From 679e86174fb61aaa3a4ca7d503d4671f1fb47243 Mon Sep 17 00:00:00 2001
From: whythat
Date: Sat, 2 Sep 2017 03:46:27 +0300
Subject: [PATCH] macaroons: add IP lock macaroon constraint
---
 cmd/lncli/main.go | 7 +++++++
 macaroons/auth.go | 13 +++++++++++++
 2 files changed, 20 insertions(+)
diff --git a/cmd/lncli/main.go b/cmd/lncli/main.go
index 43c6c89e..cd0f49a4 100644
--- a/cmd/lncli/main.go
+++ b/cmd/lncli/main.go
@@ -85,6 +85,9 @@ func getClientConn(ctx *cli.Context) *grpc.ClientConn {
 // TODO(aakselrod): add better anti-replay protection.
 macaroons.TimeoutConstraint(ctx.GlobalInt64("macaroontimeout")),
+ // Lock macaroon down to a specific IP address.
+ macaroons.IPLockConstraint(ctx.GlobalString("macaroonip")),
+
 // ... Add more constraints if needed.
 }
@@ -134,6 +137,10 @@ func main() {
 Value: 60,
 Usage: "anti-replay macaroon validity time in seconds",
 },
+ cli.StringFlag{
+ Name: "macaroonip",
+ Usage: "if set, lock macaroon to specific IP address",
+ },
 }
 app.Commands = []cli.Command{
 newAddressCommand,
diff --git a/macaroons/auth.go b/macaroons/auth.go
index 547c8bdc..8a52e571 100644
--- a/macaroons/auth.go
+++ b/macaroons/auth.go
@@ -3,9 +3,11 @@ package macaroons
 import (
 "encoding/hex"
 "fmt"
+ "net"
 "golang.org/x/net/context"
 "google.golang.org/grpc/metadata"
+ "google.golang.org/grpc/peer"
 "gopkg.in/macaroon-bakery.v1/bakery"
 "gopkg.in/macaroon-bakery.v1/bakery/checkers"
@@ -67,6 +69,16 @@ func ValidateMacaroon(ctx context.Context, method string,
 len(md["macaroon"]))
 }
+ // Get peer info and extract IP address from it for macaroon check
+ pr, ok := peer.FromContext(ctx)
+ if !ok {
+ return fmt.Errorf("unable to get peer info from context")
+ }
+ peerAddr, _, err := net.SplitHostPort(pr.Addr.String())
+ if err != nil {
+ return fmt.Errorf("unable to parse peer address")
+ }
+
 // With the macaroon obtained, we'll now decode the hex-string
 // encoding, then unmarshal it from binary into its concrete struct
 // representation.
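Review bot: `macaroons.IPLockConstraint(ctx.GlobalString("macaroonip"))` is appended to the constraint list unconditionally, so with `--macaroonip` unset it is called with an empty string; IPLockConstraint is not part of this diff, so whether it treats "" as "no caveat" (as the flag's "if set" usage text in the next hunk implies) cannot be confirmed here and should be. The value is also passed through without any client-side validation, so a mistyped address (a constructed example: `127.0.0.1.`) produces a caveat the server can never satisfy and the call only fails at the daemon; a `net.ParseIP` check with a clear error in lncli would surface that earlier. The flag's Usage in the second main.go hunk should also say that the address must be the one lnd observes as the gRPC peer address (for a local lncli that is the loopback address), since that is what the server-side check compares against. The enclosing composite literal starts outside the hunk.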
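Review bot: `fmt.Errorf("unable to parse peer address")` in the ValidateMacaroon hunk discards both the `net.SplitHostPort` error and the address that failed, so a rejected call cannot be diagnosed from the log; `return fmt.Errorf("unable to parse peer address %q: %v", pr.Addr.String(), err)`. The peer lookup also runs before the macaroon is decoded and regardless of whether it carries an IP caveat, so any peer whose `net.Addr` is not in host:port form (a unix-socket listener, if lnd ever serves gRPC over one) now fails every authenticated call rather than only IP-locked ones; treating a non-parsable address as "no IP" and letting the checker reject it only when a caveat is present would keep the previous behaviour for unconstrained macaroons. Note as well that `peerAddr` is the raw host string from SplitHostPort (brackets stripped, no canonicalisation), so IPLockChecker — not visible in this diff — should compare with `net.ParseIP(...).Equal(...)` rather than string equality, otherwise `::1` and `0:0:0:0:0:0:0:1`, or an IPv4-mapped form of the same address, would not match. ValidateMacaroon's body continues outside the hunk.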
@@ -87,5 +99,6 @@ func ValidateMacaroon(ctx context.Context, method string,
 return svc.Check(macaroon.Slice{mac}, checkers.New(
 PermissionsChecker(method),
 TimeoutChecker(),
+ IPLockChecker(peerAddr),
 ))
 }
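Review bot: `IPLockChecker(peerAddr)` compares the caveat against the transport-level peer address gRPC reports for the connection, so behind a reverse proxy or NAT every client presents the proxy's address and the lock no longer distinguishes clients; that limitation is stated nowhere in the change and belongs in ValidateMacaroon's doc comment, which sits above the hunk, e.g. `// An IP-lock caveat, when present, is checked against the address of the direct gRPC peer; a proxy in front of lnd makes all clients appear to come from the proxy.` The function's signature and doc comment are outside the hunk.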