feat(sdk): sdk to use connect rpc calls (#596)

* feat: refactored access.ts http calls
* feat: refactor api fqns calls
* chore: fix roundtrip
* fix: refactor api fqns calls types
* chore: increase text coverage for rpc calls
* fix: platformUrl guess from kasEndpoint
* feat: call legacy api in case of rpc call failure for support with legacy servers

Author: eugenioenko

cli/package-lock.json

@@ -367,6 +367,11 @@ export const handleArgs = (args: string[]) => {
         type: 'string',
         description: 'URL to non-default KAS instance (https://mykas.net)',
       })
+      .option('platformUrl', {
+        group: 'Server Endpoints:',
+        type: 'string',
+        description: 'Location of policy service and KAS (https://opentdf.demo)',
+      })
       .option('oidcEndpoint', {
         group: 'Server Endpoints:',
         type: 'string',
@@ -585,6 +590,7 @@ export const handleArgs = (args: string[]) => {
         async (argv) => {
           log('DEBUG', 'Running inspect command');
           const ct = new OpenTDF({
+            platformUrl: argv.platformUrl || guessPolicyUrl(argv),
             authProvider: new InvalidAuthProvider(),
           });
           try {
@@ -635,7 +641,7 @@ export const handleArgs = (args: string[]) => {
             },
             disableDPoP: !argv.dpop,
             policyEndpoint: guessedPolicyEndpoint,
-            platformUrl: guessedPolicyEndpoint,
+            platformUrl: argv.platformUrl || guessedPolicyEndpoint,
           });
           try {
             log('SILLY', `Initialized client`);
@@ -685,14 +691,16 @@ export const handleArgs = (args: string[]) => {
           log('DEBUG', 'Running encrypt command');
           const authProvider = await processAuth(argv);
           log('DEBUG', `Initialized auth provider ${JSON.stringify(authProvider)}`);
+          const guessedPolicyEndpoint = guessPolicyUrl(argv);
 
           const client = new OpenTDF({
             authProvider,
             defaultCreateOptions: {
               defaultKASEndpoint: argv.kasEndpoint,
             },
             disableDPoP: !argv.dpop,
-            policyEndpoint: guessPolicyUrl(argv),
+            policyEndpoint: guessedPolicyEndpoint,
+            platformUrl: argv.platformUrl || guessedPolicyEndpoint,
           });
           try {
             log('SILLY', `Initialized client`);

cli/src/cli.ts

@@ -70,6 +70,7 @@
     "lint": "eslint ./src/**/*.ts ./tdf3/**/*.ts ./tests/**/*.ts",
     "prepack": "npm run build",
     "test": "npm run build && npm run test:with-server",
+    "mock:platform": "npm run build && node dist/web/tests/server.js",
     "test:with-server": "node dist/web/tests/server.js & trap \"node dist/web/tests/stopServer.js\" EXIT; npm run test:mocha && npm run test:wtr && npm run test:browser && npm run coverage:merge",
     "test:browser": "npx webpack --config webpack.test.config.cjs && npx karma start karma.conf.cjs",
     "test:mocha": "c8 --exclude=\"dist/web/tests/**/*\" --report-dir=./coverage/mocha mocha 'dist/web/tests/mocha/**/*.spec.js' && npx c8 report --reporter=json --report-dir=./coverage/mocha",

lib/package.json

@@ -1,25 +1,19 @@
 import { type AuthProvider } from './auth/auth.js';
-import {
-  ConfigurationError,
-  InvalidFileError,
-  NetworkError,
-  PermissionDeniedError,
-  ServiceError,
-  UnauthenticatedError,
-} from './errors.js';
-import { pemToCryptoPublicKey, validateSecureUrl } from './utils.js';
+import { ServiceError } from './errors.js';
+import { RewrapResponse } from './platform/kas/kas_pb.js';
+import { getPlatformUrlFromKasEndpoint, validateSecureUrl } from './utils.js';
+
+import { fetchKeyAccessServers as fetchKeyAccessServersRpc } from './access/access-rpc.js';
+import { fetchKeyAccessServers as fetchKeyAccessServersLegacy } from './access/access-fetch.js';
+import { fetchWrappedKey as fetchWrappedKeysRpc } from './access/access-rpc.js';
+import { fetchWrappedKey as fetchWrappedKeysLegacy } from './access/access-fetch.js';
+import { fetchKasPubKey as fetchKasPubKeyRpc } from './access/access-rpc.js';
+import { fetchKasPubKey as fetchKasPubKeyLegacy } from './access/access-fetch.js';
 
 export type RewrapRequest = {
   signedRequestToken: string;
 };
 
-export type RewrapResponse = {
-  metadata: Record<string, unknown>;
-  entityWrappedKey: string;
-  sessionPublicKey: string;
-  schemaVersion: string;
-};
-
 /**
  * Get a rewrapped access key to the document, if possible
  * @param url Key access server rewrap endpoint
@@ -29,59 +23,20 @@ export type RewrapResponse = {
  */
 export async function fetchWrappedKey(
   url: string,
-  requestBody: RewrapRequest,
-  authProvider: AuthProvider,
-  clientVersion: string
+  signedRequestToken: string,
+  authProvider: AuthProvider
 ): Promise<RewrapResponse> {
-  const req = await authProvider.withCreds({
-    url,
-    method: 'POST',
-    headers: {
-      'Content-Type': 'application/json',
-    },
-    body: JSON.stringify(requestBody),
-  });
-
-  let response: Response;
-
-  try {
-    response = await fetch(req.url, {
-      method: req.method,
-      mode: 'cors', // no-cors, *cors, same-origin
-      cache: 'no-cache', // *default, no-cache, reload, force-cache, only-if-cached
-      credentials: 'same-origin', // include, *same-origin, omit
-      headers: req.headers,
-      redirect: 'follow', // manual, *follow, error
-      referrerPolicy: 'no-referrer', // no-referrer, *no-referrer-when-downgrade, origin, origin-when-cross-origin, same-origin, strict-origin, strict-origin-when-cross-origin, unsafe-url
-      body: req.body as BodyInit,
-    });
-  } catch (e) {
-    throw new NetworkError(`unable to fetch wrapped key from [${url}]`, e);
-  }
-
-  if (!response.ok) {
-    switch (response.status) {
-      case 400:
-        throw new InvalidFileError(
-          `400 for [${req.url}]: rewrap bad request [${await response.text()}]`
-        );
-      case 401:
-        throw new UnauthenticatedError(`401 for [${req.url}]; rewrap auth failure`);
-      case 403:
-        throw new PermissionDeniedError(`403 for [${req.url}]; rewrap permission denied`);
-      default:
-        if (response.status >= 500) {
-          throw new ServiceError(
-            `${response.status} for [${req.url}]: rewrap failure due to service error [${await response.text()}]`
-          );
-        }
-        throw new NetworkError(
-          `${req.method} ${req.url} => ${response.status} ${response.statusText}`
-        );
-    }
-  }
-
-  return response.json();
+  const platformUrl = getPlatformUrlFromKasEndpoint(url);
+
+  return await tryPromisesUntilFirstSuccess(
+    () => fetchWrappedKeysRpc(platformUrl, signedRequestToken, authProvider),
+    () =>
+      fetchWrappedKeysLegacy(
+        url,
+        { signedRequestToken },
+        authProvider
+      ) as unknown as Promise<RewrapResponse>
+  );
 }
 
 export type KasPublicKeyAlgorithm = 'ec:secp256r1' | 'rsa:2048';
@@ -145,7 +100,7 @@ export type KasPublicKeyInfo = {
   key: Promise<CryptoKey>;
 };
 
-async function noteInvalidPublicKey(url: URL, r: Promise<CryptoKey>): Promise<CryptoKey> {
+export async function noteInvalidPublicKey(url: URL, r: Promise<CryptoKey>): Promise<CryptoKey> {
   try {
     return await r;
   } catch (e) {
@@ -160,49 +115,10 @@ export async function fetchKeyAccessServers(
   platformUrl: string,
   authProvider: AuthProvider
 ): Promise<OriginAllowList> {
-  let nextOffset = 0;
-  const allServers = [];
-  do {
-    const req = await authProvider.withCreds({
-      url: `${platformUrl}/key-access-servers?pagination.offset=${nextOffset}`,
-      method: 'GET',
-      headers: {
-        'Content-Type': 'application/json',
-      },
-    });
-    let response: Response;
-    try {
-      response = await fetch(req.url, {
-        method: req.method,
-        headers: req.headers,
-        body: req.body as BodyInit,
-        mode: 'cors',
-        cache: 'no-cache',
-        credentials: 'same-origin',
-        redirect: 'follow',
-        referrerPolicy: 'no-referrer',
-      });
-    } catch (e) {
-      throw new NetworkError(`unable to fetch kas list from [${req.url}]`, e);
-    }
-    // if we get an error from the kas registry, throw an error
-    if (!response.ok) {
-      throw new ServiceError(
-        `unable to fetch kas list from [${req.url}], status: ${response.status}`
-      );
-    }
-    const { keyAccessServers = [], pagination = {} } = await response.json();
-    allServers.push(...keyAccessServers);
-    nextOffset = pagination.nextOffset || 0;
-  } while (nextOffset > 0);
-
-  const serverUrls = allServers.map((server) => server.uri);
-  // add base platform kas
-  if (!serverUrls.includes(`${platformUrl}/kas`)) {
-    serverUrls.push(`${platformUrl}/kas`);
-  }
-
-  return new OriginAllowList(serverUrls, false);
+  return await tryPromisesUntilFirstSuccess(
+    () => fetchKeyAccessServersRpc(platformUrl, authProvider),
+    () => fetchKeyAccessServersLegacy(platformUrl, authProvider)
+  );
 }
 
