diff --git a/test/start-additional-kas/action.yaml b/test/start-additional-kas/action.yaml index 94040f6ca5..aed075585b 100644 --- a/test/start-additional-kas/action.yaml +++ b/test/start-additional-kas/action.yaml @@ -16,6 +16,10 @@ inputs: default: "false" description: 'Whether to enable ECC wrapping for TDFs' required: false + pqc-enabled: + default: "false" + description: 'Whether to enable post-quantum and hybrid PQ/T wrapping for TDFs' + required: false key-management: default: "false" description: 'Whether or not key_management is enabled for this KAS' @@ -42,15 +46,18 @@ runs: - name: Validate inputs shell: bash env: + KAS_PORT: ${{ inputs.kas-port }} + KAS_NAME: ${{ inputs.kas-name }} + EC_TDF_ENABLED: ${{ inputs.ec-tdf-enabled }} + PQC_ENABLED: ${{ inputs.pqc-enabled }} KEY_MANAGEMENT: ${{ inputs.key-management }} ROOT_KEY: ${{ inputs.root-key }} - KAS_NAME: ${{ inputs.kas-name }} LOG_LEVEL: ${{ inputs.log-level }} LOG_TYPE: ${{ inputs.log-type }} run: | - # Validate key-management and root-key - if [[ "${KEY_MANAGEMENT}" == "true" && -z "${ROOT_KEY}" ]]; then - echo "Error: root-key is required when key-management is true." + # Validate kas-port (must be a valid port number 1-65535) + if [[ ! "${KAS_PORT}" =~ ^[0-9]+$ ]] || (( KAS_PORT < 1 || KAS_PORT > 65535 )); then + echo "Error: kas-port must be a valid port number between 1 and 65535." exit 1 fi @@ -60,6 +67,42 @@ runs: exit 1 fi + # Validate ec-tdf-enabled (must be true or false) + case "${EC_TDF_ENABLED}" in + true|false) + ;; + *) + echo "Error: ec-tdf-enabled must be 'true' or 'false'." + exit 1 + ;; + esac + + # Validate pqc-enabled (must be true or false) + case "${PQC_ENABLED}" in + true|false) + ;; + *) + echo "Error: pqc-enabled must be 'true' or 'false'." + exit 1 + ;; + esac + + # Validate key-management (must be true or false) + case "${KEY_MANAGEMENT}" in + true|false) + ;; + *) + echo "Error: key-management must be 'true' or 'false'." + exit 1 + ;; + esac + + # Validate key-management and root-key combination + if [[ "${KEY_MANAGEMENT}" == "true" && -z "${ROOT_KEY}" ]]; then + echo "Error: root-key is required when key-management is true." + exit 1 + fi + # Validate log-level (only allowed values) case "${LOG_LEVEL}" in audit|debug|info|warn|error) @@ -95,6 +138,7 @@ runs: KAS_NAME: ${{ inputs.kas-name }} KAS_PORT: ${{ inputs.kas-port }} EC_TDF_ENABLED: ${{ inputs.ec-tdf-enabled }} + PQC_ENABLED: ${{ inputs.pqc-enabled }} KEY_MANAGEMENT: ${{ inputs.key-management }} ROOT_KEY: ${{ inputs.root-key }} LOG_LEVEL: ${{ inputs.log-level }} @@ -104,8 +148,13 @@ runs: yq e ' (.server.port = env(KAS_PORT)) | (.mode = ["kas"]) - | (.services.kas.preview.ec_tdf_enabled = env(EC_TDF_ENABLED)) - | (.services.kas.preview.key_management = env(KEY_MANAGEMENT)) + | (.services.kas.preview.ec_tdf_enabled = (env(EC_TDF_ENABLED) == "true")) + | (.services.kas.preview.hybrid_tdf_enabled = (env(PQC_ENABLED) == "true")) + | (if env(PQC_ENABLED) == "true" then + (.services.kas.keyring += [{"kid":"x1","alg":"hpqt:xwing"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024"}]) + | (.server.cryptoProvider.standard.keys += [{"kid":"x1","alg":"hpqt:xwing","private":"kas-xwing-private.pem","cert":"kas-xwing-public.pem"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768","private":"kas-p256mlkem768-private.pem","cert":"kas-p256mlkem768-public.pem"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024","private":"kas-p384mlkem1024-private.pem","cert":"kas-p384mlkem1024-public.pem"}]) + else . end) + | (.services.kas.preview.key_management = (env(KEY_MANAGEMENT) == "true")) | (.services.kas.registered_kas_uri = "http://localhost:" + env(KAS_PORT)) | del(.services.kas.root_key) | (.logger.level = env(LOG_LEVEL)) diff --git a/test/start-up-with-containers/action.yaml b/test/start-up-with-containers/action.yaml index ad206c9dbc..bc0e420f2e 100644 --- a/test/start-up-with-containers/action.yaml +++ b/test/start-up-with-containers/action.yaml @@ -15,6 +15,10 @@ inputs: default: "false" description: 'Whether to enable ECC wrapping for TDFs' required: false + pqc-enabled: + default: "false" + description: 'Whether to enable post-quantum and hybrid PQ/T wrapping for TDFs' + required: false log-level: default: "debug" description: 'Log level for the platform (audit, debug, info, warn, error)' @@ -39,6 +43,78 @@ outputs: runs: using: 'composite' steps: + - name: Validate inputs + shell: bash + env: + PLATFORM_REF: ${{ inputs.platform-ref }} + EXTRA_KEYS: ${{ inputs.extra-keys }} + EC_TDF_ENABLED: ${{ inputs.ec-tdf-enabled }} + PQC_ENABLED: ${{ inputs.pqc-enabled }} + LOG_LEVEL: ${{ inputs.log-level }} + LOG_TYPE: ${{ inputs.log-type }} + PROVISION_POLICY_FIXTURES: ${{ inputs.provision-policy-fixtures }} + run: | + # Validate platform-ref (must contain only safe characters for a git ref) + if [[ ! "${PLATFORM_REF}" =~ ^[a-zA-Z0-9._/-]+$ ]]; then + echo "Error: platform-ref must contain only alphanumeric characters, dots, underscores, hyphens, and forward slashes." + exit 1 + fi + + # Validate extra-keys (must be a valid JSON array) + if ! jq -e 'type == "array"' <<< "${EXTRA_KEYS}" > /dev/null 2>&1; then + echo "Error: extra-keys must be a valid JSON array." + exit 1 + fi + + # Validate ec-tdf-enabled (must be true or false) + case "${EC_TDF_ENABLED}" in + true|false) + ;; + *) + echo "Error: ec-tdf-enabled must be 'true' or 'false'." + exit 1 + ;; + esac + + # Validate pqc-enabled (must be true or false) + case "${PQC_ENABLED}" in + true|false) + ;; + *) + echo "Error: pqc-enabled must be 'true' or 'false'." + exit 1 + ;; + esac + + # Validate log-level (only allowed values) + case "${LOG_LEVEL}" in + audit|debug|info|warn|error) + ;; + *) + echo "Error: log-level must be one of: audit, debug, info, warn, error." + exit 1 + ;; + esac + + # Validate log-type (only allowed values) + case "${LOG_TYPE}" in + text|json) + ;; + *) + echo "Error: log-type must be one of: text, json." + exit 1 + ;; + esac + + # Validate provision-policy-fixtures (must be true or false) + case "${PROVISION_POLICY_FIXTURES}" in + true|false) + ;; + *) + echo "Error: provision-policy-fixtures must be 'true' or 'false'." + exit 1 + ;; + esac - name: Check out platform uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 with: @@ -161,35 +237,20 @@ runs: working-directory: otdf-test-platform - name: Enable ECC wrapping for TDFs shell: bash - if: ${{ inputs.ec-tdf-enabled }} + if: ${{ inputs.ec-tdf-enabled == 'true' }} run: | yq e '.services.kas.ec_tdf_enabled = true' -i opentdf.yaml working-directory: otdf-test-platform - - name: Validate logging inputs + - name: Enable PQ (mlkem, xwing, and hybrid) wrapping for TDFs shell: bash - env: - LOG_LEVEL: ${{ inputs.log-level }} - LOG_TYPE: ${{ inputs.log-type }} + if: ${{ inputs.pqc-enabled == 'true' }} run: | - # Validate log-level (only allowed values) - case "${LOG_LEVEL}" in - audit|debug|info|warn|error) - ;; - *) - echo "Error: log-level must be one of: audit, debug, info, warn, error." - exit 1 - ;; - esac - - # Validate log-type (only allowed values) - case "${LOG_TYPE}" in - text|json) - ;; - *) - echo "Error: log-type must be one of: text, json." - exit 1 - ;; - esac + yq e ' + (.services.kas.preview.hybrid_tdf_enabled = true) + | (.services.kas.keyring += [{"kid":"x1","alg":"hpqt:xwing"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024"}]) + | (.server.cryptoProvider.standard.keys += [{"kid":"x1","alg":"hpqt:xwing","private":"kas-xwing-private.pem","cert":"kas-xwing-public.pem"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768","private":"kas-p256mlkem768-private.pem","cert":"kas-p256mlkem768-public.pem"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024","private":"kas-p384mlkem1024-private.pem","cert":"kas-p384mlkem1024-public.pem"}]) + ' -i opentdf.yaml + working-directory: otdf-test-platform - name: Configure logging shell: bash env: