feat: oauth for builder (#44)

Cargo.toml

@@ -26,4 +26,4 @@ hex = { package = "const-hex", version = "1", default-features = false, features
 serde = { version = "1.0.197", features = ["derive"] }
 tracing = "0.1.40"
 
-zenith-types = { path = "crates/types" }
+zenith-types = { path = "crates/types" }

crates/builder/Cargo.toml

@@ -44,3 +44,4 @@ thiserror = "1.0.58"
 tokio = { version = "1.36.0", features = ["full", "macros", "rt-multi-thread"] }
 tracing-subscriber = "0.3.18"
 async-trait = "0.1.80"
+oauth2 = "4.4.2"

crates/builder/src/config.rs

@@ -26,6 +26,11 @@ const ROLLUP_BLOCK_GAS_LIMIT: &str = "ROLLUP_BLOCK_GAS_LIMIT";
 const TX_POOL_URL: &str = "TX_POOL_URL";
 const TX_POOL_POLL_INTERVAL: &str = "TX_POOL_POLL_INTERVAL";
 const TX_POOL_CACHE_DURATION: &str = "TX_POOL_CACHE_DURATION";
+const OAUTH_CLIENT_ID: &str = "OAUTH_CLIENT_ID";
+const OAUTH_CLIENT_SECRET: &str = "OAUTH_CLIENT_SECRET";
+const OAUTH_AUTHENTICATE_URL: &str = "OAUTH_AUTHENTICATE_URL";
+const OAUTH_TOKEN_URL: &str = "OAUTH_TOKEN_URL";
+const OAUTH_AUDIENCE: &str = "OAUTH_AUDIENCE";
 
 /// Configuration for a builder running a specific rollup on a specific host
 /// chain.
@@ -64,6 +69,16 @@ pub struct BuilderConfig {
     pub tx_pool_poll_interval: u64,
     /// Duration in seconds transactions can live in the tx-pool cache.
     pub tx_pool_cache_duration: u64,
+    /// OAuth client ID for the builder.
+    pub oauth_client_id: String,
+    /// OAuth client secret for the builder.
+    pub oauth_client_secret: String,
+    /// OAuth authenticate URL for the builder for performing OAuth logins.
+    pub oauth_authenticate_url: String,
+    /// OAuth token URL for the builder to get an OAuth2 access token
+    pub oauth_token_url: String,
+    /// OAuth audience for the builder.
+    pub oauth_audience: String,
 }
 
 #[derive(Debug, thiserror::Error)]
@@ -130,6 +145,11 @@ impl BuilderConfig {
             tx_pool_url: load_url(TX_POOL_URL)?,
             tx_pool_poll_interval: load_u64(TX_POOL_POLL_INTERVAL)?,
             tx_pool_cache_duration: load_u64(TX_POOL_CACHE_DURATION)?,
+            oauth_client_id: load_string(OAUTH_CLIENT_ID)?,
+            oauth_client_secret: load_string(OAUTH_CLIENT_SECRET)?,
+            oauth_authenticate_url: load_string(OAUTH_AUTHENTICATE_URL)?,
+            oauth_token_url: load_string(OAUTH_TOKEN_URL)?,
+            oauth_audience: load_string(OAUTH_AUDIENCE)?,
         })
     }
 

crates/builder/src/tasks/submit.rs

@@ -1,3 +1,8 @@
+use crate::{
+    config::{Provider, ZenithInstance},
+    signer::LocalOrAws,
+    tasks::block::InProgressBlock,
+};
 use alloy::consensus::SimpleCoder;
 use alloy::network::{TransactionBuilder, TransactionBuilder4844};
 use alloy::providers::{Provider as _, WalletProvider};
@@ -7,15 +12,16 @@ use alloy::sol_types::SolCall;
 use alloy::transports::TransportError;
 use alloy_primitives::{FixedBytes, U256};
 use eyre::{bail, eyre};
+use oauth2::{
+    basic::BasicClient, basic::BasicTokenType, reqwest::http_client, AuthUrl, ClientId,
+    ClientSecret, EmptyExtraTokenFields, StandardTokenResponse, TokenResponse, TokenUrl,
+};
 use tokio::{sync::mpsc, task::JoinHandle};
 use tracing::{debug, error, instrument, trace};
 use zenith_types::{SignRequest, SignResponse, Zenith};
 
-use crate::{
-    config::{Provider, ZenithInstance},
-    signer::LocalOrAws,
-    tasks::block::InProgressBlock,
-};
+/// OAuth Audience Claim Name, required param by IdP for client credential grant
+const OAUTH_AUDIENCE_CLAIM: &str = "audience";
 
 /// Submits sidecars in ethereum txns to mainnet ethereum
 pub struct SubmitTask {
@@ -43,10 +49,13 @@ impl SubmitTask {
             "pinging quincey for signature"
         );
 
+        let token = self.fetch_oauth_token().await?;
+
         let resp: reqwest::Response = self
             .client
             .post(self.config.quincey_url.as_ref())
             .json(sig_request)
+            .bearer_auth(token.access_token().secret())
             .send()
             .await?
             .error_for_status()?;
@@ -59,6 +68,24 @@ impl SubmitTask {
         serde_json::from_slice(&body).map_err(Into::into)
     }
 
+    async fn fetch_oauth_token(
+        &self,
+    ) -> eyre::Result<StandardTokenResponse<EmptyExtraTokenFields, BasicTokenType>> {
+        let client = BasicClient::new(
+            ClientId::new(self.config.oauth_client_id.clone()),
+            Some(ClientSecret::new(self.config.oauth_client_secret.clone())),
+            AuthUrl::new(self.config.oauth_authenticate_url.clone())?,
+            Some(TokenUrl::new(self.config.oauth_token_url.clone())?),
+        );
+
+        let token_result = client
+            .exchange_client_credentials()
+            .add_extra_param(OAUTH_AUDIENCE_CLAIM, self.config.oauth_audience.clone())
+            .request(http_client)?;
+
+        Ok(token_result)
+    }
+
     #[instrument(skip_all)]
     async fn construct_sig_request(&self, contents: &InProgressBlock) -> eyre::Result<SignRequest> {
         let ru_chain_id = U256::from(self.config.ru_chain_id);

crates/builder/tests/tx_poller_test.rs

@@ -71,6 +71,11 @@ mod tests {
             tx_pool_url: "http://localhost:9000".into(),
             tx_pool_cache_duration: 5,
             tx_pool_poll_interval: 5,
+            oauth_client_id: "some_client_id".into(),
+            oauth_client_secret: "some_client_secret".into(),
+            oauth_authenticate_url: "http://localhost:8080".into(),
+            oauth_token_url: "http://localhost:8080".into(),
+            oauth_audience: "some_audience".into(),
         };
         (BlockBuilder::new(&config), config)
     }