Merge branch 'main' into sdk-contributor-guidelines

Author: jp-ayyappan

.github/workflows/vale.yaml

@@ -3,7 +3,7 @@ name: Vale
 on:
   pull_request:
     branches:
-      - main
+      - disabled
 
 jobs:
   vale-check:

.gitignore

@@ -1,3 +1,7 @@
+specs-processed/
+docs/OpenAPI-clients/
+docs/SDK-Samples/
+
 # Dependencies
 /node_modules
 

.languagetool.yml

@@ -0,0 +1,14 @@
+language: en-US
+disabledRules: []
+enabledRules: []
+disabledCategories: []
+dictionary:
+  - OpenTDF
+  - SDKs
+# This helps LanguageTool understand Markdown format
+markup:
+  - markdown
+# Skip code blocks and inline code
+skipPatterns:
+  - '```[\s\S]*?```'  # Skip fenced code blocks
+  - '`[^`]*`'          # Skip inline code

docs/components/core/authz.md

@@ -0,0 +1,98 @@
+---
+title: Authorization Configuration
+description: Learn about the standard authorization (AuthZ) configuration and role-based access control in the OpenTDF platform
+sidebar_position: 2
+---
+
+# Standard Authorization (AuthZ) Configuration for opentdf Platform
+
+The opentdf platform uses **Casbin** to manage authorization (AuthZ) for its routes, which are defined using **ConnectRPC**. This document outlines the standard AuthZ configuration, role mappings, and administrative responsibilities for managing and customizing the platform to meet specific security requirements.
+
+## Default Authorization Roles and Policies
+
+By default, the platform provides three role mappings (`admin`, `standard`, and `unknown`) and a concept of **public endpoints**. These roles are tied to the `realmsRole` claim of the OIDC token issued by the Keycloak Identity Provider.
+
+### Role Mappings and Their Permissions
+
+1. **`admin`**
+   - **Description**: Administrators of the platform.
+   - **Permissions**:
+     - Perform all actions.
+     - Modify and mutate policy data.
+     - Access private and public endpoints.
+   - **Requirements**: Must have a valid OIDC token with a claim mapping to the `admin` role.
+
+2. **`standard`**
+   - **Description**: Standard users of the platform.
+   - **Permissions**:
+     - Perform basic actions.
+     - Cannot modify policy data.
+     - Access private and public endpoints.
+   - **Requirements**: Must have a valid OIDC token with a claim mapping to the `standard` role.
+
+3. **`unknown`**
+   - **Description**: Users with valid OIDC tokens who are not mappable into the platform's predefined roles.
+   - **Permissions**:
+     - Can only perform public functions.
+     - Cannot access private endpoints.
+   - **Requirements**: Must have a valid OIDC token, but no mapping exists for the `realmsRole` claim.
+
+### Public Endpoints
+
+- **Description**: Certain routes are designated as public endpoints and **bypass AuthZ entirely**.
+- **Use Case**: These routes are accessible to all users, regardless of their role or token validity.
+
+## Responsibilities of Administrators
+
+It is critical to note that the opentdf platform provides a **basic configuration** for authorization. Administrators are fully responsible for customizing and managing authorization policies to align with their organization's security posture. This includes:
+
+1. **Configuring the Platform for Security Posture**:
+   - Review and customize the default Casbin policy to meet organizational needs.
+   - Ensure that sensitive routes are properly protected.
+
+2. **Managing Role Mappings**:
+   - Update and maintain the mappings for the `realmsRole` claim in Keycloak to ensure accurate role assignment.
+   - Ensure that users are correctly categorized into `admin`, `standard`, or custom roles as required.
+
+3. **Monitoring and Updating Policies**:
+   - Regularly review policy files to ensure compliance with evolving security requirements.
+   - Keep track of updates and changes in the Casbin model and policy files.
+
+## Default Casbin Policy
+
+The platform leverages Casbin to enforce role-based access control (RBAC). Below is an outline of the default policy:
+
+### Default Role Mapping
+
+- `admin` → Full permissions to all resources and actions.
+- `standard` → Limited permissions to basic resources and actions.
+- `unknown` → Only permitted to access public functions.
+
+### Casbin Access Control Model
+
+The Casbin model supports **extensibility** so that administrators can define custom access control logic to meet their specific needs. For example, administrators can override the default policy using custom mapping logic or additional claims.
+
+## Example Configuration
+
+Here is an example of how the `realmsRole` claim in Keycloak maps to Casbin roles:
+
+```yaml
+server:
+  auth:
+    policy:
+      csv: |
+        p, role:admin, *, *, allow
+        p, role:standard, /basic/*, GET|POST, allow
+        p, role:unknown, /public/*, GET, allow
+        g, opentdf-admin, role:admin
+        g, opentdf-standard, role:standard
+```
+
+## Key Takeaways
+
+- The opentdf platform provides a basic AuthZ configuration as a starting point.
+- Administrators are responsible for ensuring the platform's configuration aligns with their security policies.
+- It is the organization's responsibility to manage role mappings and to ensure that the `realmsRole` claim in Keycloak is configured correctly.
+- By default, `admin`, `standard`, and `unknown` roles are provided, with respective permissions. Public endpoints bypass AuthZ entirely.
+
+For more advanced configurations, refer to the [Casbin documentation](https://casbin.org/docs/syntax-for-models) for guidance on customizing policies and models.

docs/components/core/index.md

@@ -0,0 +1,44 @@
+---
+title: Core Components
+description: Learn about the core components and fundamental services of the OpenTDF platform
+sidebar_position: 1
+---
+
+# Core Components
+
+The core components of the OpenTDF platform provide the fundamental building blocks for secure data access and control. These components implement the essential services and configurations that enable the platform's data-centric security capabilities.
+
+## Key Components
+
+### Authorization (AuthZ)
+
+The standard authorization configuration manages access control using Casbin and ConnectRPC. It provides role-based access control through predefined roles (admin, standard, unknown) and public endpoints, integrating with the platform's OIDC token system.
+
+### Service Registration and Configuration
+
+Core services in the platform are designed to work together through standardized registration and configuration patterns. This includes:
+
+- Service discovery and communication
+- Standard health checks and monitoring
+- Configuration management and validation
+- Security and authentication setup
+
+### Platform Integration Points
+
+The core components establish crucial integration points for:
+
+- Identity Provider (IdP) integration
+- Key management and access control
+- Policy enforcement points
+- Service-to-service communication
+
+## Purpose
+
+The core components documentation provides essential information about:
+
+- Standard configuration patterns
+- Service initialization and bootstrap processes
+- Security configurations and best practices
+- Integration guidelines for platform services
+
+These components form the foundation of the OpenTDF platform, ensuring consistent behavior, security, and interoperability across all platform services.

docs/sdks/overview.mdx

@@ -6,40 +6,7 @@ sidebar_position: 1
 
 OpenTDF supports native SDKs in the Go, Java and JavaScript languages. 
 
-## Supported Features
-
-|                            | Go       | Java     | C++      | JavaScript |
-| :------------------------- | -------- | -------- | -------- | ---------- |
-| **Lifecycle**              | Beta     | Alpha    | Alpha    | Alpha      |
-| **Support**[^101]          | Official | Official | Official | Official   |
-|                            |          |          |          |            |
-| **Encrypt/Decrypt**[^103]  | Stable   | Unstable | Planned  | Unstable   |
-| - ZTDF[^110]               | Stable   | Unstable | Planned  | Unstable   |
-| - NanoTDF[^111]            | Stable   | Planned  | Planned  | Unstable   |
-| - ABAC[^112]               | Stable   | Unstable | Planned  | Unstable   |
-| - Dissem[^113]             | Unstable | Unstable | Planned  | Unstable   |
-|                            |          |          |          |            |
-| **Service APIs**[^105]     | Stable   | Stable   | Planned  | Planned    |
-| - Authorization [^120]     |          |          |          |            |
-| - Key Access Server [^121] |          |          |          |            |
-| - Policy: Attributes[^130] |          |          |          |            |
-
-[^101]: Support is the level of support for the SDK (Official, Community).
-[^103]: Encrypt is the ability to encrypt data.
-[^105]: Service APIs are APIs that are provided by the library to interact with the service.
-
-<!-- SDK Footnotes -->
-
-[^110]: Support for the [Zero Trust Data Format](https://github.com/opentdf/spec/tree/main/schema/tdf) utilizing JSON manifests.
-[^111]: Support for the [Nano Trusted Data Format](https://github.com/opentdf/spec/tree/main/schema/nanotdf).
-[^112]: ABAC is Attribute Based Access Control.
-[^113]: Dissem is Dissemination List (i.e. email lists).
-
-<!-- Service Footnotes -->
-
-[^120]: Authorization APIs for managing authorization policies.
-[^121]: Key Access Server (KAS) APIs for accessing key management.
-[^130]: APIs for managing policy attributes [proto](https://github.com/opentdf/platform/blob/main/service/policy/attributes/attributes.proto).
+Please refer to the [SDK Feature Matrix](../appendix/matrix.mdx#sdk) in the Appendix for the supported features in each SDK.
 
