Merge branch 'main' into codeql-v3

hyperledger · Feb 17, 2025 · 3611ed2 · 3611ed2
2 parents e83028d + efcefad
commit 3611ed2
Show file tree

Hide file tree

Showing 36 changed files with 1,670 additions and 557 deletions.
diff --git a/.github/workflows/acceptance-tests.yml b/.github/workflows/acceptance-tests.yml
@@ -79,7 +79,7 @@ jobs:
           name: test-args-${{ matrix.runner_index }}.txt
           path: '*.txt'
       - name: run acceptance tests
-        run: ./gradlew --max-workers 1 acceptanceTestNotPrivacy `cat gradleArgs.txt` -Dorg.gradle.caching=true
+        run: ./gradlew acceptanceTestNotPrivacy `cat gradleArgs.txt` -Dorg.gradle.caching=true
       - name: Remove downloaded test results
         run: rm -rf tmp/junit-xml-reports-downloaded
       - name: Upload Acceptance Test Results

diff --git a/...l/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/node/ProcessBesuNodeRunner.java b/...l/src/main/java/org/hyperledger/besu/tests/acceptance/dsl/node/ProcessBesuNodeRunner.java
@@ -48,6 +48,7 @@
 import java.util.concurrent.Executors;
 import java.util.concurrent.TimeUnit;
 import java.util.stream.Collectors;
+import java.util.stream.Stream;
 
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -529,8 +530,7 @@ private void killBesuProcess(final String name) {
       return;
     }
 
-    process
-        .descendants()
+    Stream.concat(process.descendants(), Stream.of(process.toHandle()))
         .peek(
             processHandle ->
                 LOG.info("Killing {} process, pid {}", processHandle.info(), processHandle.pid()))

diff --git a/acceptance-tests/tests/build.gradle b/acceptance-tests/tests/build.gradle
@@ -12,8 +12,8 @@
  */
 
 plugins {
-  id 'org.web3j' version '4.11.3'
-  id 'org.web3j.solidity' version '0.4.1'
+  id 'org.web3j' version '4.12.2'
+  id 'org.web3j.solidity' version '0.5.2'
 }
 
 web3j { generatedPackageName = 'org.hyperledger.besu.tests.web3j.generated' }

diff --git a/acceptance-tests/tests/shanghai/build.gradle b/acceptance-tests/tests/shanghai/build.gradle
@@ -1,7 +1,7 @@
 
 plugins {
-  id 'org.web3j' version '4.11.3'
-  id 'org.web3j.solidity' version '0.4.1'
+  id 'org.web3j' version '4.12.2'
+  id 'org.web3j.solidity' version '0.5.2'
 }
 
 jar { enabled = true }

diff --git a/.../tests/src/test/java/org/hyperledger/besu/tests/acceptance/bftsoak/BftMiningSoakTest.java b/.../tests/src/test/java/org/hyperledger/besu/tests/acceptance/bftsoak/BftMiningSoakTest.java
@@ -30,6 +30,7 @@
 
 import com.fasterxml.jackson.databind.node.ObjectNode;
 import org.assertj.core.api.Assertions;
+import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.params.ParameterizedTest;
 import org.junit.jupiter.params.provider.MethodSource;
 
@@ -344,6 +345,7 @@ private void stopNode(final BesuNode node) throws InterruptedException {
     Thread.sleep(TEN_SECONDS);
   }
 
+  @AfterEach
   @Override
   public void tearDownAcceptanceTestBase() {
     cluster.stop();

diff --git a/...ava/org/hyperledger/besu/tests/acceptance/bootstrap/ClusterNoDiscoveryAcceptanceTest.java b/...ava/org/hyperledger/besu/tests/acceptance/bootstrap/ClusterNoDiscoveryAcceptanceTest.java
@@ -20,6 +20,7 @@
 import org.hyperledger.besu.tests.acceptance.dsl.node.cluster.ClusterConfiguration;
 import org.hyperledger.besu.tests.acceptance.dsl.node.cluster.ClusterConfigurationBuilder;
 
