fix(sdk): update opentdf java sdk to 0.7.9 (#51)

cassandrabailey293 · ttschampel · web-flow · commit 4375d4ff036c · 2025-05-08T14:28:14.000-06:00
addresses #47 by updating the opentdf java sdk version to the latest, 0.7.9. updates the ztdf conversion classes to use update config signatures. ~~I am having issues getting the tests to pass however~~ Thanks to Tim for help with this! --------- Co-authored-by: Tim Tschampel <timothy.tschampel@gmail.com>
diff --git a/.gitignore b/.gitignore
@@ -1,2 +1,5 @@
 /.idea/
 /**/target/
+/nifi-rel-nifi-*/
+Dockerfile*
+nifi-**.tar.gz 
diff --git a/Makefile b/Makefile
@@ -1,7 +1,16 @@
+NIFI_VERSION?=1.28.1
+
+nifi-image:
+	wget https://raw.githubusercontent.com/apache/nifi/refs/tags/rel/nifi-$(NIFI_VERSION)/nifi-docker/dockerhub/Dockerfile
+	curl -L https://github.com/apache/nifi/archive/refs/tags/rel/nifi-$(NIFI_VERSION).tar.gz -o nifi-$(NIFI_VERSION).tar.gz
+	tar -xzf nifi-$(NIFI_VERSION).tar.gz
+	docker build -t opentdf-nifi:local -f ./nifi-rel-nifi-$(NIFI_VERSION)/nifi-docker/dockerhub/Dockerfile --build-arg IMAGE_TAG=17-jre --build-arg BASE_URL=https://dlcdn.apache.org --build-arg NIFI_VERSION=$(NIFI_VERSION) --build-arg IMAGE_NAME=public.ecr.aws/docker/library/eclipse-temurin ./nifi-rel-nifi-$(NIFI_VERSION)/nifi-docker/dockerhub
+
 
 .PHONY: compose-package
 compose-package: nar-build
 	@echo "package for docker compose"
+	mkdir -p deploy/extensions
 	rm -rf deploy/extensions/*.nar
 	cp nifi-tdf-nar/target/*.nar deploy/extensions
 	cp nifi-tdf-controller-services-api-nar/target/*.nar deploy/extensions
diff --git a/README.md b/README.md
@@ -47,6 +47,12 @@ Upload and use this template in NiFi:
     export GITHUB_TOKEN=your gh token
     make compose-package
     ```
+1. Build local Nifi Image
+
+    ```shell
+    make nifi-image
+    ```
+
 1. Start docker compose
     ```shell
     docker compose up
diff --git a/docker-compose.yaml b/docker-compose.yaml
@@ -1,7 +1,7 @@
 version: '3'
 services:
   opentdf-nifi:
-    image: ghcr.io/ttschampel/nifi/nifi-1.25.0-jre17:latest
+    image: opentdf-nifi:local
     restart: always
     ulimits:
       nofile:
diff --git a/nifi-tdf-processors/src/main/java/io/opentdf/nifi/ConvertFromZTDF.java b/nifi-tdf-processors/src/main/java/io/opentdf/nifi/ConvertFromZTDF.java
@@ -1,8 +1,10 @@
 package io.opentdf.nifi;
 
 import io.opentdf.platform.sdk.Config;
+import io.opentdf.platform.sdk.Config.TDFConfig;
 import io.opentdf.platform.sdk.SDK;
 import io.opentdf.platform.sdk.TDF;
+import io.opentdf.platform.sdk.KeyType;
 import org.apache.commons.compress.utils.SeekableInMemoryByteChannel;
 import org.apache.nifi.annotation.documentation.CapabilityDescription;
 import org.apache.nifi.annotation.documentation.Tags;
@@ -65,15 +67,17 @@ public ConvertFromZTDF() {
     @Override
     void processFlowFiles(ProcessContext processContext, ProcessSession processSession, List<FlowFile> flowFiles) throws ProcessException {
         SDK sdk = getTDFSDK(processContext);
-        //TODO add assertion verification key list population
-        List<Config.AssertionVerificationKeys> assertionVerificationKeysList = new ArrayList<>();
+        
         for (FlowFile flowFile : flowFiles) {
             try {
                 try (SeekableByteChannel seekableByteChannel = new SeekableInMemoryByteChannel(readEntireFlowFile(flowFile, processSession))) {
                     FlowFile updatedFlowFile = processSession.write(flowFile, outputStream -> {
                         try {
-                            TDF.Reader reader = getTDF().loadTDF(seekableByteChannel, sdk.getServices().kas(), assertionVerificationKeysList.toArray(new Config.AssertionVerificationKeys[0]));
+                            TDF.Reader reader = getTDF().loadTDF(seekableByteChannel, sdk.getServices().kas(), Config.newTDFReaderConfig(Config.withDisableAssertionVerification(true)), sdk.getServices().kasRegistry(), sdk.getPlatformUrl());
                             reader.readPayload(outputStream);
+                        } catch (InterruptedException e) {
+                            getLogger().error("error decrypting ZTDF", e);
+                            Thread.currentThread().interrupt();
                         } catch (Exception e) {
                             getLogger().error("error decrypting ZTDF", e);
                             throw new IOException(e);
diff --git a/nifi-tdf-processors/src/main/java/io/opentdf/nifi/ConvertToZTDF.java b/nifi-tdf-processors/src/main/java/io/opentdf/nifi/ConvertToZTDF.java
@@ -255,7 +255,7 @@ private void addSigningInfoToAssertionConfig(ProcessContext processContext, Asse
                 getLogger().debug("adding signing configuration for assertion");
                 //TODO assumes RSA256 signing key
                 PrivateKey privateKey = privateKeyService.getPrivateKey();
-                assertionConfig.assertionKey = new AssertionConfig.AssertionKey(AssertionConfig.AssertionKeyAlg.RS256, privateKey);
+                assertionConfig.signingKey = new AssertionConfig.AssertionKey(AssertionConfig.AssertionKeyAlg.RS256, privateKey);
             }
         }
     }
diff --git a/nifi-tdf-processors/src/test/java/io/opentdf/nifi/ConvertFromZTDFTest.java b/nifi-tdf-processors/src/test/java/io/opentdf/nifi/ConvertFromZTDFTest.java
@@ -1,8 +1,12 @@
 package io.opentdf.nifi;
 
