Skip to content

fix(api): query raw DbGateway in admin_test_gateway to avoid decode_auth crash on masked auth_value#3544

Merged
crivetimihai merged 3 commits intoIBM:mainfrom
omorros:fix/admin-test-gateway-decode-auth
Mar 9, 2026
Merged

fix(api): query raw DbGateway in admin_test_gateway to avoid decode_auth crash on masked auth_value#3544
crivetimihai merged 3 commits intoIBM:mainfrom
omorros:fix/admin-test-gateway-decode-auth

Conversation

@omorros
Copy link
Copy Markdown
Contributor

@omorros omorros commented Mar 8, 2026

🔗 Related Issue Closes #3539

📝 Summary

admin_test_gateway crashed with ValueError: Nonce must be between 8 and 128 bytes because it called decode_auth()
on a masked auth_value ("*****") returned by get_first_gateway_by_url(). This PR queries the raw DbGateway ORM
object directly and guards the decode_auth call with an explicit auth_type check, fixing the crash for all
gateways (with and without auth).

🏷️ Type of Change

  • Bug fix
  • Feature / Enhancement
  • Documentation
  • Refactor
  • Chore (deps, CI, tooling)
  • Other (describe below)

🧪 Verification

Check Command Status
Lint suite make lint ✅ No new issues (pre-existing black/ruff warnings on upstream main)
Unit tests make test ✅ 1001 passed, 4 pre-existing failures (TestPaginationSwapStyle)
Coverage ≥ 80% make coverage ✅ 97% on mcpgateway/admin.py

✅ Checklist

  • Code formatted (make black isort pre-commit)
  • Tests added/updated for changes
  • Documentation updated (if applicable)
  • No secrets or credentials committed

📓 Notes (optional)

Root cause: get_first_gateway_by_url() returns a GatewayRead.masked() where auth_value="*****". Passing that
to decode_auth() base64-decodes it to a 3-byte payload, then AES-GCM fails extracting a 12-byte nonce.

Fix:

  1. Replace gateway_service.get_first_gateway_by_url() with a direct select(DbGateway) query to get the unmasked
    auth value
  2. Replace the catch-all else with elif gateway.auth_type in ("basic", "bearer", "authheaders") so gateways with no
    auth skip decryption entirely
  3. Handle both dict and str auth_value formats from the raw DB object

The 4 TestPaginationSwapStyle failures are pre-existing on upstream main and unrelated to this change.

omorros and others added 2 commits March 9, 2026 00:10
@omorros @crivetimihai
fix(api): query raw DbGateway in admin_test_gateway to avoid decode_a…
0fdc821 
…uth crash on masked auth_value

Signed-off-by: Oriol Morros Vilaseca <OM368@student.aru.ac.uk>
@crivetimihai
test: add differential coverage for basic/bearer/authheaders auth bra…
020b61a 
…nch in admin_test_gateway

Cover the three new code paths introduced by the decode_auth fix:
- dict auth_value (raw DbGateway JSON) → headers.update directly
- str auth_value → decode_auth fallback
- auth_type=None gateway → no auth headers added

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai crivetimihai force-pushed the fix/admin-test-gateway-decode-auth branch from a9ef4ff to 4065954 Compare March 9, 2026 00:40
@crivetimihai
Copy link
Copy Markdown
Member

crivetimihai commented Mar 9, 2026

Maintainer changes

Rebased onto main (clean, no conflicts) and added two follow-up commits:

1. test: Differential coverage for the new elif branch

The original PR's new code path (basic/bearer/authheaders auth handling) had no test coverage. Added 3 tests:

  • dict auth_value — raw DbGateway JSON dict merged into headers
  • str auth_valuedecode_auth() fallback path
  • auth_type=None — no auth headers added

2. fix: Restore enabled filter + regression tests

Addressed during review: the original get_first_gateway_by_url() filtered by DbGateway.enabled by default. The direct select(DbGateway) query dropped that filter, which could match disabled gateways and inject stale credentials. Fixed by adding DbGateway.enabled back to the where() clause.

