rpc: force TLS for both grpc endpoint and grpc gateway
This commit is contained in:
parent
d1e797451d
commit
59f9065213
@ -3,11 +3,27 @@ package main
|
|||||||
import (
|
import (
|
||||||
"fmt"
|
"fmt"
|
||||||
"os"
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
"strings"
|
||||||
|
|
||||||
"github.com/lightningnetwork/lnd/lnrpc"
|
"github.com/lightningnetwork/lnd/lnrpc"
|
||||||
|
"github.com/roasbeef/btcutil"
|
||||||
"github.com/urfave/cli"
|
"github.com/urfave/cli"
|
||||||
|
|
||||||
|
flags "github.com/btcsuite/go-flags"
|
||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
|
"google.golang.org/grpc/credentials"
|
||||||
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
defaultConfigFilename = "lnd.conf"
|
||||||
|
defaultTLSCertFilename = "tls.cert"
|
||||||
|
)
|
||||||
|
|
||||||
|
var (
|
||||||
|
lndHomeDir = btcutil.AppDataDir("lnd", false)
|
||||||
|
defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename)
|
||||||
|
defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename)
|
||||||
)
|
)
|
||||||
|
|
||||||
func fatal(err error) {
|
func fatal(err error) {
|
||||||
@ -25,12 +41,38 @@ func getClient(ctx *cli.Context) (lnrpc.LightningClient, func()) {
|
|||||||
return lnrpc.NewLightningClient(conn), cleanUp
|
return lnrpc.NewLightningClient(conn), cleanUp
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type config struct {
|
||||||
|
TLSCertPath string `long:"tlscertpath" description:"path to TLS certificate"`
|
||||||
|
}
|
||||||
|
|
||||||
func getClientConn(ctx *cli.Context) *grpc.ClientConn {
|
func getClientConn(ctx *cli.Context) *grpc.ClientConn {
|
||||||
// TODO(roasbeef): macaroon based auth
|
// TODO(roasbeef): macaroon based auth
|
||||||
// * http://www.grpc.io/docs/guides/auth.html
|
// * http://www.grpc.io/docs/guides/auth.html
|
||||||
// * http://research.google.com/pubs/pub41892.html
|
// * http://research.google.com/pubs/pub41892.html
|
||||||
// * https://github.com/go-macaroon/macaroon
|
// * https://github.com/go-macaroon/macaroon
|
||||||
opts := []grpc.DialOption{grpc.WithInsecure()}
|
cfg := config{
|
||||||
|
TLSCertPath: defaultTLSCertPath,
|
||||||
|
}
|
||||||
|
|
||||||
|
// We want only the TLS certificate information from the configuration
|
||||||
|
// file at this time, so ignore anything else. We can always add fields
|
||||||
|
// as we need them. When specifying a file on the `lncli` command line,
|
||||||
|
// this should work with just a trusted CA cert assuming the server's
|
||||||
|
// cert file contains the entire chain from the CA to the server's cert.
|
||||||
|
parser := flags.NewParser(&cfg, flags.IgnoreUnknown)
|
||||||
|
iniParser := flags.NewIniParser(parser)
|
||||||
|
if err := iniParser.ParseFile(ctx.GlobalString("config")); err != nil {
|
||||||
|
fatal(err)
|
||||||
|
}
|
||||||
|
if ctx.GlobalString("tlscertpath") != defaultTLSCertPath {
|
||||||
|
cfg.TLSCertPath = ctx.GlobalString("tlscertpath")
|
||||||
|
}
|
||||||
|
cfg.TLSCertPath = cleanAndExpandPath(cfg.TLSCertPath)
|
||||||
|
creds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "")
|
||||||
|
if err != nil {
|
||||||
|
fatal(err)
|
||||||
|
}
|
||||||
|
opts := []grpc.DialOption{grpc.WithTransportCredentials(creds)}
|
||||||
|
|
||||||
conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...)