+import com.nimbusds.jose.JOSEException;
+import io.opentdf.platform.policy.kasregistry.KeyAccessServerRegistryServiceGrpc;
 import io.opentdf.platform.sdk.*;
+import io.opentdf.platform.sdk.Config;
 import io.opentdf.platform.sdk.TDF.Reader;
 import nl.altindag.ssl.util.KeyStoreUtils;
+import org.apache.commons.codec.DecoderException;
 import org.apache.commons.compress.utils.SeekableInMemoryByteChannel;
 import org.apache.nifi.ssl.SSLContextService;
 import org.apache.nifi.util.MockFlowFile;
@@ -14,11 +18,17 @@
 
 import java.io.File;
 import java.io.FileOutputStream;
+import java.io.IOException;
 import java.io.OutputStream;
+import java.lang.reflect.Field;
+import java.net.URISyntaxException;
 import java.nio.ByteBuffer;
 import java.nio.channels.SeekableByteChannel;
 import java.nio.file.Files;
+import java.security.NoSuchAlgorithmException;
+import java.text.ParseException;
 import java.util.*;
+import java.util.concurrent.ExecutionException;
 import java.util.concurrent.atomic.AtomicInteger;
 
 import static org.junit.jupiter.api.Assertions.*;
@@ -63,18 +73,24 @@ void testConvertFromTDF() throws Exception {
 
 
         runner.assertValid();
-
+        String platformEndpoint = "http://platform";
         SDK.Services mockServices = mock(SDK.Services.class);
         SDK.KAS mockKAS = mock(SDK.KAS.class);
         when(mockSDK.getServices()).thenReturn(mockServices);
         when(mockServices.kas()).thenReturn(mockKAS);
-        when(mockSDKBuilder.platformEndpoint("http://platform")).thenReturn(mockSDKBuilder);
+        when(mockSDK.getPlatformUrl()).thenReturn(platformEndpoint);
+        when(mockSDKBuilder.platformEndpoint(platformEndpoint)).thenReturn(mockSDKBuilder);
         when(mockSDKBuilder.clientSecret("my-client", "123-456")).thenReturn(mockSDKBuilder);
         when(mockSDKBuilder.sslFactoryFromKeyStore(TRUST_STORE_PATH, TRUST_STORE_PASSWORD)).thenReturn(mockSDKBuilder);
         when(mockSDKBuilder.build()).thenReturn(mockSDK);
 
         ArgumentCaptor<SeekableByteChannel> seekableByteChannelArgumentCaptor = ArgumentCaptor.forClass(SeekableByteChannel.class);
         ArgumentCaptor<SDK.KAS> kasArgumentCaptor = ArgumentCaptor.forClass(SDK.KAS.class);
+        ArgumentCaptor<Config.TDFReaderConfig> tdfReaderConfigArgumentCaptor = ArgumentCaptor.forClass(Config.TDFReaderConfig.class);
+        ArgumentCaptor<KeyAccessServerRegistryServiceGrpc.KeyAccessServerRegistryServiceFutureStub> keyAccessServerRegistryServiceGrpcArgumentCaptor =
+                ArgumentCaptor.forClass(KeyAccessServerRegistryServiceGrpc.KeyAccessServerRegistryServiceFutureStub.class);
+        ArgumentCaptor<String> platformUrlCaptor = ArgumentCaptor.forClass(String.class);
+
         Reader mockReader = mock(Reader.class);
 
