Finschia · jaeseung-bae · Aug 17, 2023 · Aug 8, 2023 · Aug 8, 2023 · Aug 8, 2023
@@ -31,7 +31,7 @@ func showValidator(cmd *cobra.Command, args []string, config *cfg.Config) error
 		if err != nil {
 			return err
 		}
-		pv, err = node.CreateAndStartPrivValidatorSocketClient(config.PrivValidatorListenAddr, chainID, logger)
+		pv, err = node.CreateAndStartPrivValidatorSocketClient(config, chainID, logger)
 		if err != nil {
 			return err
 		}

@@ -3,6 +3,7 @@ package commands
 import (
 	"bytes"
 	"os"
+	"strings"
 	"sync"
 	"testing"
 
@@ -79,6 +80,7 @@ func TestShowValidatorWithKMS(t *testing.T) {
 	}
 	privval.WithMockKMS(t, dir, chainID, func(addr string, privKey crypto.PrivKey) {
 		config.PrivValidatorListenAddr = addr
+		config.PrivValidatorRemoteAddr = addr[:strings.Index(addr, ":")]
 		require.NoFileExists(t, config.PrivValidatorKeyFile())
 		output, err := captureStdout(func() {
 			err := showValidator(ShowValidatorCmd, nil, config)

@@ -242,8 +242,14 @@ type BaseConfig struct { //nolint: maligned
 
 	// TCP or UNIX socket address for Ostracon to listen on for
 	// connections from an external PrivValidator process
+	// example) 0.0.0.0:26659
 	PrivValidatorListenAddr string `mapstructure:"priv_validator_laddr"`
 
+	// Validator's remote address(without port) to allow a connection
+	// ostracon only allow a connection from this address
+	// example) 10.0.0.7
+	PrivValidatorRemoteAddr string `mapstructure:"priv_validator_raddr"`
+
 	// A JSON file containing the private key to use for p2p authenticated encryption
 	NodeKey string `mapstructure:"node_key_file"`
 

@@ -156,8 +156,14 @@ priv_validator_state_file = "{{ js .BaseConfig.PrivValidatorState }}"
 
 # TCP or UNIX socket address for Ostracon to listen on for
 # connections from an external PrivValidator process
+# example) 0.0.0.0:26659
 priv_validator_laddr = "{{ .BaseConfig.PrivValidatorListenAddr }}"
 
+# Validator's remote address to allow a connection
+# ostracon only allow a connection from this address
+# example) 10.0.0.7
+priv_validator_raddr = "{{ .BaseConfig.PrivValidatorRemoteAddr }}"
+
 # Path to the JSON file containing the private key to use for node authentication in the p2p protocol
 node_key_file = "{{ js .BaseConfig.NodeKey }}"
 

@@ -794,7 +794,7 @@ func NewNode(config *cfg.Config,
 	// external signing process.
 	if config.PrivValidatorListenAddr != "" {
 		// FIXME: we should start services inside OnStart
-		privValidator, err = CreateAndStartPrivValidatorSocketClient(config.PrivValidatorListenAddr, genDoc.ChainID, logger)
+		privValidator, err = CreateAndStartPrivValidatorSocketClient(config, genDoc.ChainID, logger)
 		if err != nil {
 			return nil, fmt.Errorf("error with private validator socket client: %w", err)
 		}
@@ -1523,12 +1523,8 @@ func saveGenesisDoc(db dbm.DB, genDoc *types.GenesisDoc) error {
 	return nil
 }
 
-func CreateAndStartPrivValidatorSocketClient(
-	listenAddr,
-	chainID string,
-	logger log.Logger,
-) (types.PrivValidator, error) {
-	pve, err := privval.NewSignerListener(listenAddr, logger)
+func CreateAndStartPrivValidatorSocketClient(config *cfg.Config, chainID string, logger log.Logger) (types.PrivValidator, error) {
+	pve, err := privval.NewSignerListener(logger, config.PrivValidatorListenAddr, config.PrivValidatorRemoteAddr)
 	if err != nil {
 		return nil, fmt.Errorf("failed to start private validator: %w", err)
 	}

@@ -3,6 +3,7 @@
 import (
 	"fmt"
 	"net"
+	"strings"
 	"time"
 
 	privvalproto "github.com/tendermint/tendermint/proto/tendermint/privval"
@@ -24,6 +25,13 @@
 	return func(sl *SignerListenerEndpoint) { sl.signerEndpoint.timeoutReadWrite = timeout }
 }
 
