Skip to content

Commit

Permalink
consistent auth token for validator apis (#13747)
Browse files Browse the repository at this point in the history
* wip

* fixing tests

* adding more tests especially to handle legacy

* fixing linting

* fixing deepsource issues and flags

* fixing some deepsource issues,pathing issues, and logs

* some review items

* adding additional review feedback

* updating to follow updates from ethereum/keymanager-APIs#74

* adjusting functions to match changes in keymanagers PR

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* review feedback

---------

Co-authored-by: Radosław Kapka <rkapka@wp.pl>
  • Loading branch information
2 people authored and nisdas committed Jun 19, 2024
1 parent eb9fe56 commit b7813e7
Show file tree
Hide file tree
Showing 21 changed files with 378 additions and 250 deletions.
15 changes: 14 additions & 1 deletion api/BUILD.bazel
Original file line number Diff line number Diff line change
@@ -1,11 +1,24 @@
load("@prysm//tools/go:def.bzl", "go_library")
load("@prysm//tools/go:def.bzl", "go_library", "go_test")

go_library(
name = "go_default_library",
srcs = [
"constants.go",
"headers.go",
"jwt.go",
],
importpath = "github.com/prysmaticlabs/prysm/v5/api",
visibility = ["//visibility:public"],
deps = [
"//crypto/rand:go_default_library",
"@com_github_ethereum_go_ethereum//common/hexutil:go_default_library",
"@com_github_pkg_errors//:go_default_library",
],
)

go_test(
name = "go_default_test",
srcs = ["jwt_test.go"],
embed = [":go_default_library"],
deps = ["//testing/require:go_default_library"],
)
2 changes: 2 additions & 0 deletions api/constants.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,4 +4,6 @@ const (
WebUrlPrefix = "/v2/validator/"
WebApiUrlPrefix = "/api/v2/validator/"
KeymanagerApiPrefix = "/eth/v1"

AuthTokenFileName = "auth-token"
)
32 changes: 32 additions & 0 deletions api/jwt.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
package api

import (
"github.com/ethereum/go-ethereum/common/hexutil"
"github.com/pkg/errors"
"github.com/prysmaticlabs/prysm/v5/crypto/rand"
)

// GenerateRandomHexString generates a random hex string that follows the standards for jwt token
// used for beacon node -> execution client
// used for web client -> validator client
func GenerateRandomHexString() (string, error) {
secret := make([]byte, 32)
randGen := rand.NewGenerator()
n, err := randGen.Read(secret)
if err != nil {
return "", err
} else if n != 32 {
return "", errors.New("rand: unexpected length")
}
return hexutil.Encode(secret), nil
}

// ValidateAuthToken validating auth token for web
func ValidateAuthToken(token string) error {
b, err := hexutil.Decode(token)
// token should be hex-encoded and at least 256 bits
if err != nil || len(b) < 32 {
return errors.New("invalid auth token: token should be hex-encoded and at least 256 bits")
}
return nil
}
13 changes: 13 additions & 0 deletions api/jwt_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
package api

import (
"testing"

"github.com/prysmaticlabs/prysm/v5/testing/require"
)

func TestGenerateRandomHexString(t *testing.T) {
token, err := GenerateRandomHexString()
require.NoError(t, err)
require.NoError(t, ValidateAuthToken(token))
}
3 changes: 1 addition & 2 deletions cmd/beacon-chain/jwt/BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,9 @@ go_library(
importpath = "github.com/prysmaticlabs/prysm/v5/cmd/beacon-chain/jwt",
visibility = ["//visibility:public"],
deps = [
"//api:go_default_library",
"//cmd:go_default_library",
"//crypto/rand:go_default_library",
"//io/file:go_default_library",
"@com_github_ethereum_go_ethereum//common/hexutil:go_default_library",
"@com_github_sirupsen_logrus//:go_default_library",
"@com_github_urfave_cli_v2//:go_default_library",
],
Expand Down
18 changes: 2 additions & 16 deletions cmd/beacon-chain/jwt/jwt.go
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@
package jwt

import (
"errors"
"path/filepath"

"github.com/ethereum/go-ethereum/common/hexutil"
"github.com/prysmaticlabs/prysm/v5/api"
"github.com/prysmaticlabs/prysm/v5/cmd"
"github.com/prysmaticlabs/prysm/v5/crypto/rand"
"github.com/prysmaticlabs/prysm/v5/io/file"
"github.com/sirupsen/logrus"
"github.com/urfave/cli/v2"
Expand Down Expand Up @@ -52,7 +50,7 @@ func generateAuthSecretInFile(c *cli.Context) error {
return err
}
}
secret, err := generateRandomHexString()
secret, err := api.GenerateRandomHexString()
if err != nil {
return err
}
Expand All @@ -62,15 +60,3 @@ func generateAuthSecretInFile(c *cli.Context) error {
logrus.Infof("Successfully wrote JSON-RPC authentication secret to file %s", fileName)
return nil
}

func generateRandomHexString() (string, error) {
secret := make([]byte, 32)
randGen := rand.NewGenerator()
n, err := randGen.Read(secret)
if err != nil {
return "", err
} else if n <= 0 {
return "", errors.New("rand: unexpected length")
}
return hexutil.Encode(secret), nil
}
1 change: 1 addition & 0 deletions cmd/validator/flags/BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ go_library(
"//validator:__subpackages__",
],
deps = [
"//api:go_default_library",
"//config/params:go_default_library",
"//io/file:go_default_library",
"@com_github_urfave_cli_v2//:go_default_library",
Expand Down
10 changes: 10 additions & 0 deletions cmd/validator/flags/flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
"runtime"
"time"

"github.com/prysmaticlabs/prysm/v5/api"
"github.com/prysmaticlabs/prysm/v5/config/params"
"github.com/prysmaticlabs/prysm/v5/io/file"
"github.com/urfave/cli/v2"
Expand Down Expand Up @@ -133,6 +134,15 @@ var (
Usage: "Port used to listening and respond metrics for Prometheus.",
Value: 8081,
}

// AuthTokenPathFlag defines the path to the auth token used to secure the validator api.
AuthTokenPathFlag = &cli.StringFlag{
Name: "keymanager-token-file",
Usage: "Path to auth token file used for validator apis.",
Value: filepath.Join(filepath.Join(DefaultValidatorDir(), WalletDefaultDirName), api.AuthTokenFileName),
Aliases: []string{"validator-api-bearer-file"},
}

// WalletDirFlag defines the path to a wallet directory for Prysm accounts.
WalletDirFlag = &cli.StringFlag{
Name: "wallet-dir",
Expand Down
1 change: 1 addition & 0 deletions cmd/validator/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ var appFlags = []cli.Flag{
flags.EnableWebFlag,
flags.GraffitiFileFlag,
flags.EnableDistributed,
flags.AuthTokenPathFlag,
// Consensys' Web3Signer flags
flags.Web3SignerURLFlag,
flags.Web3SignerPublicValidatorKeysFlag,
Expand Down
1 change: 1 addition & 0 deletions cmd/validator/usage.go
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,7 @@ var appHelpFlagGroups = []flagGroup{
flags.BuilderGasLimitFlag,
flags.ValidatorsRegistrationBatchSizeFlag,
flags.EnableDistributed,
flags.AuthTokenPathFlag,
},
},
{
Expand Down
1 change: 1 addition & 0 deletions cmd/validator/web/BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ go_library(
importpath = "github.com/prysmaticlabs/prysm/v5/cmd/validator/web",
visibility = ["//visibility:public"],
deps = [
"//api:go_default_library",
"//cmd:go_default_library",
"//cmd/validator/flags:go_default_library",
"//config/features:go_default_library",
Expand Down
10 changes: 9 additions & 1 deletion cmd/validator/web/web.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@ package web

import (
"fmt"
"path/filepath"

"github.com/prysmaticlabs/prysm/v5/api"
"github.com/prysmaticlabs/prysm/v5/cmd"
"github.com/prysmaticlabs/prysm/v5/cmd/validator/flags"
"github.com/prysmaticlabs/prysm/v5/config/features"
Expand All @@ -24,6 +26,7 @@ var Commands = &cli.Command{
flags.WalletDirFlag,
flags.GRPCGatewayHost,
flags.GRPCGatewayPort,
flags.AuthTokenPathFlag,
cmd.AcceptTosFlag,
}),
Before: func(cliCtx *cli.Context) error {
Expand All @@ -43,7 +46,12 @@ var Commands = &cli.Command{
gatewayHost := cliCtx.String(flags.GRPCGatewayHost.Name)
gatewayPort := cliCtx.Int(flags.GRPCGatewayPort.Name)
validatorWebAddr := fmt.Sprintf("%s:%d", gatewayHost, gatewayPort)
if err := rpc.CreateAuthToken(walletDirPath, validatorWebAddr); err != nil {
authTokenPath := filepath.Join(walletDirPath, api.AuthTokenFileName)
tempAuthTokenPath := cliCtx.String(flags.AuthTokenPathFlag.Name)
if tempAuthTokenPath != "" {
authTokenPath = tempAuthTokenPath
}
if err := rpc.CreateAuthToken(authTokenPath, validatorWebAddr); err != nil {
log.WithError(err).Fatal("Could not create web auth token")
}
return nil
Expand Down
12 changes: 12 additions & 0 deletions validator/node/node.go
Original file line number Diff line number Diff line change
Expand Up @@ -639,6 +639,17 @@ func (c *ValidatorClient) registerRPCService(router *mux.Router) error {
walletDir := c.cliCtx.String(flags.WalletDirFlag.Name)
grpcHeaders := c.cliCtx.String(flags.GrpcHeadersFlag.Name)
clientCert := c.cliCtx.String(flags.CertFlag.Name)

authTokenPath := c.cliCtx.String(flags.AuthTokenPathFlag.Name)
// if no auth token path flag was passed try to set a default value
if authTokenPath == "" {
authTokenPath = flags.AuthTokenPathFlag.Value
// if a wallet dir is passed without an auth token then override the default with the wallet dir
if walletDir != "" {
authTokenPath = filepath.Join(walletDir, api.AuthTokenFileName)
}
}

server := rpc.NewServer(c.cliCtx.Context, &rpc.Config{
ValDB: c.db,
Host: rpcHost,
Expand All @@ -648,6 +659,7 @@ func (c *ValidatorClient) registerRPCService(router *mux.Router) error {
SyncChecker: vs,
GenesisFetcher: vs,
NodeGatewayEndpoint: nodeGatewayEndpoint,
AuthTokenPath: authTokenPath,
WalletDir: walletDir,
Wallet: c.wallet,
ValidatorGatewayHost: validatorGatewayHost,
Expand Down
2 changes: 1 addition & 1 deletion validator/rpc/BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,6 @@ go_library(
"//consensus-types/primitives:go_default_library",
"//consensus-types/validator:go_default_library",
"//crypto/bls:go_default_library",
"//crypto/rand:go_default_library",
"//encoding/bytesutil:go_default_library",
"//io/file:go_default_library",
"//io/logs:go_default_library",
Expand Down Expand Up @@ -148,6 +147,7 @@ go_test(
"@com_github_gorilla_mux//:go_default_library",
"@com_github_grpc_ecosystem_grpc_gateway_v2//runtime:go_default_library",
"@com_github_pkg_errors//:go_default_library",
"@com_github_sirupsen_logrus//hooks/test:go_default_library",
"@com_github_tyler_smith_go_bip39//:go_default_library",
"@com_github_wealdtech_go_eth2_wallet_encryptor_keystorev4//:go_default_library",
"@org_golang_google_grpc//:go_default_library",
Expand Down
Loading

0 comments on commit b7813e7

Please sign in to comment.