fix: authbridge resolver reads auth context from manager's stackInfo, not caller's#2379

Merged
aknysh merged 2 commits into cloudposse:main from MrZablah:fix/store-auth-context-propagation
May 1, 2026

Conversation

@MrZablah
Contributor

@MrZablah MrZablah commented Apr 30, 2026

what

  • Fix !store.get failing with "AWS auth context not available" when a store backend is configured with an identity: field
  • authbridge.Resolver now reads the post-authentication AWS/Azure/GCP context from the auth manager's own internal stackInfo (via GetStackInfo())
    instead of the caller's stackInfo
  • Add regression test TestResolveAWSAuthContext_PointerMismatch that directly reproduces the pointer mismatch scenario

why

  • pkg/auth.createAuthManagerInstance allocates its own *schema.ConfigAndStacksInfo for the auth manager — a different pointer than the info passed by
    the terraform executor to authbridge.NewResolver
  • After AuthManager.Authenticate() succeeds, PostAuthenticate writes credential file paths and profile info into the manager's own
    stackInfo.AuthContext.AWS, never the caller's info
  • The resolver was checking r.stackInfo.AuthContext.AWS (the caller's pointer, always nil) instead of r.authManager.GetStackInfo().AuthContext.AWS (the
    manager's pointer, populated by auth)
  • Result: every !store.get call with an identity: configured would succeed at authentication but then immediately fail with "AWS auth context not
    available"

references

Summary by CodeRabbit

  • Bug Fixes: Fixed auth context resolution so cloud-specific authentication is sourced from the auth manager rather than resolver-held data.
  • Chores: Pinned Go toolchain to 1.26.2.
  • Tests: Updated resolver tests to model manager-owned stack info separately and added a regression test for pointer-mismatch behavior.
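The pointer mismatch described in the PR body, as an added Go example that is not code from the atmos repository: the type and method names mirror the ones named above but are hypothetical minimal stand-ins, with `ResolveAWSBuggy` as the pre-fix resolver beside the fixed `ResolveAWSAuthContext`.

```go
package main

import "errors"

// Hypothetical stand-ins for atmos' schema types (names mirror the PR; the real structs carry more fields).
type AWSAuthContext struct{ CredentialsFile, ConfigFile, Profile, Region string }
type AuthContext struct{ AWS *AWSAuthContext }
type ConfigAndStacksInfo struct{ AuthContext *AuthContext }

// AWSAuthConfig is the store-side config the resolver returns (hypothetical shape).
type AWSAuthConfig struct{ CredentialsFile, ConfigFile, Profile, Region string }

var ErrAuthContextNotAvailable = errors.New("AWS auth context not available")

// AuthManager owns its own ConfigAndStacksInfo, allocated independently of
// the caller's pointer, as the PR says createAuthManagerInstance does.
type AuthManager struct{ stackInfo *ConfigAndStacksInfo }

// Authenticate stands in for PostAuthenticate: the post-auth AWS context is
// written into the manager-owned stackInfo only, never the caller's.
func (m *AuthManager) Authenticate() {
	m.stackInfo.AuthContext = &AuthContext{AWS: &AWSAuthContext{
		CredentialsFile: "/tmp/aws-creds", ConfigFile: "/tmp/aws-config",
		Profile: "dev-admin", Region: "us-west-2"}}
}

func (m *AuthManager) GetStackInfo() *ConfigAndStacksInfo { return m.stackInfo }

// Resolver keeps the caller's (terraform executor's) pointer in stackInfo;
// the auth manager holds a different one.
type Resolver struct {
	stackInfo   *ConfigAndStacksInfo
	authManager *AuthManager
}

// ResolveAWSBuggy is the pre-fix logic: it inspects the caller's pointer,
// which Authenticate never touched, so it reports the context as missing.
func (r *Resolver) ResolveAWSBuggy() (*AWSAuthConfig, error) {
	r.authManager.Authenticate()
	return awsConfigFrom(r.stackInfo)
}

// ResolveAWSAuthContext is the fixed logic: read the manager-owned stackInfo.
func (r *Resolver) ResolveAWSAuthContext() (*AWSAuthConfig, error) {
	r.authManager.Authenticate()
	return awsConfigFrom(r.authManager.GetStackInfo())
}

// awsConfigFrom nil-checks every level before copying the fields out.
func awsConfigFrom(info *ConfigAndStacksInfo) (*AWSAuthConfig, error) {
	if info == nil || info.AuthContext == nil || info.AuthContext.AWS == nil {
		return nil, ErrAuthContextNotAvailable
	}
	a := info.AuthContext.AWS
	return &AWSAuthConfig{a.CredentialsFile, a.ConfigFile, a.Profile, a.Region}, nil
}
```

Seeding the caller-owned struct with conflicting values, as the review below suggests, shows the buggy path returning the caller's data while the fixed path returns the manager's.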

@MrZablah MrZablah requested a review from a team as a code owner April 30, 2026 13:38
@atmos-pro
Contributor

atmos-pro Bot commented Apr 30, 2026

Tip

Atmos Pro

No affected stacks workflow was detected for this pull request.
If this is expected, no action is needed.

@github-actions github-actions Bot added the size/m Medium size PR label Apr 30, 2026
@coderabbitai
Contributor

coderabbitai Bot commented Apr 30, 2026

Walkthrough

Adds a Go version pin and changes the auth bridge resolver to read post-auth AuthContext from the auth manager’s GetStackInfo() (manager-owned ConfigAndStacksInfo) instead of the resolver’s own stackInfo. Tests updated and a regression test added to validate pointer separation.

Changes

Cohort / File(s): Summary
  • Go Version Constraint (.go-version): Adds .go-version pinning the Go toolchain to 1.26.2.
  • Devcontainer Build (.devcontainer/Dockerfile): Updates devcontainer builder base image Go version from 1.26.0 to 1.26.2.
  • Auth Bridge Resolver (pkg/store/authbridge/resolver.go): Resolver now calls r.authManager.GetStackInfo() and sources cloud-specific AuthContext from that manager-owned ConfigAndStacksInfo; added nil-checks and returns the same cloud-specific store.*AuthConfig fields from manager stack info.
  • Resolver Tests (pkg/store/authbridge/resolver_test.go): Tests refactored to mock GetStackInfo() on the manager; added TestResolveAWSAuthContext_PointerMismatch to assert the resolver uses manager-provided stack info and updated nil-case expectations.

Sequence Diagram(s)

sequenceDiagram
    participant Client
    participant Resolver
    participant AuthManager
    participant Store

    Client->>Resolver: Request auth config (AWS/Azure/GCP)
    Resolver->>AuthManager: GetStackInfo()
    AuthManager-->>Resolver: managerStackInfo (ConfigAndStacksInfo with AuthContext)
    Resolver->>Resolver: nil-check managerStackInfo and cloud AuthContext
    Resolver-->>Store: return cloud-specific store.*AuthConfig extracted from managerStackInfo

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Suggested labels

patch

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)
  • Docstring Coverage ⚠️ Warning: Docstring coverage is 8.33% which is insufficient. The required threshold is 80.00%. Resolution: Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)
  • Description Check ✅ Passed: Check skipped - CodeRabbit’s high-level summary is enabled.
  • Title check ✅ Passed: The title clearly and concisely describes the main fix: authbridge resolver now reads auth context from the manager's stackInfo instead of the caller's, which directly addresses the root cause of the auth context availability failure.
  • Linked Issues check ✅ Passed: Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check ✅ Passed: Check skipped because no linked issues were found for this pull request.


Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 Trivy (0.69.3)

Trivy execution failed: panic: runtime error: invalid memory address or nil pointer dereference

Warning

Review ran into problems

🔥 Problems

Timed out fetching pipeline failures after 30000ms



Contributor

@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
.go-version (1)

1-1: ⚡ Quick win

Align Docker/devcontainer Go images with the pinned toolchain (1.26.2).

.go-version pins Go 1.26.2, and go.mod appears to match. However, the repo context shows .devcontainer/Dockerfile is currently using golang:1.26.0, which can lead to dev/CI drift (and confusing “works on my machine” failures). Please update any Docker/devcontainer/toolchain image tags that still reference 1.26.0 to 1.26.2 to keep environments consistent.

Verify in the PR branch (or subsequent PR) that all Go toolchain pins (e.g., .devcontainer/Dockerfile, any builder stages, and CI images) are aligned to 1.26.2 and not 1.26.0 by searching for 1.26.0 / golang:1.26 in the repository.

Inline comments:
In `@pkg/store/authbridge/resolver_test.go`:
- Around line 131-133: Test hardcodes Unix-style paths for CredentialsFile and
ConfigFile; update the test in resolver_test.go to build expected path values
using filepath.Join instead of literal "/tmp/aws-creds" and "/tmp/aws-config"
(and the other occurrences around lines 152-153). Import "path/filepath" in the
test, replace the hardcoded strings assigned to CredentialsFile and ConfigFile
and any corresponding assertions with filepath.Join(...) calls so the test is
portable across platforms.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: bfdb3e35-e84d-4c22-99ab-693c00050f11

📥 Commits

Reviewing files that changed from the base of the PR and between 8965bc6 and ede157d.

📒 Files selected for processing (3)
  • .go-version
  • pkg/store/authbridge/resolver.go
  • pkg/store/authbridge/resolver_test.go

Comment thread pkg/store/authbridge/resolver_test.go Outdated
@mergify

mergify Bot commented Apr 30, 2026

Important

Cloud Posse Engineering Team Review Required

This pull request modifies files that require Cloud Posse's review. Please be patient, and a core maintainer will review your changes.

To expedite this process, reach out to us on Slack in the #pr-reviews channel.

@mergify mergify Bot added the needs-cloudposse Needs Cloud Posse assistance label Apr 30, 2026
Contributor

@coderabbitai coderabbitai Bot left a comment


🧹 Nitpick comments (1)
pkg/store/authbridge/resolver_test.go (1)

122-125: ⚡ Quick win

Strengthen pointer-mismatch regression with conflicting caller context.

resolverStackInfo is empty today; seeding it with conflicting AWS values would better prove resolver output always comes from manager-owned stack info, not caller-owned stack info.

Suggested hardening for the regression test.
- resolverStackInfo := &schema.ConfigAndStacksInfo{}
+ resolverStackInfo := &schema.ConfigAndStacksInfo{
+   AuthContext: &schema.AuthContext{
+     AWS: &schema.AWSAuthContext{
+       CredentialsFile: filepath.Join("tmp", "caller-creds"),
+       ConfigFile:      filepath.Join("tmp", "caller-config"),
+       Profile:         "caller-profile",
+       Region:          "us-east-2",
+     },
+   },
+ }
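Review bot: the seeded values use filepath.Join, so this hunk only compiles if resolver_test.go already imports "path/filepath" (the earlier inline comment on lines 131-133 asked for that import; confirm it landed). Note also that filepath.Join("tmp", "caller-creds") yields a relative path, which is fine for a conflicting dummy value but differs in kind from the absolute credential paths the manager fixture uses, so a future reader should not mistake it for a real file location.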

@@
  assert.Equal(t, expectedCredsFile, authConfig.CredentialsFile)
+ assert.Equal(t, expectedConfigFile, authConfig.ConfigFile)
  assert.Equal(t, "dev-admin", authConfig.Profile)
+ assert.Equal(t, "us-west-2", authConfig.Region)

- // Confirm the resolver's own stackInfo was never populated (proving the fix reads from the manager).
- assert.Nil(t, resolverStackInfo.AuthContext)
+ // Confirm caller-owned stackInfo was not used/mutated.
+ assert.Equal(t, "caller-profile", resolverStackInfo.AuthContext.AWS.Profile)
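Review bot: the two added assertions, `assert.Equal(t, expectedConfigFile, authConfig.ConfigFile)` and `assert.Equal(t, "us-west-2", authConfig.Region)`, depend on the manager-owned fixture defining expectedConfigFile and setting Region to "us-west-2", neither of which is visible in this hunk; make sure the managerStackInfo fixture sets both, otherwise the strengthened test fails for reasons unrelated to the pointer mismatch. Swapping `assert.Nil(t, resolverStackInfo.AuthContext)` for the Profile equality check is the right direction, since it proves the caller-owned struct was neither read (Region "us-west-2" vs the seeded "us-east-2") nor mutated.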

Based on learnings: "Applies to **/*_test.go : For aliasing/isolation tests, verify BOTH directions: after a merge, mutate the result and confirm the original inputs are unchanged (result→src isolation); also mutate a source map before the merge and confirm the result is unaffected (src→result isolation)".

Also applies to: 152-160

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@pkg/store/authbridge/resolver_test.go` around lines 122 - 125, The test
currently creates an empty resolverStackInfo (type *schema.ConfigAndStacksInfo)
which doesn't validate pointer-aliasing; seed resolverStackInfo with conflicting
AWS values (e.g., different AccountID/Region/Partition fields) before calling
NewResolver or the auth manager functions and then assert the resolved stacks
come from the manager-owned info rather than this caller-provided struct. After
resolution, mutate the returned result and verify resolverStackInfo remains
unchanged, and conversely mutate resolverStackInfo prior to merge and verify the
final resolved result is unaffected—this ensures both result→src and src→result
isolation for functions like NewResolver and any methods on the auth manager
that populate stack info.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: dc75313b-6be9-400f-9cba-7c6fd2af100f

📥 Commits

Reviewing files that changed from the base of the PR and between ede157d and 76b6fce.

📒 Files selected for processing (2)
  • .devcontainer/Dockerfile
  • pkg/store/authbridge/resolver_test.go
✅ Files skipped from review due to trivial changes (1)
  • .devcontainer/Dockerfile

@osterman osterman added the patch A minor, backward compatible change label Apr 30, 2026
@codecov

codecov Bot commented Apr 30, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.96%. Comparing base (8965bc6) to head (76b6fce).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files


@@           Coverage Diff           @@
##             main    #2379   +/-   ##
=======================================
  Coverage   77.95%   77.96%           
=======================================
  Files        1090     1090           
  Lines      103075   103078    +3     
=======================================
+ Hits        80352    80361    +9     
+ Misses      18316    18311    -5     
+ Partials     4407     4406    -1     
Flag Coverage Δ
unittests 77.96% <100.00%> (+<0.01%) ⬆️

Flags with carried forward coverage won't be shown.

Files with missing lines Coverage Δ
pkg/store/authbridge/resolver.go 100.00% <100.00%> (ø)

... and 4 files with indirect coverage changes


Copy link
Copy Markdown
Member

@aknysh aknysh left a comment


thanks @MrZablah

@aknysh aknysh merged commit 16e30e7 into cloudposse:main May 1, 2026
71 of 74 checks passed
@atmos-pro
Contributor

atmos-pro Bot commented May 1, 2026

Note

Atmos Pro  

Waiting for your GitHub Actions workflow to upload affected stacks.

@mergify mergify Bot removed the needs-cloudposse Needs Cloud Posse assistance label May 1, 2026
@github-actions

github-actions Bot commented May 2, 2026

These changes were released in v1.217.0-rc.3.


Labels

patch A minor, backward compatible change size/m Medium size PR

Development

Successfully merging this pull request may close these issues.

bug: Identity field on stores fails with "AWS auth context not available"

3 participants