 ## Repositories
 

docusaurus.config.ts

@@ -9,6 +9,8 @@ import type { Config } from "@docusaurus/types";
 import type * as Preset from "@docusaurus/preset-classic";
 import matter from "gray-matter";
 import listRemote from "./docusaurus-lib-list-remote";
+import { openApiSpecs } from "./preprocessing";
+import languageTabs from "./openapi-generated-clients";
 
 const otdfctl = listRemote.createRepo("opentdf", "otdfctl", "main");
 
@@ -46,10 +48,11 @@ const config: Config = {
 
   onBrokenLinks: "throw",
   onBrokenMarkdownLinks: "warn",
+  onBrokenAnchors: "warn",
   markdown: {
     mermaid: true,
   },
-  themes: ["@docusaurus/theme-mermaid", "docusaurus-theme-github-codeblock"],
+  themes: ["@docusaurus/theme-mermaid", "docusaurus-theme-github-codeblock", "docusaurus-theme-openapi-docs"],
 
   // Even if you don't use internationalization, you can use this field to set
   // useful metadata like html lang. For example, if your site is Chinese, you
@@ -67,6 +70,7 @@ const config: Config = {
         docs: {
           routeBasePath: "/",
           sidebarPath: "./sidebars.js",
+          docItemComponent: "@theme/ApiItem", // Derived from docusaurus-theme-openapi
           // Please change this to your repo.
           // Remove this to remove the "edit this page" links.
           // editUrl:
@@ -108,6 +112,10 @@ const config: Config = {
           label: "GitHub",
           position: "right",
         },
+        {
+          type: "search",
+          position: "right",
+        },
       ],
     },
     footer: {
@@ -188,6 +196,7 @@ const config: Config = {
       //   template: '#zoom-template',
       // },
     },
+    languageTabs: languageTabs,
   } satisfies Preset.ThemeConfig,
   plugins: [
     [
@@ -731,6 +740,15 @@ ${updatedContent}`,
         },
       },
     ],
+    [
+      "docusaurus-plugin-openapi-docs",
+      {
+        id: "api", // plugin id
+        docsPluginId: "classic", // configured for preset-classic
+        config: openApiSpecs 
+      },
+    ],
+    require.resolve("docusaurus-lunr-search"),
   ],
 };
 

openapi-generated-clients.ts

@@ -0,0 +1,102 @@
+/**
+ * This file defines language tabs configuration for OpenAPI documentation
+ * 
+ * TODO: Note that the languages commented below have been removed, since we offer
+ * official SDKs for them, and we don't want to duplicate code or cause confusion.
+ */
+const languageTabs = [
+    // {
+    //   highlight: "go",
+    //   language: "go",
+    //   logoClass: "go",
+    // },
+    // {
+    //   highlight: "javascript",
+    //   language: "nodejs",
+    //   logoClass: "nodejs",
+    // },
+    // {
+    //   highlight: "java",
+    //   language: "java",
+    //   logoClass: "java",
+    //   variant: "unirest",
+    // },
+    // {
+    //   highlight: "javascript",
+    //   language: "javascript",
+    //   logoClass: "javascript",
+    // },       
+    {
+        highlight: "bash",
+        language: "curl",
+        logoClass: "curl",
+    },
+    {
+        highlight: "csharp",
+        language: "csharp",
+        logoClass: "csharp",
+    },
+    {
+        highlight: "ruby",
+        language: "ruby",
+        logoClass: "ruby",
+    },
+    {
+        highlight: "php",
+        language: "php",
+        logoClass: "php",
+    },
+    {
+        highlight: "powershell",
+        language: "powershell",
+        logoClass: "powershell",
+    },
+    {
+        highlight: "dart",
+        language: "dart",
+        logoClass: "dart",
+    },
+    {
+        highlight: "c",
+        language: "c",
+        logoClass: "c",
+    },
+    {
+        highlight: "objective-c",
+        language: "objective-c",
+        logoClass: "objective-c",
+    },
+    {
+        highlight: "ocaml",
+        language: "ocaml",
+        logoClass: "ocaml",
+    },
+    {
+        highlight: "r",
+        language: "r",
+        logoClass: "r",
+    },
+    {
+        highlight: "swift",
+        language: "swift",
+        logoClass: "swift",
+    },
+    {
+        highlight: "kotlin",
+        language: "kotlin",
+        logoClass: "kotlin",
+    },
+    {
+        highlight: "rust",
+        language: "rust",
+        logoClass: "rust",
+    },
+    {
+        highlight: "python",
+        language: "python",
+        logoClass: "python",
+    },
+];
+
+// export it
+export default languageTabs;