fix(core-p2p): restrict internal route access to whitelisted forgers

ArkEcosystem · air1one · Jun 30, 2020 · Jun 29, 2020 · Jun 29, 2020 · Jun 30, 2020
commit b9fc98329990c8351cdd1fcf98b8549329aab086
@@ -0,0 +1,121 @@
+import { Server } from "@hapi/hapi";
+import Joi from "@hapi/joi";
+
+import { Container } from "../../../../../packages/core-kernel";
+import { defaults } from "../../../../../packages/core-p2p/src/defaults";
+import { PeerProcessor } from "../../../../../packages/core-p2p/src/peer-processor";
+import { WhitelistForgerPlugin } from "../../../../../packages/core-p2p/src/socket-server/plugins/whitelist-forger";
+
+describe("WhitelistForgerPlugin", () => {
+    let whitelistForgerPlugin: WhitelistForgerPlugin;
+    let spyPeerProcessorWhitelisted;
+    const peerProcessor = new PeerProcessor();
+
+    const container = new Container.Container();
+
+    const logger = { warning: jest.fn(), debug: jest.fn() };
+
+    const pluginConfiguration = {
+        getOptional: (_) => defaults.remoteAccess,
+    };
+
+    // @ts-ignore
+    peerProcessor.configuration = pluginConfiguration;
+
+    const responsePayload = { status: "ok" };
+    const mockRouteByPath = {
+        "/p2p/peer/mockroute": {
+            id: "p2p.peer.getPeers",
+            handler: () => responsePayload,
+            validation: Joi.object().max(0),
+        },
+    };
+    const mockRoute = {
+        method: "POST",
+        path: "/p2p/peer/mockroute",
+        config: {
+            id: mockRouteByPath["/p2p/peer/mockroute"].id,
+            handler: mockRouteByPath["/p2p/peer/mockroute"].handler,
+        },
+    };
+    const app = { resolve: jest.fn().mockReturnValue({ getRoutesConfigByPath: () => mockRouteByPath }) };
+
+    beforeAll(() => {
+        container.unbindAll();
+        container.bind(Container.Identifiers.LogService).toConstantValue(logger);
+        container.bind(Container.Identifiers.Application).toConstantValue(app);
+        container.bind(Container.Identifiers.PeerProcessor).toConstantValue(peerProcessor);
+    });
+
+    beforeEach(() => {
+        whitelistForgerPlugin = container.resolve<WhitelistForgerPlugin>(WhitelistForgerPlugin);
+        spyPeerProcessorWhitelisted = jest.spyOn(peerProcessor, "isWhitelisted");
+    });
+
+    afterEach(() => spyPeerProcessorWhitelisted.mockClear());
+
+    it("should register the isWhitelisted plugin", async () => {
+        const server = new Server({ port: 4100 });
+        server.route(mockRoute);
+
+        const spyExt = jest.spyOn(server, "ext");
+
+        whitelistForgerPlugin.register(server);
+
+        expect(spyExt).toBeCalledWith(expect.objectContaining({ type: "onPreHandler" }));
+    });
+
+    it("should authorize default whitelisted IPs", async () => {
+        const server = new Server({ port: 4100 });
+        server.route(mockRoute);
+
+        const spyExt = jest.spyOn(server, "ext");
+
+        whitelistForgerPlugin.register(server);
+
+        expect(spyExt).toBeCalledWith(expect.objectContaining({ type: "onPreHandler" }));
+
+        // try the route with a valid remoteAddress
+        const remoteAddress = defaults.remoteAccess[0];
+        const responseValid = await server.inject({
+            method: "POST",
+            url: "/p2p/peer/mockroute",
+            payload: {},
+            remoteAddress,
+        });
+        expect(JSON.parse(responseValid.payload)).toEqual(responsePayload);
+        expect(responseValid.statusCode).toBe(200);
+        expect(spyPeerProcessorWhitelisted).toBeCalledTimes(1);
+        expect(spyPeerProcessorWhitelisted).toBeCalledWith({ ip: remoteAddress });
+    });
+
+    it("should not authorize none-whitelisted IPs", async () => {
+        const server = new Server({ port: 4100 });
+        server.route(mockRoute);
+
+        const spyExt = jest.spyOn(server, "ext");
+
+        whitelistForgerPlugin.register(server);
+
+        expect(spyExt).toBeCalledWith(expect.objectContaining({ type: "onPreHandler" }));
+
+        // try the route with an invalid remoteAddress
+        const remoteAddress = "187.166.55.44";
+        const responseInvalid = await server.inject({
+            method: "POST",
+            url: "/p2p/peer/mockroute",
+            payload: {},
+            remoteAddress,
+        });
+
+        const invalidResponsePayload = {
+            error: "Forbidden",
+            message: "IP unauthorized on internal route",
+            statusCode: 403,
+        };
+        expect(JSON.parse(responseInvalid.payload)).toEqual(invalidResponsePayload);
+        expect(responseInvalid.statusCode).not.toBe(200);
+        expect(spyPeerProcessorWhitelisted).toBeCalledTimes(1);
+        expect(spyPeerProcessorWhitelisted).toBeCalledWith({ ip: remoteAddress });
+    });
+});
@@ -11,4 +11,6 @@ export interface PeerProcessor {
     validateAndAcceptPeer(peer: Peer, options?: AcceptNewPeerOptions): Promise<void>;
 
     validatePeerIp(peer, options?: AcceptNewPeerOptions): boolean;
+
+    isWhitelisted(peer): boolean;
 }
@@ -36,6 +36,10 @@ export class PeerProcessor implements Contracts.P2P.PeerProcessor {
         this.events.listen(Enums.CryptoEvent.MilestoneChanged, this.app.resolve(DisconnectInvalidPeers));
     }
 
+    public isWhitelisted(peer: Contracts.P2P.Peer): boolean {
+        return KernelUtils.isWhitelisted(this.configuration.getOptional<string[]>("remoteAccess", []), peer.ip);
+    }
+
     public async validateAndAcceptPeer(
         peer: Contracts.P2P.Peer,
         options: Contracts.P2P.AcceptNewPeerOptions = {},

@@ -0,0 +1,33 @@
+import { Container, Contracts } from "@arkecosystem/core-kernel";
+import Boom from "@hapi/boom";
+
+import { PeerRoute } from "../routes/peer";
+
+@Container.injectable()
+export class WhitelistForgerPlugin {
+    @Container.inject(Container.Identifiers.Application)
+    protected readonly app!: Contracts.Kernel.Application;
+
+    @Container.inject(Container.Identifiers.PeerProcessor)
+    private readonly peerProcessor!: Contracts.P2P.PeerProcessor;
+
+    public register(server) {
+        const peerRoutesConfigByPath = this.app.resolve(PeerRoute).getRoutesConfigByPath();
+        const peerProcessor = this.peerProcessor;
+
+        server.ext({
+            type: "onPreHandler",
+            async method(request, h) {
+                if (peerRoutesConfigByPath[request.path]) {
+                    if (peerProcessor.isWhitelisted({ ip: request.info.remoteAddress } as Contracts.P2P.Peer)) {
+                        return h.continue;
+                    } else {
+                        return Boom.forbidden("IP unauthorized on internal route");
+                    }
+                } else {
+                    return h.continue;
+                }
+            },
+        });
+    }
+}