lbrycrd/src/httprpc.cpp

#include "httprpc.h"

#include "base58.h"
#include "chainparams.h"
#include "httpserver.h"
#include "rpcprotocol.h"
#include "rpcserver.h"
#include "random.h"
#include "sync.h"
#include "util.h"
#include "utilstrencodings.h"
#include "ui_interface.h"

#include <boost/algorithm/string.hpp> // boost::trim

/** Simple one-shot callback timer to be used by the RPC mechanism to e.g.
 * re-lock the wellet.
 */
class HTTPRPCTimer : public RPCTimerBase
{
public:
    HTTPRPCTimer(struct event_base* eventBase, boost::function<void(void)>& func, int64_t seconds) : ev(eventBase, false, new Handler(func))
    {
        struct timeval tv = {seconds, 0};
        ev.trigger(&tv);
    }
private:
    HTTPEvent ev;

    class Handler : public HTTPClosure
    {
    public:
        Handler(const boost::function<void(void)>& func) : func(func)
        {
        }
    private:
        boost::function<void(void)> func;
        void operator()() { func(); }
    };
};

class HTTPRPCTimerInterface : public RPCTimerInterface
{
public:
    HTTPRPCTimerInterface(struct event_base* base) : base(base)
    {
    }
    const char* Name()
    {
        return "HTTP";
    }
    RPCTimerBase* NewTimer(boost::function<void(void)>& func, int64_t seconds)
    {
        return new HTTPRPCTimer(base, func, seconds);
    }
private:
    struct event_base* base;
};


/* Pre-base64-encoded authentication token */
static std::string strRPCUserColonPass;
/* Stored RPC timer interface (for unregistration) */
static HTTPRPCTimerInterface* httpRPCTimerInterface = 0;

static void JSONErrorReply(HTTPRequest* req, const UniValue& objError, const UniValue& id)
{
    // Send error reply from json-rpc error object
    int nStatus = HTTP_INTERNAL_SERVER_ERROR;
    int code = find_value(objError, "code").get_int();

    if (code == RPC_INVALID_REQUEST)
        nStatus = HTTP_BAD_REQUEST;
    else if (code == RPC_METHOD_NOT_FOUND)
        nStatus = HTTP_NOT_FOUND;

    std::string strReply = JSONRPCReply(NullUniValue, objError, id);

    req->WriteHeader("Content-Type", "application/json");
    req->WriteReply(nStatus, strReply);
}

static bool RPCAuthorized(const std::string& strAuth)
{
    if (strRPCUserColonPass.empty()) // Belt-and-suspenders measure if InitRPCAuthentication was not called
        return false;
    if (strAuth.substr(0, 6) != "Basic ")
        return false;
    std::string strUserPass64 = strAuth.substr(6);
    boost::trim(strUserPass64);
    std::string strUserPass = DecodeBase64(strUserPass64);
    return TimingResistantEqual(strUserPass, strRPCUserColonPass);
}

static bool HTTPReq_JSONRPC(HTTPRequest* req, const std::string &)
{
    // JSONRPC handles only POST
    if (req->GetRequestMethod() != HTTPRequest::POST) {
        req->WriteReply(HTTP_BAD_METHOD, "JSONRPC server handles only POST requests");
        return false;
    }
    // Check authorization
    std::pair<bool, std::string> authHeader = req->GetHeader("authorization");
    if (!authHeader.first) {
        req->WriteReply(HTTP_UNAUTHORIZED);
        return false;
    }

    if (!RPCAuthorized(authHeader.second)) {
        LogPrintf("ThreadRPCServer incorrect password attempt from %s\n", req->GetPeer().ToString());

        /* Deter brute-forcing
           If this results in a DoS the user really
           shouldn't have their RPC port exposed. */
        MilliSleep(250);

        req->WriteReply(HTTP_UNAUTHORIZED);
        return false;
    }

    JSONRequest jreq;
    try {
        // Parse request
        UniValue valRequest;
        if (!valRequest.read(req->ReadBody()))
            throw JSONRPCError(RPC_PARSE_ERROR, "Parse error");

        std::string strReply;
        // singleton request
        if (valRequest.isObject()) {
            jreq.parse(valRequest);

            UniValue result = tableRPC.execute(jreq.strMethod, jreq.params);

            // Send reply
            strReply = JSONRPCReply(result, NullUniValue, jreq.id);

        // array of requests
        } else if (valRequest.isArray())
            strReply = JSONRPCExecBatch(valRequest.get_array());
        else
            throw JSONRPCError(RPC_PARSE_ERROR, "Top-level object parse error");

        req->WriteHeader("Content-Type", "application/json");
        req->WriteReply(HTTP_OK, strReply);
    } catch (const UniValue& objError) {
        JSONErrorReply(req, objError, jreq.id);
        return false;
    } catch (const std::exception& e) {
        JSONErrorReply(req, JSONRPCError(RPC_PARSE_ERROR, e.what()), jreq.id);
        return false;
    }
    return true;
}

static bool InitRPCAuthentication()
{
    if (mapArgs["-rpcpassword"] == "")
    {
        LogPrintf("No rpcpassword set - using random cookie authentication\n");
        if (!GenerateAuthCookie(&strRPCUserColonPass)) {
            uiInterface.ThreadSafeMessageBox(
                _("Error: A fatal internal error occurred, see debug.log for details"), // Same message as AbortNode
                "", CClientUIInterface::MSG_ERROR);
            return false;
        }
    } else {
        strRPCUserColonPass = mapArgs["-rpcuser"] + ":" + mapArgs["-rpcpassword"];
    }
    return true;
}

bool StartHTTPRPC()
{
    LogPrint("rpc", "Starting HTTP RPC server\n");
    if (!InitRPCAuthentication())
        return false;

    RegisterHTTPHandler("/", true, HTTPReq_JSONRPC);

    assert(EventBase());
    httpRPCTimerInterface = new HTTPRPCTimerInterface(EventBase());
    RPCRegisterTimerInterface(httpRPCTimerInterface);
    return true;
}

void InterruptHTTPRPC()
{
    LogPrint("rpc", "Interrupting HTTP RPC server\n");
}

void StopHTTPRPC()
{
    LogPrint("rpc", "Stopping HTTP RPC server\n");
    UnregisterHTTPHandler("/", true);
    if (httpRPCTimerInterface) {
        RPCUnregisterTimerInterface(httpRPCTimerInterface);
        delete httpRPCTimerInterface;
        httpRPCTimerInterface = 0;
    }
}
evhttpd implementation - Replace usage of boost::asio with [libevent2](http://libevent.org/). boost::asio is not part of C++11, so unlike other boost there is no forwards-compatibility reason to stick with it. Together with #4738 (convert json_spirit to UniValue), this rids Bitcoin Core of the worst offenders with regard to compile-time slowness. - Replace spit-and-duct-tape http server with evhttp. Front-end http handling is handled by libevent, a work queue (with configurable depth and parallelism) is used to handle application requests. - Wrap HTTP request in C++ class; this makes the application code mostly HTTP-server-neutral - Refactor RPC to move all http-specific code to a separate file. Theoreticaly this can allow building without HTTP server but with another RPC backend, e.g. Qt's debug console (currently not implemented) or future RPC mechanisms people may want to use. - HTTP dispatch mechanism; services (e.g., RPC, REST) register which URL paths they want to handle. By using a proven, high-performance asynchronous networking library (also used by Tor) and HTTP server, problems such as #5674, #5655, #344 should be avoided. What works? bitcoind, bitcoin-cli, bitcoin-qt. Unit tests and RPC/REST tests pass. The aim for now is everything but SSL support. Configuration options: - `-rpcthreads`: repurposed as "number of work handler threads". Still defaults to 4. - `-rpcworkqueue`: maximum depth of work queue. When this is reached, new requests will return a 500 Internal Error. - `-rpctimeout`: inactivity time, in seconds, after which to disconnect a client. - `-debug=http`: low-level http activity logging 2015-01-23 07:53:17 +01:00			`#include "httprpc.h"`

			`#include "base58.h"`
			`#include "chainparams.h"`
			`#include "httpserver.h"`
			`#include "rpcprotocol.h"`
			`#include "rpcserver.h"`
			`#include "random.h"`
			`#include "sync.h"`
			`#include "util.h"`
			`#include "utilstrencodings.h"`
			`#include "ui_interface.h"`

			`#include <boost/algorithm/string.hpp> // boost::trim`

			`/** Simple one-shot callback timer to be used by the RPC mechanism to e.g.`
			`* re-lock the wellet.`
			`*/`
			`class HTTPRPCTimer : public RPCTimerBase`
			`{`
			`public:`
			`HTTPRPCTimer(struct event_base* eventBase, boost::function<void(void)>& func, int64_t seconds) : ev(eventBase, false, new Handler(func))`
			`{`
			`struct timeval tv = {seconds, 0};`
			`ev.trigger(&tv);`
			`}`
			`private:`
			`HTTPEvent ev;`

			`class Handler : public HTTPClosure`
			`{`
			`public:`
			`Handler(const boost::function<void(void)>& func) : func(func)`
			`{`
			`}`
			`private:`
			`boost::function<void(void)> func;`
			`void operator()() { func(); }`
			`};`
			`};`

			`class HTTPRPCTimerInterface : public RPCTimerInterface`
			`{`
			`public:`
			`HTTPRPCTimerInterface(struct event_base* base) : base(base)`
			`{`
			`}`
			`const char* Name()`
			`{`
			`return "HTTP";`
			`}`
			`RPCTimerBase* NewTimer(boost::function<void(void)>& func, int64_t seconds)`
			`{`
			`return new HTTPRPCTimer(base, func, seconds);`
			`}`
			`private:`
			`struct event_base* base;`
			`};`


			`/* Pre-base64-encoded authentication token */`
			`static std::string strRPCUserColonPass;`
			`/* Stored RPC timer interface (for unregistration) */`
			`static HTTPRPCTimerInterface* httpRPCTimerInterface = 0;`

			`static void JSONErrorReply(HTTPRequest* req, const UniValue& objError, const UniValue& id)`
			`{`
			`// Send error reply from json-rpc error object`
			`int nStatus = HTTP_INTERNAL_SERVER_ERROR;`
			`int code = find_value(objError, "code").get_int();`

			`if (code == RPC_INVALID_REQUEST)`
			`nStatus = HTTP_BAD_REQUEST;`
			`else if (code == RPC_METHOD_NOT_FOUND)`
			`nStatus = HTTP_NOT_FOUND;`

			`std::string strReply = JSONRPCReply(NullUniValue, objError, id);`

			`req->WriteHeader("Content-Type", "application/json");`
			`req->WriteReply(nStatus, strReply);`
			`}`

			`static bool RPCAuthorized(const std::string& strAuth)`
			`{`
			`if (strRPCUserColonPass.empty()) // Belt-and-suspenders measure if InitRPCAuthentication was not called`
			`return false;`
			`if (strAuth.substr(0, 6) != "Basic ")`
			`return false;`
			`std::string strUserPass64 = strAuth.substr(6);`
			`boost::trim(strUserPass64);`
			`std::string strUserPass = DecodeBase64(strUserPass64);`
			`return TimingResistantEqual(strUserPass, strRPCUserColonPass);`
			`}`

			`static bool HTTPReq_JSONRPC(HTTPRequest* req, const std::string &)`
			`{`
			`// JSONRPC handles only POST`
			`if (req->GetRequestMethod() != HTTPRequest::POST) {`
			`req->WriteReply(HTTP_BAD_METHOD, "JSONRPC server handles only POST requests");`
			`return false;`
			`}`
			`// Check authorization`
			`std::pair<bool, std::string> authHeader = req->GetHeader("authorization");`
			`if (!authHeader.first) {`
			`req->WriteReply(HTTP_UNAUTHORIZED);`
			`return false;`
			`}`

			`if (!RPCAuthorized(authHeader.second)) {`
			`LogPrintf("ThreadRPCServer incorrect password attempt from %s\n", req->GetPeer().ToString());`

			`/* Deter brute-forcing`
			`If this results in a DoS the user really`
			`shouldn't have their RPC port exposed. */`
			`MilliSleep(250);`

			`req->WriteReply(HTTP_UNAUTHORIZED);`
			`return false;`
			`}`

			`JSONRequest jreq;`
			`try {`
			`// Parse request`
			`UniValue valRequest;`
			`if (!valRequest.read(req->ReadBody()))`
			`throw JSONRPCError(RPC_PARSE_ERROR, "Parse error");`

			`std::string strReply;`
			`// singleton request`
			`if (valRequest.isObject()) {`
			`jreq.parse(valRequest);`

			`UniValue result = tableRPC.execute(jreq.strMethod, jreq.params);`

			`// Send reply`
			`strReply = JSONRPCReply(result, NullUniValue, jreq.id);`

			`// array of requests`
			`} else if (valRequest.isArray())`
			`strReply = JSONRPCExecBatch(valRequest.get_array());`
			`else`
			`throw JSONRPCError(RPC_PARSE_ERROR, "Top-level object parse error");`

			`req->WriteHeader("Content-Type", "application/json");`
			`req->WriteReply(HTTP_OK, strReply);`
			`} catch (const UniValue& objError) {`
			`JSONErrorReply(req, objError, jreq.id);`
			`return false;`
			`} catch (const std::exception& e) {`
			`JSONErrorReply(req, JSONRPCError(RPC_PARSE_ERROR, e.what()), jreq.id);`
			`return false;`
			`}`
			`return true;`
			`}`

			`static bool InitRPCAuthentication()`
			`{`
			`if (mapArgs["-rpcpassword"] == "")`
			`{`
			`LogPrintf("No rpcpassword set - using random cookie authentication\n");`
			`if (!GenerateAuthCookie(&strRPCUserColonPass)) {`
			`uiInterface.ThreadSafeMessageBox(`
			`_("Error: A fatal internal error occurred, see debug.log for details"), // Same message as AbortNode`
			`"", CClientUIInterface::MSG_ERROR);`
			`return false;`
			`}`
			`} else {`
			`strRPCUserColonPass = mapArgs["-rpcuser"] + ":" + mapArgs["-rpcpassword"];`
			`}`
			`return true;`
			`}`

			`bool StartHTTPRPC()`
			`{`
			`LogPrint("rpc", "Starting HTTP RPC server\n");`
			`if (!InitRPCAuthentication())`
			`return false;`

			`RegisterHTTPHandler("/", true, HTTPReq_JSONRPC);`

			`assert(EventBase());`
			`httpRPCTimerInterface = new HTTPRPCTimerInterface(EventBase());`
			`RPCRegisterTimerInterface(httpRPCTimerInterface);`
			`return true;`
			`}`

			`void InterruptHTTPRPC()`
			`{`
			`LogPrint("rpc", "Interrupting HTTP RPC server\n");`
			`}`

			`void StopHTTPRPC()`
			`{`
			`LogPrint("rpc", "Stopping HTTP RPC server\n");`
			`UnregisterHTTPHandler("/", true);`
			`if (httpRPCTimerInterface) {`
			`RPCUnregisterTimerInterface(httpRPCTimerInterface);`
			`delete httpRPCTimerInterface;`
			`httpRPCTimerInterface = 0;`
			`}`
			`}`