refactor: crate::rpc_api (#4103)

ChainSafe · Mar 25, 2024 · 3570122 · 3570122
1 parent 6367163
commit 3570122
Show file tree

Hide file tree

Showing 19 changed files with 309 additions and 371 deletions.
diff --git a/src/daemon/mod.rs b/src/daemon/mod.rs
@@ -27,7 +27,7 @@ use crate::libp2p::{Libp2pConfig, Libp2pService, PeerManager};
 use crate::message_pool::{MessagePool, MpoolConfig, MpoolRpcProvider};
 use crate::networks::{ChainConfig, NetworkChain};
 use crate::rpc::start_rpc;
-use crate::rpc_api::data_types::RPCState;
+use crate::rpc::RPCState;
 use crate::shim::address::{CurrentNetwork, Network};
 use crate::shim::clock::ChainEpoch;
 use crate::shim::version::NetworkVersion;

diff --git a/src/rpc/auth_api.rs b/src/rpc/auth_api.rs
@@ -4,18 +4,16 @@
 use crate::auth::*;
 use crate::lotus_json::LotusJson;
 use crate::rpc::error::JsonRpcError;
-use crate::rpc_api::{
-    auth_api::*,
-    data_types::{Data, RPCState},
-};
+use crate::rpc::Ctx;
+use crate::rpc_api::auth_api::*;
 use anyhow::Result;
 use fvm_ipld_blockstore::Blockstore;
 use jsonrpsee::types::Params;
 
 /// RPC call to create a new JWT Token
 pub async fn auth_new<DB: Blockstore>(
     params: Params<'_>,
-    data: Data<RPCState<DB>>,
+    data: Ctx<DB>,
 ) -> Result<LotusJson<Vec<u8>>, JsonRpcError> {
     let auth_params: AuthNewParams = params.parse()?;
 
@@ -26,10 +24,7 @@ pub async fn auth_new<DB: Blockstore>(
 }
 
 /// RPC call to verify JWT Token and return the token's permissions
-pub async fn auth_verify<DB>(
-    params: Params<'_>,
-    data: Data<RPCState<DB>>,
-) -> Result<Vec<String>, JsonRpcError>
+pub async fn auth_verify<DB>(params: Params<'_>, data: Ctx<DB>) -> Result<Vec<String>, JsonRpcError>
 where
     DB: Blockstore,
 {

diff --git a/src/rpc/auth_layer.rs b/src/rpc/auth_layer.rs
@@ -3,7 +3,8 @@
 
 use crate::auth::{verify_token, JWT_IDENTIFIER};
 use crate::key_management::KeyStore;
-use crate::rpc_api::{check_access, ACCESS_MAP};
+use crate::rpc::CANCEL_METHOD_NAME;
+use crate::rpc_api::*;
 
 use futures::future::BoxFuture;
 use futures::FutureExt;
@@ -16,8 +17,167 @@ use tokio::sync::RwLock;
 use tower::Layer;
 use tracing::debug;
 
+use ahash::{HashMap, HashMapExt as _};
+use once_cell::sync::Lazy;
 use std::sync::Arc;
 
+/// Access levels to be checked against JWT claims
+enum Access {
+    Admin,
+    Sign,
+    Write,
+    Read,
+}
+
+/// Access mapping between method names and access levels
+/// Checked against JWT claims on every request
+static ACCESS_MAP: Lazy<HashMap<&str, Access>> = Lazy::new(|| {
+    let mut access = HashMap::new();
+
+    // Auth API
+    access.insert(auth_api::AUTH_NEW, Access::Admin);
+    access.insert(auth_api::AUTH_VERIFY, Access::Read);
+
+    // Beacon API
+    access.insert(beacon_api::BEACON_GET_ENTRY, Access::Read);
+
+    // Chain API
+    access.insert(chain_api::CHAIN_GET_MESSAGE, Access::Read);
+    access.insert(chain_api::CHAIN_EXPORT, Access::Read);
+    access.insert(chain_api::CHAIN_READ_OBJ, Access::Read);
+    access.insert(chain_api::CHAIN_GET_PATH, Access::Read);
+    access.insert(chain_api::CHAIN_HAS_OBJ, Access::Read);
+    access.insert(chain_api::CHAIN_GET_BLOCK_MESSAGES, Access::Read);
+    access.insert(chain_api::CHAIN_GET_TIPSET_BY_HEIGHT, Access::Read);
+    access.insert(chain_api::CHAIN_GET_TIPSET_AFTER_HEIGHT, Access::Read);
+    access.insert(chain_api::CHAIN_GET_GENESIS, Access::Read);
+    access.insert(chain_api::CHAIN_HEAD, Access::Read);
+    access.insert(chain_api::CHAIN_GET_BLOCK, Access::Read);
+    access.insert(chain_api::CHAIN_GET_TIPSET, Access::Read);
+    access.insert(chain_api::CHAIN_SET_HEAD, Access::Admin);
+    access.insert(chain_api::CHAIN_GET_MIN_BASE_FEE, Access::Admin);
+    access.insert(chain_api::CHAIN_GET_MESSAGES_IN_TIPSET, Access::Read);
+    access.insert(chain_api::CHAIN_GET_PARENT_MESSAGES, Access::Read);
+    access.insert(chain_api::CHAIN_NOTIFY, Access::Read);
+    access.insert(chain_api::CHAIN_GET_PARENT_RECEIPTS, Access::Read);
+
+    // Message Pool API
+    access.insert(mpool_api::MPOOL_GET_NONCE, Access::Read);
+    access.insert(mpool_api::MPOOL_PENDING, Access::Read);
+    access.insert(mpool_api::MPOOL_PUSH, Access::Write);
+    access.insert(mpool_api::MPOOL_PUSH_MESSAGE, Access::Sign);
+
+    // Sync API
+    access.insert(sync_api::SYNC_CHECK_BAD, Access::Read);
+    access.insert(sync_api::SYNC_MARK_BAD, Access::Admin);
+    access.insert(sync_api::SYNC_STATE, Access::Read);
+
+    // Wallet API
+    access.insert(wallet_api::WALLET_BALANCE, Access::Write);
+    access.insert(wallet_api::WALLET_BALANCE, Access::Read);
+    access.insert(wallet_api::WALLET_DEFAULT_ADDRESS, Access::Read);
+    access.insert(wallet_api::WALLET_EXPORT, Access::Admin);
+    access.insert(wallet_api::WALLET_HAS, Access::Write);
+    access.insert(wallet_api::WALLET_IMPORT, Access::Admin);
+    access.insert(wallet_api::WALLET_LIST, Access::Write);
+    access.insert(wallet_api::WALLET_NEW, Access::Write);
+    access.insert(wallet_api::WALLET_SET_DEFAULT, Access::Write);
+    access.insert(wallet_api::WALLET_SIGN, Access::Sign);
+    access.insert(wallet_api::WALLET_VALIDATE_ADDRESS, Access::Read);
+    access.insert(wallet_api::WALLET_VERIFY, Access::Read);
+    access.insert(wallet_api::WALLET_DELETE, Access::Write);
+
+    // State API
+    access.insert(state_api::STATE_CALL, Access::Read);
+    access.insert(state_api::STATE_REPLAY, Access::Read);
+    access.insert(state_api::STATE_GET_ACTOR, Access::Read);
+    access.insert(state_api::STATE_MARKET_BALANCE, Access::Read);
+    access.insert(state_api::STATE_MARKET_DEALS, Access::Read);
+    access.insert(state_api::STATE_MINER_INFO, Access::Read);
+    access.insert(state_api::MINER_GET_BASE_INFO, Access::Read);
+    access.insert(state_api::STATE_MINER_ACTIVE_SECTORS, Access::Read);
+    access.insert(state_api::STATE_MINER_FAULTS, Access::Read);
+    access.insert(state_api::STATE_MINER_RECOVERIES, Access::Read);
+    access.insert(state_api::STATE_MINER_POWER, Access::Read);
+    access.insert(state_api::STATE_MINER_DEADLINES, Access::Read);
+    access.insert(state_api::STATE_MINER_PROVING_DEADLINE, Access::Read);
+    access.insert(state_api::STATE_MINER_AVAILABLE_BALANCE, Access::Read);
+    access.insert(state_api::STATE_GET_RECEIPT, Access::Read);
+    access.insert(state_api::STATE_WAIT_MSG, Access::Read);
+    access.insert(state_api::STATE_SEARCH_MSG, Access::Read);
