feat(vault): restrict zone-b workflow DON GetSecrets to allowlisted owners#23145
feat(vault): restrict zone-b workflow DON GetSecrets to allowlisted owners#23145prashantkumar1982 wants to merge 7 commits into
Conversation
…wners Block GetSecrets reads originating from a zone-b workflow DON unless the calling workflow owner is allowlisted. Enforced in Capability.Execute before the OCR queue, so non-allowlisted owners get a deterministic rejection and zone-a / gateway paths are unaffected. - zoneBRestrictor (new file) owns the two gate limiters and the check; zone membership is resolved authoritatively via CapabilitiesRegistry.DONByID on the caller's WorkflowDonID, never from caller-supplied zone data. - Implement DONByID on LocalRegistry and delegate through the concrete Registry. - Fails closed if the caller DON cannot be resolved. Note: trusting WorkflowDonID assumes the transport binds it to the authenticated caller DON; see follow-up transport-layer binding change. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
👋 prashantkumar1982, thanks for creating this pull request! To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team. Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks! |
|
✅ No conflicts with other open PRs targeting |
|
I see you updated files related to
|
CORA - Pending Reviewers
Legend: ✅ Approved | ❌ Changes Requested | 💬 Commented | 🚫 Dismissed | ⏳ Pending | ❓ Unknown For more details, see the full review summary. |
… into vault-zone-b-restriction
|
|
/vault-audit |
|
❌ Vault audit failed to run for |
|
/vault-audit model=haiku |
|
✅ Vault audit complete for 📋 View the full report and findings — private tracking issue, visible to chainlink team members only. Resolve blocking findings there with |
|
/vault-audit |
|
📋 View the full report and findings — private tracking issue, visible to chainlink team members only. Resolve blocking findings there with |




What
Block
GetSecretsreads originating from a zone-b workflow DON unless the calling workflow owner is allowlisted. Enforced inCapability.Executebefore the OCR queue, so non-allowlisted owners get a deterministic rejection and zone-a / gateway paths are unaffected.zoneBRestrictor(own file) owns the two gate limiters and the check.CapabilitiesRegistry.DONByIDon the caller'sWorkflowDonIDand itsFamilies— never from caller-supplied zone data. FragileDON.Namematching is not used.DONByIDimplemented onLocalRegistryand delegated through the concreteRegistry.Gated by
VaultZoneBWorkflowGetSecretsRestrictEnabled(global, default off); allowlist via owner-scopedPerOwner.VaultZoneBGetSecretsAllowed.Dependencies
DONByID+ the cresettings gates). CI will fail until that merges and thechainlink-commonversion is bumped here (local dev used areplacedirective, intentionally not committed).Security note
Trusting
WorkflowDonIDassumes the transport binds it to the authenticated caller DON. A colluding zone-b DON could otherwise spoof it. The complementary transport-layer binding is a separate change (chainlink-common#2257 + the corresponding chainlink PR) and should be enabled in the same rollout.https://smartcontract-it.atlassian.net/browse/PRIV-593