fix(sdk): add a test that has assertion statement values as objects (#…

…245) Filewatcher sets assertion values as JSON objects like ``` "statement": { "format": "string", "value": { "context": { "@base": "urn:nato:stanag:5636:A:1:elements:json" }, "ocl": { "catl": [ { "name": "Releasable To", "type": "P", "vals": [ "usa" ] } ], "pol": "2ccf11cb-6c9a-4e49-9746-a7f0a295945d", "cls": "SECRET", "dcr": "2024-12-17T13:00:52Z" } } ``` this adds a test that makes sure that all SDKs can properly deserialize such manifests when they have assertion verification disabled. In order to make this work we needed to pass through an option that disables assertion verification. Requires opentdf/platform#1833 and opentdf/java-sdk#219 to be merged before it will pass successful run against SDK branches: https://github.com/opentdf/tests/actions/runs/12992325319/job/36231902231
opentdf · Jan 29, 2025 · f3c156e · f3c156e
1 parent 2e5f213
commit f3c156e
Show file tree

Hide file tree

Showing 6 changed files with 34 additions and 9 deletions.
diff --git a/xtest/golden/with-json-object-assertions-java.tdf b/xtest/golden/with-json-object-assertions-java.tdf
diff --git a/xtest/sdk/go/cli.sh b/xtest/sdk/go/cli.sh
@@ -78,6 +78,9 @@ elif [ "$1" == "decrypt" ]; then
   if [ -n "$8" ]; then
     args+=(--with-assertion-verification-keys "$8")
   fi
+  if [ "$VERIFY_ASSERTIONS" == 'false' ]; then
+    args+=(--no-verify-assertions)
+  fi
   echo "${cmd[@]}" decrypt "${args[@]}" "$2"
   "${cmd[@]}" decrypt "${args[@]}" "$2"
 else

diff --git a/xtest/sdk/java/cli.sh b/xtest/sdk/java/cli.sh
@@ -77,5 +77,9 @@ if [ -n "$8" ]; then
   args+=(--with-assertion-verification-keys "$8")
 fi
 
+if [ "$VERIFY_ASSERTIONS" == 'false' ]; then
+  args+=(--with-assertion-verification-disabled)
+fi
+
 echo java -jar "$SCRIPT_DIR"/cmdline.jar "${args[@]}" -f "$2" ">" "$3"
 java -jar "$SCRIPT_DIR"/cmdline.jar "${args[@]}" -f "$2" >"$3"
diff --git a/xtest/sdk/js/cli/cli.sh b/xtest/sdk/js/cli/cli.sh
@@ -82,6 +82,9 @@ if [ "$1" == "encrypt" ]; then
 
   npx $CTL encrypt "$2" "${args[@]}"
 elif [ "$1" == "decrypt" ]; then
+  if [ "$VERIFY_ASSERTIONS" == 'false' ]; then
+    args+=(--noVerifyAssertions)
+  fi
   npx $CTL decrypt "$2" "${args[@]}"
 else
   echo "Incorrect argument provided"

diff --git a/xtest/tdfs.py b/xtest/tdfs.py
@@ -249,6 +249,7 @@ def decrypt(
     rt_file: str,
     fmt: format_type = "nano",
     assert_keys: str = "",
+    verify_assertions: bool = True,
 ):
     c = [
         sdk_paths[sdk],
@@ -265,8 +266,11 @@ def decrypt(
             "",
             assert_keys,
         ]
+    env = dict(os.environ)
+    if not verify_assertions:
+        env |= {"VERIFY_ASSERTIONS": "false"}
     logger.info(f"dec [{' '.join(c)}]")
-    subprocess.check_output(c, stderr=subprocess.STDOUT)
+    subprocess.check_output(c, stderr=subprocess.STDOUT, env=env)
 
 
 def supports(sdk: sdk_type, feature: feature_type) -> bool:

diff --git a/xtest/test_legacy.py b/xtest/test_legacy.py
@@ -26,31 +26,42 @@ def test_decrypt_small(
             assert b == expected_bytes
 
 
-def test_decrypt_no_splitid(
+def test_decrypt_big(
     decrypt_sdk: tdfs.sdk_type,
     tmp_dir,
 ):
-    ct_file = get_golden_file("no-splitids-java.tdf")
-    rt_file = os.path.join(tmp_dir, "no-splitids-java.untdf")
+    ct_file = get_golden_file("big-java-4.3.0-e0f8caf.tdf")
+    rt_file = os.path.join(tmp_dir, "big-java.untdf")
     tdfs.decrypt(decrypt_sdk, ct_file, rt_file, fmt="ztdf")
     file_stats = os.stat(rt_file)
-    assert file_stats.st_size == 5 * 2**10
+    assert file_stats.st_size == 10 * 2**20
     expected_bytes = bytes([0] * 1024)
     with open(rt_file, "rb") as f:
         while b := f.read(1024):
             assert b == expected_bytes
 
 
-def test_decrypt_big(
+def test_decrypt_no_splitid(
     decrypt_sdk: tdfs.sdk_type,
     tmp_dir,
 ):
-    ct_file = get_golden_file("big-java-4.3.0-e0f8caf.tdf")
-    rt_file = os.path.join(tmp_dir, "big-java.untdf")
+    ct_file = get_golden_file("no-splitids-java.tdf")
+    rt_file = os.path.join(tmp_dir, "no-splitids-java.untdf")
     tdfs.decrypt(decrypt_sdk, ct_file, rt_file, fmt="ztdf")
     file_stats = os.stat(rt_file)
-    assert file_stats.st_size == 10 * 2**20
+    assert file_stats.st_size == 5 * 2**10
     expected_bytes = bytes([0] * 1024)
     with open(rt_file, "rb") as f:
         while b := f.read(1024):
             assert b == expected_bytes
+
+
+def test_decrypt_object_statement_value_json(
+    decrypt_sdk: tdfs.sdk_type,
+    tmp_dir,
+):
+    ct_file = get_golden_file("with-json-object-assertions-java.tdf")
+    rt_file = os.path.join(tmp_dir, "with-json-object-assertions-java.untdf")
+    tdfs.decrypt(decrypt_sdk, ct_file, rt_file, fmt="ztdf", verify_assertions=False)
+    with open(rt_file, "rb") as f:
+        assert f.read().decode("utf-8") == "text"