prysm-pulse/network/auth_test.go

package network

import (
	"net/http"
	"net/http/httptest"
	"strings"
	"testing"
	"time"

	"github.com/golang-jwt/jwt/v4"
	"github.com/prysmaticlabs/prysm/v5/encoding/bytesutil"
	"github.com/prysmaticlabs/prysm/v5/testing/require"
)

func TestJWTAuthTransport(t *testing.T) {
	secret := bytesutil.PadTo([]byte("foo"), 32)
	authTransport := &jwtTransport{
		underlyingTransport: http.DefaultTransport,
		jwtSecret:           secret,
	}
	client := &http.Client{
		Timeout:   DefaultRPCHTTPTimeout,
		Transport: authTransport,
	}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		reqToken := r.Header.Get("Authorization")
		splitToken := strings.Split(reqToken, "Bearer")
		// The format should be `Bearer ${token}`.
		require.Equal(t, 2, len(splitToken))
		reqToken = strings.TrimSpace(splitToken[1])
		token, err := jwt.Parse(reqToken, func(token *jwt.Token) (interface{}, error) {
			// We should be doing HMAC signing.
			_, ok := token.Method.(*jwt.SigningMethodHMAC)
			require.Equal(t, true, ok)
			return secret, nil
		})
		require.NoError(t, err)
		require.Equal(t, true, token.Valid)
		claims, ok := token.Claims.(jwt.MapClaims)
		require.Equal(t, true, ok)
		item, ok := claims["iat"]
		require.Equal(t, true, ok)
		iat, ok := item.(float64)
		require.Equal(t, true, ok)
		issuedAt := time.Unix(int64(iat), 0)
		// The claims should have an "iat" field (issued at) that is at most, 5 seconds ago.
		since := time.Since(issuedAt)
		require.Equal(t, true, since <= time.Second*5)
	}))
	defer srv.Close()
	_, err := client.Get(srv.URL)
	require.NoError(t, err)
}

func TestJWTWithId(t *testing.T) {
	secret := bytesutil.PadTo([]byte("foo"), 32)
	jwtId := "abc"
	authTransport := &jwtTransport{
		underlyingTransport: http.DefaultTransport,
		jwtSecret:           secret,
		jwtId:               jwtId,
	}
	client := &http.Client{
		Timeout:   DefaultRPCHTTPTimeout,
		Transport: authTransport,
	}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		reqToken := r.Header.Get("Authorization")
		splitToken := strings.Split(reqToken, "Bearer")
		// The format should be `Bearer ${token}`.
		require.Equal(t, 2, len(splitToken))
		reqToken = strings.TrimSpace(splitToken[1])
		token, err := jwt.Parse(reqToken, func(token *jwt.Token) (interface{}, error) {
			// We should be doing HMAC signing.
			_, ok := token.Method.(*jwt.SigningMethodHMAC)
			require.Equal(t, true, ok)
			return secret, nil
		})
		require.NoError(t, err)
		require.Equal(t, true, token.Valid)
		claims, ok := token.Claims.(jwt.MapClaims)
		require.Equal(t, true, ok)
		item, ok := claims["iat"]
		require.Equal(t, true, ok)
		iat, ok := item.(float64)
		require.Equal(t, true, ok)
		issuedAt := time.Unix(int64(iat), 0)
		// The claims should have an "iat" field (issued at) that is at most, 5 seconds ago.
		since := time.Since(issuedAt)
		require.Equal(t, true, since <= time.Second*5)
		// check jwt claims id
		id, ok := claims["id"]
		require.Equal(t, true, ok)
		require.Equal(t, id, jwtId)
	}))
	defer srv.Close()
	_, err := client.Get(srv.URL)
	require.NoError(t, err)
}

