vault: normalize forwarded request IDs before node auth

Author: prashantkumar1982

core/capabilities/vault/gw_handler.go

@@ -177,6 +177,10 @@ func (h *GatewayHandler) authorizeAndPrefixRequest(ctx context.Context, req *jso
 
 	authReq := *req
 	authReq.ID = originalRequestID
+	if err := stripPrefixedRequestIDFromParams(&authReq, originalRequestID); err != nil {
+		h.lggr.Errorw("failed to normalize gateway request for authorization", "method", req.Method, "requestID", originalRequestID, "error", err)
+		return "", err
+	}
 
 	h.lggr.Debugw("authorizing gateway request", "method", req.Method, "requestID", originalRequestID)
 	isAuthorized, owner, err := h.requestAuthorizer.AuthorizeRequest(ctx, authReq)
@@ -196,6 +200,55 @@ func (h *GatewayHandler) authorizeAndPrefixRequest(ctx context.Context, req *jso
 	return owner, nil
 }
 
+func stripPrefixedRequestIDFromParams(req *jsonrpc.Request[json.RawMessage], originalRequestID string) error {
+	if req.Params == nil {
+		return nil
+	}
+
+	switch req.Method {
+	case vaulttypes.MethodSecretsCreate:
+		parsed := vaultcommon.CreateSecretsRequest{}
+		if err := json.Unmarshal(*req.Params, &parsed); err != nil {
+			return err
+		}
+		parsed.RequestId = originalRequestID
+		return rewriteRequestParams(req, parsed)
+	case vaulttypes.MethodSecretsUpdate:
+		parsed := vaultcommon.UpdateSecretsRequest{}
+		if err := json.Unmarshal(*req.Params, &parsed); err != nil {
+			return err
+		}
+		parsed.RequestId = originalRequestID
+		return rewriteRequestParams(req, parsed)
+	case vaulttypes.MethodSecretsDelete:
+		parsed := vaultcommon.DeleteSecretsRequest{}
+		if err := json.Unmarshal(*req.Params, &parsed); err != nil {
+			return err
+		}
+		parsed.RequestId = originalRequestID
+		return rewriteRequestParams(req, parsed)
+	case vaulttypes.MethodSecretsList:
+		parsed := vaultcommon.ListSecretIdentifiersRequest{}
+		if err := json.Unmarshal(*req.Params, &parsed); err != nil {
+			return err
+		}
+		parsed.RequestId = originalRequestID
+		return rewriteRequestParams(req, parsed)
+	default:
+		return nil
+	}
+}
+
+func rewriteRequestParams(req *jsonrpc.Request[json.RawMessage], payload any) error {
+	params, err := json.Marshal(payload)
+	if err != nil {
+		return err
+	}
+	raw := json.RawMessage(params)
+	req.Params = &raw
+	return nil
+}
+
 func (h *GatewayHandler) handleSecretsCreate(ctx context.Context, gatewayID string, req *jsonrpc.Request[json.RawMessage], owner string) *jsonrpc.Response[json.RawMessage] {
 	vaultCapRequest := vaultcommon.CreateSecretsRequest{}
 	if err := json.Unmarshal(*req.Params, &vaultCapRequest); err != nil {

core/capabilities/vault/gw_handler_test.go

@@ -119,10 +119,9 @@ func TestGatewayHandler_HandleGatewayMessage(t *testing.T) {
 		{
 			name: "failure - invalid request params",
 			setupMocks: func(ss *vaulttypesmocks.SecretsService, gc *connector_mocks.GatewayConnector, ra *vaultcapmocks.RequestAuthorizer) {
-				ra.EXPECT().AuthorizeRequest(mock.Anything, mock.Anything).Return(true, "0xabc", nil)
 				gc.On("SendToGateway", mock.Anything, "gateway-1", mock.MatchedBy(func(resp *jsonrpc.Response[json.RawMessage]) bool {
 					return resp.Error != nil &&
-						resp.Error.Code == api.ToJSONRPCErrorCode(api.UserMessageParseError)
+						resp.Error.Code == api.ToJSONRPCErrorCode(api.FatalError)
 				})).Return(nil)
 			},
 			request: &jsonrpc.Request[json.RawMessage]{
@@ -204,6 +203,54 @@ func TestGatewayHandler_HandleGatewayMessage(t *testing.T) {
 			},
 			expectedError: false,
 		},
+		{
+			name: "success - strips owner prefix from forwarded request before authorization",
+			setupMocks: func(ss *vaulttypesmocks.SecretsService, gc *connector_mocks.GatewayConnector, ra *vaultcapmocks.RequestAuthorizer) {
+				ra.EXPECT().AuthorizeRequest(mock.Anything, mock.MatchedBy(func(req jsonrpc.Request[json.RawMessage]) bool {
+					if req.Method != vaulttypes.MethodSecretsCreate || req.ID != "1" || req.Params == nil {
+						return false
+					}
+
+					var parsed vaultcommon.CreateSecretsRequest
+					if err := json.Unmarshal(*req.Params, &parsed); err != nil {
+						return false
+					}
+
+					return parsed.RequestId == "1" &&
+						len(parsed.EncryptedSecrets) == 1 &&
+						parsed.EncryptedSecrets[0].Id != nil &&
+						parsed.EncryptedSecrets[0].Id.Owner == "0xAbC"
+				})).Return(true, "0xabc", nil)
+				ss.EXPECT().CreateSecrets(mock.Anything, mock.MatchedBy(func(req *vaultcommon.CreateSecretsRequest) bool {
+					return req.RequestId == "0xabc"+vaulttypes.RequestIDSeparator+"1"
+				})).Return(&vaulttypes.Response{ID: "test-secret"}, nil)
+
+				gc.On("SendToGateway", mock.Anything, "gateway-1", mock.MatchedBy(func(resp *jsonrpc.Response[json.RawMessage]) bool {
+					return resp.Error == nil
+				})).Return(nil)
+			},
+			request: &jsonrpc.Request[json.RawMessage]{
+				Method: vaulttypes.MethodSecretsCreate,
+				ID:     "0xAbC" + vaulttypes.RequestIDSeparator + "1",
+				Params: func() *json.RawMessage {
+					params, _ := json.Marshal(vaultcommon.CreateSecretsRequest{
+						RequestId: "0xAbC" + vaulttypes.RequestIDSeparator + "1",
+						EncryptedSecrets: []*vaultcommon.EncryptedSecret{
+							{
+								Id: &vaultcommon.SecretIdentifier{
+									Key:   "test-secret",
+									Owner: "0xAbC",
+								},
+								EncryptedValue: "encrypted-value",
+							},
+						},
+					})
+					raw := json.RawMessage(params)
+					return &raw
+				}(),
+			},
+			expectedError: false,
+		},
 		{
 			name: "failure - owner mismatch against authorized owner",
 			setupMocks: func(ss *vaulttypesmocks.SecretsService, gc *connector_mocks.GatewayConnector, ra *vaultcapmocks.RequestAuthorizer) {