Skip to content

Commit d80bd7e

Browse files
authored
Merge branch 'main' into chore/rust-dockerfile
2 parents 8acc598 + fec89fb commit d80bd7e

17 files changed

Lines changed: 754 additions & 422 deletions

.github/workflows/build-and-deploy-rust.yml

Lines changed: 8 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,4 @@
1-
name: Continuous Integration
1+
name: Ping Check
22

33
on: [push, pull_request]
44

@@ -7,8 +7,13 @@ concurrency:
77
cancel-in-progress: true
88

99
jobs:
10-
build-and-test:
11-
runs-on: ubuntu-latest
10+
ping-check:
11+
strategy:
12+
fail-fast: false
13+
matrix:
14+
platform: [ ubuntu-latest ]
15+
toolchain: [ stable, 1.85.0 ] # 1.85.0 is the MSRV
16+
runs-on: ${{ matrix.platform }}
1217

1318
services:
1419
postgres:

.github/workflows/impl_tests.yml

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,42 @@
1+
name: Implementation Tests
2+
3+
on: [push, pull_request]
4+
5+
concurrency:
6+
group: ${{ github.workflow }}-${{ github.ref }}
7+
cancel-in-progress: true
8+
9+
jobs:
10+
test-postgres-backend:
11+
strategy:
12+
fail-fast: false
13+
matrix:
14+
platform: [ ubuntu-latest ]
15+
toolchain: [ stable, 1.85.0 ] # 1.85.0 is the MSRV
16+
runs-on: ${{ matrix.platform }}
17+
18+
services:
19+
postgres:
20+
image: postgres:latest
21+
ports:
22+
- 5432:5432
23+
env:
24+
POSTGRES_DB: postgres
25+
POSTGRES_USER: postgres
26+
POSTGRES_PASSWORD: postgres
27+
options: >-
28+
--health-cmd pg_isready
29+
--health-interval 10s
30+
--health-timeout 5s
31+
--health-retries 5
32+
33+
steps:
34+
- name: Checkout code
35+
uses: actions/checkout@v3
36+
with:
37+
path: vss-server
38+
39+
- name: Run postgres backend test suite
40+
run: |
41+
cd vss-server/rust/impls
42+
cargo test -- --test-threads=1

.github/workflows/ldk-node-integration.yml

Lines changed: 9 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,12 @@ concurrency:
88

99
jobs:
1010
build-and-test:
11-
runs-on: ubuntu-latest
11+
strategy:
12+
fail-fast: false
13+
matrix:
14+
platform: [ ubuntu-latest ]
15+
toolchain: [ stable, 1.85.0 ] # 1.85.0 is the MSRV
16+
runs-on: ${{ matrix.platform }}
1217

1318
services:
1419
postgres:
@@ -40,10 +45,10 @@ jobs:
4045
run: |
4146
cd vss-server/rust
4247
cargo build
43-
cargo run server/vss-server-config.toml&
48+
cargo run --no-default-features server/vss-server-config.toml&
4449
- name: Run LDK Node Integration tests
4550
run: |
4651
cd ldk-node
4752
export TEST_VSS_BASE_URL="http://localhost:8080/vss"
48-
RUSTFLAGS="--cfg vss_test" cargo test io::vss_store
49-
RUSTFLAGS="--cfg vss_test" cargo test --test integration_tests_vss
53+
RUSTFLAGS="--cfg vss_test" cargo test io::vss_store -- --test-threads=1
54+
RUSTFLAGS="--cfg vss_test" cargo test --test integration_tests_vss -- --test-threads=1

rust/Cargo.toml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -3,6 +3,9 @@ resolver = "2"
33
members = ["server", "api", "impls", "auth-impls"]
44
default-members = ["server"]
55

6+
[workspace.package]
7+
rust-version = "1.85.0"
8+
69
[profile.release]
710
panic = "abort"
811
opt-level = 3

rust/README.md

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -58,3 +58,6 @@ the [GitHub repository](https://github.com/lightningdevkit/vss-server/issues). F
5858
development of VSS, you can reach out to us in the [LDK Discord](https://discord.gg/5AcknnMfBw) in the `#vss` channel.
5959

