Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

cmd/geth, node, rpc: implement jwt tokens #24364

Merged
merged 9 commits into from
Mar 7, 2022
Merged

cmd/geth, node, rpc: implement jwt tokens #24364

merged 9 commits into from
Mar 7, 2022

Conversation

holiman
Copy link
Contributor

@holiman holiman commented Feb 9, 2022

This PR implements support for JWT. An rpc.API can now be Authenticated, meaning that it will only be exposed over an authenticated API point, meaning:

  • ipc,
  • or http endpoint with jwt support,
  • or ws endpoint with jwt support.

The jwt-secret can be given via CLI param, loaded like the nodeKey (i.e: loaded or generated+stored).
While the node is setting up the RPC endpoints, if it detects that there are Authenticated services, a new servre will be created. For now, using the port 8551 for both http and ws.

I think this PR does not break existing functionality in master, but will cause breakage in --catalyst mode. The idea is to be able to merge this into master, and then make the TheMerge branches make use of it.

This PR does not implement client-side suport, doing e.g geth attach ws://localhost:8551 --jwt-secret 0x.... Might be better to do that in a separate PR(?)

@holiman holiman mentioned this pull request Feb 9, 2022
Closed
@fjl
Copy link
Contributor

fjl commented Feb 11, 2022

I will add support in client later.

@holiman
Copy link
Contributor Author

holiman commented Feb 16, 2022
edited
Loading

Some testvectors extracted from the testcase here

Current time: 1644994971, secret: 736563726574
Exp ok: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp ok: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzV9.QRtFFE5NnbK_mMu-3qtPGPiAgTRCvb-Z1Ti_uwBjgDk"
Exp ok: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5Njd9.lJP7Nw_Lio-gP78ZW-Uv3PVdLbuaIMVgU9uvLw1V1BY"
Exp ok: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDQ5OTQ5NzMsImlhdCI6MTY0NDk5NDk3MX0.1RVPaAjpjQWFqm33C87zdUThUbob96C5SHBVn_LDLDc"
Exp ok: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJiYXIiOiJiYXoiLCJpYXQiOjE2NDQ5OTQ5NzF9.EU7c1vsCWHU9fCV888yf1IwJR7uczhk5pKCB6CAd_NI"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5Nzd9.r_MM-6TLGUtsf_EalbJKxgO-Vw6LOkTEqKjcEBSCRHw"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NjV9.sWMMjsne2hK0S20OL3lP_qVvnGIGvBc5fa7sUvJUiqM"
Exp fail: "Bearer eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzV9.Av2ZI-xeXA8-VuSoYxCsnn0cCg_4St2zOSgFKbvsS1ObTZKLeltSV4CcTcraukYL_HNun3rI4iDjDxs6EJgbCA"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2NDQ5OTQ5NzEsImlhdCI6MTY0NDk5NDk3MX0.Nc6fT-W8bknDUqnjEwHKLreTguYgzMBlbsPAMO2OOHM"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.e30.t-IDcSemACt8x4iTMCda8Yhe3iZaWbvV5XKSTbuAn0M"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.tICF9zHKdMOwccLLA2LGqbA_P1X8WHD-KMe5R4GpgkE"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.JxoxCpDIzhNLqBCvSWJjddHQ87SynxgwTjJP0-PapA4"
Exp fail: "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.JxoxCpDIzhNLqBCvSWJjddHQ87SynxgwTjJP0-PapA4"
Exp fail: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp fail: "Bearer  eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp fail: "bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp fail: "Bearer: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp fail: "Bearer:eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp fail: "Bearer\teyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"
Exp fail: "Bearer \teyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE2NDQ5OTQ5NzF9.3MaCM_vL7Dl50v0FMEJeVWwYckxifqxGtA2dlZA9YHQ"

@MariusVanDerWijden
Copy link
Member 

diff --git a/cmd/clef/main.go b/cmd/clef/main.go
index 3aaf898db..f7c3adebc 100644
--- a/cmd/clef/main.go
+++ b/cmd/clef/main.go
@@ -661,7 +661,7 @@ func signer(c *cli.Context) error {
                if err != nil {
                        utils.Fatalf("Could not register API: %w", err)
                }
-               handler := node.NewHTTPHandlerStack(srv, cors, vhosts)
+               handler := node.NewHTTPHandlerStack(srv, cors, vhosts, nil)
 
