[BUG]: Vault plugin fails to find X-Vault-Tokens header due to case-sensitive lookup

[MohanLaksh]

Summary

Vault plugin cannot find X-Vault-Tokens header despite it being present in the request and logged by tool service. Root cause: plugin does case-sensitive dict lookup but ASGI middleware lowercases all headers per spec.

Related JIRA Issues

• ICACF-41: Vault plugin fails to find X-Vault-Tokens header (symptom)
• ICACF-42: HttpAuthMiddleware lowercases headers (not a bug - per ASGI spec)

Root Cause

Not a bug: ASGI spec (RFC 7230) requires headers to be case-insensitive and ASGI standardizes them as lowercase bytes tuples. The middleware at mcpgateway/middleware/http_auth_middleware.py:227 correctly lowercases all headers.

Actual bug: Vault plugin at plugins/vault/vault_plugin.py:186-187 does case-sensitive dict lookup:

if self._sconfig.vault_header_name not in headers:  # "X-Vault-Tokens" not in {"x-vault-tokens": ...}
    return ToolPreInvokeResult()

Reproduction Steps

1. Configure gateway with passthrough headers including X-Vault-Tokens
2. Configure vault plugin with vault_header_name: "X-Vault-Tokens" (default config)
3. Send request with header: X-Vault-Tokens: {"github.com": "token123"}
4. Middleware lowercases to x-vault-tokens (per ASGI spec)
5. Tool service sends {"x-vault-tokens": "..."} to plugin
6. Plugin checks "X-Vault-Tokens" not in {"x-vault-tokens": ...} → FAILS
7. Plugin logs: "Vault header 'X-Vault-Tokens' not found in headers"

Impact

• Vault plugin fails silently in production
• OAuth2 token unwrapping does not work
• No bearer tokens generated for MCP servers requiring auth

Affected Code

File: plugins/vault/vault_plugin.py

• Line 177, 178: Case-sensitive lookup and delete in safe_headers
• Line 187: Case-sensitive lookup (main bug)
• Line 192, 196, 202: Case-sensitive access and delete
• Line 240: Case-sensitive write for AUTH_HEADER tag

Total: 7 operations affected

Solution

Follow the pattern from plugins/examples/simple_token_auth/simple_token_auth.py:105 which normalizes header names to lowercase:

# In __init__ (after line 95)
self._vault_header_key = self._sconfig.vault_header_name.lower()

# Replace all 6 read operations
if self._vault_header_key not in headers:  # Line 187
vault_tokens = orjson.loads(headers[self._vault_header_key])  # Line 192

# Normalize write operation
headers[auth_header.lower()] = str(token_value)  # Line 240

Test Coverage Gap

Critical: All existing tests use matching case for config AND payload headers (both "X-Vault-Tokens"). They bypass ASGI middleware and never test real production flow.

Required new tests:

1. test_vault_header_lowercase_headers - Config uppercase, headers lowercase (production)
2. test_vault_header_lowercase_config - Both lowercase
3. test_pat_token_custom_header_lowercase - AUTH_HEADER tag normalization

Files to Change

• plugins/vault/vault_plugin.py - 7 lines (production code)
• tests/unit/mcpgateway/plugins/plugins/vault/test_vault_plugin.py - 3 new tests

References

• ASGI spec: Headers must be lowercase bytes tuples
• RFC 7230: HTTP header names are case-insensitive
• Tests verifying lowercase: tests/unit/mcpgateway/middleware/test_http_auth_headers.py:377,387,1039
• Example pattern: plugins/examples/simple_token_auth/simple_token_auth.py:105

[popagruia]

Hi based on my investigation some additional problems:

Issue #1: CopyOnWriteDict.model_dump() Bug (CRITICAL)

Location: plugins/vault/vault_plugin.py lines 178 and 186

Current code

headers_dict = payload.headers.model_dump()  # Returns empty dict {}!

Why It Fails:

• payload.headers is a CopyOnWriteDict from the cpex framework
• Calling .model_dump() on it returns an empty dictionary in production
• This works in unit tests but fails with real HTTP requests
• The vault plugin can't read the X-Vault-Tokens header, so it never injects tokens

The Fix:

headers_dict = {k.lower(): v for k, v in payload.headers.root.items()}

Impact: Without this fix, the vault plugin completely fails to inject any tokens in production. All vault token injection is broken.

---

Issue #2: Gateway Cache Missing auth_value Field (CRITICAL)

Location: mcpgateway/services/tool_service.py line 1072-1093

The Bug:
The gateway cache payload is missing the auth_value field, which is required by the Gateway Pydantic model. This causes validation to fail when the vault plugin tries to read gateway metadata from cache.

Symptoms:

Failed to build PydanticGateway from cache payload: 1 validation error for Gateway
auth_value
  Field required

Result: The vault plugin logs "System cannot be determined from gateway metadata" and fails to inject tokens for Tests 4 and 5.

The Fix:

gateway_payload = {
    # ... other fields ...
    "auth_value": getattr(gateway, "auth_value", None),  # ADD THIS LINE
}

Impact: Without this fix, the vault plugin can't read gateway tags from cache, so it can't determine which vault token to use. Token injection fails for cached gateway metadata.

---