[Merged by Bors] - Add client authentication to Web3Signer validators #3170

Closed

petertdavies
Contributor

Issue Addressed

Web3Signer validators do not support client authentication. This means the `--tls-known-clients-file` option on Web3Signer can't be used with Lighthouse.

Proposed Changes

Add two new fields to Web3Signer validators, `client_identity_path` and `client_identity_password`, which specify the path and password for a PKCS12 file containing a certificate and private key. If `client_identity_path` is present, use the certificate for SSL client authentication.

Additional Info

I am successfully validating on Prater using client authentication with Web3Signer and client authentication.
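
As an added illustration (not part of the original PR or of Lighthouse's code): one way to produce the PKCS12 file that `client_identity_path` points to, together with the matching entry for Web3Signer's `--tls-known-clients-file`. The file names, the common name `lighthouse_vc`, the self-signed certificate and the `<common name> <SHA-256 fingerprint>` line layout (taken from Web3Signer's documentation, not from this page) are assumptions.

```shell
#!/usr/bin/env bash
# Added example: all names, paths and passwords below are placeholders.
set -eu

# make_client_identity DIR CN
# Writes DIR/client.p12 (private key + self-signed certificate). The PKCS12
# password is read from $P12_PASSWORD so it never shows up in the process list.
make_client_identity() {
  ( umask 077   # key material readable by the owner only
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
      -keyout "$1/client.key" -out "$1/client.crt" 2>/dev/null
    openssl pkcs12 -export -name "$2" -inkey "$1/client.key" \
      -in "$1/client.crt" -out "$1/client.p12" -passout env:P12_PASSWORD
    rm -f "$1/client.key" )   # the key now lives only inside the .p12
}

# p12_fingerprint P12: SHA-256 fingerprint of the client certificate in P12.
p12_fingerprint() {
  openssl pkcs12 -in "$1" -passin env:P12_PASSWORD -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# known_clients_line CN P12: "<common name> <fingerprint>" (assumed layout of
# the file passed to Web3Signer's --tls-known-clients-file).
known_clients_line() {
  printf '%s %s\n' "$1" "$(p12_fingerprint "$2")"
}

# Demo with constructed values in a throwaway directory.
demo() {
  workdir=$(mktemp -d)
  P12_PASSWORD=${P12_PASSWORD:-example-only}
  export P12_PASSWORD
  make_client_identity "$workdir" lighthouse_vc
  echo "client_identity_path: $workdir/client.p12"
  echo "known clients entry:  $(known_clients_line lighthouse_vc "$workdir/client.p12")"
}
demo
```

The password exported as `P12_PASSWORD` is the value `client_identity_password` has to carry.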

CLAassistant commented May 5, 2022

All committers have signed the CLA.

@petertdavies petertdavies changed the base branch from stable to unstable May 5, 2022 12:13
@michaelsproul michaelsproul added the ready-for-review The code is ready for review label May 6, 2022
@petertdavies petertdavies force-pushed the client-authentication branch from 022ef0d to 1f8f9a1 Compare May 10, 2022 11:52
@petertdavies
Contributor Author

I'm struggling to reproduce the execution-engine-integration-ubuntu test failure. I don't think it is related to anything in this PR. I got it at one point on unstable, but it is difficult to reproduce.

@michaelsproul
Member

> I'm struggling to reproduce the execution-engine-integration-ubuntu test failure. I don't think it is related to anything in this PR.

Agree, based on this error it looks like an EE bug, which might have been fixed in the meantime (we depend on unpinned versions of Geth's master branch and Nethermind's kiln branch).

```
thread 'main' panicked at 'called `Result::unwrap()` on an `Err` value: EngineErrors([Api { id: "unknown", error: BadResponse("new_payload: response.status = VALID but invalid latest_valid_hash. Expected(ExecutionBlockHash(0x3832bacb7d88f7ff591235289037391b70fdb853a136de3cbfa0dccdd294cfcc)) Found(Some(ExecutionBlockHash(0x3b8fb240d288781d4aac94d3fd16809ee413bc99294a085798a589dae51ddd4a)))") }])', testing/execution_engine_integration/src/test_rig.rs:390:14
```

Member

@paulhauner paulhauner left a comment

This is great, super neat and tidy. Thanks for the helpful contribution ❤️

I only have one minor suggestion, but I don't feel too strongly either way.

validator_client/src/initialized_validators.rs (outdated, resolved)
@paulhauner paulhauner added waiting-on-author The reviewer has suggested changes and awaits their implementation. and removed ready-for-review The code is ready for review labels May 18, 2022
@paulhauner
Member

Beautiful! Thanks again.

bors r+

@paulhauner paulhauner added ready-for-merge This PR is ready to merge. and removed waiting-on-author The reviewer has suggested changes and awaits their implementation. labels May 18, 2022
bors bot pushed a commit that referenced this pull request May 18, 2022
@bors bors bot changed the title Add client authentication to Web3Signer validators [Merged by Bors] - Add client authentication to Web3Signer validators May 19, 2022
@bors bors bot closed this May 19, 2022