Merge #229: Improve bitcoind RPC user config
9b6a3ec835
generate-secrets: extract fn 'makeHMAC' (Erik Arvstedt)ca18ffb90a
generate-secrets: fetch rpcauth.py from github (Erik Arvstedt)4d6127bb76
bitcoind: clarify RPC whitelist test (Erik Arvstedt)9d610991be
bitcoind: remove custom rpc user names (Erik Arvstedt)1408403dec
bitcoind: clarify how bitcoin-cli RPC access is enabled (Erik Arvstedt)4790c601a1
bitcoind: move rpc user config to bitcoind (Erik Arvstedt)876cfadf1a
bitcoind: add rpc user option 'passwordHMACFromFile' (Erik Arvstedt)59434e79f0
bitcoind: simplify default rpc user name config (Erik Arvstedt)205829b91f
bitcoind: remove whitespace (Erik Arvstedt) Pull request description: ACKs for top commit: nixbitcoin: ACK9b6a3ec835
jonasnick: concept ACK9b6a3ec835
Tree-SHA512: ccb9a8d2dc1f360cc1f0bd77535fa8edfd9afec0a519719103fd059d5912a1ed4960c22ef14df616a731f6a88861fecb8d1653fb71c2288b851e4a02f9f49cb2
This commit is contained in:
commit
1c31208078
61
modules/bitcoind-rpc-public-whitelist.nix
Normal file
61
modules/bitcoind-rpc-public-whitelist.nix
Normal file
@ -0,0 +1,61 @@
|
|||||||
|
# RPC calls that are safe for public use
|
||||||
|
[
|
||||||
|
"echo"
|
||||||
|
"getinfo"
|
||||||
|
# Blockchain
|
||||||
|
"getbestblockhash"
|
||||||
|
"getblock"
|
||||||
|
"getblockchaininfo"
|
||||||
|
"getblockcount"
|
||||||
|
"getblockfilter"
|
||||||
|
"getblockhash"
|
||||||
|
"getblockheader"
|
||||||
|
"getblockstats"
|
||||||
|
"getchaintips"
|
||||||
|
"getchaintxstats"
|
||||||
|
"getdifficulty"
|
||||||
|
"getmempoolancestors"
|
||||||
|
"getmempooldescendants"
|
||||||
|
"getmempoolentry"
|
||||||
|
"getmempoolinfo"
|
||||||
|
"getrawmempool"
|
||||||
|
"gettxout"
|
||||||
|
"gettxoutproof"
|
||||||
|
"gettxoutsetinfo"
|
||||||
|
"scantxoutset"
|
||||||
|
"verifytxoutproof"
|
||||||
|
# Mining
|
||||||
|
"getblocktemplate"
|
||||||
|
"getmininginfo"
|
||||||
|
"getnetworkhashps"
|
||||||
|
# Network
|
||||||
|
"getnetworkinfo"
|
||||||
|
# Rawtransactions
|
||||||
|
"analyzepsbt"
|
||||||
|
"combinepsbt"
|
||||||
|
"combinerawtransaction"
|
||||||
|
"converttopsbt"
|
||||||
|
"createpsbt"
|
||||||
|
"createrawtransaction"
|
||||||
|
"decodepsbt"
|
||||||
|
"decoderawtransaction"
|
||||||
|
"decodescript"
|
||||||
|
"finalizepsbt"
|
||||||
|
"fundrawtransaction"
|
||||||
|
"getrawtransaction"
|
||||||
|
"joinpsbts"
|
||||||
|
"sendrawtransaction"
|
||||||
|
"signrawtransactionwithkey"
|
||||||
|
"testmempoolaccept"
|
||||||
|
"utxoupdatepsbt"
|
||||||
|
# Util
|
||||||
|
"createmultisig"
|
||||||
|
"deriveaddresses"
|
||||||
|
"estimatesmartfee"
|
||||||
|
"getdescriptorinfo"
|
||||||
|
"signmessagewithprivkey"
|
||||||
|
"validateaddress"
|
||||||
|
"verifymessage"
|
||||||
|
# Zmq
|
||||||
|
"getzmqnotifications"
|
||||||
|
]
|
@ -30,17 +30,14 @@ let
|
|||||||
${optionalString (cfg.rpcthreads != null) "rpcthreads=${toString cfg.rpcthreads}"}
|
${optionalString (cfg.rpcthreads != null) "rpcthreads=${toString cfg.rpcthreads}"}
|
||||||
rpcport=${toString cfg.rpc.port}
|
rpcport=${toString cfg.rpc.port}
|
||||||
rpcwhitelistdefault=0
|
rpcwhitelistdefault=0
|
||||||
${concatMapStringsSep "\n"
|
${concatMapStrings (user: ''
|
||||||
(rpcUser: ''
|
${optionalString (!user.passwordHMACFromFile) "rpcauth=${user.name}:${passwordHMAC}"}
|
||||||
rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}
|
${optionalString (user.rpcwhitelist != [])
|
||||||
${optionalString (rpcUser.rpcwhitelist != []) "rpcwhitelist=${rpcUser.name}:${lib.strings.concatStringsSep "," rpcUser.rpcwhitelist}"}
|
"rpcwhitelist=${user.name}:${lib.strings.concatStringsSep "," user.rpcwhitelist}"}
|
||||||
'')
|
'') (builtins.attrValues cfg.rpc.users)
|
||||||
(attrValues cfg.rpc.users)
|
|
||||||
}
|
}
|
||||||
${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
|
${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
|
||||||
${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
|
${lib.concatMapStrings (rpcallowip: "rpcallowip=${rpcallowip}\n") cfg.rpcallowip}
|
||||||
# Credentials for bitcoin-cli
|
|
||||||
rpcuser=${cfg.rpc.users.privileged.name}
|
|
||||||
|
|
||||||
# Wallet options
|
# Wallet options
|
||||||
${optionalString (cfg.addresstype != null) "addresstype=${cfg.addresstype}"}
|
${optionalString (cfg.addresstype != null) "addresstype=${cfg.addresstype}"}
|
||||||
@ -109,6 +106,7 @@ in {
|
|||||||
options = {
|
options = {
|
||||||
name = mkOption {
|
name = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
|
default = name;
|
||||||
example = "alice";
|
example = "alice";
|
||||||
description = ''
|
description = ''
|
||||||
Username for JSON-RPC connections.
|
Username for JSON-RPC connections.
|
||||||
@ -122,6 +120,11 @@ in {
|
|||||||
format <SALT-HEX>$<HMAC-HEX>.
|
format <SALT-HEX>$<HMAC-HEX>.
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
passwordHMACFromFile = mkOption {
|
||||||
|
type = lib.types.bool;
|
||||||
|
internal = true;
|
||||||
|
default = false;
|
||||||
|
};
|
||||||
rpcwhitelist = mkOption {
|
rpcwhitelist = mkOption {
|
||||||
type = types.listOf types.str;
|
type = types.listOf types.str;
|
||||||
default = [];
|
default = [];
|
||||||
@ -131,9 +134,6 @@ in {
|
|||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
config = {
|
|
||||||
name = mkDefault name;
|
|
||||||
};
|
|
||||||
}));
|
}));
|
||||||
description = ''
|
description = ''
|
||||||
RPC user information for JSON-RPC connections.
|
RPC user information for JSON-RPC connections.
|
||||||
@ -283,10 +283,21 @@ in {
|
|||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
|
environment.systemPackages = [ cfg.package (hiPrio cfg.cli) ];
|
||||||
|
|
||||||
services.bitcoind = mkIf cfg.dataDirReadableByGroup {
|
services.bitcoind = mkMerge [
|
||||||
|
(mkIf cfg.dataDirReadableByGroup {
|
||||||
disablewallet = true;
|
disablewallet = true;
|
||||||
sysperms = true;
|
sysperms = true;
|
||||||
|
})
|
||||||
|
{
|
||||||
|
rpc.users.privileged = {
|
||||||
|
passwordHMACFromFile = true;
|
||||||
};
|
};
|
||||||
|
rpc.users.public = {
|
||||||
|
passwordHMACFromFile = true;
|
||||||
|
rpcwhitelist = import ./bitcoind-rpc-public-whitelist.nix;
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
"d '${cfg.dataDir}' 0770 ${cfg.user} ${cfg.group} - -"
|
||||||
@ -298,13 +309,21 @@ in {
|
|||||||
requires = [ "nix-bitcoin-secrets.target" ];
|
requires = [ "nix-bitcoin-secrets.target" ];
|
||||||
after = [ "network.target" "nix-bitcoin-secrets.target" ];
|
after = [ "network.target" "nix-bitcoin-secrets.target" ];
|
||||||
wantedBy = [ "multi-user.target" ];
|
wantedBy = [ "multi-user.target" ];
|
||||||
preStart = ''
|
preStart = let
|
||||||
