diff --git a/CHANGES.rst b/CHANGES.rst index 0d14e2bb7349dc8bcfb027cbefa26899f11f73fe..7076e8aa1dff8bcd6374dc14af05723dffdf79ae 100644 --- a/CHANGES.rst +++ b/CHANGES.rst @@ -191,6 +191,10 @@ Smart Rollup node - Added RPC ``/local/synchronized`` to wait for the rollup node to be synchronized with L1. (MR :gl:`!12247`) +- Secure ACL by default on remote connections. Argument ``--acl-override + secure`` to choose the secure set of RPCs even for localhost, *e.g.*, for use + behind a proxy. (MR :gl:`!12323`) + Smart Rollup WASM Debugger -------------------------- diff --git a/src/bin_smart_rollup_node/main_smart_rollup_node.ml b/src/bin_smart_rollup_node/main_smart_rollup_node.ml index 984ceed409ad5a5f9c573d4bdc4b31f122334119..5004a2d7df2a9de87e11ca3a296d77bcdae66178 100644 --- a/src/bin_smart_rollup_node/main_smart_rollup_node.ml +++ b/src/bin_smart_rollup_node/main_smart_rollup_node.ml @@ -42,11 +42,12 @@ let config_init_command = command ~group ~desc:"Configure the smart rollup node." - (args23 + (args24 force_switch data_dir_arg rpc_addr_arg rpc_port_arg + acl_override_arg metrics_addr_arg loser_mode_arg reconnection_delay_arg @@ -75,6 +76,7 @@ let config_init_command = data_dir, rpc_addr, rpc_port, + acl_override, metrics_addr, loser_mode, reconnection_delay, @@ -102,6 +104,7 @@ let config_init_command = Configuration.Cli.configuration_from_args ~rpc_addr ~rpc_port + ~acl_override ~metrics_addr ~loser_mode ~reconnection_delay @@ -140,64 +143,69 @@ let legacy_run_command = command ~group ~desc:"Run the rollup node daemon (deprecated)." - (args25 - data_dir_arg - mode_arg - sc_rollup_address_arg - rpc_addr_arg - rpc_port_arg - metrics_addr_arg - loser_mode_arg - reconnection_delay_arg - dal_node_endpoint_arg - dac_observer_endpoint_arg - dac_timeout_arg - pre_images_endpoint_arg - injector_retention_period_arg - injector_attempts_arg - injection_ttl_arg - index_buffer_size_arg - index_buffer_size_arg - log_kernel_debug_arg - log_kernel_debug_file_arg - boot_sector_file_arg - no_degraded_arg - gc_frequency_arg - history_mode_arg - cors_allowed_origins_arg - cors_allowed_headers_arg) + (merge_options + (args7 + data_dir_arg + mode_arg + sc_rollup_address_arg + rpc_addr_arg + rpc_port_arg + acl_override_arg + metrics_addr_arg) + (args19 + loser_mode_arg + reconnection_delay_arg + dal_node_endpoint_arg + dac_observer_endpoint_arg + dac_timeout_arg + pre_images_endpoint_arg + injector_retention_period_arg + injector_attempts_arg + injection_ttl_arg + index_buffer_size_arg + index_buffer_size_arg + log_kernel_debug_arg + log_kernel_debug_file_arg + boot_sector_file_arg + no_degraded_arg + gc_frequency_arg + history_mode_arg + cors_allowed_origins_arg + cors_allowed_headers_arg)) (prefixes ["run"] @@ stop) - (fun ( data_dir, - mode, - sc_rollup_address, - rpc_addr, - rpc_port, - metrics_addr, - loser_mode, - reconnection_delay, - dal_node_endpoint, - dac_observer_endpoint, - dac_timeout, - pre_images_endpoint, - injector_retention_period, - injector_attempts, - injection_ttl, - index_buffer_size, - irmin_cache_size, - log_kernel_debug, - log_kernel_debug_file, - boot_sector_file, - no_degraded, - gc_frequency, - history_mode, - allowed_origins, - allowed_headers ) + (fun ( ( data_dir, + mode, + sc_rollup_address, + rpc_addr, + rpc_port, + acl_override, + metrics_addr ), + ( loser_mode, + reconnection_delay, + dal_node_endpoint, + dac_observer_endpoint, + dac_timeout, + pre_images_endpoint, + injector_retention_period, + injector_attempts, + injection_ttl, + index_buffer_size, + irmin_cache_size, + log_kernel_debug, + log_kernel_debug_file, + boot_sector_file, + no_degraded, + gc_frequency, + history_mode, + allowed_origins, + allowed_headers ) ) cctxt -> let* configuration = Configuration.Cli.create_or_read_config ~data_dir ~rpc_addr ~rpc_port + ~acl_override ~metrics_addr ~loser_mode ~reconnection_delay @@ -238,10 +246,11 @@ let run_command = ~desc: "Run the rollup node daemon. Arguments overwrite values provided in the \ configuration file." - (args23 + (args24 data_dir_arg rpc_addr_arg rpc_port_arg + acl_override_arg metrics_addr_arg loser_mode_arg reconnection_delay_arg @@ -269,6 +278,7 @@ let run_command = (fun ( data_dir, rpc_addr, rpc_port, + acl_override, metrics_addr, loser_mode, reconnection_delay, @@ -298,6 +308,7 @@ let run_command = ~data_dir ~rpc_addr ~rpc_port + ~acl_override ~metrics_addr ~loser_mode ~reconnection_delay diff --git a/src/lib_clic/tezos_clic.ml b/src/lib_clic/tezos_clic.ml index 5d5c451230800ebbe984481df30c78de31292b11..c5217516f6c8637e3f276cde42ec68de1ad58d37 100644 --- a/src/lib_clic/tezos_clic.ml +++ b/src/lib_clic/tezos_clic.ml @@ -768,6 +768,8 @@ let args1 a = a let args2 a b = Pair (a, b) +let merge_options = args2 + let args3 a b c = map_arg ~f:(fun _ ((a, b), c) -> Lwt_result_syntax.return (a, b, c)) diff --git a/src/lib_clic/tezos_clic.mli b/src/lib_clic/tezos_clic.mli index 9619e5c35604371be930bff6d481bde8c519b645..c4e7a57e557673fbbb9e41fa2f3d9087644fe1ef 100644 --- a/src/lib_clic/tezos_clic.mli +++ b/src/lib_clic/tezos_clic.mli @@ -136,6 +136,10 @@ val args1 : ('a, 'ctx) arg -> ('a, 'ctx) options (** Include 2 optional parameters *) val args2 : ('a, 'ctx) arg -> ('b, 'ctx) arg -> ('a * 'b, 'ctx) options +(** Merge optional parameters *) +val merge_options : + ('a, 'ctx) options -> ('b, 'ctx) options -> ('a * 'b, 'ctx) options + (** Include 3 optional parameters *) val args3 : ('a, 'ctx) arg -> diff --git a/src/lib_smart_rollup_node/cli.ml b/src/lib_smart_rollup_node/cli.ml index e32c57d2fec097b95ef1c67f44a73acd04fd1d16..c60a9cc2aedb07045db176674c85d83cb626d4bf 100644 --- a/src/lib_smart_rollup_node/cli.ml +++ b/src/lib_smart_rollup_node/cli.ml @@ -224,6 +224,23 @@ struct default) int_parameter + let acl_override_arg : ([`Allow_all | `Secure] option, _) Tezos_clic.arg = + Tezos_clic.arg + ~long:"acl-override" + ~placeholder:"kind" + ~doc: + "Specify a different ACL for the rpc server to override the default \ + one. Possible values are 'secure' and 'allow-all'" + (Tezos_clic.parameter (fun (_cctxt : Client_context.full) -> + let open Lwt_result_syntax in + function + | "secure" -> return `Secure + | "allow-all" | "allow_all" -> return `Allow_all + | _ -> + failwith + "Bad value for acl-override, possible values are 'secure' and \ + 'allow-all'")) + let data_dir_arg = let default = Configuration.default_data_dir in Tezos_clic.default_arg diff --git a/src/lib_smart_rollup_node/configuration.ml b/src/lib_smart_rollup_node/configuration.ml index 1fe94962c76a28837a7af0e52915db8724e9f08e..4df9a077002921d0f7a42cd93069169c3abace94 100644 --- a/src/lib_smart_rollup_node/configuration.ml +++ b/src/lib_smart_rollup_node/configuration.ml @@ -56,6 +56,7 @@ type t = { operators : Purpose.operators; rpc_addr : string; rpc_port : int; + acl : Tezos_rpc_http_server.RPC_server.Acl.policy; metrics_addr : string option; reconnection_delay : float; fee_parameters : Operation_kind.fee_parameters; @@ -116,6 +117,8 @@ let default_rpc_port = 8932 let default_metrics_port = 9933 +let default_acl = Tezos_rpc_http_server.RPC_server.Acl.empty_policy + let default_reconnection_delay = 2.0 (* seconds *) let mutez mutez = {Injector_common.mutez} @@ -413,6 +416,7 @@ let encoding : t Data_encoding.t = operators; rpc_addr; rpc_port; + acl; metrics_addr; reconnection_delay; fee_parameters; @@ -437,16 +441,14 @@ let encoding : t Data_encoding.t = history_mode; cors; } -> - ( ( sc_rollup_address, - boot_sector_file, - operators, - rpc_addr, - rpc_port, - metrics_addr, - reconnection_delay, - fee_parameters, - mode, - loser_mode ), + ( ( ( sc_rollup_address, + boot_sector_file, + operators, + rpc_addr, + rpc_port, + acl ), + (metrics_addr, reconnection_delay, fee_parameters, mode, loser_mode) + ), ( ( dal_node_endpoint, dac_observer_endpoint, dac_timeout, @@ -465,16 +467,14 @@ let encoding : t Data_encoding.t = gc_parameters, history_mode, cors ) ) )) - (fun ( ( sc_rollup_address, - boot_sector_file, - operators, - rpc_addr, - rpc_port, - metrics_addr, - reconnection_delay, - fee_parameters, - mode, - loser_mode ), + (fun ( ( ( sc_rollup_address, + boot_sector_file, + operators, + rpc_addr, + rpc_port, + acl ), + (metrics_addr, reconnection_delay, fee_parameters, mode, loser_mode) + ), ( ( dal_node_endpoint, dac_observer_endpoint, dac_timeout, @@ -499,6 +499,7 @@ let encoding : t Data_encoding.t = operators; rpc_addr; rpc_port; + acl; metrics_addr; reconnection_delay; fee_parameters; @@ -524,44 +525,52 @@ let encoding : t Data_encoding.t = cors; }) (merge_objs - (obj10 - (req - "smart-rollup-address" - ~description:"Smart rollup address" - Tezos_crypto.Hashed.Smart_rollup_address.encoding) - (opt "boot-sector" ~description:"Boot sector" string) - (req - "smart-rollup-node-operator" - ~description: - "Operators that sign operations of the smart rollup, by purpose" - Purpose.operators_encoding) - (dft "rpc-addr" ~description:"RPC address" string default_rpc_addr) - (dft "rpc-port" ~description:"RPC port" uint16 default_rpc_port) - (opt "metrics-addr" ~description:"Metrics address" string) - (dft - "reconnection_delay" - ~description: - "The reconnection (to the tezos node) delay in seconds" - float - default_reconnection_delay) - (dft - "fee-parameters" - ~description: - "The fee parameters for each purpose used when injecting \ - operations in L1" - (Operation_kind.fee_parameters_encoding ~default_fee_parameter) - default_fee_parameters) - (req - ~description:"The mode for this rollup node" - "mode" - mode_encoding) - (dft - "loser-mode" - ~description: - "If enabled, the rollup node will issue wrong commitments (for \ - test only!)" - Loser_mode.encoding - Loser_mode.no_failures)) + (merge_objs + (obj6 + (req + "smart-rollup-address" + ~description:"Smart rollup address" + Tezos_crypto.Hashed.Smart_rollup_address.encoding) + (opt "boot-sector" ~description:"Boot sector" string) + (req + "smart-rollup-node-operator" + ~description: + "Operators that sign operations of the smart rollup, by \ + purpose" + Purpose.operators_encoding) + (dft "rpc-addr" ~description:"RPC address" string default_rpc_addr) + (dft "rpc-port" ~description:"RPC port" uint16 default_rpc_port) + (dft + "acl" + ~description:"Access control list" + Tezos_rpc_http_server.RPC_server.Acl.policy_encoding + default_acl)) + (obj5 + (opt "metrics-addr" ~description:"Metrics address" string) + (dft + "reconnection_delay" + ~description: + "The reconnection (to the tezos node) delay in seconds" + float + default_reconnection_delay) + (dft + "fee-parameters" + ~description: + "The fee parameters for each purpose used when injecting \ + operations in L1" + (Operation_kind.fee_parameters_encoding ~default_fee_parameter) + default_fee_parameters) + (req + ~description:"The mode for this rollup node" + "mode" + mode_encoding) + (dft + "loser-mode" + ~description: + "If enabled, the rollup node will issue wrong commitments \ + (for test only!)" + Loser_mode.encoding + Loser_mode.no_failures))) (merge_objs (obj9 (opt "DAL node endpoint" Tezos_rpc.Encoding.uri_encoding) @@ -640,6 +649,19 @@ This should be used for test only! ************ WARNING ************* |} +let override_acl ~rpc_addr ~rpc_port acl = function + | None -> acl + | Some kind -> + let new_acl = + match kind with + | `Secure -> Rpc_server.Acl.secure + | `Allow_all -> Rpc_server.Acl.allow_all + in + let addr = + P2p_point.Id.