nimbus-eth1/tests/test_jwt_auth.nim

348 lines
11 KiB
Nim
Raw Normal View History

# Nimbus
Core db and aristo updates for destructor and tx logic (#1894) * Disable `TransactionID` related functions from `state_db.nim` why: Functions `getCommittedStorage()` and `updateOriginalRoot()` from the `state_db` module are nowhere used. The emulation of a legacy `TransactionID` type functionality is administratively expensive to provide by `Aristo` (the legacy DB version is only partially implemented, anyway). As there is no other place where `TransactionID`s are used, they will not be provided by the `Aristo` variant of the `CoreDb`. For the legacy DB API, nothing will change. * Fix copyright headers in source code * Get rid of compiler warning * Update Aristo code, remove unused `merge()` variant, export `hashify()` why: Adapt to upcoming `CoreDb` wrapper * Remove synced tx feature from `Aristo` why: + This feature allowed to synchronise transaction methods like begin, commit, and rollback for a group of descriptors. + The feature is over engineered and not needed for `CoreDb`, neither is it complete (some convergence features missing.) * Add debugging helpers to `Kvt` also: Update database iterator, add count variable yield argument similar to `Aristo`. * Provide optional destructors for `CoreDb` API why; For the upcoming Aristo wrapper, this allows to control when certain smart destruction and update can take place. The auto destructor works fine in general when the storage/cache strategy is known and acceptable when creating descriptors. * Add update option for `CoreDb` API function `hash()` why; The hash function is typically used to get the state root of the MPT. Due to lazy hashing, this might be not available on the `Aristo` DB. So the `update` function asks for re-hashing the gurrent state changes if needed. * Update API tracking log mode: `info` => `debug * Use shared `Kvt` descriptor in new Ledger API why: No need to create a new descriptor all the time
2023-11-16 19:35:03 +00:00
# Copyright (c) 2022-2023 Status Research & Development GmbH
# Licensed under either of
# * Apache License, version 2.0, ([LICENSE-APACHE](LICENSE-APACHE) or
# http://www.apache.org/licenses/LICENSE-2.0)
# * MIT license ([LICENSE-MIT](LICENSE-MIT) or
# http://opensource.org/licenses/MIT)
# at your option. This file may not be copied, modified, or distributed except
# according to those terms.
## Test Jwt Authorisation Functionality
## ====================================
import
std/[base64, json, options, os, strutils, times],
../nimbus/config,
../nimbus/rpc/jwt_auth,
./replay/pp,
chronicles,
chronos/apps/http/httpclient as chronoshttpclient,
chronos/apps/http/httptable,
eth/[common, keys, p2p],
json_rpc/rpcserver,
nimcrypto/[hmac, utils],
stew/results,
stint,
unittest2,
graphql,
graphql/[httpserver, httpclient]
type
UnGuardedKey =
array[jwtMinSecretLen,byte]
const
jwtKeyFile ="jwtsecret.txt" # external shared secret file
jwtKeyStripped ="jwtstripped.txt" # without leading 0x
jwtKeyCopy = jwtSecretFile # file containing effective data key
baseDir = [".", "..", ".."/"..", $DirSep]
repoDir = [".", "tests" / "test_jwt_auth"]
let
fakeKey = block:
var rc: JwtSharedKey
discard rc.fromHex((0..31).mapIt(15 - (it mod 16)).mapIt(it.byte).toHex)
rc
# ------------------------------------------------------------------------------
# Helpers
# ------------------------------------------------------------------------------
proc findFilePath(file: string): Result[string,void] =
for dir in baseDir:
for repo in repoDir:
let path = dir / repo / file
if path.fileExists:
return ok(path)
err()
proc say*(noisy = false; pfx = "***"; args: varargs[string, `$`]) =
if noisy:
if args.len == 0:
echo "*** ", pfx
elif 0 < pfx.len and pfx[^1] != ' ':
echo pfx, " ", args.toSeq.join
else:
echo pfx, args.toSeq.join
proc setTraceLevel =
discard
when defined(chronicles_runtime_filtering) and loggingEnabled:
setLogLevel(LogLevel.TRACE)
