diff --git a/cmd/lncli/main.go b/cmd/lncli/main.go index 8f55a1e8..8d5be421 100644 --- a/cmd/lncli/main.go +++ b/cmd/lncli/main.go @@ -3,11 +3,27 @@ package main import ( "fmt" "os" + "path/filepath" + "strings" "github.com/lightningnetwork/lnd/lnrpc" + "github.com/roasbeef/btcutil" "github.com/urfave/cli" + flags "github.com/btcsuite/go-flags" "google.golang.org/grpc" + "google.golang.org/grpc/credentials" +) + +const ( + defaultConfigFilename = "lnd.conf" + defaultTLSCertFilename = "tls.cert" +) + +var ( + lndHomeDir = btcutil.AppDataDir("lnd", false) + defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename) + defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename) ) func fatal(err error) { @@ -25,12 +41,38 @@ func getClient(ctx *cli.Context) (lnrpc.LightningClient, func()) { return lnrpc.NewLightningClient(conn), cleanUp } +type config struct { + TLSCertPath string `long:"tlscertpath" description:"path to TLS certificate"` +} + func getClientConn(ctx *cli.Context) *grpc.ClientConn { // TODO(roasbeef): macaroon based auth // * http://www.grpc.io/docs/guides/auth.html // * http://research.google.com/pubs/pub41892.html // * https://github.com/go-macaroon/macaroon - opts := []grpc.DialOption{grpc.WithInsecure()} + cfg := config{ + TLSCertPath: defaultTLSCertPath, + } + + // We want only the TLS certificate information from the configuration + // file at this time, so ignore anything else. We can always add fields + // as we need them. When specifying a file on the `lncli` command line, + // this should work with just a trusted CA cert assuming the server's + // cert file contains the entire chain from the CA to the server's cert. + parser := flags.NewParser(&cfg, flags.IgnoreUnknown) + iniParser := flags.NewIniParser(parser) + if err := iniParser.ParseFile(ctx.GlobalString("config")); err != nil { + fatal(err) + } + if ctx.GlobalString("tlscertpath") != defaultTLSCertPath { + cfg.TLSCertPath = ctx.GlobalString("tlscertpath") + } + cfg.TLSCertPath = cleanAndExpandPath(cfg.TLSCertPath) + creds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "") + if err != nil { + fatal(err) + } + opts := []grpc.DialOption{grpc.WithTransportCredentials(creds)} conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...) if err != nil { @@ -51,6 +93,16 @@ func main() { Value: "localhost:10009", Usage: "host:port of ln daemon", }, + cli.StringFlag{ + Name: "config", + Value: defaultConfigFile, + Usage: "path to config file for TLS cert path", + }, + cli.StringFlag{ + Name: "tlscertpath", + Value: defaultTLSCertPath, + Usage: "path to TLS certificate", + }, } app.Commands = []cli.Command{ newAddressCommand, @@ -88,3 +140,18 @@ func main() { fatal(err) } } + +// cleanAndExpandPath expands environment variables and leading ~ in the +// passed path, cleans the result, and returns it. +// This function is taken from https://github.com/btcsuite/btcd +func cleanAndExpandPath(path string) string { + // Expand initial ~ to OS specific home directory. + if strings.HasPrefix(path, "~") { + homeDir := filepath.Dir(lndHomeDir) + path = strings.Replace(path, "~", homeDir, 1) + } + + // NOTE: The os.ExpandEnv doesn't work with Windows-style %VARIABLE%, + // but the variables can still be expanded via POSIX-style $VARIABLE. + return filepath.Clean(os.ExpandEnv(path)) +} diff --git a/config.go b/config.go index 032adc66..f34d15c7 100644 --- a/config.go +++ b/config.go @@ -22,6 +22,8 @@ import ( const ( defaultConfigFilename = "lnd.conf" defaultDataDirname = "data" + defaultTLSCertFilename = "tls.cert" + defaultTLSKeyFilename = "tls.key" defaultLogLevel = "info" defaultLogDirname = "logs" defaultLogFilename = "lnd.log" @@ -34,10 +36,12 @@ const ( ) var ( - lndHomeDir = btcutil.AppDataDir("lnd", false) - defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename) - defaultDataDir = filepath.Join(lndHomeDir, defaultDataDirname) - defaultLogDir = filepath.Join(lndHomeDir, defaultLogDirname) + lndHomeDir = btcutil.AppDataDir("lnd", false) + defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename) + defaultDataDir = filepath.Join(lndHomeDir, defaultDataDirname) + defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename) + defaultTLSKeyPath = filepath.Join(lndHomeDir, defaultTLSKeyFilename) + defaultLogDir = filepath.Join(lndHomeDir, defaultLogDirname) btcdHomeDir = btcutil.AppDataDir("btcd", false) defaultBtcdRPCCertFile = filepath.Join(btcdHomeDir, "rpc.cert") @@ -77,9 +81,11 @@ type neutrinoConfig struct { type config struct { ShowVersion bool `short:"V" long:"version" description:"Display version information and exit"` - ConfigFile string `long:"C" long:"configfile" description:"Path to configuration file"` - DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"` - LogDir string `long:"logdir" description:"Directory to log output."` + ConfigFile string `long:"C" long:"configfile" description:"Path to configuration file"` + DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"` + TLSCertPath string `long:"tlscertpath" description:"Path to TLS certificate for lnd's RPC and REST services"` + TLSKeyPath string `long:"tlskeypath" description:"Path to TLS private key for lnd's RPC and REST services"` + LogDir string `long:"logdir" description:"Directory to log output."` Listeners []string `long:"listen" description:"Add an interface/port to listen for connections (default all interfaces port: 5656)"` ExternalIPs []string `long:"externalip" description:"Add an ip to the list of local addresses we claim to listen on to peers"` @@ -115,6 +121,8 @@ func loadConfig() (*config, error) { ConfigFile: defaultConfigFile, DataDir: defaultDataDir, DebugLevel: defaultLogLevel, + TLSCertPath: defaultTLSCertPath, + TLSKeyPath: defaultTLSKeyPath, LogDir: defaultLogDir, PeerPort: defaultPeerPort, RPCPort: defaultRPCPort, @@ -300,6 +308,11 @@ func loadConfig() (*config, error) { cfg.LogDir = filepath.Join(cfg.LogDir, registeredChains.primaryChain.String()) + // Ensure that the paths to the TLS key and certificate files are + // expanded and cleaned. + cfg.TLSCertPath = cleanAndExpandPath(cfg.TLSCertPath) + cfg.TLSKeyPath = cleanAndExpandPath(cfg.TLSKeyPath) + // Initialize logging at the default logging level. initLogRotator(filepath.Join(cfg.LogDir, defaultLogFilename)) @@ -323,6 +336,7 @@ func loadConfig() (*config, error) { // cleanAndExpandPath expands environment variables and leading ~ in the // passed path, cleans the result, and returns it. +// This function is taken from https://github.com/btcsuite/btcd func cleanAndExpandPath(path string) string { // Expand initial ~ to OS specific home directory. if strings.HasPrefix(path, "~") { diff --git a/lnd.go b/lnd.go index 09e684f3..86dd0336 100644 --- a/lnd.go +++ b/lnd.go @@ -3,6 +3,7 @@ package main import ( "crypto/rand" "fmt" + "io/ioutil" "net" "net/http" _ "net/http/pprof" @@ -14,6 +15,7 @@ import ( "golang.org/x/net/context" "google.golang.org/grpc" + "google.golang.org/grpc/credentials" flags "github.com/btcsuite/go-flags" proxy "github.com/grpc-ecosystem/grpc-gateway/runtime" @@ -26,6 +28,10 @@ import ( "github.com/roasbeef/btcutil" ) +const ( + autogenCertValidity = 10 * 365 * 24 * time.Hour +) + var ( cfg *config shutdownChannel = make(chan struct{}) @@ -189,13 +195,25 @@ func lndMain() error { } server.fundingMgr = fundingMgr + // Ensure we create TLS key and certificate if they don't exist + if !fileExists(cfg.TLSCertPath) && !fileExists(cfg.TLSKeyPath) { + if err := genCertPair(cfg.TLSCertPath, cfg.TLSKeyPath); err != nil { + return err + } + } + // Initialize, and register our implementation of the gRPC interface // exported by the rpcServer. rpcServer := newRPCServer(server) if err := rpcServer.Start(); err != nil { return err } - var opts []grpc.ServerOption + sCreds, err := credentials.NewServerTLSFromFile(cfg.TLSCertPath, + cfg.TLSKeyPath) + if err != nil { + return err + } + opts := []grpc.ServerOption{grpc.Creds(sCreds)} grpcServer := grpc.NewServer(opts...) lnrpc.RegisterLightningServer(grpcServer, rpcServer) @@ -211,13 +229,17 @@ func lndMain() error { rpcsLog.Infof("RPC server listening on %s", lis.Addr()) grpcServer.Serve(lis) }() - + cCreds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "") + if err != nil { + return err + } // Finally, start the REST proxy for our gRPC server above. ctx := context.Background() ctx, cancel := context.WithCancel(ctx) defer cancel() + mux := proxy.NewServeMux() - proxyOpts := []grpc.DialOption{grpc.WithInsecure()} + proxyOpts := []grpc.DialOption{grpc.WithTransportCredentials(cCreds)} err = lnrpc.RegisterLightningHandlerFromEndpoint(ctx, mux, grpcEndpoint, proxyOpts) if err != nil { @@ -226,7 +248,8 @@ func lndMain() error { go func() { restEndpoint := fmt.Sprintf(":%d", loadedConfig.RESTPort) rpcsLog.Infof("gRPC proxy started at localhost%s", restEndpoint) - http.ListenAndServe(restEndpoint, mux) + http.ListenAndServeTLS(restEndpoint, cfg.TLSCertPath, + cfg.TLSKeyPath, mux) }() // If we're not in simnet mode, We'll wait until we're fully synced to @@ -301,3 +324,39 @@ func main() { os.Exit(1) } } + +// fileExists reports whether the named file or directory exists. +// This function is taken from https://github.com/btcsuite/btcd +func fileExists(name string) bool { + if _, err := os.Stat(name); err != nil { + if os.IsNotExist(err) { + return false + } + } + return true +} + +// genCertPair generates a key/cert pair to the paths provided. +// This function is adapted from https://github.com/btcsuite/btcd +func genCertPair(certFile, keyFile string) error { + rpcsLog.Infof("Generating TLS certificates...") + + org := "lnd autogenerated cert" + validUntil := time.Now().Add(autogenCertValidity) + cert, key, err := btcutil.NewTLSCertPair(org, validUntil, nil) + if err != nil { + return err + } + + // Write cert and key files. + if err = ioutil.WriteFile(certFile, cert, 0644); err != nil { + return err + } + if err = ioutil.WriteFile(keyFile, key, 0600); err != nil { + os.Remove(certFile) + return err + } + + rpcsLog.Infof("Done generating TLS certificates") + return nil +} diff --git a/networktest.go b/networktest.go index 6a5009d8..d0faa086 100644 --- a/networktest.go +++ b/networktest.go @@ -19,6 +19,7 @@ import ( "golang.org/x/net/context" "google.golang.org/grpc" + "google.golang.org/grpc/credentials" "google.golang.org/grpc/grpclog" "os/exec" @@ -135,6 +136,8 @@ func newLightningNode(btcrpcConfig *btcrpcclient.ConnConfig, lndArgs []string) ( if err != nil { return nil, err } + cfg.TLSCertPath = filepath.Join(cfg.DataDir, "tls.cert") + cfg.TLSKeyPath = filepath.Join(cfg.DataDir, "tls.key") cfg.PeerPort, cfg.RPCPort = generateListeningPorts() @@ -172,6 +175,8 @@ func (l *lightningNode) genArgs() []string { args = append(args, fmt.Sprintf("--peerport=%v", l.cfg.PeerPort)) args = append(args, fmt.Sprintf("--logdir=%v", l.cfg.LogDir)) args = append(args, fmt.Sprintf("--datadir=%v", l.cfg.DataDir)) + args = append(args, fmt.Sprintf("--tlscertpath=%v", l.cfg.TLSCertPath)) + args = append(args, fmt.Sprintf("--tlskeypath=%v", l.cfg.TLSKeyPath)) if l.extraArgs != nil { args = append(args, l.extraArgs...) @@ -242,8 +247,23 @@ func (l *lightningNode) Start(lndError chan error) error { return err } + // Wait until TLS certificate is created before using it, up to 10 sec. + tlsTimeout := time.After(10 * time.Second) + for !fileExists(l.cfg.TLSCertPath) { + time.Sleep(100 * time.Millisecond) + select { + case <-tlsTimeout: + panic(fmt.Errorf("timeout waiting for TLS cert file " + + "to be created after 10 seconds")) + default: + } + } + creds, err := credentials.NewClientTLSFromFile(l.cfg.TLSCertPath, "") + if err != nil { + return err + } opts := []grpc.DialOption{ - grpc.WithInsecure(), + grpc.WithTransportCredentials(creds), grpc.WithBlock(), grpc.WithTimeout(time.Second * 20), }