Skip to content

Fix vault gateway auth propagation#21865

Merged
prashantkumar1982 merged 2 commits intodevelopfrom
codex/vault-gw-auth-identity
Apr 3, 2026
Merged

Fix vault gateway auth propagation#21865
prashantkumar1982 merged 2 commits intodevelopfrom
codex/vault-gw-auth-identity

Conversation

@prashantkumar1982
Copy link
Copy Markdown
Contributor

@prashantkumar1982 prashantkumar1982 commented Apr 3, 2026
edited
Loading

Summary

  • propagate the authorizer's orgID and workflowOwner onto all authenticated gateway vault requests
  • extend allowlist auth retries to tolerate longer propagation lag
  • include the checked expectedLabels in vault label-validation errors

Root Cause

The vault capability's gateway handler was forwarding capability requests without overwriting identity fields from the trusted auth result, so the vault capability was seeing empty fields. Separately, allowlist propagation could lag long enough for gateway and node authorization to disagree, and validator errors did not show which labels were compared.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 3, 2026

I see you updated files related to core. Please run make gocs in the root directory to add a changeset as well as in the text include at least one of the following tags:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 3, 2026
edited
Loading

✅ No conflicts with other open PRs targeting develop

@prashantkumar1982 prashantkumar1982 force-pushed the codex/vault-gw-auth-identity branch from 18fde74 to 57c9a35 Compare April 3, 2026 18:48
@trunk-io
Copy link
Copy Markdown

trunk-io bot commented Apr 3, 2026
edited
Loading

Static BadgeStatic BadgeStatic BadgeStatic Badge

Failed Test Failure Summary Logs
TestAddEVMSolanaLaneBidirectional/MCMS_disabled The test failed during the deployment or interaction with smart contracts on the blockchain. Logs ↗︎

View Full Report ↗︎Docs

@prashantkumar1982 prashantkumar1982 marked this pull request as ready for review April 3, 2026 19:20
@prashantkumar1982 prashantkumar1982 requested review from a team as code owners April 3, 2026 19:20
@prashantkumar1982 prashantkumar1982 mentioned this pull request Apr 3, 2026
Closed
@prashantkumar1982 prashantkumar1982 changed the title [codex] Fix vault gateway auth propagation Fix vault gateway auth propagation Apr 3, 2026
@prashantkumar1982 prashantkumar1982 force-pushed the codex/vault-gw-auth-identity branch from 5c334a2 to 4279bb8 Compare April 3, 2026 21:23
@prashantkumar1982 prashantkumar1982 added this pull request to the merge queue Apr 3, 2026
@cl-sonarqube-production
Copy link
Copy Markdown

cl-sonarqube-production bot commented Apr 3, 2026

Quality Gate passed Quality Gate passed

Issues
1 New issue
1 Fixed issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
4.8% Duplication on New Code

See analysis details on SonarQube

@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 3, 2026
@prashantkumar1982 prashantkumar1982 added this pull request to the merge queue Apr 3, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 3, 2026
@prashantkumar1982 prashantkumar1982 added this pull request to the merge queue Apr 3, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 3, 2026
@prashantkumar1982 prashantkumar1982 added this pull request to the merge queue Apr 3, 2026
Merged via the queue into develop with commit 577eba4 Apr 3, 2026
301 of 304 checks passed
@prashantkumar1982 prashantkumar1982 deleted the codex/vault-gw-auth-identity branch April 3, 2026 23:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jmank88 jmank88 jmank88 approved these changes

@justinkaseman justinkaseman justinkaseman approved these changes

@silaslenihan silaslenihan Awaiting requested review from silaslenihan

@shileiwill shileiwill Awaiting requested review from shileiwill

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@prashantkumar1982 @jmank88 @justinkaseman