rpc: force TLS for both grpc endpoint and grpc gateway

This commit is contained in:
Alex 2017-07-25 17:22:06 -06:00 committed by Olaoluwa Osuntokun
parent d1e797451d
commit 59f9065213
4 changed files with 173 additions and 13 deletions

@ -3,11 +3,27 @@ package main
import ( import (
"fmt" "fmt"
"os" "os"
"path/filepath"
"strings"
"github.com/lightningnetwork/lnd/lnrpc" "github.com/lightningnetwork/lnd/lnrpc"
"github.com/roasbeef/btcutil"
"github.com/urfave/cli" "github.com/urfave/cli"
flags "github.com/btcsuite/go-flags"
"google.golang.org/grpc" "google.golang.org/grpc"
"google.golang.org/grpc/credentials"
)
const (
defaultConfigFilename = "lnd.conf"
defaultTLSCertFilename = "tls.cert"
)
var (
lndHomeDir = btcutil.AppDataDir("lnd", false)
defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename)
defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename)
) )
func fatal(err error) { func fatal(err error) {
@ -25,12 +41,38 @@ func getClient(ctx *cli.Context) (lnrpc.LightningClient, func()) {
return lnrpc.NewLightningClient(conn), cleanUp return lnrpc.NewLightningClient(conn), cleanUp
} }
type config struct {
TLSCertPath string `long:"tlscertpath" description:"path to TLS certificate"`
}
func getClientConn(ctx *cli.Context) *grpc.ClientConn { func getClientConn(ctx *cli.Context) *grpc.ClientConn {
// TODO(roasbeef): macaroon based auth // TODO(roasbeef): macaroon based auth
// * http://www.grpc.io/docs/guides/auth.html // * http://www.grpc.io/docs/guides/auth.html
// * http://research.google.com/pubs/pub41892.html // * http://research.google.com/pubs/pub41892.html
// * https://github.com/go-macaroon/macaroon // * https://github.com/go-macaroon/macaroon
opts := []grpc.DialOption{grpc.WithInsecure()} cfg := config{
TLSCertPath: defaultTLSCertPath,
}
// We want only the TLS certificate information from the configuration
// file at this time, so ignore anything else. We can always add fields
// as we need them. When specifying a file on the `lncli` command line,
// this should work with just a trusted CA cert assuming the server's
// cert file contains the entire chain from the CA to the server's cert.
parser := flags.NewParser(&cfg, flags.IgnoreUnknown)
iniParser := flags.NewIniParser(parser)
if err := iniParser.ParseFile(ctx.GlobalString("config")); err != nil {
fatal(err)
}
if ctx.GlobalString("tlscertpath") != defaultTLSCertPath {
cfg.TLSCertPath = ctx.GlobalString("tlscertpath")
}
cfg.TLSCertPath = cleanAndExpandPath(cfg.TLSCertPath)
creds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "")
if err != nil {
fatal(err)
}
opts := []grpc.DialOption{grpc.WithTransportCredentials(creds)}
conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...) conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...)
if err != nil { if err != nil {
@ -51,6 +93,16 @@ func main() {
Value: "localhost:10009", Value: "localhost:10009",
Usage: "host:port of ln daemon", Usage: "host:port of ln daemon",
}, },
cli.StringFlag{
Name: "config",
Value: defaultConfigFile,
Usage: "path to config file for TLS cert path",
},
cli.StringFlag{
Name: "tlscertpath",
Value: defaultTLSCertPath,
Usage: "path to TLS certificate",
},
} }
app.Commands = []cli.Command{ app.Commands = []cli.Command{
newAddressCommand, newAddressCommand,
@ -88,3 +140,18 @@ func main() {
fatal(err) fatal(err)
} }
} }
// cleanAndExpandPath expands environment variables and leading ~ in the
// passed path, cleans the result, and returns it.
