Skip to content

Commit 0612ea8

Browse files
feat(ci): add DPoP nonce-challenge and enforcement inputs to test actions (DSPX-3397) (#3667)
## Summary Part of DSPX-3397. Adds two independent inputs to the composite test actions so xtest can exercise DPoP end-to-end: - `dpop-challenge-enabled` (default `false`) → sets `server.auth.dpop.require_nonce: true`. - When receiving a resource request (i.e. a rewrap or policy service request) with a `DPoP` authorization header, issue a `challenge` to make sure the requestor is in possession of the DPoP secret. - This was already present for `start-up-with-containers`, but adding to `start-additional-kas` to allow testing in multi-kas scenarios, including making sure that the kases expect and require unique nonce values. - `dpop-enforce-required` (default `false`) → sets `server.auth.dpop.enforce: true`. - Disable plain `Bearer` authZ in favor of *ONLY* DPoP tokens. Useful for testing, but not ready for deployment. The two are decoupled: enforcement (reject non-DPoP tokens) is separate from the nonce-challenge feature. ## Changes - `test/start-additional-kas/action.yaml` and `test/start-up-with-containers/action.yaml`: new inputs + true/false validation + env wiring. - The `enforce` knob only ever turns enforcement **on** — it never writes `enforce: false` (so any base value is preserved): start-additional-kas uses `with(select(...))`, start-up-with-containers sets it in a step gated on the flag. ## Note on dependency The `enforce` setting relies on `server.auth.dpop.enforce` (introduced in #3666). Setting it before that lands is harmless (an older platform ignores the unknown config key), and these actions build the platform from the checked-out ref, so the field is honored within a PR run. ## Testing - Both action YAMLs validated with `yq`. - Verified: flag off → `enforce` untouched (no `false` written); flag on → `enforce: true`; `require_nonce` tracks only `dpop-challenge-enabled`. <!-- This is an auto-generated comment: release notes by coderabbit.ai --> ## Summary by CodeRabbit ## Summary by CodeRabbit * **New Features** * Added boolean-like inputs to control DPoP behavior in test startup workflows: enabling nonce challenges and enforcing DPoP-bound access tokens. * Additional KAS and container-based startup flows now conditionally apply these DPoP settings when generating/updating configuration. * **Validation** * Updated input validation to accept only `true` or `false` for the new DPoP options. <!-- end of auto-generated comment: release notes by coderabbit.ai --> --------- Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>
1 parent ed2a0a5 commit 0612ea8

2 files changed

Lines changed: 55 additions & 0 deletions

File tree

test/start-additional-kas/action.yaml

Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -34,6 +34,14 @@ inputs:
3434
default: "text"
3535
description: 'Log format type (text, json)'
3636
required: false
37+
dpop-challenge-enabled:
38+
default: "false"
39+
description: 'Whether to enable the DPoP nonce challenge flow (sets server.auth.dpop.require_nonce: true)'
40+
required: false
41+
dpop-enforce-required:
42+
default: "false"
43+
description: 'Whether to enforce DPoP-bound access tokens (sets server.auth.dpop.enforce: true)'
44+
required: false
3745

3846
outputs:
3947
log-file:
@@ -54,6 +62,8 @@ runs:
5462
ROOT_KEY: ${{ inputs.root-key }}
5563
LOG_LEVEL: ${{ inputs.log-level }}
5664
LOG_TYPE: ${{ inputs.log-type }}
65+
DPOP_CHALLENGE_ENABLED: ${{ inputs.dpop-challenge-enabled }}
66+
DPOP_ENFORCE_REQUIRED: ${{ inputs.dpop-enforce-required }}
5767
run: |
5868
# Validate kas-port (must be a valid port number 1-65535)
5969
if [[ ! "${KAS_PORT}" =~ ^[0-9]+$ ]] || (( KAS_PORT < 1 || KAS_PORT > 65535 )); then
@@ -122,6 +132,26 @@ runs:
122132
exit 1
123133
;;
124134
esac
135+
136+
# Validate dpop-challenge-enabled (must be true or false)
137+
case "${DPOP_CHALLENGE_ENABLED}" in
138+
true|false)
139+
;;
140+
*)
141+
echo "Error: dpop-challenge-enabled must be 'true' or 'false'."
142+
exit 1
143+
;;
144+
esac
145+
146+
# Validate dpop-enforce-required (must be true or false)
147+
case "${DPOP_ENFORCE_REQUIRED}" in
148+
true|false)
149+
;;
150+
*)
151+
echo "Error: dpop-enforce-required must be 'true' or 'false'."
152+
exit 1
153+
;;
154+
esac
125155
- name: Set log file path
126156
id: log-path
127157
shell: bash
@@ -143,6 +173,8 @@ runs:
143173
ROOT_KEY: ${{ inputs.root-key }}
144174
LOG_LEVEL: ${{ inputs.log-level }}
145175
LOG_TYPE: ${{ inputs.log-type }}
176+
DPOP_CHALLENGE_ENABLED: ${{ inputs.dpop-challenge-enabled }}
177+
DPOP_ENFORCE_REQUIRED: ${{ inputs.dpop-enforce-required }}
146178
with:
147179
run: |
148180
# Disable PQC if key files weren't generated by the platform
@@ -164,6 +196,8 @@ runs:
164196
| del(.services.kas.root_key)
165197
| (.logger.level = env(LOG_LEVEL))
166198
| (.logger.type = env(LOG_TYPE))
199+
| with(select(env(DPOP_CHALLENGE_ENABLED) == "true"); .server.auth.dpop.require_nonce = true)
200+
| with(select(env(DPOP_ENFORCE_REQUIRED) == "true"); .server.auth.dpop.enforce = true)
167201
| (.sdk_config = {"client_id":"opentdf","client_secret":"secret","core":{"endpoint":"http://localhost:8080","plaintext":true}})
168202
' opentdf-dev.yaml > opentdf-${KAS_NAME}.yaml
169203
if [ "${KEY_MANAGEMENT}" == "true" ]; then

test/start-up-with-containers/action.yaml

Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,10 @@ inputs:
3535
default: "false"
3636
description: 'Whether to enable the DPoP nonce challenge flow (sets server.auth.dpop.require_nonce: true)'
3737
required: false
38+
dpop-enforce-required:
39+
default: "false"
40+
description: 'Whether to enforce DPoP-bound access tokens (sets server.auth.dpop.enforce: true)'
41+
required: false
3842

3943
outputs:
4044
platform-working-dir:
@@ -58,6 +62,7 @@ runs:
5862
LOG_TYPE: ${{ inputs.log-type }}
5963
PROVISION_POLICY_FIXTURES: ${{ inputs.provision-policy-fixtures }}
6064
DPOP_CHALLENGE_ENABLED: ${{ inputs.dpop-challenge-enabled }}
65+
DPOP_ENFORCE_REQUIRED: ${{ inputs.dpop-enforce-required }}
6166
run: |
6267
# Validate platform-ref (must contain only safe characters for a git ref)
6368
if [[ ! "${PLATFORM_REF}" =~ ^[a-zA-Z0-9._/-]+$ ]]; then
@@ -130,6 +135,16 @@ runs:
130135
exit 1
131136
;;
132137
esac
138+
139+
# Validate dpop-enforce-required (must be true or false)
140+
case "${DPOP_ENFORCE_REQUIRED}" in
141+
true|false)
142+
;;
143+
*)
144+
echo "Error: dpop-enforce-required must be 'true' or 'false'."
145+
exit 1
146+
;;
147+
esac
133148
- name: Check out platform
134149
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
135150
with:
@@ -281,6 +296,12 @@ runs:
281296
run: |
282297
yq e '.server.auth.dpop.require_nonce = true' -i opentdf.yaml
283298
working-directory: otdf-test-platform
299+
- name: Enable DPoP enforcement
300+
shell: bash
301+
if: ${{ inputs.dpop-enforce-required == 'true' }}
302+
run: |
303+
yq e '.server.auth.dpop.enforce = true' -i opentdf.yaml
304+
working-directory: otdf-test-platform
284305
- name: Overlay DPoP-capable Keycloak (26.2)
285306
# The default docker-compose pins Keycloak 25 so downstream consumers stay on
286307
# it; DPoP testing needs Keycloak 26.2 plus the admin-fine-grained-authz:v1

0 commit comments

Comments
 (0)