feat: HMAC authentication for covenant emulator and covenant signer (#109)

* feat: HMAC authentication for covenant emulator and covenant signer

* CHANGELOG

* fix: move hmac to middleware and wrap docs to 80 characters

* fix: client imports

* fix: imports on tests

* fix: imports in e2e tests

* fix: imports

Author: Vvaradinov

CHANGELOG.md

@@ -39,6 +39,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 
 ### Improvements
 
+* [#109](https://github.com/babylonlabs-io/covenant-emulator/pull/109) HMAC authentication between signer and emulator.
 * [#110](https://github.com/babylonlabs-io/covenant-emulator/pull/110) bump babylon to v1.0.0-rc.7
 
 ### Bug Fixes

config/remotesigner.go

@@ -10,11 +10,13 @@ const (
 type RemoteSignerCfg struct {
 	URL     string        `long:"url" description:"URL of the remote signer"`
 	Timeout time.Duration `long:"timeout" description:"client when making requests to the remote signer"`
+	HMACKey string        `long:"hmackey" description:"HMAC key for authenticating requests to the remote signer - can be a direct key or reference to a cloud secret manager. Leave empty to disable HMAC authentication."`
 }
 
 func DefaultRemoteSignerConfig() RemoteSignerCfg {
 	return RemoteSignerCfg{
 		URL:     defaultUrl,
 		Timeout: defaultTimeout,
+		HMACKey: "",
 	}
 }

covenant-signer/config/config.go

@@ -94,6 +94,11 @@ idle-timeout = {{ .Server.IdleTimeout }}
 # Max content length in bytes
 max-content-length = {{ .Server.MaxContentLength }}
 
+# HMAC key for request authentication
+# This can be a direct key or a reference to a cloud secret manager
+# Leave empty to disable HMAC authentication
+hmac-key = "{{ .Server.HMACKey }}"
+
 [metrics]
 # The prometheus server host
 host = "{{ .Metrics.Host }}"

covenant-signer/config/server.go

@@ -9,6 +9,7 @@ type ServerConfig struct {
 	ReadTimeout      uint32 `mapstructure:"read-timeout"`
 	IdleTimeout      uint32 `mapstructure:"idle-timeout"`
 	MaxContentLength uint32 `mapstructure:"max-content-length"`
+	HMACKey          string `mapstructure:"hmac-key"`
 }
 
 type ParsedServerConfig struct {
@@ -18,6 +19,7 @@ type ParsedServerConfig struct {
 	ReadTimeout      time.Duration
 	IdleTimeout      time.Duration
 	MaxContentLength uint32
+	HMACKey          string
 }
 
 func (c *ServerConfig) Parse() (*ParsedServerConfig, error) {
@@ -29,6 +31,7 @@ func (c *ServerConfig) Parse() (*ParsedServerConfig, error) {
 		ReadTimeout:      time.Duration(c.ReadTimeout) * time.Second,
 		IdleTimeout:      time.Duration(c.IdleTimeout) * time.Second,
 		MaxContentLength: c.MaxContentLength,
+		HMACKey:          c.HMACKey,
 	}, nil
 }
 
@@ -40,5 +43,6 @@ func DefaultServerConfig() *ServerConfig {
 		ReadTimeout:      15,
 		IdleTimeout:      120,
 		MaxContentLength: 10 * 1024 * 1024, // 10MB,
+		HMACKey:          "",
 	}
 }

covenant-signer/itest/e2e_test.go

@@ -28,6 +28,7 @@ import (
 
 	"github.com/babylonlabs-io/covenant-emulator/covenant-signer/signerapp"
 	"github.com/babylonlabs-io/covenant-emulator/covenant-signer/signerservice"
+	"github.com/babylonlabs-io/covenant-emulator/covenant-signer/signerservice/middlewares"
 	"github.com/babylonlabs-io/covenant-emulator/covenant-signer/signerservice/types"
 )
 
@@ -130,24 +131,24 @@ func buildDataToSign(t *testing.T, covnenantPublicKey *btcec.PublicKey) signerap
 }
 
 func TestGetPublicKey(t *testing.T) {
-	tm := StartManager(t, 100, false)
+	tm := StartManager(t, 100, false, "")
 	// default passphrase is empty in non encrypted keyring
-	err := signerservice.Unlock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "")
+	err := signerservice.Unlock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "", "")
 	require.NoError(t, err)
 
-	pubKey, err := signerservice.GetPublicKey(context.Background(), tm.SigningServerUrl(), 10*time.Second)
+	pubKey, err := signerservice.GetPublicKey(context.Background(), tm.SigningServerUrl(), 10*time.Second, tm.hmacKey)
 	require.NoError(t, err)
 	require.NotNil(t, pubKey)
 
 }
 
 func TestSigningTransactions(t *testing.T) {
-	tm := StartManager(t, 100, false)
+	tm := StartManager(t, 100, false, "")
 	// default passphrase is empty in non encrypted keyring
-	err := signerservice.Unlock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "")
+	err := signerservice.Unlock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "", "")
 	require.NoError(t, err)
 
-	pubKey, err := signerservice.GetPublicKey(context.Background(), tm.SigningServerUrl(), 10*time.Second)
+	pubKey, err := signerservice.GetPublicKey(context.Background(), tm.SigningServerUrl(), 10*time.Second, tm.hmacKey)
 	require.NoError(t, err)
 	require.NotNil(t, pubKey)
 
@@ -158,6 +159,7 @@ func TestSigningTransactions(t *testing.T) {
 		tm.SigningServerUrl(),
 		10*time.Second,
 		&dataToSign,
+		"",
 	)
 
 	require.NoError(t, err)
@@ -168,7 +170,7 @@ func TestSigningTransactions(t *testing.T) {
 }
 
 func TestRejectToLargeRequest(t *testing.T) {
-	tm := StartManager(t, 100, false)
+	tm := StartManager(t, 100, false, "")
 	r := rand.New(rand.NewSource(time.Now().UnixNano()))
 	tmContentLimit := tm.signerConfig.Server.MaxContentLength
 	size := tmContentLimit + 1
@@ -200,12 +202,12 @@ func TestRejectToLargeRequest(t *testing.T) {
 }
 
 func TestSigningTransactionsUsingEncryptedFileKeyRing(t *testing.T) {
-	tm := StartManager(t, 100, true)
+	tm := StartManager(t, 100, true, "")
 
-	err := signerservice.Unlock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "testtest")
+	err := signerservice.Unlock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "testtest", "")
 	require.NoError(t, err)
 
-	pubKey, err := signerservice.GetPublicKey(context.Background(), tm.SigningServerUrl(), 10*time.Second)
+	pubKey, err := signerservice.GetPublicKey(context.Background(), tm.SigningServerUrl(), 10*time.Second, tm.hmacKey)
 	require.NoError(t, err)
 	require.NotNil(t, pubKey)
 
@@ -216,6 +218,7 @@ func TestSigningTransactionsUsingEncryptedFileKeyRing(t *testing.T) {
 		tm.SigningServerUrl(),
 		10*time.Second,
 		&dataToSign,
+		"",
 	)
 
 	require.NoError(t, err)
@@ -226,19 +229,19 @@ func TestSigningTransactionsUsingEncryptedFileKeyRing(t *testing.T) {
 }
 
 func TestLockingKeyring(t *testing.T) {
-	tm := StartManager(t, 100, true)
+	tm := StartManager(t, 100, true, "")
 
-	err := signerservice.Unlock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "testtest")
+	err := signerservice.Unlock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "testtest", "")
 	require.NoError(t, err)
 
-	pubKey, err := signerservice.GetPublicKey(context.Background(), tm.SigningServerUrl(), 10*time.Second)
+	pubKey, err := signerservice.GetPublicKey(context.Background(), tm.SigningServerUrl(), 10*time.Second, tm.hmacKey)
 	require.NoError(t, err)
 	require.NotNil(t, pubKey)
 
 	dataToSign := buildDataToSign(t, pubKey)
 
 	// lock the keyring, and clear the private key from memory
-	err = signerservice.Lock(context.Background(), tm.SigningServerUrl(), 10*time.Second)
+	err = signerservice.Lock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "")
 	require.NoError(t, err)
 
