fix(egress+orchestrator): inject per-bottle auth tokens in the shared gateway
The cut-over dropped the per-bottle token flow, so an authed egress route on the shared gateway failed with 'env var EGRESS_TOKEN_0 is unset' — the gateway reads the token from its env, but a shared gateway has no per-bottle env. Now the bottle's egress auth tokens travel to the gateway over /resolve and the addon injects from them, mirroring what the per-bottle sidecar's env did: - launch resolves the token values from the host env and hands them to the orchestrator, which holds them IN MEMORY (keyed by bottle_id, never written to the registry DB) and serves them on /resolve; - PolicyResolver.resolve_policy_and_bottle_id + resolve_client_context now return the token map alongside policy + bottle_id (one round-trip); - the egress addon overlays the process env with the bottle's tokens per request and uses that env for auth injection AND DLP — the agent never sees the credential. Secrets stay off disk (validated: /resolve returns the token, the registry DB does not contain it). SecretProvider (#355) is the future hardening. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01WBMWTEtQdJ4W5UrWuLHCck
This commit is contained in:
@@ -450,28 +450,31 @@ def resolve_client_config(
|
||||
|
||||
class ContextResolverLike(typing.Protocol):
|
||||
"""The bit of `policy_resolver.PolicyResolver` `resolve_client_context`
|
||||
needs — one round-trip returning both policy and bottle id."""
|
||||
needs — one round-trip returning policy, bottle id, and auth tokens."""
|
||||
|
||||
def resolve_policy_and_bottle_id(
|
||||
self, source_ip: str, identity_token: str = ...,
|
||||
) -> "tuple[str | None, str | None]":
|
||||
) -> "tuple[str | None, str | None, dict[str, str]]":
|
||||
...
|
||||
|
||||
|
||||
def resolve_client_context(
|
||||
resolver: ContextResolverLike, client_ip: str, identity_token: str = "",
|
||||
) -> "tuple[Config, str]":
|
||||
"""The calling client's `(Config, bottle_id)` in one round-trip —
|
||||
) -> "tuple[Config, str, dict[str, str]]":
|
||||
"""The calling client's `(Config, bottle_id, tokens)` in one round-trip —
|
||||
**fail-closed**. The Config follows `resolve_client_config`'s deny-all
|
||||
rules; the bottle id is `""` whenever unattributed or the orchestrator
|
||||
errored, which the caller treats as "supervise unavailable for this
|
||||
bottle" (never another bottle's queue). One `/resolve` keys both the
|
||||
per-request egress policy and the per-bottle supervise queue + safelist."""
|
||||
errored (caller treats as "supervise unavailable", never another bottle's
|
||||
queue); `tokens` are the per-bottle upstream auth values the addon injects.
|
||||
One `/resolve` keys the egress policy, the supervise queue + safelist, and
|
||||
auth injection."""
|
||||
try:
|
||||
policy, bottle_id = resolver.resolve_policy_and_bottle_id(client_ip, identity_token)
|
||||
policy, bottle_id, tokens = resolver.resolve_policy_and_bottle_id(
|
||||
client_ip, identity_token,
|
||||
)
|
||||
except Exception: # noqa: BLE001 # pylint: disable=broad-exception-caught
|
||||
return Config(routes=()), "" # orchestrator unreachable/errored → deny
|
||||
return _config_from_policy(policy), (bottle_id or "")
|
||||
return Config(routes=()), "", {} # orchestrator unreachable/errored → deny
|
||||
return _config_from_policy(policy), (bottle_id or ""), tokens
|
||||
|
||||
|
||||
# ---------------------------------------------------------------------------
|
||||
|
||||
Reference in New Issue
Block a user