add and use cookie_dir config, rpc client changes

Cargo.lock

@@ -6151,6 +6151,7 @@ dependencies = [
 name = "zebra-node-services"
 version = "1.0.0-beta.39"
 dependencies = [
+ "base64 0.22.1",
  "color-eyre",
  "jsonrpc-core",
  "reqwest",

zebra-node-services/Cargo.toml

@@ -27,6 +27,7 @@ getblocktemplate-rpcs = [
 # Tool and test features
 
 rpc-client = [
+    "base64",
     "color-eyre",
     "jsonrpc-core",
     "reqwest",
@@ -42,6 +43,7 @@ zebra-chain = { path = "../zebra-chain" , version = "1.0.0-beta.39" }
 # Optional dependencies
 
 # Tool and test feature rpc-client
+base64 = { version  = "0.22.1", optional = true }
 color-eyre = { version = "0.6.3", optional = true }
 jsonrpc-core = { version = "18.0.0", optional = true }
 # Security: avoid default dependency on openssl

zebra-node-services/src/rpc_client.rs

@@ -4,6 +4,7 @@
 
 use std::net::SocketAddr;
 
+use base64::{engine::general_purpose::URL_SAFE, Engine as _};
 use reqwest::Client;
 
 use crate::BoxError;
@@ -13,14 +14,16 @@ use crate::BoxError;
 pub struct RpcRequestClient {
     client: Client,
     rpc_address: SocketAddr,
+    auth_cookie: String,
 }
 
 impl RpcRequestClient {
     /// Creates new RPCRequestSender
-    pub fn new(rpc_address: SocketAddr) -> Self {
+    pub fn new(rpc_address: SocketAddr, auth_cookie: String) -> Self {
         Self {
             client: Client::new(),
             rpc_address,
+            auth_cookie,
         }
     }
 
@@ -39,6 +42,13 @@ impl RpcRequestClient {
                 r#"{{"jsonrpc": "2.0", "method": "{method}", "params": {params}, "id":123 }}"#
             ))
             .header("Content-Type", "application/json")
+            .header(
+                "Authorization",
+                format!(
+                    "Basic {}",
+                    URL_SAFE.encode(format!("__cookie__:{}", &self.auth_cookie))
+                ),
+            )
             .send()
             .await
     }

zebra-rpc/src/config.rs

@@ -1,9 +1,11 @@
 //! User-configurable RPC settings.
 
-use std::net::SocketAddr;
+use std::{net::SocketAddr, path::PathBuf};
 
 use serde::{Deserialize, Serialize};
 
+use zebra_chain::common::default_cache_dir;
+
 pub mod mining;
 
 /// RPC configuration section.
@@ -71,6 +73,9 @@ pub struct Config {
     /// Test-only option that makes Zebra say it is at the chain tip,
     /// no matter what the estimated height or local clock is.
     pub debug_force_finished_sync: bool,
+
+    /// The directory where Zebra stores RPC cookies.
+    pub cookie_dir: PathBuf,
 }
 
 // This impl isn't derivable because it depends on features.
@@ -94,6 +99,9 @@ impl Default for Config {
 
             // Debug options are always off by default.
             debug_force_finished_sync: false,
+
+            //
+            cookie_dir: default_cache_dir(),
         }
     }
 }

zebra-rpc/src/server.rs

@@ -33,7 +33,7 @@ use crate::{
 #[cfg(feature = "getblocktemplate-rpcs")]
 use crate::methods::{GetBlockTemplateRpc, GetBlockTemplateRpcImpl};
 
-mod cookie;
+pub mod cookie;
 pub mod http_request_compatibility;
 pub mod rpc_call_compatibility;
 
@@ -195,7 +195,7 @@ impl RpcServer {
             }
 
             // generate a cookie
-            cookie::generate();
+            cookie::generate(config.cookie_dir.clone());
 
             // The server is a blocking task, which blocks on executor shutdown.
             // So we need to start it in a std::thread.
@@ -209,7 +209,7 @@ impl RpcServer {
                         .threads(parallel_cpu_threads)
                         // TODO: disable this security check if we see errors from lightwalletd
                         //.allowed_hosts(DomainsValidation::Disabled)
-                        .request_middleware(FixHttpRequestMiddleware)
+                        .request_middleware(FixHttpRequestMiddleware(config.clone()))
                         .start_http(&listen_addr)
                         .expect("Unable to start RPC server");
 

zebra-rpc/src/server/cookie.rs

@@ -6,21 +6,22 @@ use rand::RngCore;
 use std::{
     fs::{remove_file, File},
     io::{Read, Write},
+    path::PathBuf,
 };
 
 /// The user field in the cookie (arbitrary, only for recognizability in debugging/logging purposes)
 pub const COOKIEAUTH_USER: &str = "__cookie__";
 /// Default name for auth cookie file */
-const COOKIEAUTH_FILE: &str = ".cookie";
+pub const COOKIEAUTH_FILE: &str = ".cookie";
 
 /// Generate a new auth cookie and return the encoded password.
-pub fn generate() -> Option<()> {
+pub fn generate(cookie_dir: PathBuf) -> Option<()> {
     let mut data = [0u8; 32];
     rand::thread_rng().fill_bytes(&mut data);
     let encoded_password = URL_SAFE.encode(data);
     let cookie_content = format!("{}:{}", COOKIEAUTH_USER, encoded_password);
 
-    let mut file = File::create(COOKIEAUTH_FILE).ok()?;
+    let mut file = File::create(cookie_dir.join(COOKIEAUTH_FILE)).ok()?;
     file.write_all(cookie_content.as_bytes()).ok()?;
 
     tracing::info!("RPC auth cookie generated successfully");
@@ -29,8 +30,8 @@ pub fn generate() -> Option<()> {
 }
 
 /// Get the encoded password from the auth cookie.
-pub fn get() -> Option<String> {
-    let mut file = File::open(COOKIEAUTH_FILE).ok()?;
+pub fn get(cookie_dir: PathBuf) -> Option<String> {
+    let mut file = File::open(cookie_dir.join(COOKIEAUTH_FILE)).ok()?;
     let mut contents = String::new();
     file.read_to_string(&mut contents).ok()?;
 

zebra-rpc/src/server/http_request_compatibility.rs

@@ -38,14 +38,14 @@ use crate::server::cookie;
 /// We assume lightwalletd validates data encodings before sending it on to Zebra.
 /// So any fixes Zebra performs won't change user-specified data.
 #[derive(Clone, Debug)]
-pub struct FixHttpRequestMiddleware;
+pub struct FixHttpRequestMiddleware(pub crate::config::Config);
 
 impl RequestMiddleware for FixHttpRequestMiddleware {
     fn on_request(&self, mut request: Request<Body>) -> RequestMiddlewareAction {
         tracing::trace!(?request, "original HTTP request");
 
         // Check if the request is authenticated
-        if !FixHttpRequestMiddleware::check_credentials(request.headers_mut()) {
+        if !self.check_credentials(request.headers_mut()) {
             request = Self::unauthenticated(request);
         }
 
@@ -175,7 +175,7 @@ impl FixHttpRequestMiddleware {
     }
 
     /// Check if the request is authenticated.
-    pub fn check_credentials(headers: &header::HeaderMap) -> bool {
+    pub fn check_credentials(&self, headers: &header::HeaderMap) -> bool {
         headers
             .get(header::AUTHORIZATION)
             .and_then(|auth_header| auth_header.to_str().ok())
@@ -189,7 +189,7 @@ impl FixHttpRequestMiddleware {
                     .map(|password| password.to_string())
             })
             .map_or(false, |password| {
-                if let Some(cookie_password) = cookie::get() {
+                if let Some(cookie_password) = cookie::get(self.0.cookie_dir.clone()) {
                     cookie_password == password
                 } else {
                     false

zebra-rpc/src/server/tests/vectors.rs

@@ -46,6 +46,7 @@ fn rpc_server_spawn(parallel_cpu_threads: bool) {
         indexer_listen_addr: None,
         parallel_cpu_threads: if parallel_cpu_threads { 2 } else { 1 },
         debug_force_finished_sync: false,
+        cookie_dir: Default::default(),
     };
 
     let rt = tokio::runtime::Runtime::new().unwrap();
@@ -134,6 +135,7 @@ fn rpc_server_spawn_unallocated_port(parallel_cpu_threads: bool, do_shutdown: bo
         indexer_listen_addr: None,
         parallel_cpu_threads: if parallel_cpu_threads { 0 } else { 1 },
         debug_force_finished_sync: false,
+        cookie_dir: Default::default(),
     };
 
     let rt = tokio::runtime::Runtime::new().unwrap();
@@ -215,6 +217,7 @@ fn rpc_server_spawn_port_conflict() {
         indexer_listen_addr: None,
         parallel_cpu_threads: 1,
         debug_force_finished_sync: false,
+        cookie_dir: Default::default(),
     };
 
     let rt = tokio::runtime::Runtime::new().unwrap();
@@ -326,6 +329,7 @@ fn rpc_server_spawn_port_conflict_parallel_auto() {
         indexer_listen_addr: None,
         parallel_cpu_threads: 2,
         debug_force_finished_sync: false,
+        cookie_dir: Default::default(),
     };
 
     let rt = tokio::runtime::Runtime::new().unwrap();

zebra-rpc/src/sync.rs

@@ -57,8 +57,10 @@ impl TrustedChainSync {
         rpc_address: SocketAddr,
         db: ZebraDb,
         non_finalized_state_sender: tokio::sync::watch::Sender<NonFinalizedState>,
+        cookie_dir: std::path::PathBuf,
     ) -> (LatestChainTip, ChainTipChange, JoinHandle<()>) {
-        let rpc_client = RpcRequestClient::new(rpc_address);
+        let auth_cookie = crate::server::cookie::get(cookie_dir).expect("cookie should exist");
+        let rpc_client = RpcRequestClient::new(rpc_address, auth_cookie);
         let non_finalized_state = NonFinalizedState::new(&db.network());
         let (chain_tip_sender, latest_chain_tip, chain_tip_change) =
             ChainTipSender::new(None, &db.network());
@@ -315,7 +317,8 @@ impl TrustedChainSync {
 /// Returns a [`ReadStateService`], [`LatestChainTip`], [`ChainTipChange`], and
 /// a [`JoinHandle`] for the sync task.
 pub fn init_read_state_with_syncer(
-    config: zebra_state::Config,
+    state_config: zebra_state::Config,
+    rpc_config: crate::config::Config,
     network: &Network,
     rpc_address: SocketAddr,
 ) -> tokio::task::JoinHandle<
@@ -331,14 +334,19 @@ pub fn init_read_state_with_syncer(
 > {
     let network = network.clone();
     tokio::spawn(async move {
-        if config.ephemeral {
+        if state_config.ephemeral {
             return Err("standalone read state service cannot be used with ephemeral state".into());
         }
 
         let (read_state, db, non_finalized_state_sender) =
-            spawn_init_read_only(config, &network).await?;
-        let (latest_chain_tip, chain_tip_change, sync_task) =
-            TrustedChainSync::spawn(rpc_address, db, non_finalized_state_sender).await;
+            spawn_init_read_only(state_config, &network).await?;
+        let (latest_chain_tip, chain_tip_change, sync_task) = TrustedChainSync::spawn(
+            rpc_address,
+            db,
+            non_finalized_state_sender,
+            rpc_config.cookie_dir,
+        )
+        .await;
         Ok((read_state, latest_chain_tip, chain_tip_change, sync_task))
     })
 }

zebra-scan/src/bin/scanner/main.rs

@@ -7,6 +7,7 @@ use structopt::StructOpt;
 use tracing::*;
 
 use zebra_chain::{block::Height, parameters::Network};
+use zebra_rpc::config::Config as RpcConfig;
 use zebra_state::SaplingScanningKey;
 
 use core::net::SocketAddr;
@@ -74,10 +75,13 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
         db_config,
     };
 
+    let rpc_config = RpcConfig::default();
+
     // Get a read-only state and the database.
     let (read_state, _latest_chain_tip, chain_tip_change, sync_task) =
         zebra_rpc::sync::init_read_state_with_syncer(
             state_config,
+            rpc_config,
             &network,
             args.zebra_rpc_listen_addr,
         )

zebra-utils/src/bin/zebra-checkpoints/main.rs

@@ -30,6 +30,7 @@ use zebra_node_services::{
     constants::{MAX_CHECKPOINT_BYTE_COUNT, MAX_CHECKPOINT_HEIGHT_GAP},
     rpc_client::RpcRequestClient,
 };
+use zebra_rpc::{config::Config as RpcConfig, server::cookie};
 use zebra_utils::init_tracing;
 
 pub mod args;
@@ -60,7 +61,8 @@ where
     let addr = our_args
         .addr
         .unwrap_or_else(|| "127.0.0.1:8232".parse().expect("valid address"));
-    let client = RpcRequestClient::new(addr);
+    let auth_cookie = cookie::get(RpcConfig::default().cookie_dir).expect("cookie should exist");
+    let client = RpcRequestClient::new(addr, auth_cookie);
 
     // Launch a request with the RPC method and arguments
     //