auth for engine api (#3046)

## Issue Addressed

Resolves #3015 

## Proposed Changes

Add JWT token based authentication to engine api requests. The jwt secret key is read from the provided file and is used to sign tokens that are used for authenticated communication with the EL node.

- [x] Interop with geth (synced `merge-devnet-4` with the `merge-kiln-v2` branch on geth)
- [x] Interop with other EL clients (nethermind on `merge-devnet-4`)
- [x] ~Implement `zeroize` for jwt secrets~
- [x] Add auth server tests with `mock_execution_layer`
- [x] Get auth working with the `execution_engine_integration` tests






Co-authored-by: Paul Hauner <paul@paulhauner.com>

beacon_node/Cargo.toml

@@ -29,6 +29,7 @@ environment = { path = "../lighthouse/environment" }
 task_executor = { path = "../common/task_executor" }
 genesis = { path = "genesis" }
 eth2_network_config = { path = "../common/eth2_network_config" }
+execution_layer = { path = "execution_layer" }
 lighthouse_network = { path = "./lighthouse_network" }
 serde = "1.0.116"
 clap_utils = { path = "../common/clap_utils" }

beacon_node/beacon_chain/src/test_utils.rs

@@ -337,14 +337,20 @@ where
 
         let el_runtime = ExecutionLayerRuntime::default();
 
-        let urls = urls
+        let urls: Vec<SensitiveUrl> = urls
             .iter()
             .map(|s| SensitiveUrl::parse(*s))
             .collect::<Result<_, _>>()
             .unwrap();
-        let execution_layer = ExecutionLayer::from_urls(
-            urls,
-            Some(Address::repeat_byte(42)),
+
+        let config = execution_layer::Config {
+            execution_endpoints: urls,
+            secret_files: vec![],
+            suggested_fee_recipient: Some(Address::repeat_byte(42)),
+            ..Default::default()
+        };
+        let execution_layer = ExecutionLayer::from_config(
+            config,
             el_runtime.task_executor.clone(),
             el_runtime.log.clone(),
         )

beacon_node/client/src/builder.rs

@@ -149,11 +149,10 @@ where
             None
         };
 
-        let execution_layer = if let Some(execution_endpoints) = config.execution_endpoints {
+        let execution_layer = if let Some(config) = config.execution_layer {
             let context = runtime_context.service_context("exec".into());
-            let execution_layer = ExecutionLayer::from_urls(
-                execution_endpoints,
-                config.suggested_fee_recipient,
+            let execution_layer = ExecutionLayer::from_config(
+                config,
                 context.executor.clone(),
                 context.log().clone(),
             )

beacon_node/client/src/config.rs

@@ -4,7 +4,7 @@ use sensitive_url::SensitiveUrl;
 use serde_derive::{Deserialize, Serialize};
 use std::fs;
 use std::path::PathBuf;
-use types::{Address, Graffiti, PublicKeyBytes};
+use types::{Graffiti, PublicKeyBytes};
 
 /// Default directory name for the freezer database under the top-level data dir.
 const DEFAULT_FREEZER_DB_DIR: &str = "freezer_db";
@@ -72,8 +72,7 @@ pub struct Config {
     pub network: network::NetworkConfig,
     pub chain: beacon_chain::ChainConfig,
     pub eth1: eth1::Config,
-    pub execution_endpoints: Option<Vec<SensitiveUrl>>,
-    pub suggested_fee_recipient: Option<Address>,
+    pub execution_layer: Option<execution_layer::Config>,
     pub http_api: http_api::Config,
     pub http_metrics: http_metrics::Config,
     pub monitoring_api: Option<monitoring_api::Config>,
@@ -94,8 +93,7 @@ impl Default for Config {
             dummy_eth1_backend: false,
             sync_eth1_chain: false,
             eth1: <_>::default(),
-            execution_endpoints: None,
-            suggested_fee_recipient: None,
+            execution_layer: None,
             graffiti: Graffiti::default(),
             http_api: <_>::default(),
             http_metrics: <_>::default(),

beacon_node/execution_layer/Cargo.toml

@@ -18,6 +18,7 @@ serde_json = "1.0.58"
 serde = { version = "1.0.116", features = ["derive"] }
 eth1 = { path = "../eth1" }
 warp = { git = "https://github.com/macladson/warp", rev ="dfa259e", features = ["tls"] }
+jsonwebtoken = "8"
 environment = { path = "../../lighthouse/environment" }
 bytes = "1.1.0"
 task_executor = { path = "../../common/task_executor" }
@@ -29,3 +30,6 @@ tree_hash = "0.4.1"
 tree_hash_derive = { path = "../../consensus/tree_hash_derive"}
 parking_lot = "0.11.0"
 slot_clock = { path = "../../common/slot_clock" }
+tempfile = "3.1.0"
+rand = "0.7.3"
+zeroize = { version = "1.4.2", features = ["zeroize_derive"] }

beacon_node/execution_layer/src/engine_api.rs

@@ -1,5 +1,6 @@
 use async_trait::async_trait;
 use eth1::http::RpcError;
+use reqwest::StatusCode;
 use serde::{Deserialize, Serialize};
 
 pub const LATEST_TAG: &str = "latest";
@@ -8,6 +9,7 @@ use crate::engines::ForkChoiceState;
 pub use json_structures::TransitionConfigurationV1;
 pub use types::{Address, EthSpec, ExecutionBlockHash, ExecutionPayload, Hash256, Uint256};
 
+pub mod auth;
 pub mod http;
 pub mod json_structures;
 
@@ -16,6 +18,7 @@ pub type PayloadId = [u8; 8];
 #[derive(Debug)]
 pub enum Error {
     Reqwest(reqwest::Error),
+    Auth(auth::Error),
     BadResponse(String),
     RequestFailed(String),
     InvalidExecutePayloadResponse(&'static str),
@@ -33,7 +36,14 @@ pub enum Error {
 
 impl From<reqwest::Error> for Error {
     fn from(e: reqwest::Error) -> Self {
-        Error::Reqwest(e)
+        if matches!(
+            e.status(),
+            Some(StatusCode::UNAUTHORIZED) | Some(StatusCode::FORBIDDEN)
+        ) {
+            Error::Auth(auth::Error::InvalidToken)
+        } else {
+            Error::Reqwest(e)
+        }
     }
 }
 
@@ -43,6 +53,12 @@ impl From<serde_json::Error> for Error {
     }
 }
 
+impl From<auth::Error> for Error {
+    fn from(e: auth::Error) -> Self {
+        Error::Auth(e)
+    }
+}
+
 /// A generic interface for an execution engine API.
 #[async_trait]
 pub trait EngineApi {