bitcoind: add rpcwhitelist feature

Default behavior for rpc whitelisting is set to 0, which means that
rpcwhitelisting is only enforced for rpc users for whom an `rpcwhitelist`
exists.
This commit is contained in:
nixbitcoin 2020-06-22 12:12:50 +00:00
parent 5a978a2836
commit 1bf45a9547
No known key found for this signature in database
GPG Key ID: DD11F9AD5308B3BA
2 changed files with 73 additions and 1 deletions


@ -28,8 +28,12 @@ let
# RPC server options # RPC server options
rpcport=${toString cfg.rpc.port} rpcport=${toString cfg.rpc.port}
rpcwhitelistdefault=0
${concatMapStringsSep "\n" ${concatMapStringsSep "\n"
(rpcUser: "rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}") (rpcUser: ''
rpcauth=${rpcUser.name}:${rpcUser.passwordHMAC}
${optionalString (rpcUser.rpcwhitelist != []) "rpcwhitelist=${rpcUser.name}:${lib.strings.concatStringsSep "," rpcUser.rpcwhitelist}"}
'')
(attrValues cfg.rpc.users) (attrValues cfg.rpc.users)
} }
${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind} ${lib.concatMapStrings (rpcbind: "rpcbind=${rpcbind}\n") cfg.rpcbind}
@ -118,6 +122,14 @@ in {
format <SALT-HEX>$<HMAC-HEX>. format <SALT-HEX>$<HMAC-HEX>.
''; '';
}; };
rpcwhitelist = mkOption {
type = types.listOf types.str;
default = [];
description = ''
List of allowed rpc calls for each user.
If empty list, rpcwhitelist is disabled for that user.
'';
};
}; };
config = { config = {
name = mkDefault name; name = mkDefault name;
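Review bot: The description of the new `rpcwhitelist` option ("If empty list, rpcwhitelist is disabled for that user") understates the effect: because the generated config sets `rpcwhitelistdefault=0` in the first hunk, a user with an empty list is not merely "unrestricted by a whitelist" but has access to every RPC method, wallet calls included, even when other users are whitelisted. I would replace that sentence with `An empty list leaves this user unrestricted (full RPC access), since rpcwhitelistdefault is set to 0.` so operators do not assume the default is fail-closed. The whitelist entries are also interpolated verbatim into bitcoin.conf, joined with `,`; a stricter element type such as `types.listOf (types.strMatching "[a-z0-9]+")` would reject entries containing separators or newlines before they reach the config file, though that is a hardening rather than a defect. Both hunks sit inside the module's `let`/option attrsets, which begin and end outside the visible diff.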


@ -82,6 +82,66 @@ in {
name = "publicrpc"; name = "publicrpc";
# Placeholder to be sed'd out by bitcoind preStart # Placeholder to be sed'd out by bitcoind preStart
passwordHMAC = "bitcoin-HMAC-public"; passwordHMAC = "bitcoin-HMAC-public";
rpcwhitelist = [
"echo"
"getinfo"
# Blockchain
"getbestblockhash"
"getblock"
"getblockchaininfo"
"getblockcount"
"getblockfilter"
"getblockhash"
"getblockheader"
"getblockstats"
"getchaintips"
"getchaintxstats"
"getdifficulty"
"getmempoolancestors"
"getmempooldescendants"
"getmempoolentry"
"getmempoolinfo"
"getrawmempool"
"gettxout"
"gettxoutproof"
"gettxoutsetinfo"
"scantxoutset"
"verifytxoutproof"
# Mining
"getblocktemplate"
"getmininginfo"
"getnetworkhashps"
# Network
"getnetworkinfo"
# Rawtransactions
"analyzepsbt"
"combinepsbt"
"combinerawtransaction"
"converttopsbt"
"createpsbt"
"createrawtransaction"
"decodepsbt"
"decoderawtransaction"
"decodescript"
"finalizepsbt"
"fundrawtransaction"
"getrawtransaction"
"joinpsbts"
"sendrawtransaction"
"signrawtransactionwithkey"
"testmempoolaccept"
"utxoupdatepsbt"
# Util
"createmultisig"
"deriveaddresses"
"estimatesmartfee"
"getdescriptorinfo"
"signmessagewithprivkey"
"validateaddress"
"verifymessage"
# Zmq
"getzmqnotifications"
];
}; };
}; };
services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; }; services.tor.hiddenServices.bitcoind = mkHiddenService { port = cfg.bitcoind.port; toHost = cfg.bitcoind.bind; };
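Review bot: The `publicrpc` whitelist admits `fundrawtransaction` under the Rawtransactions group, but that call is wallet-backed: when a wallet is loaded it selects inputs from the node's own wallet and adds a change output, so a public client can enumerate the node's UTXOs and change addresses. Given the hidden service on the line below exposes this user to anyone, I would remove it from the list and add `# fundrawtransaction is a wallet RPC and is deliberately excluded` next to the Rawtransactions comment. `scantxoutset` and `gettxoutsetinfo` both walk the entire UTXO set and can take a long time per call, which makes them an inexpensive denial-of-service lever for an unauthenticated-in-practice user; either drop them or annotate the trade-off with `# Expensive: scans the whole UTXO set; exposed intentionally`. As far as I know `getinfo` was removed from Bitcoin Core some releases ago, so that entry is likely dead and can be dropped to keep the list honest; the enclosing users attrset starts outside this hunk.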