Skip to content

Pass JWT public key parameter to components#2789

Merged
aramprice merged 2 commits into
mainfrom
pass-jwt-params
Jul 17, 2026
Merged

Pass JWT public key parameter to components#2789
aramprice merged 2 commits into
mainfrom
pass-jwt-params

Conversation

@aramprice

@aramprice aramprice commented Jul 17, 2026

Copy link
Copy Markdown
Member

Depends on

@aramprice
aramprice requested a review from Copilot July 17, 2026 00:06
@coderabbitai

coderabbitai Bot commented Jul 17, 2026

Copy link
Copy Markdown

Review Change Stack

Walkthrough

Adds optional PEM-encoded UAA JWT signing public-key properties to Director, health monitor, and NATS configurations. Propagates the values through generated templates into authentication providers. Token decoders conditionally verify signatures when a key is configured, with tests covering default, configured-key, and invalid-signature behavior.

Suggested reviewers: ragaskar, selzoc

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (2 warnings)

Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. Write docstrings for the functions missing them to satisfy the coverage threshold.
Description check ⚠️ Warning The description only notes a dependency and omits the required template sections, implementation context, testing, release notes, and breaking-change details. Fill in all template sections with a change summary, context, test results, release-note text, breaking-change answer, team tags, and AI review feedback status.
✅ Passed checks (3 passed)
Check name Status Explanation
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title matches the main change: propagating a JWT public key parameter to multiple components.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch pass-jwt-params

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

mkocher
mkocher previously approved these changes Jul 17, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR propagates a configurable UAA JWT signing public key through BOSH job templates into the relevant Ruby components, enabling optional signature verification when decoding UAA access tokens (while preserving the existing non-verifying behavior by default).

Changes:

  • Add uaa_public_key/public_key config fields and pass them into UAA token helper classes.
  • Decode UAA tokens with { verify: false } by default, and with { pkey: <public key>, verify: true } when a public key is configured.
  • Extend unit/template specs to cover default passthrough and configured-key behavior.

Reviewed changes

Copilot reviewed 15 out of 15 changed files in this pull request and generated no comments.

Show a summary per file
File Description
src/bosh-nats-sync/lib/nats_sync/auth_provider.rb Pass uaa_public_key into UAAToken and enable optional signature verification during token decoding.
src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb Add coverage asserting decoding options differ based on presence of uaa_public_key.
src/bosh-monitor/lib/bosh/monitor/auth_provider.rb Pass uaa_public_key into UAAToken and enable optional signature verification during token decoding.
src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb Add coverage asserting decoding options differ based on presence of uaa_public_key.
src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb Thread public_key from config into UAAToken and conditionally verify JWT signatures when decoding.
src/bosh-director/spec/unit/bosh/director/config_server/uaa_auth_provider_spec.rb Add coverage asserting decoding options differ based on presence of public_key.
jobs/nats/templates/bosh_nats_sync_config.yml.erb Render nats.director_account.uaa_public_key into the nats-sync director config.
jobs/nats/spec Define new job property nats.director_account.uaa_public_key with default ''.
jobs/health_monitor/templates/health_monitor.yml.erb Render hm.director_account.uaa_public_key into the HM director config.
jobs/health_monitor/spec Define new job property hm.director_account.uaa_public_key with default ''.
jobs/director/templates/director.yml.erb Render director.config_server.uaa.public_key into the config_server UAA config.
jobs/director/spec Define new job property director.config_server.uaa.public_key with default ''.
spec/nats_templates_spec.rb Assert rendered nats-sync config includes uaa_public_key (default empty string).
spec/health_monitor_templates_spec.rb Assert rendered HM config includes uaa_public_key and passes through a configured PEM.
spec/director.yml.erb_spec.rb Assert rendered director config_server UAA config includes public_key and passes through a configured PEM.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 4

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
src/bosh-monitor/lib/bosh/monitor/auth_provider.rb (1)

