lnrpc: add arguments for stateless wallet initialization to wallet unlocker

This commit adds the --stateless_init flag to all three wallet unlocker
operations. Once you initialize a wallet statelessly, you need to set
this flag for every subsequent wallet unlocker operation. Otherwise you
risk leaking unencrypted macaroon information to the underlying
system.
Oliver Gugger 2020-10-06 17:23:26 +02:00
parent 4f4adab1dc
commit 4c8d374007
GPG Key ID: 8E4256593F177720
3 changed files with 209 additions and 45 deletions

@ -167,6 +167,12 @@ type InitWalletRequest struct {
//funds, lnd begin to carry out the data loss recovery protocol in order to //funds, lnd begin to carry out the data loss recovery protocol in order to
//recover the funds in each channel from a remote force closed transaction. //recover the funds in each channel from a remote force closed transaction.
ChannelBackups *ChanBackupSnapshot `protobuf:"bytes,5,opt,name=channel_backups,json=channelBackups,proto3" json:"channel_backups,omitempty"` ChannelBackups *ChanBackupSnapshot `protobuf:"bytes,5,opt,name=channel_backups,json=channelBackups,proto3" json:"channel_backups,omitempty"`
//
//stateless_init is an optional argument instructing the daemon NOT to create
//any *.macaroon files in its filesystem. If this parameter is set, then the
//admin macaroon returned in the response MUST be stored by the caller of the
//RPC as otherwise all access to the daemon will be lost!
StatelessInit bool `protobuf:"varint,6,opt,name=stateless_init,json=statelessInit,proto3" json:"stateless_init,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"` XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"` XXX_sizecache int32 `json:"-"`
@ -232,7 +238,21 @@ func (m *InitWalletRequest) GetChannelBackups() *ChanBackupSnapshot {
return nil return nil
} }
func (m *InitWalletRequest) GetStatelessInit() bool {
if m != nil {
return m.StatelessInit
}
return false
}
type InitWalletResponse struct { type InitWalletResponse struct {
//
//The binary serialized admin macaroon that can be used to access the daemon
//after creating the wallet. If the stateless_init parameter was set to true,
//this is the ONLY copy of the macaroon and MUST be stored safely by the
//caller. Otherwise a copy of this macaroon is also persisted on disk by the
//daemon, together with other macaroon files.
AdminMacaroon []byte `protobuf:"bytes,1,opt,name=admin_macaroon,json=adminMacaroon,proto3" json:"admin_macaroon,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"` XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"` XXX_sizecache int32 `json:"-"`
@ -263,6 +283,13 @@ func (m *InitWalletResponse) XXX_DiscardUnknown() {
var xxx_messageInfo_InitWalletResponse proto.InternalMessageInfo var xxx_messageInfo_InitWalletResponse proto.InternalMessageInfo
func (m *InitWalletResponse) GetAdminMacaroon() []byte {
if m != nil {
return m.AdminMacaroon
}
return nil
}
type UnlockWalletRequest struct { type UnlockWalletRequest struct {
// //
//wallet_password should be the current valid passphrase for the daemon. This //wallet_password should be the current valid passphrase for the daemon. This
@ -284,6 +311,10 @@ type UnlockWalletRequest struct {
//funds, lnd begin to carry out the data loss recovery protocol in order to //funds, lnd begin to carry out the data loss recovery protocol in order to
//recover the funds in each channel from a remote force closed transaction. //recover the funds in each channel from a remote force closed transaction.
ChannelBackups *ChanBackupSnapshot `protobuf:"bytes,3,opt,name=channel_backups,json=channelBackups,proto3" json:"channel_backups,omitempty"` ChannelBackups *ChanBackupSnapshot `protobuf:"bytes,3,opt,name=channel_backups,json=channelBackups,proto3" json:"channel_backups,omitempty"`
//
//stateless_init is an optional argument instructing the daemon NOT to create
//any *.macaroon files in its file system.
StatelessInit bool `protobuf:"varint,4,opt,name=stateless_init,json=statelessInit,proto3" json:"stateless_init,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"` XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"` XXX_sizecache int32 `json:"-"`
@ -335,6 +366,13 @@ func (m *UnlockWalletRequest) GetChannelBackups() *ChanBackupSnapshot {
return nil return nil
} }
func (m *UnlockWalletRequest) GetStatelessInit() bool {
if m != nil {
return m.StatelessInit
}
return false
}
type UnlockWalletResponse struct { type UnlockWalletResponse struct {
XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"` XXX_unrecognized []byte `json:"-"`
@ -375,6 +413,17 @@ type ChangePasswordRequest struct {
//new_password should be the new passphrase that will be needed to unlock the //new_password should be the new passphrase that will be needed to unlock the
//daemon. When using REST, this field must be encoded as base64. //daemon. When using REST, this field must be encoded as base64.
NewPassword []byte `protobuf:"bytes,2,opt,name=new_password,json=newPassword,proto3" json:"new_password,omitempty"` NewPassword []byte `protobuf:"bytes,2,opt,name=new_password,json=newPassword,proto3" json:"new_password,omitempty"`
//
//stateless_init is an optional argument instructing the daemon NOT to create
//any *.macaroon files in its filesystem. If this parameter is set, then the
//admin macaroon returned in the response MUST be stored by the caller of the
//RPC as otherwise all access to the daemon will be lost!
StatelessInit bool `protobuf:"varint,3,opt,name=stateless_init,json=statelessInit,proto3" json:"stateless_init,omitempty"`
//
//new_macaroon_root_key is an optional argument instructing the daemon to
//rotate the macaroon root key when set to true. This will invalidate all
//previously generated macaroons.
NewMacaroonRootKey bool `protobuf:"varint,4,opt,name=new_macaroon_root_key,json=newMacaroonRootKey,proto3" json:"new_macaroon_root_key,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"` XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"` XXX_sizecache int32 `json:"-"`
@ -419,7 +468,29 @@ func (m *ChangePasswordRequest) GetNewPassword() []byte {
return nil return nil
} }
func (m *ChangePasswordRequest) GetStatelessInit() bool {
if m != nil {
return m.StatelessInit
}
return false
}
func (m *ChangePasswordRequest) GetNewMacaroonRootKey() bool {
if m != nil {
return m.NewMacaroonRootKey
}
return false
}
type ChangePasswordResponse struct { type ChangePasswordResponse struct {
//
//The binary serialized admin macaroon that can be used to access the daemon
//after rotating the macaroon root key. If both the stateless_init and
//new_macaroon_root_key parameter were set to true, this is the ONLY copy of
//the macaroon that was created from the new root key and MUST be stored
//safely by the caller. Otherwise a copy of this macaroon is also persisted on
//disk by the daemon, together with other macaroon files.
AdminMacaroon []byte `protobuf:"bytes,1,opt,name=admin_macaroon,json=adminMacaroon,proto3" json:"admin_macaroon,omitempty"`
XXX_NoUnkeyedLiteral struct{} `json:"-"` XXX_NoUnkeyedLiteral struct{} `json:"-"`
XXX_unrecognized []byte `json:"-"` XXX_unrecognized []byte `json:"-"`
XXX_sizecache int32 `json:"-"` XXX_sizecache int32 `json:"-"`
@ -450,6 +521,13 @@ func (m *ChangePasswordResponse) XXX_DiscardUnknown() {
var xxx_messageInfo_ChangePasswordResponse proto.InternalMessageInfo var xxx_messageInfo_ChangePasswordResponse proto.InternalMessageInfo
func (m *ChangePasswordResponse) GetAdminMacaroon() []byte {
if m != nil {
return m.AdminMacaroon
}
return nil
}
func init() { func init() {
proto.RegisterType((*GenSeedRequest)(nil), "lnrpc.GenSeedRequest") proto.RegisterType((*GenSeedRequest)(nil), "lnrpc.GenSeedRequest")
proto.RegisterType((*GenSeedResponse)(nil), "lnrpc.GenSeedResponse") proto.RegisterType((*GenSeedResponse)(nil), "lnrpc.GenSeedResponse")
@ -464,39 +542,45 @@ func init() {
func init() { proto.RegisterFile("walletunlocker.proto", fileDescriptor_76e3ed10ed53e4fd) } func init() { proto.RegisterFile("walletunlocker.proto", fileDescriptor_76e3ed10ed53e4fd) }
var fileDescriptor_76e3ed10ed53e4fd = []byte{ var fileDescriptor_76e3ed10ed53e4fd = []byte{
// 510 bytes of a gzipped FileDescriptorProto // 599 bytes of a gzipped FileDescriptorProto
0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x9c, 0x54, 0x4f, 0x6b, 0xdb, 0x4e, 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xa4, 0x94, 0xdd, 0x6a, 0xdb, 0x4c,
0x10, 0x45, 0xf6, 0xcf, 0xbf, 0x92, 0x89, 0x91, 0x92, 0xad, 0x63, 0x14, 0xb5, 0x05, 0x47, 0x50, 0x10, 0x86, 0x91, 0x9d, 0xe4, 0xfb, 0x32, 0x71, 0xe4, 0x64, 0x9b, 0x04, 0xc5, 0x6d, 0xc1, 0x11,
0xec, 0x52, 0xb0, 0x4b, 0x7a, 0xe9, 0xb5, 0x2e, 0x25, 0xf4, 0x10, 0x08, 0x0e, 0x21, 0xd0, 0x8b, 0x04, 0xbb, 0x14, 0x9c, 0x36, 0x3d, 0x29, 0xf4, 0xa0, 0x34, 0xa5, 0x84, 0x52, 0x02, 0x41, 0x21,
0x2b, 0x4b, 0x83, 0x25, 0x2c, 0xcf, 0x6e, 0x77, 0xe5, 0x8a, 0xf4, 0x13, 0xf4, 0x8b, 0xf4, 0xd4, 0x04, 0x7a, 0xa2, 0x6e, 0xa4, 0xc1, 0x12, 0x96, 0x67, 0xd5, 0xdd, 0x75, 0x85, 0x7b, 0x3f, 0x3d,
0x2f, 0x59, 0xbc, 0xbb, 0xfe, 0x17, 0xcb, 0xd0, 0xf6, 0xfa, 0xde, 0xbc, 0xdd, 0x79, 0x6f, 0x66, 0xee, 0x25, 0xf4, 0x1e, 0x7a, 0x45, 0x45, 0xab, 0xb5, 0xf3, 0x63, 0x19, 0xfa, 0x73, 0xfa, 0xcc,
0x17, 0x5a, 0x65, 0x94, 0xe7, 0x58, 0x2c, 0x28, 0xe7, 0xf1, 0x0c, 0x65, 0x5f, 0x48, 0x5e, 0x70, 0xcc, 0xee, 0xbc, 0xef, 0xcc, 0x2e, 0xec, 0x14, 0x3c, 0xcb, 0x50, 0x4f, 0x28, 0x13, 0xd1, 0x08,
0xd6, 0xc8, 0x49, 0x8a, 0x38, 0x38, 0x92, 0x22, 0x36, 0x48, 0xf8, 0x05, 0xdc, 0x2b, 0xa4, 0x5b, 0xe5, 0x20, 0x97, 0x42, 0x0b, 0xb6, 0x9a, 0x91, 0xcc, 0xa3, 0xce, 0xba, 0xcc, 0xa3, 0x8a, 0xf8,
0xc4, 0x64, 0x84, 0x5f, 0x17, 0xa8, 0x0a, 0xf6, 0x1a, 0x4e, 0x23, 0xfc, 0x8e, 0x98, 0x8c, 0x45, 0x9f, 0xc0, 0x3d, 0x45, 0xba, 0x40, 0x8c, 0x03, 0xfc, 0x3c, 0x41, 0xa5, 0xd9, 0x53, 0xd8, 0xe6,
0xa4, 0x94, 0x48, 0x65, 0xa4, 0xd0, 0x77, 0x3a, 0x4e, 0xaf, 0x39, 0x3a, 0x31, 0xc4, 0xcd, 0x1a, 0xf8, 0x15, 0x31, 0x0e, 0x73, 0xae, 0x54, 0x9e, 0x48, 0xae, 0xd0, 0x73, 0xba, 0x4e, 0xbf, 0x15,
0x67, 0x17, 0xd0, 0x54, 0xcb, 0x52, 0xa4, 0x42, 0x72, 0xf1, 0xe0, 0xd7, 0x74, 0xdd, 0xf1, 0x12, 0x6c, 0x55, 0x81, 0xf3, 0x39, 0x67, 0x07, 0xd0, 0x52, 0x65, 0x2a, 0x92, 0x96, 0x22, 0x9f, 0x7a,
0xfb, 0x68, 0xa0, 0x30, 0x07, 0x6f, 0x7d, 0x83, 0x12, 0x9c, 0x14, 0xb2, 0x37, 0xd0, 0x8a, 0x33, 0x0d, 0x93, 0xb7, 0x51, 0xb2, 0x77, 0x15, 0xf2, 0x33, 0x68, 0xcf, 0x6f, 0x50, 0xb9, 0x20, 0x85,
0x91, 0xa2, 0x1c, 0x6b, 0xf1, 0x9c, 0x70, 0xce, 0x29, 0x8b, 0x7d, 0xa7, 0x53, 0xef, 0x1d, 0x8d, 0xec, 0x19, 0xec, 0x44, 0x69, 0x9e, 0xa0, 0x0c, 0x4d, 0xf1, 0x98, 0x70, 0x2c, 0x28, 0x8d, 0x3c,
0x98, 0xe1, 0x96, 0x8a, 0x6b, 0xcb, 0xb0, 0x2e, 0x78, 0x48, 0x06, 0xc7, 0x44, 0xab, 0xec, 0x55, 0xa7, 0xdb, 0xec, 0xaf, 0x07, 0xac, 0x8a, 0x95, 0x15, 0x67, 0x36, 0xc2, 0x7a, 0xd0, 0x46, 0xaa,
0xee, 0x06, 0x5e, 0x0a, 0xc2, 0x1f, 0x35, 0x38, 0xfd, 0x44, 0x59, 0x71, 0xaf, 0xed, 0xaf, 0x3c, 0x38, 0xc6, 0xa6, 0xca, 0x5e, 0xe5, 0xde, 0xe0, 0xb2, 0xc0, 0xff, 0xde, 0x80, 0xed, 0xf7, 0x94,
0x75, 0xc1, 0x33, 0x79, 0x68, 0x4f, 0x25, 0x97, 0x89, 0x75, 0xe4, 0x1a, 0xf8, 0xc6, 0xa2, 0x07, 0xea, 0x2b, 0x23, 0x7f, 0xa6, 0xa9, 0x07, 0xed, 0xca, 0x0f, 0xa3, 0xa9, 0x10, 0x32, 0xb6, 0x8a,
0x3b, 0xab, 0x1d, 0xec, 0xac, 0x32, 0xae, 0xfa, 0x81, 0xb8, 0xba, 0xe0, 0x49, 0x8c, 0xf9, 0x37, 0xdc, 0x0a, 0x9f, 0x5b, 0xba, 0xb4, 0xb3, 0xc6, 0xd2, 0xce, 0x6a, 0xed, 0x6a, 0x2e, 0xb1, 0xab,
0x94, 0x0f, 0xe3, 0x32, 0xa3, 0x84, 0x97, 0xfe, 0x7f, 0x1d, 0xa7, 0xd7, 0x18, 0xb9, 0x2b, 0xf8, 0x07, 0x6d, 0x89, 0x91, 0xf8, 0x82, 0x72, 0x1a, 0x16, 0x29, 0xc5, 0xa2, 0xf0, 0x56, 0xba, 0x4e,
0x5e, 0xa3, 0x6c, 0x08, 0x5e, 0x9c, 0x46, 0x44, 0x98, 0x8f, 0x27, 0x51, 0x3c, 0x5b, 0x08, 0xe5, 0x7f, 0x35, 0x70, 0x67, 0xf8, 0xca, 0x50, 0x76, 0x02, 0xed, 0x28, 0xe1, 0x44, 0x98, 0x85, 0xd7,
0x37, 0x3a, 0x4e, 0xef, 0xf8, 0xf2, 0xbc, 0xaf, 0x47, 0xd8, 0xff, 0x90, 0x46, 0x34, 0xd4, 0xcc, 0x3c, 0x1a, 0x4d, 0x72, 0xe5, 0xad, 0x76, 0x9d, 0xfe, 0xc6, 0xf1, 0xfe, 0xc0, 0x8c, 0x70, 0xf0,
0x2d, 0x45, 0x42, 0xa5, 0xbc, 0x18, 0xb9, 0x56, 0x61, 0x60, 0x15, 0xb6, 0x80, 0x6d, 0x27, 0x61, 0x36, 0xe1, 0x74, 0x62, 0x22, 0x17, 0xc4, 0x73, 0x95, 0x08, 0x1d, 0xb8, 0xb6, 0xa2, 0xc2, 0x8a,
0xb2, 0x0f, 0x7f, 0x39, 0xf0, 0xf4, 0x4e, 0x6f, 0xc5, 0x3f, 0x46, 0x54, 0xe1, 0xa1, 0xf6, 0xa7, 0x1d, 0x82, 0xab, 0x34, 0xd7, 0x98, 0xa1, 0x52, 0x61, 0x4a, 0xa9, 0xf6, 0xd6, 0xba, 0x4e, 0xff,
0x1e, 0xea, 0x7f, 0xeb, 0xa1, 0x0d, 0xad, 0xdd, 0x66, 0xad, 0x0b, 0x84, 0xb3, 0xa5, 0x7a, 0x8a, 0xff, 0x60, 0x73, 0x4e, 0x4b, 0xa3, 0xfc, 0x57, 0xc0, 0x6e, 0x1b, 0x66, 0x47, 0x74, 0x08, 0x2e,
0xab, 0xb6, 0x56, 0x36, 0x5e, 0xc1, 0x49, 0xbc, 0x90, 0x12, 0x69, 0xcf, 0x87, 0x67, 0xf1, 0xb5, 0x8f, 0xc7, 0x29, 0x85, 0x63, 0x1e, 0x71, 0x29, 0x04, 0x59, 0xc3, 0x36, 0x0d, 0x3d, 0xb3, 0xd0,
0x91, 0x0b, 0x68, 0x12, 0x96, 0x9b, 0x32, 0xbb, 0xbb, 0x84, 0xe5, 0xaa, 0x24, 0xf4, 0xa1, 0xfd, 0xff, 0xe9, 0xc0, 0x83, 0x4b, 0xb3, 0x63, 0x7f, 0x69, 0x78, 0x8d, 0x23, 0x8d, 0xdf, 0x75, 0xa4,
0xf8, 0x1a, 0xd3, 0xc0, 0xe5, 0xcf, 0x1a, 0xb8, 0xa6, 0xa7, 0x3b, 0xfb, 0xc4, 0xd8, 0x3b, 0x78, 0xf9, 0xef, 0x8e, 0xac, 0xd4, 0x39, 0xb2, 0x07, 0x3b, 0x77, 0x35, 0x55, 0x9e, 0xf8, 0x3f, 0x1c,
0x62, 0x17, 0x9d, 0x9d, 0x59, 0x87, 0xbb, 0x4f, 0x2b, 0x68, 0x3f, 0x86, 0xed, 0x7b, 0x78, 0x0f, 0xd8, 0x2d, 0x6f, 0x19, 0xe2, 0xac, 0xfd, 0x99, 0xdc, 0x27, 0xb0, 0x15, 0x4d, 0xa4, 0x44, 0x5a,
0xb0, 0x99, 0x14, 0xf3, 0x6d, 0xd5, 0xde, 0x1a, 0x07, 0xe7, 0x15, 0x8c, 0x3d, 0xe2, 0x0a, 0x9a, 0xd0, 0xdb, 0xb6, 0x7c, 0x2e, 0xf8, 0x00, 0x5a, 0x84, 0xc5, 0x4d, 0x9a, 0x7d, 0x31, 0x84, 0xc5,
0xdb, 0x41, 0xb1, 0xc0, 0x96, 0x56, 0x8c, 0x3a, 0x78, 0x56, 0xc9, 0xd9, 0x83, 0xae, 0xc1, 0xdd, 0x3c, 0x65, 0xb1, 0xcd, 0x66, 0x4d, 0x9b, 0xec, 0x39, 0xec, 0x96, 0x27, 0xcd, 0x06, 0x14, 0x4a,
0xb5, 0xcc, 0x9e, 0x6f, 0x8d, 0x6b, 0x2f, 0xf0, 0xe0, 0xc5, 0x01, 0xd6, 0x1c, 0x37, 0xec, 0x7e, 0x21, 0x74, 0x38, 0xc2, 0xa9, 0x15, 0xc5, 0x08, 0x8b, 0xd9, 0x9c, 0x02, 0x21, 0xf4, 0x07, 0x9c,
0x7e, 0x39, 0xcd, 0x8a, 0x74, 0x31, 0xe9, 0xc7, 0x7c, 0x3e, 0xc8, 0xb3, 0x69, 0x5a, 0x50, 0x46, 0xfa, 0xaf, 0x61, 0xef, 0xbe, 0x80, 0x3f, 0x9a, 0xf7, 0xf1, 0xb7, 0x06, 0xb8, 0x95, 0x2b, 0x97,
0x53, 0xc2, 0xa2, 0xe4, 0x72, 0x36, 0xc8, 0x29, 0x19, 0x68, 0xfd, 0xe4, 0x7f, 0xfd, 0x1f, 0xbd, 0xf6, 0x67, 0x61, 0x2f, 0xe1, 0x3f, 0xfb, 0xbe, 0xd9, 0xae, 0x1d, 0xc5, 0xdd, 0x1f, 0xa5, 0xb3,
0xfd, 0x1d, 0x00, 0x00, 0xff, 0xff, 0x94, 0x54, 0xe3, 0x28, 0xb9, 0x04, 0x00, 0x00, 0x77, 0x1f, 0xdb, 0x3b, 0xdf, 0x00, 0xdc, 0x6c, 0x1e, 0xf3, 0x6c, 0xd6, 0xc2, 0xeb, 0xed, 0xec,
0xd7, 0x44, 0xec, 0x11, 0xa7, 0xd0, 0xba, 0x3d, 0x2a, 0xd6, 0xb1, 0xa9, 0x35, 0x3b, 0xd9, 0x79,
0x58, 0x1b, 0xb3, 0x07, 0x9d, 0x81, 0x7b, 0xd7, 0x19, 0xf6, 0xe8, 0xd6, 0x5e, 0x2d, 0x4c, 0xbc,
0xf3, 0x78, 0x49, 0xb4, 0x3a, 0xee, 0xa4, 0xf7, 0xf1, 0x70, 0x98, 0xea, 0x64, 0x72, 0x3d, 0x88,
0xc4, 0xf8, 0x28, 0x4b, 0x87, 0x89, 0xa6, 0x94, 0x86, 0x84, 0xba, 0x10, 0x72, 0x74, 0x94, 0x51,
0x7c, 0x64, 0xea, 0xaf, 0xd7, 0xcc, 0x37, 0xfc, 0xe2, 0x57, 0x00, 0x00, 0x00, 0xff, 0xff, 0xf8,
0x7a, 0x3b, 0x08, 0xb0, 0x05, 0x00, 0x00,
} }
// Reference imports to suppress errors if they are not otherwise used. // Reference imports to suppress errors if they are not otherwise used.

@ -141,8 +141,24 @@ message InitWalletRequest {
recover the funds in each channel from a remote force closed transaction. recover the funds in each channel from a remote force closed transaction.
*/ */
ChanBackupSnapshot channel_backups = 5; ChanBackupSnapshot channel_backups = 5;
/*
stateless_init is an optional argument instructing the daemon NOT to create
any *.macaroon files in its filesystem. If this parameter is set, then the
admin macaroon returned in the response MUST be stored by the caller of the
RPC as otherwise all access to the daemon will be lost!
*/
bool stateless_init = 6;
} }
message InitWalletResponse { message InitWalletResponse {
/*
The binary serialized admin macaroon that can be used to access the daemon
after creating the wallet. If the stateless_init parameter was set to true,
this is the ONLY copy of the macaroon and MUST be stored safely by the
caller. Otherwise a copy of this macaroon is also persisted on disk by the
daemon, together with other macaroon files.
*/
bytes admin_macaroon = 1;
} }
message UnlockWalletRequest { message UnlockWalletRequest {
@ -171,6 +187,12 @@ message UnlockWalletRequest {
recover the funds in each channel from a remote force closed transaction. recover the funds in each channel from a remote force closed transaction.
*/ */
ChanBackupSnapshot channel_backups = 3; ChanBackupSnapshot channel_backups = 3;
/*
stateless_init is an optional argument instructing the daemon NOT to create
any *.macaroon files in its file system.
*/
bool stateless_init = 4;
} }
message UnlockWalletResponse { message UnlockWalletResponse {
} }
@ -187,6 +209,30 @@ message ChangePasswordRequest {
daemon. When using REST, this field must be encoded as base64. daemon. When using REST, this field must be encoded as base64.
*/ */
bytes new_password = 2; bytes new_password = 2;
/*
stateless_init is an optional argument instructing the daemon NOT to create
any *.macaroon files in its filesystem. If this parameter is set, then the
admin macaroon returned in the response MUST be stored by the caller of the
RPC as otherwise all access to the daemon will be lost!
*/
bool stateless_init = 3;
/*
new_macaroon_root_key is an optional argument instructing the daemon to
rotate the macaroon root key when set to true. This will invalidate all
previously generated macaroons.
*/
bool new_macaroon_root_key = 4;
} }
message ChangePasswordResponse { message ChangePasswordResponse {
/*
The binary serialized admin macaroon that can be used to access the daemon
after rotating the macaroon root key. If both the stateless_init and
new_macaroon_root_key parameter were set to true, this is the ONLY copy of
the macaroon that was created from the new root key and MUST be stored
safely by the caller. Otherwise a copy of this macaroon is also persisted on
disk by the daemon, together with other macaroon files.
*/
bytes admin_macaroon = 1;
} }
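Review bot: The stateless_init comment on UnlockWalletRequest (field 4) says only that the daemon will not create *.macaroon files; it omits the caveat from the commit message that a wallet initialized stateless needs this flag on every later unlocker call, which is the point an integrator is most likely to miss. I would extend that comment, for example `If the wallet was initialized with stateless_init, this flag must be set on every unlock as well; otherwise macaroon files are written to the daemon's file system.` The comment on ChangePasswordRequest.stateless_init also looks copied from InitWalletRequest: it says the returned admin macaroon must be stored or access is lost, while the ChangePasswordResponse comment ties that to new_macaroon_root_key also being set, so the two should be reconciled. Since admin_macaroon is a bearer credential returned in the RPC response, the response comments could also tell callers to keep it out of logs; the handler code is not in this section, so whether the daemon itself logs it cannot be judged here.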

@ -180,11 +180,28 @@
"type": "string", "type": "string",
"format": "byte", "format": "byte",
"description": "new_password should be the new passphrase that will be needed to unlock the\ndaemon. When using REST, this field must be encoded as base64." "description": "new_password should be the new passphrase that will be needed to unlock the\ndaemon. When using REST, this field must be encoded as base64."
},
"stateless_init": {
"type": "boolean",
"format": "boolean",
"title": "stateless_init is an optional argument instructing the daemon NOT to create\nany *.macaroon files in its filesystem. If this parameter is set, then the\nadmin macaroon returned in the response MUST be stored by the caller of the\nRPC as otherwise all access to the daemon will be lost!"
},
"new_macaroon_root_key": {
"type": "boolean",
"format": "boolean",
"description": "new_macaroon_root_key is an optional argument instructing the daemon to\nrotate the macaroon root key when set to true. This will invalidate all\npreviously generated macaroons."
} }
} }
}, },
"lnrpcChangePasswordResponse": { "lnrpcChangePasswordResponse": {
"type": "object" "type": "object",
"properties": {
"admin_macaroon": {
"type": "string",
"format": "byte",
"description": "The binary serialized admin macaroon that can be used to access the daemon\nafter rotating the macaroon root key. If both the stateless_init and\nnew_macaroon_root_key parameter were set to true, this is the ONLY copy of\nthe macaroon that was created from the new root key and MUST be stored\nsafely by the caller. Otherwise a copy of this macaroon is also persisted on\ndisk by the daemon, together with other macaroon files."
}
}
}, },
"lnrpcChannelBackup": { "lnrpcChannelBackup": {
"type": "object", "type": "object",
@ -276,11 +293,23 @@
"channel_backups": { "channel_backups": {
"$ref": "#/definitions/lnrpcChanBackupSnapshot", "$ref": "#/definitions/lnrpcChanBackupSnapshot",
"description": "channel_backups is an optional argument that allows clients to recover the\nsettled funds within a set of channels. This should be populated if the\nuser was unable to close out all channels and sweep funds before partial or\ntotal data loss occurred. If specified, then after on-chain recovery of\nfunds, lnd begin to carry out the data loss recovery protocol in order to\nrecover the funds in each channel from a remote force closed transaction." "description": "channel_backups is an optional argument that allows clients to recover the\nsettled funds within a set of channels. This should be populated if the\nuser was unable to close out all channels and sweep funds before partial or\ntotal data loss occurred. If specified, then after on-chain recovery of\nfunds, lnd begin to carry out the data loss recovery protocol in order to\nrecover the funds in each channel from a remote force closed transaction."
},
"stateless_init": {
"type": "boolean",
"format": "boolean",
"title": "stateless_init is an optional argument instructing the daemon NOT to create\nany *.macaroon files in its filesystem. If this parameter is set, then the\nadmin macaroon returned in the response MUST be stored by the caller of the\nRPC as otherwise all access to the daemon will be lost!"
} }
} }
}, },
"lnrpcInitWalletResponse": { "lnrpcInitWalletResponse": {
"type": "object" "type": "object",
"properties": {
"admin_macaroon": {
"type": "string",
"format": "byte",
"description": "The binary serialized admin macaroon that can be used to access the daemon\nafter creating the wallet. If the stateless_init parameter was set to true,\nthis is the ONLY copy of the macaroon and MUST be stored safely by the\ncaller. Otherwise a copy of this macaroon is also persisted on disk by the\ndaemon, together with other macaroon files."
}
}
}, },
"lnrpcMultiChanBackup": { "lnrpcMultiChanBackup": {
"type": "object", "type": "object",
@ -315,6 +344,11 @@
"channel_backups": { "channel_backups": {
"$ref": "#/definitions/lnrpcChanBackupSnapshot", "$ref": "#/definitions/lnrpcChanBackupSnapshot",
"description": "channel_backups is an optional argument that allows clients to recover the\nsettled funds within a set of channels. This should be populated if the\nuser was unable to close out all channels and sweep funds before partial or\ntotal data loss occurred. If specified, then after on-chain recovery of\nfunds, lnd begin to carry out the data loss recovery protocol in order to\nrecover the funds in each channel from a remote force closed transaction." "description": "channel_backups is an optional argument that allows clients to recover the\nsettled funds within a set of channels. This should be populated if the\nuser was unable to close out all channels and sweep funds before partial or\ntotal data loss occurred. If specified, then after on-chain recovery of\nfunds, lnd begin to carry out the data loss recovery protocol in order to\nrecover the funds in each channel from a remote force closed transaction."
},
"stateless_init": {
"type": "boolean",
"format": "boolean",
"description": "stateless_init is an optional argument instructing the daemon NOT to create\nany *.macaroon files in its file system."
} }
} }
}, },