Added smoke test for validation

Author: russell-stern

system-tests/tests/smoke/cre/v2_vault_don_test.go

@@ -118,6 +118,29 @@ func ExecuteVaultTest(t *testing.T, testEnv *ttypes.TestEnvironment) {
 		executeVaultSecretsDeleteTest(t, secretID, owner, gwURL, []string{"alt"}, sc, wfReg)
 		executeVaultSecretsGetNotFoundViaWorkflowTest(t, subEnv, "bdela1", secretID, "alt", ulCh, bmCh)
 	})
+
+	t.Run("identifier_validation", func(t *testing.T) {
+		if parallelEnabled {
+			t.Parallel()
+		}
+		subEnv := t_helpers.SetupTestEnvironmentWithPerTestKeys(t, testEnv.TestConfig)
+		sc := subEnv.CreEnvironment.Blockchains[0].(*evm.Blockchain).SethClient
+		owner := sc.MustGetRootKeyAddress().Hex()
+		wfRegAddr := crecontracts.MustGetAddressFromDataStore(subEnv.CreEnvironment.CldfEnvironment.DataStore, subEnv.CreEnvironment.Blockchains[0].ChainSelector(), keystone_changeset.WorkflowRegistry.String(), subEnv.CreEnvironment.ContractVersions[keystone_changeset.WorkflowRegistry.String()], "")
+		wfReg, err := workflow_registry_v2_wrapper.NewWorkflowRegistry(common.HexToAddress(wfRegAddr), sc.Client)
+		require.NoError(t, err)
+		require.NoError(t, creworkflow.LinkOwner(sc, common.HexToAddress(wfRegAddr), subEnv.CreEnvironment.ContractVersions[keystone_changeset.WorkflowRegistry.String()]))
+		ulCh := make(chan *workflowevents.UserLogs, 1000)
+		bmCh := make(chan *commonevents.BaseMessage, 1000)
+		sink := t_helpers.StartChipTestSink(t, t_helpers.GetPublishFn(testLogger, ulCh, bmCh))
+		t.Cleanup(func() {
+			ctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+			defer cancel()
+			t_helpers.ShutdownChipSinkWithDrain(ctx, sink, ulCh, bmCh)
+		})
+		executeVaultSecretsIdentifierValidationTest(t, owner, gwURL, sc, wfReg)
+		executeVaultSecretsGetInvalidIdentifierViaWorkflowTest(t, subEnv, "vget1", ulCh, bmCh)
+	})
 }
 