84-94: 🩺 Stability & Availability | 🟠 Major | ⚡ Quick win

Avoid partial token state on decode failure.
In src/bosh-monitor/lib/bosh/monitor/auth_provider.rb and src/bosh-nats-sync/lib/nats_sync/auth_provider.rb, compute the new token and decoded payload in locals first, then assign both only after decode succeeds. The current order can leave @uaa_token set while @token_data is nil, so the next auth_header call can raise in expires_soon?.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/bosh-monitor/lib/bosh/monitor/auth_provider.rb` around lines 84 - 94,
Update fetch in src/bosh-monitor/lib/bosh/monitor/auth_provider.rb (lines 84-94)
and src/bosh-nats-sync/lib/nats_sync/auth_provider.rb (lines 84-94) to obtain
the token and decode its payload into local variables first, then assign
`@uaa_token` and `@token_data` only after decoding succeeds; preserve the existing
rescue behavior and ensure failed decoding cannot leave partial token state in
either file.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb`:
- Around line 21-23: In the surrounding class, remove the ineffective private
modifier before UAAToken, then add private_constant :UAAToken immediately after
the UAAToken class definition and before the enclosing class ends, preserving
the class implementation unchanged.

In `@src/bosh-monitor/lib/bosh/monitor/auth_provider.rb`:
- Around line 96-101: The decode_options method in
src/bosh-monitor/lib/bosh/monitor/auth_provider.rb (lines 96-101) must use a
whitespace-aware emptiness check for `@uaa_public_key`. Apply the same change in
src/bosh-nats-sync/lib/nats_sync/auth_provider.rb (lines 96-101), using
`@uaa_public_key.strip.empty`? so whitespace-only keys select verify: false while
valid keys retain signature verification.

In `@src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb`:
- Around line 176-177: Add a unit test for the token verification failure path
in the auth provider specs, exercising the relevant verification method and
asserting that the provider handles the error gracefully without partially
updating its state.

In `@src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb`:
- Around line 182-183: Add a test in the auth provider specs covering token
verification failure, asserting the provider handles the error gracefully and
leaves its existing state unchanged. Anchor the test to the token verification
behavior and use the existing provider setup and error-handling expectations.

---

Outside diff comments:
In `@src/bosh-monitor/lib/bosh/monitor/auth_provider.rb`:
- Around line 84-94: Update fetch in
src/bosh-monitor/lib/bosh/monitor/auth_provider.rb (lines 84-94) and
src/bosh-nats-sync/lib/nats_sync/auth_provider.rb (lines 84-94) to obtain the
token and decode its payload into local variables first, then assign `@uaa_token`
and `@token_data` only after decoding succeeds; preserve the existing rescue
behavior and ensure failed decoding cannot leave partial token state in either
file.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: d1975aad-036d-4674-ac3e-60ddcf47511f

📥 Commits

Reviewing files that changed from the base of the PR and between faff727 and 9d67a93.

📒 Files selected for processing (15)
  • jobs/director/spec
  • jobs/director/templates/director.yml.erb
  • jobs/health_monitor/spec
  • jobs/health_monitor/templates/health_monitor.yml.erb
  • jobs/nats/spec
  • jobs/nats/templates/bosh_nats_sync_config.yml.erb
  • spec/director.yml.erb_spec.rb
  • spec/health_monitor_templates_spec.rb
  • spec/nats_templates_spec.rb
  • src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb
  • src/bosh-director/spec/unit/bosh/director/config_server/uaa_auth_provider_spec.rb
  • src/bosh-monitor/lib/bosh/monitor/auth_provider.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb
  • src/bosh-nats-sync/lib/nats_sync/auth_provider.rb
  • src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb

Comment thread src/bosh-monitor/lib/bosh/monitor/auth_provider.rb
Comment thread src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb
Comment thread src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (2)
src/bosh-monitor/lib/bosh/monitor/auth_provider.rb (1)

96-101: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Use .strip.empty? to handle whitespace-only public keys safely.

If the configured @uaa_public_key contains only whitespace (e.g., due to trailing padding or multi-line misconfiguration), .empty? returns false. This causes the token coder to attempt signature verification with an invalid blank key.

  • src/bosh-monitor/lib/bosh/monitor/auth_provider.rb#L96-L101: Update the condition to use .strip.empty?.
  • src/bosh-nats-sync/lib/nats_sync/auth_provider.rb#L96-L101: Update the condition to use .strip.empty?.
🛡️ Proposed fix to handle whitespace
     def decode_options
-      if `@uaa_public_key.empty`?
+      if `@uaa_public_key.strip.empty`?
         { verify: false }
       else
         { pkey: `@uaa_public_key`, verify: true }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/bosh-monitor/lib/bosh/monitor/auth_provider.rb` around lines 96 - 101,
Update the decode_options method in
src/bosh-monitor/lib/bosh/monitor/auth_provider.rb at lines 96-101 to use a
stripped emptiness check for `@uaa_public_key`, preserving the existing
verification options. Apply the same change in
src/bosh-nats-sync/lib/nats_sync/auth_provider.rb at lines 96-101 so
whitespace-only keys disable verification in both auth providers.
src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb (1)

170-176: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low value

Test error handling during token verification.

Consider adding a test case to verify that the provider gracefully handles a token verification failure without partially updating its state.

  • src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb#L170-L176: Add a test context for signature verification failure asserting that auth_provider.auth_header returns nil.
  • src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb#L177-L183: Add the same test context for signature verification failure.
🧪 Proposed test case addition
         it 'decodes UAA tokens with signature verification using the configured public key' do
           expect(CF::UAA::TokenCoder).to receive(:decode)
             .with(anything, { pkey: uaa_public_key, verify: true })
             .and_return('exp' => Time.now.to_i + 3600)
           auth_provider.auth_header
         end
+
+        context 'when signature verification fails' do
+          it 'logs the error and avoids partial state updates' do
+            allow(CF::UAA::TokenCoder).to receive(:decode).and_raise(StandardError.new('invalid signature'))
+            expect(logger).to receive(:error).with(/Failed to obtain token from UAA/)
+            
+            expect(auth_provider.auth_header).to be_nil
+          end
+        end
       end
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb` around lines
170 - 176, Add signature-verification failure examples alongside the existing
TokenCoder decode tests in
src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb (lines 170-176)
and src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb (lines 177-183).
Stub CF::UAA::TokenCoder.decode to raise during verification, call
auth_provider.auth_header, and assert it returns nil without partially updating
provider state.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/bosh-monitor/lib/bosh/monitor/auth_provider.rb`:
- Around line 93-95: Update the error handler in fetch to reset both `@uaa_token`
and `@token_data` when token retrieval or verification fails, ensuring failed
authentication cannot expose the unverified token or leave nil token data. Apply
this change in src/bosh-monitor/lib/bosh/monitor/auth_provider.rb at lines 93-95
and src/bosh-nats-sync/lib/nats_sync/auth_provider.rb at lines 93-95; both sites
require the same direct fix.

---

Duplicate comments:
In `@src/bosh-monitor/lib/bosh/monitor/auth_provider.rb`:
- Around line 96-101: Update the decode_options method in
src/bosh-monitor/lib/bosh/monitor/auth_provider.rb at lines 96-101 to use a
stripped emptiness check for `@uaa_public_key`, preserving the existing
verification options. Apply the same change in
src/bosh-nats-sync/lib/nats_sync/auth_provider.rb at lines 96-101 so
whitespace-only keys disable verification in both auth providers.

In `@src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb`:
- Around line 170-176: Add signature-verification failure examples alongside the
existing TokenCoder decode tests in
src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb (lines 170-176)
and src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb (lines 177-183).
Stub CF::UAA::TokenCoder.decode to raise during verification, call
auth_provider.auth_header, and assert it returns nil without partially updating
provider state.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 1e21adeb-f509-41f6-bb5d-0c9f5d23ccd0

📥 Commits

Reviewing files that changed from the base of the PR and between 9d67a93 and 24666be.

📒 Files selected for processing (15)
  • jobs/director/spec
  • jobs/director/templates/director.yml.erb
  • jobs/health_monitor/spec
  • jobs/health_monitor/templates/health_monitor.yml.erb
  • jobs/nats/spec
  • jobs/nats/templates/bosh_nats_sync_config.yml.erb
  • spec/director.yml.erb_spec.rb
  • spec/health_monitor_templates_spec.rb
  • spec/nats_templates_spec.rb
  • src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb
  • src/bosh-director/spec/unit/bosh/director/config_server/uaa_auth_provider_spec.rb
  • src/bosh-monitor/lib/bosh/monitor/auth_provider.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb
  • src/bosh-nats-sync/lib/nats_sync/auth_provider.rb
  • src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb

Comment thread src/bosh-monitor/lib/bosh/monitor/auth_provider.rb
coderabbitai[bot]
coderabbitai Bot previously requested changes Jul 17, 2026

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb`:
- Around line 86-92: Update decode_options to use `@public_key.strip.empty`? when
determining whether verification should be disabled, so whitespace-only keys
follow the empty-key branch while valid keys retain the existing pkey and
verification behavior.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f535df39-4e69-4611-b06b-f893eadf94ee

📥 Commits

Reviewing files that changed from the base of the PR and between 24666be and 654de81.

