Allow use of privacy public key in the credentials file (#196)

Signed-off-by: Jason Frame <jasonwframe@gmail.com>
5 years ago · c1ddab52fb
parent a449e81b2d
commit c1ddab52fb
20 changed files with 319 additions and 91 deletions
--- a/besu/src/main/java/org/hyperledger/besu/cli/custom/RpcAuthFileValidator.java
+++ b/besu/src/main/java/org/hyperledger/besu/cli/custom/RpcAuthFileValidator.java
@ -14,6 +14,8 @@
 */
 package org.hyperledger.besu.cli.custom;

+import static org.hyperledger.besu.ethereum.api.jsonrpc.authentication.TomlAuth.PRIVACY_PUBLIC_KEY;
+
 import org.hyperledger.besu.ethereum.permissioning.TomlConfigFileParser;

 import java.io.File;
@ -97,7 +99,19 @@ public class RpcAuthFileValidator {
        .dottedKeySet()
        .parallelStream()
        .filter(keySet -> !keySet.contains("password"))
-        .allMatch(dottedKey -> verifyArray(dottedKey, tomlParseResult));
+        .allMatch(dottedKey -> verifyEntry(dottedKey, tomlParseResult));
+  }
+
+  private static boolean verifyEntry(final String key, final TomlParseResult tomlParseResult) {
+    if (key.endsWith(PRIVACY_PUBLIC_KEY)) {
+      return verifyString(key, tomlParseResult);
+    } else {
+      return verifyArray(key, tomlParseResult);
+    }
+  }
+
+  private static boolean verifyString(final String key, final TomlParseResult tomlParseResult) {
+    return tomlParseResult.isString(key) && !tomlParseResult.getString(key, () -> "").isEmpty();
  }

  private static boolean verifyArray(final String key, final TomlParseResult tomlParseResult) {
--- a/besu/src/test/java/org/hyperledger/besu/cli/custom/RpcAuthFileValidatorTest.java
+++ b/besu/src/test/java/org/hyperledger/besu/cli/custom/RpcAuthFileValidatorTest.java
@ -27,11 +27,16 @@ import picocli.CommandLine.ParameterException;
@RunWith(MockitoJUnitRunner.StrictStubs.class)
 public class RpcAuthFileValidatorTest {

-  private static final String CORRECT_TOML = "/auth_correct.toml";
-  private static final String DUPLICATE_USER_TOML = "/auth_duplicate_user.toml";
-  private static final String INVALID_TOML = "/auth_invalid.toml";
-  private static final String INVALID_VALUE_TOML = "/auth_invalid_value.toml";
-  private static final String NO_PASSWORD_TOML = "/auth_no_password.toml";
+  private static final String CORRECT_TOML = "/rpcauth/auth_correct.toml";
+  private static final String DUPLICATE_USER_TOML = "/rpcauth/auth_duplicate_user.toml";
+  private static final String INVALID_TOML = "/rpcauth/auth_invalid.toml";
+  private static final String INVALID_GROUPS_VALUE_TOML = "/rpcauth/auth_invalid_groups_value.toml";
+  private static final String INVALID_PERMISSIONS_VALUE_TOML =
+      "/rpcauth/auth_invalid_permissions_value.toml";
+  private static final String INVALID_PRIVACY_PUBLIC_KEY_VALUE_TOML =
+      "/rpcauth/auth_invalid_privacy_public_key_value.toml";
+  private static final String NO_PASSWORD_TOML = "/rpcauth/auth_no_password.toml";
+
  @Mock CommandLine commandLine;

