36static std::vector<std::vector<std::string>>
g_rpcauth;
57 req->
WriteHeader(
"Content-Type",
"application/json");
70 const std::string& salt = fields[1];
71 const std::string& hash = fields[2];
73 std::array<unsigned char, CHMAC_SHA256::OUTPUT_SIZE>
out;
84static bool RPCAuthorized(
const std::string& strAuth, std::string& strAuthUsernameOut)
86 if (!strAuth.starts_with(
"Basic "))
88 std::string_view strUserPass64 =
TrimStringView(std::string_view{strAuth}.substr(6));
90 std::string strUserPass;
91 if (!userpass_data)
return false;
92 strUserPass.assign(userpass_data->begin(), userpass_data->end());
94 size_t colon_pos = strUserPass.find(
':');
95 if (colon_pos == std::string::npos) {
98 std::string user = strUserPass.substr(0, colon_pos);
99 std::string pass = strUserPass.substr(colon_pos + 1);
100 strAuthUsernameOut = user;
112 std::pair<bool, std::string> authHeader = req->
GetHeader(
"authorization");
113 if (!authHeader.first) {
123 LogPrintf(
"ThreadRPCServer incorrect password attempt from %s\n", jreq.
peerAddr);
153 jreq.
parse(valRequest);
174 }
else if (valRequest.
isArray()) {
176 if (user_has_whitelist) {
177 for (
unsigned int reqIdx = 0; reqIdx < valRequest.
size(); reqIdx++) {
178 if (!valRequest[reqIdx].isObject()) {
185 LogPrintf(
"RPC User %s not allowed to call method %s\n", jreq.
authUser, strMethod);
195 for (
size_t i{0}; i < valRequest.
size(); ++i) {
200 jreq.
parse(valRequest[i]);
204 }
catch (
const std::exception& e) {
220 if (reply.
size() == 0 && valRequest.
size() > 0) {
228 req->
WriteHeader(
"Content-Type",
"application/json");
233 }
catch (
const std::exception& e) {
247 std::optional<fs::perms> cookie_perms{std::nullopt};
248 auto cookie_perms_arg{
gArgs.
GetArg(
"-rpccookieperms")};
249 if (cookie_perms_arg) {
252 LogError(
"Invalid -rpccookieperms=%s; must be one of 'owner', 'group', or 'all'.", *cookie_perms_arg);
255 cookie_perms = *perm_opt;
262 LogInfo(
"RPC authentication cookie file generation is disabled.");
265 LogInfo(
"Using random cookie authentication.");
269 LogInfo(
"Using rpcuser/rpcpassword authentication.");
270 LogWarning(
"The use of rpcuser/rpcpassword is less secure, because credentials are configured in plain text. It is recommended that locally-run instances switch to cookie-based auth, or otherwise to use hashed rpcauth credentials. See share/rpcauth in the source directory for more information.");
276 if (!user.empty() || !pass.empty()) {
278 std::array<unsigned char, 16> raw_salt;
280 std::string salt =
HexStr(raw_salt);
283 std::array<unsigned char, CHMAC_SHA256::OUTPUT_SIZE>
out;
291 LogInfo(
"Using rpcauth authentication.\n");
292 for (
const std::string& rpcauth :
gArgs.
GetArgs(
"-rpcauth")) {
293 std::vector<std::string> fields{
SplitString(rpcauth,
':')};
294 const std::vector<std::string> salt_hmac{
SplitString(fields.back(),
'$')};
295 if (fields.size() == 2 && salt_hmac.size() == 2) {
297 fields.insert(fields.end(), salt_hmac.begin(), salt_hmac.end());
300 LogPrintf(
"Invalid -rpcauth argument.\n");
307 for (
const std::string& strRPCWhitelist :
gArgs.
GetArgs(
"-rpcwhitelist")) {
308 auto pos = strRPCWhitelist.find(
':');
309 std::string strUser = strRPCWhitelist.substr(0, pos);
312 if (pos != std::string::npos) {
313 std::string strWhitelist = strRPCWhitelist.substr(pos + 1);
314 std::vector<std::string> whitelist_split =
SplitString(strWhitelist,
", ");
315 std::set<std::string> new_whitelist{
316 std::make_move_iterator(whitelist_split.begin()),
317 std::make_move_iterator(whitelist_split.end())};
319 std::set<std::string> tmp_whitelist;
320 std::set_intersection(new_whitelist.begin(), new_whitelist.end(),
321 whitelist.begin(), whitelist.end(), std::inserter(tmp_whitelist, tmp_whitelist.end()));
322 new_whitelist = std::move(tmp_whitelist);
324 whitelist = std::move(new_whitelist);
#define Assume(val)
Assume is the identity function.
std::vector< std::string > GetArgs(const std::string &strArg) const
Return a vector of strings of the given argument.
std::string GetArg(const std::string &strArg, const std::string &strDefault) const
Return string argument or default value.
bool GetBoolArg(const std::string &strArg, bool fDefault) const
Return boolean argument or default value.
A hasher class for HMAC-SHA-256.
CHMAC_SHA256 & Write(const unsigned char *data, size_t len)
void Finalize(unsigned char hash[OUTPUT_SIZE])
std::string ToStringAddrPort() const
std::pair< bool, std::string > GetHeader(const std::string &hdr) const
Get the request header specified by hdr, or an empty string.
std::string GetURI() const
Get requested URI.
void WriteReply(int nStatus, std::string_view reply="")
Write HTTP reply.
void WriteHeader(const std::string &hdr, const std::string &value)
Write output header.
RequestMethod GetRequestMethod() const
Get request method.
std::string ReadBody()
Read request body.
CService GetPeer() const
Get CService (address:ip) for the origin of the http request.
JSONRPCVersion m_json_version
bool IsNotification() const
void parse(const UniValue &valRequest)
std::optional< UniValue > id
void push_back(UniValue val)
const std::string & get_str() const
const UniValue & find_value(std::string_view key) const
std::string write(unsigned int prettyIndent=0, unsigned int indentLevel=0) const
const UniValue & get_obj() const
bool read(std::string_view raw)
virtual bool HasWalletSupport() const =0
Is the wallet component enabled.
const WalletInitInterface & g_wallet_init_interface
std::optional< fs::perms > InterpretPermString(const std::string &s)
Interpret a custom permissions level string as fs::perms.
std::string HexStr(const std::span< const uint8_t > s)
Convert a span of bytes to a lower-case hexadecimal string.
static const char * WWW_AUTH_HEADER_DATA
WWW-Authenticate to present with 401 Unauthorized response.
void InterruptHTTPRPC()
Interrupt HTTP RPC subsystem.
void StopHTTPRPC()
Stop HTTP RPC subsystem.
static bool CheckUserAuthorized(std::string_view user, std::string_view pass)
bool StartHTTPRPC(const std::any &context)
Start HTTP RPC subsystem.
static bool g_rpc_whitelist_default
static bool RPCAuthorized(const std::string &strAuth, std::string &strAuthUsernameOut)
static std::vector< std::vector< std::string > > g_rpcauth
static bool HTTPReq_JSONRPC(const std::any &context, HTTPRequest *req)
static bool InitRPCAuthentication()
static std::map< std::string, std::set< std::string > > g_rpc_whitelist
static void JSONErrorReply(HTTPRequest *req, UniValue objError, const JSONRPCRequest &jreq)
void UnregisterHTTPHandler(const std::string &prefix, bool exactMatch)
Unregister handler for prefix.
void RegisterHTTPHandler(const std::string &prefix, bool exactMatch, const HTTPRequestHandler &handler)
Register handler for prefix.
static struct event_base * eventBase
HTTP module state.
struct event_base * EventBase()
Return evhttp event base.
#define LogDebug(category,...)
std::vector< std::string > SplitString(std::string_view str, char sep)
std::string_view TrimStringView(std::string_view str, std::string_view pattern=" \f\n\r\t\v")
void GetStrongRandBytes(std::span< unsigned char > bytes) noexcept
Gather entropy from various sources, feed it into the internal PRNG, and generate random data using i...
GenerateAuthCookieResult GenerateAuthCookie(const std::optional< fs::perms > &cookie_perms, std::string &user, std::string &pass)
Generate a new RPC authentication cookie and write it to disk.
UniValue JSONRPCError(int code, const std::string &message)
UniValue JSONRPCReplyObj(UniValue result, UniValue error, std::optional< UniValue > id, JSONRPCVersion jsonrpc_version)
@ HTTP_INTERNAL_SERVER_ERROR
@ RPC_INVALID_REQUEST
Standard JSON-RPC 2.0 errors.
UniValue JSONRPCExec(const JSONRPCRequest &jreq, bool catch_errors)
unsigned char * UCharCast(char *c)
bool TimingResistantEqual(const T &a, const T &b)
Timing-attack-resistant comparison.
const UniValue NullUniValue
std::optional< std::vector< unsigned char > > DecodeBase64(std::string_view str)
void UninterruptibleSleep(const std::chrono::microseconds &n)