algorand · gmalouf · Sep 19, 2024 · Jun 16, 2024 · Jun 17, 2024 · Jul 26, 2024
diff --git a/config/localTemplate.go b/config/localTemplate.go
@@ -167,6 +167,9 @@ type Local struct {
 	// EndpointAddress configures the address the node listens to for REST API calls. Specify an IP and port or just port. For example, 127.0.0.1:0 will listen on a random port on the localhost (preferring 8080).
 	EndpointAddress string `version[0]:"127.0.0.1:0"`
 
+	// Respond to Private Network Access preflight requests sent to the node. Useful when a public website is trying to access a node that's hosted on a local network.
+	EnablePrivateNetworkAccessHeader bool `version[34]:"false"`
+
 	// RestReadTimeoutSeconds is passed to the API servers rest http.Server implementation.
 	RestReadTimeoutSeconds int `version[4]:"15"`
 

diff --git a/config/local_defaults.go b/config/local_defaults.go
@@ -77,6 +77,7 @@ var defaultLocal = Local{
 	EnableP2P:                                  false,
 	EnableP2PHybridMode:                        false,
 	EnablePingHandler:                          true,
+	EnablePrivateNetworkAccessHeader:           false,
 	EnableProcessBlockStats:                    false,
 	EnableProfiler:                             false,
 	EnableRequestLogger:                        false,

diff --git a/daemon/algod/api/server/lib/middlewares/cors.go b/daemon/algod/api/server/lib/middlewares/cors.go
@@ -31,3 +31,16 @@
 		AllowMethods: []string{http.MethodGet, http.MethodPost, http.MethodPut, http.MethodDelete, http.MethodOptions},
 	})
 }
+
+// MakePNA constructs the Private Network Access middleware function
+func MakePNA() echo.MiddlewareFunc {
+	return func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(ctx echo.Context) error {
+			req := ctx.Request()
+			if req.Method == http.MethodOptions && req.Header.Get("Access-Control-Request-Private-Network") == "true" {
+				ctx.Response().Header().Set("Access-Control-Allow-Private-Network", "true")
+			}
+			return next(ctx)
+		}
+	}
+}
diff --git a/daemon/algod/api/server/router.go b/daemon/algod/api/server/router.go
@@ -107,6 +107,12 @@
 		middleware.RemoveTrailingSlash())
 	e.Use(
 		middlewares.MakeLogger(logger),
+	)
+	// Optional middleware for Private Network Access Header (PNA). Must come before CORS middleware.
+	if node.Config().EnablePrivateNetworkAccessHeader {
+		e.Use(middlewares.MakePNA())
+	}
+	e.Use(
 		middlewares.MakeCORS(TokenHeader),
 	)
 

diff --git a/daemon/kmd/api/api.go b/daemon/kmd/api/api.go
@@ -137,10 +137,13 @@ func SwaggerHandler(w http.ResponseWriter, r *http.Request) {
 
 // Handler returns the root mux router for the kmd API. It sets up handlers on
 // subrouters specific to each API version.
-func Handler(sm *session.Manager, log logging.Logger, allowedOrigins []string, apiToken string, reqCB func()) *mux.Router {
+func Handler(sm *session.Manager, log logging.Logger, allowedOrigins []string, apiToken string, pnaHeader bool, reqCB func()) *mux.Router {
 	rootRouter := mux.NewRouter()
 
 	// Send the appropriate CORS headers
+	if pnaHeader {
+		rootRouter.Use(AllowPNA())
+	}
 	rootRouter.Use(corsMiddleware(allowedOrigins))
 
 	// Handle OPTIONS requests

diff --git a/daemon/kmd/api/cors.go b/daemon/kmd/api/cors.go
@@ -56,3 +56,16 @@ func corsMiddleware(allowedOrigins []string) func(http.Handler) http.Handler {
 		})
 	}
 }
+
+// AllowPNA constructs the Private Network Access middleware function
+func AllowPNA() func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Private-Network") == "true" {
+				w.Header().Set("Access-Control-Allow-Private-Network", "true")
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
diff --git a/daemon/kmd/config/config.go b/daemon/kmd/config/config.go
@@ -40,6 +40,7 @@ type KMDConfig struct {
 	SessionLifetimeSecs uint64       `json:"session_lifetime_secs"`
 	Address             string       `json:"address"`
 	AllowedOrigins      []string     `json:"allowed_origins"`
+	AllowHeaderPNA      bool         `json:"allow_header_pna"`
 }
 
 // DriverConfig contains config info specific to each wallet driver

diff --git a/daemon/kmd/kmd.go b/daemon/kmd/kmd.go
@@ -69,6 +69,7 @@ func Start(startConfig StartConfig) (died chan error, sock string, err error) {
 		DataDir:        startConfig.DataDir,
 		Address:        kmdCfg.Address,
 		AllowedOrigins: kmdCfg.AllowedOrigins,
+		AllowHeaderPNA: kmdCfg.AllowHeaderPNA,
 		SessionManager: session.MakeManager(kmdCfg),
 		Log:            startConfig.Log,
 		Timeout:        startConfig.Timeout,

diff --git a/daemon/kmd/server/server.go b/daemon/kmd/server/server.go
@@ -54,6 +54,7 @@ type WalletServerConfig struct {
 	DataDir        string
 	Address        string
 	AllowedOrigins []string
+	AllowHeaderPNA bool
 	SessionManager *session.Manager
 	Log            logging.Logger
 	Timeout        *time.Duration
@@ -211,7 +212,7 @@ func (ws *WalletServer) start(kill chan os.Signal) (died chan error, sock string
 	// Initialize HTTP server
 	watchdogCB := ws.makeWatchdogCallback(kill)
 	srv := http.Server{
-		Handler: api.Handler(ws.SessionManager, ws.Log, ws.AllowedOrigins, ws.APIToken, watchdogCB),
+		Handler: api.Handler(ws.SessionManager, ws.Log, ws.AllowedOrigins, ws.APIToken, ws.AllowHeaderPNA, watchdogCB),
 	}
 
