update engine API spec ref URLs from alpha.9 to beta.1 (#4030)
* update engine API spec ref URLs from alpha.9 to beta.1 * require exactly 256-bit JWT keys
parent
184c3de02d
commit
61dc296046
@ -213,7 +213,7 @@ type
|
||||||
desc: "Number of worker threads (\"0\" = use as many threads as there are CPU cores available)"
|
desc: "Number of worker threads (\"0\" = use as many threads as there are CPU cores available)"
|
||||||
name: "num-threads" .}: int
|
name: "num-threads" .}: int
|
||||||
|
|
||||||
# https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/authentication.md#key-distribution
|
# https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/authentication.md#key-distribution
|
||||||
jwtSecret* {.
|
jwtSecret* {.
|
||||||
desc: "A file containing the hex-encoded 256 bit secret key to be used for verifying/generating JWT tokens"
|
desc: "A file containing the hex-encoded 256 bit secret key to be used for verifying/generating JWT tokens"
|
||||||
name: "jwt-secret" .}: Option[string]
|
name: "jwt-secret" .}: Option[string]
|
||||||
|
|
|
@ -1100,8 +1100,8 @@ proc detectPrimaryProviderComingOnline(m: Eth1Monitor) {.async.} =
|
||||||
var tempProvider = tempProviderRes.get
|
var tempProvider = tempProviderRes.get
|
||||||
|
|
||||||
# Use one of the get/request-type methods from
|
# Use one of the get/request-type methods from
|
||||||
# https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/specification.md#underlying-protocol
|
# https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/specification.md#underlying-protocol
|
||||||
# which does nit take parameters and returns a small structure, to ensure
|
# which doesn't take parameters and returns a small structure, to ensure
|
||||||
# this works with engine API endpoints.
|
# this works with engine API endpoints.
|
||||||
let testRequest = tempProvider.web3.provider.eth_syncing()
|
let testRequest = tempProvider.web3.provider.eth_syncing()
|
||||||
|
|
||||||
|
|
|
@ -1366,7 +1366,7 @@ proc onSecond(node: BeaconNode, time: Moment) =
|
||||||
updateThreadMetrics()
|
updateThreadMetrics()
|
||||||
|
|
||||||
## This procedure will be called once per minute.
|
## This procedure will be called once per minute.
|
||||||
# https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/specification.md#engine_exchangetransitionconfigurationv1
|
# https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/specification.md#engine_exchangetransitionconfigurationv1
|
||||||
if time > node.nextExchangeTransitionConfTime and not node.eth1Monitor.isNil:
|
if time > node.nextExchangeTransitionConfTime and not node.eth1Monitor.isNil:
|
||||||
node.nextExchangeTransitionConfTime = time + chronos.minutes(1)
|
node.nextExchangeTransitionConfTime = time + chronos.minutes(1)
|
||||||
traceAsyncErrors node.eth1Monitor.exchangeTransitionConfiguration()
|
traceAsyncErrors node.eth1Monitor.exchangeTransitionConfiguration()
|
||||||
|
|
|
@ -31,10 +31,10 @@ const
|
||||||
# https://github.com/ethereum/consensus-specs/blob/v1.2.0-rc.1/specs/bellatrix/beacon-chain.md#transition-settings
|
# https://github.com/ethereum/consensus-specs/blob/v1.2.0-rc.1/specs/bellatrix/beacon-chain.md#transition-settings
|
||||||
TERMINAL_BLOCK_HASH_ACTIVATION_EPOCH* = FAR_FUTURE_EPOCH
|
TERMINAL_BLOCK_HASH_ACTIVATION_EPOCH* = FAR_FUTURE_EPOCH
|
||||||
|
|
||||||
# https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/specification.md#request-1
|
# https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/specification.md#request-1
|
||||||
FORKCHOICEUPDATED_TIMEOUT* = 8.seconds
|
FORKCHOICEUPDATED_TIMEOUT* = 8.seconds
|
||||||
|
|
||||||
# https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/specification.md#request
|
# https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/specification.md#request
|
||||||
NEWPAYLOAD_TIMEOUT* = 8.seconds
|
NEWPAYLOAD_TIMEOUT* = 8.seconds
|
||||||
|
|
||||||
type
|
type
|
||||||
|
|
|
@ -25,9 +25,9 @@ proc base64urlEncode(x: auto): string =
|
||||||
base64.encode(x, safe = true).replace("=", "")
|
base64.encode(x, safe = true).replace("=", "")
|
||||||
|
|
||||||
func getIatToken*(time: int64): JsonNode =
|
func getIatToken*(time: int64): JsonNode =
|
||||||
# https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/authentication.md#jwt-claims
|
# https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/authentication.md#jwt-claims
|
||||||
# "Required: iat (issued-at) claim. The EL SHOULD only accept iat timestamps
|
# "Required: iat (issued-at) claim. The EL SHOULD only accept iat timestamps
|
||||||
# which are within +-5 seconds from the current time."
|
# which are within +-60 seconds from the current time."
|
||||||
#
|
#
|
||||||
# https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6 describes iat
|
# https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.6 describes iat
|
||||||
# claims.
|
# claims.
|
||||||
|
@ -37,7 +37,7 @@ func getIatToken*(time: int64): JsonNode =
|
||||||
%* {"iat": time}
|
%* {"iat": time}
|
||||||
|
|
||||||
proc getSignedToken*(key: openArray[byte], payload: string): string =
|
proc getSignedToken*(key: openArray[byte], payload: string): string =
|
||||||
# https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/authentication.md#jwt-specifications
|
# https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/authentication.md#jwt-specifications
|
||||||
# "The EL MUST support at least the following alg: HMAC + SHA256 (HS256)"
|
# "The EL MUST support at least the following alg: HMAC + SHA256 (HS256)"
|
||||||
|
|
||||||
# https://datatracker.ietf.org/doc/html/rfc7515#appendix-A.1.1
|
# https://datatracker.ietf.org/doc/html/rfc7515#appendix-A.1.1
|
||||||
|
@ -57,12 +57,11 @@ proc getSignedIatToken*(key: openArray[byte], time: int64): string =
|
||||||
proc checkJwtSecret*(
|
proc checkJwtSecret*(
|
||||||
rng: var HmacDrbgContext, dataDir: string, jwtSecret: Option[string]):
|
rng: var HmacDrbgContext, dataDir: string, jwtSecret: Option[string]):
|
||||||
Result[seq[byte], cstring] =
|
Result[seq[byte], cstring] =
|
||||||
|
|
||||||
# If such a parameter is given, but the file cannot be read, or does not
|
# If such a parameter is given, but the file cannot be read, or does not
|
||||||
# contain a hex-encoded key of at least 256 bits, the client should treat
|
# contain a hex-encoded key of 256 bits, the client should treat this as an
|
||||||
# this as an error: either abort the startup, or show error and continue
|
# error: either abort the startup, or show error and continue without
|
||||||
# without exposing the authenticated port.
|
# exposing the authenticated port.
|
||||||
const MIN_SECRET_LEN = 32
|
const SECRET_LEN = 32
|
||||||
|
|
||||||
if jwtSecret.isNone:
|
if jwtSecret.isNone:
|
||||||
# If such a parameter is not given, the client SHOULD generate such a
|
# If such a parameter is not given, the client SHOULD generate such a
|
||||||
|
@ -70,11 +69,11 @@ proc checkJwtSecret*(
|
||||||
# hex-encoded secret as a jwt.hex file on the filesystem. This file can
|
# hex-encoded secret as a jwt.hex file on the filesystem. This file can
|
||||||
# then be used to provision the counterpart client.
|
# then be used to provision the counterpart client.
|
||||||
#
|
#
|
||||||
# https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/authentication.md#key-distribution
|
# https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/authentication.md#key-distribution
|
||||||
const jwtSecretFilename = "jwt.hex"
|
const jwtSecretFilename = "jwt.hex"
|
||||||
let jwtSecretPath = dataDir / jwtSecretFilename
|
let jwtSecretPath = dataDir / jwtSecretFilename
|
||||||
|
|
||||||
let newSecret = rng.generateBytes(MIN_SECRET_LEN)
|
let newSecret = rng.generateBytes(SECRET_LEN)
|
||||||
try:
|
try:
|
||||||
writeFile(jwtSecretPath, newSecret.to0xHex())
|
writeFile(jwtSecretPath, newSecret.to0xHex())
|
||||||
except IOError as exc:
|
except IOError as exc:
|
||||||
|
@ -92,10 +91,10 @@ proc checkJwtSecret*(
|
||||||
# Secret JWT key is parsed in constant time using nimcrypto:
|
# Secret JWT key is parsed in constant time using nimcrypto:
|
||||||
# https://github.com/cheatfate/nimcrypto/pull/44
|
# https://github.com/cheatfate/nimcrypto/pull/44
|
||||||
let secret = utils.fromHex(lines[0])
|
let secret = utils.fromHex(lines[0])
|
||||||
if secret.len >= MIN_SECRET_LEN:
|
if secret.len == SECRET_LEN:
|
||||||
ok(secret)
|
ok(secret)
|
||||||
else:
|
else:
|
||||||
err("JWT secret not at least 256 bits")
|
err("JWT secret not 256 bits")
|
||||||
else:
|
else:
|
||||||
err("no hex string found")
|
err("no hex string found")
|
||||||
except IOError:
|
except IOError:
|
||||||
|
|
|
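Review bot: The freshly generated secret on the `let newSecret = rng.generateBytes(SECRET_LEN)` line is persisted two lines later with `writeFile(jwtSecretPath, newSecret.to0xHex())`, which creates jwt.hex under the process's default umask, so the key that is then shared with the execution client can end up group- or world-readable, and nothing in the hunk restricts its mode. Tightening the mode right after the write, `setFilePermissions(jwtSecretPath, {fpUserRead, fpUserWrite})`, closes most of that exposure, though creating the file with a 0600 mode up front would avoid the short window between create and chmod. I cannot see whether checkJwtSecret already does this further down, since the procedure continues past the hunk. The ±60 seconds edit in the getIatToken comment is documentation only: getIatToken emits the caller-supplied `time` and enforces no tolerance itself, so no code change is needed there.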
@ -390,7 +390,7 @@ proc getExecutionPayload(
|
||||||
# Minimize window for Eth1 monitor to shut down connection
|
# Minimize window for Eth1 monitor to shut down connection
|
||||||
await node.consensusManager.eth1Monitor.ensureDataProvider()
|
await node.consensusManager.eth1Monitor.ensureDataProvider()
|
||||||
|
|
||||||
# https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/specification.md#request-2
|
# https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/specification.md#request-2
|
||||||
const GETPAYLOAD_TIMEOUT = 1.seconds
|
const GETPAYLOAD_TIMEOUT = 1.seconds
|
||||||
|
|
||||||
let
|
let
|
||||||
|
|
|
@ -29,11 +29,11 @@ from ../beacon_chain/spec/presets import Eth1Address, defaultRuntimeConfig
|
||||||
# TODO factor this out and have a version with the result of the JWT secret
|
# TODO factor this out and have a version with the result of the JWT secret
|
||||||
# slurp for testing purposes
|
# slurp for testing purposes
|
||||||
proc readJwtSecret(jwtSecretFile: string): Result[seq[byte], cstring] =
|
proc readJwtSecret(jwtSecretFile: string): Result[seq[byte], cstring] =
|
||||||
# https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/authentication.md#key-distribution
|
# https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/authentication.md#key-distribution
|
||||||
# If such a parameter is given, but the file cannot be read, or does not
|
# If such a parameter is given, but the file cannot be read, or does not
|
||||||
# contain a hex-encoded key of at least 256 bits, the client should treat
|
# contain a hex-encoded key of 256 bits, the client should treat this as an
|
||||||
# this as an error: either abort the startup, or show error and continue
|
# error: either abort the startup, or show error and continue without
|
||||||
# without exposing the authenticated port.
|
# exposing the authenticated port.
|
||||||
const MIN_SECRET_LEN = 32
|
const MIN_SECRET_LEN = 32
|
||||||
|
|
||||||
try:
|
try:
|
||||||
|
|
|
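Review bot: The comment on the `# contain a hex-encoded key of 256 bits, the client should treat this as an` line now promises an exact 256-bit key, but the constant on the next non-blank line keeps its old name, `const MIN_SECRET_LEN = 32`, and the length check that uses it lies outside the hunk, so it presumably still accepts longer keys with `>=`. That leaves this readJwtSecret stricter in its documentation than in its behaviour and out of step with checkJwtSecret, which this commit changes to `if secret.len == SECRET_LEN:`. Either rename to `const SECRET_LEN = 32` and compare with `==`, or keep the comment at "at least 256 bits". The same applies to the second readJwtSecret hunk (`@ -28,11 +28,11 @@ else:`) further down. readJwtSecret's body continues past the hunk in both files.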
@ -28,11 +28,11 @@ else:
|
||||||
# TODO hm, actually factor this out into a callable function
|
# TODO hm, actually factor this out into a callable function
|
||||||
# and have a version with the result of the JWT secret slurp for testing purposes
|
# and have a version with the result of the JWT secret slurp for testing purposes
|
||||||
proc readJwtSecret(jwtSecretFile: string): Result[seq[byte], cstring] =
|
proc readJwtSecret(jwtSecretFile: string): Result[seq[byte], cstring] =
|
||||||
# https://github.com/ethereum/execution-apis/blob/v1.0.0-alpha.9/src/engine/authentication.md#key-distribution
|
# https://github.com/ethereum/execution-apis/blob/v1.0.0-beta.1/src/engine/authentication.md#key-distribution
|
||||||
# If such a parameter is given, but the file cannot be read, or does not
|
# If such a parameter is given, but the file cannot be read, or does not
|
||||||
# contain a hex-encoded key of at least 256 bits, the client should treat
|
# contain a hex-encoded key of 256 bits, the client should treat this as an
|
||||||
# this as an error: either abort the startup, or show error and continue
|
# error: either abort the startup, or show error and continue without
|
||||||
# without exposing the authenticated port.
|
# exposing the authenticated port.
|
||||||
const MIN_SECRET_LEN = 32
|
const MIN_SECRET_LEN = 32
|
||||||
|
|
||||||
try:
|
try:
|
||||||
|
|