From 94d07147f3d1ce798480cd1cc222b08f948ef0ac Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20=C5=A0ev=C4=8D=C3=ADk?=
Date: Tue, 27 Jul 2021 02:42:47 +0200
Subject: [PATCH] Use rpcauth instead of deprecated basic auth for bitcoind
---
 docker/my-dojo/bitcoin/Dockerfile | 9 +++++-
 docker/my-dojo/bitcoin/restart.sh | 6 ++--
 docker/my-dojo/bitcoin/rpcauth.py | 50 +++++++++++++++++++++++++++++++
 3 files changed, 62 insertions(+), 3 deletions(-)
 create mode 100644 docker/my-dojo/bitcoin/rpcauth.py
diff --git a/docker/my-dojo/bitcoin/Dockerfile b/docker/my-dojo/bitcoin/Dockerfile
index 6c6a991..ea8128e 100644
--- a/docker/my-dojo/bitcoin/Dockerfile
+++ b/docker/my-dojo/bitcoin/Dockerfile
@@ -19,7 +19,7 @@ ARG TOR_LINUX_GID
 RUN set -ex && \
 apt-get update && \
- apt-get install -qq --no-install-recommends ca-certificates dirmngr gosu gpg gpg-agent wget && \
+ apt-get install -qq --no-install-recommends ca-certificates dirmngr gosu gpg gpg-agent wget python3 && \
 rm -rf /var/lib/apt/lists/*
 # Build and install bitcoin binaries
@@ -56,6 +56,13 @@ RUN chown bitcoin:bitcoin /wait-for-it.sh && \
 chmod u+x /wait-for-it.sh && \
 chmod g+x /wait-for-it.sh
+# Copy rpcauth.py script
+COPY ./rpcauth.py /rpcauth.py
+
+RUN chown bitcoin:bitcoin /rpcauth.py && \
+ chmod u+x /rpcauth.py && \
+ chmod g+x /rpcauth.py
+
 EXPOSE 8333 9501 9502 28256
 USER bitcoin
diff --git a/docker/my-dojo/bitcoin/restart.sh b/docker/my-dojo/bitcoin/restart.sh
index df3e9c1..f61145c 100644
--- a/docker/my-dojo/bitcoin/restart.sh
+++ b/docker/my-dojo/bitcoin/restart.sh
@@ -1,6 +1,9 @@
 #!/bin/bash
 set -e
+# Generate RPC auth payload
+BITCOIND_RPC_AUTH=$(./rpcauth.py $BITCOIND_RPC_USER $BITCOIND_RPC_PASSWORD)
+
 echo "## Start bitcoind #############################"
 bitcoind_options=(
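Review bot: The `chown bitcoin:bitcoin /rpcauth.py` step in the second Dockerfile hunk hands ownership of the credential helper to the account the container runs as (`USER bitcoin` follows), so anything running as that user can rewrite the script that derives the RPC auth string before the next restart. The helper only needs to be readable and executable; leaving it root-owned and replacing the three commands with `RUN chmod 0555 /rpcauth.py` would be enough. The block copies the existing wait-for-it.sh pattern in the context lines above it, which has the same property.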
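Review bot: The new `BITCOIND_RPC_AUTH=$(./rpcauth.py $BITCOIND_RPC_USER $BITCOIND_RPC_PASSWORD)` line in restart.sh expands both variables unquoted, so a password containing whitespace or glob characters is split into several arguments, and one beginning with `-` is taken by argparse as an option. Quote both, end option parsing, and call the absolute path the Dockerfile copies to, since `./rpcauth.py` resolves only if the working directory is `/` (not visible in this diff): `BITCOIND_RPC_AUTH=$(/rpcauth.py -- "$BITCOIND_RPC_USER" "$BITCOIND_RPC_PASSWORD")`. The plaintext password is still on the helper's command line while it runs; having rpcauth.py read it from the environment or stdin would keep it out of the process list altogether. The `-rpcauth=$BITCOIND_RPC_AUTH` element added in the next restart.sh hunk has the same unquoted expansion and should become `"-rpcauth=$BITCOIND_RPC_AUTH"`.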
@@ -18,11 +21,10 @@ bitcoind_options=(
 -proxy=$NET_DOJO_TOR_IPV4:9050
 -rpcallowip=0.0.0.0/0
 -rpcbind=$NET_DOJO_BITCOIND_IPV4
- -rpcpassword=$BITCOIND_RPC_PASSWORD
 -rpcport=28256
 -rpcthreads=$BITCOIND_RPC_THREADS
 -rpcworkqueue=$BITCOIND_RPC_WORK_QUEUE
- -rpcuser=$BITCOIND_RPC_USER
+ -rpcauth=$BITCOIND_RPC_AUTH
 -server=1
 -txindex=1
 -zmqpubhashblock=tcp://0.0.0.0:9502
diff --git a/docker/my-dojo/bitcoin/rpcauth.py b/docker/my-dojo/bitcoin/rpcauth.py
new file mode 100644
index 0000000..ac65fdc
--- /dev/null
+++ b/docker/my-dojo/bitcoin/rpcauth.py
@@ -0,0 +1,50 @@
+#!/usr/bin/env python3
+# Copyright (c) 2015-2018 The Bitcoin Core developers
+# Distributed under the MIT software license, see the accompanying
+# file COPYING or http://www.opensource.org/licenses/mit-license.php.
+
+from argparse import ArgumentParser
+from base64 import urlsafe_b64encode
+from binascii import hexlify
+from getpass import getpass
+from os import urandom
+
+import hmac
+
+def generate_salt(size):
+ """Create size byte hex salt"""
+ return hexlify(urandom(size)).decode()
+
+def generate_password():
+ """Create 32 byte b64 password"""
+ return urlsafe_b64encode(urandom(32)).decode('utf-8')
+
+def password_to_hmac(salt, password):
+ m = hmac.new(bytearray(salt, 'utf-8'), bytearray(password, 'utf-8'), 'SHA256')
+ return m.hexdigest()
+
+def main():
+ parser = ArgumentParser(description='Create login credentials for a JSON-RPC user')
+ parser.add_argument('username', help='the username for authentication')
+ parser.add_argument('password', help='leave empty to generate a random password or specify "-" to prompt for password', nargs='?')
+ args = parser.parse_args()
+
+ if not args.password:
+ args.password = generate_password()
+ elif args.password == '-':
+ args.password = getpass()
+
+ # Create 16 byte hex salt
+ salt = generate_salt(16)
+ password_hmac = password_to_hmac(salt, args.password)
+
+ ## Comment out original script output
+ # print('String to be appended to bitcoin.conf:')
+ # print('rpcauth={0}:{1}${2}'.format(args.username, salt, password_hmac))
+ # print('Your password:\n{0}'.format(args.password))
+
+ ## Added custom script output to use in restart.sh
+ print('{0}:{1}${2}'.format(args.username, salt, password_hmac))
+
+if __name__ == '__main__':
+ main()
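Review bot: In `main()`, a missing or empty password still falls through to `generate_password()`, and with the original `print` lines commented out that random value is never shown, so an unset `BITCOIND_RPC_PASSWORD` would presumably start bitcoind with an RPC credential no client knows rather than failing. As restart.sh is the only caller in this patch, replace the `if not args.password:` / `elif args.password == '-':` branches with a hard stop such as `if not args.password: parser.error('password is required')`; the `getpass()` branch would otherwise wait on input that a container start script is unlikely to supply. It would also be worth rejecting a username containing `:` or `$`, since either would corrupt the `user:salt$hmac` string printed at the end. `password_to_hmac` is the only function without a docstring; `"""Return the hex HMAC-SHA256 of password, keyed with salt"""` would match the other two.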