// NOTE(review): doxygen-rendered fragment. Source lines 32-65 are shown with gaps
// (44, 46-51, 53 and 57-64 are not on this page), so the body below is incomplete
// and the function's remaining lines and return paths are outside this view.
32 #include <boost/algorithm/string.hpp> 33 #include <boost/asio/ip/address.hpp> 43 boost::optional<epee::net_utils::ssl_options_t> do_process_ssl(
const boost::program_options::variables_map& vm,
const rpc_args::descriptors& arg,
const bool any_cert_option)
// Builds the RPC server's ssl_options_t from the parsed command line in `vm`,
// using the option descriptors in `arg`. The optional return presumably carries
// boost::none when the configuration is rejected -- the return statements are
// not on this page, confirm in the full source. `any_cert_option` is not used
// in the visible lines.
45 bool ssl_required =
false;
// --rpc-ssl-allowed-fingerprints arrives as a list of hex strings; each one is
// decoded to raw bytes (epee::from_hex::vector) into allowed_fingerprints, which
// is sized up front to match so std::transform can write in place.
52 const std::vector<std::string> ssl_allowed_fingerprints =
command_line::get_arg(vm, arg.rpc_ssl_allowed_fingerprints);
54 std::vector<std::vector<uint8_t>> allowed_fingerprints{ ssl_allowed_fingerprints.size() };
55 std::transform(ssl_allowed_fingerprints.begin(), ssl_allowed_fingerprints.end(), allowed_fingerprints.begin(),
epee::from_hex::vector);
// Per-fingerprint loop; its body (lines 57-64) is not on this page. Presumably it
// checks each decoded length against SSL_FINGERPRINT_SIZE (referenced elsewhere on
// this page) so that a malformed or truncated hex string is rejected rather than
// silently pinning nothing -- confirm against the full source.
56 for (
const auto &fpr: allowed_fingerprints)
// A non-empty fingerprint allow-list or a user-supplied CA file (`ssl_ca_file`,
// declared in lines not shown here) selects a different peer-verification setup
// in the branch that follows; that branch body is outside the visible lines.
65 if (!allowed_fingerprints.empty() || !ssl_ca_file.empty())
// NOTE(review): member-initializer list of the rpc_args::descriptors constructor
// (source lines 93-103). The constructor signature and body are not on this page.
// Each entry is {option name, translated help text, default value[, flag]}; the
// exact arg_descriptor constructor signatures live in command_line.h (not shown).
// Defaults to loopback. Binding a non-loopback address is checked in
// rpc_args::process() and has to be acknowledged with --confirm-external-bind
// (see the warning text logged there).
93 : rpc_bind_ip({
"rpc-bind-ip",
rpc_args::tr(
"Specify IP to bind RPC server"),
"127.0.0.1"})
// username[:password]; the password may be omitted and is then prompted for in
// process(). The trailing `true` is a descriptor flag whose meaning is defined
// in command_line.h -- not visible here.
94 , rpc_login({
"rpc-login",
rpc_args::tr(
"Specify username[:password] required for RPC server"),
"",
true})
// Boolean switch with no default listed here; required to accept a
// non-loopback --rpc-bind-ip.
95 , confirm_external_bind({
"confirm-external-bind",
rpc_args::tr(
"Confirm rpc-bind-ip value is NOT a loopback (local) IP")})
// CORS allow-list; per the error text in process(), a non-empty list is only
// accepted together with an RPC login.
96 , rpc_access_control_origins({
"rpc-access-control-origins",
rpc_args::tr(
"Specify a comma separated list of origins to allow cross origin resource sharing"),
""})
// Tri-state string; parsed by ssl_support_from_string (declared elsewhere on this
// page). What "autodetect" resolves to at runtime is not shown here.
97 , rpc_ssl({
"rpc-ssl",
rpc_args::tr(
"Enable SSL on RPC connections: enabled|disabled|autodetect"),
"autodetect"})
// Server key/certificate pair, both PEM paths, both empty by default.
98 , rpc_ssl_private_key({
"rpc-ssl-private-key",
rpc_args::tr(
"Path to a PEM format private key"),
""})
99 , rpc_ssl_certificate({
"rpc-ssl-certificate",
rpc_args::tr(
"Path to a PEM format certificate"),
""})
// Replaces (not extends) the system CA set when given -- see the help text.
100 , rpc_ssl_ca_certificates({
"rpc-ssl-ca-certificates",
rpc_args::tr(
"Path to file containing concatenated PEM format certificate(s) to replace system CA(s)."),
""})
// Multi-valued; each entry is hex-decoded in do_process_ssl().
101 , rpc_ssl_allowed_fingerprints({
"rpc-ssl-allowed-fingerprints",
rpc_args::tr(
"List of certificate fingerprints to allow")})
102 , rpc_ssl_allow_chained({
"rpc-ssl-allow-chained",
rpc_args::tr(
"Allow user (via --rpc-ssl-certificates) chain certificates"),
false})
// Off by default. Per its help text this accepts any peer certificate, i.e. it
// presumably disables peer verification entirely; its handling is in
// do_process_ssl(..., any_cert_option), whose relevant lines are not on this page.
