Add Vault JWT local CRE test coverage

Author: prashantkumar1982

core/capabilities/vault/gw_handler.go

@@ -60,6 +60,7 @@ type gatewayConnector interface {
 
 type gatewayHandlerConfig struct {
 	authorizer Authorizer
+	auth0      *Auth0Config
 }
 
 // GatewayHandlerOption customizes GatewayHandler construction for tests and future auth extensions.
@@ -72,6 +73,13 @@ func WithAuthorizer(authorizer Authorizer) GatewayHandlerOption {
 	}
 }
 
+// WithJWTAuth0Config enables JWT-based request validation for the node-side Vault handler.
+func WithJWTAuth0Config(auth0 *Auth0Config) GatewayHandlerOption {
+	return func(cfg *gatewayHandlerConfig) {
+		cfg.auth0 = auth0
+	}
+}
+
 // GatewayHandler serves Vault requests received from the gateway on the node side.
 type GatewayHandler struct {
 	services.Service
@@ -93,7 +101,7 @@ func NewGatewayHandler(secretsService vaulttypes.SecretsService, connector gatew
 	}
 	if cfg.authorizer == nil {
 		allowListBasedAuth := NewAllowListBasedAuth(lggr, workflowRegistrySyncer)
-		jwtBasedAuth, err := NewJWTBasedAuth(JWTBasedAuthConfig{}, limitsFactory, lggr, WithDisabledJWTBasedAuth())
+		jwtBasedAuth, err := NewJWTBasedAuthFromAuth0Config(cfg.auth0, limitsFactory, lggr)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create JWTBasedAuth: %w", err)
 		}

core/capabilities/vault/jwt_based_auth.go

@@ -37,6 +37,12 @@ const (
 	defaultHTTPTimeout         = 5 * time.Second
 )
 
+// Auth0Config captures the Vault JWT issuer settings shared by gateway and node handlers.
+type Auth0Config struct {
+	IssuerURL string `json:"issuerURL" toml:"issuerURL" yaml:"issuerURL"`
+	Audience  string `json:"audience" toml:"audience" yaml:"audience"`
+}
+
 // JWTBasedAuthConfig holds the configuration for JWTBasedAuth validation.
 type JWTBasedAuthConfig struct {
 	IssuerURL           string
@@ -119,6 +125,19 @@ func WithDisabledJWTBasedAuth() JWTBasedAuthOption {
 	}
 }
 
+// NewJWTBasedAuthFromAuth0Config constructs JWT auth from an optional Auth0 config.
+// When auth0 is not configured, the validator is created in a fail-closed disabled state.
+func NewJWTBasedAuthFromAuth0Config(auth0 *Auth0Config, limitsFactory limits.Factory, lggr logger.Logger) (*jwtBasedAuth, error) {
+	if auth0 == nil || (auth0.IssuerURL == "" && auth0.Audience == "") {
+		return NewJWTBasedAuth(JWTBasedAuthConfig{}, limitsFactory, lggr, WithDisabledJWTBasedAuth())
+	}
+
+	return NewJWTBasedAuth(JWTBasedAuthConfig{
+		IssuerURL: auth0.IssuerURL,
+		Audience:  auth0.Audience,
+	}, limitsFactory, lggr)
+}
+
 // NewJWTBasedAuth creates a JWTBasedAuth authorizer that verifies Auth0-issued JWTs
 // against the provider's JWKS endpoint. The JWKS is fetched lazily on first
 // use and refreshed on key-ID cache misses (rate-limited).
@@ -209,21 +228,27 @@ func (v *jwtBasedAuth) AuthorizeRequest(ctx context.Context, req jsonrpc.Request
 		return nil, errors.New("JWTBasedAuth is disabled")
 	}
 
-	requestDigest, err := req.Digest()
-	if err != nil {
-		v.lggr.Debugw("JWTBasedAuth failed to compute request digest", "method", req.Method, "requestID", req.ID, "error", err)
-		return nil, fmt.Errorf("failed to compute request digest: %w", err)
-	}
-
 	claims, err := v.validateToken(ctx, req.Auth)
 	if err != nil {
 		v.lggr.Debugw("JWTBasedAuth token validation failed", "method", req.Method, "requestID", req.ID, "error", err)
 		return nil, fmt.Errorf("invalid JWT auth token: %w", err)
 	}
 
+	normalizedReq, err := NormalizeRequestWithIdentity(req, claims.OrgID, claims.WorkflowOwner)
+	if err != nil {
+		v.lggr.Debugw("JWTBasedAuth failed to normalize request identity", "method", req.Method, "requestID", req.ID, "orgID", claims.OrgID, "workflowOwner", claims.WorkflowOwner, "error", err)
+		return nil, fmt.Errorf("failed to normalize request identity: %w", err)
+	}
+
+	requestDigest, err := normalizedReq.Digest()
+	if err != nil {
+		v.lggr.Debugw("JWTBasedAuth failed to compute request digest", "method", req.Method, "requestID", req.ID, "orgID", claims.OrgID, "workflowOwner", claims.WorkflowOwner, "error", err)
+		return nil, fmt.Errorf("failed to compute request digest: %w", err)
+	}
+
 	if !strings.EqualFold(requestDigest, claims.RequestDigest) {
 		v.lggr.Debugw("JWTBasedAuth request digest mismatch", "method", req.Method, "requestID", req.ID, "orgID", claims.OrgID, "workflowOwner", claims.WorkflowOwner, "computedDigest", requestDigest, "claimedDigest", claims.RequestDigest)
-		return nil, errors.New("request digest mismatch")
+		return nil, fmt.Errorf("request digest mismatch: computed=%s claimed=%s", requestDigest, claims.RequestDigest)
 	}
 
 	v.lggr.Debugw("JWTBasedAuth authorization succeeded", "method", req.Method, "requestID", req.ID, "orgID", claims.OrgID, "workflowOwner", claims.WorkflowOwner, "digest", requestDigest, "expiresAt", claims.ExpiresAt.UTC().Unix())

core/capabilities/vault/jwt_based_auth_test.go

@@ -519,6 +519,51 @@ func TestNewJWTBasedAuth_UsesVaultJWTAuthEnabledLimiter_Enabled(t *testing.T) {
 	require.ErrorContains(t, err, ErrMissingToken.Error())
 }
 
+func TestJWTBasedAuth_AuthorizeCreateRequestFromRawJSON(t *testing.T) {
+	rsaKey := generateTestRSAKey(t, "key-1")
+	jwksServer := newTestJWKSServer(t, rsaKey)
+
+	issuer := jwksServer.URL() + "/"
+	audience := "https://vault.test.chain.link"
+	v := newTestValidator(t, issuer, audience)
+
+	rawRequest := []byte(`{"jsonrpc":"2.0","id":"req-1","method":"vault.secrets.create","params":{"request_id":"req-1","encrypted_secrets":[{"id":{"key":"7611","namespace":"main","owner":"org-123"},"encrypted_value":"cipher+/=="}]}}`)
+	req, err := jsonrpc.DecodeRequest[json.RawMessage](rawRequest, "")
+	require.NoError(t, err)
+
+	normalizedReq, err := NormalizeRequestWithIdentity(req, "org-123", "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01")
+	require.NoError(t, err)
+
+	digest, err := normalizedReq.Digest()
+	require.NoError(t, err)
+
+	token := createTestJWT(t, rsaKey, jwt.MapClaims{
+		"iss":    issuer,
+		"aud":    audience,
+		"exp":    jwt.NewNumericDate(time.Now().Add(5 * time.Minute)),
+		"iat":    jwt.NewNumericDate(time.Now()),
+		"org_id": "org-123",
+		"authorization_details": []interface{}{
+			map[string]interface{}{
+				"type":  "request_digest",
+				"value": digest,
+			},
+			map[string]interface{}{
+				"type":  "workflow_owner",
+				"value": "0xAbCdEf0123456789AbCdEf0123456789AbCdEf01",
+			},
+		},
+	})
+
+	req, err = jsonrpc.DecodeRequest[json.RawMessage](rawRequest, token)
+	require.NoError(t, err)
+
+	authResult, err := v.AuthorizeRequest(t.Context(), req)
+	require.NoError(t, err)
+	require.Equal(t, "org-123", authResult.OrgID())
+	require.Equal(t, digest, authResult.Digest())
+}
+
 func setDefaultGetter(t *testing.T, payload string) {
 	t.Helper()
 

core/capabilities/vault/request_normalization.go

@@ -0,0 +1,66 @@
+package vault
+
+import (
+	"encoding/json"
+
+	vaultcommon "github.com/smartcontractkit/chainlink-common/pkg/capabilities/actions/vault"
+	jsonrpc "github.com/smartcontractkit/chainlink-common/pkg/jsonrpc2"
+	"github.com/smartcontractkit/chainlink/v2/core/capabilities/vault/vaulttypes"
+)
+
+// NormalizeRequestWithIdentity returns a copy of req with the JWT-derived identity
+// fields materialized into params for Vault secret-management methods. Requests with
+// malformed params are returned unchanged so downstream parsing can surface the
+// existing method-specific error paths.
+func NormalizeRequestWithIdentity(req jsonrpc.Request[json.RawMessage], orgID, workflowOwner string) (jsonrpc.Request[json.RawMessage], error) {
+	if req.Params == nil {
+		return req, nil
+	}
+
+	rewrite := func(payload any) error {
+		b, err := json.Marshal(payload)
+		if err != nil {
+			return err
+		}
+		raw := json.RawMessage(b)
+		req.Params = &raw
+		return nil
+	}
+
+	switch req.Method {
+	case vaulttypes.MethodSecretsCreate:
+		parsed := &vaultcommon.CreateSecretsRequest{}
+		if err := json.Unmarshal(*req.Params, parsed); err != nil {
+			return req, nil
+		}
+		parsed.OrgId = orgID
+		parsed.WorkflowOwner = workflowOwner
+		return req, rewrite(parsed)
+	case vaulttypes.MethodSecretsUpdate:
+		parsed := &vaultcommon.UpdateSecretsRequest{}
+		if err := json.Unmarshal(*req.Params, parsed); err != nil {
+			return req, nil
+		}
+		parsed.OrgId = orgID
+		parsed.WorkflowOwner = workflowOwner
+		return req, rewrite(parsed)
+	case vaulttypes.MethodSecretsDelete:
+		parsed := &vaultcommon.DeleteSecretsRequest{}
+		if err := json.Unmarshal(*req.Params, parsed); err != nil {
+			return req, nil
+		}
+		parsed.OrgId = orgID
+		parsed.WorkflowOwner = workflowOwner
+		return req, rewrite(parsed)
+	case vaulttypes.MethodSecretsList:
+		parsed := &vaultcommon.ListSecretIdentifiersRequest{}
+		if err := json.Unmarshal(*req.Params, parsed); err != nil {
+			return req, nil
+		}
+		parsed.OrgId = orgID
+		parsed.WorkflowOwner = workflowOwner
+		return req, rewrite(parsed)
+	default:
+		return req, nil
+	}
+}

core/capabilities/vault/validator.go

@@ -23,16 +23,16 @@ type RequestValidator struct {
 }
 
 func (r *RequestValidator) ValidateCreateSecretsRequest(publicKey *tdh2easy.PublicKey, request *vaultcommon.CreateSecretsRequest) error {
-	return r.validateWriteRequest(publicKey, request.RequestId, request.EncryptedSecrets)
+	return r.validateWriteRequest(publicKey, request.RequestId, request.OrgId, request.WorkflowOwner, request.EncryptedSecrets)
 }
 
 func (r *RequestValidator) ValidateUpdateSecretsRequest(publicKey *tdh2easy.PublicKey, request *vaultcommon.UpdateSecretsRequest) error {
-	return r.validateWriteRequest(publicKey, request.RequestId, request.EncryptedSecrets)
+	return r.validateWriteRequest(publicKey, request.RequestId, request.OrgId, request.WorkflowOwner, request.EncryptedSecrets)
 }
 
 // validateWriteRequest performs common validation for CreateSecrets and UpdateSecrets requests
 // It treats publicKey as optional, since it can be nil if the gateway nodes don't have the public key cached yet
-func (r *RequestValidator) validateWriteRequest(publicKey *tdh2easy.PublicKey, id string, encryptedSecrets []*vaultcommon.EncryptedSecret) error {
+func (r *RequestValidator) validateWriteRequest(publicKey *tdh2easy.PublicKey, id string, orgID string, workflowOwner string, encryptedSecrets []*vaultcommon.EncryptedSecret) error {
 	if id == "" {
 		return errors.New("request ID must not be empty")
 	}
@@ -66,7 +66,11 @@ func (r *RequestValidator) validateWriteRequest(publicKey *tdh2easy.PublicKey, i
 		if err := r.validateCiphertextSize(req.EncryptedValue); err != nil {
 			return fmt.Errorf("secret encrypted value at index %d is invalid: %w", idx, err)
 		}
-		err := EnsureRightLabelOnSecret(publicKey, req.EncryptedValue, req.Id.Owner, "")
+		expectedWorkflowOwner := workflowOwner
+		if expectedWorkflowOwner == "" && orgID == "" {
+			expectedWorkflowOwner = req.Id.Owner
+		}
+		err := EnsureRightLabelOnSecret(publicKey, req.EncryptedValue, expectedWorkflowOwner, orgID)
 		if err != nil {
 			return errors.New("Encrypted Secret at index [" + strconv.Itoa(idx) + "] doesn't have owner as the label. Error: " + err.Error())
 		}

core/capabilities/vault/validator_test.go

@@ -298,3 +298,60 @@ func TestRequestValidator_CiphertextSizeLimit(t *testing.T) {
 		})
 	}
 }
+
+func TestRequestValidator_ValidateCreateSecretsRequest_UsesRequestIdentityForOrgLabels(t *testing.T) {
+	pk, _ := generateTestKeys(t)
+	validator := NewRequestValidator(
+		limits.NewUpperBoundLimiter(10),
+		limits.NewUpperBoundLimiter[pkgconfig.Size](10*pkgconfig.KByte),
+	)
+
+	orgID := "org_2xAbCdEfGhIjKlMnOpQrStUvWxYz"
+	workflowOwner := "0x0001020304050607080900010203040506070809"
+	encrypted := encryptWithOrgIDLabel(t, pk, orgID)
+
+	err := validator.ValidateCreateSecretsRequest(pk, &vaultcommon.CreateSecretsRequest{
+		RequestId:     "request-id",
+		OrgId:         orgID,
+		WorkflowOwner: workflowOwner,
+		EncryptedSecrets: []*vaultcommon.EncryptedSecret{
+			{
+				Id: &vaultcommon.SecretIdentifier{
+					Key:       "key",
+					Namespace: "namespace",
+					Owner:     orgID,
+				},
+				EncryptedValue: encrypted,
+			},
+		},
+	})
+
+	require.NoError(t, err)
+}
+
+func TestRequestValidator_ValidateCreateSecretsRequest_FallsBackToSecretOwnerForLegacyRequests(t *testing.T) {
+	pk, _ := generateTestKeys(t)
+	validator := NewRequestValidator(
+		limits.NewUpperBoundLimiter(10),
+		limits.NewUpperBoundLimiter[pkgconfig.Size](10*pkgconfig.KByte),
+	)
+
+	workflowOwner := "0x0001020304050607080900010203040506070809"
+	encrypted := encryptWithEthAddressLabel(t, pk, workflowOwner)
+
+	err := validator.ValidateCreateSecretsRequest(pk, &vaultcommon.CreateSecretsRequest{
+		RequestId: "request-id",
+		EncryptedSecrets: []*vaultcommon.EncryptedSecret{
+			{
+				Id: &vaultcommon.SecretIdentifier{
+					Key:       "key",
+					Namespace: "namespace",
+					Owner:     workflowOwner,
+				},
+				EncryptedValue: encrypted,
+			},
+		},
+	})
+
+	require.NoError(t, err)
+}

