vault: validate encrypted value size in request validator #21759

Merged
prashantkumar1982 merged 1 commit into release/2.39.2 from codex/vault-encrypted-value-size-validation-2.39.2
Mar 27, 2026

@prashantkumar1982
Contributor

Summary

  • enforce VaultCiphertextSizeLimit in the Vault request validator for create/update requests
  • reject oversized EncryptedValue payloads before label verification
  • add validator unit tests covering boundary and oversized ciphertext cases

Testing

  • go test ./core/capabilities/vault ./core/services/gateway/handlers/vault
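
The ordering described in the summary above (size check first, label verification after), as an added Go example that is not code from this pull request. `secretRequest`, `validator`, `verifyLabel`, the hex encoding of the value and the 2048-byte limit are assumptions made for illustration.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Hypothetical stand-ins: the project's request type and limiter API are not shown on the page.
var errTooLarge = errors.New("encrypted value exceeds ciphertext size limit")

type secretRequest struct {
	Owner          string
	EncryptedValue string // assumed to be hex-encoded ciphertext
}

type validator struct {
	limit       int // maximum ciphertext size in bytes
	labelChecks int // counts runs of the later, costlier step
}

// verifyLabel is a placeholder for the label verification that follows the size check.
func (v *validator) verifyLabel(owner string, ct []byte) error {
	v.labelChecks++
	if owner == "" {
		return errors.New("missing owner")
	}
	return nil
}

func (v *validator) Validate(r secretRequest) error {
	// Bound the encoded length first, so an oversized payload is never decoded or parsed.
	if len(r.EncryptedValue) > 2*v.limit {
		return fmt.Errorf("%w: %d hex chars, limit %d bytes", errTooLarge, len(r.EncryptedValue), v.limit)
	}
	ct, err := hex.DecodeString(r.EncryptedValue)
	if err != nil {
		return fmt.Errorf("encrypted value is not valid hex: %w", err)
	}
	return v.verifyLabel(r.Owner, ct)
}

func main() {
	v := &validator{limit: 2048} // constructed limit, not the project's setting value
	for _, n := range []int{2048, 2049} {
		err := v.Validate(secretRequest{Owner: "owner-a", EncryptedValue: strings.Repeat("ab", n)})
		fmt.Printf("%d bytes: err=%v, label checks so far=%d\n", n, err, v.labelChecks)
	}
}
```

A value of exactly the limit passes and reaches the label step; one byte more is rejected with `errTooLarge` and the label-check counter does not move.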

@github-actions
Contributor

✅ No conflicts with other open PRs targeting release/2.39.2

@github-actions
Contributor

I see you updated files related to core. Please run make gocs in the root directory to add a changeset as well as in the text include at least one of the following tags:

  • #added For any new functionality added.
  • #breaking_change For any functionality that requires manual action for the node to boot.
  • #bugfix For bug fixes.
  • #changed For any change to the existing functionality.
  • #db_update For any feature that introduces updates to database schema.
  • #deprecation_notice For any upcoming deprecation functionality.
  • #internal For changesets that need to be excluded from the final changelog.
  • #nops For any feature that is NOP facing and needs to be in the official Release Notes for the release.
  • #removed For any functionality/config that is removed.
  • #updated For any functionality that is updated.
  • #wip For any change that is not ready yet and external communication about it should be held off till it is feature complete.

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5f9636c276

if err != nil {
return nil, fmt.Errorf("could not create request batch size limiter: %w", err)
}
ciphertextLimiter, err := limits.MakeUpperBoundLimiter(limitsFactory, cresettings.Default.VaultCiphertextSizeLimit)
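
Review bot: the `err` returned on the `ciphertextLimiter, err := limits.MakeUpperBoundLimiter(...)` line needs its own check with a message that names the ciphertext size limiter. The check directly above wraps with "could not create request batch size limiter", and the excerpt ends before the new check is visible; if that text is carried over, a failure to build the ciphertext limiter will be reported as a batch-size limiter failure.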

[P2] Close ciphertext limiter on capability shutdown

NewCapability now allocates a second limiter for ciphertext size, but (*Capability).Close still only closes MaxRequestBatchSizeLimiter. On nodes where this capability is restarted (process reloads, integration tests, hot reconfiguration), the unclosed MaxCiphertextLengthLimiter can leave behind limiter resources/goroutines and accumulate over time; the new limiter should be closed alongside the existing one.


if err != nil {
return nil, fmt.Errorf("could not create request batch size limiter: %w", err)
}
ciphertextLimiter, err := limits.MakeUpperBoundLimiter(limitsFactory, cresettings.Default.VaultCiphertextSizeLimit)
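
Review bot: this `limits.MakeUpperBoundLimiter(limitsFactory, cresettings.Default.VaultCiphertextSizeLimit)` call repeats the one in the capability constructor line for line, so the ciphertext bound is now wired up in two places. A small shared constructor for the ciphertext limiter would keep the gateway handler and the capability enforcing the same limit if the setting or the limiter kind changes later.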

[P2] Close ciphertext limiter when vault handler stops

NewHandler now creates ciphertextLimiter, but (*handler).Close still closes only writeMethodsEnabled and MaxRequestBatchSizeLimiter. This introduces a lifecycle leak for the new limiter whenever the gateway handler is stopped and started again, so the ciphertext limiter needs to be included in the close path.


@prashantkumar1982 prashantkumar1982 enabled auto-merge (squash) March 27, 2026 21:01
@prashantkumar1982 prashantkumar1982 merged commit aef6a2b into release/2.39.2 Mar 27, 2026
208 of 209 checks passed
@prashantkumar1982 prashantkumar1982 deleted the codex/vault-encrypted-value-size-validation-2.39.2 branch March 27, 2026 21:05