zebra_rpc/server/http_request_compatibility.rs
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337
//! Compatibility fixes for JSON-RPC HTTP requests.
//!
//! These fixes are applied at the HTTP level, before the RPC request is parsed.
use std::future::Future;
use std::pin::Pin;
use futures::{future, FutureExt};
use http_body_util::BodyExt;
use hyper::header;
use jsonrpsee::{
core::BoxError,
server::{HttpBody, HttpRequest, HttpResponse},
};
use jsonrpsee_types::ErrorObject;
use serde::{Deserialize, Serialize};
use tower::Service;
use super::cookie::Cookie;
use base64::{engine::general_purpose::URL_SAFE, Engine as _};
/// HTTP [`HttpRequestMiddleware`] with compatibility workarounds.
///
/// This middleware makes the following changes to HTTP requests:
///
/// ### Remove `jsonrpc` field in JSON RPC 1.0
///
/// Removes "jsonrpc: 1.0" fields from requests,
/// because the "jsonrpc" field was only added in JSON-RPC 2.0.
///
/// <http://www.simple-is-better.org/rpc/#differences-between-1-0-and-2-0>
///
/// ### Add missing `content-type` HTTP header
///
/// Some RPC clients don't include a `content-type` HTTP header.
/// But unlike web browsers, [`jsonrpsee`] does not do content sniffing.
///
/// If there is no `content-type` header, we assume the content is JSON,
/// and let the parser error if we are incorrect.
///
/// ### Authenticate incoming requests
///
/// If the cookie-based RPC authentication is enabled, check that the incoming request contains the
/// authentication cookie.
///
/// This enables compatibility with `zcash-cli`.
///
/// ## Security
///
/// Any user-specified data in RPC requests is hex or base58check encoded.
/// We assume lightwalletd validates data encodings before sending it on to Zebra.
/// So any fixes Zebra performs won't change user-specified data.
#[derive(Clone, Debug)]
pub struct HttpRequestMiddleware<S> {
service: S,
cookie: Option<Cookie>,
}
impl<S> HttpRequestMiddleware<S> {
/// Create a new `HttpRequestMiddleware` with the given service and cookie.
pub fn new(service: S, cookie: Option<Cookie>) -> Self {
Self { service, cookie }
}
/// Check if the request is authenticated.
pub fn check_credentials(&self, headers: &header::HeaderMap) -> bool {
self.cookie.as_ref().map_or(true, |internal_cookie| {
headers
.get(header::AUTHORIZATION)
.and_then(|auth_header| auth_header.to_str().ok())
.and_then(|auth_header| auth_header.split_whitespace().nth(1))
.and_then(|encoded| URL_SAFE.decode(encoded).ok())
.and_then(|decoded| String::from_utf8(decoded).ok())
.and_then(|request_cookie| request_cookie.split(':').nth(1).map(String::from))
.is_some_and(|passwd| internal_cookie.authenticate(passwd))
})
}
/// Insert or replace client supplied `content-type` HTTP header to `application/json` in the following cases:
///
/// - no `content-type` supplied.
/// - supplied `content-type` start with `text/plain`, for example:
/// - `text/plain`
/// - `text/plain;`
/// - `text/plain; charset=utf-8`
///
/// `application/json` is the only `content-type` accepted by the Zebra rpc endpoint:
///
/// <https://github.com/paritytech/jsonrpc/blob/38af3c9439aa75481805edf6c05c6622a5ab1e70/http/src/handler.rs#L582-L584>
///
/// # Security
///
/// - `content-type` headers exist so that applications know they are speaking the correct protocol with the correct format.
/// We can be a bit flexible, but there are some types (such as binary) we shouldn't allow.
/// In particular, the "application/x-www-form-urlencoded" header should be rejected, so browser forms can't be used to attack
/// a local RPC port. See "The Role of Routers in the CSRF Attack" in
/// <https://www.invicti.com/blog/web-security/importance-content-type-header-http-requests/>
/// - Checking all the headers is secure, but only because hyper has custom code that just reads the first content-type header.