 /**
@@ -217,64 +133,10 @@ export async function fetchKasPubKey(
   kasEndpoint: string,
   algorithm?: KasPublicKeyAlgorithm
 ): Promise<KasPublicKeyInfo> {
-  if (!kasEndpoint) {
-    throw new ConfigurationError('KAS definition not found');
-  }
-  // Logs insecure KAS. Secure is enforced in constructor
-  validateSecureUrl(kasEndpoint);
-
-  // Parse kasEndpoint to URL, then append to its path and update its query parameters
-  let pkUrlV2: URL;
-  try {
-    pkUrlV2 = new URL(kasEndpoint);
-  } catch (e) {
-    throw new ConfigurationError(`KAS definition invalid: [${kasEndpoint}]`, e);
-  }
-  if (!pkUrlV2.pathname.endsWith('kas_public_key')) {
-    if (!pkUrlV2.pathname.endsWith('/')) {
-      pkUrlV2.pathname += '/';
-    }
-    pkUrlV2.pathname += 'v2/kas_public_key';
-  }
-  pkUrlV2.searchParams.set('algorithm', algorithm || 'rsa:2048');
-  if (!pkUrlV2.searchParams.get('v')) {
-    pkUrlV2.searchParams.set('v', '2');
-  }
-
-  let kasPubKeyResponseV2: Response;
-  try {
-    kasPubKeyResponseV2 = await fetch(pkUrlV2);
-  } catch (e) {
-    throw new NetworkError(`unable to fetch public key from [${pkUrlV2}]`, e);
-  }
-  if (!kasPubKeyResponseV2.ok) {
-    switch (kasPubKeyResponseV2.status) {
-      case 404:
-        throw new ConfigurationError(`404 for [${pkUrlV2}]`);
-      case 401:
-        throw new UnauthenticatedError(`401 for [${pkUrlV2}]`);
-      case 403:
-        throw new PermissionDeniedError(`403 for [${pkUrlV2}]`);
-      default:
-        throw new NetworkError(
-          `${pkUrlV2} => ${kasPubKeyResponseV2.status} ${kasPubKeyResponseV2.statusText}`
-        );
-    }
-  }
-  const jsonContent = await kasPubKeyResponseV2.json();
-  const { publicKey, kid }: KasPublicKeyInfo = jsonContent;
-  if (!publicKey) {
-    throw new NetworkError(
-      `invalid response from public key endpoint [${JSON.stringify(jsonContent)}]`
-    );
-  }
-  return {
-    key: noteInvalidPublicKey(pkUrlV2, pemToCryptoPublicKey(publicKey)),
-    publicKey,
-    url: kasEndpoint,
-    algorithm: algorithm || 'rsa:2048',
-    ...(kid && { kid }),
-  };
+  return await tryPromisesUntilFirstSuccess(
+    () => fetchKasPubKeyRpc(kasEndpoint, algorithm),
+    () => fetchKasPubKeyLegacy(kasEndpoint, algorithm)
+  );
 }
 
 const origin = (u: string): string => {
@@ -301,3 +163,25 @@ export class OriginAllowList {
     return this.origins.includes(origin(url));
   }
 }
+
+/**
+ * Tries two promise-returning functions in order and returns the first successful result.
+ * If both fail, throws the error from the second.
+ * @param first First function returning a promise to try.
+ * @param second Second function returning a promise to try if the first fails.
+ */
+async function tryPromisesUntilFirstSuccess<T>(
+  first: () => Promise<T>,
+  second: () => Promise<T>
+): Promise<T> {
+  try {
+    return await first();
+  } catch (e1) {
+    console.info('v2 request error', e1);
+    try {
+      return await second();
+    } catch (err) {
+      throw err;
+    }
+  }
+}