2020-08-13 20:27:42 +00:00
|
|
|
package rpc
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"context"
|
2024-01-22 22:16:10 +00:00
|
|
|
"net/http"
|
|
|
|
|
"net/http/httptest"
|
2020-08-13 20:27:42 +00:00
|
|
|
"testing"
|
|
|
|
|
|
2022-02-25 19:08:43 +00:00
|
|
|
"github.com/golang-jwt/jwt/v4"
|
2024-02-15 05:46:47 +00:00
|
|
|
"github.com/prysmaticlabs/prysm/v5/api"
|
|
|
|
|
"github.com/prysmaticlabs/prysm/v5/testing/require"
|
2020-08-13 20:27:42 +00:00
|
|
|
"google.golang.org/grpc"
|
|
|
|
|
"google.golang.org/grpc/metadata"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func TestServer_JWTInterceptor_Verify(t *testing.T) {
|
|
|
|
|
s := Server{
|
2021-10-28 14:24:39 +00:00
|
|
|
jwtSecret: []byte("testKey"),
|
2020-08-13 20:27:42 +00:00
|
|
|
}
|
|
|
|
|
interceptor := s.JWTInterceptor()
|
|
|
|
|
|
|
|
|
|
unaryInfo := &grpc.UnaryServerInfo{
|
|
|
|
|
FullMethod: "Proto.CreateWallet",
|
|
|
|
|
}
|
|
|
|
|
unaryHandler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
2021-10-28 14:24:39 +00:00
|
|
|
token, err := createTokenString(s.jwtSecret)
|
2020-08-25 15:23:06 +00:00
|
|
|
require.NoError(t, err)
|
2020-08-13 20:27:42 +00:00
|
|
|
ctxMD := map[string][]string{
|
2020-09-03 23:25:56 +00:00
|
|
|
"authorization": {"Bearer " + token},
|
2020-08-13 20:27:42 +00:00
|
|
|
}
|
|
|
|
|
ctx := context.Background()
|
|
|
|
|
ctx = metadata.NewIncomingContext(ctx, ctxMD)
|
|
|
|
|
_, err = interceptor(ctx, "xyz", unaryInfo, unaryHandler)
|
2020-08-25 15:23:06 +00:00
|
|
|
require.NoError(t, err)
|
2020-08-13 20:27:42 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func TestServer_JWTInterceptor_BadToken(t *testing.T) {
|
|
|
|
|
s := Server{
|
2021-10-28 14:24:39 +00:00
|
|
|
jwtSecret: []byte("testKey"),
|
2020-08-13 20:27:42 +00:00
|
|
|
}
|
|
|
|
|
interceptor := s.JWTInterceptor()
|
|
|
|
|
|
|
|
|
|
unaryInfo := &grpc.UnaryServerInfo{
|
|
|
|
|
FullMethod: "Proto.CreateWallet",
|
|
|
|
|
}
|
|
|
|
|
unaryHandler := func(ctx context.Context, req interface{}) (interface{}, error) {
|
|
|
|
|
return nil, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
badServer := Server{
|
2021-10-28 14:24:39 +00:00
|
|
|
jwtSecret: []byte("badTestKey"),
|
2020-08-13 20:27:42 +00:00
|
|
|
}
|
2021-10-28 14:24:39 +00:00
|
|
|
token, err := createTokenString(badServer.jwtSecret)
|
2020-08-25 15:23:06 +00:00
|
|
|
require.NoError(t, err)
|
2020-08-13 20:27:42 +00:00
|
|
|
ctxMD := map[string][]string{
|
2020-09-03 23:25:56 +00:00
|
|
|
"authorization": {"Bearer " + token},
|
2020-08-13 20:27:42 +00:00
|
|
|
}
|
|
|
|
|
ctx := context.Background()
|
|
|
|
|
ctx = metadata.NewIncomingContext(ctx, ctxMD)
|
|
|
|
|
_, err = interceptor(ctx, "xyz", unaryInfo, unaryHandler)
|
2020-10-01 14:38:53 +00:00
|
|
|
require.ErrorContains(t, "signature is invalid", err)
|
2020-08-13 20:27:42 +00:00
|
|
|
}
|
2020-10-20 05:37:12 +00:00
|
|
|
|
|
|
|
|
func TestServer_JWTInterceptor_InvalidSigningType(t *testing.T) {
|
2021-10-28 14:24:39 +00:00
|
|
|
ss := &Server{jwtSecret: make([]byte, 32)}
|
2020-10-20 05:37:12 +00:00
|
|
|
// Use a different signing type than the expected, HMAC.
|
2022-08-17 04:10:11 +00:00
|
|
|
token := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.RegisteredClaims{})
|
2020-10-20 05:37:12 +00:00
|
|
|
_, err := ss.validateJWT(token)
|
|
|
|
|
require.ErrorContains(t, "unexpected JWT signing method", err)
|
|
|
|
|
}
|
2024-01-22 22:16:10 +00:00
|
|
|
|
|
|
|
|
func TestServer_JwtHttpInterceptor(t *testing.T) {
|
|
|
|
|
jwtKey, err := createRandomJWTSecret()
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
|
|
s := &Server{jwtSecret: jwtKey}
|
|
|
|
|
testHandler := s.JwtHttpInterceptor(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
// Your test handler logic here
|
|
|
|
|
w.WriteHeader(http.StatusOK)
|
|
|
|
|
_, err := w.Write([]byte("Test Response"))
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
}))
|
|
|
|
|
t.Run("no jwt was sent", func(t *testing.T) {
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
req, err := http.NewRequest(http.MethodGet, "/eth/v1/keystores", nil)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
testHandler.ServeHTTP(rr, req)
|
|
|
|
|
require.Equal(t, http.StatusUnauthorized, rr.Code)
|
|
|
|
|
})
|
|
|
|
|
t.Run("wrong jwt was sent", func(t *testing.T) {
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
req, err := http.NewRequest(http.MethodGet, "/eth/v1/keystores", nil)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
req.Header.Set("Authorization", "Bearer YOUR_JWT_TOKEN") // Replace with a valid JWT token
|
|
|
|
|
testHandler.ServeHTTP(rr, req)
|
|
|
|
|
require.Equal(t, http.StatusForbidden, rr.Code)
|
|
|
|
|
})
|
|
|
|
|
t.Run("jwt was sent", func(t *testing.T) {
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
req, err := http.NewRequest(http.MethodGet, "/eth/v1/keystores", nil)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
token, err := createTokenString(jwtKey)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
req.Header.Set("Authorization", "Bearer "+token) // Replace with a valid JWT token
|
|
|
|
|
testHandler.ServeHTTP(rr, req)
|
|
|
|
|
require.Equal(t, http.StatusOK, rr.Code)
|
|
|
|
|
})
|
2024-02-01 16:59:40 +00:00
|
|
|
t.Run("wrong jwt format was sent", func(t *testing.T) {
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
req, err := http.NewRequest(http.MethodGet, "/eth/v1/keystores", nil)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
token, err := createTokenString(jwtKey)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
req.Header.Set("Authorization", "Bearer"+token) // no space was added // Replace with a valid JWT token
|
|
|
|
|
testHandler.ServeHTTP(rr, req)
|
|
|
|
|
require.Equal(t, http.StatusBadRequest, rr.Code)
|
|
|
|
|
})
|
|
|
|
|
t.Run("wrong jwt no bearer format was sent", func(t *testing.T) {
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
req, err := http.NewRequest(http.MethodGet, "/eth/v1/keystores", nil)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
token, err := createTokenString(jwtKey)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
req.Header.Set("Authorization", token) // Replace with a valid JWT token
|
|
|
|
|
testHandler.ServeHTTP(rr, req)
|
|
|
|
|
require.Equal(t, http.StatusBadRequest, rr.Code)
|
|
|
|
|
})
|
|
|
|
|
t.Run("broken jwt token format was sent", func(t *testing.T) {
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
req, err := http.NewRequest(http.MethodGet, "/eth/v1/keystores", nil)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
token, err := createTokenString(jwtKey)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
req.Header.Set("Authorization", "Bearer "+token[0:2]+" "+token[2:]) // Replace with a valid JWT token
|
|
|
|
|
testHandler.ServeHTTP(rr, req)
|
|
|
|
|
require.Equal(t, http.StatusForbidden, rr.Code)
|
|
|
|
|
})
|
|
|
|
|
t.Run("web endpoint needs jwt token", func(t *testing.T) {
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
req, err := http.NewRequest(http.MethodGet, "/api/v2/validator/beacon/status", nil)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
testHandler.ServeHTTP(rr, req)
|
|
|
|
|
require.Equal(t, http.StatusUnauthorized, rr.Code)
|
|
|
|
|
})
|
2024-01-22 22:16:10 +00:00
|
|
|
t.Run("initialize does not need jwt", func(t *testing.T) {
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
req, err := http.NewRequest(http.MethodGet, api.WebUrlPrefix+"initialize", nil)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
testHandler.ServeHTTP(rr, req)
|
|
|
|
|
require.Equal(t, http.StatusOK, rr.Code)
|
|
|
|
|
})
|
|
|
|
|
t.Run("health does not need jwt", func(t *testing.T) {
|
|
|
|
|
rr := httptest.NewRecorder()
|
|
|
|
|
req, err := http.NewRequest(http.MethodGet, api.WebUrlPrefix+"health/logs", nil)
|
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
testHandler.ServeHTTP(rr, req)
|
|
|
|
|
require.Equal(t, http.StatusOK, rr.Code)
|
|
|
|
|
})
|
|
|
|
|
}
|
