rpc: force TLS for both grpc endpoint and grpc gateway
This commit is contained in:
parent
d1e797451d
commit
59f9065213
@ -3,11 +3,27 @@ package main
|
||||
import (
|
||||
"fmt"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
|
||||
"github.com/lightningnetwork/lnd/lnrpc"
|
||||
"github.com/roasbeef/btcutil"
|
||||
"github.com/urfave/cli"
|
||||
|
||||
flags "github.com/btcsuite/go-flags"
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials"
|
||||
)
|
||||
|
||||
const (
|
||||
defaultConfigFilename = "lnd.conf"
|
||||
defaultTLSCertFilename = "tls.cert"
|
||||
)
|
||||
|
||||
var (
|
||||
lndHomeDir = btcutil.AppDataDir("lnd", false)
|
||||
defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename)
|
||||
defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename)
|
||||
)
|
||||
|
||||
func fatal(err error) {
|
||||
@ -25,12 +41,38 @@ func getClient(ctx *cli.Context) (lnrpc.LightningClient, func()) {
|
||||
return lnrpc.NewLightningClient(conn), cleanUp
|
||||
}
|
||||
|
||||
type config struct {
|
||||
TLSCertPath string `long:"tlscertpath" description:"path to TLS certificate"`
|
||||
}
|
||||
|
||||
func getClientConn(ctx *cli.Context) *grpc.ClientConn {
|
||||
// TODO(roasbeef): macaroon based auth
|
||||
// * http://www.grpc.io/docs/guides/auth.html
|
||||
// * http://research.google.com/pubs/pub41892.html
|
||||
// * https://github.com/go-macaroon/macaroon
|
||||
opts := []grpc.DialOption{grpc.WithInsecure()}
|
||||
cfg := config{
|
||||
TLSCertPath: defaultTLSCertPath,
|
||||
}
|
||||
|
||||
// We want only the TLS certificate information from the configuration
|
||||
// file at this time, so ignore anything else. We can always add fields
|
||||
// as we need them. When specifying a file on the `lncli` command line,
|
||||
// this should work with just a trusted CA cert assuming the server's
|
||||
// cert file contains the entire chain from the CA to the server's cert.
|
||||
parser := flags.NewParser(&cfg, flags.IgnoreUnknown)
|
||||
iniParser := flags.NewIniParser(parser)
|
||||
if err := iniParser.ParseFile(ctx.GlobalString("config")); err != nil {
|
||||
fatal(err)
|
||||
}
|
||||
if ctx.GlobalString("tlscertpath") != defaultTLSCertPath {
|
||||
cfg.TLSCertPath = ctx.GlobalString("tlscertpath")
|
||||
}
|
||||
cfg.TLSCertPath = cleanAndExpandPath(cfg.TLSCertPath)
|
||||
creds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "")
|
||||
if err != nil {
|
||||
fatal(err)
|
||||
}
|
||||
opts := []grpc.DialOption{grpc.WithTransportCredentials(creds)}
|
||||
|
||||
conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...)
|
||||
if err != nil {
|
||||
@ -51,6 +93,16 @@ func main() {
|
||||
Value: "localhost:10009",
|
||||
Usage: "host:port of ln daemon",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "config",
|
||||
Value: defaultConfigFile,
|
||||
Usage: "path to config file for TLS cert path",
|
||||
},
|
||||
cli.StringFlag{
|
||||
Name: "tlscertpath",
|
||||
Value: defaultTLSCertPath,
|
||||
Usage: "path to TLS certificate",
|
||||
},
|
||||
}
|
||||
app.Commands = []cli.Command{
|
||||
newAddressCommand,
|
||||
@ -88,3 +140,18 @@ func main() {
|
||||
fatal(err)
|
||||
}
|
||||
}
|
||||
|
||||
// cleanAndExpandPath expands environment variables and leading ~ in the
|
||||
// passed path, cleans the result, and returns it.
|
||||
// This function is taken from https://github.com/btcsuite/btcd
|
||||
func cleanAndExpandPath(path string) string {
|
||||
// Expand initial ~ to OS specific home directory.
|
||||
if strings.HasPrefix(path, "~") {
|
||||
homeDir := filepath.Dir(lndHomeDir)
|
||||
path = strings.Replace(path, "~", homeDir, 1)
|
||||
}
|
||||
|
||||
// NOTE: The os.ExpandEnv doesn't work with Windows-style %VARIABLE%,
|
||||
// but the variables can still be expanded via POSIX-style $VARIABLE.
|
||||
return filepath.Clean(os.ExpandEnv(path))
|
||||
}
|
||||
|
28
config.go
28
config.go
@ -22,6 +22,8 @@ import (
|
||||
const (
|
||||
defaultConfigFilename = "lnd.conf"
|
||||
defaultDataDirname = "data"
|
||||
defaultTLSCertFilename = "tls.cert"
|
||||
defaultTLSKeyFilename = "tls.key"
|
||||
defaultLogLevel = "info"
|
||||
defaultLogDirname = "logs"
|
||||
defaultLogFilename = "lnd.log"
|
||||
@ -34,10 +36,12 @@ const (
|
||||
)
|
||||
|
||||
var (
|
||||
lndHomeDir = btcutil.AppDataDir("lnd", false)
|
||||
defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename)
|
||||
defaultDataDir = filepath.Join(lndHomeDir, defaultDataDirname)
|
||||
defaultLogDir = filepath.Join(lndHomeDir, defaultLogDirname)
|
||||
lndHomeDir = btcutil.AppDataDir("lnd", false)
|
||||
defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename)
|
||||
defaultDataDir = filepath.Join(lndHomeDir, defaultDataDirname)
|
||||
defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename)
|
||||
defaultTLSKeyPath = filepath.Join(lndHomeDir, defaultTLSKeyFilename)
|
||||
defaultLogDir = filepath.Join(lndHomeDir, defaultLogDirname)
|
||||
|
||||
btcdHomeDir = btcutil.AppDataDir("btcd", false)
|
||||
defaultBtcdRPCCertFile = filepath.Join(btcdHomeDir, "rpc.cert")
|
||||
@ -77,9 +81,11 @@ type neutrinoConfig struct {
|
||||
type config struct {
|
||||
ShowVersion bool `short:"V" long:"version" description:"Display version information and exit"`
|
||||
|
||||
ConfigFile string `long:"C" long:"configfile" description:"Path to configuration file"`
|
||||
DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"`
|
||||
LogDir string `long:"logdir" description:"Directory to log output."`
|
||||
ConfigFile string `long:"C" long:"configfile" description:"Path to configuration file"`
|
||||
DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"`
|
||||
TLSCertPath string `long:"tlscertpath" description:"Path to TLS certificate for lnd's RPC and REST services"`
|
||||
TLSKeyPath string `long:"tlskeypath" description:"Path to TLS private key for lnd's RPC and REST services"`
|
||||
LogDir string `long:"logdir" description:"Directory to log output."`
|
||||
|
||||
Listeners []string `long:"listen" description:"Add an interface/port to listen for connections (default all interfaces port: 5656)"`
|
||||
ExternalIPs []string `long:"externalip" description:"Add an ip to the list of local addresses we claim to listen on to peers"`
|
||||
@ -115,6 +121,8 @@ func loadConfig() (*config, error) {
|
||||
ConfigFile: defaultConfigFile,
|
||||
DataDir: defaultDataDir,
|
||||
DebugLevel: defaultLogLevel,
|
||||
TLSCertPath: defaultTLSCertPath,
|
||||
TLSKeyPath: defaultTLSKeyPath,
|
||||
LogDir: defaultLogDir,
|
||||
PeerPort: defaultPeerPort,
|
||||
RPCPort: defaultRPCPort,
|
||||
@ -300,6 +308,11 @@ func loadConfig() (*config, error) {
|
||||
cfg.LogDir = filepath.Join(cfg.LogDir,
|
||||
registeredChains.primaryChain.String())
|
||||
|
||||
// Ensure that the paths to the TLS key and certificate files are
|
||||
// expanded and cleaned.
|
||||
cfg.TLSCertPath = cleanAndExpandPath(cfg.TLSCertPath)
|
||||
cfg.TLSKeyPath = cleanAndExpandPath(cfg.TLSKeyPath)
|
||||
|
||||
// Initialize logging at the default logging level.
|
||||
initLogRotator(filepath.Join(cfg.LogDir, defaultLogFilename))
|
||||
|
||||
@ -323,6 +336,7 @@ func loadConfig() (*config, error) {
|
||||
|
||||
// cleanAndExpandPath expands environment variables and leading ~ in the
|
||||
// passed path, cleans the result, and returns it.
|
||||
// This function is taken from https://github.com/btcsuite/btcd
|
||||
func cleanAndExpandPath(path string) string {
|
||||
// Expand initial ~ to OS specific home directory.
|
||||
if strings.HasPrefix(path, "~") {
|
||||
|
67
lnd.go
67
lnd.go
@ -3,6 +3,7 @@ package main
|
||||
import (
|
||||
"crypto/rand"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net"
|
||||
"net/http"
|
||||
_ "net/http/pprof"
|
||||
@ -14,6 +15,7 @@ import (
|
||||
"golang.org/x/net/context"
|
||||
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials"
|
||||
|
||||
flags "github.com/btcsuite/go-flags"
|
||||
proxy "github.com/grpc-ecosystem/grpc-gateway/runtime"
|
||||
@ -26,6 +28,10 @@ import (
|
||||
"github.com/roasbeef/btcutil"
|
||||
)
|
||||
|
||||
const (
|
||||
autogenCertValidity = 10 * 365 * 24 * time.Hour
|
||||
)
|
||||
|
||||
var (
|
||||
cfg *config
|
||||
shutdownChannel = make(chan struct{})
|
||||
@ -189,13 +195,25 @@ func lndMain() error {
|
||||
}
|
||||
server.fundingMgr = fundingMgr
|
||||
|
||||
// Ensure we create TLS key and certificate if they don't exist
|
||||
if !fileExists(cfg.TLSCertPath) && !fileExists(cfg.TLSKeyPath) {
|
||||
if err := genCertPair(cfg.TLSCertPath, cfg.TLSKeyPath); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
// Initialize, and register our implementation of the gRPC interface
|
||||
// exported by the rpcServer.
|
||||
rpcServer := newRPCServer(server)
|
||||
if err := rpcServer.Start(); err != nil {
|
||||
return err
|
||||
}
|
||||
var opts []grpc.ServerOption
|
||||
sCreds, err := credentials.NewServerTLSFromFile(cfg.TLSCertPath,
|
||||
cfg.TLSKeyPath)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
opts := []grpc.ServerOption{grpc.Creds(sCreds)}
|
||||
grpcServer := grpc.NewServer(opts...)
|
||||
lnrpc.RegisterLightningServer(grpcServer, rpcServer)
|
||||
|
||||
@ -211,13 +229,17 @@ func lndMain() error {
|
||||
rpcsLog.Infof("RPC server listening on %s", lis.Addr())
|
||||
grpcServer.Serve(lis)
|
||||
}()
|
||||
|
||||
cCreds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// Finally, start the REST proxy for our gRPC server above.
|
||||
ctx := context.Background()
|
||||
ctx, cancel := context.WithCancel(ctx)
|
||||
defer cancel()
|
||||
|
||||
mux := proxy.NewServeMux()
|
||||
proxyOpts := []grpc.DialOption{grpc.WithInsecure()}
|
||||
proxyOpts := []grpc.DialOption{grpc.WithTransportCredentials(cCreds)}
|
||||
err = lnrpc.RegisterLightningHandlerFromEndpoint(ctx, mux, grpcEndpoint,
|
||||
proxyOpts)
|
||||
if err != nil {
|
||||
@ -226,7 +248,8 @@ func lndMain() error {
|
||||
go func() {
|
||||
restEndpoint := fmt.Sprintf(":%d", loadedConfig.RESTPort)
|
||||
rpcsLog.Infof("gRPC proxy started at localhost%s", restEndpoint)
|
||||
http.ListenAndServe(restEndpoint, mux)
|
||||
http.ListenAndServeTLS(restEndpoint, cfg.TLSCertPath,
|
||||
cfg.TLSKeyPath, mux)
|
||||
}()
|
||||
|
||||
// If we're not in simnet mode, We'll wait until we're fully synced to
|
||||
@ -301,3 +324,39 @@ func main() {
|
||||
os.Exit(1)
|
||||
}
|
||||
}
|
||||
|
||||
// fileExists reports whether the named file or directory exists.
