httprpc_8cpp_source.html

 // Copyright (c) 2015-2020 The Bitcoin Core developers
 // Distributed under the MIT software license, see the accompanying
 // file COPYING or http://www.opensource.org/licenses/mit-license.php.

 #include <httprpc.h>

 #include <chainparams.h>
 #include <crypto/hmac_sha256.h>
 #include <httpserver.h>
 #include <rpc/protocol.h>
 #include <rpc/server.h>
 #include <util/strencodings.h>
 #include <util/system.h>
 #include <util/translation.h>
 #include <walletinitinterface.h>

 #include <algorithm>
 #include <iterator>
 #include <map>
 #include <memory>
 #include <stdio.h>
 #include <set>
 #include <string>

 #include <boost/algorithm/string.hpp> // boost::trim

 static const char* WWW_AUTH_HEADER_DATA = "Basic realm=\"jsonrpc\"";

 class HTTPRPCTimer : public RPCTimerBase
 {
 public:
     HTTPRPCTimer(struct event_base* eventBase, std::function<void()>& func, int64_t millis) :
         ev(eventBase, false, func)
     {
         struct timeval tv;
         tv.tv_sec = millis/1000;
         tv.tv_usec = (millis%1000)*1000;
         ev.trigger(&tv);
     }
 private:
     HTTPEvent ev;
 };

 class HTTPRPCTimerInterface : public RPCTimerInterface
 {
 public:
     explicit HTTPRPCTimerInterface(struct event_base* _base) : base(_base)
     {
     }
     const char* Name() override
     {
         return "HTTP";
     }
     RPCTimerBase* NewTimer(std::function<void()>& func, int64_t millis) override
     {
         return new HTTPRPCTimer(base, func, millis);
     }
 private:
     struct event_base* base;
 };


 /* Pre-base64-encoded authentication token */
 static std::string strRPCUserColonPass;
 /* Stored RPC timer interface (for unregistration) */
 static std::unique_ptr<HTTPRPCTimerInterface> httpRPCTimerInterface;
 /* RPC Auth Whitelist */
 static std::map<std::string, std::set<std::string>> g_rpc_whitelist;
 static bool g_rpc_whitelist_default = false;

 static void JSONErrorReply(HTTPRequest* req, const UniValue& objError, const UniValue& id)
 {
     // Send error reply from json-rpc error object
     int nStatus = HTTP_INTERNAL_SERVER_ERROR;
     int code = find_value(objError, "code").get_int();

     if (code == RPC_INVALID_REQUEST)
         nStatus = HTTP_BAD_REQUEST;
     else if (code == RPC_METHOD_NOT_FOUND)
         nStatus = HTTP_NOT_FOUND;

     std::string strReply = JSONRPCReply(NullUniValue, objError, id);

     req->WriteHeader("Content-Type", "application/json");
     req->WriteReply(nStatus, strReply);
 }

 //This function checks username and password against -rpcauth
 //entries from config file.
 static bool multiUserAuthorized(std::string strUserPass)
 {
     if (strUserPass.find(':') == std::string::npos) {
         return false;
     }
     std::string strUser = strUserPass.substr(0, strUserPass.find(':'));
     std::string strPass = strUserPass.substr(strUserPass.find(':') + 1);

     for (const std::string& strRPCAuth : gArgs.GetArgs("-rpcauth")) {
         //Search for multi-user login/pass "rpcauth" from config
         std::vector<std::string> vFields;
         boost::split(vFields, strRPCAuth, boost::is_any_of(":$"));
         if (vFields.size() != 3) {
             //Incorrect formatting in config file
             continue;
         }

         std::string strName = vFields[0];
         if (!TimingResistantEqual(strName, strUser)) {
             continue;
         }

         std::string strSalt = vFields[1];
         std::string strHash = vFields[2];

         static const unsigned int KEY_SIZE = 32;
         unsigned char out[KEY_SIZE];

         CHMAC_SHA256(reinterpret_cast<const unsigned char*>(strSalt.data()), strSalt.size()).Write(reinterpret_cast<const unsigned char*>(strPass.data()), strPass.size()).Finalize(out);
         std::vector<unsigned char> hexvec(out, out+KEY_SIZE);
         std::string strHashFromPass = HexStr(hexvec);

         if (TimingResistantEqual(strHashFromPass, strHash)) {
             return true;
         }
     }
     return false;
 }

 static bool RPCAuthorized(const std::string& strAuth, std::string& strAuthUsernameOut)
 {
     if (strRPCUserColonPass.empty()) // Belt-and-suspenders measure if InitRPCAuthentication was not called
         return false;
     if (strAuth.substr(0, 6) != "Basic ")
         return false;
     std::string strUserPass64 = strAuth.substr(6);
     boost::trim(strUserPass64);
     std::string strUserPass = DecodeBase64(strUserPass64);

     if (strUserPass.find(':') != std::string::npos)
         strAuthUsernameOut = strUserPass.substr(0, strUserPass.find(':'));

