Skip to content

Commit 7dfa6b5

Browse files
hmm basekye
1 parent 1f8be50 commit 7dfa6b5

3 files changed

Lines changed: 23 additions & 6 deletions

File tree

xtest/tdfs.py

Lines changed: 13 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -114,17 +114,27 @@ def has_base_key(self) -> bool:
114114
115115
When base_key is present, SDKs automatically use EC wrapping.
116116
"""
117+
return self.base_key_kas_uri is not None
118+
119+
@property
120+
def base_key_kas_uri(self) -> str | None:
121+
"""Get the KAS URI from the platform's base_key configuration.
122+
123+
Returns None if base_key is not configured.
124+
"""
117125
import json
118-
import subprocess
119126
import urllib.request
120127

121128
platformurl = os.getenv("PLATFORMURL", "http://localhost:8080")
122129
try:
123130
with urllib.request.urlopen(f"{platformurl}/.well-known/opentdf-configuration", timeout=5) as response:
124131
config = json.loads(response.read().decode())
125-
return "base_key" in config.get("configuration", {})
132+
base_key = config.get("configuration", {}).get("base_key")
133+
if base_key:
134+
return base_key.get("kas_uri")
135+
return None
126136
except Exception:
127-
return False
137+
return None
128138

129139
def skip_if_unsupported(self, *features: feature_type):
130140
for feature in features:

xtest/test_abac.py

Lines changed: 6 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@ def assert_decrypt_fails_with_patterns(
5151
unexpected_patterns: Patterns that should NOT appear in SDK error output
5252
audit_logs: Optional AuditLogAsserter for server-side audit validation
5353
audit_attr_fqn: Optional attribute FQN to verify in audit decision logs
54-
ignore_kas_allowlist: If True, bypass KAS allowlist validation
54+
ignore_kas_allowlist: Bypass KAS allowlist validation
5555
"""
5656
try:
5757
decrypt_sdk.decrypt(
@@ -657,6 +657,10 @@ def test_obligations_not_entitled(
657657
# Mark timestamp before decrypt attempt
658658
audit_logs.mark("before_decrypt")
659659

660+
# Bypass KAS allowlist when base_key is enabled (SDK bug: allowlist not respected)
661+
pfs = tdfs.PlatformFeatureSet()
662+
ignore_allowlist = pfs.has_base_key
663+
660664
assert_decrypt_fails_with_patterns(
661665
decrypt_sdk=decrypt_sdk,
662666
ct_file=ct_file,
@@ -666,7 +670,7 @@ def test_obligations_not_entitled(
666670
unexpected_patterns=[obligations_pattern],
667671
audit_logs=audit_logs,
668672
audit_attr_fqn=attr_val.fqn,
669-
ignore_kas_allowlist=True,
673+
ignore_kas_allowlist=ignore_allowlist,
670674
)
671675

672676

xtest/test_tdfs.py

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -135,7 +135,10 @@ def test_tdf_roundtrip(
135135

136136
fname = ct_file.stem
137137
rt_file = tmp_dir / f"{fname}.untdf"
138-
decrypt_sdk.decrypt(ct_file, rt_file, container)
138+
139+
# When base_key is enabled, bypass KAS allowlist (SDK bug: allowlist not respected with base_key)
140+
ignore_allowlist = pfs.has_base_key
141+
decrypt_sdk.decrypt(ct_file, rt_file, container, ignore_kas_allowlist=ignore_allowlist)
139142
assert filecmp.cmp(pt_file, rt_file)
140143

141144
if (

0 commit comments

Comments
 (0)