[codex] Fix Vault JWT topology and owner responses

Author: prashantkumar1982

.github/workflows/cre-system-tests.yaml

@@ -86,6 +86,9 @@ jobs:
 
           # Add list of tests with certain topologies
           PER_TEST_TOPOLOGIES_JSON=${PER_TEST_TOPOLOGIES_JSON:-'{
+            "Test_CRE_V2_Suite_Bucket_B": [
+               {"topology":"workflow-gateway-capabilities-vault-flags-enabled","configs":"configs/workflow-gateway-capabilities-don-vault-flags-enabled.toml"}
+             ],
             "Test_CRE_V2_Aptos_Suite": [
                {"topology":"workflow-gateway-aptos","configs":"configs/workflow-gateway-don-aptos.toml"}
              ],

core/services/ocr2/plugins/vault/plugin.go

@@ -390,6 +390,18 @@ func (r *ReportingPlugin) orgIDAsSecretOwnerEnabled(ctx context.Context) bool {
 	return r.cfg.OrgIDAsSecretOwnerEnabled.AllowErr(ctx) == nil
 }
 
+func (r *ReportingPlugin) canonicalResponseID(ctx context.Context, id *vaultcommon.SecretIdentifier, orgID string) *vaultcommon.SecretIdentifier {
+	if id == nil || orgID == "" || !r.orgIDAsSecretOwnerEnabled(ctx) {
+		return id
+	}
+
+	return &vaultcommon.SecretIdentifier{
+		Key:       id.Key,
+		Namespace: id.Namespace,
+		Owner:     orgID,
+	}
+}
+
 type pendingQueueStore interface {
 	WritePendingQueue(ctx context.Context, pending []*vaultcommon.StoredPendingQueueItem) error
 }
@@ -1911,7 +1923,7 @@ func (r *ReportingPlugin) stateTransitionCreateSecrets(ctx context.Context, stor
 			})
 			continue
 		}
-		resp, err := r.stateTransitionCreateSecretsRequest(ctx, store, req, resp)
+		resp, err := r.stateTransitionCreateSecretsRequest(ctx, store, req, resp, first.GetCreateSecretsRequest().OrgId)
 		if err != nil {
 			logUserErrorAware(r.lggr, "failed to handle create secret request", err, "id", req.Id, "requestID", reqID)
 			errorMsg := userFacingError(err, "failed to handle create secret request")
@@ -1933,7 +1945,7 @@ func (r *ReportingPlugin) stateTransitionCreateSecrets(ctx context.Context, stor
 	}
 }
 
-func (r *ReportingPlugin) stateTransitionCreateSecretsRequest(ctx context.Context, store WriteKVStore, req *vaultcommon.EncryptedSecret, resp *vaultcommon.CreateSecretResponse) (*vaultcommon.CreateSecretResponse, error) {
+func (r *ReportingPlugin) stateTransitionCreateSecretsRequest(ctx context.Context, store WriteKVStore, req *vaultcommon.EncryptedSecret, resp *vaultcommon.CreateSecretResponse, orgID string) (*vaultcommon.CreateSecretResponse, error) {
 	if resp.GetError() != "" {
 		return resp, newUserError(resp.GetError())
 	}
@@ -1974,7 +1986,7 @@ func (r *ReportingPlugin) stateTransitionCreateSecretsRequest(ctx context.Contex
 	}
 
 	return &vaultcommon.CreateSecretResponse{
-		Id:      req.Id,
+		Id:      r.canonicalResponseID(ctx, req.Id, orgID),
 		Success: true,
 		Error:   "",
 	}, nil
@@ -2029,7 +2041,7 @@ func (r *ReportingPlugin) stateTransitionUpdateSecrets(ctx context.Context, stor
 			})
 			continue
 		}
-		resp, err := r.stateTransitionUpdateSecretsRequest(ctx, store, req, resp)
+		resp, err := r.stateTransitionUpdateSecretsRequest(ctx, store, req, resp, first.GetUpdateSecretsRequest().OrgId)
 		if err != nil {
 			logUserErrorAware(r.lggr, "failed to handle update secret request", err, "id", req.Id, "requestID", reqID)
 			errorMsg := userFacingError(err, "failed to handle update secret request")
@@ -2051,7 +2063,7 @@ func (r *ReportingPlugin) stateTransitionUpdateSecrets(ctx context.Context, stor
 	}
 }
 
-func (r *ReportingPlugin) stateTransitionUpdateSecretsRequest(ctx context.Context, store WriteKVStore, req *vaultcommon.EncryptedSecret, resp *vaultcommon.UpdateSecretResponse) (*vaultcommon.UpdateSecretResponse, error) {
+func (r *ReportingPlugin) stateTransitionUpdateSecretsRequest(ctx context.Context, store WriteKVStore, req *vaultcommon.EncryptedSecret, resp *vaultcommon.UpdateSecretResponse, orgID string) (*vaultcommon.UpdateSecretResponse, error) {
 	if resp.GetError() != "" {
 		return resp, newUserError(resp.GetError())
 	}
@@ -2078,7 +2090,7 @@ func (r *ReportingPlugin) stateTransitionUpdateSecretsRequest(ctx context.Contex
 	}
 
 	return &vaultcommon.UpdateSecretResponse{
-		Id:      req.Id,
+		Id:      r.canonicalResponseID(ctx, req.Id, orgID),
 		Success: true,
 		Error:   "",
 	}, nil
@@ -2133,7 +2145,7 @@ func (r *ReportingPlugin) stateTransitionDeleteSecrets(ctx context.Context, stor
 			})
 			continue
 		}
-		resp, err := r.stateTransitionDeleteSecretsRequest(ctx, store, req, resp)
+		resp, err := r.stateTransitionDeleteSecretsRequest(ctx, store, req, resp, first.GetDeleteSecretsRequest().OrgId)
 		if err != nil {
 			logUserErrorAware(r.lggr, "failed to handle delete secret request", err, "id", id, "requestId", reqID)
 			errorMsg := userFacingError(err, "failed to handle delete secret request")
@@ -2155,7 +2167,7 @@ func (r *ReportingPlugin) stateTransitionDeleteSecrets(ctx context.Context, stor
 	}
 }
 
-func (r *ReportingPlugin) stateTransitionDeleteSecretsRequest(ctx context.Context, store WriteKVStore, id *vaultcommon.SecretIdentifier, resp *vaultcommon.DeleteSecretResponse) (*vaultcommon.DeleteSecretResponse, error) {
+func (r *ReportingPlugin) stateTransitionDeleteSecretsRequest(ctx context.Context, store WriteKVStore, id *vaultcommon.SecretIdentifier, resp *vaultcommon.DeleteSecretResponse, orgID string) (*vaultcommon.DeleteSecretResponse, error) {
 	if resp.GetError() != "" {
 		return resp, newUserError(resp.GetError())
 	}
@@ -2166,7 +2178,7 @@ func (r *ReportingPlugin) stateTransitionDeleteSecretsRequest(ctx context.Contex
 	}
 
 	return &vaultcommon.DeleteSecretResponse{
-		Id:      id,
+		Id:      r.canonicalResponseID(ctx, id, orgID),
 		Success: true,
 		Error:   "",
 	}, nil

core/services/ocr2/plugins/vault/plugin_test.go

@@ -3723,6 +3723,114 @@ func TestPlugin_StateTransition_CreateSecretsRequest_UsesWorkflowOwnerMetadataWh
 	assert.Nil(t, ss)
 }
 
