Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

cmd/geth, node, rpc: implement jwt tokens #24364

Merged
merged 9 commits into from Mar 7, 2022

Conversation

holiman
Copy link
Contributor

@holiman holiman commented Feb 9, 2022

This PR implements support for JWT. An rpc.API can now be Authenticated, meaning that it will only be exposed over an authenticated API point, meaning:

  • ipc,
  • or http endpoint with jwt support,
  • or ws endpoint with jwt support.

The jwt-secret can be given via CLI param, loaded like the nodeKey (i.e: loaded or generated+stored).
While the node is setting up the RPC endpoints, if it detects that there are Authenticated services, a new servre will be created. For now, using the port 8551 for both http and ws.

I think this PR does not break existing functionality in master, but will cause breakage in --catalyst mode. The idea is to be able to merge this into master, and then make the TheMerge branches make use of it.

This PR does not implement client-side suport, doing e.g geth attach ws://localhost:8551 --jwt-secret 0x.... Might be better to do that in a separate PR(?)

@fjl
Copy link
Contributor

fjl commented Feb 11, 2022

I will add support in client later.

@holiman
Copy link
Contributor Author

holiman commented Feb 16, 2022

Some testvectors extracted from the testcase here

Current time: 1644994971, secret: 736563726574
Exp ok: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp ok: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzV9.QRtFFE5NnbK_mMu-3qtPGPiAgTRCvb-Z1Ti_uwBjgDk"
Exp ok: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5Njd9.lJP7Nw_Lio-gP78ZW-Uv3PVdLbuaIMVgU9uvLw1V1BY"
Exp ok: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDQ5OTQ5NzMsImlhdCI6MTY0NDk5NDk3MX0.1RVPaAjpjQWFqm33C87zdUThUbob96C5SHBVn_LDLDc"
Exp ok: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJiYXIiOiJiYXoiLCJpYXQiOjE2NDQ5OTQ5NzF9.EU7c1vsCWHU9fCV888yf1IwJR7uczhk5pKCB6CAd_NI"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5Nzd9.r_MM-6TLGUtsf_EalbJKxgO-Vw6LOkTEqKjcEBSCRHw"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NjV9.sWMMjsne2hK0S20OL3lP_qVvnGIGvBc5fa7sUvJUiqM"
Exp fail: "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzV9.Av2ZI-xeXA8-VuSoYxCsnn0cCg_4St2zOSgFKbvsS1ObTZKLeltSV4CcTcraukYL_HNun3rI4iDjDxs6EJgbCA"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDQ5OTQ5NzEsImlhdCI6MTY0NDk5NDk3MX0.Nc6fT-W8bknDUqnjEwHKLreTguYgzMBlbsPAMO2OOHM"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.t-IDcSemACt8x4iTMCda8Yhe3iZaWbvV5XKSTbuAn0M"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.tICF9zHKdMOwccLLA2LGqbA_P1X8WHD-KMe5R4GpgkE"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.JxoxCpDIzhNLqBCvSWJjddHQ87SynxgwTjJP0-PapA4"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.JxoxCpDIzhNLqBCvSWJjddHQ87SynxgwTjJP0-PapA4"
Exp fail: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp fail: "Bearer  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp fail: "bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp fail: "Bearer: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp fail: "Bearer:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp fail: "Bearer\teyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp fail: "Bearer \teyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"

@MariusVanDerWijden
Copy link
Member

MariusVanDerWijden commented Feb 17, 2022

diff --git a/cmd/clef/main.go b/cmd/clef/main.go
index 3aaf898db..f7c3adebc 100644
--- a/cmd/clef/main.go
+++ b/cmd/clef/main.go
@@ -661,7 +661,7 @@ func signer(c *cli.Context) error {
                if err != nil {
                        utils.Fatalf("Could not register API: %w", err)
                }
-               handler := node.NewHTTPHandlerStack(srv, cors, vhosts)
+               handler := node.NewHTTPHandlerStack(srv, cors, vhosts, nil)
 
                // set port
                port := c.Int(rpcPortFlag.Name)

cmd/utils/flags.go Outdated Show resolved Hide resolved
node/node.go Outdated Show resolved Hide resolved
cmd/utils/flags.go Outdated Show resolved Hide resolved
node/config.go Show resolved Hide resolved
cmd/utils/flags.go Outdated Show resolved Hide resolved
node/node.go Outdated Show resolved Hide resolved
node/node.go Show resolved Hide resolved
node/node.go Outdated Show resolved Hide resolved
node/node.go Outdated Show resolved Hide resolved
node/config.go Outdated Show resolved Hide resolved
@karalabe karalabe added this to the 1.10.17 milestone Mar 7, 2022
Copy link
Member

@karalabe karalabe left a comment

SGTM

@karalabe karalabe merged commit 4860e50 into ethereum:master Mar 7, 2022
1 check failed
sidhujag added a commit to syscoin/go-ethereum that referenced this issue Mar 8, 2022
JacekGlen pushed a commit to JacekGlen/go-ethereum that referenced this issue May 26, 2022
* rpc, node: refactor request validation and add jwt validation

* node, rpc: fix error message, ignore engine api in RegisterAPIs

* node: make authenticated port configurable

* eth/catalyst: enable unauthenticated version of engine api

* node: rework obtainjwtsecret (backport later)

* cmd/geth: added auth port flag

* node: happy lint, happy life

* node: refactor authenticated api

Modifies the authentication mechanism to use default values

* node: trim spaces and newline away from secret

Co-authored-by: Marius van der Wijden <m.vanderwijden@live.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

4 participants