rpcserver: allow to bake macaroons for specific URIs

To support the new URI specific permissions, we allow them to be added in the BakeMacaroon call.
2020-09-04 09:22:36 +02:00 · 2020-09-04 09:22:36 +02:00 · 84879fddc6
commit 84879fddc6
parent 6d201ef4fc
1 changed files with 22 additions and 4 deletions
--- a/rpcserver.go
+++ b/rpcserver.go
@ -193,6 +193,7 @@ var (
 	validEntities = []string{
 		"onchain", "offchain", "address", "message",
 		"peers", "info", "invoices", "signer", "macaroon",
+		macaroons.PermissionEntityCustomURI,
 	}

 	// If the --no-macaroons flag is used to start lnd, the macaroon service
@ -525,6 +526,10 @@ type rpcServer struct {

 	// selfNode is our own pubkey.
 	selfNode route.Vertex
+
+	// allPermissions is a map of all registered gRPC URIs (including
+	// internal and external subservers) to the permissions they require.
+	allPermissions map[string][]bakery.Op
 }

 // A compile time check to ensure that rpcServer fully implements the
@ -732,6 +737,7 @@ func newRPCServer(cfg *Config, s *server, macService *macaroons.Service,
 		quit:            make(chan struct{}, 1),
 		macService:      macService,
 		selfNode:        selfNode.PubKeyBytes,
+		allPermissions:  permissions,
 	}
 	lnrpc.RegisterLightningServer(grpcServer, rootRPCServer)

@ -6452,15 +6458,27 @@ func (r *rpcServer) BakeMacaroon(ctx context.Context,
 	// the bakery.
 	requestedPermissions := make([]bakery.Op, len(req.Permissions))
 	for idx, op := range req.Permissions {
-		if !stringInSlice(op.Action, validActions) {
-			return nil, fmt.Errorf("invalid permission action. %s",
-				helpMsg)
-		}
 		if !stringInSlice(op.Entity, validEntities) {
 			return nil, fmt.Errorf("invalid permission entity. %s",
 				helpMsg)
 		}

+		// Either we have the special entity "uri" which specifies a
+		// full gRPC URI or we have one of the pre-defined actions.
+		if op.Entity == macaroons.PermissionEntityCustomURI {
+			_, ok := r.allPermissions[op.Action]
+			if !ok {
+				return nil, fmt.Errorf("invalid permission " +
+					"action, must be an existing URI in " +
+					"the format /package.Service/" +
+					"MethodName")
+			}
+		} else if !stringInSlice(op.Action, validActions) {
+			return nil, fmt.Errorf("invalid permission action. %s",
+				helpMsg)
+
+		}
+
 		requestedPermissions[idx] = bakery.Op{
 			Entity: op.Entity,
 			Action: op.Action,