feat: add code to create services for SDK

.github/workflows/checks.yaml

@@ -13,6 +13,9 @@ on:
     types:
       - checks_requested
 
+permissions:
+  contents: read
+
 jobs:
   pr:
     name: Validate PR title

pom.xml

@@ -15,7 +15,7 @@
         <maven.compiler.source>11</maven.compiler.source>
         <maven.compiler.target>11</maven.compiler.target>
         <log4j.version>2.20.0</log4j.version>
-        <grpc.version>1.57.2</grpc.version>
+        <grpc.version>1.63.0</grpc.version>
         <protobuf.version>3.25.3</protobuf.version>
     </properties>
     <modules>
@@ -25,9 +25,18 @@
     <dependencyManagement>
         <dependencies>
             <dependency>
-                <groupId>io.opentdf.platform</groupId>
-                <artifactId>platform-client</artifactId>
-                <version>0.1.0-SNAPSHOT</version><!-- {x-version-update:java-sdk:current} -->
+                <groupId>io.grpc</groupId>
+                <artifactId>grpc-bom</artifactId>
+                <version>${grpc.version}</version>
+                <type>pom</type>
+                <scope>import</scope>
+            </dependency>
+            <dependency>
+                <groupId>org.junit</groupId>
+                <artifactId>junit-bom</artifactId>
+                <version>5.10.1</version>
+                <type>pom</type>
+                <scope>import</scope>
             </dependency>
              <dependency>
                 <groupId>org.apache.logging.log4j</groupId>
@@ -50,12 +59,6 @@
                 <version>1.18.30</version>
                 <scope>provided</scope>
             </dependency>
-            <dependency>
-                <groupId>org.junit.jupiter</groupId>
-                <artifactId>junit-jupiter-engine</artifactId>
-                <version>5.9.2</version>
-                <scope>test</scope>
-            </dependency>
             <dependency>
                 <groupId>org.mockito</groupId>
                 <artifactId>mockito-core</artifactId>
@@ -68,13 +71,6 @@
                 <version>5.2.0</version>
                 <scope>test</scope>
             </dependency>
-            <dependency>
-                <groupId>org.junit.jupiter</groupId>
-                <artifactId>junit-jupiter-api</artifactId>
-                <version>5.9.2</version>
-                <scope>test</scope>
-            </dependency>
-
             <dependency>
                 <groupId>org.apache.maven.plugin-tools</groupId>
                 <artifactId>maven-plugin-annotations</artifactId>

protocol/pom.xml

@@ -32,12 +32,10 @@
         <dependency>
             <groupId>io.grpc</groupId>
             <artifactId>grpc-protobuf</artifactId>
-            <version>${grpc.version}</version>
-        </dependency>
+       </dependency>
         <dependency>
             <groupId>io.grpc</groupId>
             <artifactId>grpc-stub</artifactId>
-            <version>${grpc.version}</version>
         </dependency>
     </dependencies>
     <build>

sdk/pom.xml

@@ -3,7 +3,6 @@
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
          xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
-    <groupId>io.opentdf.platform</groupId>
     <name>sdk</name>
     <artifactId>sdk</artifactId>
     <parent>
@@ -20,7 +19,43 @@
         </dependency>
         <dependency>
             <groupId>org.junit.jupiter</groupId>
-            <artifactId>junit-jupiter-engine</artifactId>
+            <artifactId>junit-jupiter</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>com.nimbusds</groupId>
+            <artifactId>oauth2-oidc-sdk</artifactId>
+            <version>11.10.1</version>
+        </dependency>
+        <dependency>
+            <groupId>io.grpc</groupId>
+            <artifactId>grpc-netty-shaded</artifactId>
+            <scope>runtime</scope>
+        </dependency>
+        <dependency>
+            <groupId>io.grpc</groupId>
+            <artifactId>grpc-protobuf</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>io.grpc</groupId>
+            <artifactId>grpc-stub</artifactId>
+        </dependency>
+        <dependency> <!-- necessary for Java 9+ -->
+            <groupId>org.apache.tomcat</groupId>
+            <artifactId>annotations-api</artifactId>
+            <version>6.0.53</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.assertj</groupId>
+            <artifactId>assertj-core</artifactId>
+            <version>3.8.0</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.squareup.okhttp3</groupId>
+            <artifactId>mockwebserver</artifactId>
+            <version>5.0.0-alpha.14</version>
+            <scope>test</scope>
         </dependency>
     </dependencies>
 </project>

sdk/src/main/java/io/opentdf/platform/sdk/GRPCAuthInterceptor.java

@@ -0,0 +1,156 @@
+package io.opentdf.platform.sdk;
+
+import com.nimbusds.jose.JOSEException;
+import com.nimbusds.jose.JWSAlgorithm;
+import com.nimbusds.jose.jwk.RSAKey;
+import com.nimbusds.jwt.SignedJWT;
+import com.nimbusds.oauth2.sdk.AuthorizationGrant;
+import com.nimbusds.oauth2.sdk.ClientCredentialsGrant;
+import com.nimbusds.oauth2.sdk.ErrorObject;
+import com.nimbusds.oauth2.sdk.TokenRequest;
+import com.nimbusds.oauth2.sdk.TokenResponse;
+import com.nimbusds.oauth2.sdk.auth.ClientAuthentication;
+import com.nimbusds.oauth2.sdk.dpop.DPoPProofFactory;
+import com.nimbusds.oauth2.sdk.dpop.DefaultDPoPProofFactory;
+import com.nimbusds.oauth2.sdk.http.HTTPRequest;
+import com.nimbusds.oauth2.sdk.http.HTTPResponse;
+import com.nimbusds.oauth2.sdk.token.AccessToken;
+import com.nimbusds.oauth2.sdk.tokenexchange.TokenExchangeGrant;
+import io.grpc.CallOptions;
+import io.grpc.Channel;
+import io.grpc.ClientCall;
+import io.grpc.ClientInterceptor;
+import io.grpc.ForwardingClientCall;
+import io.grpc.Metadata;
+import io.grpc.MethodDescriptor;
+
+import java.net.URI;
+import java.net.URISyntaxException;
+import java.time.Instant;
+
+/**
+ * The GRPCAuthInterceptor class is responsible for intercepting client calls before they are sent
+ * to the server. It adds authentication headers to the requests by fetching and caching access
+ * tokens.
+ */
+class GRPCAuthInterceptor implements ClientInterceptor {
+    private Instant tokenExpiryTime;
+    private AccessToken token;
+    private final ClientAuthentication clientAuth;
+    private final RSAKey rsaKey;
+    private final URI tokenEndpointURI;
+
+    /**
+     * Constructs a new GRPCAuthInterceptor with the specified client authentication and RSA key.
+     *
+     * @param clientAuth the client authentication to be used by the interceptor
+     * @param rsaKey     the RSA key to be used by the interceptor
+     */
+    public GRPCAuthInterceptor(ClientAuthentication clientAuth, RSAKey rsaKey, URI tokenEndpointURI) {
+        this.clientAuth = clientAuth;
+        this.rsaKey = rsaKey;
+        this.tokenEndpointURI = tokenEndpointURI;
+    }
+
+    /**
+     * Intercepts the client call before it is sent to the server.
+     *
+     * @param method      The method descriptor for the call.
+     * @param callOptions The call options for the call.
+     * @param next        The next channel in the channel pipeline.
+     * @param <ReqT>      The type of the request message.
+     * @param <RespT>     The type of the response message.
+     * @return A client call with the intercepted behavior.
+     */
+    @Override
+    public <ReqT, RespT> ClientCall<ReqT, RespT> interceptCall(MethodDescriptor<ReqT, RespT> method,
+                                                               CallOptions callOptions, Channel next) {
+        return new ForwardingClientCall.SimpleForwardingClientCall<>(next.newCall(method, callOptions)) {
+            @Override
+            public void start(Listener<RespT> responseListener, Metadata headers) {
+                // Get the access token
+                AccessToken t = getToken();
+                headers.put(Metadata.Key.of("Authorization", Metadata.ASCII_STRING_MARSHALLER),
+                        "DPoP " + t.getValue());
+
+                // Build the DPoP proof for each request
+                try {
+                    DPoPProofFactory dpopFactory = new DefaultDPoPProofFactory(rsaKey, JWSAlgorithm.RS256);
+
+                    URI uri = new URI("/" + method.getFullMethodName());
+                    SignedJWT proof = dpopFactory.createDPoPJWT("POST", uri, t);
+                    headers.put(Metadata.Key.of("DPoP", Metadata.ASCII_STRING_MARSHALLER),
+                            proof.serialize());
+                } catch (URISyntaxException e) {
+                    throw new RuntimeException("Invalid URI syntax for DPoP proof creation", e);
+                } catch (JOSEException e) {
+                    throw new RuntimeException("Error creating DPoP proof", e);
+                }
+                super.start(responseListener, headers);
+            }
+        };
+    }
+
+    /**
+     * Either fetches a new access token or returns the cached access token if it is still valid.
+     *
+     * @return The access token.
+     */
+    private synchronized AccessToken getToken() {
+        try {
+            // If the token is expired or initially null, get a new token
+            if (token == null || isTokenExpired()) {
+
+                // Construct the client credentials grant
+                AuthorizationGrant clientGrant = new ClientCredentialsGrant();
+
+                // Make the token request
+                TokenRequest tokenRequest = new TokenRequest(this.tokenEndpointURI,
+                        clientAuth, clientGrant, null);
+                HTTPRequest httpRequest = tokenRequest.toHTTPRequest();
+
+                DPoPProofFactory dpopFactory = new DefaultDPoPProofFactory(rsaKey, JWSAlgorithm.RS256);
+
+                SignedJWT proof = dpopFactory.createDPoPJWT(httpRequest.getMethod().name(), httpRequest.getURI());
+
+                httpRequest.setDPoP(proof);
+                TokenResponse tokenResponse;
+
+                HTTPResponse httpResponse = httpRequest.send();
+
+                tokenResponse = TokenResponse.parse(httpResponse);
+                if (!tokenResponse.indicatesSuccess()) {
+                    ErrorObject error = tokenResponse.toErrorResponse().getErrorObject();
+                    throw new RuntimeException("Token request failed: " + error);
+                }
+
+                this.token = tokenResponse.toSuccessResponse().getTokens().getAccessToken();
+                // DPoPAccessToken dPoPAccessToken = tokens.getDPoPAccessToken();
+
+
+                if (token.getLifetime() != 0) {
+                    // Need some type of leeway but not sure whats best
+                    this.tokenExpiryTime = Instant.now().plusSeconds(token.getLifetime() / 3);
+                }
+
+            } else {
+                // If the token is still valid or not initially null, return the cached token
+                return this.token;
+            }
+
+        } catch (Exception e) {
+            // TODO Auto-generated catch block
+            throw new RuntimeException("failed to get token", e);
+        }
+        return this.token;
+    }
+
+    /**
+     * Checks if the token has expired.
+     *
+     * @return true if the token has expired, false otherwise.
+     */
+    private boolean isTokenExpired() {
+        return this.tokenExpiryTime != null && this.tokenExpiryTime.isBefore(Instant.now());
+    }
+}

