{"id":15071163,"url":"https://github.com/opentdf/platform","last_synced_at":"2026-05-07T00:03:04.942Z","repository":{"id":231788326,"uuid":"727351867","full_name":"opentdf/platform","owner":"opentdf","description":"Persistent data centric security that extends owner control wherever data travels","archived":false,"fork":false,"pushed_at":"2025-02-13T20:56:15.000Z","size":54061,"stargazers_count":22,"open_issues_count":116,"forks_count":13,"subscribers_count":16,"default_branch":"main","last_synced_at":"2025-02-13T21:33:46.903Z","etag":null,"topics":["data-encryption","data-tagging","drm","end-to-end-encryption","file-encryption","go","golang","open-source","opensource","opentdf","tdf","zero-trust","zero-trust-security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause-clear","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/opentdf.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/Contributing-errors.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-12-04T17:34:44.000Z","updated_at":"2025-02-07T21:10:28.000Z","dependencies_parsed_at":"2024-04-18T17:40:51.598Z","dependency_job_id":"8511aba7-b549-4846-b581-12c59ae50b13","html_url":"https://github.com/opentdf/platform","commit_stats":{"total_commits":803,"total_committers":32,"mean_commits":25.09375,"dds":0.8019925280199253,"last_synced_commit":"7dc0b91838d459cefbcd63ec311f963deca5f60f"},"previous_names":["opentdf/platform","opentdf/opentdf-v2-poc"],"tags_count":132,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opentdf%2Fpla
tform","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opentdf%2Fplatform/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opentdf%2Fplatform/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opentdf%2Fplatform/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/opentdf","download_url":"https://codeload.github.com/opentdf/platform/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":238963690,"owners_count":19559738,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["data-encryption","data-tagging","drm","end-to-end-encryption","file-encryption","go","golang","open-source","opensource","opentdf","tdf","zero-trust","zero-trust-security"],"created_at":"2024-09-25T02:35:37.088Z","updated_at":"2026-04-17T19:04:36.610Z","avatar_url":"https://github.com/opentdf.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# OpenTDF\n\n![Vulnerability Check](https://github.com/opentdf/platform/actions/workflows/vulnerability-check.yaml/badge.svg?branch=main)\n\n\u003e [!NOTE]\n\u003e It is advised to familiarize yourself with the [terms and concepts](./README.md#terms-and-concepts) used in the\n\u003e OpenTDF platform.\n\n## Documentation\n\n- [Configuration](./docs/Configuring.md)\n- [Multi-Strategy Entity Resolution Service](./ERS_TESTING.md)\n- [Development](#for-contributors)\n- [Policy Config Schema](./service/policy/db/schema_erd.md)\n- [Policy Config Testing 
Diagram](./service/integration/testing_diagram.png)\n\n### Prerequisites for Project Consumers \u0026 Contributors\n\n- [Go](https://go.dev/) (_see go.mod for specific version_)\n- Container runtime\n  - [Docker](https://www.docker.com/get-started/)\n  - [Podman](https://podman.io/docs/installation)\n- Compose - used to manage multi-container applications\n  - [Docker Compose](https://docs.docker.com/compose/install/)\n  - [Podman Compose](https://github.com/containers/podman-compose)\n- [Buf](https://buf.build/docs/ecosystem/cli-overview) is used for managing protobuf files.\n  - [protoc-gen-doc](https://github.com/pseudomuto/protoc-gen-doc) used for generating documentation from protobuf\n  - [protoc-gen-connect-openapi](https://github.com/sudorandom/protoc-gen-connect-openapi) used for generating OpenAPI v3.1 docs for ConnectRPC\n  Required for developing services.\n- [golangci-lint](https://golangci-lint.run/) is used for ensuring good coding practices.\n  Use `make go-lint` to run it before submitting a PR.\n\nOn macOS, these can be installed with [brew](https://docs.brew.sh/Installation):\n\n```sh\nbrew install buf go golangci-lint\n```\n\n#### Optional tools\n\n- _Optional_ [Air](https://github.com/cosmtrek/air) is used for hot-reload development\n  - install with `go install github.com/air-verse/air@latest`\n- _Optional_ [grpcurl](https://github.com/fullstorydev/grpcurl) is used for testing gRPC services\n  - install with `brew install grpcurl`\n- _Optional_ [openssl](https://www.openssl.org/) is used for generating certificates\n  - install with `brew install openssl`\n\n## Audience\n\nThere are two primary audiences for this project: Consumers and Contributors.\n\n1. Consuming\nConsumers of the OpenTDF platform should begin their journey [here](./docs/Consuming.md).\n\n2. 