📒 Files selected for processing (15)
  • jobs/director/spec
  • jobs/director/templates/director.yml.erb
  • jobs/health_monitor/spec
  • jobs/health_monitor/templates/health_monitor.yml.erb
  • jobs/nats/spec
  • jobs/nats/templates/bosh_nats_sync_config.yml.erb
  • spec/director.yml.erb_spec.rb
  • spec/health_monitor_templates_spec.rb
  • spec/nats_templates_spec.rb
  • src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb
  • src/bosh-director/spec/unit/bosh/director/config_server/uaa_auth_provider_spec.rb
  • src/bosh-monitor/lib/bosh/monitor/auth_provider.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb
  • src/bosh-nats-sync/lib/nats_sync/auth_provider.rb
  • src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 4 comments.

Comment thread src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb Outdated
Comment thread src/bosh-nats-sync/spec/support/uaa_helpers.rb Outdated
Comment thread src/bosh-monitor/spec/support/uaa_helpers.rb Outdated
Comment thread src/bosh-director/spec/support/uaa_helpers.rb Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (2)
src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb (2)

66-84: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Prevent partial state update on token verification failure.

To achieve parity with the identical fixes correctly applied in bosh-monitor and bosh-nats-sync, avoid assigning the fetched token to @uaa_token until it has been successfully verified.

If decode throws an exception (e.g., due to an invalid signature), the current implementation leaves @uaa_token populated with the unverified token. If a consumer catches the resulting UAAAuthorizationError and re-invokes auth_header on the same instance, it will return the unverified token and bypass signature verification.

🛡️ Proposed fix
     def fetch
-      `@uaa_token` = retryable.retryer do
+      token = retryable.retryer do
         `@uaa_token_issuer.client_credentials_grant`
       end
-      `@token_data` = decode
+      `@token_data` = decode_token(token)
+      `@uaa_token` = token
     rescue CF::UAA::SSLException => e
       error_message = "Failed to obtain valid token from UAA: Invalid SSL Cert for '#{`@uaa_url`}'"
       `@logger.error`("#{error_message}. Error thrown: #{e.inspect}")
       raise Bosh::Director::UAAAuthorizationError, error_message
     rescue Exception => e
       error_message = "Failed to obtain valid token from UAA: #{e.inspect}"
       `@logger.error`(error_message)
       raise Bosh::Director::UAAAuthorizationError, error_message
     end
 
-    def decode
-      access_token = `@uaa_token.info`['access_token'] || `@uaa_token.info`[:access_token]
+    def decode_token(token)
+      access_token = token.info['access_token'] || token.info[:access_token]
       CF::UAA::TokenCoder.decode(access_token, decode_options)
     end
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb`
around lines 66 - 84, Update fetch so the token returned by
client_credentials_grant is held in a local variable, verified via decode before
assigning it to the instance variable `@uaa_token`. Ensure decode operates on the
fetched token during verification, and leave `@uaa_token` unchanged when
verification raises an exception, preventing auth_header from returning an
unverified token.

66-84: 🎯 Functional Correctness | 🟡 Minor | ⚡ Quick win

Prevent partial state update on token verification failure.

To achieve parity with the identical fixes correctly applied in bosh-monitor and bosh-nats-sync, avoid assigning the fetched token to @uaa_token until it has been successfully verified.

If decode throws an exception (e.g., due to an invalid signature), the current implementation leaves @uaa_token populated with the unverified token. If a consumer catches the resulting UAAAuthorizationError and re-invokes auth_header on the same instance, it will return the unverified token and bypass signature verification.

🛡️ Proposed fix
     def fetch
-      `@uaa_token` = retryable.retryer do
+      token = retryable.retryer do
         `@uaa_token_issuer.client_credentials_grant`
       end
-      `@token_data` = decode
+      `@token_data` = decode_token(token)
+      `@uaa_token` = token
     rescue CF::UAA::SSLException => e
       error_message = "Failed to obtain valid token from UAA: Invalid SSL Cert for '#{`@uaa_url`}'"
       `@logger.error`("#{error_message}. Error thrown: #{e.inspect}")
       raise Bosh::Director::UAAAuthorizationError, error_message
     rescue Exception => e
       error_message = "Failed to obtain valid token from UAA: #{e.inspect}"
       `@logger.error`(error_message)
       raise Bosh::Director::UAAAuthorizationError, error_message
     end
 
-    def decode
-      access_token = `@uaa_token.info`['access_token'] || `@uaa_token.info`[:access_token]
+    def decode_token(token)
+      access_token = token.info['access_token'] || token.info[:access_token]
       CF::UAA::TokenCoder.decode(access_token, decode_options)
     end
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb`
around lines 66 - 84, Update fetch so the client-credentials result is held in a
temporary local variable, verified by decode using that candidate token, and
assigned to `@uaa_token` only after verification succeeds. Preserve the existing
rescue behavior and ensure subsequent auth_header calls cannot use an unverified
token after decode raises.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb`:
- Around line 66-84: Update fetch so the token returned by
client_credentials_grant is held in a local variable, verified via decode before
assigning it to the instance variable `@uaa_token`. Ensure decode operates on the
fetched token during verification, and leave `@uaa_token` unchanged when
verification raises an exception, preventing auth_header from returning an
unverified token.
- Around line 66-84: Update fetch so the client-credentials result is held in a
temporary local variable, verified by decode using that candidate token, and
assigned to `@uaa_token` only after verification succeeds. Preserve the existing
rescue behavior and ensure subsequent auth_header calls cannot use an unverified
token after decode raises.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: b4a5b09b-0c0b-4273-b4a4-653317bd1615

📥 Commits

Reviewing files that changed from the base of the PR and between 654de81 and 446f16d.

📒 Files selected for processing (21)
  • jobs/director/spec
  • jobs/director/templates/director.yml.erb
  • jobs/health_monitor/spec
  • jobs/health_monitor/templates/health_monitor.yml.erb
  • jobs/nats/spec
  • jobs/nats/templates/bosh_nats_sync_config.yml.erb
  • spec/director.yml.erb_spec.rb
  • spec/health_monitor_templates_spec.rb
  • spec/nats_templates_spec.rb
  • src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb
  • src/bosh-director/spec/support/uaa_helpers.rb
  • src/bosh-director/spec/unit/bosh/director/config_server/uaa_auth_provider_spec.rb
  • src/bosh-monitor/lib/bosh/monitor/auth_provider.rb
  • src/bosh-monitor/spec/support/uaa_helpers.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/director_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/plugins/event_logger_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/plugins/resurrector_spec.rb
  • src/bosh-nats-sync/lib/nats_sync/auth_provider.rb
  • src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb
  • src/bosh-nats-sync/spec/support/uaa_helpers.rb

@aramprice
aramprice force-pushed the pass-jwt-params branch 2 times, most recently from 570986f to e25f7aa Compare July 17, 2026 01:30
@aramprice
aramprice requested a review from Copilot July 17, 2026 01:30

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 3 comments.

Comment thread src/bosh-nats-sync/spec/support/uaa_helpers.rb Outdated
Comment thread src/bosh-monitor/spec/support/uaa_helpers.rb Outdated
Comment thread src/bosh-director/spec/support/uaa_helpers.rb Outdated

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
spec/nats_templates_spec.rb (1)

18-44: 🗄️ Data Integrity & Integration | 🟡 Minor | ⚡ Quick win

Add coverage for a configured multiline PEM key.

This only verifies the empty default. Add a non-empty PEM case to ensure the NATS template preserves YAML quoting and newlines before the value reaches signature verification.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@spec/nats_templates_spec.rb` around lines 18 - 44, Extend the existing nats
template spec’s input configuration and expected_content coverage with a
non-empty multiline PEM value for uaa_public_key. Assert that the rendered YAML
preserves the required quoting and newline structure, while retaining the
existing empty-key case.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Outside diff comments:
In `@spec/nats_templates_spec.rb`:
- Around line 18-44: Extend the existing nats template spec’s input
configuration and expected_content coverage with a non-empty multiline PEM value
for uaa_public_key. Assert that the rendered YAML preserves the required quoting
and newline structure, while retaining the existing empty-key case.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 3e92d2e2-4fea-47f1-97f2-220109aaac11

📥 Commits

Reviewing files that changed from the base of the PR and between 446f16d and e25f7aa.

