Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

consistent auth token for validator apis #13747

Merged
merged 26 commits into from
Apr 18, 2024
Merged

consistent auth token for validator apis #13747

merged 26 commits into from
Apr 18, 2024

Conversation

james-prysm
Copy link
Contributor

@james-prysm james-prysm commented Mar 14, 2024

What type of PR is this?

Other

What does this PR do? Why is it needed?

This PR gives the capabilities to set an auth token via flag, it also removes the jwt component and simply uses the value as an opaque token.

a documentation page should be updated following this change https://docs.prylabs.network/docs/execution-node/authentication

Which issues(s) does this PR fix?

related to ethereum/keymanager-APIs#74

Other notes for review

@james-prysm james-prysm added Validator Client UX cosmetic / user experience related API Api related tasks labels Mar 14, 2024
@james-prysm james-prysm added the Blocked Blocked by research or external factors label Mar 15, 2024
_, err := jwt.Parse(token, s.validateJWT)
if err != nil {
return status.Errorf(codes.Unauthenticated, "Could not parse JWT token: %v", err)
if token != s.authToken || s.authToken == "" {
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should empty string be allowed?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO, no.

@james-prysm james-prysm marked this pull request as ready for review March 15, 2024 22:22
@james-prysm james-prysm requested a review from a team as a code owner March 15, 2024 22:22
@james-prysm james-prysm requested review from potuz, rkapka, nisdas and nalepae and removed request for potuz March 15, 2024 22:22
@nalepae
Copy link
Contributor

nalepae commented Mar 18, 2024

When clicking on the link, got:

[2024-03-18 11:15:44]  INFO rpc: Once your validator process is running, navigate to the link below to authenticate with the Prysm web interface
[2024-03-18 11:15:44]  INFO rpc: http://127.0.0.1:7500/initialize?token=<xxx>
bazel run //cmd/validator -- --holesky --wallet-password-file /Users/manu/Downloads/password.txt --suggested-fee-recipient <yyy> --enable-beacon-rest-api --rpc

image


// AuthTokenPathFlag defines the path to the auth token used to secure the validator api.
AuthTokenPathFlag = &cli.StringFlag{
Name: "token",
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

token name could make the user believe he would write the token itself after --token, while actually --token waits for a path to a file containing a token.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lets change the name

@@ -43,7 +45,12 @@ var Commands = &cli.Command{
gatewayHost := cliCtx.String(flags.GRPCGatewayHost.Name)
gatewayPort := cliCtx.Int(flags.GRPCGatewayPort.Name)
validatorWebAddr := fmt.Sprintf("%s:%d", gatewayHost, gatewayPort)
if err := rpc.CreateAuthToken(walletDirPath, validatorWebAddr); err != nil {
authTokenPath := filepath.Join(walletDirPath, api.AuthTokenFileName)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--help does not show any description:

➜  prysm git:(auth-token) ✗ bazel run //cmd/validator -- --holesky web
INFO: Analyzed target //cmd/validator:validator (0 packages loaded, 0 targets configured).
INFO: From GoLink cmd/validator/validator_/validator:
ld: warning: ignoring duplicate libraries: '-lc++', '-lm'
INFO: Found 1 target...
Target //cmd/validator:validator up-to-date:
  bazel-bin/cmd/validator/validator_/validator
INFO: Elapsed time: 2.016s, Critical Path: 1.74s
INFO: 3 processes: 1 internal, 2 darwin-sandbox.
INFO: Build completed successfully, 3 total actions
INFO: Running command line: bazel-bin/cmd/validator/validator_/validator --holesky web
NAME:
   validator web - Defines commands for interacting with the Prysm web interface.

USAGE:
   validator web command [command options] [arguments...]

COMMANDS:
   generate-auth-token
   help, h              Shows a list of commands or help for one command

@@ -43,7 +45,12 @@ var Commands = &cli.Command{
gatewayHost := cliCtx.String(flags.GRPCGatewayHost.Name)
gatewayPort := cliCtx.Int(flags.GRPCGatewayPort.Name)
validatorWebAddr := fmt.Sprintf("%s:%d", gatewayHost, gatewayPort)
if err := rpc.CreateAuthToken(walletDirPath, validatorWebAddr); err != nil {
authTokenPath := filepath.Join(walletDirPath, api.AuthTokenFileName)
tempAuthTokenPath := cliCtx.String(flags.AuthTokenPathFlag.Name)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • AuthTokenPathFlag is used here but not listed in Flags.
  • AcceptTosFlag is listed in Flags but not used here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure what this means, i think accepttosflag is at the edge where the command is launched

