main: integrate macaroons into config, startup, and RPC server

This commit is contained in:
Alex 2017-08-17 19:50:57 -06:00 committed by Olaoluwa Osuntokun
parent 662731e719
commit 922b065de5
4 changed files with 414 additions and 33 deletions

@ -24,6 +24,8 @@ const (
defaultDataDirname = "data" defaultDataDirname = "data"
defaultTLSCertFilename = "tls.cert" defaultTLSCertFilename = "tls.cert"
defaultTLSKeyFilename = "tls.key" defaultTLSKeyFilename = "tls.key"
defaultAdminMacFilename = "admin.macaroon"
defaultReadMacFilename = "readonly.macaroon"
defaultLogLevel = "info" defaultLogLevel = "info"
defaultLogDirname = "logs" defaultLogDirname = "logs"
defaultLogFilename = "lnd.log" defaultLogFilename = "lnd.log"
@ -41,6 +43,8 @@ var (
defaultDataDir = filepath.Join(lndHomeDir, defaultDataDirname) defaultDataDir = filepath.Join(lndHomeDir, defaultDataDirname)
defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename) defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename)
defaultTLSKeyPath = filepath.Join(lndHomeDir, defaultTLSKeyFilename) defaultTLSKeyPath = filepath.Join(lndHomeDir, defaultTLSKeyFilename)
defaultAdminMacPath = filepath.Join(lndHomeDir, defaultAdminMacFilename)
defaultReadMacPath = filepath.Join(lndHomeDir, defaultReadMacFilename)
defaultLogDir = filepath.Join(lndHomeDir, defaultLogDirname) defaultLogDir = filepath.Join(lndHomeDir, defaultLogDirname)
btcdHomeDir = btcutil.AppDataDir("btcd", false) btcdHomeDir = btcutil.AppDataDir("btcd", false)
@ -92,6 +96,9 @@ type config struct {
DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"` DataDir string `short:"b" long:"datadir" description:"The directory to store lnd's data within"`
TLSCertPath string `long:"tlscertpath" description:"Path to TLS certificate for lnd's RPC and REST services"` TLSCertPath string `long:"tlscertpath" description:"Path to TLS certificate for lnd's RPC and REST services"`
TLSKeyPath string `long:"tlskeypath" description:"Path to TLS private key for lnd's RPC and REST services"` TLSKeyPath string `long:"tlskeypath" description:"Path to TLS private key for lnd's RPC and REST services"`
NoMacaroons bool `long:"no-macaroons" description:"Disable macaroon authentication"`
AdminMacPath string `long:"adminmacaroonpath" description:"Path to write the admin macaroon for lnd's RPC and REST services if it doesn't exist"`
ReadMacPath string `long:"readonlymacaroonpath" description:"Path to write the read-only macaroon for lnd's RPC and REST services if it doesn't exist"`
LogDir string `long:"logdir" description:"Directory to log output."` LogDir string `long:"logdir" description:"Directory to log output."`
Listeners []string `long:"listen" description:"Add an interface/port to listen for connections (default all interfaces port: 5656)"` Listeners []string `long:"listen" description:"Add an interface/port to listen for connections (default all interfaces port: 5656)"`
@ -132,6 +139,8 @@ func loadConfig() (*config, error) {
DebugLevel: defaultLogLevel, DebugLevel: defaultLogLevel,
TLSCertPath: defaultTLSCertPath, TLSCertPath: defaultTLSCertPath,
TLSKeyPath: defaultTLSKeyPath, TLSKeyPath: defaultTLSKeyPath,
AdminMacPath: defaultAdminMacPath,
ReadMacPath: defaultReadMacPath,
LogDir: defaultLogDir, LogDir: defaultLogDir,
PeerPort: defaultPeerPort, PeerPort: defaultPeerPort,
RPCPort: defaultRPCPort, RPCPort: defaultRPCPort,

64
lnd.go

@ -12,6 +12,9 @@ import (
"strconv" "strconv"
"time" "time"
"gopkg.in/macaroon-bakery.v1/bakery"
"gopkg.in/macaroon-bakery.v1/bakery/checkers"
"golang.org/x/net/context" "golang.org/x/net/context"
"google.golang.org/grpc" "google.golang.org/grpc"
@ -24,6 +27,7 @@ import (
"github.com/lightningnetwork/lnd/lnrpc" "github.com/lightningnetwork/lnd/lnrpc"
"github.com/lightningnetwork/lnd/lnwallet" "github.com/lightningnetwork/lnd/lnwallet"
"github.com/lightningnetwork/lnd/lnwire" "github.com/lightningnetwork/lnd/lnwire"
"github.com/lightningnetwork/lnd/macaroons"
"github.com/roasbeef/btcd/btcec" "github.com/roasbeef/btcd/btcec"
"github.com/roasbeef/btcutil" "github.com/roasbeef/btcutil"
) )
@ -78,6 +82,30 @@ func lndMain() error {
} }
defer chanDB.Close() defer chanDB.Close()
// Only process macaroons if --no-macaroons isn't set.
var macaroonService *bakery.Service
if !cfg.NoMacaroons {
// Create the macaroon authentication/authorization service.