6060
[LDK Discord]: https://discord.gg/5AcknnMfBw
61+
62+
### MSRV
63+
The Minimum Supported Rust Version (MSRV) is currently 1.85.0.

rust/api/Cargo.toml

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -2,6 +2,7 @@
22
name = "api"
33
version = "0.1.0"
44
edition = "2021"
5+
rust-version.workspace = true
56

67
[dependencies]
78
async-trait = "0.1.77"

rust/auth-impls/Cargo.toml

Lines changed: 11 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -2,12 +2,21 @@
22
name = "auth-impls"
33
version = "0.1.0"
44
edition = "2021"
5+
rust-version.workspace = true
6+
7+
[features]
8+
jwt = [ "jsonwebtoken", "serde" ]
9+
sigs = [ "bitcoin_hashes", "hex-conservative", "secp256k1" ]
510

611
[dependencies]
712
async-trait = "0.1.77"
813
api = { path = "../api" }
9-
jsonwebtoken = { version = "9.3.0", default-features = false, features = ["use_pem"] }
10-
serde = { version = "1.0.210", features = ["derive"] }
14+
jsonwebtoken = { version = "9.3.0", optional = true, default-features = false, features = ["use_pem"] }
15+
serde = { version = "1.0.210", optional = true, default-features = false, features = ["derive"] }
16+
17+
bitcoin_hashes = { version = "0.19", optional = true, default-features = false }
18+
hex-conservative = { version = "1.0", optional = true, default-features = false }
19+
secp256k1 = { version = "0.31", optional = true, default-features = false, features = [ "global-context" ] }
1120

1221
[dev-dependencies]
1322
tokio = { version = "1.38.0", default-features = false, features = ["rt-multi-thread", "macros"] }