  @Test
@ -67,10 +72,31 @@ public class RpcAuthFileValidatorTest {
  }

  @Test
-  public void shouldFailWhenInvalidKeyValue() {
+  public void shouldFailWhenInvalidGroupsKeyValue() {
+    assertThatThrownBy(
+            () ->
+                RpcAuthFileValidator.validate(
+                    commandLine, getFilePath(INVALID_GROUPS_VALUE_TOML), "HTTP"))
+        .isInstanceOf(ParameterException.class)
+        .hasMessage("RPC authentication configuration file contains invalid values.");
+  }
+
+  @Test
+  public void shouldFailWhenInvalidPermissionsKeyValue() {
    assertThatThrownBy(
            () ->
-                RpcAuthFileValidator.validate(commandLine, getFilePath(INVALID_VALUE_TOML), "HTTP"))
+                RpcAuthFileValidator.validate(
+                    commandLine, getFilePath(INVALID_PERMISSIONS_VALUE_TOML), "HTTP"))
+        .isInstanceOf(ParameterException.class)
+        .hasMessage("RPC authentication configuration file contains invalid values.");
+  }
+
+  @Test
+  public void shouldFailWhenInvalidEmptyPrivacyPublicKeyValue() {
+    assertThatThrownBy(
+            () ->
+                RpcAuthFileValidator.validate(
+                    commandLine, getFilePath(INVALID_PRIVACY_PUBLIC_KEY_VALUE_TOML), "HTTP"))
        .isInstanceOf(ParameterException.class)
        .hasMessage("RPC authentication configuration file contains invalid values.");
  }
--- a/besu/src/test/resources/rpcauth/auth_correct.toml
+++ b/besu/src/test/resources/rpcauth/auth_correct.toml
@ -3,6 +3,7 @@ password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
 groups = ["admin"]
 permissions = ["eth:*", "perm:*"]
 roles = ["net"]
+privacyPublicKey="A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo="

 [Users.userB]
 password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
--- a/besu/src/test/resources/rpcauth/auth_duplicate_user.toml
+++ b/besu/src/test/resources/rpcauth/auth_duplicate_user.toml
--- a/besu/src/test/resources/rpcauth/auth_invalid.toml
+++ b/besu/src/test/resources/rpcauth/auth_invalid.toml
--- a/besu/src/test/resources/rpcauth/auth_invalid_groups_value.toml
+++ b/besu/src/test/resources/rpcauth/auth_invalid_groups_value.toml
--- a/besu/src/test/resources/rpcauth/auth_invalid_permissions_value.toml
+++ b/besu/src/test/resources/rpcauth/auth_invalid_permissions_value.toml
@ -0,0 +1,21 @@
+[Users.userA]
+password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
+groups = ["admin"]
+# This line is invalid - should be an array
+permissions = "eth:*"
+roles = ["net"]
+
+[Users.userB]
+password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
+groups = ["admin"]
+permissions = ["eth:*", "perm:*"]
+roles = ["net"]
+
+[Groups.admins]
+roles = ["admin"]
+
+[Roles.admin]
+permissions = ["admin:*"]
+
+[Roles.net]
+permissions = ["net:*"]
--- a/besu/src/test/resources/rpcauth/auth_invalid_privacy_public_key_value.toml
+++ b/besu/src/test/resources/rpcauth/auth_invalid_privacy_public_key_value.toml
@ -0,0 +1,22 @@
+[Users.userA]
+password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
+groups = ["admin"]
+permissions = ["eth:*", "perm:*"]
+roles = ["net"]
+# This line is invalid - should be a non-empty value
+privacyPublicKey = ""
+
+[Users.userB]
+password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
+groups = ["admin"]
+permissions = ["eth:*", "perm:*"]
+roles = ["net"]
+
+[Groups.admins]
+roles = ["admin"]
+
+[Roles.admin]
+permissions = ["admin:*"]
+
+[Roles.net]
+permissions = ["net:*"]
--- a/besu/src/test/resources/rpcauth/auth_no_password.toml
+++ b/besu/src/test/resources/rpcauth/auth_no_password.toml
--- a/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/AuthenticationService.java
+++ b/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/AuthenticationService.java
@ -186,6 +186,11 @@ public class AuthenticationService {
                new JsonObject()
                    .put("permissions", user.principal().getValue("permissions"))
                    .put("username", user.principal().getValue("username"));
+            final String privacyPublicKey = user.principal().getString("privacyPublicKey");
+            if (privacyPublicKey != null) {
+              jwtContents.put("privacyPublicKey", privacyPublicKey);
+            }
+
            final String token = jwtAuthProvider.generateToken(jwtContents, options);

            final JsonObject responseBody = new JsonObject().put("token", token);
--- a/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/AuthenticationUtils.java
+++ b/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/AuthenticationUtils.java
@ -82,7 +82,7 @@ public class AuthenticationUtils {
                (r) -> {
                  if (r.succeeded()) {
                    final Optional<User> user = Optional.ofNullable(r.result());
-                    validateExpExists(user);
+                    validateExpiryExists(user);
                    handler.handle(user);
                  } else {
                    LOG.debug("Invalid JWT token", r.cause());
@ -95,7 +95,7 @@ public class AuthenticationUtils {
    }
  }

-  private static void validateExpExists(final Optional<User> user) {
+  private static void validateExpiryExists(final Optional<User> user) {
    if (!user.map(User::principal).map(p -> p.containsKey("exp")).orElse(false)) {
      throw new IllegalStateException("Invalid JWT doesn't have expiry");
    }
--- a/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/TomlAuth.java
+++ b/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/TomlAuth.java
@ -16,6 +16,7 @@ package org.hyperledger.besu.ethereum.api.jsonrpc.authentication;

 import java.io.IOException;
 import java.util.List;
+import java.util.Optional;
 import java.util.stream.Collectors;

 import io.vertx.core.AsyncResult;
@ -32,6 +33,7 @@ import org.springframework.security.crypto.bcrypt.BCrypt;

 public class TomlAuth implements AuthProvider {

+  public static final String PRIVACY_PUBLIC_KEY = "privacyPublicKey";
  private final Vertx vertx;
  private final TomlAuthOptions options;

@ -124,8 +126,11 @@ public class TomlAuth implements AuthProvider {
        userData.getArrayOrEmpty("roles").toList().stream()
            .map(Object::toString)
            .collect(Collectors.toList());
+    final Optional<String> privacyPublicKey =
+        Optional.ofNullable(userData.getString(PRIVACY_PUBLIC_KEY));

-    return new TomlUser(username, saltedAndHashedPassword, groups, permissions, roles);
+    return new TomlUser(
+        username, saltedAndHashedPassword, groups, permissions, roles, privacyPublicKey);
  }

  private void checkPasswordHash(
--- a/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/TomlUser.java
+++ b/ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/TomlUser.java
@ -15,6 +15,7 @@
 package org.hyperledger.besu.ethereum.api.jsonrpc.authentication;

 import java.util.List;
+import java.util.Optional;

 import io.vertx.core.AsyncResult;
 import io.vertx.core.Handler;
@ -29,28 +30,34 @@ public class TomlUser extends AbstractUser {
  private final List<String> groups;
  private final List<String> permissions;
  private final List<String> roles;
+  private Optional<String> privacyPublicKey;

  TomlUser(
      final String username,
      final String password,
      final List<String> groups,
      final List<String> permissions,
-      final List<String> roles) {
+      final List<String> roles,
+      final Optional<String> privacyPublicKey) {
    this.username = username;
    this.password = password;
    this.groups = groups;
    this.permissions = permissions;
    this.roles = roles;
+    this.privacyPublicKey = privacyPublicKey;
  }

  @Override
  public JsonObject principal() {
-    return new JsonObject()
-        .put("username", username)
-        .put("password", password)
-        .put("groups", groups)
-        .put("permissions", permissions)
-        .put("roles", roles);
+    final JsonObject principle =
+        new JsonObject()
+            .put("username", username)
+            .put("password", password)
+            .put("groups", groups)
+            .put("permissions", permissions)
+            .put("roles", roles);
+    privacyPublicKey.ifPresent(pk -> principle.put("privacyPublicKey", pk));
+    return principle;
  }

  @Override
@ -85,4 +92,8 @@ public class TomlUser extends AbstractUser {
  public List<String> getRoles() {
    return roles;
  }
+
+  public Optional<String> getPrivacyPublicKey() {
+    return privacyPublicKey;
+  }
 }
--- a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
+++ b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java
@ -14,7 +14,10 @@
 */
 package org.hyperledger.besu.ethereum.api.jsonrpc;

+import static java.nio.charset.StandardCharsets.UTF_8;
+import static java.util.concurrent.TimeUnit.MINUTES;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.util.Lists.list;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;

@ -42,16 +45,14 @@ import org.hyperledger.besu.ethereum.p2p.rlpx.wire.Capability;
 import org.hyperledger.besu.metrics.noop.NoOpMetricsSystem;
 import org.hyperledger.besu.metrics.prometheus.MetricsConfiguration;

-import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.InputStream;
 import java.math.BigInteger;
 import java.nio.file.Paths;
-import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.util.Arrays;
+import java.util.Base64;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
@ -60,19 +61,13 @@ import java.util.Map;
 import java.util.Optional;
 import java.util.Set;

+import com.google.common.base.Splitter;
 import io.vertx.core.Vertx;
-import io.vertx.core.buffer.Buffer;
 import io.vertx.core.json.Json;
+import io.vertx.core.json.JsonArray;
 import io.vertx.core.json.JsonObject;
-import io.vertx.ext.auth.KeyStoreOptions;
-import io.vertx.ext.auth.PubSecKeyOptions;
-import io.vertx.ext.auth.SecretOptions;
 import io.vertx.ext.auth.User;
 import io.vertx.ext.auth.jwt.JWTAuth;
-import io.vertx.ext.auth.jwt.JWTAuthOptions;
-import io.vertx.ext.auth.jwt.impl.JWTAuthProviderImpl;
-import io.vertx.ext.jwt.JWK;
-import io.vertx.ext.jwt.JWT;
 import okhttp3.MediaType;
 import okhttp3.OkHttpClient;
 import okhttp3.Request;
@ -272,63 +267,6 @@ public class JsonRpcHttpServiceLoginTest {
    }
  }

-  private JWT makeJwt(final JWTAuthOptions config)
-      throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
-    final KeyStoreOptions keyStoreOptions = config.getKeyStore();
-    if (keyStoreOptions != null) {
-      final KeyStore ks = KeyStore.getInstance(keyStoreOptions.getType());
-
-      // synchronize on the class to avoid the case where multiple file accesses will overlap
-      synchronized (JWTAuthProviderImpl.class) {
-        final Buffer keystore = vertx.fileSystem().readFileBlocking(keyStoreOptions.getPath());
-
-        try (final InputStream in = new ByteArrayInputStream(keystore.getBytes())) {
-          ks.load(in, keyStoreOptions.getPassword().toCharArray());
-        }
-      }
-
-      return new JWT(ks, keyStoreOptions.getPassword().toCharArray());
-    } else {
-      // no key file attempt to load pem keys
-      final JWT jwt = new JWT();
-
-      final List<PubSecKeyOptions> keys = config.getPubSecKeys();
-
-      if (keys != null) {
-        for (final PubSecKeyOptions pubSecKey : config.getPubSecKeys()) {
-          if (pubSecKey.isSymmetric()) {
-            jwt.addJWK(new JWK(pubSecKey.getAlgorithm(), pubSecKey.getPublicKey()));
-          } else {
-            jwt.addJWK(
-                new JWK(
-                    pubSecKey.getAlgorithm(),
-                    pubSecKey.isCertificate(),
-                    pubSecKey.getPublicKey(),
-                    pubSecKey.getSecretKey()));
-          }
-        }
-      }
-
-      // TODO: remove once the deprecation ends!
-      final List<SecretOptions> secrets = config.getSecrets();
-
-      if (secrets != null) {
-        for (final SecretOptions secret : secrets) {
-          jwt.addSecret(secret.getType(), secret.getSecret());
-        }
-      }
-
-      final List<JsonObject> jwks = config.getJwks();
-
-      if (jwks != null) {
-        for (final JsonObject jwk : jwks) {
-          jwt.addJWK(new JWK(jwk));
-        }
-      }
-      return jwt;
-    }
-  }
-
  @Test
  public void loginDoesntPopulateJWTPayloadWithPassword()
      throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
@ -348,15 +286,48 @@ public class JsonRpcHttpServiceLoginTest {
      final JsonObject respBody = new JsonObject(bodyString);
      final String token = respBody.getString("token");
      assertThat(token).isNotNull();
-      final JWT jwt = makeJwt(service.authenticationService.get().jwtAuthOptions);

