lnd.xprv/macaroons/store_test.go

package macaroons_test

import (
	"context"
	"io/ioutil"
	"os"
	"path"
	"testing"

	"github.com/lightningnetwork/lnd/channeldb/kvdb"
	"github.com/lightningnetwork/lnd/macaroons"

	"github.com/btcsuite/btcwallet/snacl"
	"github.com/stretchr/testify/require"
)

var (
	defaultRootKeyIDContext = macaroons.ContextWithRootKeyID(
		context.Background(), macaroons.DefaultRootKeyID,
	)
)

// newTestStore creates a new bolt DB in a temporary directory and then
// initializes a root key storage for that DB.
func newTestStore(t *testing.T) (string, func(), *macaroons.RootKeyStorage) {
	tempDir, err := ioutil.TempDir("", "macaroonstore-")
	require.NoError(t, err)

	cleanup, store := openTestStore(t, tempDir)
	cleanup2 := func() {
		cleanup()
		_ = os.RemoveAll(tempDir)
	}

	return tempDir, cleanup2, store
}

// openTestStore opens an existing bolt DB and then initializes a root key
// storage for that DB.
func openTestStore(t *testing.T, tempDir string) (func(),
	*macaroons.RootKeyStorage) {

	db, err := kvdb.Create(
		kvdb.BoltBackendName, path.Join(tempDir, "weks.db"), true,
		kvdb.DefaultDBTimeout,
	)
	require.NoError(t, err)

	store, err := macaroons.NewRootKeyStorage(db)
	if err != nil {
		_ = db.Close()
		t.Fatalf("Error creating root key store: %v", err)
	}

	cleanup := func() {
		_ = store.Close()
	}

	return cleanup, store
}

// TestStore tests the normal use cases of the store like creating, unlocking,
// reading keys and closing it.
func TestStore(t *testing.T) {
	tempDir, cleanup, store := newTestStore(t)
	defer cleanup()

	_, _, err := store.RootKey(context.TODO())
	require.Equal(t, macaroons.ErrStoreLocked, err)

	_, err = store.Get(context.TODO(), nil)
	require.Equal(t, macaroons.ErrStoreLocked, err)

	pw := []byte("weks")
	err = store.CreateUnlock(&pw)
	require.NoError(t, err)

	// Check ErrContextRootKeyID is returned when no root key ID found in
	// context.
	_, _, err = store.RootKey(context.TODO())
	require.Equal(t, macaroons.ErrContextRootKeyID, err)

	// Check ErrMissingRootKeyID is returned when empty root key ID is used.
	emptyKeyID := make([]byte, 0)
	badCtx := macaroons.ContextWithRootKeyID(context.TODO(), emptyKeyID)
	_, _, err = store.RootKey(badCtx)
	require.Equal(t, macaroons.ErrMissingRootKeyID, err)

	// Create a context with illegal root key ID value.
	encryptedKeyID := []byte("enckey")
	badCtx = macaroons.ContextWithRootKeyID(context.TODO(), encryptedKeyID)
	_, _, err = store.RootKey(badCtx)
	require.Equal(t, macaroons.ErrKeyValueForbidden, err)

	// Create a context with root key ID value.
	key, id, err := store.RootKey(defaultRootKeyIDContext)
	require.NoError(t, err)

	rootID := id
	require.Equal(t, macaroons.DefaultRootKeyID, rootID)

	key2, err := store.Get(defaultRootKeyIDContext, id)
	require.NoError(t, err)
	require.Equal(t, key, key2)

	badpw := []byte("badweks")
	err = store.CreateUnlock(&badpw)
	require.Equal(t, macaroons.ErrAlreadyUnlocked, err)

	_ = store.Close()

	// Between here and the re-opening of the store, it's possible to get
	// a double-close, but that's not such a big deal since the tests will
	// fail anyway in that case.
	_, store = openTestStore(t, tempDir)

	err = store.CreateUnlock(&badpw)
	require.Equal(t, snacl.ErrInvalidPassword, err)

	err = store.CreateUnlock(nil)
	require.Equal(t, macaroons.ErrPasswordRequired, err)