+func TestPlugin_StateTransition_CreateSecretsRequest_RewritesResponseOwnerToOrgIDWhenGateEnabled(t *testing.T) {
+	lggr, observed := logger.TestLoggerObserved(t, zapcore.DebugLevel)
+	store := requests.NewStore[*vaulttypes.Request]()
+	_, pk, shares, err := tdh2easy.GenerateKeys(1, 3)
+	require.NoError(t, err)
+	cfg := makeReportingPluginConfig(
+		t,
+		10,
+		pk,
+		shares[0],
+		5,
+		1024,
+		100,
+		100,
+		100,
+		10,
+	)
+	cfg.OrgIDAsSecretOwnerEnabled = limits.NewGateLimiter(true)
+	r := &ReportingPlugin{
+		lggr: lggr,
+		onchainCfg: ocr3types.ReportingPluginConfig{
+			N: 4,
+			F: 1,
+		},
+		store:   store,
+		metrics: newTestMetrics(t),
+		cfg:     cfg,
+	}
+
+	const (
+		orgID         = "org-create-success"
+		workflowOwner = "0x5555555555555555555555555555555555555555"
+	)
+
+	requestID := &vaultcommon.SecretIdentifier{
+		Owner:     workflowOwner,
+		Namespace: "main",
+		Key:       "secret",
+	}
+	canonicalID := &vaultcommon.SecretIdentifier{
+		Owner:     orgID,
+		Namespace: "main",
+		Key:       "secret",
+	}
+
+	value := []byte("encrypted-value")
+	req := &vaultcommon.CreateSecretsRequest{
+		RequestId: "request-id",
+		EncryptedSecrets: []*vaultcommon.EncryptedSecret{
+			{
+				Id:             requestID,
+				EncryptedValue: hex.EncodeToString(value),
+			},
+		},
+		OrgId:         orgID,
+		WorkflowOwner: workflowOwner,
+	}
+	resp := &vaultcommon.CreateSecretsResponse{
+		Responses: []*vaultcommon.CreateSecretResponse{
+			{
+				Id:      requestID,
+				Success: false,
+				Error:   "",
+			},
+		},
+	}
+
+	kv := &kv{m: make(map[string]response)}
+	rs := newTestReadStore(t, kv)
+	obsb := marshalObservations(t, observation{requestID, req, resp})
+	reportPrecursor, err := r.StateTransition(
+		t.Context(),
+		1,
+		types.AttributedQuery{},
+		[]types.AttributedObservation{
+			{Observer: 0, Observation: types.Observation(obsb)},
+			{Observer: 1, Observation: types.Observation(obsb)},
+			{Observer: 2, Observation: types.Observation(obsb)},
+		},
+		kv,
+		nil,
+	)
+	require.NoError(t, err)
+
+	os := &vaultcommon.Outcomes{}
+	require.NoError(t, proto.Unmarshal(reportPrecursor, os))
+	require.Len(t, os.Outcomes, 1)
+
+	o := os.Outcomes[0]
+	assert.True(t, proto.Equal(req, o.GetCreateSecretsRequest()))
+	expectedResp := &vaultcommon.CreateSecretsResponse{
+		Responses: []*vaultcommon.CreateSecretResponse{
+			{
+				Id:      canonicalID,
+				Success: true,
+				Error:   "",
+			},
+		},
+	}
+	assert.True(t, proto.Equal(expectedResp, o.GetCreateSecretsResponse()), o.GetCreateSecretsResponse())
+
+	ss, err := rs.GetSecret(t.Context(), canonicalID)
+	require.NoError(t, err)
+	assert.Equal(t, []byte("encrypted-value"), ss.EncryptedSecret)
+
+	assert.Equal(t, 1, observed.FilterMessage("sufficient observations for sha").Len())
+}
+
 func TestPlugin_Reports(t *testing.T) {
 	value := "encrypted-value"
 	id := &vaultcommon.SecretIdentifier{
@@ -4533,7 +4641,7 @@ func TestPlugin_StateTransition_UpdateSecretsRequest_MigratesWorkflowOwnerSecret
 		RequestId: "request-id",
 		EncryptedSecrets: []*vaultcommon.EncryptedSecret{
 			{
-				Id:             id,
+				Id:             legacyID,
 				EncryptedValue: hex.EncodeToString([]byte("encrypted-value")),
 			},
 		},
@@ -4543,14 +4651,14 @@ func TestPlugin_StateTransition_UpdateSecretsRequest_MigratesWorkflowOwnerSecret
 	resp := &vaultcommon.UpdateSecretsResponse{
 		Responses: []*vaultcommon.UpdateSecretResponse{
 			{
-				Id:      id,
+				Id:      legacyID,
 				Success: false,
 				Error:   "",
 			},
 		},
 	}
 
-	obsb := marshalObservations(t, observation{id, req, resp})
+	obsb := marshalObservations(t, observation{legacyID, req, resp})
 	reportPrecursor, err := r.StateTransition(
 		t.Context(),
 		1,
@@ -4573,6 +4681,7 @@ func TestPlugin_StateTransition_UpdateSecretsRequest_MigratesWorkflowOwnerSecret
 	assert.True(t, proto.Equal(req, o.GetUpdateSecretsRequest()), o.GetUpdateSecretsRequest())
 	require.Len(t, o.GetUpdateSecretsResponse().Responses, 1)
 	assert.True(t, o.GetUpdateSecretsResponse().Responses[0].Success)
+	assert.Equal(t, orgID, o.GetUpdateSecretsResponse().Responses[0].Id.Owner)
 
 	ss, err := rs.GetSecret(t.Context(), id)
 	require.NoError(t, err)
@@ -5059,21 +5168,21 @@ func TestPlugin_StateTransition_DeleteSecretsRequest_DeletesWorkflowOwnerSecretW
 	}
 	req := &vaultcommon.DeleteSecretsRequest{
 		RequestId:     "request-id",
-		Ids:           []*vaultcommon.SecretIdentifier{id},
+		Ids:           []*vaultcommon.SecretIdentifier{legacyID},
 		OrgId:         orgID,
 		WorkflowOwner: workflowOwner,
 	}
 	resp := &vaultcommon.DeleteSecretsResponse{
 		Responses: []*vaultcommon.DeleteSecretResponse{
 			{
-				Id:      id,
+				Id:      legacyID,
 				Success: false,
 				Error:   "",
 			},
 		},
 	}
 
-	obsb := marshalObservations(t, observation{id, req, resp})
+	obsb := marshalObservations(t, observation{legacyID, req, resp})
 	reportPrecursor, err := r.StateTransition(
 		t.Context(),
 		1,
@@ -5096,6 +5205,7 @@ func TestPlugin_StateTransition_DeleteSecretsRequest_DeletesWorkflowOwnerSecretW
 	assert.True(t, proto.Equal(req, o.GetDeleteSecretsRequest()), o.GetDeleteSecretsRequest())
 	require.Len(t, o.GetDeleteSecretsResponse().Responses, 1)
 	assert.True(t, o.GetDeleteSecretsResponse().Responses[0].Success)
+	assert.True(t, proto.Equal(id, o.GetDeleteSecretsResponse().Responses[0].Id), o.GetDeleteSecretsResponse().Responses[0].Id)
 
 	ss, err := rs.GetSecret(t.Context(), legacyID)
 	require.NoError(t, err)

system-tests/lib/cre/environment/config/config.go

@@ -174,6 +174,8 @@ func (c *Config) Load(absPath string) error {
 		return errors.Wrap(loadErr, "failed to load environment configuration")
 	}
 
+	transformHostDockerInternalReferences(in)
+
 	for _, nodeSet := range in.NodeSets {
 		if err := nodeSet.ValidateChainCapabilities(in.Blockchains); err != nil {
 			return errors.Wrap(err, "failed to validate chain capabilities")
@@ -186,6 +188,78 @@ func (c *Config) Load(absPath string) error {
 	return nil
 }
 
+func transformHostDockerInternalReferences(cfg *Config) {
+	if cfg == nil {
+		return
+	}
+
+	for _, nodeSet := range cfg.NodeSets {
+		if nodeSet == nil {
+			continue
+		}
+
+		for _, nodeSpec := range nodeSet.NodeSpecs {
+			if nodeSpec == nil || nodeSpec.Node == nil || nodeSpec.Node.UserConfigOverrides == "" {
+				continue
+			}
+			nodeSpec.Node.UserConfigOverrides = replaceHostDockerInternal(nodeSpec.Node.UserConfigOverrides)
+		}
+
+		transformCapabilityConfigs(nodeSet.CapabilityConfigs)
+	}
+
+	transformCapabilityConfigs(cfg.CapabilityConfigs)
+}
+
+func transformCapabilityConfigs(capabilityConfigs map[string]cre.CapabilityConfig) {
+	if len(capabilityConfigs) == 0 {
+		return
+	}
+
+	for key, cfg := range capabilityConfigs {
+		cfg.Values = transformCapabilityConfigValues(cfg.Values)
+		capabilityConfigs[key] = cfg
+	}
+}
+
+func transformCapabilityConfigValues(values map[string]any) map[string]any {
+	if len(values) == 0 {
+		return values
+	}
+
+	transformed := make(map[string]any, len(values))
+	for key, value := range values {
+		transformed[key] = transformCapabilityConfigValue(value)
+	}
+
+	return transformed
+}
+
+func transformCapabilityConfigValue(value any) any {
+	switch typed := value.(type) {
+	case string:
+		return replaceHostDockerInternal(typed)
+	case map[string]any:
+		return transformCapabilityConfigValues(typed)
+	case []any:
+		transformed := make([]any, len(typed))
+		for i, element := range typed {
+			transformed[i] = transformCapabilityConfigValue(element)
+		}
+		return transformed
+	default:
+		return value
+	}
+}
+
+func replaceHostDockerInternal(value string) string {
+	if value == "" {
+		return value
+	}
+
+	return strings.ReplaceAll(value, "host.docker.internal", strings.TrimPrefix(framework.HostDockerInternal(), "http://"))
+}
+
 const (
 	StateDirname          = "core/scripts/cre/environment/state"
 	LocalCREStateFilename = "local_cre.toml"