Add rpc whitelist (#2)

* Add rpc whitelist

* fix password hash format

.github/workflows/ci.yml

@@ -77,7 +77,8 @@ jobs:
           docker pull ${{ needs.build.outputs.IMAGE }}
           docker tag ${{ needs.build.outputs.IMAGE }} bitcoin-core-docker
       - uses: actions/checkout@v4
-      - run: ./examples/${CONTAINER_NAME}.sh
+      - name: Start ${{ env.CONTAINER_NAME }}
+        run: ./examples/${CONTAINER_NAME}.sh
       - name: Wait for healthy
         run: |
           while ! docker exec -i ${CONTAINER_NAME} /opt/wallet-health.sh; do
@@ -102,4 +103,6 @@ jobs:
             echo "waiting for ${CONTAINER_NAME} health"
             echo "Last log: $(docker logs -n1 ${CONTAINER_NAME})"
             sleep 15
-          done
+          done
+      - name: Ensure default user works with whitelist
+        run: docker exec ${CONTAINER_NAME} bitcoin-cli -rpcuser=default -rpcpassword=default getblockcount

Dockerfile

@@ -1,7 +1,7 @@
 FROM debian:bullseye-slim
 
 RUN apt-get update -y \
-  && apt-get install -y curl procps procps jq \
+  && apt-get install -y curl procps procps jq xxd \
   && apt-get clean \
   && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
@@ -24,4 +24,4 @@ RUN bitcoind -version | grep "Bitcoin Core version v${BITCOIN_VERSION}"
 
 COPY wallet.sh wallet-health.sh /opt/
 
-CMD ["bitcoind"]
+CMD ["bitcoind"]

examples/testnet4.sh

@@ -5,6 +5,8 @@ docker run -d \
   -e CHAIN=testnet4 \
   -e RPC_USER=default \
   -e RPC_PASSWORD=default \
+  -e ADMIN_RPC_USER=admin \
+  -e ADMIN_RPC_PASSWORD=admin \
   -e WALLET_NAME=default \
   -e WALLET_ADDRESS=tb1qfm8a8pxer0kmfa4xlk34e44xpr8g46ae0v04dw \
-  bitcoin-core-docker /opt/wallet.sh
+  bitcoin-core-docker /opt/wallet.sh

wallet.sh

@@ -1,13 +1,36 @@
 #!/bin/bash
 
+generate_rpcauth_entry() {
+  local user="$1"
+  local password="$2"
+
+  if [[ -z "$user" || -z "$password" ]]; then
+      echo "Usage: generate_rpcauth_entry <user> <password>"
+      return 1
+  fi
+
+  local salt
+  local hashed_password
+  salt=$(head -c 16 /dev/urandom | xxd -ps | tr -d '\n')
+  hashed_password=$(echo -n "${password}" | openssl dgst -sha256 -hmac "${salt}" -binary | xxd -p -c 64)
+
+  echo "rpcauth=${user}:${salt}\$${hashed_password}"
+}
+
 # set default config
 # this makes running bitcoin-cli interactively much easier
+# the admin user is the default user when running commands locally
+# the rpc user is for remote usage
 
 echo "
 chain=${CHAIN}
-rpcuser=${RPC_USER}
-rpcpassword=${RPC_PASSWORD}
+rpcuser=${ADMIN_RPC_USER}
+rpcpassword=${ADMIN_RPC_PASSWORD}
 rpcallowip=0.0.0.0/0
+$(generate_rpcauth_entry $ADMIN_RPC_USER $ADMIN_RPC_PASSWORD)
+$(generate_rpcauth_entry $RPC_USER $RPC_PASSWORD)
+rpcwhitelist=${RPC_USER}:getnetworkinfo,getbalance,sendrawtransaction,listunspent,listunspentminmaxaddresses,estimatesmartfee,gettransaction,getrawtransaction,getrawtransactionverbose,getblockcount,getblockhash,getblockverbose,getblockverbosetx,getblockheader
+rpcwhitelistdefault=0
 
 [${CHAIN}]
 rpcbind=0.0.0.0