macaroonService, err = macaroons.NewService(cfg.DataDir)
if err != nil {
srvrLog.Errorf("unable to create macaroon service: %v",
err)
return err
}
// Create macaroon files for lncli to use if they don't exist.
if !fileExists(cfg.AdminMacPath) &&
!fileExists(cfg.ReadMacPath) {
err = genMacaroons(macaroonService, cfg.AdminMacPath,
cfg.ReadMacPath)
if err != nil {
ltndLog.Errorf("unable to create macaroon "+
"files: %v", err)
return err
}
}
}
// With the information parsed from the configuration, create valid // With the information parsed from the configuration, create valid
// instances of the paertinent interfaces required to operate the // instances of the paertinent interfaces required to operate the
// Lightning Network Daemon. // Lightning Network Daemon.
@ -197,7 +225,7 @@ func lndMain() error {
// Initialize, and register our implementation of the gRPC interface // Initialize, and register our implementation of the gRPC interface
// exported by the rpcServer. // exported by the rpcServer.
rpcServer := newRPCServer(server) rpcServer := newRPCServer(server, macaroonService)
if err := rpcServer.Start(); err != nil { if err := rpcServer.Start(); err != nil {
return err return err
} }
@ -375,3 +403,37 @@ func genCertPair(certFile, keyFile string) error {
rpcsLog.Infof("Done generating TLS certificates") rpcsLog.Infof("Done generating TLS certificates")
return nil return nil
} }
// genMacaroons generates a pair of macaroon files; one admin-level and one
// read-only. These can also be used to generate more granular macaroons.
func genMacaroons(svc *bakery.Service, admFile, roFile string) error {
// Generate the admin macaroon and write it to a file.
admMacaroon, err := svc.NewMacaroon("", nil, nil)
if err != nil {
return err
}
admBytes, err := admMacaroon.MarshalBinary()
if err != nil {
return err
}
if err = ioutil.WriteFile(admFile, admBytes, 0600); err != nil {
return err
}
// Generate the read-only macaroon and write it to a file.
caveat := checkers.AllowCaveat(roPermissions...)
roMacaroon := admMacaroon.Clone()
if err = svc.AddCaveat(roMacaroon, caveat); err != nil {
return err
}
roBytes, err := roMacaroon.MarshalBinary()
if err != nil {
return err
}
if err = ioutil.WriteFile(roFile, roBytes, 0644); err != nil {
os.Remove(admFile)
return err
}
return nil
}

@ -15,6 +15,8 @@ import (
"sync" "sync"
"time" "time"
macaroon "gopkg.in/macaroon.v1"
"golang.org/x/net/context" "golang.org/x/net/context"
"google.golang.org/grpc" "google.golang.org/grpc"
@ -25,6 +27,7 @@ import (
"github.com/go-errors/errors" "github.com/go-errors/errors"
"github.com/lightningnetwork/lnd/lnrpc" "github.com/lightningnetwork/lnd/lnrpc"
"github.com/lightningnetwork/lnd/macaroons"
"github.com/roasbeef/btcd/chaincfg" "github.com/roasbeef/btcd/chaincfg"
"github.com/roasbeef/btcd/chaincfg/chainhash" "github.com/roasbeef/btcd/chaincfg/chainhash"
"github.com/roasbeef/btcd/rpctest" "github.com/roasbeef/btcd/rpctest"
@ -137,6 +140,8 @@ func newLightningNode(btcrpcConfig *btcrpcclient.ConnConfig, lndArgs []string) (
} }
cfg.TLSCertPath = filepath.Join(cfg.DataDir, "tls.cert") cfg.TLSCertPath = filepath.Join(cfg.DataDir, "tls.cert")
cfg.TLSKeyPath = filepath.Join(cfg.DataDir, "tls.key") cfg.TLSKeyPath = filepath.Join(cfg.DataDir, "tls.key")
cfg.AdminMacPath = filepath.Join(cfg.DataDir, "admin.macaroon")
cfg.ReadMacPath = filepath.Join(cfg.DataDir, "readonly.macaroon")
cfg.PeerPort, cfg.RPCPort = generateListeningPorts() cfg.PeerPort, cfg.RPCPort = generateListeningPorts()
@ -177,6 +182,8 @@ func (l *lightningNode) genArgs() []string {
args = append(args, fmt.Sprintf("--tlscertpath=%v", l.cfg.TLSCertPath)) args = append(args, fmt.Sprintf("--tlscertpath=%v", l.cfg.TLSCertPath))
args = append(args, fmt.Sprintf("--tlskeypath=%v", l.cfg.TLSKeyPath)) args = append(args, fmt.Sprintf("--tlskeypath=%v", l.cfg.TLSKeyPath))
args = append(args, fmt.Sprintf("--configfile=%v", l.cfg.DataDir)) args = append(args, fmt.Sprintf("--configfile=%v", l.cfg.DataDir))
args = append(args, fmt.Sprintf("--adminmacaroonpath=%v", l.cfg.AdminMacPath))
args = append(args, fmt.Sprintf("--readonlymacaroonpath=%v", l.cfg.ReadMacPath))
if l.extraArgs != nil { if l.extraArgs != nil {
args = append(args, l.extraArgs...) args = append(args, l.extraArgs...)
@ -247,23 +254,34 @@ func (l *lightningNode) Start(lndError chan error) error {
return err return err
} }
// Wait until TLS certificate is created before using it, up to 20 sec. // Wait until TLS certificate and admin macaroon are created before
// using them, up to 20 sec.
tlsTimeout := time.After(20 * time.Second) tlsTimeout := time.After(20 * time.Second)
for !fileExists(l.cfg.TLSCertPath) { for !fileExists(l.cfg.TLSCertPath) || !fileExists(l.cfg.AdminMacPath) {
time.Sleep(100 * time.Millisecond) time.Sleep(100 * time.Millisecond)
select { select {
case <-tlsTimeout: case <-tlsTimeout:
panic(fmt.Errorf("timeout waiting for TLS cert file " + panic(fmt.Errorf("timeout waiting for TLS cert file " +
"to be created after 20 seconds")) "and admin macaroon file to be created after " +
"20 seconds"))
default: default:
} }
} }
creds, err := credentials.NewClientTLSFromFile(l.cfg.TLSCertPath, "") tlsCreds, err := credentials.NewClientTLSFromFile(l.cfg.TLSCertPath, "")
if err != nil { if err != nil {
return err return err
} }
macBytes, err := ioutil.ReadFile(l.cfg.AdminMacPath)
if err != nil {
return err
}
mac := &macaroon.Macaroon{}
if err = mac.UnmarshalBinary(macBytes); err != nil {
return err
}
opts := []grpc.DialOption{ opts := []grpc.DialOption{
grpc.WithTransportCredentials(creds), grpc.WithTransportCredentials(tlsCreds),
grpc.WithPerRPCCredentials(macaroons.NewMacaroonCredential(mac)),
grpc.WithBlock(), grpc.WithBlock(),
grpc.WithTimeout(time.Second * 20), grpc.WithTimeout(time.Second * 20),
} }

@ -13,6 +13,8 @@ import (
"strings" "strings"
"time" "time"
"gopkg.in/macaroon-bakery.v1/bakery"
"sync" "sync"
"sync/atomic" "sync/atomic"
@ -23,6 +25,7 @@ import (
"github.com/lightningnetwork/lnd/lnrpc" "github.com/lightningnetwork/lnd/lnrpc"
"github.com/lightningnetwork/lnd/lnwallet" "github.com/lightningnetwork/lnd/lnwallet"
"github.com/lightningnetwork/lnd/lnwire" "github.com/lightningnetwork/lnd/lnwire"
"github.com/lightningnetwork/lnd/macaroons"
"github.com/lightningnetwork/lnd/routing" "github.com/lightningnetwork/lnd/routing"
"github.com/lightningnetwork/lnd/zpay32" "github.com/lightningnetwork/lnd/zpay32"
"github.com/roasbeef/btcd/blockchain" "github.com/roasbeef/btcd/blockchain"
@ -39,6 +42,26 @@ import (
var ( var (
defaultAccount uint32 = waddrmgr.DefaultAccountNum defaultAccount uint32 = waddrmgr.DefaultAccountNum
// roPermissions is a slice of method names that are considered "read-only"
// for authorization purposes, all lowercase.
roPermissions = []string{
"verifymessage",
"getinfo",
"listpeers",
"walletbalance",
"channelbalance",
"listchannels",
"readinvoices",
"gettransactions",
"describegraph",
"getchaninfo",
"getnodeinfo",
"queryroutes",
"getnetworkinfo",
"listpayments",
"decodepayreq",
}
) )
// rpcServer is a gRPC, RPC front end to the lnd daemon. // rpcServer is a gRPC, RPC front end to the lnd daemon.
@ -49,6 +72,10 @@ type rpcServer struct {
server *server server *server
// authSvc is the authentication/authorization service backed by
// macaroons.
authSvc *bakery.Service
wg sync.WaitGroup wg sync.WaitGroup
quit chan struct{} quit chan struct{}
@ -59,8 +86,12 @@ type rpcServer struct {
var _ lnrpc.LightningServer = (*rpcServer)(nil) var _ lnrpc.LightningServer = (*rpcServer)(nil)
// newRPCServer creates and returns a new instance of the rpcServer. // newRPCServer creates and returns a new instance of the rpcServer.
func newRPCServer(s *server) *rpcServer { func newRPCServer(s *server, authSvc *bakery.Service) *rpcServer {
return &rpcServer{server: s, quit: make(chan struct{}, 1)} return &rpcServer{
server: s,
authSvc: authSvc,
quit: make(chan struct{}, 1),
}
} }
// Start launches any helper goroutines required for the rpcServer // Start launches any helper goroutines required for the rpcServer
@ -123,6 +154,13 @@ func (r *rpcServer) sendCoinsOnChain(paymentMap map[string]int64) (*chainhash.Ha
// SendMany, this RPC call only allows creating a single output at a time. // SendMany, this RPC call only allows creating a single output at a time.
func (r *rpcServer) SendCoins(ctx context.Context, func (r *rpcServer) SendCoins(ctx context.Context,
in *lnrpc.SendCoinsRequest) (*lnrpc.SendCoinsResponse, error) { in *lnrpc.SendCoinsRequest) (*lnrpc.SendCoinsResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "sendcoins",
r.authSvc); err != nil {
return nil, err
}
}
rpcsLog.Infof("[sendcoins] addr=%v, amt=%v", in.Addr, btcutil.Amount(in.Amount)) rpcsLog.Infof("[sendcoins] addr=%v, amt=%v", in.Addr, btcutil.Amount(in.Amount))
@ -141,6 +179,13 @@ func (r *rpcServer) SendCoins(ctx context.Context,
// outputs in parallel. // outputs in parallel.
func (r *rpcServer) SendMany(ctx context.Context, func (r *rpcServer) SendMany(ctx context.Context,
in *lnrpc.SendManyRequest) (*lnrpc.SendManyResponse, error) { in *lnrpc.SendManyRequest) (*lnrpc.SendManyResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "sendcoins",
r.authSvc); err != nil {
return nil, err
}
}
txid, err := r.sendCoinsOnChain(in.AddrToAmount) txid, err := r.sendCoinsOnChain(in.AddrToAmount)
if err != nil { if err != nil {
@ -155,6 +200,13 @@ func (r *rpcServer) SendMany(ctx context.Context,
// NewAddress creates a new address under control of the local wallet. // NewAddress creates a new address under control of the local wallet.
func (r *rpcServer) NewAddress(ctx context.Context, func (r *rpcServer) NewAddress(ctx context.Context,
in *lnrpc.NewAddressRequest) (*lnrpc.NewAddressResponse, error) { in *lnrpc.NewAddressRequest) (*lnrpc.NewAddressResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "newaddress",
r.authSvc); err != nil {
return nil, err
}
}
// Translate the gRPC proto address type to the wallet controller's // Translate the gRPC proto address type to the wallet controller's
// available address types. // available address types.
@ -181,6 +233,13 @@ func (r *rpcServer) NewAddress(ctx context.Context,
// the local wallet. // the local wallet.
func (r *rpcServer) NewWitnessAddress(ctx context.Context, func (r *rpcServer) NewWitnessAddress(ctx context.Context,
in *lnrpc.NewWitnessAddressRequest) (*lnrpc.NewAddressResponse, error) { in *lnrpc.NewWitnessAddressRequest) (*lnrpc.NewAddressResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "newaddress",
r.authSvc); err != nil {
return nil, err
}
}
addr, err := r.server.cc.wallet.NewAddress(lnwallet.WitnessPubKey, false) addr, err := r.server.cc.wallet.NewAddress(lnwallet.WitnessPubKey, false)
if err != nil { if err != nil {
@ -197,6 +256,13 @@ func (r *rpcServer) NewWitnessAddress(ctx context.Context,
// verification. // verification.
func (r *rpcServer) SignMessage(ctx context.Context, func (r *rpcServer) SignMessage(ctx context.Context,
in *lnrpc.SignMessageRequest) (*lnrpc.SignMessageResponse, error) { in *lnrpc.SignMessageRequest) (*lnrpc.SignMessageResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "signmessage",
r.authSvc); err != nil {
return nil, err
}
}
if in.Msg == nil { if in.Msg == nil {
return nil, fmt.Errorf("need a message to sign") return nil, fmt.Errorf("need a message to sign")
@ -217,6 +283,13 @@ func (r *rpcServer) SignMessage(ctx context.Context,
// VerifyMessage also returns the recovered pubkey from the signature. // VerifyMessage also returns the recovered pubkey from the signature.
func (r *rpcServer) VerifyMessage(ctx context.Context, func (r *rpcServer) VerifyMessage(ctx context.Context,
in *lnrpc.VerifyMessageRequest) (*lnrpc.VerifyMessageResponse, error) { in *lnrpc.VerifyMessageRequest) (*lnrpc.VerifyMessageResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "verifymessage",
r.authSvc); err != nil {
return nil, err
}
}
if in.Msg == nil { if in.Msg == nil {
return nil, fmt.Errorf("need a message to verify") return nil, fmt.Errorf("need a message to verify")
@ -256,6 +329,13 @@ func (r *rpcServer) VerifyMessage(ctx context.Context,
// ConnectPeer attempts to establish a connection to a remote peer. // ConnectPeer attempts to establish a connection to a remote peer.
func (r *rpcServer) ConnectPeer(ctx context.Context, func (r *rpcServer) ConnectPeer(ctx context.Context,
in *lnrpc.ConnectPeerRequest) (*lnrpc.ConnectPeerResponse, error) { in *lnrpc.ConnectPeerRequest) (*lnrpc.ConnectPeerResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "connectpeer",
r.authSvc); err != nil {
return nil, err
}
}
// The server hasn't yet started, so it won't be able to service any of // The server hasn't yet started, so it won't be able to service any of
// our requests, so we'll bail early here. // our requests, so we'll bail early here.
@ -317,6 +397,13 @@ func (r *rpcServer) ConnectPeer(ctx context.Context,
// with the target peer, this action will be disallowed. // with the target peer, this action will be disallowed.
func (r *rpcServer) DisconnectPeer(ctx context.Context, func (r *rpcServer) DisconnectPeer(ctx context.Context,
in *lnrpc.DisconnectPeerRequest) (*lnrpc.DisconnectPeerResponse, error) { in *lnrpc.DisconnectPeerRequest) (*lnrpc.DisconnectPeerResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "disconnectpeer",
r.authSvc); err != nil {
return nil, err
}
}
rpcsLog.Debugf("[disconnectpeer] from peer(%s)", in.PubKey) rpcsLog.Debugf("[disconnectpeer] from peer(%s)", in.PubKey)
@ -366,6 +453,13 @@ func (r *rpcServer) DisconnectPeer(ctx context.Context,
// request to a remote peer. // request to a remote peer.
func (r *rpcServer) OpenChannel(in *lnrpc.OpenChannelRequest, func (r *rpcServer) OpenChannel(in *lnrpc.OpenChannelRequest,
updateStream lnrpc.Lightning_OpenChannelServer) error { updateStream lnrpc.Lightning_OpenChannelServer) error {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(updateStream.Context(),
"openchannel", r.authSvc); err != nil {
return err
}
}
rpcsLog.Tracef("[openchannel] request to peerid(%v) "+ rpcsLog.Tracef("[openchannel] request to peerid(%v) "+
"allocation(us=%v, them=%v)", in.TargetPeerId, "allocation(us=%v, them=%v)", in.TargetPeerId,
@ -486,6 +580,13 @@ out:
// strings. // strings.
func (r *rpcServer) OpenChannelSync(ctx context.Context, func (r *rpcServer) OpenChannelSync(ctx context.Context,
in *lnrpc.OpenChannelRequest) (*lnrpc.ChannelPoint, error) { in *lnrpc.OpenChannelRequest) (*lnrpc.ChannelPoint, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "openchannel",
r.authSvc); err != nil {
return nil, err
}
}
rpcsLog.Tracef("[openchannel] request to peerid(%v) "+ rpcsLog.Tracef("[openchannel] request to peerid(%v) "+
"allocation(us=%v, them=%v)", in.TargetPeerId, "allocation(us=%v, them=%v)", in.TargetPeerId,
@ -569,6 +670,13 @@ func (r *rpcServer) OpenChannelSync(ctx context.Context,
// a force close after a timeout period in the case of an inactive peer. // a force close after a timeout period in the case of an inactive peer.
func (r *rpcServer) CloseChannel(in *lnrpc.CloseChannelRequest, func (r *rpcServer) CloseChannel(in *lnrpc.CloseChannelRequest,
updateStream lnrpc.Lightning_CloseChannelServer) error { updateStream lnrpc.Lightning_CloseChannelServer) error {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(updateStream.Context(),
"closechannel", r.authSvc); err != nil {
return err
}
}
force := in.Force force := in.Force
index := in.ChannelPoint.OutputIndex index := in.ChannelPoint.OutputIndex
@ -815,6 +923,13 @@ func (r *rpcServer) forceCloseChan(channel *lnwallet.LightningChannel) (*chainha
// concerning the number of open+pending channels. // concerning the number of open+pending channels.
func (r *rpcServer) GetInfo(ctx context.Context, func (r *rpcServer) GetInfo(ctx context.Context,
in *lnrpc.GetInfoRequest) (*lnrpc.GetInfoResponse, error) { in *lnrpc.GetInfoRequest) (*lnrpc.GetInfoResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "getinfo",
r.authSvc); err != nil {
return nil, err
}
}
var activeChannels uint32 var activeChannels uint32
serverPeers := r.server.Peers() serverPeers := r.server.Peers()
@ -864,6 +979,13 @@ func (r *rpcServer) GetInfo(ctx context.Context,
// ListPeers returns a verbose listing of all currently active peers. // ListPeers returns a verbose listing of all currently active peers.
func (r *rpcServer) ListPeers(ctx context.Context, func (r *rpcServer) ListPeers(ctx context.Context,
in *lnrpc.ListPeersRequest) (*lnrpc.ListPeersResponse, error) { in *lnrpc.ListPeersRequest) (*lnrpc.ListPeersResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "listpeers",
r.authSvc); err != nil {
return nil, err
}
}
rpcsLog.Tracef("[listpeers] request") rpcsLog.Tracef("[listpeers] request")
@ -919,6 +1041,13 @@ func (r *rpcServer) ListPeers(ctx context.Context,
// TODO(roasbeef): add async hooks into wallet balance changes // TODO(roasbeef): add async hooks into wallet balance changes
func (r *rpcServer) WalletBalance(ctx context.Context, func (r *rpcServer) WalletBalance(ctx context.Context,
in *lnrpc.WalletBalanceRequest) (*lnrpc.WalletBalanceResponse, error) { in *lnrpc.WalletBalanceRequest) (*lnrpc.WalletBalanceResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "walletbalance",
r.authSvc); err != nil {
return nil, err
}
}
balance, err := r.server.cc.wallet.ConfirmedBalance(1, in.WitnessOnly) balance, err := r.server.cc.wallet.ConfirmedBalance(1, in.WitnessOnly)
if err != nil { if err != nil {
@ -936,6 +1065,13 @@ func (r *rpcServer) WalletBalance(ctx context.Context,
// channels in satoshis. // channels in satoshis.
func (r *rpcServer) ChannelBalance(ctx context.Context, func (r *rpcServer) ChannelBalance(ctx context.Context,
in *lnrpc.ChannelBalanceRequest) (*lnrpc.ChannelBalanceResponse, error) { in *lnrpc.ChannelBalanceRequest) (*lnrpc.ChannelBalanceResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "channelbalance",
r.authSvc); err != nil {
return nil, err
}
}
channels, err := r.server.chanDB.FetchAllChannels() channels, err := r.server.chanDB.FetchAllChannels()
if err != nil { if err != nil {
@ -958,6 +1094,13 @@ func (r *rpcServer) ChannelBalance(ctx context.Context,
// process of closure, either initiated cooperatively or non-cooperatively. // process of closure, either initiated cooperatively or non-cooperatively.
func (r *rpcServer) PendingChannels(ctx context.Context, func (r *rpcServer) PendingChannels(ctx context.Context,
in *lnrpc.PendingChannelRequest) (*lnrpc.PendingChannelResponse, error) { in *lnrpc.PendingChannelRequest) (*lnrpc.PendingChannelResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "listchannels",
r.authSvc); err != nil {
return nil, err
}
}
rpcsLog.Debugf("[pendingchannels]") rpcsLog.Debugf("[pendingchannels]")
@ -1091,6 +1234,13 @@ func (r *rpcServer) PendingChannels(ctx context.Context,
// is a participant in. // is a participant in.
func (r *rpcServer) ListChannels(ctx context.Context, func (r *rpcServer) ListChannels(ctx context.Context,
in *lnrpc.ListChannelsRequest) (*lnrpc.ListChannelsResponse, error) { in *lnrpc.ListChannelsRequest) (*lnrpc.ListChannelsResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "listchannels",
r.authSvc); err != nil {
return nil, err
}
}
resp := &lnrpc.ListChannelsResponse{} resp := &lnrpc.ListChannelsResponse{}
@ -1196,6 +1346,14 @@ func (r *rpcServer) savePayment(route *routing.Route, amount btcutil.Amount,
// bi-directional stream allowing clients to rapidly send payments through the // bi-directional stream allowing clients to rapidly send payments through the
// Lightning Network with a single persistent connection. // Lightning Network with a single persistent connection.
func (r *rpcServer) SendPayment(paymentStream lnrpc.Lightning_SendPaymentServer) error { func (r *rpcServer) SendPayment(paymentStream lnrpc.Lightning_SendPaymentServer) error {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(paymentStream.Context(),
"sendpayment", r.authSvc); err != nil {
return err
}
}
errChan := make(chan error, 1) errChan := make(chan error, 1)
payChan := make(chan *lnrpc.SendRequest) payChan := make(chan *lnrpc.SendRequest)
@ -1355,6 +1513,13 @@ func (r *rpcServer) SendPayment(paymentStream lnrpc.Lightning_SendPaymentServer)
// hash (if any) to be encoded as hex strings. // hash (if any) to be encoded as hex strings.
func (r *rpcServer) SendPaymentSync(ctx context.Context, func (r *rpcServer) SendPaymentSync(ctx context.Context,
nextPayment *lnrpc.SendRequest) (*lnrpc.SendResponse, error) { nextPayment *lnrpc.SendRequest) (*lnrpc.SendResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "sendpayment",
r.authSvc); err != nil {
return nil, err
}
}
// We don't allow payments to be sent while the daemon itself is still // We don't allow payments to be sent while the daemon itself is still
// syncing as we may be trying to sent a payment over a "stale" // syncing as we may be trying to sent a payment over a "stale"
@ -1439,6 +1604,13 @@ func (r *rpcServer) SendPaymentSync(ctx context.Context,
// unique payment preimage. // unique payment preimage.
func (r *rpcServer) AddInvoice(ctx context.Context, func (r *rpcServer) AddInvoice(ctx context.Context,
invoice *lnrpc.Invoice) (*lnrpc.AddInvoiceResponse, error) { invoice *lnrpc.Invoice) (*lnrpc.AddInvoiceResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "addinvoice",
r.authSvc); err != nil {
return nil, err
}
}
var paymentPreimage [32]byte var paymentPreimage [32]byte
@ -1521,6 +1693,13 @@ func (r *rpcServer) AddInvoice(ctx context.Context,
// returned. // returned.
func (r *rpcServer) LookupInvoice(ctx context.Context, func (r *rpcServer) LookupInvoice(ctx context.Context,
req *lnrpc.PaymentHash) (*lnrpc.Invoice, error) { req *lnrpc.PaymentHash) (*lnrpc.Invoice, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "readinvoices",
r.authSvc); err != nil {
return nil, err
}
}
var ( var (
payHash [32]byte payHash [32]byte
@ -1579,6 +1758,13 @@ func (r *rpcServer) LookupInvoice(ctx context.Context,
// database. Any active debug invoices are ignored. // database. Any active debug invoices are ignored.
