-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
consistent auth token for validator apis #13747
Conversation
validator/rpc/intercepter.go
Outdated
_, err := jwt.Parse(token, s.validateJWT) | ||
if err != nil { | ||
return status.Errorf(codes.Unauthenticated, "Could not parse JWT token: %v", err) | ||
if token != s.authToken || s.authToken == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should empty string be allowed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO, no.
When clicking on the link, got:
|
cmd/validator/flags/flags.go
Outdated
|
||
// AuthTokenPathFlag defines the path to the auth token used to secure the validator api. | ||
AuthTokenPathFlag = &cli.StringFlag{ | ||
Name: "token", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
token
name could make the user believe he would write the token itself after --token
, while actually --token
waits for a path to a file containing a token.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
lets change the name
@@ -43,7 +45,12 @@ var Commands = &cli.Command{ | |||
gatewayHost := cliCtx.String(flags.GRPCGatewayHost.Name) | |||
gatewayPort := cliCtx.Int(flags.GRPCGatewayPort.Name) | |||
validatorWebAddr := fmt.Sprintf("%s:%d", gatewayHost, gatewayPort) | |||
if err := rpc.CreateAuthToken(walletDirPath, validatorWebAddr); err != nil { | |||
authTokenPath := filepath.Join(walletDirPath, api.AuthTokenFileName) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
--help
does not show any description:
➜ prysm git:(auth-token) ✗ bazel run //cmd/validator -- --holesky web
INFO: Analyzed target //cmd/validator:validator (0 packages loaded, 0 targets configured).
INFO: From GoLink cmd/validator/validator_/validator:
ld: warning: ignoring duplicate libraries: '-lc++', '-lm'
INFO: Found 1 target...
Target //cmd/validator:validator up-to-date:
bazel-bin/cmd/validator/validator_/validator
INFO: Elapsed time: 2.016s, Critical Path: 1.74s
INFO: 3 processes: 1 internal, 2 darwin-sandbox.
INFO: Build completed successfully, 3 total actions
INFO: Running command line: bazel-bin/cmd/validator/validator_/validator --holesky web
NAME:
validator web - Defines commands for interacting with the Prysm web interface.
USAGE:
validator web command [command options] [arguments...]
COMMANDS:
generate-auth-token
help, h Shows a list of commands or help for one command
@@ -43,7 +45,12 @@ var Commands = &cli.Command{ | |||
gatewayHost := cliCtx.String(flags.GRPCGatewayHost.Name) | |||
gatewayPort := cliCtx.Int(flags.GRPCGatewayPort.Name) | |||
validatorWebAddr := fmt.Sprintf("%s:%d", gatewayHost, gatewayPort) | |||
if err := rpc.CreateAuthToken(walletDirPath, validatorWebAddr); err != nil { | |||
authTokenPath := filepath.Join(walletDirPath, api.AuthTokenFileName) | |||
tempAuthTokenPath := cliCtx.String(flags.AuthTokenPathFlag.Name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
AuthTokenPathFlag
is used here but not listed inFlags
.AcceptTosFlag
is listed inFlags
but not used here.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
not sure what this means, i think accepttosflag is at the edge where the command is launched
@@ -639,6 +639,15 @@ func (c *ValidatorClient) registerRPCService(router *mux.Router) error { | |||
walletDir := c.cliCtx.String(flags.WalletDirFlag.Name) | |||
grpcHeaders := c.cliCtx.String(flags.GrpcHeadersFlag.Name) | |||
clientCert := c.cliCtx.String(flags.CertFlag.Name) | |||
|
|||
authTokenPath := c.cliCtx.String(flags.AuthTokenPathFlag.Name) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe it would be worth to add some comments here to explain how c.cliCtx.String(flags.AuthTokenPathFlag.Name)
could be ""
while flags.AuthTokenPathFlag.Name
is not ""
.
validator/rpc/auth_token.go
Outdated
jwtKeyHex := strings.TrimSpace(lines[0]) | ||
secret, err = hex.DecodeString(jwtKeyHex) | ||
if err != nil { | ||
return |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No test covers this case.
validator/rpc/intercepter.go
Outdated
_, err := jwt.Parse(token, s.validateJWT) | ||
if err != nil { | ||
return status.Errorf(codes.Unauthenticated, "Could not parse JWT token: %v", err) | ||
if token != s.authToken || s.authToken == "" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IMO, no.
validator/rpc/server.go
Outdated
} | ||
|
||
if server.authTokenPath != "" { | ||
log.Infof("at server start %s", server.authTokenPath) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
[2024-03-18 11:07:50] INFO rpc: at server start /Users/manu/Library/Eth2Validators/prysm-wallet-v2/auth-token
This log does not start with a capital letter and is not very clear to me.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this should be removed*
api/jwt.go
Outdated
n, err := randGen.Read(secret) | ||
if err != nil { | ||
return "", err | ||
} else if n <= 0 { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we even need this check? According to the doc it's the length of the slice and we already know it's 32. If you insist on having it, then it should be n != 32
.
func (r *Rand) Read(p []byte) (n int, err error)
Read generates len(p) random bytes and writes them into p. It always returns len(p) and a nil error.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this was something existing i just left it as is
Co-authored-by: Radosław Kapka <rkapka@wp.pl>
Co-authored-by: Radosław Kapka <rkapka@wp.pl>
Co-authored-by: Radosław Kapka <rkapka@wp.pl>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The changes make sense to me, but the only concern is just trying it out at runtime to be safe
Name: "keymanager-token-file", | ||
Usage: "Path to auth token file used for validator apis.", | ||
Value: filepath.Join(filepath.Join(DefaultValidatorDir(), WalletDefaultDirName), api.AuthTokenFileName), | ||
Aliases: []string{"validator-api-bearer-file"}, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we should probably include the term jwt
here, for when people grep through help text
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nvm...seems like the old thing is called jwt
@@ -106,16 +92,20 @@ func (s *Server) refreshAuthTokenFromFileChanges(ctx context.Context, authTokenP | |||
} | |||
for { | |||
select { | |||
case <-watcher.Events: | |||
case event := <-watcher.Events: | |||
if event.Op.String() == "REMOVE" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
should we trim string or any other safe things here to make sure we don't miss this request?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah I can add something or see if there is a safer way to do this
out on vacation, raul reviewed and oked it, other items will be addressed in a followup pr
merging in with smaller items taken care of in a separate PR. tested locally via webui |
* GET * POST * Revert "Auxiliary commit to revert individual files from 615feb1" This reverts commit 55cf071c684019f3d6124179154c10b2277fda49. * comment fix * deepsource config values block protos get_committee_indices proto and ssz attestation interface Revert "Auxiliary commit to revert individual files from deadb21" This reverts commit 32ad5009537bc5ec0e6caf9f52143d380d00be85. todos get_attesting_indices Revert "Auxiliary commit to revert individual files from dd27897" This reverts commit f39644ed3cb6f3964fc6c86fdf4bd5de2a9668c8. beacon spec changes Fix pending attestation. Build ok Don't return error that can be internally handled (#13887) Co-authored-by: Kasey Kirkham <kasey@users.noreply.github.com> consistent auth token for validator apis (#13747) * wip * fixing tests * adding more tests especially to handle legacy * fixing linting * fixing deepsource issues and flags * fixing some deepsource issues,pathing issues, and logs * some review items * adding additional review feedback * updating to follow updates from ethereum/keymanager-APIs#74 * adjusting functions to match changes in keymanagers PR * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <rkapka@wp.pl> * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <rkapka@wp.pl> * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <rkapka@wp.pl> * review feedback --------- Co-authored-by: Radosław Kapka <rkapka@wp.pl> Use correct port for health check in Beacon API e2e evaluator (#13892) Change example.org DNS record (#13904) DNS Changed for this record causing tests to fail Co-authored-by: Radosław Kapka <rkapka@wp.pl> Electra beacon config (#13907) * Update spectests to v1.5.0 * Add electra config * Fix tests in beacon-chain/rpc/eth/config * gofmt Simplify prune invalid by reusing existing fork choice store call (#13878) Do not remove blobs DB in slasher. (#13881) Refactor beacon-chain/core/helpers tests to be black box (#13906) spectests: fail hard on missing test folders (#13913) Revert "zig: Update zig to recent main branch commit (#13142)" (#13908) This reverts commit b24b60d. Remove EnableEIP4881 flag (#13826) * Remove EnableEIP4881 flag * Gaz * Fix missing error handler * Remove old tree and fix tests * Gaz * Fix build import * Replace depositcache * Add pendingDeposit tests * Nishant's fix * Fix unsafe uint64 to int * Fix other unsafe uint64 to int * Remove: RemovePendingDeposit * Deprecate and remove DisableEIP4881 flag * Check: index not greater than deposit count * Move index check Protobufs for Electra devnet-0 (#13905) * block protos * proto and ssz * stubs * Enable Electra spec test * Pull in EIP-7251 protobuf changes From: #13903 * All EIP7549 containers are passing * All EIP7251 containers passing * including changes from eip7002 * Everything passing except for beacon state hash tree root * fixing eletra state to use electra payload * Fix minimal test. Skip beacon state test * Perston's feedback --------- Co-authored-by: rkapka <radoslaw.kapka@gmail.com> Co-authored-by: james-prysm <james@prysmaticlabs.com> use [32]byte keys in the filesystem cache (#13885) Co-authored-by: Kasey Kirkham <kasey@users.noreply.github.com> Electra: full beacon config (#13918) * Electra: full beacon config Fix TestGetSpec * Fix beacon config spec compliance test so that it properly loads the config from spec tests. Tests failing for now. * fix tests and comply with spec presets beacon-chain/cache: Convert tests to cache_test blackbox testing (#13920) * beacon-chain/cache: convert to blackbox tests (package cache_test) * Move balanceCacheKey to its own file to satisify go fuzz build Electra: Minor proto changes, cloner additions (#13923) * Electra: more proto changes * Roundtrip test for cloners Electra: HTR util for DepositReceipt and ExecutionLayerWithdrawalRequest (#13924) * Electra: HTR utils for DepositReceipts and ExecutionLayerWithdrawalRequests * Tests for HTR utils Electra: beacon-chain/core/helpers (#13921) * Electra helpers * Electra helper tests and other fixes * @terencechain feedback Electra: add electra version Electra: consensus types gocognit exclusion @potuz's suggestion build fix interfaces for indexed att and slashing indexed att usage BuildSignedBeaconBlockFromExecutionPayload slashing usage grpc stubs remove unused methods Electra attestation interfaces
* wip * fixing tests * adding more tests especially to handle legacy * fixing linting * fixing deepsource issues and flags * fixing some deepsource issues,pathing issues, and logs * some review items * adding additional review feedback * updating to follow updates from ethereum/keymanager-APIs#74 * adjusting functions to match changes in keymanagers PR * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <rkapka@wp.pl> * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <rkapka@wp.pl> * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <rkapka@wp.pl> * review feedback --------- Co-authored-by: Radosław Kapka <rkapka@wp.pl>
* wip * fixing tests * adding more tests especially to handle legacy * fixing linting * fixing deepsource issues and flags * fixing some deepsource issues,pathing issues, and logs * some review items * adding additional review feedback * updating to follow updates from ethereum/keymanager-APIs#74 * adjusting functions to match changes in keymanagers PR * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <rkapka@wp.pl> * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <rkapka@wp.pl> * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <rkapka@wp.pl> * review feedback --------- Co-authored-by: Radosław Kapka <rkapka@wp.pl>
What type of PR is this?
Other
What does this PR do? Why is it needed?
This PR gives the capabilities to set an auth token via flag, it also removes the jwt component and simply uses the value as an opaque token.
a documentation page should be updated following this change https://docs.prylabs.network/docs/execution-node/authentication
Which issues(s) does this PR fix?
related to ethereum/keymanager-APIs#74
Other notes for review