// This function is taken from https://github.com/btcsuite/btcd
func cleanAndExpandPath(path string) string {
// Expand initial ~ to OS specific home directory.
if strings.HasPrefix(path, "~") {
homeDir := filepath.Dir(lndHomeDir)
path = strings.Replace(path, "~", homeDir, 1)
}
// NOTE: The os.ExpandEnv doesn't work with Windows-style %VARIABLE%,
// but the variables can still be expanded via POSIX-style $VARIABLE.
return filepath.Clean(os.ExpandEnv(path))
}

@ -22,6 +22,8 @@ import (
const ( const (
defaultConfigFilename = "lnd.conf" defaultConfigFilename = "lnd.conf"
defaultDataDirname = "data" defaultDataDirname = "data"
defaultTLSCertFilename = "tls.cert"
defaultTLSKeyFilename = "tls.key"
defaultLogLevel = "info" defaultLogLevel = "info"
defaultLogDirname = "logs" defaultLogDirname = "logs"
defaultLogFilename = "lnd.log" defaultLogFilename = "lnd.log"
@ -37,6 +39,8 @@ var (
lndHomeDir = btcutil.AppDataDir("lnd", false) lndHomeDir = btcutil.AppDataDir("lnd", false)
defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename) defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename)
defaultDataDir = filepath.Join(lndHomeDir, defaultDataDirname) defaultDataDir = filepath.Join(lndHomeDir, defaultDataDirname)
defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename)
defaultTLSKeyPath = filepath.Join(lndHomeDir, defaultTLSKeyFilename)
defaultLogDir = filepath.Join(lndHomeDir, defaultLogDirname) defaultLogDir = filepath.Join(lndHomeDir, defaultLogDirname)
btcdHomeDir = btcutil.AppDataDir("btcd", false) btcdHomeDir = btcutil.AppDataDir("btcd", false)
@ -79,6 +83,8 @@ type config struct {
ConfigFile string `long:"C" long:"configfile" description:"Path to configuration file"` ConfigFile string `long:"C" long:"configfile" description:"Path to configuration file"`
DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"` DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"`
TLSCertPath string `long:"tlscertpath" description:"Path to TLS certificate for lnd's RPC and REST services"`
TLSKeyPath string `long:"tlskeypath" description:"Path to TLS private key for lnd's RPC and REST services"`
LogDir string `long:"logdir" description:"Directory to log output."` LogDir string `long:"logdir" description:"Directory to log output."`
Listeners []string `long:"listen" description:"Add an interface/port to listen for connections (default all interfaces port: 5656)"` Listeners []string `long:"listen" description:"Add an interface/port to listen for connections (default all interfaces port: 5656)"`
@ -115,6 +121,8 @@ func loadConfig() (*config, error) {
ConfigFile: defaultConfigFile, ConfigFile: defaultConfigFile,
DataDir: defaultDataDir, DataDir: defaultDataDir,
DebugLevel: defaultLogLevel, DebugLevel: defaultLogLevel,
TLSCertPath: defaultTLSCertPath,
TLSKeyPath: defaultTLSKeyPath,
LogDir: defaultLogDir, LogDir: defaultLogDir,
PeerPort: defaultPeerPort, PeerPort: defaultPeerPort,
RPCPort: defaultRPCPort, RPCPort: defaultRPCPort,
@ -300,6 +308,11 @@ func loadConfig() (*config, error) {
cfg.LogDir = filepath.Join(cfg.LogDir, cfg.LogDir = filepath.Join(cfg.LogDir,
registeredChains.primaryChain.String()) registeredChains.primaryChain.String())
// Ensure that the paths to the TLS key and certificate files are
// expanded and cleaned.
cfg.TLSCertPath = cleanAndExpandPath(cfg.TLSCertPath)
cfg.TLSKeyPath = cleanAndExpandPath(cfg.TLSKeyPath)
// Initialize logging at the default logging level. // Initialize logging at the default logging level.
initLogRotator(filepath.Join(cfg.LogDir, defaultLogFilename)) initLogRotator(filepath.Join(cfg.LogDir, defaultLogFilename))
@ -323,6 +336,7 @@ func loadConfig() (*config, error) {
// cleanAndExpandPath expands environment variables and leading ~ in the // cleanAndExpandPath expands environment variables and leading ~ in the
// passed path, cleans the result, and returns it. // passed path, cleans the result, and returns it.
