Implement standard keystore API (#2736)

## Issue Addressed Implements the standard key manager API from https://ethereum.github.io/keymanager-APIs/, formerly https://github.com/ethereum/beacon-APIs/pull/151 Related to https://github.com/sigp/lighthouse/issues/2557 ## Proposed Changes - [x] Add all of the new endpoints from the standard API: GET, POST and DELETE. - [x] Add a `validators.enabled` column to the slashing protection database to support atomic disable + export. - [x] Add tests for all the common sequential accesses of the API - [x] Add tests for interactions with remote signer validators - [x] Add end-to-end tests for migration of validators from one VC to another - [x] Implement the authentication scheme from the standard (token bearer auth) ## Additional Info The `enabled` column in the validators SQL database is necessary to prevent a race condition when exporting slashing protection data. Without the slashing protection database having a way of knowing that a key has been disabled, a concurrent request to sign a message could insert a new record into the database. The `delete_concurrent_with_signing` test exercises this code path, and was indeed failing before the `enabled` column was added. The validator client authentication has been modified from basic auth to bearer auth, with basic auth preserved for backwards compatibility.
2026-04-27 01:33:33 +00:00 · 2022-01-30 23:22:04 +00:00
parent ee000d5219
commit e961ff60b4
32 changed files with 2284 additions and 127 deletions
--- a/book/src/api-vc-auth-header.md
+++ b/book/src/api-vc-auth-header.md
@@ -6,13 +6,13 @@ The validator client HTTP server requires that all requests have the following
 HTTP header:

 - Name: `Authorization`
- Value: `Basic <api-token>`
+- Value: `Bearer <api-token>`

 Where `<api-token>` is a string that can be obtained from the validator client
 host. Here is an example `Authorization` header:

 ```
-Authorization Basic api-token-0x03eace4c98e8f77477bb99efb74f9af10d800bd3318f92c33b719a4644254d4123
+Authorization: Bearer api-token-0x03eace4c98e8f77477bb99efb74f9af10d800bd3318f92c33b719a4644254d4123
 ```

 ## Obtaining the API token
@@ -35,12 +35,27 @@ to the file containing the api token.
 Sep 28 19:17:52.615 INFO HTTP API started                        api_token_file: "$HOME/prater/validators/api-token.txt", listen_address: 127.0.0.1:5062
 ```

+The _path_ to the API token may also be fetched from the HTTP API itself (this endpoint is the only
+one accessible without the token):
+
+```bash
+curl http://localhost:5062/lighthouse/auth
+```
+
+Response:
+
+```json
+{
+    "token_path": "/home/karlm/.lighthouse/prater/validators/api-token.txt"
+}
+```
+
 ## Example

 Here is an example `curl` command using the API token in the `Authorization` header:

 ```bash
-curl localhost:5062/lighthouse/version -H "Authorization: Basic api-token-0x03eace4c98e8f77477bb99efb74f9af10d800bd3318f92c33b719a4644254d4123"
+curl localhost:5062/lighthouse/version -H "Authorization: Bearer api-token-0x03eace4c98e8f77477bb99efb74f9af10d800bd3318f92c33b719a4644254d4123"
 ```

 The server should respond with its version:
--- a/book/src/api-vc-endpoints.md
+++ b/book/src/api-vc-endpoints.md
@@ -4,15 +4,19 @@

 HTTP Path | Description |
 | --- | -- |
-[`GET /lighthouse/version`](#get-lighthouseversion) | Get the Lighthouse software version
-[`GET /lighthouse/health`](#get-lighthousehealth) | Get information about the host machine
-[`GET /lighthouse/spec`](#get-lighthousespec) | Get the Eth2 specification used by the validator
-[`GET /lighthouse/validators`](#get-lighthousevalidators) | List all validators
-[`GET /lighthouse/validators/:voting_pubkey`](#get-lighthousevalidatorsvoting_pubkey) | Get a specific validator
-[`PATCH /lighthouse/validators/:voting_pubkey`](#patch-lighthousevalidatorsvoting_pubkey) | Update a specific validator
+[`GET /lighthouse/version`](#get-lighthouseversion) | Get the Lighthouse software version.
+[`GET /lighthouse/health`](#get-lighthousehealth) | Get information about the host machine.
+[`GET /lighthouse/spec`](#get-lighthousespec) | Get the Eth2 specification used by the validator.
+[`GET /lighthouse/auth`](#get-lighthouseauth) | Get the location of the authorization token.
+[`GET /lighthouse/validators`](#get-lighthousevalidators) | List all validators.
+[`GET /lighthouse/validators/:voting_pubkey`](#get-lighthousevalidatorsvoting_pubkey) | Get a specific validator.
+[`PATCH /lighthouse/validators/:voting_pubkey`](#patch-lighthousevalidatorsvoting_pubkey) | Update a specific validator.
 [`POST /lighthouse/validators`](#post-lighthousevalidators) | Create a new validator and mnemonic.
 [`POST /lighthouse/validators/keystore`](#post-lighthousevalidatorskeystore) | Import a keystore.
 [`POST /lighthouse/validators/mnemonic`](#post-lighthousevalidatorsmnemonic) | Create a new validator from an existing mnemonic.
+[`POST /lighthouse/validators/web3signer`](#post-lighthousevalidatorsweb3signer) | Add web3signer validators.
+
+In addition to the above endpoints Lighthouse also supports all of the [standard keymanager APIs](https://ethereum.github.io/keymanager-APIs/).

 ## `GET /lighthouse/version`

@@ -153,6 +157,37 @@ Typical Responses | 200
 }
 ```

+## `GET /lighthouse/auth`
+
+Fetch the filesystem path of the [authorization token](./api-vc-auth-header.md).
+Unlike the other endpoints this may be called _without_ providing an authorization token.
+
+This API is intended to be called from the same machine as the validator client, so that the token
+file may be read by a local user with access rights.
+
+### HTTP Specification
+
+| Property | Specification |
+| --- |--- |
+Path | `/lighthouse/auth`
+Method | GET
+Required Headers | -
+Typical Responses | 200
+
+### Example Path
+
+```
+localhost:5062/lighthouse/auth
+```
+
+### Example Response Body
+
+```json
+{
+    "token_path": "/home/karlm/.lighthouse/prater/validators/api-token.txt"
+}
+```
+
 ## `GET /lighthouse/validators`

 Lists all validators managed by this validator client.
--- a/book/src/api-vc.md
+++ b/book/src/api-vc.md
@@ -1,9 +1,12 @@
 # Validator Client API

-Lighthouse implements a HTTP/JSON API for the validator client. Since there is
-no Eth2 standard validator client API, Lighthouse has defined its own.
+Lighthouse implements a JSON HTTP API for the validator client which enables programmatic management
+of validators and keys.

-A full list of endpoints can be found in [Endpoints](./api-vc-endpoints.md).
+The API includes all of the endpoints from the [standard keymanager
+API](https://ethereum.github.io/keymanager-APIs/) that is implemented by other clients and remote
+signers. It also includes some Lighthouse-specific endpoints which are described in
+[Endpoints](./api-vc-endpoints.md).

 > Note: All requests to the HTTP server must supply an
 > [`Authorization`](./api-vc-auth-header.md) header. All responses contain a