Skip to content

feat: validate attestation gateway even on disabled#213

Merged
paolodamico merged 6 commits into
mainfrom
attestation-gateway-fix
Jul 16, 2026
Merged

feat: validate attestation gateway even on disabled#213
paolodamico merged 6 commits into
mainfrom
attestation-gateway-fix

Conversation

@paolodamico

@paolodamico paolodamico commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

Changes

  1. For the config DISABLE_ATTESTATION_GATEWAY if set, instead of disabling attestation checks altogether, the service will verify the attestation gateway checks in full, log a warning and let the request continue. This way any failures can be diagnosed before turning on enforcement.
  2. When attestation validation is not enforced, if the verification fails, an attestation-failure header will be returned to the client to let it know that their request would've been rejected and be able to debug integrity computation errors. cc @SeanROlszewski @Guardiola31337
  3. Deprecates DISABLE_ATTESTATION_GATEWAY in favor of DISABLE_ATTESTATION_GATEWAY_ENFORCEMENT (naming; old version is still supported).
  4. Minor housekeeping to improve code quality.

Rationale

The env var that allowed disabling the attestation gateway checks altogether, which is problematic. The raison d'être of this config is to be able to monitor issues and allow bypassing for a progressive roll-out. If all checks are skipped, then there's no way to monitor the correct functionality of this functionality.


Note

High Risk
Changes how attestation bypass env vars behave (validation always runs) and can allow unauthenticated traffic when enforcement is disabled, which is security-critical for progressive rollout.

Overview
Attestation middleware always runs validation instead of skipping checks when a disable flag is set. A new do_not_enforce mode (from DISABLE_ATTESTATION_GATEWAY_ENFORCEMENT, with legacy DISABLE_ATTESTATION_GATEWAY still honored) logs failures, still returns HTTP 200 to the handler, and adds an attestation-failure response header with the message the client would have seen under enforcement.

Constructor/config cleanup: AttestationGateway::new drops AttestationGatewayConfig / enabled in favor of (base_url, env, do_not_enforce). Missing or bad attestation-token headers are collapsed to invalid_attestation_token_header (header helper now returns Option). ErrorResponse gains code() / message() for that header.

Unit and integration tests cover non-enforcing vs enforcing paths and updated error codes.

Reviewed by Cursor Bugbot for commit 6d6ea8c. Bugbot is set up for automated code reviews on this repo. Configure here.

@paolodamico

Copy link
Copy Markdown
Contributor Author

@codex review

Comment thread src/attestation_gateway.rs Outdated
Comment thread src/attestation_gateway.rs

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 43cdd77a7c

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread src/attestation_gateway.rs Outdated
Comment thread src/attestation_gateway.rs Outdated

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 0c22d3f. Configure here.

Comment thread tests/retrieve_challenge_integration.rs
Comment thread src/attestation_gateway.rs
Comment thread src/attestation_gateway.rs Outdated

@thomas-waite thomas-waite left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Seems fine to me

@paolodamico
paolodamico merged commit ab6b4d0 into main Jul 16, 2026
12 checks passed
@paolodamico
paolodamico deleted the attestation-gateway-fix branch July 16, 2026 16:28
@github-actions github-actions Bot mentioned this pull request Jul 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants