feat(sdk): Allow custom KAO array templates (#307)

- Adds the ability to share and split DEKs - Reconstructs keys using share ids This will allow opening of files with multi-kas splits. Step 1 of #314 While I'm here I also: 1. Lets platform-xtest job run in parallel with other e2e tests 2. Updates config for platform-roundtrip job, since the `provision fixture keycloak` needs a new config file 3. Adds a new phony make target to simplify development, you can now `make cli` to get the cli without having to guess the version number 4. Adds a `prettier ignore` directive so `make format` no longer formats the generated protocol buffer code 5. Updates the fetching of KAS public keys to happen during encrypt, not during client creation. This makes more sense now that we don't know at client start time which kases will actually be involved in the encrypt step --- Co-authored-by: Patrick Bacon-Blaber <pbacon-blaber@virtru.com>
opentdf · Aug 21, 2024 · fd1b386 · fd1b386
1 parent 6d01eff
commit fd1b386
Show file tree

Hide file tree

Showing 20 changed files with 350 additions and 146 deletions.
diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
@@ -253,7 +253,9 @@ jobs:
           ./wait-and-test.sh platform
 
   platform-xtest:
-    needs: platform-roundtrip
+    needs: 
+      - cli
+      - lib
     uses: opentdf/tests/.github/workflows/xtest.yml@main
     with:
       js-ref: ${{ github.ref }}

diff --git a/.github/workflows/roundtrip/keycloak_data.yaml b/.github/workflows/roundtrip/keycloak_data.yaml
@@ -0,0 +1,114 @@
+baseUrl: &baseUrl http://localhost:8888
+serverBaseUrl: &serverBaseUrl http://localhost:8080
+customAudMapper: &customAudMapper
+  name: audience-mapper
+  protocol: openid-connect
+  protocolMapper: oidc-audience-mapper
+  config:
+    included.custom.audience: *serverBaseUrl
+    access.token.claim: "true"
+    id.token.claim: "true"
+realms:
+  - realm_repepresentation:
+      realm: opentdf
+      enabled: true
+    custom_realm_roles:
+      - name: opentdf-org-admin
+      - name: opentdf-admin
+      - name: opentdf-standard
+    custom_client_roles:
+      tdf-entity-resolution:
+        - name: entity-resolution-test-role
+    custom_groups:
+      - name: mygroup
+        attributes:
+          mygroupattribute: 
+            - mygroupvalue
+    clients:
+      - client:
+          clientID: opentdf
+          enabled: true
+          name: opentdf
+          serviceAccountsEnabled: true
+          clientAuthenticatorType: client-secret
+          secret: secret
+          protocolMappers:
+            - *customAudMapper
+        sa_realm_roles: 
+          - opentdf-org-admin
+      - client:
+          clientID: opentdf-sdk
+          enabled: true
+          name: opentdf-sdk
+          serviceAccountsEnabled: true
+          clientAuthenticatorType: client-secret
+          secret: secret
+          protocolMappers:
+            - *customAudMapper
+        sa_realm_roles: 
+          - opentdf-standard
+      - client:
+          clientID: tdf-entity-resolution
+          enabled: true
+          name: tdf-entity-resolution
+          serviceAccountsEnabled: true
+          clientAuthenticatorType: client-secret
+          secret: secret
+          protocolMappers:
+            - *customAudMapper
+        sa_client_roles:
+          realm-management:
+            - view-clients
+            - query-clients
+            - view-users
+            - query-users
+      - client:
+          clientID: tdf-authorization-svc
+          enabled: true
+          name: tdf-authorization-svc
+          serviceAccountsEnabled: true
+          clientAuthenticatorType: client-secret
+          secret: secret
+          protocolMappers:
+            - *customAudMapper
+      - client:
+          clientID: opentdf-public
+          enabled: true
+          name: opentdf-public
+          serviceAccountsEnabled: false
+          publicClient: true
+          redirectUris:
+            - 'http://localhost:9000/*' # otdfctl CLI tool
+          protocolMappers:
+            - *customAudMapper
+    users:
+      - username: sample-user
+        enabled: true
+        firstName: sample
+        lastName: user
+        email: sampleuser@sample.com
+        credentials:
+          - value: testuser123
+            type: password
+        attributes:
+          superhero_name: 
+            - thor
+          superhero_group: 
+            - avengers
+        groups:
+          - mygroup
+        realmRoles:
+          - opentdf-org-admin
+        clientRoles:
+          realm-management:
+            - view-clients
+            - query-clients
+            - view-users
+            - query-users
+          tdf-entity-resolution:
+            - entity-resolution-test-role
+    token_exchanges:
+      - start_client: opentdf
+        target_client: opentdf-sdk
+
+
diff --git a/.github/workflows/roundtrip/opentdf.yaml b/.github/workflows/roundtrip/opentdf.yaml
@@ -10,25 +10,18 @@ logger:
 #   password: changeme
 services:
   kas:
-    enabled: true
     keyring:
       - kid: e1
         alg: ec:secp256r1
+      - kid: e1
+        alg: ec:secp256r1
+        legacy: true
       - kid: r1
         alg: rsa:2048
       - kid: r1
         alg: rsa:2048
         legacy: true
-  policy:
-    enabled: true
-  authorization:
-    enabled: true
-    ersurl: http://localhost:65432/entityresolution/resolve
-    clientid: tdf-authorization-svc
-    clientsecret: secret
-    tokenendpoint: http://localhost:65432/auth/realms/opentdf/protocol/openid-connect/token
   entityresolution:
-    enabled: true
     url: http://localhost:65432/auth
     clientid: 'tdf-entity-resolution'
     clientsecret: 'secret'
@@ -41,6 +34,7 @@ services:
 server:
   auth:
     enabled: true
+    public_client_id: 'opentdf-public'
     audience: 'http://localhost:65432'
     issuer: http://localhost:65432/auth/realms/opentdf
     policy:

diff --git a/.github/workflows/roundtrip/wait-and-test.sh b/.github/workflows/roundtrip/wait-and-test.sh
@@ -106,7 +106,7 @@ _init_platform() {
   if [ -f go.work ]; then
     svc=github.com/opentdf/platform/service
   fi
-  if ! go run "${svc}" provision keycloak; then
+  if ! go run "${svc}" provision keycloak -f "${APP_DIR}/keycloak_data.yaml"; then
     echo "[ERROR] unable to provision keycloak"
     return 1
   fi

diff --git a/Makefile b/Makefile
@@ -3,11 +3,13 @@ version=2.0.0
 extras=cli remote-store web-app
 pkgs=lib $(extras)
 
-.PHONY: all audit license-check lint test ci i start format clean
+.PHONY: all audit ci clean cli format i license-check lint start test
 
 start: all
 	(cd web-app && npm run dev)
 
+cli: cli/opentdf-cli-$(version).tgz
+
 clean:
 	rm -f *.tgz
 	rm -f */*.tgz

diff --git a/cli/package-lock.json b/cli/package-lock.json
diff --git a/lib/.prettierignore b/lib/.prettierignore
@@ -0,0 +1 @@
+/src/platform