+import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
@@ -44,6 +45,7 @@ public void shouldNotConnectToOtherPeer() {
     fullNode.verify(net.awaitPeerCount(0));
   }
 
+  @AfterEach
   @Override
   public void tearDownAcceptanceTestBase() {
     noDiscoveryCluster.stop();

diff --git a/...rg/hyperledger/besu/tests/acceptance/bootstrap/ClusterThreadNodeRunnerAcceptanceTest.java b/...rg/hyperledger/besu/tests/acceptance/bootstrap/ClusterThreadNodeRunnerAcceptanceTest.java
@@ -31,6 +31,7 @@
 
 import java.util.List;
 
+import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
@@ -79,6 +80,7 @@ void shouldMineTransactionsEvenAfterRestart() {
     miner.verify(recipient.balanceEquals(2));
   }
 
+  @AfterEach
   @Override
   public void tearDownAcceptanceTestBase() {
     noDiscoveryCluster.stop();

diff --git a/.../test/java/org/hyperledger/besu/tests/acceptance/bootstrap/P2pDisabledAcceptanceTest.java b/.../test/java/org/hyperledger/besu/tests/acceptance/bootstrap/P2pDisabledAcceptanceTest.java
@@ -20,6 +20,7 @@
 import org.hyperledger.besu.tests.acceptance.dsl.node.cluster.ClusterConfiguration;
 import org.hyperledger.besu.tests.acceptance.dsl.node.cluster.ClusterConfigurationBuilder;
 
+import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
@@ -37,6 +38,7 @@ public void setUp() throws Exception {
     p2pDisabledCluster.start(node);
   }
 
+  @AfterEach
   @Override
   public void tearDownAcceptanceTestBase() {
     p2pDisabledCluster.stop();

diff --git a/...s/src/test/java/org/hyperledger/besu/tests/acceptance/crypto/SECP256R1AcceptanceTest.java b/...s/src/test/java/org/hyperledger/besu/tests/acceptance/crypto/SECP256R1AcceptanceTest.java
@@ -31,6 +31,7 @@
 import java.util.List;
 
 import org.apache.tuweni.bytes.Bytes32;
+import org.junit.jupiter.api.AfterEach;
 import org.junit.jupiter.api.BeforeEach;
 import org.junit.jupiter.api.Test;
 
@@ -93,6 +94,7 @@ public void transactionShouldBeSuccessful() {
     noDiscoveryCluster.verify(recipient.balanceEquals(5));
   }
 
+  @AfterEach
   @Override
   public void tearDownAcceptanceTestBase() {
     super.tearDownAcceptanceTestBase();

diff --git a/...yperledger/besu/tests/acceptance/jsonrpc/AbstractJsonRpcAuthenticationAcceptanceTest.java b/...yperledger/besu/tests/acceptance/jsonrpc/AbstractJsonRpcAuthenticationAcceptanceTest.java
@@ -0,0 +1,168 @@
+/*
+ * Copyright contributors to Besu.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.hyperledger.besu.tests.acceptance.jsonrpc;
+
+import org.hyperledger.besu.tests.acceptance.dsl.AcceptanceTestBase;
+import org.hyperledger.besu.tests.acceptance.dsl.node.BesuNode;
+import org.hyperledger.besu.tests.acceptance.dsl.node.cluster.Cluster;
+
+import java.util.Arrays;
+import java.util.List;
+
+import org.junit.jupiter.api.AfterEach;
+import org.junit.jupiter.api.Test;
+
+public abstract class AbstractJsonRpcAuthenticationAcceptanceTest extends AcceptanceTestBase {
+  protected Cluster authenticatedCluster;
+  protected BesuNode nodeUsingAuthFile;
+  protected BesuNode nodeUsingRsaJwtPublicKey;
+  protected BesuNode nodeUsingEcdsaJwtPublicKey;
+  protected BesuNode nodeUsingAuthFileWithNoAuthApi;
+  protected static final String AUTH_FILE = "authentication/auth.toml";
+
+  // token with payload{"iat": 1516239022,"exp": 4729363200,"permissions": ["net:peerCount"]}
+  protected static final String RSA_TOKEN_ALLOWING_NET_PEER_COUNT =
+      "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjIsImV4cCI6NDcyOTM2MzIwMCwicGVybWl"
+          + "zc2lvbnMiOlsibmV0OnBlZXJDb3VudCJdfQ.Y6mNV0nvjzOdqAgMgxknFAOUTKoeRAo4aifNgNrWtuXbJJgz6-"
+          + "H_0GvLgjlToohPiDZbBJXJJlgb4zzLLB-sRtFnGoPaMgz_d_6z958GjFD7x_Fl0HW-WrTjRNenZNfTyD86OEAf"
+          + "XHy-7N3OYY2a5yeDbppTJy6nnHTq9hY-ad22-oWL1RbK3T_hnUJII_uXCZ9bJggSfu5m-NNUrm3TeqdnQzIaIz"
+          + "DqHlL0wNZwVPB4cFGN7zKghReBpkRJ8OFlxexQ491Q5eSpuYquhef-yGCIaMfy7GVtpDSD3Y-hjOErr7gUNCUh"
+          + "1wlc3Rb7ru_0qNgCWTBPJeRK32GppYotwQ";
+
+  protected static final String ECDSA_TOKEN_ALLOWING_NET_PEER_COUNT =
+      "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJpYXQiOjE1MTYyMzkwMjIsImV4cCI6NDcyOTM2MzIwMCwicGVybWlz"
+          + "c2lvbnMiOlsibmV0OnBlZXJDb3VudCJdfQ.pWXniN6XQ7G8b1nawy8sviPCMxrfbcI6c7UFzeXm26CMGMUEZxiC"
+          + "JjRntB8ueuZcsxnGlEhCHt-KngpFEmx5TA";
+
+  protected static final List<String> NO_AUTH_API_METHODS = Arrays.asList("net_services");
+
+  @Test
+  public void shouldFailLoginWithWrongCredentials() {
+    nodeUsingAuthFile.verify(login.failure("user", "badpassword"));
+    nodeUsingAuthFileWithNoAuthApi.verify(login.failure("user", "badpassword"));
+  }
+
+  @Test
+  public void shouldSucceedLoginWithCorrectCredentials() {
+    nodeUsingAuthFile.verify(login.success("user", "pegasys"));
+    nodeUsingAuthFileWithNoAuthApi.verify(login.success("user", "pegasys"));
+  }
+
+  @Test
+  public void jsonRpcMethodShouldSucceedWithAuthenticatedUserAndPermission() {
+    String token =
+        nodeUsingAuthFile.execute(
+            permissioningTransactions.createSuccessfulLogin("user", "pegasys"));
+    nodeUsingAuthFile.useAuthenticationTokenInHeaderForJsonRpc(token);
+    nodeUsingAuthFile.verify(net.awaitPeerCount(3));
+
+    token =
+        nodeUsingAuthFileWithNoAuthApi.execute(
+            permissioningTransactions.createSuccessfulLogin("user", "pegasys"));
+    nodeUsingAuthFileWithNoAuthApi.useAuthenticationTokenInHeaderForJsonRpc(token);
+    nodeUsingAuthFileWithNoAuthApi.verify(net.awaitPeerCount(3));
+  }
+
+  @Test
+  public void jsonRpcMethodShouldFailOnNonPermittedMethod() {
+    String token =
+        nodeUsingAuthFile.execute(
