Allow use of privacy public key in the credentials file (#196)

Signed-off-by: Jason Frame <jasonwframe@gmail.com>

besu/src/main/java/org/hyperledger/besu/cli/custom/RpcAuthFileValidator.java

@@ -14,6 +14,8 @@
  */
 package org.hyperledger.besu.cli.custom;
 
+import static org.hyperledger.besu.ethereum.api.jsonrpc.authentication.TomlAuth.PRIVACY_PUBLIC_KEY;
+
 import org.hyperledger.besu.ethereum.permissioning.TomlConfigFileParser;
 
 import java.io.File;
@@ -97,7 +99,19 @@ public class RpcAuthFileValidator {
         .dottedKeySet()
         .parallelStream()
         .filter(keySet -> !keySet.contains("password"))
-        .allMatch(dottedKey -> verifyArray(dottedKey, tomlParseResult));
+        .allMatch(dottedKey -> verifyEntry(dottedKey, tomlParseResult));
+  }
+
+  private static boolean verifyEntry(final String key, final TomlParseResult tomlParseResult) {
+    if (key.endsWith(PRIVACY_PUBLIC_KEY)) {
+      return verifyString(key, tomlParseResult);
+    } else {
+      return verifyArray(key, tomlParseResult);
+    }
+  }
+
+  private static boolean verifyString(final String key, final TomlParseResult tomlParseResult) {
+    return tomlParseResult.isString(key) && !tomlParseResult.getString(key, () -> "").isEmpty();
   }
 
   private static boolean verifyArray(final String key, final TomlParseResult tomlParseResult) {

besu/src/test/java/org/hyperledger/besu/cli/custom/RpcAuthFileValidatorTest.java

@@ -27,11 +27,16 @@ import picocli.CommandLine.ParameterException;
 @RunWith(MockitoJUnitRunner.StrictStubs.class)
 public class RpcAuthFileValidatorTest {
 
-  private static final String CORRECT_TOML = "/auth_correct.toml";
+  private static final String CORRECT_TOML = "/rpcauth/auth_correct.toml";
-  private static final String DUPLICATE_USER_TOML = "/auth_duplicate_user.toml";
+  private static final String DUPLICATE_USER_TOML = "/rpcauth/auth_duplicate_user.toml";
-  private static final String INVALID_TOML = "/auth_invalid.toml";
+  private static final String INVALID_TOML = "/rpcauth/auth_invalid.toml";
-  private static final String INVALID_VALUE_TOML = "/auth_invalid_value.toml";
+  private static final String INVALID_GROUPS_VALUE_TOML = "/rpcauth/auth_invalid_groups_value.toml";
-  private static final String NO_PASSWORD_TOML = "/auth_no_password.toml";
+  private static final String INVALID_PERMISSIONS_VALUE_TOML =
+      "/rpcauth/auth_invalid_permissions_value.toml";
+  private static final String INVALID_PRIVACY_PUBLIC_KEY_VALUE_TOML =
+      "/rpcauth/auth_invalid_privacy_public_key_value.toml";
+  private static final String NO_PASSWORD_TOML = "/rpcauth/auth_no_password.toml";
+
   @Mock CommandLine commandLine;
 
