feat(lib): add fallback to namespace kas (#166)

mkleene · dmihalcik-virtru · web-flow · commit 4368840fa6a0 · 2024-09-20T17:08:39.000-04:00
If there is no KAS specified for an attribute value, or attribute, then use the KAS specified on the namespace to mediate access to the key. Also refactor and clarify that we need attributes that have been hydrated by the service to provide a split plan. Addresses virtru-corp/data-security-platform#609 --------- Co-authored-by: Dave Mihalcik <dmihalcik@virtru.com>
diff --git a/cmdline/pom.xml b/cmdline/pom.xml
@@ -74,10 +74,22 @@
             <artifactId>picocli</artifactId>
             <version>4.7.6</version>
         </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-slf4j2-impl</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-core</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.logging.log4j</groupId>
+            <artifactId>log4j-api</artifactId>
+        </dependency>
         <dependency>
             <groupId>io.opentdf.platform</groupId>
             <artifactId>sdk</artifactId>
             <version>${project.version}</version>
         </dependency>
     </dependencies>
-</project>
+</project>
diff --git a/cmdline/src/main/resources/log4j2.xml b/cmdline/src/main/resources/log4j2.xml
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<configuration status="WARN">
+    <appenders>
+        <Console name="Console" target="SYSTEM_ERR">
+            <PatternLayout pattern="%d{HH:mm:ss.SSS} [%t] %-5level %logger{36} - %msg%n"/>
+        </Console>
+    </appenders>
+    <loggers>
+        <root level="trace">
+            <appender-ref ref="Console"/>
+        </root>
+        <Logger name="io.grpc.netty" level="error" additivity="false">
+            <AppenderRef ref="Console" />
+        </Logger>
+    </loggers>
+</configuration>
diff --git a/sdk/src/main/java/io/opentdf/platform/sdk/Autoconfigure.java b/sdk/src/main/java/io/opentdf/platform/sdk/Autoconfigure.java
@@ -1,5 +1,21 @@
 package io.opentdf.platform.sdk;
 
+import com.google.common.base.Supplier;
+import io.opentdf.platform.policy.Attribute;
+import io.opentdf.platform.policy.AttributeRuleTypeEnum;
+import io.opentdf.platform.policy.AttributeValueSelector;
+import io.opentdf.platform.policy.KasPublicKey;
+import io.opentdf.platform.policy.KasPublicKeyAlgEnum;
+import io.opentdf.platform.policy.KeyAccessServer;
+import io.opentdf.platform.policy.Value;
+import io.opentdf.platform.policy.attributes.AttributesServiceGrpc.AttributesServiceFutureStub;
+import io.opentdf.platform.policy.attributes.GetAttributeValuesByFqnsRequest;
+import io.opentdf.platform.policy.attributes.GetAttributeValuesByFqnsResponse;
+import io.opentdf.platform.policy.attributes.GetAttributeValuesByFqnsResponse.AttributeAndValue;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.annotation.Nullable;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
 import java.net.URLEncoder;
@@ -19,23 +35,6 @@
 import java.util.regex.Pattern;
 import java.util.stream.Collectors;
 
-import org.slf4j.Logger;
-import org.slf4j.LoggerFactory;
-
-import com.google.common.base.Supplier;
-
-import io.opentdf.platform.policy.KeyAccessServer;
-import io.opentdf.platform.policy.attributes.AttributesServiceGrpc.AttributesServiceFutureStub;
-import io.opentdf.platform.policy.attributes.GetAttributeValuesByFqnsRequest;
-import io.opentdf.platform.policy.attributes.GetAttributeValuesByFqnsResponse;
-import io.opentdf.platform.policy.attributes.GetAttributeValuesByFqnsResponse.AttributeAndValue;
-import io.opentdf.platform.policy.Attribute;
-import io.opentdf.platform.policy.Value;
-import io.opentdf.platform.policy.KasPublicKey;
-import io.opentdf.platform.policy.AttributeValueSelector;
-import io.opentdf.platform.policy.AttributeRuleTypeEnum;
-import io.opentdf.platform.policy.KasPublicKeyAlgEnum;
-
 // Attribute rule types: operators!
 class RuleType {
     public static final String HIERARCHY = "hierarchy";
@@ -349,7 +348,7 @@ BooleanKeyExpression insertKeysForAttribute(AttributeBooleanExpression e) throws
                 }
 
                 String op = ruleToOperator(clause.def.getRule());
-                if (op == RuleType.UNSPECIFIED) {
+                if (op.equals(RuleType.UNSPECIFIED)) {
                     logger.warn("Unknown attribute rule type: " + clause);
                 }
 
@@ -672,80 +671,81 @@ public static String ruleToOperator(AttributeRuleTypeEnum e) {
 
     }
 
+    // Given a policy (list of data attributes or tags),
+    // get a set of grants from attribute values to KASes.
+    // Unlike `NewGranterFromService`, this works offline.
+    public static Granter newGranterFromAttributes(Value... attrValues) throws AutoConfigureException {
+        var attrsAndValues = Arrays.stream(attrValues).map(v -> {
+            if (!v.hasAttribute()) {
+                throw new AutoConfigureException("tried to use an attribute that is not initialized");
+            }
+            return AttributeAndValue.newBuilder()
+                    .setValue(v)
+                    .setAttribute(v.getAttribute())
+                    .build();
+        }).collect(Collectors.toList());
+
+        return getGranter(null, attrsAndValues);
+    }
+
     // Gets a list of directory of KAS grants for a list of attribute FQNs
-    public static Granter newGranterFromService(AttributesServiceFutureStub as, KASKeyCache keyCache,
-            AttributeValueFQN... fqns) throws AutoConfigureException, InterruptedException, ExecutionException {
-        String[] fqnsStr = new String[fqns.length];
-        for (int i = 0; i < fqns.length; i++) {
-            fqnsStr[i] = fqns[i].toString();
-        }
+    public static Granter newGranterFromService(AttributesServiceFutureStub as, KASKeyCache keyCache, AttributeValueFQN... fqns) throws AutoConfigureException, ExecutionException, InterruptedException {
 
         GetAttributeValuesByFqnsRequest request = GetAttributeValuesByFqnsRequest.newBuilder()
-                .addAllFqns(Arrays.asList(fqnsStr))
+                .addAllFqns(Arrays.stream(fqns).map(AttributeValueFQN::toString).collect(Collectors.toList()))
                 .setWithValue(AttributeValueSelector.newBuilder().setWithKeyAccessGrants(true).build())
                 .build();
 
-        GetAttributeValuesByFqnsResponse av;
-        av = as.getAttributeValuesByFqns(request).get();
+        GetAttributeValuesByFqnsResponse av = as.getAttributeValuesByFqns(request).get();
 
-        Granter grants = new Granter(Arrays.asList(fqns));
+        return getGranter(keyCache, new ArrayList<>(av.getFqnAttributeValuesMap().values()));
+    }
 
-        for (Map.Entry<String, GetAttributeValuesByFqnsResponse.AttributeAndValue> entry : av.getFqnAttributeValuesMap()
-                .entrySet()) {
-            String fqnstr = entry.getKey();
-            AttributeAndValue pair = entry.getValue();
+    private static Granter getGranter(@Nullable KASKeyCache keyCache, List<AttributeAndValue> values) {
+        Granter grants = new Granter(values.stream().map(AttributeAndValue::getValue).map(Value::getFqn).map(AttributeValueFQN::new).collect(Collectors.toList()));
 
-            AttributeValueFQN fqn;
-            try {
-                fqn = new AttributeValueFQN(fqnstr);
-            } catch (Exception e) {
-                return grants;
-            }
+        for (var attributeAndValue: values) {
+            var val = attributeAndValue.getValue();
+            var attribute = attributeAndValue.getAttribute();
+            String fqnstr = val.getFqn();
+            AttributeValueFQN fqn = new AttributeValueFQN(fqnstr);
 