	_, _, err = store.RootKey(defaultRootKeyIDContext)
	require.Equal(t, macaroons.ErrStoreLocked, err)

	_, err = store.Get(defaultRootKeyIDContext, nil)
	require.Equal(t, macaroons.ErrStoreLocked, err)

	err = store.CreateUnlock(&pw)
	require.NoError(t, err)

	key, err = store.Get(defaultRootKeyIDContext, rootID)
	require.NoError(t, err)
	require.Equal(t, key, key2)

	key, id, err = store.RootKey(defaultRootKeyIDContext)
	require.NoError(t, err)
	require.Equal(t, key, key2)
	require.Equal(t, rootID, id)
}

// TestStoreGenerateNewRootKey tests that a root key can be replaced with a new
// one in the store without changing the password.
func TestStoreGenerateNewRootKey(t *testing.T) {
	_, cleanup, store := newTestStore(t)
	defer cleanup()

	// The store must be unlocked to replace the root key.
	err := store.GenerateNewRootKey()
	require.Equal(t, macaroons.ErrStoreLocked, err)

	// Unlock the store and read the current key.
	pw := []byte("weks")
	err = store.CreateUnlock(&pw)
	require.NoError(t, err)
	oldRootKey, _, err := store.RootKey(defaultRootKeyIDContext)
	require.NoError(t, err)

	// Replace the root key with a new random key.
	err = store.GenerateNewRootKey()
	require.NoError(t, err)

	// Finally, read the root key from the DB and compare it to the one
	// we got returned earlier. This makes sure that the encryption/
	// decryption of the key in the DB worked as expected too.
	newRootKey, _, err := store.RootKey(defaultRootKeyIDContext)
	require.NoError(t, err)
	require.NotEqual(t, oldRootKey, newRootKey)
}

// TestStoreChangePassword tests that the password for the store can be changed
// without changing the root key.
func TestStoreChangePassword(t *testing.T) {
	tempDir, cleanup, store := newTestStore(t)
	defer cleanup()

	// The store must be unlocked to replace the root key.
	err := store.ChangePassword(nil, nil)
	require.Equal(t, macaroons.ErrStoreLocked, err)

	// Unlock the DB and read the current root key. This will need to stay
	// the same after changing the password for the test to succeed.
	pw := []byte("weks")
	err = store.CreateUnlock(&pw)
	require.NoError(t, err)
	rootKey, _, err := store.RootKey(defaultRootKeyIDContext)
	require.NoError(t, err)

	// Both passwords must be set.
	err = store.ChangePassword(nil, nil)
	require.Equal(t, macaroons.ErrPasswordRequired, err)

	// Make sure that an error is returned if we try to change the password
	// without the correct old password.
	wrongPw := []byte("wrong")
	newPw := []byte("newpassword")
	err = store.ChangePassword(wrongPw, newPw)
	require.Equal(t, snacl.ErrInvalidPassword, err)

	// Now really do change the password.
	err = store.ChangePassword(pw, newPw)
	require.NoError(t, err)

	// Close the store. This will close the underlying DB and we need to
	// create a new store instance. Let's make sure we can't use it again
	// after closing.
	err = store.Close()
	require.NoError(t, err)

	err = store.CreateUnlock(&newPw)
	require.Error(t, err)

	// Let's open it again and try unlocking with the new password.
	_, store = openTestStore(t, tempDir)
	err = store.CreateUnlock(&newPw)
	require.NoError(t, err)

	// Finally read the root key from the DB using the new password and
	// make sure the root key stayed the same.
	rootKeyDb, _, err := store.RootKey(defaultRootKeyIDContext)
	require.NoError(t, err)
	require.Equal(t, rootKey, rootKeyDb)
}
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00			`package macaroons_test`

			`import (`
macaroons: drop unused variables in tests macaroons: defer service.Close() after error check in tests macaroons: linter requires that nil contexts are changed to context.TODO() 2019-09-23 17:34:58 +03:00			`"context"`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00			`"io/ioutil"`
			`"os"`
			`"path"`
			`"testing"`

macaroons: convert to use new kvdb abstraction 2020-01-10 05:45:26 +03:00			`"github.com/lightningnetwork/lnd/channeldb/kvdb"`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00			`"github.com/lightningnetwork/lnd/macaroons"`

multi: switch over import paths from roasbeef/* to btcsuite/* 2018-06-05 04:34:16 +03:00			`"github.com/btcsuite/btcwallet/snacl"`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`"github.com/stretchr/testify/require"`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00			`)`

macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00			`var (`
			`defaultRootKeyIDContext = macaroons.ContextWithRootKeyID(`
			`context.Background(), macaroons.DefaultRootKeyID,`
			`)`
			`)`

			`// newTestStore creates a new bolt DB in a temporary directory and then`
			`// initializes a root key storage for that DB.`
			`func newTestStore(t testing.T) (string, func(), macaroons.RootKeyStorage) {`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00			`tempDir, err := ioutil.TempDir("", "macaroonstore-")`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.NoError(t, err)`
macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00
			`cleanup, store := openTestStore(t, tempDir)`
			`cleanup2 := func() {`
			`cleanup()`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`_ = os.RemoveAll(tempDir)`
macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00			`}`

			`return tempDir, cleanup2, store`
			`}`

			`// openTestStore opens an existing bolt DB and then initializes a root key`
			`// storage for that DB.`
			`func openTestStore(t *testing.T, tempDir string) (func(),`
			`*macaroons.RootKeyStorage) {`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
macaroons: convert to use new kvdb abstraction 2020-01-10 05:45:26 +03:00			`db, err := kvdb.Create(`
			`kvdb.BoltBackendName, path.Join(tempDir, "weks.db"), true,`
kvdb: add timeout options for bbolt (#4787) * mod: bump btcwallet version to accept db timeout * btcwallet: add DBTimeOut in config * kvdb: add database timeout option for bbolt This commit adds a DBTimeout option in bbolt config. The relevant functions walletdb.Open/Create are updated to use this config. In addition, the bolt compacter also applies the new timeout option. * channeldb: add DBTimeout in db options This commit adds the DBTimeout option for channeldb. A new unit test file is created to test the default options. In addition, the params used in kvdb.Create inside channeldb_test is updated with a DefaultDBTimeout value. * contractcourt+routing: use DBTimeout in kvdb This commit touches multiple test files in contractcourt and routing. The call of function kvdb.Create and kvdb.Open are now updated with the new param DBTimeout, using the default value kvdb.DefaultDBTimeout. * lncfg: add DBTimeout option in db config The DBTimeout option is added to db config. A new unit test is added to check the default DB config is created as expected. * migration: add DBTimeout param in kvdb.Create/kvdb.Open * keychain: update tests to use DBTimeout param * htlcswitch+chainreg: add DBTimeout option * macaroons: support DBTimeout config in creation This commit adds the DBTimeout during the creation of macaroons.db. The usage of kvdb.Create and kvdb.Open in its tests are updated with a timeout value using kvdb.DefaultDBTimeout. * walletunlocker: add dbTimeout option in UnlockerService This commit adds a new param, dbTimeout, during the creation of UnlockerService. This param is then passed to wallet.NewLoader inside various service calls, specifying a timeout value to be used when opening the bbolt. In addition, the macaroonService is also called with this dbTimeout param. * watchtower/wtdb: add dbTimeout param during creation This commit adds the dbTimeout param for the creation of both watchtower.db and wtclient.db. * multi: add db timeout param for walletdb.Create This commit adds the db timeout param for the function call walletdb.Create. It touches only the test files found in chainntnfs, lnwallet, and routing. * lnd: pass DBTimeout config to relevant services This commit enables lnd to pass the DBTimeout config to the following services/config/functions, - chainControlConfig - walletunlocker - wallet.NewLoader - macaroons - watchtower In addition, the usage of wallet.Create is updated too. * sample-config: add dbtimeout option 2020-12-08 02:31:49 +03:00			`kvdb.DefaultDBTimeout,`
macaroons: convert to use new kvdb abstraction 2020-01-10 05:45:26 +03:00			`)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.NoError(t, err)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
			`store, err := macaroons.NewRootKeyStorage(db)`
			`if err != nil {`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`_ = db.Close()`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00			`t.Fatalf("Error creating root key store: %v", err)`
			`}`
macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00
			`cleanup := func() {`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`_ = store.Close()`
macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00			`}`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00			`return cleanup, store`
			`}`

			`// TestStore tests the normal use cases of the store like creating, unlocking,`
			`// reading keys and closing it.`
			`func TestStore(t *testing.T) {`
			`tempDir, cleanup, store := newTestStore(t)`
			`defer cleanup()`

			`_, _, err := store.RootKey(context.TODO())`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.Equal(t, macaroons.ErrStoreLocked, err)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
macaroons: drop unused variables in tests macaroons: defer service.Close() after error check in tests macaroons: linter requires that nil contexts are changed to context.TODO() 2019-09-23 17:34:58 +03:00			`_, err = store.Get(context.TODO(), nil)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.Equal(t, macaroons.ErrStoreLocked, err)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
			`pw := []byte("weks")`
			`err = store.CreateUnlock(&pw)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.NoError(t, err)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
macaroons: specify root key ID in bakery 2020-07-23 19:26:59 +03:00			`// Check ErrContextRootKeyID is returned when no root key ID found in`
			`// context.`
			`_, _, err = store.RootKey(context.TODO())`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.Equal(t, macaroons.ErrContextRootKeyID, err)`
macaroons: specify root key ID in bakery 2020-07-23 19:26:59 +03:00
			`// Check ErrMissingRootKeyID is returned when empty root key ID is used.`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`emptyKeyID := make([]byte, 0)`
macaroons: specify root key ID in bakery 2020-07-23 19:26:59 +03:00			`badCtx := macaroons.ContextWithRootKeyID(context.TODO(), emptyKeyID)`
			`_, _, err = store.RootKey(badCtx)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.Equal(t, macaroons.ErrMissingRootKeyID, err)`
macaroons: specify root key ID in bakery 2020-07-23 19:26:59 +03:00
			`// Create a context with illegal root key ID value.`
			`encryptedKeyID := []byte("enckey")`
			`badCtx = macaroons.ContextWithRootKeyID(context.TODO(), encryptedKeyID)`
			`_, _, err = store.RootKey(badCtx)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.Equal(t, macaroons.ErrKeyValueForbidden, err)`
macaroons: specify root key ID in bakery 2020-07-23 19:26:59 +03:00
			`// Create a context with root key ID value.`
macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00			`key, id, err := store.RootKey(defaultRootKeyIDContext)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.NoError(t, err)`
macaroons: specify root key ID in bakery 2020-07-23 19:26:59 +03:00
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00			`rootID := id`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.Equal(t, macaroons.DefaultRootKeyID, rootID)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00			`key2, err := store.Get(defaultRootKeyIDContext, id)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.NoError(t, err)`
			`require.Equal(t, key, key2)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
			`badpw := []byte("badweks")`
			`err = store.CreateUnlock(&badpw)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.Equal(t, macaroons.ErrAlreadyUnlocked, err)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`_ = store.Close()`
macaroons: convert to use new kvdb abstraction 2020-01-10 05:45:26 +03:00
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00			`// Between here and the re-opening of the store, it's possible to get`
			`// a double-close, but that's not such a big deal since the tests will`
			`// fail anyway in that case.`
macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00			`_, store = openTestStore(t, tempDir)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
			`err = store.CreateUnlock(&badpw)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.Equal(t, snacl.ErrInvalidPassword, err)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
			`err = store.CreateUnlock(nil)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.Equal(t, macaroons.ErrPasswordRequired, err)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00			`_, _, err = store.RootKey(defaultRootKeyIDContext)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.Equal(t, macaroons.ErrStoreLocked, err)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00			`_, err = store.Get(defaultRootKeyIDContext, nil)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.Equal(t, macaroons.ErrStoreLocked, err)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
			`err = store.CreateUnlock(&pw)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.NoError(t, err)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00			`key, err = store.Get(defaultRootKeyIDContext, rootID)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.NoError(t, err)`
			`require.Equal(t, key, key2)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00
macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00			`key, id, err = store.RootKey(defaultRootKeyIDContext)`
macaroons: use require for tests 2020-10-06 18:23:29 +03:00			`require.NoError(t, err)`
			`require.Equal(t, key, key2)`
			`require.Equal(t, rootID, id)`
multi: macaroon root key encryption 2018-02-01 03:04:56 +03:00			`}`
macaroons: add ability to change the password or create a new root key 2020-10-06 18:23:30 +03:00
			`// TestStoreGenerateNewRootKey tests that a root key can be replaced with a new`
			`// one in the store without changing the password.`
			`func TestStoreGenerateNewRootKey(t *testing.T) {`
			`_, cleanup, store := newTestStore(t)`
			`defer cleanup()`

			`// The store must be unlocked to replace the root key.`
			`err := store.GenerateNewRootKey()`
			`require.Equal(t, macaroons.ErrStoreLocked, err)`

			`// Unlock the store and read the current key.`
			`pw := []byte("weks")`
			`err = store.CreateUnlock(&pw)`
			`require.NoError(t, err)`
			`oldRootKey, _, err := store.RootKey(defaultRootKeyIDContext)`
			`require.NoError(t, err)`

			`// Replace the root key with a new random key.`
			`err = store.GenerateNewRootKey()`
			`require.NoError(t, err)`

			`// Finally, read the root key from the DB and compare it to the one`
			`// we got returned earlier. This makes sure that the encryption/`
			`// decryption of the key in the DB worked as expected too.`
			`newRootKey, _, err := store.RootKey(defaultRootKeyIDContext)`
			`require.NoError(t, err)`
			`require.NotEqual(t, oldRootKey, newRootKey)`
			`}`

			`// TestStoreChangePassword tests that the password for the store can be changed`
			`// without changing the root key.`
			`func TestStoreChangePassword(t *testing.T) {`
			`tempDir, cleanup, store := newTestStore(t)`
			`defer cleanup()`

			`// The store must be unlocked to replace the root key.`
			`err := store.ChangePassword(nil, nil)`
			`require.Equal(t, macaroons.ErrStoreLocked, err)`

			`// Unlock the DB and read the current root key. This will need to stay`
			`// the same after changing the password for the test to succeed.`
			`pw := []byte("weks")`
			`err = store.CreateUnlock(&pw)`
			`require.NoError(t, err)`
			`rootKey, _, err := store.RootKey(defaultRootKeyIDContext)`
			`require.NoError(t, err)`

			`// Both passwords must be set.`
			`err = store.ChangePassword(nil, nil)`
			`require.Equal(t, macaroons.ErrPasswordRequired, err)`

			`// Make sure that an error is returned if we try to change the password`
			`// without the correct old password.`
			`wrongPw := []byte("wrong")`
			`newPw := []byte("newpassword")`
			`err = store.ChangePassword(wrongPw, newPw)`
			`require.Equal(t, snacl.ErrInvalidPassword, err)`

			`// Now really do change the password.`
			`err = store.ChangePassword(pw, newPw)`
			`require.NoError(t, err)`

			`// Close the store. This will close the underlying DB and we need to`
			`// create a new store instance. Let's make sure we can't use it again`
			`// after closing.`
			`err = store.Close()`
			`require.NoError(t, err)`

			`err = store.CreateUnlock(&newPw)`
			`require.Error(t, err)`

			`// Let's open it again and try unlocking with the new password.`
			`_, store = openTestStore(t, tempDir)`
			`err = store.CreateUnlock(&newPw)`
			`require.NoError(t, err)`

			`// Finally read the root key from the DB using the new password and`
			`// make sure the root key stayed the same.`
			`rootKeyDb, _, err := store.RootKey(defaultRootKeyIDContext)`
			`require.NoError(t, err)`
			`require.Equal(t, rootKey, rootKeyDb)`
			`}`