lookup: hex-decode SALT_PKB before HMAC (AGG-117)#7
Merged
Conversation
vaultee-secrets returns SALT_PKB as an ASCII hex string (64 chars for a 32-byte salt). rebuild-encrypt in DDM decodes it via bytes.fromhex before using it as the HMAC key (pkb_beeline/scripts/encrypt/main.py:: read_hex_secret). LookupService was passing the raw ASCII response through to hmac.new, producing a different key and every lookup missed the replica. Verified by comparing what the API sent to DDM (`row_id_iin=92e49785…`) to what rebuild-encrypt would write for the same IIN under the decoded salt (`row_id_iin=81c9417a…`), and confirming the latter exists in aggregion.scoring_replica_pkb for real IINs from user_features_test. Fixture change: FakeSecrets now models the real vaultee-secrets shape (returns hex-string bytes, exposes decoded salt_bytes for assertions). Added tests/test_salt_decoding.py to pin the regression — asserts that the row_id_iin sent by LookupService equals the one rebuild-time HMAC produces over the *decoded* salt, and that the buggy path (raw hex bytes as HMAC key) produces a different value. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com> Co-authored-by: multica-agent <github@multica.ai>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
SALT_PKBas an ASCII hex string;LookupService._salt_pkbwas passing that through tohmac.newas the raw key. Rebuild-encrypt in DDM (pkb_beeline/scripts/encrypt/main.py::read_hex_secret) decodes it viabytes.fromhex. Different keys → every lookup missed the replica → 30-sec client timeout.row_id_iin== rebuild-time HMAC over decoded salt bytes, and ≠ the buggy path.Root cause verification
For real IIN
700205302324fromdatalab_test.user_features_test:hmac(bytes.fromhex(SALT_PKB), sha256hex(iin || iin_salt), sha256)=81c9417ac6eabf47…— matches the row actually stored inaggregion.scoring_replica_pkb.hmac(SALT_PKB_hex.utf8, sha256hex(iin || iin_salt), sha256)=92e49785e452a484…— this is exactly what DDM logs showed the API passing asrow_id_iinfor the failing run5018c464-6e18-4d50-8277-5a67fcca90bb.Test plan
pytest tests/locally — 51/51 pass, including newtests/test_salt_decoding.py.kartel-deployprod overlay → Argo sync →/single?iin=700205302324returns 200 with data (currently 408).🤖 Generated with Claude Code