+    access.insert(state_api::STATE_SEARCH_MSG_LIMITED, Access::Read);
+    access.insert(state_api::STATE_NETWORK_NAME, Access::Read);
+    access.insert(state_api::STATE_NETWORK_VERSION, Access::Read);
+    access.insert(state_api::STATE_ACCOUNT_KEY, Access::Read);
+    access.insert(state_api::STATE_LOOKUP_ID, Access::Read);
+    access.insert(state_api::STATE_FETCH_ROOT, Access::Read);
+    access.insert(state_api::STATE_GET_RANDOMNESS_FROM_TICKETS, Access::Read);
+    access.insert(state_api::STATE_GET_RANDOMNESS_FROM_BEACON, Access::Read);
+    access.insert(state_api::STATE_READ_STATE, Access::Read);
+    access.insert(state_api::STATE_CIRCULATING_SUPPLY, Access::Read);
+    access.insert(state_api::STATE_SECTOR_GET_INFO, Access::Read);
+    access.insert(state_api::STATE_LIST_MESSAGES, Access::Read);
+    access.insert(state_api::STATE_LIST_MINERS, Access::Read);
+    access.insert(state_api::STATE_MINER_SECTOR_COUNT, Access::Read);
+    access.insert(state_api::STATE_VERIFIED_CLIENT_STATUS, Access::Read);
+    access.insert(state_api::STATE_MARKET_STORAGE_DEAL, Access::Read);
+    access.insert(
+        state_api::STATE_VM_CIRCULATING_SUPPLY_INTERNAL,
+        Access::Read,
+    );
+    access.insert(state_api::MSIG_GET_AVAILABLE_BALANCE, Access::Read);
+    access.insert(state_api::MSIG_GET_PENDING, Access::Read);
+
+    // Gas API
+    access.insert(gas_api::GAS_ESTIMATE_GAS_LIMIT, Access::Read);
+    access.insert(gas_api::GAS_ESTIMATE_GAS_PREMIUM, Access::Read);
+    access.insert(gas_api::GAS_ESTIMATE_FEE_CAP, Access::Read);
+    access.insert(gas_api::GAS_ESTIMATE_MESSAGE_GAS, Access::Read);
+
+    // Common API
+    access.insert(common_api::VERSION, Access::Read);
+    access.insert(common_api::SESSION, Access::Read);
+    access.insert(common_api::SHUTDOWN, Access::Admin);
+    access.insert(common_api::START_TIME, Access::Read);
+
+    // Net API
+    access.insert(net_api::NET_ADDRS_LISTEN, Access::Read);
+    access.insert(net_api::NET_PEERS, Access::Read);
+    access.insert(net_api::NET_LISTENING, Access::Read);
+    access.insert(net_api::NET_INFO, Access::Read);
+    access.insert(net_api::NET_CONNECT, Access::Write);
+    access.insert(net_api::NET_DISCONNECT, Access::Write);
+    access.insert(net_api::NET_AGENT_VERSION, Access::Read);
+    access.insert(net_api::NET_AUTO_NAT_STATUS, Access::Read);
+    access.insert(net_api::NET_VERSION, Access::Read);
+
+    // Node API
+    access.insert(node_api::NODE_STATUS, Access::Read);
+
+    // Eth API
+    access.insert(eth_api::ETH_ACCOUNTS, Access::Read);
+    access.insert(eth_api::ETH_BLOCK_NUMBER, Access::Read);
+    access.insert(eth_api::ETH_CHAIN_ID, Access::Read);
+    access.insert(eth_api::ETH_GAS_PRICE, Access::Read);
+    access.insert(eth_api::ETH_GET_BALANCE, Access::Read);
+    access.insert(eth_api::ETH_SYNCING, Access::Read);
+
+    // Pubsub API
+    access.insert(CANCEL_METHOD_NAME, Access::Read);
+
+    access
+});
+
+/// Checks an access enumeration against provided JWT claims
+fn check_access(access: &Access, claims: &[String]) -> bool {
+    match access {
+        Access::Admin => claims.contains(&"admin".to_owned()),
+        Access::Sign => claims.contains(&"sign".to_owned()),
+        Access::Write => claims.contains(&"write".to_owned()),
+        Access::Read => claims.contains(&"read".to_owned()),
+    }
+}
+
 #[derive(Clone)]
 pub struct AuthLayer {
     pub headers: HeaderMap,

diff --git a/src/rpc/beacon_api.rs b/src/rpc/beacon_api.rs
@@ -2,12 +2,8 @@
 // SPDX-License-Identifier: Apache-2.0, MIT
 
 use crate::rpc::error::JsonRpcError;
-use crate::{
-    beacon::BeaconEntry,
-    lotus_json::LotusJson,
-    rpc_api::data_types::{Data, RPCState},
-    shim::clock::ChainEpoch,
-};
+use crate::rpc::Ctx;
+use crate::{beacon::BeaconEntry, lotus_json::LotusJson, shim::clock::ChainEpoch};
 use anyhow::Result;
 use fvm_ipld_blockstore::Blockstore;
 use jsonrpsee::types::Params;
@@ -17,7 +13,7 @@ use jsonrpsee::types::Params;
 /// becomes available
 pub async fn beacon_get_entry<DB: Blockstore>(
     params: Params<'_>,
-    data: Data<RPCState<DB>>,
+    data: Ctx<DB>,
 ) -> Result<LotusJson<BeaconEntry>, JsonRpcError> {
     let (first,): (ChainEpoch,) = params.parse()?;