WIP: RPC Auth

infrastructure/config/config.go

@@ -54,6 +54,7 @@ const (
 	sampleConfigFilename    = "sample-kaspad.conf"
 	defaultMaxUTXOCacheSize = 5_000_000_000
 	defaultProtocolVersion  = 5
+	defaultRPCAuth          = "none"
 )
 
 var (
@@ -92,8 +93,9 @@ type Flags struct {
 	BanThreshold                    uint32        `long:"banthreshold" description:"Maximum allowed ban score before disconnecting and banning misbehaving peers."`
 	Whitelists                      []string      `long:"whitelist" description:"Add an IP network or IP that will not be banned. (eg. 192.168.1.0/24 or ::1)"`
 	RPCListeners                    []string      `long:"rpclisten" description:"Add an interface/port to listen for RPC connections (default port: 16110, testnet: 16210)"`
-	RPCCert                         string        `long:"rpccert" description:"File containing the certificate file"`
-	RPCKey                          string        `long:"rpckey" description:"File containing the certificate key"`
+	RPCAuth                         string        `long:"rpcauth" description:"RPC Authentication type to use: tls, none. Use tls option with RPCCert and RPCKey"`
+	RPCCert                         string        `long:"rpccert" description:"File containing the certificate file, for TLS"`
+	RPCKey                          string        `long:"rpckey" description:"File containing the certificate key, for TLS"`
 	RPCMaxClients                   int           `long:"rpcmaxclients" description:"Max number of RPC clients for standard connections"`
 	RPCMaxWebsockets                int           `long:"rpcmaxwebsockets" description:"Max number of RPC websocket connections"`
 	RPCMaxConcurrentReqs            int           `long:"rpcmaxconcurrentreqs" description:"Max number of concurrent RPC requests that may be processed concurrently"`
@@ -183,6 +185,7 @@ func defaultFlags() *Flags {
 		RPCMaxWebsockets:     defaultMaxRPCWebsockets,
 		RPCMaxConcurrentReqs: defaultMaxRPCConcurrentReqs,
 		AppDir:               defaultDataDir,
+		RPCAuth:              defaultRPCAuth,
 		RPCKey:               defaultRPCKeyFile,
 		RPCCert:              defaultRPCCertFile,
 		BlockMaxMass:         defaultBlockMaxMass,
@@ -202,6 +205,7 @@ func DefaultConfig() *Config {
 	return config
 }
 
+// Test
 // LoadConfig initializes and parses the config using a config file and command
 // line options.
 //

infrastructure/network/netadapter/netadapter.go

@@ -42,11 +42,13 @@ func NewNetAdapter(cfg *config.Config) (*NetAdapter, error) {
 	if err != nil {
 		return nil, err
 	}
+	// p2pServer is a gRCP server for internodes communication
 	p2pServer, err := grpcserver.NewP2PServer(cfg.Listeners)
 	if err != nil {
 		return nil, err
 	}
-	rpcServer, err := grpcserver.NewRPCServer(cfg.RPCListeners, cfg.RPCMaxClients)
+	// rpcServer is for gRCP miner, wallet and certain kaspactl utility communications
+	rpcServer, err := grpcserver.NewRPCServer(cfg.RPCListeners, cfg.RPCMaxClients, cfg.RPCAuth, cfg.RPCCert, cfg.RPCKey)
 	if err != nil {
 		return nil, err
 	}

infrastructure/network/netadapter/server/grpcserver/grpc_server.go

@@ -3,37 +3,60 @@ package grpcserver
 import (
 	"context"
 	"fmt"
+	"net"
+	"sync"
+	"time"
+
 	"github.com/kaspanet/kaspad/infrastructure/network/netadapter/server"
 	"github.com/kaspanet/kaspad/util/panics"
 	"github.com/pkg/errors"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/peer"
-	"net"
-	"sync"
-	"time"
 )
 
+// RequestModifier can modify the http request
+type RequestModifier func(r *grpc.Server)
+
 type gRPCServer struct {
+	// modifiers are applied before any request
+	//modifiers          []RequestModifier
 	onConnectedHandler server.OnConnectedHandler
 	listeningAddresses []string
 	server             *grpc.Server
 	name               string
+	auth               string
 
 	maxInboundConnections      int
 	inboundConnectionCount     int
 	inboundConnectionCountLock *sync.Mutex
 }
 
