@opentdf/ctl

Node based CLI for opentdf


Keywords
data-encryption, data-tagging, drm, end-to-end-encryption, file-encryption, open-source, opensource, opentdf, tdf, webclient, zero-trust, zero-trust-security
License
BSD-3-Clause-Clear
Install
npm install @opentdf/ctl@0.1.0-beta.1701

Documentation

OpenTDF Web Browser Client opentdf

This project is focused on providing web client support for the OpenTDF platform. This includes encrypting and decrypting TDF content, and some management tasks for ABAC.

Usage (NanoTDF)

import { AuthProviders, NanoTDFClient } from '@opentdf/sdk';

// Configuration Options
const kasEndpoint = "http://localhost:65432/kas";

// Authentication options (vary by middleware)
const oidcOrigin = "http://localhost:65432/auth/realms/tdf";
const clientId = "applicationNameFromIdP";
const refreshToken = "refreshTokenValueFromIdP";

// AuthProviders are middlewares that add `Authorization` or other bearer tokens to requests.
// These include The `refresh` provider can be handed a refresh and optional access token. 
const authProvider = await AuthProviders.refreshAuthProvider({
  clientId,
  exchange: 'refresh',
  refreshToken,
  oidcOrigin,
});

const client = new NanoTDFClient({
  authProvider,
  kasEndpoint,
});
client.dataAttributes = ["http://opentdf.io/attr/class/value/secret"]
const cipherText = await client.encrypt(plainText);
const clearText = await client.decrypt(cipherText);

Authorization Middleware Options

Client Credentials

For long running server-side apps, a client id + secret is allowed with OAuth2. This should not be used in a browser, but within a Deno or Node process.

import { AuthProviders } from '@opentdf/sdk';

// Authentication options (vary by middleware)
const oidcOrigin = "http://localhost:65432/auth/realms/tdf";
const clientId = "username";
const clientSecret = "IdP_GENERATED_SECRET";

const authProvider = await AuthProviders.clientSecretAuthProvider({
  clientId,
  clientSecret,
  oidcOrigin,
  exchange: 'client',
});

Given Credentials

The refreshAuthProvider and externalAuthProvder allow the application developer to use existing tokens.

import { AuthProviders, NanoTDFClient } from '@opentdf/sdk';

const oidcCredentials: RefreshTokenCredentials = {
  clientId: keycloakClientId,
  exchange: 'refresh',
  refreshToken: refreshToken,
  oidcOrigin: keycloakUrlWithRealm,
}

Building your own provider

A more complete example of using an OIDC compatible provider with support for authorization code flow with PKCE and DPoP is available in the sample web-app folder

Build and Test

make

Contribute

Prerequisites

Developing with this code requires a recent version of npm and node. We develop using nvm, which allows us to pin to the same version of npm easily.

Build

To check out, build, and validate your installation, and test the sample web application, you may:

nvm use
make test
make start

Use the platform

Version 2 of this library adds support for ABAC management tasks. This is provided with the opentdf Platform.

Generate Typescript code from platform protobufs

scripts/platform.sh

This will clone the platform repo and generate Typescript code in lib/src/platform.

Import Typescript code

import { GetAttributeRequest } from './lib/src/platform/policy/attributes/attributes_pb';
import { Attribute, AttributeRuleTypeEnum } from './lib/src/platform/policy/objects_pb';
import {
    createConnectTransport,
} from '@connectrpc/connect-web'
import {
    createPromiseClient,
} from '@connectrpc/connect'

const attrData = {
    name: "my-attr",
    rule: AttributeRuleTypeEnum.ALL_OF,
    namespace: {name: 'my-namespace'},
    values: [{value: 'my-value'}],
    active: true,
    extraField: 'this will be ignored' // only proto defined fields and value types are respected
}
const attr = new Attribute(attrData);
console.log(attr.toJson());

// {
//     namespace: { name: 'my-namespace' },
//     name: 'my-attr',
//     rule: 'ATTRIBUTE_RULE_TYPE_ENUM_ALL_OF',
//     values: [ { value: 'my-value' } ],
//     active: true
// }

const req = new GetAttributeRequest({id: 'uuid-here'});
const client = createPromiseClient(
    AttributesService,
    createConnectTransport({
        baseUrl: 'localhost:8080',
    })
)

This is an example to instantiate an Attribute and create a GetAttributeRequest.