feat(sdk): Allow custom KAO array templates

.github/workflows/build.yaml

@@ -253,7 +253,9 @@ jobs:
           ./wait-and-test.sh platform
 
   platform-xtest:
-    needs: platform-roundtrip
+    needs: 
+      - cli
+      - lib
     uses: opentdf/tests/.github/workflows/xtest.yml@main
     with:
       js-ref: ${{ github.ref }}

.github/workflows/roundtrip/keycloak_data.yaml

@@ -0,0 +1,114 @@
+baseUrl: &baseUrl http://localhost:8888
+serverBaseUrl: &serverBaseUrl http://localhost:8080
+customAudMapper: &customAudMapper
+  name: audience-mapper
+  protocol: openid-connect
+  protocolMapper: oidc-audience-mapper
+  config:
+    included.custom.audience: *serverBaseUrl
+    access.token.claim: "true"
+    id.token.claim: "true"
+realms:
+  - realm_repepresentation:
+      realm: opentdf
+      enabled: true
+    custom_realm_roles:
+      - name: opentdf-org-admin
+      - name: opentdf-admin
+      - name: opentdf-standard
+    custom_client_roles:
+      tdf-entity-resolution:
+        - name: entity-resolution-test-role
+    custom_groups:
+      - name: mygroup
+        attributes:
+          mygroupattribute: 
+            - mygroupvalue
+    clients:
+      - client:
+          clientID: opentdf
+          enabled: true
+          name: opentdf
+          serviceAccountsEnabled: true
+          clientAuthenticatorType: client-secret
+          secret: secret
+          protocolMappers:
+            - *customAudMapper
+        sa_realm_roles: 
+          - opentdf-org-admin
+      - client:
+          clientID: opentdf-sdk
+          enabled: true
+          name: opentdf-sdk
+          serviceAccountsEnabled: true
+          clientAuthenticatorType: client-secret
+          secret: secret
+          protocolMappers:
+            - *customAudMapper
+        sa_realm_roles: 
+          - opentdf-standard
+      - client:
+          clientID: tdf-entity-resolution
+          enabled: true
+          name: tdf-entity-resolution
+          serviceAccountsEnabled: true
+          clientAuthenticatorType: client-secret
+          secret: secret
+          protocolMappers:
+            - *customAudMapper
+        sa_client_roles:
+          realm-management:
+            - view-clients
+            - query-clients
+            - view-users
+            - query-users
+      - client:
+          clientID: tdf-authorization-svc
+          enabled: true
+          name: tdf-authorization-svc
+          serviceAccountsEnabled: true
+          clientAuthenticatorType: client-secret
+          secret: secret
+          protocolMappers:
+            - *customAudMapper
+      - client:
+          clientID: opentdf-public
+          enabled: true
+          name: opentdf-public
+          serviceAccountsEnabled: false
+          publicClient: true
+          redirectUris:
+            - 'http://localhost:9000/*' # otdfctl CLI tool
+          protocolMappers:
+            - *customAudMapper
+    users:
+      - username: sample-user
+        enabled: true
+        firstName: sample
+        lastName: user
+        email: sampleuser@sample.com
+        credentials:
+          - value: testuser123
+            type: password
+        attributes:
+          superhero_name: 
+            - thor
+          superhero_group: 
+            - avengers
+        groups:
+          - mygroup
+        realmRoles:
+          - opentdf-org-admin
+        clientRoles:
+          realm-management:
+            - view-clients
+            - query-clients
+            - view-users
+            - query-users
+          tdf-entity-resolution:
+            - entity-resolution-test-role
+    token_exchanges:
+      - start_client: opentdf
+        target_client: opentdf-sdk
+
+

.github/workflows/roundtrip/opentdf.yaml

@@ -10,25 +10,18 @@ logger:
 #   password: changeme
 services:
   kas:
-    enabled: true
     keyring:
       - kid: e1
         alg: ec:secp256r1
+      - kid: e1
+        alg: ec:secp256r1
+        legacy: true
       - kid: r1
         alg: rsa:2048
       - kid: r1
         alg: rsa:2048
         legacy: true
-  policy:
-    enabled: true
-  authorization:
-    enabled: true
-    ersurl: http://localhost:65432/entityresolution/resolve
-    clientid: tdf-authorization-svc
-    clientsecret: secret
-    tokenendpoint: http://localhost:65432/auth/realms/opentdf/protocol/openid-connect/token
   entityresolution:
-    enabled: true
     url: http://localhost:65432/auth
     clientid: 'tdf-entity-resolution'
     clientsecret: 'secret'
@@ -41,6 +34,7 @@ services:
 server:
   auth:
     enabled: true
+    public_client_id: 'opentdf-public'
     audience: 'http://localhost:65432'
     issuer: http://localhost:65432/auth/realms/opentdf
     policy:

.github/workflows/roundtrip/wait-and-test.sh

@@ -106,7 +106,7 @@ _init_platform() {
   if [ -f go.work ]; then
     svc=github.com/opentdf/platform/service
   fi
-  if ! go run "${svc}" provision keycloak; then
+  if ! go run "${svc}" provision keycloak -f "${APP_DIR}/keycloak_data.yaml"; then
     echo "[ERROR] unable to provision keycloak"
     return 1
   fi

Makefile

@@ -3,11 +3,13 @@ version=2.0.0
 extras=cli remote-store web-app
 pkgs=lib $(extras)
 
-.PHONY: all audit license-check lint test ci i start format clean
+.PHONY: all audit ci clean cli format i license-check lint start test
 
 start: all
 	(cd web-app && npm run dev)
 
+cli: cli/opentdf-cli-$(version).tgz
+
 clean:
 	rm -f *.tgz
 	rm -f */*.tgz

lib/.prettierignore

@@ -0,0 +1 @@
+/src/platform