Skip to content

vault refactor: move request authorization into gw handler#21688

Merged
prashantkumar1982 merged 6 commits intodevelopfrom
codex/vault-request-authorizer-in-gw
Mar 26, 2026
Merged

vault refactor: move request authorization into gw handler#21688
prashantkumar1982 merged 6 commits intodevelopfrom
codex/vault-request-authorizer-in-gw

Conversation

@prashantkumar1982
Copy link
Copy Markdown
Contributor

@prashantkumar1982 prashantkumar1982 commented Mar 24, 2026
edited
Loading

Summary

This refactors Vault node-side request authorization so the gateway handler owns authorization for incoming gateway requests, while the Vault capability stops depending on RequestAuthorizer.

This is so that we can consolidate all auth under a fixed place inside Vault node. After this change, the new jwt auth will also attach at same place, making the auth design cleaner.

What changed

  • inject RequestAuthorizer into the Vault node gw_handler and authorize create/update/delete/list requests there
  • prefix node request IDs in gw_handler after authorization and enforce owner consistency before calling the secrets service
  • remove RequestAuthorizer plumbing and auth checks from the Vault capability
  • update OCR2 delegate wiring so the authorizer is constructed once and passed to the gateway handler
  • extend the existing unit tests to cover the new auth boundary and remove capability tests that asserted the old behavior

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 24, 2026
edited
Loading

✅ No conflicts with other open PRs targeting develop

@trunk-io
Copy link
Copy Markdown

trunk-io bot commented Mar 24, 2026
edited
Loading

Static BadgeStatic BadgeStatic BadgeStatic Badge

View Full Report ↗︎Docs

@prashantkumar1982 prashantkumar1982 changed the title vault: move request authorization into gw handler vault refactor: move request authorization into gw handler Mar 25, 2026
prashantkumar1982
prashantkumar1982 commented Mar 25, 2026
View reviewed changes
core/capabilities/vault/gw_handler.go Outdated
func (h *GatewayHandler) handleSecretsCreate(ctx context.Context, gatewayID string, req *jsonrpc.Request[json.RawMessage]) *jsonrpc.Response[json.RawMessage] {
func (h *GatewayHandler) authorizeAndPrefixRequest(ctx context.Context, req *jsonrpc.Request[json.RawMessage]) (string, error) {
if h.requestAuthorizer == nil {
return "", errors.New("request authorizer is nil")
Copy link
Copy Markdown
Contributor Author

@prashantkumar1982 prashantkumar1982 Mar 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Add an error log here

prashantkumar1982
prashantkumar1982 commented Mar 25, 2026
View reviewed changes
@prashantkumar1982 prashantkumar1982 requested review from a team as code owners March 25, 2026 05:19
cedric-cordenier
cedric-cordenier reviewed Mar 25, 2026
View reviewed changes
vreff
vreff reviewed Mar 25, 2026
View reviewed changes
core/capabilities/vault/gw_handler.go
}

func (h *GatewayHandler) handleSecretsList(ctx context.Context, gatewayID string, req *jsonrpc.Request[json.RawMessage]) *jsonrpc.Response[json.RawMessage] {
func (h *GatewayHandler) handleSecretsList(ctx context.Context, gatewayID string, req *jsonrpc.Request[json.RawMessage], owner string) *jsonrpc.Response[json.RawMessage] {
Copy link
Copy Markdown
Contributor

@vreff vreff Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there an explainer on the propagation of this field? Would just want to make sure the gateway can't make up an arbitrary owner field and make up secrets.

Copy link
Copy Markdown
Contributor Author

@prashantkumar1982 prashantkumar1982 Mar 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This section talks about what gw_handler will do for old and new auth flows: https://docs.google.com/document/d/1NATmKRcTnlMfyDaXwB8hlasOFJz_D7n3IYhYRPq6BUg/edit?tab=t.ryzdzwuy1ylp#heading=h.cnrwnnpd4wxa

In summary, gateway is untrusted. We lookup owner from our auth flows. So the owner will be trusted field after successful auth.
This code is going to be significantly refactored with both old and new flows. But for now, this owner field is derived from our RequestAuthorizer, which validates this owner from the onchain allowlist.

vreff
vreff previously approved these changes Mar 25, 2026
View reviewed changes
@cl-sonarqube-production
Copy link
Copy Markdown

cl-sonarqube-production bot commented Mar 25, 2026

Quality Gate passed Quality Gate passed

Issues
1 New issue
10 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
5.1% Duplication on New Code

See analysis details on SonarQube

@prashantkumar1982 prashantkumar1982 added this pull request to the merge queue Mar 26, 2026
Merged via the queue into develop with commit f8abcbb Mar 26, 2026
214 checks passed
@prashantkumar1982 prashantkumar1982 deleted the codex/vault-request-authorizer-in-gw branch March 26, 2026 00:43
This was referenced Mar 26, 2026
Draft
Draft
Draft
Draft
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmank88 jmank88 jmank88 approved these changes

@vreff vreff vreff approved these changes

@cedric-cordenier cedric-cordenier cedric-cordenier left review comments

@silaslenihan silaslenihan Awaiting requested review from silaslenihan

@patrickhuie19 patrickhuie19 Awaiting requested review from patrickhuie19

@archseer archseer Awaiting requested review from archseer

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@prashantkumar1982 @jmank88 @cedric-cordenier @vreff