Merge pull request talaia-labs#48 from tee8z/tor-endpoint-http-api

Tor endpoint http api

Author: sr-gi

README.md

@@ -67,6 +67,28 @@ For regtest, it should look like:
 btc_network = regtest
 ```
 
+### Running TEOS with tor
+
+This requires a tor deamon running on the same machine as teos and a control port open on that deamon.
+
+Download tor from the torproject site here: [torproject](https://www.torproject.org/download/)
+
+To open tor's control port, follow the instructions here on how to update the configuration file [tor conf](https://2019.www.torproject.org/docs/faq.html.en#torrc)
+
+Add the following lines to the file:
+```
+## The port on which Tor will listen for local connections from Tor
+## controller applications, as documented in control-spec.txt.
+ControlPort 9051
+
+## If you enable the controlport, be sure to enable one of these
+## authentication methods, to prevent attackers from accessing it.
+CookieAuthentication 1
+CookieAuthFileGroupReadable 1
+```
+
+Once the tor deamon is running, and the control port is open, make sure to change `tor_support` flag to true in teos conf.
+
 ### Tower id and signing key
 
 `teos` needs a pair of keys that will serve as tower id and signing key. The former can be used by users to identify the tower, whereas the latter is used by the tower to sign responses. These keys are automatically generated on the first run, and can be refreshed by running `teos` with the `--overwritekey` flag. Notice that once a key is overwritten you won't be able to use the previous key again*.

teos/Cargo.toml

@@ -30,6 +30,7 @@ tonic = "0.6"
 tokio = { version = "1.5", features = [ "rt-multi-thread" ] }
 triggered = "0.1.2"
 warp = "0.3.2"
+torut = "0.2.1"
 
 # Bitcoin and Lightning
 bitcoin = { version = "0.27", features = [ "base64" ] }

teos/src/api/mod.rs

@@ -1,5 +1,6 @@
 pub mod http;
 pub mod internal;
+pub mod tor;
 
 pub mod serde_status {
     use serde::de::{self, Deserializer};

teos/src/api/tor.rs

@@ -0,0 +1,118 @@
+use std::io::{Error, ErrorKind};
+use std::net::SocketAddr;
+use tokio::net::TcpStream;
+use tokio::time::{sleep, Duration};
+use torut::control::UnauthenticatedConn;
+use torut::onion::TorSecretKeyV3;
+use triggered::Listener;
+
+/// Expose an onion service that re-directs to the public api.
+pub async fn expose_onion_service(
+    tor_control_port: u16,
+    api_port: u16,
+    onion_port: u16,
+    shutdown_signal_tor: Listener,
+) -> Result<(), Error> {
+    let stream = connect_tor_cp(format!("127.0.0.1:{}", tor_control_port).parse().unwrap())
+        .await
+        .map_err(|e| Error::new(ErrorKind::ConnectionRefused, e))?;
+
+    let mut unauth_conn = UnauthenticatedConn::new(stream);
+
+    let pre_auth = unauth_conn
+        .load_protocol_info()
+        .await
+        .map_err(|e| Error::new(ErrorKind::ConnectionRefused, e))?;
+
+    let auth_data = pre_auth
+        .make_auth_data()?
+        .expect("failed to make auth data");
+
+    unauth_conn.authenticate(&auth_data).await.map_err(|_| {
+        Error::new(
+            ErrorKind::PermissionDenied,
+            "failed to authenticate with Tor",
+        )
+    })?;
+
+    let mut auth_conn = unauth_conn.into_authenticated().await;
+
+    auth_conn.set_async_event_handler(Some(|_| async move { Ok(()) }));
+
+    let key = TorSecretKeyV3::generate();
+
+    auth_conn
+        .add_onion_v3(
+            &key,
+            false,
+            false,
+            false,
+            None,
+            &mut [(
+                onion_port,
+                format!("127.0.0.1:{}", api_port).parse().unwrap(),
+            )]
+            .iter(),
+        )
+        .await
+        .map_err(|e| {
+            Error::new(
+                ErrorKind::Other,
+                format!("failed to create onion hidden service: {}", e),
+            )
+        })?;
+
+    print_onion_service(key.clone(), onion_port);
+
+    // NOTE: Needed to keep connection with control port & hidden service running, as soon as we leave
+    // this function the control port stream is dropped and the hidden service is killed
+    loop {
+        sleep(Duration::from_secs(1)).await;
+        if shutdown_signal_tor.is_triggered() {
+            break;
+        }
+    }
+
+    auth_conn
+        .del_onion(
+            &key.public()
+                .get_onion_address()
+                .get_address_without_dot_onion(),
+        )
+        .await
+        .unwrap();
+    Ok(())
+}
+
+async fn connect_tor_cp(addr: SocketAddr) -> Result<TcpStream, Error> {
+    let sock = TcpStream::connect(addr).await.map_err(|_| {
+        Error::new(
+            ErrorKind::ConnectionRefused,
+            "failed to connect to tor control port",
+        )
+    })?;
+    Ok(sock)
+}
+
+fn print_onion_service(key: TorSecretKeyV3, onion_port: u16) {
+    let onion_addr = key.public().get_onion_address();
+    let onion = format!("{}:{}", onion_addr, onion_port);
+    log::info!("onion service: {}", onion);
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[tokio::test]
+    async fn test_connect_tor_cp_fail() {