|
extraRpcauth = concatMapStrings (name: let
|
||||||
|
user = cfg.rpc.users.${name};
|
||||||
|
in optionalString user.passwordHMACFromFile ''
|
||||||
|
echo "rpcauth=${user.name}:$(cat ${secretsDir}/bitcoin-HMAC-${name})"
|
||||||
|
''
|
||||||
|
) (builtins.attrNames cfg.rpc.users);
|
||||||
|
in ''
|
||||||
${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"}
|
${optionalString cfg.dataDirReadableByGroup "chmod -R g+rX '${cfg.dataDir}/blocks'"}
|
||||||
|
cfg=$(
|
||||||
cfgpre=$(cat ${configFile}; printf "rpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged")
|
cat ${configFile};
|
||||||
cfg=$(echo "$cfgpre" | \
|
${extraRpcauth}
|
||||||
sed "s/bitcoin-HMAC-privileged/$(cat ${secretsDir}/bitcoin-HMAC-privileged)/g" | \
|
${/* Enable bitcoin-cli for group 'bitcoin' */ ""}
|
||||||
sed "s/bitcoin-HMAC-public/$(cat ${secretsDir}/bitcoin-HMAC-public)/g")
|
printf "rpcuser=${cfg.rpc.users.privileged.name}\nrpcpassword="; cat "${secretsDir}/bitcoin-rpcpassword-privileged";
|
||||||
|
)
|
||||||
confFile='${cfg.dataDir}/bitcoin.conf'
|
confFile='${cfg.dataDir}/bitcoin.conf'
|
||||||
if [[ ! -e $confFile || $cfg != $(cat $confFile) ]]; then
|
if [[ ! -e $confFile || $cfg != $(cat $confFile) ]]; then
|
||||||
install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
|
install -o '${cfg.user}' -g '${cfg.group}' -m 640 <(echo "$cfg") $confFile
|
||||||
|
@ -75,76 +75,6 @@ in {
|
|||||||
# higher rpcthread count due to reports that lightning implementations fail
|
# higher rpcthread count due to reports that lightning implementations fail
|
||||||
# under high bitcoind rpc load
|
# under high bitcoind rpc load
|
||||||
rpcthreads = 16;
|
rpcthreads = 16;
|
||||||
rpc.users.privileged = {
|
|
||||||
name = "bitcoinrpc";
|
|
||||||
# Placeholder to be sed'd out by bitcoind preStart
|
|
||||||
passwordHMAC = "bitcoin-HMAC-privileged";
|
|
||||||
};
|
|
||||||
rpc.users.public = {
|
|
||||||
name = "publicrpc";
|
|
||||||
# Placeholder to be sed'd out by bitcoind preStart
|
|
||||||
passwordHMAC = "bitcoin-HMAC-public";
|
|
||||||
rpcwhitelist = [
|
|
||||||
"echo"
|
|
||||||
"getinfo"
|
|
||||||
# Blockchain
|
|
||||||
"getbestblockhash"
|
|
||||||
"getblock"
|
|
||||||
"getblockchaininfo"
|
|
||||||
"getblockcount"
|
|
||||||
"getblockfilter"
|
|
||||||
"getblockhash"
|
|
||||||
"getblockheader"
|
|
||||||
"getblockstats"
|
|
||||||
"getchaintips"
|
|
||||||
"getchaintxstats"
|
|
||||||
"getdifficulty"
|
|
||||||
"getmempoolancestors"
|
|
||||||
"getmempooldescendants"
|
|
||||||
"getmempoolentry"
|
|
||||||
"getmempoolinfo"
|
|
||||||
"getrawmempool"
|
|
||||||
"gettxout"
|
|
||||||
"gettxoutproof"
|
|
||||||
"gettxoutsetinfo"
|
|
||||||
"scantxoutset"
|
|
||||||
"verifytxoutproof"
|
|
||||||
# Mining
|
|
||||||
"getblocktemplate"
|
|
||||||
"getmininginfo"
|
|
||||||
"getnetworkhashps"
|
|
||||||
# Network
|
|
||||||
"getnetworkinfo"
|
|
||||||
# Rawtransactions
|
|
||||||
"analyzepsbt"
|
|
||||||
"combinepsbt"
|
|
||||||
"combinerawtransaction"
|
|
||||||
"converttopsbt"
|
|
||||||
"createpsbt"
|
|
||||||
"createrawtransaction"
|
|
||||||
"decodepsbt"
|
|
||||||
"decoderawtransaction"
|
|
||||||
"decodescript"
|
|
||||||
"finalizepsbt"
|
|
||||||
"fundrawtransaction"
|
|
||||||
"getrawtransaction"
|
|
||||||
"joinpsbts"
|
|
||||||
"sendrawtransaction"
|
|
||||||
"signrawtransactionwithkey"
|
|
||||||
"testmempoolaccept"
|
|
||||||
"utxoupdatepsbt"
|
|
||||||
# Util
|
|
||||||
"createmultisig"
|
|
||||||
"deriveaddresses"
|
|
||||||
"estimatesmartfee"
|
|
||||||
"getdescriptorinfo"
|
|
||||||
"signmessagewithprivkey"
|
|
||||||
"validateaddress"
|
|
||||||
"verifymessage"
|
|
||||||
# Zmq
|
|
||||||
"getzmqnotifications"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };
|
services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };
|
||||||
|
|
||||||
|
@ -1,9 +1,15 @@
|
|||||||
{ pkgs }: with pkgs;
|
{ pkgs }: with pkgs;
|
||||||
|
|
||||||
let
|
let
|
||||||
rpcauth = pkgs.writeScriptBin "rpcauth" (builtins.readFile ./rpcauth/rpcauth.py);
|
rpcauthSrc = builtins.fetchurl {
|
||||||
|
url = "https://raw.githubusercontent.com/bitcoin/bitcoin/d6cde007db9d3e6ee93bd98a9bbfdce9bfa9b15b/share/rpcauth/rpcauth.py";
|
||||||
|
sha256 = "189mpplam6yzizssrgiyv70c9899ggh8cac76j4n7v0xqzfip07n";
|
||||||
|
};
|
||||||
|
rpcauth = pkgs.writeScriptBin "rpcauth" ''
|
||||||
|
exec ${pkgs.python35}/bin/python ${rpcauthSrc} "$@"
|
||||||
|
'';
|
||||||
in
|
in
|
||||||
writeScript "generate-secrets" ''
|
writeScript "generate-secrets" ''
|
||||||
export PATH=${lib.makeBinPath [ coreutils apg openssl gnugrep rpcauth python35 ]}
|
export PATH=${lib.makeBinPath [ coreutils apg openssl gnugrep rpcauth ]}
|
||||||
. ${./generate-secrets.sh} ${./openssl.cnf}
|
. ${./generate-secrets.sh} ${./openssl.cnf}
|
||||||
''
|
''
|
||||||
|
@ -5,6 +5,10 @@ opensslConf=${1:-openssl.cnf}
|
|||||||
makePasswordSecret() {
|
makePasswordSecret() {
|
||||||
[[ -e $1 ]] || apg -m 20 -x 20 -M Ncl -n 1 > "$1"
|
[[ -e $1 ]] || apg -m 20 -x 20 -M Ncl -n 1 > "$1"
|
||||||
}
|
}
|
||||||
|
makeHMAC() {
|
||||||
|
user=$1
|
||||||
|
rpcauth $user $(cat bitcoin-rpcpassword-$user) | grep rpcauth | cut -d ':' -f 2 > bitcoin-HMAC-$user
|
||||||
|
}
|
||||||
|
|
||||||
makePasswordSecret bitcoin-rpcpassword-privileged
|
makePasswordSecret bitcoin-rpcpassword-privileged
|
||||||
makePasswordSecret bitcoin-rpcpassword-public
|
makePasswordSecret bitcoin-rpcpassword-public
|
||||||
@ -14,8 +18,8 @@ makePasswordSecret lightning-charge-token
|
|||||||
makePasswordSecret spark-wallet-password
|
makePasswordSecret spark-wallet-password
|
||||||
makePasswordSecret backup-encryption-password
|
makePasswordSecret backup-encryption-password
|
||||||
|
|
||||||
[[ -e bitcoin-HMAC-privileged ]] || rpcauth privileged $(cat bitcoin-rpcpassword-privileged) | grep rpcauth | cut -d ':' -f 2 > bitcoin-HMAC-privileged
|
[[ -e bitcoin-HMAC-privileged ]] || makeHMAC privileged
|
||||||
[[ -e bitcoin-HMAC-public ]] || rpcauth public $(cat bitcoin-rpcpassword-public) | grep rpcauth | cut -d ':' -f 2 > bitcoin-HMAC-public
|
[[ -e bitcoin-HMAC-public ]] || makeHMAC public
|
||||||
[[ -e lightning-charge-env ]] || echo "API_TOKEN=$(cat lightning-charge-token)" > lightning-charge-env
|
[[ -e lightning-charge-env ]] || echo "API_TOKEN=$(cat lightning-charge-token)" > lightning-charge-env
|
||||||
[[ -e nanopos-env ]] || echo "CHARGE_TOKEN=$(cat lightning-charge-token)" > nanopos-env
|
[[ -e nanopos-env ]] || echo "CHARGE_TOKEN=$(cat lightning-charge-token)" > nanopos-env
|
||||||
[[ -e spark-wallet-login ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
|