-            Attribute def = pair.getAttribute();
-            Value v = pair.getValue();
-            if (v != null && !v.getGrantsList().isEmpty()) {
-                grants.addAllGrants(fqn, v.getGrantsList(), def);
-                storeKeysToCache(v.getGrantsList(), keyCache);
-            } else {
-                if (def != null) {
-                    grants.addAllGrants(fqn, def.getGrantsList(), def);
-                    storeKeysToCache(def.getGrantsList(), keyCache);
+            if (!val.getGrantsList().isEmpty()) {
+                if (logger.isDebugEnabled()) {
+                    logger.debug("adding grants from attribute value [{}]: {}", val.getFqn(), val.getGrantsList().stream().map(KeyAccessServer::getUri).collect(Collectors.toList()));
+                }
+                grants.addAllGrants(fqn, val.getGrantsList(), attribute);
+                if (keyCache != null) {
+                    storeKeysToCache(val.getGrantsList(), keyCache);
+                }
+            } else if (!attribute.getGrantsList().isEmpty()) {
+                var attributeGrants = attribute.getGrantsList();
+                if (logger.isDebugEnabled()) {
+                    logger.debug("adding grants from attribute [{}]: {}", attribute.getFqn(), attributeGrants.stream().map(KeyAccessServer::getId).collect(Collectors.toList()));
+                }
+                grants.addAllGrants(fqn, attributeGrants, attribute);
+                if (keyCache != null) {
+                    storeKeysToCache(attributeGrants, keyCache);
+                }
+            } else if (!attribute.getNamespace().getGrantsList().isEmpty()) {
+                var nsGrants = attribute.getNamespace().getGrantsList();
+                if (logger.isDebugEnabled()) {
+                    logger.debug("adding grants from namespace [{}]: [{}]", attribute.getNamespace().getName(), nsGrants.stream().map(KeyAccessServer::getId).collect(Collectors.toList()));
+                }
+                grants.addAllGrants(fqn, nsGrants, attribute);
+                if (keyCache != null) {
+                    storeKeysToCache(nsGrants, keyCache);
                 }
+            } else {
+                // this is needed to mark the fact that we have an empty
+                grants.addAllGrants(fqn, List.of(), attribute);
+                logger.debug("didn't find any grants on value, attribute, or namespace for attribute value [{}]", fqnstr);
             }
         }
 
         return grants;
     }
 
-    // Given a policy (list of data attributes or tags),
-    // get a set of grants from attribute values to KASes.
-    // Unlike `NewGranterFromService`, this works offline.
-    public static Granter newGranterFromAttributes(Value... attrs) throws AutoConfigureException {
-        List<AttributeValueFQN> policyList = new ArrayList<>(attrs.length);
-
-        Granter grants = new Granter(policyList);
-
-        for (Value v : attrs) {
-            AttributeValueFQN fqn;
-            try {
-                fqn = new AttributeValueFQN(v.getFqn());
-            } catch (Exception e) {
-                return grants;
-            }
-
-            grants.policy.add(fqn);
-            Attribute def = v.getAttribute();
-            if (def == null) {
-                throw new AutoConfigureException("No associated definition with value [" + fqn.toString() + "]");
-            }
-
-            grants.addAllGrants(fqn, def.getGrantsList(), def);
-            grants.addAllGrants(fqn, v.getGrantsList(), def);
-        }
-
-        return grants;
-    }
 
     static void storeKeysToCache(List<KeyAccessServer> kases, KASKeyCache keyCache) {
         for (KeyAccessServer kas : kases) {
diff --git a/sdk/src/test/java/io/opentdf/platform/sdk/AutoconfigureTest.java b/sdk/src/test/java/io/opentdf/platform/sdk/AutoconfigureTest.java