 	// try to sign a transaction with a locked keyring, it should fail
@@ -247,9 +250,164 @@ func TestLockingKeyring(t *testing.T) {
 		tm.SigningServerUrl(),
 		10*time.Second,
 		&dataToSign,
+		"",
 	)
 
 	require.Error(t, err)
 	require.Nil(t, sigs)
+}
+
+func TestHMACAuthentication(t *testing.T) {
+	// Test with valid HMAC key
+	testHMACKey := "test-hmac-key-for-authentication"
+	tm := StartManager(t, 100, false, testHMACKey)
+
+	err := signerservice.Unlock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "", testHMACKey)
+	require.NoError(t, err, "Unlock should succeed with valid HMAC key")
+
+	pubKey, err := signerservice.GetPublicKey(context.Background(), tm.SigningServerUrl(), 10*time.Second, testHMACKey)
+	require.NoError(t, err)
+	require.NotNil(t, pubKey)
+
+	dataToSign := buildDataToSign(t, pubKey)
+
+	sigs, err := signerservice.RequestCovenantSignaure(
+		context.Background(),
+		tm.SigningServerUrl(),
+		10*time.Second,
+		&dataToSign,
+		testHMACKey,
+	)
+	require.NoError(t, err, "Signing should succeed with valid HMAC key")
+	require.NotNil(t, sigs)
+
+	_, err = signerservice.RequestCovenantSignaure(
+		context.Background(),
+		tm.SigningServerUrl(),
+		10*time.Second,
+		&dataToSign,
+		"invalid-hmac-key",
+	)
+	require.Error(t, err, "Signing should fail with invalid HMAC key")
+	require.Contains(t, err.Error(), "401", "Error should be a 401 Unauthorized")
+
+	err = signerservice.Lock(context.Background(), tm.SigningServerUrl(), 10*time.Second, testHMACKey)
+	require.NoError(t, err, "Lock should succeed with valid HMAC key")
+
+	err = signerservice.Lock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "invalid-hmac-key")
+	require.Error(t, err, "Lock should fail with invalid HMAC key")
+	require.Contains(t, err.Error(), "401", "Error should be a 401 Unauthorized")
+}
+
+func TestHMACDirectRequest(t *testing.T) {
+	testHMACKey := "test-hmac-key-for-direct-request"
+	tm := StartManager(t, 100, false, testHMACKey)
+
+	err := signerservice.Unlock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "", testHMACKey)
+	require.NoError(t, err)
+
+	body := []byte(`{"passphrase":""}`)
+	route := fmt.Sprintf("%s/v1/unlock", tm.SigningServerUrl())
+
+	hmacValue, err := middlewares.GenerateHMAC(testHMACKey, body)
+	require.NoError(t, err)
+
+	httpRequest, err := http.NewRequestWithContext(context.Background(), "POST", route, bytes.NewReader(body))
+	require.NoError(t, err)
+	httpRequest.Header.Set("Content-Type", "application/json")
+	httpRequest.Header.Set(middlewares.HeaderCovenantHMAC, hmacValue)
+
+	client := http.Client{Timeout: 10 * time.Second}
+	res, err := client.Do(httpRequest)
+	require.NoError(t, err)
+	defer res.Body.Close()
+	require.Equal(t, http.StatusOK, res.StatusCode, "Request with valid HMAC should succeed")
+
+	httpRequest, err = http.NewRequestWithContext(context.Background(), "POST", route, bytes.NewReader(body))
+	require.NoError(t, err)
+	httpRequest.Header.Set("Content-Type", "application/json")
+	httpRequest.Header.Set(middlewares.HeaderCovenantHMAC, "invalidhmacvalue")
+
+	res, err = client.Do(httpRequest)
+	require.NoError(t, err)
+	defer res.Body.Close()
+	require.Equal(t, http.StatusUnauthorized, res.StatusCode, "Request with invalid HMAC should fail with 401")
+
+	httpRequest, err = http.NewRequestWithContext(context.Background(), "POST", route, bytes.NewReader(body))
+	require.NoError(t, err)
+	httpRequest.Header.Set("Content-Type", "application/json")
+
+	res, err = client.Do(httpRequest)
+	require.NoError(t, err)
+	defer res.Body.Close()
+	require.Equal(t, http.StatusUnauthorized, res.StatusCode, "Request with missing HMAC should fail with 401")
+
+	pkRoute := fmt.Sprintf("%s/v1/public-key", tm.SigningServerUrl())
 
