RPC HTTP: Resolve domain names in ACL policy

Context

There is a flaw in the RPC ACL: if a user specifies a domain name address for an ACL, but points the node to listen on an IP address matching that name, the ACL won't be applied. The reason is that addresses are compared for equality as strings, so the algorithm has no idea that a domain name might match an IP address. This is probably unlikely to happen in practice, but it is still better to have it fixed. This MR provides that fix by resolving all domain names to IP addresses before matching with the listening address given to the node.

Manually testing the MR

Put the following RPC config in the node's config.json and verify that the node denies access to the RPC:

  "rpc": {
      "listen-addrs": ["127.0.0.1"],
      "acl": [{
          "address": "localhost",
          "whitelist": []
      }]
  }

Checklist

  • Provide automatic testing (see the testing guide).
  • For new features and bug fixes, add an item in the appropriate changelog (docs/protocols/alpha.rst for the protocol and the environment, the Development Version section of CHANGES.md for everything else).
  • Select suitable reviewers using the Reviewers field below.
  • Select as Assignee the next person who should take action on that MR.
  • Create an opam branch.
Edited by Sventimir
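
The mismatch described under Context and the resolve-then-compare fix, as an added Python sketch that is not the MR's own code. The function names, the offline host table and the choice to skip unresolvable ACL names are assumptions; ports are ignored.

```python
import ipaddress
import socket

# Constructed policy and listen address mirroring the config in this MR.
ACL = [{"address": "localhost", "whitelist": []}]
LISTEN_ADDR = "127.0.0.1"
# Constructed name table so the example runs offline (assumption).
CONSTRUCTED_HOSTS = {"localhost": {"127.0.0.1", "::1"}}


def table_resolver(host):
    """Offline stand-in for DNS; raises OSError like a failed lookup."""
    if host not in CONSTRUCTED_HOSTS:
        raise OSError(f"cannot resolve {host}")
    return CONSTRUCTED_HOSTS[host]


def system_resolver(host):
    """Ask the OS resolver; socket.gaierror is a subclass of OSError."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def find_policy_by_string(acl, listen_addr):
    """Flawed lookup: 'localhost' never equals '127.0.0.1' as a string."""
    return next((e for e in acl if e["address"] == listen_addr), None)


def to_ips(addr, resolver):
    """IP literals are normalised; anything else is resolved as a name."""
    try:
        return {str(ipaddress.ip_address(addr))}
    except ValueError:
        return set(resolver(addr))


def find_policy_resolved(acl, listen_addr, resolver=system_resolver):
    """Fixed lookup: resolve both sides, then compare sets of IPs."""
    listen_ips = to_ips(listen_addr, resolver)
    for entry in acl:
        try:
            if to_ips(entry["address"], resolver) & listen_ips:
                return entry
        except OSError:
            continue  # assumption: an unresolvable ACL name matches nothing
    return None


if __name__ == "__main__":
    print(find_policy_by_string(ACL, LISTEN_ADDR))
    print(find_policy_resolved(ACL, LISTEN_ADDR, table_resolver))
```

A return value of `None` means no configured entry was selected for the listening address, which is the case where the ACL is silently not applied.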
