feat(sdk): Move to rewrap v2 request/response format (#774)

* feat: Certificates & Obligations (#755)

* - Pin `@bufbuild/buf` and `@bufbuild/protoc-gen-es` dependencies to specific versions.
- Update copyright notices in `http_pb.ts` and `validate_pb.ts`.

* - Pin `@bufbuild/buf` and `@bufbuild/protoc-gen-es` dependencies to specific versions.
- Update copyright notices in `http_pb.ts` and `validate_pb.ts`.

* Add `obligations` and `rootCerts` attributes to test fixtures and mock data.

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* feat: upgrade tdf clients to rewrap v2 proto structure

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* updates to match go behavior

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* feat: Get Namespace (#756)

* - Pin `@bufbuild/buf` and `@bufbuild/protoc-gen-es` dependencies to specific versions.
- Update copyright notices in `http_pb.ts` and `validate_pb.ts`.

* - Pin `@bufbuild/buf` and `@bufbuild/protoc-gen-es` dependencies to specific versions.
- Update copyright notices in `http_pb.ts` and `validate_pb.ts`.

* Add `obligations` and `rootCerts` attributes to test fixtures and mock data.

* Add `getRootCertsFromNamespace` function and include headers initialization in `authProvider`

* Add input validation for `getRootCertsFromNamespace` and basic unit tests

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* feat(sdk): initial obligations support in rewrap flow (#748)

* feat(core): initial obligations support in rewrap flow

* 🤖 🎨 Autoformat

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* wip

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* more wip

* rm unused import

* 🤖 🎨 Autoformat

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* lint fix

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* tests

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* 🤖 🎨 Autoformat

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* move file

* tdf3 client

* cleanup

* obligations method on opentdf reader classes

* requiredObligations on DecoratedReadableStream in tdf3

* wip: fetch decision if obligations haven't been set on reader

* wip

* 🤖 🎨 Autoformat

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* bugfix in case of no data attributes leading to no obligations

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* working state

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* fix

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* 🤖 🎨 Autoformat

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* fix comments

* rm example web app hardcoded attributes and obligations

* unit tests for getRequiredObligations

* improve nullish operators

* cleanup

* 🤖 🎨 Autoformat

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* improvements

* fix

* 🤖 🎨 Autoformat

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* improve log

* put back package.json changes

* pr feedback

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* 🤖 🎨 Autoformat

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>

* rm rewrap header for obligations over legacy http for older platforms

---------

Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* chore: release sdk 0.5.0 (#658)

* chore(main): release sdk 0.5.0

* Update dependencies

---------

Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* feat(ci): Add a workflow to update the generated code for new protocol/go versions (#767)

* add a workflow to update the pbs

* trigger on PR

* correct platform location

* add gh token to env

* remove extra file after use

* detect changes on regen

* test with latest version

* remove, test changes

* test for signed commits

* try with api

* push the new branch

* use a shorter file name in the message

* fix for non existing files

* run slightly after midnight to avoid queues

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* 🤖 🎨 Autoformat

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* handle rewrap response

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* formatting

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* passing unit tests

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* format

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* chore(docs): bump playwright and @playwright/test in /web-app/tests (#763)

Bumps [playwright](https://github.com/microsoft/playwright) to 1.56.1 and updates ancestor dependency [@playwright/test](https://github.com/microsoft/playwright). These dependencies need to be updated together.

Updates `playwright` from 1.50.1 to 1.56.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.50.1...v1.56.1)

Updates `@playwright/test` from 1.50.1 to 1.56.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.50.1...v1.56.1)

---
updated-dependencies:
- dependency-name: playwright
  dependency-version: 1.56.1
  dependency-type: indirect
- dependency-name: "@playwright/test"
  dependency-version: 1.56.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* chore(docs): bump vite from 6.3.6 to 6.4.1 in /web-app (#764)

Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.3.6 to 6.4.1.
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/main/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/create-vite@6.4.1/packages/vite)

---
updated-dependencies:
- dependency-name: vite
  dependency-version: 6.4.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* v1 backwards compatability

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* error handling

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* cleanup

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* chore(docs): bump playwright and @playwright/test in /web-app (#775)

Bumps [playwright](https://github.com/microsoft/playwright) and [@playwright/test](https://github.com/microsoft/playwright). These dependencies needed to be updated together.

Updates `playwright` from 1.50.1 to 1.56.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.50.1...v1.56.1)

Updates `@playwright/test` from 1.50.1 to 1.56.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.50.1...v1.56.1)

---
updated-dependencies:
- dependency-name: playwright
  dependency-version: 1.56.1
  dependency-type: direct:development
- dependency-name: "@playwright/test"
  dependency-version: 1.56.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Signed-off-by: Elizabeth Healy <ehealy@virtru.com>

* suggestions

---------

Signed-off-by: Elizabeth Healy <ehealy@virtru.com>
Signed-off-by: jakedoublev <jake.vanvorhis@virtru.com>
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: Paul Flynn <43211074+pflynn-virtru@users.noreply.github.com>
Co-authored-by: jakedoublev <jake.vanvorhis@virtru.com>
Co-authored-by: Jake Van Vorhis <83739412+jakedoublev@users.noreply.github.com>
Co-authored-by: opentdf-automation[bot] <149537512+opentdf-automation[bot]@users.noreply.github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Author: 5 people

lib/src/access/access-rpc.ts

@@ -8,7 +8,14 @@ import {
 } from '../access.js';
 
 import { type AuthProvider } from '../auth/auth.js';
-import { ConfigurationError, NetworkError } from '../errors.js';
+import {
+  ConfigurationError,
+  InvalidFileError,
+  NetworkError,
+  PermissionDeniedError,
+  ServiceError,
+  UnauthenticatedError,
+} from '../errors.js';
 import { PlatformClient } from '../platform.js';
 import { RewrapResponse } from '../platform/kas/kas_pb.js';
 import { ListKeyAccessServersResponse } from '../platform/policy/kasregistry/key_access_server_registry_pb.js';
@@ -19,6 +26,7 @@ import {
   validateSecureUrl,
 } from '../utils.js';
 import { X_REWRAP_ADDITIONAL_CONTEXT } from './constants.js';
+import { ConnectError, Code } from '@connectrpc/connect';
 