+	httpRequest, err = http.NewRequestWithContext(context.Background(), "GET", pkRoute, nil)
+	require.NoError(t, err)
+
+	res, err = client.Do(httpRequest)
+	require.NoError(t, err)
+	defer res.Body.Close()
+	require.Equal(t, http.StatusUnauthorized, res.StatusCode, "Public key request without HMAC should fail with 401")
+
+	emptyBody := []byte{}
+	hmacValue, err = middlewares.GenerateHMAC(testHMACKey, emptyBody)
+	require.NoError(t, err)
+
+	httpRequest, err = http.NewRequestWithContext(context.Background(), "GET", pkRoute, nil)
+	require.NoError(t, err)
+	httpRequest.Header.Set(middlewares.HeaderCovenantHMAC, hmacValue)
+
+	res, err = client.Do(httpRequest)
+	require.NoError(t, err)
+	defer res.Body.Close()
+	require.Equal(t, http.StatusOK, res.StatusCode, "Public key request with valid HMAC should succeed")
+
+	var respData map[string]interface{}
+	err = json.NewDecoder(res.Body).Decode(&respData)
+	require.NoError(t, err, "Should receive valid JSON response")
+
+	dataObj, exists := respData["data"]
+	require.True(t, exists, "Response should contain a 'data' object")
+
+	dataMap, ok := dataObj.(map[string]interface{})
+	require.True(t, ok, "Data should be an object")
+
+	_, exists = dataMap["public_key_hex"]
+	require.True(t, exists, "Response should contain a public key")
+}
+
+func TestHMACMismatchedKeys(t *testing.T) {
+	// Test scenario where client and server have different HMAC keys
+	serverKey := "server-hmac-key"
+	clientKey := "different-client-hmac-key"
+
+	tm := StartManager(t, 100, false, serverKey)
+
+	err := signerservice.Unlock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "", clientKey)
+	require.Error(t, err, "Unlock should fail with mismatched HMAC keys")
+	require.Contains(t, err.Error(), "401", "Error should be a 401 Unauthorized")
+
+	_, err = signerservice.GetPublicKey(context.Background(), tm.SigningServerUrl(), 10*time.Second, clientKey)
+	require.Error(t, err, "GetPublicKey should require HMAC")
+	require.Contains(t, err.Error(), "401", "Error should be a 401 Unauthorized")
+
+	err = signerservice.Unlock(context.Background(), tm.SigningServerUrl(), 10*time.Second, "", serverKey)
+	require.NoError(t, err, "Unlock should succeed with matching HMAC key")
+
+	route := fmt.Sprintf("%s/v1/public-key", tm.SigningServerUrl())
+	httpRequest, err := http.NewRequestWithContext(context.Background(), "GET", route, nil)
+	require.NoError(t, err)
+
+	hmacValue, err := middlewares.GenerateHMAC(serverKey, []byte{})
+	require.NoError(t, err)
+	httpRequest.Header.Set(middlewares.HeaderCovenantHMAC, hmacValue)
+
+	client := http.Client{Timeout: 10 * time.Second}
+	res, err := client.Do(httpRequest)
+	require.NoError(t, err)
+	defer res.Body.Close()
+	require.Equal(t, http.StatusOK, res.StatusCode, "Request with valid HMAC should succeed")
 }

covenant-signer/itest/testmanager.go

@@ -35,12 +35,14 @@ type TestManager struct {
 	signerConfig    *config.Config
 	app             *signerapp.SignerApp
 	server          *signerservice.SigningServer
+	hmacKey         string
 }
 
 func StartManager(
 	t *testing.T,
 	numMatureOutputsInWallet uint32,
 	useEncryptedFileKeyRing bool,
+	hmacKey string,
 ) *TestManager {
 	m, err := containers.NewManager()
 	require.NoError(t, err)
@@ -58,6 +60,11 @@ func StartManager(
 
 	appConfig := config.DefaultConfig()
 
+	// Configure HMAC key if provided
+	if hmacKey != "" {
+		appConfig.Server.HMACKey = hmacKey
+	}
+
 	var retriever *cosmos.CosmosKeyringRetriever
 
 	if useEncryptedFileKeyRing {
@@ -129,6 +136,7 @@ func StartManager(
 		signerConfig:    appConfig,
 		app:             app,
 		server:          server,
+		hmacKey:         hmacKey,
 	}
 }