feat(libp2phttp): More ergonomic auth

Auth is now more uniform across HTTP and stream transports.

Author: MarcoPolo

p2p/http/auth/auth_test.go

@@ -139,6 +139,7 @@ func TestMutualAuth(t *testing.T) {
 				req.Host = "example.com"
 				serverID, resp, err = clientAuth.AuthenticatedDo(client, req)
 				require.NotEmpty(t, req.Header.Get("Authorization"))
+				require.True(t, HasAuthHeader(req))
 				require.NoError(t, err)
 				require.Equal(t, expectedServerID, serverID)
 				require.NotZero(t, clientAuth.tm.tokenMap["example.com"])

p2p/http/auth/server.go

@@ -7,6 +7,7 @@ import (
 	"errors"
 	"hash"
 	"net/http"
+	"strings"
 	"sync"
 	"time"
 
@@ -35,6 +36,10 @@ type ServerPeerIDAuth struct {
 // scheme. If a Next handler is set, it will be called on authenticated
 // requests.
 func (a *ServerPeerIDAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	a.ServeHTTPWithNextHandler(w, r, a.Next)
+}
+
+func (a *ServerPeerIDAuth) ServeHTTPWithNextHandler(w http.ResponseWriter, r *http.Request, next func(peer.ID, http.ResponseWriter, *http.Request)) {
 	a.initHmac.Do(func() {
 		if a.Hmac == nil {
 			key := make([]byte, 32)
@@ -101,7 +106,7 @@ func (a *ServerPeerIDAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 				TokenTTL: a.TokenTTL,
 				Hmac:     a.Hmac,
 			}
-			hs.Run()
+			_ = hs.Run() // First run will never err
 			hs.SetHeader(w.Header())
 			w.WriteHeader(http.StatusUnauthorized)
 
@@ -120,9 +125,16 @@ func (a *ServerPeerIDAuth) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if a.Next == nil {
+	if next == nil {
 		w.WriteHeader(http.StatusOK)
 		return
 	}
-	a.Next(peer, w, r)
+	next(peer, w, r)
+}
+
+// HasAuthHeader checks if the HTTP request contains an Authorization header
+// that starts with the PeerIDAuthScheme prefix.
+func HasAuthHeader(r *http.Request) bool {
+	h := r.Header.Get("Authorization")
+	return h != "" && strings.HasPrefix(h, handshake.PeerIDAuthScheme)
 }

p2p/http/libp2phttp.go

@@ -25,6 +25,7 @@ import (
 	"github.com/libp2p/go-libp2p/core/peer"
 	"github.com/libp2p/go-libp2p/core/peerstore"
 	"github.com/libp2p/go-libp2p/core/protocol"
+	httpauth "github.com/libp2p/go-libp2p/p2p/http/auth"
 	gostream "github.com/libp2p/go-libp2p/p2p/net/gostream"
 	ma "github.com/multiformats/go-multiaddr"
 )
@@ -44,6 +45,23 @@ const LegacyWellKnownProtocols = "/.well-known/libp2p"
 const peerMetadataLimit = 8 << 10 // 8KB
 const peerMetadataLRUSize = 256   // How many different peer's metadata to keep in our LRU cache
 
+type clientPeerIDContextKey struct{}
+type serverPeerIDContextKey struct{}
+
+func ClientPeerID(r *http.Request) peer.ID {
+	if id, ok := r.Context().Value(clientPeerIDContextKey{}).(peer.ID); ok {
+		return id
+	}
+	return ""
+}
+
+func ServerPeerID(r *http.Response) peer.ID {
+	if id, ok := r.Request.Context().Value(serverPeerIDContextKey{}).(peer.ID); ok {
+		return id
+	}
+	return ""
+}
+
 // ProtocolMeta is metadata about a protocol.
 type ProtocolMeta struct {
 	// Path defines the HTTP Path prefix used for this protocol
@@ -134,6 +152,12 @@ type Host struct {
 	// InsecureAllowHTTP indicates if the server is allowed to serve unencrypted
 	// HTTP requests over TCP.
 	InsecureAllowHTTP bool
+
+	// ServerPeerIDAuth TODO add comment
+	ServerPeerIDAuth *httpauth.ServerPeerIDAuth
+	// ClientPeerIDAuth TODO add comment
+	ClientPeerIDAuth *httpauth.ClientPeerIDAuth
+
 	// ServeMux is the http.ServeMux used by the server to serve requests. If
 	// nil, a new serve mux will be created. Users may manually add handlers to
 	// this mux instead of using `SetHTTPHandler`, but if they do, they should
@@ -264,15 +288,18 @@ func (h *Host) setupListeners(listenerErrCh chan error) error {
 		if parsedAddr.useHTTPS {
 			go func() {
 				srv := http.Server{
-					Handler:   h.ServeMux,
+					Handler:   maybeDecorateContextWithAuthMiddleware(h.ServerPeerIDAuth, h.ServeMux),
 					TLSConfig: h.TLSConfig,
 				}
 				listenerErrCh <- srv.ServeTLS(l, "", "")
 			}()
 			h.httpTransport.listenAddrs = append(h.httpTransport.listenAddrs, listenAddr)
 		} else if h.InsecureAllowHTTP {
 			go func() {
-				listenerErrCh <- http.Serve(l, h.ServeMux)
+				srv := http.Server{
+					Handler: maybeDecorateContextWithAuthMiddleware(h.ServerPeerIDAuth, h.ServeMux),
+				}
+				listenerErrCh <- srv.Serve(l)
 			}()
 			h.httpTransport.listenAddrs = append(h.httpTransport.listenAddrs, listenAddr)
 		} else {
@@ -332,7 +359,20 @@ func (h *Host) Serve() error {
 		h.httpTransport.listenAddrs = append(h.httpTransport.listenAddrs, h.StreamHost.Addrs()...)
 
