diff --git a/.github/workflows/vulnerability.yml b/.github/workflows/vulnerability.yml
index 9eadc620f..2c7acf9a3 100644
--- a/.github/workflows/vulnerability.yml
+++ b/.github/workflows/vulnerability.yml
@@ -36,7 +36,7 @@ jobs:
 npm ci
 - name: Check out and start up platform with deps/containers
 id: run-platform
- uses: opentdf/platform/test/start-up-with-containers@main
+ uses: opentdf/platform/test/start-up-with-containers@11af44a5d4826ed281bf2e0e4e31d6ff6154b393 # pqc-enabled
 with:
 platform-ref: ${{ inputs.platform-ref }}
 - name: Get grpcurl
diff --git a/.github/workflows/xtest.yml b/.github/workflows/xtest.yml
index 59484bdfc..8abb8c25d 100644
--- a/.github/workflows/xtest.yml
+++ b/.github/workflows/xtest.yml
@@ -278,12 +278,13 @@ jobs:
 ######## SPIN UP PLATFORM BACKEND #############
 - name: Check out and start up platform with deps/containers
 id: run-platform
- uses: opentdf/platform/test/start-up-with-containers@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix
+ uses: opentdf/platform/test/start-up-with-containers@11af44a5d4826ed281bf2e0e4e31d6ff6154b393 # pqc-enabled
 with:
 platform-ref: ${{ fromJSON(needs.resolve-versions.outputs.platform-tag-to-sha)[matrix.platform-tag] }}
 ec-tdf-enabled: true
 extra-keys: ${{ steps.load-extra-keys.outputs.EXTRA_KEYS }}
 log-type: json
+ pqc-enabled: true
 - name: Install uv
 uses: astral-sh/setup-uv@61cb8a9741eeb8a550a1b8544337180c0fc8476b # v7.2.0
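Review bot: The new pin on the `uses:` line in vulnerability.yml carries the comment `# pqc-enabled`, which reads like a branch name rather than a release tag, so the SHA may point at a commit that exists only on a feature branch of opentdf/platform. If that branch is later rebased, squash-merged or deleted, the commit can become unreachable and the action stops resolving; the comment also gives no hint of which reviewed state of the action is being trusted. Once the platform change is merged, re-pin to the resulting commit on `main` and say so in the comment, e.g. `# main, after pqc-enabled merge`. The same pin is repeated on the `start-up-with-containers` step and the six `start-additional-kas` steps in xtest.yml, so they should move together.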
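Review bot: Nothing in the `run-platform` step of xtest.yml confirms that `pqc-enabled: true` took effect. GitHub Actions only emits a warning for an input the action does not declare, and `platform-ref` here comes from the `matrix.platform-tag` lookup, so a platform build that predates this feature would presumably start without it and leave the job green with the PQC tests skipped. At minimum document the expectation next to the input, for example `# older platform refs may ignore this; PQC tests then skip rather than fail`, and consider reporting the number of skipped PQC tests in the job summary. The same applies to the six `start-additional-kas` steps in the following hunk.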
@@ -567,69 +568,75 @@ jobs:
 - name: Start additional kas
 id: kas-alpha
 if: ${{ steps.multikas.outputs.supported == 'true' }}
- uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix
+ uses: opentdf/platform/test/start-additional-kas@11af44a5d4826ed281bf2e0e4e31d6ff6154b393 # pqc-enabled
 with:
 ec-tdf-enabled: true
 kas-name: alpha
 kas-port: 8181
 log-type: json
+ pqc-enabled: true
 root-key: ${{ steps.km-check.outputs.root_key }}
 - name: Start additional kas
 id: kas-beta
 if: ${{ steps.multikas.outputs.supported == 'true' }}
- uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix
+ uses: opentdf/platform/test/start-additional-kas@11af44a5d4826ed281bf2e0e4e31d6ff6154b393 # pqc-enabled
 with:
 ec-tdf-enabled: true
 kas-name: beta
 kas-port: 8282
 log-type: json
+ pqc-enabled: true
 root-key: ${{ steps.km-check.outputs.root_key }}
 - name: Start additional kas
 id: kas-gamma
 if: ${{ steps.multikas.outputs.supported == 'true' }}
- uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix
+ uses: opentdf/platform/test/start-additional-kas@11af44a5d4826ed281bf2e0e4e31d6ff6154b393 # pqc-enabled
 with:
 ec-tdf-enabled: true
 kas-name: gamma
 kas-port: 8383
 log-type: json
+ pqc-enabled: true
 root-key: ${{ steps.km-check.outputs.root_key }}
 - name: Start additional kas
 id: kas-delta
 if: ${{ steps.multikas.outputs.supported == 'true' }}
- uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix
+ uses: opentdf/platform/test/start-additional-kas@11af44a5d4826ed281bf2e0e4e31d6ff6154b393 # pqc-enabled
 with:
 ec-tdf-enabled: true
 kas-port: 8484
 kas-name: delta
 log-type: json
+ pqc-enabled: true
 root-key: ${{ steps.km-check.outputs.root_key }}
 - name: Start additional KM kas (km1)
 id: kas-km1
 if: ${{ steps.multikas.outputs.supported == 'true' }}
- uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix
+ uses: opentdf/platform/test/start-additional-kas@11af44a5d4826ed281bf2e0e4e31d6ff6154b393 # pqc-enabled
 with:
 ec-tdf-enabled: true
 key-management: ${{ steps.km-check.outputs.supported }}
 kas-name: km1
 kas-port: 8585
 log-type: json
+ pqc-enabled: true
 root-key: ${{ steps.km-check.outputs.root_key }}
 - name: Start additional KM kas (km2)
 id: kas-km2
 if: ${{ steps.multikas.outputs.supported == 'true' }}
- uses: opentdf/platform/test/start-additional-kas@998929e5c66d41f928b90e6af7dbaa0a14302ca6 # watch-sh-fix
+ uses: opentdf/platform/test/start-additional-kas@11af44a5d4826ed281bf2e0e4e31d6ff6154b393 # pqc-enabled
 with:
 ec-tdf-enabled: true
 kas-name: km2
 key-management: ${{ steps.km-check.outputs.supported }}
 kas-port: 8686
 log-type: json
+ pqc-enabled: true
 root-key: ${{ steps.km-check.outputs.root_key }}
 - name: Run attribute based configuration tests
diff --git a/otdf-local/src/otdf_local/services/kas.py b/otdf-local/src/otdf_local/services/kas.py
index 0b7adfa64..00de6a2cd 100644
--- a/otdf-local/src/otdf_local/services/kas.py
+++ b/otdf-local/src/otdf_local/services/kas.py
@@ -77,6 +77,7 @@ def _generate_config(self) -> Path:
 if self.is_key_management:
 updates["services.kas.preview.key_management"] = True
 updates["services.kas.preview.ec_tdf_enabled"] = True
+ updates["services.kas.preview.hybrid_tdf_enabled"] = True
 # registered_kas_uri should NOT have /kas suffix
 updates["services.kas.registered_kas_uri"] = f"http://localhost:{self.port}"
diff --git a/spec/DSPX-3499.md b/spec/DSPX-3499.md
new file mode 100644
index 000000000..0291e2b7c
--- /dev/null
+++ b/spec/DSPX-3499.md
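Review bot: In `_generate_config` in otdf-local/src/otdf_local/services/kas.py, the added `hybrid_tdf_enabled` line has no comment and no switch, whereas the workflows in this commit make what looks like the same choice through an explicit `pqc-enabled` input. A reader cannot tell from here whether the two names refer to the same feature or which platform versions accept the key. A short comment above the line would help, such as `# preview flag for hybrid PQ/T TDF support; presumably what CI's pqc-enabled input turns on (confirm)`. The function body starts and ends outside this hunk, and the collapsed indentation hides whether the line sits inside the `if self.is_key_management:` branch.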
@@ -0,0 +1,38 @@
+---
+ticket: DSPX-3499
+title: xtest pqc and hybrid pq/t tests skipped or not skipped correctly
+status: draft
+authors:
+ - dmihalcik@virtru.com
+branches:
+ - opentdf/tests:DSPX-3499-pqcrun
+prs: []
+created: 2026-06-05T00:00:00Z
+updated: 2026-06-05T00:00:00Z
+jira_priority: Medium
+---
+
+
+# xtest pqc and hybrid pq/t tests skipped or not skipped correctly
+
+## Summary
+Make sure the tests are run if all components could support them.
+
+## Problem / Motivation
+_Why does this work need to happen? What is the user/business pain?_
+
+## Proposed Solution
+_What will you build, at a functional level? Sketch the approach._
+
+## Inputs / Outputs / Contracts
+_Function signatures, data shapes, API contracts, CLI flags._
+
+## Edge Cases & Constraints
+_Boundary conditions, error states, performance limits, security considerations._
+
+## Out of Scope
+_What this work item explicitly does not cover._
+
+## Acceptance Criteria
+- [ ] _Clear, testable condition_
+- [ ] _…_
diff --git a/xtest/tdfs.py b/xtest/tdfs.py
index f07f45950..560ea5a8b 100644
--- a/xtest/tdfs.py
+++ b/xtest/tdfs.py
@@ -35,8 +35,8 @@ def _km1_log_path() -> Path | None:
 def _algs_from_km1_log() -> set[str]:
 """Scan km1's startup log to extract the set of configured key algorithms.
- Prefers the INFO 'kas initialized' entry added by DSPX-3456; falls back to
- the DEBUG 'kas config' entry available on current platform versions.
+ Prefers the INFO 'kas trust mechanisms initialized' summary; falls back to
+ the DEBUG 'kas config loaded' keyring dump.
 """
 log = _km1_log_path()
 if not log or not log.exists():
@@ -49,11 +49,12 @@ def _algs_from_km1_log() -> set[str]:
 entry = json.loads(line)
 except json.JSONDecodeError:
 continue
- # Preferred: explicit INFO summary (DSPX-3456, not yet landed)
- if entry.get("msg") == "kas initialized" and "mechanisms" in entry:
+ if (
+ entry.get("msg") == "kas trust mechanisms initialized"
+ and "mechanisms" in entry
+ ):
 return set(entry["mechanisms"])
- # Fallback: DEBUG keyring dump present in current platform
- if entry.get("msg") == "kas config" and "config" in entry:
+ if entry.get("msg") == "kas config loaded" and "config" in entry:
 for k in entry["config"].get("keyring", []):
 if alg := k.get("alg"):
 algs.add(alg)
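Review bot: The two `msg` comparisons in `_algs_from_km1_log` now match only the new strings, so a platform build that still logs `kas config` (the removed comment called that the current platform's output) yields an empty algorithm set. Since xtest.yml runs against a matrix of platform tags, that would presumably make the PQC and hybrid tests skip silently on older tags, which is the failure this ticket describes. Accepting both spellings keeps the fallback working: `if entry.get("msg") in ("kas config loaded", "kas config") and "config" in entry:`. The function starts before this hunk and continues after it.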