vault: add generic authorizer with jwt auth support

.mockery.yaml

@@ -27,7 +27,7 @@ packages:
       DonSubscriber:
   github.com/smartcontractkit/chainlink/v2/core/capabilities/vault:
     interfaces:
-      RequestAuthorizer:
+      Authorizer:
   github.com/smartcontractkit/chainlink/v2/core/capabilities/vault/vaulttypes:
     interfaces:
       SecretsService:
@@ -434,4 +434,3 @@ packages:
   github.com/smartcontractkit/chainlink/v2/core/services/workflows/metering:
     interfaces:
       BillingClient:
-

core/capabilities/vault/allow_list_based_auth.go

@@ -0,0 +1,139 @@
+package vault
+
+import (
+	"context"
+	"encoding/hex"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"time"
+
+	jsonrpc "github.com/smartcontractkit/chainlink-common/pkg/jsonrpc2"
+	"github.com/smartcontractkit/chainlink-common/pkg/logger"
+	"github.com/smartcontractkit/chainlink-evm/gethwrappers/workflow/generated/workflow_registry_wrapper_v2"
+	workflowsyncerv2 "github.com/smartcontractkit/chainlink/v2/core/services/workflows/syncer/v2"
+)
+
+const (
+	allowListBasedAuthRetryCount    = 3
+	allowListBasedAuthRetryInterval = 3 * time.Second
+)
+
+type allowListBasedAuth struct {
+	workflowRegistrySyncer workflowsyncerv2.WorkflowRegistrySyncer
+	lggr                   logger.Logger
+	retryCount             int
+	retryInterval          time.Duration
+}
+
+// AuthorizeRequest authorizes a request using AllowListBasedAuth.
+// It does NOT check if the request method is allowed.
+func (r *allowListBasedAuth) AuthorizeRequest(ctx context.Context, req jsonrpc.Request[json.RawMessage]) (*AuthResult, error) {
+	r.lggr.Debugw("AllowListBasedAuth authorizing request", "method", req.Method, "requestID", req.ID)
+	requestDigest, err := req.Digest()
+	if err != nil {
+		r.lggr.Debugw("AllowListBasedAuth failed to create digest", "method", req.Method, "requestID", req.ID, "error", err)
+		return nil, err
+	}
+	requestDigestBytes, err := hex.DecodeString(requestDigest)
+	if err != nil {
+		r.lggr.Debugw("AllowListBasedAuth failed to decode digest", "method", req.Method, "requestID", req.ID, "requestDigest", requestDigest, "error", err)
+		return nil, err
+	}
+	requestDigestBytes32 := [32]byte(requestDigestBytes)
+	if r.workflowRegistrySyncer == nil {
+		r.lggr.Errorw("AllowListBasedAuth workflowRegistrySyncer is nil", "method", req.Method, "requestID", req.ID)
+		return nil, errors.New("internal error: workflowRegistrySyncer is nil")
+	}
+	allowlistedRequest, allowedRequestsStrs, err := r.findAllowlistedItemWithRetry(ctx, req, requestDigest, requestDigestBytes32)
+	if err != nil {
+		return nil, err
+	}
+	if allowlistedRequest == nil {
+		r.lggr.Debugw("AllowListBasedAuth request digest not allowlisted",
+			"method", req.Method,
+			"requestID", req.ID,
+			"digestHexStr", requestDigest,
+			"allowedRequestsStrs", allowedRequestsStrs)
+		return nil, errors.New("request not allowlisted")
+	}
+
+	if time.Now().UTC().Unix() > int64(allowlistedRequest.ExpiryTimestamp) {
+		authorizedRequestStr := string(allowlistedRequest.RequestDigest[:])
+		r.lggr.Debugw("AllowListBasedAuth authorization expired", "method", req.Method, "requestID", req.ID, "authorizedRequestStr", authorizedRequestStr, "expiryTimestamp", allowlistedRequest.ExpiryTimestamp)
+		return nil, errors.New("request authorization expired")
+	}
+
+	digestKey := string(allowlistedRequest.RequestDigest[:])
+	r.lggr.Debugw("AllowListBasedAuth authorization succeeded", "method", req.Method, "requestID", req.ID, "authorizedRequestStr", digestKey, "owner", allowlistedRequest.Owner.Hex(), "expiryTimestamp", allowlistedRequest.ExpiryTimestamp)
+	return &AuthResult{
+		workflowOwner: allowlistedRequest.Owner.Hex(),
+		digest:        digestKey,
+		expiresAt:     int64(allowlistedRequest.ExpiryTimestamp),
+	}, nil
+}
+
+func (r *allowListBasedAuth) findAllowlistedItemWithRetry(ctx context.Context, req jsonrpc.Request[json.RawMessage], requestDigest string, requestDigestBytes32 [32]byte) (*workflow_registry_wrapper_v2.WorkflowRegistryOwnerAllowlistedRequest, []string, error) {
+	for attempt := 0; attempt <= r.retryCount; attempt++ {
+		allowedRequests := r.workflowRegistrySyncer.GetAllowlistedRequests(ctx)
+		allowedRequestsStrs := make([]string, 0, len(allowedRequests))
+		for _, rr := range allowedRequests {
+			allowedReqStr := fmt.Sprintf("AuthorizedOwner: %s, RequestDigest: %s, ExpiryTimestamp: %d", rr.Owner.Hex(), hex.EncodeToString(rr.RequestDigest[:]), rr.ExpiryTimestamp)
+			allowedRequestsStrs = append(allowedRequestsStrs, allowedReqStr)
+		}
+		r.lggr.Debugw("AllowListBasedAuth loaded allowlisted requests", "method", req.Method, "requestID", req.ID, "attempt", attempt+1, "allowedRequests", allowedRequestsStrs)
+
+		allowlistedRequest := r.fetchAllowlistedItem(allowedRequests, requestDigestBytes32)
+		if allowlistedRequest != nil {
+			return allowlistedRequest, allowedRequestsStrs, nil
+		}
+		if attempt == r.retryCount {
+			return nil, allowedRequestsStrs, nil
+		}
+
+		r.lggr.Debugw("AllowListBasedAuth request digest not yet allowlisted, retrying",
+			"method", req.Method,
+			"requestID", req.ID,
+			"digestHexStr", requestDigest,
+			"attempt", attempt+1,
+			"maxAttempts", r.retryCount+1,
+			"retryInterval", r.retryInterval)
+		if err := sleepWithContext(ctx, r.retryInterval); err != nil {
+			r.lggr.Debugw("AllowListBasedAuth retry canceled", "method", req.Method, "requestID", req.ID, "error", err)
+			return nil, nil, err
+		}
+	}
+
+	return nil, nil, nil // unreachable: loop always returns
+}
+
+func (r *allowListBasedAuth) fetchAllowlistedItem(allowListedRequests []workflow_registry_wrapper_v2.WorkflowRegistryOwnerAllowlistedRequest, digest [32]byte) *workflow_registry_wrapper_v2.WorkflowRegistryOwnerAllowlistedRequest {
+	for _, item := range allowListedRequests {
+		if item.RequestDigest == digest {
+			return &item
+		}
+	}
+	return nil
+}
+
+// NewAllowListBasedAuth creates the allowlist-backed Vault auth mechanism.
+func NewAllowListBasedAuth(lggr logger.Logger, workflowRegistrySyncer workflowsyncerv2.WorkflowRegistrySyncer) *allowListBasedAuth {
+	return &allowListBasedAuth{
+		workflowRegistrySyncer: workflowRegistrySyncer,
+		lggr:                   logger.Named(lggr, "VaultAllowListBasedAuth"),
+		retryCount:             allowListBasedAuthRetryCount,
+		retryInterval:          allowListBasedAuthRetryInterval,
+	}
+}
+
+func sleepWithContext(ctx context.Context, d time.Duration) error {
+	timer := time.NewTimer(d)
+	defer timer.Stop()
+
+	select {
+	case <-ctx.Done():
+		return ctx.Err()
+	case <-timer.C:
+		return nil
+	}
+}

core/capabilities/vault/request_authorizer_test.go → core/capabilities/vault/allow_list_based_auth_test.go

