From d7c2b9fbbdf69529905750f70af5a35c3aae423f Mon Sep 17 00:00:00 2001
From: rauljordan
Date: Fri, 26 Jun 2020 15:34:07 -0500
Subject: [PATCH 1/4] begin with generating self-signed certs by default
---
 beacon-chain/rpc/BUILD.bazel | 5 +-
 beacon-chain/rpc/service.go | 35 +++++++++---
 beacon-chain/rpc/tls.go | 106 +++++++++++++++++++++++++++++++++++
 3 files changed, 136 insertions(+), 10 deletions(-)
 create mode 100644 beacon-chain/rpc/tls.go
diff --git a/beacon-chain/rpc/BUILD.bazel b/beacon-chain/rpc/BUILD.bazel
index 15f0129ba871..69349f692391 100644
--- a/beacon-chain/rpc/BUILD.bazel
+++ b/beacon-chain/rpc/BUILD.bazel
@@ -3,7 +3,10 @@ load("@io_bazel_rules_go//go:def.bzl", "go_test")
 
 go_library(
 name = "go_default_library",
- srcs = ["service.go"],
+ srcs = [
+ "service.go",
+ "tls.go",
+ ],
 importpath = "github.com/prysmaticlabs/prysm/beacon-chain/rpc",
 visibility = ["//beacon-chain:__subpackages__"],
 deps = [
diff --git a/beacon-chain/rpc/service.go b/beacon-chain/rpc/service.go
index 8b9df15c392c..2cbe660e172d 100644
--- a/beacon-chain/rpc/service.go
+++ b/beacon-chain/rpc/service.go
@@ -12,6 +12,13 @@ import (
 grpc_opentracing "github.com/grpc-ecosystem/go-grpc-middleware/tracing/opentracing"
 grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
 ethpb "github.com/prysmaticlabs/ethereumapis/eth/v1alpha1"
+ "github.com/sirupsen/logrus"
+ "go.opencensus.io/plugin/ocgrpc"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
+ "google.golang.org/grpc/peer"
+ "google.golang.org/grpc/reflection"
+
 "github.com/prysmaticlabs/prysm/beacon-chain/blockchain"
 "github.com/prysmaticlabs/prysm/beacon-chain/cache"
 "github.com/prysmaticlabs/prysm/beacon-chain/cache/depositcache"
@@ -36,12 +43,6 @@ import (
 "github.com/prysmaticlabs/prysm/shared/featureconfig"
 "github.com/prysmaticlabs/prysm/shared/params"
 "github.com/prysmaticlabs/prysm/shared/traceutil"
- "github.com/sirupsen/logrus"
- "go.opencensus.io/plugin/ocgrpc"
- "google.golang.org/grpc"
- "google.golang.org/grpc/credentials"
- "google.golang.org/grpc/peer"
- "google.golang.org/grpc/reflection"
 )
 
 var log logrus.FieldLogger
@@ -208,6 +209,16 @@ func (s *Service) Start() {
 )),
 }
 grpc_prometheus.EnableHandlingTimeHistogram()
+
+ //// Determine if no TLS certs were specified in order to generate
+ //// self-signed certificates by default for secure gRPC connections.
+ //noCert := !cliCtx.IsSet(flags.CertFlag.Name)
+ //noTLSKey := !cliCtx.IsSet(flags.KeyFlag.Name)
+ //if noCert && noTLSKey {
+ // baseDir := cliCtx.String(cmd.DataDirFlag.Name)
+ // // Generate self-signed certs.
+ //}
+
 if s.withCert != "" && s.withKey != "" {
 creds, err := credentials.NewServerTLSFromFile(s.withCert, s.withKey)
 if err != nil {
@@ -216,9 +227,15 @@ func (s *Service) Start() {
 }
 opts = append(opts, grpc.Creds(creds))
 } else {
- log.Warn("You are using an insecure gRPC server. If you are running your beacon node and " +
- "validator on the same machines, you can ignore this message. If you want to know " +
- "how to enable secure connections, see: https://docs.prylabs.network/docs/prysm-usage/secure-grpc")
+ //if s.insecureGRPC {
+ //
+ //}
+ //log.Warn("You are using an insecure gRPC server. If you are running your beacon node and " +
+ // "validator on the same machines, you can ignore this message. If you want to know " +
+ // "how to enable secure connections, see: https://docs.prylabs.network/docs/prysm-usage/secure-grpc")
+
+ // Generate self-signed certs by default
+ generateSelfSignedCerts()
 }
 
 s.grpcServer = grpc.NewServer(opts...)
diff --git a/beacon-chain/rpc/tls.go b/beacon-chain/rpc/tls.go
new file mode 100644
index 000000000000..ac274962cab5
--- /dev/null
+++ b/beacon-chain/rpc/tls.go
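Review bot: `generateSelfSignedCerts()` in the new else branch writes files but nothing here loads them, so `opts` still carries no `grpc.Creds` and the server starts in plaintext even though the insecure-server warning is now commented out. Until the generated paths are fed to `credentials.NewServerTLSFromFile` (as PATCH 2/4 of this series later does), keep the `log.Warn(...)` call live rather than commented so the weaker default stays visible to operators. The commented-out `cliCtx` block added in the previous hunk reads as scratch work and should be removed or reduced to a one-line TODO. `Start` begins and ends outside the hunk.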
@@ -0,0 +1,106 @@
+package rpc
+
+import (
+ "crypto/ecdsa"
+ "crypto/ed25519"
+ "crypto/rand"
+ "crypto/rsa"
+ "crypto/x509"
+ "crypto/x509/pkix"
+ "encoding/pem"
+ "math/big"
+ "net"
+ "os"
+ "time"
+)
+
+const (
+ rsaBits = 2048
+ validFor = 365 * 24 * time.Hour
+)
+
+func publicKey(priv interface{}) interface{} {
+ switch k := priv.(type) {
+ case *rsa.PrivateKey:
+ return &k.PublicKey
+ case *ecdsa.PrivateKey:
+ return &k.PublicKey
+ case ed25519.PrivateKey:
+ return k.Public().(ed25519.PublicKey)
+ default:
+ return nil
+ }
+}
+
+func generateSelfSignedCerts() {
+ var err error
+ priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
+ if err != nil {
+ log.Fatalf("Failed to generate private key: %v", err)
+ }
+
+ var notBefore time.Time
+ notBefore = time.Now()
+ notAfter := notBefore.Add(validFor)
+
+ serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+ serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+ if err != nil {
+ log.Fatalf("Failed to generate serial number: %v", err)
+ }
+
+ template := x509.Certificate{
+ SerialNumber: serialNumber,
+ Subject: pkix.Name{
+ Organization: []string{"Prysm"},
+ },
+ NotBefore: notBefore,
+ NotAfter: notAfter,
+ KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
+ ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
+ BasicConstraintsValid: true,
+ }
+
+ if ip := net.ParseIP("localhost"); ip != nil {
+ template.IPAddresses = append(template.IPAddresses, ip)
+ } else {
+ template.DNSNames = append(template.DNSNames, "localhost")
+ }
+
+ template.IsCA = true
+ template.KeyUsage |= x509.KeyUsageCertSign
+
+ derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
+ if err != nil {
+ log.Fatalf("Failed to create certificate: %v", err)
+ }
+
+ certOut, err := os.Create("/tmp/cert.pem")
+ if err != nil {
+ log.Fatalf("Failed to open cert.pem for writing: %v", err)
+ }
+ if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
+ log.Fatalf("Failed to write data to cert.pem: %v", err)
+ }
+ if err := certOut.Close(); err != nil {
+ log.Fatalf("Error closing cert.pem: %v", err)
+ }
+ log.Info("wrote /tmp/cert.pem")
+
+ keyOut, err := os.OpenFile("/tmp/key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+ if err != nil {
+ log.Fatalf("Failed to open key.pem for writing: %v", err)
+ return
+ }
+ privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
+ if err != nil {
+ log.Fatalf("Unable to marshal private key: %v", err)
+ }
+ if err := pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil {
+ log.Fatalf("Failed to write data to key.pem: %v", err)
+ }
+ if err := keyOut.Close(); err != nil {
+ log.Fatalf("Error closing key.pem: %v", err)
+ }
+ log.Info("Wrote /tmp/key.pem")
+}
From ccb64e2320cf4ceb816305d1169b32500c0f01cd Mon Sep 17 00:00:00 2001
From: rauljordan
Date: Fri, 26 Jun 2020 16:21:41 -0500
Subject: [PATCH 2/4] secure grpc
---
 beacon-chain/main.go | 1 +
 beacon-chain/node/node.go | 4 ++
 beacon-chain/rpc/BUILD.bazel | 3 +
 beacon-chain/rpc/service.go | 99 ++++++++++++++------------
 beacon-chain/rpc/tls.go | 81 +++++++++------------
 beacon-chain/usage.go | 1 +
 shared/cmd/flags.go | 8 ++-
 validator/client/polling/service.go | 41 +++++++----
 validator/client/streaming/service.go | 62 +++++++++++------
 validator/main.go | 1 +
 validator/node/node.go | 4 ++
 validator/usage.go | 1 +
 12 files changed, 177 insertions(+), 129 deletions(-)
diff --git a/beacon-chain/main.go b/beacon-chain/main.go
index 30585b54c071..869663b7ec5e 100644
--- a/beacon-chain/main.go
+++ b/beacon-chain/main.go
@@ -79,6 +79,7 @@ var appFlags = []cli.Flag{
 cmd.TracingEndpointFlag,
 cmd.TraceSampleFractionFlag,
 cmd.MonitoringHostFlag,
+ cmd.InsecureGRPCFlag,
 flags.MonitoringPortFlag,
 cmd.DisableMonitoringFlag,
 cmd.ClearDB,
diff --git a/beacon-chain/node/node.go b/beacon-chain/node/node.go
index 297caac00c02..4c53aefc3f9e 100644
--- a/beacon-chain/node/node.go
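Review bot: The generated files go to the fixed paths `/tmp/cert.pem` and `/tmp/key.pem`, a world-shared directory where any local user can pre-create or replace the files the node is about to trust; PATCH 2/4 moves them under the data dir, which is the right fix, so it should not land in this form. Within the function, the `return` after `log.Fatalf` in the key-file branch is unreachable, `net.ParseIP("localhost")` is always nil so the `if ip := ...` arm is dead code, and `publicKey` is never called. A leaf server certificate does not need `template.IsCA = true` or `KeyUsageCertSign`; dropping both lines keeps anything that trusts this certificate from also accepting certificates signed with it.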
+++ b/beacon-chain/node/node.go
@@ -562,20 +562,24 @@ func (b *BeaconNode) registerRPCService() error {
 port := b.cliCtx.String(flags.RPCPort.Name)
 cert := b.cliCtx.String(flags.CertFlag.Name)
 key := b.cliCtx.String(flags.KeyFlag.Name)
+ datadir := b.cliCtx.String(cmd.DataDirFlag.Name)
 slasherCert := b.cliCtx.String(flags.SlasherCertFlag.Name)
 slasherProvider := b.cliCtx.String(flags.SlasherProviderFlag.Name)
 mockEth1DataVotes := b.cliCtx.Bool(flags.InteropMockEth1DataVotesFlag.Name)
 enableDebugRPCEndpoints := b.cliCtx.Bool(flags.EnableDebugRPCEndpoints.Name)
+ insecureGRPC := b.cliCtx.Bool(cmd.InsecureGRPCFlag.Name)
 p2pService := b.fetchP2P()
 rpcService := rpc.NewService(b.ctx, &rpc.Config{
 Host: host,
 Port: port,
 CertFlag: cert,
 KeyFlag: key,
+ DataDir: datadir,
 BeaconDB: b.db,
 Broadcaster: p2pService,
 PeersFetcher: p2pService,
 PeerManager: p2pService,
+ InsecureGRPC: insecureGRPC,
 HeadFetcher: chainService,
 ForkFetcher: chainService,
 FinalizationFetcher: chainService,
diff --git a/beacon-chain/rpc/BUILD.bazel b/beacon-chain/rpc/BUILD.bazel
index 69349f692391..3c6891c61a18 100644
--- a/beacon-chain/rpc/BUILD.bazel
+++ b/beacon-chain/rpc/BUILD.bazel
@@ -33,11 +33,14 @@ go_library(
 "//proto/slashing:go_default_library",
 "//shared/featureconfig:go_default_library",
 "//shared/params:go_default_library",
+ "//shared/rand:go_default_library",
+ "//shared/roughtime:go_default_library",
 "//shared/traceutil:go_default_library",
 "@com_github_grpc_ecosystem_go_grpc_middleware//:go_default_library",
 "@com_github_grpc_ecosystem_go_grpc_middleware//recovery:go_default_library",
 "@com_github_grpc_ecosystem_go_grpc_middleware//tracing/opentracing:go_default_library",
 "@com_github_grpc_ecosystem_go_grpc_prometheus//:go_default_library",
+ "@com_github_pkg_errors//:go_default_library",
 "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
 "@com_github_sirupsen_logrus//:go_default_library",
 "@io_opencensus_go//plugin/ocgrpc:go_default_library",
diff --git a/beacon-chain/rpc/service.go b/beacon-chain/rpc/service.go
index 2cbe660e172d..4b08e2a01968 100644
--- a/beacon-chain/rpc/service.go
+++ b/beacon-chain/rpc/service.go
@@ -53,49 +53,51 @@ func init() {
 
 // Service defining an RPC server for a beacon node.
 type Service struct {
- ctx context.Context
- cancel context.CancelFunc
- beaconDB db.HeadAccessDatabase
- headFetcher blockchain.HeadFetcher
- forkFetcher blockchain.ForkFetcher
- finalizationFetcher blockchain.FinalizationFetcher
- participationFetcher blockchain.ParticipationFetcher
- genesisTimeFetcher blockchain.TimeFetcher
- genesisFetcher blockchain.GenesisFetcher
- attestationReceiver blockchain.AttestationReceiver
- blockReceiver blockchain.BlockReceiver
- powChainService powchain.Chain
- chainStartFetcher powchain.ChainStartFetcher
+ insecureGRPC bool
 mockEth1Votes bool
 enableDebugRPCEndpoints bool
- attestationsPool attestations.Pool
- exitPool *voluntaryexits.Pool
 slashingsPool *slashings.Pool
- syncService sync.Checker
- host string
- port string
- listener net.Listener
- withCert string
- withKey string
+ cancel context.CancelFunc
+ exitPool *voluntaryexits.Pool
+ slasherConn *grpc.ClientConn
+ stateGen *stategen.State
 grpcServer *grpc.Server
 canonicalStateChan chan *pbp2p.BeaconState
+ connectedRPCClients map[net.Addr]bool
 incomingAttestation chan *ethpb.Attestation
- credentialError error
- p2p p2p.Broadcaster
+ pendingDepositFetcher depositcache.PendingDepositsFetcher
 peersFetcher p2p.PeersProvider
- peerManager p2p.PeerManager
+ p2p p2p.Broadcaster
+ credentialError error
 depositFetcher depositcache.DepositFetcher
- pendingDepositFetcher depositcache.PendingDepositsFetcher
 stateNotifier statefeed.Notifier
 blockNotifier blockfeed.Notifier
+ datadir string
+ withKey string
+ withCert string
+ ctx context.Context
 operationNotifier opfeed.Notifier
- slasherConn *grpc.ClientConn
+ port string
+ host string
+ syncService sync.Checker
+ listener net.Listener
 slasherProvider string
+ attestationsPool attestations.Pool
 slasherCert string
 slasherCredentialError error
+ chainStartFetcher powchain.ChainStartFetcher
+ powChainService powchain.Chain
+ blockReceiver blockchain.BlockReceiver
+ attestationReceiver blockchain.AttestationReceiver
+ genesisFetcher blockchain.GenesisFetcher
+ genesisTimeFetcher blockchain.TimeFetcher
+ participationFetcher blockchain.ParticipationFetcher
+ finalizationFetcher blockchain.FinalizationFetcher
+ forkFetcher blockchain.ForkFetcher
+ headFetcher blockchain.HeadFetcher
+ beaconDB db.HeadAccessDatabase
 slasherClient slashpb.SlasherClient
- stateGen *stategen.State
- connectedRPCClients map[net.Addr]bool
+ peerManager p2p.PeerManager
 }
 
 // Config options for the beacon node RPC server.
@@ -104,6 +106,7 @@ type Config struct {
 Port string
 CertFlag string
 KeyFlag string
+ DataDir string
 BeaconDB db.HeadAccessDatabase
 HeadFetcher blockchain.HeadFetcher
 ForkFetcher blockchain.ForkFetcher
@@ -116,6 +119,7 @@ type Config struct {
 GenesisTimeFetcher blockchain.TimeFetcher
 GenesisFetcher blockchain.GenesisFetcher
 EnableDebugRPCEndpoints bool
+ InsecureGRPC bool
 MockEth1Votes bool
 AttestationsPool attestations.Pool
 ExitPool *voluntaryexits.Pool
@@ -148,9 +152,11 @@ func NewService(ctx context.Context, cfg *Config) *Service {
 participationFetcher: cfg.ParticipationFetcher,
 genesisTimeFetcher: cfg.GenesisTimeFetcher,
 genesisFetcher: cfg.GenesisFetcher,
+ datadir: cfg.DataDir,
 attestationReceiver: cfg.AttestationReceiver,
 blockReceiver: cfg.BlockReceiver,
 p2p: cfg.Broadcaster,
+ insecureGRPC: cfg.InsecureGRPC,
 peersFetcher: cfg.PeersFetcher,
 peerManager: cfg.PeerManager,
 powChainService: cfg.POWChainService,
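Review bot: The `Service` struct hunk reorders roughly thirty existing fields to slot in `insecureGRPC` and `datadir`, which buries the two security-relevant additions in a wall of moved lines; the same reorder is applied to `ValidatorService` in `validator/client/polling/service.go` and to `ValidatorService` and `Config` in `validator/client/streaming/service.go`. If the reorder comes from a field-alignment tool it belongs in its own commit; otherwise append just the two new fields next to `withCert`/`withKey`. A one-line comment on the new field would document the new default, e.g. `// insecureGRPC serves plaintext gRPC when set; otherwise a self-signed certificate is generated under datadir.`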
@@ -210,15 +216,6 @@ func (s *Service) Start() {
 }
 grpc_prometheus.EnableHandlingTimeHistogram()
 
- //// Determine if no TLS certs were specified in order to generate
- //// self-signed certificates by default for secure gRPC connections.
- //noCert := !cliCtx.IsSet(flags.CertFlag.Name)
- //noTLSKey := !cliCtx.IsSet(flags.KeyFlag.Name)
- //if noCert && noTLSKey {
- // baseDir := cliCtx.String(cmd.DataDirFlag.Name)
- // // Generate self-signed certs.
- //}
-
 if s.withCert != "" && s.withKey != "" {
 creds, err := credentials.NewServerTLSFromFile(s.withCert, s.withKey)
 if err != nil {
@@ -227,16 +224,26 @@ func (s *Service) Start() {
 }
 opts = append(opts, grpc.Creds(creds))
 } else {
- //if s.insecureGRPC {
- //
- //}
- //log.Warn("You are using an insecure gRPC server. If you are running your beacon node and " +
- // "validator on the same machines, you can ignore this message. If you want to know " +
- // "how to enable secure connections, see: https://docs.prylabs.network/docs/prysm-usage/secure-grpc")
-
- // Generate self-signed certs by default
- generateSelfSignedCerts()
+ if s.insecureGRPC {
+ log.Warn("You are using an insecure gRPC server. If you are running your beacon node and " +
+ "validator on the same machines, you can ignore this message. If you want to know " +
+ "how to enable secure connections, see: https://docs.prylabs.network/docs/prysm-usage/secure-grpc")
+ } else {
+ // Generate self-signed certs by default.
+ certPath, certKeyPath, err := generateSelfSignedCerts(s.datadir)
+ if err != nil {
+ log.Fatalf("Could not generate self-signed, secure gRPC certificates: %v", err)
+ }
+ creds, err := credentials.NewServerTLSFromFile(certPath, certKeyPath)
+ if err != nil {
+ log.Errorf("Could not load TLS keys: %s", err)
+ s.credentialError = err
+ }
+ opts = append(opts, grpc.Creds(creds))
+ log.Info("Establishing secure gRPC server using self-signed certificates")
+ }
 }
+
 s.grpcServer = grpc.NewServer(opts...)
 
 validatorServer := &validator.Server{
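Review bot: In the new self-signed branch a failure of `credentials.NewServerTLSFromFile` is only logged, the nil `creds` is still handed to `grpc.Creds`, and the `log.Info("Establishing secure gRPC server ...")` line still runs, so as far as I can tell from grpc's `Creds` option the server would come up without transport security while announcing the opposite. The files were written by `generateSelfSignedCerts` two lines earlier, so a load failure here is a bug rather than operator misconfiguration and should fail closed like the `log.Fatalf` just above it: `if err != nil {`, `log.Fatalf("Could not load self-signed TLS keys: %v", err)`, `}`, dropping the `s.credentialError = err` assignment in this branch. A short comment that the generated certificate only protects clients that verify it would also help, since the validator side of this series does not. `Start` begins and ends outside the hunk.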
diff --git a/beacon-chain/rpc/tls.go b/beacon-chain/rpc/tls.go
index ac274962cab5..9ee19734c8c8 100644
--- a/beacon-chain/rpc/tls.go
+++ b/beacon-chain/rpc/tls.go
@@ -1,9 +1,6 @@
 package rpc
 
 import (
- "crypto/ecdsa"
- "crypto/ed25519"
- "crypto/rand"
 "crypto/rsa"
 "crypto/x509"
 "crypto/x509/pkix"
@@ -11,7 +8,12 @@ import (
 "math/big"
 "net"
 "os"
+ "path"
 "time"
+
+ "github.com/pkg/errors"
+ "github.com/prysmaticlabs/prysm/shared/rand"
+ "github.com/prysmaticlabs/prysm/shared/roughtime"
 )
 
 const (
@@ -19,36 +21,24 @@ const (
 validFor = 365 * 24 * time.Hour
 )
 
-func publicKey(priv interface{}) interface{} {
- switch k := priv.(type) {
- case *rsa.PrivateKey:
- return &k.PublicKey
- case *ecdsa.PrivateKey:
- return &k.PublicKey
- case ed25519.PrivateKey:
- return k.Public().(ed25519.PublicKey)
- default:
- return nil
- }
-}
+var (
+ selfSignedCertName = "beacon.pem"
+ selfSignedCertKeyName = "key.pem"
+)
 
-func generateSelfSignedCerts() {
- var err error
- priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
+// Generates self-signed certificates at a datadir path. This function
+// returns the paths of the cert.pem and key.pem files that
+// were generated as a result.
+func generateSelfSignedCerts(datadir string) (string, string, error) {
+ priv, err := rsa.GenerateKey(rand.NewGenerator(), rsaBits)
 if err != nil {
- log.Fatalf("Failed to generate private key: %v", err)
+ return "", "", errors.Wrap(err, "nailed to generate private key")
 }
 
- var notBefore time.Time
- notBefore = time.Now()
+ notBefore := roughtime.Now()
 notAfter := notBefore.Add(validFor)
 
- serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
- serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
- if err != nil {
- log.Fatalf("Failed to generate serial number: %v", err)
- }
-
+ serialNumber := big.NewInt(int64(rand.NewGenerator().Int() % 128))
 template := x509.Certificate{
 SerialNumber: serialNumber,
 Subject: pkix.Name{
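Review bot: The serial number is downgraded from a 128-bit `crypto/rand` value to `big.NewInt(int64(rand.NewGenerator().Int() % 128))`, i.e. one of 128 values including zero; RFC 5280 requires a positive serial, and predictable or colliding serials are exactly what the removed `serialNumberLimit` / `rand.Int(rand.Reader, serialNumberLimit)` lines avoided, so those two lines and their error check should be restored (the hunk also drops the `crypto/rand` import they need). The same hunk replaces `rand.Reader` with `rand.NewGenerator()` in `rsa.GenerateKey`; I cannot tell from the diff whether `shared/rand.NewGenerator` is a CSPRNG, and if it is not the private key itself is weak, so either keep `crypto/rand` for key generation or add a comment next to the import stating the guarantee. Minor: the wrap message reads `"nailed to generate private key"`, and the doc comment still says `cert.pem` while the file is now `beacon.pem`.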
@@ -60,47 +50,44 @@ func generateSelfSignedCerts() {
 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
 BasicConstraintsValid: true,
 }
-
- if ip := net.ParseIP("localhost"); ip != nil {
- template.IPAddresses = append(template.IPAddresses, ip)
- } else {
- template.DNSNames = append(template.DNSNames, "localhost")
- }
+ template.IPAddresses = append(template.IPAddresses, net.ParseIP("127.0.0.1"))
 
 template.IsCA = true
 template.KeyUsage |= x509.KeyUsageCertSign
 
- derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
+ derBytes, err := x509.CreateCertificate(rand.NewGenerator(), &template, &template, &priv.PublicKey, priv)
 if err != nil {
- log.Fatalf("Failed to create certificate: %v", err)
+ return "", "", errors.Wrap(err, "failed to create x509 certificate")
 }
 
- certOut, err := os.Create("/tmp/cert.pem")
+ certPath := path.Join(datadir, selfSignedCertName)
+ certKeyPath := path.Join(datadir, selfSignedCertKeyName)
+ certOut, err := os.Create(certPath)
 if err != nil {
- log.Fatalf("Failed to open cert.pem for writing: %v", err)
+ return "", "", errors.Wrapf(err, "failed to open %s for writing", certPath)
 }
 if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
- log.Fatalf("Failed to write data to cert.pem: %v", err)
+ return "", "", errors.Wrapf(err, "failed to write data to %s", certPath)
 }
 if err := certOut.Close(); err != nil {
- log.Fatalf("Error closing cert.pem: %v", err)
+ return "", "", errors.Wrapf(err, "error closing write buffer: %s", certPath)
 }
- log.Info("wrote /tmp/cert.pem")
+ log.WithField("certPath", certPath).Info("Wrote self-signed certificate file")
 
- keyOut, err := os.OpenFile("/tmp/key.pem", os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+ keyOut, err := os.OpenFile(certKeyPath, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
 if err != nil {
- log.Fatalf("Failed to open key.pem for writing: %v", err)
- return
+ return "", "", errors.Wrapf(err, "failed to open %s for writing", certKeyPath)
 }
 privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
 if err != nil {
- log.Fatalf("Unable to marshal private key: %v", err)
+ return "", "", errors.Wrap(err, "unable to marshal private key")
 }
 if err := pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil {
- log.Fatalf("Failed to write data to key.pem: %v", err)
+ return "", "", errors.Wrapf(err, "failed to write data to %s", certKeyPath)
 }
 if err := keyOut.Close(); err != nil {
- log.Fatalf("Error closing key.pem: %v", err)
+ return "", "", errors.Wrapf(err, "error closing write buffer: %s", certKeyPath)
 }
- log.Info("Wrote /tmp/key.pem")
+ log.WithField("certKeyPath", certKeyPath).Info("Wrote self-signed certificate key file")
+ return certPath, certKeyPath, nil
 }
diff --git a/beacon-chain/usage.go b/beacon-chain/usage.go
index 67dfde5ca8ea..59d41df8ef54 100644
--- a/beacon-chain/usage.go
+++ b/beacon-chain/usage.go
@@ -67,6 +67,7 @@ var appHelpFlagGroups = []flagGroup{
 cmd.ConfigFileFlag,
 cmd.ChainConfigFileFlag,
 cmd.GrpcMaxCallRecvMsgSizeFlag,
+ cmd.InsecureGRPCFlag,
 },
 },
 {
diff --git a/shared/cmd/flags.go b/shared/cmd/flags.go
index 40128546ed66..93f152b02b72 100644
--- a/shared/cmd/flags.go
+++ b/shared/cmd/flags.go
@@ -205,7 +205,13 @@ var (
 // GrpcMaxCallRecvMsgSizeFlag defines the max call message size for GRPC
 GrpcMaxCallRecvMsgSizeFlag = &cli.IntFlag{
 Name: "grpc-max-msg-size",
- Usage: "Integer to define max recieve message call size (default: 4194304 (for 4MB))",
+ Usage: "Integer to define max receive message call size (default: 4194304 (for 4MB))",
 Value: 1 << 22,
 }
+ // InsecureGRPCFlag defines using an insecure gRPC connection (not recommended).
+ InsecureGRPCFlag = &cli.BoolFlag{
+ Name: "insecure-grpc-flag",
+ Usage: "Utilize an insecure grpc connection (not recommended)",
+ Value: false,
+ }
 )
diff --git a/validator/client/polling/service.go b/validator/client/polling/service.go
index 38de2e807537..1933b1d5c2e3 100644
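Review bot: Both `os.Create(certPath)` and the `os.O_TRUNC` open of `certKeyPath` overwrite whatever is already in the data dir, so every restart issues a new key and certificate; a validator that has been pointed at `beacon.pem` through `flags.CertFlag` (the only way to get real verification in this series) stops connecting after the next restart. Return the existing pair when both files are present and regenerate only when one is missing, and say so in the doc comment; the check below also switches to `filepath.Join`, which wants `"path/filepath"` in place of `"path"` in the import block. Smaller points in the same hunk: `certOut` and `keyOut` are left open on the `pem.Encode` error paths, and with only `IPAddresses: 127.0.0.1` and no `DNSNames` entry a client that dials `localhost` by name fails hostname verification once verification is enabled. `generateSelfSignedCerts` begins in the previous hunk.
```go
func generateSelfSignedCerts(datadir string) (string, string, error) {
	certPath := filepath.Join(datadir, selfSignedCertName)
	certKeyPath := filepath.Join(datadir, selfSignedCertKeyName)
	// Reuse an existing pair so clients that trust beacon.pem survive a restart.
	if _, err := os.Stat(certPath); err == nil {
		if _, err := os.Stat(certKeyPath); err == nil {
			return certPath, certKeyPath, nil
		}
	}
	// … unchanged: key generation, template, CreateCertificate, PEM writes …
```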
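Review bot: The new flag is named `insecure-grpc-flag`, whose `-flag` suffix is redundant next to its neighbours such as `grpc-max-msg-size`; `insecure-grpc` follows the existing naming and reads naturally on the command line. The name is user-facing and hard to change once released, so it is worth settling in this commit. The doc comment could also state the default it opts out of: `// InsecureGRPCFlag disables TLS on gRPC; by default the beacon node serves with a generated self-signed certificate.`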
--- a/validator/client/polling/service.go
+++ b/validator/client/polling/service.go
@@ -2,6 +2,7 @@ package polling
 
 import (
 "context"
+ "crypto/tls"
 "strings"
 
 "github.com/dgraph-io/ristretto"
@@ -33,21 +34,22 @@ var log = logrus.WithField("prefix", "validator")
 // ValidatorService represents a service to manage the validator client
 // routine.
 type ValidatorService struct {
- ctx context.Context
+ insecureGRPC bool
+ emitAccountMetrics bool
+ logValidatorBalances bool
 cancel context.CancelFunc
- validator Validator
- graffiti []byte
+ grpcRetries uint
+ maxCallRecvMsgSize int
 conn *grpc.ClientConn
- endpoint string
- withCert string
+ protector slashingprotection.Protector
 dataDir string
+ withCert string
+ endpoint string
 keyManager keymanager.KeyManager
- logValidatorBalances bool
- emitAccountMetrics bool
- maxCallRecvMsgSize int
- grpcRetries uint
+ validator Validator
+ ctx context.Context
+ graffiti []byte
 grpcHeaders []string
- protector slashingprotection.Protector
 }
 
 // Config for the validator service.
@@ -59,6 +61,7 @@ type Config struct {
 KeyManager keymanager.KeyManager
 LogValidatorBalances bool
 EmitAccountMetrics bool
+ InsecureGRPC bool
 GrpcMaxCallRecvMsgSizeFlag int
 GrpcRetriesFlag uint
 GrpcHeadersFlag string
@@ -76,6 +79,7 @@ func NewValidatorService(ctx context.Context, cfg *Config) (*ValidatorService, e
 withCert: cfg.CertFlag,
 dataDir: cfg.DataDir,
 graffiti: []byte(cfg.GraffitiFlag),
+ insecureGRPC: cfg.InsecureGRPC,
 keyManager: cfg.KeyManager,
 logValidatorBalances: cfg.LogValidatorBalances,
 emitAccountMetrics: cfg.EmitAccountMetrics,
@@ -99,6 +103,7 @@ func (v *ValidatorService) Start() {
 v.withCert,
 v.grpcHeaders,
 v.grpcRetries,
+ v.insecureGRPC,
 streamInterceptor,
 )
 if dialOpts == nil {
@@ -202,6 +207,7 @@ func ConstructDialOptions(
 withCert string,
 grpcHeaders []string,
 grpcRetries uint,
+ insecureGRPC bool,
 extraOpts ...grpc.DialOption,
 ) []grpc.DialOption {
 var transportSecurity grpc.DialOption
@@ -213,10 +219,17 @@ func ConstructDialOptions(
 }
 transportSecurity = grpc.WithTransportCredentials(creds)
 } else {
- transportSecurity = grpc.WithInsecure()
- log.Warn("You are using an insecure gRPC connection. If you are running your beacon node and " +
- "validator on the same machines, you can ignore this message. If you want to know " +
- "how to enable secure connections, see: https://docs.prylabs.network/docs/prysm-usage/secure-grpc")
+ if insecureGRPC {
+ transportSecurity = grpc.WithInsecure()
+ log.Warn("You are using an insecure gRPC connection. If you are running your beacon node and " +
+ "validator on the same machines, you can ignore this message. If you want to know " +
+ "how to enable secure connections, see: https://docs.prylabs.network/docs/prysm-usage/secure-grpc")
+ } else {
+ transportSecurity = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
+ InsecureSkipVerify: true,
+ }))
+ log.Info("Establishing secure gRPC connection")
+ }
 }
 
 if maxCallRecvMsgSize == 0 {
diff --git a/validator/client/streaming/service.go b/validator/client/streaming/service.go
index d3a8f22b15ba..3c409156dc1c 100644
--- a/validator/client/streaming/service.go
+++ b/validator/client/streaming/service.go
@@ -2,6 +2,7 @@ package streaming
 
 import (
 "context"
+ "crypto/tls"
 "strings"
 
 "github.com/dgraph-io/ristretto"
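Review bot: The new default branch dials with `InsecureSkipVerify: true`, so the connection is encrypted but the beacon node is never authenticated: whatever answers on the endpoint with any certificate is accepted, which is precisely what an on-path attacker needs, and `log.Info("Establishing secure gRPC connection")` overstates what was achieved. The same branch is duplicated in `validator/client/streaming/service.go` (`@@ -205,8 +216,17 @@`). Since the beacon node now writes `beacon.pem` under its data dir, the validator could verify against that file when `withCert` is empty and the two share a host; failing that, the message should be `log.Warn("TLS is enabled but the beacon node certificate is not verified; pass its certificate via the tls cert flag to verify it")` and the `tls.Config` needs a comment explaining why verification is skipped. `ConstructDialOptions` begins and ends outside the hunk.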
@@ -33,36 +34,38 @@ var log = logrus.WithField("prefix", "validator")
 // ValidatorService represents a service to manage the validator client
 // routine.
 type ValidatorService struct {
- ctx context.Context
+ insecureGRPC bool
+ emitAccountMetrics bool
+ logValidatorBalances bool
 cancel context.CancelFunc
- validator Validator
- graffiti []byte
+ grpcRetries uint
+ maxCallRecvMsgSize int
 conn *grpc.ClientConn
- endpoint string
- withCert string
+ protector slashingprotection.Protector
 dataDir string
+ withCert string
+ endpoint string
 keyManager keymanager.KeyManager
- logValidatorBalances bool
- emitAccountMetrics bool
- maxCallRecvMsgSize int
- grpcRetries uint
+ validator Validator
+ ctx context.Context
+ graffiti []byte
 grpcHeaders []string
- protector slashingprotection.Protector
 }
 
 // Config for the validator service.
 type Config struct {
- Endpoint string
- DataDir string
- CertFlag string
- GraffitiFlag string
- KeyManager keymanager.KeyManager
- LogValidatorBalances bool
+ InsecureGRPC bool
 EmitAccountMetrics bool
- GrpcMaxCallRecvMsgSizeFlag int
+ LogValidatorBalances bool
 GrpcRetriesFlag uint
- GrpcHeadersFlag string
+ GrpcMaxCallRecvMsgSizeFlag int
 Protector slashingprotection.Protector
+ KeyManager keymanager.KeyManager
+ GrpcHeadersFlag string
+ GraffitiFlag string
+ CertFlag string
+ DataDir string
+ Endpoint string
 }
 
 // NewValidatorService creates a new validator service for the service
@@ -75,6 +78,7 @@ func NewValidatorService(ctx context.Context, cfg *Config) (*ValidatorService, e
 endpoint: cfg.Endpoint,
 withCert: cfg.CertFlag,
 dataDir: cfg.DataDir,
+ insecureGRPC: cfg.InsecureGRPC,
 graffiti: []byte(cfg.GraffitiFlag),
 keyManager: cfg.KeyManager,
 logValidatorBalances: cfg.LogValidatorBalances,
@@ -95,7 +99,13 @@ func (v *ValidatorService) Start() {
 grpc_retry.StreamClientInterceptor(),
 ))
 dialOpts := ConstructDialOptions(
- v.maxCallRecvMsgSize, v.withCert, v.grpcHeaders, v.grpcRetries, streamInterceptor)
+ v.maxCallRecvMsgSize,
+ v.withCert,
+ v.grpcHeaders,
+ v.grpcRetries,
+ v.insecureGRPC,
+ streamInterceptor,
+ )
 if dialOpts == nil {
 return
 }
@@ -194,6 +204,7 @@ func ConstructDialOptions(
 withCert string,
 grpcHeaders []string,
 grpcRetries uint,
+ insecureGRPC bool,
 extraOpts ...grpc.DialOption,
 ) []grpc.DialOption {
 var transportSecurity grpc.DialOption
@@ -205,8 +216,17 @@ func ConstructDialOptions(
 }
 transportSecurity = grpc.WithTransportCredentials(creds)
 } else {
- transportSecurity = grpc.WithInsecure()
- log.Warn("You are using an insecure gRPC connection! Please provide a certificate and key to use a secure connection.")
+ if insecureGRPC {
+ transportSecurity = grpc.WithInsecure()
+ log.Warn("You are using an insecure gRPC connection. If you are running your beacon node and " +
+ "validator on the same machines, you can ignore this message. If you want to know " +
+ "how to enable secure connections, see: https://docs.prylabs.network/docs/prysm-usage/secure-grpc")
+ } else {
+ transportSecurity = grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{
+ InsecureSkipVerify: true,
+ }))
+ log.Info("Establishing secure gRPC connection")
+ }
 }
 
 if maxCallRecvMsgSize == 0 {
diff --git a/validator/main.go b/validator/main.go
index 4017c9a13907..a6683d45463a 100644
--- a/validator/main.go
+++ b/validator/main.go
@@ -189,6 +189,7 @@ contract in order to activate the validator client`,
 cliCtx.String(flags.CertFlag.Name),
 strings.Split(cliCtx.String(flags.GrpcHeadersFlag.Name), ","),
 cliCtx.Uint(flags.GrpcRetriesFlag.Name),
+ false, /* insecure grpc */
 grpc.WithBlock())
 endpoint := cliCtx.String(flags.BeaconRPCProviderFlag.Name)
 conn, err := grpc.DialContext(ctx, endpoint, dialOpts...)
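Review bot: The subcommand in `validator/main.go` passes a hard-coded `false, /* insecure grpc */` to `ConstructDialOptions`, so with the new default it always performs a TLS handshake; against a beacon node started with the insecure flag (plaintext) that handshake cannot succeed and, combined with `grpc.WithBlock()`, the command will not connect. PATCH 4/4 registers `cmd.InsecureGRPCFlag` in this file's `appFlags` but this call site still ignores it; pass `cliCtx.Bool(cmd.InsecureGRPCFlag.Name), /* insecure grpc */` instead, assuming that flag set is visible to this subcommand's `cliCtx` (I cannot confirm that from the hunk). The enclosing action function begins and ends outside the hunk.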
diff --git a/validator/node/node.go b/validator/node/node.go
index 09eb1790504f..e32379482065 100644
--- a/validator/node/node.go
+++ b/validator/node/node.go
@@ -199,6 +199,8 @@ func (s *ValidatorClient) registerClientService(keyManager keymanager.KeyManager
 graffiti := s.cliCtx.String(flags.GraffitiFlag.Name)
 maxCallRecvMsgSize := s.cliCtx.Int(cmd.GrpcMaxCallRecvMsgSizeFlag.Name)
 grpcRetries := s.cliCtx.Uint(flags.GrpcRetriesFlag.Name)
+ insecureGRPC := s.cliCtx.Bool(cmd.InsecureGRPCFlag.Name)
+
 var sp *slashing_protection.Service
 var protector slashing_protection.Protector
 if err := s.services.FetchService(&sp); err == nil {
@@ -213,6 +215,7 @@ func (s *ValidatorClient) registerClientService(keyManager keymanager.KeyManager
 EmitAccountMetrics: emitAccountMetrics,
 CertFlag: cert,
 GraffitiFlag: graffiti,
+ InsecureGRPC: insecureGRPC,
 GrpcMaxCallRecvMsgSizeFlag: maxCallRecvMsgSize,
 GrpcRetriesFlag: grpcRetries,
 GrpcHeadersFlag: s.cliCtx.String(flags.GrpcHeadersFlag.Name),
@@ -232,6 +235,7 @@ func (s *ValidatorClient) registerClientService(keyManager keymanager.KeyManager
 EmitAccountMetrics: emitAccountMetrics,
 CertFlag: cert,
 GraffitiFlag: graffiti,
+ InsecureGRPC: insecureGRPC,
 GrpcMaxCallRecvMsgSizeFlag: maxCallRecvMsgSize,
 GrpcRetriesFlag: grpcRetries,
 GrpcHeadersFlag: s.cliCtx.String(flags.GrpcHeadersFlag.Name),
diff --git a/validator/usage.go b/validator/usage.go
index 7ce2ae8691c3..2809eb3c78c5 100644
--- a/validator/usage.go
+++ b/validator/usage.go
@@ -61,6 +61,7 @@ var appHelpFlagGroups = []flagGroup{
 cmd.ConfigFileFlag,
 cmd.ChainConfigFileFlag,
 cmd.GrpcMaxCallRecvMsgSizeFlag,
+ cmd.InsecureGRPCFlag,
 },
 },
 {
From 41ddcd5114775b31430d2c83c1228bc70de5d8b4 Mon Sep 17 00:00:00 2001
From: Raul Jordan
Date: Fri, 26 Jun 2020 16:23:41 -0500
Subject: [PATCH 3/4] Update beacon-chain/rpc/service.go
---
 beacon-chain/rpc/service.go | 1 -
 1 file changed, 1 deletion(-)
diff --git a/beacon-chain/rpc/service.go b/beacon-chain/rpc/service.go
index 4b08e2a01968..22490adf3983 100644
--- a/beacon-chain/rpc/service.go
+++ b/beacon-chain/rpc/service.go
@@ -18,7 +18,6 @@ import (
 "google.golang.org/grpc/credentials"
 "google.golang.org/grpc/peer"
 "google.golang.org/grpc/reflection"
-
 "github.com/prysmaticlabs/prysm/beacon-chain/blockchain"
 "github.com/prysmaticlabs/prysm/beacon-chain/cache"
 "github.com/prysmaticlabs/prysm/beacon-chain/cache/depositcache"
From 82b5b78cb4c217052a15cc423856bad70c56f98b Mon Sep 17 00:00:00 2001
From: Raul Jordan
Date: Fri, 26 Jun 2020 21:43:24 -0500
Subject: [PATCH 4/4] fmt and flag add
---
 beacon-chain/rpc/service.go | 12 ++++++------
 validator/main.go | 1 +
 2 files changed, 7 insertions(+), 6 deletions(-)
diff --git a/beacon-chain/rpc/service.go b/beacon-chain/rpc/service.go
index 22490adf3983..d54cb3016086 100644
--- a/beacon-chain/rpc/service.go
+++ b/beacon-chain/rpc/service.go
@@ -12,12 +12,6 @@ import (
 grpc_opentracing "github.com/grpc-ecosystem/go-grpc-middleware/tracing/opentracing"
 grpc_prometheus "github.com/grpc-ecosystem/go-grpc-prometheus"
 ethpb "github.com/prysmaticlabs/ethereumapis/eth/v1alpha1"
- "github.com/sirupsen/logrus"
- "go.opencensus.io/plugin/ocgrpc"
- "google.golang.org/grpc"
- "google.golang.org/grpc/credentials"
- "google.golang.org/grpc/peer"
- "google.golang.org/grpc/reflection"
 "github.com/prysmaticlabs/prysm/beacon-chain/blockchain"
 "github.com/prysmaticlabs/prysm/beacon-chain/cache"
 "github.com/prysmaticlabs/prysm/beacon-chain/cache/depositcache"
@@ -42,6 +36,12 @@ import (
 "github.com/prysmaticlabs/prysm/shared/featureconfig"
 "github.com/prysmaticlabs/prysm/shared/params"
 "github.com/prysmaticlabs/prysm/shared/traceutil"
+ "github.com/sirupsen/logrus"
+ "go.opencensus.io/plugin/ocgrpc"
+ "google.golang.org/grpc"
+ "google.golang.org/grpc/credentials"
+ "google.golang.org/grpc/peer"
+ "google.golang.org/grpc/reflection"
 )
 
 var log logrus.FieldLogger
diff --git a/validator/main.go b/validator/main.go
index a6683d45463a..7644545195c8 100644
--- a/validator/main.go
+++ b/validator/main.go
@@ -81,6 +81,7 @@ var appFlags = []cli.Flag{
 cmd.ConfigFileFlag,
 cmd.ChainConfigFileFlag,
 cmd.GrpcMaxCallRecvMsgSizeFlag,
+ cmd.InsecureGRPCFlag,
 debug.PProfFlag,
 debug.PProfAddrFlag,
 debug.PProfPortFlag,