+// SignerListenerEndpointAllowAddress sets the address to allow
+// connections from the only allowed address
+//
+func SignerListenerEndpointAllowAddress(addr string) SignerListenerEndpointOption {
+	return func(sl *SignerListenerEndpoint) { sl.allowAddr = addr }
+}
+
 // SignerListenerEndpoint listens for an external process to dial in and keeps
 // the connection alive by dropping and reconnecting.
 //
@@ -41,6 +49,8 @@
 	pingInterval  time.Duration
 
 	instanceMtx tmsync.Mutex // Ensures instance public methods access, i.e. SendRequest
+
+	allowAddr string // empty value allows all
 }
 
 // NewSignerListenerEndpoint returns an instance of SignerListenerEndpoint.
@@ -186,6 +196,12 @@
 			{
 				conn, err := sl.acceptNewConnection()
 				if err == nil {
+					remoteAddr := conn.RemoteAddr()
+					if !sl.isAllowedAddr(remoteAddr) {
+						sl.Logger.Info(fmt.Sprintf("deny a connection request from remote address=%s", remoteAddr))
+						conn.Close()
+						continue
+					}
 					sl.Logger.Info("SignerListener: Connected")
 
 					// We have a good connection, wait for someone that needs one otherwise cancellation
@@ -207,6 +223,17 @@
 	}
 }
 
+func (sl *SignerListenerEndpoint) isAllowedAddr(addr net.Addr) bool {
+	if len(sl.allowAddr) == 0 {
+		return true
+	}
+	if strings.Contains(addr.String(), ":") {
+		addrOnly := addr.String()[:strings.Index(addr.String(), ":")]
+		return sl.allowAddr == addrOnly
+	}
+	return sl.allowAddr == addr.String()
+}
+
 func (sl *SignerListenerEndpoint) pingLoop() {
 	for {
 		select {

@@ -145,6 +145,76 @@ func TestRetryConnToRemoteSigner(t *testing.T) {
 	}
 }
 
+type addrStub struct {
+	address string
+}
+
+func (a addrStub) Network() string {
+	return ""
+}
+
+func (a addrStub) String() string {
+	return a.address
+}
+
+func TestFilterRemoteConnectionByIP(t *testing.T) {
+	type fields struct {
+		allowIP    string
+		remoteAddr net.Addr
+		expected   bool
+	}
+	tests := []struct {
+		name   string
+		fields fields
+	}{
+		{
+			"should allow correct ip",
+			struct {
+				allowIP    string
+				remoteAddr net.Addr
+				expected   bool
+			}{"127.0.0.1", addrStub{"127.0.0.1:45678"}, true},
+		}, {
+			"should allow correct ip without port",
+			struct {
+				allowIP    string
+				remoteAddr net.Addr
+				expected   bool
+			}{"127.0.0.1", addrStub{"127.0.0.1"}, true},
+		},
+		{
+			"should not allow different ip",
+			struct {
+				allowIP    string
+				remoteAddr net.Addr
+				expected   bool
+			}{"127.0.0.1", addrStub{"10.0.0.2:45678"}, false},
+		},
+		{
+			"empty allowIP should allow all",
+			struct {
+				allowIP    string
+				remoteAddr net.Addr
+				expected   bool
+			}{"", addrStub{"127.0.0.1:45678"}, true},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			sl := &SignerListenerEndpoint{allowAddr: tt.fields.allowIP}
+			assert.Equalf(t, tt.fields.expected, sl.isAllowedAddr(tt.fields.remoteAddr), tt.name)
+		})
+	}
+}
+
+func TestSignerListenerEndpointAllowAddress(t *testing.T) {
+	expected := "192.168.0.1"
+
+	cut := NewSignerListenerEndpoint(nil, nil, SignerListenerEndpointAllowAddress(expected))
+
+	assert.Equal(t, expected, cut.allowAddr)
+}
+
 func newSignerListenerEndpoint(logger log.Logger, addr string, timeoutReadWrite time.Duration) *SignerListenerEndpoint {
 	proto, address := tmnet.ProtocolAndAddress(addr)
 

@@ -26,7 +26,7 @@
 }
 
 // NewSignerListener creates a new SignerListenerEndpoint using the corresponding listen address
-func NewSignerListener(listenAddr string, logger log.Logger) (*SignerListenerEndpoint, error) {
+func NewSignerListener(logger log.Logger, listenAddr, remoteAddr string) (*SignerListenerEndpoint, error) {
 	var listener net.Listener
 
 	protocol, address := tmnet.ProtocolAndAddress(listenAddr)
@@ -47,7 +47,7 @@
 		)
 	}
 
-	pve := NewSignerListenerEndpoint(logger.With("module", "privval"), listener)
+	pve := NewSignerListenerEndpoint(logger.With("module", "privval"), listener, SignerListenerEndpointAllowAddress(remoteAddr))
 
 	return pve, nil
 }