Add Vault JWT local CRE coverage and topology docs (#22048)

* [codex] Add Vault JWT local CRE test coverage

* [codex] Fix Vault JWT topology and owner responses

* [codex] Fix Vault config lint

* [codex] Trim non-Vault CRE changes

* increase test timeout

* [codex] Add disabled Vault topology coverage

* [codex] Simplify Vault handler wiring

* [codex] Align Vault JWT behavior with topology flags

* [codex] Simplify Vault CRE topologies

* [codex] Refactor Vault smoke helpers

* [codex] Fix Vault smoke CI wiring

* [codex] Fix Vault smoke copylocks lint

* [codex] Add local CRE skill docs

* [codex] Address local CRE review feedback

* [codex] Fix vault linking config in CI

* [codex] Fix vault workflow linking config

* [codex] Speed up vault Bucket B workflow checks

* [codex] Reuse vault workflows across Bucket B phases

* [codex] Remove unused vault workflow helpers

* [codex] Increase go_core_tests runner memory

* [codex] Move go_core_tests off tmpfs runner

* [codex] Start shared test linking service

* [codex] Fix linking service errname lint

Author: prashantkumar1982

.github/workflows/ci-core.yml

@@ -206,7 +206,7 @@ jobs:
       matrix:
         type:
           - cmd: go_core_tests
-            os: runs-on=${{ github.run_id }}-unit/cpu=48/ram=96/family=c6i/spot=false/image=ubuntu24-full-x64/extras=s3-cache+tmpfs
+            os: runs-on=${{ github.run_id }}-unit/cpu=48/ram=96/family=c6id+c5ad/spot=false/image=ubuntu24-full-x64/extras=s3-cache
             should-run: ${{ needs.filter.outputs.should-run-core-tests }}
             trunk-auto-quarantine: "true"
 

.github/workflows/cre-system-tests.yaml

@@ -86,6 +86,10 @@ jobs:
 
           # Add list of tests with certain topologies
           PER_TEST_TOPOLOGIES_JSON=${PER_TEST_TOPOLOGIES_JSON:-'{
+            "Test_CRE_V2_Suite_Bucket_B": [
+               {"topology":"workflow-gateway-capabilities","configs":"configs/workflow-gateway-capabilities-don.toml"},
+               {"topology":"workflow-gateway-capabilities-vault-jwt_auth-enabled","configs":"configs/workflow-gateway-capabilities-don-vault-jwt_auth-enabled.toml"}
+             ],
             "Test_CRE_V2_Aptos_Suite": [
                {"topology":"workflow-gateway-aptos","configs":"configs/workflow-gateway-don-aptos.toml"}
              ],

core/capabilities/vault/authorizer_test.go

@@ -11,29 +11,20 @@ import (
 
 	vaultcommon "github.com/smartcontractkit/chainlink-common/pkg/capabilities/actions/vault"
 	jsonrpc "github.com/smartcontractkit/chainlink-common/pkg/jsonrpc2"
-	"github.com/smartcontractkit/chainlink-common/pkg/settings/cresettings"
-	"github.com/smartcontractkit/chainlink-common/pkg/settings/limits"
 	vault "github.com/smartcontractkit/chainlink/v2/core/capabilities/vault"
 	vaultmocks "github.com/smartcontractkit/chainlink/v2/core/capabilities/vault/mocks"
 	"github.com/smartcontractkit/chainlink/v2/core/capabilities/vault/vaulttypes"
 	"github.com/smartcontractkit/chainlink/v2/core/logger"
 )
 
-func testLimitsFactory() limits.Factory {
-	return limits.Factory{Settings: cresettings.DefaultGetter}
-}
-
-func TestAuthorizer_RejectsJWTBasedAuthWhenDisabled(t *testing.T) {
+func TestAuthorizer_RejectsJWTBasedAuthWhenUnavailable(t *testing.T) {
 	params, err := json.Marshal(vaultcommon.CreateSecretsRequest{})
 	require.NoError(t, err)
 
 	allowListBasedAuth := vaultmocks.NewAuthorizer(t)
 	allowListBasedAuth.EXPECT().AuthorizeRequest(mock.Anything, mock.Anything).Maybe()
 
