feat(sdk): Add a KAS allowlist #2085
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Standard Benchmark Skipped or FailedBulk Benchmark Results
|
Standard Benchmark Skipped or FailedBulk Benchmark Results
|
Standard Benchmark Skipped or FailedBulk Benchmark Results
|
Standard Benchmark Skipped or FailedBulk Benchmark Results
|
There was a problem hiding this comment.
Pull Request Overview
This PR adds a KAS allowlist feature to the SDK decryption functionality to restrict which KAS URLs may be used during decryption. Key changes include:
- Implementation of functions to construct and manage the allowlist in both TDF3 and Nano TDF reader configurations.
- Integration of allowlist checks in the decryption flows, including BulkDecrypt.
- Addition of extensive tests to validate the intended allowlist behavior.
Reviewed Changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| service/rttests/rt_test.go | Tests that decryption fails when using a disallowed KAS URL. |
| sdk/tdf_test.go | Introduces tests for KAS allowlist functionality in TDF decryption. |
| sdk/tdf_config_test.go | Updates tests to verify correct processing of valid and invalid KAS URLs. |
| sdk/tdf_config.go | Implements allowlist functions and new reader options. |
| sdk/tdf.go | Integrates KAS allowlist checking in the TDF decryption flow. |
| sdk/nanotdf_config_test.go | Adds tests for Nano TDF allowlist options and ignore settings. |
| sdk/nanotdf_config.go | Implements NanoTDFReaderConfig support for KAS allowlist. |
| sdk/nanotdf.go | Adds allowlist verification in the NanoTDF decryption flow. |
| sdk/bulk.go | Updates bulk decryption to incorporate new KAS allowlist options. |
Comments suppressed due to low confidence (1)
sdk/tdf_config.go:293
- The function getKasAddress returns an empty string for URLs without a scheme, which may lead to unintended errors when valid host:port values are provided without a scheme. Consider handling such cases explicitly by inferring a default scheme or adjusting the parsing logic.
if parsedURL.Host == "" && parsedURL.Port() == "" {
Standard Benchmark Skipped or FailedBulk Benchmark Results
|
…latform into dspx-966-kas-allowlist
Standard Benchmark Skipped or FailedBulk Benchmark Results
|
Standard Benchmark Skipped or FailedBulk Benchmark Results
|
jentfoo
reviewed
Apr 25, 2025
Standard Benchmark Skipped or FailedBulk Benchmark Results
|
jentfoo
previously approved these changes
Apr 25, 2025
policy-bot-opentdf
bot
dismissed
jentfoo’s stale review
Invalidated by push of bdf6ed4
Benchmark results, click to expandBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
jentfoo
previously approved these changes
Apr 25, 2025
Benchmark results, click to expandBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
Benchmark results, click to expandBulk Benchmark Results
TDF3 Benchmark Results:
NANOTDF Benchmark Results:
Error Summary:
Standard Benchmark Metrics Skipped or Failed |
strantalis
approved these changes
Apr 28, 2025
This was referenced Apr 28, 2025
github-merge-queue bot
pushed a commit
that referenced
this pull request
Apr 28, 2025