|
conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -51,6 +93,16 @@ func main() {
|
|||||||
Value: "localhost:10009",
|
Value: "localhost:10009",
|
||||||
Usage: "host:port of ln daemon",
|
Usage: "host:port of ln daemon",
|
||||||
},
|
},
|
||||||
|
cli.StringFlag{
|
||||||
|
Name: "config",
|
||||||
|
Value: defaultConfigFile,
|
||||||
|
Usage: "path to config file for TLS cert path",
|
||||||
|
},
|
||||||
|
cli.StringFlag{
|
||||||
|
Name: "tlscertpath",
|
||||||
|
Value: defaultTLSCertPath,
|
||||||
|
Usage: "path to TLS certificate",
|
||||||
|
},
|
||||||
}
|
}
|
||||||
app.Commands = []cli.Command{
|
app.Commands = []cli.Command{
|
||||||
newAddressCommand,
|
newAddressCommand,
|
||||||
@ -88,3 +140,18 @@ func main() {
|
|||||||
fatal(err)
|
fatal(err)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// cleanAndExpandPath expands environment variables and leading ~ in the
|
||||||
|
// passed path, cleans the result, and returns it.
|
||||||
|
// This function is taken from https://github.com/btcsuite/btcd
|
||||||
|
func cleanAndExpandPath(path string) string {
|
||||||
|
// Expand initial ~ to OS specific home directory.
|
||||||
|
if strings.HasPrefix(path, "~") {
|
||||||
|
homeDir := filepath.Dir(lndHomeDir)
|
||||||
|
path = strings.Replace(path, "~", homeDir, 1)
|
||||||
|
}
|
||||||
|
|
||||||
|
// NOTE: The os.ExpandEnv doesn't work with Windows-style %VARIABLE%,
|
||||||
|
// but the variables can still be expanded via POSIX-style $VARIABLE.
|
||||||
|
return filepath.Clean(os.ExpandEnv(path))
|
||||||
|
}
|
||||||
|
14
config.go
14
config.go
@ -22,6 +22,8 @@ import (
|
|||||||
const (
|
const (
|
||||||
defaultConfigFilename = "lnd.conf"
|
defaultConfigFilename = "lnd.conf"
|
||||||
defaultDataDirname = "data"
|
defaultDataDirname = "data"
|
||||||
|
defaultTLSCertFilename = "tls.cert"
|
||||||
|
defaultTLSKeyFilename = "tls.key"
|
||||||
defaultLogLevel = "info"
|
defaultLogLevel = "info"
|
||||||
defaultLogDirname = "logs"
|
defaultLogDirname = "logs"
|
||||||
defaultLogFilename = "lnd.log"
|
defaultLogFilename = "lnd.log"
|
||||||
@ -37,6 +39,8 @@ var (
|
|||||||
lndHomeDir = btcutil.AppDataDir("lnd", false)
|
lndHomeDir = btcutil.AppDataDir("lnd", false)
|
||||||
defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename)
|
defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename)
|
||||||
defaultDataDir = filepath.Join(lndHomeDir, defaultDataDirname)
|
defaultDataDir = filepath.Join(lndHomeDir, defaultDataDirname)
|
||||||
|
defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename)
|
||||||
|
defaultTLSKeyPath = filepath.Join(lndHomeDir, defaultTLSKeyFilename)
|
||||||
defaultLogDir = filepath.Join(lndHomeDir, defaultLogDirname)
|
defaultLogDir = filepath.Join(lndHomeDir, defaultLogDirname)
|
||||||
|
|
||||||
btcdHomeDir = btcutil.AppDataDir("btcd", false)
|
btcdHomeDir = btcutil.AppDataDir("btcd", false)
|
||||||
@ -79,6 +83,8 @@ type config struct {
|
|||||||
|
|
||||||
ConfigFile string `long:"C" long:"configfile" description:"Path to configuration file"`
|
ConfigFile string `long:"C" long:"configfile" description:"Path to configuration file"`
|
||||||
DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"`
|
DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"`
|
||||||
|
TLSCertPath string `long:"tlscertpath" description:"Path to TLS certificate for lnd's RPC and REST services"`
|
||||||
|
TLSKeyPath string `long:"tlskeypath" description:"Path to TLS private key for lnd's RPC and REST services"`
|
||||||
LogDir string `long:"logdir" description:"Directory to log output."`
|
LogDir string `long:"logdir" description:"Directory to log output."`
|
||||||
|
|
||||||
Listeners []string `long:"listen" description:"Add an interface/port to listen for connections (default all interfaces port: 5656)"`
|
