From 9b2e49099431e52a746893d28acaad26b8592f5e Mon Sep 17 00:00:00 2001
From: Pavel Zbitskiy
Date: Fri, 12 Jul 2024 17:07:43 -0400
Subject: [PATCH 1/3] rest api: Fix to Disable API authentication
---
 daemon/algod/api/server/router.go | 19 ++++++++++++++-----
 test/e2e-go/restAPI/other/misc_test.go | 20 +++++++++++++++-----
 test/framework/fixtures/libgoalFixture.go | 2 +-
 3 files changed, 30 insertions(+), 11 deletions(-)
diff --git a/daemon/algod/api/server/router.go b/daemon/algod/api/server/router.go
index cd0899c176..d4f2405197 100644
--- a/daemon/algod/api/server/router.go
+++ b/daemon/algod/api/server/router.go
@@ -19,10 +19,11 @@ package server
 import (
 "fmt"
- "golang.org/x/sync/semaphore"
 "net"
 "net/http"
+ "golang.org/x/sync/semaphore"
+
 "github.com/labstack/echo/v4"
 "github.com/labstack/echo/v4/middleware"
@@ -74,18 +75,26 @@ func registerHandlers(router *echo.Echo, prefix string, routes lib.Routes, ctx l
 // NewRouter builds and returns a new router with our REST handlers registered.
 func NewRouter(logger logging.Logger, node APINodeInterface, shutdown <-chan struct{}, apiToken string, adminAPIToken string, listener net.Listener, numConnectionsLimit uint64) *echo.Echo {
- if err := tokens.ValidateAPIToken(apiToken); err != nil {
- logger.Errorf("Invalid apiToken was passed to NewRouter ('%s'): %v", apiToken, err)
- }
+ // check admin token and init admin middleware
 if err := tokens.ValidateAPIToken(adminAPIToken); err != nil {
 logger.Errorf("Invalid adminAPIToken was passed to NewRouter ('%s'): %v", adminAPIToken, err)
 }
 adminMiddleware := []echo.MiddlewareFunc{
 middlewares.MakeAuth(TokenHeader, []string{adminAPIToken}),
 }
+
+ // check public api tokens and init public middleware
 publicMiddleware := []echo.MiddlewareFunc{
 middleware.BodyLimit(MaxRequestBodyBytes),
- middlewares.MakeAuth(TokenHeader, []string{adminAPIToken, apiToken}),
+ }
+ if apiToken == "" {
+ logger.Warn("Running with empty apiToken")
+ } else {
+ if err := tokens.ValidateAPIToken(apiToken); err != nil {
+ logger.Errorf("Invalid apiToken was passed to NewRouter ('%s'): %v", apiToken, err)
+ }
+ publicMiddleware = append(publicMiddleware, middlewares.MakeAuth(TokenHeader, []string{adminAPIToken, apiToken}))
+
 }
 e := echo.New()
diff --git a/test/e2e-go/restAPI/other/misc_test.go b/test/e2e-go/restAPI/other/misc_test.go
index 3f9da07c4a..3bf65cf073 100644
--- a/test/e2e-go/restAPI/other/misc_test.go
+++ b/test/e2e-go/restAPI/other/misc_test.go
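Review bot: In router.go's `NewRouter` hunk, the new `else` branch treats a failed `tokens.ValidateAPIToken(apiToken)` as log-only: the rejected value is still handed to `middlewares.MakeAuth`, and the `Errorf` call prints the token itself, so a malformed credential is both accepted and written to the node log (the adminAPIToken check above it does the same). I would drop the value from the message, e.g. `logger.Errorf("Invalid apiToken was passed to NewRouter: %v", err)`. Separately, `apiToken == ""` now leaves `publicMiddleware` without any token check, so the router cannot tell a deliberate opt-out from a token that failed to load; the callers are not visible here, but if any of them can pass an empty string on error, an explicit disable flag would keep that path failing closed. The body of `NewRouter` continues past the hunk.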
@@ -39,12 +39,12 @@ func TestDisabledAPIConfig(t *testing.T) {
 localFixture.Setup(t, filepath.Join("nettemplates", "DisableAPIAuth.json"))
 defer localFixture.Shutdown()
- testClient := localFixture.LibGoalClient
+ libgoalClient := localFixture.LibGoalClient
- statusResponse, err := testClient.Status()
+ statusResponse, err := libgoalClient.Status()
 a.NoError(err)
 a.NotEmpty(statusResponse)
- statusResponse2, err := testClient.Status()
+ statusResponse2, err := libgoalClient.Status()
 a.NoError(err)
 a.NotEmpty(statusResponse2)
 a.True(statusResponse2.LastRound >= statusResponse.LastRound)
@@ -58,12 +58,22 @@ func TestDisabledAPIConfig(t *testing.T) {
 assert.True(t, os.IsNotExist(err))
 // check public api works without a token
- testClient.WaitForRound(1)
+ url, err := localFixture.NC.ServerURL()
+ a.NoError(err)
+ testClient := client.MakeRestClient(url, "") // empty token
+
+ _, err = testClient.WaitForBlock(1)
+ assert.NoError(t, err)
 _, err = testClient.Block(1)
 assert.NoError(t, err)
+ _, err = testClient.Status()
+ a.NoError(err)
+ // check admin api works with the generated token
- _, err = testClient.GetParticipationKeys()
+ adminClient := localFixture.LibGoalClient
+ _, err = adminClient.GetParticipationKeys()
 assert.NoError(t, err)
+
 // check admin api doesn't work with an invalid token
 algodURL, err := nc.ServerURL()
 assert.NoError(t, err)
diff --git a/test/framework/fixtures/libgoalFixture.go b/test/framework/fixtures/libgoalFixture.go
index de1a06623d..bd4f615ae7 100644
--- a/test/framework/fixtures/libgoalFixture.go
+++ b/test/framework/fixtures/libgoalFixture.go
@@ -390,7 +390,7 @@ func (f *LibGoalFixture) dumpLogs(filePath string) {
 fmt.Fprintf(os.Stderr, "%s/%s:\n", parts[len(parts)-2], parts[len(parts)-1]) // Primary/node.log
 scanner := bufio.NewScanner(file)
 for scanner.Scan() {
- fmt.Fprint(os.Stderr, scanner.Text())
+ fmt.Fprintln(os.Stderr, scanner.Text())
 }
 fmt.Fprintln(os.Stderr)
 }
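Review bot: In `TestDisabledAPIConfig` (misc_test.go, second hunk), the empty-token `testClient` is only checked against public calls (`WaitForBlock`, `Block`, `Status`); nothing in the hunk asserts that the same unauthenticated client is refused on an admin endpoint, which is the boundary this change has to preserve once public auth is optional. A negative assertion next to the admin check would pin it: make an admin request through `testClient` and expect `assert.Error(t, err)`. The invalid-token check that follows begins at the end of the hunk and continues outside it, so it may partly cover this, but an empty token and a wrong token may be handled differently by `MakeAuth`, which is not shown.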
From 69d6ba96503b7411c25c6871295853af67d69494 Mon Sep 17 00:00:00 2001
From: Pavel Zbitskiy <65323360+algorandskiy@users.noreply.github.com>
Date: Mon, 15 Jul 2024 12:29:18 -0400
Subject: [PATCH 2/3] Apply suggestions from code review
Co-authored-by: Gary Malouf <982483+gmalouf@users.noreply.github.com>
---
 daemon/algod/api/server/router.go | 2 +-
 test/e2e-go/restAPI/other/misc_test.go | 3 +--
 2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/daemon/algod/api/server/router.go b/daemon/algod/api/server/router.go
index d4f2405197..6611fe688e 100644
--- a/daemon/algod/api/server/router.go
+++ b/daemon/algod/api/server/router.go
@@ -88,7 +88,7 @@ func NewRouter(logger logging.Logger, node APINodeInterface, shutdown <-chan str
 middleware.BodyLimit(MaxRequestBodyBytes),
 }
 if apiToken == "" {
- logger.Warn("Running with empty apiToken")
+ logger.Warn("Running with with public API authentication disabled")
 } else {
 if err := tokens.ValidateAPIToken(apiToken); err != nil {
 logger.Errorf("Invalid apiToken was passed to NewRouter ('%s'): %v", apiToken, err)
diff --git a/test/e2e-go/restAPI/other/misc_test.go b/test/e2e-go/restAPI/other/misc_test.go
index 3bf65cf073..eeaff9fcd1 100644
--- a/test/e2e-go/restAPI/other/misc_test.go
+++ b/test/e2e-go/restAPI/other/misc_test.go
@@ -70,8 +70,7 @@ func TestDisabledAPIConfig(t *testing.T) {
 a.NoError(err)
 // check admin api works with the generated token
- adminClient := localFixture.LibGoalClient
- _, err = adminClient.GetParticipationKeys()
+ _, err = libgoalClient.GetParticipationKeys()
 assert.NoError(t, err)
 // check admin api doesn't work with an invalid token
From c7ec69df0cc2012500c2ab59c53aa2d3acc65152 Mon Sep 17 00:00:00 2001
From: Pavel Zbitskiy <65323360+algorandskiy@users.noreply.github.com>
Date: Mon, 15 Jul 2024 12:47:23 -0400
Subject: [PATCH 3/3] Update daemon/algod/api/server/router.go
---
 daemon/algod/api/server/router.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/daemon/algod/api/server/router.go b/daemon/algod/api/server/router.go
index 6611fe688e..0b02bb8566 100644
--- a/daemon/algod/api/server/router.go
+++ b/daemon/algod/api/server/router.go
@@ -88,7 +88,7 @@ func NewRouter(logger logging.Logger, node APINodeInterface, shutdown <-chan str
 middleware.BodyLimit(MaxRequestBodyBytes),
 }
 if apiToken == "" {
- logger.Warn("Running with with public API authentication disabled")
+ logger.Warn("Running with public API authentication disabled")
 } else {
 if err := tokens.ValidateAPIToken(apiToken); err != nil {
 logger.Errorf("Invalid apiToken was passed to NewRouter ('%s'): %v", apiToken, err)