🤖 I have created a release *beep* *boop* --- ## [0.4.4](sdk/v0.4.3...sdk/v0.4.4) (2025-04-28) ### Features * **sdk:** Add a KAS allowlist ([#2085](#2085)) ([d7cfdf3](d7cfdf3)) ### Bug Fixes * **ci:** Update expired ca and certs in oauth unit tests ([#2113](#2113)) ([5440fcc](5440fcc)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
May 22, 2025
🤖 I have created a release *beep* *boop* --- ## [0.5.3](service/v0.5.2...service/v0.5.3) (2025-05-22) ### Features * **authz:** authz v2 versioning implementation ([#2173](#2173)) ([557fc21](557fc21)) * **authz:** authz v2, ers v2 protos and gencode for ABAC with actions & registered resource ([#2124](#2124)) ([ea7992a](ea7992a)) * **authz:** export entity id prefix constant from entity instead of authorization service v1 ([#2261](#2261)) ([94079a9](94079a9)) * **authz:** subject mapping plugin support for ABAC with actions ([#2223](#2223)) ([d08b939](d08b939)) * bulk keycloak provisioning ([#2205](#2205)) ([59e4485](59e4485)) * **core:** add otel to opentdf services ([#1858](#1858)) ([53a7aa0](53a7aa0)) * **core:** Adds EC withSalt options ([#2126](#2126)) ([67b6fb8](67b6fb8)) * **core:** enhance db configuration options ([#2285](#2285)) ([ed9ff59](ed9ff59)) * **core:** New Key Index and Manager Plugin SPI ([#2095](#2095)) ([eb446fc](eb446fc)) * **core:** support onConfigUpdate hook when registering services ([#1992](#1992)) ([366d4dc](366d4dc)) * **core:** v2 ERS with proto updates ([#2210](#2210)) ([a161ef8](a161ef8)) * **policy:** actions crud service endpoints and proto validation ([#2037](#2037)) ([e933fa9](e933fa9)) * **policy:** actions service RPCs should actually hit storage layer CRUD ([#2063](#2063)) ([da4faf5](da4faf5)) * **policy:** add enhanced standard/custom actions protos ([#2020](#2020)) ([bbac53f](bbac53f)) * **policy:** Add platform key indexer. ([#2189](#2189)) ([861ef8d](861ef8d)) * **policy:** consume lib/identifier parse function ([#2181](#2181)) ([1cef22b](1cef22b)) * **policy:** DSPX-1018 NDR retrieval by FQN support ([#2131](#2131)) ([0001041](0001041)) * **policy:** DSPX-1057 registered resource action attribute values (DB + Service implementation) ([#2191](#2191)) ([6bf1b2e](6bf1b2e)) * **policy:** DSPX-1057 registered resource action attribute values (protos only) ([#2217](#2217)) ([6375596](6375596)) * **policy:** DSPX-893 NDR define crud protos ([#2056](#2056)) ([55a5c27](55a5c27)) * **policy:** DSPX-898 NDR database schema ([#2055](#2055)) ([2a10a6a](2a10a6a)) * **policy:** DSPX-901 NDR database crud ([#2071](#2071)) ([20e0a5f](20e0a5f)) * **policy:** DSPX-902 NDR service crud implementation (2/2) ([#2066](#2066)) ([030ad33](030ad33)) * **policy:** DSPX-902 NDR service crud protos only (1/2) ([#2092](#2092)) ([24b6cb5](24b6cb5)) * **policy:** Finish resource mapping groups ([#2224](#2224)) ([5ff754e](5ff754e)) * **policy:** GetMatchedSubjectMappings should provide value FQN ([#2151](#2151)) ([ad80044](ad80044)) * **policy:** key management crud ([#2110](#2110)) ([4c3d53d](4c3d53d)) * **policy:** Key management proto ([#2115](#2115)) ([561f853](561f853)) * **policy:** Modify get request to search for keys by kasid with keyid. ([#2147](#2147)) ([780d2e4](780d2e4)) * **policy:** Restrict