add access control in the jsonrpsee servers

bin/node-template/node/Cargo.toml

@@ -38,7 +38,7 @@ sp-runtime = { version = "4.0.0-dev", path = "../../../primitives/runtime" }
 sp-timestamp = { version = "4.0.0-dev", path = "../../../primitives/timestamp" }
 
 # These dependencies are used for the node template's RPCs
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["server"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["server"] }
 sc-rpc = { version = "4.0.0-dev", path = "../../../client/rpc" }
 sp-api = { version = "4.0.0-dev", path = "../../../primitives/api" }
 sc-rpc-api = { version = "0.10.0-dev", path = "../../../client/rpc-api" }

bin/node/cli/Cargo.toml

@@ -34,7 +34,7 @@ crate-type = ["cdylib", "rlib"]
 
 [dependencies]
 # third-party dependencies
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["server"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["server"] }
 serde = { version = "1.0.126", features = ["derive"] }
 futures = "0.3.16"
 hex-literal = "0.3.1"

bin/node/rpc-client/Cargo.toml

@@ -12,7 +12,7 @@ targets = ["x86_64-unknown-linux-gnu"]
 
 [dependencies]
 futures = "0.3.16"
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["client", "macros"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["client", "macros"] }
 tokio = { version = "1.10", features = ["full"] }
 node-primitives = { version = "2.0.0", path = "../primitives" }
 sp-tracing = { version = "4.0.0-dev", path = "../../../primitives/tracing" }

client/consensus/babe/rpc/Cargo.toml

@@ -13,7 +13,7 @@ readme = "README.md"
 targets = ["x86_64-unknown-linux-gnu"]
 
 [dependencies]
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["server"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["server"] }
 sc-consensus-babe = { version = "0.10.0-dev", path = "../" }
 sc-rpc-api = { version = "0.10.0-dev", path = "../../../rpc-api" }
 sp-consensus-babe = { version = "0.10.0-dev", path = "../../../../primitives/consensus/babe" }

client/consensus/manual-seal/Cargo.toml

@@ -16,7 +16,7 @@ targets = ["x86_64-unknown-linux-gnu"]
 derive_more = "0.99.2"
 futures = "0.3.9"
 
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["server"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["server"] }
 log = "0.4.8"
 codec = { package = "parity-scale-codec", version = "2.0.0" }
 serde = { version = "1.0", features = ["derive"] }

client/finality-grandpa/rpc/Cargo.toml

@@ -15,7 +15,7 @@ sp-blockchain = { version = "4.0.0-dev", path = "../../../primitives/blockchain"
 sp-core = { version = "4.0.0-dev", path = "../../../primitives/core" }
 sp-runtime = { version = "4.0.0-dev", path = "../../../primitives/runtime" }
 finality-grandpa = { version = "0.14.1", features = ["derive-codec"] }
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["server"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["server"] }
 futures = { version = "0.3.4", features = ["compat"] }
 serde = { version = "1.0.105", features = ["derive"] }
 serde_json = "1.0.50"

client/rpc-api/Cargo.toml

@@ -26,7 +26,7 @@ sc-chain-spec = { path = "../chain-spec", version = "4.0.0-dev" }
 serde = { version = "1.0.126", features = ["derive"] }
 serde_json = "1.0.41"
 
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["full"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["full"] }
 
 sc-transaction-pool-api = { version = "4.0.0-dev", path = "../transaction-pool/api" }
 sp-rpc = { version = "4.0.0-dev", path = "../../primitives/rpc" }

client/rpc-api/src/lib.rs

@@ -28,6 +28,7 @@ pub use policy::DenyUnsafe;
 
 pub mod author;
 pub mod chain;
+/// Child state API
 pub mod child_state;
 pub mod offchain;
 pub mod state;

