Merge pull request #14 from luis5tb/jwt-validation-cloudrun

luis5tb · web-flow · commit 703c9963d271 · 2026-03-11T09:59:39.000+01:00
feat: block SKIP_JWT_VALIDATION in Cloud Run environments
diff --git a/deploy/cloudrun/marketplace-handler.yaml b/deploy/cloudrun/marketplace-handler.yaml
@@ -72,6 +72,9 @@ spec:
             # Red Hat SSO Configuration
             - name: RED_HAT_SSO_ISSUER
               value: "https://sso.redhat.com/auth/realms/redhat-external"
+            # Ensure production environment do not skip JWT validation
+            - name: SKIP_JWT_VALIDATION
+              value: "false"
             # DCR Configuration
             - name: DCR_ENABLED
               value: "true"
diff --git a/deploy/cloudrun/service.yaml b/deploy/cloudrun/service.yaml
@@ -88,6 +88,9 @@ spec:
               value: ""
             # Replace with the required scopes if any is needed
             #  value: "agent:insights"
+            # Ensure production environment do not skip JWT validation
+            - name: SKIP_JWT_VALIDATION
+              value: "false"
             # MCP Configuration
             # The agent connects to the MCP sidecar container over HTTP
             - name: MCP_TRANSPORT_MODE
diff --git a/src/lightspeed_agent/config/settings.py b/src/lightspeed_agent/config/settings.py
@@ -1,9 +1,10 @@
 """Application settings and configuration management."""
 
+import os
 from functools import lru_cache
 from typing import Literal
 
-from pydantic import Field
+from pydantic import Field, model_validator
 from pydantic_settings import BaseSettings, SettingsConfigDict
 
 
@@ -241,6 +242,21 @@ def keycloak_dcr_endpoint(self) -> str:
         description="Skip JWT validation (development only)",
     )
 
+    @model_validator(mode="after")
+    def _block_skip_jwt_in_production(self) -> "Settings":
+        """Prevent SKIP_JWT_VALIDATION from being enabled in production.
+
+        Cloud Run sets K_SERVICE automatically. If that variable is present,
+        this is a managed deployment and JWT validation must never be skipped.
+        """
+        if self.skip_jwt_validation and os.getenv("K_SERVICE"):
+            raise ValueError(
+                "SKIP_JWT_VALIDATION=true is not allowed in Cloud Run "
+                f"(K_SERVICE={os.getenv('K_SERVICE')}). "
+                "This setting is intended for local development only."
+            )
+        return self
+
     # OpenTelemetry Configuration
     otel_enabled: bool = Field(
         default=False,
diff --git a/tests/test_settings.py b/tests/test_settings.py
@@ -0,0 +1,52 @@
+"""Tests for application settings guards."""
+
+import os
+from unittest.mock import patch
+
+import pytest
+from pydantic import ValidationError
+
+from lightspeed_agent.config import Settings
+
+
+class TestSkipJwtProductionGuard:
+    """Verify SKIP_JWT_VALIDATION cannot be enabled in Cloud Run."""
+
+    def _env_without_k_service(self) -> dict[str, str]:
+        """Return a copy of os.environ without K_SERVICE."""
+        return {k: v for k, v in os.environ.items() if k != "K_SERVICE"}
+
+    def test_skip_jwt_allowed_without_k_service(self):
+        """SKIP_JWT_VALIDATION=true is fine when K_SERVICE is unset."""
+        with patch.dict(os.environ, self._env_without_k_service(), clear=True):
+            settings = Settings(skip_jwt_validation=True)
+            assert settings.skip_jwt_validation is True
+
+    def test_skip_jwt_blocked_in_cloud_run(self):
+        """SKIP_JWT_VALIDATION=true must fail when K_SERVICE is set."""
+        with patch.dict(
+            os.environ, {"K_SERVICE": "lightspeed-agent"}, clear=False
+        ):
+            with pytest.raises(
+                ValidationError, match="not allowed in Cloud Run"
+            ):
+                Settings(skip_jwt_validation=True)
+
+    def test_no_skip_jwt_allowed_in_cloud_run(self):
+        """SKIP_JWT_VALIDATION=false (default) is fine in Cloud Run."""
+        with patch.dict(
+            os.environ, {"K_SERVICE": "lightspeed-agent"}, clear=False
+        ):
+            settings = Settings(skip_jwt_validation=False)
+            assert settings.skip_jwt_validation is False
+
+    def test_skip_jwt_defaults_to_false(self):
+        """Default value of skip_jwt_validation is False."""
+        with patch.dict(
+            os.environ,
+            self._env_without_k_service()
+            | {"SKIP_JWT_VALIDATION": "false"},
+            clear=True,
+        ):
+            settings = Settings(skip_jwt_validation=False)
+            assert settings.skip_jwt_validation is False
