macaroons: remember stateless init

To make sure no macaroons are created anywhere if the stateless
initialization was requested, we keep the requested initialization mode
in the memory of the macaroon service.
This commit is contained in:
Oliver Gugger 2020-10-06 17:23:31 +02:00
parent ae71d60715
commit 294cb4a966
No known key found for this signature in database
GPG Key ID: 8E4256593F177720
3 changed files with 13 additions and 6 deletions

lnd.go

@ -408,7 +408,7 @@ func Main(cfg *Config, lisCfg ListenerCfg, shutdownChan <-chan struct{}) error {
if !cfg.NoMacaroons { if !cfg.NoMacaroons {
// Create the macaroon authentication/authorization service. // Create the macaroon authentication/authorization service.
macaroonService, err = macaroons.NewService( macaroonService, err = macaroons.NewService(
cfg.networkDir, "lnd", macaroons.IPLockChecker, cfg.networkDir, "lnd", false, macaroons.IPLockChecker,
) )
if err != nil { if err != nil {
err := fmt.Errorf("unable to set up macaroon "+ err := fmt.Errorf("unable to set up macaroon "+
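Review bot: The updated NewService call on the changed line passes the literal `false` for the new statelessInit argument, so Main can never start the macaroon service in stateless mode even though, per the new field's comment, that flag is what is meant to stop macaroon files from being written to disk. Presumably a config option will drive this in a follow-up; until then a marker such as `// TODO: pass the stateless init setting from cfg once it exists` on the call site would make the placeholder explicit rather than looking like a deliberate choice. Main continues outside the hunk.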

@ -62,6 +62,10 @@ type Service struct {
// If no external validator for an URI is specified, the service will // If no external validator for an URI is specified, the service will
// use the internal validator. // use the internal validator.
externalValidators map[string]MacaroonValidator externalValidators map[string]MacaroonValidator
// StatelessInit denotes if the service was initialized in the stateless
// mode where no macaroon files should be created on disk.
StatelessInit bool
} }
// NewService returns a service backed by the macaroon Bolt DB stored in the // NewService returns a service backed by the macaroon Bolt DB stored in the
@ -71,7 +75,9 @@ type Service struct {
// listing the same checker more than once is not harmful. Default checkers, // listing the same checker more than once is not harmful. Default checkers,
// such as those for `allow`, `time-before`, `declared`, and `error` caveats // such as those for `allow`, `time-before`, `declared`, and `error` caveats
// are registered automatically and don't need to be added. // are registered automatically and don't need to be added.
func NewService(dir, location string, checks ...Checker) (*Service, error) { func NewService(dir, location string, statelessInit bool,
checks ...Checker) (*Service, error) {
// Ensure that the path to the directory exists. // Ensure that the path to the directory exists.
if _, err := os.Stat(dir); os.IsNotExist(err) { if _, err := os.Stat(dir); os.IsNotExist(err) {
if err := os.MkdirAll(dir, 0700); err != nil { if err := os.MkdirAll(dir, 0700); err != nil {
@ -118,6 +124,7 @@ func NewService(dir, location string, checks ...Checker) (*Service, error) {
Bakery: *svc, Bakery: *svc,
rks: rootKeyStore, rks: rootKeyStore,
externalValidators: make(map[string]MacaroonValidator), externalValidators: make(map[string]MacaroonValidator),
StatelessInit: statelessInit,
}, nil }, nil
} }
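Review bot: The doc comment above the NewService signature in the second hunk is not updated for the new statelessInit parameter, so a caller has to find the struct field comment to learn what the bool means. A sentence such as `// If statelessInit is true, the service records that it was initialized statelessly and no macaroon files should be created on disk.` would keep the constructor self-describing. Separately, `StatelessInit` is an exported, writable field, so any package can change it after construction; if it is meant to be fixed at init time, as the name and the comment suggest, an unexported field with a read-only accessor would enforce that. NewService's body is only partly visible across the second and third hunks.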

@ -67,7 +67,7 @@ func TestNewService(t *testing.T) {
// Second, create the new service instance, unlock it and pass in a // Second, create the new service instance, unlock it and pass in a
// checker that we expect it to add to the bakery. // checker that we expect it to add to the bakery.
service, err := macaroons.NewService( service, err := macaroons.NewService(
tempDir, "lnd", macaroons.IPLockChecker, tempDir, "lnd", false, macaroons.IPLockChecker,
) )
if err != nil { if err != nil {
t.Fatalf("Error creating new service: %v", err) t.Fatalf("Error creating new service: %v", err)
@ -118,7 +118,7 @@ func TestValidateMacaroon(t *testing.T) {
tempDir := setupTestRootKeyStorage(t) tempDir := setupTestRootKeyStorage(t)
defer os.RemoveAll(tempDir) defer os.RemoveAll(tempDir)
service, err := macaroons.NewService( service, err := macaroons.NewService(
tempDir, "lnd", macaroons.IPLockChecker, tempDir, "lnd", false, macaroons.IPLockChecker,
) )
if err != nil { if err != nil {
t.Fatalf("Error creating new service: %v", err) t.Fatalf("Error creating new service: %v", err)
@ -178,7 +178,7 @@ func TestListMacaroonIDs(t *testing.T) {
// Second, create the new service instance, unlock it and pass in a // Second, create the new service instance, unlock it and pass in a
// checker that we expect it to add to the bakery. // checker that we expect it to add to the bakery.
service, err := macaroons.NewService( service, err := macaroons.NewService(
tempDir, "lnd", macaroons.IPLockChecker, tempDir, "lnd", false, macaroons.IPLockChecker,
) )
require.NoError(t, err, "Error creating new service") require.NoError(t, err, "Error creating new service")
defer service.Close() defer service.Close()
@ -210,7 +210,7 @@ func TestDeleteMacaroonID(t *testing.T) {
// Second, create the new service instance, unlock it and pass in a // Second, create the new service instance, unlock it and pass in a
// checker that we expect it to add to the bakery. // checker that we expect it to add to the bakery.
service, err := macaroons.NewService( service, err := macaroons.NewService(
tempDir, "lnd", macaroons.IPLockChecker, tempDir, "lnd", false, macaroons.IPLockChecker,
) )
require.NoError(t, err, "Error creating new service") require.NoError(t, err, "Error creating new service")
defer service.Close() defer service.Close()
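Review bot: All four updated tests pass `false` for the new statelessInit argument, so the StatelessInit field added in this commit is never asserted in either state. A small case that constructs the service with `true` and checks `require.True(t, service.StatelessInit)` would pin the wiring, and a `false` case alongside it would guard against the parameter being dropped or inverted later. TestDeleteMacaroonID continues outside the hunk.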