Commit 0612ea8
authored
feat(ci): add DPoP nonce-challenge and enforcement inputs to test actions (DSPX-3397) (#3667)
## Summary
Part of DSPX-3397. Adds two independent inputs to the composite test
actions so xtest can exercise DPoP end-to-end:
- `dpop-challenge-enabled` (default `false`) → sets
`server.auth.dpop.require_nonce: true`.
- When receiving a resource request (i.e. a rewrap or policy service
request) with a `DPoP` authorization header, issue a `challenge` to make
sure the requestor is in possession of the DPoP secret.
- This was already present for `start-up-with-containers`, but adding to
`start-additional-kas` to allow testing in multi-kas scenarios,
including making sure that the kases expect and require unique nonce
values.
- `dpop-enforce-required` (default `false`) → sets
`server.auth.dpop.enforce: true`.
- Disable plain `Bearer` authZ in favor of *ONLY* DPoP tokens. Useful
for testing, but not ready for deployment.
The two are decoupled: enforcement (reject non-DPoP tokens) is separate
from the nonce-challenge feature.
## Changes
- `test/start-additional-kas/action.yaml` and
`test/start-up-with-containers/action.yaml`: new inputs + true/false
validation + env wiring.
- The `enforce` knob only ever turns enforcement **on** — it never
writes `enforce: false` (so any base value is preserved):
start-additional-kas uses `with(select(...))`, start-up-with-containers
sets it in a step gated on the flag.
## Note on dependency
The `enforce` setting relies on `server.auth.dpop.enforce` (introduced
in #3666). Setting it before that lands is harmless (an older platform
ignores the unknown config key), and these actions build the platform
from the checked-out ref, so the field is honored within a PR run.
## Testing
- Both action YAMLs validated with `yq`.
- Verified: flag off → `enforce` untouched (no `false` written); flag on
→ `enforce: true`; `require_nonce` tracks only `dpop-challenge-enabled`.
<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit
## Summary by CodeRabbit
* **New Features**
* Added boolean-like inputs to control DPoP behavior in test startup
workflows: enabling nonce challenges and enforcing DPoP-bound access
tokens.
* Additional KAS and container-based startup flows now conditionally
apply these DPoP settings when generating/updating configuration.
* **Validation**
* Updated input validation to accept only `true` or `false` for the new
DPoP options.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->
---------
Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>1 parent ed2a0a5 commit 0612ea8
2 files changed
Lines changed: 55 additions & 0 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
34 | 34 | | |
35 | 35 | | |
36 | 36 | | |
| 37 | + | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | |
| 44 | + | |
37 | 45 | | |
38 | 46 | | |
39 | 47 | | |
| |||
54 | 62 | | |
55 | 63 | | |
56 | 64 | | |
| 65 | + | |
| 66 | + | |
57 | 67 | | |
58 | 68 | | |
59 | 69 | | |
| |||
122 | 132 | | |
123 | 133 | | |
124 | 134 | | |
| 135 | + | |
| 136 | + | |
| 137 | + | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
| 147 | + | |
| 148 | + | |
| 149 | + | |
| 150 | + | |
| 151 | + | |
| 152 | + | |
| 153 | + | |
| 154 | + | |
125 | 155 | | |
126 | 156 | | |
127 | 157 | | |
| |||
143 | 173 | | |
144 | 174 | | |
145 | 175 | | |
| 176 | + | |
| 177 | + | |
146 | 178 | | |
147 | 179 | | |
148 | 180 | | |
| |||
164 | 196 | | |
165 | 197 | | |
166 | 198 | | |
| 199 | + | |
| 200 | + | |
167 | 201 | | |
168 | 202 | | |
169 | 203 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
35 | 35 | | |
36 | 36 | | |
37 | 37 | | |
| 38 | + | |
| 39 | + | |
| 40 | + | |
| 41 | + | |
38 | 42 | | |
39 | 43 | | |
40 | 44 | | |
| |||
58 | 62 | | |
59 | 63 | | |
60 | 64 | | |
| 65 | + | |
61 | 66 | | |
62 | 67 | | |
63 | 68 | | |
| |||
130 | 135 | | |
131 | 136 | | |
132 | 137 | | |
| 138 | + | |
| 139 | + | |
| 140 | + | |
| 141 | + | |
| 142 | + | |
| 143 | + | |
| 144 | + | |
| 145 | + | |
| 146 | + | |
| 147 | + | |
133 | 148 | | |
134 | 149 | | |
135 | 150 | | |
| |||
281 | 296 | | |
282 | 297 | | |
283 | 298 | | |
| 299 | + | |
| 300 | + | |
| 301 | + | |
| 302 | + | |
| 303 | + | |
| 304 | + | |
284 | 305 | | |
285 | 306 | | |
286 | 307 | | |
| |||
0 commit comments