macaroons: add special permission entity for URI specific permissions

To make the permission system even more fine-grained, we want to allow
users to specify exact gRPC URIs in the macaroon permissions instead of
just broad entity/action groups.
For this we add the special entity "uri" which allows an URI specific
permission to be defined as "uri:/lnrpc.Lightning/GetInfo" for example
instead of the more coarse "info:read" which gives access to multiple
URIs.
This commit is contained in:
Oliver Gugger 2020-09-04 09:22:35 +02:00
parent 2284d8c775
commit 6d201ef4fc
No known key found for this signature in database
GPG Key ID: 8E4256593F177720
3 changed files with 61 additions and 8 deletions

@ -100,8 +100,18 @@ key `0` would be created with the following command:
`lncli bakemacaroon peers:read peers:write`
A full and up-to-date list of available entity/action pairs can be found by
looking at the `rpcserver.go` in the root folder of the project.
For even more fine-grained permission control, it is also possible to specify
single RPC method URIs that are allowed to be accessed by a macaroon. This can
be achieved by passing `uri:<methodURI>` pairs to `bakemacaroon`, for example:
`lncli bakemacaroon uri:/lnrpc.Lightning/GetInfo uri:/verrpc.Versioner/GetVersion`
The macaroon created by this call would only be allowed to call the `GetInfo` and
`GetVersion` methods instead of all methods that have similar permissions (like
`info:read` for example).
A full list of available entity/action pairs and RPC method URIs can be queried
by using the `lncli listpermissions` command.
### Upgrading from v0.8.0-beta or earlier

@ -27,6 +27,15 @@ var (
// ErrDeletionForbidden is used when attempting to delete the
// DefaultRootKeyID or the encryptedKeyID.
ErrDeletionForbidden = fmt.Errorf("the specified ID cannot be deleted")
// PermissionEntityCustomURI is a special entity name for a permission
// that does not describe an entity:action pair but instead specifies a
// specific URI that needs to be granted access to. This can be used for
// more fine-grained permissions where a macaroon only grants access to
// certain methods instead of a whole list of methods that define the
// same entity:action pairs. For example: uri:/lnrpc.Lightning/GetInfo
// only gives access to the GetInfo call.
PermissionEntityCustomURI = "uri"
)
// Service encapsulates bakery.Bakery and adds a Close() method that zeroes the
@ -118,12 +127,15 @@ func (svc *Service) UnaryServerInterceptor(
info *grpc.UnaryServerInfo,
handler grpc.UnaryHandler) (interface{}, error) {
if _, ok := permissionMap[info.FullMethod]; !ok {
uriPermissions, ok := permissionMap[info.FullMethod]
if !ok {
return nil, fmt.Errorf("%s: unknown permissions "+
"required for method", info.FullMethod)
}
err := svc.ValidateMacaroon(ctx, permissionMap[info.FullMethod])
err := svc.ValidateMacaroon(
ctx, uriPermissions, info.FullMethod,
)
if err != nil {
return nil, err
}
@ -140,13 +152,14 @@ func (svc *Service) StreamServerInterceptor(
return func(srv interface{}, ss grpc.ServerStream,
info *grpc.StreamServerInfo, handler grpc.StreamHandler) error {
if _, ok := permissionMap[info.FullMethod]; !ok {
uriPermissions, ok := permissionMap[info.FullMethod]
if !ok {
return fmt.Errorf("%s: unknown permissions required "+
"for method", info.FullMethod)
}
err := svc.ValidateMacaroon(
ss.Context(), permissionMap[info.FullMethod],
ss.Context(), uriPermissions, info.FullMethod,
)
if err != nil {
return err
@ -161,7 +174,7 @@ func (svc *Service) StreamServerInterceptor(
// expect a macaroon to be encoded as request metadata using the key
// "macaroon".
func (svc *Service) ValidateMacaroon(ctx context.Context,
requiredPermissions []bakery.Op) error {
requiredPermissions []bakery.Op, fullMethod string) error {
// Get macaroon bytes from context and unmarshal into macaroon.
md, ok := metadata.FromIncomingContext(ctx)
@ -190,6 +203,20 @@ func (svc *Service) ValidateMacaroon(ctx context.Context,
// the expiration time and IP address and return the result.
authChecker := svc.Checker.Auth(macaroon.Slice{mac})
_, err = authChecker.Allow(ctx, requiredPermissions...)
// If the macaroon contains broad permissions and checks out, we're
// done.
if err == nil {
return nil
}
// To also allow the special permission of "uri:<FullMethod>" to be a
// valid permission, we need to check it manually in case there is no
// broader scope permission defined.
_, err = authChecker.Allow(ctx, bakery.Op{
Entity: PermissionEntityCustomURI,
Action: fullMethod,
})
return err
}

@ -21,6 +21,10 @@ var (
Entity: "testEntity",
Action: "read",
}
testOperationURI = bakery.Op{
Entity: macaroons.PermissionEntityCustomURI,
Action: "SomeMethod",
}
defaultPw = []byte("hello")
)
@ -125,6 +129,7 @@ func TestValidateMacaroon(t *testing.T) {
// Then, create a new macaroon that we can serialize.
macaroon, err := service.NewMacaroon(
context.TODO(), macaroons.DefaultRootKeyID, testOperation,
testOperationURI,
)
if err != nil {
t.Fatalf("Error creating macaroon from service: %v", err)
@ -142,7 +147,18 @@ func TestValidateMacaroon(t *testing.T) {
mockContext := metadata.NewIncomingContext(context.Background(), md)
// Finally, validate the macaroon against the required permissions.
err = service.ValidateMacaroon(mockContext, []bakery.Op{testOperation})
err = service.ValidateMacaroon(
mockContext, []bakery.Op{testOperation}, "FooMethod",
)
if err != nil {
t.Fatalf("Error validating the macaroon: %v", err)
}
// If the macaroon has the method specific URI permission, the list of
// required entity/action pairs is irrelevant.
err = service.ValidateMacaroon(
mockContext, []bakery.Op{{Entity: "irrelevant"}}, "SomeMethod",
)
if err != nil {
t.Fatalf("Error validating the macaroon: %v", err)
}