From 413cbfec84b41359ae169a0f985299f626819c82 Mon Sep 17 00:00:00 2001
From: Dave Mihalcik
Date: Thu, 4 Jun 2026 17:45:18 -0400
Subject: [PATCH 1/6] feat(ci): Enable pq/t service run action option
Adds `pqc-enabled` boolean parameter to `start-up-with-containers` and `start-additional-kas` actions, which when set to true will enable the post-quantum and hybrid PQ/T wrapping option for TDFs in the KAS service.
---
 test/start-additional-kas/action.yaml | 6 ++++++
 test/start-up-with-containers/action.yaml | 10 ++++++++++
 2 files changed, 16 insertions(+)
diff --git a/test/start-additional-kas/action.yaml b/test/start-additional-kas/action.yaml
index 94040f6ca5..3996fb2d1e 100644
--- a/test/start-additional-kas/action.yaml
+++ b/test/start-additional-kas/action.yaml
@@ -16,6 +16,10 @@ inputs:
 default: "false"
 description: 'Whether to enable ECC wrapping for TDFs'
 required: false
+ pqc-enabled:
+ default: "false"
+ description: 'Whether to enable post-quantum and hybrid PQ/T wrapping for TDFs'
+ required: false
 key-management:
 default: "false"
 description: 'Whether or not key_management is enabled for this KAS'
@@ -95,6 +99,7 @@ runs:
 KAS_NAME: ${{ inputs.kas-name }}
 KAS_PORT: ${{ inputs.kas-port }}
 EC_TDF_ENABLED: ${{ inputs.ec-tdf-enabled }}
+ PQC_ENABLED: ${{ inputs.pqc-enabled }}
 KEY_MANAGEMENT: ${{ inputs.key-management }}
 ROOT_KEY: ${{ inputs.root-key }}
 LOG_LEVEL: ${{ inputs.log-level }}
@@ -105,6 +110,7 @@ runs:
 (.server.port = env(KAS_PORT))
 | (.mode = ["kas"])
 | (.services.kas.preview.ec_tdf_enabled = env(EC_TDF_ENABLED))
+ | (.services.kas.preview.hybrid_tdf_enabled = env(PQC_ENABLED))
 | (.services.kas.preview.key_management = env(KEY_MANAGEMENT))
 | (.services.kas.registered_kas_uri = "http://localhost:" + env(KAS_PORT))
 | del(.services.kas.root_key)
diff --git a/test/start-up-with-containers/action.yaml b/test/start-up-with-containers/action.yaml
index ad206c9dbc..b675005b61 100644
--- a/test/start-up-with-containers/action.yaml
+++ b/test/start-up-with-containers/action.yaml
@@ -15,6 +15,10 @@ inputs:
 default: "false"
 description: 'Whether to enable ECC wrapping for TDFs'
 required: false
+ pqc-enabled:
+ default: "false"
+ description: 'Whether to enable post-quantum and hybrid PQ/T wrapping for TDFs'
+ required: false
 log-level:
 default: "debug"
 description: 'Log level for the platform (audit, debug, info, warn, error)'
@@ -165,6 +169,12 @@ runs:
 run: |
 yq e '.services.kas.ec_tdf_enabled = true' -i opentdf.yaml
 working-directory: otdf-test-platform
+ - name: Enable PQ (mlkem, xwing, and hybrid) wrapping for TDFs
+ shell: bash
+ if: ${{ inputs.pqc-enabled }}
+ run: |
+ yq e '.services.kas.hybrid_tdf_enabled = true' -i opentdf.yaml
+ working-directory: otdf-test-platform
 - name: Validate logging inputs
 shell: bash
 env:
From 82bab51bb972019e8202afd6400f09f352c3511b Mon Sep 17 00:00:00 2001
From: Dave Mihalcik
Date: Fri, 5 Jun 2026 08:29:40 -0400
Subject: [PATCH 2/6] fix(ci): validate all inputs in composite actions
Expand input validation in start-additional-kas and start-up-with-containers to cover every parameter, not just a subset. Unvalidated inputs were passed directly into yq expressions and shell filenames, creating YAML-injection and command-injection risk and producing confusing late failures.
- start-additional-kas: adds kas-port (numeric 1-65535), ec-tdf-enabled, pqc-enabled, and key-management boolean guards before the existing checks
- start-up-with-containers: renames step to "Validate inputs", adds platform-ref (safe-char regex), extra-keys (jq type check), ec-tdf-enabled, pqc-enabled, and provision-policy-fixtures boolean guards
Co-Authored-By: Claude Sonnet 4.6
Signed-off-by: Dave Mihalcik
---
 test/start-additional-kas/action.yaml | 47 ++++++++++++++++++++--
 test/start-up-with-containers/action.yaml | 49 ++++++++++++++++++++++-
 2 files changed, 91 insertions(+), 5 deletions(-)
diff --git a/test/start-additional-kas/action.yaml b/test/start-additional-kas/action.yaml
index 3996fb2d1e..18215d6ead 100644
--- a/test/start-additional-kas/action.yaml
+++ b/test/start-additional-kas/action.yaml
@@ -46,15 +46,18 @@ runs:
 - name: Validate inputs
 shell: bash
 env:
+ KAS_PORT: ${{ inputs.kas-port }}
+ KAS_NAME: ${{ inputs.kas-name }}
+ EC_TDF_ENABLED: ${{ inputs.ec-tdf-enabled }}
+ PQC_ENABLED: ${{ inputs.pqc-enabled }}
 KEY_MANAGEMENT: ${{ inputs.key-management }}
 ROOT_KEY: ${{ inputs.root-key }}
- KAS_NAME: ${{ inputs.kas-name }}
 LOG_LEVEL: ${{ inputs.log-level }}
 LOG_TYPE: ${{ inputs.log-type }}
 run: |
- # Validate key-management and root-key
- if [[ "${KEY_MANAGEMENT}" == "true" && -z "${ROOT_KEY}" ]]; then
- echo "Error: root-key is required when key-management is true."
+ # Validate kas-port (must be a valid port number 1-65535)
+ if [[ ! "${KAS_PORT}" =~ ^[0-9]+$ ]] || (( KAS_PORT < 1 || KAS_PORT > 65535 )); then
+ echo "Error: kas-port must be a valid port number between 1 and 65535."
 exit 1
 fi
 
@@ -64,6 +67,42 @@ runs:
 exit 1
 fi
 
+ # Validate ec-tdf-enabled (must be true or false)
+ case "${EC_TDF_ENABLED}" in
+ true|false)
+ ;;
+ *)
+ echo "Error: ec-tdf-enabled must be 'true' or 'false'."
+ exit 1
+ ;;
+ esac
+
+ # Validate pqc-enabled (must be true or false)
+ case "${PQC_ENABLED}" in
+ true|false)
+ ;;
+ *)
+ echo "Error: pqc-enabled must be 'true' or 'false'."
+ exit 1
+ ;;
+ esac
+
+ # Validate key-management (must be true or false)
+ case "${KEY_MANAGEMENT}" in
+ true|false)
+ ;;
+ *)
+ echo "Error: key-management must be 'true' or 'false'."
+ exit 1
+ ;;
+ esac
+
+ # Validate key-management and root-key combination
+ if [[ "${KEY_MANAGEMENT}" == "true" && -z "${ROOT_KEY}" ]]; then
+ echo "Error: root-key is required when key-management is true."
+ exit 1
+ fi
+
 # Validate log-level (only allowed values)
 case "${LOG_LEVEL}" in
 audit|debug|info|warn|error)
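Review bot: The kas-port range test `(( KAS_PORT < 1 || KAS_PORT > 65535 ))` evaluates a value with a leading zero as octal, so `010` is checked as 8 and a value such as `08` makes the arithmetic error out; since that error only yields a non-zero status inside the `if` condition, the `||` chain treats it as "in range" and the value is accepted. Forcing base ten closes the gap: `if [[ ! "${KAS_PORT}" =~ ^[0-9]+$ ]] || (( 10#${KAS_PORT} < 1 || 10#${KAS_PORT} > 65535 )); then`. The env block carries `KAS_NAME` but the kas-name check itself sits between the two hunks, so its shape cannot be confirmed from here. The step's `run:` block continues past the end of the second hunk.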
diff --git a/test/start-up-with-containers/action.yaml b/test/start-up-with-containers/action.yaml
index b675005b61..dbe4dea549 100644
--- a/test/start-up-with-containers/action.yaml
+++ b/test/start-up-with-containers/action.yaml
@@ -175,12 +175,49 @@ runs:
 run: |
 yq e '.services.kas.hybrid_tdf_enabled = true' -i opentdf.yaml
 working-directory: otdf-test-platform
- - name: Validate logging inputs
+ - name: Validate inputs
 shell: bash
 env:
+ PLATFORM_REF: ${{ inputs.platform-ref }}
+ EXTRA_KEYS: ${{ inputs.extra-keys }}
+ EC_TDF_ENABLED: ${{ inputs.ec-tdf-enabled }}
+ PQC_ENABLED: ${{ inputs.pqc-enabled }}
 LOG_LEVEL: ${{ inputs.log-level }}
 LOG_TYPE: ${{ inputs.log-type }}
+ PROVISION_POLICY_FIXTURES: ${{ inputs.provision-policy-fixtures }}
 run: |
+ # Validate platform-ref (safe characters only — prevents path/command injection)
+ if [[ ! "${PLATFORM_REF}" =~ ^[a-zA-Z0-9._/-]+$ ]]; then
+ echo "Error: platform-ref must contain only alphanumeric characters, dots, underscores, hyphens, and forward slashes."
+ exit 1
+ fi
+
+ # Validate extra-keys (must be a valid JSON array)
+ if ! jq -e 'type == "array"' <<< "${EXTRA_KEYS}" > /dev/null 2>&1; then
+ echo "Error: extra-keys must be a valid JSON array."
+ exit 1
+ fi
+
+ # Validate ec-tdf-enabled (must be true or false)
+ case "${EC_TDF_ENABLED}" in
+ true|false)
+ ;;
+ *)
+ echo "Error: ec-tdf-enabled must be 'true' or 'false'."
+ exit 1
+ ;;
+ esac
+
+ # Validate pqc-enabled (must be true or false)
+ case "${PQC_ENABLED}" in
+ true|false)
+ ;;
+ *)
+ echo "Error: pqc-enabled must be 'true' or 'false'."
+ exit 1
+ ;;
+ esac
+
 # Validate log-level (only allowed values)
 case "${LOG_LEVEL}" in
 audit|debug|info|warn|error)
@@ -200,6 +237,16 @@ runs:
 exit 1
 ;;
 esac
+
+ # Validate provision-policy-fixtures (must be true or false)
+ case "${PROVISION_POLICY_FIXTURES}" in
+ true|false)
+ ;;
+ *)
+ echo "Error: provision-policy-fixtures must be 'true' or 'false'."
+ exit 1
+ ;;
+ esac
 - name: Configure logging
 shell: bash
 env:
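Review bot: The platform-ref guard `^[a-zA-Z0-9._/-]+$` still accepts a value that begins with `-`, and a ref of that shape is read as an option by any command that later receives it as a positional argument; since the comment states the check exists to keep the ref safe for path and command use, reject that case as well: `if [[ ! "${PLATFORM_REF}" =~ ^[a-zA-Z0-9._/-]+$ || "${PLATFORM_REF}" == -* ]]; then`. The same regex is carried unchanged into the relocated step in patch 5 (the hunk headed `@@ -43,6 +43,78 @@`), so the tightening applies there too. Where platform-ref is consumed lies outside this hunk, so I cannot confirm from here whether the consumer is actually exposed. The `Validate inputs` step's remaining checks continue past the end of the first hunk.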
From 1266ed4951aee848651a502e5ceb30c84bf4b2b0 Mon Sep 17 00:00:00 2001
From: Dave Mihalcik
Date: Fri, 5 Jun 2026 08:26:38 -0400
Subject: [PATCH 3/6] let static keys load pqc in ci test scenario
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 test/start-up-with-containers/action.yaml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/test/start-up-with-containers/action.yaml b/test/start-up-with-containers/action.yaml
index dbe4dea549..aeabcd3d41 100644
--- a/test/start-up-with-containers/action.yaml
+++ b/test/start-up-with-containers/action.yaml
@@ -169,11 +169,13 @@ runs:
 run: |
 yq e '.services.kas.ec_tdf_enabled = true' -i opentdf.yaml
 working-directory: otdf-test-platform
- - name: Enable PQ (mlkem, xwing, and hybrid) wrapping for TDFs
- shell: bash
- if: ${{ inputs.pqc-enabled }}
+ if: ${{ inputs.pqc-enabled == 'true' }}
 run: |
- yq e '.services.kas.hybrid_tdf_enabled = true' -i opentdf.yaml
+ yq e '
+ (.services.kas.preview.hybrid_tdf_enabled = true)
+ | (.services.kas.keyring += [{"kid":"x1","alg":"hpqt:xwing"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024"}])
+ | (.server.cryptoProvider.standard.keys += [{"kid":"x1","alg":"hpqt:xwing","private":"kas-xwing-private.pem","cert":"kas-xwing-public.pem"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768","private":"kas-p256mlkem768-private.pem","cert":"kas-p256mlkem768-public.pem"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024","private":"kas-p384mlkem1024-private.pem","cert":"kas-p384mlkem1024-public.pem"}])
+ ' -i opentdf.yaml
 working-directory: otdf-test-platform
 - name: Validate inputs
 shell: bash
From 2fbc92005a2dd1161df4394e7a74fcdcfd5bebbc Mon Sep 17 00:00:00 2001
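Review bot: The new yq expression writes `.services.kas.preview.hybrid_tdf_enabled`, while the ECC step two context lines above writes `.services.kas.ec_tdf_enabled` with no `preview` segment, and start-additional-kas writes `.services.kas.preview.ec_tdf_enabled` for the same flag; one of the two ECC paths is presumably not the key the service reads, so the three should be aligned against the platform config schema. The same pair of steps survives unchanged into patch 5 (the hunk headed `@@ -165,10 +237,12 @@`), so the mismatch is still present at the end of the series. The keyring and cryptoProvider entries name `kas-xwing-private.pem` and five other PEM files that nothing in this hunk creates; confirm an earlier step generates them into otdf-test-platform, since the service would presumably refuse to start with hybrid keys whose files are missing. The ECC step this hunk edits begins above the hunk.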
From: Dave Mihalcik
Date: Fri, 5 Jun 2026 08:30:50 -0400
Subject: [PATCH 4/6] Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 test/start-additional-kas/action.yaml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/test/start-additional-kas/action.yaml b/test/start-additional-kas/action.yaml
index 18215d6ead..0b94a32b23 100644
--- a/test/start-additional-kas/action.yaml
+++ b/test/start-additional-kas/action.yaml
@@ -149,7 +149,11 @@ runs:
 (.server.port = env(KAS_PORT))
 | (.mode = ["kas"])
 | (.services.kas.preview.ec_tdf_enabled = env(EC_TDF_ENABLED))
- | (.services.kas.preview.hybrid_tdf_enabled = env(PQC_ENABLED))
+ | (.services.kas.preview.hybrid_tdf_enabled = (env(PQC_ENABLED) == "true"))
+ | (if env(PQC_ENABLED) == "true" then
+ (.services.kas.keyring += [{"kid":"x1","alg":"hpqt:xwing"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024"}])
+ | (.server.cryptoProvider.standard.keys += [{"kid":"x1","alg":"hpqt:xwing","private":"kas-xwing-private.pem","cert":"kas-xwing-public.pem"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768","private":"kas-p256mlkem768-private.pem","cert":"kas-p256mlkem768-public.pem"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024","private":"kas-p384mlkem1024-private.pem","cert":"kas-p384mlkem1024-public.pem"}])
+ else . end)
 | (.services.kas.preview.key_management = env(KEY_MANAGEMENT))
 | (.services.kas.registered_kas_uri = "http://localhost:" + env(KAS_PORT))
 | del(.services.kas.root_key)
From 58b5eb8884ade2a244b6a438896ec62b1f07b211 Mon Sep 17 00:00:00 2001
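Review bot: `env(PQC_ENABLED)` asks yq to parse the variable's text as YAML, so after the validation step the left operand is the boolean `true` rather than a string, and `== "true"` then depends on yq treating a boolean and a string with the same text as equal — an implementation detail rather than a documented contract, and one a reader has to know to trust the `if` branch. `strenv(PQC_ENABLED) == "true"` expresses the intended string comparison directly, in both the assignment and the `if` guard. The same construction is repeated for `ec_tdf_enabled` in patch 5 and for `key_management` in patch 6, so the substitution belongs in all three places. The yq script starts above this hunk.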
From: Dave Mihalcik
Date: Fri, 5 Jun 2026 08:54:06 -0400
Subject: [PATCH 5/6] fix(ci): correct three bugs in composite action steps
- start-up-with-containers: move Validate inputs to first step so invalid inputs are caught before checkout and yq mutations consume them
- start-up-with-containers: fix YAML structural bug where the PQC config block was injected as duplicate keys inside the Enable ECC wrapping step (YAML last-key-wins silently discarded the ECC if-condition and run block, so ECC wrapping never applied); promote it to a proper step and fix the ECC if-condition from bare value to == 'true'
- start-additional-kas: write ec_tdf_enabled as a boolean in yq ((env(EC_TDF_ENABLED) == "true")) consistent with hybrid_tdf_enabled
Co-Authored-By: Claude Sonnet 4.6
Signed-off-by: Dave Mihalcik
---
 test/start-additional-kas/action.yaml | 2 +-
 test/start-up-with-containers/action.yaml | 148 +++++++++++-----------
 2 files changed, 76 insertions(+), 74 deletions(-)
diff --git a/test/start-additional-kas/action.yaml b/test/start-additional-kas/action.yaml
index 0b94a32b23..e23471aa6e 100644
--- a/test/start-additional-kas/action.yaml
+++ b/test/start-additional-kas/action.yaml
@@ -148,7 +148,7 @@ runs:
 yq e '
 (.server.port = env(KAS_PORT))
 | (.mode = ["kas"])
- | (.services.kas.preview.ec_tdf_enabled = env(EC_TDF_ENABLED))
+ | (.services.kas.preview.ec_tdf_enabled = (env(EC_TDF_ENABLED) == "true"))
 | (.services.kas.preview.hybrid_tdf_enabled = (env(PQC_ENABLED) == "true"))
 | (if env(PQC_ENABLED) == "true" then
 (.services.kas.keyring += [{"kid":"x1","alg":"hpqt:xwing"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024"}])
diff --git a/test/start-up-with-containers/action.yaml b/test/start-up-with-containers/action.yaml
index aeabcd3d41..bc0e420f2e 100644
--- a/test/start-up-with-containers/action.yaml
+++ b/test/start-up-with-containers/action.yaml
@@ -43,6 +43,78 @@ outputs:
 runs:
 using: 'composite'
 steps:
+ - name: Validate inputs
+ shell: bash
+ env:
+ PLATFORM_REF: ${{ inputs.platform-ref }}
+ EXTRA_KEYS: ${{ inputs.extra-keys }}
+ EC_TDF_ENABLED: ${{ inputs.ec-tdf-enabled }}
+ PQC_ENABLED: ${{ inputs.pqc-enabled }}
+ LOG_LEVEL: ${{ inputs.log-level }}
+ LOG_TYPE: ${{ inputs.log-type }}
+ PROVISION_POLICY_FIXTURES: ${{ inputs.provision-policy-fixtures }}
+ run: |
+ # Validate platform-ref (must contain only safe characters for a git ref)
+ if [[ ! "${PLATFORM_REF}" =~ ^[a-zA-Z0-9._/-]+$ ]]; then
+ echo "Error: platform-ref must contain only alphanumeric characters, dots, underscores, hyphens, and forward slashes."
+ exit 1
+ fi
+
+ # Validate extra-keys (must be a valid JSON array)
+ if ! jq -e 'type == "array"' <<< "${EXTRA_KEYS}" > /dev/null 2>&1; then
+ echo "Error: extra-keys must be a valid JSON array."
+ exit 1
+ fi
+
+ # Validate ec-tdf-enabled (must be true or false)
+ case "${EC_TDF_ENABLED}" in
+ true|false)
+ ;;
+ *)
+ echo "Error: ec-tdf-enabled must be 'true' or 'false'."
+ exit 1
+ ;;
+ esac
+
+ # Validate pqc-enabled (must be true or false)
+ case "${PQC_ENABLED}" in
+ true|false)
+ ;;
+ *)
+ echo "Error: pqc-enabled must be 'true' or 'false'."
+ exit 1
+ ;;
+ esac
+
+ # Validate log-level (only allowed values)
+ case "${LOG_LEVEL}" in
+ audit|debug|info|warn|error)
+ ;;
+ *)
+ echo "Error: log-level must be one of: audit, debug, info, warn, error."
+ exit 1
+ ;;
+ esac
+
+ # Validate log-type (only allowed values)
+ case "${LOG_TYPE}" in
+ text|json)
+ ;;
+ *)
+ echo "Error: log-type must be one of: text, json."
+ exit 1
+ ;;
+ esac
+
+ # Validate provision-policy-fixtures (must be true or false)
+ case "${PROVISION_POLICY_FIXTURES}" in
+ true|false)
+ ;;
+ *)
+ echo "Error: provision-policy-fixtures must be 'true' or 'false'."
+ exit 1
+ ;;
+ esac
 - name: Check out platform
 uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
 with:
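Review bot: Three of the seven checks in the relocated `run:` block are the same nine-line `case` stanza with only the variable and the input name changed (and start-additional-kas carries three more copies), which makes a 70-line step out of what is a one-line rule per input and invites the copies to drift when the error text or the accepted values change. A small helper defined at the top of the block reduces each boolean input to a single call while keeping the exact error messages; the regex check, the jq check and the two enum stanzas can stay as they are. The `steps:` list this step opens continues past the hunk.
```yaml
      run: |
        # Fail the step unless the named input is exactly "true" or "false".
        require_bool() {
          case "$2" in
            true|false) ;;
            *)
              echo "Error: $1 must be 'true' or 'false'."
              exit 1
              ;;
          esac
        }

        # … unchanged: platform-ref regex check and extra-keys jq check …

        require_bool ec-tdf-enabled "${EC_TDF_ENABLED}"
        require_bool pqc-enabled "${PQC_ENABLED}"

        # … unchanged: log-level and log-type case blocks …

        require_bool provision-policy-fixtures "${PROVISION_POLICY_FIXTURES}"
```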
@@ -165,10 +237,12 @@ runs:
 working-directory: otdf-test-platform
 - name: Enable ECC wrapping for TDFs
 shell: bash
- if: ${{ inputs.ec-tdf-enabled }}
+ if: ${{ inputs.ec-tdf-enabled == 'true' }}
 run: |
 yq e '.services.kas.ec_tdf_enabled = true' -i opentdf.yaml
 working-directory: otdf-test-platform
+ - name: Enable PQ (mlkem, xwing, and hybrid) wrapping for TDFs
+ shell: bash
 if: ${{ inputs.pqc-enabled == 'true' }}
 run: |
 yq e '
@@ -177,78 +251,6 @@ runs:
 | (.server.cryptoProvider.standard.keys += [{"kid":"x1","alg":"hpqt:xwing","private":"kas-xwing-private.pem","cert":"kas-xwing-public.pem"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768","private":"kas-p256mlkem768-private.pem","cert":"kas-p256mlkem768-public.pem"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024","private":"kas-p384mlkem1024-private.pem","cert":"kas-p384mlkem1024-public.pem"}])
 ' -i opentdf.yaml
 working-directory: otdf-test-platform
- - name: Validate inputs
- shell: bash
- env:
- PLATFORM_REF: ${{ inputs.platform-ref }}
- EXTRA_KEYS: ${{ inputs.extra-keys }}
- EC_TDF_ENABLED: ${{ inputs.ec-tdf-enabled }}
- PQC_ENABLED: ${{ inputs.pqc-enabled }}
- LOG_LEVEL: ${{ inputs.log-level }}
- LOG_TYPE: ${{ inputs.log-type }}
- PROVISION_POLICY_FIXTURES: ${{ inputs.provision-policy-fixtures }}
- run: |
- # Validate platform-ref (safe characters only — prevents path/command injection)
- if [[ ! "${PLATFORM_REF}" =~ ^[a-zA-Z0-9._/-]+$ ]]; then
- echo "Error: platform-ref must contain only alphanumeric characters, dots, underscores, hyphens, and forward slashes."
- exit 1
- fi
-
- # Validate extra-keys (must be a valid JSON array)
- if ! jq -e 'type == "array"' <<< "${EXTRA_KEYS}" > /dev/null 2>&1; then
- echo "Error: extra-keys must be a valid JSON array."
- exit 1
- fi
-
- # Validate ec-tdf-enabled (must be true or false)
- case "${EC_TDF_ENABLED}" in
- true|false)
- ;;
- *)
- echo "Error: ec-tdf-enabled must be 'true' or 'false'."
- exit 1
- ;;
- esac
-
- # Validate pqc-enabled (must be true or false)
- case "${PQC_ENABLED}" in
- true|false)
- ;;
- *)
- echo "Error: pqc-enabled must be 'true' or 'false'."
- exit 1
- ;;
- esac
-
- # Validate log-level (only allowed values)
- case "${LOG_LEVEL}" in
- audit|debug|info|warn|error)
- ;;
- *)
- echo "Error: log-level must be one of: audit, debug, info, warn, error."
- exit 1
- ;;
- esac
-
- # Validate log-type (only allowed values)
- case "${LOG_TYPE}" in
- text|json)
- ;;
- *)
- echo "Error: log-type must be one of: text, json."
- exit 1
- ;;
- esac
-
- # Validate provision-policy-fixtures (must be true or false)
- case "${PROVISION_POLICY_FIXTURES}" in
- true|false)
- ;;
- *)
- echo "Error: provision-policy-fixtures must be 'true' or 'false'."
- exit 1
- ;;
- esac
 - name: Configure logging
 shell: bash
 env:
From 4fe32702f6727d210c306283cd07f8d19ebcb349 Mon Sep 17 00:00:00 2001
From: Dave Mihalcik
Date: Fri, 5 Jun 2026 10:01:54 -0400
Subject: [PATCH 6/6] fixup suggestion
---
 test/start-additional-kas/action.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/test/start-additional-kas/action.yaml b/test/start-additional-kas/action.yaml
index e23471aa6e..aed075585b 100644
--- a/test/start-additional-kas/action.yaml
+++ b/test/start-additional-kas/action.yaml
@@ -154,7 +154,7 @@ runs:
 (.services.kas.keyring += [{"kid":"x1","alg":"hpqt:xwing"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024"}])
 | (.server.cryptoProvider.standard.keys += [{"kid":"x1","alg":"hpqt:xwing","private":"kas-xwing-private.pem","cert":"kas-xwing-public.pem"},{"kid":"h1","alg":"hpqt:secp256r1-mlkem768","private":"kas-p256mlkem768-private.pem","cert":"kas-p256mlkem768-public.pem"},{"kid":"h2","alg":"hpqt:secp384r1-mlkem1024","private":"kas-p384mlkem1024-private.pem","cert":"kas-p384mlkem1024-public.pem"}])
 else . end)
- | (.services.kas.preview.key_management = env(KEY_MANAGEMENT))
+ | (.services.kas.preview.key_management = (env(KEY_MANAGEMENT) == "true"))
 | (.services.kas.registered_kas_uri = "http://localhost:" + env(KAS_PORT))
 | del(.services.kas.root_key)
 | (.logger.level = env(LOG_LEVEL))