prysm-pulse/validator/rpc/intercepter.go

package rpc

import (
	"context"
	"strings"
	"sync"

	"github.com/dgrijalva/jwt-go"
	"google.golang.org/grpc"
	"google.golang.org/grpc/codes"
	"google.golang.org/grpc/metadata"
	"google.golang.org/grpc/status"
)

// noAuthPaths keeps track of the paths which do not require
// authentication from our API.
var (
	noAuthPaths = map[string]bool{
		"/ethereum.validator.accounts.v2.Auth/Signup":              true,
		"/ethereum.validator.accounts.v2.Auth/Login":               true,
		"/ethereum.validator.accounts.v2.Wallet/HasWallet":         true,
		"/ethereum.validator.accounts.v2.Wallet/GenerateMnemonic":  true,
		"/ethereum.validator.accounts.v2.Wallet/DefaultWalletPath": true,
	}
	authLock sync.RWMutex
)

// JWTInterceptor is a gRPC unary interceptor to authorize incoming requests
// for methods that are NOT in the noAuthPaths configuration map.
func (s *Server) JWTInterceptor() grpc.UnaryServerInterceptor {
	return func(
		ctx context.Context,
		req interface{},
		info *grpc.UnaryServerInfo,
		handler grpc.UnaryHandler,
	) (interface{}, error) {
		// Skip authorize when the path doesn't require auth.
		authLock.RLock()
		shouldAuthenticate := !noAuthPaths[info.FullMethod]
		authLock.RUnlock()
		if shouldAuthenticate {
			if err := s.authorize(ctx); err != nil {
				return nil, err
			}
		}

		h, err := handler(ctx, req)
		log.Debugf("Request - Method: %s, Error: %v\n", info.FullMethod, err)
		return h, err
	}
}

// Authorize the token received is valid.
func (s *Server) authorize(ctx context.Context) error {
	md, ok := metadata.FromIncomingContext(ctx)
	if !ok {
		return status.Errorf(codes.InvalidArgument, "Retrieving metadata failed")
	}

	authHeader, ok := md["authorization"]
	if !ok {
		return status.Errorf(codes.Unauthenticated, "Authorization token could not be found")
	}
	checkParsedKey := func(*jwt.Token) (interface{}, error) {
		return s.jwtKey, nil
	}
	if len(authHeader) < 1 || !strings.Contains(authHeader[0], "Bearer ") {
		return status.Error(codes.Unauthenticated, "Invalid auth header, needs Bearer {token}")
	}
	token := strings.Split(authHeader[0], "Bearer ")[1]
	_, err := jwt.Parse(token, checkParsedKey)
	if err != nil {
		return status.Errorf(codes.Unauthenticated, "Could not parse JWT token: %v", err)
	}
	return nil
}
Add Authentication Functions to Validator RPC (#6968) * define auth endpoints * add intercepter with tests * auth functions * fix up the auth functions * add functions for storing and saving the hashed password from the validator db * validate strong password input and simplify jwt claims * tests for db funcs * comments for db funcs * wrap up the authentication tests * register auth srv * use proper db iface package and check if existing password * fix broken tests and add new test to check if password already exists * use roughtime * rlock to check the auth paths * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * leave out the stream interceptor * resolve confs * Merge branch 'master' into auth-rpc * confs * Merge branch 'auth-rpc' of github.com:prysmaticlabs/prysm into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc 2020-08-13 20:27:42 +00:00			`package rpc`

			`import (`
			`"context"`
Add Node Connection Endpoint to Validator Client (#7171) * add sync status checker * register healthz * simplify 2020-09-03 23:25:56 +00:00			`"strings"`
Add Authentication Functions to Validator RPC (#6968) * define auth endpoints * add intercepter with tests * auth functions * fix up the auth functions * add functions for storing and saving the hashed password from the validator db * validate strong password input and simplify jwt claims * tests for db funcs * comments for db funcs * wrap up the authentication tests * register auth srv * use proper db iface package and check if existing password * fix broken tests and add new test to check if password already exists * use roughtime * rlock to check the auth paths * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * leave out the stream interceptor * resolve confs * Merge branch 'master' into auth-rpc * confs * Merge branch 'auth-rpc' of github.com:prysmaticlabs/prysm into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc 2020-08-13 20:27:42 +00:00			`"sync"`