[[ -e spark-wallet-login ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
|
||||||
|
@ -1,46 +0,0 @@
|
|||||||
#!/usr/bin/env python3
|
|
||||||
# Copyright (c) 2015-2018 The Bitcoin Core developers
|
|
||||||
# Distributed under the MIT software license, see the accompanying
|
|
||||||
# file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
|
||||||
|
|
||||||
from argparse import ArgumentParser
|
|
||||||
from base64 import urlsafe_b64encode
|
|
||||||
from binascii import hexlify
|
|
||||||
from getpass import getpass
|
|
||||||
from os import urandom
|
|
||||||
|
|
||||||
import hmac
|
|
||||||
|
|
||||||
def generate_salt(size):
|
|
||||||
"""Create size byte hex salt"""
|
|
||||||
return hexlify(urandom(size)).decode()
|
|
||||||
|
|
||||||
def generate_password():
|
|
||||||
"""Create 32 byte b64 password"""
|
|
||||||
return urlsafe_b64encode(urandom(32)).decode('utf-8')
|
|
||||||
|
|
||||||
def password_to_hmac(salt, password):
|
|
||||||
m = hmac.new(bytearray(salt, 'utf-8'), bytearray(password, 'utf-8'), 'SHA256')
|
|
||||||
return m.hexdigest()
|
|
||||||
|
|
||||||
def main():
|
|
||||||
parser = ArgumentParser(description='Create login credentials for a JSON-RPC user')
|
|
||||||
parser.add_argument('username', help='the username for authentication')
|
|
||||||
parser.add_argument('password', help='leave empty to generate a random password or specify "-" to prompt for password', nargs='?')
|
|
||||||
args = parser.parse_args()
|
|
||||||
|
|
||||||
if not args.password:
|
|
||||||
args.password = generate_password()
|
|
||||||
elif args.password == '-':
|
|
||||||
args.password = getpass()
|
|
||||||
|
|
||||||
# Create 16 byte hex salt
|
|
||||||
salt = generate_salt(16)
|
|
||||||
password_hmac = password_to_hmac(salt, args.password)
|
|
||||||
|
|
||||||
print('String to be appended to bitcoin.conf:')
|
|
||||||
print('rpcauth={0}:{1}${2}'.format(args.username, salt, password_hmac))
|
|
||||||
print('Your password:\n{0}'.format(args.password))
|
|
||||||
|
|
||||||
if __name__ == '__main__':
|
|
||||||
main()
|
|
@ -46,14 +46,12 @@ def run_tests(extra_tests):
|
|||||||
assert_running("bitcoind")
|
assert_running("bitcoind")
|
||||||
machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
|
machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
|
||||||
assert_matches("su operator -c 'bitcoin-cli getnetworkinfo' | jq", '"version"')
|
assert_matches("su operator -c 'bitcoin-cli getnetworkinfo' | jq", '"version"')
|
||||||
# Test RPC Whitelist
|
# RPC access for user 'public' should be restricted
|
||||||
machine.wait_until_succeeds("su operator -c 'bitcoin-cli help'")
|
|
||||||
# Restating rpcuser & rpcpassword overrides privileged credentials
|
|
||||||
machine.fail(
|
machine.fail(
|
||||||
"bitcoin-cli -rpcuser=publicrpc -rpcpassword=$(cat /secrets/bitcoin-rpcpassword-public) help"
|
"bitcoin-cli -rpcuser=public -rpcpassword=$(cat /secrets/bitcoin-rpcpassword-public) stop"
|
||||||
)
|
)
|
||||||
machine.wait_until_succeeds(
|
machine.wait_until_succeeds(
|
||||||
log_has_string("bitcoind", "RPC User publicrpc not allowed to call method help")
|
log_has_string("bitcoind", "RPC User public not allowed to call method stop")
|
||||||
)
|
)
|
||||||
|
|
||||||
assert_running("electrs")
|
assert_running("electrs")
|
||||||
|
Loading…
Reference in New Issue
Block a user