auth for engine api (#3046)

## Issue Addressed Resolves #3015 ## Proposed Changes Add JWT token based authentication to engine api requests. The jwt secret key is read from the provided file and is used to sign tokens that are used for authenticated communication with the EL node. - [x] Interop with geth (synced `merge-devnet-4` with the `merge-kiln-v2` branch on geth) - [x] Interop with other EL clients (nethermind on `merge-devnet-4`) - [x] ~Implement `zeroize` for jwt secrets~ - [x] Add auth server tests with `mock_execution_layer` - [x] Get auth working with the `execution_engine_integration` tests Co-authored-by: Paul Hauner <paul@paulhauner.com>
2026-03-03 00:31:50 +00:00 · 2022-03-08 06:46:24 +00:00
parent 3b4865c3ae
commit 381d0ece3c
18 changed files with 735 additions and 79 deletions
--- a/testing/execution_engine_integration/src/execution_engine.rs
+++ b/testing/execution_engine_integration/src/execution_engine.rs
@@ -1,4 +1,5 @@
 use crate::{genesis_json::geth_genesis_json, SUPPRESS_LOGS};
+use execution_layer::DEFAULT_JWT_FILE;
 use sensitive_url::SensitiveUrl;
 use std::path::PathBuf;
 use std::process::{Child, Command, Output, Stdio};
@@ -9,7 +10,12 @@ use unused_port::unused_tcp_port;
 /// Defined for each EE type (e.g., Geth, Nethermind, etc).
 pub trait GenericExecutionEngine: Clone {
    fn init_datadir() -> TempDir;
-    fn start_client(datadir: &TempDir, http_port: u16, http_auth_port: u16) -> Child;
+    fn start_client(
+        datadir: &TempDir,
+        http_port: u16,
+        http_auth_port: u16,
+        jwt_secret_path: PathBuf,
+    ) -> Child;
 }

 /// Holds handle to a running EE process, plus some other metadata.
@@ -35,9 +41,10 @@ impl<E> Drop for ExecutionEngine<E> {
 impl<E: GenericExecutionEngine> ExecutionEngine<E> {
    pub fn new(engine: E) -> Self {
        let datadir = E::init_datadir();
+        let jwt_secret_path = datadir.path().join(DEFAULT_JWT_FILE);
        let http_port = unused_tcp_port().unwrap();
        let http_auth_port = unused_tcp_port().unwrap();
-        let child = E::start_client(&datadir, http_port, http_auth_port);
+        let child = E::start_client(&datadir, http_port, http_auth_port, jwt_secret_path);
        Self {
            engine,
            datadir,
@@ -51,10 +58,13 @@ impl<E: GenericExecutionEngine> ExecutionEngine<E> {
        SensitiveUrl::parse(&format!("http://127.0.0.1:{}", self.http_port)).unwrap()
    }

-    #[allow(dead_code)] // Future use.
-    pub fn http_ath_url(&self) -> SensitiveUrl {
+    pub fn http_auth_url(&self) -> SensitiveUrl {
        SensitiveUrl::parse(&format!("http://127.0.0.1:{}", self.http_auth_port)).unwrap()
    }
+
+    pub fn datadir(&self) -> PathBuf {
+        self.datadir.path().to_path_buf()
+    }
 }

 /*
@@ -98,7 +108,12 @@ impl GenericExecutionEngine for Geth {
        datadir
    }

-    fn start_client(datadir: &TempDir, http_port: u16, http_auth_port: u16) -> Child {
+    fn start_client(
+        datadir: &TempDir,
+        http_port: u16,
+        http_auth_port: u16,
+        jwt_secret_path: PathBuf,
+    ) -> Child {
        let network_port = unused_tcp_port().unwrap();

        Command::new(Self::binary_path())
@@ -113,6 +128,8 @@ impl GenericExecutionEngine for Geth {
            .arg(http_auth_port.to_string())
            .arg("--port")
            .arg(network_port.to_string())
+            .arg("--authrpc.jwtsecret")
+            .arg(jwt_secret_path.as_path().to_str().unwrap())
            .stdout(build_stdio())
            .stderr(build_stdio())
            .spawn()
--- a/testing/execution_engine_integration/src/test_rig.rs
+++ b/testing/execution_engine_integration/src/test_rig.rs
@@ -46,10 +46,17 @@ impl<E: GenericExecutionEngine> TestRig<E> {

        let ee_a = {
            let execution_engine = ExecutionEngine::new(generic_engine.clone());
-            let urls = vec![execution_engine.http_url()];
+            let urls = vec![execution_engine.http_auth_url()];
+
+            let config = execution_layer::Config {
+                execution_endpoints: urls,
+                secret_files: vec![],
+                suggested_fee_recipient: Some(Address::repeat_byte(42)),
+                default_datadir: execution_engine.datadir(),
+                ..Default::default()
+            };
            let execution_layer =
-                ExecutionLayer::from_urls(urls, fee_recipient, executor.clone(), log.clone())
-                    .unwrap();
+                ExecutionLayer::from_config(config, executor.clone(), log.clone()).unwrap();
            ExecutionPair {
                execution_engine,
                execution_layer,
@@ -59,8 +66,16 @@ impl<E: GenericExecutionEngine> TestRig<E> {
        let ee_b = {
            let execution_engine = ExecutionEngine::new(generic_engine);
            let urls = vec![execution_engine.http_url()];
+
+            let config = execution_layer::Config {
+                execution_endpoints: urls,
+                secret_files: vec![],
+                suggested_fee_recipient: fee_recipient,
+                default_datadir: execution_engine.datadir(),
+                ..Default::default()
+            };
            let execution_layer =
-                ExecutionLayer::from_urls(urls, fee_recipient, executor, log).unwrap();
+                ExecutionLayer::from_config(config, executor, log.clone()).unwrap();
            ExecutionPair {
                execution_engine,
                execution_layer,