Also added 2 regression tests for behavior changes:

  • Header merge precedence — caller-supplied headers are preserved; stored gateway auth takes precedence over caller Authorization
  • Enabled filter — verifies the compiled SQL includes the enabled column filter

Summary

  • 3 commits total (1 original + 2 follow-up)
  • 22 gateway-related tests passing (15 existing updated + 5 new)
  • Verified on live deployment: no decode_auth crash, no ValueError: Nonce errors in logs
  • No security, performance, or correctness issues found in the original fix

@crivetimihai crivetimihai force-pushed the fix/admin-test-gateway-decode-auth branch from 4065954 to d7a7b59 Compare March 9, 2026 00:43
crivetimihai
crivetimihai previously approved these changes Mar 9, 2026
View reviewed changes
@crivetimihai
fix: restore enabled filter in gateway lookup and add regression tests
62831e0 
Address Codex review findings:
- Restore DbGateway.enabled filter that was dropped when replacing
  get_first_gateway_by_url() with a direct query, preventing disabled
  gateways from being matched for credential injection.
- Add test for header merge behavior: caller-supplied headers are
  preserved and stored gateway auth takes precedence.
- Add test verifying the enabled filter is present in the compiled query.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
@crivetimihai crivetimihai force-pushed the fix/admin-test-gateway-decode-auth branch from d7a7b59 to 62831e0 Compare March 9, 2026 01:00
@crivetimihai crivetimihai merged commit 6effe68 into IBM:main Mar 9, 2026
39 checks passed
@crivetimihai crivetimihai self-assigned this Mar 9, 2026
MohanLaksh pushed a commit that referenced this pull request Mar 12, 2026
@omorros @crivetimihai @MohanLaksh
fix(api): query raw DbGateway in admin_test_gateway to avoid decode_a…
e53b05a 
…uth crash on masked auth_value (#3544)

* fix(api): query raw DbGateway in admin_test_gateway to avoid decode_auth crash on masked auth_value

Signed-off-by: Oriol Morros Vilaseca <OM368@student.aru.ac.uk>

* test: add differential coverage for basic/bearer/authheaders auth branch in admin_test_gateway

Cover the three new code paths introduced by the decode_auth fix:
- dict auth_value (raw DbGateway JSON) → headers.update directly
- str auth_value → decode_auth fallback
- auth_type=None gateway → no auth headers added

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix: restore enabled filter in gateway lookup and add regression tests

Address Codex review findings:
- Restore DbGateway.enabled filter that was dropped when replacing
  get_first_gateway_by_url() with a direct query, preventing disabled
  gateways from being matched for credential injection.
- Add test for header merge behavior: caller-supplied headers are
  preserved and stored gateway auth takes precedence.
- Add test verifying the enabled filter is present in the compiled query.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Oriol Morros Vilaseca <OM368@student.aru.ac.uk>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
Yosiefeyob pushed a commit that referenced this pull request Mar 13, 2026
@omorros @crivetimihai @Yosiefeyob
fix(api): query raw DbGateway in admin_test_gateway to avoid decode_a…
6efaecc 
…uth crash on masked auth_value (#3544)

* fix(api): query raw DbGateway in admin_test_gateway to avoid decode_auth crash on masked auth_value

Signed-off-by: Oriol Morros Vilaseca <OM368@student.aru.ac.uk>

* test: add differential coverage for basic/bearer/authheaders auth branch in admin_test_gateway

Cover the three new code paths introduced by the decode_auth fix:
- dict auth_value (raw DbGateway JSON) → headers.update directly
- str auth_value → decode_auth fallback
- auth_type=None gateway → no auth headers added

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

* fix: restore enabled filter in gateway lookup and add regression tests

Address Codex review findings:
- Restore DbGateway.enabled filter that was dropped when replacing
  get_first_gateway_by_url() with a direct query, preventing disabled
  gateways from being matched for credential injection.
- Add test for header merge behavior: caller-supplied headers are
  preserved and stored gateway auth takes precedence.
- Add test verifying the enabled filter is present in the compiled query.

Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>

---------

Signed-off-by: Oriol Morros Vilaseca <OM368@student.aru.ac.uk>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: Yosief Eyob <yosiefogbazion@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@crivetimihai crivetimihai crivetimihai left review comments

@kevalmahajan kevalmahajan Awaiting requested review from kevalmahajan kevalmahajan is a code owner

@madhav165 madhav165 Awaiting requested review from madhav165 madhav165 is a code owner

Assignees

@crivetimihai crivetimihai

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[BUG][API]: admin_test_gateway crashes with ValueError on decode_auth of masked auth_value

2 participants

@omorros @crivetimihai