Added additional config option for multiple RPC users.
This commit is contained in:
parent
e54ebbf600
commit
d52fbf00e3
@ -78,6 +78,7 @@ testScripts = [
|
|||||||
'mempool_spendcoinbase.py',
|
'mempool_spendcoinbase.py',
|
||||||
'mempool_coinbase_spends.py',
|
'mempool_coinbase_spends.py',
|
||||||
'httpbasics.py',
|
'httpbasics.py',
|
||||||
|
'multi_rpc.py',
|
||||||
'zapwallettxes.py',
|
'zapwallettxes.py',
|
||||||
'proxy_test.py',
|
'proxy_test.py',
|
||||||
'merkle_blocks.py',
|
'merkle_blocks.py',
|
||||||
|
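--- /dev/null
+++ b/qa/rpc-tests/multi_rpc.py
@@ -0,0 +1,122 @@
+#!/usr/bin/env python2
+# Copyright (c) 2015 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+#
+# Test mulitple rpc user config option rpcauth
+#
+
+from test_framework.test_framework import BitcoinTestFramework
+from test_framework.util import *
+import base64
+
+try:
+import http.client as httplib
+except ImportError:
+import httplib
+try:
+import urllib.parse as urlparse
+except ImportError:
+import urlparse
+
+class HTTPBasicsTest (BitcoinTestFramework):
+def setup_nodes(self):
+return start_nodes(4, self.options.tmpdir)
+
+def setup_chain(self):
+print("Initializing test directory "+self.options.tmpdir)
+initialize_chain(self.options.tmpdir)
+#Append rpcauth to bitcoin.conf before initialization
+rpcauth = "rpcauth=rt:93648e835a54c573682c2eb19f882535$7681e9c5b74bdd85e78166031d2058e1069b3ed7ed967c93fc63abba06f31144"
+rpcauth2 = "rpcauth=rt2:f8607b1a88861fac29dfccf9b52ff9f$ff36a0c23c8c62b4846112e50fa888416e94c17bfd4c42f88fd8f55ec6a3137e"
+with open(os.path.join(self.options.tmpdir+"/node0", "bitcoin.conf"), 'a') as f:
+f.write(rpcauth+"\n")
+f.write(rpcauth2+"\n")
+
+def run_test(self):
+
+##################################################
+# Check correctness of the rpcauth config option #
+##################################################
+url = urlparse.urlparse(self.nodes[0].url)
+
+#Old authpair
+authpair = url.username + ':' + url.password
+
+#New authpair generated via contrib/rpcuser tool
+rpcauth = "rpcauth=rt:93648e835a54c573682c2eb19f882535$7681e9c5b74bdd85e78166031d2058e1069b3ed7ed967c93fc63abba06f31144"
+password = "cA773lm788buwYe4g4WT+05pKyNruVKjQ25x3n0DQcM="
+
+#Second authpair with different username
+rpcauth2 = "rpcauth=rt2:f8607b1a88861fac29dfccf9b52ff9f$ff36a0c23c8c62b4846112e50fa888416e94c17bfd4c42f88fd8f55ec6a3137e"
+password2 = "8/F3uMDw4KSEbw96U3CA1C4X05dkHDN2BPFjTgZW4KI="
+authpairnew = "rt:"+password
+
+headers = {"Authorization": "Basic " + base64.b64encode(authpair)}
+
+conn = httplib.HTTPConnection(url.hostname, url.port)
+conn.connect()
+conn.request('POST', '/', '{"method": "getbestblockhash"}', headers)
+resp = conn.getresponse()
+assert_equal(resp.status==401, False)
+conn.close()
+
+#Use new authpair to confirm both work
+headers = {"Authorization": "Basic " + base64.b64encode(authpairnew)}
+
+conn = httplib.HTTPConnection(url.hostname, url.port)
+conn.connect()
+conn.request('POST', '/', '{"method": "getbestblockhash"}', headers)
+resp = conn.getresponse()
+assert_equal(resp.status==401, False)
+conn.close()
+
+#Wrong login name with rt's password
+authpairnew = "rtwrong:"+password
+headers = {"Authorization": "Basic " + base64.b64encode(authpairnew)}
+
+conn = httplib.HTTPConnection(url.hostname, url.port)
+conn.connect()
+conn.request('POST', '/', '{"method": "getbestblockhash"}', headers)
+resp = conn.getresponse()
+assert_equal(resp.status==401, True)
+conn.close()
+
+#Wrong password for rt
+authpairnew = "rt:"+password+"wrong"
+headers = {"Authorization": "Basic " + base64.b64encode(authpairnew)}
+
+conn = httplib.HTTPConnection(url.hostname, url.port)
+conn.connect()
+conn.request('POST', '/', '{"method": "getbestblockhash"}', headers)
+resp = conn.getresponse()
+assert_equal(resp.status==401, True)
+conn.close()
+
+#Correct for rt2
+authpairnew = "rt2:"+password2
+headers = {"Authorization": "Basic " + base64.b64encode(authpairnew)}
+
+conn = httplib.HTTPConnection(url.hostname, url.port)
+conn.connect()
+conn.request('POST', '/', '{"method": "getbestblockhash"}', headers)
+resp = conn.getresponse()
+assert_equal(resp.status==401, False)
+conn.close()
+
+#Wrong password for rt2
+authpairnew = "rt2:"+password2+"wrong"
+headers = {"Authorization": "Basic " + base64.b64encode(authpairnew)}
+
+conn = httplib.HTTPConnection(url.hostname, url.port)
+conn.connect()
+conn.request('POST', '/', '{"method": "getbestblockhash"}', headers)
+resp = conn.getresponse()
+assert_equal(resp.status==401, True)
+conn.close()
+
+
+
+if __name__ == '__main__':
+HTTPBasicsTest ().main ()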
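Review bot: The four success-path checks use `assert_equal(resp.status==401, False)`, which accepts any status other than 401 (a 404 or a 500 would pass as "authorized"); asserting the positive outcome, `assert_equal(resp.status, 200)`, pins what the comment "Use new authpair to confirm both work" actually claims, while the rejection checks against 401 are fine as written. The file carries Python 3 import shims for `http.client` and `urllib.parse`, yet `base64.b64encode(authpair)` is handed a `str`, which only works under the python2 shebang; if py3 is meant to run this test the pair needs encoding first, `base64.b64encode(authpairnew.encode()).decode()`. The header comment spells "mulitple", and "New authpair generated via contrib/rpcuser tool" points at `contrib/` while the generator added by this commit lives in `share/rpcuser`. The second fixture's salt (`f8607b1a88861fac29dfccf9b52ff9f`) is 31 hex characters, which is a visible side effect of the generator's unpadded `hex()` encoding rather than a problem in this test.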
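--- /dev/null
+++ b/share/rpcuser/README.md
@@ -0,0 +1,11 @@
+RPC Tools
+---------------------
+
+### [RPCUser](/share/rpcuser) ###
+
+Create an RPC user login credential.
+
+Usage:
+
+./rpcuser.py <username>
+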
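--- /dev/null
+++ b/share/rpcuser/rpcuser.py
@@ -0,0 +1,41 @@
+#!/usr/bin/env python2
+# Copyright (c) 2015 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+import hashlib
+import sys
+import os
+from random import SystemRandom
+import base64
+import hmac
+
+if len(sys.argv) < 2:
+sys.stderr.write('Please include username as an argument.\n')
+sys.exit(0)
+
+username = sys.argv[1]
+
+#This uses os.urandom() underneath
+cryptogen = SystemRandom()
+
+#Create 16 byte hex salt
+salt_sequence = [cryptogen.randrange(256) for i in range(16)]
+hexseq = list(map(hex, salt_sequence))
+salt = "".join([x[2:] for x in hexseq])
+
+#Create 32 byte b64 password
+password = base64.urlsafe_b64encode(os.urandom(32))
+
+digestmod = hashlib.sha256
+
+if sys.version_info.major >= 3:
+password = password.decode('utf-8')
+digestmod = 'SHA256'
+
+m = hmac.new(bytearray(salt, 'utf-8'), bytearray(password, 'utf-8'), digestmod)
+result = m.hexdigest()
+
+print("String to be appended to bitcoin.conf:")
+print("rpcauth="+username+":"+salt+"$"+result)
+print("Your password:\n"+password)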
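Review bot: The usage-error branch calls `sys.exit(0)`, so a missing username reports success to the shell even though no credential was produced; `sys.exit(1)` is the conventional exit status for a usage error. The salt is assembled from `hex(x)[2:]`, which yields a single digit for byte values below 0x10, so the "16 byte hex salt" is usually shorter than 32 characters and the encoding is not a faithful byte-to-hex mapping (0x01 followed by 0x0a and 0x1a both render as `1a`); `salt = "".join("%02x" % b for b in salt_sequence)` produces a fixed-width salt from the same 16 random bytes, and `hexseq` then becomes unnecessary. This is a consistency point between the comment and the output rather than a weakness in the generated credential, since the 16 bytes still come from `SystemRandom`. The password is written to stdout once and is not stored anywhere by the script; a sentence saying so in share/rpcuser/README.md would save users from re-running the tool expecting to recover it.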
@ -10,8 +10,12 @@
|
|||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "utilstrencodings.h"
|
#include "utilstrencodings.h"
|
||||||
#include "ui_interface.h"
|
#include "ui_interface.h"
|
||||||
|
#include "crypto/hmac_sha256.h"
|
||||||
|
#include <stdio.h>
|
||||||
|
#include "utilstrencodings.h"
|
||||||
|
|
||||||
#include <boost/algorithm/string.hpp> // boost::trim
|
#include <boost/algorithm/string.hpp> // boost::trim
|
||||||
|
#include <boost/foreach.hpp> //BOOST_FOREACH
|
||||||
|
|
||||||
/** Simple one-shot callback timer to be used by the RPC mechanism to e.g.
|
/** Simple one-shot callback timer to be used by the RPC mechanism to e.g.
|
||||||
* re-lock the wellet.
|
* re-lock the wellet.
|
||||||
@ -72,6 +76,50 @@ static void JSONErrorReply(HTTPRequest* req, const UniValue& objError, const Uni
|
|||||||
req->WriteReply(nStatus, strReply);
|
req->WriteReply(nStatus, strReply);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
//This function checks username and password against -rpcauth
|
||||||
|
//entries from config file.
|
||||||
|
static bool multiUserAuthorized(std::string strUserPass)
|
||||||
|
{
|
||||||
|
if (strUserPass.find(":") == std::string::npos) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
std::string strUser = strUserPass.substr(0, strUserPass.find(":"));
|
||||||
|
std::string strPass = strUserPass.substr(strUserPass.find(":") + 1);
|
||||||
|
|
||||||
|
if (mapMultiArgs.count("-rpcauth") > 0) {
|
||||||
|
//Search for multi-user login/pass "rpcauth" from config
|
||||||
|
BOOST_FOREACH(std::string strRPCAuth, mapMultiArgs["-rpcauth"])
|
||||||
|
{
|
||||||
|
std::vector<std::string> vFields;
|
||||||
|
boost::split(vFields, strRPCAuth, boost::is_any_of(":$"));
|
||||||
|
if (vFields.size() != 3) {
|
||||||
|
//Incorrect formatting in config file
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
std::string strName = vFields[0];
|
||||||
|
if (!TimingResistantEqual(strName, strUser)) {
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
std::string strSalt = vFields[1];
|
||||||
|
std::string strHash = vFields[2];
|
||||||
|
|
||||||
|
unsigned int KEY_SIZE = 32;
|
||||||
|
unsigned char *out = new unsigned char[KEY_SIZE];
|
||||||
|
|
||||||
|
CHMAC_SHA256(reinterpret_cast<const unsigned char*>(strSalt.c_str()), strSalt.size()).Write(reinterpret_cast<const unsigned char*>(strPass.c_str()), strPass.size()).Finalize(out);
|
||||||
|
std::vector<unsigned char> hexvec(out, out+KEY_SIZE);
|
||||||
|
std::string strHashFromPass = HexStr(hexvec);
|
||||||
|
|
||||||
|
if (TimingResistantEqual(strHashFromPass, strHash)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
static bool RPCAuthorized(const std::string& strAuth)
|
static bool RPCAuthorized(const std::string& strAuth)
|
||||||
{
|
{
|
||||||
if (strRPCUserColonPass.empty()) // Belt-and-suspenders measure if InitRPCAuthentication was not called
|
if (strRPCUserColonPass.empty()) // Belt-and-suspenders measure if InitRPCAuthentication was not called
|
||||||
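Review bot: `out` in multiUserAuthorized is allocated with `new unsigned char[KEY_SIZE]` and never freed, so every authentication attempt that reaches the HMAC leaks 32 bytes; an automatic buffer is all that is needed here, `const unsigned int KEY_SIZE = 32;` followed by `unsigned char out[KEY_SIZE];`, with the `hexvec` construction left unchanged. `strUserPass.find(":")` is evaluated three times in the prologue; a single `size_t colon = strUserPass.find(':');` reused for the check and both `substr` calls reads more clearly, and the parameter could be `const std::string&` since it is never modified. Because the digest is computed only after `TimingResistantEqual(strName, strUser)` succeeds, a request with an unknown username returns faster than one with a known username and wrong password; whether that difference matters for the RPC interface is a judgment call, and computing the HMAC before the name comparison would close the gap if it does. Separately, the deprecation `LogPrintf` in the InitRPCAuthentication hunk further down ends without `\n`; LogPrintf does not append one, so the next log entry will be joined onto the same line.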
@ -81,7 +129,12 @@ static bool RPCAuthorized(const std::string& strAuth)
|
|||||||
std::string strUserPass64 = strAuth.substr(6);
|
std::string strUserPass64 = strAuth.substr(6);
|
||||||
boost::trim(strUserPass64);
|
boost::trim(strUserPass64);
|
||||||
std::string strUserPass = DecodeBase64(strUserPass64);
|
std::string strUserPass = DecodeBase64(strUserPass64);
|
||||||
return TimingResistantEqual(strUserPass, strRPCUserColonPass);
|
|
||||||
|
//Check if authorized under single-user field
|
||||||
|
if (TimingResistantEqual(strUserPass, strRPCUserColonPass)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
return multiUserAuthorized(strUserPass);
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool HTTPReq_JSONRPC(HTTPRequest* req, const std::string &)
|
static bool HTTPReq_JSONRPC(HTTPRequest* req, const std::string &)
|
||||||
@ -157,6 +210,7 @@ static bool InitRPCAuthentication()
|
|||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
} else {
|
} else {
|
||||||
|
LogPrintf("Config options rpcuser and rpcpassword will soon be deprecated. Locally-run instances may remove rpcuser to use cookie-based auth, or may be replaced with rpcauth. Please see share/rpcuser for rpcauth auth generation.");
|
||||||
strRPCUserColonPass = mapArgs["-rpcuser"] + ":" + mapArgs["-rpcpassword"];
|
strRPCUserColonPass = mapArgs["-rpcuser"] + ":" + mapArgs["-rpcpassword"];
|
||||||
}
|
}
|
||||||
return true;
|
return true;
|
||||||
|
@ -482,6 +482,7 @@ std::string HelpMessage(HelpMessageMode mode)
|
|||||||
strUsage += HelpMessageOpt("-rpcbind=<addr>", _("Bind to given address to listen for JSON-RPC connections. Use [host]:port notation for IPv6. This option can be specified multiple times (default: bind to all interfaces)"));
|
strUsage += HelpMessageOpt("-rpcbind=<addr>", _("Bind to given address to listen for JSON-RPC connections. Use [host]:port notation for IPv6. This option can be specified multiple times (default: bind to all interfaces)"));
|
||||||
strUsage += HelpMessageOpt("-rpcuser=<user>", _("Username for JSON-RPC connections"));
|
strUsage += HelpMessageOpt("-rpcuser=<user>", _("Username for JSON-RPC connections"));
|
||||||
strUsage += HelpMessageOpt("-rpcpassword=<pw>", _("Password for JSON-RPC connections"));
|
strUsage += HelpMessageOpt("-rpcpassword=<pw>", _("Password for JSON-RPC connections"));
|
||||||
|
strUsage += HelpMessageOpt("-rpcauth=<userpw>", _("Username and hashed password for JSON-RPC connections. The field <userpw> comes in the format: <USERNAME>:<SALT>$<HASH>. A canonical python script is included in share/rpcuser. This option can be specified multiple times"));
|
||||||
strUsage += HelpMessageOpt("-rpcport=<port>", strprintf(_("Listen for JSON-RPC connections on <port> (default: %u or testnet: %u)"), 8332, 18332));
|
strUsage += HelpMessageOpt("-rpcport=<port>", strprintf(_("Listen for JSON-RPC connections on <port> (default: %u or testnet: %u)"), 8332, 18332));
|
||||||
strUsage += HelpMessageOpt("-rpcallowip=<ip>", _("Allow JSON-RPC connections from specified source. Valid for <ip> are a single IP (e.g. 1.2.3.4), a network/netmask (e.g. 1.2.3.4/255.255.255.0) or a network/CIDR (e.g. 1.2.3.4/24). This option can be specified multiple times"));
|
strUsage += HelpMessageOpt("-rpcallowip=<ip>", _("Allow JSON-RPC connections from specified source. Valid for <ip> are a single IP (e.g. 1.2.3.4), a network/netmask (e.g. 1.2.3.4/255.255.255.0) or a network/CIDR (e.g. 1.2.3.4/24). This option can be specified multiple times"));
|
||||||
strUsage += HelpMessageOpt("-rpcthreads=<n>", strprintf(_("Set the number of threads to service RPC calls (default: %d)"), DEFAULT_HTTP_THREADS));
|
strUsage += HelpMessageOpt("-rpcthreads=<n>", strprintf(_("Set the number of threads to service RPC calls (default: %d)"), DEFAULT_HTTP_THREADS));
|
||||||
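Review bot: The `-rpcauth` help text gives the `<USERNAME>:<SALT>$<HASH>` layout but not that the username must not contain `:` or `$`: the server splits each entry on exactly those characters and silently skips any entry that does not yield three fields, so a user with such a name would be refused without any diagnostic. A clause such as `The username must not contain ':' or '$'` in the help string, mirrored in share/rpcuser/README.md, would make the restriction visible where the option is documented. Stating that `<HASH>` is the hex HMAC-SHA256 of the password keyed with `<SALT>` would also let operators generate entries without the bundled script and still match what the server computes.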
|