 /**
  * Get a rewrapped access key to the document, if possible
@@ -42,11 +50,66 @@ export async function fetchWrappedKey(
       [X_REWRAP_ADDITIONAL_CONTEXT]: rewrapAdditionalContextHeader,
     };
   }
+  let response: RewrapResponse;
   try {
-    return await platform.v1.access.rewrap({ signedRequestToken }, options);
+    response = await platform.v1.access.rewrap({ signedRequestToken }, options);
   } catch (e) {
-    throw new NetworkError(`[${platformUrl}] [Rewrap] ${extractRpcErrorMessage(e)}`);
+    handleRpcRewrapError(e, platformUrl);
+  }
+  return response;
+}
+
+export function handleRpcRewrapError(e: unknown, platformUrl: string): never {
+  if (e instanceof ConnectError) {
+    console.log('Error is a ConnectError with code:', e.code);
+    switch (e.code) {
+      case Code.InvalidArgument: // 400 Bad Request
+        throw new InvalidFileError(`400 for [${platformUrl}]: rewrap bad request [${e.message}]`);
+      case Code.PermissionDenied: // 403 Forbidden
+        throw new PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied`);
+      case Code.Unauthenticated: // 401 Unauthorized
+        throw new UnauthenticatedError(`401 for [${platformUrl}]; rewrap auth failure`);
+      case Code.Internal:
+      case Code.Unimplemented:
+      case Code.DataLoss:
+      case Code.Unknown:
+      case Code.DeadlineExceeded:
+      case Code.Unavailable: // >=500 Server Error
+        throw new ServiceError(
+          `${e.code} for [${platformUrl}]: rewrap failure due to service error [${e.message}]`
+        );
+      default:
+        throw new NetworkError(`[${platformUrl}] [Rewrap] ${e.message}`);
+    }
+  }
+  throw new NetworkError(`[${platformUrl}] [Rewrap] ${extractRpcErrorMessage(e)}`);
+}
+
+export function handleRpcRewrapErrorString(e: string, platformUrl: string): never {
+  if (e.includes(Code[Code.InvalidArgument])) {
+    // 400 Bad Request
+    throw new InvalidFileError(`400 for [${platformUrl}]: rewrap bad request [${e}]`);
+  }
+  if (e.includes(Code[Code.PermissionDenied])) {
+    // 403 Forbidden
+    throw new PermissionDeniedError(`403 for [${platformUrl}]; rewrap permission denied`);
+  }
+  if (e.includes(Code[Code.Unauthenticated])) {
+    // 401 Unauthorized
+    throw new UnauthenticatedError(`401 for [${platformUrl}]; rewrap auth failure`);
+  }
+  if (
+    e.includes(Code[Code.Internal]) ||
+    e.includes(Code[Code.Unimplemented]) ||
+    e.includes(Code[Code.DataLoss]) ||
+    e.includes(Code[Code.Unknown]) ||
+    e.includes(Code[Code.DeadlineExceeded]) ||
+    e.includes(Code[Code.Unavailable])
+  ) {
+    // >=500
+    throw new ServiceError(`500+ [${platformUrl}]: rewrap failure due to service error [${e}]`);
   }
+  throw new NetworkError(`[${platformUrl}] [Rewrap] ${e}`);
 }
 
 export async function fetchKeyAccessServers(

lib/src/nanotdf/Client.ts

@@ -1,4 +1,8 @@
-import * as base64 from '../encodings/base64.js';
+import { create, toJsonString } from '@bufbuild/protobuf';
+import {
+  UnsignedRewrapRequest_WithPolicyRequestSchema,
+  UnsignedRewrapRequestSchema,
+} from '../platform/kas/kas_pb.js';
 import { generateKeyPair, keyAgreement } from '../nanotdf-crypto/index.js';
 import getHkdfSalt from './helpers/getHkdfSalt.js';
 import DefaultParams from './models/DefaultParams.js';
@@ -8,13 +12,16 @@ import {
   KasPublicKeyInfo,
   OriginAllowList,
 } from '../access.js';
+import { handleRpcRewrapErrorString } from '../../src/access/access-rpc.js';
 import { AuthProvider, isAuthProvider, reqSignature } from '../auth/providers.js';
 import { ConfigurationError, DecryptError, TdfError, UnsafeUrlError } from '../errors.js';
 import {
   cryptoPublicToPem,
   getRequiredObligationFQNs,
   pemToCryptoPublicKey,
+  upgradeRewrapResponseV1,
   validateSecureUrl,
+  getPlatformUrlFromKasEndpoint,
 } from '../utils.js';
 
 export interface ClientConfig {
@@ -260,18 +267,35 @@ export default class Client {
       throw new ConfigurationError('Signer key has not been set or generated');
     }
 
