fix(sdk): Additional comments and cleanup of Rewrap V2 code (#780)

elizabethhealy · pflynn-virtru · jakedoublev · web-flow · commit bb299623d825 · 2025-10-29T11:13:53.000-04:00
* feat(sdk): Move to rewrap v2 request/response format (#774) * feat: Certificates & Obligations (#755) * - Pin `@bufbuild/buf` and `@bufbuild/protoc-gen-es` dependencies to specific versions. - Update copyright notices in `http_pb.ts` and `validate_pb.ts`. * - Pin `@bufbuild/buf` and `@bufbuild/protoc-gen-es` dependencies to specific versions. - Update copyright notices in `http_pb.ts` and `validate_pb.ts`. * Add `obligations` and `rootCerts` attributes to test fixtures and mock data. Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * feat: upgrade tdf clients to rewrap v2 proto structure Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * updates to match go behavior Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * feat: Get Namespace (#756) * - Pin `@bufbuild/buf` and `@bufbuild/protoc-gen-es` dependencies to specific versions. - Update copyright notices in `http_pb.ts` and `validate_pb.ts`. * - Pin `@bufbuild/buf` and `@bufbuild/protoc-gen-es` dependencies to specific versions. - Update copyright notices in `http_pb.ts` and `validate_pb.ts`. * Add `obligations` and `rootCerts` attributes to test fixtures and mock data. * Add `getRootCertsFromNamespace` function and include headers initialization in `authProvider` * Add input validation for `getRootCertsFromNamespace` and basic unit tests Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * feat(sdk): initial obligations support in rewrap flow (#748) * feat(core): initial obligations support in rewrap flow * 🤖 🎨 Autoformat Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * wip Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * more wip * rm unused import * 🤖 🎨 Autoformat Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * lint fix Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * tests Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * 🤖 🎨 Autoformat Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * move file * tdf3 client * cleanup * obligations method on opentdf reader classes * requiredObligations on DecoratedReadableStream in tdf3 * wip: fetch decision if obligations haven't been set on reader * wip * 🤖 🎨 Autoformat Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * bugfix in case of no data attributes leading to no obligations Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * working state Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * fix Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * 🤖 🎨 Autoformat Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * fix comments * rm example web app hardcoded attributes and obligations * unit tests for getRequiredObligations * improve nullish operators * cleanup * 🤖 🎨 Autoformat Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * improvements * fix * 🤖 🎨 Autoformat Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * improve log * put back package.json changes * pr feedback Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * 🤖 🎨 Autoformat Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> * rm rewrap header for obligations over legacy http for older platforms --------- Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * chore: release sdk 0.5.0 (#658) * chore(main): release sdk 0.5.0 * Update dependencies --------- Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com> Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * feat(ci): Add a workflow to update the generated code for new protocol/go versions (#767) * add a workflow to update the pbs * trigger on PR * correct platform location * add gh token to env * remove extra file after use * detect changes on regen * test with latest version * remove, test changes * test for signed commits * try with api * push the new branch * use a shorter file name in the message * fix for non existing files * run slightly after midnight to avoid queues Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * 🤖 🎨 Autoformat Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * handle rewrap response Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * formatting Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * passing unit tests Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * format Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * chore(docs): bump playwright and @playwright/test in /web-app/tests (#763) Bumps [playwright](https://github.com/microsoft/playwright) to 1.56.1 and updates ancestor dependency [@playwright/test](https://github.com/microsoft/playwright). These dependencies need to be updated together. Updates `playwright` from 1.50.1 to 1.56.1 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.50.1...v1.56.1) Updates `@playwright/test` from 1.50.1 to 1.56.1 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.50.1...v1.56.1) --- updated-dependencies: - dependency-name: playwright dependency-version: 1.56.1 dependency-type: indirect - dependency-name: "@playwright/test" dependency-version: 1.56.1 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * chore(docs): bump vite from 6.3.6 to 6.4.1 in /web-app (#764) Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.3.6 to 6.4.1. - [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/create-vite@6.4.1/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 6.4.1 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * v1 backwards compatability Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * error handling Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * cleanup Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * chore(docs): bump playwright and @playwright/test in /web-app (#775) Bumps [playwright](https://github.com/microsoft/playwright) and [@playwright/test](https://github.com/microsoft/playwright). These dependencies needed to be updated together. Updates `playwright` from 1.50.1 to 1.56.1 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.50.1...v1.56.1) Updates `@playwright/test` from 1.50.1 to 1.56.1 - [Release notes](https://github.com/microsoft/playwright/releases) - [Commits](microsoft/playwright@v1.50.1...v1.56.1) --- updated-dependencies: - dependency-name: playwright dependency-version: 1.56.1 dependency-type: direct:development - dependency-name: "@playwright/test" dependency-version: 1.56.1 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * suggestions --------- Signed-off-by: Elizabeth Healy <ehealy@virtru.com> Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Paul Flynn <43211074+pflynn-virtru@users.noreply.github.com> Co-authored-by: jakedoublev <jake.vanvorhis@virtru.com> Co-authored-by: Jake Van Vorhis <83739412+jakedoublev@users.noreply.github.com> Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * additional comments and cleanup Signed-off-by: Elizabeth Healy <ehealy@virtru.com> * format * fix merge --------- Signed-off-by: Elizabeth Healy <ehealy@virtru.com> Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: Paul Flynn <43211074+pflynn-virtru@users.noreply.github.com> Co-authored-by: jakedoublev <jake.vanvorhis@virtru.com> Co-authored-by: Jake Van Vorhis <83739412+jakedoublev@users.noreply.github.com> Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
diff --git a/lib/src/nanotdf/Client.ts b/lib/src/nanotdf/Client.ts
@@ -273,7 +273,7 @@ export default class Client {
         create(UnsignedRewrapRequest_WithPolicyRequestSchema, {
           keyAccessObjects: [
             {
-              keyAccessObjectId: 'kao-0',
+              keyAccessObjectId: 'kao-0', // only one kao, no bulk
               keyAccessObject: {
                 header: new Uint8Array(nanoTdfHeader),
                 kasUrl: '',
@@ -309,10 +309,16 @@ export default class Client {
       this.authProvider,
       this.fulfillableObligationFQNs
     );
+    // Upgrade any V1 responses to V2
     upgradeRewrapResponseV1(rewrapResp);
 
