
vault: add generic authorizer with jwt auth support#21836

Closed
prashantkumar1982 wants to merge 1 commit intodevelopfrom
codex/vault-gwt-auth-authorizer-clean

Conversation


@prashantkumar1982 prashantkumar1982 commented Apr 2, 2026

Summary

  • add a generic vault authorizer that selects between AllowListBasedAuth and JWTBasedAuth
  • wire the authorizer through both gateway handler layers while keeping JWT auth disabled behind VaultJWTAuthEnabled
  • add request replay protection, JWT validation, background JWKS refresh, and the related unit tests

Notes


github-actions bot commented Apr 2, 2026

I see you updated files related to core. Please run make gocs in the root directory to add a changeset, and include at least one of the following tags in the text:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.


github-actions bot commented Apr 2, 2026

✅ No conflicts with other open PRs targeting develop

@prashantkumar1982 prashantkumar1982 marked this pull request as draft April 2, 2026 16:56

chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 45f2fc131c


// NewHandler creates the gateway-side Vault handler with internal auth wiring.
func NewHandler(methodConfig json.RawMessage, donConfig *config.DONConfig, don gwhandlers.DON, capabilitiesRegistry capabilitiesRegistry, workflowRegistrySyncer workflowsyncerv2.WorkflowRegistrySyncer, lggr logger.Logger, clock clockwork.Clock, limitsFactory limits.Factory) (*handler, error) {
allowListBasedAuth := vaultcap.NewAllowListBasedAuth(lggr, workflowRegistrySyncer)
jwtBasedAuth, err := vaultcap.NewJWTBasedAuth(vaultcap.JWTBasedAuthConfig{}, limitsFactory, lggr, vaultcap.WithDisabledJWTBasedAuth())

P1: Remove unconditional WithDisabledJWTBasedAuth wiring

NewHandler constructs JWT auth with WithDisabledJWTBasedAuth(), which hard-sets the gate limiter to false (see jwt_based_auth.go) instead of honoring VaultJWTAuthEnabled. As a result, requests that include req.Auth are always rejected as disabled, so enabling the setting cannot actually turn on JWT auth in this runtime path; the same hard-disable pattern is also present in core/capabilities/vault/gw_handler.go. Runtime wiring should use the normal JWT constructor (with real issuer/audience config) and reserve WithDisabledJWTBasedAuth for tests only.



@prashantkumar1982 prashantkumar1982 deleted the codex/vault-gwt-auth-authorizer-clean branch April 2, 2026 21:13