Skip to content

feat(vault): restrict zone-b workflow DON GetSecrets to allowlisted owners#23145

Open
prashantkumar1982 wants to merge 7 commits into
developfrom
vault-zone-b-restriction
Open

feat(vault): restrict zone-b workflow DON GetSecrets to allowlisted owners#23145
prashantkumar1982 wants to merge 7 commits into
developfrom
vault-zone-b-restriction

Conversation

@prashantkumar1982

@prashantkumar1982 prashantkumar1982 commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

What

Block GetSecrets reads originating from a zone-b workflow DON unless the calling workflow owner is allowlisted. Enforced in Capability.Execute before the OCR queue, so non-allowlisted owners get a deterministic rejection and zone-a / gateway paths are unaffected.

  • New zoneBRestrictor (own file) owns the two gate limiters and the check.
  • Zone membership is resolved authoritatively via CapabilitiesRegistry.DONByID on the caller's WorkflowDonID and its Families — never from caller-supplied zone data. Fragile DON.Name matching is not used.
  • DONByID implemented on LocalRegistry and delegated through the concrete Registry.
  • Fails closed if the caller DON cannot be resolved.

Gated by VaultZoneBWorkflowGetSecretsRestrictEnabled (global, default off); allowlist via owner-scoped PerOwner.VaultZoneBGetSecretsAllowed.

Dependencies

Security note

Trusting WorkflowDonID assumes the transport binds it to the authenticated caller DON. A colluding zone-b DON could otherwise spoof it. The complementary transport-layer binding is a separate change (chainlink-common#2257 + the corresponding chainlink PR) and should be enabled in the same rollout.

https://smartcontract-it.atlassian.net/browse/PRIV-593

…wners

Block GetSecrets reads originating from a zone-b workflow DON unless the calling
workflow owner is allowlisted. Enforced in Capability.Execute before the OCR
queue, so non-allowlisted owners get a deterministic rejection and zone-a /
gateway paths are unaffected.

- zoneBRestrictor (new file) owns the two gate limiters and the check; zone
  membership is resolved authoritatively via CapabilitiesRegistry.DONByID on the
  caller's WorkflowDonID, never from caller-supplied zone data.
- Implement DONByID on LocalRegistry and delegate through the concrete Registry.
- Fails closed if the caller DON cannot be resolved.

Note: trusting WorkflowDonID assumes the transport binds it to the authenticated
caller DON; see follow-up transport-layer binding change.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@github-actions

Copy link
Copy Markdown
Contributor

👋 prashantkumar1982, thanks for creating this pull request!

To help reviewers, please consider creating future PRs as drafts first. This allows you to self-review and make any final changes before notifying the team.

Once you're ready, you can mark it as "Ready for review" to request feedback. Thanks!

@github-actions

Copy link
Copy Markdown
Contributor

✅ No conflicts with other open PRs targeting develop

@prashantkumar1982
prashantkumar1982 marked this pull request as draft July 16, 2026 02:47
@github-actions

Copy link
Copy Markdown
Contributor

I see you updated files related to core. Please run make gocs in the root directory to add a changeset as well as in the text include at least one of the following tags:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

@trunk-io

trunk-io Bot commented Jul 16, 2026

Copy link
Copy Markdown

Static BadgeStatic BadgeStatic BadgeStatic Badge

View Full Report ↗︎Docs

@github-actions

github-actions Bot commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

CORA - Pending Reviewers

Codeowners Entry Overall Num Files Owners
/core/capabilities/ 4 @smartcontractkit/keystone, @smartcontractkit/capabilities-team
/core/services/registrysyncer/ 2 @smartcontractkit/keystone
/core/services/workflows/ 1 @smartcontractkit/keystone
go.mod 6 @smartcontractkit/core, @smartcontractkit/foundations
go.sum 6 @smartcontractkit/core, @smartcontractkit/foundations
integration-tests/go.mod 1 @smartcontractkit/core, @smartcontractkit/devex-tooling, @smartcontractkit/foundations
integration-tests/go.sum 1 @smartcontractkit/core, @smartcontractkit/devex-tooling, @smartcontractkit/foundations

Legend: ✅ Approved | ❌ Changes Requested | 💬 Commented | 🚫 Dismissed | ⏳ Pending | ❓ Unknown

For more details, see the full review summary.

@prashantkumar1982
prashantkumar1982 marked this pull request as ready for review July 16, 2026 06:08
@prashantkumar1982
prashantkumar1982 requested review from a team as code owners July 16, 2026 06:08
@cl-sonarqube-production

Copy link
Copy Markdown

@prashantkumar1982

Copy link
Copy Markdown
Contributor Author

/vault-audit

@app-token-issuer-foundations

app-token-issuer-foundations Bot commented Jul 16, 2026

Copy link
Copy Markdown

Vault audit failed to run for 2dbfda79. A maintainer should check the Actions logs in cre-docs and re-run /vault-audit.

@russell-stern

Copy link
Copy Markdown
Contributor

/vault-audit model=haiku

@app-token-issuer-foundations

app-token-issuer-foundations Bot commented Jul 17, 2026

Copy link
Copy Markdown

Vault audit complete for 2dbfda79 — no blocking findings.

📋 View the full report and findings — private tracking issue, visible to chainlink team members only. Resolve blocking findings there with /resolved <FINDING-ID> <reason>.

@russell-stern

Copy link
Copy Markdown
Contributor

/vault-audit

@app-token-issuer-foundations

app-token-issuer-foundations Bot commented Jul 18, 2026

Copy link
Copy Markdown

⚠️ Vault audit complete for 2dbfda791 blocking finding(s) (CRITICAL/MUST FIX) must be addressed before merge.

📋 View the full report and findings — private tracking issue, visible to chainlink team members only. Resolve blocking findings there with /resolved <FINDING-ID> <reason>.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants