consistent auth token for validator apis (#13747)

* wip

* fixing tests

* adding more tests especially to handle legacy

* fixing linting

* fixing deepsource issues and flags

* fixing some deepsource issues,pathing issues, and logs

* some review items

* adding additional review feedback

* updating to follow updates from ethereum/keymanager-APIs#74

* adjusting functions to match changes in keymanagers PR

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* review feedback

---------

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

api/BUILD.bazel

@@ -1,11 +1,24 @@
-load("@prysm//tools/go:def.bzl", "go_library")
+load("@prysm//tools/go:def.bzl", "go_library", "go_test")
 
 go_library(
     name = "go_default_library",
     srcs = [
         "constants.go",
         "headers.go",
+        "jwt.go",
     ],
     importpath = "github.com/prysmaticlabs/prysm/v5/api",
     visibility = ["//visibility:public"],
+    deps = [
+        "//crypto/rand:go_default_library",
+        "@com_github_ethereum_go_ethereum//common/hexutil:go_default_library",
+        "@com_github_pkg_errors//:go_default_library",
+    ],
+)
+
+go_test(
+    name = "go_default_test",
+    srcs = ["jwt_test.go"],
+    embed = [":go_default_library"],
+    deps = ["//testing/require:go_default_library"],
 )

api/constants.go

@@ -4,4 +4,6 @@ const (
 	WebUrlPrefix        = "/v2/validator/"
 	WebApiUrlPrefix     = "/api/v2/validator/"
 	KeymanagerApiPrefix = "/eth/v1"
+
+	AuthTokenFileName = "auth-token"
 )

api/jwt.go

@@ -0,0 +1,32 @@
+package api
+
+import (
+	"github.com/ethereum/go-ethereum/common/hexutil"
+	"github.com/pkg/errors"
+	"github.com/prysmaticlabs/prysm/v5/crypto/rand"
+)
+
+// GenerateRandomHexString generates a random hex string that follows the standards for jwt token
+// used for beacon node -> execution client
+// used for web client -> validator client
+func GenerateRandomHexString() (string, error) {
+	secret := make([]byte, 32)
+	randGen := rand.NewGenerator()
+	n, err := randGen.Read(secret)
+	if err != nil {
+		return "", err
+	} else if n != 32 {
+		return "", errors.New("rand: unexpected length")
+	}
+	return hexutil.Encode(secret), nil
+}
+
+// ValidateAuthToken validating auth token for web
+func ValidateAuthToken(token string) error {
+	b, err := hexutil.Decode(token)
+	// token should be hex-encoded and at least 256 bits
+	if err != nil || len(b) < 32 {
+		return errors.New("invalid auth token: token should be hex-encoded and at least 256 bits")
+	}
+	return nil
+}

api/jwt_test.go

@@ -0,0 +1,13 @@
+package api
+
+import (
+	"testing"
+
+	"github.com/prysmaticlabs/prysm/v5/testing/require"
+)
+
+func TestGenerateRandomHexString(t *testing.T) {
+	token, err := GenerateRandomHexString()
+	require.NoError(t, err)
+	require.NoError(t, ValidateAuthToken(token))
+}

cmd/beacon-chain/jwt/BUILD.bazel

@@ -6,10 +6,9 @@ go_library(
     importpath = "github.com/prysmaticlabs/prysm/v5/cmd/beacon-chain/jwt",
     visibility = ["//visibility:public"],
     deps = [
+        "//api:go_default_library",
         "//cmd:go_default_library",
-        "//crypto/rand:go_default_library",
         "//io/file:go_default_library",
-        "@com_github_ethereum_go_ethereum//common/hexutil:go_default_library",
         "@com_github_sirupsen_logrus//:go_default_library",
         "@com_github_urfave_cli_v2//:go_default_library",
     ],

cmd/beacon-chain/jwt/jwt.go

@@ -1,12 +1,10 @@
 package jwt
 
 import (
-	"errors"
 	"path/filepath"
 
-	"github.com/ethereum/go-ethereum/common/hexutil"
+	"github.com/prysmaticlabs/prysm/v5/api"
 	"github.com/prysmaticlabs/prysm/v5/cmd"
-	"github.com/prysmaticlabs/prysm/v5/crypto/rand"
 	"github.com/prysmaticlabs/prysm/v5/io/file"
 	"github.com/sirupsen/logrus"
 	"github.com/urfave/cli/v2"
@@ -52,7 +50,7 @@ func generateAuthSecretInFile(c *cli.Context) error {
 			return err
 		}
 	}
-	secret, err := generateRandomHexString()
+	secret, err := api.GenerateRandomHexString()
 	if err != nil {
 		return err
 	}
@@ -62,15 +60,3 @@ func generateAuthSecretInFile(c *cli.Context) error {
 	logrus.Infof("Successfully wrote JSON-RPC authentication secret to file %s", fileName)
 	return nil
 }
-
-func generateRandomHexString() (string, error) {
-	secret := make([]byte, 32)
-	randGen := rand.NewGenerator()
-	n, err := randGen.Read(secret)
-	if err != nil {
-		return "", err
-	} else if n <= 0 {
-		return "", errors.New("rand: unexpected length")
-	}
-	return hexutil.Encode(secret), nil
-}

cmd/validator/flags/BUILD.bazel

@@ -15,6 +15,7 @@ go_library(
         "//validator:__subpackages__",
     ],
     deps = [
+        "//api:go_default_library",
         "//config/params:go_default_library",
         "//io/file:go_default_library",
         "@com_github_urfave_cli_v2//:go_default_library",

cmd/validator/flags/flags.go

@@ -8,6 +8,7 @@ import (
 	"runtime"
 	"time"
 
+	"github.com/prysmaticlabs/prysm/v5/api"
 	"github.com/prysmaticlabs/prysm/v5/config/params"
 	"github.com/prysmaticlabs/prysm/v5/io/file"
 	"github.com/urfave/cli/v2"
@@ -133,6 +134,15 @@ var (
 		Usage: "Port used to listening and respond metrics for Prometheus.",
 		Value: 8081,
 	}
+
+	// AuthTokenPathFlag defines the path to the auth token used to secure the validator api.
+	AuthTokenPathFlag = &cli.StringFlag{
+		Name:    "keymanager-token-file",
+		Usage:   "Path to auth token file used for validator apis.",
+		Value:   filepath.Join(filepath.Join(DefaultValidatorDir(), WalletDefaultDirName), api.AuthTokenFileName),
+		Aliases: []string{"validator-api-bearer-file"},
+	}
+
 	// WalletDirFlag defines the path to a wallet directory for Prysm accounts.
 	WalletDirFlag = &cli.StringFlag{
 		Name:  "wallet-dir",

cmd/validator/main.go

@@ -75,6 +75,7 @@ var appFlags = []cli.Flag{
 	flags.EnableWebFlag,
 	flags.GraffitiFileFlag,
 	flags.EnableDistributed,
+	flags.AuthTokenPathFlag,
 	// Consensys' Web3Signer flags
 	flags.Web3SignerURLFlag,
 	flags.Web3SignerPublicValidatorKeysFlag,

cmd/validator/usage.go

@@ -123,6 +123,7 @@ var appHelpFlagGroups = []flagGroup{
 			flags.BuilderGasLimitFlag,
 			flags.ValidatorsRegistrationBatchSizeFlag,
 			flags.EnableDistributed,
+			flags.AuthTokenPathFlag,
 		},
 	},
 	{

cmd/validator/web/BUILD.bazel

@@ -9,6 +9,7 @@ go_library(
     importpath = "github.com/prysmaticlabs/prysm/v5/cmd/validator/web",
     visibility = ["//visibility:public"],
     deps = [
+        "//api:go_default_library",
         "//cmd:go_default_library",
         "//cmd/validator/flags:go_default_library",
         "//config/features:go_default_library",

cmd/validator/web/web.go

@@ -2,7 +2,9 @@ package web
 
 import (
 	"fmt"
+	"path/filepath"
 
+	"github.com/prysmaticlabs/prysm/v5/api"
 	"github.com/prysmaticlabs/prysm/v5/cmd"
 	"github.com/prysmaticlabs/prysm/v5/cmd/validator/flags"
 	"github.com/prysmaticlabs/prysm/v5/config/features"
@@ -24,6 +26,7 @@ var Commands = &cli.Command{
 				flags.WalletDirFlag,
 				flags.GRPCGatewayHost,
 				flags.GRPCGatewayPort,
+				flags.AuthTokenPathFlag,
 				cmd.AcceptTosFlag,
 			}),
 			Before: func(cliCtx *cli.Context) error {
@@ -43,7 +46,12 @@ var Commands = &cli.Command{
 				gatewayHost := cliCtx.String(flags.GRPCGatewayHost.Name)
 				gatewayPort := cliCtx.Int(flags.GRPCGatewayPort.Name)
 				validatorWebAddr := fmt.Sprintf("%s:%d", gatewayHost, gatewayPort)
-				if err := rpc.CreateAuthToken(walletDirPath, validatorWebAddr); err != nil {
+				authTokenPath := filepath.Join(walletDirPath, api.AuthTokenFileName)
+				tempAuthTokenPath := cliCtx.String(flags.AuthTokenPathFlag.Name)
+				if tempAuthTokenPath != "" {
+					authTokenPath = tempAuthTokenPath
+				}
+				if err := rpc.CreateAuthToken(authTokenPath, validatorWebAddr); err != nil {
 					log.WithError(err).Fatal("Could not create web auth token")
 				}
 				return nil

validator/node/node.go

@@ -639,6 +639,17 @@ func (c *ValidatorClient) registerRPCService(router *mux.Router) error {
 	walletDir := c.cliCtx.String(flags.WalletDirFlag.Name)
 	grpcHeaders := c.cliCtx.String(flags.GrpcHeadersFlag.Name)
 	clientCert := c.cliCtx.String(flags.CertFlag.Name)
+
+	authTokenPath := c.cliCtx.String(flags.AuthTokenPathFlag.Name)
+	// if no auth token path flag was passed try to set a default value
+	if authTokenPath == "" {
+		authTokenPath = flags.AuthTokenPathFlag.Value
+		// if a wallet dir is passed without an auth token then override the default with the wallet dir
+		if walletDir != "" {
+			authTokenPath = filepath.Join(walletDir, api.AuthTokenFileName)
+		}
+	}
+
 	server := rpc.NewServer(c.cliCtx.Context, &rpc.Config{
 		ValDB:                    c.db,
 		Host:                     rpcHost,
@@ -648,6 +659,7 @@ func (c *ValidatorClient) registerRPCService(router *mux.Router) error {
 		SyncChecker:              vs,
 		GenesisFetcher:           vs,
 		NodeGatewayEndpoint:      nodeGatewayEndpoint,
+		AuthTokenPath:            authTokenPath,
 		WalletDir:                walletDir,
 		Wallet:                   c.wallet,
 		ValidatorGatewayHost:     validatorGatewayHost,

validator/rpc/BUILD.bazel

@@ -38,7 +38,6 @@ go_library(
         "//consensus-types/primitives:go_default_library",
         "//consensus-types/validator:go_default_library",
         "//crypto/bls:go_default_library",
-        "//crypto/rand:go_default_library",
         "//encoding/bytesutil:go_default_library",
         "//io/file:go_default_library",
         "//io/logs:go_default_library",
@@ -148,6 +147,7 @@ go_test(
         "@com_github_gorilla_mux//:go_default_library",
         "@com_github_grpc_ecosystem_grpc_gateway_v2//runtime:go_default_library",
         "@com_github_pkg_errors//:go_default_library",
+        "@com_github_sirupsen_logrus//hooks/test:go_default_library",
         "@com_github_tyler_smith_go_bip39//:go_default_library",
         "@com_github_wealdtech_go_eth2_wallet_encryptor_keystorev4//:go_default_library",
         "@org_golang_google_grpc//:go_default_library",