Skip to content

feat(docs): document WithPolicyFrom re-wrap helper #323

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
marythought wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

feat(docs): document WithPolicyFrom re-wrap helper #323

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
49 changes: 49 additions & 0 deletions docs/sdks/tdf.mdx
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -600,6 +600,55 @@ A non-nil error (Go) or `IOException` (Java) indicates an I/O failure reading th

---

## WithPolicyFrom

Returns a `TDFOption` that binds the source TDF's policy — its attribute value FQNs — to the new TDF being created. Use this in re-wrap pipelines to preserve the source policy without having to know about the manifest's base64 + JSON encoding.

**Signature**

<Tabs>
<TabItem value="go" label="Go">

<SdkVersion language="go" version="0.21.0" source="opentdf" />

```go
func WithPolicyFrom(r *Reader) TDFOption
```

This is a package-level function in the `sdk` package, not a method on the client.

</TabItem>
</Tabs>

**Parameters**

| Parameter | Required | Description |
|-----------|----------|-------------|
| `r` | Required | An initialized `*sdk.Reader`, typically returned by [`LoadTDF`](#loadtdf). Must have `Init(ctx)` called before being passed here — `Reader.DataAttributes` requires the policy field to be parsed. |
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

This parameter description states that Init(ctx) must be called because Reader.DataAttributes requires the policy field to be parsed. However, the existing documentation and examples for DataAttributes() (lines 903-917) do not mention this requirement, and the example there shows the method being called without a preceding Init(). This inconsistency should be resolved to avoid confusing users—either by updating the DataAttributes documentation or by clarifying why Init is specifically required in this context.


**Example**

<Tabs>
<TabItem value="go" label="Go">

```go
if ok, _ := sdk.IsValidTdf(file); !ok {
// pass through unchanged
}
reader, _ := s.LoadTDF(file)
_ = reader.Init(ctx)
_, _ = s.CreateTDF(out, transformed, sdk.WithPolicyFrom(reader))
Comment on lines +635 to +640
Copy link
Copy Markdown
Contributor

@gemini-code-assist gemini-code-assist Bot May 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

The example code contains a logic error and a naming inconsistency:

  1. The if block for IsValidTdf is missing a return statement. Without it, the code would proceed to call LoadTDF even if the validation fails, which contradicts the "pass through unchanged" comment.
  2. The variable s is used for the SDK client, but the rest of this document consistently uses client (e.g., lines 52, 63, 71, 234, 401).
if ok, _ := sdk.IsValidTdf(file); !ok {
    return // pass through unchanged
}
reader, _ := client.LoadTDF(file)
_ = reader.Init(ctx)
_, _ = client.CreateTDF(out, transformed, sdk.WithPolicyFrom(reader))

```

</TabItem>
</Tabs>

**Returns**

A `TDFOption` that, when applied to a `TDFConfig` via [`CreateTDF`](#createtdf), binds all attribute value FQNs from the source TDF's policy to the new TDF. Returns an error during config application if the source `Reader` is nil or its `DataAttributes` cannot be read.

---

## BulkDecrypt

Decrypts multiple TDFs in a single operation, batching KAS key rewrap requests to reduce round-trip overhead.
Expand Down
Loading