@@ -19,7 +19,7 @@ import (
 	syncerv2mocks "github.com/smartcontractkit/chainlink/v2/core/services/workflows/syncer/v2/mocks"
 )
 
-func TestRequestAuthorizer_CreateSecrets(t *testing.T) {
+func TestAllowListBasedAuth_CreateSecrets(t *testing.T) {
 	params, err := json.Marshal(vaultcommon.CreateSecretsRequest{
 		EncryptedSecrets: []*vaultcommon.EncryptedSecret{
 			{
@@ -59,7 +59,7 @@ func TestRequestAuthorizer_CreateSecrets(t *testing.T) {
 	testAuthForRequests(t, allowListedReq, notAllowListedReq)
 }
 
-func TestRequestAuthorizer_UpdateSecrets(t *testing.T) {
+func TestAllowListBasedAuth_UpdateSecrets(t *testing.T) {
 	params, err := json.Marshal(vaultcommon.UpdateSecretsRequest{
 		EncryptedSecrets: []*vaultcommon.EncryptedSecret{
 			{
@@ -98,7 +98,7 @@ func TestRequestAuthorizer_UpdateSecrets(t *testing.T) {
 	testAuthForRequests(t, allowListedReq, notAllowListedReq)
 }
 
-func TestRequestAuthorizer_DeleteSecrets(t *testing.T) {
+func TestAllowListBasedAuth_DeleteSecrets(t *testing.T) {
 	params, err := json.Marshal(vaultcommon.DeleteSecretsRequest{
 		Ids: []*vaultcommon.SecretIdentifier{
 			{
@@ -131,7 +131,7 @@ func TestRequestAuthorizer_DeleteSecrets(t *testing.T) {
 	testAuthForRequests(t, allowListedReq, notAllowListedReq)
 }
 
-func TestRequestAuthorizer_ListSecrets(t *testing.T) {
+func TestAllowListBasedAuth_ListSecrets(t *testing.T) {
 	params, err := json.Marshal(vaultcommon.ListSecretIdentifiersRequest{
 		Namespace: "b",
 	})
@@ -159,14 +159,16 @@ func testAuthForRequests(t *testing.T, allowlistedRequest, notAllowlistedRequest
 	owner := common.Address{1, 2, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
 
 	mockSyncer := syncerv2mocks.NewWorkflowRegistrySyncer(t)
-	auth := NewRequestAuthorizer(lggr, mockSyncer)
+	auth := NewAllowListBasedAuth(lggr, mockSyncer)
+	auth.retryCount = 0
+	auth.retryInterval = time.Millisecond
 
 	// Happy path
 	digest, err := allowlistedRequest.Digest()
 	require.NoError(t, err)
 	digestBytes, err := hex.DecodeString(digest)
 	require.NoError(t, err)
-	expiry := uint64(time.Now().UTC().Unix() + 100) //nolint:gosec // it is a safe conversion
+	expiry := time.Now().UTC().Unix() + 100
 	allowlisted := []workflow_registry_wrapper_v2.WorkflowRegistryOwnerAllowlistedRequest{
 		{
 			RequestDigest:   [32]byte(digestBytes),
@@ -175,15 +177,16 @@ func testAuthForRequests(t *testing.T, allowlistedRequest, notAllowlistedRequest
 		},
 	}
 	mockSyncer.On("GetAllowlistedRequests", mock.Anything).Return(allowlisted)
-	isAuthorized, gotOwner, err := auth.AuthorizeRequest(t.Context(), allowlistedRequest)
-	require.True(t, isAuthorized, err)
-	require.Equal(t, owner.Hex(), gotOwner)
+	authResult, err := auth.AuthorizeRequest(t.Context(), allowlistedRequest)
 	require.NoError(t, err)
+	require.Equal(t, owner.Hex(), authResult.AuthorizedOwner())
+	require.Equal(t, expiry, authResult.GetExpiresAt())
+	require.NotEmpty(t, authResult.GetDigest())
 
