lncli: add support for macaroons

This commit is contained in:
Alex 2017-08-17 19:51:33 -06:00 committed by Olaoluwa Osuntokun
parent 922b065de5
commit 5d971a8ea8

@ -2,28 +2,33 @@ package main
import (
"fmt"
"io/ioutil"
"os"
"path/filepath"
"strings"
"time"
"gopkg.in/macaroon-bakery.v1/bakery/checkers"
"gopkg.in/macaroon.v1"
"github.com/lightningnetwork/lnd/lnrpc"
"github.com/lightningnetwork/lnd/macaroons"
"github.com/roasbeef/btcutil"
"github.com/urfave/cli"
flags "github.com/btcsuite/go-flags"
"google.golang.org/grpc"
"google.golang.org/grpc/credentials"
)
const (
defaultConfigFilename = "lnd.conf"
defaultTLSCertFilename = "tls.cert"
defaultTLSCertFilename = "tls.cert"
defaultMacaroonFilename = "admin.macaroon"
)
var (
lndHomeDir = btcutil.AppDataDir("lnd", false)
defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename)
defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename)
lndHomeDir = btcutil.AppDataDir("lnd", false)
defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename)
defaultMacaroonPath = filepath.Join(lndHomeDir, defaultMacaroonFilename)
)
func fatal(err error) {
@ -41,38 +46,56 @@ func getClient(ctx *cli.Context) (lnrpc.LightningClient, func()) {
return lnrpc.NewLightningClient(conn), cleanUp
}
type config struct {
TLSCertPath string `long:"tlscertpath" description:"path to TLS certificate"`
}
func getClientConn(ctx *cli.Context) *grpc.ClientConn {
// TODO(roasbeef): macaroon based auth
// * http://www.grpc.io/docs/guides/auth.html
// * http://research.google.com/pubs/pub41892.html
// * https://github.com/go-macaroon/macaroon
cfg := config{
TLSCertPath: defaultTLSCertPath,
}
// We want only the TLS certificate information from the configuration
// file at this time, so ignore anything else. We can always add fields
// as we need them. When specifying a file on the `lncli` command line,
// this should work with just a trusted CA cert assuming the server's
// cert file contains the entire chain from the CA to the server's cert.
parser := flags.NewParser(&cfg, flags.IgnoreUnknown)
iniParser := flags.NewIniParser(parser)
if err := iniParser.ParseFile(ctx.GlobalString("config")); err != nil {
fatal(err)
}
if ctx.GlobalString("tlscertpath") != defaultTLSCertPath {
cfg.TLSCertPath = ctx.GlobalString("tlscertpath")
}
cfg.TLSCertPath = cleanAndExpandPath(cfg.TLSCertPath)
creds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "")
// Load the specified TLS certificate and build transport credentials
// with it.
tlsCertPath := cleanAndExpandPath(ctx.GlobalString("tlscertpath"))
creds, err := credentials.NewClientTLSFromFile(tlsCertPath, "")
if err != nil {
fatal(err)
}
opts := []grpc.DialOption{grpc.WithTransportCredentials(creds)}
// Create a dial options array.
opts := []grpc.DialOption{
grpc.WithTransportCredentials(creds),
}
// Only process macaroon credentials if --no-macaroons isn't set.
if !ctx.GlobalBool("no-macaroons") {
// Load the specified macaroon file.
macPath := cleanAndExpandPath(ctx.GlobalString("macaroonpath"))
macBytes, err := ioutil.ReadFile(macPath)
if err != nil {
fatal(err)
}
mac := &macaroon.Macaroon{}
if err = mac.UnmarshalBinary(macBytes); err != nil {
fatal(err)
}
// We add a time-based constraint to prevent replay of the
// macaroon. It's good for 60 seconds by default to make up for
// any discrepancy between client and server clocks, but leaking
// the macaroon before it becomes invalid makes it possible for
// an attacker to reuse the macaroon. In addition, the validity
// time of the macaroon is extended by the time the server clock
// is behind the client clock, or shortened by the time the
// server clock is ahead of the client clock (or invalid
// altogether if, in the latter case, this time is more than 60
// seconds).
// TODO(aakselrod): add better anti-replay protection.
macaroonTimeout := time.Duration(ctx.GlobalInt64("macaroontimeout"))
requestTimeout := time.Now().Add(time.Second * macaroonTimeout)
timeCaveat := checkers.TimeBeforeCaveat(requestTimeout)
mac.AddFirstPartyCaveat(timeCaveat.Condition)
// Now we append the macaroon credentials to the dial options.
opts = append(
opts,
grpc.WithPerRPCCredentials(
macaroons.NewMacaroonCredential(mac)),
)
}
conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...)
if err != nil {
@ -93,16 +116,25 @@ func main() {
Value: "localhost:10009",
Usage: "host:port of ln daemon",
},
cli.StringFlag{
Name: "config",
Value: defaultConfigFile,
Usage: "path to config file for TLS cert path",
},
cli.StringFlag{
Name: "tlscertpath",
Value: defaultTLSCertPath,
Usage: "path to TLS certificate",
},
cli.BoolFlag{
Name: "no-macaroons",
Usage: "disable macaroon authentication",
},
cli.StringFlag{
Name: "macaroonpath",
Value: defaultMacaroonPath,
Usage: "path to macaroon file",
},
cli.Int64Flag{
Name: "macaroontimeout",
Value: 60,
Usage: "anti-replay macaroon validity time in seconds",
},
}
app.Commands = []cli.Command{
newAddressCommand,