📒 Files selected for processing (21)
  • jobs/director/spec
  • jobs/director/templates/director.yml.erb
  • jobs/health_monitor/spec
  • jobs/health_monitor/templates/health_monitor.yml.erb
  • jobs/nats/spec
  • jobs/nats/templates/bosh_nats_sync_config.yml.erb
  • spec/director.yml.erb_spec.rb
  • spec/health_monitor_templates_spec.rb
  • spec/nats_templates_spec.rb
  • src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb
  • src/bosh-director/spec/support/uaa_helpers.rb
  • src/bosh-director/spec/unit/bosh/director/config_server/uaa_auth_provider_spec.rb
  • src/bosh-monitor/lib/bosh/monitor/auth_provider.rb
  • src/bosh-monitor/spec/support/uaa_helpers.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/director_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/plugins/event_logger_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/plugins/resurrector_spec.rb
  • src/bosh-nats-sync/lib/nats_sync/auth_provider.rb
  • src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb
  • src/bosh-nats-sync/spec/support/uaa_helpers.rb

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@src/bosh-director/spec/support/uaa_helpers.rb`:
- Around line 5-7: Update the uaa_token_key helper in both
src/bosh-director/spec/support/uaa_helpers.rb (lines 5-7) and
src/bosh-monitor/spec/support/uaa_helpers.rb (lines 5-7) to memoize the
generated RSA key using module-level state rather than the per-example
`@uaa_token_key` instance variable, preserving the existing 2048-bit key
generation and return behavior.

In `@src/bosh-monitor/lib/bosh/monitor/auth_provider.rb`:
- Around line 85-90: Update the token-refresh rescue in AuthProvider to clear
both `@uaa_token` and `@token_data` before logging the failure, preventing reuse of
the previous token. Apply this change in
src/bosh-monitor/lib/bosh/monitor/auth_provider.rb (lines 85-90) and
src/bosh-nats-sync/lib/nats_sync/auth_provider.rb (lines 85-90), and add
regression coverage confirming a refresh failure after successful initialization
leaves both token fields cleared.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: e93a28db-d6b2-48da-9e05-06cf94aac1c6

📥 Commits

Reviewing files that changed from the base of the PR and between 446f16d and 7dc9c3e.

📒 Files selected for processing (21)
  • jobs/director/spec
  • jobs/director/templates/director.yml.erb
  • jobs/health_monitor/spec
  • jobs/health_monitor/templates/health_monitor.yml.erb
  • jobs/nats/spec
  • jobs/nats/templates/bosh_nats_sync_config.yml.erb
  • spec/director.yml.erb_spec.rb
  • spec/health_monitor_templates_spec.rb
  • spec/nats_templates_spec.rb
  • src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb
  • src/bosh-director/spec/support/uaa_helpers.rb
  • src/bosh-director/spec/unit/bosh/director/config_server/uaa_auth_provider_spec.rb
  • src/bosh-monitor/lib/bosh/monitor/auth_provider.rb
  • src/bosh-monitor/spec/support/uaa_helpers.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/director_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/plugins/event_logger_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/plugins/resurrector_spec.rb
  • src/bosh-nats-sync/lib/nats_sync/auth_provider.rb
  • src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb
  • src/bosh-nats-sync/spec/support/uaa_helpers.rb

Comment thread src/bosh-director/spec/support/uaa_helpers.rb
Comment thread src/bosh-monitor/lib/bosh/monitor/auth_provider.rb Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 5 comments.

Comment thread src/bosh-nats-sync/lib/nats_sync/auth_provider.rb Outdated
Comment thread src/bosh-monitor/lib/bosh/monitor/auth_provider.rb Outdated
Comment thread src/bosh-nats-sync/spec/support/uaa_helpers.rb
Comment thread src/bosh-monitor/spec/support/uaa_helpers.rb
Comment thread src/bosh-director/spec/support/uaa_helpers.rb
@aramprice
aramprice force-pushed the pass-jwt-params branch 2 times, most recently from 98bc0ee to d5e8a27 Compare July 17, 2026 02:43
@aramprice
aramprice requested a review from Copilot July 17, 2026 02:45

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
src/bosh-director/spec/support/uaa_helpers.rb (1)

5-12: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Memoize the RSA key at the module level to improve test performance.

