Set Auth Differently In Our Powchain Constructor (#10501)

network/BUILD.bazel

@@ -3,24 +3,32 @@ load("@prysm//tools/go:def.bzl", "go_library", "go_test")
 go_library(
     name = "go_default_library",
     srcs = [
+        "auth.go",
         "endpoint.go",
         "external_ip.go",
     ],
     importpath = "github.com/prysmaticlabs/prysm/network",
     visibility = ["//visibility:public"],
-    deps = ["//network/authorization:go_default_library"],
+    deps = [
+        "//network/authorization:go_default_library",
+        "@com_github_golang_jwt_jwt_v4//:go_default_library",
+        "@com_github_pkg_errors//:go_default_library",
+    ],
 )
 
 go_test(
     name = "go_default_test",
     srcs = [
+        "auth_test.go",
         "endpoint_test.go",
         "external_ip_test.go",
     ],
     embed = [":go_default_library"],
     deps = [
+        "//encoding/bytesutil:go_default_library",
         "//network/authorization:go_default_library",
         "//testing/assert:go_default_library",
         "//testing/require:go_default_library",
+        "@com_github_golang_jwt_jwt_v4//:go_default_library",
     ],
 )

network/auth.go

@@ -0,0 +1,47 @@
+package network
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/pkg/errors"
+)
+
+// DefaultRPCHTTPTimeout for HTTP requests via an RPC connection to an execution node.
+const DefaultRPCHTTPTimeout = time.Second * 6
+
+// This creates a custom HTTP transport which we can attach to our HTTP client
+// in order to inject JWT auth strings into our HTTP request headers. Authentication
+// is required when interacting with an Ethereum engine API server via HTTP, and JWT
+// is chosen as the scheme of choice.
+// For more details on the requirements of authentication when using the engine API, see
+// the specification here: https://github.com/ethereum/execution-apis/blob/main/src/engine/authentication.md
+//
+// To use this transport, initialize a new &http.Client{} from the standard library
+// and set the Transport field to &jwtTransport{} with values
+// http.DefaultTransport and a JWT secret.
+type jwtTransport struct {
+	underlyingTransport http.RoundTripper
+	jwtSecret           []byte
+}
+
+// RoundTrip ensures our transport implements http.RoundTripper interface from the
+// standard library. When used as the transport for an HTTP client, the code below
+// will run every time our client makes an HTTP request. This is used to inject
+// an JWT bearer token in the Authorization request header of every outgoing request
+// our HTTP client makes.
+func (t *jwtTransport) RoundTrip(req *http.Request) (*http.Response, error) {
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
+		// Required claim for engine API auth. "iat" stands for issued at
+		// and it must be a unix timestamp that is +/- 5 seconds from the current
+		// timestamp at the moment the server verifies this value.
+		"iat": time.Now().Unix(),
+	})
+	tokenString, err := token.SignedString(t.jwtSecret)
+	if err != nil {
+		return nil, errors.Wrap(err, "could not produce signed JWT token")
+	}
+	req.Header.Set("Authorization", "Bearer "+tokenString)
+	return t.underlyingTransport.RoundTrip(req)
+}

network/auth_test.go

@@ -0,0 +1,53 @@
+package network
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"strings"
+	"testing"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/prysmaticlabs/prysm/encoding/bytesutil"
+	"github.com/prysmaticlabs/prysm/testing/require"
+)
+
+func TestJWTAuthTransport(t *testing.T) {
+	secret := bytesutil.PadTo([]byte("foo"), 32)
+	authTransport := &jwtTransport{
+		underlyingTransport: http.DefaultTransport,
+		jwtSecret:           secret,
+	}
+	client := &http.Client{
+		Timeout:   DefaultRPCHTTPTimeout,
+		Transport: authTransport,
+	}
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		reqToken := r.Header.Get("Authorization")
+		splitToken := strings.Split(reqToken, "Bearer")
+		// The format should be `Bearer ${token}`.
+		require.Equal(t, 2, len(splitToken))
+		reqToken = strings.TrimSpace(splitToken[1])
+		token, err := jwt.Parse(reqToken, func(token *jwt.Token) (interface{}, error) {
+			// We should be doing HMAC signing.
+			_, ok := token.Method.(*jwt.SigningMethodHMAC)
+			require.Equal(t, true, ok)
+			return secret, nil
+		})
+		require.NoError(t, err)
+		require.Equal(t, true, token.Valid)
+		claims, ok := token.Claims.(jwt.MapClaims)
+		require.Equal(t, true, ok)
+		item, ok := claims["iat"]
+		require.Equal(t, true, ok)
+		iat, ok := item.(float64)
+		require.Equal(t, true, ok)
+		issuedAt := time.Unix(int64(iat), 0)
+		// The claims should have an "iat" field (issued at) that is at most, 5 seconds ago.
+		since := time.Since(issuedAt)
+		require.Equal(t, true, since <= time.Second*5)
+	}))
+	defer srv.Close()
+	_, err := client.Get(srv.URL)
+	require.NoError(t, err)
+}

network/endpoint.go

@@ -2,6 +2,7 @@ package network
 
 import (
 	"errors"
+	"net/http"
 	"strings"
 
 	"github.com/prysmaticlabs/prysm/network/authorization"
@@ -24,6 +25,22 @@ func (e Endpoint) Equals(other Endpoint) bool {
 	return e.Url == other.Url && e.Auth.Equals(other.Auth)
 }
 
+// HttpClient creates a http client object dependant
+// on the properties of the network endpoint.
+func (e Endpoint) HttpClient() *http.Client {
+	if e.Auth.Method != authorization.Bearer {
+		return http.DefaultClient
+	}
+	authTransport := &jwtTransport{
+		underlyingTransport: http.DefaultTransport,
+		jwtSecret:           []byte(e.Auth.Value),
+	}
+	return &http.Client{
+		Timeout:   DefaultRPCHTTPTimeout,
+		Transport: authTransport,
+	}
+}
+
 // Equals compares two authorization data objects for equality.
 func (d AuthorizationData) Equals(other AuthorizationData) bool {
 	return d.Method == other.Method && d.Value == other.Value