Merge pull request #493 from ethcore/jsonrpc_security

jsonrpc security, cors headers, fixed #359

Cargo.lock

@@ -207,7 +207,7 @@ dependencies = [
  "ethcore-util 0.9.99",
  "ethsync 0.9.99",
  "jsonrpc-core 1.1.4 (registry+https://github.com/rust-lang/crates.io-index)",
- "jsonrpc-http-server 1.1.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "jsonrpc-http-server 2.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
  "rustc-serialize 0.3.18 (registry+https://github.com/rust-lang/crates.io-index)",
  "serde 0.6.15 (registry+https://github.com/rust-lang/crates.io-index)",
  "serde_codegen 0.6.14 (registry+https://github.com/rust-lang/crates.io-index)",
@@ -383,11 +383,12 @@ dependencies = [
 
 [[package]]
 name = "jsonrpc-http-server"
-version = "1.1.2"
+version = "2.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 dependencies = [
  "hyper 0.7.2 (registry+https://github.com/rust-lang/crates.io-index)",
  "jsonrpc-core 1.1.4 (registry+https://github.com/rust-lang/crates.io-index)",
+ "unicase 1.2.1 (registry+https://github.com/rust-lang/crates.io-index)",
 ]
 
 [[package]]

parity/main.rs

@@ -52,7 +52,7 @@ use ethsync::EthSync;
 use docopt::Docopt;
 use daemonize::Daemonize;
 
-const USAGE: &'static str = "
+const USAGE: &'static str = r#"
 Parity. Ethereum Client.
   By Wood/Paronyan/Kotewicz/Drwięga/Volf.
   Copyright 2015, 2016 Ethcore (UK) Limited
@@ -71,8 +71,8 @@ Options:
   --listen-address URL     Specify the IP/port on which to listen for peers [default: 0.0.0.0:30304].
   --public-address URL     Specify the IP/port on which peers may connect.
   --address URL            Equivalent to --listen-address URL --public-address URL.
-  --peers NUM  	           Try to manintain that many peers [default: 25].
+  --peers NUM              Try to manintain that many peers [default: 25].
-  --no-discovery   	       Disable new peer discovery.
+  --no-discovery           Disable new peer discovery.
   --upnp                   Use UPnP to try to figure out the correct network settings.
   --node-key KEY           Specify node secret key, either as 64-character hex string or input to SHA3 operation.
 
@@ -81,11 +81,12 @@ Options:
 
   -j --jsonrpc             Enable the JSON-RPC API sever.
   --jsonrpc-url URL        Specify URL for JSON-RPC API server [default: 127.0.0.1:8545].
+  --jsonrpc-cors URL       Specify CORS header for JSON-RPC API responses [default: null].
 
   -l --logging LOGGING     Specify the logging level.
   -v --version             Show information about version.
   -h --help                Show this screen.
-";
+"#;
 
 #[derive(Debug, RustcDecodable)]
 struct Args {
@@ -107,6 +108,7 @@ struct Args {
 	flag_cache_max_size: usize,
 	flag_jsonrpc: bool,
 	flag_jsonrpc_url: String,
+	flag_jsonrpc_cors: String,
 	flag_logging: Option<String>,
 	flag_version: bool,
 }
@@ -138,7 +140,7 @@ fn setup_log(init: &Option<String>) {
 }
 
 #[cfg(feature = "rpc")]
-fn setup_rpc_server(client: Arc<Client>, sync: Arc<EthSync>, url: &str) {
+fn setup_rpc_server(client: Arc<Client>, sync: Arc<EthSync>, url: &str, cors_domain: &str) {
 	use rpc::v1::*;
 
 	let mut server = rpc::HttpServer::new(1);
@@ -146,7 +148,7 @@ fn setup_rpc_server(client: Arc<Client>, sync: Arc<EthSync>, url: &str) {
 	server.add_delegate(EthClient::new(client.clone(), sync.clone()).to_delegate());
 	server.add_delegate(EthFilterClient::new(client).to_delegate());
 	server.add_delegate(NetClient::new(sync).to_delegate());
-	server.start_async(url);
+	server.start_async(url, cors_domain);
 }
 
 #[cfg(not(feature = "rpc"))]
@@ -292,8 +294,8 @@ impl Configuration {
 
 		// Setup rpc
 		if self.args.flag_jsonrpc {
+			setup_rpc_server(service.client(), sync.clone(), &self.args.flag_jsonrpc_url, &self.args.flag_jsonrpc_cors);
 			SocketAddr::from_str(&self.args.flag_jsonrpc_url).unwrap_or_else(|_|die!("{}: Invalid JSONRPC listen address given with --jsonrpc-url. Should be of the form 'IP:port'.", self.args.flag_jsonrpc_url));
-			setup_rpc_server(service.client(), sync.clone(), &self.args.flag_jsonrpc_url);
 		}
 
 		// Register IO handler

rpc/Cargo.toml

@@ -12,7 +12,7 @@ build = "build.rs"
 serde = "0.6.7"
 serde_json = "0.6.0"
 jsonrpc-core = "1.1"
-jsonrpc-http-server = "1.1"
+jsonrpc-http-server = "2.0"
 ethcore-util = { path = "../util" }
 ethcore = { path = "../ethcore" }
 ethsync = { path = "../sync" }

rpc/src/lib.rs.in

@@ -23,8 +23,8 @@ impl HttpServer {
 	}
 
 	/// Start server asynchronously in new thread
-	pub fn start_async(self, addr: &str) {
+	pub fn start_async(self, addr: &str, cors_domain: &str) {
 		let server = jsonrpc_http_server::Server::new(self.handler, self.threads);
-		server.start_async(addr)
+		server.start_async(addr, jsonrpc_http_server::AccessControlAllowOrigin::Value(cors_domain.to_owned()))
 	}
 }