fix!: standardize gRPC authentication and mitigate DoS

[AaronFeickert]

Description

Standardizes gRPC authentication by removing PHC strings from configuration and preventing a client DoS.

Closes #5809. Closes #5927.

Motivation and Context

As noted in #5927, gRPC authentication is nonstandard. In the current design, server credentials are processed against a client-supplied username and PHC string for verification. This can lead to server DoS, as described in #5809.

This PR fixes the DoS vector. When the gRPC server is started, it applies Argon2 to produce a PHC string that is kept in memory. When a client supplies its (non-PHC) passphrase, it is processed against the stored PHC string. This ensures that the server completely controls the Argon2 parameters that are used.

Note that this is still suboptimal, as the client and server passphrases are still stored in plaintext configuration. Deciding how to handle those is out of scope for this work.

How Has This Been Tested?

It should be tested manually.

What process can a PR reviewer use to test or verify this change?

It should be tested manually.

BREAKING CHANGE: Updates the public APIs for BasicAuthCredentials and ServerAuthenticationInterceptor to accommodate the new behavior. Additionally, existing configuration client/server credentials will stop working, and client credentials will need to use plaintext passwords.

[github-actions]

Test Results (CI)

1 258 tests   1 258 ✔️  11m 32s ⏱️
     39 suites         0 💤
       1 files           0 ❌

Results for commit b519163.

♻️ This comment has been updated with latest results.

[github-actions]

Test Results (Integration tests)

  2 files  11 suites   15m 3s ⏱️
31 tests 30 ✔️ 0 💤 1 ❌
32 runs  31 ✔️ 0 💤 1 ❌

For more details on these failures, see this check.

Results for commit b519163.

♻️ This comment has been updated with latest results.

[hansieodendaal]

I like this approach, looks good. What about adding some unit tests to ServerAuthenticationInterceptor?

[AaronFeickert]

What about adding some unit tests

I looked into this, but it wasn't clear how to cleanly do such tests. Right now, it seems that all of the integration tests use GrpcAuthentication::None and are all part of much larger wallet test suites. Any insight on a simpler approach that would let us test all GrpcAuthentication modes without the extra baggage of the wallet?

[brianp]

Although I understand the reason for the move it feels a little weird to keep the password in cleartext, even though keeping the hashed password previously didn't change the level of security if someone could access it.
And we are now moving to remove grpc from the wallet entirely so it looks like we're closing down vectors from multiple angles. So I'm good with this.
utAck.

[AaronFeickert]

@brianp: I agree that it's not an ideal solution, but I think it meets a reasonable threat model and, improves the user experience, and removes the DoS vector. Even with removing wallet gRPC by default, that attack vector would still exist with node gRPC. Supporting TLS will be an additional layer of protection too. So I think overall it's a net win that doesn't sacrifice practical security.