{addr = rpc_addr; port = Some rpc_port; peer_id = None} + in + Tezos_rpc_http_server.RPC_server.Acl.put_policy (addr, new_acl) acl + let save ~force ~data_dir config = loser_warning_message config ; let open Lwt_result_syntax in @@ -675,12 +697,13 @@ module Cli = struct ([], None) operators - let configuration_from_args ~rpc_addr ~rpc_port ~metrics_addr ~loser_mode - ~reconnection_delay ~dal_node_endpoint ~dac_observer_endpoint ~dac_timeout - ~pre_images_endpoint ~injector_retention_period ~injector_attempts - ~injection_ttl ~mode ~sc_rollup_address ~boot_sector_file ~operators - ~index_buffer_size ~irmin_cache_size ~log_kernel_debug ~no_degraded - ~gc_frequency ~history_mode ~allowed_origins ~allowed_headers = + let configuration_from_args ~rpc_addr ~rpc_port ~acl_override ~metrics_addr + ~loser_mode ~reconnection_delay ~dal_node_endpoint ~dac_observer_endpoint + ~dac_timeout ~pre_images_endpoint ~injector_retention_period + ~injector_attempts ~injection_ttl ~mode ~sc_rollup_address + ~boot_sector_file ~operators ~index_buffer_size ~irmin_cache_size + ~log_kernel_debug ~no_degraded ~gc_frequency ~history_mode + ~allowed_origins ~allowed_headers = let open Result_syntax in let* purposed_operator, default_operator = get_purposed_and_default_operators operators @@ -691,13 +714,17 @@ module Cli = struct ~needed_purposes:(purposes_of_mode mode) purposed_operator in + let rpc_addr = Option.value ~default:default_rpc_addr rpc_addr in + let rpc_port = Option.value ~default:default_rpc_port rpc_port in + let acl = override_acl ~rpc_addr ~rpc_port default_acl acl_override in let+ () = check_custom_mode mode in { sc_rollup_address; boot_sector_file; operators; - rpc_addr = Option.value ~default:default_rpc_addr rpc_addr; - rpc_port = Option.value ~default:default_rpc_port rpc_port; + rpc_addr; + rpc_port; + acl; reconnection_delay = Option.value ~default:default_reconnection_delay reconnection_delay; dal_node_endpoint; @@ -749,12 +776,12 @@ module Cli = struct } let patch_configuration_from_args configuration ~rpc_addr ~rpc_port - ~metrics_addr ~loser_mode ~reconnection_delay ~dal_node_endpoint - ~dac_observer_endpoint ~dac_timeout ~pre_images_endpoint - ~injector_retention_period ~injector_attempts ~injection_ttl ~mode - ~sc_rollup_address ~boot_sector_file ~operators ~index_buffer_size - ~irmin_cache_size ~log_kernel_debug ~no_degraded ~gc_frequency - ~history_mode ~allowed_origins ~allowed_headers = + ~acl_override ~metrics_addr ~loser_mode ~reconnection_delay + ~dal_node_endpoint ~dac_observer_endpoint ~dac_timeout + ~pre_images_endpoint ~injector_retention_period ~injector_attempts + ~injection_ttl ~mode ~sc_rollup_address ~boot_sector_file ~operators + ~index_buffer_size ~irmin_cache_size ~log_kernel_debug ~no_degraded + ~gc_frequency ~history_mode ~allowed_origins ~allowed_headers = let open Result_syntax in let mode = Option.value ~default:configuration.mode mode in let* () = check_custom_mode mode in @@ -768,6 +795,9 @@ module Cli = struct purposed_operator configuration.operators in + let rpc_addr = Option.value ~default:configuration.rpc_addr rpc_addr in + let rpc_port = Option.value ~default:configuration.rpc_port rpc_port in + let acl = override_acl ~rpc_addr ~rpc_port configuration.acl acl_override in return { configuration with @@ -779,8 +809,9 @@ module Cli = struct Option.either boot_sector_file configuration.boot_sector_file; operators; mode; - rpc_addr = Option.value ~default:configuration.rpc_addr rpc_addr; - rpc_port = Option.value ~default:configuration.rpc_port rpc_port; + rpc_addr; + rpc_port; + acl; dal_node_endpoint = Option.either dal_node_endpoint configuration.dal_node_endpoint; dac_observer_endpoint = @@ -837,13 +868,13 @@ module Cli = struct }; } - let create_or_read_config ~data_dir ~rpc_addr ~rpc_port ~metrics_addr - ~loser_mode ~reconnection_delay ~dal_node_endpoint ~dac_observer_endpoint - ~dac_timeout ~pre_images_endpoint ~injector_retention_period - ~injector_attempts ~injection_ttl ~mode ~sc_rollup_address - ~boot_sector_file ~operators ~index_buffer_size ~irmin_cache_size - ~log_kernel_debug ~no_degraded ~gc_frequency ~history_mode - ~allowed_origins ~allowed_headers = + let create_or_read_config ~data_dir ~rpc_addr ~rpc_port ~acl_override + ~metrics_addr ~loser_mode ~reconnection_delay ~dal_node_endpoint + ~dac_observer_endpoint ~dac_timeout ~pre_images_endpoint + ~injector_retention_period ~injector_attempts ~injection_ttl ~mode + ~sc_rollup_address ~boot_sector_file ~operators ~index_buffer_size + ~irmin_cache_size ~log_kernel_debug ~no_degraded ~gc_frequency + ~history_mode ~allowed_origins ~allowed_headers = let open Lwt_result_syntax in let open Filename.Infix in (* Check if the data directory of the smart rollup node is not the one of Octez node *) @@ -868,6 +899,7 @@ module Cli = struct configuration ~rpc_addr ~rpc_port + ~acl_override ~metrics_addr ~loser_mode ~reconnection_delay @@ -916,6 +948,7 @@ module Cli = struct configuration_from_args ~rpc_addr ~rpc_port + ~acl_override ~metrics_addr ~loser_mode ~reconnection_delay diff --git a/src/lib_smart_rollup_node/configuration.mli b/src/lib_smart_rollup_node/configuration.mli index 3971a22ac605dfdeeece54e6b16f23caa333b35d..e10c034e4d2db63c582c61738ba4bfc0103dce00 100644 --- a/src/lib_smart_rollup_node/configuration.mli +++ b/src/lib_smart_rollup_node/configuration.mli @@ -85,6 +85,7 @@ type t = { operators : Purpose.operators; rpc_addr : string; rpc_port : int; + acl : Tezos_rpc_http_server.RPC_server.Acl.policy; metrics_addr : string option; reconnection_delay : float; fee_parameters : Operation_kind.fee_parameters; @@ -143,6 +144,9 @@ val default_rpc_addr : string (** [default_rpc_port] is the default value for [rpc_port]. *) val default_rpc_port : int +(** [default_acl] is the default value for [acl]. *) +val default_acl : Tezos_rpc_http_server.RPC_server.Acl.policy + (** [default_metrics_port] is the default port for the metrics server. *) val default_metrics_port : int @@ -249,6 +253,7 @@ module Cli : sig val configuration_from_args : rpc_addr:string option -> rpc_port:int option -> + acl_override:[`Allow_all | `Secure] option -> metrics_addr:string option -> loser_mode:Loser_mode.t option -> reconnection_delay:float option -> @@ -280,6 +285,7 @@ module Cli : sig data_dir:string -> rpc_addr:string option -> rpc_port:int option -> + acl_override:[`Allow_all | `Secure] option -> metrics_addr:string option -> loser_mode:Loser_mode.t option -> reconnection_delay:float option -> diff --git a/src/lib_smart_rollup_node/node_context_loader.ml b/src/lib_smart_rollup_node/node_context_loader.ml index 1e4e85780d508f765215722880aa5e96b4ad5c1b..856ebd23616ade2801c00c0a79e83f470ed3d18b 100644 --- a/src/lib_smart_rollup_node/node_context_loader.ml +++ b/src/lib_smart_rollup_node/node_context_loader.ml @@ -248,6 +248,7 @@ module For_snapshots = struct operators; rpc_addr = Configuration.default_rpc_addr; rpc_port = Configuration.default_rpc_port; + acl = Configuration.default_acl; metrics_addr = None; reconnection_delay = 1.; fee_parameters = Configuration.default_fee_parameters; @@ -347,6 +348,7 @@ module Internal_for_tests = struct operators; rpc_addr = Configuration.default_rpc_addr; rpc_port = Configuration.default_rpc_port; + acl = Configuration.default_acl; metrics_addr = None; reconnection_delay = 5.; fee_parameters = Configuration.default_fee_parameters; diff --git a/src/lib_smart_rollup_node/rollup_node_daemon.ml b/src/lib_smart_rollup_node/rollup_node_daemon.ml index 5584d7e41fea62929dc5fb924677c22690d7b082..fa417fbc92663d7ab3b3077b6e4bbbbe0a42fa48 100644 --- a/src/lib_smart_rollup_node/rollup_node_daemon.ml +++ b/src/lib_smart_rollup_node/rollup_node_daemon.ml @@ -798,7 +798,14 @@ let run ~data_dir ~irmin_cache_size ~index_buffer_size ?log_kernel_debug_file configuration in let dir = Rpc_directory.directory node_ctxt in - let* rpc_server = Rpc_server.start configuration dir in + let* rpc_server = + Rpc_server.start + ~rpc_addr:configuration.rpc_addr + ~rpc_port:configuration.rpc_port + ~acl:configuration.acl + ~cors:configuration.cors + dir + in let state = {node_ctxt; rpc_server; configuration; plugin; degraded = false} in diff --git a/src/lib_smart_rollup_node/rpc_server.ml b/src/lib_smart_rollup_node/rpc_server.ml index 5804ac37e663efc76e68ce3075a6fab90a857fdd..e1ada6feb3a06915da61e5142871bec15a19b8c8 100644 --- a/src/lib_smart_rollup_node/rpc_server.ml +++ b/src/lib_smart_rollup_node/rpc_server.ml @@ -35,19 +35,43 @@ type t = { acl : Resto_acl.Acl.t; } -let start configuration dir = +module Acl = struct + open Resto_acl.Acl + + let allow_all = RPC_server.Acl.allow_all + + let secure = + Allow_all + { + except = + List.map + parse + [ + "GET /global/block/*/durable/wasm_2_0_0/subkeys"; + "/local/batcher/**"; + "/admin/**"; + ]; + } + + let default (address : P2p_addr.t) = + let open Ipaddr in + if V6.scope address = Interface then allow_all else secure +end + +let start ~rpc_addr ~rpc_port ~acl ~cors dir = let open Lwt_result_syntax in - let Configuration.{rpc_addr; rpc_port; _} = configuration in let rpc_addr = P2p_addr.of_string_exn rpc_addr in let host = Ipaddr.V6.to_string rpc_addr in let node = `TCP (`Port rpc_port) in - (* TODO: https://gitlab.com/tezos/tezos/-/issues/2885 - More restrictive access control. *) - let acl = RPC_server.Acl.allow_all in + let*! acl_policy = RPC_server.Acl.resolve_domain_names acl in + let acl = + RPC_server.Acl.find_policy acl_policy (host, Some rpc_port) + |> Option.value_f ~default:(fun () -> Acl.default rpc_addr) + in let server = RPC_server.init_server dir - ~cors:configuration.cors + ~cors ~acl ~media_types:Media_type.all_media_types in diff --git a/src/lib_smart_rollup_node/rpc_server.mli b/src/lib_smart_rollup_node/rpc_server.mli index 60f652930d3e39e6eb0021c47da394b33874800f..5352a493fec640922e8203a628993679c7b2cf09 100644 --- a/src/lib_smart_rollup_node/rpc_server.mli +++ b/src/lib_smart_rollup_node/rpc_server.mli @@ -27,9 +27,23 @@ type t -(** [start node_ctxt config] starts an RPC server listening for requests on the - port [config.rpc_port] and address [config.rpc_addr]. *) -val start : Configuration.t -> unit Tezos_rpc.Directory.t -> t tzresult Lwt.t +module Acl : sig + val allow_all : Resto_acl.Acl.t + + val secure : Resto_acl.Acl.t + + val default : P2p_addr.t -> Resto_acl.Acl.t +end + +(** [start ~rpc_addr ~rpc_port ~acl ~cors node_ctxt config] starts an RPC server + listening for requests on the port [rpc_port] and address [rpc_addr]. *) +val start : + rpc_addr:string -> + rpc_port:int -> + acl:Tezos_rpc_http_server.RPC_server.Acl.policy -> + cors:Resto_cohttp.Cors.t -> + unit Tezos_rpc.Directory.t -> + t tzresult Lwt.t (** Shutdown a running RPC server. When this function is called, the rollup node will stop listening to incoming requests. *)