Listeners []string `long:"listen" description:"Add an interface/port to listen for connections (default all interfaces port: 5656)"`
|
||||||
@ -115,6 +121,8 @@ func loadConfig() (*config, error) {
|
|||||||
ConfigFile: defaultConfigFile,
|
ConfigFile: defaultConfigFile,
|
||||||
DataDir: defaultDataDir,
|
DataDir: defaultDataDir,
|
||||||
DebugLevel: defaultLogLevel,
|
DebugLevel: defaultLogLevel,
|
||||||
|
TLSCertPath: defaultTLSCertPath,
|
||||||
|
TLSKeyPath: defaultTLSKeyPath,
|
||||||
LogDir: defaultLogDir,
|
LogDir: defaultLogDir,
|
||||||
PeerPort: defaultPeerPort,
|
PeerPort: defaultPeerPort,
|
||||||
RPCPort: defaultRPCPort,
|
RPCPort: defaultRPCPort,
|
||||||
@ -300,6 +308,11 @@ func loadConfig() (*config, error) {
|
|||||||
cfg.LogDir = filepath.Join(cfg.LogDir,
|
cfg.LogDir = filepath.Join(cfg.LogDir,
|
||||||
registeredChains.primaryChain.String())
|
registeredChains.primaryChain.String())
|
||||||
|
|
||||||
|
// Ensure that the paths to the TLS key and certificate files are
|
||||||
|
// expanded and cleaned.
|
||||||
|
cfg.TLSCertPath = cleanAndExpandPath(cfg.TLSCertPath)
|
||||||
|
cfg.TLSKeyPath = cleanAndExpandPath(cfg.TLSKeyPath)
|
||||||
|
|
||||||
// Initialize logging at the default logging level.
|
// Initialize logging at the default logging level.
|
||||||
initLogRotator(filepath.Join(cfg.LogDir, defaultLogFilename))
|
initLogRotator(filepath.Join(cfg.LogDir, defaultLogFilename))
|
||||||
|
|
||||||
@ -323,6 +336,7 @@ func loadConfig() (*config, error) {
|
|||||||
|
|
||||||
// cleanAndExpandPath expands environment variables and leading ~ in the
|
// cleanAndExpandPath expands environment variables and leading ~ in the
|
||||||
// passed path, cleans the result, and returns it.
|
// passed path, cleans the result, and returns it.
|
||||||
|
// This function is taken from https://github.com/btcsuite/btcd
|
||||||
func cleanAndExpandPath(path string) string {
|
func cleanAndExpandPath(path string) string {
|
||||||
// Expand initial ~ to OS specific home directory.
|
// Expand initial ~ to OS specific home directory.
|
||||||
if strings.HasPrefix(path, "~") {
|
if strings.HasPrefix(path, "~") {
|
||||||
|
67
lnd.go
67
lnd.go
@ -3,6 +3,7 @@ package main
|
|||||||
import (
|
import (
|
||||||
"crypto/rand"
|
"crypto/rand"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
"io/ioutil"
|
||||||
"net"
|
"net"
|
||||||
"net/http"
|
"net/http"
|
||||||
_ "net/http/pprof"
|
_ "net/http/pprof"
|
||||||
@ -14,6 +15,7 @@ import (
|
|||||||
"golang.org/x/net/context"
|
"golang.org/x/net/context"
|
||||||
|
|
||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
|
"google.golang.org/grpc/credentials"
|
||||||
|
|
||||||
flags "github.com/btcsuite/go-flags"
|
flags "github.com/btcsuite/go-flags"
|
||||||
proxy "github.com/grpc-ecosystem/grpc-gateway/runtime"
|
proxy "github.com/grpc-ecosystem/grpc-gateway/runtime"
|
||||||
@ -26,6 +28,10 @@ import (
|
|||||||
"github.com/roasbeef/btcutil"
|
"github.com/roasbeef/btcutil"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
const (
|
||||||
|
autogenCertValidity = 10 * 365 * 24 * time.Hour
|
||||||
|
)
|
||||||
|
|
||||||
var (
|
var (
|
||||||
cfg *config
|
cfg *config
|
||||||
shutdownChannel = make(chan struct{})
|
shutdownChannel = make(chan struct{})
|
||||||
@ -189,13 +195,25 @@ func lndMain() error {
|
|||||||
}
|
}
|
||||||
server.fundingMgr = fundingMgr
|
server.fundingMgr = fundingMgr
|
||||||
|
|
||||||
|
// Ensure we create TLS key and certificate if they don't exist
|
||||||
|
if !fileExists(cfg.TLSCertPath) && !fileExists(cfg.TLSKeyPath) {
|
||||||
|
if err := genCertPair(cfg.TLSCertPath, cfg.TLSKeyPath); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
// Initialize, and register our implementation of the gRPC interface
|
// Initialize, and register our implementation of the gRPC interface
|
||||||
// exported by the rpcServer.