103 , rpc_ssl_allow_any_cert({
"rpc-ssl-allow-any-cert",
rpc_args::tr(
"Allow any peer certificate"),
false})
// NOTE(review): doxygen-rendered fragment of rpc_args::process (source lines
// 125-189, with many lines missing). Names such as `config`, `arg`, `has_rpc_arg`,
// `verify` and `access_control_origins_input` are declared in lines not shown.
// Validates the RPC-related command-line options in `vm` and returns the
// resulting rpc_args; presumably boost::none on any of the LOG_ERROR paths below
// (the return statements themselves are not visible).
125 boost::optional<rpc_args>
rpc_args::process(
const boost::program_options::variables_map& vm,
const bool any_cert_option)
// Bind-IP validation: the error_code overload of from_string is used so a bad
// address is reported via `ec` instead of throwing. What happens to `parsed_ip`
// after the check (lines 136-144) is outside this view.
131 if (!
config.bind_ip.empty())
134 boost::system::error_code ec{};
135 const auto parsed_ip = boost::asio::ip::address::from_string(
config.bind_ip, ec);
138 LOG_ERROR(
tr(
"Invalid IP address given for --") << arg.rpc_bind_ip.name);
// Message emitted when the bind address is not loopback and
// --confirm-external-bind was not given; the surrounding condition and the
// LOG_ERROR call wrapping this text are not on this page.
145 "--" << arg.rpc_bind_ip.name <<
146 tr(
" permits inbound unencrypted external connections. Consider SSH tunnel or SSL proxy instead. Override with --") <<
147 arg.confirm_external_bind.name
// Login source: the RPC_LOGIN environment variable is consulted only when
// --rpc-login was not given, and only a non-empty value counts. Note the
// assignment to env_rpc_login happens inside the condition. NOTE(review):
// credentials supplied through the environment are subject to the usual
// env-var exposure considerations; worth stating in operator documentation.
153 const char *env_rpc_login =
nullptr;
155 const bool use_rpc_env = !has_rpc_arg && (env_rpc_login = getenv(
"RPC_LOGIN")) !=
nullptr && strlen(env_rpc_login) > 0;
156 boost::optional<tools::login>
login{};
157 if (has_rpc_arg || use_rpc_env)
// When no password is included in the login string, it is prompted for
// interactively; `verify` is defined in lines not shown.
161 return tools::password_container::prompt(verify,
"RPC server password");
// An empty username is rejected outright.
167 if (
config.login->username.empty())
169 LOG_ERROR(
tr(
"Username specified with --") << arg.rpc_login.name <<
tr(
" cannot be empty"));
// CORS origins are only honoured with an RPC login configured; judging by the
// error text at line 179, the (not visible) condition between 175 and 179
// checks that a login is present.
175 if (!access_control_origins_input.empty())
179 LOG_ERROR(arg.rpc_access_control_origins.name <<
tr(
" requires RPC server password --") << arg.rpc_login.name <<
tr(
" cannot be empty"));
// SSL handling is delegated; how `ssl_options` is consumed afterwards is
// outside the visible lines.
189 auto ssl_options = do_process_ssl(vm, arg, any_cert_option);
// Public entry point that only forwards to do_process_ssl(); `arg` is a
// descriptors instance declared in lines not shown on this page (source lines
// 197-200, fragmentary). The closing of the function is outside this view.
197 boost::optional<epee::net_utils::ssl_options_t>
rpc_args::process_ssl(
const boost::program_options::variables_map& vm,
const bool any_cert_option)
200 return do_process_ssl(vm, arg, any_cert_option);
bool ssl_support_from_string(ssl_support_t &ssl, boost::string_ref s)
std::vector< std::string > access_control_origins
static boost::optional< rpc_args > process(const boost::program_options::variables_map &vm, const bool any_cert_option=false)
static const char * tr(const char *str)
const char * i18n_translate(const char *s, const std::string &context)
static void init_options(boost::program_options::options_description &desc, const bool any_cert_option=false)
Holds cryptonote related classes and helpers.
std::enable_if<!std::is_same< T, bool >::value, bool >::type has_arg(const boost::program_options::variables_map &vm, const arg_descriptor< T, required, dependent, NUM_DEPS > &arg)
static std::vector< uint8_t > vector(boost::string_ref src)
static boost::optional< epee::net_utils::ssl_options_t > process_ssl(const boost::program_options::variables_map &vm, const bool any_cert_option=false)
Verify peer via specific (possibly chain) certificate(s) only.
ssl_authentication_t auth
#define SSL_FINGERPRINT_SIZE
epee::net_utils::ssl_options_t ssl_options
void add_arg(boost::program_options::options_description &description, const arg_descriptor< T, required, dependent, NUM_DEPS > &arg, bool unique=true)
Processes command line arguments related to server-side RPC.
const T & move(const T &t)
boost::optional< tools::login > login
T get_arg(const boost::program_options::variables_map &vm, const arg_descriptor< T, false, true > &arg)
ssl_verification_t verification