Dzejkop/auth debug api

Cargo.toml

@@ -8,6 +8,7 @@ op-alloy-rpc-types-engine = "0.12.0"
 alloy-rpc-types-engine = "0.13.0"
 alloy-rpc-types-eth = "0.13.0"
 alloy-primitives = { version = "0.8.10", features = ["rand"] }
+reth-rpc-layer = { git = "https://github.com/paradigmxyz/reth.git", rev = "v1.3.7" }
 tokio = { version = "1", features = ["full"] }
 tracing = "0.1.4"
 tracing-subscriber = { version = "0.3.11", features = ["env-filter", "json"] }
@@ -20,8 +21,8 @@ http = "1.1.0"
 dotenv = "0.15.0"
 tower = "0.4.13"
 tower-http = { version = "0.5.2", features = [
-    "decompression-full",
-    "sensitive-headers",
+  "decompression-full",
+  "sensitive-headers",
 ] }
 http-body-util = "0.1.2"
 hyper = { version = "1.4.1", features = ["full"] }
@@ -31,11 +32,11 @@ rustls = { version = "0.23.23", features = ["ring"] }
 serde_json = "1.0.96"
 opentelemetry = { version = "0.28.0", features = ["trace"] }
 opentelemetry-otlp = { version = "0.28.0", features = [
-    "http-proto",
-    "http-json",
-    "reqwest-client",
-    "trace",
-    "grpc-tonic",
+  "http-proto",
+  "http-json",
+  "reqwest-client",
+  "trace",
+  "grpc-tonic",
 ] }
 opentelemetry_sdk = { version = "0.28.0", features = ["rt-tokio"] }
 tracing-opentelemetry = "0.29.0"
@@ -59,7 +60,6 @@ assert_cmd = "2.0.10"
 predicates = "3.1.2"
 tokio-util = { version = "0.7.13" }
 bytes = "1.2"
-reth-rpc-layer = { git = "https://github.com/paradigmxyz/reth.git", rev = "v1.3.7" }
 ctor = "0.4.1"
 reqwest = "0.12.15"
 

src/cli.rs

@@ -2,7 +2,7 @@ use std::{net::SocketAddr, path::PathBuf};
 
 use alloy_rpc_types_engine::JwtSecret;
 use clap::{Parser, Subcommand};
-use eyre::bail;
+use eyre::{Context, bail};
 use jsonrpsee::{RpcModule, server::Server};
 use tokio::signal::unix::{SignalKind, signal as unix_signal};
 use tracing::{Level, info};
@@ -83,6 +83,14 @@ pub struct Args {
     #[arg(long, env, default_value = "5555")]
     pub debug_server_port: u16,
 
+    /// Hex encoded JWT secret
+    #[arg(long, env, value_name = "HEX")]
+    pub debug_jwt_token: Option<JwtSecret>,
+
+    /// Path to a JWT secret to use for the authenticated engine-API RPC server.
+    #[arg(long, env, value_name = "PATH")]
+    pub debug_jwt_path: Option<PathBuf>,
+
     /// Execution mode to start rollup boost with
     #[arg(long, env, default_value = "enabled")]
     pub execution_mode: ExecutionMode,
@@ -94,6 +102,7 @@ impl Args {
             .install_default()
             .expect("Failed to install TLS ring CryptoProvider");
 
+        let debug_jwt = self.debug_jwt()?;
         let debug_addr = format!("{}:{}", self.debug_host, self.debug_server_port);
 
         // Handle commands if present
@@ -102,14 +111,14 @@ impl Args {
             return match cmd {
                 Commands::Debug { command } => match command {
                     DebugCommands::SetExecutionMode { execution_mode } => {
-                        let client = DebugClient::new(debug_addr.as_str())?;
+                        let client = DebugClient::new(debug_addr.as_str(), debug_jwt)?;
                         let result = client.set_execution_mode(execution_mode).await.unwrap();
                         println!("Response: {:?}", result.execution_mode);
 
                         Ok(())
                     }
                     DebugCommands::ExecutionMode {} => {
-                        let client = DebugClient::new(debug_addr.as_str())?;
+                        let client = DebugClient::new(debug_addr.as_str(), debug_jwt)?;
                         let result = client.get_execution_mode().await?;
                         println!("Execution mode: {:?}", result.execution_mode);
 
@@ -167,7 +176,9 @@ impl Args {
         );
 
         // Spawn the debug server
-        rollup_boost.start_debug_server(debug_addr.as_str()).await?;
+        rollup_boost
+            .start_debug_server(debug_addr.as_str(), debug_jwt)
+            .await?;
 
         let module: RpcModule<()> = rollup_boost.try_into()?;
 
@@ -213,6 +224,16 @@ impl Args {
 
         Ok(())
     }
+
+    fn debug_jwt(&self) -> eyre::Result<JwtSecret> {
+        if let Some(secret) = self.debug_jwt_token {
+            Ok(secret)
+        } else if let Some(path) = self.debug_jwt_path.as_ref() {
+            JwtSecret::from_file(path).context("Loading debug JWT")
+        } else {
+            bail!("Missing Debug Server JWT secret");
+        }
+    }
 }
 