rust/auth-impls/src/jwt.rs

Lines changed: 196 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,196 @@
1+
//! Hosts a VSS protocol compliant [`Authorizer`] implementation using JSON Web Tokens.
2+
//!
3+
//! [`Authorizer`]: api::auth::Authorizer
4+
5+
use api::auth::{AuthResponse, Authorizer};
6+
use api::error::VssError;
7+
use async_trait::async_trait;
8+
use jsonwebtoken::{decode, Algorithm, DecodingKey, Validation};
9+
use serde::{Deserialize, Serialize};
10+
use std::collections::HashMap;
11+
12+
/// A JWT based authorizer, only allows requests with verified 'JsonWebToken' signed by the given
13+
/// issuer key.
14+
///
15+
/// Refer: https://datatracker.ietf.org/doc/html/rfc7519
16+
pub struct JWTAuthorizer {
17+
jwt_issuer_key: DecodingKey,
18+
}
19+
20+
/// A set of Claims claimed by 'JsonWebToken'
21+
///
22+
/// Refer: https://datatracker.ietf.org/doc/html/rfc7519#section-4
23+
#[derive(Serialize, Deserialize, Debug)]
24+
pub(crate) struct Claims {
25+
/// The "sub" (subject) claim identifies the principal that is the subject of the JWT.
26+
/// The claims in a JWT are statements about the subject. This can be used as user identifier.
27+
///
28+
/// Refer: https://datatracker.ietf.org/doc/html/rfc7519#section-4.1.2
29+
sub: String,
30+
}
31+
32+
const BEARER_PREFIX: &str = "Bearer ";
33+
34+
impl JWTAuthorizer {
35+
/// Creates a new instance of [`JWTAuthorizer`], fails on failure to parse the PEM formatted RSA public key
36+
pub async fn new(rsa_pem: &str) -> Result<Self, String> {
37+
let jwt_issuer_key = DecodingKey::from_rsa_pem(rsa_pem.as_bytes())
38+
.map_err(|e| format!("Failed to parse the PEM formatted RSA public key: {}", e))?;
39+
Ok(Self { jwt_issuer_key })
40+
}
41+
}
42+
43+
#[async_trait]
44+
impl Authorizer for JWTAuthorizer {
45+
async fn verify(
46+
&self, headers_map: &HashMap<String, String>,
47+
) -> Result<AuthResponse, VssError> {
48+
let auth_header = headers_map
49+
.get("authorization")
50+
.ok_or(VssError::AuthError("Authorization header not found.".to_string()))?;
51+
52+
let token = auth_header
53+
.strip_prefix(BEARER_PREFIX)
54+
.ok_or(VssError::AuthError("Invalid token format.".to_string()))?;
55+
56+
let claims =
57+
decode::<Claims>(token, &self.jwt_issuer_key, &Validation::new(Algorithm::RS256))
58+
.map_err(|e| VssError::AuthError(format!("Authentication failure. {}", e)))?
59+
.claims;
60+
61+
Ok(AuthResponse { user_token: claims.sub })
62+
}
63+
}
64+
65+
#[cfg(test)]
66+
mod tests {
67+
use crate::jwt::JWTAuthorizer;
68+
use api::auth::Authorizer;
69+
use api::error::VssError;
70+
use jsonwebtoken::{encode, Algorithm, EncodingKey, Header};
71+
use serde::{Deserialize, Serialize};
72+
use std::collections::HashMap;
73+
use std::time::SystemTime;
74+
75+
#[derive(Deserialize, Serialize)]
76+
struct TestClaims {
77+
sub: String,
78+
iat: i64,
79+
nbf: i64,
80+
exp: i64,
81+
}
82+
83+
#[tokio::test]
84+
async fn test_valid_jwt_token() -> Result<(), VssError> {
85+
let now =
86+
SystemTime::now().duration_since(SystemTime::UNIX_EPOCH).unwrap().as_secs() as i64;
87+
let user_id = "valid_user_id";
88+
let claims = TestClaims {
89+
sub: user_id.to_owned(),
90+
iat: now,
91+
nbf: now,
92+
exp: now + 30556889864403199,
93+
};
94+
95+
let valid_encoding_key = EncodingKey::from_rsa_pem(
96+
"-----BEGIN PRIVATE KEY-----\
97+
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDKwakpT4j2L1v5\
98+
BlIA278TFoDrDiqJB0Vlpd5F6LPj2vWgN8AHAogVb2Ar+Q2eucv0fw/6lh+PuOpQ\
99+
n+CWaCoyy8GyFtsPYWHHK1JLSaGxuHpDFSGVqfKY9xJRTIoEPq/tbQIZSFLmW4eW\
100+
wIWfjKyUWTilq9wG0ZqnQNNRzzLPSP/GeZJBt2NaCbRrBsc3jy4i1E7dSEsA560b\
101+
4HOVYJHxixNrmmJXwqAmkb+vBhMZe67eVwKadbCOZt4OrXMUWsIMNWRogeQYmBG4\
102+
UgM9dofJTDkfYe8qU/3jJJu9MMtdZmPpPLMcQcNuy2qzgOC+6sH9siGL91DvMrcQ\
103+
hcvwpEGHAgMBAAECggEAZJZ5Fq6HkyLhrQRusFBUVeLnKDXJ8lsyGYCVafdNL3BU\
104+
RR0DXjbqTkAH5SjUkfc48N4MjlPl6oZhcIgwgk3BCZw+RtzB5rp4KLgcRo+L8UBF\
105+
H3yfQcGjQjHo235uRjbXTqGy1dokjnXAKZDvebzvbVVqHf7J1HQuFmW5sK9rVJvP\
106+
CstC7HqJL15iYTshObnlskB+bnhhBc3LA+UpwyRmvOxPd60XOSxLJ8PMvwki5Qsx\
107+
afFCOFpT17474199SxmZtnVpcan7xf9dET8AENTIg8iUAFzLIsl5YekyRAeXj0QW\
108+
p9ln6Sl/TsWF+0yJPbeZ1kmvk52MMW7G56SqWt3bAQKBgQDy9mi9hRyfpfBMGrrk\
109+
MFDAo1cUvkfuFfBLAfUE9HoEpnQYBqAVFRWCqy6vAa5WdNpVMCDhZkGrn1KDDd/n\
110+
ZE/26WBTL95BzXQIO3Laiqmifnio01K2zvjvJt7aGMQOFUEJj8Ts8hUTbRMXfmXz\
111+
wbueKeHmcvAUOXbZb5ylC/gkgQKBgQDVovBSib6FnJdv5Clxf1t4gyIbOYWTUPj3\
112+
nmkFguBpTLwprzkYjyhyhrGuRaFbcqOVNopgt4KC6enpLtaAMffXwduge+TDKqsS\
113+
X1o3OhSzpsya3TrWQMDXKszKTTlNogESOejHxj7LIzts4JmKJcRN4dEVEKhP/CxA\
114+
2b05YnJCBwKBgEiAuc7ceyc1GJlNXLodpOtnkuPwyHxG9bccdWauIf9jQL+usnS4\
115+
HvwoYzz8Tm8kXccQHq/EmRJC8BeFu2xMpgQzrngEj9mpGtgeDW8j8+02uoD+1u8Q\
116+
on6TZetFerQNKaRVz9k5gIqUgR8ArCHqjTdsninr4LLYVxwZz2/9O2aBAoGBAISQ\
117+
ziW5ebL5P3NcFmdqSv1WCeTw5bVLSqKE9tBHrS9KQXxwUbKuqr+eW0UzyfOwCFf/\
118+
9xAa726C7fYXbV0xJIUKs1k7Z/G/WVZWOuoILW5pM49pdigbGE6sLVXfY46L17RS\
119+
oOLOXoq4+xgNqtjxpIVbed1jb73qUh+PvX6NWy8jAoGBAOvE6mhHBig5YYdidAGG\
120+
kF2oYp06+JG5ZpOu+MFT34ZDbgTwxx3+yuzfxPyBS68RHFfz+vG4BqX3P+pDOJQS\
121+
FeGjkLHWEoW7ol5rh1D1ubhWf1MAVOd7O8vp9APnAwd11uraVky2xAVXvplgmSpT\
122+
vHSUrqBuEFZ5mIWJxwkGElKN\
123+
-----END PRIVATE KEY-----"
124+
.as_bytes(),
125+
)
126+
.expect("Failed to create Encoding Key.");
127+
128+
let decoding_key = String::from(
129+
"-----BEGIN PUBLIC KEY-----\
130+
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAysGpKU+I9i9b+QZSANu/\
131+
ExaA6w4qiQdFZaXeReiz49r1oDfABwKIFW9gK/kNnrnL9H8P+pYfj7jqUJ/glmgq\
132+
MsvBshbbD2FhxytSS0mhsbh6QxUhlanymPcSUUyKBD6v7W0CGUhS5luHlsCFn4ys\
133+
lFk4pavcBtGap0DTUc8yz0j/xnmSQbdjWgm0awbHN48uItRO3UhLAOetG+BzlWCR\
134+
8YsTa5piV8KgJpG/rwYTGXuu3lcCmnWwjmbeDq1zFFrCDDVkaIHkGJgRuFIDPXaH\
135+
yUw5H2HvKlP94ySbvTDLXWZj6TyzHEHDbstqs4DgvurB/bIhi/dQ7zK3EIXL8KRB\
136+
hwIDAQAB\
137+
-----END PUBLIC KEY-----",
138+
);
139+
140+
let jwt_authorizer = JWTAuthorizer::new(&decoding_key).await.unwrap();
141+
142+
let valid_jwt_token =
143+
encode(&Header::new(Algorithm::RS256), &claims, &valid_encoding_key).unwrap();
144+
let mut headers_map: HashMap<String, String> = HashMap::new();
145+
let header_value = format!("Bearer {}", valid_jwt_token);
146+
headers_map.insert("authorization".to_string(), header_value.clone());
147+
println!("headers_map: {:?}", headers_map);
148+
149+
// JWT signed by valid key results in authenticated user.
150+
assert_eq!(jwt_authorizer.verify(&headers_map).await?.user_token, user_id);
151+
152+
let invalid_encoding_key = EncodingKey::from_rsa_pem(
153+
"-----BEGIN PRIVATE KEY-----
154+
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC77KWE/VUi7QTc\
155+
odlj5yRaawPO4z+Ik4c2r2W1BaivIn2dkeTYKT9cQUEcU3sP/i4bQ/DnSuOWAmmG\
156+
yaR4NvUvJyGxm6PSBf/kgzDbfvf/8sCi9OEpJEe/xYOhLFaPumtcJAB5mKrdaKsH\
157+
XBKJaxJInJsiA6eB67d6SESXG/q1H8f00VLxIAKLK32z5Uahuzc9HQvl4dya+dAI\
158+
Xcw0TJg+JoBIqv5ATlcoXKqguiAyQdG2nW5nRnArhvCl9blKjg26cjbhiJcVEZCf\
159+
z8vv56IEPhvYEtA8OaiP6vEquqA+vwNipKxqhLzfsjgqYMf18PtrftHjn7nkIvlW\
160+
RMnG4+IbAgMBAAECggEAXZf+171UKZDiWwBAxQDZmi6yNtf3TI4tSY8RmJa47IDB\
161+
DzkaQI5KgCf/xZvOLqjpTasI0Cj8MDoDVJ4Yy8aTVmim304kyPUz/RtZufgCi/ba\
162+
+k371gG7ukckx6DNe8fcsIc9tVHTx3HZvFCe6tHoyUE2AjrPsmUzfDOB9cB5nLrc\
163+
JFyKVRUwByeG76AgDJaYMq6cK53+GZih3F9e2exxdnlBuk11R2yJMr638yOfgYbY\
164+
9vzq49OvleLEH1AdAxkcNYuUiPNC7KUeS84MAn+Ok65WvSlyJC3IjVS+swv4p/SB\
165+
u0S38ljqisqr0qgfupEJJA/VQaXXo5NJDw48TDuEAQKBgQDuFt7sCoDyqm7XwzWf\
166+
f9t9VFnPrLjJbNF7ll2zNlzfArzwk6cDrps2sXoNY0r37ObAdK+awWYRDyoCXJCe\
167+
t1wP/leYMp8opn2axQVHSJCq8K2fZO3xRn98p6jy9Hub0l2r9EN6v3JGQmPffl03\
168+
qrtYvU8as1ppUXj8Rgw4EGOWRQKBgQDKD7LJ5l/GXotYdOW93y/AXKmEzUjfi1gN\
169+
QMxu4TxvK4Q5+CjALYtXb0swbOd7ThcYTU1vgD2Vf5t4z8L/0gSRssGxmMOw8UaS\
170+
lay3ONFPRUhffzCMB4wkaomt1km3t9J1LJJ8h8131x2604MrIKmPMIAU6wnikdNN\
171+
G5VXx6HM3wKBgQCBzqBdiuCA7WEfa8PJoTj23M1Wh7H7x8NyoSmW8tWxlNmURLwz\
172+
KrhfGmYT9IXEJDouxa+ULUtLk7vwq60Bi7C6243AYiEaVaN3hWF6WtrdB/lxROLh\
173+
v/Dz8qkPRTI7Y3dEsBk2TDiui7XN/SQvnHsmR5hgU1bAwvW2fS5eRrk1DQKBgQCf\
174+
Dq55ukwoNiJQtmxnA3puXULgFEzKE8FzZU/H9KuDA2lpzIwfg3qNkEFK1F9/s+AA\
175+
NFHBdNyFg1baSgnBIQyRuHo6l/trnPIlz4aPED3LvckTy2ZmxEYwIGFSoz2STjRw\
176+
Im8JcklujbqMZ5V4bJSs78vTK5WzcYE40H7GA5K9VwKBgQCMNL9R7GUGxfQaOxiI\
177+
4mjwus2eQ0fEodIXfU5XFppScHgtKhPWNWNfbrSICyFkfvGBBgQDLCZgt/fO+GAK\
178+
r0kIP0GD3KvsLVHsSTR6Fsnz+05HYUEwbc6ebjOegJu+ZO9C4MXnWIaiOzd6vxUz\
179+
UIOZiBd7mcNJ6ccxdZ39YIPTew==\
180+
-----END PRIVATE KEY-----"
181+
.as_bytes(),
182+
)
183+
.expect("Failed to create Encoding Key.");
184+
185+
let invalid_jwt_token =
186+
encode(&Header::new(Algorithm::RS256), &claims, &invalid_encoding_key).unwrap();
187+
headers_map.insert("authorization".to_string(), format!("Bearer {}", invalid_jwt_token));
188+
189+
// JWT signed by invalid key results in AuthError.
190+
assert!(matches!(
191+
jwt_authorizer.verify(&headers_map).await.unwrap_err(),
192+
VssError::AuthError(_)
193+
));
194+
Ok(())
195+
}
196+
}

0 commit comments

Comments
 (0)