feat(ci): add DPoP nonce-challenge and enforcement inputs to test actions (DSPX-3397)#3667
dmihalcik-virtru wants to merge 3 commits into
The DPoP nonce challenge only applies to DPoP-bound requests; without enforcement a plain Bearer token bypasses DPoP validation and never sees a challenge. When dpop-challenge-enabled is set, also set server.auth.dpop.enforce alongside require_nonce in both start actions. The flag only ever turns enforcement on: start-additional-kas uses with(select(...)) so it never writes enforce: false (preserving any base value), and start-up-with-containers sets it inside the step already gated on the flag. Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>
DPoP enforcement and the nonce-challenge flow are separate concerns. Replace the coupling (where dpop-challenge-enabled also set server.auth.dpop.enforce) with a dedicated dpop-enforce-required input (default false) that drives enforcement on its own. dpop-challenge-enabled again sets only require_nonce. The enforce knob only ever turns enforcement on: start-additional-kas uses with(select(...)) keyed on DPOP_ENFORCE_REQUIRED, and start-up-with-containers sets it in a new step gated on the flag, so enforce: false is never written. Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>
Summary of Changes (Gemini Code Assist): This pull request introduces configuration flexibility to the CI test actions, enabling developers to exercise DPoP (Demonstrating Proof-of-Possession) flows in end-to-end tests. By adding decoupled inputs for nonce-challenge and enforcement, the changes allow for granular control over security settings without modifying the underlying platform code, facilitating more robust testing of authentication features.
Code Review
This pull request introduces configuration options to enable and enforce DPoP (Demonstrating Proof-of-Possession) in the test actions start-additional-kas and start-up-with-containers. It adds the dpop-challenge-enabled and dpop-enforce-required inputs, validates their values, and updates the configuration files using yq. The feedback suggests modifying the yq command in start-additional-kas/action.yaml to conditionally set require_nonce only when enabled, ensuring consistency and avoiding writing explicit false values to the configuration.
(.server.auth.dpop.require_nonce = (env(DPOP_CHALLENGE_ENABLED) == "true")) |
with(select(env(DPOP_ENFORCE_REQUIRED) == "true"); .server.auth.dpop.enforce = true)
To maintain consistency with start-up-with-containers/action.yaml and avoid writing explicit false values to the configuration file when the feature is disabled, use with(select(...)) for require_nonce as well. This ensures that the key is only written when enabled, preserving any default or pre-existing values.
with(select(env(DPOP_CHALLENGE_ENABLED) == "true"); .server.auth.dpop.require_nonce = true) |
with(select(env(DPOP_ENFORCE_REQUIRED) == "true"); .server.auth.dpop.enforce = true)
Summary
Part of DSPX-3397. Adds two independent inputs to the composite test actions so xtest can exercise DPoP end-to-end:
- `dpop-challenge-enabled` (default `false`) → sets `server.auth.dpop.require_nonce: true`.
- `dpop-enforce-required` (default `false`) → sets `server.auth.dpop.enforce: true`.

The two are decoupled: enforcement (reject non-DPoP tokens) is separate from the nonce-challenge feature.
Changes
- `test/start-additional-kas/action.yaml` and `test/start-up-with-containers/action.yaml`: new inputs + true/false validation + env wiring.
- `enforce` knob only ever turns enforcement on — it never writes `enforce: false` (so any base value is preserved): start-additional-kas uses `with(select(...))`, start-up-with-containers sets it in a step gated on the flag.

Note on dependency

The `enforce` setting relies on `server.auth.dpop.enforce` (introduced in #3666). Setting it before that lands is harmless (an older platform ignores the unknown config key), and these actions build the platform from the checked-out ref, so the field is honored within a PR run.

Testing

yq. `enforce` untouched (no `false` written); flag on → `enforce: true`; `require_nonce` tracks only `dpop-challenge-enabled`.
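To make the decoupling concrete, here is an added example (not code from this PR or the platform) that models a resource server's token gate with the two settings: `require_nonce` only affects DPoP-bound requests, and only `enforce` turns away a plain Bearer token. The `DpopConfig`/`DpopGate` names, the request model and the nonce bookkeeping are assumptions for illustration.

```python
"""Added example (not PR or platform code): how `enforce` and `require_nonce`
interact at a resource server. Names and the request model are assumptions."""
import secrets
from dataclasses import dataclass, field


@dataclass
class DpopConfig:
    enforce: bool = False        # mirrors server.auth.dpop.enforce
    require_nonce: bool = False  # mirrors server.auth.dpop.require_nonce


@dataclass
class DpopGate:
    cfg: DpopConfig
    issued_nonces: set = field(default_factory=set)  # nonces this server handed out

    def fresh_nonce(self) -> str:
        """Mint a server nonce, as sent back in a DPoP-Nonce header with a challenge."""
        nonce = secrets.token_urlsafe(16)
        self.issued_nonces.add(nonce)
        return nonce

    def decide(self, scheme: str, proof_nonce=None):
        """Return (status, reason) for an Authorization scheme and, for DPoP,
        the nonce claim found in the proof (None when the proof carries none)."""
        if scheme.lower() == "bearer":
            # A plain Bearer token never enters DPoP validation, so it can never
            # receive a nonce challenge; only `enforce` rejects it.
            if self.cfg.enforce:
                return 401, "invalid_token: DPoP-bound token required"
            return 200, "ok (bearer, DPoP checks bypassed)"
        if scheme.lower() != "dpop":
            return 401, "invalid_token: unknown scheme"
        # DPoP-bound request: the nonce challenge applies only here, and only
        # when require_nonce is on; enforce plays no part in this branch.
        if self.cfg.require_nonce and proof_nonce not in self.issued_nonces:
            return 401, "use_dpop_nonce"  # client retries with DPoP-Nonce value
        return 200, "ok (dpop)"


def flag_matrix():
    """Outcome of a Bearer request and a nonce-less DPoP request per flag pair."""
    out = {}
    for enforce in (False, True):
        for require_nonce in (False, True):
            gate = DpopGate(DpopConfig(enforce, require_nonce))
            out[(enforce, require_nonce)] = (gate.decide("Bearer")[0],
                                             gate.decide("DPoP")[1])
    return out
```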