Skip to content

feat(authz): move DPoP enforcement into dpop.enforce config (DSPX-3397)#3666

Merged
dmihalcik-virtru merged 1 commit into
mainfrom
DSPX-3397-platform-service-part-3
Jun 30, 2026
Merged

feat(authz): move DPoP enforcement into dpop.enforce config (DSPX-3397)#3666
dmihalcik-virtru merged 1 commit into
mainfrom
DSPX-3397-platform-service-part-3

Conversation

@dmihalcik-virtru

Copy link
Copy Markdown
Member

Summary

Part of DSPX-3397. Consolidates DPoP config: enforcement lived at the top of the auth block (server.auth.enforceDPoP) while every other DPoP knob is nested under server.auth.dpop. This adds server.auth.dpop.enforce and deprecates the old top-level field.

Stacked PR: based on DSPX-3397-platform-service-part-2 (#3665), not main. GitHub will retarget this to main once that merges. Review only the latest commit here.

Changes

  • config.go: add DPoPConfig.Enforce; deprecate AuthNConfig.EnforceDPoP; add dpopEnforced() helper (DPoP.Enforce || EnforceDPoP); update validation warnings.
  • authn.go: NewAuthenticator uses cfg.dpopEnforced().
  • server.go: warning strings reference server.auth.dpop.enforce.
  • Example configs + docs/Configuring.md: nested dpop.enforce form; testdata/all-no-config.yaml intentionally left on the legacy key for backward-compat parse coverage.
  • Tests migrated to DPoP.Enforce + new TestDPoPEnforcement_Migration.

Backward compatibility

Both fields are defaulted bools, so mapstructure can't tell "explicitly false" from "unset"; enforcement therefore uses OR semantics (on if either field is true) and validation warns when the deprecated field is set. The deprecated field keeps working during the migration window.

Testing

  • go test ./service/internal/auth/... passes (incl. the migration test).
  • golangci-lint adds no new issues.

@dmihalcik-virtru dmihalcik-virtru requested a review from a team as a code owner June 25, 2026 14:10
@coderabbitai

coderabbitai Bot commented Jun 25, 2026

Copy link
Copy Markdown

Warning

Review limit reached

@dmihalcik-virtru, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 2 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: a2c070d7-48a3-41d7-8ec7-0dddc4a99fde

📥 Commits

Reviewing files that changed from the base of the PR and between d7caacd and 9c95ae6.

📒 Files selected for processing (12)
  • docs/Configuring.md
  • opentdf-core-mode.yaml
  • opentdf-dev.yaml
  • opentdf-ers-mode.yaml
  • opentdf-example.yaml
  • opentdf-kas-mode.yaml
  • service/internal/auth/authn.go
  • service/internal/auth/authn_test.go
  • service/internal/auth/config.go
  • service/internal/auth/dpop_nonce_test.go
  • service/internal/server/server.go
  • service/pkg/server/testdata/all-no-config.yaml
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch DSPX-3397-platform-service-part-3

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request consolidates DPoP-related configuration settings by moving the enforcement toggle into the existing dpop configuration block. This change improves configuration consistency while maintaining backward compatibility for existing deployments by supporting both the new and deprecated fields during a transition period.

Highlights

  • Configuration Consolidation: Moved DPoP enforcement configuration from the top-level server.auth.enforceDPoP to the nested server.auth.dpop.enforce field.
  • Backward Compatibility: Implemented OR-based logic in dpopEnforced() to ensure the deprecated enforceDPoP field remains functional during the migration period.
  • Documentation and Logging: Updated documentation, example configuration files, and warning logs to reflect the new configuration structure.
New Features

🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here.


A setting moved to a new home, Where DPoP logic starts to roam. Old keys still work, a bridge we keep, While code evolves and secrets sleep.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request migrates the configuration option server.auth.enforceDPoP to server.auth.dpop.enforce. It deprecates the old option while maintaining backward compatibility by enforcing DPoP if either field is set to true. Updates have been applied across documentation, configuration YAML files, authentication logic, and unit tests. There are no review comments, and I have no additional feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 246.827696ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 107.797228ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 583.809826ms
Throughput 171.29 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 45.24342319s
Average Latency 450.857693ms
Throughput 110.51 requests/second

@dmihalcik-virtru dmihalcik-virtru changed the title feat(service/auth): move DPoP enforcement into dpop.enforce config (DSPX-3397) feat(authz): move DPoP enforcement into dpop.enforce config (DSPX-3397) Jun 25, 2026
@dmihalcik-virtru dmihalcik-virtru force-pushed the DSPX-3397-platform-service-part-2 branch 2 times, most recently from 192fd99 to 48e86d6 Compare June 26, 2026 19:29
Base automatically changed from DSPX-3397-platform-service-part-2 to main June 26, 2026 20:03
…SPX-3397)

Enforcement lived at the top of the auth block (server.auth.enforceDPoP) while
every other DPoP knob is nested under server.auth.dpop. Consolidate it: add
server.auth.dpop.enforce and deprecate the old top-level field.

The old field keeps working during the migration window. Both are defaulted
bools, so mapstructure cannot distinguish "explicitly false" from "unset";
enforcement therefore uses OR semantics via a new dpopEnforced() helper
(DPoP.Enforce || EnforceDPoP), and config validation warns when the deprecated
field is set.

- config.go: add DPoPConfig.Enforce, deprecate AuthNConfig.EnforceDPoP, add
  dpopEnforced(); update validateAuthNConfig warnings.
- authn.go: NewAuthenticator uses cfg.dpopEnforced().
- server.go: warning strings reference server.auth.dpop.enforce.
- example configs + docs/Configuring.md: use the nested dpop.enforce form;
  keep testdata/all-no-config.yaml on the legacy key for back-compat coverage.
- tests: migrate to DPoP.Enforce and add TestDPoPEnforcement_Migration.

Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>
@dmihalcik-virtru dmihalcik-virtru force-pushed the DSPX-3397-platform-service-part-3 branch from 02a542f to 9c95ae6 Compare June 26, 2026 21:21
@github-actions

Copy link
Copy Markdown
Contributor
Benchmark results, click to expand

Benchmark authorization.GetDecisions Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 221.780751ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric Value
Approved Decision Requests 1000
Denied Decision Requests 0
Total Time 140.769957ms

Benchmark Statistics

Name № Requests Avg Duration Min Duration Max Duration

Bulk Benchmark Results

Metric Value
Total Decrypts 100
Successful Decrypts 100
Failed Decrypts 0
Total Time 423.445778ms
Throughput 236.16 requests/second

TDF3 Benchmark Results:

Metric Value
Total Requests 5000
Successful Requests 5000
Failed Requests 0
Concurrent Requests 50
Total Time 44.250224546s
Average Latency 441.454277ms
Throughput 112.99 requests/second

@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • otdfctl
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.

@dmihalcik-virtru dmihalcik-virtru added this pull request to the merge queue Jun 30, 2026
Merged via the queue into main with commit daebade Jun 30, 2026
45 checks passed
@dmihalcik-virtru dmihalcik-virtru deleted the DSPX-3397-platform-service-part-3 branch June 30, 2026 15:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants