diff --git a/xtest/sdk/java/cli.sh b/xtest/sdk/java/cli.sh index 44974444..420bbb7b 100755 --- a/xtest/sdk/java/cli.sh +++ b/xtest/sdk/java/cli.sh @@ -40,18 +40,28 @@ if [ "$1" == "supports" ]; then exit 0 ;; assertions) + set -o pipefail java -jar "$SCRIPT_DIR"/cmdline.jar help encrypt | grep with-assertions exit $? ;; assertion_verification) + set -o pipefail java -jar "$SCRIPT_DIR"/cmdline.jar help decrypt | grep with-assertion-verification-keys exit $? ;; kasallowlist) + set -o pipefail java -jar "$SCRIPT_DIR"/cmdline.jar help decrypt | grep kas-allowlist exit $? ;; + key_management) + # Advanced key management from SDK version >= 0.10.0 + set -o pipefail + java -jar "$SCRIPT_DIR"/cmdline.jar --version | jq -re .version | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 >= 10)) exit 0; else exit 1; }' + exit $? + ;; ecwrap) + set -o pipefail if java -jar "$SCRIPT_DIR"/cmdline.jar help encrypt | grep encap-key; then # versions 0.7.6 and earlier used an older value for EC HKDF salt; check for 0.7.7 or later java -jar "$SCRIPT_DIR"/cmdline.jar --version | jq -re .version | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 > 7) || ($1 == 0 && $2 == 7 && $3 >= 7)) exit 0; else exit 1; }' @@ -69,6 +79,7 @@ if [ "$1" == "supports" ]; then ;; hexaflexible) + set -o pipefail java -jar "$SCRIPT_DIR"/cmdline.jar help encrypt | grep with-target-mode exit $? ;; diff --git a/xtest/sdk/js/cli.sh b/xtest/sdk/js/cli.sh index 175e0e15..b59f3306 100755 --- a/xtest/sdk/js/cli.sh +++ b/xtest/sdk/js/cli.sh 
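Review bot: `set -o pipefail` is repeated inside each capability arm of the `supports` case, so any arm that lacks it, or one added later, still takes its exit status from the last pipeline stage alone. That matters most for the version gates such as the new `key_management` arm: the awk program only reaches `exit 1` when it receives a record, so on empty input it exits 0 and the capability would be reported as supported if `java` or `jq -re` failed. Every arm shown here exits straight after its pipeline, so a single `set -o pipefail` placed just before the `case` statement would make all arms fail closed. The same applies to the `hexaflexible` hunk that follows and to the arms in xtest/sdk/js/cli.sh. The enclosing `if [ "$1" == "supports" ]` block starts outside the hunk, so this assumes no arm there relies on the default pipeline status.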
@@ -33,25 +33,30 @@ if [ "$1" == "supports" ]; then fi case "$2" in assertions) + set -o pipefail npx $CTL help | grep assertions exit $? ;; assertion_verification) + set -o pipefail npx $CTL help | grep assertionVerificationKeys exit $? ;; autoconfigure | ns_grants) + set -o pipefail npx $CTL help | grep autoconfigure exit $? ;; kasallowlist) + set -o pipefail npx $CTL help | grep 'from "/key-access-servers" endpoint' exit $? ;; ecwrap) + set -o pipefail if npx $CTL help | grep encapKeyType; then # Claims to support ecwrap, but maybe with old salt? Look up version - npx $CTL --version | jq -re '.["@opentdf/sdk"]' | awk -F. '{ if ($1 > 2) exit 0; else exit 1; }' + npx $CTL --version | jq -re '.["@opentdf/sdk"]' | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 > 4)) exit 0; else exit 1; }' exit $? else echo "ecwrap not supported" @@ -64,9 +69,16 @@ if [ "$1" == "supports" ]; then exit $? ;; hexaflexible) + set -o pipefail npx $CTL help | grep tdfSpecVersion exit $? ;; + key_management) + # Advanced key management from SDK version >= 0.8.0 + set -o pipefail + npx $CTL --version | jq -re '.["@opentdf/sdk"]' | awk -F. '{ if ($1 > 0 || ($1 == 0 && $2 > 7)) exit 0; else exit 1; }' + exit $? + ;; obligations) # Obligations support from SDK version >= 0.6.0 set -o pipefail diff --git a/xtest/test_abac.py b/xtest/test_abac.py index eae3b377..39e4ce0f 100644 --- a/xtest/test_abac.py +++ b/xtest/test_abac.py @@ -31,6 +31,13 @@ def skip_dspx1153(encrypt_sdk: tdfs.SDK, decrypt_sdk: tdfs.SDK): pytest.skip("dspx1153 fails with this SDK version combination") +def skip_dspx2457(encrypt_sdk: tdfs.SDK): + if encrypt_sdk.sdk == "java": + pytest.skip( + "DSPX-2457 Java SDK unable to handle KAS grants with different types" + ) + + def assert_decrypt_fails_with_patterns( decrypt_sdk: tdfs.SDK, ct_file: Path, 
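Review bot: The ecwrap gate now encodes its minimum version as `$2 > 4`, but the comment above it still says only "maybe with old salt? Look up version", so the required release is not stated anywhere a reader can check the awk expression against. I would name it the way the Java script does, e.g. `# older releases may use the old salt; require @opentdf/sdk 0.5.0 or later`, and write the comparison as `$2 >= 5`. The new `key_management` arm in the next hunk has the same mismatch: its comment says `>= 0.8.0` while the test is `$2 > 7`. Writing `$2 >= 8` matches that comment and the Java arm's `$2 >= 10`.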
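Review bot: `skip_dspx2457` skips on `encrypt_sdk.sdk == "java"` for every Java SDK version, so both tests that call it in the later hunks (`test_key_mapping_multiple_mechanisms` and `test_autoconfigure_key_management_two_kas_two_keys`) stay skipped for Java even after DSPX-2457 is fixed. Until then, the Java SDK's handling of KAS grants with different types is not exercised by this suite. The helper has no docstring; I would add one such as `"""Skip while DSPX-2457 is open (Java SDK unable to handle KAS grants with different types); remove once fixed."""` and gate the skip on a version once a fixed release is known. In `test_key_mapping_multiple_mechanisms` the call also sits before the `in_focus` check, so out-of-focus Java runs report the DSPX-2457 reason rather than "Not in focus"; placing it after that check, as the second call site does, keeps skip reasons consistent.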
@@ -71,6 +78,7 @@ def test_key_mapping_multiple_mechanisms( global counter tdfs.skip_if_unsupported(encrypt_sdk, "key_management") + skip_dspx2457(encrypt_sdk) skip_dspx1153(encrypt_sdk, decrypt_sdk) if not in_focus & {encrypt_sdk, decrypt_sdk}: pytest.skip("Not in focus") @@ -815,6 +823,7 @@ def test_autoconfigure_key_management_two_kas_two_keys( pytest.skip("Not in focus") tdfs.skip_if_unsupported(encrypt_sdk, "key_management") tdfs.skip_if_unsupported(encrypt_sdk, "autoconfigure") + skip_dspx2457(encrypt_sdk) pfs = tdfs.PlatformFeatureSet() tdfs.skip_connectrpc_skew(encrypt_sdk, decrypt_sdk, pfs) tdfs.skip_hexless_skew(encrypt_sdk, decrypt_sdk)