Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

consistent auth token for validator apis #13747

Merged
merged 26 commits into from
Apr 18, 2024
Merged
Show file tree
Hide file tree
Changes from 18 commits
Commits
Show all changes
26 commits
Select commit Hold shift + click to select a range
b5dfd5e
wip
james-prysm Mar 14, 2024
d575b2f
fixing tests
james-prysm Mar 14, 2024
ad72aa4
adding more tests especially to handle legacy
james-prysm Mar 15, 2024
cb156d7
fixing linting
james-prysm Mar 15, 2024
3629ebe
Merge branch 'develop' into auth-token
james-prysm Mar 15, 2024
82c0b33
fixing deepsource issues and flags
james-prysm Mar 15, 2024
7435093
fixing some deepsource issues,pathing issues, and logs
james-prysm Mar 15, 2024
352812c
Merge branch 'develop' into auth-token
james-prysm Mar 18, 2024
76920bd
Merge branch 'develop' into auth-token
james-prysm Mar 20, 2024
4f7ad89
some review items
james-prysm Mar 21, 2024
377f53b
Merge branch 'develop' into auth-token
james-prysm Mar 21, 2024
722c096
Merge branch 'develop' into auth-token
james-prysm Mar 21, 2024
4a0fc69
adding additional review feedback
james-prysm Mar 21, 2024
6d20c9b
Merge branch 'develop' into auth-token
james-prysm Mar 22, 2024
a2c9e52
Merge branch 'develop' into auth-token
james-prysm Mar 28, 2024
2b9eda6
updating to follow updates from https://github.com/ethereum/keymanage…
james-prysm Mar 28, 2024
1173ad8
adjusting functions to match changes in keymanagers PR
james-prysm Mar 28, 2024
415f6ad
Merge branch 'develop' into auth-token
james-prysm Mar 28, 2024
00a2ca6
Update validator/rpc/auth_token.go
james-prysm Mar 29, 2024
6a01eb4
Update validator/rpc/auth_token.go
james-prysm Mar 29, 2024
9b2c1e3
Update validator/rpc/auth_token.go
james-prysm Mar 29, 2024
ad42e4b
Merge branch 'develop' into auth-token
james-prysm Mar 29, 2024
25741af
review feedback
james-prysm Mar 29, 2024
e96ca2c
Merge branch 'develop' into auth-token
james-prysm Mar 29, 2024
2af2f05
Merge branch 'develop' into auth-token
james-prysm Apr 16, 2024
2aea1c9
Merge branch 'develop' into auth-token
james-prysm Apr 17, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 14 additions & 1 deletion api/BUILD.bazel
Original file line number Diff line number Diff line change
@@ -1,11 +1,24 @@
load("@prysm//tools/go:def.bzl", "go_library")
load("@prysm//tools/go:def.bzl", "go_library", "go_test")

go_library(
name = "go_default_library",
srcs = [
"constants.go",
"headers.go",
"jwt.go",
],
importpath = "github.com/prysmaticlabs/prysm/v5/api",
visibility = ["//visibility:public"],
deps = [
"//crypto/rand:go_default_library",
"@com_github_ethereum_go_ethereum//common/hexutil:go_default_library",
"@com_github_pkg_errors//:go_default_library",
],
)

go_test(
name = "go_default_test",
srcs = ["jwt_test.go"],
embed = [":go_default_library"],
deps = ["//testing/require:go_default_library"],
)
2 changes: 2 additions & 0 deletions api/constants.go
Original file line number Diff line number Diff line change
Expand Up @@ -4,4 +4,6 @@ const (
WebUrlPrefix = "/v2/validator/"
WebApiUrlPrefix = "/api/v2/validator/"
KeymanagerApiPrefix = "/eth/v1"

AuthTokenFileName = "auth-token"
)
32 changes: 32 additions & 0 deletions api/jwt.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,32 @@
package api

import (
"github.com/ethereum/go-ethereum/common/hexutil"
"github.com/pkg/errors"
"github.com/prysmaticlabs/prysm/v5/crypto/rand"
)

// GenerateRandomHexString generates a random hex string that follows the standards for jwt token
// used for beacon node -> execution client
// used for web client -> validator client
func GenerateRandomHexString() (string, error) {
secret := make([]byte, 32)
randGen := rand.NewGenerator()
n, err := randGen.Read(secret)
if err != nil {
return "", err
} else if n <= 0 {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we even need this check? According to the doc it's the length of the slice and we already know it's 32. If you insist on having it, then it should be n != 32.

func (r *Rand) Read(p []byte) (n int, err error)
Read generates len(p) random bytes and writes them into p. It always returns len(p) and a nil error.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this was something existing i just left it as is

return "", errors.New("rand: unexpected length")
}
return hexutil.Encode(secret), nil
}

// ValidateAuthToken validating auth token for web
func ValidateAuthToken(token string) error {
b, err := hexutil.Decode(token)
// token should be hex-encoded and at least 256 bits
if err != nil || len(b) < 32 {
return errors.New("invalid auth token: token should be hex-encoded and at least 256 bits")
}
return nil
}
13 changes: 13 additions & 0 deletions api/jwt_test.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
package api

import (
"testing"

"github.com/prysmaticlabs/prysm/v5/testing/require"
)

func TestGenerateRandomHexString(t *testing.T) {
token, err := GenerateRandomHexString()
require.NoError(t, err)
require.NoError(t, ValidateAuthToken(token))
}
3 changes: 1 addition & 2 deletions cmd/beacon-chain/jwt/BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -6,10 +6,9 @@ go_library(
importpath = "github.com/prysmaticlabs/prysm/v5/cmd/beacon-chain/jwt",
visibility = ["//visibility:public"],
deps = [
"//api:go_default_library",
"//cmd:go_default_library",
"//crypto/rand:go_default_library",
"//io/file:go_default_library",
"@com_github_ethereum_go_ethereum//common/hexutil:go_default_library",
"@com_github_sirupsen_logrus//:go_default_library",
"@com_github_urfave_cli_v2//:go_default_library",
],
Expand Down
18 changes: 2 additions & 16 deletions cmd/beacon-chain/jwt/jwt.go
Original file line number Diff line number Diff line change
@@ -1,12 +1,10 @@
package jwt

import (
"errors"
"path/filepath"

"github.com/ethereum/go-ethereum/common/hexutil"
"github.com/prysmaticlabs/prysm/v5/api"
"github.com/prysmaticlabs/prysm/v5/cmd"
"github.com/prysmaticlabs/prysm/v5/crypto/rand"
"github.com/prysmaticlabs/prysm/v5/io/file"
"github.com/sirupsen/logrus"
"github.com/urfave/cli/v2"
Expand Down Expand Up @@ -52,7 +50,7 @@ func generateAuthSecretInFile(c *cli.Context) error {
return err
}
}
secret, err := generateRandomHexString()
secret, err := api.GenerateRandomHexString()
if err != nil {
return err
}
Expand All @@ -62,15 +60,3 @@ func generateAuthSecretInFile(c *cli.Context) error {
logrus.Infof("Successfully wrote JSON-RPC authentication secret to file %s", fileName)
return nil
}

func generateRandomHexString() (string, error) {
secret := make([]byte, 32)
randGen := rand.NewGenerator()
n, err := randGen.Read(secret)
if err != nil {
return "", err
} else if n <= 0 {
return "", errors.New("rand: unexpected length")
}
return hexutil.Encode(secret), nil
}
1 change: 1 addition & 0 deletions cmd/validator/flags/BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ go_library(
"//validator:__subpackages__",
],
deps = [
"//api:go_default_library",
"//config/params:go_default_library",
"//io/file:go_default_library",
"@com_github_urfave_cli_v2//:go_default_library",
Expand Down
10 changes: 10 additions & 0 deletions cmd/validator/flags/flags.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
"runtime"
"time"

