libp2phttp: HTTP Peer ID Authentication

p2p/http/auth/auth.go

@@ -0,0 +1,10 @@
+package httppeeridauth
+
+import (
+	logging "github.com/ipfs/go-log/v2"
+	"github.com/libp2p/go-libp2p/p2p/http/auth/internal/handshake"
+)
+
+const PeerIDAuthScheme = handshake.PeerIDAuthScheme
+
+var log = logging.Logger("httppeeridauth")

p2p/http/auth/auth_test.go

@@ -0,0 +1,213 @@
+package httppeeridauth
+
+import (
+	"bytes"
+	"crypto/hmac"
+	"crypto/rand"
+	"crypto/sha256"
+	"crypto/tls"
+	"hash"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"sync"
+	"testing"
+	"time"
+
+	logging "github.com/ipfs/go-log/v2"
+	"github.com/libp2p/go-libp2p/core/crypto"
+	"github.com/libp2p/go-libp2p/core/peer"
+	"github.com/stretchr/testify/require"
+)
+
+// TestMutualAuth tests that we can do a mutually authenticated round trip
+func TestMutualAuth(t *testing.T) {
+	logging.SetLogLevel("httppeeridauth", "DEBUG")
+
+	zeroBytes := make([]byte, 64)
+	serverKey, _, err := crypto.GenerateEd25519Key(bytes.NewReader(zeroBytes))
+	require.NoError(t, err)
+
+	type clientTestCase struct {
+		name         string
+		clientKeyGen func(t *testing.T) crypto.PrivKey
+	}
+
+	clientTestCases := []clientTestCase{
+		{
+			name: "ED25519",
+			clientKeyGen: func(t *testing.T) crypto.PrivKey {
+				t.Helper()
+				clientKey, _, err := crypto.GenerateEd25519Key(rand.Reader)
+				require.NoError(t, err)
+				return clientKey
+			},
+		},
+		{
+			name: "RSA",
+			clientKeyGen: func(t *testing.T) crypto.PrivKey {
+				t.Helper()
+				clientKey, _, err := crypto.GenerateRSAKeyPair(2048, rand.Reader)
+				require.NoError(t, err)
+				return clientKey
+			},
+		},
+	}
+
+	type serverTestCase struct {
+		name      string
+		serverGen func(t *testing.T) (*httptest.Server, *ServerPeerIDAuth)
+	}
+
+	serverTestCases := []serverTestCase{
+		{
+			name: "no TLS",
+			serverGen: func(t *testing.T) (*httptest.Server, *ServerPeerIDAuth) {
+				t.Helper()
+				auth := ServerPeerIDAuth{
+					PrivKey: serverKey,
+					ValidHostnameFn: func(s string) bool {
+						return s == "example.com"
+					},
+					TokenTTL: time.Hour,
+					NoTLS:    true,
+				}
+
+				ts := httptest.NewServer(&auth)
+				t.Cleanup(ts.Close)
+				return ts, &auth
+			},
+		},
+		{
+			name: "TLS",
+			serverGen: func(t *testing.T) (*httptest.Server, *ServerPeerIDAuth) {
+				t.Helper()
+				auth := ServerPeerIDAuth{
+					PrivKey: serverKey,
+					ValidHostnameFn: func(s string) bool {
+						return s == "example.com"
+					},
+					TokenTTL: time.Hour,
+				}
+
+				ts := httptest.NewTLSServer(&auth)
+				t.Cleanup(ts.Close)
+				return ts, &auth
+			},
+		},
+	}
+
+	for _, ctc := range clientTestCases {
+		for _, stc := range serverTestCases {
+			t.Run(ctc.name+"+"+stc.name, func(t *testing.T) {
+				ts, server := stc.serverGen(t)
+				client := ts.Client()
+				roundTripper := instrumentedRoundTripper{client.Transport, 0}
+				client.Transport = &roundTripper
+				requestsSent := func() int {
+					defer func() { roundTripper.timesRoundtripped = 0 }()
+					return roundTripper.timesRoundtripped
+				}
+
+				tlsClientConfig := roundTripper.TLSClientConfig()
+				if tlsClientConfig != nil {
+					// If we're using TLS, we need to set the SNI so that the
+					// server can verify the request Host matches it.
+					tlsClientConfig.ServerName = "example.com"
+				}
+				clientKey := ctc.clientKeyGen(t)
+				clientAuth := ClientPeerIDAuth{PrivKey: clientKey}
+
+				expectedServerID, err := peer.IDFromPrivateKey(serverKey)
+				require.NoError(t, err)
+
+				req, err := http.NewRequest("POST", ts.URL, nil)
+				require.NoError(t, err)
+				req.Host = "example.com"
+				serverID, resp, err := clientAuth.AuthenticatedDo(client, req)
+				require.NoError(t, err)
+				require.Equal(t, expectedServerID, serverID)
+				require.NotZero(t, clientAuth.tokenMap["example.com"])
+				require.Equal(t, http.StatusOK, resp.StatusCode)
+				require.Equal(t, 2, requestsSent())
+
+				// Once more with the auth token
+				req, err = http.NewRequest("POST", ts.URL, nil)
+				require.NoError(t, err)
+				req.Host = "example.com"
+				serverID, resp, err = clientAuth.AuthenticatedDo(client, req)
+				require.NotEmpty(t, req.Header.Get("Authorization"))
+				require.NoError(t, err)
+				require.Equal(t, expectedServerID, serverID)
+				require.NotZero(t, clientAuth.tokenMap["example.com"])
+				require.Equal(t, http.StatusOK, resp.StatusCode)
+				require.Equal(t, 1, requestsSent(), "should only call newRequest once since we have a token")
+
+				t.Run("Tokens Expired", func(t *testing.T) {
+					// Clear the auth token on the server side
+					server.TokenTTL = 1 // Small TTL
+					time.Sleep(100 * time.Millisecond)
+					resetServerTokenTTL := sync.OnceFunc(func() {
+						server.TokenTTL = time.Hour
+					})
+
+					req, err := http.NewRequest("POST", ts.URL, nil)
+					require.NoError(t, err)
+					req.Host = "example.com"
+					req.GetBody = func() (io.ReadCloser, error) {
+						resetServerTokenTTL()
+						return nil, nil
+					}
+					serverID, resp, err = clientAuth.AuthenticatedDo(client, req)
+					require.NoError(t, err)
+					require.NotEmpty(t, req.Header.Get("Authorization"))
+					require.Equal(t, http.StatusOK, resp.StatusCode)
+					require.Equal(t, expectedServerID, serverID)
+					require.NotZero(t, clientAuth.tokenMap["example.com"])
+					require.Equal(t, 3, requestsSent(), "should call newRequest 3x since our token expired")
+				})
+
+				t.Run("Tokens Invalidated", func(t *testing.T) {
+					// Clear the auth token on the server side
+					server.Hmac = func() hash.Hash {
+						key := make([]byte, 32)
+						_, err := rand.Read(key)
+						if err != nil {
+							panic(err)
+						}
+						return hmac.New(sha256.New, key)
+					}()
+
+					req, err := http.NewRequest("POST", ts.URL, nil)
+					req.GetBody = func() (io.ReadCloser, error) {
+						return nil, nil
+					}
+					require.NoError(t, err)
+					req.Host = "example.com"
+					serverID, resp, err = clientAuth.AuthenticatedDo(client, req)
+					require.NoError(t, err)
+					require.NotEmpty(t, req.Header.Get("Authorization"))
+					require.Equal(t, http.StatusOK, resp.StatusCode)
+					require.Equal(t, expectedServerID, serverID)
+					require.NotZero(t, clientAuth.tokenMap["example.com"])
+					require.Equal(t, 3, requestsSent(), "should call newRequest 3x since our token expired")
+				})
+
+			})
+		}
+	}
+}
+
+type instrumentedRoundTripper struct {
+	http.RoundTripper
+	timesRoundtripped int
+}
+
+func (irt *instrumentedRoundTripper) RoundTrip(req *http.Request) (*http.Response, error) {
+	irt.timesRoundtripped++
+	return irt.RoundTripper.RoundTrip(req)
+}
+
+func (irt *instrumentedRoundTripper) TLSClientConfig() *tls.Config {
+	return irt.RoundTripper.(*http.Transport).TLSClientConfig
+}

p2p/http/auth/client.go

@@ -0,0 +1,165 @@
+package httppeeridauth
+
+import (
+	"errors"
+	"fmt"
+	"net/http"
+	"sync"
+	"time"
+
+	"github.com/libp2p/go-libp2p/core/crypto"
+	"github.com/libp2p/go-libp2p/core/peer"
+	"github.com/libp2p/go-libp2p/p2p/http/auth/internal/handshake"
+)
+
+type ClientPeerIDAuth struct {
+	PrivKey  crypto.PrivKey
+	TokenTTL time.Duration
+
+	tokenMapMu sync.Mutex
+	tokenMap   map[string]tokenInfo
+}
+
+type tokenInfo struct {
+	token      string
+	insertedAt time.Time
+	peerID     peer.ID
+}
+
+// AuthenticatedDo is like http.Client.Do, but it does the libp2p peer ID auth
+// handshake if needed.
+//
+// It is recommended to pass in an http.Request with `GetBody` set, so that this
+// method can retry sending the request in case a previously used token has
+// expired.
+func (a *ClientPeerIDAuth) AuthenticatedDo(client *http.Client, req *http.Request) (peer.ID, *http.Response, error) {
+	hostname := req.Host
+	a.tokenMapMu.Lock()
+	if a.tokenMap == nil {
+		a.tokenMap = make(map[string]tokenInfo)
+	}
+	ti, hasToken := a.tokenMap[hostname]
+	if hasToken && a.TokenTTL != 0 && time.Since(ti.insertedAt) > a.TokenTTL {
+		hasToken = false
+		delete(a.tokenMap, hostname)
+	}
+	a.tokenMapMu.Unlock()
+
+	clientIntiatesHandshake := !hasToken
+	handshake := handshake.PeerIDAuthHandshakeClient{
+		Hostname: hostname,
+		PrivKey:  a.PrivKey,
+	}
+	if clientIntiatesHandshake {
+		handshake.SetInitiateChallenge()
+	}
+
+	if hasToken {
+		// Try to make the request with the token
+		req.Header.Set("Authorization", ti.token)
+		resp, err := client.Do(req)
+		if err != nil {
+			return "", nil, err
+		}
+		if resp.StatusCode != http.StatusUnauthorized {
+			// our token is still valid
+			return ti.peerID, resp, nil
+		}
+		if req.GetBody == nil {
+			// We can't retry this request even if we wanted to.
+			// Return the response and an error
+			return "", resp, errors.New("expired token. Couldn't run handshake because req.GetBody is nil")
+		}
+		resp.Body.Close()
+
+		// Token didn't work, we need to re-authenticate.
+		// Run the server-initiated handshake
+		req = req.Clone(req.Context())
+		req.Body, err = req.GetBody()
+		if err != nil {
+			return "", nil, err
+		}
+
+		handshake.ParseHeader(resp.Header)
+	}
+	originalBody := req.Body
+
+	handshake.Run()
+	handshake.SetHeader(req.Header)
+
+	// Don't send the body before we've authenticated the server
+	req.Body = nil
+	resp, err := client.Do(req)
+	if err != nil {
+		return "", nil, err
+	}
+	resp.Body.Close()
+
+	err = handshake.ParseHeader(resp.Header)
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to parse auth header: %w", err)
+	}
+	err = handshake.Run()
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to run handshake: %w", err)
+	}
+
+	serverWasAuthenticated := false
+	_, err = handshake.PeerID()
+	if err == nil {
+		serverWasAuthenticated = true
+	}
+
+	req = req.Clone(req.Context())
+	if serverWasAuthenticated {
+		req.Body = originalBody
+	} else {
+		// Don't send the body before we've authenticated the server
+		req.Body = nil
+	}
+	handshake.SetHeader(req.Header)
+	resp, err = client.Do(req)
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to do authenticated request: %w", err)
+	}
+
+	err = handshake.ParseHeader(resp.Header)
+	if err != nil {
+		resp.Body.Close()
+		return "", nil, fmt.Errorf("failed to parse auth info header: %w", err)
+	}
+	err = handshake.Run()
+	if err != nil {
+		resp.Body.Close()
+		return "", nil, fmt.Errorf("failed to run auth info handshake: %w", err)
+	}
+
+	serverPeerID, err := handshake.PeerID()
+	if err != nil {
+		resp.Body.Close()
+		return "", nil, fmt.Errorf("failed to get server's peer ID: %w", err)
+	}
+	a.tokenMapMu.Lock()
+	a.tokenMap[hostname] = tokenInfo{
+		token:      handshake.BearerToken(),
+		insertedAt: time.Now(),
+		peerID:     serverPeerID,
+	}
+	a.tokenMapMu.Unlock()
+
+	if serverWasAuthenticated {
+		return serverPeerID, resp, nil
+	}
+
+	// Server wasn't authenticated earlier.
+	// We need to make one final request with the body now that we authenticated
+	// the server.
+	req = req.Clone(req.Context())
+	req.Body = originalBody
+	handshake.SetHeader(req.Header)
+	resp, err = client.Do(req)
+	if err != nil {
+		return "", nil, fmt.Errorf("failed to do authenticated request: %w", err)
+	}
+	return serverPeerID, resp, nil
+}