-	// Already authorized
-	isAuthorized, _, err = auth.AuthorizeRequest(t.Context(), allowlistedRequest)
-	require.False(t, isAuthorized)
-	require.ErrorContains(t, err, "already authorized previously")
+	// Same request is still authorized here; replay protection lives in the generic Authorizer.
+	authResult, err = auth.AuthorizeRequest(t.Context(), allowlistedRequest)
+	require.NoError(t, err)
+	require.Equal(t, owner.Hex(), authResult.AuthorizedOwner())
 
 	// Expired request
 	allowlistedReqCopy := allowlistedRequest
@@ -195,16 +198,16 @@ func testAuthForRequests(t *testing.T, allowlistedRequest, notAllowlistedRequest
 	allowlisted[0].RequestDigest = [32]byte(allowlistedReqCopyDigestBytes)
 	allowlisted[0].ExpiryTimestamp = uint32(time.Now().UTC().Unix() - 1) //nolint:gosec // it is a safe conversion
 	mockSyncer.On("GetAllowlistedRequests", mock.Anything).Return(allowlisted)
-	isAuthorized, _, err = auth.AuthorizeRequest(t.Context(), allowlistedReqCopy)
-	require.False(t, isAuthorized)
+	authResult, err = auth.AuthorizeRequest(t.Context(), allowlistedReqCopy)
+	require.Nil(t, authResult)
 	require.ErrorContains(t, err, "authorization expired")
 
-	isAuthorized, _, err = auth.AuthorizeRequest(t.Context(), notAllowlistedRequest)
-	require.False(t, isAuthorized)
+	authResult, err = auth.AuthorizeRequest(t.Context(), notAllowlistedRequest)
+	require.Nil(t, authResult)
 	require.ErrorContains(t, err, "not allowlisted")
 }
 
-func TestRequestAuthorizer_RetriesAllowlistReadsUntilDigestAppears(t *testing.T) {
+func TestAllowListBasedAuth_RetriesUntilRequestIsAllowlisted(t *testing.T) {
 	lggr := logger.TestLogger(t)
 	owner := common.Address{1, 2, 3}
 	req := makeListSecretsRequest(t, "123", "b")
@@ -213,55 +216,47 @@ func TestRequestAuthorizer_RetriesAllowlistReadsUntilDigestAppears(t *testing.T)
 	require.NoError(t, err)
 	digestBytes, err := hex.DecodeString(digest)
 	require.NoError(t, err)
-
+	expiry := time.Now().UTC().Unix() + 100
 	allowlisted := []workflow_registry_wrapper_v2.WorkflowRegistryOwnerAllowlistedRequest{
 		{
 			RequestDigest:   [32]byte(digestBytes),
 			Owner:           owner,
-			ExpiryTimestamp: uint32(time.Now().UTC().Unix() + 100), //nolint:gosec // test fixture expiry is bounded and safe here
+			ExpiryTimestamp: uint32(expiry), //nolint:gosec // it is a safe conversion
 		},
 	}
 
 	mockSyncer := syncerv2mocks.NewWorkflowRegistrySyncer(t)
+	auth := NewAllowListBasedAuth(lggr, mockSyncer)
+	auth.retryCount = 2
+	auth.retryInterval = time.Millisecond
+
 	mockSyncer.On("GetAllowlistedRequests", mock.Anything).Return([]workflow_registry_wrapper_v2.WorkflowRegistryOwnerAllowlistedRequest{}).Once()
 	mockSyncer.On("GetAllowlistedRequests", mock.Anything).Return([]workflow_registry_wrapper_v2.WorkflowRegistryOwnerAllowlistedRequest{}).Once()
 	mockSyncer.On("GetAllowlistedRequests", mock.Anything).Return(allowlisted).Once()
 
