Merge remote-tracking branch 'origin/main' into feature/sdk-encrypt

CODEOWNERS

@@ -1,6 +1,6 @@
 # CODEOWNERS
 
-* @opentdf/java-sdk
+* @opentdf/java-sdk @opentdf/architecture
 
 ## High Security Area
 

README.md

@@ -1,3 +1,6 @@
 # java-sdk
 
 OpenTDF Java SDK
+
+### Logging
+We use [slf4j](https://www.slf4j.org/), without providing a backend. We use log4j2 in our tests.

pom.xml

@@ -37,21 +37,13 @@
                 <version>5.10.1</version>
                 <type>pom</type>
                 <scope>import</scope>
-            </dependency>
-             <dependency>
-                <groupId>org.apache.logging.log4j</groupId>
-                <artifactId>log4j-api</artifactId>
-                <version>${log4j.version}</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.logging.log4j</groupId>
-                <artifactId>log4j-core</artifactId>
-                <version>${log4j.version}</version>
-            </dependency>
-            <dependency>
-                <groupId>org.apache.logging.log4j</groupId>
-                <artifactId>log4j-slf4j2-impl</artifactId>
-                <version>${log4j.version}</version>
+                <artifactId>log4j-bom</artifactId>
+                <version>2.23.1</version>
+                <type>pom</type>
+                <scope>import</scope>
             </dependency>
             <dependency>
                 <groupId>org.projectlombok</groupId>

protocol/pom.xml

@@ -57,8 +57,6 @@
                                 <exec executable="buf" dir="../">
                                     <arg value="generate" />
                                     <arg value="https://github.com/opentdf/platform.git#branch=main,subdir=service" />
-                                    <arg value="--exclude-path"/>
-                                    <arg value="authorization/idp_plugin.proto"/>
                                 </exec>
                                 <exec executable="buf" dir="../">
                                     <arg value="generate" />

sdk/pom.xml

@@ -10,8 +10,8 @@
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
                 <configuration>
-                    <source>15</source>
-                    <target>15</target>
+                    <source>11</source>
+                    <target>11</target>
                 </configuration>
             </plugin>
         </plugins>
@@ -29,6 +29,26 @@
             <artifactId>protocol</artifactId>
             <version>0.1.0-SNAPSHOT</version><!-- {x-version-update:java-sdk:current} -->
         </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+            <version>2.0.13</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-slf4j2-impl</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+        <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-api</artifactId>
+            <scope>test</scope>
+        </dependency>
         <dependency>
             <groupId>org.junit.jupiter</groupId>
             <artifactId>junit-jupiter</artifactId>
@@ -86,9 +106,10 @@
             <version>1.17.0</version>
         </dependency>
         <dependency>
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <version>2.11.0</version>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>1.26.1</version>
+            <scope>test</scope>
         </dependency>
     </dependencies>
 </project>

sdk/src/main/java/io/opentdf/platform/sdk/GRPCAuthInterceptor.java

@@ -15,14 +15,15 @@
 import com.nimbusds.oauth2.sdk.http.HTTPRequest;
 import com.nimbusds.oauth2.sdk.http.HTTPResponse;
 import com.nimbusds.oauth2.sdk.token.AccessToken;
-import com.nimbusds.oauth2.sdk.tokenexchange.TokenExchangeGrant;
 import io.grpc.CallOptions;
 import io.grpc.Channel;
 import io.grpc.ClientCall;
 import io.grpc.ClientInterceptor;
 import io.grpc.ForwardingClientCall;
 import io.grpc.Metadata;
 import io.grpc.MethodDescriptor;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.net.URI;
 import java.net.URISyntaxException;
@@ -40,6 +41,9 @@ class GRPCAuthInterceptor implements ClientInterceptor {
     private final RSAKey rsaKey;
     private final URI tokenEndpointURI;
 
+    private static final Logger logger = LoggerFactory.getLogger(GRPCAuthInterceptor.class);
+
+
     /**
      * Constructs a new GRPCAuthInterceptor with the specified client authentication and RSA key.
      *
@@ -101,6 +105,8 @@ private synchronized AccessToken getToken() {
             // If the token is expired or initially null, get a new token
             if (token == null || isTokenExpired()) {
 
+                logger.trace("The current access token is expired or empty, getting a new one");
+
                 // Construct the client credentials grant
                 AuthorizationGrant clientGrant = new ClientCredentialsGrant();
 
@@ -124,9 +130,17 @@ private synchronized AccessToken getToken() {
                     throw new RuntimeException("Token request failed: " + error);
                 }
 
-                this.token = tokenResponse.toSuccessResponse().getTokens().getAccessToken();
-                // DPoPAccessToken dPoPAccessToken = tokens.getDPoPAccessToken();
 
+                var tokens = tokenResponse.toSuccessResponse().getTokens();
+                if (tokens.getDPoPAccessToken() != null) {
+                    logger.trace("retrieved a new DPoP access token");
+                } else if (tokens.getAccessToken() != null) {
+                    logger.trace("retrieved a new access token");
+                } else {
+                    logger.trace("got an access token of unknown type");
+                }
+
+                this.token = tokens.getAccessToken();
 
                 if (token.getLifetime() != 0) {
                     // Need some type of leeway but not sure whats best

sdk/src/main/java/io/opentdf/platform/sdk/KASClient.java

@@ -0,0 +1,41 @@
+package io.opentdf.platform.sdk;
+
+import io.grpc.Channel;
+import io.opentdf.platform.kas.AccessServiceGrpc;
+import io.opentdf.platform.kas.PublicKeyRequest;
+import io.opentdf.platform.kas.RewrapRequest;
+
+import java.util.HashMap;
+import java.util.function.Function;
+
+public class KASClient implements SDK.KAS {
+
+    private final Function<SDK.KASInfo, Channel> channelFactory;
+
+    public KASClient(Function <SDK.KASInfo, Channel> channelFactory) {
+        this.channelFactory = channelFactory;
+    }
+
+    @Override
+    public String getPublicKey(SDK.KASInfo kasInfo) {
+        return getStub(kasInfo).publicKey(PublicKeyRequest.getDefaultInstance()).getPublicKey();
+    }
+
+    @Override
+    public byte[] unwrap(SDK.KASInfo kasInfo, SDK.Policy policy) {
+        // this is obviously wrong. we still have to generate a correct request and decrypt the payload
+        return getStub(kasInfo).rewrap(RewrapRequest.getDefaultInstance()).getEntityWrappedKey().toByteArray();
+    }
+
+    private final HashMap<SDK.KASInfo, AccessServiceGrpc.AccessServiceBlockingStub> stubs = new HashMap<>();
+
+    private synchronized AccessServiceGrpc.AccessServiceBlockingStub getStub(SDK.KASInfo kasInfo) {
+        if (!stubs.containsKey(kasInfo)) {
+            var channel = channelFactory.apply(kasInfo);
+            var stub = AccessServiceGrpc.newBlockingStub(channel);
+            stubs.put(kasInfo, stub);
+        }
+
+        return stubs.get(kasInfo);
+    }
+}

sdk/src/main/java/io/opentdf/platform/sdk/SDK.java

@@ -17,14 +17,25 @@
 public class SDK {
     private final Services services;
 
+    public interface KASInfo{
+        String getAddress();
+    }
+    public interface Policy{}
+
+    interface KAS {
+        String getPublicKey(KASInfo kasInfo);
+        byte[] unwrap(KASInfo kasInfo, Policy policy);
+    }
+
     // TODO: add KAS
-    public interface Services {
+    interface Services {
         AttributesServiceFutureStub attributes();
         NamespaceServiceFutureStub namespaces();
         SubjectMappingServiceFutureStub subjectMappings();
         ResourceMappingServiceFutureStub resourceMappings();
+        KAS kas();
 
-        static Services newServices(Channel channel) {
+        static Services newServices(Channel channel, KAS kas) {
             var attributeService = AttributesServiceGrpc.newFutureStub(channel);
             var namespaceService = NamespaceServiceGrpc.newFutureStub(channel);
             var subjectMappingService = SubjectMappingServiceGrpc.newFutureStub(channel);
@@ -50,11 +61,16 @@ public SubjectMappingServiceFutureStub subjectMappings() {
                 public ResourceMappingServiceFutureStub resourceMappings() {
                     return resourceMappingService;
                 }
+
+                @Override
+                public KAS kas() {
+                    return kas;
+                }
             };
         }
     }
 
-    public SDK(Services services) {
+    SDK(Services services) {
         this.services = services;
     }
 }

sdk/src/main/java/io/opentdf/platform/sdk/SDKBuilder.java

@@ -11,15 +11,20 @@
 import com.nimbusds.oauth2.sdk.id.ClientID;
 import com.nimbusds.oauth2.sdk.id.Issuer;
 import com.nimbusds.openid.connect.sdk.op.OIDCProviderMetadata;
+import io.grpc.Channel;
 import io.grpc.ManagedChannel;
 import io.grpc.ManagedChannelBuilder;
 import io.grpc.Status;
+import io.grpc.StatusRuntimeException;
 import io.opentdf.platform.wellknownconfiguration.GetWellKnownConfigurationRequest;
 import io.opentdf.platform.wellknownconfiguration.GetWellKnownConfigurationResponse;
 import io.opentdf.platform.wellknownconfiguration.WellKnownServiceGrpc;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
 
 import java.io.IOException;
 import java.util.UUID;
+import java.util.function.Function;
 
