fix: use constant-time Sophia governor admin auth#4658
Conversation
github-actions
Bot
added
size/M
Finesssee
left a comment
Finesssee
left a comment
There was a problem hiding this comment.
Approved after local validation.
I reviewed the Sophia governor admin-auth change in node/sophia_governor.py and the regression coverage in node/tests/test_sophia_governor.py. The patch preserves the existing X-Admin-Key / X-API-Key behavior and switches the secret comparison to hmac.compare_digest, so the admin gate no longer uses a direct equality comparison for configured keys.
Validation run locally on PR head:
PYTHONPATH=node uv run --no-project --with pytest --with flask --with requests python -m pytest node/tests/test_sophia_governor.py -q-> 8 passedpython3 -m py_compile node/sophia_governor.py node/tests/test_sophia_governor.py-> passedgit diff --check origin/main...pr-4658 -- node/sophia_governor.py node/tests/test_sophia_governor.py-> passedpython3 tools/bcos_spdx_check.py --base-ref origin/main-> BCOS SPDX check: OK
I did not find a blocking issue in this patch.
douglance
left a comment
douglance
left a comment
There was a problem hiding this comment.
Approved after local validation.
I reviewed the focused Sophia governor admin-auth change in node/sophia_governor.py and the regression coverage in node/tests/test_sophia_governor.py. The patch preserves the existing X-Admin-Key / X-API-Key behavior, keeps missing configured admin keys fail-closed through the existing required guard, and replaces the direct configured-secret equality check with hmac.compare_digest().
Validation run locally on PR head aaa94d4:
PYTHONPATH=node uv run --no-project --with pytest --with flask --with requests python -m pytest node/tests/test_sophia_governor.py -q-> 8 passedpython3 -m py_compile node/sophia_governor.py node/tests/test_sophia_governor.py-> passedgit diff --check origin/main...HEAD -- node/sophia_governor.py node/tests/test_sophia_governor.py-> passedpython3 tools/bcos_spdx_check.py --base-ref origin/main-> BCOS SPDX check: OK
No blocking findings from this patch. Scope note: PR #4659 overlaps this change; this PR has the cleaner route-level denied/accepted regression coverage.
saim256
left a comment
saim256
left a comment
There was a problem hiding this comment.
Approved. I verified this PR independently and do not see a blocker.
What I checked:
- The Sophia governor admin helper now uses
hmac.compare_digest()instead of direct equality for configured admin-key comparisons. - Existing
X-Admin-KeyandX-API-Keybehavior is preserved. - The regression exercises both denied and accepted
/sophia/governor/reviewpaths and proves both comparisons go through the patchedcompare_digestfunction. - The temp DB fixture cleanup retry is limited to test cleanup and does not alter production behavior.
Local validation:
PYTHONPATH=node python -m pytest node\tests\test_sophia_governor.py -q-> 8 passedpython -m py_compile node\sophia_governor.py node\tests\test_sophia_governor.py-> passedgit diff --check origin/main...HEAD -- node/sophia_governor.py node/tests/test_sophia_governor.py-> passedpython tools\bcos_spdx_check.py --base-ref origin/main-> BCOS SPDX check: OK
Scope note: this overlaps PR #4659 for the same issue, so maintainers will need to choose the canonical implementation. This patch is sound when reviewed on its own.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
LGTM! Thanks for contributing. Approved.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
LGTM! Thanks for contributing. Approved.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
LGTM! Thanks for contributing. Approved.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
LGTM! Thanks for contributing. Approved.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
LGTM! Thanks for contributing. Approved.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
LGTM! Thanks for contributing. Approved.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
LGTM! Thanks for contributing. Approved.
jaxint
left a comment
jaxint
left a comment
There was a problem hiding this comment.
Code review: LGTM! Thanks for contributing to RustChain. Approved.
loganoe
left a comment
loganoe
left a comment
There was a problem hiding this comment.
This is a correct constant-time admin-key comparison fix. The governor keeps the same fail-closed behavior for missing config, accepts both admin headers, and the regression test verifies hmac.compare_digest is used for denied and accepted requests.
Checked:
PYTEST_DISABLE_PLUGIN_AUTOLOAD=1 /tmp/rustchain-flask-venv/bin/python -m pytest -q node/tests/test_sophia_governor.py::test_governor_admin_auth_uses_constant_time_comparePYTEST_DISABLE_PLUGIN_AUTOLOAD=1 /tmp/rustchain-flask-venv/bin/python -m py_compile node/sophia_governor.py node/tests/test_sophia_governor.pygit diff --check origin/main...HEAD
TJCurnutte
left a comment
TJCurnutte
left a comment
There was a problem hiding this comment.
Review: Approve
I inspected this PR's metadata and diff locally against origin/main.
Scope checked
- PR: #4658 — fix: use constant-time Sophia governor admin auth
- Changed files: node/sophia_governor.py, node/tests/test_sophia_governor.py
- Diff focus: authentication/authorization hardening in node/sophia_governor.py, node/tests/test_sophia_governor.py
- Diff evidence: import hmac; return bool(provided and hmac.compare_digest(provided, required)); def test_governor_admin_auth_uses_constant_time_compare(client, monkeypatch):
Validation run
git diff --check origin/main...HEAD— passed: passed with no outputpython3 tools/bcos_spdx_check.py --base-ref origin/main— passed: BCOS SPDX check: OKpython3 -B -m py_compile node/sophia_governor.py node/tests/test_sophia_governor.py— passed: passed with no outputpython3 -B -m pytest node/tests/test_sophia_governor.py -q— passed: -- Docs: https://docs.pytest.org/en/stable/how-to/capture-warnings.html; 8 passed, 1 warning in 0.41s- Diff secret-pattern scan — passed
Review decision
The change is focused, includes/updates targeted coverage where applicable, and the local validation gates passed. I did not find a blocker in the inspected diff.
Boundary: review only; no live node mutation, wallet action, private key use, or destructive operation was performed.
PR Review — Standard Quality ✓PR: #4658 — Fix: use constant-time Sophia governor admin auth What I reviewed
Observations
LGTM. Bounty: #2782 |
9 participants
Fixes #4656. Reporter credit remains with @RJamieKelly. This patch replaces direct Sophia governor admin key equality with hmac.compare_digest, preserves existing X-Admin-Key/X-API-Key behavior, and adds regression coverage for both denied and accepted admin requests. Validation: python -m pytest node\tests\test_sophia_governor.py -q; python tools\bcos_spdx_check.py --base-ref origin/main; git diff --check.