rpc: force TLS for both grpc endpoint and grpc gateway

2017-07-25 17:22:06 -06:00 · 2017-07-25 17:22:06 -06:00 · 59f9065213
commit 59f9065213
parent d1e797451d
4 changed files with 173 additions and 13 deletions
--- a/cmd/lncli/main.go
+++ b/cmd/lncli/main.go
@ -3,11 +3,27 @@ package main
 import (
 	"fmt"
 	"os"
+	"path/filepath"
+	"strings"

 	"github.com/lightningnetwork/lnd/lnrpc"
+	"github.com/roasbeef/btcutil"
 	"github.com/urfave/cli"

+	flags "github.com/btcsuite/go-flags"
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
+)
+
+const (
+	defaultConfigFilename  = "lnd.conf"
+	defaultTLSCertFilename = "tls.cert"
+)
+
+var (
+	lndHomeDir         = btcutil.AppDataDir("lnd", false)
+	defaultConfigFile  = filepath.Join(lndHomeDir, defaultConfigFilename)
+	defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename)
 )

 func fatal(err error) {
@ -25,12 +41,38 @@ func getClient(ctx *cli.Context) (lnrpc.LightningClient, func()) {
 	return lnrpc.NewLightningClient(conn), cleanUp
 }

+type config struct {
+	TLSCertPath string `long:"tlscertpath" description:"path to TLS certificate"`
+}
+
 func getClientConn(ctx *cli.Context) *grpc.ClientConn {
 	// TODO(roasbeef): macaroon based auth
 	// * http://www.grpc.io/docs/guides/auth.html
 	// * http://research.google.com/pubs/pub41892.html
 	// * https://github.com/go-macaroon/macaroon
-	opts := []grpc.DialOption{grpc.WithInsecure()}
+	cfg := config{
+		TLSCertPath: defaultTLSCertPath,
+	}
+
+	// We want only the TLS certificate information from the configuration
+	// file at this time, so ignore anything else. We can always add fields
+	// as we need them. When specifying a file on the `lncli` command line,
+	// this should work with just a trusted CA cert assuming the server's
+	// cert file contains the entire chain from the CA to the server's cert.
+	parser := flags.NewParser(&cfg, flags.IgnoreUnknown)
+	iniParser := flags.NewIniParser(parser)
+	if err := iniParser.ParseFile(ctx.GlobalString("config")); err != nil {
+		fatal(err)
+	}
+	if ctx.GlobalString("tlscertpath") != defaultTLSCertPath {
+		cfg.TLSCertPath = ctx.GlobalString("tlscertpath")
+	}
+	cfg.TLSCertPath = cleanAndExpandPath(cfg.TLSCertPath)
+	creds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "")
+	if err != nil {
+		fatal(err)
+	}
+	opts := []grpc.DialOption{grpc.WithTransportCredentials(creds)}

 	conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...)
 	if err != nil {
@ -51,6 +93,16 @@ func main() {
 			Value: "localhost:10009",
 			Usage: "host:port of ln daemon",
 		},
+		cli.StringFlag{
+			Name:  "config",
+			Value: defaultConfigFile,
+			Usage: "path to config file for TLS cert path",
+		},
+		cli.StringFlag{
+			Name:  "tlscertpath",
+			Value: defaultTLSCertPath,
+			Usage: "path to TLS certificate",
+		},
 	}
 	app.Commands = []cli.Command{
 		newAddressCommand,
@ -88,3 +140,18 @@ func main() {
 		fatal(err)
 	}
 }
+
+// cleanAndExpandPath expands environment variables and leading ~ in the
+// passed path, cleans the result, and returns it.
+// This function is taken from https://github.com/btcsuite/btcd
+func cleanAndExpandPath(path string) string {
+	// Expand initial ~ to OS specific home directory.
+	if strings.HasPrefix(path, "~") {
+		homeDir := filepath.Dir(lndHomeDir)
+		path = strings.Replace(path, "~", homeDir, 1)
+	}
+
+	// NOTE: The os.ExpandEnv doesn't work with Windows-style %VARIABLE%,
+	// but the variables can still be expanded via POSIX-style $VARIABLE.
+	return filepath.Clean(os.ExpandEnv(path))
+}
--- a/config.go
+++ b/config.go
@ -22,6 +22,8 @@ import (
 const (
 	defaultConfigFilename     = "lnd.conf"
 	defaultDataDirname        = "data"
+	defaultTLSCertFilename    = "tls.cert"
+	defaultTLSKeyFilename     = "tls.key"
 	defaultLogLevel           = "info"
 	defaultLogDirname         = "logs"
 	defaultLogFilename        = "lnd.log"
@ -34,10 +36,12 @@ const (
 )