// This function is taken from https://github.com/btcsuite/btcd
func cleanAndExpandPath(path string) string { func cleanAndExpandPath(path string) string {
// Expand initial ~ to OS specific home directory. // Expand initial ~ to OS specific home directory.
if strings.HasPrefix(path, "~") { if strings.HasPrefix(path, "~") {

67
lnd.go

@ -3,6 +3,7 @@ package main
import ( import (
"crypto/rand" "crypto/rand"
"fmt" "fmt"
"io/ioutil"
"net" "net"
"net/http" "net/http"
_ "net/http/pprof" _ "net/http/pprof"
@ -14,6 +15,7 @@ import (
"golang.org/x/net/context" "golang.org/x/net/context"
"google.golang.org/grpc" "google.golang.org/grpc"
"google.golang.org/grpc/credentials"
flags "github.com/btcsuite/go-flags" flags "github.com/btcsuite/go-flags"
proxy "github.com/grpc-ecosystem/grpc-gateway/runtime" proxy "github.com/grpc-ecosystem/grpc-gateway/runtime"
@ -26,6 +28,10 @@ import (
"github.com/roasbeef/btcutil" "github.com/roasbeef/btcutil"
) )
const (
autogenCertValidity = 10 * 365 * 24 * time.Hour
)
var ( var (
cfg *config cfg *config
shutdownChannel = make(chan struct{}) shutdownChannel = make(chan struct{})
@ -189,13 +195,25 @@ func lndMain() error {
} }
server.fundingMgr = fundingMgr server.fundingMgr = fundingMgr
// Ensure we create TLS key and certificate if they don't exist
if !fileExists(cfg.TLSCertPath) && !fileExists(cfg.TLSKeyPath) {
if err := genCertPair(cfg.TLSCertPath, cfg.TLSKeyPath); err != nil {
return err
}
}
// Initialize, and register our implementation of the gRPC interface // Initialize, and register our implementation of the gRPC interface
// exported by the rpcServer. // exported by the rpcServer.
rpcServer := newRPCServer(server) rpcServer := newRPCServer(server)
if err := rpcServer.Start(); err != nil { if err := rpcServer.Start(); err != nil {
return err return err
} }
var opts []grpc.ServerOption sCreds, err := credentials.NewServerTLSFromFile(cfg.TLSCertPath,
cfg.TLSKeyPath)
if err != nil {
return err
}
opts := []grpc.ServerOption{grpc.Creds(sCreds)}
grpcServer := grpc.NewServer(opts...) grpcServer := grpc.NewServer(opts...)
lnrpc.RegisterLightningServer(grpcServer, rpcServer) lnrpc.RegisterLightningServer(grpcServer, rpcServer)
@ -211,13 +229,17 @@ func lndMain() error {
rpcsLog.Infof("RPC server listening on %s", lis.Addr()) rpcsLog.Infof("RPC server listening on %s", lis.Addr())
grpcServer.Serve(lis) grpcServer.Serve(lis)
}() }()
cCreds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "")
if err != nil {
return err
}
// Finally, start the REST proxy for our gRPC server above. // Finally, start the REST proxy for our gRPC server above.
ctx := context.Background() ctx := context.Background()
ctx, cancel := context.WithCancel(ctx) ctx, cancel := context.WithCancel(ctx)
defer cancel() defer cancel()
mux := proxy.NewServeMux() mux := proxy.NewServeMux()
proxyOpts := []grpc.DialOption{grpc.WithInsecure()} proxyOpts := []grpc.DialOption{grpc.WithTransportCredentials(cCreds)}
err = lnrpc.RegisterLightningHandlerFromEndpoint(ctx, mux, grpcEndpoint, err = lnrpc.RegisterLightningHandlerFromEndpoint(ctx, mux, grpcEndpoint,
proxyOpts) proxyOpts)
if err != nil { if err != nil {
@ -226,7 +248,8 @@ func lndMain() error {
go func() { go func() {
restEndpoint := fmt.Sprintf(":%d", loadedConfig.RESTPort) restEndpoint := fmt.Sprintf(":%d", loadedConfig.RESTPort)
rpcsLog.Infof("gRPC proxy started at localhost%s", restEndpoint) rpcsLog.Infof("gRPC proxy started at localhost%s", restEndpoint)
http.ListenAndServe(restEndpoint, mux) http.ListenAndServeTLS(restEndpoint, cfg.TLSCertPath,
cfg.TLSKeyPath, mux)
}() }()
// If we're not in simnet mode, We'll wait until we're fully synced to // If we're not in simnet mode, We'll wait until we're fully synced to
@ -301,3 +324,39 @@ func main() {
os.Exit(1) os.Exit(1)
} }
} }
// fileExists reports whether the named file or directory exists.