"github.com/prysmaticlabs/prysm/v5/api"
"github.com/prysmaticlabs/prysm/v5/config/params"
"github.com/prysmaticlabs/prysm/v5/io/file"
"github.com/urfave/cli/v2"
Expand Down Expand Up @@ -133,6 +134,15 @@ var (
Usage: "Port used to listening and respond metrics for Prometheus.",
Value: 8081,
}

// AuthTokenPathFlag defines the path to the auth token used to secure the validator api.
AuthTokenPathFlag = &cli.StringFlag{
Name: "keymanager-token-file",
Usage: "Path to auth token file used for validator apis",
james-prysm marked this conversation as resolved.
Show resolved Hide resolved
Value: filepath.Join(filepath.Join(DefaultValidatorDir(), WalletDefaultDirName), api.AuthTokenFileName),
Aliases: []string{"validator-api-bearer-file"},
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

we should probably include the term jwt here, for when people grep through help text

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nvm...seems like the old thing is called jwt

}

// WalletDirFlag defines the path to a wallet directory for Prysm accounts.
WalletDirFlag = &cli.StringFlag{
Name: "wallet-dir",
Expand Down
1 change: 1 addition & 0 deletions cmd/validator/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -75,6 +75,7 @@ var appFlags = []cli.Flag{
flags.EnableWebFlag,
flags.GraffitiFileFlag,
flags.EnableDistributed,
flags.AuthTokenPathFlag,
// Consensys' Web3Signer flags
flags.Web3SignerURLFlag,
flags.Web3SignerPublicValidatorKeysFlag,
Expand Down
1 change: 1 addition & 0 deletions cmd/validator/usage.go
Original file line number Diff line number Diff line change
Expand Up @@ -123,6 +123,7 @@ var appHelpFlagGroups = []flagGroup{
flags.BuilderGasLimitFlag,
flags.ValidatorsRegistrationBatchSizeFlag,
flags.EnableDistributed,
flags.AuthTokenPathFlag,
},
},
{
Expand Down
1 change: 1 addition & 0 deletions cmd/validator/web/BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ go_library(
importpath = "github.com/prysmaticlabs/prysm/v5/cmd/validator/web",
visibility = ["//visibility:public"],
deps = [
"//api:go_default_library",
"//cmd:go_default_library",
"//cmd/validator/flags:go_default_library",
"//config/features:go_default_library",
Expand Down
10 changes: 9 additions & 1 deletion cmd/validator/web/web.go
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,9 @@ package web

import (
"fmt"
"path/filepath"

"github.com/prysmaticlabs/prysm/v5/api"
"github.com/prysmaticlabs/prysm/v5/cmd"
"github.com/prysmaticlabs/prysm/v5/cmd/validator/flags"
"github.com/prysmaticlabs/prysm/v5/config/features"
Expand All @@ -24,6 +26,7 @@ var Commands = &cli.Command{
flags.WalletDirFlag,
flags.GRPCGatewayHost,
flags.GRPCGatewayPort,
flags.AuthTokenPathFlag,
cmd.AcceptTosFlag,
}),
Before: func(cliCtx *cli.Context) error {
Expand All @@ -43,7 +46,12 @@ var Commands = &cli.Command{
gatewayHost := cliCtx.String(flags.GRPCGatewayHost.Name)
gatewayPort := cliCtx.Int(flags.GRPCGatewayPort.Name)
validatorWebAddr := fmt.Sprintf("%s:%d", gatewayHost, gatewayPort)
if err := rpc.CreateAuthToken(walletDirPath, validatorWebAddr); err != nil {
authTokenPath := filepath.Join(walletDirPath, api.AuthTokenFileName)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

--help does not show any description:

➜  prysm git:(auth-token) ✗ bazel run //cmd/validator -- --holesky web
INFO: Analyzed target //cmd/validator:validator (0 packages loaded, 0 targets configured).
INFO: From GoLink cmd/validator/validator_/validator:
ld: warning: ignoring duplicate libraries: '-lc++', '-lm'
INFO: Found 1 target...
Target //cmd/validator:validator up-to-date:
  bazel-bin/cmd/validator/validator_/validator
INFO: Elapsed time: 2.016s, Critical Path: 1.74s
INFO: 3 processes: 1 internal, 2 darwin-sandbox.
INFO: Build completed successfully, 3 total actions
INFO: Running command line: bazel-bin/cmd/validator/validator_/validator --holesky web
NAME:
   validator web - Defines commands for interacting with the Prysm web interface.

