Documentation
¶
Index ¶
- Constants
- func NewCertExchangeTokenSource(info oauth.CertExchangeInfo, credentials oauth.ClientCredentials, ...) (auth.AccessTokenSource, error)
- type Assertion
- type CertExchangeTokenSource
- type EncryptedMetadata
- type EncryptionInformation
- type Error
- type IDPAccessTokenSource
- type IDPTokenExchangeTokenSource
- type IntegrityAlgorithm
- type IntegrityInformation
- type KASClient
- type KASInfo
- type KeyAccess
- type Manifest
- type Method
- type NanoTdf
- type Option
- func WithClientCredentials(clientID, clientSecret string, scopes []string) Option
- func WithCustomAuthorizationConnection(conn *grpc.ClientConn) Option
- func WithCustomEntityResolutionConnection(conn *grpc.ClientConn) Option
- func WithCustomPolicyConnection(conn *grpc.ClientConn) Option
- func WithExtraDialOptions(dialOptions ...grpc.DialOption) Option
- func WithInsecurePlaintextConn() Option
- func WithInsecureSkipVerifyConn() Option
- func WithTLSCredentials(tls *tls.Config, audience []string) Option
- func WithTokenEndpoint(tokenEndpoint string) Option
- func WithTokenExchange(subjectToken string, audience []string) Option
- type Payload
- type PolicyBody
- type PolicyObject
- type Reader
- func (r *Reader) DataAttributes() ([]string, error)
- func (r *Reader) Manifest() Manifest
- func (r *Reader) Policy() (PolicyObject, error)
- func (r *Reader) Read(p []byte) (int, error)
- func (r *Reader) ReadAt(buf []byte, offset int64) (int, error)
- func (r *Reader) UnencryptedMetadata() ([]byte, error)
- func (r *Reader) WriteTo(writer io.Writer) (int64, error)
- type RequestBody
- type RootSignature
- type SDK
- type Segment
- type TDFConfig
- type TDFFormat
- type TDFObject
- type TDFOption
Constants ¶
// Error-typed constants with fixed messages for dial and shutdown failures.
const (
	ErrGrpcDialFailed = Error("failed to dial grpc endpoint")
	ErrShutdownFailed = Error("failed to shutdown sdk")
)

// JSONFormat (0) and XMLFormat (1) are untyped integer constants.
// NOTE(review): presumably TDFFormat values; confirm against the TDFFormat declaration.
const (
	JSONFormat = iota
	XMLFormat
)

// HS256 (0) and GMAC (1) are untyped integer constants.
// NOTE(review): presumably IntegrityAlgorithm values (that type is an alias of int); confirm.
const (
	HS256 = iota
	GMAC
)

// ErrNanoTdfRead is an Error-typed constant carrying the message "nanotdf read error".
const (
	ErrNanoTdfRead = Error("nanotdf read error")
)
Variables ¶
This section is empty.
Functions ¶
func NewCertExchangeTokenSource ¶ added in v0.2.1
func NewCertExchangeTokenSource(info oauth.CertExchangeInfo, credentials oauth.ClientCredentials, idpTokenEndpoint string) (auth.AccessTokenSource, error)
Types ¶
type CertExchangeTokenSource ¶ added in v0.2.1
type CertExchangeTokenSource struct { auth.AccessTokenSource IdpEndpoint string // contains filtered or unexported fields }
func (*CertExchangeTokenSource) AccessToken ¶ added in v0.2.1
func (c *CertExchangeTokenSource) AccessToken(ctx context.Context, client *http.Client) (auth.AccessToken, error)
type EncryptedMetadata ¶
type EncryptionInformation ¶
// EncryptionInformation is the manifest section serialised under the JSON key
// "encryptionInformation" (see Manifest).
type EncryptionInformation struct {
	// KeyAccessType is serialised as "type".
	KeyAccessType string `json:"type"`
	// Policy is carried as a string under "policy".
	// NOTE(review): presumably an encoded policy object; confirm the encoding.
	Policy string `json:"policy"`
	// KeyAccessObjs is the list of key access entries, serialised as "keyAccess".
	KeyAccessObjs []KeyAccess `json:"keyAccess"`
	// Method is serialised as "method".
	Method Method `json:"method"`
	// IntegrityInformation is embedded and serialised as "integrityInformation".
	IntegrityInformation `json:"integrityInformation"`
}
type IDPAccessTokenSource ¶
type IDPAccessTokenSource struct {
// contains filtered or unexported fields
}
IDPAccessTokenSource holds the credentials that allow us to connect to an IDP and obtain an access token that is bound to a DPoP key.
func NewIDPAccessTokenSource ¶
func NewIDPAccessTokenSource( credentials oauth.ClientCredentials, idpTokenEndpoint string, scopes []string) (*IDPAccessTokenSource, error)
func (*IDPAccessTokenSource) AccessToken ¶
func (t *IDPAccessTokenSource) AccessToken(ctx context.Context, client *http.Client) (auth.AccessToken, error)
AccessToken uses a pointer receiver so that the token state is shared.
type IDPTokenExchangeTokenSource ¶
type IDPTokenExchangeTokenSource struct { IDPAccessTokenSource oauth.TokenExchangeInfo }
func NewIDPTokenExchangeTokenSource ¶
func NewIDPTokenExchangeTokenSource(exchangeInfo oauth.TokenExchangeInfo, credentials oauth.ClientCredentials, idpTokenEndpoint string, scopes []string) (*IDPTokenExchangeTokenSource, error)
func (*IDPTokenExchangeTokenSource) AccessToken ¶
func (i *IDPTokenExchangeTokenSource) AccessToken(ctx context.Context, client *http.Client) (auth.AccessToken, error)
type IntegrityAlgorithm ¶
type IntegrityAlgorithm = int
type IntegrityInformation ¶
// IntegrityInformation is embedded in EncryptionInformation and serialised
// under the JSON key "integrityInformation".
type IntegrityInformation struct {
	// RootSignature is embedded and serialised as "rootSignature".
	RootSignature `json:"rootSignature"`
	// SegmentHashAlgorithm names the segment hash algorithm as a string ("segmentHashAlg").
	// NOTE(review): presumably corresponds to the HS256/GMAC constants; confirm the mapping.
	SegmentHashAlgorithm string `json:"segmentHashAlg"`
	// DefaultSegmentSize is serialised as "segmentSizeDefault".
	DefaultSegmentSize int64 `json:"segmentSizeDefault"`
	// DefaultEncryptedSegSize is serialised as "encryptedSegmentSizeDefault".
	DefaultEncryptedSegSize int64 `json:"encryptedSegmentSizeDefault"`
	// Segments is the per-segment list, serialised as "segments".
	Segments []Segment `json:"segments"`
}
type KASInfo ¶
// KASInfo contains Key Access Server information.
type KASInfo struct {
	// URL of the KAS server.
	URL string
	// Public key can be empty. If it is empty, the public key will be fetched from the KAS server.
	// NOTE(review): a fetched key is presumably only as trustworthy as the connection to
	// that URL; confirm how the fetch is authenticated, and supply the key explicitly
	// where it can be obtained out of band.
	PublicKey string
}
KASInfo contains Key Access Server information.
type Manifest ¶
// Manifest embeds the two top-level manifest sections and maps each to its JSON key.
type Manifest struct {
	// EncryptionInformation is serialised as "encryptionInformation".
	EncryptionInformation `json:"encryptionInformation"`
	// Payload is serialised as "payload".
	Payload `json:"payload"`
}
type NanoTdf ¶ added in v0.2.1
type NanoTdf struct { EphemeralPublicKey *eccKey // contains filtered or unexported fields }
type Option ¶
type Option func(*config)
func WithClientCredentials ¶
WithClientCredentials returns an Option that sets up authentication with client credentials.
func WithCustomAuthorizationConnection ¶
func WithCustomAuthorizationConnection(conn *grpc.ClientConn) Option
func WithCustomEntityResolutionConnection ¶ added in v0.2.3
func WithCustomEntityResolutionConnection(conn *grpc.ClientConn) Option
func WithCustomPolicyConnection ¶
func WithCustomPolicyConnection(conn *grpc.ClientConn) Option
func WithExtraDialOptions ¶
func WithExtraDialOptions(dialOptions ...grpc.DialOption) Option
func WithInsecurePlaintextConn ¶ added in v0.2.1
func WithInsecurePlaintextConn() Option
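WithInsecurePlaintextConn returns an Option that sets up an HTTP connection whose traffic is sent in the clear. Nothing sent over such a connection is protected against reading or modification on the network path, so it is suited to local development and testing rather than production use.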
func WithInsecureSkipVerifyConn ¶ added in v0.2.1
func WithInsecureSkipVerifyConn() Option
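WithInsecureSkipVerifyConn returns an Option that sets up an HTTPS connection without verification. The name follows crypto/tls's InsecureSkipVerify, which disables checking of the server's certificate chain and host name: the traffic is still encrypted, but the peer is not authenticated, so the connection does not protect against an active man-in-the-middle.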
func WithTLSCredentials ¶ added in v0.2.1
func WithTokenEndpoint ¶
WithTokenEndpoint: when we implement service discovery using a .well-known endpoint, this option may become deprecated.
func WithTokenExchange ¶
WithTokenExchange specifies that the SDK should obtain its access token by exchanging the given token for a new one
type PolicyBody ¶
type PolicyBody interface {
// contains filtered or unexported methods
}
type PolicyObject ¶
type Reader ¶
type Reader struct {
// contains filtered or unexported fields
}
func (*Reader) DataAttributes ¶
DataAttributes returns the data attributes present in the TDF.
func (*Reader) Policy ¶
func (r *Reader) Policy() (PolicyObject, error)
Policy returns a copy of the policy object in manifest, if it is valid. Otherwise, returns an error.
func (*Reader) Read ¶
Read reads up to len(p) bytes into p. It returns the number of bytes read (0 <= n <= len(p)) and any error encountered. It returns an io.EOF error when the stream ends.
func (*Reader) ReadAt ¶
ReadAt reads len(buf) bytes into buf, starting at the given offset in the underlying input source. It returns the number of bytes read (0 <= n <= len(buf)) and any error encountered. It returns an io.EOF error when the stream ends. NOTE: For larger TDF sizes, use sdk.GetTDFPayload for better performance.
func (*Reader) UnencryptedMetadata ¶
UnencryptedMetadata returns the decrypted metadata from the manifest.
type RequestBody ¶
type RootSignature ¶
type SDK ¶
// SDK groups the service clients exposed by this package, one exported field per service.
type SDK struct {
	Namespaces              namespaces.NamespaceServiceClient
	Attributes              attributes.AttributesServiceClient
	ResourceMapping         resourcemapping.ResourceMappingServiceClient
	SubjectMapping          subjectmapping.SubjectMappingServiceClient
	KeyAccessServerRegistry kasregistry.KeyAccessServerRegistryServiceClient
	Authorization           authorization.AuthorizationServiceClient
	// NOTE(review): the exported field name is spelled "EntityResoution" (no "l"),
	// unlike the entityresolution package it refers to; callers must use this spelling.
	EntityResoution entityresolution.EntityResolutionServiceClient
	// contains filtered or unexported fields
}
type TDFConfig ¶
type TDFConfig struct {
// contains filtered or unexported fields
}
TDFConfig is the internal config struct for building TDF options.
func NewTDFConfig ¶
NewTDFConfig creates a new instance of the TDF config.
type TDFOption ¶
func WithDataAttributes ¶
WithDataAttributes appends the given data attributes to the bound policy
func WithKasInformation ¶
WithKasInformation adds all the KAS URLs and their corresponding public keys that are required to create and read the TDF.
func WithMetaData ¶
WithMetaData returns an Option that adds metadata to the TDF.
func WithMimeType ¶ added in v0.2.3
func WithSegmentSize ¶
WithSegmentSize returns an Option that sets the default segment size of the TDF.