proc setErrorLevel =
discard
when defined(chronicles_runtime_filtering) and loggingEnabled:
setLogLevel(LogLevel.ERROR)
# ------------------------------------------------------------------------------
# Private Functions
# ------------------------------------------------------------------------------
proc fakeGenSecret(fake: JwtSharedKey): JwtGenSecret =
## Key random generator, fake version
result = proc: JwtSharedKey =
fake
proc base64urlEncode(x: auto): string =
## from nimbus-eth2, engine_authentication.nim
base64.encode(x, safe = true).replace("=", "")
func getIatToken*(time: uint64): JsonNode =
## from nimbus-eth2, engine_authentication.nim
%* {"iat": time}
proc getSignedToken*(key: openArray[byte], payload: string): string =
## from nimbus-eth2, engine_authentication.nim
# Using hard coded string for """{"typ": "JWT", "alg": "HS256"}"""
let sData = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9." & base64urlEncode(payload)
2022-04-08 04:54:11 +00:00
sData & "." & sha256.hmac(key, sData).data.base64urlEncode
proc getSignedToken2*(key: openArray[byte], payload: string): string =
## Variant of `getSignedToken()`: different algorithm encoding
let
jNode = %* {"alg": "HS256", "typ": "JWT" }
sData = base64urlEncode($jNode) & "." & base64urlEncode(payload)
2022-04-08 04:54:11 +00:00
sData & "." & sha256.hmac(key, sData).data.base64urlEncode
proc getHttpAuthReqHeader(secret: JwtSharedKey; time: uint64): HttpTable =
let bearer = secret.UnGuardedKey.getSignedToken($getIatToken(time))
result.add("aUtHoRiZaTiOn", "Bearer " & bearer)
proc getHttpAuthReqHeader2(secret: JwtSharedKey; time: uint64): HttpTable =
let bearer = secret.UnGuardedKey.getSignedToken2($getIatToken(time))
result.add("aUtHoRiZaTiOn", "Bearer " & bearer)
proc createServer(serverAddress: TransportAddress, authHooks: seq[HttpAuthHook] = @[]): GraphqlHttpServerRef =
let socketFlags = {ServerFlags.TcpNoDelay, ServerFlags.ReuseAddr}
var ctx = GraphqlRef.new()
const schema = """type Query {name: String}"""
let r = ctx.parseSchema(schema)
if r.isErr:
debugEcho r.error
return
let res = GraphqlHttpServerRef.new(
graphql = ctx,
address = serverAddress,
socketFlags = socketFlags,
authHooks = authHooks
)
if res.isErr():
debugEcho res.error
return
res.get()
proc setupClient(address: TransportAddress): GraphqlHttpClientRef =
GraphqlHttpClientRef.new(address, secure = false).get()
# ------------------------------------------------------------------------------
# Test Runners
# ------------------------------------------------------------------------------
proc runKeyLoader(noisy = true;
keyFile = jwtKeyFile; strippedFile = jwtKeyStripped) =
let
filePath = keyFile.findFilePath.value
fileInfo = keyFile.splitFile.name.split(".")[0]
strippedPath = strippedFile.findFilePath.value
strippedInfo = strippedFile.splitFile.name.split(".")[0]
dataDir = filePath.splitPath.head
localKeyFile = dataDir / jwtKeyCopy
dataDirCmdOpt = &"--data-dir={dataDir}"
jwtSecretCmdOpt = &"--jwt-secret={filePath}"
jwtStrippedCmdOpt = &"--jwt-secret={strippedPath}"
suite "EngineAuth: Load or generate shared secrets":
test &"Load shared key file {fileInfo}":
let
config = @[dataDirCmdOpt,jwtSecretCmdOpt].makeConfig
secret = fakeKey.fakeGenSecret.jwtSharedSecret(config)
lines = config.jwtSecret.get.string.readLines(1)
check secret.isOk
check 0 < lines.len
let
hexKey = "0x" & secret.value.UnGuardedKey.toHex
hexFake = "0x" & fakeKey.UnGuardedKey.toSeq.toHex
hexLine = lines[0].strip
noisy.say "***", "key=", hexKey
noisy.say " ", "text=", hexLine
noisy.say " ", "fake=", hexFake
# Compare key against tcontents of shared key file
check hexKey.cmpIgnoreCase(hexLine) == 0
# Just to make sure that there was no random generator used
check hexKey.cmpIgnoreCase(hexFake) != 0
test &"Load shared key file {strippedInfo}, missing 0x prefix":
let
config = @[dataDirCmdOpt,jwtStrippedCmdOpt].makeConfig
secret = fakeKey.fakeGenSecret.jwtSharedSecret(config)
lines = config.jwtSecret.get.string.readLines(1)
check secret.isOk
check 0 < lines.len
let
hexKey = secret.value.UnGuardedKey.toHex
hexFake = fakeKey.UnGuardedKey.toSeq.toHex
hexLine = lines[0].strip
noisy.say "***", "key=", hexKey
noisy.say " ", "text=", hexLine
noisy.say " ", "fake=", hexFake
# Compare key against tcontents of shared key file
check hexKey.cmpIgnoreCase(hexLine) == 0
# Just to make sure that there was no random generator used
check hexKey.cmpIgnoreCase(hexFake) != 0
test &"Generate shared key file, store it in {jwtKeyCopy}":
# Clean up after file generation
defer: localKeyFile.removeFile
# Maybe a stale left over
localKeyFile.removeFile
let
config = @[dataDirCmdOpt].makeConfig
secret = fakeKey.fakeGenSecret.jwtSharedSecret(config)
lines = localKeyFile.readLines(1)
check secret.isOk
let
hexKey = "0x" & secret.value.UnGuardedKey.toHex
hexLine = lines[0].strip
noisy.say "***", "key=", hexKey
noisy.say " ", "text=", hexLine
# Compare key against tcontents of shared key file
check hexKey.cmpIgnoreCase(hexLine) == 0
proc runJwtAuth(noisy = true; keyFile = jwtKeyFile) =
let
filePath = keyFile.findFilePath.value
fileInfo = keyFile.splitFile.name.split(".")[0]
dataDir = filePath.splitPath.head
dataDirCmdOpt = &"--data-dir={dataDir}"
jwtSecretCmdOpt = &"--jwt-secret={filePath}"
config = @[dataDirCmdOpt,jwtSecretCmdOpt].makeConfig
# The secret is just used for extracting the key, it would otherwise
# be hidden in the closure of the handler function
secret = fakeKey.fakeGenSecret.jwtSharedSecret(config)
# The wrapper contains the handler function with the captured shared key
authHook = secret.value.httpJwtAuth
const
serverAddress = initTAddress("127.0.0.1:8547")
query = """{ __type(name: "ID") { kind }}"""
suite "EngineAuth: Http/rpc authentication mechanics":
let server = createServer(serverAddress, @[authHook])
server.start()
test &"JSW/HS256 authentication using shared secret file {fileInfo}":
# Just to make sure that we made a proper choice. Typically, all
# ingredients shoud have been tested, already in the preceeding test
# suite.
let
lines = config.jwtSecret.get.string.readLines(1)
hexKey = "0x" & secret.value.UnGuardedKey.toHex
hexLine = lines[0].strip
noisy.say "***", "key=", hexKey
noisy.say " ", "text=", hexLine
check hexKey.cmpIgnoreCase(hexLine) == 0
let
time = getTime().toUnix.uint64
req = secret.value.getHttpAuthReqHeader(time)
noisy.say "***", "request",
" Authorization=", req.getString("Authorization")
setTraceLevel()
# Run http authorisation request
let client = setupClient(serverAddress)
let res = waitFor client.sendRequest(query, req.toList)
check res.isOk
if res.isErr:
noisy.say "***", res.error
return
let resp = res.get()
check resp.status == 200
check resp.reason == "OK"
check resp.response == """{"data":{"__type":{"kind":"SCALAR"}}}"""
setErrorLevel()
test &"JSW/HS256, ditto with protected header variant":
let
time = getTime().toUnix.uint64
req = secret.value.getHttpAuthReqHeader2(time)
# Assemble request header
noisy.say "***", "request",
" Authorization=", req.getString("Authorization")
setTraceLevel()
# Run http authorisation request
let client = setupClient(serverAddress)
let res = waitFor client.sendRequest(query, req.toList)
check res.isOk
if res.isErr:
noisy.say "***", res.error
return
let resp = res.get()
check resp.status == 200
check resp.reason == "OK"
check resp.response == """{"data":{"__type":{"kind":"SCALAR"}}}"""
setErrorLevel()
waitFor server.closeWait()
# ------------------------------------------------------------------------------
# Main function(s)
# ------------------------------------------------------------------------------
proc jwtAuthMain*(noisy = defined(debug)) =
noisy.runKeyLoader
noisy.runJwtAuth
when isMainModule:
const
noisy = defined(debug)
setErrorLevel()
noisy.runKeyLoader
noisy.runJwtAuth
# ------------------------------------------------------------------------------
# End
# ------------------------------------------------------------------------------