feat(drivers): expose authenticated RPC caller to @rpc handlers #54

Merged: kavya-chennoju merged 1 commit into arm:main from cagataycali:feat/rpc-caller-identity-hook on Jun 12, 2026

@cagataycali

Contributor

Summary

Adds get_rpc_source_device() so device drivers can perform per-call authorization without changing their handler signatures.

The @rpc wrapper already receives the authenticated source device id (injected by DeviceRuntime). This change additionally publishes it on a contextvar for the duration of the handler call and resets it afterwards, so a handler can look up who called it and gate state-mutating operations accordingly.

Motivation

Device drivers that wrap physical hardware need to authorize callers on state-mutating RPCs (e.g. execute/stop). Today the source identity is only used for logging/tracing and is popped before the handler body runs. Exposing it via a small, opt-in accessor lets driver authors add caller-based access control as a security-hardening measure.

Backward compatibility

Fully backward compatible:

  • Handlers that don't call get_rpc_source_device() are unaffected.
  • Returns None when no source identity is present (local routine/internal calls).
  • source_device is still consumed by the wrapper (not leaked into handler kwargs).

Changes

  • drivers/decorators.py: _rpc_source_device contextvar + get_rpc_source_device() accessor; set/reset around the handler invocation.
  • drivers/__init__.py: export get_rpc_source_device.
  • tests/test_rpc_source_device.py: visible-inside-handler, None-when-absent, reset-after-call, and kwarg-non-leak.

Tests

tests/test_drivers.py .......................................... (60 passed)
tests/test_rpc_source_device.py .... (4 passed)

Add get_rpc_source_device() so device drivers can perform per-call
authorization without changing handler signatures. The @rpc wrapper
already receives the authenticated source device id; it now also
publishes it on a contextvar for the duration of the handler call and
resets it afterwards.

This enables drivers to enforce caller-based access control on
state-mutating RPCs (security hardening) while remaining fully
backward compatible: handlers that do not call get_rpc_source_device()
are unaffected, and the value is None when no source identity is
present (e.g. local routine/internal calls).

- drivers/decorators.py: _rpc_source_device contextvar + accessor,
  set/reset around the handler invocation
- drivers/__init__.py: export get_rpc_source_device
- tests: cover visible-inside-handler, None-when-absent, reset-after,
  and kwarg non-leak

@kavya-chennoju kavya-chennoju left a comment

Collaborator

Approving — tested end to end.

E2E (real D2D, Zenoh mesh): ran two live DeviceRuntime devices (controller-1 + sensor-001); controller-1 called invoke_remote("sensor-001", "whoami"). The runtime stamped source_device itself, and the handler read it back via get_rpc_source_device():

[sensor-001] whoami handler sees source_device = 'controller-1'
PASS: handler saw caller='controller-1' (expected 'controller-1')

Also confirmed the absent path: an agent-tools caller (not a device) yields caller=None, as intended. Unit tests pass (54).

The contextvar plumbing, reset-after-call, and no-kwarg-leak all behave correctly. LGTM as a caller-identity hook.

Non-blocking note for a follow-up: source_device is currently self-asserted by the caller and not yet bound to a transport-authenticated identity, so it shouldn't be relied on for authorization decisions until receiver-side identity verification lands. Tracking that separately.
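The set/reset pattern and a caller allowlist check, as an added example that is not the project's code: the `rpc` wrapper below is a simplified stand-in, and `ArmDriver`, `ALLOWED_CALLERS` and `call_execute` are hypothetical names. Per the review note above, `source_device` is self-asserted for now, so a check like this is only as strong as the identity behind it.

```python
import asyncio
import contextvars
import functools

# Stand-in for the wrapper's contextvar (assumed shape); None = no caller identity.
_rpc_source_device = contextvars.ContextVar("rpc_source_device", default=None)

def get_rpc_source_device():
    return _rpc_source_device.get()

def rpc(func):
    @functools.wraps(func)
    async def wrapper(self, *args, **kwargs):
        # The runtime-injected id is consumed here and never reaches the handler.
        source = kwargs.pop("source_device", None)
        token = _rpc_source_device.set(source)
        try:
            return await func(self, *args, **kwargs)
        finally:
            _rpc_source_device.reset(token)  # reset even when the handler raises
    return wrapper

class ArmDriver:  # hypothetical driver
    ALLOWED_CALLERS = frozenset({"controller-1"})  # constructed allowlist

    def __init__(self):
        self.running = False

    @rpc
    async def execute(self, **params):
        caller = get_rpc_source_device()
        # Design choice of this example: fail closed, so None (local/internal
        # or non-device caller) is rejected along with unlisted devices.
        if caller not in self.ALLOWED_CALLERS:
            raise PermissionError(f"caller {caller!r} may not execute")
        self.running = True
        return {"ok": True, "caller": caller, "params": params}

def call_execute(source_device=None):
    """Invoke execute once; return (result or error name, caller seen after the call)."""
    driver = ArmDriver()
    async def run():
        kwargs = {} if source_device is None else {"source_device": source_device}
        try:
            out = await driver.execute(speed=1, **kwargs)
        except PermissionError:
            out = "PermissionError"
        return out, get_rpc_source_device()
    return asyncio.run(run())
```
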

@kavya-chennoju kavya-chennoju merged commit a84618f into arm:main Jun 12, 2026
9 checks passed
kavya-chennoju added a commit that referenced this pull request Jun 13, 2026
Bumps device-connect-edge, -server, and -agent-tools to 0.2.5 (covers #39, #47, #49, #52, #54).
@cagataycali cagataycali deleted the feat/rpc-caller-identity-hook branch June 16, 2026 15:03