add some tests

Author: mkleene

sdk/src/main/java/io/opentdf/platform/sdk/Autoconfigure.java

@@ -361,6 +361,8 @@ List<KeySplitStep> getSplits(List<String> defaultKases, Supplier<String> genSpli
             }
 
             logger.warn("no grants or mapped keys found, generating plan from default KASes. this is deprecated");
+            // this is a little bit weird because we don't take into account the KIDs here. This is the way
+            // that it works in
             return generatePlanFromDefaultKases(defaultKases, genSplitID);
         }
 

sdk/src/main/java/io/opentdf/platform/sdk/Planner.java

@@ -1,28 +1,38 @@
 package io.opentdf.platform.sdk;
 
+import com.connectrpc.ConnectException;
+import com.google.gson.Gson;
+import com.google.gson.JsonSyntaxException;
+import com.google.gson.annotations.SerializedName;
+import io.opentdf.platform.policy.Algorithm;
+import io.opentdf.platform.policy.SimpleKasKey;
+import io.opentdf.platform.policy.SimpleKasPublicKey;
 import io.opentdf.platform.policy.Value;
+import io.opentdf.platform.wellknownconfiguration.GetWellKnownConfigurationRequest;
+import io.opentdf.platform.wellknownconfiguration.GetWellKnownConfigurationResponse;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 import java.util.ArrayList;
+import java.util.Collections;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import java.util.Objects;
 import java.util.Optional;
 import java.util.UUID;
 
-import static io.opentdf.platform.sdk.Autoconfigure.Granter.generatePlanFromDefaultKases;
-
 public class Planner {
+    private static final String BASE_KEY = "base_key";
     private final Config.TDFConfig tdfConfig;
-    private final SDK.Services sdkServices;
+    private final SDK.Services services;
+
 
     private static final Logger logger = LoggerFactory.getLogger(Planner.class);
 
     public Planner(Config.TDFConfig config, SDK.Services services) {
-        tdfConfig = Objects.requireNonNull(config);
-        sdkServices = Objects.requireNonNull(services) ;
+        this.tdfConfig = Objects.requireNonNull(config);
+        this.services = Objects.requireNonNull(services);
     }
 
     private static String getUUID() {
@@ -31,43 +41,107 @@ private static String getUUID() {
 
     Map<String, List<Config.KASInfo>> getSplits(Config.TDFConfig tdfConfig) {
         List<Autoconfigure.KeySplitStep> splitPlan;
-        List<String> defaultKases = defaultKases(tdfConfig);
         if (tdfConfig.autoconfigure) {
+            if (tdfConfig.splitPlan != null && !tdfConfig.splitPlan.isEmpty()) {
+                throw new IllegalArgumentException("cannot use autoconfigure with a split plan provided in the TDFConfig");
+            }
             splitPlan = getAutoconfigurePlan(tdfConfig);
         } else if (tdfConfig.splitPlan == null || tdfConfig.splitPlan.isEmpty()) {
-            splitPlan = defaultKases.isEmpty()
-                    ? createPlanFromBaseKey()
-                    : generatePlanFromDefaultKases(defaultKases, Planner::getUUID);
+            splitPlan = generatePlanFromProvidedKases(tdfConfig.kasInfoList);
         } else {
             splitPlan = tdfConfig.splitPlan;
         }
 
         if (tdfConfig.kasInfoList.isEmpty() && tdfConfig.splitPlan.isEmpty()) {
             throw new SDK.KasInfoMissing("kas information is missing, no key access template specified or inferred");
         }
-
-        // split plan: restructure by conjunctions
         return fillInKeys(tdfConfig, splitPlan);
     }
 
