Use rpcauth instead of deprecated basic auth for bitcoind

4 years ago · 94d07147f3
3 changed files with 62 additions and 3 deletions
--- a/docker/my-dojo/bitcoin/Dockerfile
+++ b/docker/my-dojo/bitcoin/Dockerfile
@ -19,7 +19,7 @@ ARG     TOR_LINUX_GID

 RUN     set -ex && \
        apt-get update && \
-        apt-get install -qq --no-install-recommends ca-certificates dirmngr gosu gpg gpg-agent wget && \
+        apt-get install -qq --no-install-recommends ca-certificates dirmngr gosu gpg gpg-agent wget python3 && \
        rm -rf /var/lib/apt/lists/*

 # Build and install bitcoin binaries
@ -56,6 +56,13 @@ RUN     chown bitcoin:bitcoin /wait-for-it.sh && \
        chmod u+x /wait-for-it.sh && \
        chmod g+x /wait-for-it.sh

+# Copy rpcauth.py script
+COPY    ./rpcauth.py /rpcauth.py
+
+RUN     chown bitcoin:bitcoin /rpcauth.py && \
+        chmod u+x /rpcauth.py && \
+        chmod g+x /rpcauth.py
+
 EXPOSE  8333 9501 9502 28256

 USER    bitcoin
--- a/docker/my-dojo/bitcoin/restart.sh
+++ b/docker/my-dojo/bitcoin/restart.sh
@ -1,6 +1,9 @@
 #!/bin/bash
 set -e

+# Generate RPC auth payload
+BITCOIND_RPC_AUTH=$(./rpcauth.py $BITCOIND_RPC_USER $BITCOIND_RPC_PASSWORD)
+
 echo "## Start bitcoind #############################"

 bitcoind_options=(
@ -18,11 +21,10 @@ bitcoind_options=(
  -proxy=$NET_DOJO_TOR_IPV4:9050
  -rpcallowip=0.0.0.0/0
  -rpcbind=$NET_DOJO_BITCOIND_IPV4
-  -rpcpassword=$BITCOIND_RPC_PASSWORD
  -rpcport=28256
  -rpcthreads=$BITCOIND_RPC_THREADS
  -rpcworkqueue=$BITCOIND_RPC_WORK_QUEUE
-  -rpcuser=$BITCOIND_RPC_USER
+  -rpcauth=$BITCOIND_RPC_AUTH
  -server=1
  -txindex=1
  -zmqpubhashblock=tcp://0.0.0.0:9502
--- a/docker/my-dojo/bitcoin/rpcauth.py
+++ b/docker/my-dojo/bitcoin/rpcauth.py
@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+# Copyright (c) 2015-2018 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+from argparse import ArgumentParser
+from base64 import urlsafe_b64encode
+from binascii import hexlify
+from getpass import getpass
+from os import urandom
+
+import hmac
+
+def generate_salt(size):
+    """Create size byte hex salt"""
+    return hexlify(urandom(size)).decode()
+
+def generate_password():
+    """Create 32 byte b64 password"""
+    return urlsafe_b64encode(urandom(32)).decode('utf-8')
+
+def password_to_hmac(salt, password):
+    m = hmac.new(bytearray(salt, 'utf-8'), bytearray(password, 'utf-8'), 'SHA256')
+    return m.hexdigest()
+
+def main():
+    parser = ArgumentParser(description='Create login credentials for a JSON-RPC user')
+    parser.add_argument('username', help='the username for authentication')
+    parser.add_argument('password', help='leave empty to generate a random password or specify "-" to prompt for password', nargs='?')
+    args = parser.parse_args()
+
+    if not args.password:
+        args.password = generate_password()
+    elif args.password == '-':
+        args.password = getpass()
+
+    # Create 16 byte hex salt
+    salt = generate_salt(16)
+    password_hmac = password_to_hmac(salt, args.password)
+
+    ## Comment out original script output
+    # print('String to be appended to bitcoin.conf:')
+    # print('rpcauth={0}:{1}${2}'.format(args.username, salt, password_hmac))
+    # print('Your password:\n{0}'.format(args.password))
+
+    ## Added custom script output to use in restart.sh
+    print('{0}:{1}${2}'.format(args.username, salt, password_hmac))
+
+if __name__ == '__main__':
+    main()