From 679e86174fb61aaa3a4ca7d503d4671f1fb47243 Mon Sep 17 00:00:00 2001
From: whythat <whythat@protonmail.com>
Date: Sat, 2 Sep 2017 03:46:27 +0300
Subject: [PATCH] macaroons: add IP lock macaroon constraint

---
 cmd/lncli/main.go |  7 +++++++
 macaroons/auth.go | 13 +++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/cmd/lncli/main.go b/cmd/lncli/main.go
index 43c6c89e..cd0f49a4 100644
--- a/cmd/lncli/main.go
+++ b/cmd/lncli/main.go
@@ -85,6 +85,9 @@ func getClientConn(ctx *cli.Context) *grpc.ClientConn {
 			// TODO(aakselrod): add better anti-replay protection.
 			macaroons.TimeoutConstraint(ctx.GlobalInt64("macaroontimeout")),
 
+			// Lock macaroon down to a specific IP address.
+			macaroons.IPLockConstraint(ctx.GlobalString("macaroonip")),
+
 			// ... Add more constraints if needed.
 		}
 
@@ -134,6 +137,10 @@ func main() {
 			Value: 60,
 			Usage: "anti-replay macaroon validity time in seconds",
 		},
+		cli.StringFlag{
+			Name:  "macaroonip",
+			Usage: "if set, lock macaroon to specific IP address",
+		},
 	}
 	app.Commands = []cli.Command{
 		newAddressCommand,
diff --git a/macaroons/auth.go b/macaroons/auth.go
index 547c8bdc..8a52e571 100644
--- a/macaroons/auth.go
+++ b/macaroons/auth.go
@@ -3,9 +3,11 @@ package macaroons
 import (
 	"encoding/hex"
 	"fmt"
+	"net"
 
 	"golang.org/x/net/context"
 	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/peer"
 
 	"gopkg.in/macaroon-bakery.v1/bakery"
 	"gopkg.in/macaroon-bakery.v1/bakery/checkers"
@@ -67,6 +69,16 @@ func ValidateMacaroon(ctx context.Context, method string,
 			len(md["macaroon"]))
 	}
 
+	// Get peer info and extract IP address from it for macaroon check
+	pr, ok := peer.FromContext(ctx)
+	if !ok {
+		return fmt.Errorf("unable to get peer info from context")
+	}
+	peerAddr, _, err := net.SplitHostPort(pr.Addr.String())
+	if err != nil {
+		return fmt.Errorf("unable to parse peer address")
+	}
+
 	// With the macaroon obtained, we'll now decode the hex-string
 	// encoding, then unmarshal it from binary into its concrete struct
 	// representation.
@@ -87,5 +99,6 @@ func ValidateMacaroon(ctx context.Context, method string,
 	return svc.Check(macaroon.Slice{mac}, checkers.New(
 		PermissionsChecker(method),
 		TimeoutChecker(),
+		IPLockChecker(peerAddr),
 	))
 }