Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor: grpc insecure plus plugin not mandatory #158

Merged
merged 4 commits into from
Sep 27, 2024
Merged

refactor: grpc insecure plus plugin not mandatory #158

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
fd55b8a
update: plugin not by default
JulianToledano Sep 26, 2024
3655182
del: defaultPlugin
JulianToledano Sep 26, 2024
dd2976f
changelog
JulianToledano Sep 26, 2024
839cffc
changelog bug fixes
JulianToledano Sep 26, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 8 additions & 0 deletions CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -36,6 +36,14 @@ Ref: https://keepachangelog.com/en/1.0.0/

## [Unreleased]

### Improvements

* [#157](https://github.com/cosmos/rosetta/pull/157) Rosetta can now run without requiring a plugin.

### Bug Fixes

* [#157](https://github.com/cosmos/rosetta/pull/157) Added support for insecure connections to gRPC reflection servers.

## [v0.50.10](https://github.com/cosmos/rosetta/releases/tag/v0.50.10) 2024-09-25

### Improvements
Expand Down
20 changes: 11 additions & 9 deletions cmd/rosetta.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -29,16 +29,18 @@ func RosettaCommand(ir codectypes.InterfaceRegistry, cdc codec.Codec) *cobra.Com
}
conf.WithCodec(ir, protoCodec)

err = rosetta.LoadPlugin(ir, cmd.Flag("plugin").Value.String())
if err != nil {
fmt.Printf("[Rosetta]- Error while loading cosmos-hub plugin: %s", err.Error())
return err
}

if cmd.Flag("grpc-types-server").Value.String() != "" {
err = rosetta.ReflectInterfaces(ir, cmd.Flag("grpc-types-server").Value.String())
pluginPath := cmd.Flag(rosetta.FlagPlugin).Value.String()
typesServer := cmd.Flag(rosetta.FlagGRPCTypesServerEndpoint).Value.String()
if pluginPath != "" {
err = rosetta.LoadPlugin(ir, pluginPath)
if err != nil {
fmt.Printf("[Rosetta]- Error while loading plugin: %s", err.Error())
return err
}
} else if typesServer != "" {
err = rosetta.ReflectInterfaces(ir, typesServer)
if err != nil {
fmt.Printf("[Rosetta]- Error while reflecting from grpc server: %s", err.Error())
fmt.Printf("[Rosetta]- Error while reflecting from gRPC server: %s", err.Error())
return err
}
}
Expand Down
4 changes: 1 addition & 3 deletions config.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,8 +49,6 @@ const (
DenomToSuggest = "uatom"
// DefaultPrices defines the default list of prices to suggest
DefaultPrices = "1uatom,1stake"
// DefaultPlugin define plugin location for interface and type registry
DefaultPlugin = "cosmos-hub"
)

// configuration flags
Expand Down Expand Up @@ -306,5 +304,5 @@ func SetFlags(flags *pflag.FlagSet) {
flags.Int(FlagGasToSuggest, clientflags.DefaultGasLimit, "default gas for fee suggestion")
flags.String(FlagDenomToSuggest, DenomToSuggest, "default denom for fee suggestion")
flags.String(FlagPricesToSuggest, DefaultPrices, "default prices for fee suggestion")
flags.String(FlagPlugin, DefaultPlugin, "plugin folder name")
flags.String(FlagPlugin, "", "plugin folder name")
}
15 changes: 10 additions & 5 deletions load.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ import (

"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/credentials/insecure"
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codebase verification

Security Concern: Unconditional Use of Insecure gRPC Credentials

  • In client_online.go, the Bootstrap method uses insecure.NewCredentials() without conditional checks, which may lead to security vulnerabilities.

Please review and ensure that insecure credentials are only used in appropriate environments or implement conditional logic to enforce secure connections where necessary.

🔗 Analysis chain

Be cautious when using insecure credentials

The addition of the insecure package import aligns with the PR objective of supporting insecure gRPC connections. However, it's crucial to ensure that this is used judiciously and only in appropriate environments.

To verify the usage of insecure credentials:

Please ensure that proper warnings and documentation are in place to prevent accidental use in production environments where security is critical.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Search for usage of insecure credentials
rg --type go 'insecure\.NewCredentials\(\)' -C 5

Length of output: 1364

"google.golang.org/grpc/reflection/grpc_reflection_v1alpha"
"google.golang.org/protobuf/proto"
"google.golang.org/protobuf/types/descriptorpb"
Expand Down Expand Up @@ -43,11 +44,15 @@ func ReflectInterfaces(ir codectypes.InterfaceRegistry, endpoint string) (err er
}

func openClient(endpoint string) (client *grpc.ClientConn, err error) {
tlsCredentials := credentials.NewTLS(&tls.Config{
MinVersion: tls.VersionTLS12,
})
creds := insecure.NewCredentials()
if strings.HasPrefix(endpoint, "https://") {
tlsConfig := &tls.Config{
MinVersion: tls.VersionTLS12,
}
creds = credentials.NewTLS(tlsConfig)
}

client, err = grpc.NewClient(endpoint, grpc.WithTransportCredentials(tlsCredentials))
client, err = grpc.NewClient(endpoint, grpc.WithTransportCredentials(creds))
if err != nil {
return nil, crgerrs.WrapError(crgerrs.ErrClient, fmt.Sprintf("getting grpc client connection %s", err.Error()))
}
Expand Down Expand Up @@ -170,7 +175,7 @@ func cleanImplMsgNames(implMessages []string) (cleanImplMessages []string) {
}

func registerProtoInterface(registry codectypes.InterfaceRegistry, fileDescriptor *descriptorpb.FileDescriptorProto) {
name := "/" + strings.ReplaceAll(fileDescriptor.GetName(), "/", ".")
name := strings.ReplaceAll(fileDescriptor.GetName(), "/", ".")
descriptorMessageInterface := fileDescriptor.ProtoReflect().Interface()
registry.RegisterInterface(name, &descriptorMessageInterface)
}
Loading