func (r *rpcServer) ListInvoices(ctx context.Context, func (r *rpcServer) ListInvoices(ctx context.Context,
req *lnrpc.ListInvoiceRequest) (*lnrpc.ListInvoiceResponse, error) { req *lnrpc.ListInvoiceRequest) (*lnrpc.ListInvoiceResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "readinvoices",
r.authSvc); err != nil {
return nil, err
}
}
dbInvoices, err := r.server.chanDB.FetchAllInvoices(req.PendingOnly) dbInvoices, err := r.server.chanDB.FetchAllInvoices(req.PendingOnly)
if err != nil { if err != nil {
@ -1618,6 +1804,13 @@ func (r *rpcServer) ListInvoices(ctx context.Context,
// notifying the client of newly added/settled invoices. // notifying the client of newly added/settled invoices.
func (r *rpcServer) SubscribeInvoices(req *lnrpc.InvoiceSubscription, func (r *rpcServer) SubscribeInvoices(req *lnrpc.InvoiceSubscription,
updateStream lnrpc.Lightning_SubscribeInvoicesServer) error { updateStream lnrpc.Lightning_SubscribeInvoicesServer) error {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(updateStream.Context(),
"readinvoices", r.authSvc); err != nil {
return err
}
}
invoiceClient := r.server.invoices.SubscribeNotifications() invoiceClient := r.server.invoices.SubscribeNotifications()
defer invoiceClient.Cancel() defer invoiceClient.Cancel()
@ -1650,6 +1843,13 @@ func (r *rpcServer) SubscribeInvoices(req *lnrpc.InvoiceSubscription,
// over. // over.
func (r *rpcServer) SubscribeTransactions(req *lnrpc.GetTransactionsRequest, func (r *rpcServer) SubscribeTransactions(req *lnrpc.GetTransactionsRequest,
updateStream lnrpc.Lightning_SubscribeTransactionsServer) error { updateStream lnrpc.Lightning_SubscribeTransactionsServer) error {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(updateStream.Context(),
"gettransactions", r.authSvc); err != nil {
return err
}
}
txClient, err := r.server.cc.wallet.SubscribeTransactions() txClient, err := r.server.cc.wallet.SubscribeTransactions()
if err != nil { if err != nil {
@ -1689,8 +1889,15 @@ func (r *rpcServer) SubscribeTransactions(req *lnrpc.GetTransactionsRequest,
// GetTransactions returns a list of describing all the known transactions // GetTransactions returns a list of describing all the known transactions
// relevant to the wallet. // relevant to the wallet.
func (r *rpcServer) GetTransactions(context.Context, func (r *rpcServer) GetTransactions(ctx context.Context,
*lnrpc.GetTransactionsRequest) (*lnrpc.TransactionDetails, error) { _ *lnrpc.GetTransactionsRequest) (*lnrpc.TransactionDetails, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "gettransactions",
r.authSvc); err != nil {
return nil, err
}
}
// TODO(btcsuite): add pagination support // TODO(btcsuite): add pagination support
transactions, err := r.server.cc.wallet.ListTransactionDetails() transactions, err := r.server.cc.wallet.ListTransactionDetails()
@ -1722,8 +1929,15 @@ func (r *rpcServer) GetTransactions(context.Context,
// As this is a directed graph, the edges also contain the node directional // As this is a directed graph, the edges also contain the node directional
// specific routing policy which includes: the time lock delta, fee // specific routing policy which includes: the time lock delta, fee
// information, etc. // information, etc.
func (r *rpcServer) DescribeGraph(context.Context, func (r *rpcServer) DescribeGraph(ctx context.Context,
*lnrpc.ChannelGraphRequest) (*lnrpc.ChannelGraph, error) { _ *lnrpc.ChannelGraphRequest) (*lnrpc.ChannelGraph, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "describegraph",
r.authSvc); err != nil {
return nil, err
}
}
resp := &lnrpc.ChannelGraph{} resp := &lnrpc.ChannelGraph{}
@ -1823,8 +2037,15 @@ func marshalDbEdge(edgeInfo *channeldb.ChannelEdgeInfo,
// given channel identified by its channel ID: an 8-byte integer which uniquely // given channel identified by its channel ID: an 8-byte integer which uniquely
// identifies the location of transaction's funding output within the block // identifies the location of transaction's funding output within the block
// chain. // chain.
func (r *rpcServer) GetChanInfo(_ context.Context, in *lnrpc.ChanInfoRequest) (*lnrpc.ChannelEdge, error) { func (r *rpcServer) GetChanInfo(ctx context.Context, in *lnrpc.ChanInfoRequest) (*lnrpc.ChannelEdge, error) {
graph := r.server.chanDB.ChannelGraph() graph := r.server.chanDB.ChannelGraph()
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "getchaninfo",
r.authSvc); err != nil {
return nil, err
}
}
edgeInfo, edge1, edge2, err := graph.FetchChannelEdgesByID(in.ChanId) edgeInfo, edge1, edge2, err := graph.FetchChannelEdgesByID(in.ChanId)
if err != nil { if err != nil {
@ -1841,7 +2062,14 @@ func (r *rpcServer) GetChanInfo(_ context.Context, in *lnrpc.ChanInfoRequest) (*
// GetNodeInfo returns the latest advertised and aggregate authenticated // GetNodeInfo returns the latest advertised and aggregate authenticated
// channel information for the specified node identified by its public key. // channel information for the specified node identified by its public key.
