chore(ci): WIP attributes and multikas tests

.github/workflows/roundtrip/config-demo-idp.sh

@@ -1,4 +1,5 @@
 #!/usr/bin/env bash
+SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
 
 set -x
 
@@ -44,3 +45,6 @@ kcadm.sh create clients -r opentdf \
 
 kcadm.sh create users -r opentdf -s username=user1 -s enabled=true -s firstName=Alice -s lastName=User
 kcadm.sh set-password -r opentdf --username user1 --new-password testuser123
+
+OTDFCTL=$(${SCRIPT_DIR}/otdfctl.sh)
+

.github/workflows/roundtrip/otdfctl.sh

@@ -0,0 +1,24 @@
+#!/usr/bin/env bash
+# shellcheck disable=SC2206,SC1091
+
+# Wrapper for go otdfctl to quickly switch between local and released versions.
+#
+# Usage: ./otdfctl.sh [otdfctl options]
+#
+SCRIPT_DIR=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" &>/dev/null && pwd)
+PROJECT_ROOT=$(cd -- "$SCRIPT_DIR/../../.." &>/dev/null && pwd)
+
+# shellcheck source=../../test.env
+source "$SCRIPT_DIR"/test.env
+
+cmd=("$SCRIPT_DIR"/otdfctl)
+if [ ! -f "$SCRIPT_DIR"/otdfctl ]; then
+  cmd=(go run github.com/opentdf/otdfctl@${OTDFCTL_REF-latest})
+fi
+
+cmd+=(--json)
+cmd+=(--host="$PLATFORMURL" --tls-no-verify --log-level=debug)
+cmd+=(--with-client-creds='{"clientId":"'$CLIENTID'","clientSecret":"'$CLIENTSECRET'"}')
+
+>&2 echo "${cmd[@]}" "$@"
+"${cmd[@]}" "$@"

.github/workflows/roundtrip/test.env

@@ -0,0 +1,9 @@
+CLIENTID=opentdf
+CLIENTSECRET=secret
+KCHOST=http://localhost:65432
+REALM=opentdf
+KCFULLURL=$KCHOST/auth/realms/$REALM
+TOKENENDPOINT=$KCFULLURL/protocol/openid-connect/token
+PLATFORMENDPOINT=localhost:65432
+PLATFORMURL=http://$PLATFORMENDPOINT
+KASURL=http://$PLATFORMENDPOINT/kas

cli/src/cli.ts

@@ -245,13 +245,13 @@ export const handleArgs = (args: string[]) => {
       })
       .option('noVerifyAssertions', {
         alias: 'no-verify-assertions',
-        group: 'Decrypt',
+        group: 'Decrypt: ',
         desc: 'Do not verify assertions',
         type: 'boolean',
       })
       .option('concurrencyLimit', {
         alias: 'concurrency-limit',
-        group: 'Decrypt',
+        group: 'Decrypt: ',
         desc: 'Enable concurrent key split and share lookups',
         type: 'number',
       })

web-app/src/App.tsx

@@ -2,7 +2,14 @@ import { clsx } from 'clsx';
 import { useState, useEffect, type ChangeEvent } from 'react';
 import { showSaveFilePicker } from 'native-file-system-adapter';
 import './App.css';
-import { type Chunker, type DecryptSource, NanoTDFClient, TDF3Client } from '@opentdf/sdk';
+import {
+  type Chunker,
+  type DecryptSource,
+  type SplitStep,
+  EncryptParams,
+  NanoTDFClient,
+  TDF3Client,
+} from '@opentdf/sdk';
 import { type SessionInformation, OidcClient } from './session.js';
 import { c } from './config.js';
 
@@ -204,10 +211,13 @@ function humanReadableDurationEstimate(ms: number) {
 
 function App() {
   const [authState, setAuthState] = useState<SessionInformation>({ sessionState: 'start' });
+  const [autoconfigure, setAutoconfigure] = useState<boolean>(true);
   const [decryptContainerType, setDecryptContainerType] = useState<Containers>('tdf');
   const [downloadState, setDownloadState] = useState<string | undefined>();
   const [encryptContainerType, setEncryptContainerType] = useState<Containers>('tdf');
   const [inputSource, setInputSource] = useState<InputSource | undefined>();
+  const [rawAttributeList, setRawAttributeList] = useState<string>('');
+  const [rawSplitPlan, setSplitPlan] = useState<string>('');
   const [sinkType, setSinkType] = useState<SinkType>('file');
   const [streamController, setStreamController] = useState<CurrentDataController>();
 
@@ -330,6 +340,11 @@ function App() {
     }
     const inputFileName = fileNameFor(inputSource);
     console.log(`Encrypting [${inputFileName}] as ${encryptContainerType} to ${sinkType}`);
+    let attributeList: URL[] = [];
+    if (rawAttributeList?.trim()) {
+      // split rawAttributeList by whitespace
+      attributeList = rawAttributeList.split(/\s+/).map((url) => new URL(url));
+    }
     switch (encryptContainerType) {
       case 'nano': {
         if ('url' in inputSource) {
@@ -344,6 +359,9 @@ function App() {
           kasEndpoint: c.kas,
           dpopKeys: oidcClient.getSigningKey(),
         });
+        if (attributeList.length) {
+          nanoClient.dataAttributes = attributeList.map((url) => url.toString());
+        }
         setDownloadState('Encrypting...');
         switch (sinkType) {
           case 'file':
@@ -417,10 +435,22 @@ function App() {
             f = await getNewFileHandle('html', downloadName);
           }
           const progressTransformers = makeProgressPair(size, 'Encrypt');
+          const splitPlan: SplitStep[] = autoconfigure ? undefined : JSON.parse(rawSplitPlan);
+          console.log('Split Plan', splitPlan);
+
+          let scope: EncryptParams['scope'];
+          if (attributeList.length) {
+            scope = {
+              attributes: attributeList.map((url) => url.toString()),
+            };
+          }
+
           const cipherText = await client.encrypt({
             source: source.pipeThrough(progressTransformers.reader),
             offline: true,
             asHtml: true,
+            scope,
+            splitPlan,
           });
           cipherText.stream = cipherText.stream.pipeThrough(progressTransformers.writer);
           switch (sinkType) {
@@ -451,6 +481,12 @@ function App() {
           dpopKeys: oidcClient.getSigningKey(),
           kasEndpoint: c.kas,
         });
+        let scope: EncryptParams['scope'];
+        if (attributeList.length) {
+          scope = {
+            attributes: attributeList.map((url) => url.toString()),
+          };
+        }
         const sc = new AbortController();
         setStreamController(sc);
         let source: ReadableStream<Uint8Array>, size: number;
@@ -486,9 +522,13 @@ function App() {
             f = await getNewFileHandle('tdf', downloadName);
           }
           const progressTransformers = makeProgressPair(size, 'Encrypt');
+          const splitPlan: SplitStep[] = autoconfigure ? undefined : JSON.parse(rawSplitPlan);
+          console.log('Split Plan', splitPlan);
           const cipherText = await client.encrypt({
             source: source.pipeThrough(progressTransformers.reader),
             offline: true,
+            scope,
+            splitPlan,
           });
           cipherText.stream = cipherText.stream.pipeThrough(progressTransformers.writer);
           switch (sinkType) {
@@ -779,7 +819,8 @@ function App() {
             <form className="column">
               <h2>Encrypt</h2>
               <div className="card horizontal-flow">
-                <div>
+                <fieldset className="Output">
+                  <legend>Container</legend>
                   <input
                     type="radio"
                     id="htmlEncrypt"
@@ -809,7 +850,37 @@ function App() {
                     checked={encryptContainerType === 'nano'}
                   />{' '}
                   <label htmlFor="nanoEncrypt">nano</label>
-                </div>
+                </fieldset>
+                <fieldset className="Output">
+                  <legend>🏷️ Attributes</legend>
+                  <textarea
+                    id="attributeList"
+                    name="attributeList"
+                    placeholder={`https://kas/attr/a/value/1\nhttps://kas/attr/b/value/1`}
+                    onChange={(e) => setRawAttributeList(e.target.value)}
+                  />
+                </fieldset>
+                <fieldset className="Output">
+                  <legend>🔐 KAO generation</legend>
+                  <input
+                    type="checkbox"
+                    id="autoconfigure"
+                    name="autoconfigure"
+                    value={autoconfigure}
+                    checked={autoconfigure}
+                    onChange={(e) => setAutoconfigure(e.target.checked)}
+                    disabled={encryptContainerType == 'nano'}
+                  />
+                  <label htmlFor="autoconfigure">Autoconfigure</label>
+                  <br />
+                  <textarea
+                    id="splitPlan"
+                    name="splitPlan"
+                    placeholder={JSON.stringify([{ sid: 'a', kas: c.kas }])}
+                    disabled={autoconfigure || encryptContainerType == 'nano'}
+                    onChange={(e) => setSplitPlan(e.target.value)}
+                  />
+                </fieldset>
                 <button id="encryptButton" onClick={() => handleEncrypt()} type="button">
                   Encrypt
                 </button>
@@ -818,7 +889,8 @@ function App() {
             <form className="column">
               <h2>Decrypt</h2>
               <div className="card horizontal-flow">
-                <div>
+                <fieldset className="Output">
+                  <legend>Container</legend>
                   <input
                     type="radio"
                     id="tdfDecrypt"
@@ -838,7 +910,7 @@ function App() {
                     checked={decryptContainerType === 'nano'}
                   />{' '}
                   <label htmlFor="nanoDecrypt">nano</label>
-                </div>
+                </fieldset>
                 <button id="decryptButton" onClick={() => handleDecrypt()} type="button">
                   decrypt
                 </button>

web-app/src/session.ts

@@ -73,6 +73,10 @@ export type SessionInformation = {
   user?: User;
 };
 
+export function prettyUserDetails(user: User): string {
+  return `User ${user.userId} expires at ${new Date(user.expiresAt).toISOString()}`;
+}
+
 type AuthRequestState = SessionInformation & {
   redirectUri: string;
   /** Random state parameter. Unique per redirect request; can identify them. Proves the redirect is for the correct request. */