   @Test
@@ -67,10 +72,31 @@ public class RpcAuthFileValidatorTest {
   }
 
   @Test
-  public void shouldFailWhenInvalidKeyValue() {
+  public void shouldFailWhenInvalidGroupsKeyValue() {
+    assertThatThrownBy(
+            () ->
+                RpcAuthFileValidator.validate(
+                    commandLine, getFilePath(INVALID_GROUPS_VALUE_TOML), "HTTP"))
+        .isInstanceOf(ParameterException.class)
+        .hasMessage("RPC authentication configuration file contains invalid values.");
+  }
+
+  @Test
+  public void shouldFailWhenInvalidPermissionsKeyValue() {
     assertThatThrownBy(
             () ->
-                RpcAuthFileValidator.validate(commandLine, getFilePath(INVALID_VALUE_TOML), "HTTP"))
+                RpcAuthFileValidator.validate(
+                    commandLine, getFilePath(INVALID_PERMISSIONS_VALUE_TOML), "HTTP"))
+        .isInstanceOf(ParameterException.class)
+        .hasMessage("RPC authentication configuration file contains invalid values.");
+  }
+
+  @Test
+  public void shouldFailWhenInvalidEmptyPrivacyPublicKeyValue() {
+    assertThatThrownBy(
+            () ->
+                RpcAuthFileValidator.validate(
+                    commandLine, getFilePath(INVALID_PRIVACY_PUBLIC_KEY_VALUE_TOML), "HTTP"))
         .isInstanceOf(ParameterException.class)
         .hasMessage("RPC authentication configuration file contains invalid values.");
   }

besu/src/test/resources/rpcauth/auth_correct.toml

@@ -3,6 +3,7 @@ password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
 groups = ["admin"]
 permissions = ["eth:*", "perm:*"]
 roles = ["net"]
+privacyPublicKey="A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo="
 
 [Users.userB]
 password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"

besu/src/test/resources/rpcauth/auth_invalid_permissions_value.toml

@@ -0,0 +1,21 @@
+[Users.userA]
+password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
+groups = ["admin"]
+# This line is invalid - should be an array
+permissions = "eth:*"
+roles = ["net"]
+
+[Users.userB]
+password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
+groups = ["admin"]
+permissions = ["eth:*", "perm:*"]
+roles = ["net"]
+
+[Groups.admins]
+roles = ["admin"]
+
+[Roles.admin]
+permissions = ["admin:*"]
+
+[Roles.net]
+permissions = ["net:*"]

besu/src/test/resources/rpcauth/auth_invalid_privacy_public_key_value.toml

@@ -0,0 +1,22 @@
+[Users.userA]
+password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
+groups = ["admin"]
+permissions = ["eth:*", "perm:*"]
+roles = ["net"]
+# This line is invalid - should be a non-empty value
+privacyPublicKey = ""
+
+[Users.userB]
+password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
+groups = ["admin"]
+permissions = ["eth:*", "perm:*"]
+roles = ["net"]
+
+[Groups.admins]
+roles = ["admin"]
+
+[Roles.admin]
+permissions = ["admin:*"]
+
+[Roles.net]
+permissions = ["net:*"]

ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/AuthenticationService.java

@@ -186,6 +186,11 @@ public class AuthenticationService {
                 new JsonObject()
                     .put("permissions", user.principal().getValue("permissions"))
                     .put("username", user.principal().getValue("username"));
+            final String privacyPublicKey = user.principal().getString("privacyPublicKey");
+            if (privacyPublicKey != null) {
+              jwtContents.put("privacyPublicKey", privacyPublicKey);
+            }
+
             final String token = jwtAuthProvider.generateToken(jwtContents, options);
 
             final JsonObject responseBody = new JsonObject().put("token", token);

ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/AuthenticationUtils.java

@@ -82,7 +82,7 @@ public class AuthenticationUtils {
                 (r) -> {
                   if (r.succeeded()) {
                     final Optional<User> user = Optional.ofNullable(r.result());
-                    validateExpExists(user);
+                    validateExpiryExists(user);
                     handler.handle(user);
                   } else {
                     LOG.debug("Invalid JWT token", r.cause());
@@ -95,7 +95,7 @@ public class AuthenticationUtils {
     }
   }
 
-  private static void validateExpExists(final Optional<User> user) {
+  private static void validateExpiryExists(final Optional<User> user) {
     if (!user.map(User::principal).map(p -> p.containsKey("exp")).orElse(false)) {
       throw new IllegalStateException("Invalid JWT doesn't have expiry");
     }

ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/TomlAuth.java

@@ -16,6 +16,7 @@ package org.hyperledger.besu.ethereum.api.jsonrpc.authentication;
 
 import java.io.IOException;
 import java.util.List;
+import java.util.Optional;
 import java.util.stream.Collectors;
 
 import io.vertx.core.AsyncResult;
@@ -32,6 +33,7 @@ import org.springframework.security.crypto.bcrypt.BCrypt;
 
 public class TomlAuth implements AuthProvider {
 
+  public static final String PRIVACY_PUBLIC_KEY = "privacyPublicKey";
   private final Vertx vertx;
   private final TomlAuthOptions options;
 
@@ -124,8 +126,11 @@ public class TomlAuth implements AuthProvider {
         userData.getArrayOrEmpty("roles").toList().stream()
             .map(Object::toString)
             .collect(Collectors.toList());
+    final Optional<String> privacyPublicKey =
+        Optional.ofNullable(userData.getString(PRIVACY_PUBLIC_KEY));
 
-    return new TomlUser(username, saltedAndHashedPassword, groups, permissions, roles);
+    return new TomlUser(
+        username, saltedAndHashedPassword, groups, permissions, roles, privacyPublicKey);
   }
 
   private void checkPasswordHash(

ethereum/api/src/main/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/TomlUser.java

@@ -15,6 +15,7 @@
 package org.hyperledger.besu.ethereum.api.jsonrpc.authentication;
 
 import java.util.List;
+import java.util.Optional;
 
 import io.vertx.core.AsyncResult;
 import io.vertx.core.Handler;
@@ -29,28 +30,34 @@ public class TomlUser extends AbstractUser {
   private final List<String> groups;
   private final List<String> permissions;
   private final List<String> roles;
+  private Optional<String> privacyPublicKey;
 
   TomlUser(
       final String username,
       final String password,
       final List<String> groups,
       final List<String> permissions,
-      final List<String> roles) {
+      final List<String> roles,
+      final Optional<String> privacyPublicKey) {
     this.username = username;
     this.password = password;
     this.groups = groups;
     this.permissions = permissions;
     this.roles = roles;
+    this.privacyPublicKey = privacyPublicKey;
   }
 
   @Override
   public JsonObject principal() {
-    return new JsonObject()
+    final JsonObject principle =
+        new JsonObject()
             .put("username", username)
             .put("password", password)
             .put("groups", groups)
             .put("permissions", permissions)
             .put("roles", roles);
+    privacyPublicKey.ifPresent(pk -> principle.put("privacyPublicKey", pk));
+    return principle;
   }
 
   @Override
@@ -85,4 +92,8 @@ public class TomlUser extends AbstractUser {
   public List<String> getRoles() {
     return roles;
   }
+
+  public Optional<String> getPrivacyPublicKey() {
+    return privacyPublicKey;
+  }
 }

ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/JsonRpcHttpServiceLoginTest.java

@@ -14,7 +14,10 @@
  */
 package org.hyperledger.besu.ethereum.api.jsonrpc;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static java.util.concurrent.TimeUnit.MINUTES;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.util.Lists.list;
 import static org.mockito.Mockito.mock;
 import static org.mockito.Mockito.spy;
 
@@ -42,16 +45,14 @@ import org.hyperledger.besu.ethereum.p2p.rlpx.wire.Capability;
 import org.hyperledger.besu.metrics.noop.NoOpMetricsSystem;
 import org.hyperledger.besu.metrics.prometheus.MetricsConfiguration;
 
-import java.io.ByteArrayInputStream;
 import java.io.IOException;
-import java.io.InputStream;
 import java.math.BigInteger;
 import java.nio.file.Paths;
-import java.security.KeyStore;
 import java.security.KeyStoreException;
 import java.security.NoSuchAlgorithmException;
 import java.security.cert.CertificateException;
 import java.util.Arrays;
+import java.util.Base64;
 import java.util.Collection;
 import java.util.Collections;
 import java.util.HashSet;
@@ -60,19 +61,13 @@ import java.util.Map;
 import java.util.Optional;
 import java.util.Set;
 
+import com.google.common.base.Splitter;
 import io.vertx.core.Vertx;
-import io.vertx.core.buffer.Buffer;
 import io.vertx.core.json.Json;
+import io.vertx.core.json.JsonArray;
 import io.vertx.core.json.JsonObject;
-import io.vertx.ext.auth.KeyStoreOptions;
-import io.vertx.ext.auth.PubSecKeyOptions;
-import io.vertx.ext.auth.SecretOptions;
 import io.vertx.ext.auth.User;
 import io.vertx.ext.auth.jwt.JWTAuth;
-import io.vertx.ext.auth.jwt.JWTAuthOptions;
-import io.vertx.ext.auth.jwt.impl.JWTAuthProviderImpl;
-import io.vertx.ext.jwt.JWK;
-import io.vertx.ext.jwt.JWT;
 import okhttp3.MediaType;
 import okhttp3.OkHttpClient;
 import okhttp3.Request;
@@ -272,65 +267,35 @@ public class JsonRpcHttpServiceLoginTest {
     }
   }
 
-  private JWT makeJwt(final JWTAuthOptions config)
+  @Test
-      throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
+  public void loginDoesntPopulateJWTPayloadWithPassword()
-    final KeyStoreOptions keyStoreOptions = config.getKeyStore();
+      throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
-    if (keyStoreOptions != null) {
+    final RequestBody body =
-      final KeyStore ks = KeyStore.getInstance(keyStoreOptions.getType());
+        RequestBody.create(JSON, "{\"username\":\"user\",\"password\":\"pegasys\"}");
-
+    final Request request = new Request.Builder().post(body).url(baseUrl + "/login").build();
-      // synchronize on the class to avoid the case where multiple file accesses will overlap
+    try (final Response resp = client.newCall(request).execute()) {
-      synchronized (JWTAuthProviderImpl.class) {
+      assertThat(resp.code()).isEqualTo(200);
-        final Buffer keystore = vertx.fileSystem().readFileBlocking(keyStoreOptions.getPath());
+      assertThat(resp.message()).isEqualTo("OK");
-
+      assertThat(resp.body().contentType()).isNotNull();
-        try (final InputStream in = new ByteArrayInputStream(keystore.getBytes())) {
+      assertThat(resp.body().contentType().type()).isEqualTo("application");
-          ks.load(in, keyStoreOptions.getPassword().toCharArray());
+      assertThat(resp.body().contentType().subtype()).isEqualTo("json");
-        }
+      final String bodyString = resp.body().string();
-      }
+      assertThat(bodyString).isNotNull();
-
+      assertThat(bodyString).isNotBlank();
-      return new JWT(ks, keyStoreOptions.getPassword().toCharArray());
-    } else {
-      // no key file attempt to load pem keys
-      final JWT jwt = new JWT();
-
-      final List<PubSecKeyOptions> keys = config.getPubSecKeys();
-
-      if (keys != null) {
-        for (final PubSecKeyOptions pubSecKey : config.getPubSecKeys()) {
-          if (pubSecKey.isSymmetric()) {
-            jwt.addJWK(new JWK(pubSecKey.getAlgorithm(), pubSecKey.getPublicKey()));
-          } else {
-            jwt.addJWK(
-                new JWK(
-                    pubSecKey.getAlgorithm(),
-                    pubSecKey.isCertificate(),
-                    pubSecKey.getPublicKey(),
-                    pubSecKey.getSecretKey()));
-          }
-        }
-      }
-
-      // TODO: remove once the deprecation ends!
-      final List<SecretOptions> secrets = config.getSecrets();
-
-      if (secrets != null) {
-        for (final SecretOptions secret : secrets) {
-          jwt.addSecret(secret.getType(), secret.getSecret());
-        }
-      }
 
-      final List<JsonObject> jwks = config.getJwks();
+      final JsonObject respBody = new JsonObject(bodyString);
+      final String token = respBody.getString("token");
+      assertThat(token).isNotNull();
 
-      if (jwks != null) {
+      final JsonObject jwtPayload = decodeJwtPayload(token);
-        for (final JsonObject jwk : jwks) {
+      final String jwtPayloadString = jwtPayload.encode();
-          jwt.addJWK(new JWK(jwk));
+      assertThat(jwtPayloadString.contains("password")).isFalse();
-        }
+      assertThat(jwtPayloadString.contains("pegasys")).isFalse();
-      }
-      return jwt;
     }
   }
 
   @Test
-  public void loginDoesntPopulateJWTPayloadWithPassword()
+  public void loginPopulatesJWTPayloadWithRequiredValues()
       throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
     final RequestBody body =
         RequestBody.create(JSON, "{\"username\":\"user\",\"password\":\"pegasys\"}");
@@ -348,12 +313,18 @@ public class JsonRpcHttpServiceLoginTest {
       final JsonObject respBody = new JsonObject(bodyString);
       final String token = respBody.getString("token");
       assertThat(token).isNotNull();
-      final JWT jwt = makeJwt(service.authenticationService.get().jwtAuthOptions);
 
-      final JsonObject jwtPayload = jwt.decode(token);
+      final JsonObject jwtPayload = decodeJwtPayload(token);
-      final String jwtPayloadString = jwtPayload.encode();
+      assertThat(jwtPayload.getString("username")).isEqualTo("user");
-      assertThat(jwtPayloadString.contains("password")).isFalse();
+      assertThat(jwtPayload.getJsonArray("permissions"))
-      assertThat(jwtPayloadString.contains("pegasys")).isFalse();
+          .isEqualTo(
+              new JsonArray(list("fakePermission", "eth:blockNumber", "eth:subscribe", "web3:*")));
+      assertThat(jwtPayload.getString("privacyPublicKey"))
+          .isEqualTo("A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo=");
+      assertThat(jwtPayload.containsKey("iat")).isTrue();
+      assertThat(jwtPayload.containsKey("exp")).isTrue();
+      final long tokenExpiry = jwtPayload.getLong("exp") - jwtPayload.getLong("iat");
+      assertThat(tokenExpiry).isEqualTo(MINUTES.toSeconds(5));
     }
   }
 
@@ -534,4 +505,10 @@ public class JsonRpcHttpServiceLoginTest {
     token.ifPresent(t -> request.addHeader("Authorization", "Bearer " + t));
     return request.build();
   }
+
+  private JsonObject decodeJwtPayload(final String token) {
+    final List<String> tokenParts = Splitter.on('.').splitToList(token);
+    final String payload = tokenParts.get(1);
+    return new JsonObject(new String(Base64.getUrlDecoder().decode(payload), UTF_8));
+  }
 }

ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/TomlAuthTest.java

@@ -105,14 +105,16 @@ public class TomlAuthTest {
   }
 
   @Test
-  public void validPasswordShouldAuthenticateSuccessfully(final TestContext context) {
+  public void validPasswordWithAllValuesShouldAuthenticateAndCreateUserSuccessfully(
+      final TestContext context) {
     JsonObject expectedPrincipal =
         new JsonObject()
             .put("username", "userA")
             .put("password", "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC")
             .put("groups", new JsonArray().add("admin"))
             .put("permissions", new JsonArray().add("eth:*").add("perm:*"))
-            .put("roles", new JsonArray().add("net"));
+            .put("roles", new JsonArray().add("net"))
+            .put("privacyPublicKey", "A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo=");
 
     JsonObject authInfo = new JsonObject().put("username", "userA").put("password", "pegasys");
 
@@ -122,6 +124,25 @@ public class TomlAuthTest {
             res -> context.assertEquals(expectedPrincipal, res.principal())));
   }
 