sdk/src/main/java/io/opentdf/platform/sdk/SDK.java

@@ -1,55 +1,60 @@
 package io.opentdf.platform.sdk;
 
+import io.grpc.Channel;
 import io.opentdf.platform.policy.attributes.AttributesServiceGrpc;
+import io.opentdf.platform.policy.attributes.AttributesServiceGrpc.AttributesServiceFutureStub;
+import io.opentdf.platform.policy.namespaces.NamespaceServiceGrpc;
+import io.opentdf.platform.policy.namespaces.NamespaceServiceGrpc.NamespaceServiceFutureStub;
 import io.opentdf.platform.policy.resourcemapping.ResourceMappingServiceGrpc;
+import io.opentdf.platform.policy.resourcemapping.ResourceMappingServiceGrpc.ResourceMappingServiceFutureStub;
+import io.opentdf.platform.policy.subjectmapping.SubjectMappingServiceGrpc;
+import io.opentdf.platform.policy.subjectmapping.SubjectMappingServiceGrpc.SubjectMappingServiceFutureStub;
 
 /**
- * Interact with OpenTDF platform services and perform TDF data operations with
- * this object.
+ * The SDK class represents a software development kit for interacting with the opentdf platform. It
+ * provides various services and stubs for making API calls to the opentdf platform.
  */
 public class SDK {
-  private final String platformEndpoint;
-  private AttributesServiceGrpc.AttributesServiceFutureStub attributesServiceFutureStub;
-  private ResourceMappingServiceGrpc.ResourceMappingServiceFutureStub resourceMappingServiceFutureStub;
-
-  public AttributesServiceGrpc.AttributesServiceFutureStub getAttributesServiceFutureStub() {
-    return attributesServiceFutureStub;
-  }
-
-  public ResourceMappingServiceGrpc.ResourceMappingServiceFutureStub getResourceMappingServiceFutureStub() {
-    return resourceMappingServiceFutureStub;
-  }
-
-
-  private SDK(String platformEndpoint) {
-    this.platformEndpoint = platformEndpoint;
-  }
-
-  public String getPlatformEndpoint() {
-    return this.platformEndpoint;
-  }
-
-  /**
-   * Builder pattern for SDK objects
-   */
-  public static class Builder implements Cloneable {
-    private String platformEndpoint;
-
-    public Builder platformEndpoint(String platformEndpoint) {
-      this.platformEndpoint = platformEndpoint;
-      return this;
-    }
-
-    public SDK build() {
-      return new SDK(this.platformEndpoint);
+    private final Services services;
+
+    // TODO: add KAS
+    public interface Services {
+        AttributesServiceFutureStub attributes();
+        NamespaceServiceFutureStub namespaces();
+        SubjectMappingServiceFutureStub subjectMappings();
+        ResourceMappingServiceFutureStub resourceMappings();
+
+        static Services newServices(Channel channel) {
+            var attributeService = AttributesServiceGrpc.newFutureStub(channel);
+            var namespaceService = NamespaceServiceGrpc.newFutureStub(channel);
+            var subjectMappingService = SubjectMappingServiceGrpc.newFutureStub(channel);
+            var resourceMappingService = ResourceMappingServiceGrpc.newFutureStub(channel);
+
+            return new Services() {
+                @Override
+                public AttributesServiceFutureStub attributes() {
+                    return attributeService;
+                }
+
+                @Override
+                public NamespaceServiceFutureStub namespaces() {
+                    return namespaceService;
+                }
+
+                @Override
+                public SubjectMappingServiceFutureStub subjectMappings() {
+                    return subjectMappingService;
+                }
+
+                @Override
+                public ResourceMappingServiceFutureStub resourceMappings() {
+                    return resourceMappingService;
+                }
+            };
+        }
     }
 
-    @Override public Builder clone() {
-      try {
-        return (Builder) super.clone();
-      } catch (CloneNotSupportedException e) {
-        throw new RuntimeException(e);
-      }
+    public SDK(Services services) {
+        this.services = services;
     }
-  }
-}
+}