func TestJWTWithoutId(t *testing.T) {
	secret := bytesutil.PadTo([]byte("foo"), 32)
	authTransport := &jwtTransport{
		underlyingTransport: http.DefaultTransport,
		jwtSecret:           secret,
	}
	client := &http.Client{
		Timeout:   DefaultRPCHTTPTimeout,
		Transport: authTransport,
	}
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		reqToken := r.Header.Get("Authorization")
		splitToken := strings.Split(reqToken, "Bearer")
		// The format should be `Bearer ${token}`.
		require.Equal(t, 2, len(splitToken))
		reqToken = strings.TrimSpace(splitToken[1])
		token, err := jwt.Parse(reqToken, func(token *jwt.Token) (interface{}, error) {
			// We should be doing HMAC signing.
			_, ok := token.Method.(*jwt.SigningMethodHMAC)
			require.Equal(t, true, ok)
			return secret, nil
		})
		require.NoError(t, err)
		require.Equal(t, true, token.Valid)
		claims, ok := token.Claims.(jwt.MapClaims)
		require.Equal(t, true, ok)
		item, ok := claims["iat"]
		require.Equal(t, true, ok)
		iat, ok := item.(float64)
		require.Equal(t, true, ok)
		issuedAt := time.Unix(int64(iat), 0)
		// The claims should have an "iat" field (issued at) that is at most, 5 seconds ago.
		since := time.Since(issuedAt)
		require.Equal(t, true, since <= time.Second*5)
		_, ok = claims["id"]
		require.Equal(t, false, ok)
	}))
	defer srv.Close()
	_, err := client.Get(srv.URL)
	require.NoError(t, err)
}
Set Auth Differently In Our Powchain Constructor (#10501) 2022-04-09 09:03:05 +00:00			`package network`
Engine API Client Authentication for the Merge via HTTP (#10236) * round tripper with claims * auth * edit auth * test out jwt * passing * jwt flag * comment * passing * commentary * fix up jwt parsing * gaz * update jwt libs * tidy * gaz * lint * tidy up * comment too long Co-authored-by: james-prysm <90280386+james-prysm@users.noreply.github.com> 2022-02-25 19:08:43 +00:00
			`import (`
			`"net/http"`
			`"net/http/httptest"`
			`"strings"`
			`"testing"`
			`"time"`

			`"github.com/golang-jwt/jwt/v4"`
Update to V5 (#13622) * First take at updating everything to v5 * Patch gRPC gateway to use prysm v5 Fix patch * Update go ssz --------- Co-authored-by: Preston Van Loon <pvanloon@offchainlabs.com> 2024-02-15 05:46:47 +00:00			`"github.com/prysmaticlabs/prysm/v5/encoding/bytesutil"`
			`"github.com/prysmaticlabs/prysm/v5/testing/require"`
Engine API Client Authentication for the Merge via HTTP (#10236) * round tripper with claims * auth * edit auth * test out jwt * passing * jwt flag * comment * passing * commentary * fix up jwt parsing * gaz * update jwt libs * tidy * gaz * lint * tidy up * comment too long Co-authored-by: james-prysm <90280386+james-prysm@users.noreply.github.com> 2022-02-25 19:08:43 +00:00			`)`

			`func TestJWTAuthTransport(t *testing.T) {`
			`secret := bytesutil.PadTo([]byte("foo"), 32)`
			`authTransport := &jwtTransport{`
			`underlyingTransport: http.DefaultTransport,`
			`jwtSecret: secret,`
			`}`
			`client := &http.Client{`
Move Engine API to Powchain and Consolidate Connection Management (#10438) * gazelle * tests passing * use the same engine client * pass * initialize in right place * erge * build * imports * ensure engine checks work * pass powchain tests * powchain tests pass * deepsource * fix up node issues * gaz * endpoint use * baz * b * conf * lint * gaz * move to start function * test pass 2022-04-01 18:04:24 +00:00			`Timeout: DefaultRPCHTTPTimeout,`
Engine API Client Authentication for the Merge via HTTP (#10236) * round tripper with claims * auth * edit auth * test out jwt * passing * jwt flag * comment * passing * commentary * fix up jwt parsing * gaz * update jwt libs * tidy * gaz * lint * tidy up * comment too long Co-authored-by: james-prysm <90280386+james-prysm@users.noreply.github.com> 2022-02-25 19:08:43 +00:00			`Transport: authTransport,`
			`}`
			`srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`reqToken := r.Header.Get("Authorization")`
			`splitToken := strings.Split(reqToken, "Bearer")`
			// The format should be `Bearer ${token}`.
			`require.Equal(t, 2, len(splitToken))`
			`reqToken = strings.TrimSpace(splitToken[1])`
			`token, err := jwt.Parse(reqToken, func(token *jwt.Token) (interface{}, error) {`
			`// We should be doing HMAC signing.`
			`_, ok := token.Method.(*jwt.SigningMethodHMAC)`
			`require.Equal(t, true, ok)`
			`return secret, nil`
			`})`
			`require.NoError(t, err)`
			`require.Equal(t, true, token.Valid)`
			`claims, ok := token.Claims.(jwt.MapClaims)`
			`require.Equal(t, true, ok)`
			`item, ok := claims["iat"]`
			`require.Equal(t, true, ok)`
			`iat, ok := item.(float64)`
			`require.Equal(t, true, ok)`
			`issuedAt := time.Unix(int64(iat), 0)`
			`// The claims should have an "iat" field (issued at) that is at most, 5 seconds ago.`
			`since := time.Since(issuedAt)`
			`require.Equal(t, true, since <= time.Second*5)`
			`}))`
			`defer srv.Close()`
			`_, err := client.Get(srv.URL)`
			`require.NoError(t, err)`
			`}`
Add `--jwt-id` flag (#13218) * add jwt-id flag * optimize unit test for jwt-id * Add jwt-id to help text * gofmt --------- Co-authored-by: Preston Van Loon <pvanloon@offchainlabs.com> 2023-12-05 19:02:25 +00:00
			`func TestJWTWithId(t *testing.T) {`
			`secret := bytesutil.PadTo([]byte("foo"), 32)`
			`jwtId := "abc"`
			`authTransport := &jwtTransport{`
			`underlyingTransport: http.DefaultTransport,`
			`jwtSecret: secret,`
			`jwtId: jwtId,`
			`}`
			`client := &http.Client{`
			`Timeout: DefaultRPCHTTPTimeout,`
			`Transport: authTransport,`
			`}`
			`srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`reqToken := r.Header.Get("Authorization")`
			`splitToken := strings.Split(reqToken, "Bearer")`
			// The format should be `Bearer ${token}`.
			`require.Equal(t, 2, len(splitToken))`
			`reqToken = strings.TrimSpace(splitToken[1])`
			`token, err := jwt.Parse(reqToken, func(token *jwt.Token) (interface{}, error) {`
			`// We should be doing HMAC signing.`
			`_, ok := token.Method.(*jwt.SigningMethodHMAC)`
			`require.Equal(t, true, ok)`
			`return secret, nil`
			`})`
			`require.NoError(t, err)`
			`require.Equal(t, true, token.Valid)`
			`claims, ok := token.Claims.(jwt.MapClaims)`
			`require.Equal(t, true, ok)`
			`item, ok := claims["iat"]`
			`require.Equal(t, true, ok)`
			`iat, ok := item.(float64)`
			`require.Equal(t, true, ok)`
			`issuedAt := time.Unix(int64(iat), 0)`
			`// The claims should have an "iat" field (issued at) that is at most, 5 seconds ago.`
			`since := time.Since(issuedAt)`
			`require.Equal(t, true, since <= time.Second*5)`
			`// check jwt claims id`
			`id, ok := claims["id"]`
			`require.Equal(t, true, ok)`
			`require.Equal(t, id, jwtId)`
			`}))`
			`defer srv.Close()`
			`_, err := client.Get(srv.URL)`
			`require.NoError(t, err)`
			`}`

			`func TestJWTWithoutId(t *testing.T) {`
			`secret := bytesutil.PadTo([]byte("foo"), 32)`
			`authTransport := &jwtTransport{`
			`underlyingTransport: http.DefaultTransport,`
			`jwtSecret: secret,`
			`}`
			`client := &http.Client{`
			`Timeout: DefaultRPCHTTPTimeout,`
			`Transport: authTransport,`
			`}`
			`srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {`
			`reqToken := r.Header.Get("Authorization")`
			`splitToken := strings.Split(reqToken, "Bearer")`
			// The format should be `Bearer ${token}`.
			`require.Equal(t, 2, len(splitToken))`
			`reqToken = strings.TrimSpace(splitToken[1])`
			`token, err := jwt.Parse(reqToken, func(token *jwt.Token) (interface{}, error) {`
			`// We should be doing HMAC signing.`
			`_, ok := token.Method.(*jwt.SigningMethodHMAC)`
			`require.Equal(t, true, ok)`
			`return secret, nil`
			`})`
			`require.NoError(t, err)`
			`require.Equal(t, true, token.Valid)`
			`claims, ok := token.Claims.(jwt.MapClaims)`
			`require.Equal(t, true, ok)`
			`item, ok := claims["iat"]`
			`require.Equal(t, true, ok)`
			`iat, ok := item.(float64)`
			`require.Equal(t, true, ok)`
			`issuedAt := time.Unix(int64(iat), 0)`
			`// The claims should have an "iat" field (issued at) that is at most, 5 seconds ago.`
			`since := time.Since(issuedAt)`
			`require.Equal(t, true, since <= time.Second*5)`
			`_, ok = claims["id"]`
			`require.Equal(t, false, ok)`
			`}))`
			`defer srv.Close()`
			`_, err := client.Get(srv.URL)`
			`require.NoError(t, err)`
			`}`