Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat(rpc): Cookie auth system for the RPC endpoint #8900

Merged
merged 17 commits into from
Oct 22, 2024
Merged

Conversation

oxarbitrage
Copy link
Contributor

@oxarbitrage oxarbitrage commented Sep 30, 2024

Motivation

We want to authenticate the RPC method by the zcashd cookie method.

Close #8864

Solution

  • Added enable_cookie_auth config field to use cookie authentication, enabled by default.
  • Generate cookie when the RPC endpoint starts.
  • Start the RPC endpoint server with that generated cookie.
  • In the middleware, if auth is enabled, check for basic HTTP auth header.
    • Redirect to request if the user provided auth matches the one generated that the server has.
    • Else error 401.

Tests

  • Manual
  • All tests should remain working as we disabled auth for all of them.

Follow-up Work

  • Make the python RPC tests work with authproxy again, or/and:
    • Create a rust test to query with auth.

PR Author's Checklist

  • The PR name will make sense to users.
  • The PR provides a CHANGELOG summary.
  • The solution is tested.
  • The documentation is up to date.
  • The PR has a priority label.

PR Reviewer's Checklist

  • The PR Author's checklist is complete.
  • The PR resolves the issue.

@oxarbitrage oxarbitrage added C-security Category: Security issues A-rpc Area: Remote Procedure Call interfaces A-compatibility Area: Compatibility with other nodes or wallets, or standard rules labels Sep 30, 2024
@oxarbitrage oxarbitrage requested a review from a team as a code owner September 30, 2024 22:16
@oxarbitrage oxarbitrage requested review from upbqdn and removed request for a team September 30, 2024 22:16
@github-actions github-actions bot added the C-feature Category: New features label Sep 30, 2024
@mpguerra mpguerra linked an issue Oct 1, 2024 that may be closed by this pull request
@oxarbitrage
Copy link
Contributor Author

Requests from a remote host that don't have the cookie generated at startup will be rejected. In zcashd, the zcash-cli can be used in a remote host that has the cookie and authenticate. However, we are not targeting a specific application, we want to use the authentication method in a generic way from a remote client. One option can be to use curl with the cookie file and compare server side. Other options are welcome, i am still brainstorming it.

@oxarbitrage
Copy link
Contributor Author

We had a chat today about this with @upbqdn and @arya2, i am adding some more research here.

About the cookie auth method:

... Read access to this file controls who can access through RPC ...

https://bitcoin.org/en/release/v0.12.0#rpc-random-cookie-rpc-authentication

That means the cookie method is actually for local access. I think we should focus on that in this PR.

For remote access, we thought in username/password over TLS/SSL as an option. Bitcoin supported this for its RPC endpoint in the past however they don't do it anymore claiming that the RPC access should only be shared with trusted environments.

https://en.bitcoin.it/wiki/Enabling_SSL_on_original_client_daemon#:~:text=SSL%20for%20RPC%20in%20Bitcoin,was%20criticized%20for%20some%20time.

https://bitcoin.stackexchange.com/questions/108293/why-does-bitcoin-cores-rpc-interface-not-use-encryption

It seems that the remote access should be a combination of username and password, with the additional rpcallowip config option plus a vpn layer.

@oxarbitrage
Copy link
Contributor Author

Continuing with the cookie auth method, the zcash-cli sends the cookie content as basic HTTP credentials to the server: https://github.com/zcash/zcash/blob/master/src/bitcoin-cli.cpp#L251
https://github.com/zcash/zcash/blob/master/src/bitcoin-cli.cpp#L266

We want to do that but just with curl, we need to intercept the Authorization in the zebra RPC middleware and compare it with the cookie in the server side.

I got confused thinking the cookie method will work for remote access, my apologies for that.

@upbqdn
Copy link
Member

upbqdn commented Oct 2, 2024

That means the cookie method is actually for local access. I think we should focus on that in this PR.

Do we have any use cases that require authentication for local access, though?

@oxarbitrage
Copy link
Contributor Author

Do we have any use cases that require authentication for local access, though?

It's a security measure. You can't access the resources if you don't have read access to the cookie, even if you are in the same machine.

@oxarbitrage oxarbitrage requested a review from a team as a code owner October 7, 2024 12:02
upbqdn
upbqdn previously approved these changes Oct 8, 2024
zebra-rpc/src/config.rs Outdated Show resolved Hide resolved
zebra-rpc/src/methods.rs Outdated Show resolved Hide resolved
zebra-rpc/src/server/cookie.rs Outdated Show resolved Hide resolved
zebra-rpc/src/server/cookie.rs Outdated Show resolved Hide resolved
zebra-rpc/src/server/cookie.rs Outdated Show resolved Hide resolved
zebra-rpc/src/server/http_request_compatibility.rs Outdated Show resolved Hide resolved
zebra-rpc/src/server/http_request_compatibility.rs Outdated Show resolved Hide resolved
zebrad/tests/common/checkpoints.rs Outdated Show resolved Hide resolved
@oxarbitrage oxarbitrage added the do-not-merge Tells Mergify not to merge this PR label Oct 10, 2024
@mpguerra
Copy link
Contributor

Can this be merged once approved?

zebra-rpc/src/server/cookie.rs Outdated Show resolved Hide resolved
zebra-rpc/src/server/http_request_compatibility.rs Outdated Show resolved Hide resolved
@upbqdn
Copy link
Member

upbqdn commented Oct 15, 2024

Can this be merged once approved?

Nope.

@upbqdn upbqdn force-pushed the auth-rpc-endpoint branch from 9bb5716 to 7708294 Compare October 17, 2024 12:34
@upbqdn upbqdn removed the do-not-merge Tells Mergify not to merge this PR label Oct 17, 2024
@upbqdn
Copy link
Member

upbqdn commented Oct 17, 2024

This PR is missing a priority label.

@upbqdn
Copy link
Member

upbqdn commented Oct 22, 2024

Should we also update user docs and describe where users can find the cookie and how to use it?

@mergify mergify bot merged commit b1ffc89 into main Oct 22, 2024
205 checks passed
@mergify mergify bot deleted the auth-rpc-endpoint branch October 22, 2024 09:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-compatibility Area: Compatibility with other nodes or wallets, or standard rules A-rpc Area: Remote Procedure Call interfaces C-feature Category: New features C-security Category: Security issues P-Medium ⚡
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Protect the Zebra RPC endpoint
4 participants