feat(sdk): KAS Allowlist (#245)

Adds an allowlist for kas urls

---------

Co-authored-by: Copilot <[email protected]>

Author: elizabethhealy

.github/workflows/checks.yaml

@@ -152,21 +152,21 @@ jobs:
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            encrypt --kas-url=localhost:8080 --mime-type=text/plain --attr https://example.com/attr/attr1/value/value1 --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
+            encrypt --kas-url=http://localhost:8080 --mime-type=text/plain --attr https://example.com/attr/attr1/value/value1 --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             decrypt -f test.tdf > decrypted
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             metadata -f test.tdf > metadata
 
@@ -188,14 +188,14 @@ jobs:
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             encryptnano --kas-url=http://localhost:8080 --attr https://example.com/attr/attr1/value/value1 -f data -m 'here is some metadata' > nano.ntdf
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             decryptnano -f nano.ntdf > decrypted
           
@@ -215,14 +215,14 @@ jobs:
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            encrypt --kas-url=localhost:8080 --mime-type=text/plain --with-assertions=$ASSERTIONS --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
+            encrypt --kas-url=http://localhost:8080 --mime-type=text/plain --with-assertions=$ASSERTIONS --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             decrypt -f test.tdf > decrypted
           
@@ -246,14 +246,14 @@ jobs:
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            encrypt --kas-url=localhost:8080 --mime-type=text/plain --with-assertions="$SIGNED_ASSERTIONS_HS256" --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
+            encrypt --kas-url=http://localhost:8080 --mime-type=text/plain --with-assertions="$SIGNED_ASSERTIONS_HS256" --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             decrypt --with-assertion-verification-keys="$SIGNED_ASSERTION_VERIFICATON_HS256" -f test.tdf > decrypted
           
@@ -267,14 +267,14 @@ jobs:
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            encrypt --kas-url=localhost:8080 --mime-type=text/plain --with-assertions "$SIGNED_ASSERTIONS_RS256" --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
+            encrypt --kas-url=http://localhost:8080 --mime-type=text/plain --with-assertions "$SIGNED_ASSERTIONS_RS256" --autoconfigure=false -f data -m 'here is some metadata' > test.tdf
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
             decrypt --with-assertion-verification-keys "$SIGNED_ASSERTION_VERIFICATON_RS256" -f test.tdf > decrypted
           
@@ -300,23 +300,23 @@ jobs:
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            encrypt --kas-url=localhost:8080,localhost:8282 -f data -m 'here is some metadata' > test.tdf
+            encrypt --kas-url=http://localhost:8080,http://localhost:8282 -f data -m 'here is some metadata' > test.tdf
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            decrypt -f test.tdf > decrypted
+            decrypt -f test.tdf --kas-allowlist http://localhost:8080,http://localhost:8282  > decrypted
 
           java -jar target/cmdline.jar \
             --client-id=opentdf-sdk \
             --client-secret=secret \
-            --platform-endpoint=localhost:8080 \
+            --platform-endpoint=http://localhost:8080 \
             -h\
-            metadata -f test.tdf > metadata
+            metadata -f test.tdf --kas-allowlist http://localhost:8080,http://localhost:8282 > metadata
 
           if ! diff -q data decrypted; then
             printf 'decrypted data is incorrect [%s]' "$(< decrypted)"

README.md

@@ -38,7 +38,7 @@ public class Example {
     // Decrypt a file
     try (SeekableByteChannel in =
           FileChannel.open("input.ciphertext", StandardOpenOption.READ)) {
-        TDF.Reader reader = new TDF().loadTDF(in, sdk.getServices().kas());
+        TDF.Reader reader = new TDF().loadTDF(in, sdk.getServices().kas(), sdk.getServices().kasRegistry(), sdk.getPlatformUrl());
         reader.readPayload(System.out);
     }
 }}