client/rpc-servers/Cargo.toml

@@ -18,5 +18,5 @@ log = "0.4.8"
 prometheus-endpoint = { package = "substrate-prometheus-endpoint", path = "../../utils/prometheus", version = "0.9.0"}
 serde_json = "1.0.41"
 futures-channel = "0.3"
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["server"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["server"] }
 tokio = { version = "1.10", features = ["full"] }

client/rpc-servers/src/lib.rs

@@ -21,7 +21,7 @@
 #![warn(missing_docs)]
 
 use jsonrpsee::{
-	http_server::{HttpServerBuilder, HttpStopHandle},
+	http_server::{AccessControlBuilder, Host, HttpServerBuilder, HttpStopHandle},
 	ws_server::{WsServerBuilder, WsStopHandle},
 	RpcModule,
 };
@@ -90,7 +90,7 @@ pub type WsServer = WsStopHandle;
 /// Start HTTP server listening on given address.
 pub fn start_http<M: Send + Sync + 'static>(
 	addr: std::net::SocketAddr,
-	_cors: Option<&Vec<String>>,
+	cors: Option<&Vec<String>>,
 	maybe_max_payload_mb: Option<usize>,
 	module: RpcModule<M>,
 	rt: tokio::runtime::Handle,
@@ -99,8 +99,24 @@ pub fn start_http<M: Send + Sync + 'static>(
 		.map(|mb| mb.saturating_mul(MEGABYTE))
 		.unwrap_or(RPC_MAX_PAYLOAD_DEFAULT);
 
+	let mut acl = AccessControlBuilder::new();
+
+	log::info!("starting JSONRPC HTTP server: addr={}, cors={:?}", addr, cors);
+
+	if let Some(cors) = cors {
+		// Whitelist listening address.
+		let host = Host::parse(&format!("localhost:{}", addr.port()));
+		acl = acl.allow_host(host);
+		let host = Host::parse(&format!("127.0.0.1:{}", addr.port()));
+		acl = acl.allow_host(host);
+		for origin in cors {
+			acl = acl.cors_allow_origin(origin.into());
+		}
+	};
+
 	let server = HttpServerBuilder::default()
 		.max_request_body_size(max_request_body_size as u32)
+		.set_access_control(acl.build())
 		.build(addr)?;
 
 	let handle = server.stop_handle();
@@ -117,7 +133,7 @@ pub fn start_http<M: Send + Sync + 'static>(
 pub fn start_ws<M: Send + Sync + 'static>(
 	addr: std::net::SocketAddr,
 	max_connections: Option<usize>,
-	_cors: Option<&Vec<String>>,
+	cors: Option<&Vec<String>>,
 	maybe_max_payload_mb: Option<usize>,
 	module: RpcModule<M>,
 	rt: tokio::runtime::Handle,
@@ -127,14 +143,19 @@ pub fn start_ws<M: Send + Sync + 'static>(
 		.unwrap_or(RPC_MAX_PAYLOAD_DEFAULT);
 	let max_connections = max_connections.unwrap_or(WS_MAX_CONNECTIONS);
 
-	let server = tokio::task::block_in_place(|| {
-		rt.block_on(
-			WsServerBuilder::default()
-				.max_request_body_size(max_request_body_size as u32)
-				.max_connections(max_connections as u64)
-				.build(addr),
-		)
-	})?;
+	let mut builder = WsServerBuilder::default()
+		.max_request_body_size(max_request_body_size as u32)
+		.max_connections(max_connections as u64);
+
+	log::info!("starting JSONRPC WS server: addr={}, cors={:?}", addr, cors);
+
+	if let Some(cors) = cors {
+		// Whitelist listening address.
+		builder = builder.set_allowed_hosts([format!("localhost:{}", addr.port()), format!("127.0.0.1:{}", addr.port())])?;
+		builder = builder.set_allowed_origins(cors)?;
+	}
+
+	let server = tokio::task::block_in_place(|| rt.block_on(builder.build(addr)))?;
 
 	let handle = server.stop_handle();
 	let rpc_api = build_rpc_api(module);

client/rpc/Cargo.toml

@@ -38,7 +38,7 @@ sc-tracing = { version = "4.0.0-dev", path = "../tracing" }
 hash-db = { version = "0.15.2", default-features = false }
 parking_lot = "0.11.1"
 lazy_static = { version = "1.4.0", optional = true }
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["server"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["server"] }
 sc-transaction-pool-api = { version = "4.0.0-dev", path = "../transaction-pool/api" }
 
 [dev-dependencies]

client/service/Cargo.toml

@@ -22,7 +22,7 @@ wasmtime = ["sc-executor/wasmtime"]
 test-helpers = []
 
 [dependencies]
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["server"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["server"] }
 
 thiserror = "1.0.21"
 futures01 = { package = "futures", version = "0.1.29" }

client/service/src/builder.rs

@@ -656,7 +656,7 @@ fn init_telemetry<TBl: BlockT, TCl: BlockBackend<TBl>>(
 // Maciej: This is very WIP, mocking the original `gen_handler`. All of the `jsonrpsee`
 // specific logic should be merged back to `gen_handler` down the road.
 fn gen_rpc_module<TBl, TBackend, TCl, TExPool>(
-	_deny_unsafe: DenyUnsafe,
+	deny_unsafe: DenyUnsafe,
 	spawn_handle: SpawnTaskHandle,
 	client: Arc<TCl>,
 	on_demand: Option<Arc<OnDemand<TBl>>>,
@@ -690,9 +690,6 @@ where
 {
 	const UNIQUE_METHOD_NAMES_PROOF: &str = "Method names are unique; qed";
 
-	// TODO(niklasad1): fix CORS.
-	let deny_unsafe = DenyUnsafe::No;
-
 	let system_info = sc_rpc::system::SystemInfo {
 		chain_name: config.chain_spec.name().into(),
 		impl_name: config.impl_name.clone(),

client/sync-state-rpc/Cargo.toml

@@ -15,7 +15,8 @@ targets = ["x86_64-unknown-linux-gnu"]
 [dependencies]
 thiserror = "1.0.21"
 anyhow = "1"
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["server"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["server"] }
+log = "0.4"
 
 sc-chain-spec = { version = "4.0.0-dev", path = "../chain-spec" }
 sc-client-api = { version = "4.0.0-dev", path = "../api" }

frame/contracts/rpc/Cargo.toml

@@ -14,7 +14,8 @@ targets = ["x86_64-unknown-linux-gnu"]
 
 [dependencies]
 codec = { package = "parity-scale-codec", version = "2" }
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["server"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["server"] }
+log = "0.4"
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 

frame/merkle-mountain-range/rpc/Cargo.toml

@@ -14,9 +14,10 @@ targets = ["x86_64-unknown-linux-gnu"]
 
 [dependencies]
 codec = { package = "parity-scale-codec", version = "2.0.0" }
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["server"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["server"] }
 serde_json = "1"
 serde = { version = "1.0.126", features = ["derive"] }
+log = "0.4"
 
 sp-api = { version = "4.0.0-dev", path = "../../../primitives/api" }
 sp-blockchain = { version = "4.0.0-dev", path = "../../../primitives/blockchain" }

frame/transaction-payment/rpc/Cargo.toml

@@ -13,9 +13,11 @@ readme = "README.md"
 targets = ["x86_64-unknown-linux-gnu"]
 
 [dependencies]
+anyhow = "1"
 codec = { package = "parity-scale-codec", version = "2.0.0" }
 
-jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "master", features = ["server"] }
+jsonrpsee = { git = "https://github.com/paritytech/jsonrpsee", branch = "na-http-server-export-acl", features = ["server"] }
+log = "0.4"
 
 sp-api = { version = "4.0.0-dev", path = "../../../primitives/api" }
 sp-blockchain = { version = "4.0.0-dev", path = "../../../primitives/blockchain" }