The addition of module_function :uaa_token_key does not prevent the instance variable @uaa_token_key from being re-initialized for every test. When Support::UaaHelpers is included into RSpec examples, the method still executes in the context of the test instance, meaning a new 2048-bit RSA key is generated per test block, keeping the test suite slow.

To genuinely cache the key across tests, store it on the module itself and delegate to it.

  • src/bosh-director/spec/support/uaa_helpers.rb#L5-L12: Update uaa_token_key and uaa_token_public_key to delegate to a module-level method.
  • src/bosh-monitor/spec/support/uaa_helpers.rb#L5-L12: Update uaa_token_key and uaa_token_public_key to delegate to a module-level method.
  • src/bosh-nats-sync/spec/support/uaa_helpers.rb#L5-L12: Update uaa_token_key and uaa_token_public_key to delegate to a module-level method.
♻️ Proposed refactor (apply to all 3 files)
-    def uaa_token_key
-      `@uaa_token_key` ||= OpenSSL::PKey::RSA.generate(2048)
-    end
-    module_function :uaa_token_key
-
-    def uaa_token_public_key
-      `@uaa_token_public_key` ||= uaa_token_key.public_key.to_pem
+    def self.uaa_token_key
+      `@uaa_token_key` ||= OpenSSL::PKey::RSA.generate(2048)
     end
+
+    def uaa_token_key
+      Support::UaaHelpers.uaa_token_key
+    end
+
+    def self.uaa_token_public_key
+      `@uaa_token_public_key` ||= uaa_token_key.public_key.to_pem
+    end
+
+    def uaa_token_public_key
+      Support::UaaHelpers.uaa_token_public_key
+    end
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/bosh-director/spec/support/uaa_helpers.rb` around lines 5 - 12, Memoize
the RSA key on the helper module rather than each included RSpec example
instance. In src/bosh-director/spec/support/uaa_helpers.rb lines 5-12,
src/bosh-monitor/spec/support/uaa_helpers.rb lines 5-12, and
src/bosh-nats-sync/spec/support/uaa_helpers.rb lines 5-12, update uaa_token_key
and uaa_token_public_key to delegate to module-level methods while preserving
their existing public helper behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@src/bosh-director/spec/support/uaa_helpers.rb`:
- Around line 5-12: Memoize the RSA key on the helper module rather than each
included RSpec example instance. In
src/bosh-director/spec/support/uaa_helpers.rb lines 5-12,
src/bosh-monitor/spec/support/uaa_helpers.rb lines 5-12, and
src/bosh-nats-sync/spec/support/uaa_helpers.rb lines 5-12, update uaa_token_key
and uaa_token_public_key to delegate to module-level methods while preserving
their existing public helper behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: f32979f5-59a9-4e0d-87cc-e4acb8e769e8

📥 Commits

Reviewing files that changed from the base of the PR and between 98bc0ee and d5e8a27.

📒 Files selected for processing (9)
  • src/bosh-director/spec/support/uaa_helpers.rb
  • src/bosh-director/spec/unit/bosh/director/config_server/uaa_auth_provider_spec.rb
  • src/bosh-monitor/spec/support/uaa_helpers.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/director_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/plugins/event_logger_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/plugins/resurrector_spec.rb
  • src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb
  • src/bosh-nats-sync/spec/support/uaa_helpers.rb

coderabbitai[bot]
coderabbitai Bot previously approved these changes Jul 17, 2026
@github-project-automation github-project-automation Bot moved this from Waiting for Changes | Open for Contribution to Pending Merge | Prioritized in Foundational Infrastructure Working Group Jul 17, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 1 comment.

Comment thread spec/nats_templates_spec.rb Outdated
Previously specs used HMAC token signing / validation which is not used
in production. This commit updates the uaa helper code to use RSA based
"pkey" token signing / validation.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated no new comments.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

♻️ Duplicate comments (1)
src/bosh-director/spec/support/uaa_helpers.rb (1)

1-13: 🚀 Performance & Scalability | 🔵 Trivial | ⚡ Quick win

Correct the module-level memoization to ensure tests reuse the RSA key.

