feat(gateway): wire authority chain verification into PEP middleware#69
Merged
Implements RFC-008 §9.2 Step 7 — the gateway PEP now calls VerifyChain() on incoming X-Capiscio-Authority / X-Capiscio-Authority-Chain headers before querying the PDP.

Changes:
- Add header extraction functions (headers.go) with base64url chain decoding
- Add ValidateChainLeafConsistency() for subject/badge-DID cross-check
- Wire verifyAuthorityChain() into serveHTTP() between badge verify and PDP query
- Enrich PDP request with verified chain data (LeafCapability, DelegationDepth, etc.)
- Add handleChainError() with EM-OBSERVE pass-through (RFC-005 §6.3)
- Map all 14 RFC-008 error codes to HTTP status codes (400/401/403)
- Add ErrCodeChainTooDeep constant to envelope errors
- Support enforcement mode escalation from envelope EnforcementModeMin field

Tests:
- 12 unit tests for header extraction and chain consistency validation
- 11 integration tests covering: badge-only compat, single envelope, two-hop chain, max depth enforcement, tampered signature rejection, PDP enrichment verification, nil verifier bypass, HTTP error code mapping, EM-OBSERVE pass-through, and enforcement mode escalation

All 40+ existing gateway tests continue to pass (backward compatible).
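An added example, not code from this PR or the Capiscio project, showing in Go the pre-PDP checks the description lists: base64url decoding of the X-Capiscio-Authority-Chain header, the PEP-level MaxChainDepth cap behind ErrCodeChainTooDeep, the leaf subject_did versus badge-subject cross-check, and the 400/401/403 split. The Envelope fields, the two error codes other than ENVELOPE_CHAIN_TOO_DEEP, the leaf-is-last-link convention and every function body are assumptions made for the example; the project's VerifyChain (signatures, issuer trust) is not reproduced and would run between the depth cap and the leaf check.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

// Envelope is a stand-in for an RFC-008 authority envelope (field names assumed).
type Envelope struct {
	SubjectDID string `json:"subject_did"`
	Capability string `json:"capability"`
}

// ErrCodeChainTooDeep is the constant the PR adds; the other two codes are assumed names.
const (
	HeaderAuthorityChain   = "X-Capiscio-Authority-Chain"
	ErrCodeChainTooDeep    = "ENVELOPE_CHAIN_TOO_DEEP"
	ErrCodeChainMalformed  = "ENVELOPE_CHAIN_MALFORMED"
	ErrCodeSubjectMismatch = "ENVELOPE_SUBJECT_MISMATCH"
)

// ChainError carries the RFC-008-style code that ChainErrorHTTPStatus maps.
type ChainError struct{ Code, Msg string }

func (e *ChainError) Error() string { return e.Code + ": " + e.Msg }

// ExtractAuthorityChain decodes base64url(JSON array); padding is stripped so both
// RFC 4648 §5 forms decode, anything else is a malformed chain.
func ExtractAuthorityChain(h http.Header) ([]Envelope, error) {
	raw := strings.TrimSpace(h.Get(HeaderAuthorityChain))
	if raw == "" {
		return nil, nil // badge-only request: nothing to verify
	}
	b, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(raw, "="))
	if err != nil {
		return nil, &ChainError{ErrCodeChainMalformed, "header is not base64url"}
	}
	var chain []Envelope
	if err := json.Unmarshal(b, &chain); err != nil || len(chain) == 0 {
		return nil, &ChainError{ErrCodeChainMalformed, "not a non-empty JSON array of envelopes"}
	}
	return chain, nil
}

// EnforceMaxChainDepth is the PEP-level length cap (distinct from a per-envelope depth
// claim), applied before any signature work so a client cannot make the gateway verify
// an arbitrarily long chain.
func EnforceMaxChainDepth(chain []Envelope, maxDepth int) error {
	if maxDepth > 0 && len(chain) > maxDepth {
		return &ChainError{ErrCodeChainTooDeep, fmt.Sprintf("%d links, max %d", len(chain), maxDepth)}
	}
	return nil
}

// ValidateChainLeafConsistency: the leaf subject_did must equal the authenticated badge
// subject, so a chain issued to agent A cannot be replayed by agent B. Last element = leaf.
func ValidateChainLeafConsistency(chain []Envelope, badgeSubject string) error {
	leaf := chain[len(chain)-1]
	if leaf.SubjectDID == "" || leaf.SubjectDID != badgeSubject {
		return &ChainError{ErrCodeSubjectMismatch, fmt.Sprintf("leaf %q != badge %q", leaf.SubjectDID, badgeSubject)}
	}
	return nil
}

// Unparseable input 400; verified but unacceptable 403; anything else (signature,
// expiry, untrusted issuer) 401.
var chainStatus = map[string]int{ErrCodeChainMalformed: 400, ErrCodeChainTooDeep: 403, ErrCodeSubjectMismatch: 403}

func ChainErrorHTTPStatus(code string) int {
	if s, ok := chainStatus[code]; ok {
		return s
	}
	return http.StatusUnauthorized
}

// CheckAuthorityChain is the pre-PDP sequence; the verifier's VerifyChain call would sit
// between the depth cap and the leaf check. The leaf is what may enrich the PDP request;
// nil with a nil error is a badge-only request.
func CheckAuthorityChain(h http.Header, badgeSubject string, maxDepth int) (*Envelope, error) {
	chain, err := ExtractAuthorityChain(h)
	if err != nil || chain == nil {
		return nil, err
	}
	if err = EnforceMaxChainDepth(chain, maxDepth); err == nil {
		err = ValidateChainLeafConsistency(chain, badgeSubject)
	}
	if err != nil {
		return nil, err
	}
	return &chain[len(chain)-1], nil
}

func main() {
	// Constructed two-hop chain: agent-a delegates to agent-b, who is the caller.
	raw, _ := json.Marshal([]Envelope{{SubjectDID: "did:example:agent-a"}, {SubjectDID: "did:example:agent-b", Capability: "tools:read"}})
	h := http.Header{}
	h.Set(HeaderAuthorityChain, base64.RawURLEncoding.EncodeToString(raw))
	leaf, err := CheckAuthorityChain(h, "did:example:agent-b", 4)
	fmt.Println(leaf.SubjectDID, leaf.Capability, err)
}
```

The depth cap runs before any signature work so the bound on verifier effort holds even for a chain that never validates; the same chain presented by a caller whose badge subject is not the leaf subject is refused with 403 rather than reaching the PDP.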
Pull request overview
This PR updates the gateway Policy Enforcement Point (PEP) middleware to verify RFC-008 Authority Envelope chains from X-Capiscio-Authority / X-Capiscio-Authority-Chain headers before querying the PDP, and to enrich the PDP (PIP) decision request with verified chain-derived attributes.
Changes:
- Added RFC-008 authority chain header extraction/decoding helpers and leaf/chain consistency checks.
- Wired chain verification into the PEP request flow and enriched PIP requests with verified capability, depth, constraints, envelope ID, and enforcement mode data.
- Introduced a new RFC-008 error code for PEP-level max chain-length enforcement and added HTTP status mapping for chain verification errors.
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
| File | Description |
|---|---|
| pkg/gateway/middleware.go | Integrates chain verification into the PEP flow, enriches PIP requests with verified chain data, and maps verification errors to HTTP responses. |
| pkg/gateway/headers.go | Adds RFC-008 header constants and helpers to extract leaf envelope, decode chain and badge-map headers, and validate basic header consistency. |
| pkg/gateway/headers_test.go | Adds unit tests covering the new gateway header helper functions. |
| pkg/gateway/chain_verification_test.go | Adds integration tests for chain verification behavior, HTTP mappings, and PIP request enrichment. |
| pkg/envelope/errors.go | Adds ENVELOPE_CHAIN_TOO_DEEP for PEP-level chain-length enforcement. |
Comment on lines +142 to +146

```go
// --- 2-8. Verify authority chain (RFC-008 §9.2 steps 2–8) ---
var chainResult *envelope.ChainVerifyResult
if p.config.EnvelopeVerifier != nil {
	var err error
	chainResult, err = p.verifyAuthorityChain(r, token)
```
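Review bot: when `p.config.EnvelopeVerifier` is nil the `X-Capiscio-Authority` / `X-Capiscio-Authority-Chain` headers are never examined, yet the request still continues to the PDP with `chainResult` nil; make sure `buildPIPRequest()` then leaves `LeafCapability`, `DelegationDepth` and the other chain-derived fields unset rather than reading anything from the unverified headers, and consider logging (or rejecting, in stricter deployments) a request that carries chain headers on a gateway with no verifier configured. The `// --- 2-8.` comment also claims §9.2 steps 2–8 while the PR description scopes this change to Step 7; align the two so the next reader knows which steps `verifyAuthorityChain()` actually performs.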
Comment on lines +239 to +243

```go
for _, link := range chain.Links {
	linkMode, _ := pip.ParseEnforcementMode(link.EffectiveMode.String())
	if linkMode > p.config.EnforcementMode {
		req.Context.EnforcementMode = linkMode.String()
	}
```
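Review bot: the error from `pip.ParseEnforcementMode` is discarded on the `linkMode, _ :=` line, so an unrecognised `EffectiveMode` string silently becomes the zero value instead of failing verification, and each link is compared with `p.config.EnforcementMode` rather than with the strictest mode already selected, so a link that is stricter than the baseline followed by one that is weaker but still above the baseline leaves the weaker mode in `req.Context.EnforcementMode`. Keep a running maximum across the loop, write it into the request once after the loop, and return the parse error instead of ignoring it.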
Comment on lines +297 to +301

```go
opts := envelope.VerifyOptions{
	Now: func() time.Time { return time.Now() },
}

result, err := p.config.EnvelopeVerifier.VerifyChain(r.Context(), chain, badgeMap, opts)
```
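Review bot: `Now: func() time.Time { return time.Now() }` hard-codes the wall clock inside the middleware, so expiry and not-before checks inside `VerifyChain` cannot be driven from a test clock; take the clock from `PEPConfig` (falling back to `time.Now`) and pass that through, which also collapses the closure to `Now: time.Now`. `Now` is the only field set in `VerifyOptions`: if `MaxChainDepth` and `OrgTrustBoundary` from `PEPConfig` are meant to be enforced by the verifier rather than by the PEP before this call, they need to be passed here too, otherwise the depth cap must already have run on `chain` before `VerifyChain` is invoked.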
Previously the loop compared each link's mode to the config baseline, which could downgrade the selected mode if a stricter link was followed by a less-strict one. Now tracks the max seen so far and only updates once at the end. Also handles ParseEnforcementMode errors.
RFC-008 §9.2 step 6: The leaf envelope's subject_did MUST match the authenticated caller's badge subject. This prevents a valid chain from being replayed by a different agent. Also ensures the caller's badge JWS is present in the badge map passed to chain verification, preventing lookup failures. Updated tests to align badge subject with envelope subject_did.
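An added example, not the project's code, of the escalation rule the first commit message above describes, next to the shape of the loop it replaced, plus the EM-OBSERVE pass-through that handleChainError provides. The mode names other than EM-OBSERVE, their ordering, the Link type and the handler's signature are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// EnforcementMode orders modes so that a larger value is stricter. EM-OBSERVE is
// the name the page uses; the other two names and the ordering are assumptions.
type EnforcementMode int

const (
	EMObserve EnforcementMode = iota // record the outcome, never block
	EMEnforce                        // block on deny
	EMStrict                         // block on deny and on any verification error
)

var modeNames = map[EnforcementMode]string{EMObserve: "EM-OBSERVE", EMEnforce: "EM-ENFORCE", EMStrict: "EM-STRICT"}

func (m EnforcementMode) String() string {
	if s, ok := modeNames[m]; ok {
		return s
	}
	return fmt.Sprintf("EnforcementMode(%d)", int(m))
}

// ParseEnforcementMode is the inverse of String. An unknown name is an error;
// it must not quietly become the zero value, which is the weakest mode.
func ParseEnforcementMode(s string) (EnforcementMode, error) {
	want := strings.ToUpper(strings.TrimSpace(s))
	for m, name := range modeNames {
		if name == want {
			return m, nil
		}
	}
	return 0, fmt.Errorf("unknown enforcement mode %q", s)
}

// Link is the part of a verified chain link this example needs: the mode the
// envelope's EnforcementModeMin field resolved to.
type Link struct{ EffectiveMode string }

// effectiveModeBuggy has the shape of the loop in the review snippet: the parse
// error is dropped, and each link is compared with the config baseline rather
// than with the strictest mode seen so far, so a weaker link that still beats
// the baseline overwrites an earlier stricter one.
func effectiveModeBuggy(links []Link, baseline EnforcementMode) EnforcementMode {
	selected := baseline
	for _, l := range links {
		m, _ := ParseEnforcementMode(l.EffectiveMode)
		if m > baseline {
			selected = m
		}
	}
	return selected
}

// EffectiveMode is the corrected rule from the commit message: keep the maximum,
// assign once, fail on an unparseable mode. Envelopes can only ratchet
// enforcement up from the PEP baseline, never down.
func EffectiveMode(links []Link, baseline EnforcementMode) (EnforcementMode, error) {
	strictest := baseline
	for i, l := range links {
		m, err := ParseEnforcementMode(l.EffectiveMode)
		if err != nil {
			return 0, fmt.Errorf("link %d: %w", i, err)
		}
		if m > strictest {
			strictest = m
		}
	}
	return strictest, nil
}

// HandleChainError models the EM-OBSERVE pass-through: in observe mode a chain
// verification failure is logged and the request still reaches the PDP; in any
// stricter mode it is rejected. It reports whether the request may proceed.
func HandleChainError(mode EnforcementMode, err error) bool {
	if err == nil {
		return true
	}
	if mode == EMObserve {
		fmt.Printf("observe: chain verification failed, passing through: %v\n", err)
		return true
	}
	return false
}

func main() {
	links := []Link{{"EM-STRICT"}, {"EM-ENFORCE"}}
	fixed, _ := EffectiveMode(links, EMObserve)
	fmt.Println("buggy:", effectiveModeBuggy(links, EMObserve), "fixed:", fixed)
}
```

With a baseline of EM-OBSERVE and links resolving to EM-STRICT then EM-ENFORCE, the original loop ends on EM-ENFORCE while the corrected rule keeps EM-STRICT; with a bogus mode string the original loop silently falls back to the baseline, which in observe mode means a failed chain still passes through.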
Summary
Implements RFC-008 §9.2 Step 7 — the gateway PEP now calls VerifyChain() on incoming X-Capiscio-Authority / X-Capiscio-Authority-Chain headers before querying the PDP.

Changes

Header Extraction (pkg/gateway/headers.go)
- ExtractLeafAuthority() — reads X-Capiscio-Authority header
- ExtractAuthorityChain() — decodes base64url chain from X-Capiscio-Authority-Chain
- ValidateChainLeafConsistency() — cross-checks leaf envelope subject DID against badge subject

Middleware Wiring (pkg/gateway/middleware.go)
- PEPConfig gains EnvelopeVerifier, MaxChainDepth, OrgTrustBoundary fields
- verifyAuthorityChain() inserted between badge verification and PDP query in serveHTTP()
- buildPIPRequest() enriched with verified chain data (LeafCapability, DelegationDepth, Constraints, EnforcementMode)
- handleChainError() with EM-OBSERVE pass-through (RFC-005 §6.3)
- ChainErrorHTTPStatus() maps 14 RFC-008 error codes to HTTP 400/401/403
- EnforcementModeMin field

Error Constants (pkg/envelope/errors.go)
- ErrCodeChainTooDeep for MaxChainDepth enforcement (distinct from ErrCodeDepthExceeded which is per-envelope depth)

Test Coverage
- headers_test.go: header extraction, chain decoding, leaf consistency validation
- chain_verification_test.go: (EnforcementModeMin overrides PEP config)

All 40+ pre-existing gateway tests continue to pass — fully backward compatible.

Backward Compatibility
- EnvelopeVerifier is optional in PEPConfig. When nil, the middleware skips chain verification entirely (existing behavior).
- PEPConfig struct (all new fields have zero-value semantics).

Related