more fixes

.github/workflows/roundtrip/demo-idp.sh

@@ -12,10 +12,8 @@ kcadm.sh config credentials --server http://localhost:65432/auth --realm master
 changeme
 EOF
 
-# &response_type=code&scope=openid+profile+email+offline_access&state=XTM-A9nrcpX1p6rT88jsqg4iw30EmYdUq4Cqd1qEYOA
-
 kcadm.sh create clients -r opentdf -s clientId=browsertest -s enabled=true -s 'redirectUris=["http://localhost:65432/"]' -s consentRequired=false -s standardFlowEnabled=true -s directAccessGrantsEnabled=true -s serviceAccountsEnabled=false -s publicClient=true -s protocol=openid-connect
 kcadm.sh create users -r opentdf -s username=user1 -s enabled=true
 kcadm.sh set-password -r opentdf --username user1 --new-password testuser123
 
-go run ./platform/service start
+go run ./platform/service start

ecparams.tmp

@@ -0,0 +1,3 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----

kas-cert.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIC/TCCAeWgAwIBAgIUWEtllFrAoY4Dlkv0v1uD60xfoXkwDQYJKoZIhvcNAQEL
+BQAwDjEMMAoGA1UEAwwDa2FzMB4XDTI0MDQxOTE5NDcxOVoXDTI1MDQxOTE5NDcx
+OVowDjEMMAoGA1UEAwwDa2FzMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKC
+AQEAyaz9o1IP1Yfexvesq5hUzalJZIYxhnA1iFNnMgB/akjo1Otmzgp9zTTQ16oR
+GDcfGA+1O8NUGQPlPTh9j6TIKzFiBi2rNZybzcipS8VE37lfhE4HESOaFEE4M7bM
+5sgXUDvMrFYhErSUEG/kov21iv5A3IMOSBjRLSCWolnFRlS77QSyMoEORpf5J6Ey
+M2ULe23aDF7WS6fIVE9YycM0zwPbq3M+ls8IhwCPzAuXjf/R/6HxX4zXyDBy6yma
+0V7FT4F0gxwu7/KwLyMOMkQiUXelEZDpDkNlDyHkOE8L1wgI/l3cdVQW5qm3Sarg
+x/r0SskWg6YH56QtKFNY5Aqk5QIDAQABo1MwUTAdBgNVHQ4EFgQUt+lyAasVamTi
+QyXRFzpWsed/0xIwHwYDVR0jBBgwFoAUt+lyAasVamTiQyXRFzpWsed/0xIwDwYD
+VR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEACR1dpTKw375qqvNwE+MF
+gZDyavPFkaNqXyMzbyZbiFnKHBrqWF+Fa++aC6zZcqQ8dbpy3WFGrrCI1mbdlLst
+NUdAu0mhuvmLM58quUoEW1YT2sdQBNk3by6ssKXrbvmtAivP9e2Lpy3MtN0YR0w5
+M4PAzZROuD45o7Yj6Agphg6OhIQiBloNeMFC3FZ2+lOAg6uYM55gkOWNrfPNSi0j
+5nBdZQNOEiW5/IrPnjLcTFJR6zmi9fZWiVZoortlVbIBTyclr9hnGiajsEjRK81c
+ruMQQYQBoEwBbVFvXQ1np6S0OwpfijmIC5Kwxa5EnnKFppyhQc/usI0zgQr8bT9d
+yA==
+-----END CERTIFICATE-----

kas-ec-cert.pem

@@ -0,0 +1,10 @@
+-----BEGIN CERTIFICATE-----
+MIIBcDCCARegAwIBAgIUIFGwwyjriZ+3LJjK/ZD8I/zJIMYwCgYIKoZIzj0EAwIw
+DjEMMAoGA1UEAwwDa2FzMB4XDTI0MDQxOTE5NDcxOVoXDTI1MDQxOTE5NDcxOVow
+DjEMMAoGA1UEAwwDa2FzMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEf7HLWYKG
++pPzwi7ivTu9YjQ40mvJtUHAF8V8O5PyLtNGa1XE2FP3M921ufTKcop9oeUL3Blp
+mCMxJUG1tlEyFqNTMFEwHQYDVR0OBBYEFBqVa076DR49kuYwlUei4kv8oh5oMB8G
+A1UdIwQYMBaAFBqVa076DR49kuYwlUei4kv8oh5oMA8GA1UdEwEB/wQFMAMBAf8w
+CgYIKoZIzj0EAwIDRwAwRAIgbOFBSSg/GJ9BD5jGU09nbHLIfaUbks8kB2U0THyA
+zLECIGyzbADomr7wJXMElEmffxiW17xAX3kup6CyaIO6XttO
+-----END CERTIFICATE-----