-      final JsonObject jwtPayload = jwt.decode(token);
+      final JsonObject jwtPayload = decodeJwtPayload(token);
      final String jwtPayloadString = jwtPayload.encode();
      assertThat(jwtPayloadString.contains("password")).isFalse();
      assertThat(jwtPayloadString.contains("pegasys")).isFalse();
    }
  }

+  @Test
+  public void loginPopulatesJWTPayloadWithRequiredValues()
+      throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
+    final RequestBody body =
+        RequestBody.create(JSON, "{\"username\":\"user\",\"password\":\"pegasys\"}");
+    final Request request = new Request.Builder().post(body).url(baseUrl + "/login").build();
+    try (final Response resp = client.newCall(request).execute()) {
+      assertThat(resp.code()).isEqualTo(200);
+      assertThat(resp.message()).isEqualTo("OK");
+      assertThat(resp.body().contentType()).isNotNull();
+      assertThat(resp.body().contentType().type()).isEqualTo("application");
+      assertThat(resp.body().contentType().subtype()).isEqualTo("json");
+      final String bodyString = resp.body().string();
+      assertThat(bodyString).isNotNull();
+      assertThat(bodyString).isNotBlank();
+
+      final JsonObject respBody = new JsonObject(bodyString);
+      final String token = respBody.getString("token");
+      assertThat(token).isNotNull();
+
+      final JsonObject jwtPayload = decodeJwtPayload(token);
+      assertThat(jwtPayload.getString("username")).isEqualTo("user");
+      assertThat(jwtPayload.getJsonArray("permissions"))
+          .isEqualTo(
+              new JsonArray(list("fakePermission", "eth:blockNumber", "eth:subscribe", "web3:*")));
+      assertThat(jwtPayload.getString("privacyPublicKey"))
+          .isEqualTo("A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo=");
+      assertThat(jwtPayload.containsKey("iat")).isTrue();
+      assertThat(jwtPayload.containsKey("exp")).isTrue();
+      final long tokenExpiry = jwtPayload.getLong("exp") - jwtPayload.getLong("iat");
+      assertThat(tokenExpiry).isEqualTo(MINUTES.toSeconds(5));
+    }
+  }
+
  private String login(final String username, final String password) throws IOException {
    final RequestBody loginBody =
        RequestBody.create(
@ -534,4 +505,10 @@ public class JsonRpcHttpServiceLoginTest {
    token.ifPresent(t -> request.addHeader("Authorization", "Bearer " + t));
    return request.build();
  }
+
+  private JsonObject decodeJwtPayload(final String token) {
+    final List<String> tokenParts = Splitter.on('.').splitToList(token);
+    final String payload = tokenParts.get(1);
+    return new JsonObject(new String(Base64.getUrlDecoder().decode(payload), UTF_8));
+  }
 }
--- a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/TomlAuthTest.java
+++ b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/TomlAuthTest.java
@ -105,14 +105,16 @@ public class TomlAuthTest {
  }

  @Test
-  public void validPasswordShouldAuthenticateSuccessfully(final TestContext context) {
+  public void validPasswordWithAllValuesShouldAuthenticateAndCreateUserSuccessfully(
+      final TestContext context) {
    JsonObject expectedPrincipal =
        new JsonObject()
            .put("username", "userA")
            .put("password", "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC")
            .put("groups", new JsonArray().add("admin"))
            .put("permissions", new JsonArray().add("eth:*").add("perm:*"))
-            .put("roles", new JsonArray().add("net"));
+            .put("roles", new JsonArray().add("net"))
+            .put("privacyPublicKey", "A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo=");

    JsonObject authInfo = new JsonObject().put("username", "userA").put("password", "pegasys");

@ -122,6 +124,25 @@ public class TomlAuthTest {
            res -> context.assertEquals(expectedPrincipal, res.principal())));
  }

+  @Test
+  public void validPasswordWithOptionalValuesShouldAuthenticateAndCreateUserSuccessfully(
+      final TestContext context) {
+    JsonObject expectedPrincipal =
+        new JsonObject()
+            .put("username", "userB")
+            .put("password", "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC")
+            .put("groups", new JsonArray())
+            .put("permissions", new JsonArray().add("net:*"))
+            .put("roles", new JsonArray());
+
+    JsonObject authInfo = new JsonObject().put("username", "userB").put("password", "pegasys");
+
+    tomlAuth.authenticate(
+        authInfo,
+        context.asyncAssertSuccess(
+            res -> context.assertEquals(expectedPrincipal, res.principal())));
+  }
+
  private String getTomlPath(final String tomlFileName) throws URISyntaxException {
    return Paths.get(ClassLoader.getSystemResource(tomlFileName).toURI())
        .toAbsolutePath()
--- a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/TomlUserTest.java
+++ b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/TomlUserTest.java
@ -0,0 +1,63 @@
+/*
+ * Copyright ConsenSys AG.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.hyperledger.besu.ethereum.api.jsonrpc.authentication;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.util.Lists.list;
+
+import java.util.Optional;
+
+import io.vertx.core.json.JsonArray;
+import io.vertx.core.json.JsonObject;
+import org.junit.Test;
+
+public class TomlUserTest {
+
+  @Test
+  public void createsPrincipleWithAllValues() {
+    final TomlUser tomlUser =
+        new TomlUser(
+            "user",
+            "password",
+            list("admin"),
+            list("eth:*", "perm:*"),
+            list("net"),
+            Optional.of("A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo="));
+
+    final JsonObject principal = tomlUser.principal();
+    assertThat(principal.getString("username")).isEqualTo("user");
+    assertThat(principal.getString("password")).isEqualTo("password");
+    assertThat(principal.getJsonArray("groups")).isEqualTo(new JsonArray(list("admin")));
+    assertThat(principal.getJsonArray("permissions"))
+        .isEqualTo(new JsonArray(list("eth:*", "perm:*")));
+    assertThat(principal.getJsonArray("roles")).isEqualTo(new JsonArray(list("net")));
+    assertThat(principal.getString("privacyPublicKey"))
+        .isEqualTo("A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo=");
+  }
+
+  @Test
+  public void createsPrincipleWithOnlyRequiredValues() {
+    final TomlUser tomlUser =
+        new TomlUser("user", "password", list(), list(), list(), Optional.empty());
+
+    final JsonObject principal = tomlUser.principal();
+    assertThat(principal.getString("username")).isEqualTo("user");
+    assertThat(principal.getString("password")).isEqualTo("password");
+    assertThat(principal.getJsonArray("groups")).isEqualTo(new JsonArray());
+    assertThat(principal.getJsonArray("permissions")).isEqualTo(new JsonArray());
+    assertThat(principal.getJsonArray("roles")).isEqualTo(new JsonArray());
+    assertThat(principal.containsKey("privacyPublicKey")).isFalse();
+  }
+}
--- a/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/websocket/WebSocketServiceLoginTest.java
+++ b/ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/websocket/WebSocketServiceLoginTest.java
@ -14,7 +14,10 @@
 */
 package org.hyperledger.besu.ethereum.api.jsonrpc.websocket;

+import static java.nio.charset.StandardCharsets.UTF_8;
+import static java.util.concurrent.TimeUnit.MINUTES;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.util.Lists.list;
 import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.spy;

@ -25,10 +28,13 @@ import org.hyperledger.besu.metrics.noop.NoOpMetricsSystem;

 import java.net.URISyntaxException;
 import java.nio.file.Paths;
+import java.util.Base64;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;