     //Check if authorized under single-user field
     if (TimingResistantEqual(strUserPass, strRPCUserColonPass)) {
         return true;
     }
     return multiUserAuthorized(strUserPass);
 }

 static bool HTTPReq_JSONRPC(const util::Ref& context, HTTPRequest* req)
 {
     // JSONRPC handles only POST
     if (req->GetRequestMethod() != HTTPRequest::POST) {
         req->WriteReply(HTTP_BAD_METHOD, "JSONRPC server handles only POST requests");
         return false;
     }
     // Check authorization
     std::pair<bool, std::string> authHeader = req->GetHeader("authorization");
     if (!authHeader.first) {
         req->WriteHeader("WWW-Authenticate", WWW_AUTH_HEADER_DATA);
         req->WriteReply(HTTP_UNAUTHORIZED);
         return false;
     }

     JSONRPCRequest jreq(context);
     jreq.peerAddr = req->GetPeer().ToString();
     if (!RPCAuthorized(authHeader.second, jreq.authUser)) {
         LogPrintf("ThreadRPCServer incorrect password attempt from %s\n", jreq.peerAddr);

         /* Deter brute-forcing
            If this results in a DoS the user really
            shouldn't have their RPC port exposed. */
         UninterruptibleSleep(std::chrono::milliseconds{250});

         req->WriteHeader("WWW-Authenticate", WWW_AUTH_HEADER_DATA);
         req->WriteReply(HTTP_UNAUTHORIZED);
         return false;
     }

     try {
         // Parse request
         UniValue valRequest;
         if (!valRequest.read(req->ReadBody()))
             throw JSONRPCError(RPC_PARSE_ERROR, "Parse error");

         // Set the URI
         jreq.URI = req->GetURI();

         std::string strReply;
         bool user_has_whitelist = g_rpc_whitelist.count(jreq.authUser);
         if (!user_has_whitelist && g_rpc_whitelist_default) {
             LogPrintf("RPC User %s not allowed to call any methods\n", jreq.authUser);
             req->WriteReply(HTTP_FORBIDDEN);
             return false;

         // singleton request
         } else if (valRequest.isObject()) {
             jreq.parse(valRequest);
             if (user_has_whitelist && !g_rpc_whitelist[jreq.authUser].count(jreq.strMethod)) {
                 LogPrintf("RPC User %s not allowed to call method %s\n", jreq.authUser, jreq.strMethod);
                 req->WriteReply(HTTP_FORBIDDEN);
                 return false;
             }
             UniValue result = tableRPC.execute(jreq);

             // Send reply
             strReply = JSONRPCReply(result, NullUniValue, jreq.id);

         // array of requests
         } else if (valRequest.isArray()) {
             if (user_has_whitelist) {
                 for (unsigned int reqIdx = 0; reqIdx < valRequest.size(); reqIdx++) {
                     if (!valRequest[reqIdx].isObject()) {
                         throw JSONRPCError(RPC_INVALID_REQUEST, "Invalid Request object");
                     } else {
                         const UniValue& request = valRequest[reqIdx].get_obj();
                         // Parse method
                         std::string strMethod = find_value(request, "method").get_str();
                         if (!g_rpc_whitelist[jreq.authUser].count(strMethod)) {
                             LogPrintf("RPC User %s not allowed to call method %s\n", jreq.authUser, strMethod);
                             req->WriteReply(HTTP_FORBIDDEN);
                             return false;
                         }
                     }
                 }
             }
             strReply = JSONRPCExecBatch(jreq, valRequest.get_array());
         }
         else
             throw JSONRPCError(RPC_PARSE_ERROR, "Top-level object parse error");

         req->WriteHeader("Content-Type", "application/json");
         req->WriteReply(HTTP_OK, strReply);
     } catch (const UniValue& objError) {
         JSONErrorReply(req, objError, jreq.id);
         return false;
     } catch (const std::exception& e) {
         JSONErrorReply(req, JSONRPCError(RPC_PARSE_ERROR, e.what()), jreq.id);
         return false;
     }
     return true;
 }