+  @Test
+  public void validPasswordWithOptionalValuesShouldAuthenticateAndCreateUserSuccessfully(
+      final TestContext context) {
+    JsonObject expectedPrincipal =
+        new JsonObject()
+            .put("username", "userB")
+            .put("password", "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC")
+            .put("groups", new JsonArray())
+            .put("permissions", new JsonArray().add("net:*"))
+            .put("roles", new JsonArray());
+
+    JsonObject authInfo = new JsonObject().put("username", "userB").put("password", "pegasys");
+
+    tomlAuth.authenticate(
+        authInfo,
+        context.asyncAssertSuccess(
+            res -> context.assertEquals(expectedPrincipal, res.principal())));
+  }
+
   private String getTomlPath(final String tomlFileName) throws URISyntaxException {
     return Paths.get(ClassLoader.getSystemResource(tomlFileName).toURI())
         .toAbsolutePath()

ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/authentication/TomlUserTest.java

@@ -0,0 +1,63 @@
+/*
+ * Copyright ConsenSys AG.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on
+ * an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+package org.hyperledger.besu.ethereum.api.jsonrpc.authentication;
+
+import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.util.Lists.list;
+
+import java.util.Optional;
+
+import io.vertx.core.json.JsonArray;
+import io.vertx.core.json.JsonObject;
+import org.junit.Test;
+
+public class TomlUserTest {
+
+  @Test
+  public void createsPrincipleWithAllValues() {
+    final TomlUser tomlUser =
+        new TomlUser(
+            "user",
+            "password",
+            list("admin"),
+            list("eth:*", "perm:*"),
+            list("net"),
+            Optional.of("A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo="));
+
+    final JsonObject principal = tomlUser.principal();
+    assertThat(principal.getString("username")).isEqualTo("user");
+    assertThat(principal.getString("password")).isEqualTo("password");
+    assertThat(principal.getJsonArray("groups")).isEqualTo(new JsonArray(list("admin")));
+    assertThat(principal.getJsonArray("permissions"))
+        .isEqualTo(new JsonArray(list("eth:*", "perm:*")));
+    assertThat(principal.getJsonArray("roles")).isEqualTo(new JsonArray(list("net")));
+    assertThat(principal.getString("privacyPublicKey"))
+        .isEqualTo("A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo=");
+  }
+
+  @Test
+  public void createsPrincipleWithOnlyRequiredValues() {
+    final TomlUser tomlUser =
+        new TomlUser("user", "password", list(), list(), list(), Optional.empty());
+
+    final JsonObject principal = tomlUser.principal();
+    assertThat(principal.getString("username")).isEqualTo("user");
+    assertThat(principal.getString("password")).isEqualTo("password");
+    assertThat(principal.getJsonArray("groups")).isEqualTo(new JsonArray());
+    assertThat(principal.getJsonArray("permissions")).isEqualTo(new JsonArray());
+    assertThat(principal.getJsonArray("roles")).isEqualTo(new JsonArray());
+    assertThat(principal.containsKey("privacyPublicKey")).isFalse();
+  }
+}

ethereum/api/src/test/java/org/hyperledger/besu/ethereum/api/jsonrpc/websocket/WebSocketServiceLoginTest.java

@@ -14,7 +14,10 @@
  */
 package org.hyperledger.besu.ethereum.api.jsonrpc.websocket;
 
+import static java.nio.charset.StandardCharsets.UTF_8;
+import static java.util.concurrent.TimeUnit.MINUTES;
 import static org.assertj.core.api.Assertions.assertThat;
+import static org.assertj.core.util.Lists.list;
 import static org.mockito.Mockito.reset;
 import static org.mockito.Mockito.spy;
 
