opentdf · pflynn-virtru · Sep 5, 2024 · Sep 5, 2024 · Sep 5, 2024 · Sep 5, 2024
@@ -0,0 +1,60 @@
+# OpenTDF Platform Ory Hydra example
+
+## Overview
+
+This example shows how to integrate with [Ory Hydra](https://www.ory.sh/hydra/), a hardened and certified OAuth 2.0 and OpenID Connect provider.
+
+The highlight of this example is to show th webhook integration.
+
+## Setup
+
+### Install Ory Hydra
+
+```shell
+brew install ory/tap/hydra
+```
+
+### Start both public and administrative HTTP/2 APIs.
+Also, create a sqllite db
+
+```shell
+export DSN="sqlite://./db.sqlite?_fk=true"
+hydra migrate sql $DSN --yes
+hydra serve all --dev --config ./hydra.yaml
+```
+
+### Create clients
+
+client `opentdf`
+
+```shell
+hydra create oauth2-client \
+    --skip-tls-verify \
+    --endpoint http://127.0.0.1:4445/ \
+    --format json \
+    --grant-type client_credentials \
+    --name opentdf \
+    --secret secret
+```
+
+client `opentdf-sdk`
+
+```shell
+hydra create oauth2-client \
+    --skip-tls-verify \
+    --endpoint http://127.0.0.1:4445/ \
+    --format json \
+    --grant-type client_credentials \
+    --audience "http://localhost:8080" \
+    --name opentdf-sdk4 \
+    --secret secret
+```
+
+- Update `opentdf.yaml` with UUID client ids returned from hydra
+- Update `sdk.WithClientCredentials` and `sdk.WithTokenEndpoint` in `examples/cmd`
+
+### Start OpenTDF server
+
+```shell
+../../opentdf start
+```
@@ -0,0 +1,51 @@
+# copied from https://github.com/ory/hydra/blob/master/quickstart.yml
+###########################################################################
+#######             FOR DEMONSTRATION PURPOSES ONLY                 #######
+###########################################################################
+#                                                                         #
+# If you have not yet read the tutorial, do so now:                       #
+#  https://www.ory.sh/docs/hydra/5min-tutorial                            #
+#                                                                         #
+# This set up is only for demonstration purposes. The login               #
+# endpoint can only be used if you follow the steps in the tutorial.      #
+#                                                                         #
+###########################################################################
+version: "3.7"
+services:
+  hydra:
+    image: oryd/hydra:v2.2.0
+    ports:
+      - "4444:4444" # Public port
+      - "4445:4445" # Admin port
+      - "5555:5555" # Port for hydra token user
+    command: serve -c /etc/config/hydra/hydra.yml all --dev
+    volumes:
+      - ./hydra.yaml:/etc/config/hydra/hydra.yaml
+    environment:
+      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
+    restart: unless-stopped
+    depends_on:
+      - hydra-migrate
+    networks:
+      - intranet
+  hydra-migrate:
+    image: oryd/hydra:v2.2.0
+    environment:
+      - DSN=sqlite:///var/lib/sqlite/db.sqlite?_fk=true
+    command: migrate -c /etc/config/hydra/hydra.yml sql -e --yes
+    volumes:
+      - ./hydra.yaml:/etc/config/hydra/hydra.yaml
+    restart: on-failure
+    networks:
+      - intranet
+  consent:
+    environment:
+      - HYDRA_ADMIN_URL=http://hydra:4445
+    image: oryd/hydra-login-consent-node:v2.2.0
+    ports:
+      - "3000:3000"
+    restart: unless-stopped
+    networks:
+      - intranet
+networks:
+  intranet:
@@ -0,0 +1,41 @@
+serve:
+  cookies:
+    same_site_mode: Lax
+
+urls:
+  self:
+    issuer: http://127.0.0.1:4444
+  consent: http://127.0.0.1:3000/consent
+  login: http://127.0.0.1:3000/login
+  logout: http://127.0.0.1:3000/logout
+
+secrets:
+  system:
+    - youReallyNeedToChangeThis
+
+oidc:
+  subject_identifiers:
+    supported_types:
+      - pairwise
+      - public
+    pairwise:
+      salt: youReallyNeedToChangeThis
+
+strategies:
+  ## access_token ##
+  #
+  # Defines access token type. jwt is a bad idea, see https://www.ory.sh/docs/hydra/advanced#json-web-tokens
+  #
+  # Default value: opaque
+  #
+  # One of:
+  # - opaque
+  # - jwt
+  #
+  # Set this value using environment variables on
+  # - Linux/macOS:
+  #    $ export STRATEGIES_ACCESS_TOKEN=<value>
+  # - Windows Command Line (CMD):
+  #    > set STRATEGIES_ACCESS_TOKEN=<value>
+  #
+  access_token: jwt
@@ -61,11 +61,15 @@ func (aesGcm AesGcm) EncryptWithIV(iv, data []byte) ([]byte, error) {
 }
 
 // EncryptWithIVAndTagSize encrypts data with symmetric key.
+// Tag sizes between 12 and 16 bytes are allowed.
 // NOTE: This method expects gcm standard nonce size(12) of iv.
 func (aesGcm AesGcm) EncryptWithIVAndTagSize(iv, data []byte, authTagSize int) ([]byte, error) {
 	if len(iv) != GcmStandardNonceSize {
 		return nil, errors.New("invalid nonce size, expects GcmStandardNonceSize")
 	}
+	if authTagSize < 12 || authTagSize > 16 {
+		return nil, errors.New("invalid auth tag size, must be 12 to 16")
+	}
 
 	gcm, err := cipher.NewGCMWithTagSize(aesGcm.block, authTagSize)
 	if err != nil {