-    // Assume only one response and one result for now (V1 style)
-    const result = rewrapResp.responses[0].results[0];
+    const result = rewrapResp.responses?.[0]?.results?.[0];
+    if (!result) {
+      // This should not happen - KAS should always return at least one response and one result
+      // or the upgradeRewrapResponseV1 should have created them
+      throw new DecryptError('KAS rewrap response missing expected response or result');
+    }
+
     let entityWrappedKey: Uint8Array<ArrayBufferLike>;
     switch (result.result.case) {
       case 'kasWrappedKey': {
diff --git a/lib/src/utils.ts b/lib/src/utils.ts
@@ -263,6 +263,7 @@ export function getRequiredObligationFQNs(response: RewrapResponse) {
 
 /**
  * Upgrades a RewrapResponse from v1 format to v2.
+ * Note: This mutates the response in place.
  */
 export function upgradeRewrapResponseV1(response: RewrapResponse) {
   if (response.responses.length > 0) {
diff --git a/lib/tdf3/src/tdf.ts b/lib/tdf3/src/tdf.ts
@@ -844,11 +844,17 @@ async function unwrapKey({
       authProvider,
       fulfillableObligations
     );
+    // Upgrade V1 response to V2 format if needed
     upgradeRewrapResponseV1(rewrapResp);
     const { sessionPublicKey } = rewrapResp;
     const requiredObligations = getRequiredObligationFQNs(rewrapResp);
     // Assume only one response and one result for now (V1 style)
-    const result = rewrapResp.responses[0].results[0];
+    const result = rewrapResp.responses?.[0]?.results?.[0];
+    if (!result) {
+      // This should not happen - KAS should always return at least one response and one result
+      // or the upgradeRewrapResponseV1 should have created them
+      throw new DecryptError('KAS rewrap response missing expected response or result');
+    }
     const metadata = result.metadata;
     // Handle the different cases of result.result
     switch (result.result.case) {
diff --git a/lib/tests/server.ts b/lib/tests/server.ts
@@ -168,27 +168,27 @@ const kas: RequestListener = async (req, res) => {
         res.end('{"error": "Invalid client public key"}');
         return;
       }
-      const kaoheader = rewrap.requests?.[0]?.keyAccessObjects?.[0]?.keyAccessObject?.header;
+      const keyAccessObject = rewrap.requests?.[0]?.keyAccessObjects?.[0]?.keyAccessObject;
+      const kaoheader = keyAccessObject?.header;
       const isZTDF = !kaoheader || kaoheader.length === 0;
       if (isZTDF) {
-        const wk = rewrap.requests?.[0]?.keyAccessObjects?.[0]?.keyAccessObject?.wrappedKey;
+        const wk = keyAccessObject?.wrappedKey;
         if (!wk || wk.length === 0) {
           res.writeHead(400);
           res.end('{"error": "Invalid wrapped key"}');
           return;
         }
-        const isECWrapped =
-          rewrap.requests?.[0]?.keyAccessObjects?.[0]?.keyAccessObject?.kid == 'e1';
+        const isECWrapped = keyAccessObject?.kid == 'e1';
         // Decrypt the wrapped key from TDF3
         let dek: Binary;
         if (isECWrapped) {
-          if (!rewrap.requests?.[0]?.keyAccessObjects?.[0]?.keyAccessObject?.ephemeralPublicKey) {
+          if (!keyAccessObject?.ephemeralPublicKey) {
             res.writeHead(400);
             res.end('{"error": "Nil ephemeral public key"}');
             return;
           }
           const ephemeralKey: CryptoKey = await pemPublicToCrypto(
-            rewrap.requests?.[0]?.keyAccessObjects?.[0]?.keyAccessObject?.ephemeralPublicKey
+            keyAccessObject?.ephemeralPublicKey
           );
           const kasPrivateKeyBytes = base64.decodeArrayBuffer(
             removePemFormatting(Mocks.kasECPrivateKey)