+        let tor_control_port = 9000;
+        let addr = format!("127.0.0.1:{}", tor_control_port).parse().unwrap();
+        match connect_tor_cp(addr).await {
+            Ok(_) => {}
+            Err(e) => {
+                assert_eq!("failed to connect to tor control port", e.to_string())
+            }
+        }
+    }
+}

teos/src/conf_template.toml

@@ -1,6 +1,9 @@
 # API
 api_bind = "127.0.0.1"
 api_port = 9814
+tor_control_port = 9051
+onion_hidden_service_port = 2121
+tor_support = false
 
 # RPC
 rpc_bind = "127.0.0.1"

teos/src/config.rs

@@ -104,6 +104,18 @@ pub struct Opt {
     /// Overwrites the tower secret key. THIS IS IRREVERSIBLE AND WILL CHANGE YOUR TOWER ID
     #[structopt(long)]
     pub overwrite_key: bool,
+
+    /// If set, creates a tor endpoint to serve API data. This endpoint is additional to the clearnet HTTP API
+    #[structopt(long)]
+    pub tor_support: bool,
+
+    /// tor control port [default: 9051]
+    #[structopt(long)]
+    pub tor_control_port: Option<u16>,
+
+    /// Port for the onion hidden service to listen on [default: 2121]
+    #[structopt(long)]
+    pub onion_hidden_service_port: Option<u16>,
 }
 
 /// Holds all configuration options.
@@ -144,6 +156,11 @@ pub struct Config {
     // Internal API
     pub internal_api_bind: String,
     pub internal_api_port: u32,
+
+    // Tor
+    pub tor_support: bool,
+    pub tor_control_port: u16,
+    pub onion_hidden_service_port: u16,
 }
 
 impl Config {
@@ -176,7 +193,14 @@ impl Config {
         if options.btc_rpc_port.is_some() {
             self.btc_rpc_port = options.btc_rpc_port.unwrap();
         }
+        if options.tor_control_port.is_some() {
+            self.tor_control_port = options.tor_control_port.unwrap();
+        }
+        if options.onion_hidden_service_port.is_some() {
+            self.onion_hidden_service_port = options.onion_hidden_service_port.unwrap();
+        }
 
+        self.tor_support |= options.tor_support;
         self.debug |= options.debug;
         self.overwrite_key = options.overwrite_key;
     }
@@ -230,6 +254,9 @@ impl Default for Config {
         Self {
             api_bind: "127.0.0.1".into(),
             api_port: 9814,
+            tor_support: false,
+            tor_control_port: 9051,
+            onion_hidden_service_port: 2121,
             rpc_bind: "127.0.0.1".into(),
             rpc_port: 8814,
             btc_network: "bitcoin".into(),
@@ -260,6 +287,9 @@ mod tests {
             Self {
                 api_bind: None,
                 api_port: None,
+                tor_support: false,
+                tor_control_port: None,
+                onion_hidden_service_port: None,
                 rpc_bind: None,
                 rpc_port: None,
                 btc_network: None,
@@ -324,4 +354,16 @@ mod tests {
         };
         assert!(matches!(config.verify(), Err(ConfigError { .. })));
     }
+
+    #[test]
+    fn test_config_verify_tor_set() {
+        let mut config = Config {
+            btc_rpc_user: "user".to_owned(),
+            btc_rpc_password: "password".to_owned(),
+            tor_support: true,
+            ..Default::default()
+        };
+
+        config.verify().unwrap()
+    }
 }

teos/src/main.rs

@@ -17,8 +17,8 @@ use lightning_block_sync::poll::{
 };
 use lightning_block_sync::{BlockSource, SpvClient, UnboundedCache};
 
-use teos::api::http;
 use teos::api::internal::InternalAPI;
+use teos::api::{http, tor};
 use teos::bitcoin_cli::BitcoindClient;
 use teos::carrier::Carrier;
 use teos::chain_monitor::ChainMonitor;
@@ -201,6 +201,7 @@ async fn main() {
     let shutdown_signal_internal_rpc_api = shutdown_signal_rpc_api.clone();
     let shutdown_signal_http = shutdown_signal_rpc_api.clone();
     let shutdown_signal_cm = shutdown_signal_rpc_api.clone();
+    let shutdown_signal_tor = shutdown_signal_rpc_api.clone();
 
     // The ordering here actually matters. Listeners are called by order, and we want the gatekeeper to be called
     // last, so both the Watcher and the Responder can query the necessary data from it during data deletion.
@@ -265,11 +266,31 @@ async fn main() {
         internal_rpc_api_uri,
         shutdown_signal_http,
     ));
+
+    // Add Tor Onion Service for public API
+    let mut tor_task = Option::None;
+    if conf.tor_support {
+        log::info!("Starting up hidden tor service");
+        let tor_control_port = conf.tor_control_port;
+        let api_port = conf.api_port;
+        let onion_port = conf.onion_hidden_service_port;
+
+        tor_task = Some(task::spawn(async move {
+            tor::expose_onion_service(tor_control_port, api_port, onion_port, shutdown_signal_tor)
+                .await
+                .unwrap();
+        }));
+    }
+
     chain_monitor.monitor_chain().await;
 
     // Wait until shutdown
     http_api_task.await.unwrap();
     private_api_task.await.unwrap();
     public_api_task.await.unwrap();
-    log::info!("Shutting down tower")
+    if conf.tor_support {
+        tor_task.unwrap().await.unwrap();
+    }
+
+    log::info!("Shutting down tower");
 }