Contributing\nTo contribute to the OpenTDF platform, you'll need a bit more setup and should start [here](./docs/Contributing.md).\n\n## Additional info for Project Consumers \u0026 Contributors\n\n## For Consumers\n\nThe OpenTDF service is the main entry point for the OpenTDF platform. [See service documentation](./service/README.md)\nfor more information.\n\n### Quick Start\n\nConsumers of the OpenTDF platform: [Running the Platform Locally](./docs/Consuming.md).\n\n### Multi-Strategy Entity Resolution Service\n\nThe OpenTDF platform supports a powerful multi-strategy Entity Resolution Service (ERS) that can integrate with multiple identity providers and data sources simultaneously.\n\n#### Quick Start with Multi-Strategy ERS (Preview)\n\n\u003e **⚠️ Preview Feature**: Multi-Strategy ERS is in preview (V2 only). APIs may change.\n\nTo run OpenTDF with comprehensive entity resolution using SQL and LDAP providers:\n\n```sh\n# Start core infrastructure + ERS test services\ndocker compose --profile ers-test up\n\n# Use the multi-strategy configuration\ngo run ./service start --config opentdf-ers-test.yaml\n```\n\nThis enables entity resolution from:\n- **JWT Claims** - Direct token claim extraction\n- **PostgreSQL** - SQL database queries for organizational data\n- **LDAP/Active Directory** - Directory service integration\n\n#### ERS Provider Testing\n\nTest the multi-strategy ERS functionality:\n\n```sh\n# Run integration tests (Docker services provide the backends automatically)\ngo test ./service/entityresolution/integration -run TestMultiStrategy -v\n```\n\n#### Configuration Options\n\n- **`opentdf-ers-test.yaml`** - Complete OpenTDF platform with multi-strategy ERS\n- **`ERS_TESTING.md`** - Comprehensive documentation and examples\n\nThe multi-strategy ERS (preview) provides enterprise-grade identity resolution with failover, multiple provider support, and flexible mapping strategies.\n\n## For Contributors\n\nThis section is focused on the development of the 
OpenTDF platform.\n\n### Libraries\n\nLibraries `./lib` are shared libraries that are used across the OpenTDF platform. These libraries are used to provide\ncommon functionality between the various sub-modules of the platform monorepo. Specifically, these libraries are shared\nbetween the services and the SDKs.\n\n### Services\n\nServices `./service` are the core building blocks of the OpenTDF platform. Generally, each service is one or more gRPC services that\nare scoped to a namespace. The essence of the service is that it takes a modular binary architecture approach enabling\nmultiple deployment models.\n\n### SDKs\n\nSDKs `./sdk` are the contracts which the platform uses to ensure that developers and services can interact with the\nplatform. The SDKs contain a native Go SDK and generated Go service SDKs. A full list of SDKs can be found at\n[github.com/opentdf](https://github.com/opentdf).\n\n### How To Add a New Go Module\n\nWithin this repo, to define a new, distinct [go module](https://go.dev/ref/mod),\nfor example to provide shared functionality between several existing modules,\nor to define new and unique functionality,\nfollow these steps.\nFor this example, we will call our new module `lib/foo`.\n\n```sh\nmkdir -p lib/foo\ncd lib/foo\ngo mod init github.com/opentdf/platform/lib/foo\ngo work use .\n```\n\nIn this folder, create your go code as usual.\n\n#### Add a README.md and a LICENSE File\n\nA README is recommended to assist with orientation to use of your package.\nRemember, this will be published to \u003chttps://pkg.go.dev/\u003e as part of the module documentation.\n\nMake sure to add a LICENSE file to your module to support automated license checks.\nFeel free to copy the existing (BSD-clear) LICENSE file for most new modules.\n\n#### Updating the Makefile\n\n1. Add your module to the `MODS` variable:\n\n   ```Makefile\n   MODS=protocol/go sdk . examples lib/foo\n   ```\n\n2. 
