args: Support -norpccookiefile for bitcoind and bitcoin-cli

Replaces belt & suspenders check for initialization in RPCAuthorized() with not allowing empty passwords further down.

Github-Pull: bitcoin#31212
Rebased-From: 39cbd4f

Author: hodlinator

src/httprpc.cpp

@@ -134,8 +134,6 @@ static bool multiUserAuthorized(std::string strUserPass)
 
 static bool RPCAuthorized(const std::string& strAuth, std::string& strAuthUsernameOut)
 {
-    if (strRPCUserColonPass.empty()) // Belt-and-suspenders measure if InitRPCAuthentication was not called
-        return false;
     if (strAuth.substr(0, 6) != "Basic ")
         return false;
     std::string_view strUserPass64 = TrimStringView(std::string_view{strAuth}.substr(6));
@@ -147,8 +145,9 @@ static bool RPCAuthorized(const std::string& strAuth, std::string& strAuthUserna
     if (strUserPass.find(':') != std::string::npos)
         strAuthUsernameOut = strUserPass.substr(0, strUserPass.find(':'));
 
-    //Check if authorized under single-user field
-    if (TimingResistantEqual(strUserPass, strRPCUserColonPass)) {
+    // Check if authorized under single-user field.
+    // (strRPCUserColonPass is empty when -norpccookiefile is specified).
+    if (!strRPCUserColonPass.empty() && TimingResistantEqual(strUserPass, strRPCUserColonPass)) {
         return true;
     }
     return multiUserAuthorized(strUserPass);
@@ -294,8 +293,6 @@ static bool InitRPCAuthentication()
 {
     if (gArgs.GetArg("-rpcpassword", "") == "")
     {
-        LogInfo("Using random cookie authentication.\n");
-
         std::optional<fs::perms> cookie_perms{std::nullopt};
         auto cookie_perms_arg{gArgs.GetArg("-rpccookieperms")};
         if (cookie_perms_arg) {
@@ -307,9 +304,15 @@ static bool InitRPCAuthentication()
             cookie_perms = *perm_opt;
         }
 
+        assert(strRPCUserColonPass.empty()); // Only support initializing once
         if (!GenerateAuthCookie(&strRPCUserColonPass, cookie_perms)) {
             return false;
         }
+        if (strRPCUserColonPass.empty()) {
+            LogInfo("RPC authentication cookie file generation is disabled.");
+        } else {
+            LogInfo("Using random cookie authentication.");
+        }
     } else {
         LogPrintf("Config options rpcuser and rpcpassword will soon be deprecated. Locally-run instances may remove rpcuser to use cookie-based auth, or may be replaced with rpcauth. Please see share/rpcauth for rpcauth auth generation.\n");
         strRPCUserColonPass = gArgs.GetArg("-rpcuser", "") + ":" + gArgs.GetArg("-rpcpassword", "");

src/rpc/request.cpp

@@ -86,6 +86,9 @@ static const char* const COOKIEAUTH_FILE = ".cookie";
 static fs::path GetAuthCookieFile(bool temp=false)
 {
     fs::path arg = gArgs.GetPathArg("-rpccookiefile", COOKIEAUTH_FILE);
+    if (arg.empty()) {
+        return {}; // -norpccookiefile was specified
+    }
     if (temp) {
         arg += ".tmp";
     }
@@ -106,6 +109,9 @@ bool GenerateAuthCookie(std::string* cookie_out, std::optional<fs::perms> cookie
      */
     std::ofstream file;
     fs::path filepath_tmp = GetAuthCookieFile(true);
+    if (filepath_tmp.empty()) {
+        return true; // -norpccookiefile
+    }
     file.open(filepath_tmp);
     if (!file.is_open()) {
         LogWarning("Unable to open cookie authentication file %s for writing", fs::PathToString(filepath_tmp));
@@ -142,6 +148,9 @@ bool GetAuthCookie(std::string *cookie_out)
     std::ifstream file;
     std::string cookie;
     fs::path filepath = GetAuthCookieFile();
+    if (filepath.empty()) {
+        return true; // -norpccookiefile
+    }
     file.open(filepath);
     if (!file.is_open())
         return false;