phantom/bitcoin
1
0
Fork 0
mirror of https://github.com/bitcoin/bitcoin.git synced 2025-04-29 14:59:39 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

args: Support -norpccookiefile for bitcoind and bitcoin-cli

Browse source 
Replaces belt & suspenders check for initialization in RPCAuthorized() with not allowing empty passwords further down.
This commit is contained in:
Hodlinator 2024-12-03 10:20:31 +01:00
parent e82ad88452
commit 39cbd4f37c
No known key found for this signature in database
2 changed files with 18 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

15
src/httprpc.cpp
View file

@ -134,8 +134,6 @@ static bool multiUserAuthorized(std::string strUserPass)
static bool RPCAuthorized(const std::string& strAuth, std::string& strAuthUsernameOut) static bool RPCAuthorized(const std::string& strAuth, std::string& strAuthUsernameOut)
{ {
if (strRPCUserColonPass.empty()) // Belt-and-suspenders measure if InitRPCAuthentication was not called
return false;
if (strAuth.substr(0, 6) != "Basic ") if (strAuth.substr(0, 6) != "Basic ")
return false; return false;
std::string_view strUserPass64 = TrimStringView(std::string_view{strAuth}.substr(6)); std::string_view strUserPass64 = TrimStringView(std::string_view{strAuth}.substr(6));
@ -147,8 +145,9 @@ static bool RPCAuthorized(const std::string& strAuth, std::string& strAuthUserna
if (strUserPass.find(':') != std::string::npos) if (strUserPass.find(':') != std::string::npos)
strAuthUsernameOut = strUserPass.substr(0, strUserPass.find(':')); strAuthUsernameOut = strUserPass.substr(0, strUserPass.find(':'));
//Check if authorized under single-user field // Check if authorized under single-user field.
if (TimingResistantEqual(strUserPass, strRPCUserColonPass)) { // (strRPCUserColonPass is empty when -norpccookiefile is specified).
if (!strRPCUserColonPass.empty() && TimingResistantEqual(strUserPass, strRPCUserColonPass)) {
return true; return true;
} }
return multiUserAuthorized(strUserPass); return multiUserAuthorized(strUserPass);
@ -294,8 +293,6 @@ static bool InitRPCAuthentication()
{ {
if (gArgs.GetArg("-rpcpassword", "") == "") if (gArgs.GetArg("-rpcpassword", "") == "")
{ {
LogInfo("Using random cookie authentication.\n");
std::optional<fs::perms> cookie_perms{std::nullopt}; std::optional<fs::perms> cookie_perms{std::nullopt};
auto cookie_perms_arg{gArgs.GetArg("-rpccookieperms")}; auto cookie_perms_arg{gArgs.GetArg("-rpccookieperms")};
if (cookie_perms_arg) { if (cookie_perms_arg) {
@ -307,9 +304,15 @@ static bool InitRPCAuthentication()
cookie_perms = *perm_opt; cookie_perms = *perm_opt;
} }
assert(strRPCUserColonPass.empty()); // Only support initializing once
if (!GenerateAuthCookie(&strRPCUserColonPass, cookie_perms)) { if (!GenerateAuthCookie(&strRPCUserColonPass, cookie_perms)) {
return false; return false;
} }
if (strRPCUserColonPass.empty()) {
LogInfo("RPC authentication cookie file generation is disabled.");
} else {
LogInfo("Using random cookie authentication.");
}
} else { } else {
LogPrintf("Config options rpcuser and rpcpassword will soon be deprecated. Locally-run instances may remove rpcuser to use cookie-based auth, or may be replaced with rpcauth. Please see share/rpcauth for rpcauth auth generation.\n"); LogPrintf("Config options rpcuser and rpcpassword will soon be deprecated. Locally-run instances may remove rpcuser to use cookie-based auth, or may be replaced with rpcauth. Please see share/rpcauth for rpcauth auth generation.\n");
strRPCUserColonPass = gArgs.GetArg("-rpcuser", "") + ":" + gArgs.GetArg("-rpcpassword", ""); strRPCUserColonPass = gArgs.GetArg("-rpcuser", "") + ":" + gArgs.GetArg("-rpcpassword", "");

9
src/rpc/request.cpp
View file

@ -86,6 +86,9 @@ static const char* const COOKIEAUTH_FILE = ".cookie";
static fs::path GetAuthCookieFile(bool temp=false) static fs::path GetAuthCookieFile(bool temp=false)
{ {
fs::path arg = gArgs.GetPathArg("-rpccookiefile", COOKIEAUTH_FILE); fs::path arg = gArgs.GetPathArg("-rpccookiefile", COOKIEAUTH_FILE);
if (arg.empty()) {
return {}; // -norpccookiefile was specified
}
if (temp) { if (temp) {
arg += ".tmp"; arg += ".tmp";
} }
@ -106,6 +109,9 @@ bool GenerateAuthCookie(std::string* cookie_out, std::optional<fs::perms> cookie
*/ */
std::ofstream file; std::ofstream file;
fs::path filepath_tmp = GetAuthCookieFile(true); fs::path filepath_tmp = GetAuthCookieFile(true);
if (filepath_tmp.empty()) {
return true; // -norpccookiefile
}
file.open(filepath_tmp); file.open(filepath_tmp);
if (!file.is_open()) { if (!file.is_open()) {
LogWarning("Unable to open cookie authentication file %s for writing", fs::PathToString(filepath_tmp)); LogWarning("Unable to open cookie authentication file %s for writing", fs::PathToString(filepath_tmp));
@ -142,6 +148,9 @@ bool GetAuthCookie(std::string *cookie_out)
std::ifstream file; std::ifstream file;
std::string cookie; std::string cookie;
fs::path filepath = GetAuthCookieFile(); fs::path filepath = GetAuthCookieFile();
if (filepath.empty()) {
return true; // -norpccookiefile
}
file.open(filepath); file.open(filepath);
if (!file.is_open()) if (!file.is_open())
return false; return false;