-	auth := NewRequestAuthorizer(lggr, mockSyncer)
-	sleepCalls := 0
-	auth.sleep = func(d time.Duration) {
-		require.Equal(t, allowlistReadRetryInterval, d)
-		sleepCalls++
-	}
-
-	isAuthorized, gotOwner, err := auth.AuthorizeRequest(t.Context(), req)
-	require.True(t, isAuthorized, err)
+	authResult, err := auth.AuthorizeRequest(t.Context(), req)
 	require.NoError(t, err)
-	require.Equal(t, owner.Hex(), gotOwner)
-	require.Equal(t, 2, sleepCalls)
+	require.Equal(t, owner.Hex(), authResult.AuthorizedOwner())
+	require.Equal(t, expiry, authResult.GetExpiresAt())
 }
 
-func TestRequestAuthorizer_FailsAfterAllowlistReadRetries(t *testing.T) {
+func TestAllowListBasedAuth_FailsAfterAllowlistReadRetries(t *testing.T) {
 	lggr := logger.TestLogger(t)
 	req := makeListSecretsRequest(t, "123", "b")
 
 	mockSyncer := syncerv2mocks.NewWorkflowRegistrySyncer(t)
-	mockSyncer.On("GetAllowlistedRequests", mock.Anything).Return([]workflow_registry_wrapper_v2.WorkflowRegistryOwnerAllowlistedRequest{}).Times(allowlistReadRetryCount + 1)
+	mockSyncer.On("GetAllowlistedRequests", mock.Anything).Return([]workflow_registry_wrapper_v2.WorkflowRegistryOwnerAllowlistedRequest{}).Times(3)
 
-	auth := NewRequestAuthorizer(lggr, mockSyncer)
-	sleepCalls := 0
-	auth.sleep = func(d time.Duration) {
-		require.Equal(t, allowlistReadRetryInterval, d)
-		sleepCalls++
-	}
+	auth := NewAllowListBasedAuth(lggr, mockSyncer)
+	auth.retryCount = 2
+	auth.retryInterval = time.Millisecond
 
-	isAuthorized, _, err := auth.AuthorizeRequest(t.Context(), req)
-	require.False(t, isAuthorized)
+	authResult, err := auth.AuthorizeRequest(t.Context(), req)
+	require.Nil(t, authResult)
 	require.ErrorContains(t, err, "not allowlisted")
-	require.Equal(t, allowlistReadRetryCount, sleepCalls)
 }
 
-func TestRequestAuthorizer_StopsRetriesWhenContextCanceled(t *testing.T) {
+func TestAllowListBasedAuth_StopsRetriesWhenContextCanceled(t *testing.T) {
 	lggr := logger.TestLogger(t)
 	req := makeListSecretsRequest(t, "123", "b")
 
@@ -271,16 +266,13 @@ func TestRequestAuthorizer_StopsRetriesWhenContextCanceled(t *testing.T) {
 	mockSyncer := syncerv2mocks.NewWorkflowRegistrySyncer(t)
 	mockSyncer.On("GetAllowlistedRequests", mock.Anything).Return([]workflow_registry_wrapper_v2.WorkflowRegistryOwnerAllowlistedRequest{}).Once()
 
-	auth := NewRequestAuthorizer(lggr, mockSyncer)
-	sleepCalls := 0
-	auth.sleep = func(time.Duration) {
-		sleepCalls++
-	}
+	auth := NewAllowListBasedAuth(lggr, mockSyncer)
+	auth.retryCount = 2
+	auth.retryInterval = time.Second
 
-	isAuthorized, _, err := auth.AuthorizeRequest(ctx, req)
-	require.False(t, isAuthorized)
-	require.ErrorContains(t, err, "not allowlisted")
-	require.Zero(t, sleepCalls)
+	authResult, err := auth.AuthorizeRequest(ctx, req)
+	require.Nil(t, authResult)
+	require.ErrorIs(t, err, context.Canceled)
 }
 
 func makeListSecretsRequest(t *testing.T, id, namespace string) jsonrpc.Request[json.RawMessage] {