From c7785a3eae03d3470a3e797d676d05d95f28893d Mon Sep 17 00:00:00 2001
From: Thomas Letan
Date: Tue, 22 Jul 2025 13:59:30 +0200
Subject: [PATCH] EVM Node: Fix token refresh by avoiding handler aliasing
* What This change corrects the GCP KMS authentication token refresh mechanism to ensure that the active handler used by the application receives all subsequent token updates from the background refresh process. * Why The previous implementation suffered from a subtle record aliasing bug. The background process responsible for refreshing the authentication token was given a reference to an initial, partial version of the KMS handler. However, the function then returned a *copy* of this handler to the rest of the application. Consequently, the background process was updating the token in a handler record that was no longer in use. The active handler's token was never refreshed, which caused it to expire, leading to the intermittent `invalid_token` authentication failures that were observed. * How The fix restructures the handler's creation flow. The final, complete KMS handler record is now created *before* the background token refresh process is initiated. The background process is then given a reference to this final, active handler. This ensures that token updates are applied to the exact same record that the rest of the application uses for its API calls, resolving the aliasing issue and ensuring the token remains valid.
---
 etherlink/CHANGES_NODE.md | 1 +
 etherlink/bin_node/lib_dev/gcp_kms.ml | 3 ++-
 2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/etherlink/CHANGES_NODE.md b/etherlink/CHANGES_NODE.md
index d71c16d02987..314acb11b42c 100644
--- a/etherlink/CHANGES_NODE.md
+++ b/etherlink/CHANGES_NODE.md
@@ -20,6 +20,7 @@ the parser would silently ignore any content that appeared after the first valid JSON object. Now, any extraneous data will cause the function to return an error. (!18745)
+- Fixes GCP KMS token refresh. (!18795)
 ### Storage changes
diff --git a/etherlink/bin_node/lib_dev/gcp_kms.ml b/etherlink/bin_node/lib_dev/gcp_kms.ml
index 2ea31a2366b1..1f43c5eb8801 100644
--- a/etherlink/bin_node/lib_dev/gcp_kms.ml
+++ b/etherlink/bin_node/lib_dev/gcp_kms.ml
@@ -376,11 +376,12 @@ let from_gcp_key (config : Configuration.gcp_kms) gcp_key =
 (* We fetch the necessary information which will allow us to interpret the KMS response and wrap them into the correct Signature.t constructor. *)
 let* public_key = public_key kms_handler in
+ let kms_handler = {kms_handler with public_key} in
 let*! () = Gcp_kms_events.is_ready public_key in
 Lwt.dont_wait (fun () -> Octez_connpool.warm kms_handler.pool) ignore ;
 Lwt.dont_wait (fun () -> wait_and_refresh config kms_handler) ignore ;
 (* We return the full handler *)
- return {kms_handler with public_key}
+ return kms_handler
 let public_key t = t.public_key
-- GitLab
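Review bot: The new `let kms_handler = {kms_handler with public_key} in` is correct only because it runs before `wait_and_refresh` is started, and nothing in the code records that ordering constraint, so a later `{kms_handler with ...}` copy would silently bring back the stale-token bug. I would add a comment above it, e.g. `(* Build the final record before starting the refresh loop: the loop updates the token of the record it is given, so the handler must not be copied after this point. *)`. Separately, the `Lwt.dont_wait (fun () -> wait_and_refresh config kms_handler) ignore` line discards any exception with `ignore`; unless `wait_and_refresh` (defined outside the hunk) handles its own failures, a dead refresh loop would end in the same `invalid_token` errors with nothing logged, so that handler should at least emit an event. `from_gcp_key` starts above the hunk.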