
Stricter validations for centralized registry workflows#23013

Open
prashantkumar1982 wants to merge 10 commits into develop from fix/h1-centralized-workflow-owner-org-verification

Conversation


@prashantkumar1982 prashantkumar1982 commented Jul 1, 2026

Contributor


github-actions Bot commented Jul 1, 2026

Contributor

I see you updated files related to core. Please run make gocs in the root directory to add a changeset, and include at least one of the following tags in the text:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.


github-actions Bot commented Jul 1, 2026

Contributor

✅ No conflicts with other open PRs targeting develop


trunk-io Bot commented Jul 1, 2026


| Failed Test | Failure Summary | Logs |
|---|---|---|
| Test_CCIP_AptosMessageHasher_OnChainVerification | | Logs ↗︎ |
| Test_CCIP_TokenTransfer_BnM_Aptos2EVM | The test failed due to an error related to the Aptos node API port configuration or container setup. | Logs ↗︎ |
| Test_CCIP_TokenTransfer_BnM_Aptos2EVM | | Logs ↗︎ |
| Test_CCIP_RegulatedTokenTransfer_Aptos2EVM | The test failed because the Aptos node API was not accessible on the expected port 8080, preventing the test from proceeding. | Logs ↗︎ |

... and 16 more


@prashantkumar1982 prashantkumar1982 marked this pull request as ready for review July 2, 2026 23:24
@prashantkumar1982 prashantkumar1982 requested review from a team as code owners July 2, 2026 23:24
// defaultTenantID is the fallback tenant numeric id for the CRE environment when none
// is configured on the job spec. It matches defaultJWTAuthJobSpecTenantID in
// core/capabilities/vault and cre-platform-graphql's account service.
const defaultTenantID uint64 = 1
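Review bot: the literal `1` on the `const defaultTenantID uint64 = 1` line duplicates a value the comment says already exists as `defaultJWTAuthJobSpecTenantID` in core/capabilities/vault; if that constant can be imported (or moved to a shared package), reference it instead so the two cannot drift apart silently. Independently of that, the code path that applies this fallback should log at Warn level with the job spec identifier whenever it is taken, so a job spec that has lost its tenant ID is visible in operator logs rather than only through rejected requests.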

Contributor


I think we should be very careful when using defaults - if the tenant ID ever disappears from the job spec by mistake, DONs will start rejecting requests. I would rather enforce it in the job spec if that's a possibility.

Contributor Author


We're using the same pattern in other vault checks too, to default to a tenantID of 1 if not provided.
My thinking is if you fail to set it, things will break, and you then must set it correctly in the right job-specs.

I could also make this an explicit failure if tenantID wasn't set. But that can only be done after we first fix all job-specs and deploy them across all environments. Otherwise this change will start breaking rollouts immediately.

// claim without on-chain proof and therefore require independent owner<->orgID
// verification before the workflow is admitted.
func isCentralizedWorkflowSource(source string) bool {
return strings.HasPrefix(source, "grpc:") || strings.HasPrefix(source, "file:")
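Review bot: `isCentralizedWorkflowSource` is an allow-list of exactly two prefixes, so any source scheme introduced later, or a differently cased or padded value such as `GRPC:` or ` grpc:`, is classified as non-centralized and skips the owner/orgID verification the comment above says such sources require. Consider inverting the check so that only sources carrying on-chain proof are exempt from verification (fail closed for unknown schemes), or at minimum normalise with `strings.ToLower(strings.TrimSpace(source))` before the prefix match and document in the doc comment which scheme values are expected and where they are set.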

Contributor


Where does this source string come from?

Contributor Author


Here:

Source string // source that provided this workflow metadata

And that field is set here:

I will also ask @cedric-cordenier to confirm again, that this is the right authoritative place to read the source from, and isn't spoofable.

if orgID == "" {
// Without an orgID we cannot derive the expected owner; the resolution failure
// was already logged by fetchOrganizationID.
h.lggr.Warnw("skipping centralized workflow owner/orgID verification: no organization ID resolved",
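Review bot: an empty `orgID` turns this security check into a logged skip, i.e. the verification fails open. If that is the intended interim behaviour, it should be stated explicitly in the function's doc comment rather than only in the inline comment, and the `Warnw` call should carry the workflow owner and source fields so a skipped verification can be attributed and alerted on; if the decision to fail closed is deferred only because job specs are not yet fixed everywhere, a config flag that switches the skip into a hard error would let environments opt in without another code change.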

Contributor


Are we sure we don't want to treat this as an error instead? What happens when you can't resolve an org, do you usually just proceed?

Contributor Author


Yes, in my understanding too, if we cannot fetch orgID, we should likely fail even running any workflow, not just this specific check.
Because we have other sub-components depending on the orgID to be set correctly.
But not sure why the code currently is set to only warn on missing orgID.

I didn't explicitly force that for this check, because it means all workflows will start failing without orgID, which currently isn't so.

@cedric-cordenier do you know if there's a harm in enforcing strict orgID presence?

}
derivedHex := hex.EncodeToString(derived)

if !strings.EqualFold(strings.TrimPrefix(strings.TrimSpace(ownerHex), "0x"), derivedHex) {
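Review bot: `strings.EqualFold` already performs a case-insensitive comparison, so wrapping either operand in `ToLower` adds nothing. The remaining gaps on this line are that `strings.TrimPrefix(..., "0x")` does not strip a `0X` prefix, and that comparing hex strings accepts an `ownerHex` that is not valid hex or is a different length from `derived`. Decode `ownerHex` with `hex.DecodeString` after stripping the prefix case-insensitively, reject a decode error or a length mismatch, and compare the resulting bytes with `bytes.Equal` against `derived` instead of comparing encoded strings.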

Contributor


Recommended to use ToLower as well, in case one of the addresses turns out in checksum format, and the other one doesn't.

Contributor Author


done

@prashantkumar1982 prashantkumar1982 requested a review from a team as a code owner July 3, 2026 21:04