     private List<Autoconfigure.KeySplitStep> getAutoconfigurePlan(Config.TDFConfig tdfConfig) {
-        if (tdfConfig.splitPlan != null && !tdfConfig.splitPlan.isEmpty()) {
-            throw new IllegalArgumentException("cannot use autoconfigure with a split plan provided in the TDFConfig");
-        }
         Autoconfigure.Granter granter = new Autoconfigure.Granter(new ArrayList<>());
         if (tdfConfig.attributeValues != null && !tdfConfig.attributeValues.isEmpty()) {
-            granter = Autoconfigure.newGranterFromAttributes(sdkServices.kas().getKeyCache(), tdfConfig.attributeValues.toArray(new Value[0]));
+            granter = Autoconfigure.newGranterFromAttributes(services.kas().getKeyCache(), tdfConfig.attributeValues.toArray(new Value[0]));
         } else if (tdfConfig.attributes != null && !tdfConfig.attributes.isEmpty()) {
-            granter = Autoconfigure.newGranterFromService(sdkServices.attributes(), sdkServices.kas().getKeyCache(),
+            granter = Autoconfigure.newGranterFromService(services.attributes(), services.kas().getKeyCache(),
                     tdfConfig.attributes.toArray(new Autoconfigure.AttributeValueFQN[0]));
         }
-        return granter.getSplits(defaultKases(tdfConfig), Planner::getUUID, Optional::empty);
+        return granter.getSplits(defaultKases(tdfConfig), Planner::getUUID, this::fetchBaseKey);
+    }
+
+    List<Autoconfigure.KeySplitStep> generatePlanFromProvidedKases(List<Config.KASInfo> kases) {
+        if (kases.size() == 1) {
+            var kasInfo = kases.get(0);
+            return Collections.singletonList(new Autoconfigure.KeySplitStep(kasInfo.URL, "", kasInfo.KID));
+        }
+        List<Autoconfigure.KeySplitStep> splitPlan = new ArrayList<>();
+        for (var kasInfo : kases) {
+            splitPlan.add(new Autoconfigure.KeySplitStep(kasInfo.URL, getUUID(), kasInfo.KID));
+        }
+        return splitPlan;
+    }
+
+    Optional<SimpleKasKey> fetchBaseKey() {
+        var responseMessage = services.wellknown()
+                .getWellKnownConfigurationBlocking(GetWellKnownConfigurationRequest.getDefaultInstance(), Collections.emptyMap())
+                .execute();
+        GetWellKnownConfigurationResponse response;
+        try {
+            response = RequestHelper.getOrThrow(responseMessage);
+        } catch (ConnectException e) {
+            logger.error("unable to retrieve configuration from well known endpoint", e);
+            throw new SDKException("unable to retrieve base key from well known endpoint", e);
+        }
+
+        String baseKeyJson;
+        try {
+            baseKeyJson = response
+                    .getConfiguration()
+                    .getFieldsOrThrow(BASE_KEY)
+                    .getStringValue();
+        } catch (IllegalArgumentException e) {
+            logger.info( "no `" + BASE_KEY + "` found in well known configuration.", e);
+            return Optional.empty();
+        }
+
+        BaseKey baseKey;
+        try {
+            baseKey = gson.fromJson(baseKeyJson, BaseKey.class);
+        } catch (JsonSyntaxException e) {
+            throw new SDKException("base key in well known configuration is malformed [" + baseKeyJson + "]", e);
+        }
+
+        if (baseKey == null || baseKey.kasUrl == null || baseKey.publicKey == null || baseKey.publicKey.kid == null || baseKey.publicKey.pem == null || baseKey.publicKey.algorithm == null) {
+            throw new SDKException("base key in well known configuration is missing required fields [" + baseKeyJson + "]");
+        }
+
+        return Optional.of(SimpleKasKey.newBuilder()
+                .setKasUri(baseKey.kasUrl)
+                .setPublicKey(SimpleKasPublicKey.newBuilder()
+                        .setKid(baseKey.publicKey.kid)
+                        .setAlgorithm(baseKey.publicKey.algorithm)
+                        .setPem(baseKey.publicKey.pem)
+                        .build())
+                .build());
     }
 
-    private List<Autoconfigure.KeySplitStep> createPlanFromBaseKey() {
-        return null;
+    private static Gson gson = new Gson();
+
+    private static class BaseKey {
+        @SerializedName("kas_url")
+        String kasUrl;
+
+        @SerializedName("public_key")
+        Key publicKey;
+
+        private static class Key {
+            String kid;
+            String pem;
+            Algorithm algorithm;
+        }
     }
 