/// <https://github.com/hyperium/headers/blob/f01cc90cf8d601a716856bc9d29f47df92b779e4/src/common/content_type.rs#L102-L108>
pub fn insert_or_replace_content_type_header(headers: &mut header::HeaderMap) {
if !headers.contains_key(header::CONTENT_TYPE)
|| headers
.get(header::CONTENT_TYPE)
.filter(|value| {
value
.to_str()
.ok()
.unwrap_or_default()
.starts_with("text/plain")
})
.is_some()
{
headers.insert(
header::CONTENT_TYPE,
header::HeaderValue::from_static("application/json"),
);
}
}
/// Maps whatever JSON-RPC version the client is using to JSON-RPC 2.0.
async fn request_to_json_rpc_2(
request: HttpRequest<HttpBody>,
) -> (JsonRpcVersion, HttpRequest<HttpBody>) {
let (parts, body) = request.into_parts();
let bytes = body
.collect()
.await
.expect("Failed to collect body data")
.to_bytes();
let (version, bytes) =
if let Ok(request) = serde_json::from_slice::<'_, JsonRpcRequest>(bytes.as_ref()) {
let version = request.version();
if matches!(version, JsonRpcVersion::Unknown) {
(version, bytes)
} else {
(
version,
serde_json::to_vec(&request.into_2()).expect("valid").into(),
)
}
} else {
(JsonRpcVersion::Unknown, bytes)
};
(
version,
HttpRequest::from_parts(parts, HttpBody::from(bytes.as_ref().to_vec())),
)
}
/// Maps JSON-2.0 to whatever JSON-RPC version the client is using.
async fn response_from_json_rpc_2(
version: JsonRpcVersion,
response: HttpResponse<HttpBody>,
) -> HttpResponse<HttpBody> {
let (parts, body) = response.into_parts();
let bytes = body
.collect()
.await
.expect("Failed to collect body data")
.to_bytes();
let bytes =
if let Ok(response) = serde_json::from_slice::<'_, JsonRpcResponse>(bytes.as_ref()) {
serde_json::to_vec(&response.into_version(version))
.expect("valid")
.into()
} else {
bytes
};
HttpResponse::from_parts(parts, HttpBody::from(bytes.as_ref().to_vec()))
}
}
/// Implement the Layer for HttpRequestMiddleware to allow injecting the cookie
#[derive(Clone)]
pub struct HttpRequestMiddlewareLayer {
cookie: Option<Cookie>,
}
impl HttpRequestMiddlewareLayer {
/// Create a new `HttpRequestMiddlewareLayer` with the given cookie.
pub fn new(cookie: Option<Cookie>) -> Self {
Self { cookie }
}
}
impl<S> tower::Layer<S> for HttpRequestMiddlewareLayer {
type Service = HttpRequestMiddleware<S>;
fn layer(&self, service: S) -> Self::Service {
HttpRequestMiddleware::new(service, self.cookie.clone())
}
}
/// A trait for updating an object, consuming it and returning the updated version.
pub trait With<T> {
/// Updates `self` with an instance of type `T` and returns the updated version of `self`.
fn with(self, _: T) -> Self;
}
impl<S> With<Cookie> for HttpRequestMiddleware<S> {
fn with(mut self, cookie: Cookie) -> Self {
self.cookie = Some(cookie);
self
}
}
impl<S> Service<HttpRequest<HttpBody>> for HttpRequestMiddleware<S>
where
S: Service<HttpRequest, Response = HttpResponse> + std::clone::Clone + Send + 'static,
S::Error: Into<BoxError> + 'static,
S::Future: Send + 'static,
{
type Response = S::Response;
type Error = BoxError;
type Future =
Pin<Box<dyn Future<Output = Result<Self::Response, Self::Error>> + Send + 'static>>;
fn poll_ready(
&mut self,
cx: &mut std::task::Context<'_>,
) -> std::task::Poll<Result<(), Self::Error>> {
self.service.poll_ready(cx).map_err(Into::into)
}
fn call(&mut self, mut request: HttpRequest<HttpBody>) -> Self::Future {
// Check if the request is authenticated
if !self.check_credentials(request.headers_mut()) {
let error = ErrorObject::borrowed(401, "unauthenticated method", None);
// TODO: Error object is not being returned to the user but an empty response.
return future::err(BoxError::from(error)).boxed();
}
// Fix the request headers.
