fix(auth): address gateway auth review follow-ups

Tighten the follow-up review points from PR 1404.

Restrict GetInferenceBundle to sandbox principals because the response carries provider route credentials. User callers continue to manage inference through the user-facing inference APIs.

Fail startup for in-cluster K8s ServiceAccount bootstrap when the Kubernetes driver config is missing instead of silently falling back to the default namespace.

Collapse sandbox-principal name lookups on supervisor-callable policy RPCs so missing and foreign sandbox names both return PermissionDenied, avoiding sandbox name enumeration.

Rename the local unauthenticated development identity provider from Internal to LocalDev, add Helm coverage for OIDC CA mounts with TLS disabled, fill generated sandboxJwt values docs, and document the current offline JWT signing-key rotation procedure.

Follow-up: created #1510 for online gateway sandbox JWT key rotation.

Validation: mise run pre-commit.

Author: TaylorMutch

architecture/gateway.md

@@ -62,6 +62,15 @@ JWTs in memory before expiry only while the sandbox record still exists. Older
 tokens are not server-revoked; deployments bound replay exposure with short
 `gateway_jwt.ttl_secs` lifetimes.
 
+Gateway JWT signing-key rotation is currently an offline operator action. The
+runtime loads one active signing key and one matching public verification key
+from the configured secret at startup. To rotate that key material today,
+operators must delete or replace the JWT key secret, let certgen recreate it,
+and restart the gateway pods. This invalidates outstanding supervisor tokens;
+running supervisors recover by re-running their bootstrap path where available
+or by reconnecting after sandbox restart. Online rotation with multiple
+verification keys keyed by `kid` is tracked separately.
+
 Sandbox JWTs are not user credentials. The gRPC router accepts
 `Principal::Sandbox` only on the supervisor-to-gateway RPC allowlist
 (`ConnectSupervisor`, `RelayStream`, token renewal, config sync, policy status,

crates/openshell-server/src/auth/identity.rs

@@ -39,6 +39,6 @@ pub enum IdentityProvider {
     Mtls,
     /// Cloudflare Access JWT.
     CloudflareAccess,
-    /// Internal (skip-listed methods, sandbox supervisor RPCs).
-    Internal,
+    /// Explicit unauthenticated local-development user principal.
+    LocalDev,
 }

crates/openshell-server/src/grpc/policy.rs

@@ -349,6 +349,41 @@ fn validate_sandbox_caller_update(req: &UpdateConfigRequest) -> Result<(), Statu
     Ok(())
 }
 
+async fn resolve_sandbox_by_name_for_principal(
+    store: &Store,
+    principal: &Principal,
+    name: &str,
+) -> Result<Sandbox, Status> {
+    let sandbox = store
+        .get_message_by_name::<Sandbox>(name)
+        .await
+        .map_err(|e| Status::internal(format!("fetch sandbox failed: {e}")))?;
+
+    match principal {
+        Principal::Sandbox(_) => {
+            let Some(sandbox) = sandbox else {
+                return Err(Status::permission_denied(
+                    "sandbox not found or not owned by caller",
+                ));
+            };
+            crate::auth::guard::ensure_sandbox_scope(principal, sandbox.object_id()).map_err(
+                |status| {
+                    if status.code() == tonic::Code::PermissionDenied {
+                        Status::permission_denied("sandbox not found or not owned by caller")
+                    } else {
+                        status
+                    }
+                },
+            )?;
+            Ok(sandbox)
+        }
+        Principal::User(_) => sandbox.ok_or_else(|| Status::not_found("sandbox not found")),
+        Principal::Anonymous => Err(Status::unauthenticated(
+            "sandbox-scoped methods require an authenticated caller",
+        )),
+    }
+}
+
 // ---------------------------------------------------------------------------
 // Config handlers
 // ---------------------------------------------------------------------------
@@ -672,21 +707,14 @@ pub(super) async fn handle_update_config(
     let req = request.into_inner();
     if sandbox_caller {
         validate_sandbox_caller_update(&req)?;
-        // Resolve req.name to a sandbox UUID and verify the calling
-        // sandbox principal owns it. User callers (CLI / TUI) bypass
-        // this check because RBAC was their gate.
-        let sandbox = state
-            .store
-            .get_message_by_name::<Sandbox>(&req.name)
-            .await
-            .map_err(|e| Status::internal(format!("fetch sandbox failed: {e}")))?
-            .ok_or_else(|| Status::not_found("sandbox not found"))?;
-        crate::auth::guard::ensure_sandbox_scope(
+        resolve_sandbox_by_name_for_principal(
+            state.store.as_ref(),
             principal
                 .as_ref()
                 .expect("sandbox_caller implies principal"),
-            sandbox.object_id(),
-        )?;
+            &req.name,
+        )
+        .await?;
     }
     let key = req.setting_key.trim();
     let has_policy = req.policy.is_some();
@@ -1413,16 +1441,9 @@ pub(super) async fn handle_submit_policy_analysis(
         return Err(Status::invalid_argument("name is required"));
     }
 
-    let sandbox = state
-        .store
-        .get_message_by_name::<Sandbox>(&req.name)
-        .await
-        .map_err(|e| Status::internal(format!("fetch sandbox failed: {e}")))?
-        .ok_or_else(|| Status::not_found("sandbox not found"))?;
+    let sandbox =
+        resolve_sandbox_by_name_for_principal(state.store.as_ref(), &principal, &req.name).await?;
     let sandbox_id = sandbox.object_id().to_string();
-    // Name → id resolved; now enforce that a sandbox principal only acts
-    // on its own sandbox. User principals are unaffected.
-    crate::auth::guard::ensure_sandbox_scope(&principal, &sandbox_id)?;
 
     let current_version = state
         .store
@@ -1549,14 +1570,9 @@ pub(super) async fn handle_get_draft_policy(
         return Err(Status::invalid_argument("name is required"));
     }
 
-    let sandbox = state
-        .store
-        .get_message_by_name::<Sandbox>(&req.name)
-        .await
-        .map_err(|e| Status::internal(format!("fetch sandbox failed: {e}")))?
-        .ok_or_else(|| Status::not_found("sandbox not found"))?;
+    let sandbox =
+        resolve_sandbox_by_name_for_principal(state.store.as_ref(), &principal, &req.name).await?;
     let sandbox_id = sandbox.object_id().to_string();
-    crate::auth::guard::ensure_sandbox_scope(&principal, &sandbox_id)?;
 
     let status_filter = if req.status_filter.is_empty() {
         None
@@ -3151,6 +3167,58 @@ mod tests {
         assert_eq!(err.code(), Code::PermissionDenied);
     }
 
+    #[tokio::test]
+    async fn sandbox_update_config_missing_name_returns_permission_denied() {
+        let state = test_server_state().await;
+        let req = with_sandbox(
+            Request::new(UpdateConfigRequest {
+                name: "missing-sandbox".to_string(),
+                policy: Some(ProtoSandboxPolicy::default()),
+                ..Default::default()
+            }),
+            "sb-a",
+        );
+
+        let err = handle_update_config(&state, req)
+            .await
+            .expect_err("missing name must not leak existence to sandbox callers");
+        assert_eq!(err.code(), Code::PermissionDenied);
+    }
+
+    #[tokio::test]
+    async fn sandbox_submit_policy_analysis_missing_name_returns_permission_denied() {
+        let state = test_server_state().await;
+        let req = with_sandbox(
+            Request::new(SubmitPolicyAnalysisRequest {
+                name: "missing-sandbox".to_string(),
+                ..Default::default()
+            }),
+            "sb-a",
+        );
+
+        let err = handle_submit_policy_analysis(&state, req)
+            .await
+            .expect_err("missing name must not leak existence to sandbox callers");
+        assert_eq!(err.code(), Code::PermissionDenied);
+    }
+
+    #[tokio::test]
+    async fn sandbox_get_draft_policy_missing_name_returns_permission_denied() {
+        let state = test_server_state().await;
+        let req = with_sandbox(
+            Request::new(GetDraftPolicyRequest {
+                name: "missing-sandbox".to_string(),
+                status_filter: String::new(),
+            }),
+            "sb-a",
+        );
+
+        let err = handle_get_draft_policy(&state, req)
+            .await
+            .expect_err("missing name must not leak existence to sandbox callers");
+        assert_eq!(err.code(), Code::PermissionDenied);
+    }
+
     #[tokio::test]
     async fn user_principal_can_read_any_sandbox_config() {
         // RBAC was the user gate; the IDOR guard must NOT trip for users.

crates/openshell-server/src/inference.rs

@@ -61,23 +61,11 @@ impl Inference for InferenceService {
         &self,
         request: Request<GetInferenceBundleRequest>,
     ) -> Result<Response<GetInferenceBundleResponse>, Status> {
-        // GetInferenceBundle is gateway-wide (no per-sandbox routes yet),
-        // so it has no `sandbox_id` to compare against. Just reject
-        // anonymous callers; both user and sandbox principals are allowed.
-        match request
-            .extensions()
-            .get::<crate::auth::principal::Principal>()
-        {
-            Some(
-                crate::auth::principal::Principal::User(_)
-                | crate::auth::principal::Principal::Sandbox(_),
-            ) => {}
-            Some(crate::auth::principal::Principal::Anonymous) | None => {
-                return Err(Status::unauthenticated(
-                    "GetInferenceBundle requires an authenticated caller",
-                ));
-            }
-        }
+        authorize_inference_bundle(
+            request
+                .extensions()
+                .get::<crate::auth::principal::Principal>(),
+        )?;
         resolve_inference_bundle(self.state.store.as_ref())
             .await
             .map(Response::new)
@@ -418,6 +406,20 @@ fn find_provider_config_value(provider: &Provider, preferred_keys: &[&str]) -> O
     None
 }
 
+fn authorize_inference_bundle(
+    principal: Option<&crate::auth::principal::Principal>,
+) -> Result<(), Status> {
+    match principal {
+        Some(crate::auth::principal::Principal::Sandbox(_)) => Ok(()),
+        Some(crate::auth::principal::Principal::User(_)) => Err(Status::permission_denied(
+            "GetInferenceBundle requires a sandbox principal",
+        )),
+        Some(crate::auth::principal::Principal::Anonymous) | None => Err(Status::unauthenticated(
+            "GetInferenceBundle requires an authenticated sandbox principal",
+        )),
+    }
+}
+
 /// Resolve the inference bundle (all managed routes + revision hash).
 async fn resolve_inference_bundle(store: &Store) -> Result<GetInferenceBundleResponse, Status> {
     let mut routes = Vec::new();
@@ -515,6 +517,10 @@ async fn resolve_route_by_name(
 #[cfg(test)]
 mod tests {
     use super::*;
+    use crate::auth::identity::{Identity, IdentityProvider};
+    use crate::auth::principal::{
+        Principal, SandboxIdentitySource, SandboxPrincipal, UserPrincipal,
+    };
     use openshell_core::ObjectId;
     use wiremock::matchers::{body_partial_json, header, method, path};
     use wiremock::{Mock, MockServer, ResponseTemplate};
@@ -525,6 +531,28 @@ mod tests {
             .expect("in-memory SQLite store should connect")
     }
 
+    fn test_user_principal() -> Principal {
+        Principal::User(UserPrincipal {
+            identity: Identity {
+                subject: "user-a".to_string(),
+                display_name: None,
+                roles: vec!["openshell-user".to_string()],
+                scopes: vec![],
+                provider: IdentityProvider::Oidc,
+            },
+        })
+    }
+
+    fn test_sandbox_principal() -> Principal {
+        Principal::Sandbox(SandboxPrincipal {
+            sandbox_id: "sandbox-a".to_string(),
+            source: SandboxIdentitySource::BootstrapJwt {
+                issuer: "openshell-gateway:test".to_string(),
+            },
+            trust_domain: Some("openshell".to_string()),
+        })
+    }
+
     fn make_route(name: &str, provider_name: &str, model_id: &str) -> InferenceRoute {
         InferenceRoute {
             metadata: Some(openshell_core::proto::datamodel::v1::ObjectMeta {
@@ -573,6 +601,19 @@ mod tests {
         }
     }
 
+    #[test]
+    fn inference_bundle_requires_sandbox_principal() {
+        let sandbox = test_sandbox_principal();
+        assert!(authorize_inference_bundle(Some(&sandbox)).is_ok());
+
+        let user = test_user_principal();
+        let err = authorize_inference_bundle(Some(&user)).expect_err("users cannot fetch bundle");
+        assert_eq!(err.code(), tonic::Code::PermissionDenied);
+
+        let err = authorize_inference_bundle(None).expect_err("missing principal rejected");
+        assert_eq!(err.code(), tonic::Code::Unauthenticated);
+    }
+
     #[tokio::test]
     async fn upsert_cluster_route_creates_and_increments_version() {
         let store = test_store().await;

crates/openshell-server/src/lib.rs

@@ -300,16 +300,8 @@ pub async fn run_server(
     // and without the issuer there's nothing to exchange the SA token for.
     if state.sandbox_jwt_issuer.is_some() && std::env::var_os("KUBERNETES_SERVICE_HOST").is_some() {
         // Pod lookups and TokenReview identity checks must match the sandbox
-        // namespace and service account used by the Kubernetes driver. Fall
-        // back to the historical "default" namespace only if driver config
-        // cannot be parsed while bootstrapping the authenticator.
-        let kubernetes_config =
-            kubernetes_config_from_file(config_file.as_ref()).unwrap_or_else(|_| {
-                KubernetesComputeConfig {
-                    namespace: "default".to_string(),
-                    ..Default::default()
-                }
-            });
+        // namespace and service account used by the Kubernetes driver.
+        let kubernetes_config = kubernetes_config_for_k8s_sa_bootstrap(config_file.as_ref())?;
         let sandbox_namespace = kubernetes_config.namespace;
         let sandbox_service_account = kubernetes_config.service_account_name;
         match kube::Client::try_default().await {
@@ -788,6 +780,22 @@ fn kubernetes_config_from_file(
         .map_err(|e| Error::config(format!("invalid [openshell.drivers.kubernetes] table: {e}")))
 }
 
+fn kubernetes_config_for_k8s_sa_bootstrap(
+    file: Option<&config_file::ConfigFile>,
+) -> Result<KubernetesComputeConfig> {
+    let Some(file) = file else {
+        return Err(Error::config(
+            "K8s ServiceAccount bootstrap requires [openshell.drivers.kubernetes] when sandbox JWT issuing is enabled in-cluster",
+        ));
+    };
+    if !file.openshell.drivers.contains_key("kubernetes") {
+        return Err(Error::config(
+            "K8s ServiceAccount bootstrap requires [openshell.drivers.kubernetes] when sandbox JWT issuing is enabled in-cluster",
+        ));
+    }
+    kubernetes_config_from_file(Some(file))
+}
+
 /// Same pattern as [`kubernetes_config_from_file`] but for Podman.
 fn podman_config_from_file(
     file: Option<&config_file::ConfigFile>,
@@ -863,6 +871,7 @@ mod tests {
         ConnectionProtocol, MultiplexService, ServerState, TlsAcceptor,
         allow_plaintext_service_http, classify_initial_bytes, configured_compute_driver,
         gateway_listener_addresses, is_benign_tls_handshake_failure, serve_gateway_listener,
+        kubernetes_config_for_k8s_sa_bootstrap,
     };
     use openshell_core::{
         ComputeDriverKind, Config,
@@ -1266,6 +1275,35 @@ mod tests {
         );
     }
 
+    #[test]
+    fn k8s_sa_bootstrap_rejects_missing_kubernetes_driver_config() {
+        let err = kubernetes_config_for_k8s_sa_bootstrap(None).unwrap_err();
+        assert!(err.to_string().contains("[openshell.drivers.kubernetes]"));
+
+        let file: crate::config_file::ConfigFile =
+            toml::from_str("[openshell.gateway]\n").expect("valid config");
+        let err = kubernetes_config_for_k8s_sa_bootstrap(Some(&file)).unwrap_err();
+        assert!(err.to_string().contains("[openshell.drivers.kubernetes]"));
+    }
+
+    #[test]
+    fn k8s_sa_bootstrap_uses_configured_namespace_and_service_account() {
+        let file: crate::config_file::ConfigFile = toml::from_str(
+            r#"
+[openshell.gateway]
+
+[openshell.drivers.kubernetes]
+namespace = "sandboxes"
+service_account_name = "sandbox-sa"
+"#,
+        )
+        .expect("valid config");
+
+        let cfg = kubernetes_config_for_k8s_sa_bootstrap(Some(&file)).unwrap();
+        assert_eq!(cfg.namespace, "sandboxes");
+        assert_eq!(cfg.service_account_name, "sandbox-sa");
+    }
+
     #[test]
     fn gateway_listener_addresses_skip_driver_address_covered_by_wildcard() {
         let primary: SocketAddr = "0.0.0.0:8080".parse().unwrap();