@@ -639,6 +639,15 @@ func (c *ValidatorClient) registerRPCService(router *mux.Router) error {
walletDir := c.cliCtx.String(flags.WalletDirFlag.Name)
grpcHeaders := c.cliCtx.String(flags.GrpcHeadersFlag.Name)
clientCert := c.cliCtx.String(flags.CertFlag.Name)

authTokenPath := c.cliCtx.String(flags.AuthTokenPathFlag.Name)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it would be worth to add some comments here to explain how c.cliCtx.String(flags.AuthTokenPathFlag.Name) could be "" while flags.AuthTokenPathFlag.Name is not "".

validator/rpc/auth_token.go Outdated Show resolved Hide resolved
jwtKeyHex := strings.TrimSpace(lines[0])
secret, err = hex.DecodeString(jwtKeyHex)
if err != nil {
return
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No test covers this case.

_, err := jwt.Parse(token, s.validateJWT)
if err != nil {
return status.Errorf(codes.Unauthenticated, "Could not parse JWT token: %v", err)
if token != s.authToken || s.authToken == "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO, no.

}

if server.authTokenPath != "" {
log.Infof("at server start %s", server.authTokenPath)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[2024-03-18 11:07:50]  INFO rpc: at server start /Users/manu/Library/Eth2Validators/prysm-wallet-v2/auth-token

This log does not start with a capital letter and is not very clear to me.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should be removed*

api/jwt.go Outdated
n, err := randGen.Read(secret)
if err != nil {
return "", err
} else if n <= 0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we even need this check? According to the doc it's the length of the slice and we already know it's 32. If you insist on having it, then it should be n != 32.

func (r *Rand) Read(p []byte) (n int, err error)
Read generates len(p) random bytes and writes them into p. It always returns len(p) and a nil error.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was something existing i just left it as is

validator/rpc/auth_token.go Outdated Show resolved Hide resolved
validator/rpc/auth_token.go Outdated Show resolved Hide resolved
validator/rpc/auth_token.go Show resolved Hide resolved
validator/rpc/auth_token.go Outdated Show resolved Hide resolved
james-prysm and others added 4 commits March 29, 2024 09:04
Co-authored-by: Radosław Kapka <rkapka@wp.pl>
Co-authored-by: Radosław Kapka <rkapka@wp.pl>
Co-authored-by: Radosław Kapka <rkapka@wp.pl>
Copy link
Contributor

@rauljordan rauljordan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes make sense to me, but the only concern is just trying it out at runtime to be safe

Name: "keymanager-token-file",
Usage: "Path to auth token file used for validator apis.",
Value: filepath.Join(filepath.Join(DefaultValidatorDir(), WalletDefaultDirName), api.AuthTokenFileName),
Aliases: []string{"validator-api-bearer-file"},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should probably include the term jwt here, for when people grep through help text

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nvm...seems like the old thing is called jwt

@@ -106,16 +92,20 @@ func (s *Server) refreshAuthTokenFromFileChanges(ctx context.Context, authTokenP
}
for {
select {
case <-watcher.Events:
case event := <-watcher.Events:
if event.Op.String() == "REMOVE" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we trim string or any other safe things here to make sure we don't miss this request?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yeah I can add something or see if there is a safer way to do this

@james-prysm james-prysm removed the Blocked Blocked by research or external factors label Apr 18, 2024
@james-prysm james-prysm dismissed nalepae’s stale review April 18, 2024 16:26

out on vacation, raul reviewed and oked it, other items will be addressed in a followup pr

@james-prysm
Copy link
Contributor Author

merging in with smaller items taken care of in a separate PR. tested locally via webui

@james-prysm james-prysm added this pull request to the merge queue Apr 18, 2024
Merged via the queue into develop with commit feb16ae Apr 18, 2024
16 of 17 checks passed
@james-prysm james-prysm deleted the auth-token branch April 18, 2024 16:33
rkapka added a commit that referenced this pull request Apr 30, 2024
* GET

* POST

* Revert "Auxiliary commit to revert individual files from 615feb1"

This reverts commit 55cf071c684019f3d6124179154c10b2277fda49.

