34 changes: 34 additions & 0 deletions test/start-additional-kas/action.yaml
Expand Up @@ -34,6 +34,14 @@ inputs:
default: "text"
description: 'Log format type (text, json)'
required: false
dpop-challenge-enabled:
default: "false"
description: 'Whether to enable the DPoP nonce challenge flow (sets server.auth.dpop.require_nonce: true)'
required: false
dpop-enforce-required:
default: "false"
description: 'Whether to enforce DPoP-bound access tokens (sets server.auth.dpop.enforce: true)'
required: false

outputs:
log-file:
Expand All @@ -54,6 +62,8 @@ runs:
ROOT_KEY: ${{ inputs.root-key }}
LOG_LEVEL: ${{ inputs.log-level }}
LOG_TYPE: ${{ inputs.log-type }}
DPOP_CHALLENGE_ENABLED: ${{ inputs.dpop-challenge-enabled }}
DPOP_ENFORCE_REQUIRED: ${{ inputs.dpop-enforce-required }}
run: |
# Validate kas-port (must be a valid port number 1-65535)
if [[ ! "${KAS_PORT}" =~ ^[0-9]+$ ]] || (( KAS_PORT < 1 || KAS_PORT > 65535 )); then
Expand Down Expand Up @@ -122,6 +132,26 @@ runs:
exit 1
;;
esac

# Validate dpop-challenge-enabled (must be true or false)
case "${DPOP_CHALLENGE_ENABLED}" in
true|false)
;;
*)
echo "Error: dpop-challenge-enabled must be 'true' or 'false'."
exit 1
;;
esac

# Validate dpop-enforce-required (must be true or false)
case "${DPOP_ENFORCE_REQUIRED}" in
true|false)
;;
*)
echo "Error: dpop-enforce-required must be 'true' or 'false'."
exit 1
;;
esac
- name: Set log file path
id: log-path
shell: bash
Expand All @@ -143,6 +173,8 @@ runs:
ROOT_KEY: ${{ inputs.root-key }}
LOG_LEVEL: ${{ inputs.log-level }}
LOG_TYPE: ${{ inputs.log-type }}
DPOP_CHALLENGE_ENABLED: ${{ inputs.dpop-challenge-enabled }}
DPOP_ENFORCE_REQUIRED: ${{ inputs.dpop-enforce-required }}
with:
run: |
# Disable PQC if key files weren't generated by the platform
Expand All @@ -164,6 +196,8 @@ runs:
| del(.services.kas.root_key)
| (.logger.level = env(LOG_LEVEL))
| (.logger.type = env(LOG_TYPE))
| (.server.auth.dpop.require_nonce = (env(DPOP_CHALLENGE_ENABLED) == "true"))
| with(select(env(DPOP_ENFORCE_REQUIRED) == "true"); .server.auth.dpop.enforce = true)
medium

To maintain consistency with start-up-with-containers/action.yaml and avoid writing explicit false values to the configuration file when the feature is disabled, use with(select(...)) for require_nonce as well. This ensures that the key is only written when enabled, preserving any default or pre-existing values.

            | with(select(env(DPOP_CHALLENGE_ENABLED) == "true"); .server.auth.dpop.require_nonce = true)
            | with(select(env(DPOP_ENFORCE_REQUIRED) == "true"); .server.auth.dpop.enforce = true)

| (.sdk_config = {"client_id":"opentdf","client_secret":"secret","core":{"endpoint":"http://localhost:8080","plaintext":true}})
' opentdf-dev.yaml > opentdf-${KAS_NAME}.yaml
if [ "${KEY_MANAGEMENT}" == "true" ]; then
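Review bot: The two new `case` blocks at the end of the input-validation script (the dpop-challenge-enabled and dpop-enforce-required checks) are copies of each other and of the pattern used for the earlier inputs; a small helper keeps the accepted set and the error text in one place, so a later input cannot drift to accepting `True` or `yes` in one check but not another. The strict lowercase `true|false` set matters here because the yq step further down compares `env(DPOP_CHALLENGE_ENABLED) == "true"` and `env(DPOP_ENFORCE_REQUIRED) == "true"` byte-for-byte, so the validation and the comparison must stay aligned. The `run:` script this hunk belongs to starts outside the hunk. The same duplicated block appears in the dpop-enforce-required check added to test/start-up-with-containers/action.yaml.
```bash
# … unchanged: earlier input validation (kas-port, log-type, …) …

# Accept only the literal strings the yq step later compares against.
require_bool() {
  case "$2" in
    true|false) ;;
    *)
      echo "Error: $1 must be 'true' or 'false'."
      exit 1
      ;;
  esac
}
require_bool dpop-challenge-enabled "${DPOP_CHALLENGE_ENABLED}"
require_bool dpop-enforce-required "${DPOP_ENFORCE_REQUIRED}"
```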
21 changes: 21 additions & 0 deletions test/start-up-with-containers/action.yaml
Expand Up @@ -35,6 +35,10 @@ inputs:
default: "false"
description: 'Whether to enable the DPoP nonce challenge flow (sets server.auth.dpop.require_nonce: true)'
required: false
dpop-enforce-required:
default: "false"
description: 'Whether to enforce DPoP-bound access tokens (sets server.auth.dpop.enforce: true)'
required: false

outputs:
platform-working-dir:
Expand All @@ -58,6 +62,7 @@ runs:
LOG_TYPE: ${{ inputs.log-type }}
PROVISION_POLICY_FIXTURES: ${{ inputs.provision-policy-fixtures }}
DPOP_CHALLENGE_ENABLED: ${{ inputs.dpop-challenge-enabled }}
DPOP_ENFORCE_REQUIRED: ${{ inputs.dpop-enforce-required }}
run: |
# Validate platform-ref (must contain only safe characters for a git ref)
if [[ ! "${PLATFORM_REF}" =~ ^[a-zA-Z0-9._/-]+$ ]]; then
Expand Down Expand Up @@ -130,6 +135,16 @@ runs:
exit 1
;;
esac

# Validate dpop-enforce-required (must be true or false)
case "${DPOP_ENFORCE_REQUIRED}" in
true|false)
;;
*)
echo "Error: dpop-enforce-required must be 'true' or 'false'."
exit 1
;;
esac
- name: Check out platform
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
with:
Expand Down Expand Up @@ -281,6 +296,12 @@ runs:
run: |
yq e '.server.auth.dpop.require_nonce = true' -i opentdf.yaml
working-directory: otdf-test-platform
- name: Enable DPoP enforcement
shell: bash
if: ${{ inputs.dpop-enforce-required == 'true' }}
run: |
yq e '.server.auth.dpop.enforce = true' -i opentdf.yaml
working-directory: otdf-test-platform
- name: Overlay DPoP-capable Keycloak (26.2)
# The default docker-compose pins Keycloak 25 so downstream consumers stay on
# it; DPoP testing needs Keycloak 26.2 plus the admin-fine-grained-authz:v1
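Review bot: The new `Enable DPoP enforcement` step gates on `inputs.dpop-enforce-required == 'true'`, and GitHub's expression `==` compares strings case-insensitively, so on its own that condition would also fire for `True` or `TRUE`; only the earlier bash validation step (the `case "${DPOP_ENFORCE_REQUIRED}"` block added in this file) keeps the accepted values strict, so the two must not be reordered or made non-fatal independently. A one-line comment on the step would record that dependency, e.g. `# Value is already restricted to exactly 'true'/'false' by the input-validation step above`. Since the step is otherwise identical in shape to the preceding `require_nonce` step, the two settings could be applied in one yq call with two `with(select(...))` clauses, as test/start-additional-kas/action.yaml does, avoiding a second in-place rewrite of opentdf.yaml.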