-	jwtBasedAuth, err := vault.NewJWTBasedAuth(vault.JWTBasedAuthConfig{}, testLimitsFactory(), logger.TestLogger(t), vault.WithDisabledJWTBasedAuth())
-	require.NoError(t, err)
-
-	a := vault.NewAuthorizer(allowListBasedAuth, jwtBasedAuth, logger.TestLogger(t))
+	a := vault.NewAuthorizer(allowListBasedAuth, nil, logger.TestLogger(t))
 
 	authResult, err := a.AuthorizeRequest(t.Context(), jsonrpc.Request[json.RawMessage]{
 		ID:     "1",
@@ -42,7 +33,7 @@ func TestAuthorizer_RejectsJWTBasedAuthWhenDisabled(t *testing.T) {
 		Auth:   "jwt-token",
 	})
 	require.Nil(t, authResult)
-	require.ErrorContains(t, err, "JWTBasedAuth is disabled")
+	require.ErrorContains(t, err, "JWTBasedAuth is nil")
 	allowListBasedAuth.AssertNotCalled(t, "AuthorizeRequest", mock.Anything, mock.Anything)
 }
 
@@ -126,10 +117,7 @@ func TestAuthorizer_RejectsAllowListBasedAuthReplay(t *testing.T) {
 	req := jsonrpc.Request[json.RawMessage]{ID: "1", Method: vaulttypes.MethodSecretsCreate}
 	allowListBasedAuth.EXPECT().AuthorizeRequest(mock.Anything, req).Return(vault.NewAuthResult("", "0xabc", "digest-1", time.Now().Add(time.Minute).Unix()), nil).Twice()
 
-	jwtBasedAuth, err := vault.NewJWTBasedAuth(vault.JWTBasedAuthConfig{}, testLimitsFactory(), logger.TestLogger(t), vault.WithDisabledJWTBasedAuth())
-	require.NoError(t, err)
-
-	a := vault.NewAuthorizer(allowListBasedAuth, jwtBasedAuth, logger.TestLogger(t))
+	a := vault.NewAuthorizer(allowListBasedAuth, nil, logger.TestLogger(t))
 
 	authResult, err := a.AuthorizeRequest(t.Context(), req)
 	require.NoError(t, err)

core/capabilities/vault/gw_handler.go

@@ -58,20 +58,6 @@ type gatewayConnector interface {
 	RemoveHandler(ctx context.Context, methods []string) error
 }
 
-type gatewayHandlerConfig struct {
-	authorizer Authorizer
-}
-
-// GatewayHandlerOption customizes GatewayHandler construction for tests and future auth extensions.
-type GatewayHandlerOption func(*gatewayHandlerConfig)
-
-// WithAuthorizer overrides the default Vault request authorizer.
-func WithAuthorizer(authorizer Authorizer) GatewayHandlerOption {
-	return func(cfg *gatewayHandlerConfig) {
-		cfg.authorizer = authorizer
-	}
-}
-
 // GatewayHandler serves Vault requests received from the gateway on the node side.
 type GatewayHandler struct {
 	services.Service
@@ -86,24 +72,36 @@ type GatewayHandler struct {
 }
 
 // NewGatewayHandler creates a Vault gateway connector handler with internal auth wiring.
-func NewGatewayHandler(secretsService vaulttypes.SecretsService, connector gatewayConnector, workflowRegistrySyncer workflowsyncerv2.WorkflowRegistrySyncer, lggr logger.Logger, limitsFactory limits.Factory, opts ...GatewayHandlerOption) (*GatewayHandler, error) {
-	cfg := gatewayHandlerConfig{}
-	for _, opt := range opts {
-		opt(&cfg)
-	}
-	if cfg.authorizer == nil {
-		allowListBasedAuth := NewAllowListBasedAuth(lggr, workflowRegistrySyncer)
-		jwtBasedAuth, err := NewJWTBasedAuth(JWTBasedAuthConfig{}, limitsFactory, lggr, WithDisabledJWTBasedAuth())
+// Pass a non-nil authorizer only in tests or other cases that need to override the default
+// allowlist/JWT authorization chain.
+func NewGatewayHandler(
+	secretsService vaulttypes.SecretsService,
+	connector gatewayConnector,
+	workflowRegistrySyncer workflowsyncerv2.WorkflowRegistrySyncer,
+	lggr logger.Logger,
+	limitsFactory limits.Factory,
+	authorizer Authorizer,
+	auth0 *Auth0Config,
+) (*GatewayHandler, error) {
+	var jwtAuthService services.Service
+	var jwtBasedAuth Authorizer
+	if auth0 != nil {
+		var err error
+		jwtAuthService, err = NewJWTBasedAuth(JWTBasedAuthConfig{
+			IssuerURL: auth0.IssuerURL,
+			Audience:  auth0.Audience,
+		}, limitsFactory, lggr)
 		if err != nil {
 			return nil, fmt.Errorf("failed to create JWTBasedAuth: %w", err)
 		}
-		cfg.authorizer = NewAuthorizer(allowListBasedAuth, jwtBasedAuth, lggr)
-		return newGatewayHandlerWithAuthorizer(secretsService, connector, cfg.authorizer, jwtBasedAuth, lggr)
+		jwtBasedAuth = jwtAuthService.(Authorizer)
+	}
+
+	if authorizer == nil {
+		allowListBasedAuth := NewAllowListBasedAuth(lggr, workflowRegistrySyncer)
+		authorizer = NewAuthorizer(allowListBasedAuth, jwtBasedAuth, lggr)
 	}
-	return newGatewayHandlerWithAuthorizer(secretsService, connector, cfg.authorizer, nil, lggr)
-}
 