KAS deletion when tied to Key ([#2144](#2144)) ([4c4ab13](4c4ab13)) * **policy:** Return KAS Key structure ([#2172](#2172)) ([7f97b99](7f97b99)) * **policy:** rotate keys rpc ([#2180](#2180)) ([0d00743](0d00743)) * **policy:** stored enhanced actions database migration, CRUD queries, SM updates ([#2040](#2040)) ([e6b7c79](e6b7c79)) * **sdk:** Add a KAS allowlist ([#2085](#2085)) ([d7cfdf3](d7cfdf3)) * **sdk:** add nanotdf plaintext policy ([#2182](#2182)) ([e5c56db](e5c56db)) * **sdk:** Use ConnectRPC in the go client ([#2200](#2200)) ([fc34ee6](fc34ee6)) ### Bug Fixes * **core:** access pdp cleanup before actions in ABAC decisioning ([#2123](#2123)) ([9b38a3c](9b38a3c)) * **core:** Autobump service ([#2080](#2080)) ([006c724](006c724)) * **core:** Autobump service ([#2104](#2104)) ([1f72cc7](1f72cc7)) * **core:** Autobump service ([#2108](#2108)) ([be5b7d7](be5b7d7)) * **core:** bump to go 1.24 and bump service proto module dependencies ([#2064](#2064)) ([94891a0](94891a0)) * **core:** Fix DPoP with grpc-gateway ([#2044](#2044)) ([4483ef2](4483ef2)) * **core:** fix service go.mod ([#2141](#2141)) ([3b98f6d](3b98f6d)) * **core:** Improves errors when under heavy load ([#2132](#2132)) ([4490a14](4490a14)) * **core:** Let legacy KAOs use new trust plugins ([#2218](#2218)) ([5aa6916](5aa6916)) * **core:** migrate from mitchellh/mapstructure to go-viper/mapstructure ([#2087](#2087)) ([0a3a82e](0a3a82e)) * **core:** update viper to 1.20.1 ([#2088](#2088)) ([09099e9](09099e9)) * **core:** Updates vulnerable dep go/x/net ([#2072](#2072)) ([11c02cd](11c02cd)) * **deps:** bump github.com/creasty/defaults from 1.7.0 to 1.8.0 in /service ([#2242](#2242)) ([86a9b46](86a9b46)) * **deps:** bump github.com/jackc/pgx/v5 from 5.5.5 to 5.7.5 in /service ([#2249](#2249)) ([d8f3b67](d8f3b67)) * **deps:** bump the internal group across 1 directory with 2 updates ([#2296](#2296)) ([7f92c70](7f92c70)) * **deps:** bump toolchain in /lib/fixtures and /examples to resolve CVE GO-2025-3563 ([#2061](#2061)) ([9c16843](9c16843)) * handle empty private and public key ctx structs ([#2272](#2272)) ([f3fc647](f3fc647)) * **policy:** remove predefined rules in actions protos ([#2069](#2069)) ([060f059](060f059)) * **policy:** return kas uri on keys for definition, namespace and values ([#2186](#2186)) ([6c55fb8](6c55fb8)) * update key_mode to provide more context ([#2226](#2226)) ([44d0805](44d0805)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
github-merge-queue bot
pushed a commit
that referenced
this pull request
Aug 26, 2025
🤖 I have created a release *beep* *boop* --- ## [0.7.0](sdk/v0.6.1...sdk/v0.7.0) (2025-08-25) ### ⚠ BREAKING CHANGES * **core:** Require go 1.23+ ([#1979](#1979)) ### Features * add system metadata assertions to TDFConfig ([#2446](#2446)) ([4eb9fff](4eb9fff)) * **authz:** authz v2 versioning implementation ([#2173](#2173)) ([557fc21](557fc21)) * **core:** adds bulk rewrap to sdk and service ([#1835](#1835)) ([11698ae](11698ae)) * **core:** Adds EC withSalt options ([#2126](#2126)) ([67b6fb8](67b6fb8)) * **core:** Adds ErrInvalidPerSchema ([#1860](#1860)) ([456639e](456639e)) * **core:** DSPX-608 - Deprecate public_client_id ([#2185](#2185)) ([0f58efa](0f58efa)) * **core:** EXPERIMENTAL: EC-wrapped key support ([#1902](#1902)) ([652266f](652266f)) * **core:** Expose version info ([#1841](#1841)) ([92a9f5e](92a9f5e)) * **core:** Require go 1.23+ ([#1979](#1979)) ([164c922](164c922)) * **core:** v2 ERS with proto updates ([#2210](#2210)) ([a161ef8](a161ef8)) * **policy:** actions service RPCs should actually hit storage layer CRUD ([#2063](#2063)) ([da4faf5](da4faf5)) * **policy:** Add list key mappings rpc. ([#2533](#2533)) ([fbc2724](fbc2724)) * **policy:** adds new public keys table ([#1836](#1836)) ([cad5048](cad5048)) * **policy:** Allow the deletion of a key. ([#2575](#2575)) ([82b96f0](82b96f0)) * **policy:** Default Platform Keys ([#2254](#2254)) ([d7447fe](d7447fe)) * **policy:** DSPX-902 NDR service crud implementation (2/2) ([#2066](#2066)) ([030ad33](030ad33)) * **policy:** key management crud ([#2110](#2110)) ([4c3d53d](4c3d53d)) * **sdk:** Add a KAS allowlist ([#2085](#2085)) ([d7cfdf3](d7cfdf3)) * **sdk:** add nanotdf plaintext policy ([#2182](#2182)) ([e5c56db](e5c56db)) * **sdk:** adds seeker interface to TDF Reader ([#2385](#2385)) ([63ccd9a](63ccd9a)) * **sdk:** Allow key splits with same algo ([#2454](#2454)) ([7422b15](7422b15)) * **sdk:** Allow schema validation during TDF decrypt ([#1870](#1870)) ([b7e6fb2](b7e6fb2)) * **sdk:** autoconfig kaos with kids ([#2438](#2438)) ([c272016](c272016)) * **sdk:** bump protocol/go v0.6.0 ([#2536](#2536)) ([23e4c2b](23e4c2b)) * **sdk:** CreateTDF option to run with specific target schema version ([#2045](#2045)) ([0976b15](0976b15)) * **sdk:** Enable base key support. ([#2425](#2425)) ([9ff3806](9ff3806)) * **sdk:** Expose connectrpc wrapper codegen for re-use ([#2322](#2322)) ([8b29392](8b29392)) * **sdk:** MIC-1436: User can decrypt TDF files created with FileWatcher2.0.8 and older. ([#1833](#1833)) ([f77d110](f77d110)) * **sdk:** remove hex encoding for segment hash ([#1805](#1805)) ([d7179c2](d7179c2)) * **sdk:** sdk.New should validate platform connectivity and provide precise error ([#1937](#1937)) ([aa3696d](aa3696d)) * **sdk:** Use ConnectRPC in the go client ([#2200](#2200)) ([fc34ee6](fc34ee6)) ### Bug Fixes * Allow parsing IPs as hostnames ([#1999](#1999)) ([d54b550](d54b550)) * **ci:** Fix intermittent failures from auth tests ([#2345](#2345)) ([395988a](395988a)) * **ci:** Update expired ca and certs in oauth unit tests ([#2113](#2113)) ([5440fcc](5440fcc)) * **core:** Autobump sdk ([#1863](#1863)) ([855cb2b](855cb2b)) * **core:** Autobump sdk ([#1873](#1873)) ([085ac7a](085ac7a)) * **core:** Autobump sdk ([#1894](#1894)) ([201244e](201244e)) * **core:** Autobump sdk ([#1917](#1917)) ([edeeb74](edeeb74)) * **core:** Autobump sdk ([#1941](#1941)) ([0a5a948](0a5a948)) * **core:** Autobump sdk ([#1948](#1948)) ([4dfb457](4dfb457)) * **core:** Autobump sdk ([#1968](#1968)) ([7084061](7084061)) * **core:** Autobump sdk ([#1972](#1972)) ([7258f5d](7258f5d)) * **core:** Autobump sdk ([#2102](#2102)) ([0315635](0315635)) * **core:** Fixes protoJSON parse bug on ec rewrap ([#1943](#1943)) ([9bebfd0](9bebfd0)) * **core:** Improves errors when under heavy load ([#2132](#2132)) ([4490a14](4490a14)) * **core:** Update fixtures and flattening in sdk and service ([#1827](#1827)) ([d6d6a7a](d6d6a7a)) * **core:** Updates ec-wrapped to newer salt ([#1961](#1961)) ([0e17968](0e17968)) * **deps:** bump github.com/docker/docker from 28.2.2+incompatible to 28.3.3+incompatible in /sdk ([#2597](#2597)) ([a68d00d](a68d00d)) * **deps:** bump github.com/opentdf/platform/lib/ocrypto from 0.2.0 to 0.3.0 in /sdk ([#2502](#2502)) ([3ec8b35](3ec8b35)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.3.6 to 0.4.0 in /sdk ([#2397](#2397)) ([99e3aa4](99e3aa4)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.4.0 to 0.5.0 in /sdk ([#2471](#2471)) ([e8f97e0](e8f97e0)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.5.0 to 0.5.1 in /sdk ([#2505](#2505)) ([4edab72](4edab72)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.6.0 to 0.6.2 in /sdk ([#2586](#2586)) ([4ed9856](4ed9856)) * **deps:** bump github.com/opentdf/platform/protocol/go from 0.6.2 to 0.7.0 in /sdk ([#2627](#2627)) ([e775e14](e775e14)) * **deps:** bump golang.org/x/oauth2 from 0.26.0 to 0.30.0 in /sdk ([#2252](#2252)) ([9b775a2](9b775a2)) * **deps:** bump google.golang.org/grpc from 1.71.0 to 1.72.1 in /sdk ([#2244](#2244)) ([49484e0](49484e0)) * **deps:** bump the external group across 1 directory with 5 updates ([#2400](#2400)) ([0b7ea79](0b7ea79)) * **deps:** bump toolchain in /lib/fixtures and /examples to resolve CVE GO-2025-3563 ([#2061](#2061)) ([9c16843](9c16843)) * Improve http.Client usage for security and performance ([#1910](#1910)) ([e6a53a3](e6a53a3)) * **sdk:** adds connection options to getPlatformConfiguration ([#2286](#2286)) ([a3af31e](a3af31e)) * **sdk:** Allow reuse of session key ([#2016](#2016)) ([d48c11e](d48c11e)) * **sdk:** bump lib/ocrypto to 0.1.8 ([#1938](#1938)) ([53fa8ab](53fa8ab)) * **sdk:** bump protocol/go module dependencies ([#2078](#2078)) ([e027f43](e027f43)) * **sdk:** Display proper error on kas rewrap failure ([#2081](#2081)) ([508cbcd](508cbcd)) * **sdk:** everything is `mixedSplits` now ([#1861](#1861)) ([ba78f14](ba78f14)) * **sdk:** Fix compatibility between bulk and non-bulk rewrap ([#1914](#1914)) ([74abbb6](74abbb6)) * **sdk:** Fixed token expiration time ([#1854](#1854)) ([c3cda1b](c3cda1b)) * **sdk:** perfsprint lint issues ([#2208](#2208)) ([d36a078](d36a078)) * **sdk:** Prefer KID and Algorithm selection from key maps ([#2475](#2475)) ([98fd392](98fd392)) * **sdk:** Removes unnecessary down-cast of `int` ([#1869](#1869)) ([66f0c14](66f0c14)) * **sdk:** Version config fix ([#1847](#1847)) ([be5d817](be5d817)) * Service utilize `httputil.SafeHttpClient` ([#1926](#1926)) ([af32700](af32700)) * set consistent system metadata id and schema ([#2451](#2451)) ([5db3cf2](5db3cf2)) --- This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please). Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Proposed Changes
scheme://host:portand adds that to a set, if no scheme provided, will default to httpsOther additions to support the above:
Things to note:
Checklist
Testing Instructions