feat(kas): Add nano policy binding to rewrap audit. (#2870)

c-r33d · web-flow · commit a12d1d4a6953 · 2025-11-04T22:11:06.000Z
### Proposed Changes 1.) Add nano policy binding to audit rewrap logs 2.) Bump sdk to version 0.10.1 ### Examples #### Nano - Encrypted Policy - Gmac ```json { "time": "2025-11-03T12:53:39.67596-06:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "ff1a2fe2-a942-11f0-9751-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "error" }, "actor": { "id": "260a3342-65d8-4056-8d17-b362c932b9dc", "attributes": [] }, "eventMetaData": { "algorithm": "ec:secp256r1", "keyID": "e1", "policyBinding": "69750779a948846a", "tdfFormat": "Nano" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "1eb13e08-963e-4abd-acfc-5a30fb3cb876", "timestamp": "2025-11-03T12:53:39-06:00" } } ``` #### Nano - Encrypted policy - ECDSA ```json { "time": "2025-11-03T13:06:52.920043-06:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "3c370940-b8e8-11f0-b395-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "success" }, "actor": { "id": "260a3342-65d8-4056-8d17-b362c932b9dc", "attributes": [] }, "eventMetaData": { "algorithm": "ec:secp256r1", "keyID": "e1", "policyBinding": "07eb1084ee0e3f982d9374c184e88840abe5caa272cde5dd14798224db13107a", "tdfFormat": "Nano" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "c27a751d-44a9-4866-beef-451b2fbef5ae", "timestamp": "2025-11-03T13:06:52-06:00" } } ``` #### Nano - Plaintext policy - GMAC ```json { "time": "2025-11-03T13:01:27.938945-06:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "7857a624-b8e7-11f0-aa9c-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "success" }, "actor": { "id": "260a3342-65d8-4056-8d17-b362c932b9dc", "attributes": [] }, "eventMetaData": { "algorithm": "ec:secp256r1", "keyID": "e1", "policyBinding": "342b5951d82676fa", "tdfFormat": "Nano" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "652cc0d2-fec8-49a4-8e0d-e5f01794bdaa", "timestamp": "2025-11-03T13:01:27-06:00" } } ``` #### Nano - Plaintext policy - ECDSA ```json { "time": "2025-11-03T13:03:17.645969-06:00", "level": "AUDIT", "msg": "rewrap", "namespace": "kas", "audit": { "object": { "type": "key_object", "id": "bb58d92a-b8e7-11f0-8556-a6a754e79d24", "name": "", "attributes": { "assertions": [], "attrs": [ "https://test.obligations/attr/test_attr_for_triggers/value/test_valu_for_trigger" ], "permissions": [] } }, "action": { "type": "rewrap", "result": "success" }, "actor": { "id": "260a3342-65d8-4056-8d17-b362c932b9dc", "attributes": [] }, "eventMetaData": { "algorithm": "ec:secp256r1", "keyID": "e1", "policyBinding": "7f50b172ceae7cb4eff9cff1849fed1022bb0f1abeb924060f50fdd5876bb09b", "tdfFormat": "Nano" }, "clientInfo": { "userAgent": "connect-go/1.18.1 (go1.24.6)", "platform": "kas", "requestIP": "None" }, "original": null, "updated": null, "requestID": "5a038826-43e8-42b6-9239-bd0cf3066cfd", "timestamp": "2025-11-03T13:03:17-06:00" } } ``` ### Checklist - [ ] I have added or updated unit tests - [ ] I have added or updated integration tests (if appropriate) - [ ] I have added or updated documentation ### Testing Instructions
diff --git a/service/go.mod b/service/go.mod
@@ -37,7 +37,7 @@ require (
 	github.com/opentdf/platform/lib/identifier v0.2.0
 	github.com/opentdf/platform/lib/ocrypto v0.7.0
 	github.com/opentdf/platform/protocol/go v0.13.0
-	github.com/opentdf/platform/sdk v0.10.0
+	github.com/opentdf/platform/sdk v0.10.1
 	github.com/pressly/goose/v3 v3.24.3
 	github.com/spf13/cobra v1.9.1
 	github.com/spf13/viper v1.20.1
diff --git a/service/go.sum b/service/go.sum
@@ -257,8 +257,8 @@ github.com/opentdf/platform/lib/ocrypto v0.7.0 h1:uBZJXisuXU3V8681aP8FVMJkyWBrwW
 github.com/opentdf/platform/lib/ocrypto v0.7.0/go.mod h1:sYhoBL1bQYgQVSSNpxU13RsrE5JAk8BABT1hfr9L3j8=
 github.com/opentdf/platform/protocol/go v0.13.0 h1:vrOOHyhYDPzJgNenz/1g0M5nWtkOYKkPggMNHKzeMcs=
 github.com/opentdf/platform/protocol/go v0.13.0/go.mod h1:GRycoDGDxaz91sOvGZFWVEKJLluZFg2wM3NJmhucDHo=
-github.com/opentdf/platform/sdk v0.10.0 h1:OU0pdAnEkcpvLHKZQsynkJJ4lOnVPIBP13W2+9jR80Y=
-github.com/opentdf/platform/sdk v0.10.0/go.mod h1:EIh7cTBrtKfjav+5WXA1PZQYjI+fJtTeSXl6Ibw79Bw=
+github.com/opentdf/platform/sdk v0.10.1 h1:kBrTK48xle7mdGc+atlr4kDh94f6kVj+0OB76K8rozI=
+github.com/opentdf/platform/sdk v0.10.1/go.mod h1:+yaTi/c/GWHZPPmO27sq2s7Tcb2P/USkK8LuW1krhI8=
 github.com/opentracing/opentracing-go v1.2.0 h1:uEJPy/1a5RIPAJ0Ov+OIO8OxWu77jEv+1B0VhjKrZUs=
 github.com/opentracing/opentracing-go v1.2.0/go.mod h1:GxEUsuufX4nBwe+T+Wl9TAgYrxe9dPLANfrWvHYVTgc=
 github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
diff --git a/service/kas/access/rewrap.go b/service/kas/access/rewrap.go
@@ -84,8 +84,9 @@ type kaoResult struct {
 	EphemeralPublicKey  []byte
 	RequiredObligations []string
 
-	// Only populated for Nano auditing, since policy is encrypted
-	KeyID string
+	// Only populated for Nano auditing
+	KeyID         string
+	PolicyBinding string
 }
 
 // From policy ID to KAO ID to result
@@ -901,11 +902,12 @@ func (p *Provider) nanoTDFRewrap(ctx context.Context, requests []*kaspb.Unsigned
 			}
 
 			auditEventParams := audit.RewrapAuditEventParams{
-				Policy:    kasPolicy,
-				IsSuccess: access,
-				TDFFormat: "Nano",
-				Algorithm: req.GetAlgorithm(),
-				KeyID:     kaoInfo.KeyID,
+				Policy:        kasPolicy,
+				IsSuccess:     access,
+				TDFFormat:     "Nano",
+				Algorithm:     req.GetAlgorithm(),
+				KeyID:         kaoInfo.KeyID,
+				PolicyBinding: kaoInfo.PolicyBinding,
 			}
 
 			if !access {
@@ -986,9 +988,15 @@ func (p *Provider) verifyNanoRewrapRequests(ctx context.Context, req *kaspb.Unsi
 		}
 
 		// check the policy binding
-		verify, err := header.VerifyPolicyBinding()
+		binding, err := header.PolicyBinding()
+		if err != nil {
+			failedKAORewrap(results, kao, fmt.Errorf("failed to retrieve policy binding: %w", err))
+			return nil, results
+		}
+
+		verify, err := binding.Verify()
 		if err != nil {
-			failedKAORewrap(results, kao, fmt.Errorf("failed to verify policy binding: %w", err))
+			failedKAORewrap(results, kao, fmt.Errorf("error verifying policy binding: %w", err))
 			return nil, results
 		}
 
@@ -997,9 +1005,10 @@ func (p *Provider) verifyNanoRewrapRequests(ctx context.Context, req *kaspb.Unsi
 			return nil, results
 		}
 		results[kao.GetKeyAccessObjectId()] = kaoResult{
-			ID:    kao.GetKeyAccessObjectId(),
-			DEK:   symmetricKey,
-			KeyID: kid,
+			ID:            kao.GetKeyAccessObjectId(),
+			DEK:           symmetricKey,
+			KeyID:         kid,
+			PolicyBinding: binding.String(),
 		}
 		return policy, results
 	}
