node: prevent exposing engine API on unauthenticated endpoint (#25939)

* node: prevent exposing engine API on unauthenticated endpoint

* node: improve RPC setup
This commit is contained in:
Felix Lange 2022-10-06 14:01:04 +02:00 committed by GitHub
parent 067bac3f24
commit 9cddfe92a3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 16 additions and 16 deletions

@ -269,7 +269,7 @@ func (api *adminAPI) StartWS(host *string, port *int, allowedOrigins *string, ap
if err := server.setListenAddr(*host, *port); err != nil { if err := server.setListenAddr(*host, *port); err != nil {
return false, err return false, err
} }
openApis, _ := api.node.GetAPIs() openApis, _ := api.node.getAPIs()
if err := server.enableWS(openApis, config); err != nil { if err := server.enableWS(openApis, config); err != nil {
return false, err return false, err
} }

@ -392,15 +392,15 @@ func (n *Node) startRPC() error {
} }
} }
var ( var (
servers []*httpServer servers []*httpServer
open, all = n.GetAPIs() openAPIs, allAPIs = n.getAPIs()
) )
initHttp := func(server *httpServer, apis []rpc.API, port int) error { initHttp := func(server *httpServer, port int) error {
if err := server.setListenAddr(n.config.HTTPHost, port); err != nil { if err := server.setListenAddr(n.config.HTTPHost, port); err != nil {
return err return err
} }
if err := server.enableRPC(apis, httpConfig{ if err := server.enableRPC(openAPIs, httpConfig{
CorsAllowedOrigins: n.config.HTTPCors, CorsAllowedOrigins: n.config.HTTPCors,
Vhosts: n.config.HTTPVirtualHosts, Vhosts: n.config.HTTPVirtualHosts,
Modules: n.config.HTTPModules, Modules: n.config.HTTPModules,
@ -412,12 +412,12 @@ func (n *Node) startRPC() error {
return nil return nil
} }
initWS := func(apis []rpc.API, port int) error { initWS := func(port int) error {
server := n.wsServerForPort(port, false) server := n.wsServerForPort(port, false)
if err := server.setListenAddr(n.config.WSHost, port); err != nil { if err := server.setListenAddr(n.config.WSHost, port); err != nil {
return err return err
} }
if err := server.enableWS(n.rpcAPIs, wsConfig{ if err := server.enableWS(openAPIs, wsConfig{
Modules: n.config.WSModules, Modules: n.config.WSModules,
Origins: n.config.WSOrigins, Origins: n.config.WSOrigins,
prefix: n.config.WSPathPrefix, prefix: n.config.WSPathPrefix,
@ -428,13 +428,13 @@ func (n *Node) startRPC() error {
return nil return nil
} }
initAuth := func(apis []rpc.API, port int, secret []byte) error { initAuth := func(port int, secret []byte) error {
// Enable auth via HTTP // Enable auth via HTTP
server := n.httpAuth server := n.httpAuth
if err := server.setListenAddr(n.config.AuthAddr, port); err != nil { if err := server.setListenAddr(n.config.AuthAddr, port); err != nil {
return err return err
} }
if err := server.enableRPC(apis, httpConfig{ if err := server.enableRPC(allAPIs, httpConfig{
CorsAllowedOrigins: DefaultAuthCors, CorsAllowedOrigins: DefaultAuthCors,
Vhosts: n.config.AuthVirtualHosts, Vhosts: n.config.AuthVirtualHosts,
Modules: DefaultAuthModules, Modules: DefaultAuthModules,
@ -449,7 +449,7 @@ func (n *Node) startRPC() error {
if err := server.setListenAddr(n.config.AuthAddr, port); err != nil { if err := server.setListenAddr(n.config.AuthAddr, port); err != nil {
return err return err
} }
if err := server.enableWS(apis, wsConfig{ if err := server.enableWS(allAPIs, wsConfig{
Modules: DefaultAuthModules, Modules: DefaultAuthModules,
Origins: DefaultAuthOrigins, Origins: DefaultAuthOrigins,
prefix: DefaultAuthPrefix, prefix: DefaultAuthPrefix,
@ -464,24 +464,24 @@ func (n *Node) startRPC() error {
// Set up HTTP. // Set up HTTP.
if n.config.HTTPHost != "" { if n.config.HTTPHost != "" {
// Configure legacy unauthenticated HTTP. // Configure legacy unauthenticated HTTP.
if err := initHttp(n.http, open, n.config.HTTPPort); err != nil { if err := initHttp(n.http, n.config.HTTPPort); err != nil {
return err return err
} }
} }
// Configure WebSocket. // Configure WebSocket.
if n.config.WSHost != "" { if n.config.WSHost != "" {
// legacy unauthenticated // legacy unauthenticated
if err := initWS(open, n.config.WSPort); err != nil { if err := initWS(n.config.WSPort); err != nil {
return err return err
} }
} }
// Configure authenticated API // Configure authenticated API
if len(open) != len(all) { if len(openAPIs) != len(allAPIs) {
jwtSecret, err := n.obtainJWTSecret(n.config.JWTSecret) jwtSecret, err := n.obtainJWTSecret(n.config.JWTSecret)
if err != nil { if err != nil {
return err return err
} }
if err := initAuth(all, n.config.AuthPort, jwtSecret); err != nil { if err := initAuth(n.config.AuthPort, jwtSecret); err != nil {
return err return err
} }
} }
@ -570,9 +570,9 @@ func (n *Node) RegisterAPIs(apis []rpc.API) {
n.rpcAPIs = append(n.rpcAPIs, apis...) n.rpcAPIs = append(n.rpcAPIs, apis...)
} }
// GetAPIs return two sets of APIs, both the ones that do not require // getAPIs return two sets of APIs, both the ones that do not require
// authentication, and the complete set // authentication, and the complete set
func (n *Node) GetAPIs() (unauthenticated, all []rpc.API) { func (n *Node) getAPIs() (unauthenticated, all []rpc.API) {
for _, api := range n.rpcAPIs { for _, api := range n.rpcAPIs {
if !api.Authenticated { if !api.Authenticated {
unauthenticated = append(unauthenticated, api) unauthenticated = append(unauthenticated, api)