chore: disable flag on unsafe/test RPCs (backport #736) (#742)

<hr>This is an automatic backport of pull request #736 done by
[Mergify](https://mergify.com).

Co-authored-by: Lazar <[email protected]>

Author: mergify[bot]

CHANGELOG.md

@@ -46,6 +46,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)
 * [#732](https://github.com/babylonlabs-io/finality-provider/pull/732) feat: add version metric
 * [#734](https://github.com/babylonlabs-io/finality-provider/pull/734) chore: rm unused cfg val
 * [#735](https://github.com/babylonlabs-io/finality-provider/pull/735) chore: use counter prometeus
+* [#736](https://github.com/babylonlabs-io/finality-provider/pull/736) chore: disable flag on unsafe/test RPCs
 
 ## v2.0.0-rc.5
 

eotsmanager/config/config.go

@@ -37,12 +37,13 @@ var (
 )
 
 type Config struct {
-	LogLevel             string          `long:"loglevel" description:"Logging level for all subsystems" choice:"trace" choice:"debug" choice:"info" choice:"warn" choice:"error" choice:"fatal"`
-	KeyringBackend       string          `long:"keyring-type" description:"Type of keyring to use"`
-	RPCListener          string          `long:"rpclistener" description:"the listener for RPC connections, e.g., 127.0.0.1:1234"`
-	HMACKey              string          `long:"hmackey" description:"The HMAC key for authentication with FPD. If not provided, will use HMAC_KEY environment variable."`
-	Metrics              *metrics.Config `group:"metrics" namespace:"metrics"`
-	GRPCMaxContentLength int             `long:"grpcmaxcontentlength" description:"The maximum size of the gRPC message in bytes."`
+	LogLevel               string          `long:"loglevel" description:"Logging level for all subsystems" choice:"trace" choice:"debug" choice:"info" choice:"warn" choice:"error" choice:"fatal"`
+	KeyringBackend         string          `long:"keyring-type" description:"Type of keyring to use"`
+	RPCListener            string          `long:"rpclistener" description:"the listener for RPC connections, e.g., 127.0.0.1:1234"`
+	HMACKey                string          `long:"hmackey" description:"The HMAC key for authentication with FPD. If not provided, will use HMAC_KEY environment variable."`
+	DisableUnsafeEndpoints bool            `long:"disable-unsafe-endpoints" description:"Disable unsafe RPC endpoints (e.g., UnsafeSignEOTS) that bypass slashing protection. Recommended for production."`
+	Metrics                *metrics.Config `group:"metrics" namespace:"metrics"`
+	GRPCMaxContentLength   int             `long:"grpcmaxcontentlength" description:"The maximum size of the gRPC message in bytes."`
 
 	DatabaseConfig *DBConfig `group:"dbconfig" namespace:"dbconfig"`
 }
@@ -138,12 +139,13 @@ func DefaultConfigWithHomePath(homePath string) *Config {
 
 func DefaultConfigWithHomePathAndPorts(homePath string, rpcPort, metricsPort int) *Config {
 	cfg := &Config{
-		LogLevel:             defaultLogLevel,
-		KeyringBackend:       defaultKeyringBackend,
-		DatabaseConfig:       DefaultDBConfigWithHomePath(homePath),
-		RPCListener:          defaultRpcListener,
-		Metrics:              metrics.DefaultEotsConfig(),
-		GRPCMaxContentLength: defaultMaxGRPCContentLength,
+		LogLevel:               defaultLogLevel,
+		KeyringBackend:         defaultKeyringBackend,
+		DatabaseConfig:         DefaultDBConfigWithHomePath(homePath),
+		RPCListener:            defaultRpcListener,
+		DisableUnsafeEndpoints: false, // default to false for backward compatibility
+		Metrics:                metrics.DefaultEotsConfig(),
+		GRPCMaxContentLength:   defaultMaxGRPCContentLength,
 	}
 	cfg.RPCListener = fmt.Sprintf("%s:%d", DefaultRPCHost, rpcPort)
 	cfg.Metrics.Port = metricsPort

eotsmanager/service/rpcserver.go

@@ -11,6 +11,7 @@ import (
 	"google.golang.org/grpc/codes"
 
 	"github.com/babylonlabs-io/finality-provider/eotsmanager"
+	"github.com/babylonlabs-io/finality-provider/eotsmanager/config"
 	"github.com/babylonlabs-io/finality-provider/eotsmanager/proto"
 	"github.com/babylonlabs-io/finality-provider/eotsmanager/types"
 )
@@ -20,15 +21,18 @@ import (
 type rpcServer struct {
 	proto.UnimplementedEOTSManagerServer
 
-	em *eotsmanager.LocalEOTSManager
+	em  *eotsmanager.LocalEOTSManager
+	cfg *config.Config
 }
 
 // newRPCServer creates a new RPC sever from the set of input dependencies.
 func newRPCServer(
 	em *eotsmanager.LocalEOTSManager,
+	cfg *config.Config,
 ) *rpcServer {
 	return &rpcServer{
-		em: em,
+		em:  em,
+		cfg: cfg,
 	}
 }
 
@@ -89,6 +93,11 @@ func (r *rpcServer) SignEOTS(_ context.Context, req *proto.SignEOTSRequest) (
 // UnsafeSignEOTS only used for testing purposes. Doesn't offer slashing protection!
 func (r *rpcServer) UnsafeSignEOTS(_ context.Context, req *proto.SignEOTSRequest) (
 	*proto.SignEOTSResponse, error) {
+	if r.cfg.DisableUnsafeEndpoints {
+		return nil, status.Error(codes.PermissionDenied, //nolint:wrapcheck
+			"UnsafeSignEOTS endpoint is disabled in configuration for security reasons")
+	}
+
 	sig, err := r.em.UnsafeSignEOTS(req.Uid, req.ChainId, req.Msg, req.Height)
 	if err != nil {
 		return nil, fmt.Errorf("failed to sign EOTS: %w", err)

eotsmanager/service/server.go

@@ -37,7 +37,7 @@ func NewEOTSManagerServer(cfg *config.Config, l *zap.Logger, em *eotsmanager.Loc
 	return &Server{
 		cfg:       cfg,
 		logger:    l,
-		rpcServer: newRPCServer(em),
+		rpcServer: newRPCServer(em, cfg),
 		db:        db,
 		quit:      make(chan struct{}, 1),
 	}