cmdline/src/main/java/io/opentdf/platform/Command.java

@@ -24,6 +24,7 @@
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.io.PrintWriter;
+import java.net.URISyntaxException;
 import java.nio.ByteBuffer;
 import java.nio.channels.FileChannel;
 import java.nio.charset.StandardCharsets;
@@ -245,8 +246,10 @@ private SDK buildSDK() {
     void decrypt(@Option(names = { "-f", "--file" }, required = true) Path tdfPath,
             @Option(names = { "--rewrap-key-type" }, defaultValue = Option.NULL_VALUE, description = "Preferred rewrap algorithm, one of ${COMPLETION-CANDIDATES}") Optional<KeyType> rewrapKeyType,
             @Option(names = { "--with-assertion-verification-disabled" }, defaultValue = "false") boolean disableAssertionVerification,
-            @Option(names = { "--with-assertion-verification-keys" }, defaultValue = Option.NULL_VALUE) Optional<String> assertionVerification)
-             throws IOException, TDF.FailedToCreateGMAC, JOSEException, ParseException, NoSuchAlgorithmException, DecoderException {
+            @Option(names = { "--with-assertion-verification-keys" }, defaultValue = Option.NULL_VALUE) Optional<String> assertionVerification,
+            @Option(names = { "--kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<String> kasAllowlistStr,
+            @Option(names = { "--ignore-kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<Boolean> ignoreAllowlist)
+             throws IOException, TDF.FailedToCreateGMAC, JOSEException, ParseException, NoSuchAlgorithmException, DecoderException, InterruptedException, ExecutionException, URISyntaxException {
         var sdk = buildSDK();
         var opts = new ArrayList<Consumer<Config.TDFReaderConfig>>();
         try (var in = FileChannel.open(tdfPath, StandardOpenOption.READ)) {
@@ -286,21 +289,39 @@ void decrypt(@Option(names = { "-f", "--file" }, required = true) Path tdfPath,
                 }
                 rewrapKeyType.map(Config::WithSessionKeyType).ifPresent(opts::add);
 
+                if (ignoreAllowlist.isPresent()) {
+                    opts.add(Config.WithIgnoreKasAllowlist(ignoreAllowlist.get()));
+                }
+                if (kasAllowlistStr.isPresent()) {
+                    opts.add(Config.WithKasAllowlist(kasAllowlistStr.get().split(",")));
+                }
+
                 var readerConfig = Config.newTDFReaderConfig(opts.toArray(new Consumer[0]));
-                var reader = new TDF().loadTDF(in, sdk.getServices().kas(), readerConfig);
+                var reader = new TDF().loadTDF(in, sdk.getServices().kas(), readerConfig, sdk.getServices().kasRegistry(), sdk.getPlatformUrl());
                 reader.readPayload(stdout);
             }
         }
     }
 
     @CommandLine.Command(name = "metadata")
-    void readMetadata(@Option(names = { "-f", "--file" }, required = true) Path tdfPath) throws IOException,
-            TDF.FailedToCreateGMAC, JOSEException, NoSuchAlgorithmException, ParseException, DecoderException {
+    void readMetadata(@Option(names = { "-f", "--file" }, required = true) Path tdfPath,
+    @Option(names = { "--kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<String> kasAllowlistStr,
+            @Option(names = { "--ignore-kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<Boolean> ignoreAllowlist) throws IOException,
+            TDF.FailedToCreateGMAC, JOSEException, NoSuchAlgorithmException, ParseException, DecoderException, InterruptedException, ExecutionException, URISyntaxException {
         var sdk = buildSDK();
-
+        var opts = new ArrayList<Consumer<Config.TDFReaderConfig>>();
         try (var in = FileChannel.open(tdfPath, StandardOpenOption.READ)) {
             try (var stdout = new PrintWriter(System.out)) {
-                var reader = new TDF().loadTDF(in, sdk.getServices().kas());
+
+                if (ignoreAllowlist.isPresent()) {
+                    opts.add(Config.WithIgnoreKasAllowlist(ignoreAllowlist.get()));
+                }
+                if (kasAllowlistStr.isPresent()) {
+                    opts.add(Config.WithKasAllowlist(kasAllowlistStr.get().split(",")));
+                }
+
+                var readerConfig = Config.newTDFReaderConfig(opts.toArray(new Consumer[0]));
+                var reader = new TDF().loadTDF(in, sdk.getServices().kas(), readerConfig, sdk.getServices().kasRegistry(), sdk.getPlatformUrl());
                 stdout.write(reader.getMetadata() == null ? "" : reader.getMetadata());
             }
         }
@@ -337,15 +358,25 @@ void createNanoTDF(
     }
 
     @CommandLine.Command(name = "decryptnano")
-    void readNanoTDF(@Option(names = { "-f", "--file" }, required = true) Path nanoTDFPath) throws Exception {
+    void readNanoTDF(@Option(names = { "-f", "--file" }, required = true) Path nanoTDFPath,
+                     @Option(names = { "--kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<String> kasAllowlistStr,
+                     @Option(names = { "--ignore-kas-allowlist" }, defaultValue = Option.NULL_VALUE) Optional<Boolean> ignoreAllowlist) throws Exception {
         var sdk = buildSDK();
         try (var in = FileChannel.open(nanoTDFPath, StandardOpenOption.READ)) {
             try (var stdout = new BufferedOutputStream(System.out)) {
                 NanoTDF ntdf = new NanoTDF();
                 ByteBuffer buffer = ByteBuffer.allocate((int) in.size());
                 in.read(buffer);
                 buffer.flip();
-                ntdf.readNanoTDF(buffer, stdout, sdk.getServices().kas());
+                var opts = new ArrayList<Consumer<Config.NanoTDFReaderConfig>>();
+                if (ignoreAllowlist.isPresent()) {
+                    opts.add(Config.WithNanoIgnoreKasAllowlist(ignoreAllowlist.get()));
+                }
+                if (kasAllowlistStr.isPresent()) {
+                    opts.add(Config.WithNanoKasAllowlist(kasAllowlistStr.get().split(",")));
+                }
+                var readerConfig = Config.newNanoTDFReaderConfig(opts.toArray(new Consumer[0]));
+                ntdf.readNanoTDF(buffer, stdout, sdk.getServices().kas(), readerConfig, sdk.getServices().kasRegistry(), sdk.getPlatformUrl());
             }
         }
     }

examples/src/main/java/io/opentdf/platform/DecryptCollectionExample.java

@@ -9,12 +9,14 @@
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.net.URISyntaxException;
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.security.NoSuchAlgorithmException;
+import java.util.concurrent.ExecutionException;
 
 public class DecryptCollectionExample {
-    public static void main(String[] args) throws IOException, NanoTDF.NanoTDFMaxSizeLimit, NanoTDF.UnsupportedNanoTDFFeature, NanoTDF.InvalidNanoTDFConfig, NoSuchAlgorithmException, InterruptedException {
+    public static void main(String[] args) throws IOException, NanoTDF.NanoTDFMaxSizeLimit, NanoTDF.UnsupportedNanoTDFFeature, NanoTDF.InvalidNanoTDFConfig, NoSuchAlgorithmException, InterruptedException, ExecutionException, URISyntaxException {
         String clientId = "opentdf-sdk";
         String clientSecret = "secret";
         String platformEndpoint = "localhost:8080";
@@ -33,7 +35,7 @@ public static void main(String[] args) throws IOException, NanoTDF.NanoTDFMaxSiz
 
         for (int i = 0; i < 50; i++) {
             FileInputStream fis = new FileInputStream(String.format("out/my.%d_ciphertext", i));
-            nanoTDFClient.readNanoTDF(ByteBuffer.wrap(fis.readAllBytes()), System.out, sdk.getServices().kas());
+            nanoTDFClient.readNanoTDF(ByteBuffer.wrap(fis.readAllBytes()), System.out, sdk.getServices().kas(), sdk.getServices().kasRegistry(), sdk.getPlatformUrl());
             fis.close();
         }
 

examples/src/main/java/io/opentdf/platform/DecryptExample.java

@@ -7,10 +7,13 @@
 import java.nio.file.Paths;
 import com.nimbusds.jose.JOSEException;
 import java.io.IOException;
+import java.net.URISyntaxException;
 import java.security.InvalidAlgorithmParameterException;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.text.ParseException;
+import java.util.concurrent.ExecutionException;
+
 import javax.crypto.BadPaddingException;
 import javax.crypto.IllegalBlockSizeException;
 import javax.crypto.NoSuchPaddingException;
@@ -21,7 +24,7 @@ public class DecryptExample {
     public static void main(String[] args) throws IOException,
             InvalidAlgorithmParameterException, NoSuchPaddingException, IllegalBlockSizeException,
             BadPaddingException, InvalidKeyException, TDF.FailedToCreateGMAC,
-            JOSEException, ParseException, NoSuchAlgorithmException, DecoderException, org.apache.commons.cli.ParseException {
+            JOSEException, ParseException, NoSuchAlgorithmException, DecoderException, org.apache.commons.cli.ParseException, InterruptedException, ExecutionException, URISyntaxException {
 
         // Create Options object
         Options options = new Options();
@@ -53,7 +56,7 @@ public static void main(String[] args) throws IOException,
 
         Path path = Paths.get("my.ciphertext");
         try (var in = FileChannel.open(path, StandardOpenOption.READ)) {
-            var reader = new TDF().loadTDF(in, sdk.getServices().kas(), Config.newTDFReaderConfig(Config.WithSessionKeyType(sessionKeyType)));
+            var reader = new TDF().loadTDF(in, sdk.getServices().kas(), Config.newTDFReaderConfig(Config.WithSessionKeyType(sessionKeyType)), sdk.getServices().kasRegistry(), sdk.getPlatformUrl());
             reader.readPayload(System.out);
         }