 	// Read the kill channel and shut down the server gracefully

diff --git a/installer/config.json.example b/installer/config.json.example
@@ -56,6 +56,7 @@
     "EnableP2P": false,
     "EnableP2PHybridMode": false,
     "EnablePingHandler": true,
+    "EnablePrivateNetworkAccessHeader": false,
     "EnableProcessBlockStats": false,
     "EnableProfiler": false,
     "EnableRequestLogger": false,

diff --git a/test/e2e-go/cli/goal/expect/corsTest.exp b/test/e2e-go/cli/goal/expect/corsTest.exp
@@ -15,7 +15,7 @@ if { [catch {
     set TEST_ROOT_DIR $TEST_ALGO_DIR/root
     set TEST_PRIMARY_NODE_DIR $TEST_ROOT_DIR/Primary/
     set NETWORK_NAME test_net_expect_$TIME_STAMP
-    set NETWORK_TEMPLATE "$TEST_DATA_DIR/nettemplates/TwoNodes50Each.json"
+    set NETWORK_TEMPLATE "$TEST_DATA_DIR/nettemplates/TwoNodes50EachPNA.json"
 
     # Create network
     ::AlgorandGoal::CreateNetwork $NETWORK_NAME $NETWORK_TEMPLATE $TEST_ALGO_DIR $TEST_ROOT_DIR
@@ -31,6 +31,10 @@ if { [catch {
     set ALGOD_NET_ADDRESS [::AlgorandGoal::GetAlgodNetworkAddress $TEST_PRIMARY_NODE_DIR]
     ::AlgorandGoal::CheckNetworkAddressForCors $ALGOD_NET_ADDRESS
 
+    # Hit algod with a private network access preflight request and look for 200 OK
+    set ALGOD_NET_ADDRESS [::AlgorandGoal::GetAlgodNetworkAddress $TEST_PRIMARY_NODE_DIR]
+    ::AlgorandGoal::CheckNetworkAddressForPNA $ALGOD_NET_ADDRESS
+
     # Start kmd, then do the same CORS check as algod
     exec goal kmd start -t 180 -d $TEST_PRIMARY_NODE_DIR
     set KMD_NET_ADDRESS [::AlgorandGoal::GetKMDNetworkAddress $TEST_PRIMARY_NODE_DIR]

diff --git a/test/e2e-go/cli/goal/expect/goalExpectCommon.exp b/test/e2e-go/cli/goal/expect/goalExpectCommon.exp
@@ -817,6 +817,23 @@ proc ::AlgorandGoal::CheckNetworkAddressForCors { NET_ADDRESS } {
     }
 }
 
+# Use curl to check if a network address supports private network access
+proc ::AlgorandGoal::CheckNetworkAddressForPNA { NET_ADDRESS } {
+    if { [ catch {
+        spawn curl -X OPTIONS -H "Access-Control-Request-Private-Network: true" --head $NET_ADDRESS
+        expect {
+            timeout { close; ::AlgorandGoal::Abort "Timeout failure in CheckNetworkAddressForPNA" }
+            "Access-Control-Allow-Private-Network" { puts "success" ; close  }
+            eof {
+                return -code error "EOF without Access-Control-Allow-Private-Network"
+            }
+            close
+        }
+    } EXCEPTION ] } {
+       ::AlgorandGoal::Abort "ERROR in CheckNetworkAddressForPNA: $EXCEPTION"
+    }
+}
+
 # Show the Ledger Supply
 proc ::AlgorandGoal::GetLedgerSupply { TEST_PRIMARY_NODE_DIR } {
     if { [ catch {

diff --git a/test/testdata/configs/config-v34.json b/test/testdata/configs/config-v34.json
@@ -56,6 +56,7 @@
     "EnableP2P": false,
     "EnableP2PHybridMode": false,
     "EnablePingHandler": true,
+    "EnablePrivateNetworkAccessHeader": false,
     "EnableProcessBlockStats": false,
     "EnableProfiler": false,
     "EnableRequestLogger": false,

diff --git a/test/testdata/nettemplates/TwoNodes50EachPNA.json b/test/testdata/nettemplates/TwoNodes50EachPNA.json
@@ -0,0 +1,37 @@
+{
+    "Genesis": {
+        "NetworkName": "tbd",
+        "LastPartKeyRound": 3000,
+        "Wallets": [
+            {
+                "Name": "Wallet1",
+                "Stake": 50,
+                "Online": true
+            },
+            {
+                "Name": "Wallet2",
+                "Stake": 50,
+                "Online": true
+            }
+        ]
+    },
+    "Nodes": [
+        {
+            "Name": "Primary",
+            "IsRelay": true,
+            "ConfigJSONOverride": "{\"EnablePrivateNetworkAccessHeader\":true}",
+            "Wallets": [
+                { "Name": "Wallet1",
+                  "ParticipationOnly": false }
+            ]
+        },
+        {
+            "Name": "Node",
+            "ConfigJSONOverride": "{\"EnablePrivateNetworkAccessHeader\":true}",
+            "Wallets": [
+                { "Name": "Wallet2",
+                  "ParticipationOnly": false }
+            ]
+        }
+    ]
+}