From 501e5f32ffc92b6f4281bc107a7655e2c313304f Mon Sep 17 00:00:00 2001
From: Jose David Lutzardo Barroso
Date: Tue, 28 Nov 2023 18:48:47 +0100
Subject: [PATCH 1/8] Add error messages on authentication failures with username and password
Signed-off-by: David Lutzardo
---
 .../authentication/DefaultAuthenticationService.java | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java b/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java
index 96a1a2d023f..bd4a8656463 100644
--- a/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java
+++ b/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java
@@ -171,12 +171,14 @@ private void login(
 final RoutingContext routingContext, final AuthenticationProvider credentialAuthProvider) {
 final JsonObject requestBody = routingContext.body().asJsonObject();
- if (requestBody == null) {
+ if (requestBody == null
+ || requestBody.getValue(USERNAME) == null
+ || requestBody.getValue("password") == null) {
 routingContext
 .response()
 .setStatusCode(HttpResponseStatus.BAD_REQUEST.code())
 .setStatusMessage(HttpResponseStatus.BAD_REQUEST.reasonPhrase())
- .end();
+ .end("Authentication failed: username and password are required.");
 return;
 }
@@ -194,7 +196,7 @@ private void login(
 .response()
 .setStatusCode(HttpResponseStatus.UNAUTHORIZED.code())
 .setStatusMessage(HttpResponseStatus.UNAUTHORIZED.reasonPhrase())
- .end();
+ .end("Authentication failed: the username or password is incorrect.");
 } else {
 final User user = r.result();
From 242f219352a6756a6645762c4207528e6f6ae56a Mon Sep 17 00:00:00 2001
From: David Lutzardo
Date: Mon, 4 Dec 2023 12:24:26 +0100
Subject: [PATCH 2/8] Add a constant for the 'password' 
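Review bot: The widened `if` only rejects absent keys, so a body such as `{"username":"","password":""}` (or one carrying non-string values) passes the new guard and is handed to the provider, and the "required" message is never returned for empty credentials. A stricter check that leaves the rest of the flow intact is `!(requestBody.getValue(USERNAME) instanceof String) || requestBody.getString(USERNAME).isBlank()`, repeated for `"password"`. The new `.end(String)` calls also send a text body with no Content-Type header; since the rest of the endpoint speaks JSON, consider `.putHeader("Content-Type", "text/plain; charset=utf-8")` before `.end(...)`, which applies to the 401 hunk of this commit as well. `login` begins at the hunk's function-context line and its body continues past the hunk.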
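Review bot: The 401 branch now tells the client the credentials were wrong, but nothing is recorded on the server side; the failure held by `r` (the condition that selects this branch is above the hunk) is discarded, so repeated failed logins leave no trace in the node log for operators to notice. If the class has a logger (`LOG` below stands for whatever it declares), a debug-level line placed before the `routingContext` chain such as `LOG.debug("Login rejected: {}", r.cause() == null ? "invalid credentials" : r.cause().getMessage());` keeps the client message generic while giving operators a signal; log the cause only, never the submitted credentials. The `else` branch continues outside the hunk.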
Signed-off-by: David Lutzardo
---
 .../jsonrpc/authentication/DefaultAuthenticationService.java | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java b/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java
index bd4a8656463..89f747d1710 100644
--- a/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java
+++ b/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/DefaultAuthenticationService.java
@@ -46,6 +46,7 @@ public class DefaultAuthenticationService implements AuthenticationService {
 public static final String USERNAME = "username";
+ public static final String PASSWORD = "password";
 private final JWTAuth jwtAuthProvider;
 @VisibleForTesting public final JWTAuthOptions jwtAuthOptions;
 private final Optional credentialAuthProvider;
@@ -173,7 +174,7 @@ private void login(
 if (requestBody == null
 || requestBody.getValue(USERNAME) == null
- || requestBody.getValue("password") == null) {
+ || requestBody.getValue(PASSWORD) == null) {
 routingContext
 .response()
 .setStatusCode(HttpResponseStatus.BAD_REQUEST.code())
@@ -185,7 +186,7 @@ private void login(
 // Check user
 final JsonObject authParams = new JsonObject();
 authParams.put(USERNAME, requestBody.getValue(USERNAME));
- authParams.put("password", requestBody.getValue("password"));
+ authParams.put(PASSWORD, requestBody.getValue(PASSWORD));
 final Credentials credentials = new UsernamePasswordCredentials(authParams);
 credentialAuthProvider.authenticate(
From c9ffc961143d389527312139cf06fd24c6fa5a6e Mon Sep 17 00:00:00 2001
From: David Lutzardo
Date: Mon, 4 Dec 2023 12:24:54 +0100
Subject: [PATCH 3/8] Add test to check empty login and check response in body is not empty 
Signed-off-by: David Lutzardo
---
 .../jsonrpc/JsonRpcHttpServiceLoginTest.java | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
diff --git a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
index a00e7ed7cb8..37e6a3b5c0d 100644
--- a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
+++ b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
@@ -203,6 +203,20 @@ public static void shutdownServer() {
 service.stop().join();
 }
+ @Test
+ public void loginWithEmptyCredentials() throws IOException {
+ final RequestBody body =
+ RequestBody.create("{}", JSON);
+ final Request request = new Request.Builder().post(body).url(baseUrl + "/login").build();
+ try (final Response resp = client.newCall(request).execute()) {
+ assertThat(resp.code()).isEqualTo(400);
+ assertThat(resp.message()).isEqualTo("Bad Request");
+ final String bodyString = resp.body().string();
+ assertThat(bodyString).isNotNull();
+ assertThat(bodyString).isNotBlank();
+ }
+ }
+
 @Test
 public void loginWithBadCredentials() throws IOException {
 final RequestBody body =
@@ -211,6 +225,9 @@ public void loginWithBadCredentials() throws IOException {
 try (final Response resp = client.newCall(request).execute()) {
 assertThat(resp.code()).isEqualTo(401);
 assertThat(resp.message()).isEqualTo("Unauthorized");
+ final String bodyString = resp.body().string();
+ assertThat(bodyString).isNotNull();
+ assertThat(bodyString).isNotBlank();
 }
 }
From b7a8d172d0608bcd1100a46f937c5e20ee270eda Mon Sep 17 00:00:00 2001
From: David Lutzardo
Date: Mon, 4 Dec 2023 13:00:42 +0100
Subject: [PATCH 4/8] Correct format (spotless) 
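Review bot: `loginWithEmptyCredentials` only exercises the `{}` case, so the two other branches of the guard it targets — a body with the username but no password, and one with the password but no username — and a missing or non-JSON body are not covered by the new test. Two further cases built the same way, `RequestBody.create("{\"username\":\"u\"}", JSON)` and its password-only counterpart, asserting the same 400 status would pin the whole condition; `u` here is an arbitrary value, not a fixture from the test class. `isNotNull`/`isNotBlank` on the body string accept any text at all, so a check against the actual message would be tighter. The enclosing test class starts and ends outside the hunk.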
Signed-off-by: David Lutzardo
---
 .../besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
index 37e6a3b5c0d..7eaf6edd425 100644
--- a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
+++ b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
@@ -205,8 +205,7 @@ public static void shutdownServer() {
 @Test
 public void loginWithEmptyCredentials() throws IOException {
- final RequestBody body =
- RequestBody.create("{}", JSON);
+ final RequestBody body = RequestBody.create("{}", JSON);
 final Request request = new Request.Builder().post(body).url(baseUrl + "/login").build();
 try (final Response resp = client.newCall(request).execute()) {
 assertThat(resp.code()).isEqualTo(400);
From 0f979337232787ab50dff9ae72c805a35c221d3d Mon Sep 17 00:00:00 2001
From: David Lutzardo
Date: Mon, 4 Dec 2023 13:48:52 +0100
Subject: [PATCH 5/8] Update ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
Co-authored-by: Fabio Di Fabio
Signed-off-by: David Lutzardo
---
 .../besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
index 7eaf6edd425..963f9e50056 100644
--- a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
+++ b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java 
@@ -211,8 +211,7 @@ public void loginWithEmptyCredentials() throws IOException {
 assertThat(resp.code()).isEqualTo(400);
 assertThat(resp.message()).isEqualTo("Bad Request");
 final String bodyString = resp.body().string();
- assertThat(bodyString).isNotNull();
- assertThat(bodyString).isNotBlank();
+assertThat(bodyString).contains("username and password are required");
 }
 }
From 4a882d31d57f9a01a4195dcb70a583c24bdd9337 Mon Sep 17 00:00:00 2001
From: David Lutzardo
Date: Mon, 4 Dec 2023 13:49:54 +0100
Subject: [PATCH 6/8] Update ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
Co-authored-by: Fabio Di Fabio
Signed-off-by: David Lutzardo
---
 .../besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
index 963f9e50056..bb4afb7c999 100644
--- a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
+++ b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
@@ -224,8 +224,7 @@ public void loginWithBadCredentials() throws IOException {
 assertThat(resp.code()).isEqualTo(401);
 assertThat(resp.message()).isEqualTo("Unauthorized");
 final String bodyString = resp.body().string();
- assertThat(bodyString).isNotNull();
- assertThat(bodyString).isNotBlank();
+ assertThat(bodyString).contains("the username or password is incorrect");
 }
 }
From 24106ed41b4b849de40878ec5e055e93b9479aaf Mon Sep 17 00:00:00 2001
From: David Lutzardo
Date: Mon, 4 Dec 2023 14:06:33 +0100
Subject: [PATCH 7/8] Update JsonRpcHttpServiceLoginTest.java use containsIgnoringCase 
Signed-off-by: David Lutzardo
---
 .../ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
index bb4afb7c999..8d087bbd4e9 100644
--- a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
+++ b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
@@ -211,7 +211,7 @@ public void loginWithEmptyCredentials() throws IOException {
 assertThat(resp.code()).isEqualTo(400);
 assertThat(resp.message()).isEqualTo("Bad Request");
 final String bodyString = resp.body().string();
-assertThat(bodyString).contains("username and password are required");
+ assertThat(bodyString).containsIgnoringCase("username and password are required");
 }
 }
@@ -224,7 +224,7 @@ public void loginWithBadCredentials() throws IOException {
 assertThat(resp.code()).isEqualTo(401);
 assertThat(resp.message()).isEqualTo("Unauthorized");
 final String bodyString = resp.body().string();
- assertThat(bodyString).contains("the username or password is incorrect");
+ assertThat(bodyString).containsIgnoringCase("the username or password is incorrect");
 }
 }
From c36606851d627953dea3c926d7b36ae70e075d67 Mon Sep 17 00:00:00 2001
From: David Lutzardo
Date: Mon, 4 Dec 2023 14:46:34 +0100
Subject: [PATCH 8/8] Add a CHANGELOG entry for PR 6212
Signed-off-by: David Lutzardo
---
 CHANGELOG.md | 1 +
 1 file changed, 1 insertion(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index eaa028a84a0..f0a00eda376 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md 
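Review bot: Switching both assertions to `containsIgnoringCase` loosens the tests for no stated reason; the service emits a fixed literal, so a casing change in the response would now go unnoticed, and the same applies to the second hunk for `loginWithBadCredentials`. The stronger arrangement is to keep `contains` and stop duplicating the text: declare the two messages as `public static final String` constants next to `USERNAME` and `PASSWORD` in `DefaultAuthenticationService` and reference them from the test, so the assertion and the response cannot drift apart. Both test methods start before their hunks.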
@@ -15,6 +15,7 @@
 - Add `rpc-gas-cap` to allow users to set gas limit to the RPC methods used to simulate transactions[#6156](https://github.com/hyperledger/besu/pull/6156)
 - Fix the unavailability of `address` field when returning an `Account` entity on GraphQL in case of unreachable world state [#6198](https://github.com/hyperledger/besu/pull/6198)
 - Update OpenJ9 Docker image to latest version [#6226](https://github.com/hyperledger/besu/pull/6226)
+- Add error messages on authentication failures with username and password [#6212](https://github.com/hyperledger/besu/pull/6212)
 ### Bug fixes
 - Fix Docker image name clash between Besu and evmtool [#6194](https://github.com/hyperledger/besu/pull/6194)