_If required:_ if your project does not generate a built artifact,\n   add a phony binary target to the `.PHONY` declaration.\n\n   ```Makefile\n   .PHONY: ...existing phony targets... lib/foo/foo\n   ```\n\n3. Add your build target to the `build` phony target.\n\n   ```Makefile\n   build: ...existing targets... lib/foo/foo\n   ```\n\n4. Add your build target and rule.\n\n   ```Makefile\n   lib/foo/foo: $(shell find lib/foo)\n   \t(cd lib/foo \u0026\u0026 go build ./...)\n   ```\n\n#### Updating the Docker Images\n\nAdd any required `COPY` directives to `./Dockerfile`:\n\n```Dockerfile\nCOPY lib/foo/ lib/foo/\n```\n\n#### Updating the Workflow Files\n\n1. Add your new `go.mod` directory to the `.github/workflows/checks.yaml`'s `go` job's `strategy.matrix.directory` line.\n2. Add the module to the `license` job in the `checks` workflow as well, especially if you declare _any_ dependencies.\n3. Do the same for any other workflows that should be running on your folder, such as `vuln-check` and `lint`.\n\n---\n\n## Generating API Documentation\n\nTo generate all protobuf, gRPC, and OpenAPI documentation (including OpenAPI v2 and v3.1 for ConnectRPC), run:\n\n```fish\nmake proto-generate\n```\n\nThis will output documentation to `docs/openapi` and `docs/grpc`.\n\n### Required Tools\n\nInstall the following tools if you haven't already:\n\n```fish\n# Install buf\nbrew install bufbuild/buf/buf\n# or\ngo install github.com/bufbuild/buf/cmd/buf@latest\n\n# Install protoc-gen-doc\ngo install github.com/pseudomuto/protoc-gen-doc/cmd/protoc-gen-doc@v1.5.1\n\n# Install protoc-gen-connect-openapi\ngo install github.com/sudorandom/protoc-gen-connect-openapi@latest\n```\n\nMake sure your Go bin directory (usually `$HOME/go/bin`) is in your `PATH`.\n\n## Terms and Concepts\n\nCommon terms used in the OpenTDF platform.\n\n**Service** is the core service of the OpenTDF platform as well as the sub-services that make up the platform. 
The main\nservice follows a modular binary architecture, while the sub-services are gRPC services with HTTP gateways.\n\n**Policy** is the set of rules that govern access to the platform.\n\n**OIDC** is the OpenID Connect protocol used solely for authentication within the OpenTDF platform.\n\n- **IdP** - Identity Provider. This is the service that authenticates the user.\n- **Keycloak** is the turn-key OIDC provider used within the platform for proof-of-value, but should be replaced with a\n  production-grade OIDC provider or deployment.\n\n**Attribute Based Access Control** (ABAC) is the policy-based access control model used within the OpenTDF platform.\n\n- PEP - A Policy Enforcement Point. This is a service that enforces access control policies.\n- PDP - A Policy Decision Point. This is a service that makes access control decisions.\n\n**Entities** are the main actors within the OpenTDF platform. These include people and systems.\n\n- Person Entity (PE) - A person entity is a person that is interacting with the platform.\n- Non Person Entity (NPE) - A non-person entity is a service or system that is interacting with the platform.\n\n**SDKs** are the contracts which the platform uses to ensure that developers and services can interact with the platform.\n\n- SDK - The native Go OpenTDF SDK (other languages are outside the platform repo).\n  - A full list of SDKs can be found at [github.com/opentdf](https://github.com/opentdf).\n- Service SDK - The SDK generated from the service proto definitions.\n  - The proto definitions are maintained by each service.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopentdf%2Fplatform","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopentdf%2Fplatform","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopentdf%2Fplatform/lists"}