 var (
-	lndHomeDir        = btcutil.AppDataDir("lnd", false)
-	defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename)
-	defaultDataDir    = filepath.Join(lndHomeDir, defaultDataDirname)
-	defaultLogDir     = filepath.Join(lndHomeDir, defaultLogDirname)
+	lndHomeDir         = btcutil.AppDataDir("lnd", false)
+	defaultConfigFile  = filepath.Join(lndHomeDir, defaultConfigFilename)
+	defaultDataDir     = filepath.Join(lndHomeDir, defaultDataDirname)
+	defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename)
+	defaultTLSKeyPath  = filepath.Join(lndHomeDir, defaultTLSKeyFilename)
+	defaultLogDir      = filepath.Join(lndHomeDir, defaultLogDirname)

 	btcdHomeDir            = btcutil.AppDataDir("btcd", false)
 	defaultBtcdRPCCertFile = filepath.Join(btcdHomeDir, "rpc.cert")
@ -77,9 +81,11 @@ type neutrinoConfig struct {
 type config struct {
 	ShowVersion bool `short:"V" long:"version" description:"Display version information and exit"`

-	ConfigFile string `long:"C" long:"configfile" description:"Path to configuration file"`
-	DataDir    string `short:"b" long:"datadir" description:"The directory to store lnd's data within"`
-	LogDir     string `long:"logdir" description:"Directory to log output."`
+	ConfigFile  string `long:"C" long:"configfile" description:"Path to configuration file"`
+	DataDir     string `short:"b" long:"datadir" description:"The directory to store lnd's data within"`
+	TLSCertPath string `long:"tlscertpath" description:"Path to TLS certificate for lnd's RPC and REST services"`
+	TLSKeyPath  string `long:"tlskeypath" description:"Path to TLS private key for lnd's RPC and REST services"`
+	LogDir      string `long:"logdir" description:"Directory to log output."`

 	Listeners   []string `long:"listen" description:"Add an interface/port to listen for connections (default all interfaces port: 5656)"`
 	ExternalIPs []string `long:"externalip" description:"Add an ip to the list of local addresses we claim to listen on to peers"`
@ -115,6 +121,8 @@ func loadConfig() (*config, error) {
 		ConfigFile:          defaultConfigFile,
 		DataDir:             defaultDataDir,
 		DebugLevel:          defaultLogLevel,
+		TLSCertPath:         defaultTLSCertPath,
+		TLSKeyPath:          defaultTLSKeyPath,
 		LogDir:              defaultLogDir,
 		PeerPort:            defaultPeerPort,
 		RPCPort:             defaultRPCPort,
@ -300,6 +308,11 @@ func loadConfig() (*config, error) {
 	cfg.LogDir = filepath.Join(cfg.LogDir,
 		registeredChains.primaryChain.String())

+	// Ensure that the paths to the TLS key and certificate files are
+	// expanded and cleaned.
+	cfg.TLSCertPath = cleanAndExpandPath(cfg.TLSCertPath)
+	cfg.TLSKeyPath = cleanAndExpandPath(cfg.TLSKeyPath)
+
 	// Initialize logging at the default logging level.
 	initLogRotator(filepath.Join(cfg.LogDir, defaultLogFilename))

@ -323,6 +336,7 @@ func loadConfig() (*config, error) {

 // cleanAndExpandPath expands environment variables and leading ~ in the
 // passed path, cleans the result, and returns it.
+// This function is taken from https://github.com/btcsuite/btcd
 func cleanAndExpandPath(path string) string {
 	// Expand initial ~ to OS specific home directory.
 	if strings.HasPrefix(path, "~") {
--- a/lnd.go
+++ b/lnd.go
@ -3,6 +3,7 @@ package main
 import (
 	"crypto/rand"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"net/http"
 	_ "net/http/pprof"
@ -14,6 +15,7 @@ import (
 	"golang.org/x/net/context"

 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"

 	flags "github.com/btcsuite/go-flags"
 	proxy "github.com/grpc-ecosystem/grpc-gateway/runtime"
@ -26,6 +28,10 @@ import (
 	"github.com/roasbeef/btcutil"
 )

+const (
+	autogenCertValidity = 10 * 365 * 24 * time.Hour
+)
+
 var (
 	cfg              *config
 	shutdownChannel  = make(chan struct{})
@ -189,13 +195,25 @@ func lndMain() error {
 	}
 	server.fundingMgr = fundingMgr

+	// Ensure we create TLS key and certificate if they don't exist
+	if !fileExists(cfg.TLSCertPath) && !fileExists(cfg.TLSKeyPath) {
+		if err := genCertPair(cfg.TLSCertPath, cfg.TLSKeyPath); err != nil {
+			return err
+		}
+	}
+
 	// Initialize, and register our implementation of the gRPC interface
 	// exported by the rpcServer.
 	rpcServer := newRPCServer(server)
 	if err := rpcServer.Start(); err != nil {
 		return err
 	}
-	var opts []grpc.ServerOption
+	sCreds, err := credentials.NewServerTLSFromFile(cfg.TLSCertPath,
+		cfg.TLSKeyPath)
+	if err != nil {
+		return err
+	}
+	opts := []grpc.ServerOption{grpc.Creds(sCreds)}
 	grpcServer := grpc.NewServer(opts...)
 	lnrpc.RegisterLightningServer(grpcServer, rpcServer)

@ -211,13 +229,17 @@ func lndMain() error {
 		rpcsLog.Infof("RPC server listening on %s", lis.Addr())
 		grpcServer.Serve(lis)
 	}()
-
+	cCreds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "")
+	if err != nil {
+		return err
+	}
 	// Finally, start the REST proxy for our gRPC server above.
 	ctx := context.Background()
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
+
 	mux := proxy.NewServeMux()
-	proxyOpts := []grpc.DialOption{grpc.WithInsecure()}
+	proxyOpts := []grpc.DialOption{grpc.WithTransportCredentials(cCreds)}
 	err = lnrpc.RegisterLightningHandlerFromEndpoint(ctx, mux, grpcEndpoint,
 		proxyOpts)
 	if err != nil {
@ -226,7 +248,8 @@ func lndMain() error {
 	go func() {
 		restEndpoint := fmt.Sprintf(":%d", loadedConfig.RESTPort)
 		rpcsLog.Infof("gRPC proxy started at localhost%s", restEndpoint)
-		http.ListenAndServe(restEndpoint, mux)
+		http.ListenAndServeTLS(restEndpoint, cfg.TLSCertPath,
+			cfg.TLSKeyPath, mux)
 	}()

 	// If we're not in simnet mode, We'll wait until we're fully synced to
@ -301,3 +324,39 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+// fileExists reports whether the named file or directory exists.
+// This function is taken from https://github.com/btcsuite/btcd
+func fileExists(name string) bool {
+	if _, err := os.Stat(name); err != nil {
+		if os.IsNotExist(err) {
+			return false
+		}
+	}
+	return true
+}
+
+// genCertPair generates a key/cert pair to the paths provided.
+// This function is adapted from https://github.com/btcsuite/btcd
+func genCertPair(certFile, keyFile string) error {
+	rpcsLog.Infof("Generating TLS certificates...")
+
+	org := "lnd autogenerated cert"
+	validUntil := time.Now().Add(autogenCertValidity)
+	cert, key, err := btcutil.NewTLSCertPair(org, validUntil, nil)
+	if err != nil {
+		return err
+	}
+
+	// Write cert and key files.
+	if err = ioutil.WriteFile(certFile, cert, 0644); err != nil {
+		return err
+	}
+	if err = ioutil.WriteFile(keyFile, key, 0600); err != nil {
+		os.Remove(certFile)
+		return err
+	}
+
+	rpcsLog.Infof("Done generating TLS certificates")
+	return nil
+}
--- a/networktest.go
+++ b/networktest.go
@ -19,6 +19,7 @@ import (
 	"golang.org/x/net/context"

 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 	"google.golang.org/grpc/grpclog"

 	"os/exec"
@ -135,6 +136,8 @@ func newLightningNode(btcrpcConfig *btcrpcclient.ConnConfig, lndArgs []string) (
 	if err != nil {
 		return nil, err
 	}
+	cfg.TLSCertPath = filepath.Join(cfg.DataDir, "tls.cert")
+	cfg.TLSKeyPath = filepath.Join(cfg.DataDir, "tls.key")

 	cfg.PeerPort, cfg.RPCPort = generateListeningPorts()

@ -172,6 +175,8 @@ func (l *lightningNode) genArgs() []string {
 	args = append(args, fmt.Sprintf("--peerport=%v", l.cfg.PeerPort))
 	args = append(args, fmt.Sprintf("--logdir=%v", l.cfg.LogDir))
 	args = append(args, fmt.Sprintf("--datadir=%v", l.cfg.DataDir))
+	args = append(args, fmt.Sprintf("--tlscertpath=%v", l.cfg.TLSCertPath))
+	args = append(args, fmt.Sprintf("--tlskeypath=%v", l.cfg.TLSKeyPath))

 	if l.extraArgs != nil {
 		args = append(args, l.extraArgs...)
@ -242,8 +247,23 @@ func (l *lightningNode) Start(lndError chan error) error {
 		return err
 	}

+	// Wait until TLS certificate is created before using it, up to 10 sec.
+	tlsTimeout := time.After(10 * time.Second)
+	for !fileExists(l.cfg.TLSCertPath) {
+		time.Sleep(100 * time.Millisecond)
+		select {
+		case <-tlsTimeout:
+			panic(fmt.Errorf("timeout waiting for TLS cert file " +
+				"to be created after 10 seconds"))
+		default:
+		}
+	}
+	creds, err := credentials.NewClientTLSFromFile(l.cfg.TLSCertPath, "")
+	if err != nil {
+		return err
+	}
 	opts := []grpc.DialOption{
-		grpc.WithInsecure(),
+		grpc.WithTransportCredentials(creds),
 		grpc.WithBlock(),
 		grpc.WithTimeout(time.Second * 20),
 	}