|
||||
// This function is taken from https://github.com/btcsuite/btcd
|
||||
func fileExists(name string) bool {
|
||||
if _, err := os.Stat(name); err != nil {
|
||||
if os.IsNotExist(err) {
|
||||
return false
|
||||
}
|
||||
}
|
||||
return true
|
||||
}
|
||||
|
||||
// genCertPair generates a key/cert pair to the paths provided.
|
||||
// This function is adapted from https://github.com/btcsuite/btcd
|
||||
func genCertPair(certFile, keyFile string) error {
|
||||
rpcsLog.Infof("Generating TLS certificates...")
|
||||
|
||||
org := "lnd autogenerated cert"
|
||||
validUntil := time.Now().Add(autogenCertValidity)
|
||||
cert, key, err := btcutil.NewTLSCertPair(org, validUntil, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Write cert and key files.
|
||||
if err = ioutil.WriteFile(certFile, cert, 0644); err != nil {
|
||||
return err
|
||||
}
|
||||
if err = ioutil.WriteFile(keyFile, key, 0600); err != nil {
|
||||
os.Remove(certFile)
|
||||
return err
|
||||
}
|
||||
|
||||
rpcsLog.Infof("Done generating TLS certificates")
|
||||
return nil
|
||||
}
|
||||
|
@ -19,6 +19,7 @@ import (
|
||||
"golang.org/x/net/context"
|
||||
|
||||
"google.golang.org/grpc"
|
||||
"google.golang.org/grpc/credentials"
|
||||
"google.golang.org/grpc/grpclog"
|
||||
|
||||
"os/exec"
|
||||
@ -135,6 +136,8 @@ func newLightningNode(btcrpcConfig *btcrpcclient.ConnConfig, lndArgs []string) (
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
cfg.TLSCertPath = filepath.Join(cfg.DataDir, "tls.cert")
|
||||
cfg.TLSKeyPath = filepath.Join(cfg.DataDir, "tls.key")
|
||||
|
||||
cfg.PeerPort, cfg.RPCPort = generateListeningPorts()
|
||||
|
||||
@ -172,6 +175,8 @@ func (l *lightningNode) genArgs() []string {
|
||||
args = append(args, fmt.Sprintf("--peerport=%v", l.cfg.PeerPort))
|
||||
args = append(args, fmt.Sprintf("--logdir=%v", l.cfg.LogDir))
|
||||
args = append(args, fmt.Sprintf("--datadir=%v", l.cfg.DataDir))
|
||||
args = append(args, fmt.Sprintf("--tlscertpath=%v", l.cfg.TLSCertPath))
|
||||
args = append(args, fmt.Sprintf("--tlskeypath=%v", l.cfg.TLSKeyPath))
|
||||
|
||||
if l.extraArgs != nil {
|
||||
args = append(args, l.extraArgs...)
|
||||
@ -242,8 +247,23 @@ func (l *lightningNode) Start(lndError chan error) error {
|
||||
return err
|
||||
}
|
||||
|
||||
// Wait until TLS certificate is created before using it, up to 10 sec.
|
||||
tlsTimeout := time.After(10 * time.Second)
|
||||
for !fileExists(l.cfg.TLSCertPath) {
|
||||
time.Sleep(100 * time.Millisecond)
|
||||
select {
|
||||
case <-tlsTimeout:
|
||||
panic(fmt.Errorf("timeout waiting for TLS cert file " +
|
||||
"to be created after 10 seconds"))
|
||||
default:
|
||||
}
|
||||
}
|
||||
creds, err := credentials.NewClientTLSFromFile(l.cfg.TLSCertPath, "")
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
opts := []grpc.DialOption{
|
||||
grpc.WithInsecure(),
|
||||
grpc.WithTransportCredentials(creds),
|
||||
grpc.WithBlock(),
|
||||
grpc.WithTimeout(time.Second * 20),
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user