feat(sdk): add CLI and integration tests (#64)

Add a simple CLI and set up the platform so we can run e2e tests against
it.

Also includes a fix for using encrypted metadata (#67). The correct transform is
```
encryptedMetadata = base64(string({ "iv": base64(iv), "ciphertext": base64(ciphertext) })
```

Author: mkleene

.github/workflows/checks.yaml

@@ -30,7 +30,6 @@ jobs:
 
   mavenverify:
     runs-on: ubuntu-latest
-    if: always()
     needs:
       - pr
     steps:
@@ -52,8 +51,127 @@ jobs:
           BUF_INPUT_HTTPS_USERNAME: opentdf-bot
           BUF_INPUT_HTTPS_PASSWORD: ${{ secrets.PERSONAL_ACCESS_TOKEN_OPENTDF }}
 
+  platform-integration:
+    runs-on: ubuntu-22.04
+    needs:
+      - pr
+    steps:
+      - name: Checkout Java SDK
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+      - uses: bufbuild/buf-setup-action@382440cdb8ec7bc25a68d7b4711163d95f7cc3aa
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Set up JDK
+        uses: actions/setup-java@5896cecc08fd8a1fbdfaf517e29b571164b031f7
+        with:
+          java-version: "11"
+          distribution: "adopt"
+          server-id: github
+      - name: Build java SDK
+        run: |
+          mvn --batch-mode clean install -DskipTests
+        env:
+          BUF_INPUT_HTTPS_USERNAME: opentdf-bot
+          BUF_INPUT_HTTPS_PASSWORD: ${{ secrets.PERSONAL_ACCESS_TOKEN_OPENTDF }}
+      - name: Check out platform
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        with:
+          repository: opentdf/platform
+          ref: main
+          path: platform
+      - name: Set up go
+        uses: actions/setup-go@0c52d547c9bc32b1aa3301fd7a9cb496313a4491
+        with:
+          go-version: "1.22.3"
+          check-latest: false
+          cache-dependency-path: |
+            platform/service/go.sum
+            platform/examples/go.sum
+            platform/protocol/go/go.sum
+            platform/sdk/go.sum
+      - run: go mod download
+        working-directory: platform
+      - run: go mod verify
+        working-directory: platform
+      - name: Create keys
+        run: |
+          .github/scripts/init-temp-keys.sh
+          cp opentdf-dev.yaml opentdf.yaml
+          sudo chmod -R 777 ./keys
+        working-directory: platform
+      - name: Trust the locally issued cert
+        run: |
+          keytool \
+            -importcert \
+            -storepass changeit \
+            -noprompt \
+            -file localhost.crt \
+            -keystore $JAVA_HOME/lib/security/cacerts \
+            -alias localhost-for-tests
+        working-directory: platform/keys
+      - name: Bring the services up
+        run: docker compose up -d --wait --wait-timeout 240
+        working-directory: platform
+      - name: Provision keycloak
+        run: go run ./service provision keycloak
+        working-directory: platform
+      - name: Provision fixtures
+        run: go run ./service provision fixtures
+        working-directory: platform
+      - name: Start server in background
+        uses: JarvusInnovations/background-action@2428e7b970a846423095c79d43f759abf979a635
+        with:
+          run: |
+            go run ./service start
+          wait-on: |
+            tcp:localhost:8080
+          log-output-if: true
+          wait-for: 90s
+          working-directory: platform
+      - name: Get grpcurl
+        run: go install github.com/fullstorydev/grpcurl/cmd/[email protected]
+      - name: Make sure that the platform is up
+        run: |
+          grpcurl -plaintext localhost:8080 list && \
+          grpcurl -plaintext localhost:8080 kas.AccessService/PublicKey
+      - name: Validate the SDK through the command line interface
+        run: |
+          printf 'here is some data to encrypt' > data
+
+          java -jar target/cmdline.jar \
+            --client-id=opentdf-sdk \
+            --client-secret=secret \
+            --platform-endpoint=localhost:8080 \
+            -i \
+            encrypt --kas-url=localhost:8080 -f data -m 'here is some metadata' > test.tdf
+
+          java -jar target/cmdline.jar \
+            --client-id=opentdf-sdk \
+            --client-secret=secret \
+            --platform-endpoint=localhost:8080 \
+            -i \
+            decrypt -f test.tdf > decrypted
+
+          java -jar target/cmdline.jar \
+            --client-id=opentdf-sdk \
+            --client-secret=secret \
+            --platform-endpoint=localhost:8080 \
+            -i \
+            metadata -f test.tdf > metadata
+
+          if ! diff -q data decrypted; then
+            printf 'decrypted data is incorrect [%s]' "$(< decrypted)"
+            exit 1
+          fi
+
+          if [ "$(< metadata)" != 'here is some metadata' ]; then
+            printf 'metadata is incorrect [%s]\n' "$(< metadata)"
+            exit 1
+          fi
+        working-directory: cmdline
   ci:
     needs:
+      - platform-integration
       - mavenverify
       - pr
     runs-on: ubuntu-latest

.gitignore

@@ -1,6 +1,5 @@
 protocol/src/main/protogen
 /.idea/
-/protocol/target/
-/sdk/target/
+target/
 .vscode/
 .DS_Store

cmdline/pom.xml

@@ -0,0 +1,58 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>io.opentdf.platform</groupId>
+        <artifactId>sdk-pom</artifactId>
+        <version>0.1.0-SNAPSHOT</version>
+    </parent>
+    <artifactId>cmdline</artifactId>
+    <properties>
+        <maven.compiler.source>11</maven.compiler.source>
+        <maven.compiler.target>11</maven.compiler.target>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+    </properties>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <version>3.7.1</version>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <descriptorRefs>
+                        <descriptorRef>jar-with-dependencies</descriptorRef>
+                    </descriptorRefs>
+                    <finalName>cmdline</finalName>
+                    <appendAssemblyId>false</appendAssemblyId>
+                    <archive>
+                        <manifest>
+                            <mainClass>io.opentdf.platform.TDF</mainClass>
+                        </manifest>
+                    </archive>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+    <dependencies>
+        <dependency>
+            <groupId>info.picocli</groupId>
+            <artifactId>picocli</artifactId>
+            <version>4.7.6</version>
+        </dependency>
+        <dependency>
+            <groupId>io.opentdf.platform</groupId>
+            <artifactId>sdk</artifactId>
+            <version>0.1.0-SNAPSHOT</version>
+        </dependency>
+    </dependencies>
+</project>