Using module_function copies the instance method to the module's singleton class but leaves the instance method intact. Because test examples include Support::UaaHelpers, they call the instance method, assigning the @uaa_token_key instance variable to the test's self rather than the module. This causes the slow 2048-bit RSA key generation to still run once per test example.

  • src/bosh-director/spec/support/uaa_helpers.rb#L1-L13: Replace module_function with module-level methods for proper memoization.
  • src/bosh-monitor/spec/support/uaa_helpers.rb#L1-L13: Apply the same memoization fix.
♻️ Proposed refactor
   module UaaHelpers
+    def self.uaa_token_key
+      `@uaa_token_key` ||= OpenSSL::PKey::RSA.generate(2048)
+    end
+
     def uaa_token_key
-      `@uaa_token_key` ||= OpenSSL::PKey::RSA.generate(2048)
+      Support::UaaHelpers.uaa_token_key
     end
-    module_function :uaa_token_key
 
+    def self.uaa_token_public_key
+      `@uaa_token_public_key` ||= uaa_token_key.public_key.to_pem
+    end
+
     def uaa_token_public_key
-      `@uaa_token_public_key` ||= uaa_token_key.public_key.to_pem
+      Support::UaaHelpers.uaa_token_public_key
     end
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@src/bosh-director/spec/support/uaa_helpers.rb` around lines 1 - 13, Replace
module_function-based definitions in Support::UaaHelpers with module-level
singleton methods so `@uaa_token_key` and `@uaa_token_public_key` are memoized on
the module and reused across included test examples. Apply the same change to
src/bosh-director/spec/support/uaa_helpers.rb lines 1-13 and
src/bosh-monitor/spec/support/uaa_helpers.rb lines 1-13; preserve the existing
uaa_token_key and uaa_token_public_key behavior.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Duplicate comments:
In `@src/bosh-director/spec/support/uaa_helpers.rb`:
- Around line 1-13: Replace module_function-based definitions in
Support::UaaHelpers with module-level singleton methods so `@uaa_token_key` and
`@uaa_token_public_key` are memoized on the module and reused across included test
examples. Apply the same change to src/bosh-director/spec/support/uaa_helpers.rb
lines 1-13 and src/bosh-monitor/spec/support/uaa_helpers.rb lines 1-13; preserve
the existing uaa_token_key and uaa_token_public_key behavior.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 32e08c4f-660b-4563-a5b9-7b429ee75763

📥 Commits

Reviewing files that changed from the base of the PR and between d5e8a27 and 2e9a4fa.

📒 Files selected for processing (21)
  • jobs/director/spec
  • jobs/director/templates/director.yml.erb
  • jobs/health_monitor/spec
  • jobs/health_monitor/templates/health_monitor.yml.erb
  • jobs/nats/spec
  • jobs/nats/templates/bosh_nats_sync_config.yml.erb
  • spec/director.yml.erb_spec.rb
  • spec/health_monitor_templates_spec.rb
  • spec/nats_templates_spec.rb
  • src/bosh-director/lib/bosh/director/config_server/uaa_auth_provider.rb
  • src/bosh-director/spec/support/uaa_helpers.rb
  • src/bosh-director/spec/unit/bosh/director/config_server/uaa_auth_provider_spec.rb
  • src/bosh-monitor/lib/bosh/monitor/auth_provider.rb
  • src/bosh-monitor/spec/support/uaa_helpers.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/auth_provider_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/director_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/plugins/event_logger_spec.rb
  • src/bosh-monitor/spec/unit/bosh/monitor/plugins/resurrector_spec.rb
  • src/bosh-nats-sync/lib/nats_sync/auth_provider.rb
  • src/bosh-nats-sync/spec/nats_sync/auth_provider_spec.rb
  • src/bosh-nats-sync/spec/support/uaa_helpers.rb

@aramprice
aramprice requested a review from mkocher July 17, 2026 04:28
@aramprice
aramprice merged commit dcb2568 into main Jul 17, 2026
23 checks passed
@aramprice
aramprice deleted the pass-jwt-params branch July 17, 2026 18:21
@github-project-automation github-project-automation Bot moved this from Pending Merge | Prioritized to Done in Foundational Infrastructure Working Group Jul 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

Development

Successfully merging this pull request may close these issues.

3 participants