kas-ec-private.pem

@@ -0,0 +1,5 @@
+-----BEGIN PRIVATE KEY-----
+MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgqhc8ZGVXPkugpygf
+82+Nc+HuLMH78tnaxWWY+N19xwChRANCAAR/sctZgob6k/PCLuK9O71iNDjSa8m1
+QcAXxXw7k/Iu00ZrVcTYU/cz3bW59Mpyin2h5QvcGWmYIzElQbW2UTIW
+-----END PRIVATE KEY-----

kas-private.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDJrP2jUg/Vh97G
+96yrmFTNqUlkhjGGcDWIU2cyAH9qSOjU62bOCn3NNNDXqhEYNx8YD7U7w1QZA+U9
+OH2PpMgrMWIGLas1nJvNyKlLxUTfuV+ETgcRI5oUQTgztszmyBdQO8ysViEStJQQ
+b+Si/bWK/kDcgw5IGNEtIJaiWcVGVLvtBLIygQ5Gl/knoTIzZQt7bdoMXtZLp8hU
+T1jJwzTPA9urcz6WzwiHAI/MC5eN/9H/ofFfjNfIMHLrKZrRXsVPgXSDHC7v8rAv
+Iw4yRCJRd6URkOkOQ2UPIeQ4TwvXCAj+Xdx1VBbmqbdJquDH+vRKyRaDpgfnpC0o
+U1jkCqTlAgMBAAECggEAYIZqkyuopnO0XZiXTT3IgPKgTPupYoX8KTZ58sWoNi+V
+OKs+dikxUvEPb9lW+zcOq86A2IzBiIODyYxrFEAzCfFF0F01T6CYNaLv3HMbZtTr
+cYCDA2H90enxQ1cftOlZty4X5PgINlK1dzSGwrgZlt/gHWqggENYgnfRgPzkXadA
+zW4x0DeA3Fnl9jb9BJvhFCMKBtmYHozzhJXFx3xOaeq8pKlnOJCU1UeibHz848eN
+vq4KEQbgqwnhGFIgYeAjKEGxdpMf9cfBppTlHVlZpD1hRjqGxceXFUBF1YWu5V/n
+z4UXIFWmgJqzTRyrghBAW8xgITq91KTi8yWuoGBG9QKBgQDvEuTaKmHHl0+AdDws
+YJkSm/WvPyV81M+gUjMzWRTQwo+0lKF2egCNvXWIu8+JgTYzFXCCy41rZ8OO0ofc
+ldxrlgocdrQz7kQh7U42wN0gxsytw2C3D1ecgH53l6xlse3RtZGfoMAYxg4qzMYW
+BpBYSvpHy7D4FyvBfTiT2LAElwKBgQDX9EYP2kbZroBmOOqO8nbJGpcGNv3DVVMh
+4f4HDZFk3wJzeAWZgs0+d5kulIMMVoOyiHQSe91kgnyb3aWyFpUjSueCSjdVfC/8
+CLJlBH4FeH3776foR3T8kC2QcQqwC1aeBnqNeFsJCYJSkVBa0tGQAnqS5f89FSz8
+2Ac1ZPFl4wKBgQCkkZP5Xb1LQCwY12pofeJA/hykEsrCYFfAG3VlPkfm4Fc9ziZL
+QPZKm4Vhpy7Yj5p4laSKVIY3zgi+ssuVG4/Me07ggxHOwZAi7pCtfht5qX9RibF0
+sdn0QDtOJZkls9JqThs9D9HL++HasnUUylXogUxBycQ7MvAK1CDzHPElZwKBgD8e
+W3f4sWqgcVDvY8dCIOvohKnBWuxDvReTKR9AnPVhpSLAuspCi+CtLi2KJL9vbfC5
+p0tbvrrI1MjtwKdLqG13UDEppgCrWo8Mr6+M35STwibnxijC8fN75IVqNNh9h+SK
+OjmtKtZ6XAfsBxN0uOGhh9f1t2NQFCUWswytI01HAoGBAKVjegFJu1Geq5l3xMNx
+ngSRo68jEinY1aEOc+ioeD4XLz0YBjZwI9SgUha+7sNVZ11gbw+guqKpLtbjdH6j
+1yt+IRRmorBUPGorbs11xXMc82l4VfLUOcTu1US+qks3tb4R08lckHGc8EZMH7v3
+FN0UfdJOBVHZpfAprfpRBlp2
+-----END PRIVATE KEY-----

opentdf.yaml

@@ -0,0 +1,86 @@
+logger:
+  level: debug
+  type: text
+  output: stdout
+# DB and Server confgurations are defaulted for local development
+# db:
+#   host: localhost
+#   port: 5432
+#   user: postgres
+#   password: changeme
+services:
+  kas:
+    enabled: true
+  policy:
+    enabled: true
+  authorization:
+    enabled: true
+    url: http://localhost:8888
+    client: "tdf-entity-resolution"
+    secret: "secret"
+    realm: "opentdf"
+    legacy: true
+server:
+  auth:
+    enabled: true
+    audience: "http://localhost:8080"
+    issuer: http://localhost:8888/auth/realms/opentdf
+    clients:
+      - "opentdf"
+      - "opentdf-sdk"
+    policy:
+      ## Default policy for all requests
+      default: #"role:readonly"
+      ## Dot notation is used to access nested claims (i.e. realm_access.roles)
+      claim: # realm_access.roles
+      ## Maps the external role to the opentdf role
+      ## Note: left side is used in the policy, right side is the external role
+      map:
+      #  readonly: opentdf-readonly
+      #  admin: opentdf-admin
+      #  org-admin: opentdf-org-admin
+
+      ## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
+      csv: #|
+      #  p, role:org-admin, policy:attributes, *, *, allow
+      #  p, role:org-admin, policy:subject-mappings, *, *, allow
+      #  p, role:org-admin, policy:resource-mappings, *, *, allow
+      #  p, role:org-admin, policy:kas-registry, *, *, allow
+      ## Custom model (see https://casbin.org/docs/syntax-for-models/)
+      model: #|
+      #  [request_definition]
+      #  r = sub, res, act, obj
+      #
+      #  [policy_definition]
+      #  p = sub, res, act, obj, eft
+      #
+      #  [role_definition]
+      #  g = _, _
+      #
+      #  [policy_effect]
+      #  e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
+      #
+      #  [matchers]
+      #  m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
+
+  grpc:
+    reflectionEnabled: true # Default is false
+  cryptoProvider:
+    hsm:
+      enabled: false
+      pin:
+    standard:
+      rsa:
+        123:
+          privateKeyPath: kas-private.pem
+          publicKeyPath: kas-cert.pem
+        456:
+          privateKeyPath: kas-private.pem
+          publicKeyPath: kas-cert.pem
+      ec:
+        123:
+          privateKeyPath: kas-ec-private.pem
+          publicKeyPath: kas-ec-cert.pem
+  port: 8080
+opa:
+  embedded: true # Only for local development

scripts/demo-evironment.sh

@@ -8,13 +8,13 @@ ROOT_DIR="$(cd "${APP_DIR}/.." >/dev/null && pwd)"
 _run_platform() {
   git clone https://github.com/opentdf/platform.git
   docker compose -f .github/workflows/roundtrip/docker-compose.yaml up -d --wait --wait-timeout 240
-  
+
   cd platform
   .github/scripts/init-temp-keys.sh
   cp opentdf-example.yaml opentdf.yaml
   go run ./service provision keycloak
+  go run ./service start 
   cd ..
-
 }
 
 _wait-for() {

web-app/vite.config.ts

@@ -15,7 +15,7 @@ export default defineConfig({
   server: {
     port: 65432,
     proxy: {
-      '/kas': 'http://localhost:5432',
+      '/kas': 'http://localhost:8080',
       '/auth': 'http://localhost:8888',
     },
   },