-    const requestBodyStr = JSON.stringify({
-      algorithm: DefaultParams.defaultECAlgorithm,
-      // nano keyAccess minimum, header is used for nano
+    const unsignedRequest = create(UnsignedRewrapRequestSchema, {
+      clientPublicKey: await cryptoPublicToPem(ephemeralKeyPair.publicKey),
+      requests: [
+        create(UnsignedRewrapRequest_WithPolicyRequestSchema, {
+          keyAccessObjects: [
+            {
+              keyAccessObjectId: 'kao-0',
+              keyAccessObject: {
+                header: new Uint8Array(nanoTdfHeader),
+                kasUrl: '',
+                protocol: Client.KAS_PROTOCOL,
+                keyType: Client.KEY_ACCESS_REMOTE,
+              },
+            },
+          ],
+          algorithm: DefaultParams.defaultECAlgorithm,
+        }),
+      ],
       keyAccess: {
-        type: Client.KEY_ACCESS_REMOTE,
-        url: '',
+        header: new Uint8Array(nanoTdfHeader),
+        kasUrl: '',
         protocol: Client.KAS_PROTOCOL,
-        header: base64.encodeArrayBuffer(nanoTdfHeader),
+        keyType: Client.KEY_ACCESS_REMOTE,
       },
-      clientPublicKey: await cryptoPublicToPem(ephemeralKeyPair.publicKey),
+      algorithm: DefaultParams.defaultECAlgorithm,
     });
 
+    const requestBodyStr = toJsonString(UnsignedRewrapRequestSchema, unsignedRequest);
+
     const jwtPayload = { requestBody: requestBodyStr };
 
     const signedRequestToken = await reqSignature(jwtPayload, requestSignerKeyPair.privateKey, {
@@ -285,9 +309,28 @@ export default class Client {
       this.authProvider,
       this.fulfillableObligationFQNs
     );
+    upgradeRewrapResponseV1(rewrapResp);
+
+    // Assume only one response and one result for now (V1 style)
+    const result = rewrapResp.responses[0].results[0];
+    let entityWrappedKey: Uint8Array<ArrayBufferLike>;
+    switch (result.result.case) {
+      case 'kasWrappedKey': {
+        entityWrappedKey = result.result.value;
+        break;
+      }
+      case 'error': {
+        handleRpcRewrapErrorString(
+          result.result.value,
+          getPlatformUrlFromKasEndpoint(kasRewrapUrl)
+        );
+      }
+      default: {
+        throw new DecryptError('KAS rewrap response missing wrapped key');
+      }
+    }
 
     // Extract the iv and ciphertext
-    const entityWrappedKey = rewrapResp.entityWrappedKey;
     const ivLength =
       clientVersion == Client.SDK_INITIAL_RELEASE ? Client.INITIAL_RELEASE_IV_SIZE : Client.IV_SIZE;
     const iv = entityWrappedKey.subarray(0, ivLength);

lib/src/utils.ts

@@ -3,7 +3,12 @@ import { exportSPKI, importX509 } from 'jose';
 import { base64 } from './encodings/index.js';
 import { pemCertToCrypto, pemPublicToCrypto } from './nanotdf-crypto/pemPublicToCrypto.js';
 import { ConfigurationError } from './errors.js';
-import { RewrapResponse } from './platform/kas/kas_pb.js';
+import {
+  RewrapResponse,
+  PolicyRewrapResultSchema,
+  KeyAccessRewrapResultSchema,
+} from './platform/kas/kas_pb.js';
+import { create } from '@bufbuild/protobuf';
 import { ConnectError } from '@connectrpc/connect';
 
 const REQUIRED_OBLIGATIONS_METADATA_KEY = 'X-Required-Obligations';
@@ -255,3 +260,31 @@ export function getRequiredObligationFQNs(response: RewrapResponse) {
 
   return [...requiredObligations.values()];
 }
+
+/**
+ * Upgrades a RewrapResponse from v1 format to v2.
+ */
+export function upgradeRewrapResponseV1(response: RewrapResponse) {
+  if (response.responses.length > 0) {
+    return;
+  }
+  if (response.entityWrappedKey.length === 0) {
+    return;
+  }
+
+  response.responses = [
+    create(PolicyRewrapResultSchema, {
+      policyId: 'policy',
+      results: [
+        create(KeyAccessRewrapResultSchema, {
+          keyAccessObjectId: 'kao-0',
+          status: 'permit',
+          result: {
+            case: 'kasWrappedKey',
+            value: response.entityWrappedKey,
+          },
+        }),
+      ],
+    }),
+  ];
+}