From 4850c901675696095e2df4af234b5421a270e680 Mon Sep 17 00:00:00 2001
From: Ryan
Date: Mon, 29 Jan 2024 02:25:51 -0600
Subject: [PATCH] feat!(rpc): rpc.disable-auth flag (#3117)
In many setups, nodes are running in trusted environments and setting the jwt token is not necessary and very cumbersome. This PR enables a quick fix by providing a flag/config option to the RPC to disable auth. Breaking config. New flag: `--rpc.skip-auth`. New default config:
```toml
[RPC]
Address = "localhost"
Port = "26658"
SkipAuth = false
```
_______________
Comes from a discussion with @joroshiba at Astria.
---
 api/rpc/server.go | 15 ++++++++++-----
 nodebuilder/rpc/config.go | 8 +++++---
 nodebuilder/rpc/constructors.go | 2 +-
 nodebuilder/rpc/flags.go | 16 ++++++++++++++++
 4 files changed, 32 insertions(+), 9 deletions(-)
diff --git a/api/rpc/server.go b/api/rpc/server.go
index 3357140e68..3bf58870bc 100644
--- a/api/rpc/server.go
+++ b/api/rpc/server.go
@@ -20,16 +20,17 @@ import (
 var log = logging.Logger("rpc")
 type Server struct {
- srv *http.Server
- rpc *jsonrpc.RPCServer
- listener net.Listener
+ srv *http.Server
+ rpc *jsonrpc.RPCServer
+ listener net.Listener
+ authDisabled bool
 started atomic.Bool
 auth jwt.Signer
 }
-func NewServer(address, port string, secret jwt.Signer) *Server {
+func NewServer(address, port string, authDisabled bool, secret jwt.Signer) *Server {
 rpc := jsonrpc.NewServer()
 srv := &Server{
 rpc: rpc,
@@ -38,7 +39,8 @@ func NewServer(address, port string, secret jwt.Signer) *Server {
 // the amount of time allowed to read request headers. set to the default 2 seconds
 ReadHeaderTimeout: 2 * time.Second,
 },
- auth: secret,
+ auth: secret,
+ authDisabled: authDisabled,
 }
 srv.srv.Handler = &auth.Handler{
 Verify: srv.verifyAuth,
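Review bot: The new `authDisabled` field and the extra `NewServer` parameter in api/rpc/server.go carry no comment, although setting them makes `verifyAuth` (third hunk of this file) return `perms.AllPerms` without looking at the token. I would add `// authDisabled makes verifyAuth grant perms.AllPerms to every request without checking the token.` on the field and a doc comment on `NewServer` saying the same. The same statement is missing on `Config.SkipAuth` in nodebuilder/rpc/config.go and from the `rpc.skip-auth` help string in nodebuilder/rpc/flags.go, which only says "Skips authentication for RPC requests". A positional bool between `port` and `secret` is also easy to misread at call sites; the body of `NewServer` continues outside the hunk.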
@@ -51,6 +53,9 @@ func NewServer(address, port string, secret jwt.Signer) *Server {
 // reached if a token is provided in the header of the request, otherwise only
 // methods with `read` permissions are accessible.
 func (s *Server) verifyAuth(_ context.Context, token string) ([]auth.Permission, error) {
+ if s.authDisabled {
+ return perms.AllPerms, nil
+ }
 return authtoken.ExtractSignedPermissions(s.auth, token)
 }
diff --git a/nodebuilder/rpc/config.go b/nodebuilder/rpc/config.go
index a270768646..d6031082a8 100644
--- a/nodebuilder/rpc/config.go
+++ b/nodebuilder/rpc/config.go
@@ -8,15 +8,17 @@ import (
 )
 type Config struct {
- Address string
- Port string
+ Address string
+ Port string
+ SkipAuth bool
 }
 func DefaultConfig() Config {
 return Config{
 Address: defaultBindAddress,
 // do NOT expose the same port as celestia-core by default so that both can run on the same machine
- Port: defaultPort,
+ Port: defaultPort,
+ SkipAuth: false,
 }
 }
diff --git a/nodebuilder/rpc/constructors.go b/nodebuilder/rpc/constructors.go
index ca30af6305..194dea8a03 100644
--- a/nodebuilder/rpc/constructors.go
+++ b/nodebuilder/rpc/constructors.go
@@ -37,5 +37,5 @@ func registerEndpoints(
 }
 func server(cfg *Config, auth jwt.Signer) *rpc.Server {
- return rpc.NewServer(cfg.Address, cfg.Port, auth)
+ return rpc.NewServer(cfg.Address, cfg.Port, cfg.SkipAuth, auth)
 }
diff --git a/nodebuilder/rpc/flags.go b/nodebuilder/rpc/flags.go
index b7bad333df..d37014004d 100644
--- a/nodebuilder/rpc/flags.go
+++ b/nodebuilder/rpc/flags.go
@@ -3,13 +3,16 @@ package rpc
 import (
 "fmt"
+ logging "github.com/ipfs/go-log/v2"
 "github.com/spf13/cobra"
 flag "github.com/spf13/pflag"
 )
 var (
+ log = logging.Logger("rpc")
 addrFlag = "rpc.addr"
 portFlag = "rpc.port"
+ authFlag = "rpc.skip-auth"
 )
 // Flags gives a set of hardcoded node/rpc package flags.
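Review bot: `verifyAuth` in api/rpc/server.go now hands `perms.AllPerms` to every caller when `authDisabled` is set, while the comment above it still says that without a token only `read` methods are accessible. Update that comment, e.g. `// If authentication is disabled the token is ignored and every request is granted all permissions.` Nothing in this patch relates the option to the listen address, so `SkipAuth = true` together with a non-loopback `rpc.addr` would presumably open every permission level to anyone who can reach the port; consider refusing to start, or logging at error level, for that combination where `cfg.Address` and `cfg.SkipAuth` are both in hand (`server` in nodebuilder/rpc/constructors.go). The start of the doc comment lies outside the hunk.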
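Review bot: In the `var` block of nodebuilder/rpc/flags.go, `authFlag` names a flag whose true value turns authentication off, which reads inverted at the later `GetBool(authFlag)` call; `skipAuthFlag = "rpc.skip-auth"` reads correctly. The added `log = logging.Logger("rpc")` reuses the logger name that the context lines of api/rpc/server.go show for that package, so the "RPC authentication is disabled" warning cannot be attributed to this package by logger name; a distinct name would help operators filter for it.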
@@ -26,6 +29,11 @@ func Flags() *flag.FlagSet {
 "",
 fmt.Sprintf("Set a custom RPC port (default: %s)", defaultPort),
 )
+ flags.Bool(
+ authFlag,
+ false,
+ "Skips authentication for RPC requests",
+ )
 return flags
 }
@@ -40,4 +48,12 @@ func ParseFlags(cmd *cobra.Command, cfg *Config) {
 if port != "" {
 cfg.Port = port
 }
+ ok, err := cmd.Flags().GetBool(authFlag)
+ if err != nil {
+ panic(err)
+ }
+ if ok {
+ log.Warn("RPC authentication is disabled")
+ cfg.SkipAuth = true
+ }
 }
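Review bot: The warning in `ParseFlags` (nodebuilder/rpc/flags.go) fires only when `--rpc.skip-auth` is passed, so a node whose `cfg` already has `SkipAuth` set, presumably from the config file, runs with authentication off and logs nothing. Emitting it where the config is consumed covers both paths, e.g. in `server` in constructors.go: `if cfg.SkipAuth { log.Warn("RPC authentication is disabled") }`. Because the flag is only ever ORed in, an explicit `--rpc.skip-auth=false` cannot override a config value of true; checking `cmd.Flags().Changed(authFlag)` and assigning `cfg.SkipAuth = ok` would give the flag precedence in both directions. The start of `ParseFlags` is outside the hunk.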