Update README.md

opentdf · Jun 18, 2024 · 0533b68 · 0533b68
1 parent 022870f
commit 0533b68
Showing 1 changed file with 56 additions and 1 deletion.
diff --git a/sdk/README.md b/sdk/README.md
@@ -14,7 +14,7 @@ import io.opentdf.platform.sdk.abac.Policy;
 public class Example {
   public static void main(String args[]) {
     OAuthClientCredentials creds = new OAuthClientCredentials("myClient", "token");
-    Client c = new Client.Builder().auth(creds).build();
+    Client c = new Client.Builder().auth(creds).config("https://opentdf.io/configService").build();
     try { 
       Policy p = new Policy.Builder().attr("something").build();
       c.encrypt(/* reader or channel */, policyDetails)
@@ -25,3 +25,58 @@ public class Example {
   }
 }
 ```
+
+### Config Service
+
+The config services will provide the ability to assign a given KAS to a
+combination of a user and policy. The configuration service can be loaded first,
+and given its nature probably should be immutable with the life of a Client
+object. It resolves which KAS (es) to use for a given rewrap request, as well
+as possibly more information about other services.
+
+Without the config service, we need to be explicit about which KAS we are using
+for encrypt, and which are allowed for decrypt. This will mean exposing the
+'key plan' as an interface object, or something similar to it. Sample without
+config service:
+
+```java
+Client c = new Client.Builder()
+    .auth(creds)
+    .withKas("https://opentdf.io/api/kas")
+      // Used for encrypt rewraps; default keyplan
+    .withPermittedKas("https://external.kas.io/")
+      // Allowed for decrypt rewraps
+    .build();
+Policy p = new Policy.Builder()
+    .attr("something")
+    .keyPlan(
+        KeyPlan.And(
+            KeyPlan.KAS("https://opentdf.io/api/kas"),
+            KeyPlan.KAS("https://somewhere.io/api/kas")))
+    .build();
+c.encrypt(/* reader or channel */, policyDetails)
+```
+
+### Create/Read (encrypt/decrypt)
+
+The encrypt method must take in a reference to plain text and list of
+data attributes reflecting the policy. Our configuration service with Key
+Grants allows the client to automatically generate a key plan, which can produce
+a set of Key Access objects. We will at first support encrypting.
+
+Input Options:
+
+- `File`: Gives us the name. But maybe too specific.
+- `InputStream`: classic, good for reading bytes. Doesn't have type, length, or name attributes.
+- `ReadableByteChannel`: nio variant of `InputStream`, which maybe is better somehow?
+- `Reader`: text oriented version of stream; less useful for generic encryption
+
+* Do we want to add mime type and file name attributes?
+
+```java
+c.encrypt(/* reader or channel */, policyDetails)
+```
+
+
+
+### Management Services