Vault DON: e2e testing with auth enabled #19543

prashantkumar1982 · 2025-09-24T20:11:53Z

Workflow Registry v2 was using WaitforDon() as a way to ensure contractReader was ready. It had to be changed because in a gateway node, WaitForDON() hangs indefinitely. So changed to a sync loop checking contractreader init.
Fixed few bugs in how to fetch allowlist from onchain contract via ChainReader, fixed bugs in application.go where WR wasn't populated
DigestForRequest() wasn't consistent, causing major debugging nightmares because digest was computed differently for same requests, and it was non-deterministic behavior. Fixed that.

… into vault_e2e_auth

github-actions · 2025-10-08T09:02:50Z

I see you updated files related to core. Please run pnpm changeset in the root directory to add a changeset as well as in the text include at least one of the following tags:

#added For any new functionality added.
#breaking_change For any functionality that requires manual action for the node to boot.
#bugfix For bug fixes.
#changed For any change to the existing functionality.
#db_update For any feature that introduces updates to database schema.
#deprecation_notice For any upcoming deprecation functionality.
#internal For changesets that need to be excluded from the final changelog.
#nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
#removed For any functionality/config that is removed.
#updated For any functionality that is updated.
#wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

core/capabilities/vault/request_authorizer.go

… into vault_e2e_auth

cl-sonarqube-production · 2025-10-09T04:31:34Z

Quality Gate passed

Issues
4 New issues
13 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube

DeividasK · 2025-10-09T05:55:49Z

core/services/chainlink/application.go

 		getPeerID:               getPeerID,
 		srvs:                    srvcs,
-		workflowRegistrySyncer:  workflowRegistrySyncer,
-		orgResolver:             orgResolver,


Was this line removed intentionally?

No, seems like caused during merge conflicts resolution. Will fix it asap

DeividasK · 2025-10-09T05:59:41Z

core/services/gateway/handlers/vault/handler.go

+	} else if req.Method == vaulttypes.MethodSecretsGet {
+		ar := h.newActiveRequest(req, callback)
+		return h.handleSecretsGet(ctx, ar)


Why this change? Could use a comment for why Get differs from other methods.

Yeah I'm not sure I understand this bit either

Get is not exposed to users. It is only there on dev builds for e2e testing. So no point doing auth for this method.
Once we write different tests for workflows fetching and decrypting secrets, we can remove Get entirely from gateway.
I will add a comment here.

DeividasK · 2025-10-09T06:02:28Z

core/services/workflows/syncer/v2/workflow_registry.go

+					// Async initialization of contract reader because there is an on-chain
+					// call dependency.  Blocking on initialization results in a
+					// deadlock.  Instead wait until the node has identified it's DON
+					// as a proxy for a DON and on-chain ready state .
+					reader, err := w.newWorkflowRegistryContractReader(ctx)
+					if err != nil {
+						w.lggr.Errorw("contract reader unavailable", "error", err.Error())
+						break
+					}
+					w.contractReader = reader


If I read this comment correctly, then the error might occur even when everything is fine (we are waiting for the on-chain state to be ready). In that case, the log should be a debug or info log.

Yes, error level seems too much. Will update it.

DeividasK · 2025-10-09T06:05:57Z

system-tests/tests/smoke/cre/v2_vault_don_test.go

+	require.NoError(t, err, "failed to allowlist request")
+
+	framework.L.Info().Msgf("Allowlisting request digest at contract %s, for owner: %s, digestHexStr: %s", wfRegistryContract.Address().Hex(), owner, hex.EncodeToString(digest[:]))
+	time.Sleep(5 * time.Second) // wait a bit to ensure the allowlist is propagated


We should be able to mine/advance the block instead of sleeping.

So some more context is that the sleep is also there to allow the vault don and gateway to sync this list using workflow registry syncer.
If we quickly send a request after allowlisting, it might fail because vault don/gateway haven't yet fetched the latest list.

DeividasK · 2025-10-09T09:36:22Z

Enabled merge to unblock other PRs

wip e2e testing with auth enalbed

5e71f55

chudilka1 added the run-e2e-regression This label triggers regression system tests on PR label Sep 26, 2025

prashantkumar1982 added 5 commits October 7, 2025 06:29

wip

fb3b534

merge develop

48a6f44

Merge branch 'develop' of https://github.com/smartcontractkit/chainlink…

d7a9a83

… into vault_e2e_auth

enable auth in e2e tests final

4416688

Merge branch 'develop' of https://github.com/smartcontractkit/chainlink…

b288cb7

… into vault_e2e_auth

minor changes

6d678d9

prashantkumar1982 changed the title ~~wip e2e testing with auth enalbed~~ Vault DON: e2e testing with auth enabled Oct 8, 2025

elatoskinas reviewed Oct 8, 2025

View reviewed changes

core/capabilities/vault/request_authorizer.go Show resolved Hide resolved

prashantkumar1982 added 6 commits October 8, 2025 11:34

lint fixes

acef1e4

Merge branch 'develop' of https://github.com/smartcontractkit/chainlink…

9e858bf

… into vault_e2e_auth

lint fixes 1

04c66d5

lint fixes 2

5ec2a5e

wr version fix

e93524a

merge develop

39cfd29

prashantkumar1982 marked this pull request as ready for review October 9, 2025 04:30

prashantkumar1982 requested review from a team as code owners October 9, 2025 04:30

product-security-plaid-production bot requested review from DeividasK and jmank88 October 9, 2025 04:30

prashantkumar1982 mentioned this pull request Oct 9, 2025

Use new getActiveAllowlistedRequestsReverse workflow registry method #19784

Merged

DeividasK reviewed Oct 9, 2025

View reviewed changes

cedric-cordenier approved these changes Oct 9, 2025

View reviewed changes

DeividasK approved these changes Oct 9, 2025

View reviewed changes

DeividasK added this pull request to the merge queue Oct 9, 2025

Merged via the queue into develop with commit a15d780 Oct 9, 2025
200 of 201 checks passed

DeividasK deleted the vault_e2e_auth branch October 9, 2025 09:58

prashantkumar1982 mentioned this pull request Oct 9, 2025

Vault DON: Misc fixes #19824

Merged

Vault DON: e2e testing with auth enabled #19543

Vault DON: e2e testing with auth enabled #19543

Uh oh!

Conversation

prashantkumar1982 commented Sep 24, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-actions bot commented Oct 8, 2025

Uh oh!

Uh oh!

cl-sonarqube-production bot commented Oct 9, 2025

Quality Gate passed

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Choose a reason for hiding this comment

Uh oh!

DeividasK commented Oct 9, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

prashantkumar1982 commented Sep 24, 2025 •

edited

Loading