 #[derive(Clone, Debug)]

src/debug_api.rs

@@ -1,11 +1,15 @@
 use jsonrpsee::core::{RpcResult, async_trait};
-use jsonrpsee::http_client::HttpClient;
+use jsonrpsee::http_client::transport::HttpBackend;
+use jsonrpsee::http_client::{HttpClient, HttpClientBuilder};
 use jsonrpsee::proc_macros::rpc;
 use jsonrpsee::server::Server;
 use parking_lot::Mutex;
+use reth_rpc_layer::{JwtAuthValidator, JwtSecret};
 use serde::{Deserialize, Serialize};
 use std::sync::Arc;
 
+use crate::{Auth, AuthLayer};
+
 #[derive(Serialize, Deserialize, Debug, Copy, Clone, PartialEq, clap::ValueEnum)]
 #[serde(rename_all = "snake_case")]
 pub enum ExecutionMode {
@@ -63,8 +67,14 @@ impl DebugServer {
         Self { execution_mode }
     }
 
-    pub async fn run(self, debug_addr: &str) -> eyre::Result<()> {
-        let server = Server::builder().build(debug_addr).await?;
+    pub async fn run(self, debug_addr: &str, jwt_secret: JwtSecret) -> eyre::Result<()> {
+        let auth_layer = reth_rpc_layer::AuthLayer::new(JwtAuthValidator::new(jwt_secret));
+        let http_middleware = tower::ServiceBuilder::new().layer(auth_layer);
+
+        let server = Server::builder()
+            .set_http_middleware(http_middleware)
+            .build(debug_addr)
+            .await?;
 
         let handle = server.start(self.into_rpc());
 
@@ -109,12 +119,15 @@ impl DebugApiServer for DebugServer {
 }
 
 pub struct DebugClient {
-    client: HttpClient,
+    client: HttpClient<Auth<HttpBackend>>,
 }
 
 impl DebugClient {
-    pub fn new(url: &str) -> eyre::Result<Self> {
-        let client = HttpClient::builder().build(url)?;
+    pub fn new(url: &str, jwt_secret: JwtSecret) -> eyre::Result<Self> {
+        let auth_layer = AuthLayer::new(jwt_secret);
+        let client = HttpClientBuilder::new()
+            .set_http_middleware(tower::ServiceBuilder::new().layer(auth_layer))
+            .build(url)?;
 
         Ok(Self { client })
     }
@@ -140,15 +153,21 @@ mod tests {
 
     const DEFAULT_ADDR: &str = "127.0.0.1:5555";
 
+    const DEFAULT_AUTH_SECRET: &str =
+        "f79ae8046bc11c9927afe911db7143c51a806c4a537cc08e0d37140b0192f430";
+
     #[tokio::test]
     async fn test_debug_client() {
         // spawn the server and try to modify it with the client
         let execution_mode = Arc::new(Mutex::new(ExecutionMode::Enabled));
 
         let server = DebugServer::new(execution_mode.clone());
-        server.run(DEFAULT_ADDR).await.unwrap();
+        let jwt_secret = JwtSecret::from_hex(DEFAULT_AUTH_SECRET).unwrap();
+
+        server.run(DEFAULT_ADDR, jwt_secret).await.unwrap();
 
-        let client = DebugClient::new(format!("http://{}", DEFAULT_ADDR).as_str()).unwrap();
+        let client =
+            DebugClient::new(format!("http://{}", DEFAULT_ADDR).as_str(), jwt_secret).unwrap();
 
         // Test setting execution mode to Disabled
         let result = client

src/server.rs

@@ -11,6 +11,7 @@ use metrics::counter;
 use moka::future::Cache;
 use opentelemetry::trace::SpanKind;
 use parking_lot::Mutex;
+use reth_rpc_layer::JwtSecret;
 use std::sync::Arc;
 
 use crate::debug_api::ExecutionMode;
@@ -157,9 +158,13 @@ impl RollupBoostServer {
         }
     }
 
-    pub async fn start_debug_server(&self, debug_addr: &str) -> eyre::Result<()> {
+    pub async fn start_debug_server(
+        &self,
+        debug_addr: &str,
+        jwt_secret: JwtSecret,
+    ) -> eyre::Result<()> {
         let server = DebugServer::new(self.execution_mode.clone());
-        server.run(debug_addr).await?;
+        server.run(debug_addr, jwt_secret).await?;
         Ok(())
     }
 

tests/common/mod.rs

@@ -346,6 +346,8 @@ impl RollupBoostTestHarnessBuilder {
         rollup_boost.args.l2_client.l2_url = l2.auth_rpc().await?;
         rollup_boost.args.builder.builder_url = builder_url.try_into().unwrap();
         rollup_boost.args.log_file = Some(rollup_boost_log_file_path);
+        let debug_jwt = JwtSecret::from_hex(JWT_SECRET).unwrap();
+        rollup_boost.args.debug_jwt_token = Some(debug_jwt);
         let rollup_boost = rollup_boost.start().await;
         println!("rollup-boost authrpc: {}", rollup_boost.rpc_endpoint());
         println!("rollup-boost metrics: {}", rollup_boost.metrics_endpoint());
@@ -373,7 +375,8 @@ impl RollupBoostTestHarness {
     }
 
     pub async fn debug_client(&self) -> DebugClient {
-        DebugClient::new(&self.rollup_boost.debug_endpoint()).unwrap()
+        let jwt_secret = JwtSecret::from_hex(JWT_SECRET).unwrap();
+        DebugClient::new(&self.rollup_boost.debug_endpoint(), jwt_secret).unwrap()
     }
 }