@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEMLUYYICsSIDQJ+XnrAsM3x3jdNf2
+wJhIy/958wUXewDgZ6No/ndUr3G36wDpZHtuYaBXsZoC4jIBxb4+9hALSw==
+-----END PUBLIC KEY-----
@@ -0,0 +1,65 @@
+logger:
+  level: debug
+  type: text
+  output: stdout
+# DB and Server confgurations are defaulted for local development
+# db:
+#   host: localhost
+#   port: 5432
+#   user: postgres
+#   password: changeme
+services:
+  kas:
+    enabled: true
+  policy:
+    enabled: true
+  entitlements:
+    providers:
+      # - type: keycloak
+      #   name: gcp
+      #   keycloak:
+      #     host: "https://keycloak.example.com/auth"
+      #     realm: "test"
+      #     clientId: "test"
+      #     clientSecret:
+      #       fromEnv: "KEYCLOAK_CLIENT_SECRET"
+
+      - type: ldap
+        name: ad-1
+        ldap:
+          baseDN: "dc=dev,dc=example,dc=com"
+          host: ""
+          port: 389
+          bindUsername: ""
+          bindPassword:
+            fromEnv: "LDAP_BIND_PASSWORD"
+          attributeFilters:
+            exclude:
+              - "objectSid"
+              - "objectGUID"
+              - "msExchMailboxGuid"
+              - "msExchMailboxSecurityDescriptor"
+server:
+  auth:
+    enabled: false
+    audience: "http://localhost:8080"
+    issuer: http://localhost:8888/auth/realms/opentdf
+    clients:
+      - "opentdf"
+  grpc:
+    port: 8080
+    reflectionEnabled: true # Default is false
+  hsm:
+    enabled: true
+    # As configured by hsm-init-temporary-keys.sh
+    pin: "12345"
+    slotlabel: "dev-token"
+    keys:
+      rsa:
+        label: development-rsa-kas
+      ec:
+        label: development-ec-kas
+  http:
+    port: 8080
+opa:
+  embedded: true # Only for local development
@@ -0,0 +1,88 @@
+logger:
+  level: debug
+  type: text
+  output: stdout
+# DB and Server configurations are defaulted for local development
+# db:
+#   host: localhost
+#   port: 5432
+#   user: postgres
+#   password: changeme
+services:
+  kas:
+    enabled: true
+    issuer: http://127.0.0.1:4444
+  policy:
+    enabled: true
+  authorization:
+    enabled: true
+    url: http://localhost:8888
+    client: "tdf-entity-resolution"
+    secret: "secret"
+    realm: "opentdf"
+    legacy: true
+server:
+  auth:
+    enabled: true
+    audience: "http://localhost:8080"
+    issuer: http://127.0.0.1:4444
+    clients:
+      - "e2465b5a-5371-4fe3-8f21-8b7938d928df"
+      - "e213c08f-9327-4778-80da-a590671fcf3c"
+      - "75a697cd-2770-4cbb-bd1b-e3cf9b3c5f2d"
+    policy:
+      ## Default policy for all requests
+      default: #"role:readonly"
+      ## Dot notation is used to access nested claims (i.e. realm_access.roles)
+      claim: # realm_access.roles
+      ## Maps the external role to the opentdf role
+      ## Note: left side is used in the policy, right side is the external role
+      map:
+      #  readonly: opentdf-readonly
+      #  admin: opentdf-admin
+      #  org-admin: opentdf-org-admin
+
+      ## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
+      csv: #|
+      #  p, role:org-admin, policy:attributes, *, *, allow
+      #  p, role:org-admin, policy:subject-mappings, *, *, allow
+      #  p, role:org-admin, policy:resource-mappings, *, *, allow
+      #  p, role:org-admin, policy:kas-registry, *, *, allow
+      ## Custom model (see https://casbin.org/docs/syntax-for-models/)
+      model: #|
+      #  [request_definition]
+      #  r = sub, res, act, obj
+      #
+      #  [policy_definition]
+      #  p = sub, res, act, obj, eft
+      #
+      #  [role_definition]
+      #  g = _, _
+      #
+      #  [policy_effect]
+      #  e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
+      #
+      #  [matchers]
+      #  m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
+
+  grpc:
+    reflectionEnabled: true # Default is false
+  cryptoProvider:
+    hsm:
+      enabled: false
+      pin: 12345
+    standard:
+      rsa:
+        123:
+          privateKeyPath: ../kas-private.pem
+          publicKeyPath: ../kas-cert.pem
+        456:
+          privateKeyPath: ../kas-private.pem
+          publicKeyPath: ../kas-cert.pem
+      ec:
+        123:
+          privateKeyPath: kas-ec-private.pem
+          publicKeyPath: kas-ec-cert.pem
+  port: 8080
+opa:
+  embedded: true # Only for local development
@@ -0,0 +1,31 @@
+package opentdf.conditions
+
+import rego.v1
+
+# condition_group
+condition_group_evaluate(payload, boolean_operator, conditions) if {
+	# AND
+	boolean_operator == 1
+	some condition in conditions
+	condition_evaluate(payload[condition.subject_external_field], condition.operator, condition.subject_external_values)
+} else if {
+	# OR
+	boolean_operator == 2
+	payload[key]
+	some condition in conditions
+	condition_evaluate(payload[condition.subject_external_field], condition.operator, condition.subject_external_values)
+}
+
+# condition
+condition_evaluate(property_values, operator, values) if {
+	# IN
+	operator == 1
+	some property_value in property_values
+	property_value in values
+} else if {
+	# NOT IN
+	operator == 2
+	some property_value in property_values
+	not property_value in values
+}
+