cmdline/src/main/java/io/opentdf/platform/Command.java

@@ -0,0 +1,101 @@
+package io.opentdf.platform;
+
+import io.opentdf.platform.sdk.Config;
+import io.opentdf.platform.sdk.SDK;
+import io.opentdf.platform.sdk.SDKBuilder;
+import io.opentdf.platform.sdk.TDF;
+import picocli.CommandLine;
+import picocli.CommandLine.Option;
+
+import javax.crypto.BadPaddingException;
+import javax.crypto.IllegalBlockSizeException;
+import javax.crypto.NoSuchPaddingException;
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.PrintWriter;
+import java.io.StringWriter;
+import java.nio.channels.FileChannel;
+import java.nio.file.Path;
+import java.nio.file.StandardOpenOption;
+import java.security.InvalidAlgorithmParameterException;
+import java.security.InvalidKeyException;
+import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Optional;
+import java.util.function.Consumer;
+
+@CommandLine.Command(name = "tdf")
+class Command {
+
+    @Option(names = {"--client-secret"}, required = true)
+    private String clientSecret;
+
+    @Option(names = {"-i", "--insecure-connection"}, defaultValue = "false")
+    private boolean insecure;
+
+    @Option(names = {"--client-id"}, required = true)
+    private String clientId;
+
+    @Option(names = {"-p", "--platform-endpoint"}, required = true)
+    private String platformEndpoint;
+
+    @CommandLine.Command(name = "encrypt")
+    void encrypt(
+            @Option(names = {"-f", "--file"}, defaultValue = Option.NULL_VALUE) Optional<File> file,
+            @Option(names = {"-k", "--kas-url"}, required = true) List<String> kas,
+            @Option(names = {"-m", "--metadata"}, defaultValue = Option.NULL_VALUE) Optional<String> metadata) throws IOException {
+
+        var sdk = buildSDK();
+        var kasInfos = kas.stream().map(k -> {
+            var ki = new Config.KASInfo();
+            ki.URL = k;
+            return ki;
+        }).toArray(Config.KASInfo[]::new);
+
+        List<Consumer<Config.TDFConfig>> configs = new ArrayList<>();
+        configs.add(Config.withKasInformation(kasInfos));
+        metadata.map(Config::withMetaData).ifPresent(configs::add);
+
+        var tdfConfig = Config.newTDFConfig(configs.toArray(Consumer[]::new));
+        try (var in = file.isEmpty() ? new BufferedInputStream(System.in) : new FileInputStream(file.get())) {
+            try (var out = new BufferedOutputStream(System.out)) {
+                new TDF().createTDF(in, out, tdfConfig, sdk.getServices().kas());
+            }
+        }
+    }
+
+    private SDK buildSDK() {
+        return new SDKBuilder()
+                .platformEndpoint(platformEndpoint)
+                .clientSecret(clientId, clientSecret)
+                .useInsecurePlaintextConnection(insecure)
+                .build();
+    }
+
+    @CommandLine.Command(name = "decrypt")
+    void decrypt(@Option(names = {"-f", "--file"}, required = true) Path tdfPath) throws IOException, InvalidAlgorithmParameterException, NoSuchPaddingException, IllegalBlockSizeException, NoSuchAlgorithmException, BadPaddingException, InvalidKeyException {
+        var sdk = buildSDK();
+        try (var in = FileChannel.open(tdfPath, StandardOpenOption.READ)) {
+            try (var stdout = new BufferedOutputStream(System.out)) {
+                    var reader = new TDF().loadTDF(in, sdk.getServices().kas());
+                    reader.readPayload(stdout);
+                }
+        }
+    }
+    @CommandLine.Command(name = "metadata")
+    void readMetadata(@Option(names = {"-f", "--file"}, required = true) Path tdfPath) throws IOException, InvalidAlgorithmParameterException, NoSuchPaddingException, IllegalBlockSizeException, NoSuchAlgorithmException, BadPaddingException, InvalidKeyException {
+        var sdk = buildSDK();
+
+        try (var in = FileChannel.open(tdfPath, StandardOpenOption.READ)) {
+            try (var stdout = new PrintWriter(System.out)) {
+                var reader = new TDF().loadTDF(in, sdk.getServices().kas());
+                stdout.write(reader.getMetadata() == null ? "" : reader.getMetadata());
+            }
+        }
+    }
+}

cmdline/src/main/java/io/opentdf/platform/TDF.java

@@ -0,0 +1,10 @@
+package io.opentdf.platform;
+
+import picocli.CommandLine;
+
+public class TDF {
+    public static void main(String[] args) {
+        var result = new CommandLine(new Command()).execute(args);
+        System.exit(result);
+    }
+}

pom.xml

@@ -22,6 +22,7 @@
     <modules>
         <module>protocol</module>
         <module>sdk</module>
+        <module>cmdline</module>
     </modules>
     <dependencyManagement>
         <dependencies>

sdk/pom.xml

@@ -49,7 +49,6 @@
         <dependency>
             <groupId>io.grpc</groupId>
             <artifactId>grpc-netty-shaded</artifactId>
-            <scope>runtime</scope>
         </dependency>
         <dependency>
             <groupId>io.grpc</groupId>