RPC HTTP: Resolve domain names in ACL policy
Context
There is a flaw in the RPC ACL: if a user specifies a domain name address for an ACL, but points the node to listen on an IP address matching that name, the ACL won't be applied. The reason is that addresses are compared for equality as strings, so the algorithm has no idea that a domain name might match an IP address. This is probably unlikely to happen in practice, but it is still better to have it fixed. This MR provides that fix by resolving all domain names to IP addresses before matching with the listening address given to the node.
Manually testing the MR
Put the following RPC config in node's config.json and verify that the node denies access to the RPC:

    "rpc": {
      "listen-addrs": ["127.0.0.1"],
      "acl": [{
        "address": "localhost",
        "whitelist": []
      }]
    }
Checklist
- Provide automatic testing (see the testing guide).
- For new features and bug fixes, add an item in the appropriate changelog (docs/protocols/alpha.rst for the protocol and the environment, the Development Version section of CHANGES.md for everything else).
- Select suitable reviewers using the Reviewers field below.
- Select as Assignee the next person who should take action on that MR
- Create an opam branch.
Edited by Sventimir
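
The string-equality lookup described under Context, next to a lookup that resolves domain names first, as an added Python sketch that is not the MR's code. All function names, the constructed host table, and the simplification that addresses carry no port are assumptions of this example.

```python
import ipaddress
import socket

# Constructed sample: the ACL from the config.json fragment in the description.
ACL = [{"address": "localhost", "whitelist": []}]
# Constructed name table so the example runs offline; not real DNS data.
CONSTRUCTED_HOSTS = {"localhost": ["127.0.0.1", "::1"]}

def constructed_resolve(host):
    """Offline stand-in for a resolver (hypothetical helper)."""
    if host not in CONSTRUCTED_HOSTS:
        raise OSError(f"cannot resolve {host!r}")
    return CONSTRUCTED_HOSTS[host]

def system_resolve(host):
    """Resolve a name with the OS resolver; returns IP address strings."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}

def find_policy_by_string(acl, listen_addr):
    """Flawed lookup: plain string equality between ACL and listen address."""
    for entry in acl:
        if entry["address"] == listen_addr:
            return entry
    return None  # no policy found, so this ACL is not applied

def acl_ips(address, resolve):
    """IPs an ACL address stands for: itself if a literal, else resolved."""
    try:
        return {ipaddress.ip_address(address)}
    except ValueError:
        # Not an IP literal, so treat it as a domain name. A resolver error
        # propagates: this example aborts rather than silently skip the entry.
        return {ipaddress.ip_address(ip) for ip in resolve(address)}

def find_policy_resolved(acl, listen_addr, resolve=system_resolve):
    """Fixed lookup: compare parsed IPs after resolving domain names."""
    listen_ip = ipaddress.ip_address(listen_addr)
    for entry in acl:
        if listen_ip in acl_ips(entry["address"], resolve):
            return entry
    return None

if __name__ == "__main__":
    print(find_policy_by_string(ACL, "127.0.0.1"))
    print(find_policy_resolved(ACL, "127.0.0.1", constructed_resolve))
```

Comparing parsed addresses rather than strings also makes equivalent IPv6 spellings such as `0:0:0:0:0:0:0:1` and `::1` match.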