Merge bitcoin/bitcoin#28167: init: Add option for rpccookie permissions (replace 26088)

73f0a6cbd0 doc: detail -rpccookieperms option (willcl-ark) d2afa2690c test: add rpccookieperms test (willcl-ark) f467aede78 init: add option for rpccookie permissions (willcl-ark) 7df03f1a92 util: add perm string helper functions (willcl-ark) Pull request description: This PR picks up #26088 by aureleoules which adds a bitcoind launch option `-rpccookieperms` to set the file permissions of the cookie generated by bitcoin core. Example usage to make the generated cookie group-readable: `./src/bitcoind -rpccookieperms=group`. Accepted values for `-rpccookieperms` are `[owner|group|all]`. We let `fs::perms` handle platform-specific permissions changes. ACKs for top commit: achow101: ACK 73f0a6cbd0 ryanofsky: Code review ACK 73f0a6cbd0. Main change since last review is no longer throwing a skip exception in the rpc test on windows, so other checks can run after it, and overall test result is passing, not skipped. Also were clarifying renames and documentation improvements. tdb3: cr ACK 73f0a6cbd0 Tree-SHA512: e800d59a44aca10e1c58ca69bf3fdde9f6ccf5eab4b7b962645af6d6bc0cfa3a357701e409c8c60d8d7744fcd33a91e77ada11790aa88cd7811ef60fab86ab11
2025-11-10 14:08:40 +01:00 · 2024-06-27 16:48:21 -04:00
parent f0745d028e 73f0a6cbd0
commit d38dbaad98
8 changed files with 132 additions and 11 deletions
--- a/test/functional/rpc_users.py
+++ b/test/functional/rpc_users.py
@@ -11,12 +11,15 @@ from test_framework.util import (
 )

 import http.client
+import os
+import platform
 import urllib.parse
 import subprocess
 from random import SystemRandom
 import string
 import configparser
 import sys
+from typing import Optional


 def call_with_auth(node, user, password):
@@ -84,6 +87,40 @@ class HTTPBasicsTest(BitcoinTestFramework):
        self.log.info('Wrong...')
        assert_equal(401, call_with_auth(node, user + 'wrong', password + 'wrong').status)

+    def test_rpccookieperms(self):
+        p = {"owner": 0o600, "group": 0o640, "all": 0o644}
+
+        if platform.system() == 'Windows':
+            self.log.info(f"Skip cookie file permissions checks as OS detected as: {platform.system()=}")
+            return
+
+        self.log.info('Check cookie file permissions can be set using -rpccookieperms')
+
+        cookie_file_path = self.nodes[1].chain_path / '.cookie'
+        PERM_BITS_UMASK = 0o777
+
+        def test_perm(perm: Optional[str]):
+            if not perm:
+                perm = 'owner'
+                self.restart_node(1)
+            else:
+                self.restart_node(1, extra_args=[f"-rpccookieperms={perm}"])
+
+            file_stat = os.stat(cookie_file_path)
+            actual_perms = file_stat.st_mode & PERM_BITS_UMASK
+            expected_perms = p[perm]
+            assert_equal(expected_perms, actual_perms)
+
+        # Remove any leftover rpc{user|password} config options from previous tests
+        self.nodes[1].replace_in_config([("rpcuser", "#rpcuser"), ("rpcpassword", "#rpcpassword")])
+
+        self.log.info('Check default cookie permission')
+        test_perm(None)
+
+        self.log.info('Check custom cookie permissions')
+        for perm in ["owner", "group", "all"]:
+            test_perm(perm)
+
    def run_test(self):
        self.conf_setup()
        self.log.info('Check correctness of the rpcauth config option')
@@ -115,6 +152,8 @@ class HTTPBasicsTest(BitcoinTestFramework):
        (self.nodes[0].chain_path / ".cookie.tmp").mkdir()
        self.nodes[0].assert_start_raises_init_error(expected_msg=init_error)

+        self.test_rpccookieperms()
+

 if __name__ == '__main__':
    HTTPBasicsTest().main()