-func newGatewayHandlerWithAuthorizer(secretsService vaulttypes.SecretsService, connector gatewayConnector, authorizer Authorizer, jwtAuthService services.Service, lggr logger.Logger) (*GatewayHandler, error) {
 	metrics, err := newMetrics()
 	if err != nil {
 		return nil, fmt.Errorf("failed to create metrics: %w", err)
@@ -227,6 +225,11 @@ func (h *GatewayHandler) authorizeAndPrefixRequest(ctx context.Context, req *jso
 		h.lggr.Errorw("failed to normalize gateway request for authorization", "method", req.Method, "requestID", originalRequestID, "error", err)
 		return nil, err
 	}
+	authReq, err := StripRequestIdentity(authReq)
+	if err != nil {
+		h.lggr.Errorw("failed to strip authorized identity fields before authorization", "method", req.Method, "requestID", originalRequestID, "error", err)
+		return nil, err
+	}
 
 	h.lggr.Debugw("authorizing gateway request", "method", req.Method, "requestID", originalRequestID)
 	authResult, err := h.authorizer.AuthorizeRequest(ctx, authReq)

core/capabilities/vault/gw_handler_test.go

@@ -121,6 +121,56 @@ func TestGatewayHandler_HandleGatewayMessage(t *testing.T) {
 			},
 			expectedError: false,
 		},
+		{
+			name: "success - create secrets strips forwarded identity before reauthorization",
+			setupMocks: func(ss *vaulttypesmocks.SecretsService, gc *connector_mocks.GatewayConnector, ra *vaultcapmocks.Authorizer) {
+				ra.EXPECT().AuthorizeRequest(mock.Anything, mock.MatchedBy(func(req jsonrpc.Request[json.RawMessage]) bool {
+					if req.Method != vaulttypes.MethodSecretsCreate || req.ID != "1" || req.Params == nil {
+						return false
+					}
+					parsed := &vaultcommon.CreateSecretsRequest{}
+					if err := json.Unmarshal(*req.Params, parsed); err != nil {
+						return false
+					}
+					return parsed.OrgId == "" && parsed.WorkflowOwner == ""
+				})).Return(authResult("org-1", "0xworkflow"), nil)
+				ss.EXPECT().CreateSecrets(mock.Anything, mock.MatchedBy(func(req *vaultcommon.CreateSecretsRequest) bool {
+					return len(req.EncryptedSecrets) == 1 &&
+						req.EncryptedSecrets[0].Id.Key == "test-secret" &&
+						req.EncryptedSecrets[0].Id.Owner == "org-1" &&
+						req.RequestId == "org-1"+vaulttypes.RequestIDSeparator+"1" &&
+						req.OrgId == "org-1" &&
+						req.WorkflowOwner == "0xworkflow"
+				})).Return(&vaulttypes.Response{ID: "test-secret"}, nil)
+
+				gc.On("SendToGateway", mock.Anything, "gateway-1", mock.MatchedBy(func(resp *jsonrpc.Response[json.RawMessage]) bool {
+					return resp.Error == nil
+				})).Return(nil)
+			},
+			request: &jsonrpc.Request[json.RawMessage]{
+				Method: vaulttypes.MethodSecretsCreate,
+				ID:     "org-1" + vaulttypes.RequestIDSeparator + "1",
+				Params: func() *json.RawMessage {
+					params, _ := json.Marshal(vaultcommon.CreateSecretsRequest{
+						RequestId:     "org-1" + vaulttypes.RequestIDSeparator + "1",
+						OrgId:         "org-1",
+						WorkflowOwner: "0xworkflow",
+						EncryptedSecrets: []*vaultcommon.EncryptedSecret{
+							{
+								Id: &vaultcommon.SecretIdentifier{
+									Key:   "test-secret",
+									Owner: "org-1",
+								},
+								EncryptedValue: "encrypted-value",
+							},
+						},
+					})
+					raw := json.RawMessage(params)
+					return &raw
+				}(),
+			},
+			expectedError: false,
+		},
 		{
 			name: "failure - service error",
 			setupMocks: func(ss *vaulttypesmocks.SecretsService, gc *connector_mocks.GatewayConnector, ra *vaultcapmocks.Authorizer) {
@@ -456,9 +506,6 @@ func TestGatewayHandler_HandleGatewayMessage(t *testing.T) {
 			secretsService := vaulttypesmocks.NewSecretsService(t)
 			gwConnector := connector_mocks.NewGatewayConnector(t)
 			allowListBasedAuth := vaultcapmocks.NewAuthorizer(t)
-			limitsFactory := limits.Factory{Settings: cresettings.DefaultGetter}
-			jwtBasedAuth, err := vaultcap.NewJWTBasedAuth(vaultcap.JWTBasedAuthConfig{}, limitsFactory, lggr, vaultcap.WithDisabledJWTBasedAuth())
-			require.NoError(t, err)
 
 			tt.setupMocks(secretsService, gwConnector, allowListBasedAuth)
 
@@ -467,8 +514,9 @@ func TestGatewayHandler_HandleGatewayMessage(t *testing.T) {
 				gwConnector,
 				nil,
 				lggr,
-				limitsFactory,
-				vaultcap.WithAuthorizer(vaultcap.NewAuthorizer(allowListBasedAuth, jwtBasedAuth, lggr)),
+				limits.Factory{Settings: cresettings.DefaultGetter},
+				vaultcap.NewAuthorizer(allowListBasedAuth, nil, lggr),
+				nil,
 			)
 			require.NoError(t, err)
 
@@ -490,17 +538,15 @@ func TestGatewayHandler_Lifecycle(t *testing.T) {
 	secretsService := vaulttypesmocks.NewSecretsService(t)
 	gwConnector := connector_mocks.NewGatewayConnector(t)
 	allowListBasedAuth := vaultcapmocks.NewAuthorizer(t)
-	limitsFactory := limits.Factory{Settings: cresettings.DefaultGetter}
-	jwtBasedAuth, err := vaultcap.NewJWTBasedAuth(vaultcap.JWTBasedAuthConfig{}, limitsFactory, lggr, vaultcap.WithDisabledJWTBasedAuth())
-	require.NoError(t, err)
 
 	handler, err := vaultcap.NewGatewayHandler(
 		secretsService,
 		gwConnector,
 		nil,
 		lggr,
-		limitsFactory,
-		vaultcap.WithAuthorizer(vaultcap.NewAuthorizer(allowListBasedAuth, jwtBasedAuth, lggr)),
+		limits.Factory{Settings: cresettings.DefaultGetter},
+		vaultcap.NewAuthorizer(allowListBasedAuth, nil, lggr),
+		nil,
 	)
 	require.NoError(t, err)
 
@@ -522,3 +568,28 @@ func TestGatewayHandler_Lifecycle(t *testing.T) {
 		assert.Equal(t, vaultcap.HandlerName, id)
 	})
 }
+
+func TestGatewayHandler_Lifecycle_DefaultAuthorizer_NoJWTConfig(t *testing.T) {
+	lggr := logger.TestLogger(t)
+	ctx := t.Context()
+
+	secretsService := vaulttypesmocks.NewSecretsService(t)
+	gwConnector := connector_mocks.NewGatewayConnector(t)
+
+	handler, err := vaultcap.NewGatewayHandler(
+		secretsService,
+		gwConnector,
+		nil,
+		lggr,
+		limits.Factory{Settings: cresettings.DefaultGetter},
+		nil,
+		nil,
+	)
+	require.NoError(t, err)
+
+	gwConnector.On("AddHandler", mock.Anything, vaulttypes.Methods, handler).Return(nil).Once()
+	require.NoError(t, handler.Start(ctx))
+
+	gwConnector.On("RemoveHandler", mock.Anything, vaulttypes.Methods).Return(nil).Once()
+	require.NoError(t, handler.Close())
+}