USAGE:
   validator web command [command options] [arguments...]

COMMANDS:
   generate-auth-token
   help, h              Shows a list of commands or help for one command

tempAuthTokenPath := cliCtx.String(flags.AuthTokenPathFlag.Name)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  • AuthTokenPathFlag is used here but not listed in Flags.
  • AcceptTosFlag is listed in Flags but not used here.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure what this means, i think accepttosflag is at the edge where the command is launched

if tempAuthTokenPath != "" {
authTokenPath = tempAuthTokenPath
}
if err := rpc.CreateAuthToken(authTokenPath, validatorWebAddr); err != nil {
log.WithError(err).Fatal("Could not create web auth token")
}
return nil
Expand Down
12 changes: 12 additions & 0 deletions validator/node/node.go
Original file line number Diff line number Diff line change
Expand Up @@ -639,6 +639,17 @@ func (c *ValidatorClient) registerRPCService(router *mux.Router) error {
walletDir := c.cliCtx.String(flags.WalletDirFlag.Name)
grpcHeaders := c.cliCtx.String(flags.GrpcHeadersFlag.Name)
clientCert := c.cliCtx.String(flags.CertFlag.Name)

authTokenPath := c.cliCtx.String(flags.AuthTokenPathFlag.Name)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe it would be worth to add some comments here to explain how c.cliCtx.String(flags.AuthTokenPathFlag.Name) could be "" while flags.AuthTokenPathFlag.Name is not "".

// if no auth token path flag was passed try to set a default value
if authTokenPath == "" {
authTokenPath = flags.AuthTokenPathFlag.Value
// if a wallet dir is passed without an auth token then override the default with the wallet dir
if walletDir != "" {
authTokenPath = filepath.Join(walletDir, api.AuthTokenFileName)
}
}

server := rpc.NewServer(c.cliCtx.Context, &rpc.Config{
ValDB: c.db,
Host: rpcHost,
Expand All @@ -648,6 +659,7 @@ func (c *ValidatorClient) registerRPCService(router *mux.Router) error {
SyncChecker: vs,
GenesisFetcher: vs,
NodeGatewayEndpoint: nodeGatewayEndpoint,
AuthTokenPath: authTokenPath,
WalletDir: walletDir,
Wallet: c.wallet,
ValidatorGatewayHost: validatorGatewayHost,
Expand Down
2 changes: 1 addition & 1 deletion validator/rpc/BUILD.bazel
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,6 @@ go_library(
"//consensus-types/primitives:go_default_library",
"//consensus-types/validator:go_default_library",
"//crypto/bls:go_default_library",
"//crypto/rand:go_default_library",
"//encoding/bytesutil:go_default_library",
"//io/file:go_default_library",
"//io/logs:go_default_library",
Expand Down Expand Up @@ -148,6 +147,7 @@ go_test(
"@com_github_gorilla_mux//:go_default_library",
"@com_github_grpc_ecosystem_grpc_gateway_v2//runtime:go_default_library",
"@com_github_pkg_errors//:go_default_library",
"@com_github_sirupsen_logrus//hooks/test:go_default_library",
"@com_github_tyler_smith_go_bip39//:go_default_library",
"@com_github_wealdtech_go_eth2_wallet_encryptor_keystorev4//:go_default_library",
"@org_golang_google_grpc//:go_default_library",
Expand Down
Loading
Loading