fix(jwt): remove attestation from global managed-wallet token scope#3360
Conversation
PR #3353 added "attestation" to the global managed-wallet provider JWT scope unconditionally. Field and non-TEE providers validate the scope against an enum that does not include "attestation" and reject the entire JWT with "JWT has invalid claims", so manifest sends fail for every managed deployment and the deployment never goes active. Revert the global scope back to the base set. The attestation scope is only needed to call the provider attestationQuote endpoint, which has no consumer on this token; it moves to a per-provider granular token for confidential compute attestation-evidence downloads (#3359).
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThe provider JWT request no longer includes the ChangesProvider JWT scope update
Estimated code review effort🎯 1 (Trivial) | ⏱️ ~2 minutes Suggested labels
Suggested reviewers
✨ Finishing Touches📝 Generate docstrings
🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
ESLint install failed: one or more packages not found in the registry. Comment |
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## main #3360 +/- ##
==========================================
- Coverage 69.62% 68.24% -1.39%
==========================================
Files 1088 998 -90
Lines 26651 24330 -2321
Branches 6406 5949 -457
==========================================
- Hits 18555 16603 -1952
+ Misses 7105 6768 -337
+ Partials 991 959 -32
*This pull request uses carry forward flags. Click here to find out more.
🚀 New features to boost your workflow:
|
…wnload The provider attestationQuote endpoint requires the `attestation` JWT scope. #3360 removed that scope from the shared global managed-wallet token because non-TEE providers reject it. Add useProviderJwt.generateScopedProviderToken to mint an ephemeral, single-provider granular token carrying only `attestation`, and use it from useAttestationQuoteMutation instead of the global token. Only TEE-capable providers accept the scope, and the download trigger already renders solely for confidential-compute leases, so the scoped token is requested only where the provider accepts it. Ref CON-575
…wnload The provider attestationQuote endpoint requires the `attestation` JWT scope. #3360 removed that scope from the shared global managed-wallet token because non-TEE providers reject it. Add useProviderJwt.generateScopedProviderToken to mint an ephemeral, single-provider granular token carrying only `attestation`, and use it from useAttestationQuoteMutation instead of the global token. Only TEE-capable providers accept the scope, and the download trigger already renders solely for confidential-compute leases, so the scoped token is requested only where the provider accepts it. Ref CON-575
…ute leases (akash-network#3359) * fix(jwt): remove attestation from global managed-wallet token scope PR akash-network#3353 added "attestation" to the global managed-wallet provider JWT scope unconditionally. Field and non-TEE providers validate the scope against an enum that does not include "attestation" and reject the entire JWT with "JWT has invalid claims", so manifest sends fail for every managed deployment and the deployment never goes active. Revert the global scope back to the base set. The attestation scope is only needed to call the provider attestationQuote endpoint, which has no consumer on this token; it moves to a per-provider granular token for confidential compute attestation-evidence downloads (akash-network#3359). * feat(deployment): download attestation evidence for confidential compute leases Surface a download for a running Confidential Compute lease's hardware-signed attestation evidence (AEP-83 §5). A fresh 64-byte nonce is sent per request so the returned evidence is bound to that request; the preview distinguishes the single CPU report from per-GPU reports and saves the full bundle as JSON. Fetched over the existing JWT provider-proxy path (the managed-wallet token carries the `attestation` scope) — front-end only, no backend change. Gated behind the new `ui_confidential_compute` flag and only shown for running deployments whose on-chain group declares a tee/type. Part of CON-540 * refactor(deployment): guard attestation download on resolved provider and extract report label * feat(deployment): mint per-provider token for attestation evidence download The provider attestationQuote endpoint requires the `attestation` JWT scope. akash-network#3360 removed that scope from the shared global managed-wallet token because non-TEE providers reject it. Add useProviderJwt.generateScopedProviderToken to mint an ephemeral, single-provider granular token carrying only `attestation`, and use it from useAttestationQuoteMutation instead of the global token. Only TEE-capable providers accept the scope, and the download trigger already renders solely for confidential-compute leases, so the scoped token is requested only where the provider accepts it. Ref CON-575 * fix(deployment): bind attestation evidence to its nonce and time-bound the fetch Return the per-request nonce alongside the quote and include it in the downloaded bundle so the evidence can be verified for freshness against the hardware-signed report_data. Give the attestation quote fetch a finite 60s timeout so a stalled provider surfaces the modal's error/retry UI instead of hanging in a pending state. Addresses CodeRabbit review feedback on PR akash-network#3359. * refactor(deployment): drop ui_confidential_compute flag from attestation download The download already only renders for live leases whose on-chain group declares a TEE type, so it never surfaces for non-Confidential-Compute deployments. The feature flag was redundant.
Why
PR #3353 (CON-575 console rollout) added
"attestation"to the global managed-wallet provider JWT scope unconditionally. Field and non-TEE providers validate the scope against an enum that does not include"attestation"and reject the entire JWT with "JWT has invalid claims". As a result manifest sends fail for every managed deployment (not just CC ones), the deployment never goes active, and the two real-deployment E2E specs time out atvalidateLease():apps/deploy-web/tests/ui/managed-wallet-deployment.spec.tsapps/deploy-web/tests/ui/managed-wallet-alerts.spec.tsThe
attestationscope is a distinctActionScopevalue that only gates the providerattestationQuoteendpoint (/v1/lease/attestation/quote); it is not needed to send a manifest, and nothing on the global token calls that endpoint. Deploying a CC (TEE) workload does not need it either, since sidecar injection rides the manifesttee.attestationflag (auto-set by chain-sdkgenerateManifest), not the JWT.This reverts the global scope to the base set. The attestation scope moves to a per-provider granular token, requested only for confidential-compute attestation-evidence downloads, in #3359.
Ref CON-575
What
Remove
"attestation"from the globalaccess: "scoped"token request inuseProviderJwt.tsand update the corresponding spec expectation. No other behavior changes.Summary by CodeRabbit