 // newGRPCServer creates a gRPC server
-func newGRPCServer(listeningAddresses []string, maxMessageSize int, maxInboundConnections int, name string) *gRPCServer {
+func newGRPCServer(listeningAddresses []string, maxMessageSize int, maxInboundConnections int, name string, auth string, certFile string, keyFile string) *gRPCServer {
 	log.Debugf("Created new %s GRPC server with maxMessageSize %d and maxInboundConnections %d", name, maxMessageSize, maxInboundConnections)
-	return &gRPCServer{
-		server:                     grpc.NewServer(grpc.MaxRecvMsgSize(maxMessageSize), grpc.MaxSendMsgSize(maxMessageSize)),
-		listeningAddresses:         listeningAddresses,
-		name:                       name,
-		maxInboundConnections:      maxInboundConnections,
-		inboundConnectionCount:     0,
-		inboundConnectionCountLock: &sync.Mutex{},
+	log.Warnf("Name: %s for grpc auth type: %s", name, auth)
+	if auth == "tls" {
+		creds, _ := credentials.NewServerTLSFromFile(certFile, keyFile)
+		return &gRPCServer{
+			server:                     grpc.NewServer(grpc.Creds(creds), grpc.MaxRecvMsgSize(maxMessageSize), grpc.MaxSendMsgSize(maxMessageSize)),
+			listeningAddresses:         listeningAddresses,
+			name:                       name,
+			auth:                       auth,
+			maxInboundConnections:      maxInboundConnections,
+			inboundConnectionCount:     0,
+			inboundConnectionCountLock: &sync.Mutex{},
+		}
+	} else {
+		return &gRPCServer{
+			server:                     grpc.NewServer(grpc.MaxRecvMsgSize(maxMessageSize), grpc.MaxSendMsgSize(maxMessageSize)),
+			listeningAddresses:         listeningAddresses,
+			name:                       name,
+			auth:                       auth,
+			maxInboundConnections:      maxInboundConnections,
+			inboundConnectionCount:     0,
+			inboundConnectionCountLock: &sync.Mutex{},
+		}
 	}
 }
 

infrastructure/network/netadapter/server/grpcserver/p2pserver.go

@@ -2,17 +2,20 @@ package grpcserver
 
 import (
 	"context"
+	"net"
+	"time"
+
 	"github.com/kaspanet/kaspad/infrastructure/network/netadapter/server"
 	"github.com/kaspanet/kaspad/infrastructure/network/netadapter/server/grpcserver/protowire"
 	"github.com/kaspanet/kaspad/util/panics"
 	"github.com/pkg/errors"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/encoding/gzip"
 	"google.golang.org/grpc/peer"
-	"net"
-	"time"
 )
 
+// p2pServer is a gRCP server for internodes communication
+
 type p2pServer struct {
 	protowire.UnimplementedP2PServer
 	gRPCServer
@@ -28,7 +31,7 @@ const p2pMaxInboundConnections = 0
 
 // NewP2PServer creates a new P2PServer
 func NewP2PServer(listeningAddresses []string) (server.P2PServer, error) {
-	gRPCServer := newGRPCServer(listeningAddresses, p2pMaxMessageSize, p2pMaxInboundConnections, "P2P")
+	gRPCServer := newGRPCServer(listeningAddresses, p2pMaxMessageSize, p2pMaxInboundConnections, "P2P", "none", "", "")
 	p2pServer := &p2pServer{gRPCServer: *gRPCServer}
 	protowire.RegisterP2PServer(gRPCServer.server, p2pServer)
 	return p2pServer, nil

infrastructure/network/netadapter/server/grpcserver/rpcserver.go

@@ -6,6 +6,8 @@ import (
 	"github.com/kaspanet/kaspad/util/panics"
 )
 
+// rpcServer is for gRCP miner, wallet and certain kaspactl utility communications
+// This is for outside querying of the node's state.
 type rpcServer struct {
 	protowire.UnimplementedRPCServer
 	gRPCServer
@@ -15,8 +17,9 @@ type rpcServer struct {
 const RPCMaxMessageSize = 1024 * 1024 * 1024 // 1 GB
 
 // NewRPCServer creates a new RPCServer
-func NewRPCServer(listeningAddresses []string, rpcMaxInboundConnections int) (server.Server, error) {
-	gRPCServer := newGRPCServer(listeningAddresses, RPCMaxMessageSize, rpcMaxInboundConnections, "RPC")
+// @TODO make this a variadic function for better middleware and number of variable args passed in
+func NewRPCServer(listeningAddresses []string, rpcMaxInboundConnections int, rpcAuth string, rpcCert string, rpcKey string) (server.Server, error) {
+	gRPCServer := newGRPCServer(listeningAddresses, RPCMaxMessageSize, rpcMaxInboundConnections, "RPC", rpcAuth, rpcCert, rpcKey)
 	rpcServer := &rpcServer{gRPCServer: *gRPCServer}
 	protowire.RegisterRPCServer(gRPCServer.server, rpcServer)
 	return rpcServer, nil