			`"github.com/dgrijalva/jwt-go"`
			`"google.golang.org/grpc"`
			`"google.golang.org/grpc/codes"`
			`"google.golang.org/grpc/metadata"`
			`"google.golang.org/grpc/status"`
			`)`

			`// noAuthPaths keeps track of the paths which do not require`
			`// authentication from our API.`
			`var (`
			`noAuthPaths = map[string]bool{`
Resolve Web UI Beta Testing Bugs (#7471) * more descriptive password validation error * include change wallet password fixes * balance and jwt improvements * allow for different wallet dirs specified on startup * ensure wallet password is always validated * fix up prysm tests * gaz * test pass * pass balances tests * wrap up fixes * radek feedback * fix up tests * cors fix * add tests for validator status * pass tests * fix n * skip content type test * package level cache and send over feed * package level cache for derived * all tests passing * gofmt Co-authored-by: Preston Van Loon <preston@prysmaticlabs.com> Co-authored-by: prylabs-bulldozer[bot] <58059840+prylabs-bulldozer[bot]@users.noreply.github.com> 2020-10-10 02:07:28 +00:00			`"/ethereum.validator.accounts.v2.Auth/Signup": true,`
			`"/ethereum.validator.accounts.v2.Auth/Login": true,`
			`"/ethereum.validator.accounts.v2.Wallet/HasWallet": true,`
			`"/ethereum.validator.accounts.v2.Wallet/GenerateMnemonic": true,`
			`"/ethereum.validator.accounts.v2.Wallet/DefaultWalletPath": true,`
Add Authentication Functions to Validator RPC (#6968) * define auth endpoints * add intercepter with tests * auth functions * fix up the auth functions * add functions for storing and saving the hashed password from the validator db * validate strong password input and simplify jwt claims * tests for db funcs * comments for db funcs * wrap up the authentication tests * register auth srv * use proper db iface package and check if existing password * fix broken tests and add new test to check if password already exists * use roughtime * rlock to check the auth paths * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * leave out the stream interceptor * resolve confs * Merge branch 'master' into auth-rpc * confs * Merge branch 'auth-rpc' of github.com:prysmaticlabs/prysm into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc 2020-08-13 20:27:42 +00:00			`}`
			`authLock sync.RWMutex`
			`)`

			`// JWTInterceptor is a gRPC unary interceptor to authorize incoming requests`
			`// for methods that are NOT in the noAuthPaths configuration map.`
			`func (s *Server) JWTInterceptor() grpc.UnaryServerInterceptor {`
			`return func(`
			`ctx context.Context,`
			`req interface{},`
			`info *grpc.UnaryServerInfo,`
			`handler grpc.UnaryHandler,`
			`) (interface{}, error) {`
			`// Skip authorize when the path doesn't require auth.`
			`authLock.RLock()`
			`shouldAuthenticate := !noAuthPaths[info.FullMethod]`
			`authLock.RUnlock()`
			`if shouldAuthenticate {`
			`if err := s.authorize(ctx); err != nil {`
			`return nil, err`
			`}`
			`}`

			`h, err := handler(ctx, req)`
			`log.Debugf("Request - Method: %s, Error: %v\n", info.FullMethod, err)`
			`return h, err`
			`}`
			`}`

			`// Authorize the token received is valid.`
			`func (s *Server) authorize(ctx context.Context) error {`
			`md, ok := metadata.FromIncomingContext(ctx)`
			`if !ok {`
Add Node Connection Endpoint to Validator Client (#7171) * add sync status checker * register healthz * simplify 2020-09-03 23:25:56 +00:00			`return status.Errorf(codes.InvalidArgument, "Retrieving metadata failed")`
Add Authentication Functions to Validator RPC (#6968) * define auth endpoints * add intercepter with tests * auth functions * fix up the auth functions * add functions for storing and saving the hashed password from the validator db * validate strong password input and simplify jwt claims * tests for db funcs * comments for db funcs * wrap up the authentication tests * register auth srv * use proper db iface package and check if existing password * fix broken tests and add new test to check if password already exists * use roughtime * rlock to check the auth paths * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * leave out the stream interceptor * resolve confs * Merge branch 'master' into auth-rpc * confs * Merge branch 'auth-rpc' of github.com:prysmaticlabs/prysm into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc 2020-08-13 20:27:42 +00:00			`}`

