10 changes: 8 additions & 2 deletions op-signer/app.go
Expand Up @@ -113,6 +113,7 @@ func (s *SignerApp) initMetrics(cfg *Config) error {

func (s *SignerApp) initRPC(cfg *Config) error {
var httpOptions = []httputil.Option{}
var authMiddleware oprpc.Middleware

if cfg.TLSConfig.Enabled {
caCert, err := os.ReadFile(cfg.TLSConfig.TLSCaCert)
Expand Down Expand Up @@ -141,8 +142,13 @@ func (s *SignerApp) initRPC(cfg *Config) error {
}

httpOptions = append(httpOptions, httputil.WithServerTLS(serverTlsConfig))

// Set the auth middleware to the default auth middleware
authMiddleware = service.NewAuthMiddleware()
} else {
s.log.Warn("TLS disabled. This is insecure and only supported for local development. Please enable TLS in production environments!")
s.log.Warn("TLS disabled. This disables authentication and is INSECURE! Please enable TLS in production environments!")
s.log.Info("Using anonymous authentication. You must explicitly set the 'auth[].name' config field to 'anonymous' to allow unauthenticated anonymous usage.")
authMiddleware = service.NewAnonMiddleware()
}

rpcCfg := cfg.RPCConfig
Expand All @@ -152,7 +158,7 @@ func (s *SignerApp) initRPC(cfg *Config) error {
Host: rpcCfg.ListenAddr,
Port: rpcCfg.ListenPort,
RpcOptions: []oprpc.Option{
oprpc.WithMiddleware(service.NewAuthMiddleware()),
oprpc.WithMiddleware(authMiddleware),
oprpc.WithHTTPRecorder(opmetrics.NewPromHTTPRecorder(s.registry, "signer")),
oprpc.WithLogger(s.log),
},
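Review bot: In the `else` branch of initRPC the anonymous middleware is selected solely because `cfg.TLSConfig.Enabled` is false, so a deployment that merely omits TLS configuration starts an unauthenticated signer on `rpcCfg.ListenAddr` with nothing but a log line standing in the way. The Info message says the operator must also add an `auth[].name` entry set to `anonymous`; if that entry is what actually authorizes anonymous callers, initRPC could verify it here and return an error when TLS is off and no such entry exists, turning the opt-in into a startup check instead of a runtime-only condition. The two log lines also read as contradictory ("disables authentication" versus "you must explicitly set ... to allow"); a single Warn such as `TLS disabled: requests are attributed to the 'anonymous' client and are authorized only by auth entries named 'anonymous'. Do not use in production.` says the same thing once. initRPC continues past the end of this file section.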
3 changes: 2 additions & 1 deletion op-signer/provider/config.go
Expand Up @@ -49,7 +49,8 @@ func ReadConfig(path string) (ProviderConfig, error) {
}

if !config.ProviderType.IsValid() {
return config, fmt.Errorf("invalid provider '%s' in config. Must be 'AWS', 'GCP', or 'LOCAL'", config.ProviderType)
providerTypesStr := GetAllProviderTypesString()
return config, fmt.Errorf("invalid provider '%s' in config. Must be %s", config.ProviderType, providerTypesStr)
}

for _, authConfig := range config.Auth {
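Review bot: The new error line interpolates a config-supplied value with `'%s'`; `%q` would escape control characters and make an empty or whitespace-only provider visible in the message, e.g. `return config, fmt.Errorf("invalid provider %q in config. Must be %s", config.ProviderType, providerTypesStr)`. ReadConfig starts before this hunk and continues after it.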
30 changes: 23 additions & 7 deletions op-signer/provider/provider.go
Expand Up @@ -4,6 +4,8 @@ package provider
import (
"context"
"fmt"
"slices"
"strings"

"github.com/ethereum/go-ethereum/log"
)
Expand All @@ -13,7 +15,7 @@ type SignatureProvider interface {
GetPublicKey(ctx context.Context, keyName string) ([]byte, error)
}

// ProviderType represents the provider for the key management service
// ProviderType represents the provider for the key management service.
type ProviderType string

const (
Expand All @@ -22,14 +24,28 @@ const (
KeyProviderLocal ProviderType = "LOCAL"
)

func GetAllProviderTypes() []ProviderType {
return []ProviderType{KeyProviderAWS, KeyProviderGCP, KeyProviderLocal}
}

// GetAllProviderTypesString returns a string of all the provider types separated
// by commas and wrapped in single quotes. This is useful for logging the available
// provider types.
func GetAllProviderTypesString() string {
types := GetAllProviderTypes()
result := make([]string, len(types))
for i, t := range types {
result[i] = string(t)
}
if len(result) == 1 {
return result[0]
}
return fmt.Sprintf("'%s' or '%s'", strings.Join(result[:len(result)-1], "', '"), result[len(result)-1])
}

// IsValid checks if the KeyProvider value is valid
func (k ProviderType) IsValid() bool {
switch k {
case KeyProviderAWS, KeyProviderGCP, KeyProviderLocal:
return true
default:
return false
}
return slices.Contains(GetAllProviderTypes(), k)
}

// NewSignatureProvider creates a new SignatureProvider based on the provider type
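Review bot: GetAllProviderTypesString does not match its own doc comment: with a single provider type it returns the bare name without quotes, and with none it panics on `result[:len(result)-1]`; neither case is reachable while GetAllProviderTypes returns three constants, but a helper documented as general should handle them, and quoting each element once up front lets the format string go away. GetAllProviderTypes is exported and has no doc comment; `// GetAllProviderTypes returns every supported ProviderType.` would do. IsValid now allocates a fresh slice on every call through GetAllProviderTypes; harmless for config validation, but a package-level `var allProviderTypes = []ProviderType{...}` that GetAllProviderTypes clones would avoid it should the check ever land on a hot path.
```go
// GetAllProviderTypesString returns the provider types single-quoted and
// comma-separated, with "or" before the last one (e.g. 'AWS', 'GCP' or 'LOCAL').
func GetAllProviderTypesString() string {
	types := GetAllProviderTypes()
	quoted := make([]string, len(types))
	for i, t := range types {
		quoted[i] = "'" + string(t) + "'"
	}
	switch len(quoted) {
	case 0:
		return ""
	case 1:
		return quoted[0]
	default:
		return strings.Join(quoted[:len(quoted)-1], ", ") + " or " + quoted[len(quoted)-1]
	}
}
```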
15 changes: 15 additions & 0 deletions op-signer/service/auth.go
Expand Up @@ -38,6 +38,21 @@ func NewAuthMiddleware() oprpc.Middleware {
}
}

// NewAnonMiddleware is a middleware that sets the client info to "anonymous". This is applied when mTLS is disabled to
// ensure a value is set for the ClientInfo.ClientName, but should only be used for local development. This effectively
// disables authentication.
func NewAnonMiddleware() oprpc.Middleware {
return func(next http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
clientInfo := ClientInfo{
ClientName: "anonymous",
}
ctx := context.WithValue(r.Context(), clientInfoContextKey{}, clientInfo)
next.ServeHTTP(w, r.WithContext(ctx))
})
}
}

func ClientInfoFromContext(ctx context.Context) ClientInfo {
info, _ := ctx.Value(clientInfoContextKey{}).(ClientInfo)
return info
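Review bot: NewAnonMiddleware hard-codes the client name `"anonymous"`, and the startup log in op-signer/app.go tells operators to put that same literal into `auth[].name`; if the authorization check compares ClientName against those config entries, an exported constant such as `const AnonymousClientName = "anonymous"` used by both the middleware and the log message keeps the two from drifting apart. The doc comment states the middleware "effectively disables authentication"; since the log message implies the anonymous name still has to appear in the auth config to be authorized, consider wording it as disabling client authentication while per-key authorization remains with the config, so a reader does not assume every request is accepted.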