
RPC: Allow rpcauth configs to specify a 4th parameter naming a specific wallet #10615

Closed
wants to merge 1 commit into from

Conversation

@luke-jr
Member

@luke-jr luke-jr commented Jun 16, 2017

Simple rebase of current RPC stuff. No endpoints yet.

@luke-jr luke-jr force-pushed the luke-jr:multiwallet_rpc branch Jun 16, 2017
src/httprpc.cpp Outdated (resolved)
@luke-jr luke-jr changed the title RPC: Allow rpcauth configs to specify a 4th parameter naming a specific wallet RPC: Allow rpcauth configs to specify a 4th parameter naming a specific wallet (multiwallet RPC support) Jun 18, 2017
@luke-jr luke-jr force-pushed the luke-jr:multiwallet_rpc branch Jun 20, 2017
Contributor

@ryanofsky ryanofsky left a comment

ACK b77b2f254cc365728790f345deedbed1204964bb.

Needs updated documentation, also would be good to have python tests.

Tested with:

bitcoind -regtest -wallet=w1.dat -wallet=w2.dat -debug=1
bitcoin-cli -regtest -rpcuser=user1 -rpcpassword=V6CGvawtTWCHzt51knRvFfTejjjfy06UzSt_FiB3Fxw= getwalletinfo
bitcoin-cli -regtest -rpcuser=user2 -rpcpassword=V6CGvawtTWCHzt51knRvFfTejjjfy06UzSt_FiB3Fxw= getwalletinfo
bitcoin-cli -regtest -rpcuser=user3 -rpcpassword=V6CGvawtTWCHzt51knRvFfTejjjfy06UzSt_FiB3Fxw= getwalletinfo

And $HOME/.bitcoin/bitcoin.conf:

rpcauth=user1:51902a7be9c9911079af388a927f$22904ad1bfec659ee1e61d1b3dd73f7b552c6d2d0d1e9f71f6ee833954d062da:w1.dat
rpcauth=user2:51902a7be9c9911079af388a927f$22904ad1bfec659ee1e61d1b3dd73f7b552c6d2d0d1e9f71f6ee833954d062da:w2.dat
rpcauth=user3:51902a7be9c9911079af388a927f$22904ad1bfec659ee1e61d1b3dd73f7b552c6d2d0d1e9f71f6ee833954d062da:-
src/rpc/server.h Outdated (resolved)
src/rpc/server.h Outdated
#endif

JSONRPCRequest() : id(NullUniValue), params(NullUniValue), fHelp(false)
#ifdef ENABLE_WALLET


@ryanofsky

ryanofsky Jun 20, 2017
Contributor

In commit "RPC: Pass wallet through JSONRPCRequest"

Could drop this ifdef also.

src/httprpc.cpp Outdated
@@ -119,14 +122,17 @@ static bool multiUserAuthorized(std::string strUserPass)
std::string strHashFromPass = HexStr(hexvec);

if (TimingResistantEqual(strHashFromPass, strHash)) {
if (vFields.size() > 3) {
walletNameOut = vFields[3];
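Review bot: `walletNameOut = vFields[3]` takes the fourth colon-separated field verbatim and ignores anything after it, so an rpcauth line whose wallet value itself contains ':' (the "external wallets (paths) and other characters" concern raised below) is silently cut short at vFields[3] rather than rejected. Either fail the entry when `vFields.size() > 4`, or re-join the remainder, and state in the -rpcauth documentation which characters a wallet name may contain.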


@ryanofsky

ryanofsky Jun 20, 2017
Contributor

In commit "RPC: Allow rpcauth configs to specify..."

Should update -rpcauth documentation to mention the new field.


@promag

promag Aug 4, 2017
Member

Also add a test for the new parameter?

Contributor

@ryanofsky ryanofsky left a comment

There was a lot of objection at last IRC meeting (https://botbot.me/freenode/bitcoin-core-dev/msg/87311878/) to choosing wallet based on RPC username & password, mostly for security reasons ("securing RPC for multiple users is absolutely a nightmare").

Personally, I don't like the choosing wallet based on username because I think it makes for a clumsy UI. Adding support for a simple -wallet= option to bitcoin-cli and working with regular cookie authentication just seems a lot more user-friendly than having to deal with -rpcauth, the share/rpcuser script, and all of that.

ACKing this PR though because it makes multiwallet usable, and the implementation is pretty clean. If we don't want to use rpcauth for wallet security, we could allow all users to access all wallets and just interpret the new rpcauth wallet option as the default wallet for the user.

src/httprpc.cpp Outdated
@@ -119,14 +122,17 @@ static bool multiUserAuthorized(std::string strUserPass)
std::string strHashFromPass = HexStr(hexvec);

if (TimingResistantEqual(strHashFromPass, strHash)) {
if (vFields.size() > 3) {
walletNameOut = vFields[3];


@ryanofsky

ryanofsky Jun 20, 2017
Contributor

In commit "RPC: Allow rpcauth configs to specify..."

I think instead of interpreting the 4th rpcauth field as a wallet filename field, it might be better to treat it as a generic options field (similar to the field in fstab files for mount options). E.g. instead of:

rpcauth=user:salt:hash:filename.dat

You would write:

rpcauth=user:salt:hash:wallet=filename.dat

This would be more extensible, also more readable.

@jnewbery
Member

@jnewbery jnewbery commented Jun 28, 2017

Multi-user for multiwallet is definitely a very useful feature and one that we should be aiming for long-term, so this is good to see. I think the implementation needs some more work before it's ready:

  • most importantly, having individual user wallet access authentication will give users the impression that it's safe to open RPC access to multiple users, which it absolutely isn't. Just using the standard RPC commands, a malicious user could cause mischief by stopping the node, changing consensus state using invalidateblock/preciousblock, eclipse the node using disconnectnode/addnode, etc. RPC is not a secure interface and we should be very careful to not give users the impression that it is.
  • this implementation adds a lot of #ifdef ENABLE_WALLETs to libbitcoin_server.a. We should be trying to remove those in order to remove circular dependency between libbitcoin_server.a and libbitcoin_wallet.a (see #7965). This PR would make future work to cleanly separate wallet from server more difficult.
  • this implementation needlessly binds multiwallet to multi-user. It does not allow a single user to have access to multiple wallets or select a wallet on a per-call basis.

So, definite concept ACK that we should do this, but I think it should be sequenced after wallet separation. That would make the implementation a lot cleaner and make it easier to provide an implementation that is secure and safe for users.

src/httprpc.cpp Outdated
@@ -119,14 +122,17 @@ static bool multiUserAuthorized(std::string strUserPass)
std::string strHashFromPass = HexStr(hexvec);

if (TimingResistantEqual(strHashFromPass, strHash)) {
if (vFields.size() > 3) {
walletNameOut = vFields[3];


@promag

promag Aug 4, 2017
Member

Also add a test for the new parameter?

src/httprpc.cpp Outdated
return true;
}
}
}
return false;
}

static bool RPCAuthorized(const std::string& strAuth, std::string& strAuthUsernameOut)
static bool RPCAuthorized(const std::string& strAuth, std::string& strAuthUsernameOut, std::string& walletNameOut)
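Review bot: `walletNameOut` is only assigned inside the `vFields.size() > 3` branch shown above, so a successful match against a three-field rpcauth entry returns true without touching the caller's variable; clear it at function entry so the contract does not depend on every caller pre-initialising it. The test config in this thread also uses `-` as the fourth field for user3, so the documentation should spell out what `-` and an absent field each mean.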


@promag

promag Aug 4, 2017
Member

Just wallet_name?

src/httprpc.cpp Outdated
@@ -162,7 +168,8 @@ static bool HTTPReq_JSONRPC(HTTPRequest* req, const std::string &)
}

JSONRPCRequest jreq;
if (!RPCAuthorized(authHeader.second, jreq.authUser)) {
std::string walletName;


@promag

promag Aug 4, 2017
Member

wallet_name.

src/httprpc.cpp Outdated (resolved)
@luke-jr luke-jr force-pushed the luke-jr:multiwallet_rpc branch 2 times, most recently to 6a20988 Aug 25, 2017
@luke-jr luke-jr force-pushed the luke-jr:multiwallet_rpc branch from 6a20988 to 370d336 Sep 2, 2017
src/httprpc.cpp Outdated (resolved)
@luke-jr luke-jr force-pushed the luke-jr:multiwallet_rpc branch from 370d336 to eef48ee Mar 6, 2018
@luke-jr luke-jr changed the title RPC: Allow rpcauth configs to specify a 4th parameter naming a specific wallet (multiwallet RPC support) RPC: Allow rpcauth configs to specify a 4th parameter naming a specific wallet Nov 2, 2018
@luke-jr luke-jr force-pushed the luke-jr:multiwallet_rpc branch from eef48ee to 43b92a9 Nov 2, 2018
@luke-jr
Member Author

@luke-jr luke-jr commented Nov 2, 2018

Rebased

@DrahtBot DrahtBot removed the Needs rebase label Nov 2, 2018
@DrahtBot
Contributor

@DrahtBot DrahtBot commented Nov 2, 2018

The following sections might be updated with supplementary metadata relevant to reviewers and maintainers.

Conflicts

Reviewers, this pull request conflicts with the following ones:

  • #13756 (wallet: "avoid_reuse" wallet flag for improved privacy by kallewoof)

If you consider this pull request important, please also help to review the conflicting pull requests. Ideally, start with the one that should be merged first.

@jnewbery
Copy link
Member

@jnewbery jnewbery commented Nov 2, 2018

Concept ACK. I still have a few concerns about RPC security and the level of coupling between RPC users and wallets. I think the first thing to do is add release notes explaining the exact model, and update the PR description to match.

Member

@promag promag left a comment

IIUC this limits one wallet per user (auth)?

This is incomplete now that there's dynamic support for wallets:

  • there should be a way to dynamically update access credentials?
  • rpcauth.py should be updated?
  • probably there's issues with external wallets (paths) and other characters?
  • already mentioned, needs tests.

Alternatively it could whitelist RPC categories (not wallets) by user/auth: For instance:

rpcauth=promag:ec94a02...$07e90e0...:blockchain,rawtransactions
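
An added example, not code from Bitcoin Core or this PR: a Python parser for rpcauth lines carrying a 4th field that covers this PR's bare wallet-filename form, the key=value options form ryanofsky suggested above, and the per-user RPC category list promag suggests here. The `rpc=` key, repeating keys separated by ',', and reading `-` as "no wallet" are assumptions; the hash scheme is the HMAC-SHA256 over the password keyed by the salt that the share/rpcuser script produces.

```python
import hmac
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

def rpcauth_digest(salt: str, password: str) -> str:
    # Same scheme as Bitcoin Core's share/rpcuser script: HMAC-SHA256 keyed by the salt.
    return hmac.new(salt.encode(), password.encode(), "sha256").hexdigest()

@dataclass
class RpcAuthEntry:
    user: str
    salt: str
    digest: str
    wallet: Optional[str] = None                 # None: no wallet bound to this user
    categories: Optional[FrozenSet[str]] = None  # None: every RPC category allowed

def parse_rpcauth(line: str) -> RpcAuthEntry:
    # Split on at most two ':' so the 4th field may itself contain ':' (e.g. a wallet path).
    fields = line.split(":", 2)
    if len(fields) < 2 or "$" not in fields[1]:
        raise ValueError("expected user:salt$hash[:options]")
    salt, digest = fields[1].split("$", 1)
    entry = RpcAuthEntry(fields[0], salt, digest)
    # '-' as 4th field (as in the thread's test config) is read as "no wallet": an assumption.
    if len(fields) == 3 and fields[2] not in ("", "-"):
        if "=" not in fields[2]:
            entry.wallet = fields[2]             # this PR's form: the field is the wallet filename
        else:                                    # assumed options form: key=value[,key=value...]
            cats = set()
            for kv in fields[2].split(","):
                key, _, value = kv.partition("=")
                if key == "wallet":
                    entry.wallet = value
                elif key == "rpc":               # assumed key carrying promag's category allowlist
                    cats.add(value)
                else:
                    raise ValueError(f"unknown rpcauth option {key!r}")
            entry.categories = frozenset(cats) if cats else None
    return entry

def authorize(entries: Iterable[RpcAuthEntry], user: str, password: str) -> Optional[RpcAuthEntry]:
    # Constant-time digest comparison, the role TimingResistantEqual plays in httprpc.cpp.
    for e in entries:
        if e.user == user and hmac.compare_digest(rpcauth_digest(e.salt, password), e.digest):
            return e
    return None

def method_allowed(entry: RpcAuthEntry, category: str) -> bool:
    return entry.categories is None or category in entry.categories
```

The constructed entries in the test below are generated with `rpcauth_digest`, so the salts and passwords are sample values rather than the ones in ryanofsky's config.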
@DrahtBot
Contributor

@DrahtBot DrahtBot commented Jun 19, 2019

Needs rebase
@laanwj
Member

@laanwj laanwj commented Sep 30, 2019

This seems to have been inactive for a long time, and it was controversial in the first place, closing.
