blvm-node 0.1.1

Bitcoin Commons BLVM: Minimal Bitcoin node implementation using blvm-protocol and blvm-consensus
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90

//! Network access control for modules
//!
//! Ensures modules cannot bind to network ports or make unauthorized network connections.
//! Modules can only communicate with the node via IPC.

use tracing::{debug, warn};

use crate::module::traits::ModuleError;

/// Network sandbox that restricts module network access
pub struct NetworkSandbox {
    /// Whether network access is allowed (default: false - only IPC allowed)
    allow_network: bool,
    /// Allowed network endpoints (if network access is enabled)
    #[allow(dead_code)]
    allowed_endpoints: Vec<String>,
}

impl NetworkSandbox {
    /// Create a new network sandbox (no network access by default)
    pub fn new() -> Self {
        Self {
            allow_network: false,
            allowed_endpoints: Vec::new(),
        }
    }

    /// Create a network sandbox with limited network access
    pub fn with_allowed_endpoints(endpoints: Vec<String>) -> Self {
        Self {
            allow_network: !endpoints.is_empty(),
            allowed_endpoints: endpoints,
        }
    }

    /// Check if network access is allowed
    pub fn is_network_allowed(&self) -> bool {
        self.allow_network
    }

    /// Validate that a network operation is allowed
    pub fn validate_network_operation(&self, operation: &str) -> Result<(), ModuleError> {
        if !self.allow_network {
            warn!(
                "Module attempted network operation: {} (network access denied)",
                operation
            );
            return Err(ModuleError::OperationError(format!(
                "Network access denied: modules cannot make network connections. Operation: {operation}"
            )));
        }

        debug!("Network operation allowed: {}", operation);
        Ok(())
    }

    /// Validate that a network endpoint is allowed
    pub fn validate_endpoint(&self, endpoint: &str) -> Result<(), ModuleError> {
        if !self.allow_network {
            return self.validate_network_operation("connect");
        }

        // Check if endpoint is in allowed list
        if !self.allowed_endpoints.is_empty() {
            let allowed = self
                .allowed_endpoints
                .iter()
                .any(|e| endpoint.starts_with(e));

            if !allowed {
                warn!(
                    "Module attempted to connect to unauthorized endpoint: {}",
                    endpoint
                );
                return Err(ModuleError::OperationError(format!(
                    "Endpoint not allowed: {endpoint} (not in allowed list)"
                )));
            }
        }

        debug!("Network endpoint validated: {}", endpoint);
        Ok(())
    }
}

impl Default for NetworkSandbox {
    fn default() -> Self {
        Self::new()
    }
}