+            permissioningTransactions.createSuccessfulLogin("user", "pegasys"));
+    nodeUsingAuthFile.useAuthenticationTokenInHeaderForJsonRpc(token);
+    nodeUsingAuthFile.verify(net.netVersionUnauthorized());
+    nodeUsingAuthFile.verify(net.netServicesUnauthorized());
+
+    token =
+        nodeUsingAuthFileWithNoAuthApi.execute(
+            permissioningTransactions.createSuccessfulLogin("user", "pegasys"));
+    nodeUsingAuthFileWithNoAuthApi.useAuthenticationTokenInHeaderForJsonRpc(token);
+    nodeUsingAuthFileWithNoAuthApi.verify(net.netVersionUnauthorized());
+  }
+
+  @Test
+  public void jsonRpcMethodsNotIncludedInNoAuthListShouldFailWithoutToken() {
+    nodeUsingAuthFile.verify(net.netVersionUnauthorized());
+    nodeUsingAuthFileWithNoAuthApi.verify(net.netVersionUnauthorized());
+  }
+
+  @Test
+  public void noAuthJsonRpcMethodShouldSucceedWithoutToken() {
+    nodeUsingAuthFileWithNoAuthApi.verify(net.netServicesAllActive());
+  }
+
+  @Test
+  public void noAuthJsonRpcConfiguredNodeShouldWorkAsIntended() {
+    // No token -> all methods other than specified no auth methods should fail
+    nodeUsingAuthFileWithNoAuthApi.verify(net.netVersionUnauthorized());
+    nodeUsingAuthFileWithNoAuthApi.verify(net.netServicesAllActive());
+
+    // Should behave the same with valid token
+    String token =
+        nodeUsingAuthFileWithNoAuthApi.execute(
+            permissioningTransactions.createSuccessfulLogin("user", "pegasys"));
+    nodeUsingAuthFileWithNoAuthApi.useAuthenticationTokenInHeaderForJsonRpc(token);
+    nodeUsingAuthFileWithNoAuthApi.verify(net.netVersionUnauthorized());
+    nodeUsingAuthFileWithNoAuthApi.verify(net.netServicesAllActive());
+    nodeUsingAuthFileWithNoAuthApi.verify(net.awaitPeerCount(3));
+  }
+
+  @Test
+  public void externalRsaJwtPublicKeyUsedOnJsonRpcMethodShouldSucceed() {
+    nodeUsingRsaJwtPublicKey.useAuthenticationTokenInHeaderForJsonRpc(
+        RSA_TOKEN_ALLOWING_NET_PEER_COUNT);
+    nodeUsingRsaJwtPublicKey.verify(net.awaitPeerCount(3));
+  }
+
+  @Test
+  public void externalRsaJwtPublicKeyUsedOnJsonRpcMethodShouldFailOnNonPermittedMethod() {
+    nodeUsingRsaJwtPublicKey.useAuthenticationTokenInHeaderForJsonRpc(
+        RSA_TOKEN_ALLOWING_NET_PEER_COUNT);
+    nodeUsingRsaJwtPublicKey.verify(net.netVersionUnauthorized());
+    nodeUsingRsaJwtPublicKey.verify(net.netServicesUnauthorized());
+  }
+
+  @Test
+  public void externalEcdsaJwtPublicKeyUsedOnJsonRpcMethodShouldSucceed() {
+    nodeUsingEcdsaJwtPublicKey.useAuthenticationTokenInHeaderForJsonRpc(
+        ECDSA_TOKEN_ALLOWING_NET_PEER_COUNT);
+    nodeUsingEcdsaJwtPublicKey.verify(net.awaitPeerCount(3));
+  }
+
+  @Test
+  public void externalEcdsaJwtPublicKeyUsedOnJsonRpcMethodShouldFailOnNonPermittedMethod() {
+    nodeUsingEcdsaJwtPublicKey.useAuthenticationTokenInHeaderForJsonRpc(
+        ECDSA_TOKEN_ALLOWING_NET_PEER_COUNT);
+    nodeUsingEcdsaJwtPublicKey.verify(net.netVersionUnauthorized());
+    nodeUsingEcdsaJwtPublicKey.verify(net.netServicesUnauthorized());
+  }
+
+  @Test
+  public void jsonRpcMethodShouldFailWhenThereIsNoToken() {
+    nodeUsingRsaJwtPublicKey.verify(net.netVersionUnauthorized());
+    nodeUsingRsaJwtPublicKey.verify(net.netServicesUnauthorized());
+  }
+
+  @Test
+  public void loginShouldBeDisabledWhenUsingExternalJwtPublicKey() {
+    nodeUsingRsaJwtPublicKey.verify(login.disabled());
+  }
+
+  @AfterEach
+  @Override
+  public void tearDownAcceptanceTestBase() {
+    authenticatedCluster.stop();
+    super.tearDownAcceptanceTestBase();
+  }
+}