 /**
  * A builder class for creating instances of the SDK class.
@@ -30,9 +35,13 @@ public class SDKBuilder {
     private ClientAuthentication clientAuth = null;
     private Boolean usePlainText;
 
+    private static final Logger logger = LoggerFactory.getLogger(SDKBuilder.class);
+
     public static SDKBuilder newBuilder() {
         SDKBuilder builder = new SDKBuilder();
         builder.usePlainText = false;
+        builder.clientAuth = null;
+        builder.platformEndpoint = null;
 
         return builder;
     }
@@ -54,8 +63,16 @@ public SDKBuilder useInsecurePlaintextConnection(Boolean usePlainText) {
         return this;
     }
 
-    // this is not exposed publicly so that it can be tested
-    ManagedChannel buildChannel() {
+    private GRPCAuthInterceptor getGrpcAuthInterceptor() {
+        if (platformEndpoint == null) {
+            throw new SDKException("cannot build an SDK without specifying the platform endpoint");
+        }
+
+        if (clientAuth == null) {
+            // this simplifies things for now, if we need to support this case we can revisit
+            throw new SDKException("cannot build an SDK without specifying OAuth credentials");
+        }
+
         // we don't add the auth listener to this channel since it is only used to call the
         //    well known endpoint
         ManagedChannel bootstrapChannel = null;
@@ -65,7 +82,7 @@ ManagedChannel buildChannel() {
             var stub = WellKnownServiceGrpc.newBlockingStub(bootstrapChannel);
             try {
                 config = stub.getWellKnownConfiguration(GetWellKnownConfigurationRequest.getDefaultInstance());
-            } catch (Exception e) {
+            } catch (StatusRuntimeException e) {
                 Status status = Status.fromThrowable(e);
                 throw new SDKException(String.format("Got grpc status [%s] when getting configuration", status), e);
             }
@@ -82,7 +99,7 @@ ManagedChannel buildChannel() {
                     .getFieldsOrThrow(PLATFORM_ISSUER)
                     .getStringValue();
 
-        } catch (Exception e) {
+        } catch (StatusRuntimeException e) {
             throw new SDKException("Error getting the issuer from the platform", e);
         }
 
@@ -104,24 +121,39 @@ ManagedChannel buildChannel() {
             throw new SDKException("Error generating DPoP key", e);
         }
 
-        GRPCAuthInterceptor interceptor = new GRPCAuthInterceptor(clientAuth, rsaKey, providerMetadata.getTokenEndpointURI());
+        return new GRPCAuthInterceptor(clientAuth, rsaKey, providerMetadata.getTokenEndpointURI());
+    }
 
-        return getManagedChannelBuilder()
-                .intercept(interceptor)
-                .build();
+    SDK.Services buildServices() {
+        var authInterceptor = getGrpcAuthInterceptor();
+        var channel = getManagedChannelBuilder().intercept(authInterceptor).build();
+        var client = new KASClient(getChannelFactory(authInterceptor));
+        return SDK.Services.newServices(channel, client);
     }
 
     public SDK build() {
-        return new SDK(SDK.Services.newServices(buildChannel()));
+        return new SDK(buildServices());
     }
 
     private ManagedChannelBuilder<?> getManagedChannelBuilder() {
-        ManagedChannelBuilder<?> channelBuilder = ManagedChannelBuilder
-                .forTarget(platformEndpoint);
+        ManagedChannelBuilder<?> channelBuilder = ManagedChannelBuilder.forTarget(platformEndpoint);
 
         if (usePlainText) {
             channelBuilder = channelBuilder.usePlaintext();
         }
         return channelBuilder;
     }
+
+    Function<SDK.KASInfo, Channel> getChannelFactory(GRPCAuthInterceptor authInterceptor) {
+        var pt = usePlainText; // no need to have the builder be able to influence things from beyond the grave
+        return (SDK.KASInfo kasInfo) -> {
+            ManagedChannelBuilder<?> channelBuilder = ManagedChannelBuilder
+                    .forTarget(kasInfo.getAddress())
+                    .intercept(authInterceptor);
+            if (pt) {
+                channelBuilder = channelBuilder.usePlaintext();
+            }
+            return channelBuilder.build();
+        };
+    }
 }

sdk/src/main/java/io/opentdf/platform/sdk/SDKException.java

@@ -4,4 +4,8 @@ public class SDKException extends RuntimeException {
     public SDKException(String message, Exception reason) {
         super(message, reason);
     }
+
+    public SDKException(String message) {
+        super(message);
+    }
 }