+
     private Map<String, List<Config.KASInfo>> fillInKeys(Config.TDFConfig tdfConfig, List<Autoconfigure.KeySplitStep> splitPlan) {
         Map<String, List<Config.KASInfo>> conjunction = new HashMap<>();
         var latestKASInfo = new HashMap<String, Config.KASInfo>();
@@ -87,7 +161,7 @@ private Map<String, List<Config.KASInfo>> fillInKeys(Config.TDFConfig tdfConfig,
                 var getKI = new Config.KASInfo();
                 getKI.URL = splitInfo.kas;
                 getKI.Algorithm = tdfConfig.wrappingKeyType.toString();
-                getKI = sdkServices.kas().getPublicKey(getKI);
+                getKI = services.kas().getPublicKey(getKI);
                 latestKASInfo.put(splitInfo.kas, getKI);
                 ki = getKI;
             }

sdk/src/main/java/io/opentdf/platform/sdk/SDK.java

@@ -9,6 +9,7 @@
 import io.opentdf.platform.policy.namespaces.NamespaceServiceClientInterface;
 import io.opentdf.platform.policy.resourcemapping.ResourceMappingServiceClientInterface;
 import io.opentdf.platform.policy.subjectmapping.SubjectMappingServiceClientInterface;
+import io.opentdf.platform.wellknownconfiguration.WellKnownServiceClientInterface;
 
 import javax.net.ssl.TrustManager;
 import java.io.IOException;
@@ -75,6 +76,8 @@ public interface Services extends AutoCloseable {
 
         KeyAccessServerRegistryServiceClientInterface kasRegistry();
 
+        WellKnownServiceClientInterface wellknown();
+
         KAS kas();
     }
 

sdk/src/main/java/io/opentdf/platform/sdk/SDKBuilder.java

@@ -33,6 +33,7 @@
 import io.opentdf.platform.wellknownconfiguration.GetWellKnownConfigurationRequest;
 import io.opentdf.platform.wellknownconfiguration.GetWellKnownConfigurationResponse;
 import io.opentdf.platform.wellknownconfiguration.WellKnownServiceClient;
+import io.opentdf.platform.wellknownconfiguration.WellKnownServiceClientInterface;
 import nl.altindag.ssl.SSLFactory;
 import nl.altindag.ssl.pem.util.PemUtils;
 import okhttp3.OkHttpClient;
@@ -251,6 +252,7 @@ ServicesAndInternals buildServices() {
         var resourceMappingService = new ResourceMappingServiceClient(client);
         var authorizationService = new AuthorizationServiceClient(client);
         var kasRegistryService = new KeyAccessServerRegistryServiceClient(client);
+        var wellKnownService = new WellKnownServiceClient(client);
 
         var services = new SDK.Services() {
             @Override
@@ -290,6 +292,11 @@ public KeyAccessServerRegistryServiceClient kasRegistry() {
                 return kasRegistryService;
             }
 
+            @Override
+            public WellKnownServiceClientInterface wellknown() {
+                return wellKnownService;
+            }
+
             @Override
             public SDK.KAS kas() {
                 return kasClient;

sdk/src/main/java/io/opentdf/platform/sdk/TDF.java

@@ -7,7 +7,6 @@
 
 import io.opentdf.platform.policy.kasregistry.ListKeyAccessServersRequest;
 import io.opentdf.platform.policy.kasregistry.ListKeyAccessServersResponse;
-import io.opentdf.platform.sdk.Config.TDFConfig;
 import io.opentdf.platform.sdk.Config.KASInfo;
 
 import org.apache.commons.codec.DecoderException;
@@ -346,7 +345,6 @@ private static byte[] calculateSignature(byte[] data, byte[] secret, Config.Inte
     }
 
     TDFObject createTDF(InputStream payload, OutputStream outputStream, Config.TDFConfig tdfConfig) throws SDKException, IOException {
-
         Planner planner = new Planner(tdfConfig, services);
         Map<String, List<KASInfo>> splits = planner.getSplits(tdfConfig);
 

sdk/src/test/java/io/opentdf/platform/sdk/FakeServices.java

@@ -1,71 +1,86 @@
 package io.opentdf.platform.sdk;
 
 import io.opentdf.platform.authorization.AuthorizationServiceClient;
+import io.opentdf.platform.authorization.AuthorizationServiceClientInterface;
 import io.opentdf.platform.policy.attributes.AttributesServiceClient;
+import io.opentdf.platform.policy.attributes.AttributesServiceClientInterface;
 import io.opentdf.platform.policy.kasregistry.KeyAccessServerRegistryServiceClient;
+import io.opentdf.platform.policy.kasregistry.KeyAccessServerRegistryServiceClientInterface;
 import io.opentdf.platform.policy.namespaces.NamespaceServiceClient;
+import io.opentdf.platform.policy.namespaces.NamespaceServiceClientInterface;
 import io.opentdf.platform.policy.resourcemapping.ResourceMappingServiceClient;
+import io.opentdf.platform.policy.resourcemapping.ResourceMappingServiceClientInterface;
 import io.opentdf.platform.policy.subjectmapping.SubjectMappingServiceClient;
+import io.opentdf.platform.policy.subjectmapping.SubjectMappingServiceClientInterface;
+import io.opentdf.platform.wellknownconfiguration.WellKnownServiceClientInterface;
 
 import java.util.Objects;
 
 public class FakeServices implements SDK.Services {
 
-    private final AuthorizationServiceClient authorizationService;
-    private final AttributesServiceClient attributesService;
-    private final NamespaceServiceClient namespaceService;
-    private final SubjectMappingServiceClient subjectMappingService;
-    private final ResourceMappingServiceClient resourceMappingService;
-    private final KeyAccessServerRegistryServiceClient keyAccessServerRegistryServiceFutureStub;
+    private final AuthorizationServiceClientInterface authorizationService;
+    private final AttributesServiceClientInterface attributesService;
+    private final NamespaceServiceClientInterface namespaceService;
+    private final SubjectMappingServiceClientInterface subjectMappingService;
+    private final ResourceMappingServiceClientInterface resourceMappingService;
+    private final KeyAccessServerRegistryServiceClientInterface keyAccessServerRegistryServiceFutureStub;
+    private final WellKnownServiceClientInterface wellKnownService;
     private final SDK.KAS kas;
 
     public FakeServices(
-            AuthorizationServiceClient authorizationService,
-            AttributesServiceClient attributesService,
-            NamespaceServiceClient namespaceService,
-            SubjectMappingServiceClient subjectMappingService,
-            ResourceMappingServiceClient resourceMappingService,
-            KeyAccessServerRegistryServiceClient keyAccessServerRegistryServiceFutureStub,
+            AuthorizationServiceClientInterface authorizationService,
+            AttributesServiceClientInterface attributesService,
+            NamespaceServiceClientInterface namespaceService,
+            SubjectMappingServiceClientInterface subjectMappingService,
+            ResourceMappingServiceClientInterface resourceMappingService,
+            KeyAccessServerRegistryServiceClientInterface keyAccessServerRegistryServiceFutureStub,
+            WellKnownServiceClientInterface wellKnownServiceClient,
             SDK.KAS kas) {
         this.authorizationService = authorizationService;
         this.attributesService = attributesService;
         this.namespaceService = namespaceService;
         this.subjectMappingService = subjectMappingService;
         this.resourceMappingService = resourceMappingService;
         this.keyAccessServerRegistryServiceFutureStub = keyAccessServerRegistryServiceFutureStub;
+        this.wellKnownService = wellKnownServiceClient;
         this.kas = kas;
     }
 
     @Override
-    public AuthorizationServiceClient authorization() {
+    public AuthorizationServiceClientInterface authorization() {
         return Objects.requireNonNull(authorizationService);
     }
 
     @Override
-    public AttributesServiceClient attributes() {
+    public AttributesServiceClientInterface attributes() {
         return Objects.requireNonNull(attributesService);
     }
 
     @Override
-    public NamespaceServiceClient namespaces() {
+    public NamespaceServiceClientInterface namespaces() {
         return Objects.requireNonNull(namespaceService);
     }
 
     @Override
-    public SubjectMappingServiceClient subjectMappings() {
+    public SubjectMappingServiceClientInterface subjectMappings() {
         return Objects.requireNonNull(subjectMappingService);
     }
 
     @Override
-    public ResourceMappingServiceClient resourceMappings() {
+    public ResourceMappingServiceClientInterface resourceMappings() {
         return Objects.requireNonNull(resourceMappingService);
     }
 
     @Override
-    public KeyAccessServerRegistryServiceClient kasRegistry() {
+    public KeyAccessServerRegistryServiceClientInterface kasRegistry() {
         return Objects.requireNonNull(keyAccessServerRegistryServiceFutureStub);
     }
 
+    @Override
+    public WellKnownServiceClientInterface wellknown() {
+        return Objects.requireNonNull(wellKnownService);
+    }
+
     @Override
     public SDK.KAS kas() {
         return Objects.requireNonNull(kas);