feat(lib): offline abac KAO configuration (#349)

Author: dmihalcik-virtru

lib/src/policy/attributes.ts

@@ -0,0 +1,103 @@
+export type Metadata = {
+  /**
+   * created_at set by server (entity who created will recorded in an audit event)
+   * Format: date-time
+   */
+  createdAt?: string;
+
+  /**
+   * updated_at set by server (entity who updated will recorded in an audit event)
+   * Format: date-time
+   */
+  updatedAt?: string;
+
+  /** optional short description */
+  labels?: Record<string, string>;
+};
+
+export type KasPublicKeyAlgorithm =
+  | 'KAS_PUBLIC_KEY_ALG_ENUM_UNSPECIFIED'
+  | 'KAS_PUBLIC_KEY_ALG_ENUM_RSA_2048'
+  | 'KAS_PUBLIC_KEY_ALG_ENUM_EC_SECP256R1';
+
+export type KasPublicKey = {
+  /** x509 ASN.1 content in PEM envelope, usually */
+  pem: string;
+  /** A unique string identifier for this key */
+  kid: string;
+  /**
+   * @description A known algorithm type with any additional parameters encoded.
+   * To start, these may be `rsa:2048` for encrypting ZTDF files and
+   * `ec:secp256r1` for nanoTDF, but more formats may be added as needed.
+   */
+  alg: KasPublicKeyAlgorithm;
+};
+
+export type KasPublicKeySet = {
+  keys: KasPublicKey[];
+};
+
+export type PublicKey = {
+  /** kas public key url - optional since can also be retrieved via public key */
+  remote?: string;
+  /** public key; PEM of RSA public key; prefer `cached` */
+  local?: string;
+  /** public key with additional information. Current preferred version */
+  cached?: KasPublicKeySet;
+};
+
+export type KeyAccessServer = {
+  id?: string;
+  /** Address of a KAS instance */
+  uri: string;
+  publicKey?: PublicKey;
+  metadata?: Metadata;
+};
+
+export type Namespace = {
+  /** uuid */
+  id?: string;
+  /** used to partition Attribute Definitions, support by namespace AuthN and enable federation */
+  name?: string;
+  fqn: string;
+  /** active by default until explicitly deactivated */
+  active?: boolean;
+  metadata?: Metadata;
+  grants?: KeyAccessServer[];
+};
+
+export type AttributeRuleType =
+  | 'ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED'
+  | 'ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF'
+  | 'ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF'
+  | 'ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY';
+
+export type Attribute = {
+  /** UUID */
+  id?: string;
+  namespace?: Namespace;
+  /** attribute name */
+  name?: string;
+  /** attribute rule enum */
+  rule?: AttributeRuleType;
+  values?: Value[];
+  grants?: KeyAccessServer[];
+  fqn: string;
+  /** active by default until explicitly deactivated */
+  active?: boolean;
+  /** Common metadata */
+  metadata?: Metadata;
+};
+
+export type Value = {
+  id?: string;
+  attribute?: Attribute;
+  value?: string;
+  /** list of key access servers */
+  grants?: KeyAccessServer[];
+  fqn: string;
+  /** active by default until explicitly deactivated */
+  active?: boolean;
+  /** Common metadata */
+  metadata?: Metadata;
+};