|
// exported by the rpcServer.
|
||||||
rpcServer := newRPCServer(server)
|
rpcServer := newRPCServer(server)
|
||||||
if err := rpcServer.Start(); err != nil {
|
if err := rpcServer.Start(); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
var opts []grpc.ServerOption
|
sCreds, err := credentials.NewServerTLSFromFile(cfg.TLSCertPath,
|
||||||
|
cfg.TLSKeyPath)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
opts := []grpc.ServerOption{grpc.Creds(sCreds)}
|
||||||
grpcServer := grpc.NewServer(opts...)
|
grpcServer := grpc.NewServer(opts...)
|
||||||
lnrpc.RegisterLightningServer(grpcServer, rpcServer)
|
lnrpc.RegisterLightningServer(grpcServer, rpcServer)
|
||||||
|
|
||||||
@ -211,13 +229,17 @@ func lndMain() error {
|
|||||||
rpcsLog.Infof("RPC server listening on %s", lis.Addr())
|
rpcsLog.Infof("RPC server listening on %s", lis.Addr())
|
||||||
grpcServer.Serve(lis)
|
grpcServer.Serve(lis)
|
||||||
}()
|
}()
|
||||||
|
cCreds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "")
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
// Finally, start the REST proxy for our gRPC server above.
|
// Finally, start the REST proxy for our gRPC server above.
|
||||||
ctx := context.Background()
|
ctx := context.Background()
|
||||||
ctx, cancel := context.WithCancel(ctx)
|
ctx, cancel := context.WithCancel(ctx)
|
||||||
defer cancel()
|
defer cancel()
|
||||||
|
|
||||||
mux := proxy.NewServeMux()
|
mux := proxy.NewServeMux()
|
||||||
proxyOpts := []grpc.DialOption{grpc.WithInsecure()}
|
proxyOpts := []grpc.DialOption{grpc.WithTransportCredentials(cCreds)}
|
||||||
err = lnrpc.RegisterLightningHandlerFromEndpoint(ctx, mux, grpcEndpoint,
|
err = lnrpc.RegisterLightningHandlerFromEndpoint(ctx, mux, grpcEndpoint,
|
||||||
proxyOpts)
|
proxyOpts)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -226,7 +248,8 @@ func lndMain() error {
|
|||||||
go func() {
|
go func() {
|
||||||
restEndpoint := fmt.Sprintf(":%d", loadedConfig.RESTPort)
|
restEndpoint := fmt.Sprintf(":%d", loadedConfig.RESTPort)
|
||||||
rpcsLog.Infof("gRPC proxy started at localhost%s", restEndpoint)
|
rpcsLog.Infof("gRPC proxy started at localhost%s", restEndpoint)
|
||||||
http.ListenAndServe(restEndpoint, mux)
|
http.ListenAndServeTLS(restEndpoint, cfg.TLSCertPath,
|
||||||
|
cfg.TLSKeyPath, mux)
|
||||||
}()
|
}()
|
||||||
|
|
||||||
// If we're not in simnet mode, We'll wait until we're fully synced to
|
// If we're not in simnet mode, We'll wait until we're fully synced to
|
||||||
@ -301,3 +324,39 @@ func main() {
|
|||||||
os.Exit(1)
|
os.Exit(1)
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// fileExists reports whether the named file or directory exists.
|
||||||
|
// This function is taken from https://github.com/btcsuite/btcd
|
||||||
|
func fileExists(name string) bool {
|
||||||
|
if _, err := os.Stat(name); err != nil {
|
||||||
|
if os.IsNotExist(err) {
|
||||||
|
return false
|
||||||
|
}
|
||||||
|
}
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
// genCertPair generates a key/cert pair to the paths provided.
