Add TLS capability to the beacon node HTTP API (#2668)

Currently, the beacon node has no ability to serve the HTTP API over TLS.
Adding this functionality would be helpful for certain use cases, such as when you need a validator client to connect to a backup beacon node which is outside your local network, and the use of an SSH tunnel or reverse proxy would be inappropriate.

## Proposed Changes

- Add three new CLI flags to the beacon node
  - `--http-enable-tls`: enables TLS
  - `--http-tls-cert`: to specify the path to the certificate file
  - `--http-tls-key`: to specify the path to the key file
- Update the HTTP API to optionally use `warp`'s [`TlsServer`](https://docs.rs/warp/0.3.1/warp/struct.TlsServer.html) depending on the presence of the `--http-enable-tls` flag
- Update tests and docs
- Use a custom branch for `warp` to ensure proper error handling

## Additional Info

Serving the API over TLS should currently be considered experimental. The reason for this is that it uses code from an [unmerged PR](https://github.com/seanmonstar/warp/pull/717). This commit provides the `try_bind_with_graceful_shutdown` method to `warp`, which is helpful for controlling error flow when the TLS configuration is invalid (cert/key files don't exist, incorrect permissions, etc). 
I've implemented the same code in my [branch here](https://github.com/macladson/warp/tree/tls).

Once the code has been reviewed and merged upstream into `warp`, we can remove the dependency on my branch and the feature can be considered more stable.

Currently, the private key file must not be password-protected in order to be read into Lighthouse.

beacon_node/http_api/Cargo.toml

@@ -6,7 +6,7 @@ edition = "2018"
 autotests = false # using a single test binary compiles faster
 
 [dependencies]
-warp = { git = "https://github.com/paulhauner/warp ", branch = "cors-wildcard" }
+warp = { git = "https://github.com/macladson/warp", rev ="dfa259e", features = ["tls"] }
 serde = { version = "1.0.116", features = ["derive"] }
 tokio = { version = "1.10.0", features = ["macros","sync"] }
 tokio-stream = { version = "0.1.3", features = ["sync"] }

beacon_node/http_api/src/lib.rs

@@ -36,6 +36,8 @@ use std::borrow::Cow;
 use std::convert::TryInto;
 use std::future::Future;
 use std::net::{Ipv4Addr, SocketAddr, SocketAddrV4};
+use std::path::PathBuf;
+use std::pin::Pin;
 use std::sync::Arc;
 use tokio::sync::mpsc::UnboundedSender;
 use tokio_stream::{wrappers::BroadcastStream, StreamExt};
@@ -61,6 +63,16 @@ const API_PREFIX: &str = "eth";
 /// finalized head.
 const SYNC_TOLERANCE_EPOCHS: u64 = 8;
 
+/// A custom type which allows for both unsecured and TLS-enabled HTTP servers.
+type HttpServer = (SocketAddr, Pin<Box<dyn Future<Output = ()> + Send>>);
+
+/// Configuration used when serving the HTTP server over TLS.
+#[derive(PartialEq, Debug, Clone, Serialize, Deserialize)]
+pub struct TlsConfig {
+    pub cert: PathBuf,
+    pub key: PathBuf,
+}
+
 /// A wrapper around all the items required to spawn the HTTP server.
 ///
 /// The server will gracefully handle the case where any fields are `None`.
@@ -81,6 +93,7 @@ pub struct Config {
     pub listen_port: u16,
     pub allow_origin: Option<String>,
     pub serve_legacy_spec: bool,
+    pub tls_config: Option<TlsConfig>,
 }
 
 impl Default for Config {
@@ -91,6 +104,7 @@ impl Default for Config {
             listen_port: 5052,
             allow_origin: None,
             serve_legacy_spec: true,
+            tls_config: None,
         }
     }
 }
@@ -218,7 +232,7 @@ pub fn prometheus_metrics() -> warp::filters::log::Log<impl Fn(warp::filters::lo
 pub fn serve<T: BeaconChainTypes>(
     ctx: Arc<Context<T>>,
     shutdown: impl Future<Output = ()> + Send + Sync + 'static,
-) -> Result<(SocketAddr, impl Future<Output = ()>), Error> {
+) -> Result<HttpServer, Error> {
     let config = ctx.config.clone();
     let log = ctx.log.clone();
 
@@ -2587,22 +2601,37 @@ pub fn serve<T: BeaconChainTypes>(
         .map(|reply| warp::reply::with_header(reply, "Server", &version_with_platform()))
         .with(cors_builder.build());
 
-    let (listening_socket, server) = {
-        warp::serve(routes).try_bind_with_graceful_shutdown(
-            SocketAddrV4::new(config.listen_addr, config.listen_port),
-            async {
-                shutdown.await;
-            },
-        )?
+    let http_socket: SocketAddrV4 = SocketAddrV4::new(config.listen_addr, config.listen_port);
+    let http_server: HttpServer = match config.tls_config {
+        Some(tls_config) => {
+            let (socket, server) = warp::serve(routes)
+                .tls()
+                .cert_path(tls_config.cert)
+                .key_path(tls_config.key)
+                .try_bind_with_graceful_shutdown(http_socket, async {
+                    shutdown.await;
+                })?;
+
+            info!(log, "HTTP API is being served over TLS";);
+
+            (socket, Box::pin(server))
+        }
+        None => {
+            let (socket, server) =
+                warp::serve(routes).try_bind_with_graceful_shutdown(http_socket, async {
+                    shutdown.await;
+                })?;
+            (socket, Box::pin(server))
+        }
     };
 
     info!(
         log,
         "HTTP API started";
-        "listen_address" => listening_socket.to_string(),
+        "listen_address" => %http_server.0,
     );
 
-    Ok((listening_socket, server))
+    Ok(http_server)
 }
 
 /// Publish a message to the libp2p pubsub network.

beacon_node/http_api/tests/common.rs

@@ -131,6 +131,7 @@ pub async fn create_api_server<T: BeaconChainTypes>(
             listen_port: 0,
             allow_origin: None,
             serve_legacy_spec: true,
+            tls_config: None,
         },
         chain: Some(chain.clone()),
         network_tx: Some(network_tx),