Skip to content

Commit

Permalink
jwt auth on websockets (hyperledger#4039)
Browse files Browse the repository at this point in the history 
* integration test covering websocket subscription without auth
* uses authenticated user on websocket handler when auth enabled and successful
* sonarlint fixes and copyright correction
* moved test specific class to test sources

Signed-off-by: Justin Florentine <justin+github@florentine.us>

Co-authored-by: garyschulte <garyschulte@gmail.com>
  • Loading branch information
@jflo @garyschulte
jflo and garyschulte authored Jul 1, 2022
1 parent 90f891b commit 043191a
Show file tree
Hide file tree
Showing 5 changed files with 438 additions and 24 deletions.
61 changes: 37 additions & 24 deletions ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcService.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -87,11 +87,13 @@
import io.vertx.core.http.ServerWebSocket;
import io.vertx.core.net.PfxOptions;
import io.vertx.core.net.SocketAddress;
import io.vertx.ext.auth.User;
import io.vertx.ext.web.Route;
import io.vertx.ext.web.Router;
import io.vertx.ext.web.RoutingContext;
import io.vertx.ext.web.handler.BodyHandler;
import io.vertx.ext.web.handler.CorsHandler;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

Expand Down Expand Up @@ -331,26 +333,21 @@ private Handler<ServerWebSocket> webSocketHandler() {
user -> {
if (user.isEmpty()) {
websocket.reject(403);
} else {
final Handler<Buffer> socketHandler =
handlerForUser(socketAddress, websocket, user);
websocket.textMessageHandler(text -> socketHandler.handle(Buffer.buffer(text)));
websocket.binaryMessageHandler(socketHandler);
}
});
} else {
final Handler<Buffer> socketHandler =
handlerForUser(socketAddress, websocket, Optional.empty());
websocket.textMessageHandler(text -> socketHandler.handle(Buffer.buffer(text)));
websocket.binaryMessageHandler(socketHandler);
}
LOG.debug("Websocket Connected ({})", socketAddressAsString(socketAddress));

final Handler<Buffer> socketHandler =
buffer -> {
LOG.debug(
"Received Websocket request (binary frame) {} ({})",
buffer.toString(),
socketAddressAsString(socketAddress));

if (webSocketMessageHandler.isPresent()) {
webSocketMessageHandler.get().handle(websocket, buffer, Optional.empty());
} else {
LOG.error("No socket request handler configured");
}
};
websocket.textMessageHandler(text -> socketHandler.handle(Buffer.buffer(text)));
websocket.binaryMessageHandler(socketHandler);
String addr = socketAddressAsString(socketAddress);
LOG.debug("Websocket Connected ({})", addr);

websocket.closeHandler(
v -> {
Expand All @@ -371,6 +368,24 @@ private Handler<ServerWebSocket> webSocketHandler() {
};
}

@NotNull
private Handler<Buffer> handlerForUser(
final SocketAddress socketAddress,
final ServerWebSocket websocket,
final Optional<User> user) {
return buffer -> {
String addr = socketAddressAsString(socketAddress);
LOG.debug("Received Websocket request (binary frame) {} ({})", buffer, addr);

if (webSocketMessageHandler.isPresent()) {
// if auth enabled and user empty will always 401
webSocketMessageHandler.get().handle(websocket, buffer, user);
} else {
LOG.error("No socket request handler configured");
}
};
}

private void validateConfig(final JsonRpcConfiguration config) {
checkArgument(
config.getPort() == 0 || NetworkUtility.isValidPort(config.getPort()),
Expand Down Expand Up @@ -588,20 +603,18 @@ private Optional<String> getAndValidateHostHeader(final RoutingContext event) {
: event.request().host();
final Iterable<String> splitHostHeader = Splitter.on(':').split(hostname);
final long hostPieces = stream(splitHostHeader).count();
if (hostPieces > 1) {
// If the host contains a colon, verify the host is correctly formed - host [ ":" port ]
if (hostPieces > 2 || !Iterables.get(splitHostHeader, 1).matches("\\d{1,5}+")) {
return Optional.empty();
}
// If the host contains a colon, verify the host is correctly formed - host [ ":" port ]
if (hostPieces > 2 || !Iterables.get(splitHostHeader, 1).matches("\\d{1,5}+")) {
return Optional.empty();
}

return Optional.ofNullable(Iterables.get(splitHostHeader, 0));
}

private boolean hostIsInAllowlist(final String hostHeader) {
if (config.getHostsAllowlist().contains("*")
|| config.getHostsAllowlist().stream()
.anyMatch(
allowlistEntry -> allowlistEntry.toLowerCase().equals(hostHeader.toLowerCase()))) {
.anyMatch(allowlistEntry -> allowlistEntry.equalsIgnoreCase(hostHeader))) {
return true;
} else {
LOG.trace("Host not in allowlist: '{}'", hostHeader);
Expand Down
6 changes: 6 additions & 0 deletions ...main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/EngineAuthService.java
View file
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,12 @@ public EngineAuthService(final Vertx vertx, final Optional<File> signingKey, fin
this.jwtAuthProvider = JWTAuth.create(vertx, jwtAuthOptions);
}

public String createToken() {
JsonObject claims = new JsonObject();
claims.put("iat", System.currentTimeMillis() / 1000);
return this.jwtAuthProvider.generateToken(claims);
}

private JWTAuthOptions engineApiJWTOptions(
final JwtAlgorithm jwtAlgorithm, final Optional<File> keyFile, final Path datadir) {
byte[] signingKey = null;
Expand Down
97 changes: 97 additions & 0 deletions ...yperledger/besu/ethereum/api/jsonrpc/internal/response/MutableJsonRpcSuccessResponse.java
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,97 @@
/*
* Copyright Hyperledger Besu contributors.
*
* Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
* an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
* specific language governing permissions and limitations under the License.
*
* SPDX-License-Identifier: Apache-2.0
*/
package org.hyperledger.besu.ethereum.api.jsonrpc.internal.response;

import java.util.Objects;

import com.fasterxml.jackson.annotation.JsonGetter;
import com.fasterxml.jackson.annotation.JsonIgnore;
import com.fasterxml.jackson.annotation.JsonPropertyOrder;
import com.fasterxml.jackson.annotation.JsonSetter;

@JsonPropertyOrder({"jsonrpc", "id", "result"})
public class MutableJsonRpcSuccessResponse {

private Object id;
private Object result;
private Object version;

public MutableJsonRpcSuccessResponse() {
this.id = null;
this.result = null;
}

public MutableJsonRpcSuccessResponse(final Object id, final Object result) {
this.id = id;
this.result = result;
}

public MutableJsonRpcSuccessResponse(final Object id) {
this.id = id;
this.result = "Success";
}

@JsonGetter("id")
public Object getId() {
return id;
}

@JsonGetter("result")
public Object getResult() {
return result;
}

@JsonSetter("id")
public void setId(final Object id) {
this.id = id;
}

@JsonSetter("result")
public void setResult(final Object result) {
this.result = result;
}

@JsonGetter("jsonrpc")
public Object getVersion() {
return version;
}

@JsonSetter("jsonrpc")
public void setVersion(final Object version) {
this.version = version;
}

@JsonIgnore
public JsonRpcResponseType getType() {
return JsonRpcResponseType.SUCCESS;
}

@Override
public boolean equals(final Object o) {
if (this == o) {
return true;
}
if (o == null || getClass() != o.getClass()) {
return false;
}
final MutableJsonRpcSuccessResponse that = (MutableJsonRpcSuccessResponse) o;
return Objects.equals(id, that.id) && Objects.equals(result, that.result);
}

@Override
public int hashCode() {
return Objects.hash(id, result);
}
}
Loading

0 comments on commit 043191a

Please sign in to comment.