* comment fix

* deepsource

config values

block protos

get_committee_indices

proto and ssz

attestation interface

Revert "Auxiliary commit to revert individual files from deadb21"

This reverts commit 32ad5009537bc5ec0e6caf9f52143d380d00be85.

todos

get_attesting_indices

Revert "Auxiliary commit to revert individual files from dd27897"

This reverts commit f39644ed3cb6f3964fc6c86fdf4bd5de2a9668c8.

beacon spec changes

Fix pending attestation. Build ok

Don't return error that can be internally handled (#13887)

Co-authored-by: Kasey Kirkham <kasey@users.noreply.github.com>

consistent auth token for validator apis (#13747)

* wip

* fixing tests

* adding more tests especially to handle legacy

* fixing linting

* fixing deepsource issues and flags

* fixing some deepsource issues,pathing issues, and logs

* some review items

* adding additional review feedback

* updating to follow updates from ethereum/keymanager-APIs#74

* adjusting functions to match changes in keymanagers PR

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* review feedback

---------

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

Use correct port for health check in Beacon API e2e evaluator (#13892)

Change example.org DNS record (#13904)

DNS Changed for this record causing tests to fail

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

Electra beacon config (#13907)

* Update spectests to v1.5.0

* Add electra config

* Fix tests in beacon-chain/rpc/eth/config

* gofmt

Simplify prune invalid by reusing existing fork choice store call (#13878)

Do not remove blobs DB in slasher. (#13881)

Refactor beacon-chain/core/helpers tests to be black box (#13906)

spectests: fail hard on missing test folders (#13913)

Revert "zig: Update zig to recent main branch commit (#13142)" (#13908)

This reverts commit b24b60d.

Remove EnableEIP4881 flag (#13826)

* Remove EnableEIP4881 flag

* Gaz

* Fix missing error handler

* Remove old tree and fix tests

* Gaz

* Fix build import

* Replace depositcache

* Add pendingDeposit tests

* Nishant's fix

* Fix unsafe uint64 to int

* Fix other unsafe uint64 to int

* Remove: RemovePendingDeposit

* Deprecate and remove DisableEIP4881 flag

* Check: index not greater than deposit count

* Move index check

Protobufs for Electra devnet-0  (#13905)

* block protos

* proto and ssz

* stubs

* Enable Electra spec test

* Pull in EIP-7251 protobuf changes

From: #13903

* All EIP7549 containers are passing

* All EIP7251 containers passing

* including changes from eip7002

* Everything passing except for beacon state hash tree root

* fixing eletra state to use electra payload

* Fix minimal test. Skip beacon state test

* Perston's feedback

---------

Co-authored-by: rkapka <radoslaw.kapka@gmail.com>
Co-authored-by: james-prysm <james@prysmaticlabs.com>

use [32]byte keys in the filesystem cache (#13885)

Co-authored-by: Kasey Kirkham <kasey@users.noreply.github.com>

Electra: full beacon config (#13918)

* Electra: full beacon config

Fix TestGetSpec

* Fix beacon config spec compliance test so that it properly loads the config from spec tests. Tests failing for now.

* fix tests and comply with spec presets

beacon-chain/cache: Convert tests to cache_test blackbox testing (#13920)

* beacon-chain/cache: convert to blackbox tests (package cache_test)

* Move balanceCacheKey to its own file to satisify go fuzz build

Electra: Minor proto changes, cloner additions (#13923)

* Electra: more proto changes

* Roundtrip test for cloners

Electra: HTR util for DepositReceipt and ExecutionLayerWithdrawalRequest (#13924)

* Electra: HTR utils for DepositReceipts and ExecutionLayerWithdrawalRequests

* Tests for HTR utils

Electra: beacon-chain/core/helpers  (#13921)

* Electra helpers

* Electra helper tests and other fixes

* @terencechain feedback

Electra: add electra version

Electra: consensus types

gocognit exclusion

@potuz's suggestion

build fix

interfaces for indexed att and slashing

indexed att usage

BuildSignedBeaconBlockFromExecutionPayload

slashing usage

grpc stubs

remove unused methods

Electra attestation interfaces
rkapka added a commit that referenced this pull request Apr 30, 2024
* wip

* fixing tests

* adding more tests especially to handle legacy

* fixing linting

* fixing deepsource issues and flags

* fixing some deepsource issues,pathing issues, and logs

* some review items

* adding additional review feedback

* updating to follow updates from ethereum/keymanager-APIs#74

* adjusting functions to match changes in keymanagers PR

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* review feedback

---------

Co-authored-by: Radosław Kapka <rkapka@wp.pl>
nisdas pushed a commit that referenced this pull request Jul 4, 2024
* wip

* fixing tests

* adding more tests especially to handle legacy

* fixing linting

* fixing deepsource issues and flags

* fixing some deepsource issues,pathing issues, and logs

* some review items

* adding additional review feedback

* updating to follow updates from ethereum/keymanager-APIs#74

* adjusting functions to match changes in keymanagers PR

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* Update validator/rpc/auth_token.go

Co-authored-by: Radosław Kapka <rkapka@wp.pl>

* review feedback

---------

Co-authored-by: Radosław Kapka <rkapka@wp.pl>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
API Api related tasks UX cosmetic / user experience related Validator Client
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants