Skip to content

feat(sdk): Add obligations support. #2759

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 18 commits into
base: main
Choose a base branch
from
Open

feat(sdk): Add obligations support. #2759

wants to merge 18 commits into from

Conversation

c-r33d
Copy link
Contributor

@c-r33d c-r33d commented Sep 23, 2025
edited
Loading

Proposed Changes

1.) Expose Obligations function to TDF/NanoTDF
2.) Expose new NanoTDFReader with LoadNanoTDF,Init functions
3.) Within Obligations function allow consumers to retrieve Obligations on-demand by calling AuthService
4.) Refactor bulk to allow consumers to retrieve Obligations before decrypting content
5.) Expose PrepareBulkDecrypt to retrieve Obligations before decrypting the content
6.) Expose ErrRewrapForbidden for consumption by downstream consumers of the SDK.

Manual E2E tests:

  • Ran benchmark and rt tests for bulk
  • Nano/ZTDF no access to resource regardless of obligations (returns empty slice of FQNs)
  • Nano/ZTDF has access to resource, but does not fulfill obligations (returns required obligations)
  • Nano/ZTDF has access to resource and fulfills obligations -> Decrypt successfully.
  • Multi-KAS decrypt successful when able to fulfill obligations, failure with returned obligations when not
  • Calling Obligations() before rewrap calls GetDecisions and returns obligations.

Caveats

Important

It's possible when making multiple reqs to different KAS's for the same policy,
if the last policy result for a specific KAS fails with a 500, the previous
obligations are cleared from the reader object.

This should be ok, since we allow customers to retrieve obligations on demand.

For bulk decryption, we do not allow on-demand obligation resolution.

Note

Bulk decrypt is designed in a way that will only allow
a global set of fulfillable obligations to be applied, not for
an individual TDF.

Important

We can not retrieve on-demand Obligations for NanoTDFs
where the policy is not plaintext.

Checklist

  • I have added or updated unit tests
  • I have added or updated integration tests (if appropriate)
  • I have added or updated documentation

Testing Instructions

@github-actions github-actions bot added comp:sdk A software development kit, including library, for client applications and inter-service communicati size/m labels Sep 23, 2025
@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 176.523015ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 96.097446ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 346.597111ms
Throughput 288.52 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 36.884418596s
Average Latency 366.437234ms
Throughput 135.56 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 25.935593065s
Average Latency 258.232913ms
Throughput 192.79 requests/second

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 8, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 164.910864ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 100.533361ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 366.74801ms
Throughput 272.67 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.537614652s
Average Latency 383.697599ms
Throughput 129.74 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.101774045s
Average Latency 269.950583ms
Throughput 184.49 requests/second

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 8, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 191.757217ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 104.768664ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 384.942807ms
Throughput 259.78 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.974875659s
Average Latency 408.355437ms
Throughput 122.03 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 28.54378908s
Average Latency 284.49637ms
Throughput 175.17 requests/second

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 8, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 175.513914ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 98.70004ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 358.280632ms
Throughput 279.11 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.522988539s
Average Latency 383.371023ms
Throughput 129.79 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 26.858259201s
Average Latency 267.744349ms
Throughput 186.16 requests/second

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 8, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 179.922629ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 99.626766ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 358.103853ms
Throughput 279.25 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.136281891s
Average Latency 379.16309ms
Throughput 131.11 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 26.813380545s
Average Latency 266.852995ms
Throughput 186.47 requests/second

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 8, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 184.018078ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 101.96059ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 376.4141ms
Throughput 265.66 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.941153951s
Average Latency 407.859429ms
Throughput 122.13 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 28.30463278s
Average Latency 281.91763ms
Throughput 176.65 requests/second

@c-r33d c-r33d marked this pull request as ready for review October 8, 2025 20:41
@c-r33d c-r33d requested review from a team as code owners October 8, 2025 20:41
@c-r33d
Copy link
Contributor Author

c-r33d commented Oct 8, 2025

/gemini review

gemini-code-assist[bot]
gemini-code-assist bot reviewed Oct 8, 2025
View reviewed changes
Copy link
Contributor

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces significant and valuable enhancements for handling obligations within the SDK. The refactoring of the bulk decryption process and the introduction of NanoTDFReader are excellent architectural improvements that increase the flexibility and usability of the library.

I've identified a few areas for improvement, including a critical issue related to variable shadowing, a high-severity issue concerning context propagation, and some medium-severity suggestions to enhance efficiency and maintainability. Addressing these points will further solidify the quality of this new feature.

@github-actions GitHub Actions
Copy link
Contributor

github-actions bot commented Oct 9, 2025

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 184.411804ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 99.560378ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 381.223055ms
Throughput 262.31 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 43.406595544s
Average Latency 432.175959ms
Throughput 115.19 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 28.531769659s
Average Latency 284.529168ms
Throughput 175.24 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 167.47285ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 106.886674ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 365.732384ms
Throughput 273.42 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.26864933s
Average Latency 400.861923ms
Throughput 124.17 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 28.530393627s
Average Latency 284.31857ms
Throughput 175.25 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 173.165472ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 100.528779ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 377.616481ms
Throughput 264.82 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.934413648s
Average Latency 407.607029ms
Throughput 122.15 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.167902984s
Average Latency 270.613516ms
Throughput 184.04 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 176.725849ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 102.719013ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 365.566348ms
Throughput 273.55 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.716634794s
Average Latency 394.93236ms
Throughput 125.89 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 26.477506165s
Average Latency 264.029176ms
Throughput 188.84 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 173.899384ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 107.08734ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 365.568826ms
Throughput 273.55 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.877515851s
Average Latency 387.372466ms
Throughput 128.61 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.538212609s
Average Latency 274.516808ms
Throughput 181.57 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 175.509531ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 89.113707ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 364.084566ms
Throughput 274.66 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 39.096573341s
Average Latency 389.157944ms
Throughput 127.89 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.686038641s
Average Latency 275.898134ms
Throughput 180.60 requests/second

jakedoublev
jakedoublev reviewed Oct 15, 2025
View reviewed changes
@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 175.68539ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 103.384347ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 360.196725ms
Throughput 277.63 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 38.858922302s
Average Latency 386.925663ms
Throughput 128.67 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.198765061s
Average Latency 270.903601ms
Throughput 183.83 requests/second

@github-actions GitHub Actions
Copy link
Contributor

Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 180.464882ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 101.53585ms

Standard Benchmark Metrics Skipped or Failed

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 358.544268ms
Throughput 278.91 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 40.222989898s
Average Latency 400.463775ms
Throughput 124.31 requests/second

NANOTDF Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 27.816585463s
Average Latency 276.948684ms
Throughput 179.75 requests/second

pflynn-virtru
pflynn-virtru reviewed Oct 15, 2025
View reviewed changes
pflynn-virtru
pflynn-virtru approved these changes Oct 15, 2025
View reviewed changes
Copy link
Member

@pflynn-virtru pflynn-virtru left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The NanoTDF changes are more extensive than I would have thought. Let's make sure nano has good regression test coverage

strantalis
strantalis reviewed Oct 15, 2025
View reviewed changes
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jakedoublev jakedoublev jakedoublev approved these changes

@sujankota sujankota sujankota approved these changes

@imdominicreed imdominicreed imdominicreed approved these changes

@strantalis strantalis strantalis approved these changes

@pflynn-virtru pflynn-virtru pflynn-virtru approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

comp:sdk A software development kit, including library, for client applications and inter-service communicati size/m

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@c-r33d @sujankota @imdominicreed @strantalis @pflynn-virtru @jakedoublev