tapcfg: add price oracle TLS config

We remain insecure by default, for now, and also default to trusting the
operating system's root CA list.

Author: jtobin

rfq/cli.go

@@ -22,6 +22,12 @@ const (
 type CliConfig struct {
 	PriceOracleAddress string `long:"priceoracleaddress" description:"Price oracle gRPC server address (rfqrpc://<hostname>:<port>). To use the integrated mock, use the following value: use_mock_price_oracle_service_promise_to_not_use_on_mainnet"`
 
+	PriceOracleTLSInsecure bool `long:"priceoracletlsinsecure" description:"Disable verification of price oracle certificates. Communication with the price oracle will be in cleartext over HTTP, so should only be used for testing."`
+
+	PriceOracleTLSNoSystemCAs bool `long:"priceoracletlsnosystemcas" description:"Disable use of the operating system's list of root certificate authorities."`
+
+	PriceOracleTLSCertPath string `long:"priceoracletlscertpath" description:"Path to a PEM-encoded x509 certificate that will be used to construct a TLS connection with the price oracle."`
+
 	SendPriceHint bool `long:"sendpricehint" description:"Send a price hint from the local price oracle to the RFQ peer when requesting a quote. For privacy reasons, this should only be turned on for self-hosted or trusted price oracles."`
 
 	PriceOracleSendPeerId bool `long:"priceoraclesendpeerid" description:"Send the peer ID (public key of the peer) to the price oracle when requesting a price rate. For privacy reasons, this should only be turned on for self-hosted or trusted price oracles."`

rfq/tls.go

@@ -21,13 +21,6 @@ type TLSConfig struct {
 	CustomCertificates []byte
 }
 
-// DefaultTLSConfig returns a default TLS configuration.
-func DefaultTLSConfig() *TLSConfig {
-	return &TLSConfig{
-		InsecureSkipVerify: true,
-	}
-}
-
 // configureTransportCredentials configures the TLS transport credentials to
 // be used for RPC connections.
 func configureTransportCredentials(

tapcfg/config.go

@@ -143,6 +143,21 @@ const (
 	// defaultMailboxAuthTimeout is the default timeout we'll use for
 	// mailbox message retrieval client authentication.
 	defaultMailboxAuthTimeout = 10 * time.Second
+
+	// defaultPriceOracleTLSInsecure is the default value we'll use for
+	// constructing TLS connections with price oracles. It is 'true' for
+	// now, but ought be changed to 'false' before any major feature
+	// release.
+	defaultPriceOracleTLSInsecure = true
+
+	// defaultPriceOracleNoSystemCAs is the default value we'll use
+	// regarding trust of the operating system's root CA list. We'll use
+	// 'false', i.e. we will trust the OS root CA list by default.
+	defaultPriceOracleTLSNoSystemCAs = false
+
+	// defaultPriceOracleTLSCertPath is the default (empty) path to a
+	// certificate to use for securing price oracle communication.
+	defaultPriceOracleTLSCertPath = ""
 )
 
 var (
@@ -317,8 +332,11 @@ type ExperimentalConfig struct {
 	Rfq rfq.CliConfig `group:"rfq" namespace:"rfq"`
 }
 
-// Validate returns an error if the configuration is invalid.
-func (c *ExperimentalConfig) Validate() error {
+// CleanAndValidate performs final processing on the ExperimentalConfig,
+// returning an error if the configuration is invalid.
+func (c *ExperimentalConfig) CleanAndValidate() error {
+	c.Rfq.PriceOracleTLSCertPath = CleanAndExpandPath(
+		c.Rfq.PriceOracleTLSCertPath)
 	return c.Rfq.Validate()
 }
 
@@ -478,7 +496,10 @@ func DefaultConfig() Config {
 		},
 		Experimental: &ExperimentalConfig{
 			Rfq: rfq.CliConfig{
-				AcceptPriceDeviationPpm: rfq.DefaultAcceptPriceDeviationPpm,
+				AcceptPriceDeviationPpm:   rfq.DefaultAcceptPriceDeviationPpm,
+				PriceOracleTLSInsecure:    defaultPriceOracleTLSInsecure,
+				PriceOracleTLSNoSystemCAs: defaultPriceOracleTLSNoSystemCAs,
+				PriceOracleTLSCertPath:    defaultPriceOracleTLSCertPath,
 			},
 		},
 	}
@@ -914,8 +935,8 @@ func ValidateConfig(cfg Config, cfgLogger btclog.Logger) (*Config, error) {
 		}
 	}
 
-	// Validate the experimental command line config.
-	err = cfg.Experimental.Validate()
+	// Clean and validate the experimental command line config.
+	err = cfg.Experimental.CleanAndValidate()
 	if err != nil {
 		return nil, fmt.Errorf("error in experimental command line "+
 			"config: %w", err)
@@ -1150,6 +1171,35 @@ func getCertificateConfig(cfg *Config, cfgLogger btclog.Logger) (*tls.Config,
 	return tlsCfg, restCreds, nil
 }
 
+// getPriceOracleTLSConfig returns a TLS configuration for a price oracle,
+// given a valid RFQ CLI configuration.
+func getPriceOracleTLSConfig(rfqCfg rfq.CliConfig) (*rfq.TLSConfig, error) {
+	var certBytes []byte
+
+	// Read any specified certificate data.
+	if rfqCfg.PriceOracleTLSCertPath != "" {
+		var err error
+		certBytes, err = os.ReadFile(
+			rfqCfg.PriceOracleTLSCertPath)
+		if err != nil {
+			return nil, fmt.Errorf("unable to read "+
+				"price oracle certificate: %w", err)
+		}
+	}
+
+	// Construct the oracle's TLS configuration.
+	tlsConfig := &rfq.TLSConfig{
+		InsecureSkipVerify: rfqCfg.PriceOracleTLSInsecure,
+		// Note the subtle flip on the flag, since the user has
+		// configured whether or not to *not* trust the system
+		// CA's.
+		TrustSystemRootCAs: !rfqCfg.PriceOracleTLSNoSystemCAs,
+		CustomCertificates: certBytes,
+	}
+
+	return tlsConfig, nil
+}
+
 // fileExists reports whether the named file or directory exists.
 // This function is taken from https://github.com/btcsuite/btcd
 func fileExists(name string) bool {

tapcfg/server.go

@@ -461,8 +461,14 @@ func genServerConfig(cfg *Config, cfgLogger btclog.Logger,
 		// skip setting suggested prices for outgoing quote requests.
 
 	default:
+		tlsConfig, err := getPriceOracleTLSConfig(rfqCfg)
+		if err != nil {
+			return nil, fmt.Errorf("couldn't construct price "+
+				"oracle configuration: %w", err)
+		}
+
 		priceOracle, err = rfq.NewRpcPriceOracle(
-			rfqCfg.PriceOracleAddress, rfq.DefaultTLSConfig(),
+			rfqCfg.PriceOracleAddress, tlsConfig,
 		)
 		if err != nil {
 			return nil, fmt.Errorf("unable to create price "+