Self::insert_or_replace_content_type_header(request.headers_mut());
let mut service = self.service.clone();
async move {
let (version, request) = Self::request_to_json_rpc_2(request).await;
let response = service.call(request).await.map_err(Into::into)?;
Ok(Self::response_from_json_rpc_2(version, response).await)
}
.boxed()
}
}
#[derive(Clone, Copy, Debug)]
enum JsonRpcVersion {
/// bitcoind used a mishmash of 1.0, 1.1, and 2.0 for its JSON-RPC.
Bitcoind,
/// lightwalletd uses the above mishmash, but also breaks spec to include a
/// `"jsonrpc": "1.0"` key.
Lightwalletd,
/// The client is indicating strict 2.0 handling.
TwoPointZero,
/// On parse errors we don't modify anything, and let the `jsonrpsee` crate handle it.
Unknown,
}
/// A version-agnostic JSON-RPC request.
#[derive(Debug, Deserialize, Serialize)]
struct JsonRpcRequest {
#[serde(skip_serializing_if = "Option::is_none")]
jsonrpc: Option<String>,
method: String,
#[serde(skip_serializing_if = "Option::is_none")]
params: Option<serde_json::Value>,
#[serde(skip_serializing_if = "Option::is_none")]
id: Option<serde_json::Value>,
}
impl JsonRpcRequest {
fn version(&self) -> JsonRpcVersion {
match (self.jsonrpc.as_deref(), &self.params, &self.id) {
(
Some("2.0"),
_,
None
| Some(
serde_json::Value::Null
| serde_json::Value::String(_)
| serde_json::Value::Number(_),
),
) => JsonRpcVersion::TwoPointZero,
(Some("1.0"), Some(_), Some(_)) => JsonRpcVersion::Lightwalletd,
(None, Some(_), Some(_)) => JsonRpcVersion::Bitcoind,
_ => JsonRpcVersion::Unknown,
}
}
fn into_2(mut self) -> Self {
self.jsonrpc = Some("2.0".into());
self
}
}
/// A version-agnostic JSON-RPC response.
#[derive(Debug, Deserialize, Serialize)]
struct JsonRpcResponse {
#[serde(skip_serializing_if = "Option::is_none")]
jsonrpc: Option<String>,
id: serde_json::Value,
#[serde(skip_serializing_if = "Option::is_none")]
result: Option<serde_json::Value>,
#[serde(skip_serializing_if = "Option::is_none")]
error: Option<serde_json::Value>,
}
impl JsonRpcResponse {
fn into_version(mut self, version: JsonRpcVersion) -> Self {
match version {
JsonRpcVersion::Bitcoind => {
self.jsonrpc = None;
self.result = self.result.or(Some(serde_json::Value::Null));
self.error = self.error.or(Some(serde_json::Value::Null));
}
JsonRpcVersion::Lightwalletd => {
self.jsonrpc = Some("1.0".into());
self.result = self.result.or(Some(serde_json::Value::Null));
self.error = self.error.or(Some(serde_json::Value::Null));
}
JsonRpcVersion::TwoPointZero => {
// `jsonrpsee` should be returning valid JSON-RPC 2.0 responses. However,
// a valid result of `null` can be parsed into `None` by this parser, so
// we map the result explicitly to `Null` when there is no error.
assert_eq!(self.jsonrpc.as_deref(), Some("2.0"));
if self.error.is_none() {
self.result = self.result.or(Some(serde_json::Value::Null));
} else {
assert!(self.result.is_none());
}
}
JsonRpcVersion::Unknown => (),
}
self
}
}