 		go func() {
-			errCh <- http.Serve(listener, connectionCloseHeaderMiddleware(h.ServeMux))
+			srv := &http.Server{
+				Handler: connectionCloseHeaderMiddleware(h.ServeMux),
+				ConnContext: func(ctx context.Context, c net.Conn) context.Context {
+					remote := c.RemoteAddr()
+					if remote.Network() == gostream.Network {
+						remoteID, err := peer.Decode(remote.String())
+						if err == nil {
+							return context.WithValue(ctx, clientPeerIDContextKey{}, remoteID)
+						}
+					}
+					return ctx
+				},
+			}
+			errCh <- srv.Serve(listener)
 		}()
 	}
 
@@ -497,6 +537,8 @@ func (rt *streamRoundTripper) RoundTrip(r *http.Request) (*http.Response, error)
 		}
 	}
 
+	ctxWithServerID := context.WithValue(r.Context(), serverPeerIDContextKey{}, rt.server)
+	resp.Request = resp.Request.WithContext(ctxWithServerID)
 	return resp, nil
 }
 
@@ -529,10 +571,16 @@ func relativeMultiaddrURIToAbs(original *url.URL, relative *url.URL) (*url.URL,
 		return nil, errors.New("relative path is not a valid http-path")
 	}
 
-	withoutPath, _ := ma.SplitFunc(originalMa, func(c ma.Component) bool {
+	withoutPath, afterAndIncludingPath := ma.SplitFunc(originalMa, func(c ma.Component) bool {
 		return c.Protocol().Code == ma.P_HTTP_PATH
 	})
 	withNewPath := withoutPath.Encapsulate(relativePathComponent)
+	_, afterPath := ma.SplitFirst(afterAndIncludingPath)
+
+	// Include after path since it may include other relevant parts (/p2p?)
+	if afterPath != nil {
+		withNewPath = withNewPath.Encapsulate(afterPath)
+	}
 	return url.Parse("multiaddr:" + withNewPath.String())
 }
 
@@ -743,6 +791,35 @@ func (h *Host) RoundTrip(r *http.Request) (*http.Response, error) {
 			rt.TLSClientConfig.ServerName = parsed.sni
 		}
 
+		if parsed.peer != "" {
+			// The peer ID is present. We are making an authenticated request
+			if h.ClientPeerIDAuth == nil {
+				return nil, fmt.Errorf("can not authenticate server. Host.ClientPeerIDAuth field is not set")
+			}
+
+			if r.Host == "" {
+				// Missing a host header. Default to what we parsed earlier
+				r.Host = u.Host
+			}
+
+			// thin client as ClientPeerIDAuth expects an *http.Client
+			c := http.Client{Transport: rt}
+			serverID, resp, err := h.ClientPeerIDAuth.AuthenticatedDo(&c, r)
+			if err != nil {
+				return nil, err
+			}
+
+			if serverID != parsed.peer {
+				resp.Body.Close()
+				return nil, fmt.Errorf("authenticated server ID does not match expected server ID")
+			}
+
+			ctxWithServerID := context.WithValue(r.Context(), serverPeerIDContextKey{}, serverID)
+			resp.Request = resp.Request.WithContext(ctxWithServerID)
+
+			return resp, nil
+		}
+
 		return rt.RoundTrip(r)
 	}
 
@@ -1086,3 +1163,19 @@ func connectionCloseHeaderMiddleware(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+// maybeDecorateContextWithAuth decorates the request context with
+// authentication information if serverAuth is provided.
+func maybeDecorateContextWithAuthMiddleware(serverAuth *httpauth.ServerPeerIDAuth, next http.Handler) http.Handler {
+	if serverAuth == nil {
+		return next
+	}
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if httpauth.HasAuthHeader(r) {
+			serverAuth.ServeHTTPWithNextHandler(w, r, func(p peer.ID, w http.ResponseWriter, r *http.Request) {
+				r = r.WithContext(context.WithValue(r.Context(), clientPeerIDContextKey{}, p))
+				next.ServeHTTP(w, r)
+			})
+		}
+	})
+}

p2p/http/libp2phttp_test.go

@@ -24,9 +24,11 @@ import (
 	"time"
 
 	"github.com/libp2p/go-libp2p"
+	"github.com/libp2p/go-libp2p/core/crypto"
 	host "github.com/libp2p/go-libp2p/core/host"
 	"github.com/libp2p/go-libp2p/core/peer"
 	libp2phttp "github.com/libp2p/go-libp2p/p2p/http"
+	httpauth "github.com/libp2p/go-libp2p/p2p/http/auth"
 	httpping "github.com/libp2p/go-libp2p/p2p/http/ping"
 	libp2pquic "github.com/libp2p/go-libp2p/p2p/transport/quic"
 	ma "github.com/multiformats/go-multiaddr"
@@ -1014,3 +1016,117 @@ func TestErrServerClosed(t *testing.T) {
 	server.Close()
 	<-done
 }
+
+func TestHTTPOverStreamsGetClientID(t *testing.T) {
+	serverHost, err := libp2p.New(
+		libp2p.ListenAddrStrings("/ip4/127.0.0.1/udp/0/quic-v1"),
+	)
+	require.NoError(t, err)
+
+	httpHost := libp2phttp.Host{StreamHost: serverHost}
+
+	httpHost.SetHTTPHandler("/echo-id", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		clientID := libp2phttp.ClientPeerID(r)
+		w.Write([]byte(clientID.String()))
+	}))
+
+	// Start server
+	go httpHost.Serve()
+	defer httpHost.Close()
+
+	// Start client
+	clientHost, err := libp2p.New(libp2p.NoListenAddrs)
+	require.NoError(t, err)
+	clientHost.Connect(context.Background(), peer.AddrInfo{
+		ID:    serverHost.ID(),
+		Addrs: serverHost.Addrs(),
+	})
+
+	client := http.Client{
+		Transport: &libp2phttp.Host{StreamHost: clientHost},
+	}
+	require.NoError(t, err)
+
+	resp, err := client.Get("multiaddr:" + serverHost.Addrs()[0].String() + "/p2p/" + serverHost.ID().String() + "/http-path/echo-id")
+	require.NoError(t, err)
+	defer resp.Body.Close()
+
+	body, err := io.ReadAll(resp.Body)
+	require.NoError(t, err)
+
+	require.Equal(t, clientHost.ID().String(), string(body))
+}
+
+func TestAuthenticatedRequest(t *testing.T) {
+	serverSK, _, err := crypto.GenerateEd25519Key(rand.Reader)
+	require.NoError(t, err)
+	serverID, err := peer.IDFromPrivateKey(serverSK)
+	require.NoError(t, err)
+
+	serverStreamHost, err := libp2p.New(
+		libp2p.Identity(serverSK),
+		libp2p.ListenAddrStrings("/ip4/127.0.0.1/udp/0/quic-v1"),
+		libp2p.Transport(libp2pquic.NewTransport),
+	)
+	require.NoError(t, err)
+
+	server := libp2phttp.Host{
+		InsecureAllowHTTP: true,
+		StreamHost:        serverStreamHost,
+		ListenAddrs:       []ma.Multiaddr{ma.StringCast("/ip4/127.0.0.1/tcp/0/http")},
+		ServerPeerIDAuth: &httpauth.ServerPeerIDAuth{
+			TokenTTL: time.Hour,
+			PrivKey:  serverSK,
+			NoTLS:    true,
+			ValidHostnameFn: func(hostname string) bool {
+				return strings.HasPrefix(hostname, "127.0.0.1")
+			},
+		},
+	}
+	server.SetHTTPHandler("/echo-id", http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		clientID := libp2phttp.ClientPeerID(r)
+		w.Write([]byte(clientID.String()))
+	}))
+
+	go server.Serve()
+
+	clientSK, _, err := crypto.GenerateEd25519Key(rand.Reader)
+	require.NoError(t, err)
+
+	clientStreamHost, err := libp2p.New(
+		libp2p.Identity(clientSK),
+		libp2p.NoListenAddrs,
+		libp2p.Transport(libp2pquic.NewTransport))
+	require.NoError(t, err)
+
+	client := &http.Client{
+		Transport: &libp2phttp.Host{
+			StreamHost: clientStreamHost,
+			ClientPeerIDAuth: &httpauth.ClientPeerIDAuth{
+				TokenTTL: time.Hour,
+				PrivKey:  clientSK,
+			},
+		},
+	}
+
+	clientID, err := peer.IDFromPrivateKey(clientSK)
+	require.NoError(t, err)
+
+	for _, serverAddr := range server.Addrs() {
+		_, tpt := ma.SplitLast(serverAddr)
+		t.Run(tpt.String(), func(t *testing.T) {
+			url := fmt.Sprintf("multiaddr:%s/p2p/%s/http-path/echo-id", serverAddr, serverID)
+			t.Log("Making a GET request to:", url)
+			resp, err := client.Get(url)
+			require.NoError(t, err)
+
+			observedServerID := libp2phttp.ServerPeerID(resp)
+			require.Equal(t, serverID, observedServerID)
+
+			body, err := io.ReadAll(resp.Body)
+			require.NoError(t, err)
+
+			require.Equal(t, clientID.String(), string(body))
+		})
+	}
+}