mirror of
https://github.com/fort-nix/nix-bitcoin.git
synced 2024-11-27 02:12:45 +03:00
Merge #229: Improve bitcoind RPC user config
9b6a3ec835
generate-secrets: extract fn 'makeHMAC' (Erik Arvstedt)ca18ffb90a
generate-secrets: fetch rpcauth.py from github (Erik Arvstedt)4d6127bb76
bitcoind: clarify RPC whitelist test (Erik Arvstedt)9d610991be
bitcoind: remove custom rpc user names (Erik Arvstedt)1408403dec
bitcoind: clarify how bitcoin-cli RPC access is enabled (Erik Arvstedt)4790c601a1
bitcoind: move rpc user config to bitcoind (Erik Arvstedt)876cfadf1a
bitcoind: add rpc user option 'passwordHMACFromFile' (Erik Arvstedt)59434e79f0
bitcoind: simplify default rpc user name config (Erik Arvstedt)205829b91f
bitcoind: remove whitespace (Erik Arvstedt) Pull request description: ACKs for top commit: nixbitcoin: ACK9b6a3ec835
jonasnick: concept ACK9b6a3ec835
Tree-SHA512: ccb9a8d2dc1f360cc1f0bd77535fa8edfd9afec0a519719103fd059d5912a1ed4960c22ef14df616a731f6a88861fecb8d1653fb71c2288b851e4a02f9f49cb2
This commit is contained in:
commit
1c31208078
61
modules/bitcoind-rpc-public-whitelist.nix
Normal file
61
modules/bitcoind-rpc-public-whitelist.nix
Normal file
@ -0,0 +1,61 @@
|
||||
# RPC calls that are safe for public use
|
||||
[
|
||||
"echo"
|
||||
"getinfo"
|
||||
# Blockchain
|
||||
"getbestblockhash"
|
||||
"getblock"
|
||||
"getblockchaininfo"
|
||||
"getblockcount"
|
||||
"getblockfilter"
|
||||
"getblockhash"
|
||||
"getblockheader"
|
||||
"getblockstats"
|
||||
"getchaintips"
|
||||
"getchaintxstats"
|
||||
"getdifficulty"
|
||||
"getmempoolancestors"
|
||||
"getmempooldescendants"
|
||||
"getmempoolentry"
|
||||
"getmempoolinfo"
|
||||
"getrawmempool"
|
||||
"gettxout"
|
||||
"gettxoutproof"
|
||||
"gettxoutsetinfo"
|
||||
"scantxoutset"
|
||||
"verifytxoutproof"
|
||||
# Mining
|
||||
"getblocktemplate"
|
||||
"getmininginfo"
|
||||
"getnetworkhashps"
|
||||
# Network
|
||||
"getnetworkinfo"
|
||||
# Rawtransactions
|
||||
"analyzepsbt"
|
||||
"combinepsbt"
|
||||
"combinerawtransaction"
|
||||
"converttopsbt"
|
||||
"createpsbt"
|
||||
"createrawtransaction"
|
||||
"decodepsbt"
|
||||
"decoderawtransaction"
|
||||
"decodescript"
|
||||
"finalizepsbt"
|
||||
"fundrawtransaction"
|
||||
"getrawtransaction"
|
||||
"joinpsbts"
|
||||
"sendrawtransaction"
|
||||
"signrawtransactionwithkey"
|
||||
"testmempoolaccept"
|
||||
"utxoupdatepsbt"
|
||||
# Util
|
||||
"createmultisig"
|
||||
"deriveaddresses"
|
||||
"estimatesmartfee"
|
||||
"getdescriptorinfo"
|
||||
"signmessagewithprivkey"
|
||||
"validateaddress"
|
||||
"verifymessage"
|
||||
# Zmq
|
||||
"getzmqnotifications"
|
||||
]
|
@ -30,17 +30,14 @@ let
|
||||
${optionalString (cfg.rpcthreads != null) "rpcthreads=${toString cfg.rpcthreads}"}
|
||||
rpcport=${toString cfg.rpc.port}
|
||||
rpcwhitelistdefault=0
|
||||
${concatMapStringsSep "\n"
|
||||
(rpcUser: ''
|
||||
rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}
|
||||
${optionalString (rpcUser.rpcwhitelist != []) "rpcwhitelist=${rpcUser.name}:${lib.strings.concatStringsSep "," rpcUser.rpcwhitelist}"}
|
||||
'')
|
||||
(attrValues cfg.rpc.users)
|
||||
${concatMapStrings (user: ''
|
||||
${optionalString (!user.passwordHMACFromFile) "rpcauth=${user.name}:${passwordHMAC}"}
|
||||
${optionalString (user.rpcwhitelist != [])
|
||||
"rpcwhitelist=${user.name}:${lib.strings.concatStringsSep "," user.rpcwhitelist}"}
|
||||
'') (builtins.attrValues cfg.rpc.users)
|
||||
}
|
||||
${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
|
||||
${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
|
||||
# Credentials for bitcoin-cli
|
||||
rpcuser=${cfg.rpc.users.privileged.name}
|
||||
|
||||
# Wallet options
|
||||
${optionalString (cfg.addresstype != null) "addresstype=${cfg.addresstype}"}
|
||||
@ -109,6 +106,7 @@ in {
|
||||
options = {
|
||||
name = mkOption {
|
||||
type = types.str;
|
||||
default = name;
|
||||
example = "alice";
|
||||
description = ''
|
||||
Username for JSON-RPC connections.
|
||||
@ -122,6 +120,11 @@ in {
|
||||
format <SALT-HEX>$<HMAC-HEX>.
|
||||
'';
|
||||
};
|
||||
passwordHMACFromFile = mkOption {
|
||||
type = lib.types.bool;
|
||||
internal = true;
|
||||
default = false;
|
||||
};
|
||||
rpcwhitelist = mkOption {
|
||||
type = types.listOf types.str;
|
||||
default = [];
|
||||
@ -131,9 +134,6 @@ in {
|
||||
'';
|
||||
};
|
||||
};
|
||||
config = {
|
||||
name = mkDefault name;
|
||||
};
|
||||
}));
|
||||
description = ''
|
||||
RPC user information for JSON-RPC connections.
|
||||
@ -283,10 +283,21 @@ in {
|
||||
config = mkIf cfg.enable {
|
||||
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
|
||||
|
||||
services.bitcoind = mkIf cfg.dataDirReadableByGroup {
|
||||
disablewallet = true;
|
||||
sysperms = true;
|
||||
};
|
||||
services.bitcoind = mkMerge [
|
||||
(mkIf cfg.dataDirReadableByGroup {
|
||||
disablewallet = true;
|
||||
sysperms = true;
|
||||
})
|
||||
{
|
||||
rpc.users.privileged = {
|
||||
passwordHMACFromFile = true;
|
||||
};
|
||||
rpc.users.public = {
|
||||
passwordHMACFromFile = true;
|
||||
rpcwhitelist = import ./bitcoind-rpc-public-whitelist.nix;
|
||||
};
|
||||
}
|
||||
];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
||||
@ -298,16 +309,24 @@ in {
|
||||
requires = [ "nix-bitcoin-secrets.target" ];
|
||||
after = [ "network.target" "nix-bitcoin-secrets.target" ];
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
preStart = ''
|
||||
${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"}
|
||||
|
||||
cfgpre=$(cat ${configFile}; printf "rpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged")
|
||||
cfg=$(echo "$cfgpre" | \
|
||||
sed "s/bitcoin-HMAC-privileged/$(cat ${secretsDir}/bitcoin-HMAC-privileged)/g" | \
|
||||
sed "s/bitcoin-HMAC-public/$(cat ${secretsDir}/bitcoin-HMAC-public)/g")
|
||||
preStart = let
|
||||
extraRpcauth = concatMapStrings (name: let
|
||||
user = cfg.rpc.users.${name};
|
||||
in optionalString user.passwordHMACFromFile ''
|
||||
echo "rpcauth=${user.name}:$(cat ${secretsDir}/bitcoin-HMAC-${name})"
|
||||
''
|
||||
) (builtins.attrNames cfg.rpc.users);
|
||||
in ''
|
||||
${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"}
|
||||
cfg=$(
|
||||
cat ${configFile};
|
||||
${extraRpcauth}
|
||||
${/* Enable bitcoin-cli for group 'bitcoin' */ ""}
|
||||
printf "rpcuser=${cfg.rpc.users.privileged.name}\nrpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged";
|
||||
)
|
||||
confFile='${cfg.dataDir}/bitcoin.conf'
|
||||
if [[ ! -e $confFile || $cfg != $(cat $confFile) ]]; then
|
||||
install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
|
||||
install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
|
||||
fi
|
||||
'';
|
||||
postStart = ''
|
||||
|
@ -75,76 +75,6 @@ in {
|
||||
# higher rpcthread count due to reports that lightning implementations fail
|
||||
# under high bitcoind rpc load
|
||||
rpcthreads = 16;
|
||||
rpc.users.privileged = {
|
||||
name = "bitcoinrpc";
|
||||
# Placeholder to be sed'd out by bitcoind preStart
|
||||
passwordHMAC = "bitcoin-HMAC-privileged";
|
||||
};
|
||||
rpc.users.public = {
|
||||
name = "publicrpc";
|
||||
# Placeholder to be sed'd out by bitcoind preStart
|
||||
passwordHMAC = "bitcoin-HMAC-public";
|
||||
rpcwhitelist = [
|
||||
"echo"
|
||||
"getinfo"
|
||||
# Blockchain
|
||||
"getbestblockhash"
|
||||
"getblock"
|
||||
"getblockchaininfo"
|
||||
"getblockcount"
|
||||
"getblockfilter"
|
||||
"getblockhash"
|
||||
"getblockheader"
|
||||
"getblockstats"
|
||||
"getchaintips"
|
||||
"getchaintxstats"
|
||||
"getdifficulty"
|
||||
"getmempoolancestors"
|
||||
"getmempooldescendants"
|
||||
"getmempoolentry"
|
||||
"getmempoolinfo"
|
||||
"getrawmempool"
|
||||
"gettxout"
|
||||
"gettxoutproof"
|
||||
"gettxoutsetinfo"
|
||||
"scantxoutset"
|
||||
"verifytxoutproof"
|
||||
# Mining
|
||||
"getblocktemplate"
|
||||
"getmininginfo"
|
||||
"getnetworkhashps"
|
||||
# Network
|
||||
"getnetworkinfo"
|
||||
# Rawtransactions
|
||||
"analyzepsbt"
|
||||
"combinepsbt"
|
||||
"combinerawtransaction"
|
||||
"converttopsbt"
|
||||
"createpsbt"
|
||||
"createrawtransaction"
|
||||
"decodepsbt"
|
||||
"decoderawtransaction"
|
||||
"decodescript"
|
||||
"finalizepsbt"
|
||||
"fundrawtransaction"
|
||||
"getrawtransaction"
|
||||
"joinpsbts"
|
||||
"sendrawtransaction"
|
||||
"signrawtransactionwithkey"
|
||||
"testmempoolaccept"
|
||||
"utxoupdatepsbt"
|
||||
# Util
|
||||
"createmultisig"
|
||||
"deriveaddresses"
|
||||
"estimatesmartfee"
|
||||
"getdescriptorinfo"
|
||||
"signmessagewithprivkey"
|
||||
"validateaddress"
|
||||
"verifymessage"
|
||||
# Zmq
|
||||
"getzmqnotifications"
|
||||
];
|
||||
};
|
||||
};
|
||||
services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };
|
||||
|
||||
|
@ -1,9 +1,15 @@
|
||||
{ pkgs }: with pkgs;
|
||||
|
||||
let
|
||||
rpcauth = pkgs.writeScriptBin "rpcauth" (builtins.readFile ./rpcauth/rpcauth.py);
|
||||
rpcauthSrc = builtins.fetchurl {
|
||||
url = "https://raw.githubusercontent.com/bitcoin/bitcoin/d6cde007db9d3e6ee93bd98a9bbfdce9bfa9b15b/share/rpcauth/rpcauth.py";
|
||||
sha256 = "189mpplam6yzizssrgiyv70c9899ggh8cac76j4n7v0xqzfip07n";
|
||||
};
|
||||
rpcauth = pkgs.writeScriptBin "rpcauth" ''
|
||||
exec ${pkgs.python35}/bin/python ${rpcauthSrc} "$@"
|
||||
'';
|
||||
in
|
||||
writeScript "generate-secrets" ''
|
||||
export PATH=${lib.makeBinPath [ coreutils apg openssl gnugrep rpcauth python35 ]}
|
||||
export PATH=${lib.makeBinPath [ coreutils apg openssl gnugrep rpcauth ]}
|
||||
. ${./generate-secrets.sh} ${./openssl.cnf}
|
||||
''
|
||||
|
@ -5,6 +5,10 @@ opensslConf=${1:-openssl.cnf}
|
||||
makePasswordSecret() {
|
||||
[[ -e $1 ]] || apg -m 20 -x 20 -M Ncl -n 1 > "$1"
|
||||
}
|
||||
makeHMAC() {
|
||||
user=$1
|
||||
rpcauth $user $(cat bitcoin-rpcpassword-$user) | grep rpcauth | cut -d ':' -f 2 > bitcoin-HMAC-$user
|
||||
}
|
||||
|
||||
makePasswordSecret bitcoin-rpcpassword-privileged
|
||||
makePasswordSecret bitcoin-rpcpassword-public
|
||||
@ -14,8 +18,8 @@ makePasswordSecret lightning-charge-token
|
||||
makePasswordSecret spark-wallet-password
|
||||
makePasswordSecret backup-encryption-password
|
||||
|
||||
[[ -e bitcoin-HMAC-privileged ]] || rpcauth privileged $(cat bitcoin-rpcpassword-privileged) | grep rpcauth | cut -d ':' -f 2 > bitcoin-HMAC-privileged
|
||||
[[ -e bitcoin-HMAC-public ]] || rpcauth public $(cat bitcoin-rpcpassword-public) | grep rpcauth | cut -d ':' -f 2 > bitcoin-HMAC-public
|
||||
[[ -e bitcoin-HMAC-privileged ]] || makeHMAC privileged
|
||||
[[ -e bitcoin-HMAC-public ]] || makeHMAC public
|
||||
[[ -e lightning-charge-env ]] || echo "API_TOKEN=$(cat lightning-charge-token)" > lightning-charge-env
|
||||
[[ -e nanopos-env ]] || echo "CHARGE_TOKEN=$(cat lightning-charge-token)" > nanopos-env
|
||||
[[ -e spark-wallet-login ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
|
||||
|
@ -1,46 +0,0 @@
|
||||
#!/usr/bin/env python3
|
||||
# Copyright (c) 2015-2018 The Bitcoin Core developers
|
||||
# Distributed under the MIT software license, see the accompanying
|
||||
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
||||
|
||||
from argparse import ArgumentParser
|
||||
from base64 import urlsafe_b64encode
|
||||
from binascii import hexlify
|
||||
from getpass import getpass
|
||||
from os import urandom
|
||||
|
||||
import hmac
|
||||
|
||||
def generate_salt(size):
|
||||
"""Create size byte hex salt"""
|
||||
return hexlify(urandom(size)).decode()
|
||||
|
||||
def generate_password():
|
||||
"""Create 32 byte b64 password"""
|
||||
return urlsafe_b64encode(urandom(32)).decode('utf-8')
|
||||
|
||||
def password_to_hmac(salt, password):
|
||||
m = hmac.new(bytearray(salt, 'utf-8'), bytearray(password, 'utf-8'), 'SHA256')
|
||||
return m.hexdigest()
|
||||
|
||||
def main():
|
||||
parser = ArgumentParser(description='Create login credentials for a JSON-RPC user')
|
||||
parser.add_argument('username', help='the username for authentication')
|
||||
parser.add_argument('password', help='leave empty to generate a random password or specify "-" to prompt for password', nargs='?')
|
||||
args = parser.parse_args()
|
||||
|
||||
if not args.password:
|
||||
args.password = generate_password()
|
||||
elif args.password == '-':
|
||||
args.password = getpass()
|
||||
|
||||
# Create 16 byte hex salt
|
||||
salt = generate_salt(16)
|
||||
password_hmac = password_to_hmac(salt, args.password)
|
||||
|
||||
print('String to be appended to bitcoin.conf:')
|
||||
print('rpcauth={0}:{1}${2}'.format(args.username, salt, password_hmac))
|
||||
print('Your password:\n{0}'.format(args.password))
|
||||
|
||||
if __name__ == '__main__':
|
||||
main()
|
@ -46,14 +46,12 @@ def run_tests(extra_tests):
|
||||
assert_running("bitcoind")
|
||||
machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
|
||||
assert_matches("su operator -c 'bitcoin-cli getnetworkinfo' | jq", '"version"')
|
||||
# Test RPC Whitelist
|
||||
machine.wait_until_succeeds("su operator -c 'bitcoin-cli help'")
|
||||
# Restating rpcuser & rpcpassword overrides privileged credentials
|
||||
# RPC access for user 'public' should be restricted
|
||||
machine.fail(
|
||||
"bitcoin-cli -rpcuser=publicrpc -rpcpassword=$(cat /secrets/bitcoin-rpcpassword-public) help"
|
||||
"bitcoin-cli -rpcuser=public -rpcpassword=$(cat /secrets/bitcoin-rpcpassword-public) stop"
|
||||
)
|
||||
machine.wait_until_succeeds(
|
||||
log_has_string("bitcoind", "RPC User publicrpc not allowed to call method help")
|
||||
log_has_string("bitcoind", "RPC User public not allowed to call method stop")
|
||||
)
|
||||
|
||||
assert_running("electrs")
|
||||
|
Loading…
Reference in New Issue
Block a user