core/scripts/cre/environment/environment/setup.go

@@ -18,7 +18,6 @@ import (
 	"github.com/Masterminds/semver/v3"
 	"github.com/docker/docker/api/types/image"
 	"github.com/docker/docker/client"
-	"github.com/ethereum/go-ethereum/log"
 	"github.com/pelletier/go-toml/v2"
 	"github.com/pkg/errors"
 	"github.com/rs/zerolog"
@@ -289,15 +288,12 @@ func (c BuildConfig) Build(ctx context.Context) (localImage string, err error) {
 	}
 
 	// Build Docker image
-	args := []string{"build", "-t", c.LocalImage, "-f", c.Dockerfile, c.DockerCtx}
-	if c.RequireGithubToken {
-		args = append(args, "--build-arg", "GITHUB_TOKEN="+os.Getenv("GITHUB_TOKEN"))
-	}
+	args := c.dockerBuildArgs()
 
 	cmd := exec.CommandContext(ctx, "docker", args...)
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
-	log.Info("Running command:", "cmd", cmd.String(), "dir", workingDir)
+	logger.Info().Str("cmd", cmd.String()).Str("dir", workingDir).Msg("Running docker build command")
 	if err := cmd.Run(); err != nil {
 		return "", fmt.Errorf("failed to build Docker image: %w", err)
 	}
@@ -306,6 +302,14 @@ func (c BuildConfig) Build(ctx context.Context) (localImage string, err error) {
 	return c.LocalImage, nil
 }
 
+func (c BuildConfig) dockerBuildArgs() []string {
+	args := []string{"build", "-t", c.LocalImage, "-f", c.Dockerfile}
+	if c.RequireGithubToken {
+		args = append(args, "--build-arg", "GITHUB_TOKEN="+os.Getenv("GITHUB_TOKEN"))
+	}
+	return append(args, c.DockerCtx)
+}
+
 type PullConfig struct {
 	LocalImage string `toml:"local_image"`
 	EcrImage   string `toml:"ecr_image"`

core/scripts/cre/environment/environment/setup_test.go

@@ -0,0 +1,44 @@
+package environment
+
+import (
+	"os"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestBuildConfigDockerBuildArgs(t *testing.T) {
+	t.Setenv("GITHUB_TOKEN", "test-token")
+
+	cfg := BuildConfig{
+		LocalImage:         "test-image:latest",
+		Dockerfile:         "Dockerfile.test",
+		DockerCtx:          ".",
+		RequireGithubToken: true,
+	}
+
+	require.Equal(t, []string{
+		"build",
+		"-t", "test-image:latest",
+		"-f", "Dockerfile.test",
+		"--build-arg", "GITHUB_TOKEN=test-token",
+		".",
+	}, cfg.dockerBuildArgs())
+}
+
+func TestBuildConfigDockerBuildArgs_WithoutGithubToken(t *testing.T) {
+	require.NoError(t, os.Unsetenv("GITHUB_TOKEN"))
+
+	cfg := BuildConfig{
+		LocalImage: "test-image:latest",
+		Dockerfile: "Dockerfile.test",
+		DockerCtx:  ".",
+	}
+
+	require.Equal(t, []string{
+		"build",
+		"-t", "test-image:latest",
+		"-f", "Dockerfile.test",
+		".",
+	}, cfg.dockerBuildArgs())
+}