|
||||||
|
// This function is adapted from https://github.com/btcsuite/btcd
|
||||||
|
func genCertPair(certFile, keyFile string) error {
|
||||||
|
rpcsLog.Infof("Generating TLS certificates...")
|
||||||
|
|
||||||
|
org := "lnd autogenerated cert"
|
||||||
|
validUntil := time.Now().Add(autogenCertValidity)
|
||||||
|
cert, key, err := btcutil.NewTLSCertPair(org, validUntil, nil)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
// Write cert and key files.
|
||||||
|
if err = ioutil.WriteFile(certFile, cert, 0644); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err = ioutil.WriteFile(keyFile, key, 0600); err != nil {
|
||||||
|
os.Remove(certFile)
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
rpcsLog.Infof("Done generating TLS certificates")
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
@ -19,6 +19,7 @@ import (
|
|||||||
"golang.org/x/net/context"
|
"golang.org/x/net/context"
|
||||||
|
|
||||||
"google.golang.org/grpc"
|
"google.golang.org/grpc"
|
||||||
|
"google.golang.org/grpc/credentials"
|
||||||
"google.golang.org/grpc/grpclog"
|
"google.golang.org/grpc/grpclog"
|
||||||
|
|
||||||
"os/exec"
|
"os/exec"
|
||||||
@ -135,6 +136,8 @@ func newLightningNode(btcrpcConfig *btcrpcclient.ConnConfig, lndArgs []string) (
|
|||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
cfg.TLSCertPath = filepath.Join(cfg.DataDir, "tls.cert")
|
||||||
|
cfg.TLSKeyPath = filepath.Join(cfg.DataDir, "tls.key")
|
||||||
|
|
||||||
cfg.PeerPort, cfg.RPCPort = generateListeningPorts()
|
cfg.PeerPort, cfg.RPCPort = generateListeningPorts()
|
||||||
|
|
||||||
@ -172,6 +175,8 @@ func (l *lightningNode) genArgs() []string {
|
|||||||
args = append(args, fmt.Sprintf("--peerport=%v", l.cfg.PeerPort))
|
args = append(args, fmt.Sprintf("--peerport=%v", l.cfg.PeerPort))
|
||||||
args = append(args, fmt.Sprintf("--logdir=%v", l.cfg.LogDir))
|
args = append(args, fmt.Sprintf("--logdir=%v", l.cfg.LogDir))
|
||||||
args = append(args, fmt.Sprintf("--datadir=%v", l.cfg.DataDir))
|
args = append(args, fmt.Sprintf("--datadir=%v", l.cfg.DataDir))
|
||||||
|
args = append(args, fmt.Sprintf("--tlscertpath=%v", l.cfg.TLSCertPath))
|
||||||
|
args = append(args, fmt.Sprintf("--tlskeypath=%v", l.cfg.TLSKeyPath))
|
||||||
|
|
||||||
if l.extraArgs != nil {
|
if l.extraArgs != nil {
|
||||||
args = append(args, l.extraArgs...)
|
args = append(args, l.extraArgs...)
|
||||||
@ -242,8 +247,23 @@ func (l *lightningNode) Start(lndError chan error) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// Wait until TLS certificate is created before using it, up to 10 sec.
|
||||||
|
tlsTimeout := time.After(10 * time.Second)
|
||||||
|
for !fileExists(l.cfg.TLSCertPath) {
|
||||||
|
time.Sleep(100 * time.Millisecond)
|
||||||
|
select {
|
||||||
|
case <-tlsTimeout:
|
||||||
|
panic(fmt.Errorf("timeout waiting for TLS cert file " +
|
||||||
|
"to be created after 10 seconds"))
|
||||||
|
default:
|
||||||
|
}
|
||||||
|
}
|
||||||
|
creds, err := credentials.NewClientTLSFromFile(l.cfg.TLSCertPath, "")
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
opts := []grpc.DialOption{
|
opts := []grpc.DialOption{
|
||||||
grpc.WithInsecure(),
|
grpc.WithTransportCredentials(creds),
|
||||||
grpc.WithBlock(),
|
grpc.WithBlock(),
|
||||||
grpc.WithTimeout(time.Second * 20),
|
grpc.WithTimeout(time.Second * 20),
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user