Stricter validations for centralized registry workflows#23013
Stricter validations for centralized registry workflows#23013prashantkumar1982 wants to merge 13 commits into
Conversation
|
I see you updated files related to
|
|
✅ No conflicts with other open PRs targeting |
|
| // defaultTenantID is the fallback tenant numeric id for the CRE environment when none | ||
| // is configured on the job spec. It matches defaultJWTAuthJobSpecTenantID in | ||
| // core/capabilities/vault and cre-platform-graphql's account service. | ||
| const defaultTenantID uint64 = 1 |
There was a problem hiding this comment.
I think we should be very careful when using defaults - if the tenant ID ever disappears from the job spec by mistake, DONs will start rejecting requests. I would rather enforce it in the job spec if that's a possibility.
There was a problem hiding this comment.
We're using the same pattern in other vault checks too, to default to a tenantID of 1 if not provided.
My thinking is if you fail to set it, things will break, and you then must set it correctly in the right job-specs.
I could also make this an explicit failure if tenantID wasn't set. But that can only be done after we first fix all job-specs and deploy them across all environments. Otherwise this change will start breaking rollouts immediately.
There was a problem hiding this comment.
But if things break, isn't it harder for you to fix an invalid tenant ID because you have to go through the process of job spec rollout for the entire DON and the resolution time depends on how quickly a NOP can accept the updated job spec?
I understand that you can't get rid of defaults immediately due to what you have described above, but just asking to consider the risks one more time (I'm unfamiliar with this codebase, so I can't tell you if this is a bad or a good idea, but I'll defer to @cedric-cordenier to weigh in).
There was a problem hiding this comment.
My idea was to set the right tenantID on all environments job-specs, and push them out.
Once set correctly, there's no reason to believe somebody will incorrectly reset them.
Here was the PR for it: https://github.com/smartcontractkit/chainlink-deployments/pull/16126
| // claim without on-chain proof and therefore require independent owner<->orgID | ||
| // verification before the workflow is admitted. | ||
| func isCentralizedWorkflowSource(source string) bool { | ||
| return strings.HasPrefix(source, "grpc:") || strings.HasPrefix(source, "file:") |
There was a problem hiding this comment.
Where does this source string come from?
There was a problem hiding this comment.
Here:
And that field is set here:
I will also ask @cedric-cordenier to confirm again, that this is the right authoritative place to read the source from, and isn't spoofable.
There was a problem hiding this comment.
Okay, I'm asking because I'm pretty sure that the workflow registry does not provide this field, so the workflow metadata must have been augmented during processing on the node side.
| if orgID == "" { | ||
| // Without an orgID we cannot derive the expected owner; the resolution failure | ||
| // was already logged by fetchOrganizationID. | ||
| h.lggr.Warnw("skipping centralized workflow owner/orgID verification: no organization ID resolved", |
There was a problem hiding this comment.
Are we sure we don't want to treat this as an error instead? What happens when you can't resolve an org, do you usually just proceed?
There was a problem hiding this comment.
Yes, in my understanding too, if we cannot fetch orgID, we should likely fail even running any workflow, not just this specific check.
Because we have other sub-components depending on the orgID to be set correctly.
But not sure why the code currently is set to only warn on missing orgID.
I didn't explicitly force that for this check, because it means all workflows will start failing without orgID, which currently isn't so.
@cedric-cordenier do you know if there's a harm in enforcing strict orgID presence?
There was a problem hiding this comment.
Atm we fail open, so I wouldn't start enforcing this as part of this PR
I think we /should/ aim to enforce it long-term though, but in my mind this would be part of the "reliable org resolver" work we talked about the other day (with the static mapping)
| } | ||
| derivedHex := hex.EncodeToString(derived) | ||
|
|
||
| if !strings.EqualFold(strings.TrimPrefix(strings.TrimSpace(ownerHex), "0x"), derivedHex) { |
There was a problem hiding this comment.
Recommended to use ToLower as well, in case one of the addresses turns out in checksum format, and the other one doesn't.
CORA - Pending ReviewersAll codeowners have approved! ✅ Legend: ✅ Approved | ❌ Changes Requested | 💬 Commented | 🚫 Dismissed | ⏳ Pending | ❓ Unknown For more details, see the full review summary. |
| configJSON := spec.StandardCapabilitiesSpec.Config | ||
| if d.workflowRegistrySyncer != nil { | ||
| if tenantID, ok := parseTenantID(configJSON); ok { | ||
| d.workflowRegistrySyncer.SetTenantID(tenantID) |
There was a problem hiding this comment.
:( This feels pretty wrong tbh -- what happens if multiple capabilities have different tenant IDs? Atm the last one ones and we're probably not guaranteed that it will consistently win
| // so the caller rejects the workflow (fail-closed). If the orgID cannot be resolved | ||
| // or the derivation fails, verification is skipped (returns nil) rather than blocking | ||
| // legitimate workflows on a transient Linking Service outage. | ||
| func (h *eventHandler) verifyCentralizedOwnerOrgMapping(source, ownerHex, orgID string) error { |
There was a problem hiding this comment.
Did you consider putting this logic in the GRPC contract source instead? Feels like that is the more natural place for it -- we should check that we can re-derive the owner from the org ID + tenant ID there
|




https://smartcontract-it.atlassian.net/browse/PRIV-588