More security changes.

2025-11-23 12:35:50 +00:00 · 2013-01-18 01:41:48 -08:00
parent bda80d4144
commit e69d309cb3
5 changed files with 46 additions and 12 deletions
--- a/rippled-example.cfg
+++ b/rippled-example.cfg
@@ -107,15 +107,32 @@
 #   0: Allow RPC connections only from 127.0.0.1. [default]
 #   1: Allow RPC connections from any IP.
 #
+# [rpc_admin_allow]:
+#   Specify an IP address required for admin access.
+#
+#   Defaults to 127.0.0.1.
+#
+# [rpc_user]:
+#   As a server, require a this user to specified and require rpc_password to
+#   be checked for RPC access.
+#
+#   As a client, supply this to the server.
+#
+# [rpc_password]:
+#   As a server, require a this password to specified and require rpc_user to
+#   be checked for RPC access.
+#
+#   As a client, supply this to the server.
+#
 # [rpc_admin_user]:
-#   As a server, require a this user to specified and require admin_password to
-#   be checked for RPC admin functions.
+#   As a server, require a this user to specified and require rpc_admin_password
+#   to be checked for RPC admin functions.
 #
 #   As a client, supply this to the server.
 #
 # [rpc_admin_password]:
-#   As a server, require a this password to specified and require admin_user to
-#   be checked for RPC admin functions.
+#   As a server, require a this password to specified and require rpc_admin_user
+#   to be checked for RPC admin functions.
 #
 #   As a client, supply this to the server.
 #
--- a/src/cpp/ripple/CallRPC.cpp
+++ b/src/cpp/ripple/CallRPC.cpp
@@ -590,11 +590,17 @@ int commandLineRPC(const std::vector<std::string>& vCmd)

 			jvParams.append(jvRequest);

+			if (!theConfig.RPC_ADMIN_USER.empty())
+				jvRequest["admin_user"]		= theConfig.RPC_ADMIN_USER;
+
+			if (!theConfig.RPC_ADMIN_PASSWORD.empty())
+				jvRequest["admin_password"]	= theConfig.RPC_ADMIN_PASSWORD;
+
 			jvOutput	= callRPC(
 				theConfig.RPC_IP,
 				theConfig.RPC_PORT,
-				theConfig.RPC_ADMIN_USER,
-				theConfig.RPC_ADMIN_PASSWORD,
+				theConfig.RPC_USER,
+				theConfig.RPC_PASSWORD,
 				"",
 				jvRequest.isMember("method")			// Allow parser to rewrite method.
 					? jvRequest["method"].asString()
--- a/src/cpp/ripple/Config.cpp
+++ b/src/cpp/ripple/Config.cpp
@@ -35,10 +35,13 @@
 #define SECTION_PEER_SSL_CIPHER_LIST	"peer_ssl_cipher_list"
 #define SECTION_PEER_START_MAX			"peer_start_max"
 #define SECTION_RPC_ALLOW_REMOTE		"rpc_allow_remote"
+#define SECTION_RPC_ADMIN_ALLOW			"rpc_admin_allow"
 #define SECTION_RPC_ADMIN_USER			"rpc_admin_user"
 #define SECTION_RPC_ADMIN_PASSWORD		"rpc_admin_password"
 #define SECTION_RPC_IP					"rpc_ip"
 #define SECTION_RPC_PORT				"rpc_port"
+#define SECTION_RPC_USER				"rpc_user"
+#define SECTION_RPC_PASSWORD			"rpc_password"
 #define SECTION_RPC_STARTUP				"rpc_startup"
 #define SECTION_SNTP					"sntp_servers"
 #define SECTION_VALIDATORS_FILE			"validators_file"
@@ -298,9 +301,12 @@ void Config::load()
 			if (sectionSingleB(secConfig, SECTION_PEER_PRIVATE, strTemp))
 				PEER_PRIVATE		= boost::lexical_cast<bool>(strTemp);

-			(void) sectionSingleB(secConfig, SECTION_RPC_ADMIN_USER, RPC_ADMIN_USER);
+			(void) sectionSingleB(secConfig, SECTION_RPC_ADMIN_ALLOW, RPC_ADMIN_ALLOW);
 			(void) sectionSingleB(secConfig, SECTION_RPC_ADMIN_PASSWORD, RPC_ADMIN_PASSWORD);
+			(void) sectionSingleB(secConfig, SECTION_RPC_ADMIN_USER, RPC_ADMIN_USER);
 			(void) sectionSingleB(secConfig, SECTION_RPC_IP, RPC_IP);
+			(void) sectionSingleB(secConfig, SECTION_RPC_PASSWORD, RPC_PASSWORD);
+			(void) sectionSingleB(secConfig, SECTION_RPC_USER, RPC_USER);

 			if (sectionSingleB(secConfig, SECTION_RPC_PORT, strTemp))
 				RPC_PORT = boost::lexical_cast<int>(strTemp);
--- a/src/cpp/ripple/Config.h
+++ b/src/cpp/ripple/Config.h
@@ -112,8 +112,11 @@ public:
 	// RPC parameters
 	std::string					RPC_IP;
 	int							RPC_PORT;
-	std::string					RPC_ADMIN_USER;
+	std::string					RPC_ADMIN_ALLOW;
 	std::string					RPC_ADMIN_PASSWORD;
+	std::string					RPC_ADMIN_USER;
+	std::string					RPC_PASSWORD;
+	std::string					RPC_USER;
 	bool						RPC_ALLOW_REMOTE;
 	std::vector<Json::Value>	RPC_STARTUP;

--- a/src/cpp/ripple/RPCHandler.cpp
+++ b/src/cpp/ripple/RPCHandler.cpp
@@ -28,19 +28,21 @@ SETUP_LOG();
 int iAdminGet(const Json::Value& jvRequest, const std::string& strRemoteIp)
 {
 	int		iRole;
-	bool	bPasswordSupplied	= jvRequest.isMember("user") || jvRequest.isMember("password");
+	bool	bPasswordSupplied	= jvRequest.isMember("admin_user") || jvRequest.isMember("admin_password");
 	bool	bPasswordRequired	= !theConfig.RPC_ADMIN_USER.empty() || !theConfig.RPC_ADMIN_PASSWORD.empty();

 	bool	bPasswordWrong		= bPasswordSupplied
 									? bPasswordRequired
 										// Supplied, required, and incorrect.
-										? theConfig.RPC_ADMIN_USER != (jvRequest.isMember("user") ? jvRequest["user"].asString() : "")
-											|| theConfig.RPC_ADMIN_PASSWORD != (jvRequest.isMember("user") ? jvRequest["password"].asString() : "")
+										? theConfig.RPC_ADMIN_USER != (jvRequest.isMember("admin_user") ? jvRequest["admin_user"].asString() : "")
+											|| theConfig.RPC_ADMIN_PASSWORD != (jvRequest.isMember("admin_user") ? jvRequest["admin_password"].asString() : "")
 										// Supplied and not required.
 										: true
 									: false;
 	// Meets IP restriction for admin.
-	bool	bAdminIP			= strRemoteIp == "127.0.0.1";
+	bool	bAdminIP			= theConfig.RPC_ADMIN_ALLOW.empty()
+									? strRemoteIp == "127.0.0.1"
+									: strRemoteIp == theConfig.RPC_ADMIN_ALLOW;

 	if (bPasswordWrong							// Wrong
 		|| (bPasswordSupplied && !bAdminIP))	// Supplied and doesn't meet IP filter.