                // set port
                port := c.Int(rpcPortFlag.Name)

MariusVanDerWijden
MariusVanDerWijden reviewed Feb 20, 2022
View reviewed changes
node/node.go Outdated Show resolved Hide resolved
karalabe
karalabe reviewed Mar 2, 2022
View reviewed changes
cmd/utils/flags.go Outdated Show resolved Hide resolved
karalabe
karalabe reviewed Mar 2, 2022
View reviewed changes
cmd/utils/flags.go Outdated Show resolved Hide resolved
karalabe
karalabe reviewed Mar 2, 2022
View reviewed changes
node/node.go Outdated Show resolved Hide resolved
karalabe
karalabe reviewed Mar 2, 2022
View reviewed changes
node/node.go Show resolved Hide resolved
karalabe
karalabe reviewed Mar 2, 2022
View reviewed changes
node/node.go Outdated Show resolved Hide resolved
karalabe
karalabe reviewed Mar 2, 2022
View reviewed changes
node/node.go Outdated Show resolved Hide resolved
karalabe
karalabe reviewed Mar 2, 2022
View reviewed changes
node/config.go Outdated Show resolved Hide resolved
@karalabe karalabe added this to the 1.10.17 milestone Mar 7, 2022
karalabe
karalabe reviewed Mar 7, 2022
View reviewed changes
Copy link
Member

@karalabe karalabe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

SGTM

@karalabe karalabe merged commit 4860e50 into ethereum:master Mar 7, 2022
sidhujag pushed a commit to syscoin/go-ethereum that referenced this pull request Mar 8, 2022
cmd/geth, node, rpc: implement jwt tokens (ethereum#24364)
41b310b
JacekGlen pushed a commit to JacekGlen/go-ethereum that referenced this pull request May 26, 2022
@holiman @MariusVanDerWijden @JacekGlen
cmd/geth, node, rpc: implement jwt tokens (ethereum#24364)
c456ff4 
* rpc, node: refactor request validation and add jwt validation

* node, rpc: fix error message, ignore engine api in RegisterAPIs

* node: make authenticated port configurable

* eth/catalyst: enable unauthenticated version of engine api

* node: rework obtainjwtsecret (backport later)

* cmd/geth: added auth port flag

* node: happy lint, happy life

* node: refactor authenticated api

Modifies the authentication mechanism to use default values

* node: trim spaces and newline away from secret

Co-authored-by: Marius van der Wijden <m.vanderwijden@live.de>
cp-wjhan pushed a commit to cp-yoonjin/go-wemix that referenced this pull request Nov 16, 2022
@holiman @MariusVanDerWijden @cp-wjhan
cmd/geth, node, rpc: implement jwt tokens (ethereum#24364)
cd3b017 
* rpc, node: refactor request validation and add jwt validation

* node, rpc: fix error message, ignore engine api in RegisterAPIs

* node: make authenticated port configurable

* eth/catalyst: enable unauthenticated version of engine api

* node: rework obtainjwtsecret (backport later)

* cmd/geth: added auth port flag

* node: happy lint, happy life

* node: refactor authenticated api

Modifies the authentication mechanism to use default values

* node: trim spaces and newline away from secret

Co-authored-by: Marius van der Wijden <m.vanderwijden@live.de>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MariusVanDerWijden MariusVanDerWijden MariusVanDerWijden left review comments

@karalabe karalabe karalabe left review comments

@fjl fjl Awaiting requested review from fjl fjl is a code owner

@gballet gballet Awaiting requested review from gballet gballet is a code owner

@rjl493456442 rjl493456442 Awaiting requested review from rjl493456442 rjl493456442 is a code owner

@zsfelfoldi zsfelfoldi Awaiting requested review from zsfelfoldi zsfelfoldi is a code owner

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
1.10.17
Development

Successfully merging this pull request may close these issues.
4 participants
@holiman @fjl @MariusVanDerWijden @karalabe