feat(authz): move DPoP enforcement into dpop.enforce config (DSPX-3397)#3666
Conversation
|
Warning Review limit reached
More reviews will be available in 59 minutes and 2 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. ℹ️ Review info⚙️ Run configurationConfiguration used: Repository UI Review profile: ASSERTIVE Plan: Pro Run ID: 📒 Files selected for processing (12)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Summary of ChangesHello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request consolidates DPoP-related configuration settings by moving the enforcement toggle into the existing Highlights
New Features🧠 You can now enable Memory (public preview) to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console. Using Gemini Code AssistThe full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips. Invoking Gemini You can request assistance from Gemini at any point by creating a comment using either
Customization To customize the Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a Limitations & Feedback Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counterproductive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for GitHub and other Google products, sign up here. A setting moved to a new home, Where DPoP logic starts to roam. Old keys still work, a bridge we keep, While code evolves and secrets sleep. Footnotes
|
There was a problem hiding this comment.
Code Review
This pull request migrates the configuration option server.auth.enforceDPoP to server.auth.dpop.enforce. It deprecates the old option while maintaining backward compatibility by enforcing DPoP if either field is set to true. Updates have been applied across documentation, configuration YAML files, authentication logic, and unit tests. There are no review comments, and I have no additional feedback to provide.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
192fd99 to
48e86d6
Compare
…SPX-3397) Enforcement lived at the top of the auth block (server.auth.enforceDPoP) while every other DPoP knob is nested under server.auth.dpop. Consolidate it: add server.auth.dpop.enforce and deprecate the old top-level field. The old field keeps working during the migration window. Both are defaulted bools, so mapstructure cannot distinguish "explicitly false" from "unset"; enforcement therefore uses OR semantics via a new dpopEnforced() helper (DPoP.Enforce || EnforceDPoP), and config validation warns when the deprecated field is set. - config.go: add DPoPConfig.Enforce, deprecate AuthNConfig.EnforceDPoP, add dpopEnforced(); update validateAuthNConfig warnings. - authn.go: NewAuthenticator uses cfg.dpopEnforced(). - server.go: warning strings reference server.auth.dpop.enforce. - example configs + docs/Configuring.md: use the nested dpop.enforce form; keep testdata/all-no-config.yaml on the legacy key for back-compat coverage. - tests: migrate to DPoP.Enforce and add TestDPoPEnforcement_Migration. Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>
02a542f to
9c95ae6
Compare
Benchmark results, click to expandBenchmark authorization.GetDecisions Results:
Benchmark authorization.v2.GetMultiResourceDecision Results:
Benchmark Statistics
Bulk Benchmark Results
TDF3 Benchmark Results:
|
|
Summary
Part of DSPX-3397. Consolidates DPoP config: enforcement lived at the top of the auth block (
server.auth.enforceDPoP) while every other DPoP knob is nested underserver.auth.dpop. This addsserver.auth.dpop.enforceand deprecates the old top-level field.Changes
config.go: addDPoPConfig.Enforce; deprecateAuthNConfig.EnforceDPoP; adddpopEnforced()helper (DPoP.Enforce || EnforceDPoP); update validation warnings.authn.go:NewAuthenticatorusescfg.dpopEnforced().server.go: warning strings referenceserver.auth.dpop.enforce.docs/Configuring.md: nesteddpop.enforceform;testdata/all-no-config.yamlintentionally left on the legacy key for backward-compat parse coverage.DPoP.Enforce+ newTestDPoPEnforcement_Migration.Backward compatibility
Both fields are defaulted bools, so mapstructure can't tell "explicitly false" from "unset"; enforcement therefore uses OR semantics (on if either field is true) and validation warns when the deprecated field is set. The deprecated field keeps working during the migration window.
Testing
go test ./service/internal/auth/...passes (incl. the migration test).golangci-lintadds no new issues.