bitcoind: add rpcwhitelist feature

Default behavior for rpc whitelisting is set to 0, which means that rpcwhitelisting is only enforced for rpc users for whom an `rpcwhitelist` exists.
2020-06-22 12:12:50 +00:00 · 2020-06-22 12:12:50 +00:00 · 1bf45a9547
commit 1bf45a9547
parent 5a978a2836
2 changed files with 73 additions and 1 deletions
--- a/modules/bitcoind.nix
+++ b/modules/bitcoind.nix
@ -28,8 +28,12 @@ let

    # RPC server options
    rpcport=${toString cfg.rpc.port}
+    rpcwhitelistdefault=0
    ${concatMapStringsSep  "\n"
-      (rpcUser: "rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}")
+      (rpcUser: ''
+        rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}
+        ${optionalString (rpcUser.rpcwhitelist != []) "rpcwhitelist=${rpcUser.name}:${lib.strings.concatStringsSep "," rpcUser.rpcwhitelist}"}
+      '')
      (attrValues cfg.rpc.users)
    }
    ${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
@ -118,6 +122,14 @@ in {
                  format <SALT-HEX>$<HMAC-HEX>.
                '';
              };
+              rpcwhitelist = mkOption {
+                type = types.listOf types.str;
+                default = [];
+                description = ''
+                  List of allowed rpc calls for each user.
+                  If empty list, rpcwhitelist is disabled for that user.
+                '';
+              };
            };
            config = {
              name = mkDefault name;
--- a/modules/presets/secure-node.nix
+++ b/modules/presets/secure-node.nix
@ -82,6 +82,66 @@ in {
        name = "publicrpc";
        # Placeholder to be sed'd out by bitcoind preStart
        passwordHMAC = "bitcoin-HMAC-public";
+        rpcwhitelist = [
+          "echo"
+          "getinfo"
+          # Blockchain
+          "getbestblockhash"
+          "getblock"
+          "getblockchaininfo"
+          "getblockcount"
+          "getblockfilter"
+          "getblockhash"
+          "getblockheader"
+          "getblockstats"
+          "getchaintips"
+          "getchaintxstats"
+          "getdifficulty"
+          "getmempoolancestors"
+          "getmempooldescendants"
+          "getmempoolentry"
+          "getmempoolinfo"
+          "getrawmempool"
+          "gettxout"
+          "gettxoutproof"
+          "gettxoutsetinfo"
+          "scantxoutset"
+          "verifytxoutproof"
+          # Mining
+          "getblocktemplate"
+          "getmininginfo"
+          "getnetworkhashps"
+          # Network
+          "getnetworkinfo"
+          # Rawtransactions
+          "analyzepsbt"
+          "combinepsbt"
+          "combinerawtransaction"
+          "converttopsbt"
+          "createpsbt"
+          "createrawtransaction"
+          "decodepsbt"
+          "decoderawtransaction"
+          "decodescript"
+          "finalizepsbt"
+          "fundrawtransaction"
+          "getrawtransaction"
+          "joinpsbts"
+          "sendrawtransaction"
+          "signrawtransactionwithkey"
+          "testmempoolaccept"
+          "utxoupdatepsbt"
+          # Util
+          "createmultisig"
+          "deriveaddresses"
+          "estimatesmartfee"
+          "getdescriptorinfo"
+          "signmessagewithprivkey"
+          "validateaddress"
+          "verifymessage"
+          # Zmq
+          "getzmqnotifications"
+        ];
      };
    };
    services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };