consistent auth token for validator apis #13747
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
james-prysm
added
Validator Client
UX
james-prysm
commented
Mar 15, 2024
validator/rpc/intercepter.go
Outdated
| _, err := jwt.Parse(token, s.validateJWT) | ||
| if err != nil { | ||
| return status.Errorf(codes.Unauthenticated, "Could not parse JWT token: %v", err) | ||
| if token != s.authToken || s.authToken == "" { |
There was a problem hiding this comment.
should empty string be allowed?
james-prysm
commented
Mar 15, 2024
james-prysm
commented
Mar 15, 2024
james-prysm
requested review from
potuz,
rkapka,
nisdas and
nalepae
and removed request for
potuz
|
When clicking on the link, got:
|
nalepae
previously requested changes
Mar 18, 2024
cmd/validator/flags/flags.go
Outdated
|
|
||
| // AuthTokenPathFlag defines the path to the auth token used to secure the validator api. | ||
| AuthTokenPathFlag = &cli.StringFlag{ | ||
| Name: "token", |
There was a problem hiding this comment.
token name could make the user believe he would write the token itself after --token, while actually --token waits for a path to a file containing a token.
There was a problem hiding this comment.
lets change the name
| @@ -43,7 +45,12 @@ var Commands = &cli.Command{ | |||
| gatewayHost := cliCtx.String(flags.GRPCGatewayHost.Name) | |||
| gatewayPort := cliCtx.Int(flags.GRPCGatewayPort.Name) | |||
| validatorWebAddr := fmt.Sprintf("%s:%d", gatewayHost, gatewayPort) | |||
| if err := rpc.CreateAuthToken(walletDirPath, validatorWebAddr); err != nil { | |||
| authTokenPath := filepath.Join(walletDirPath, api.AuthTokenFileName) | |||
There was a problem hiding this comment.
--help does not show any description:
➜ prysm git:(auth-token) ✗ bazel run //cmd/validator -- --holesky web
INFO: Analyzed target //cmd/validator:validator (0 packages loaded, 0 targets configured).
INFO: From GoLink cmd/validator/validator_/validator:
ld: warning: ignoring duplicate libraries: '-lc++', '-lm'
INFO: Found 1 target...
Target //cmd/validator:validator up-to-date:
bazel-bin/cmd/validator/validator_/validator
INFO: Elapsed time: 2.016s, Critical Path: 1.74s
INFO: 3 processes: 1 internal, 2 darwin-sandbox.
INFO: Build completed successfully, 3 total actions
INFO: Running command line: bazel-bin/cmd/validator/validator_/validator --holesky web
NAME:
validator web - Defines commands for interacting with the Prysm web interface.
USAGE:
validator web command [command options] [arguments...]
COMMANDS:
generate-auth-token
help, h Shows a list of commands or help for one command
| @@ -43,7 +45,12 @@ var Commands = &cli.Command{ | |||
| gatewayHost := cliCtx.String(flags.GRPCGatewayHost.Name) | |||
| gatewayPort := cliCtx.Int(flags.GRPCGatewayPort.Name) | |||
| validatorWebAddr := fmt.Sprintf("%s:%d", gatewayHost, gatewayPort) | |||
| if err := rpc.CreateAuthToken(walletDirPath, validatorWebAddr); err != nil { | |||
| authTokenPath := filepath.Join(walletDirPath, api.AuthTokenFileName) | |||
| tempAuthTokenPath := cliCtx.String(flags.AuthTokenPathFlag.Name) | |||
There was a problem hiding this comment.
AuthTokenPathFlagis used here but not listed inFlags.AcceptTosFlagis listed inFlagsbut not used here.
There was a problem hiding this comment.
not sure what this means, i think accepttosflag is at the edge where the command is launched
| @@ -639,6 +639,15 @@ func (c *ValidatorClient) registerRPCService(router *mux.Router) error { | |||
| walletDir := c.cliCtx.String(flags.WalletDirFlag.Name) | |||
| grpcHeaders := c.cliCtx.String(flags.GrpcHeadersFlag.Name) | |||
| clientCert := c.cliCtx.String(flags.CertFlag.Name) | |||
|
|
|||
| authTokenPath := c.cliCtx.String(flags.AuthTokenPathFlag.Name) | |||
There was a problem hiding this comment.
Maybe it would be worth to add some comments here to explain how c.cliCtx.String(flags.AuthTokenPathFlag.Name) could be "" while flags.AuthTokenPathFlag.Name is not "".
validator/rpc/auth_token.go
Outdated
| jwtKeyHex := strings.TrimSpace(lines[0]) | ||
| secret, err = hex.DecodeString(jwtKeyHex) | ||
| if err != nil { | ||
| return |
validator/rpc/intercepter.go
Outdated
| _, err := jwt.Parse(token, s.validateJWT) | ||
| if err != nil { | ||
| return status.Errorf(codes.Unauthenticated, "Could not parse JWT token: %v", err) | ||
| if token != s.authToken || s.authToken == "" { |
validator/rpc/server.go
Outdated
| } | ||
|
|
||
| if server.authTokenPath != "" { | ||
| log.Infof("at server start %s", server.authTokenPath) |
There was a problem hiding this comment.
[2024-03-18 11:07:50] INFO rpc: at server start /Users/manu/Library/Eth2Validators/prysm-wallet-v2/auth-token
This log does not start with a capital letter and is not very clear to me.
There was a problem hiding this comment.
this should be removed*
rkapka
reviewed
Mar 29, 2024
api/jwt.go
Outdated
| n, err := randGen.Read(secret) | ||
| if err != nil { | ||
| return "", err | ||
| } else if n <= 0 { |
There was a problem hiding this comment.
Do we even need this check? According to the doc it's the length of the slice and we already know it's 32. If you insist on having it, then it should be n != 32.
func (r *Rand) Read(p []byte) (n int, err error)
Read generates len(p) random bytes and writes them into p. It always returns len(p) and a nil error.
There was a problem hiding this comment.
this was something existing i just left it as is
nalepae
reviewed
Mar 29, 2024
Co-authored-by: Radosław Kapka <[email protected]>
Co-authored-by: Radosław Kapka <[email protected]>
Co-authored-by: Radosław Kapka <[email protected]>
rauljordan
approved these changes
Apr 17, 2024
| Name: "keymanager-token-file", | ||
| Usage: "Path to auth token file used for validator apis.", | ||
| Value: filepath.Join(filepath.Join(DefaultValidatorDir(), WalletDefaultDirName), api.AuthTokenFileName), | ||
| Aliases: []string{"validator-api-bearer-file"}, |
There was a problem hiding this comment.
we should probably include the term jwt here, for when people grep through help text
There was a problem hiding this comment.
nvm...seems like the old thing is called jwt
| @@ -106,16 +92,20 @@ func (s *Server) refreshAuthTokenFromFileChanges(ctx context.Context, authTokenP | |||
| } | |||
| for { | |||
| select { | |||
| case <-watcher.Events: | |||
| case event := <-watcher.Events: | |||
| if event.Op.String() == "REMOVE" { | |||
There was a problem hiding this comment.
should we trim string or any other safe things here to make sure we don't miss this request?
There was a problem hiding this comment.
yeah I can add something or see if there is a safer way to do this
james-prysm
dismissed
nalepae’s stale review
out on vacation, raul reviewed and oked it, other items will be addressed in a followup pr
|
merging in with smaller items taken care of in a separate PR. tested locally via webui |
rkapka
added a commit
that referenced
this pull request
Apr 30, 2024
* GET * POST * Revert "Auxiliary commit to revert individual files from 615feb1" This reverts commit 55cf071c684019f3d6124179154c10b2277fda49. * comment fix * deepsource config values block protos get_committee_indices proto and ssz attestation interface Revert "Auxiliary commit to revert individual files from deadb21" This reverts commit 32ad5009537bc5ec0e6caf9f52143d380d00be85. todos get_attesting_indices Revert "Auxiliary commit to revert individual files from dd27897" This reverts commit f39644ed3cb6f3964fc6c86fdf4bd5de2a9668c8. beacon spec changes Fix pending attestation. Build ok Don't return error that can be internally handled (#13887) Co-authored-by: Kasey Kirkham <[email protected]> consistent auth token for validator apis (#13747) * wip * fixing tests * adding more tests especially to handle legacy * fixing linting * fixing deepsource issues and flags * fixing some deepsource issues,pathing issues, and logs * some review items * adding additional review feedback * updating to follow updates from ethereum/keymanager-APIs#74 * adjusting functions to match changes in keymanagers PR * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <[email protected]> * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <[email protected]> * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <[email protected]> * review feedback --------- Co-authored-by: Radosław Kapka <[email protected]> Use correct port for health check in Beacon API e2e evaluator (#13892) Change example.org DNS record (#13904) DNS Changed for this record causing tests to fail Co-authored-by: Radosław Kapka <[email protected]> Electra beacon config (#13907) * Update spectests to v1.5.0 * Add electra config * Fix tests in beacon-chain/rpc/eth/config * gofmt Simplify prune invalid by reusing existing fork choice store call (#13878) Do not remove blobs DB in slasher. (#13881) Refactor beacon-chain/core/helpers tests to be black box (#13906) spectests: fail hard on missing test folders (#13913) Revert "zig: Update zig to recent main branch commit (#13142)" (#13908) This reverts commit b24b60d. Remove EnableEIP4881 flag (#13826) * Remove EnableEIP4881 flag * Gaz * Fix missing error handler * Remove old tree and fix tests * Gaz * Fix build import * Replace depositcache * Add pendingDeposit tests * Nishant's fix * Fix unsafe uint64 to int * Fix other unsafe uint64 to int * Remove: RemovePendingDeposit * Deprecate and remove DisableEIP4881 flag * Check: index not greater than deposit count * Move index check Protobufs for Electra devnet-0 (#13905) * block protos * proto and ssz * stubs * Enable Electra spec test * Pull in EIP-7251 protobuf changes From: #13903 * All EIP7549 containers are passing * All EIP7251 containers passing * including changes from eip7002 * Everything passing except for beacon state hash tree root * fixing eletra state to use electra payload * Fix minimal test. Skip beacon state test * Perston's feedback --------- Co-authored-by: rkapka <[email protected]> Co-authored-by: james-prysm <[email protected]> use [32]byte keys in the filesystem cache (#13885) Co-authored-by: Kasey Kirkham <[email protected]> Electra: full beacon config (#13918) * Electra: full beacon config Fix TestGetSpec * Fix beacon config spec compliance test so that it properly loads the config from spec tests. Tests failing for now. * fix tests and comply with spec presets beacon-chain/cache: Convert tests to cache_test blackbox testing (#13920) * beacon-chain/cache: convert to blackbox tests (package cache_test) * Move balanceCacheKey to its own file to satisify go fuzz build Electra: Minor proto changes, cloner additions (#13923) * Electra: more proto changes * Roundtrip test for cloners Electra: HTR util for DepositReceipt and ExecutionLayerWithdrawalRequest (#13924) * Electra: HTR utils for DepositReceipts and ExecutionLayerWithdrawalRequests * Tests for HTR utils Electra: beacon-chain/core/helpers (#13921) * Electra helpers * Electra helper tests and other fixes * @terencechain feedback Electra: add electra version Electra: consensus types gocognit exclusion @potuz's suggestion build fix interfaces for indexed att and slashing indexed att usage BuildSignedBeaconBlockFromExecutionPayload slashing usage grpc stubs remove unused methods Electra attestation interfaces
rkapka
added a commit
that referenced
this pull request
Apr 30, 2024
* wip * fixing tests * adding more tests especially to handle legacy * fixing linting * fixing deepsource issues and flags * fixing some deepsource issues,pathing issues, and logs * some review items * adding additional review feedback * updating to follow updates from ethereum/keymanager-APIs#74 * adjusting functions to match changes in keymanagers PR * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <[email protected]> * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <[email protected]> * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <[email protected]> * review feedback --------- Co-authored-by: Radosław Kapka <[email protected]>
nisdas
pushed a commit
that referenced
this pull request
Jul 4, 2024
* wip * fixing tests * adding more tests especially to handle legacy * fixing linting * fixing deepsource issues and flags * fixing some deepsource issues,pathing issues, and logs * some review items * adding additional review feedback * updating to follow updates from ethereum/keymanager-APIs#74 * adjusting functions to match changes in keymanagers PR * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <[email protected]> * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <[email protected]> * Update validator/rpc/auth_token.go Co-authored-by: Radosław Kapka <[email protected]> * review feedback --------- Co-authored-by: Radosław Kapka <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What type of PR is this?
Other
What does this PR do? Why is it needed?
This PR gives the capabilities to set an auth token via flag, it also removes the jwt component and simply uses the value as an opaque token.
a documentation page should be updated following this change https://docs.prylabs.network/docs/execution-node/authentication
Which issues(s) does this PR fix?
related to ethereum/keymanager-APIs#74
Other notes for review