From ae7bd7dd2e46f7c905d70a730135130e45399f0b Mon Sep 17 00:00:00 2001 From: Alex Gartner Date: Tue, 3 Dec 2024 12:18:05 -0800 Subject: [PATCH 1/2] Add rpc whitelist --- Dockerfile | 4 ++-- examples/testnet4.sh | 4 +++- wallet.sh | 27 +++++++++++++++++++++++++-- 3 files changed, 30 insertions(+), 5 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index f29287b..962fc41 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,7 @@
 FROM debian:bullseye-slim
 RUN apt-get update -y \
- && apt-get install -y curl procps procps jq \
+ && apt-get install -y curl procps procps jq xxd \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
@@ -24,4 +24,4 @@ RUN bitcoind -version | grep "Bitcoin Core version v${BITCOIN_VERSION}"
 COPY wallet.sh wallet-health.sh /opt/
-CMD ["bitcoind"]
\ No newline at end of file
+CMD ["bitcoind"]
diff --git a/examples/testnet4.sh b/examples/testnet4.sh
index e73733b..e77d469 100755
--- a/examples/testnet4.sh
+++ b/examples/testnet4.sh
@@ -5,6 +5,8 @@ docker run -d \
 -e CHAIN=testnet4 \
 -e RPC_USER=default \
 -e RPC_PASSWORD=default \
+ -e ADMIN_RPC_USER=admin \
+ -e ADMIN_RPC_PASSWORD=admin \
 -e WALLET_NAME=default \
 -e WALLET_ADDRESS=tb1qfm8a8pxer0kmfa4xlk34e44xpr8g46ae0v04dw \
- bitcoin-core-docker /opt/wallet.sh
\ No newline at end of file
+ bitcoin-core-docker /opt/wallet.sh
diff --git a/wallet.sh b/wallet.sh
index efef279..5b89c22 100755
--- a/wallet.sh
+++ b/wallet.sh
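Review bot: The `apt-get install` line gains `xxd` for the salt generation, but patch 2/2 of this series rewrites `hashed_password` in wallet.sh to pipe through `openssl dgst`, and nothing in this Dockerfile installs the `openssl` client; unless the base image or a later layer already provides it (debian:bullseye-slim does not, as far as I know), `hashed_password` comes out empty and the container writes an unusable rpcauth line. Adding it on the same line, `&& apt-get install -y curl procps jq xxd openssl \`, also gives a chance to drop the duplicated `procps`. Whether the later `RUN` steps pull openssl in indirectly is not visible in this hunk.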
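Review bot: The example hardcodes `ADMIN_RPC_USER=admin` and `ADMIN_RPC_PASSWORD=admin`, and because the config wallet.sh generates keeps `rpcallowip=0.0.0.0/0` and `rpcbind=0.0.0.0` with no whitelist on the admin user, these values grant unrestricted RPC access (wallet calls included) from any host that can reach the port; that is fine for the CI run this file feeds, but examples are what people copy. A comment above the two new `-e` lines, e.g. `# admin has unrestricted RPC access; never reuse these values outside CI`, would make that explicit. Whether this `docker run` publishes the RPC port is not visible in the hunk.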
@@ -1,13 +1,36 @@
 #!/bin/bash
+generate_rpcauth_entry() {
+ local user="$1"
+ local password="$2"
+
+ if [[ -z "$user" || -z "$password" ]]; then
+ echo "Usage: generate_rpcauth_entry "
+ return 1
+ fi
+
+ local salt
+ local hashed_password
+ salt=$(head -c 16 /dev/urandom | xxd -ps | tr -d '\n')
+ hashed_password=$(echo -n "${password}${salt}" | sha256sum | awk '{print $1}')
+
+ echo "rpcauth=${user}:${salt}\$${hashed_password}"
+}
+
 # set default config
 # this makes running bitcoin-cli interactively much easier
+# the admin user is the default user when running commands locally
+# the rpc user is for remote usage
 echo "
 chain=${CHAIN}
-rpcuser=${RPC_USER}
-rpcpassword=${RPC_PASSWORD}
+rpcuser=${ADMIN_RPC_USER}
+rpcpassword=${ADMIN_RPC_PASSWORD}
 rpcallowip=0.0.0.0/0
+$(generate_rpcauth_entry $ADMIN_RPC_USER $ADMIN_RPC_PASSWORD)
+$(generate_rpcauth_entry $RPC_USER $RPC_PASSWORD)
+rpcwhitelist=${RPC_USER}:getnetworkinfo,getbalance,sendrawtransaction,listunspent,listunspentminmaxaddresses,estimatesmartfee,gettransaction,getrawtransaction,getrawtransactionverbose,getblockcount,getblockhash,getblockverbose,getblockverbosetx,getblockheader
+rpcwhitelistdefault=0
 [${CHAIN}]
 rpcbind=0.0.0.0
From 642ef87e80f28075e2b7790df4349df0e10fefae Mon Sep 17 00:00:00 2001 From: Alex Gartner Date: Tue, 3 Dec 2024 13:44:36 -0800 Subject: [PATCH 2/2] fix password hash format --- .github/workflows/ci.yml | 7 +++++-- wallet.sh | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 875b77a..4b78e67 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
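Review bot: The credentials in `$(generate_rpcauth_entry $ADMIN_RPC_USER $ADMIN_RPC_PASSWORD)` and `$(generate_rpcauth_entry $RPC_USER $RPC_PASSWORD)` are passed unquoted, so a password containing whitespace or glob characters is split into extra arguments and a wrong rpcauth line is written silently; quote them as `$(generate_rpcauth_entry "$ADMIN_RPC_USER" "$ADMIN_RPC_PASSWORD")`. When one of them is empty the function prints its usage text to stdout, i.e. into the generated config, and the script carries on and emits `rpcwhitelist=:...` for a nameless user, so send that message to stderr and fail early with `: "${ADMIN_RPC_USER:?}" "${ADMIN_RPC_PASSWORD:?}" "${RPC_USER:?}" "${RPC_PASSWORD:?}"` before the echo (the argument placeholders of the usage string also appear to have been lost in this rendering). The comment says the admin user is for local use, but with `rpcallowip=0.0.0.0/0`, `rpcbind=0.0.0.0` and `rpcwhitelistdefault=0` it is an unrestricted account accepted from any source address, which the comment should state plainly so deployers know ADMIN_RPC_PASSWORD must be strong. Several whitelist entries (`listunspentminmaxaddresses`, `getrawtransactionverbose`, `getblockverbose`, `getblockverbosetx`) are not Bitcoin Core RPC method names as far as I can tell, and `rpcwhitelist` matches method names exactly, so they are inert while `getblock` itself is not allowed. The quoted config string continues past the end of the hunk.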
@@ -77,7 +77,8 @@ jobs:
 docker pull ${{ needs.build.outputs.IMAGE }}
 docker tag ${{ needs.build.outputs.IMAGE }} bitcoin-core-docker
 - uses: actions/checkout@v4
- - run: ./examples/${CONTAINER_NAME}.sh
+ - name: Start ${{ env.CONTAINER_NAME }}
+ run: ./examples/${CONTAINER_NAME}.sh
 - name: Wait for healthy
 run: |
 while ! docker exec -i ${CONTAINER_NAME} /opt/wallet-health.sh; do
@@ -102,4 +103,6 @@ jobs:
 echo "waiting for ${CONTAINER_NAME} health"
 echo "Last log: $(docker logs -n1 ${CONTAINER_NAME})"
 sleep 15
- done
\ No newline at end of file
+ done
+ - name: Ensure default user works with whitelist
+ run: docker exec ${CONTAINER_NAME} bitcoin-cli -rpcuser=default -rpcpassword=default getblockcount
\ No newline at end of file
diff --git a/wallet.sh b/wallet.sh
index 5b89c22..055dc73 100755
--- a/wallet.sh
+++ b/wallet.sh
@@ -12,7 +12,7 @@ generate_rpcauth_entry() {
 local salt
 local hashed_password
 salt=$(head -c 16 /dev/urandom | xxd -ps | tr -d '\n')
- hashed_password=$(echo -n "${password}${salt}" | sha256sum | awk '{print $1}')
+ hashed_password=$(echo -n "${password}" | openssl dgst -sha256 -hmac "${salt}" -binary | xxd -p -c 64)
 echo "rpcauth=${user}:${salt}\$${hashed_password}"
 }
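Review bot: The new "Ensure default user works with whitelist" step only proves that the whitelisted `getblockcount` succeeds for the `default` user, which would pass just as well if the whitelist were ignored entirely. Add a negative check that a method outside the list is refused, e.g. `run: ! docker exec ${CONTAINER_NAME} bitcoin-cli -rpcuser=default -rpcpassword=default getblockchaininfo`, so a regression in `rpcwhitelist` handling actually fails CI. The file is again left without a trailing newline, which patch 1 of this series fixed for the Dockerfile and the example.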
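Review bot: `echo -n "${password}"` feeds the secret through a builtin whose option parsing depends on the value: a password beginning with `-n`, `-e` or `-E` is swallowed as an option, and shells with `xpg_echo` also interpret backslash sequences, so the stored hash would not match what the user later sends; `printf '%s' "${password}" | openssl dgst -sha256 -hmac "${salt}" -binary | xxd -p -c 64` avoids both. The HMAC layout (key = hex salt, message = password, lowercase hex digest) matches the rpcauth scheme, and passing the password on stdin rather than argv keeps it out of `ps`. The salt assignment above and the function header lie outside the hunk.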