         ArgumentCaptor<OutputStream> outputStreamArgumentCaptor = ArgumentCaptor.forClass(OutputStream.class);
@@ -96,7 +112,10 @@ void testConvertFromTDF() throws Exception {
             assertSame(mockKAS, kas, "Expected KAS passed in");
             return mockReader;
         }).when(mockTDF).loadTDF(seekableByteChannelArgumentCaptor.capture(),
-                kasArgumentCaptor.capture()
+                kasArgumentCaptor.capture(),
+                tdfReaderConfigArgumentCaptor.capture(),
+                keyAccessServerRegistryServiceGrpcArgumentCaptor.capture(),
+                platformUrlCaptor.capture()
                 );
         MockFlowFile messageOne = runner.enqueue("message one".getBytes());
         MockFlowFile messageTwo = runner.enqueue("message two".getBytes());
@@ -112,6 +131,13 @@ void testConvertFromTDF() throws Exception {
 
         assertTrue(messages.contains("message one"));
         assertTrue(messages.contains("message two"));
+
+        assertEquals(platformEndpoint, platformUrlCaptor.getValue());
+        // disableAssertionVerification is a private field
+        Field field = Config.TDFReaderConfig.class.getDeclaredField("disableAssertionVerification");
+        field.setAccessible(true);
+        boolean disableAssertionVerification = (boolean) field.get(tdfReaderConfigArgumentCaptor.getValue());
+        assertTrue(disableAssertionVerification);
     }
 
     public static class MockRunner extends ConvertFromZTDF {
diff --git a/nifi-tdf-processors/src/test/java/io/opentdf/nifi/ConvertToZTDFTest.java b/nifi-tdf-processors/src/test/java/io/opentdf/nifi/ConvertToZTDFTest.java
@@ -4,6 +4,7 @@
 import io.opentdf.platform.policy.attributes.AttributesServiceGrpc;
 import io.opentdf.platform.sdk.*;
 import io.opentdf.platform.sdk.Config;
+import org.apache.commons.codec.DecoderException;
 import org.apache.commons.io.IOUtils;
 import org.apache.nifi.key.service.api.PrivateKeyService;
 import org.apache.nifi.processor.ProcessContext;
@@ -133,8 +134,8 @@ void testToTDF_WithAssertionsOn_And_Assertions_Provided() throws Exception {
         assertEquals(1, assertionConfigList.size());
         AssertionConfig assertionConfig = assertionConfigList.get(0);
         assertNotNull(assertionConfig, "Assertion configuration present");
-        assertNotNull(assertionConfig.assertionKey.key, "signing key present");
-        assertEquals(AssertionConfig.AssertionKeyAlg.RS256, assertionConfig.assertionKey.alg);
+        assertNotNull(assertionConfig.signingKey.key, "signing key present");
+        assertEquals(AssertionConfig.AssertionKeyAlg.RS256, assertionConfig.signingKey.alg);
         assertEquals("a test assertion", assertionConfig.statement.value);
         assertEquals("sample", assertionConfig.statement.format);
         assertEquals(AssertionConfig.Scope.Payload, assertionConfig.scope);
@@ -146,7 +147,7 @@ void testToTDF_WithAssertionsOn_And_Assertions_Provided() throws Exception {
         assertEquals(1, flowFileList.size(), "one success flow file");
     }
 
-    private Captures commonProcessorTestSetup(TestRunner runner) throws IOException, JOSEException, ExecutionException, InterruptedException {
+    private Captures commonProcessorTestSetup(TestRunner runner) throws IOException, JOSEException, ExecutionException, InterruptedException, DecoderException {
         ((ConvertToZTDFTest.MockRunner) runner.getProcessor()).mockSDK = mockSDK;
         ((ConvertToZTDFTest.MockRunner) runner.getProcessor()).mockTDF = mockTDF;
         runner.setProperty(ConvertToZTDF.KAS_URL, "https://kas1");
diff --git a/pom.xml b/pom.xml
@@ -66,7 +66,7 @@
             <dependency>
                 <groupId>io.opentdf.platform</groupId>
                 <artifactId>sdk</artifactId>
-                <version>0.7.3</version>
+                <version>0.7.9</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.commons</groupId>

Original file line number	Diff line number	Diff line change
`@@ -255,7 +255,7 @@ private void addSigningInfoToAssertionConfig(ProcessContext processContext, Asse`
`255`	`255`	`getLogger().debug("adding signing configuration for assertion");`
`256`	`256`	`//TODO assumes RSA256 signing key`
`257`	`257`	`PrivateKey privateKey = privateKeyService.getPrivateKey();`
`258`		`- assertionConfig.assertionKey = new AssertionConfig.AssertionKey(AssertionConfig.AssertionKeyAlg.RS256, privateKey);`
	`258`	`+ assertionConfig.signingKey = new AssertionConfig.AssertionKey(AssertionConfig.AssertionKeyAlg.RS256, privateKey);`
`259`	`259`	`}`
`260`	`260`	`}`
`261`	`261`	`}`