			`authHeader, ok := md["authorization"]`
			`if !ok {`
Add Node Connection Endpoint to Validator Client (#7171) * add sync status checker * register healthz * simplify 2020-09-03 23:25:56 +00:00			`return status.Errorf(codes.Unauthenticated, "Authorization token could not be found")`
Add Authentication Functions to Validator RPC (#6968) * define auth endpoints * add intercepter with tests * auth functions * fix up the auth functions * add functions for storing and saving the hashed password from the validator db * validate strong password input and simplify jwt claims * tests for db funcs * comments for db funcs * wrap up the authentication tests * register auth srv * use proper db iface package and check if existing password * fix broken tests and add new test to check if password already exists * use roughtime * rlock to check the auth paths * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * leave out the stream interceptor * resolve confs * Merge branch 'master' into auth-rpc * confs * Merge branch 'auth-rpc' of github.com:prysmaticlabs/prysm into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc 2020-08-13 20:27:42 +00:00			`}`
			`checkParsedKey := func(*jwt.Token) (interface{}, error) {`
			`return s.jwtKey, nil`
			`}`
Add Node Connection Endpoint to Validator Client (#7171) * add sync status checker * register healthz * simplify 2020-09-03 23:25:56 +00:00			`if len(authHeader) < 1 \|\| !strings.Contains(authHeader[0], "Bearer ") {`
			`return status.Error(codes.Unauthenticated, "Invalid auth header, needs Bearer {token}")`
			`}`
			`token := strings.Split(authHeader[0], "Bearer ")[1]`
Fix Validator RPC JWT Response (#7001) * fix jwt response * fix jwt parse * ken naming * gaz 2020-08-14 16:30:11 +00:00			`_, err := jwt.Parse(token, checkParsedKey)`
Add Authentication Functions to Validator RPC (#6968) * define auth endpoints * add intercepter with tests * auth functions * fix up the auth functions * add functions for storing and saving the hashed password from the validator db * validate strong password input and simplify jwt claims * tests for db funcs * comments for db funcs * wrap up the authentication tests * register auth srv * use proper db iface package and check if existing password * fix broken tests and add new test to check if password already exists * use roughtime * rlock to check the auth paths * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * leave out the stream interceptor * resolve confs * Merge branch 'master' into auth-rpc * confs * Merge branch 'auth-rpc' of github.com:prysmaticlabs/prysm into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc 2020-08-13 20:27:42 +00:00			`if err != nil {`
Resolve Web UI Beta Testing Bugs (#7471) * more descriptive password validation error * include change wallet password fixes * balance and jwt improvements * allow for different wallet dirs specified on startup * ensure wallet password is always validated * fix up prysm tests * gaz * test pass * pass balances tests * wrap up fixes * radek feedback * fix up tests * cors fix * add tests for validator status * pass tests * fix n * skip content type test * package level cache and send over feed * package level cache for derived * all tests passing * gofmt Co-authored-by: Preston Van Loon <preston@prysmaticlabs.com> Co-authored-by: prylabs-bulldozer[bot] <58059840+prylabs-bulldozer[bot]@users.noreply.github.com> 2020-10-10 02:07:28 +00:00			`return status.Errorf(codes.Unauthenticated, "Could not parse JWT token: %v", err)`
Add Authentication Functions to Validator RPC (#6968) * define auth endpoints * add intercepter with tests * auth functions * fix up the auth functions * add functions for storing and saving the hashed password from the validator db * validate strong password input and simplify jwt claims * tests for db funcs * comments for db funcs * wrap up the authentication tests * register auth srv * use proper db iface package and check if existing password * fix broken tests and add new test to check if password already exists * use roughtime * rlock to check the auth paths * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * leave out the stream interceptor * resolve confs * Merge branch 'master' into auth-rpc * confs * Merge branch 'auth-rpc' of github.com:prysmaticlabs/prysm into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc * Merge refs/heads/master into auth-rpc 2020-08-13 20:27:42 +00:00			`}`
			`return nil`
			`}`