vault: add generic authorizer with jwt auth support

[prashantkumar1982]

Summary

This adds the Vault auth abstraction needed for gateway-side JWT support while keeping current behavior unchanged because JWT auth remains disabled.

What changed

• add a generic Authorizer used by both the Vault gateway handler and the Vault capability gateway handler
• model two first-class auth mechanisms: AllowListBasedAuth and JWTBasedAuth
• add a shared AuthResult contract and a shared RequestReplayGuard
• implement JWT auth validation plumbing behind JWTBasedAuth, gated internally and failing closed when disabled
• rename the old request-authorizer/replay-guard types and files to reflect the new mechanism names

Behavior

• runtime behavior is unchanged today because JWT auth is still disabled
• allowlist-based auth remains the active mechanism for existing traffic

[github-actions]

✅ No conflicts with other open PRs targeting develop

[prashantkumar1982]

This file is pretty much just a rename of previous request_authorizer.go file

[trunk-io]

     

View Full Report ↗︎ ⋅ Docs

[github-actions]

CORA - Analysis Skipped

Reason: The number of code owners (4) is less than the minimum required (5) and/or the number of CODEOWNERS entries with changed files (3) is less than the minimum required (2).

[elatoskinas]

Aren't we tying all secrets to the org ID? Or is this just for backwards compat and we're planning to remove it?

[prashantkumar1982]

This is for the allowlist based auth.
This is on gateway and on vault node before LinkingService.
So we haven't yet mapped workflowOwner to OrgID.
For old auth, workflowOwner is still the owner for the purpose of the request.
Conversion to orgID will happen later in the stack after auth is done.

[elatoskinas]

For old auth, workflowOwner is still the owner for the purpose of the request.

Isn't that model changing? What happens if wfOwner1 moves from Org X to Org Y - if we don't do that mapping prior, do we prevent wfOwner1 from managing Org X's secrets?

[elatoskinas]

For old auth, workflowOwner is still the owner for the purpose of the request.

Isn't that model changing? What happens if wfOwner1 moves from Org X to Org Y - if we don't do that mapping prior, do we prevent wfOwner1 from managing Org X's secrets?

[elatoskinas]

How are we planning to support m2m tokens in the future? They will likely need to have a different prefix. Is it worthwhile making this change now?

[elatoskinas]

We'll need to test the JWKS behaviour on the first call. It's generally good practice to hot-load the JWKS in the background even before a request comes through (i.e. on construction time)

[prashantkumar1982]

Sounds good, let me do it in a background thread

[cedric-cordenier]

What happened here? Did this need to change?

[prashantkumar1982]

I was trying to run the linter locally as it runs in CI, and it complained about this error. So I fixed it. Not sure if CI would've complained about it though. But the fix was simple, so just did it.

[prashantkumar1982]

For old auth, workflowOwner is still the owner for the purpose of the request.

Isn't that model changing? What happens if wfOwner1 moves from Org X to Org Y - if we don't do that mapping prior, do we prevent wfOwner1 from managing Org X's secrets?

@elatoskinas

When an incoming request comes in via old auth flow, this authorizer just authenticates if the calling request was authorized via allowlist, and to which workflowOwner key.
This is then passed into Vault Capability as-is, and that is where the linking service is called to check the correct owning orgID for it. That is where the OrgID gets superceded.
In this authorizer, we don't call the linking service.

[prashantkumar1982]

#21714 (comment)

@elatoskinas : I don't have more context on m2m tokens.
How will they be different?
In any case, when we support that, it will need to be supported fully at gateway webserver level too first.
Thus I was saying, lets keep that in a separate PR whenever needed.

[elatoskinas]

@prashantkumar1982

I don't have more context on m2m tokens.
How will they be different?

Depends on the implementation, but the verification mechanism might change. It's more efficient to pass in the key type e.g. MachineToken <token> rather than relying on this kind of flow:

if verify1() {
  // permit
} else if verify2() {
   // performing verify1() adds extra latency - because we're validating the key of the wrong format
  // permit
}

[elatoskinas]

Would strongly suggest tracking metrics in production, incl. latency to fetch JWKS & error rate

[github-actions]

I see you updated files related to core. Please run make gocs in the root directory to add a changeset as well as in the text include at least one of the following tags:

• #added For any new functionality added.
• #breaking_change For any functionality that requires manual action for the node to boot.
• #bugfix For bug fixes.
• #changed For any change to the existing functionality.
• #db_update For any feature that introduces updates to database schema.
• #deprecation_notice For any upcoming deprecation functionality.
• #internal For changesets that need to be excluded from the final changelog.
• #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
• #removed For any functionality/config that is removed.
• #updated For any functionality that is updated.
• #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

[cl-sonarqube-production]

Quality Gate passed

Issues
1 New issue
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.2% Duplication on New Code

See analysis details on SonarQube