lib/src/policy/granter.ts

@@ -0,0 +1,180 @@
+import { Attribute, AttributeRuleType, KeyAccessServer, Value } from './attributes.js';
+
+export type KeySplitStep = {
+  kas: KeyAccessServer;
+  sid?: string;
+};
+
+type AttributeClause = {
+  def: Attribute;
+  values: string[];
+};
+
+type AndClause = {
+  op: 'allOf';
+  kases: string[];
+};
+
+type HeirarchyClause = {
+  op: 'hierarchy';
+  kases: string[];
+};
+
+type OrClause = {
+  op: 'anyOf';
+  kases: string[];
+};
+
+type BooleanClause = AndClause | OrClause | HeirarchyClause;
+
+type BooleanOperator = BooleanClause['op'];
+
+type ComplexBooleanClause = {
+  op: BooleanOperator;
+  children: BooleanClause[];
+};
+
+export function booleanOperatorFor(rule?: AttributeRuleType): BooleanOperator {
+  if (!rule) {
+    return 'allOf';
+  }
+  switch (rule) {
+    case 'ATTRIBUTE_RULE_TYPE_ENUM_UNSPECIFIED':
+    case 'ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF':
+      return 'allOf';
+    case 'ATTRIBUTE_RULE_TYPE_ENUM_ANY_OF':
+      return 'anyOf';
+    case 'ATTRIBUTE_RULE_TYPE_ENUM_HIERARCHY':
+      return 'hierarchy';
+  }
+}
+
+export function plan(dataAttrs: Value[]): KeySplitStep[] {
+  // KASes by value
+  const grants: Record<string, Set<string>> = {};
+  // KAS detail by KAS url
+  const kasInfo: Record<string, KeyAccessServer> = {};
+  // Attribute definitions in use
+  const prefixes: Set<string> = new Set();
+  // Values grouped by normalized attribute prefix
+  const allClauses: Record<string, AttributeClause> = {};
+  // Values by normalized FQN
+  const allValues: Record<string, Value> = {};
+
+  const addGrants = (val: string, gs?: KeyAccessServer[]): boolean => {
+    if (!gs?.length) {
+      if (!(val in grants)) {
+        grants[val] = new Set();
+      }
+      return false;
+    }
+    for (const g of gs) {
+      if (val in grants) {
+        grants[val].add(g.uri);
+      } else {
+        grants[val] = new Set([g.uri]);
+      }
+      kasInfo[g.uri] = g;
+    }
+    return true;
+  };
+
+  for (const v of dataAttrs) {
+    const { attribute, fqn } = v;
+    if (!attribute) {
+      throw new Error(`attribute not defined for [${fqn}]`);
+    }
+    const valFqn = fqn.toLowerCase();
+    const attrFqn = attribute.fqn.toLowerCase();
+    if (!prefixes.has(attrFqn)) {
+      prefixes.add(attrFqn);
+      allClauses[attrFqn] = {
+        def: attribute,
+        values: [],
+      };
+    }
+    allClauses[attrFqn].values.push(valFqn);
+    allValues[valFqn] = v;
+    if (!addGrants(valFqn, v.grants)) {
+      if (!addGrants(valFqn, attribute.grants)) {
+        addGrants(valFqn, attribute.namespace?.grants);
+      }
+    }
+  }
+  const kcs: ComplexBooleanClause[] = [];
+  for (const attrClause of Object.values(allClauses)) {
+    const ccv: BooleanClause[] = [];
+    for (const term of attrClause.values) {
+      const grantsForTerm = Array.from(grants[term] || []);
+      if (grantsForTerm?.length) {
+        ccv.push({
+          op: 'anyOf',
+          kases: grantsForTerm,
+        });
+      }
+    }
+    const op = booleanOperatorFor(attrClause.def.rule);
+    kcs.push({
+      op,
+      children: ccv,
+    });
+  }
+  return simplify(kcs, kasInfo);
+}
+
+function simplify(
+  clauses: ComplexBooleanClause[],
+  kasInfo: Record<string, KeyAccessServer>
+): KeySplitStep[] {
+  const conjunction: Record<string, string[]> = {};
+  function keyFor(kases: string[]): string {
+    const k = Array.from(new Set([kases])).sort();
+    return k.join('|');
+  }
+  for (const { op, children } of clauses) {
+    if (!children) {
+      continue;
+    }
+    if (op === 'anyOf') {
+      const anyKids = [];
+      for (const bc of children) {
+        if (bc.op != 'anyOf') {
+          throw new Error('inversion');
+        }
+        if (!bc.kases?.length) {
+          continue;
+        }
+        anyKids.push(...bc.kases);
+      }
+      if (!anyKids?.length) {
+        continue;
+      }
+      const k = keyFor(anyKids);
+      conjunction[k] = anyKids;
+    } else {
+      for (const bc of children) {
+        if (bc.op != 'anyOf') {
+          throw new Error('inversion');
+        }
+        if (!bc.kases?.length) {
+          continue;
+        }
+        const k = keyFor(bc.kases);
+        conjunction[k] = bc.kases;
+      }
+    }
+  }
+  const t: KeySplitStep[] = [];
+  let i = 0;
+  for (const k of Object.keys(conjunction).sort()) {
+    if (!conjunction[k]) {
+      continue;
+    }
+    i += 1;
+    const sid = '' + i;
+    for (const kas of conjunction[k]) {
+      t.push({ sid, kas: kasInfo[kas] });
+    }
+  }
+  return t;
+}

lib/tdf3/src/client/builders.ts

@@ -8,13 +8,15 @@ import { PemKeyPair } from '../crypto/declarations.js';
 import { EntityObject } from '../../../src/tdf/EntityObject.js';
 import { DecoratedReadableStream } from './DecoratedReadableStream.js';
 import { type Chunker } from '../utils/chunkers.js';
+import { Value } from '../../../src/policy/attributes.js';
 
 export const DEFAULT_SEGMENT_SIZE: number = 1024 * 1024;
 export type Scope = {
   dissem?: string[];
   policyId?: string;
   policyObject?: Policy;
   attributes?: (string | AttributeObject)[];
+  attributeValues?: Value[];
 };
 
 export type EncryptKeyMiddleware = (...args: unknown[]) => Promise<{