
vault: add generic authorizer with jwt auth support#21714

Open
prashantkumar1982 wants to merge 12 commits into develop from codex/vault-gwt-auth-authorizer

Conversation


@prashantkumar1982 prashantkumar1982 commented Mar 26, 2026

Summary

This adds the Vault auth abstraction needed for gateway-side JWT support while keeping current behavior unchanged because JWT auth remains disabled.

What changed

  • add a generic Authorizer used by both the Vault gateway handler and the Vault capability gateway handler
  • model two first-class auth mechanisms: AllowListBasedAuth and JWTBasedAuth
  • add a shared AuthResult contract and a shared RequestReplayGuard
  • implement JWT auth validation plumbing behind JWTBasedAuth, gated internally and failing closed when disabled
  • rename the old request-authorizer/replay-guard types and files to reflect the new mechanism names

Behavior

  • runtime behavior is unchanged today because JWT auth is still disabled
  • allowlist-based auth remains the active mechanism for existing traffic
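As an added illustration of the fail-closed gating and shared replay guard the description above outlines (this is not code from the PR; the type and field names are assumed, and the JWT verifier is a pluggable function standing in for the PR's real token validation):

```go
package main

import (
	"sync"
	"time"
)

// AuthResult is a constructed stand-in for the PR's shared result contract.
type AuthResult struct {
	Allowed bool
	Reason  string
}
// JWTBasedAuth is gated by a flag; while disabled it rejects every request (fails closed).
type JWTBasedAuth struct {
	enabled bool
	verify  func(token string, now time.Time) error // pluggable verifier (assumed, not the PR's parser)
}
func (j *JWTBasedAuth) Authorize(token string, now time.Time) AuthResult {
	if !j.enabled || j.verify == nil {
		return AuthResult{Reason: "jwt auth disabled"}
	}
	if err := j.verify(token, now); err != nil {
		return AuthResult{Reason: "token rejected: " + err.Error()}
	}
	return AuthResult{Allowed: true}
}
// RequestReplayGuard rejects a request ID already seen inside the window.
type RequestReplayGuard struct {
	mu     sync.Mutex
	seen   map[string]time.Time
	window time.Duration
}
func NewRequestReplayGuard(window time.Duration) *RequestReplayGuard {
	return &RequestReplayGuard{seen: map[string]time.Time{}, window: window}
}
// Admit returns false for a replayed ID; entries older than the window are evicted first.
func (g *RequestReplayGuard) Admit(id string, now time.Time) bool {
	g.mu.Lock()
	defer g.mu.Unlock()
	for k, t := range g.seen {
		if now.Sub(t) > g.window {
			delete(g.seen, k)
		}
	}
	if _, dup := g.seen[id]; dup {
		return false
	}
	g.seen[id] = now
	return true
}
```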

…th-authorizer

# Conflicts:
#	core/capabilities/vault/gw_handler.go
#	core/capabilities/vault/gw_handler_test.go
#	core/services/ocr2/delegate.go

github-actions bot commented Mar 26, 2026

✅ No conflicts with other open PRs targeting develop

@github-actions

I see you updated files related to core. Please run make gocs in the root directory to add a changeset, and include at least one of the following tags in the text:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

Contributor Author

This file is pretty much just a rename of previous request_authorizer.go file

trunk-io bot commented Mar 26, 2026



- Cap JWKS response body to 1 MB to prevent resource exhaustion
- Make all AuthResult fields unexported with accessor methods
- Add iat claim validation to JWT parser
- Annotate unreachable return in allowlist retry loop
- Fix misleading test name for digest verification delegation

Made-with: Cursor
@prashantkumar1982 prashantkumar1982 force-pushed the codex/vault-gwt-auth-authorizer branch from 77cda12 to 68f66e2 on March 26, 2026 06:43