+import com.google.common.base.Splitter;
 import com.google.common.collect.Lists;
 import io.vertx.core.MultiMap;
 import io.vertx.core.Vertx;
@ -38,6 +44,7 @@ import io.vertx.core.http.HttpClientOptions;
 import io.vertx.core.http.HttpClientRequest;
 import io.vertx.core.http.RequestOptions;
 import io.vertx.core.http.impl.headers.VertxHttpHeaders;
+import io.vertx.core.json.JsonArray;
 import io.vertx.core.json.JsonObject;
 import io.vertx.ext.auth.User;
 import io.vertx.ext.auth.jwt.JWTAuth;
@ -250,4 +257,53 @@ public class WebSocketServiceLoginTest {

    async.awaitSuccess(VERTX_AWAIT_TIMEOUT_MILLIS);
  }
+
+  @Test
+  public void loginPopulatesJWTPayloadWithRequiredValues(final TestContext context) {
+    final Async async = context.async();
+    final HttpClientRequest request =
+        httpClient.post(
+            websocketConfiguration.getPort(),
+            websocketConfiguration.getHost(),
+            "/login",
+            response -> {
+              response.bodyHandler(
+                  buffer -> {
+                    final String body = buffer.toString();
+                    assertThat(body).isNotBlank();
+
+                    final JsonObject respBody = new JsonObject(body);
+                    final String token = respBody.getString("token");
+
+                    final JsonObject jwtPayload = decodeJwtPayload(token);
+                    assertThat(jwtPayload.getString("username")).isEqualTo("user");
+                    assertThat(jwtPayload.getJsonArray("permissions"))
+                        .isEqualTo(
+                            new JsonArray(
+                                list(
+                                    "fakePermission",
+                                    "eth:blockNumber",
+                                    "eth:subscribe",
+                                    "web3:*")));
+                    assertThat(jwtPayload.getString("privacyPublicKey"))
+                        .isEqualTo("A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo=");
+                    assertThat(jwtPayload.containsKey("iat")).isTrue();
+                    assertThat(jwtPayload.containsKey("exp")).isTrue();
+                    final long tokenExpiry = jwtPayload.getLong("exp") - jwtPayload.getLong("iat");
+                    assertThat(tokenExpiry).isEqualTo(MINUTES.toSeconds(5));
+
+                    async.complete();
+                  });
+            });
+    request.putHeader("Content-Type", "application/json; charset=utf-8");
+    request.end("{\"username\":\"user\",\"password\":\"pegasys\"}");
+
+    async.awaitSuccess(VERTX_AWAIT_TIMEOUT_MILLIS);
+  }
+
+  private JsonObject decodeJwtPayload(final String token) {
+    final List<String> tokenParts = Splitter.on('.').splitToList(token);
+    final String payload = tokenParts.get(1);
+    return new JsonObject(new String(Base64.getUrlDecoder().decode(payload), UTF_8));
+  }
 }
--- a/ethereum/api/src/test/resources/JsonRpcHttpService/auth.toml
+++ b/ethereum/api/src/test/resources/JsonRpcHttpService/auth.toml
@ -1,3 +1,4 @@
 [Users.user]
 password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
 permissions = ["fakePermission","eth:blockNumber","eth:subscribe","web3:*"]
+privacyPublicKey = "A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo="
--- a/ethereum/api/src/test/resources/authentication/auth.toml
+++ b/ethereum/api/src/test/resources/authentication/auth.toml
@ -3,6 +3,11 @@ password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
 groups = ["admin"]
 permissions = ["eth:*", "perm:*"]
 roles = ["net"]
+privacyPublicKey = "A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo="
+
+[Users.userB]
+password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
+permissions = ["net:*"]

 [Groups.admins]
 roles = ["admin"]
--- a/ethereum/referencetests/src/test/resources
+++ b/ethereum/referencetests/src/test/resources
@ -1 +1 @@
-Subproject commit cfbcd15f91d4d6e1785d9cae5c5c37f47e8bad46
+Subproject commit 0327d9f76ce2a292a99e7a9dfc93627368ce589e