Merge #229: Improve bitcoind RPC user config

9b6a3ec835 generate-secrets: extract fn 'makeHMAC' (Erik Arvstedt) ca18ffb90a generate-secrets: fetch rpcauth.py from github (Erik Arvstedt) 4d6127bb76 bitcoind: clarify RPC whitelist test (Erik Arvstedt) 9d610991be bitcoind: remove custom rpc user names (Erik Arvstedt) 1408403dec bitcoind: clarify how bitcoin-cli RPC access is enabled (Erik Arvstedt) 4790c601a1 bitcoind: move rpc user config to bitcoind (Erik Arvstedt) 876cfadf1a bitcoind: add rpc user option 'passwordHMACFromFile' (Erik Arvstedt) 59434e79f0 bitcoind: simplify default rpc user name config (Erik Arvstedt) 205829b91f bitcoind: remove whitespace (Erik Arvstedt) Pull request description: ACKs for top commit: nixbitcoin: ACK 9b6a3ec835 jonasnick: concept ACK 9b6a3ec835 Tree-SHA512: ccb9a8d2dc1f360cc1f0bd77535fa8edfd9afec0a519719103fd059d5912a1ed4960c22ef14df616a731f6a88861fecb8d1653fb71c2288b851e4a02f9f49cb2
2020-08-29 20:06:39 +00:00 · 2020-08-29 20:06:39 +00:00 · 1c31208078
commit 1c31208078
parent 4d19fb7bf7 9b6a3ec835
7 changed files with 120 additions and 148 deletions
--- a/pkgs/generate-secrets/default.nix
+++ b/pkgs/generate-secrets/default.nix
@ -1,9 +1,15 @@
 { pkgs }: with pkgs;

 let
-  rpcauth = pkgs.writeScriptBin "rpcauth" (builtins.readFile ./rpcauth/rpcauth.py);
+  rpcauthSrc = builtins.fetchurl {
+    url = "https://raw.githubusercontent.com/bitcoin/bitcoin/d6cde007db9d3e6ee93bd98a9bbfdce9bfa9b15b/share/rpcauth/rpcauth.py";
+    sha256 = "189mpplam6yzizssrgiyv70c9899ggh8cac76j4n7v0xqzfip07n";
+  };
+  rpcauth = pkgs.writeScriptBin "rpcauth" ''
+    exec ${pkgs.python35}/bin/python ${rpcauthSrc} "$@"
+  '';
 in
 writeScript "generate-secrets" ''
-  export PATH=${lib.makeBinPath [ coreutils apg openssl gnugrep rpcauth python35 ]}
+  export PATH=${lib.makeBinPath [ coreutils apg openssl gnugrep rpcauth ]}
  . ${./generate-secrets.sh} ${./openssl.cnf}
 ''
--- a/pkgs/generate-secrets/generate-secrets.sh
+++ b/pkgs/generate-secrets/generate-secrets.sh
@ -5,6 +5,10 @@ opensslConf=${1:-openssl.cnf}
 makePasswordSecret() {
    [[ -e $1 ]] || apg -m 20 -x 20 -M Ncl -n 1 > "$1"
 }
+makeHMAC() {
+    user=$1
+    rpcauth $user $(cat bitcoin-rpcpassword-$user) | grep rpcauth | cut -d ':' -f 2 > bitcoin-HMAC-$user
+}

 makePasswordSecret bitcoin-rpcpassword-privileged
 makePasswordSecret bitcoin-rpcpassword-public
@ -14,8 +18,8 @@ makePasswordSecret lightning-charge-token
 makePasswordSecret spark-wallet-password
 makePasswordSecret backup-encryption-password

-[[ -e bitcoin-HMAC-privileged ]] || rpcauth privileged $(cat bitcoin-rpcpassword-privileged) | grep rpcauth | cut -d ':' -f 2 > bitcoin-HMAC-privileged
-[[ -e bitcoin-HMAC-public ]] || rpcauth public $(cat bitcoin-rpcpassword-public) | grep rpcauth | cut -d ':' -f 2 > bitcoin-HMAC-public
+[[ -e bitcoin-HMAC-privileged ]] || makeHMAC privileged
+[[ -e bitcoin-HMAC-public ]] || makeHMAC public
 [[ -e lightning-charge-env ]] || echo "API_TOKEN=$(cat lightning-charge-token)" > lightning-charge-env
 [[ -e nanopos-env          ]] || echo "CHARGE_TOKEN=$(cat lightning-charge-token)" > nanopos-env
 [[ -e spark-wallet-login   ]] || echo "login=spark-wallet:$(cat spark-wallet-password)" > spark-wallet-login
--- a/pkgs/generate-secrets/rpcauth/rpcauth.py
+++ b/pkgs/generate-secrets/rpcauth/rpcauth.py
@ -1,46 +0,0 @@
-#!/usr/bin/env python3
-# Copyright (c) 2015-2018 The Bitcoin Core developers
-# Distributed under the MIT software license, see the accompanying
-# file COPYING or http://www.opensource.org/licenses/mit-license.php.
-
-from argparse import ArgumentParser
-from base64 import urlsafe_b64encode
-from binascii import hexlify
-from getpass import getpass
-from os import urandom
-
-import hmac
-
-def generate_salt(size):
-    """Create size byte hex salt"""
-    return hexlify(urandom(size)).decode()
-
-def generate_password():
-    """Create 32 byte b64 password"""
-    return urlsafe_b64encode(urandom(32)).decode('utf-8')
-
-def password_to_hmac(salt, password):
-    m = hmac.new(bytearray(salt, 'utf-8'), bytearray(password, 'utf-8'), 'SHA256')
-    return m.hexdigest()
-
-def main():
-    parser = ArgumentParser(description='Create login credentials for a JSON-RPC user')
-    parser.add_argument('username', help='the username for authentication')
-    parser.add_argument('password', help='leave empty to generate a random password or specify "-" to prompt for password', nargs='?')
-    args = parser.parse_args()
-
-    if not args.password:
-        args.password = generate_password()
-    elif args.password == '-':
-        args.password = getpass()
-
-    # Create 16 byte hex salt
-    salt = generate_salt(16)
-    password_hmac = password_to_hmac(salt, args.password)
-
-    print('String to be appended to bitcoin.conf:')
-    print('rpcauth={0}:{1}${2}'.format(args.username, salt, password_hmac))
-    print('Your password:\n{0}'.format(args.password))
-
-if __name__ == '__main__':
-    main()