrapRequest;
+
+import java.util.HashMap;
+import java.util.function.Function;
+
+public class KASClient implements SDK.KAS {
+
+ private final Function<SDK.KASInfo, Channel> channelFactory;
+
+ public KASClient(Function <SDK.KASInfo, Channel> channelFactory) {
+ this.channelFactory = channelFactory;
+ }
+
+ @Override
+ public String getPublicKey(SDK.KASInfo kasInfo) {
+ return getStub(kasInfo).publicKey(PublicKeyRequest.getDefaultInstance()).getPublicKey();
+ }
+
+ @Override
+ public byte[] unwrap(SDK.KASInfo kasInfo, SDK.Policy policy) {
+ // this is obviously wrong. we still have to generate a correct request and decrypt the payload
+ return getStub(kasInfo).rewrap(RewrapRequest.getDefaultInstance()).getEntityWrappedKey().toByteArray();
+ }
+
+ private final HashMap<SDK.KASInfo, AccessServiceGrpc.AccessServiceBlockingStub> stubs = new HashMap<>();
+
+ private synchronized AccessServiceGrpc.AccessServiceBlockingStub getStub(SDK.KASInfo kasInfo) {
+ if (!stubs.containsKey(kasInfo)) {
+ var channel = channelFactory.apply(kasInfo);
+ var stub = AccessServiceGrpc.newBlockingStub(channel);
+ stubs.put(kasInfo, stub);
+ }
+
+ return stubs.get(kasInfo);
+ }
+}

sdk/src/main/java/io/opentdf/platform/sdk/SDK.java

@@ -17,14 +17,25 @@
 public class SDK {
  private final Services services;
 
+ public interface KASInfo{
+ String getAddress();
+ }
+ public interface Policy{}
+
+ interface KAS {
+ String getPublicKey(KASInfo kasInfo);
+ byte[] unwrap(KASInfo kasInfo, Policy policy);
+ }
+
  // TODO: add KAS
- public interface Services {
+ interface Services {
  AttributesServiceFutureStub attributes();
  NamespaceServiceFutureStub namespaces();
  SubjectMappingServiceFutureStub subjectMappings();
  ResourceMappingServiceFutureStub resourceMappings();
+ KAS kas();
 
- static Services newServices(Channel channel) {
+ static Services newServices(Channel channel, KAS kas) {
  var attributeService = AttributesServiceGrpc.newFutureStub(channel);
  var namespaceService = NamespaceServiceGrpc.newFutureStub(channel);
  var subjectMappingService = SubjectMappingServiceGrpc.newFutureStub(channel);
@@ -50,11 +61,16 @@ public SubjectMappingServiceFutureStub subjectMappings() {
  public ResourceMappingServiceFutureStub resourceMappings() {
  return resourceMappingService;
  }
+
+ @Override
+ public KAS kas() {
+ return kas;
+ }
  };
  }
  }
 
- public SDK(Services services) {
+ SDK(Services services) {
  this.services = services;
  }
 }

sdk/src/main/java/io/opentdf/platform/sdk/SDKBuilder.java

@@ -11,15 +11,20 @@
 import com.nimbusds.oauth2.sdk.id.ClientID;
 import com.nimbusds.oauth2.sdk.id.Issuer;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import io.grpc.Channel;
 import io.grpc.ManagedChannel;
 import io.grpc.ManagedChannelBuilder;
 import io.grpc.Status;
+import io.grpc.StatusRuntimeException;
 import io.opentdf.platform.wellknownconfiguration.GetWellKnownConfigurationRequest;
 import io.opentdf.platform.wellknownconfiguration.GetWellKnownConfigurationResponse;
 import io.opentdf.platform.wellknownconfiguration.WellKnownServiceGrpc;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 import java.util.UUID;
+import java.util.function.Function;
 
 /**
  * A builder class for creating instances of the SDK class.
@@ -30,9 +35,13 @@ public class SDKBuilder {
  private ClientAuthentication clientAuth = null;
  private Boolean usePlainText;
 
+ private static final Logger logger = LoggerFactory.getLogger(SDKBuilder.class);
+
  public static SDKBuilder newBuilder() {
  SDKBuilder builder = new SDKBuilder();
  builder.usePlainText = false;
+ builder.clientAuth = null;
+ builder.platformEndpoint = null;
 
  return builder;
  }
@@ -54,8 +63,16 @@ public SDKBuilder useInsecurePlaintextConnection(Boolean usePlainText) {
  return this;
  }
 
- // this is not exposed publicly so that it can be tested
- ManagedChannel buildChannel() {
+ private GRPCAuthInterceptor getGrpcAuthInterceptor() {
+ if (platformEndpoint == null) {
+ throw new SDKException("cannot build an SDK without specifying the platform endpoint");
+ }
+
+ if (clientAuth == null) {
+ // this simplifies things for now, if we need to support this case we can revisit
+ throw new SDKException("cannot build an SDK without specifying OAuth credentials");
+ }
+
  // we don't add the auth listener to this channel since it is only used to call the
  // well known endpoint
  ManagedChannel bootstrapChannel = null;
@@ -65,7 +82,7 @@ ManagedChannel buildChannel() {
  var stub = WellKnownServiceGrpc.newBlockingStub(bootstrapChannel);
  try {
  config = stub.getWellKnownConfiguration(GetWellKnownConfigurationRequest.getDefaultInstance());
- } catch (Exception e) {
+ } catch (StatusRuntimeException e) {
  Status status = Status.fromThrowable(e);
  throw new SDKException(String.format("Got grpc status [%s] when getting configuration", status), e);
  }
@@ -82,7 +99,7 @@ ManagedChannel buildChannel() {
  .getFieldsOrThrow(PLATFORM_ISSUER)
  .getStringValue();
 
- } catch (Exception e) {
+ } catch (StatusRuntimeException e) {
  throw new SDKException("Error getting the issuer from the platform", e);
  }
 
@@ -104,24 +121,39 @@ ManagedChannel buildChannel() {
  throw new SDKException("Error generating DPoP key", e);
  }
 
- GRPCAuthInterceptor interceptor = new GRPCAuthInterceptor(clientAuth, rsaKey, providerMetadata.getTokenEndpointURI());
+ return new GRPCAuthInterceptor(clientAuth, rsaKey, providerMetadata.getTokenEndpointURI());
+ }
 
- return getManagedChannelBuilder()
- .intercept(interceptor)
- .build();
+ SDK.Services buildServices() {
+ var authInterceptor = getGrpcAuthInterceptor();
+ var channel = getManagedChannelBuilder().intercept(authInterceptor).build();
+ var client = new KASClient(getChannelFactory(authInterceptor));
+ return SDK.Services.newServices(channel, client);
  }
 
  public SDK build() {
- return new SDK(SDK.Services.newServices(buildChannel()));
+ return new SDK(buildServices());
  }
 
  private ManagedChannelBuilder<?> getManagedChannelBuilder() {
- ManagedChannelBuilder<?> channelBuilder = ManagedChannelBuilder
- .forTarget(platformEndpoint);
+ ManagedChannelBuilder<?> channelBuilder = ManagedChannelBuilder.forTarget(platformEndpoint);
 
  if (usePlainText) {
  channelBuilder = channelBuilder.usePlaintext();
  }
  return channelBuilder;
  }
+
+ Function<SDK.KASInfo, Channel> getChannelFactory(GRPCAuthInterceptor authInterceptor) {
+ var pt = usePlainText; // no need to have the builder be able to influence things from beyond the grave
+ return (SDK.KASInfo kasInfo) -> {
+ ManagedChannelBuilder<?> channelBuilder = ManagedChannelBuilder
+ .forTarget(kasInfo.getAddress())
+ .intercept(authInterceptor);
+ if (pt) {
+ channelBuilder = channelBuilder.usePlaintext();
+ }
+ return channelBuilder.build();
+ };
+ }
 }

sdk/src/main/java/io/opentdf/platform/sdk/SDKException.java

@@ -4,4 +4,8 @@ public class SDKException extends RuntimeException {
  public SDKException(String message, Exception reason) {
  super(message, reason);
  }
+
+ public SDKException(String message) {
+ super(message);
+ }
 }