CBST2-06: Implement rate limiting for JWT auth failures (#310)

Co-authored-by: eltitanb <[email protected]>
Co-authored-by: ltitanb <[email protected]>

Author: jclapis

Cargo.lock

@@ -36,6 +36,7 @@ color-eyre = "0.6.3"
 ctr = "0.9.2"
 derive_more = { version = "2.0.1", features = ["deref", "display", "from", "into"] }
 docker-compose-types = "0.16.0"
+docker-image = "0.2.1"
 eth2_keystore = { git = "https://github.com/sigp/lighthouse", tag = "v7.0.1" }
 ethereum_serde_utils = "0.7.0"
 ethereum_ssz = "0.8"
@@ -58,6 +59,7 @@ serde_json = "1.0.117"
 serde_yaml = "0.9.33"
 sha2 = "0.10.8"
 ssz_types = "0.10"
+tempfile = "3.20.0"
 thiserror = "2.0.12"
 tokio = { version = "1.37.0", features = ["full"] }
 toml = "0.8.13"

Cargo.toml

@@ -154,6 +154,12 @@ host = "127.0.0.1"
 # Port to listen for Signer API calls on
 # OPTIONAL, DEFAULT: 20000
 port = 20000
+# Number of JWT authentication attempts a client can fail before blocking that client temporarily from Signer access
+# OPTIONAL, DEFAULT: 3
+jwt_auth_fail_limit = 3
+# How long to block a client from Signer access, in seconds, if it failed JWT authentication too many times
+# OPTIONAL, DEFAULT: 300
+jwt_auth_fail_timeout_seconds = 300
 
 # For Remote signer:
 # [signer.remote]

config.example.toml

@@ -16,6 +16,7 @@ blst.workspace = true
 cipher.workspace = true
 ctr.workspace = true
 derive_more.workspace = true
+docker-image.workspace = true
 eth2_keystore.workspace = true
 ethereum_serde_utils.workspace = true
 ethereum_ssz.workspace = true

crates/common/Cargo.toml

@@ -35,6 +35,11 @@ pub const SIGNER_MODULE_NAME: &str = "signer";
 /// Where the signer module should open the server
 pub const SIGNER_ENDPOINT_ENV: &str = "CB_SIGNER_ENDPOINT";
 
+// JWT authentication settings
+pub const SIGNER_JWT_AUTH_FAIL_LIMIT_ENV: &str = "CB_SIGNER_JWT_AUTH_FAIL_LIMIT";
+pub const SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS_ENV: &str =
+    "CB_SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS";
+
 /// Comma separated list module_id=jwt_secret
 pub const JWTS_ENV: &str = "CB_JWTS";
 

crates/common/src/config/constants.rs

@@ -41,6 +41,9 @@ impl CommitBoostConfig {
     /// Validate config
     pub async fn validate(&self) -> Result<()> {
         self.pbs.pbs_config.validate(self.chain).await?;
+        if let Some(signer) = &self.signer {
+            signer.validate().await?;
+        }
         Ok(())
     }
 

crates/common/src/config/mod.rs

@@ -4,20 +4,25 @@ use std::{
     path::PathBuf,
 };
 
-use eyre::{bail, OptionExt, Result};
+use docker_image::DockerImage;
+use eyre::{bail, ensure, OptionExt, Result};
 use serde::{Deserialize, Serialize};
 use tonic::transport::{Certificate, Identity};
 use url::Url;
 
 use super::{
     load_jwt_secrets, load_optional_env_var, utils::load_env_var, CommitBoostConfig,
-    SIGNER_ENDPOINT_ENV, SIGNER_IMAGE_DEFAULT,
+    SIGNER_ENDPOINT_ENV, SIGNER_IMAGE_DEFAULT, SIGNER_JWT_AUTH_FAIL_LIMIT_ENV,
+    SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS_ENV,
 };
 use crate::{
     config::{DIRK_CA_CERT_ENV, DIRK_CERT_ENV, DIRK_DIR_SECRETS_ENV, DIRK_KEY_ENV},
-    signer::{ProxyStore, SignerLoader, DEFAULT_SIGNER_PORT},
+    signer::{
+        ProxyStore, SignerLoader, DEFAULT_JWT_AUTH_FAIL_LIMIT,
+        DEFAULT_JWT_AUTH_FAIL_TIMEOUT_SECONDS, DEFAULT_SIGNER_PORT,
+    },
     types::{Chain, ModuleId},
-    utils::{default_host, default_u16},
+    utils::{default_host, default_u16, default_u32},
 };
 