 func executeVaultSecretsCreateTest(t *testing.T, encryptedSecret, secretID, owner, gatewayURL string, namespaces []string, sethClient *seth.Client, wfRegistryContract *workflow_registry_v2_wrapper.WorkflowRegistry) {
@@ -619,3 +642,118 @@ func allowlistRequest(t *testing.T, owner string, request jsonrpc.Request[json.R
 		framework.L.Info().Msgf("Allowlisted request digestHexStr: %s, owner: %s, expiry: %d", hex.EncodeToString(req.RequestDigest[:]), req.Owner.Hex(), req.ExpiryTimestamp)
 	}
 }
+
+func executeVaultSecretsGetInvalidIdentifierViaWorkflowTest(
+	t *testing.T, testEnv *ttypes.TestEnvironment,
+	workflowBaseName string,
+	userLogsCh chan *workflowevents.UserLogs, baseMessageCh chan *commonevents.BaseMessage,
+) {
+	testLogger := framework.L
+	testLogger.Info().Msg("Verifying get secret is rejected for invalid identifier via workflow...")
+
+	const workflowFileLocation = "./vaultsecret/main.go"
+
+	workflowName := t_helpers.UniqueWorkflowName(testEnv, workflowBaseName)
+	workflowID := t_helpers.CompileAndDeployWorkflow(t, testEnv, testLogger, workflowName, &vaultsecret_config.Config{
+		SecretKey:               "invalid-key-with-hyphens",      // hyphen not in [a-zA-Z0-9_]; tests invalid key
+		SecretNamespace:         "main",
+		SecretKey2:              "validkey",
+		SecretNamespace2:        "invalid-namespace-with-hyphens", // hyphen not in [a-zA-Z0-9_]; tests invalid namespace
+		ExpectInvalidIdentifier: true,
+	}, workflowFileLocation)
+
+	// Both invalid-key and invalid-namespace checks run in the same cron trigger; a single
+	// success log is emitted only after both GetSecret calls are correctly rejected.
+	t_helpers.WatchWorkflowLogs(t, testLogger, userLogsCh, baseMessageCh, t_helpers.WorkflowEngineInitErrorLog,
+		"Vault get correctly rejected invalid identifier", 4*time.Minute, t_helpers.WithUserLogWorkflowID(workflowID))
+	testLogger.Info().Msg("Vault get invalid identifier via workflow test completed")
+}
+
+// executeVaultSecretsIdentifierValidationTest verifies that the gateway rejects requests whose
+// secret identifiers contain characters outside the allowed alphanumeric+underscore set.
+// All four management request types (create, update, delete, list) are exercised across
+// invalid key, invalid namespace, and invalid owner cases. Positive-path coverage is provided
+// by basic_crud; this test focuses only on rejection behaviour.
+func executeVaultSecretsIdentifierValidationTest(t *testing.T, owner, gatewayURL string, sethClient *seth.Client, wfRegistryContract *workflow_registry_v2_wrapper.WorkflowRegistry) {
+	t.Helper()
+
+	const (
+		validKey         = "validkey"
+		invalidKey       = "invalid-key-with-hyphens"   // hyphen not in [a-zA-Z0-9_]
+		validNamespace   = "main"
+		invalidNamespace = "invalid-namespace-hyphens"  // hyphen not in [a-zA-Z0-9_]
+		invalidOwner     = "invalid-owner-with-hyphens" // hyphen not in [a-zA-Z0-9_]
+	)
+	// dummyEncrypted is a placeholder; identifier validation fires before ciphertext checks.
+	const dummyEncrypted = "deadbeef"
+
+	sendWriteAndAssert := func(t *testing.T, method, caseName string, secret *vault_helpers.EncryptedSecret) {
+		t.Helper()
+		uniqueRequestID := uuid.New().String()
+		var body []byte
+		var err error
+		switch method {
+		case vaulttypes.MethodSecretsCreate:
+			body, err = json.Marshal(vault_helpers.CreateSecretsRequest{RequestId: uniqueRequestID, EncryptedSecrets: []*vault_helpers.EncryptedSecret{secret}})
+		case vaulttypes.MethodSecretsUpdate:
+			body, err = json.Marshal(vault_helpers.UpdateSecretsRequest{RequestId: uniqueRequestID, EncryptedSecrets: []*vault_helpers.EncryptedSecret{secret}})
+		case vaulttypes.MethodSecretsDelete:
+			body, err = json.Marshal(vault_helpers.DeleteSecretsRequest{RequestId: uniqueRequestID, Ids: []*vault_helpers.SecretIdentifier{secret.Id}})
+		}
+		require.NoError(t, err)
+		bodyJSON := json.RawMessage(body)
+		req := jsonrpc.Request[json.RawMessage]{Version: jsonrpc.JsonRpcVersion, ID: uniqueRequestID, Method: method, Params: &bodyJSON}
+		allowlistRequest(t, owner, req, sethClient, wfRegistryContract)
+		reqBody, err := json.Marshal(req)
+		require.NoError(t, err)
+		_, respBody := sendVaultRequestToGateway(t, gatewayURL, reqBody)
+		require.Contains(t, string(respBody), "alphanumeric", "[%s] expected alphanumeric rejection for %s", method, caseName)
+		framework.L.Info().Msgf("[%s] %s correctly rejected: %s", method, caseName, string(respBody))
+	}
+
+	type writeCase struct {
+		name         string
+		key, own, ns string
+	}
+	writeCases := []writeCase{
+		{"invalid key",       invalidKey, owner,        validNamespace},
+		{"invalid namespace", validKey,   owner,        invalidNamespace},
+		{"invalid owner",     validKey,   invalidOwner, validNamespace},
+	}
+
+	for _, op := range []string{vaulttypes.MethodSecretsCreate, vaulttypes.MethodSecretsUpdate, vaulttypes.MethodSecretsDelete} {
+		framework.L.Info().Msgf("Testing identifier validation for %s request...", op)
+		for _, tc := range writeCases {
+			sendWriteAndAssert(t, op, tc.name, &vault_helpers.EncryptedSecret{
+				Id:             &vault_helpers.SecretIdentifier{Key: tc.key, Owner: tc.own, Namespace: tc.ns},
+				EncryptedValue: dummyEncrypted,
+			})
+		}
+	}
+
+	type listCase struct {
+		name    string
+		own, ns string
+	}
+	listCases := []listCase{
+		{"invalid namespace", owner,        invalidNamespace},
+		{"invalid owner",     invalidOwner, validNamespace},
+	}
+
+	framework.L.Info().Msg("Testing identifier validation for list request...")
+	for _, tc := range listCases {
+		uniqueRequestID := uuid.New().String()
+		body, err := json.Marshal(vault_helpers.ListSecretIdentifiersRequest{RequestId: uniqueRequestID, Owner: tc.own, Namespace: tc.ns})
+		require.NoError(t, err)
+		bodyJSON := json.RawMessage(body)
+		req := jsonrpc.Request[json.RawMessage]{Version: jsonrpc.JsonRpcVersion, ID: uniqueRequestID, Method: vaulttypes.MethodSecretsList, Params: &bodyJSON}
+		allowlistRequest(t, owner, req, sethClient, wfRegistryContract)
+		reqBody, err := json.Marshal(req)
+		require.NoError(t, err)
+		_, respBody := sendVaultRequestToGateway(t, gatewayURL, reqBody)
+		require.Contains(t, string(respBody), "alphanumeric", "[list] expected alphanumeric rejection for %s", tc.name)
+		framework.L.Info().Msgf("[list] %s correctly rejected: %s", tc.name, string(respBody))
+	}
+
+	framework.L.Info().Msg("All identifier validation checks passed")
+}

system-tests/tests/smoke/cre/vaultsecret/config/config.go

@@ -1,7 +1,10 @@
 package config
 
 type Config struct {
-	SecretKey       string `yaml:"secretKey"`
-	SecretNamespace string `yaml:"secretNamespace"`
-	ExpectNotFound  bool   `yaml:"expectNotFound"`
+	SecretKey               string `yaml:"secretKey"`
+	SecretNamespace         string `yaml:"secretNamespace"`
+	SecretKey2              string `yaml:"secretKey2"`
+	SecretNamespace2        string `yaml:"secretNamespace2"`
+	ExpectNotFound          bool   `yaml:"expectNotFound"`
+	ExpectInvalidIdentifier bool   `yaml:"expectInvalidIdentifier"`
 }

system-tests/tests/smoke/cre/vaultsecret/main.go

@@ -61,6 +61,37 @@ func onTrigger(cfg config.Config, runtime cre.Runtime, _ *cron.Payload) (string,
 		return "", fmt.Errorf("expected secret key=%s to be deleted, but it was still found", cfg.SecretKey)
 	}
 
+	if cfg.ExpectInvalidIdentifier {
+		if err == nil {
+			runtime.Logger().Error("Expected identifier validation to fail but GetSecret succeeded", "secretKey", cfg.SecretKey)
+			return "", fmt.Errorf("expected identifier validation failure for key=%s, but secret was retrieved", cfg.SecretKey)
+		}
+		runtime.Logger().Info("Vault get correctly rejected invalid identifier", "secretKey", cfg.SecretKey, "error", err)
+
+		if cfg.SecretKey2 != "" || cfg.SecretNamespace2 != "" {
+			key2 := cfg.SecretKey2
+			if key2 == "" {
+				key2 = cfg.SecretKey
+			}
+			ns2 := cfg.SecretNamespace2
+			if ns2 == "" {
+				ns2 = cfg.SecretNamespace
+			}
+			_, err2 := runtime.GetSecret(&cre.SecretRequest{
+				Namespace: ns2,
+				Id:        key2,
+			}).Await()
+			if err2 == nil {
+				runtime.Logger().Error("Expected identifier validation to fail for secondary identifier but GetSecret succeeded",
+					"secretKey2", key2, "secretNamespace2", ns2)
+				return "", fmt.Errorf("expected identifier validation failure for key=%s namespace=%s, but secret was retrieved", key2, ns2)
+			}
+			runtime.Logger().Info("Vault get correctly rejected invalid identifier", "secretKey", key2, "error", err2)
+		}
+
+		return fmt.Sprintf("Invalid identifier correctly rejected: key=%s", cfg.SecretKey), nil
+	}
+
 	if err != nil {
 		runtime.Logger().Error("Failed to get secret via workflow", "error", err)
 		return "", fmt.Errorf("failed to get secret: %w", err)