/**
 * Type declarations for an OpenTDF helper module: auth-provider and client
 * construction, obligation helpers, trusted-certificate retrieval and JWS
 * certificate-chain validation. This file declares signatures only; no
 * implementation is visible here.
 *
 * NOTE(review): several `Promise` and `Record` references below carry no type
 * argument, which is not valid TypeScript (`Promise<T>` requires one). The
 * arguments were most likely lost when the file was rendered. Where the intended
 * argument can be inferred from the other declarations in this file it is named
 * in a comment as an assumption to confirm against the source `.d.ts`, never as
 * fact.
 */
import type { AuthProvider } from '@opentdf/sdk';
// NOTE(review): `AuthProviders` is imported but not referenced by any declaration
// visible in this file — confirm whether it is still needed.
import { AuthProviders, OpenTDF } from '@opentdf/sdk';
import { type CryptoService } from '@opentdf/sdk/singlecontainer';
// Generated protobuf message type; used as the element type of trusted roots below.
import type { Certificate } from '../gen/virtru/policy/objects_pb';
import type { Interceptor as Inter } from '@connectrpc/connect';

/** Re-export of the Connect `Interceptor` type under this module's own name. */
export type Interceptor = Inter;

/** A single obligation feature, identified by a list of fully-qualified names. */
export type ObligationFeatureMap = {
  fully_qualified_names: string[];
};

/**
 * The obligation features this module declares support for. Each feature is
 * optional; presumably a feature that is not supported is simply omitted — confirm.
 */
export type SupportedObligations = {
  watermark?: ObligationFeatureMap;
  prevent_download?: ObligationFeatureMap;
};

/**
 * Entitlements grouped per entity.
 * NOTE(review): presumably the resolved value of {@link getUserEntitlements},
 * whose `Promise` type argument is missing below — confirm.
 */
export type GetUserEntitlementsResponse = {
  entitlements: {
    entityId: string;
    attributeValueFqns: string[];
  }[];
};

/**
 * Creates an interceptor that adds authentication headers to outgoing requests.
 *
 * This function uses the provided `AuthProvider` to generate authentication credentials
 * for each request. The `AuthProvider` is expected to implement a `withCreds` method
 * that returns an object containing authentication headers. These headers are then
 * added to the request before it is sent to the server.
 *
 * Because the interceptor attaches credentials to every request that passes
 * through it, install it only on the transport that talks to the intended
 * platform, not on a general-purpose transport.
 *
 * @param authProvider - An instance of `AuthProvider` used to generate authentication credentials.
 * @param _cryptoService - Optional crypto backend. NOTE(review): underscore-prefixed and
 *   apparently unused by the implementation — confirm before relying on it.
 * @returns An `Interceptor` function that modifies requests to include authentication headers.
 */
export declare function createAuthInterceptor(authProvider: AuthProvider, _cryptoService?: CryptoService): Interceptor;

/**
 * Creates a new instance of an OIDC Auth Provider consumed by the TDF Clients.
 *
 * @param options.oidc - OIDC client id plus the token and user-info endpoint URLs.
 * @param options.refreshToken - The refresh token used for authentication. Treat it
 *   as a secret: keep it out of logs, URLs and error messages.
 * @param options.cryptoService - Optional crypto backend.
 * @returns NOTE(review): the `Promise` type argument is missing; presumably
 *   `Promise<AuthProvider>` (the type is imported above and the doc says an Auth
 *   Provider is created) — confirm against the source.
 */
export declare function createAuthProvider(options: {
  oidc: {
    clientId: string;
    tokenEndpoint: string;
    userInfoEndpoint: string;
  };
  refreshToken: string;
  cryptoService?: CryptoService;
}): Promise;

/**
 * Builds an OpenTDF client bound to `platformEndpoint`, authenticating with the
 * given OIDC configuration and refresh token.
 *
 * @param options.platformEndpoint - Base URL of the platform.
 * @param options.refreshToken - Refresh token for authentication (a secret; see
 *   {@link createAuthProvider}).
 * @param options.obligations - Obligation identifiers passed to the client. Their
 *   exact role is not visible here; presumably the output of
 *   {@link flattenObligations} — confirm.
 * @param options.cryptoService - Optional crypto backend.
 * @returns NOTE(review): the `Promise` type argument is missing; presumably
 *   `Promise<OpenTDF>` (`OpenTDF` is imported above and otherwise unreferenced) — confirm.
 */
export declare function createOpenTDFClient(options: {
  oidc: {
    clientId: string;
    tokenEndpoint: string;
    userInfoEndpoint: string;
  };
  platformEndpoint: string;
  refreshToken: string;
  obligations: string[];
  cryptoService?: CryptoService;
}): Promise;

/**
 * Presumably looks up the obligations associated with a TDF ciphertext; the
 * declaration alone does not show what is resolved.
 *
 * @param ciphertext - The TDF payload to inspect.
 * @param options - Same connection options as {@link createOpenTDFClient}.
 * @returns NOTE(review): the `Promise` type argument is missing and cannot be
 *   inferred from this file — confirm against the source.
 */
export declare const getObligations: (ciphertext: ArrayBuffer, options: {
  oidc: {
    clientId: string;
    tokenEndpoint: string;
    userInfoEndpoint: string;
  };
  platformEndpoint: string;
  refreshToken: string;
  obligations: string[];
  cryptoService?: CryptoService;
}) => Promise;

/**
 * Fetches entitlements for the authenticated user from the platform.
 *
 * @param options - OIDC configuration, platform endpoint and refresh token.
 * @returns NOTE(review): the `Promise` type argument is missing; presumably
 *   `Promise<GetUserEntitlementsResponse>` (declared above, otherwise unreferenced) — confirm.
 */
export declare function getUserEntitlements(options: {
  oidc: {
    clientId: string;
    tokenEndpoint: string;
    userInfoEndpoint: string;
  };
  platformEndpoint: string;
  refreshToken: string;
  cryptoService?: CryptoService;
}): Promise;

/**
 * Flattens a {@link SupportedObligations} object into a single list of strings.
 * Presumably concatenates the `fully_qualified_names` of each feature that is
 * present — confirm against the implementation.
 */
export declare const flattenObligations: (obligations: SupportedObligations) => string[];

/**
 * Retrieves all trusted certificates from active namespaces in the platform.
 *
 * This function uses the new CertificateService API to retrieve certificates from all active
 * namespaces. It automatically handles pagination to ensure all certificates are retrieved.
 *
 * The function performs the following steps:
 * 1. Creates an authenticated auth provider with DPoP signing keys
 * 2. Lists all active namespaces using the PlatformClient
 * 3. For each namespace, retrieves all associated certificates using the CertificateService
 * 4. Aggregates and returns all certificates from all namespaces
 *
 * The returned certificates are presumably the trust anchors handed to
 * {@link validateJWSCertificateChain} (its example passes `namespaceCertificates`),
 * so they should only be accepted from an authenticated connection to the
 * intended platform endpoint.
 *
 * @param options - The options object containing the platform endpoint, OIDC configuration, and refresh token.
 * @param options.oidc - The OIDC configuration object.
 * @param options.oidc.clientId - The OIDC client ID.
 * @param options.oidc.tokenEndpoint - The OIDC token endpoint URL.
 * @param options.oidc.userInfoEndpoint - The OIDC user info endpoint URL.
 * @param options.platformEndpoint - The base URL of the platform.
 * @param options.refreshToken - The refresh token for authentication.
 * @param options.cryptoService - Optional crypto backend.
 * @returns A promise that resolves to an array of trusted certificates from all active namespaces.
 *   NOTE(review): the `Promise` type argument is missing; presumably `Promise<Certificate[]>`
 *   (matches the `trustedRootCertificates: Certificate[]` parameter below) — confirm.
 * @throws If there is an error retrieving namespaces or certificates.
 *
 * @example
 * ```typescript
 * const certificates = await getTrustedCertificates({
 *   oidc: {
 *     clientId: 'my-client-id',
 *     tokenEndpoint: 'https://auth.example.com/token',
 *     userInfoEndpoint: 'https://auth.example.com/userinfo',
 *   },
 *   platformEndpoint: 'https://platform.example.com',
 *   refreshToken: 'my-refresh-token',
 * });
 * ```
 */
export declare function getTrustedCertificates(options: {
  oidc: {
    clientId: string;
    tokenEndpoint: string;
    userInfoEndpoint: string;
  };
  platformEndpoint: string;
  refreshToken: string;
  cryptoService?: CryptoService;
}): Promise;

/**
 * Result of {@link validateJWSCertificateChain}.
 *
 * NOTE(review): `Record` carries no type arguments, which is invalid as written.
 * The example on validateJWSCertificateChain reads `validationResult.warnings`,
 * so it is at least a string-keyed object — confirm the exact key/value types.
 */
export type JWSValidationResult = {
  valid: boolean;
  validationResult: Record;
};

/**
 * Validate that a certificate chain from JWS x5c header chains to a trusted root.
 *
 * This function is designed to be portable and can be moved to another repository.
 * It validates that the certificate chain presented in a JWS x5c header builds a
 * valid chain to one of the provided trusted root certificates.
 *
 * Expectations and behavior:
 * - `x5c` must be ordered leaf-first and contain base64-encoded DER certs.
 * - `trustedRootCertificates` should contain PEM-encoded root certificates.
 * - Performs basic input size checks and safe base64 decoding.
 * - Uses PKI.js `CertificateChainValidationEngine` for comprehensive path validation
 *   (validity dates, signatures, policies when present, etc.).
 * - Returns detailed error messages including the leaf subject/issuer and parsing warnings.
 *
 * NOTE(review): the failure contract is ambiguous from this declaration alone —
 * `@throws` says a failed validation throws, while the result type carries
 * `valid: boolean`. Until confirmed, callers should treat a resolved result with
 * `valid === false` as a failure as well, rather than relying on the throw alone.
 *
 * @param x5c - Array of base64-encoded DER certificates from JWS header (leaf first)
 * @param trustedRootCertificates - Array of Certificate objects containing trusted roots in PEM format
 * @param _cryptoService - Optional crypto backend. NOTE(review): underscore-prefixed and
 *   apparently unused — confirm.
 * @returns Object with validation result and warnings.
 *   NOTE(review): the `Promise` type argument is missing; presumably
 *   `Promise<JWSValidationResult>` (declared above, otherwise unreferenced) — confirm.
 * @throws {Error} if validation fails
 *
 * @example
 * ```typescript
 * try {
 *   const result = await validateJWSCertificateChain(
 *     jwsHeader.x5c,
 *     namespaceCertificates
 *   );
 *   console.log('Chain validates to trusted root', result.validationResult.warnings);
 * } catch (error) {
 *   console.error('Validation failed:', error.message);
 * }
 * ```
 */
export declare function validateJWSCertificateChain(x5c: string[], trustedRootCertificates: Certificate[], _cryptoService?: CryptoService): Promise;