// This function is taken from https://github.com/btcsuite/btcd
func fileExists(name string) bool {
if _, err := os.Stat(name); err != nil {
if os.IsNotExist(err) {
return false
}
}
return true
}
// genCertPair generates a key/cert pair to the paths provided.
// This function is adapted from https://github.com/btcsuite/btcd
func genCertPair(certFile, keyFile string) error {
rpcsLog.Infof("Generating TLS certificates...")
org := "lnd autogenerated cert"
validUntil := time.Now().Add(autogenCertValidity)
cert, key, err := btcutil.NewTLSCertPair(org, validUntil, nil)
if err != nil {
return err
}
// Write cert and key files.
if err = ioutil.WriteFile(certFile, cert, 0644); err != nil {
return err
}
if err = ioutil.WriteFile(keyFile, key, 0600); err != nil {
os.Remove(certFile)
return err
}
rpcsLog.Infof("Done generating TLS certificates")
return nil
}

@ -19,6 +19,7 @@ import (
"golang.org/x/net/context" "golang.org/x/net/context"
"google.golang.org/grpc" "google.golang.org/grpc"
"google.golang.org/grpc/credentials"
"google.golang.org/grpc/grpclog" "google.golang.org/grpc/grpclog"
"os/exec" "os/exec"
@ -135,6 +136,8 @@ func newLightningNode(btcrpcConfig *btcrpcclient.ConnConfig, lndArgs []string) (
if err != nil { if err != nil {
return nil, err return nil, err
} }
cfg.TLSCertPath = filepath.Join(cfg.DataDir, "tls.cert")
cfg.TLSKeyPath = filepath.Join(cfg.DataDir, "tls.key")
cfg.PeerPort, cfg.RPCPort = generateListeningPorts() cfg.PeerPort, cfg.RPCPort = generateListeningPorts()
@ -172,6 +175,8 @@ func (l *lightningNode) genArgs() []string {
args = append(args, fmt.Sprintf("--peerport=%v", l.cfg.PeerPort)) args = append(args, fmt.Sprintf("--peerport=%v", l.cfg.PeerPort))
args = append(args, fmt.Sprintf("--logdir=%v", l.cfg.LogDir)) args = append(args, fmt.Sprintf("--logdir=%v", l.cfg.LogDir))
args = append(args, fmt.Sprintf("--datadir=%v", l.cfg.DataDir)) args = append(args, fmt.Sprintf("--datadir=%v", l.cfg.DataDir))
args = append(args, fmt.Sprintf("--tlscertpath=%v", l.cfg.TLSCertPath))
args = append(args, fmt.Sprintf("--tlskeypath=%v", l.cfg.TLSKeyPath))
if l.extraArgs != nil { if l.extraArgs != nil {
args = append(args, l.extraArgs...) args = append(args, l.extraArgs...)
@ -242,8 +247,23 @@ func (l *lightningNode) Start(lndError chan error) error {
return err return err
} }
// Wait until TLS certificate is created before using it, up to 10 sec.
tlsTimeout := time.After(10 * time.Second)
for !fileExists(l.cfg.TLSCertPath) {
time.Sleep(100 * time.Millisecond)
select {
case <-tlsTimeout:
panic(fmt.Errorf("timeout waiting for TLS cert file " +
"to be created after 10 seconds"))
default:
}
}
creds, err := credentials.NewClientTLSFromFile(l.cfg.TLSCertPath, "")
if err != nil {
return err
}
opts := []grpc.DialOption{ opts := []grpc.DialOption{
grpc.WithInsecure(), grpc.WithTransportCredentials(creds),
grpc.WithBlock(), grpc.WithBlock(),
grpc.WithTimeout(time.Second * 20), grpc.WithTimeout(time.Second * 20),
} }