 #[derive(Debug, Serialize, Deserialize, Clone)]
@@ -32,11 +37,39 @@ pub struct SignerConfig {
     /// Docker image of the module
     #[serde(default = "default_signer")]
     pub docker_image: String,
+
+    /// Number of JWT auth failures before rate limiting an endpoint
+    /// If set to 0, no rate limiting will be applied
+    #[serde(default = "default_u32::<DEFAULT_JWT_AUTH_FAIL_LIMIT>")]
+    pub jwt_auth_fail_limit: u32,
+
+    /// Duration in seconds to rate limit an endpoint after the JWT auth failure
+    /// limit has been reached
+    #[serde(default = "default_u32::<DEFAULT_JWT_AUTH_FAIL_TIMEOUT_SECONDS>")]
+    pub jwt_auth_fail_timeout_seconds: u32,
+
     /// Inner type-specific configuration
     #[serde(flatten)]
     pub inner: SignerType,
 }
 
+impl SignerConfig {
+    /// Validate the signer config
+    pub async fn validate(&self) -> Result<()> {
+        // Port must be positive
+        ensure!(self.port > 0, "Port must be positive");
+
+        // The Docker tag must parse
+        ensure!(!self.docker_image.is_empty(), "Docker image is empty");
+        ensure!(
+            DockerImage::parse(&self.docker_image).is_ok(),
+            format!("Invalid Docker image: {}", self.docker_image)
+        );
+
+        Ok(())
+    }
+}
+
 fn default_signer() -> String {
     SIGNER_IMAGE_DEFAULT.to_string()
 }
@@ -100,6 +133,8 @@ pub struct StartSignerConfig {
     pub store: Option<ProxyStore>,
     pub endpoint: SocketAddr,
     pub jwts: HashMap<ModuleId, String>,
+    pub jwt_auth_fail_limit: u32,
+    pub jwt_auth_fail_timeout_seconds: u32,
     pub dirk: Option<DirkConfig>,
 }
 
@@ -119,12 +154,31 @@ impl StartSignerConfig {
             SocketAddr::from((signer_config.host, signer_config.port))
         };
 
+        // Load the JWT auth fail limit the same way
+        let jwt_auth_fail_limit =
+            if let Some(limit) = load_optional_env_var(SIGNER_JWT_AUTH_FAIL_LIMIT_ENV) {
+                limit.parse()?
+            } else {
+                signer_config.jwt_auth_fail_limit
+            };
+
+        // Load the JWT auth fail timeout the same way
+        let jwt_auth_fail_timeout_seconds = if let Some(timeout) =
+            load_optional_env_var(SIGNER_JWT_AUTH_FAIL_TIMEOUT_SECONDS_ENV)
+        {
+            timeout.parse()?
+        } else {
+            signer_config.jwt_auth_fail_timeout_seconds
+        };
+
         match signer_config.inner {
             SignerType::Local { loader, store, .. } => Ok(StartSignerConfig {
                 chain: config.chain,
                 loader: Some(loader),
                 endpoint,
                 jwts,
+                jwt_auth_fail_limit,
+                jwt_auth_fail_timeout_seconds,
                 store,
                 dirk: None,
             }),
@@ -153,6 +207,8 @@ impl StartSignerConfig {
                     chain: config.chain,
                     endpoint,
                     jwts,
+                    jwt_auth_fail_limit,
+                    jwt_auth_fail_timeout_seconds,
                     loader: None,
                     store,
                     dirk: Some(DirkConfig {

crates/common/src/config/signer.rs

@@ -1 +1,6 @@
 pub const DEFAULT_SIGNER_PORT: u16 = 20000;
+
+// Rate limit signer API requests for 5 minutes after the endpoint has 3 JWT
+// auth failures
+pub const DEFAULT_JWT_AUTH_FAIL_LIMIT: u32 = 3;
+pub const DEFAULT_JWT_AUTH_FAIL_TIMEOUT_SECONDS: u32 = 5 * 60;

crates/common/src/signer/constants.rs

@@ -18,6 +18,7 @@ futures.workspace = true
 headers.workspace = true
 jsonwebtoken.workspace = true
 lazy_static.workspace = true
+parking_lot.workspace = true
 prometheus.workspace = true
 prost.workspace = true
 rand.workspace = true

crates/signer/Cargo.toml

@@ -27,6 +27,9 @@ pub enum SignerModuleError {
 
     #[error("internal error: {0}")]
     Internal(String),
+
+    #[error("rate limited for {0} more seconds")]
+    RateLimited(f64),
 }
 
 impl IntoResponse for SignerModuleError {
@@ -45,6 +48,9 @@ impl IntoResponse for SignerModuleError {
                 (StatusCode::INTERNAL_SERVER_ERROR, "internal error".to_string())
             }
             SignerModuleError::SignerError(err) => (StatusCode::BAD_REQUEST, err.to_string()),
+            SignerModuleError::RateLimited(duration) => {
+                (StatusCode::TOO_MANY_REQUESTS, format!("rate limited for {duration:?}"))
+            }
         }
         .into_response()
     }