 static bool InitRPCAuthentication()
 {
     if (gArgs.GetArg("-rpcpassword", "") == "")
     {
         LogPrintf("Using random cookie authentication.\n");
         if (!GenerateAuthCookie(&strRPCUserColonPass)) {
             return false;
         }
     } else {
         LogPrintf("Config options rpcuser and rpcpassword will soon be deprecated. Locally-run instances may remove rpcuser to use cookie-based auth, or may be replaced with rpcauth. Please see share/rpcauth for rpcauth auth generation.\n");
         strRPCUserColonPass = gArgs.GetArg("-rpcuser", "") + ":" + gArgs.GetArg("-rpcpassword", "");
     }
     if (gArgs.GetArg("-rpcauth","") != "")
     {
         LogPrintf("Using rpcauth authentication.\n");
     }

     g_rpc_whitelist_default = gArgs.GetBoolArg("-rpcwhitelistdefault", gArgs.IsArgSet("-rpcwhitelist"));
     for (const std::string& strRPCWhitelist : gArgs.GetArgs("-rpcwhitelist")) {
         auto pos = strRPCWhitelist.find(':');
         std::string strUser = strRPCWhitelist.substr(0, pos);
         bool intersect = g_rpc_whitelist.count(strUser);
         std::set<std::string>& whitelist = g_rpc_whitelist[strUser];
         if (pos != std::string::npos) {
             std::string strWhitelist = strRPCWhitelist.substr(pos + 1);
             std::set<std::string> new_whitelist;
             boost::split(new_whitelist, strWhitelist, boost::is_any_of(", "));
             if (intersect) {
                 std::set<std::string> tmp_whitelist;
                 std::set_intersection(new_whitelist.begin(), new_whitelist.end(),
                        whitelist.begin(), whitelist.end(), std::inserter(tmp_whitelist, tmp_whitelist.end()));
                 new_whitelist = std::move(tmp_whitelist);
             }
             whitelist = std::move(new_whitelist);
         }
     }

     return true;
 }

 bool StartHTTPRPC(const util::Ref& context)
 {
     LogPrint(BCLog::RPC, "Starting HTTP RPC server\n");
     if (!InitRPCAuthentication())
         return false;

     auto handle_rpc = [&context](HTTPRequest* req, const std::string&) { return HTTPReq_JSONRPC(context, req); };
     RegisterHTTPHandler("/", true, handle_rpc);
     if (g_wallet_init_interface.HasWalletSupport()) {
         RegisterHTTPHandler("/wallet/", false, handle_rpc);
     }
     struct event_base* eventBase = EventBase();
     assert(eventBase);
     httpRPCTimerInterface = MakeUnique<HTTPRPCTimerInterface>(eventBase);
     RPCSetTimerInterface(httpRPCTimerInterface.get());
     return true;
 }

 void InterruptHTTPRPC()
 {
     LogPrint(BCLog::RPC, "Interrupting HTTP RPC server\n");
 }

 void StopHTTPRPC()
 {
     LogPrint(BCLog::RPC, "Stopping HTTP RPC server\n");
     UnregisterHTTPHandler("/", true);
     if (g_wallet_init_interface.HasWalletSupport()) {
         UnregisterHTTPHandler("/wallet/", false);
     }
     if (httpRPCTimerInterface) {
         RPCUnsetTimerInterface(httpRPCTimerInterface.get());
         httpRPCTimerInterface.reset();
     }
 }
UniValue::isObject
bool isObject() const
Definition: univalue.h:84

HTTP_FORBIDDEN
Definition: protocol.h:15

ArgsManager::IsArgSet
bool IsArgSet(const std::string &strArg) const
Return true if the given argument has been manually set.
Definition: system.cpp:370

TimingResistantEqual
bool TimingResistantEqual(const T &a, const T &b)
Timing-attack-resistant comparison.
Definition: strencodings.h:156

RPCTimerInterface
RPC timer "driver".
Definition: server.h:59

HTTP_OK
Definition: protocol.h:12

LogPrint
#define LogPrint(category,...)
Definition: logging.h:182

HTTPRPCTimerInterface::HTTPRPCTimerInterface
HTTPRPCTimerInterface(struct event_base *_base)
Definition: httprpc.cpp:51

HTTP_BAD_REQUEST
Definition: protocol.h:13

HTTPRPCTimerInterface::Name
const char * Name() override
Implementation name.
Definition: httprpc.cpp:54

WWW_AUTH_HEADER_DATA
static const char * WWW_AUTH_HEADER_DATA
WWW-Authenticate to present with 401 Unauthorized response.
Definition: httprpc.cpp:28

HTTP_NOT_FOUND
Definition: protocol.h:16

UniValue::read
bool read(const char *raw, size_t len)
Definition: univalue_read.cpp:259

strRPCUserColonPass
static std::string strRPCUserColonPass
Definition: httprpc.cpp:68

HTTPRPCTimer::ev
HTTPEvent ev
Definition: httprpc.cpp:45

HTTPEvent
Event class.
Definition: httpserver.h:129

InitRPCAuthentication
static bool InitRPCAuthentication()
Definition: httprpc.cpp:247

httprpc.h

HTTPRPCTimerInterface::base
struct event_base * base
Definition: httprpc.cpp:63

JSONErrorReply
static void JSONErrorReply(HTTPRequest *req, const UniValue &objError, const UniValue &id)
Definition: httprpc.cpp:75

strencodings.h

CHMAC_SHA256
A hasher class for HMAC-SHA-256.
Definition: hmac_sha256.h:14

HTTPRPCTimerInterface::NewTimer
RPCTimerBase * NewTimer(std::function< void()> &func, int64_t millis) override
Factory function for timers.
Definition: httprpc.cpp:58

UniValue
Definition: univalue.h:19

chainparams.h

LogPrintf
static void LogPrintf(const char *fmt, const Args &... args)
Definition: logging.h:166

HTTPRequest::POST
Definition: httpserver.h:69

UniValue::get_str
const std::string & get_str() const
Definition: univalue_get.cpp:97

DecodeBase64
std::vector< unsigned char > DecodeBase64(const char *p, bool *pf_invalid)
Definition: strencodings.cpp:145

UniValue::get_array
const UniValue & get_array() const
Definition: univalue_get.cpp:141

ArgsManager::GetBoolArg
bool GetBoolArg(const std::string &strArg, bool fDefault) const
Return boolean argument or default value.
Definition: system.cpp:392

InterruptHTTPRPC
void InterruptHTTPRPC()
Interrupt HTTP RPC subsystem.
Definition: httprpc.cpp:305

httpserver.h

RPCUnsetTimerInterface
void RPCUnsetTimerInterface(RPCTimerInterface *iface)
Unset factory function for timers.
Definition: server.cpp:496

find_value
const UniValue & find_value(const UniValue &obj, const std::string &name)
Definition: univalue.cpp:234

RegisterHTTPHandler
void RegisterHTTPHandler(const std::string &prefix, bool exactMatch, const HTTPRequestHandler &handler)
Register handler for prefix.
Definition: httpserver.cpp:641

hmac_sha256.h

protocol.h

HTTPRPCTimerInterface
Definition: httprpc.cpp:48

CRPCTable::execute
UniValue execute(const JSONRPCRequest &request) const
Execute a method.
Definition: server.cpp:438

JSONRPCRequest::strMethod
std::string strMethod
Definition: request.h:35

httpRPCTimerInterface
static std::unique_ptr< HTTPRPCTimerInterface > httpRPCTimerInterface
Definition: httprpc.cpp:70

RPCAuthorized
static bool RPCAuthorized(const std::string &strAuth, std::string &strAuthUsernameOut)
Definition: httprpc.cpp:133

tableRPC
CRPCTable tableRPC
Definition: server.cpp:520

JSONRPCRequest::peerAddr
std::string peerAddr
Definition: request.h:40

multiUserAuthorized
static bool multiUserAuthorized(std::string strUserPass)
Definition: httprpc.cpp:94

JSONRPCError
UniValue JSONRPCError(int code, const std::string &message)
Definition: request.cpp:51

HTTPReq_JSONRPC
static bool HTTPReq_JSONRPC(const util::Ref &context, HTTPRequest *req)
Definition: httprpc.cpp:153

HTTPRequest::WriteReply
void WriteReply(int nStatus, const std::string &strReply="")
Write HTTP reply.
Definition: httpserver.cpp:571

HTTPRPCTimer
Simple one-shot callback timer to be used by the RPC mechanism to e.g.
Definition: httprpc.cpp:33

HTTPRequest::GetRequestMethod
RequestMethod GetRequestMethod() const
Get request method.
Definition: httpserver.cpp:620

server.h

JSONRPCExecBatch
std::string JSONRPCExecBatch(const JSONRPCRequest &jreq, const UniValue &vReq)
Definition: server.cpp:379

JSONRPCRequest::id
UniValue id
Definition: request.h:34

UnregisterHTTPHandler
void UnregisterHTTPHandler(const std::string &prefix, bool exactMatch)
Unregister handler for prefix.
Definition: httpserver.cpp:647

translation.h

UniValue::get_int
int get_int() const
Definition: univalue_get.cpp:104

HTTP_UNAUTHORIZED
Definition: protocol.h:14

EventBase
struct event_base * EventBase()
Return evhttp event base.
Definition: httpserver.cpp:483

util::Ref
Type-safe dynamic reference.
Definition: ref.h:21

JSONRPCReply
std::string JSONRPCReply(const UniValue &result, const UniValue &error, const UniValue &id)
Definition: request.cpp:45

StopHTTPRPC
void StopHTTPRPC()
Stop HTTP RPC subsystem.
Definition: httprpc.cpp:310

HTTP_INTERNAL_SERVER_ERROR
Definition: protocol.h:18

HTTP_BAD_METHOD
Definition: protocol.h:17

g_wallet_init_interface
const WalletInitInterface & g_wallet_init_interface
Definition: dummywallet.cpp:59

JSONRPCRequest::parse
void parse(const UniValue &valRequest)
Definition: request.cpp:153

StartHTTPRPC
bool StartHTTPRPC(const util::Ref &context)
Start HTTP RPC subsystem.
Definition: httprpc.cpp:287

g_rpc_whitelist_default
static bool g_rpc_whitelist_default
Definition: httprpc.cpp:73

HTTPRPCTimer::HTTPRPCTimer
HTTPRPCTimer(struct event_base *eventBase, std::function< void()> &func, int64_t millis)
Definition: httprpc.cpp:36

UninterruptibleSleep
void UninterruptibleSleep(const std::chrono::microseconds &n)
Definition: time.cpp:19

HTTPRequest::WriteHeader
void WriteHeader(const std::string &hdr, const std::string &value)
Write output header.
Definition: httpserver.cpp:559

HTTPEvent::trigger
void trigger(struct timeval *tv)
Trigger the event.
Definition: httpserver.cpp:507

RPC_PARSE_ERROR
Definition: protocol.h:36

WalletInitInterface::HasWalletSupport
virtual bool HasWalletSupport() const =0
Is the wallet component enabled.

UniValue::get_obj
const UniValue & get_obj() const
Definition: univalue_get.cpp:134

ArgsManager::GetArg
std::string GetArg(const std::string &strArg, const std::string &strDefault) const
Return string argument or default value.
Definition: system.cpp:380

system.h

JSONRPCRequest::URI
std::string URI
Definition: request.h:38

JSONRPCRequest::authUser
std::string authUser
Definition: request.h:39

RPCSetTimerInterface
void RPCSetTimerInterface(RPCTimerInterface *iface)
Set the factory function for timers.
Definition: server.cpp:491

HTTPRequest::GetHeader
std::pair< bool, std::string > GetHeader(const std::string &hdr) const
Get the request header specified by hdr, or an empty string.
Definition: httpserver.cpp:528

RPCTimerBase
Opaque base class for timers returned by NewTimerFunc.
Definition: server.h:50

RPC_METHOD_NOT_FOUND
Definition: protocol.h:31

JSONRPCRequest
Definition: request.h:31

GenerateAuthCookie
bool GenerateAuthCookie(std::string *cookie_out)
Generate a new RPC authentication cookie and write it to disk.
Definition: request.cpp:76

HexStr
std::string HexStr(const T itbegin, const T itend)
Definition: strencodings.h:123

gArgs
ArgsManager gArgs
Definition: system.cpp:77

NullUniValue
const UniValue NullUniValue
Definition: univalue.cpp:13

HTTPRequest::GetPeer
CService GetPeer() const
Get CService (address:ip) for the origin of the http request.
Definition: httpserver.cpp:601

HTTPRequest::ReadBody
std::string ReadBody()
Read request body.
Definition: httpserver.cpp:539

RPC_INVALID_REQUEST
Standard JSON-RPC 2.0 errors.
Definition: protocol.h:28

CService::ToString
std::string ToString() const
Definition: netaddress.cpp:751

HTTPRequest
In-flight HTTP request.
Definition: httpserver.h:56

UniValue::size
size_t size() const
Definition: univalue.h:68

g_rpc_whitelist
static std::map< std::string, std::set< std::string > > g_rpc_whitelist
Definition: httprpc.cpp:72

ArgsManager::GetArgs
std::vector< std::string > GetArgs(const std::string &strArg) const
Return a vector of strings of the given argument.
Definition: system.cpp:361

BCLog::RPC
Definition: logging.h:44

UniValue::isArray
bool isArray() const
Definition: univalue.h:83

HTTPRequest::GetURI
std::string GetURI() const
Get requested URI.
Definition: httpserver.cpp:615

eventBase
static struct event_base * eventBase
HTTP module state.
Definition: httpserver.cpp:141

walletinitinterface.h