Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(rpc): Refactor the cookie-based RPC authentication #8940

Merged
merged 4 commits into from
Oct 21, 2024
Merged

fix(rpc): Refactor the cookie-based RPC authentication #8940

merged 4 commits into from
Oct 21, 2024

Conversation

upbqdn
Copy link
Member

@upbqdn upbqdn commented Oct 17, 2024
edited
Loading

Motivation

Resolve #8900 (comment) and #8900 (comment).

Solution

  • Don't read the cookie from the disk at all.
  • Use a path to the cookie file when removing it.
  • Rename FixHttpRequestMiddleware to HttpRequestMiddleware since it doesn't contain only fixes anymore but also serves as an authentication layer.

Tests

No new tests.

PR Author's Checklist

  • The PR name is suitable for the change log.
  • The solution is tested.
  • The PR has a priority label.

PR Reviewer's Checklist

  • The PR resolves the issue.

@upbqdn upbqdn added C-security Category: Security issues A-rpc Area: Remote Procedure Call interfaces C-feature Category: New features A-compatibility Area: Compatibility with other nodes or wallets, or standard rules P-Medium ⚡ rust Pull requests that update Rust code labels Oct 17, 2024
@upbqdn upbqdn requested a review from arya2 October 17, 2024 12:42
@upbqdn upbqdn self-assigned this Oct 17, 2024
@upbqdn upbqdn requested a review from a team as a code owner October 17, 2024 12:42
@mergify Mergify
Copy link
Contributor

mergify bot commented Oct 17, 2024

⚠️ The sha of the head commit of this PR conflicts with #8900. Mergify cannot evaluate rules on this PR. ⚠️

arya2
arya2 reviewed Oct 18, 2024
View reviewed changes
Copy link
Contributor

@arya2 arya2 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you! This is an excellent refactor, it fixes the issues mentioned in the PR description, and the new With trait looks like it'll be very useful later/elsewhere in Zebra (I'm looking forward to using it in the parameters::network::testnet module).

zebra-rpc/src/server.rs Outdated Show resolved Hide resolved
zebra-rpc/src/server/cookie.rs Show resolved Hide resolved
zebra-rpc/src/server/http_request_compatibility.rs
Comment on lines +50 to +54
/// A trait for updating an object, consuming it and returning the updated version.
pub trait With<T> {
/// Updates `self` with an instance of type `T` and returns the updated version of `self`.
fn with(self, _: T) -> Self;
}
Copy link
Contributor

@arya2 arya2 Oct 18, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks great, good idea!

Optional: This could be useful elsewhere in Zebra as well, such as in the testnet::ParametersBuilder, so it might fit better in zebra-chain, but it could also be moved in whenever we try implementing it for other structs.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm glad you like it. :) It pretty much randomly occurred to me to do it this way. It seems to go well with something like let foo = if cond1 {Foo::...with(...)} else if cond2 {Foo::...with(...)} else {Foo::...with(...)}.

Yea, let's move it somewhere else if we're using it in other places.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We could maybe add a macro which could take an arbitrary number of arguments: ...with!(a, b, c).

@mpguerra mpguerra linked an issue Oct 21, 2024 that may be closed by this pull request
Protect the Zebra RPC endpoint #8864
Closed
@upbqdn @arya2
Apply suggestions from code review
b970416 
Co-authored-by: Arya <aryasolhi@gmail.com>
oxarbitrage
oxarbitrage approved these changes Oct 21, 2024
View reviewed changes
Copy link
Contributor

@oxarbitrage oxarbitrage left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks really good and it works. Thanks for the refactor!

@oxarbitrage oxarbitrage merged commit 43131b8 into auth-rpc-endpoint Oct 21, 2024
129 of 145 checks passed
@oxarbitrage oxarbitrage deleted the refactor-cookie-auth branch October 21, 2024 22:48
mergify bot pushed a commit that referenced this pull request Oct 22, 2024
@oxarbitrage @upbqdn @arya2
feat(rpc): Cookie auth system for the RPC endpoint (#8900)
b1ffc89 
* add a cookie auth system for the rpc endpoint

* fix rand import

* fixes based on cookie method research

* add and use `cookie_dir` config, rpc client changes

* add missing dependency

* add a enable_cookie auth option to config and use it in all tests

* get rid of the unauthenticated method

* change config in qa python tests to run unauthenticated

* change return types in cookie methods

* change comment

* fix(rpc): Refactor the cookie-based RPC authentication (#8940)

* Refactor the cookie-based RPC authentication

* Rephrase docs

* Apply suggestions from code review

Co-authored-by: Arya <aryasolhi@gmail.com>

---------

Co-authored-by: Arya <aryasolhi@gmail.com>

* clippy

---------

Co-authored-by: Marek <mail@marek.onl>
Co-authored-by: Arya <aryasolhi@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@arya2 arya2 arya2 left review comments

@oxarbitrage oxarbitrage oxarbitrage approved these changes

Assignees

@upbqdn upbqdn

Labels
A-compatibility Area: Compatibility with other nodes or wallets, or standard rules A-rpc Area: Remote Procedure Call interfaces C-feature Category: New features C-security Category: Security issues P-Medium ⚡ rust Pull requests that update Rust code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Protect the Zebra RPC endpoint
3 participants
@upbqdn @arya2 @oxarbitrage