feat(ci): add DPoP nonce-challenge and enforcement inputs to test actions (DSPX-3397) #3667

Merged
dmihalcik-virtru merged 4 commits into main from DSPX-3397-platform-ci-part-2, Jun 30, 2026
Conversation

@dmihalcik-virtru dmihalcik-virtru (Member) commented Jun 25, 2026

Summary

Part of DSPX-3397. Adds two independent inputs to the composite test actions so xtest can exercise DPoP end-to-end:

  • dpop-challenge-enabled (default false) → sets server.auth.dpop.require_nonce: true.
    • When receiving a resource request (i.e. a rewrap or policy service request) with a DPoP authorization header, issue a challenge to make sure the requestor is in possession of the DPoP secret.
    • This was already present for start-up-with-containers, but adding it to start-additional-kas allows testing in multi-KAS scenarios, including making sure that the KASes expect and require unique nonce values.
  • dpop-enforce-required (default false) → sets server.auth.dpop.enforce: true.
    • Disable plain Bearer authZ in favor of ONLY DPoP tokens. Useful for testing, but not ready for deployment.

The two are decoupled: enforcement (reject non-DPoP tokens) is separate from the nonce-challenge feature.

Changes

  • test/start-additional-kas/action.yaml and test/start-up-with-containers/action.yaml: new inputs + true/false validation + env wiring.
  • The enforce knob only ever turns enforcement on — it never writes enforce: false (so any base value is preserved): start-additional-kas uses with(select(...)), start-up-with-containers sets it in a step gated on the flag.

Note on dependency

The enforce setting relies on server.auth.dpop.enforce (introduced in #3666). Setting it before that lands is harmless (an older platform ignores the unknown config key), and these actions build the platform from the checked-out ref, so the field is honored within a PR run.

Testing

  • Both action YAMLs validated with yq.
  • Verified: flag off → enforce untouched (no false written); flag on → enforce: true; require_nonce tracks only dpop-challenge-enabled.

Summary by CodeRabbit

  • New Features

    • Added boolean-like inputs to control DPoP behavior in test startup workflows: enabling nonce challenges and enforcing DPoP-bound access tokens.
    • Additional KAS and container-based startup flows now conditionally apply these DPoP settings when generating/updating configuration.
  • Validation

    • Updated input validation to accept only true or false for the new DPoP options.
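The behaviour the description and testing notes state (true/false-only inputs, require_nonce tracking only dpop-challenge-enabled, and enforce being set-only so no explicit false is ever written) is small enough to model offline. The following Python is an added example, not the actions' own code: the real actions run yq against the generated opentdf.yaml / opentdf-${KAS_NAME}.yaml, and the with(select(...)) pattern mentioned above is what the set-only branch below mirrors. The config key and input names come from the PR description; the function names and the constructed base config are assumptions of this example.

```python
"""Model of the DPoP input wiring the PR adds to the composite test actions.

Added example, not the actions' own code.  The config is modelled as nested
dicts so the stated semantics can be checked without yq or a running platform.
"""
import copy
from typing import Any

Config = dict[str, Any]

# Input names as declared by the PR; both default to "false" in the actions.
INPUT_NAMES = ("dpop-challenge-enabled", "dpop-enforce-required")


def input_errors(challenge_enabled: str, enforce_required: str) -> list[str]:
    """Mirror the actions' true/false validation: any other literal is rejected."""
    errors: list[str] = []
    for name, raw in zip(INPUT_NAMES, (challenge_enabled, enforce_required)):
        if raw not in ("true", "false"):
            errors.append(f"{name} must be 'true' or 'false', got {raw!r}")
    return errors


def apply_dpop_inputs(base: Config, challenge_enabled: str, enforce_required: str) -> Config:
    """Return a copy of `base` with the DPoP settings the two inputs imply.

    * server.auth.dpop.require_nonce tracks dpop-challenge-enabled and nothing else.
    * server.auth.dpop.enforce is set-only: it becomes true when
      dpop-enforce-required is "true" and is left exactly as found otherwise.
      No explicit false is ever written, so any base value survives; this is
      the effect of the yq with(select(...)) form in start-additional-kas and
      of the flag-gated step in start-up-with-containers.
    """
    errors = input_errors(challenge_enabled, enforce_required)
    if errors:
        raise ValueError("; ".join(errors))
    cfg = copy.deepcopy(base)  # never mutate the caller's generated config
    dpop = cfg.setdefault("server", {}).setdefault("auth", {}).setdefault("dpop", {})
    dpop["require_nonce"] = challenge_enabled == "true"
    if enforce_required == "true":
        dpop["enforce"] = True
    return cfg


def render_yaml(cfg: Config, indent: int = 0) -> list[str]:
    """Tiny renderer (nested maps, bools, scalars) to show the fragment written."""
    pad = "  " * indent
    lines: list[str] = []
    for key, value in cfg.items():
        if isinstance(value, dict):
            lines.append(f"{pad}{key}:")
            lines.extend(render_yaml(value, indent + 1))
        elif isinstance(value, bool):
            lines.append(f"{pad}{key}: {'true' if value else 'false'}")
        else:
            lines.append(f"{pad}{key}: {value}")
    return lines


# Constructed base config (an assumption of this example) standing in for a
# generated opentdf.yaml that already carries an explicit enforce value.
BASE_CONFIG: Config = {"server": {"auth": {"dpop": {"enforce": False}}}}

if __name__ == "__main__":
    for challenge, enforce in (("false", "false"), ("true", "false"), ("true", "true")):
        print(f"--- dpop-challenge-enabled={challenge} dpop-enforce-required={enforce}")
        print("\n".join(render_yaml(apply_dpop_inputs(BASE_CONFIG, challenge, enforce))))
```

Running the script prints the three fragments side by side; the first shows enforce left at its base value of false (not rewritten), the last shows both keys true.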

@dmihalcik-virtru dmihalcik-virtru requested a review from a team as a code owner June 25, 2026 14:10
@coderabbitai coderabbitai Bot commented Jun 25, 2026

Walkthrough

The startup composite actions now accept DPoP-related boolean inputs, validate them, and propagate them into generated OpenTDF and KAS configuration so DPoP enforcement settings can be applied during startup.

Changes

DPoP startup action inputs

Layer: Container enforcement input
File(s): test/start-up-with-containers/action.yaml
Summary: Adds dpop-enforce-required, validates it as true or false, and sets .server.auth.dpop.enforce = true in opentdf.yaml when enabled.

Layer: Additional KAS DPoP wiring
File(s): test/start-additional-kas/action.yaml
Summary: Adds dpop-challenge-enabled and dpop-enforce-required, validates both inputs, passes them into start-kas, and updates opentdf-${KAS_NAME}.yaml to set require_nonce and optional enforcement.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • pflynn-virtru

Poem

A bunny hopped through YAML sprigs,
With DPoP flags tucked into rigs.
Nonces danced, then enforcement too,
While KAS and containers learned anew.
Hoppity hop, the config sings 🐇

Pre-merge checks: 5 passed

Title check: Passed. The title accurately summarizes the main change: adding DPoP nonce-challenge and enforcement inputs to test actions.
Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.
Description Check: Passed. Check skipped because CodeRabbit's high-level summary is enabled.

@gemini-code-assist


Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces configuration flexibility to the CI test actions, enabling developers to exercise DPoP (Demonstrating Proof-of-Possession) flows in end-to-end tests. By adding decoupled inputs for nonce-challenge and enforcement, the changes allow for granular control over security settings without modifying the underlying platform code, facilitating more robust testing of authentication features.

Highlights

  • New CI Inputs: Added 'dpop-challenge-enabled' and 'dpop-enforce-required' inputs to composite test actions to support end-to-end DPoP testing.
  • Configuration Wiring: Updated test action scripts to dynamically inject DPoP configuration settings into the platform environment using yq.
  • Input Validation: Implemented strict boolean validation for the new inputs to ensure configuration integrity during test execution.
The tokens dance with DPoP grace, Security tightened in every place. With flags now set to true or false, The tests perform their steady waltz.


@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces configuration options to enable and enforce DPoP (Demonstrating Proof-of-Possession) in the test actions start-additional-kas and start-up-with-containers. It adds the dpop-challenge-enabled and dpop-enforce-required inputs, validates their values, and updates the configuration files using yq. The feedback suggests modifying the yq command in start-additional-kas/action.yaml to conditionally set require_nonce only when enabled, ensuring consistency and avoiding writing explicit false values to the configuration.

@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  203.069251ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  106.719523ms

Benchmark Statistics

Name  № Requests  Avg Duration  Min Duration  Max Duration

Bulk Benchmark Results

Metric               Value
Total Decrypts       100
Successful Decrypts  100
Failed Decrypts      0
Total Time           579.871557ms
Throughput           172.45 requests/second

TDF3 Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           44.709529536s
Average Latency      445.668104ms
Throughput           111.83 requests/second

@dmihalcik-virtru dmihalcik-virtru force-pushed the DSPX-3397-platform-ci-part-2 branch from d9fdadd to 925e626, June 26, 2026 21:20

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

Inline comments:
In `@test/start-additional-kas/action.yaml`:
- Line 43: The additional KAS action description is pointing to the wrong
runtime config key; update the DPoP enforcement reference in the action metadata
to use server.auth.enforceDPoP instead of server.auth.dpop.enforce. Make the
same correction anywhere the dpop-enforce-required flow references that setting
so the action actually enables enforcement, and verify the relevant
action/inputs definitions in action.yaml stay consistent.

In `@test/start-up-with-containers/action.yaml`:
- Line 40: The DPoP enforcement setting is being written to the wrong config
path, so update the startup/config mapping in the action and related config
writer to use AuthNConfig.EnforceDPoP -> server.auth.enforceDPoP instead of
server.auth.dpop.enforce; keep server.auth.dpop reserved for nonce-related
fields. Locate the mapping in the start-up-with-containers action and any
mirrored config serialization code, and ensure the generated config key matches
what the platform reads at runtime.
- Around line 38-41: The DPoP-capable Keycloak overlay is currently gated only
by the dpop-challenge-enabled input, so enforcement-only runs can still start
with a non-DPoP-capable issuer. Update the condition in the
start-up-with-containers action so the Keycloak 26.2 overlay is enabled when
either dpop-challenge-enabled or dpop-enforce-required is true, and keep the
existing DPoP settings aligned with the inputs. Use the existing
dpop-challenge-enabled and dpop-enforce-required symbols to locate the gating
logic.
📥 Commits

Reviewing files that changed from the base of the PR and between d7caacd and 925e626.

📒 Files selected for processing (2)
  • test/start-additional-kas/action.yaml
  • test/start-up-with-containers/action.yaml

@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  160.108101ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  80.074824ms

Benchmark Statistics

Name  № Requests  Avg Duration  Min Duration  Max Duration

Bulk Benchmark Results

Metric               Value
Total Decrypts       100
Successful Decrypts  100
Failed Decrypts      0
Total Time           364.740211ms
Throughput           274.17 requests/second

TDF3 Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           35.599809263s
Average Latency      354.865116ms
Throughput           140.45 requests/second

The DPoP nonce challenge only applies to DPoP-bound requests; without enforcement
a plain Bearer token bypasses DPoP validation and never sees a challenge. When
dpop-challenge-enabled is set, also set server.auth.dpop.enforce alongside
require_nonce in both start actions.

The flag only ever turns enforcement on: start-additional-kas uses
with(select(...)) so it never writes enforce: false (preserving any base value),
and start-up-with-containers sets it inside the step already gated on the flag.

Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>

DPoP enforcement and the nonce-challenge flow are separate concerns. Replace the
coupling (where dpop-challenge-enabled also set server.auth.dpop.enforce) with a
dedicated dpop-enforce-required input (default false) that drives enforcement on
its own. dpop-challenge-enabled again sets only require_nonce.

The enforce knob only ever turns enforcement on: start-additional-kas uses
with(select(...)) keyed on DPOP_ENFORCE_REQUIRED, and start-up-with-containers
sets it in a new step gated on the flag, so enforce: false is never written.

Signed-off-by: Dave Mihalcik <dmihalcik@virtru.com>
@dmihalcik-virtru dmihalcik-virtru force-pushed the DSPX-3397-platform-ci-part-2 branch from 925e626 to edd1961, June 30, 2026 15:14
@github-actions

Benchmark results

Benchmark authorization.GetDecisions Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  212.233483ms

Benchmark authorization.v2.GetMultiResourceDecision Results:

Metric                      Value
Approved Decision Requests  1000
Denied Decision Requests    0
Total Time                  119.78268ms

Benchmark Statistics

Name  № Requests  Avg Duration  Min Duration  Max Duration

Bulk Benchmark Results

Metric               Value
Total Decrypts       100
Successful Decrypts  100
Failed Decrypts      0
Total Time           418.585078ms
Throughput           238.90 requests/second

TDF3 Benchmark Results:

Metric               Value
Total Requests       5000
Successful Requests  5000
Failed Requests      0
Concurrent Requests  50
Total Time           46.075491286s
Average Latency      457.890361ms
Throughput           108.52 requests/second

@github-actions

⚠️ Govulncheck found vulnerabilities ⚠️

The following modules have known vulnerabilities:

  • examples
  • otdfctl
  • sdk
  • service
  • lib/fixtures
  • tests-bdd

See the workflow run for details.

@dmihalcik-virtru dmihalcik-virtru added this pull request to the merge queue Jun 30, 2026
Merged via the queue into main with commit 0612ea8 Jun 30, 2026
47 checks passed
@dmihalcik-virtru dmihalcik-virtru deleted the DSPX-3397-platform-ci-part-2 branch June 30, 2026 16:00