@@ -25,10 +28,13 @@ import org.hyperledger.besu.metrics.noop.NoOpMetricsSystem;
 
 import java.net.URISyntaxException;
 import java.nio.file.Paths;
+import java.util.Base64;
 import java.util.Collections;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 
+import com.google.common.base.Splitter;
 import com.google.common.collect.Lists;
 import io.vertx.core.MultiMap;
 import io.vertx.core.Vertx;
@@ -38,6 +44,7 @@ import io.vertx.core.http.HttpClientOptions;
 import io.vertx.core.http.HttpClientRequest;
 import io.vertx.core.http.RequestOptions;
 import io.vertx.core.http.impl.headers.VertxHttpHeaders;
+import io.vertx.core.json.JsonArray;
 import io.vertx.core.json.JsonObject;
 import io.vertx.ext.auth.User;
 import io.vertx.ext.auth.jwt.JWTAuth;
@@ -250,4 +257,53 @@ public class WebSocketServiceLoginTest {
 
     async.awaitSuccess(VERTX_AWAIT_TIMEOUT_MILLIS);
   }
+
+  @Test
+  public void loginPopulatesJWTPayloadWithRequiredValues(final TestContext context) {
+    final Async async = context.async();
+    final HttpClientRequest request =
+        httpClient.post(
+            websocketConfiguration.getPort(),
+            websocketConfiguration.getHost(),
+            "/login",
+            response -> {
+              response.bodyHandler(
+                  buffer -> {
+                    final String body = buffer.toString();
+                    assertThat(body).isNotBlank();
+
+                    final JsonObject respBody = new JsonObject(body);
+                    final String token = respBody.getString("token");
+
+                    final JsonObject jwtPayload = decodeJwtPayload(token);
+                    assertThat(jwtPayload.getString("username")).isEqualTo("user");
+                    assertThat(jwtPayload.getJsonArray("permissions"))
+                        .isEqualTo(
+                            new JsonArray(
+                                list(
+                                    "fakePermission",
+                                    "eth:blockNumber",
+                                    "eth:subscribe",
+                                    "web3:*")));
+                    assertThat(jwtPayload.getString("privacyPublicKey"))
+                        .isEqualTo("A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo=");
+                    assertThat(jwtPayload.containsKey("iat")).isTrue();
+                    assertThat(jwtPayload.containsKey("exp")).isTrue();
+                    final long tokenExpiry = jwtPayload.getLong("exp") - jwtPayload.getLong("iat");
+                    assertThat(tokenExpiry).isEqualTo(MINUTES.toSeconds(5));
+
+                    async.complete();
+                  });
+            });
+    request.putHeader("Content-Type", "application/json; charset=utf-8");
+    request.end("{\"username\":\"user\",\"password\":\"pegasys\"}");
+
+    async.awaitSuccess(VERTX_AWAIT_TIMEOUT_MILLIS);
+  }
+
+  private JsonObject decodeJwtPayload(final String token) {
+    final List<String> tokenParts = Splitter.on('.').splitToList(token);
+    final String payload = tokenParts.get(1);
+    return new JsonObject(new String(Base64.getUrlDecoder().decode(payload), UTF_8));
+  }
 }

ethereum/api/src/test/resources/JsonRpcHttpService/auth.toml

@@ -1,3 +1,4 @@
 [Users.user]
 password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
 permissions = ["fakePermission","eth:blockNumber","eth:subscribe","web3:*"]
+privacyPublicKey = "A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo="

ethereum/api/src/test/resources/authentication/auth.toml

@@ -3,6 +3,11 @@ password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
 groups = ["admin"]
 permissions = ["eth:*", "perm:*"]
 roles = ["net"]
+privacyPublicKey = "A1aVtMxLCUHmBVHXoZzzBgPbW/wj5axDpW9X8l91SGo="
+
+[Users.userB]
+password = "$2a$10$l3GA7K8g6rJ/Yv.YFSygCuI9byngpEzxgWS9qEg5emYDZomQW7fGC"
+permissions = ["net:*"]
 
 [Groups.admins]
 roles = ["admin"]

ethereum/referencetests/src/test/resources

@@ -1 +1 @@
-Subproject commit cfbcd15f91d4d6e1785d9cae5c5c37f47e8bad46
+Subproject commit 0327d9f76ce2a292a99e7a9dfc93627368ce589e