func (r *rpcServer) GetNodeInfo(_ context.Context, in *lnrpc.NodeInfoRequest) (*lnrpc.NodeInfo, error) { func (r *rpcServer) GetNodeInfo(ctx context.Context, in *lnrpc.NodeInfoRequest) (*lnrpc.NodeInfo, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "getnodeinfo",
r.authSvc); err != nil {
return nil, err
}
}
graph := r.server.chanDB.ChannelGraph() graph := r.server.chanDB.ChannelGraph()
@ -1910,8 +2138,15 @@ func (r *rpcServer) GetNodeInfo(_ context.Context, in *lnrpc.NodeInfoRequest) (*
// //
// TODO(roasbeef): should return a slice of routes in reality // TODO(roasbeef): should return a slice of routes in reality
// * create separate PR to send based on well formatted route // * create separate PR to send based on well formatted route
func (r *rpcServer) QueryRoutes(_ context.Context, func (r *rpcServer) QueryRoutes(ctx context.Context,
in *lnrpc.QueryRoutesRequest) (*lnrpc.QueryRoutesResponse, error) { in *lnrpc.QueryRoutesRequest) (*lnrpc.QueryRoutesResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "queryroutes",
r.authSvc); err != nil {
return nil, err
}
}
// First parse the hex-encdoed public key into a full public key objet // First parse the hex-encdoed public key into a full public key objet
// we can properly manipulate. // we can properly manipulate.
@ -1967,7 +2202,14 @@ func marshalRoute(route *routing.Route) *lnrpc.Route {
// GetNetworkInfo returns some basic stats about the known channel graph from // GetNetworkInfo returns some basic stats about the known channel graph from
// the PoV of the node. // the PoV of the node.
func (r *rpcServer) GetNetworkInfo(context.Context, *lnrpc.NetworkInfoRequest) (*lnrpc.NetworkInfo, error) { func (r *rpcServer) GetNetworkInfo(ctx context.Context, _ *lnrpc.NetworkInfoRequest) (*lnrpc.NetworkInfo, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "getnetworkinfo",
r.authSvc); err != nil {
return nil, err
}
}
graph := r.server.chanDB.ChannelGraph() graph := r.server.chanDB.ChannelGraph()
@ -2081,7 +2323,14 @@ func (r *rpcServer) GetNetworkInfo(context.Context, *lnrpc.NetworkInfoRequest) (
// StopDaemon will send a shutdown request to the interrupt handler, triggering // StopDaemon will send a shutdown request to the interrupt handler, triggering
// a graceful shutdown of the daemon. // a graceful shutdown of the daemon.
func (r *rpcServer) StopDaemon(context.Context, *lnrpc.StopRequest) (*lnrpc.StopResponse, error) { func (r *rpcServer) StopDaemon(ctx context.Context, _ *lnrpc.StopRequest) (*lnrpc.StopResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "stopdaemon",
r.authSvc); err != nil {
return nil, err
}
}
shutdownRequestChannel <- struct{}{} shutdownRequestChannel <- struct{}{}
return &lnrpc.StopResponse{}, nil return &lnrpc.StopResponse{}, nil
@ -2095,6 +2344,13 @@ func (r *rpcServer) StopDaemon(context.Context, *lnrpc.StopRequest) (*lnrpc.Stop
// and finally when prior channels are closed on-chain. // and finally when prior channels are closed on-chain.
func (r *rpcServer) SubscribeChannelGraph(req *lnrpc.GraphTopologySubscription, func (r *rpcServer) SubscribeChannelGraph(req *lnrpc.GraphTopologySubscription,
updateStream lnrpc.Lightning_SubscribeChannelGraphServer) error { updateStream lnrpc.Lightning_SubscribeChannelGraphServer) error {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(updateStream.Context(),
"describegraph", r.authSvc); err != nil {
return err
}
}
// First, we start by subscribing to a new intent to receive // First, we start by subscribing to a new intent to receive
// notifications from the channel router. // notifications from the channel router.
@ -2206,8 +2462,15 @@ func marshallTopologyChange(topChange *routing.TopologyChange) *lnrpc.GraphTopol
} }
// ListPayments returns a list of all outgoing payments. // ListPayments returns a list of all outgoing payments.
func (r *rpcServer) ListPayments(context.Context, func (r *rpcServer) ListPayments(ctx context.Context,
*lnrpc.ListPaymentsRequest) (*lnrpc.ListPaymentsResponse, error) { _ *lnrpc.ListPaymentsRequest) (*lnrpc.ListPaymentsResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "listpayments",
r.authSvc); err != nil {
return nil, err
}
}
rpcsLog.Debugf("[ListPayments]") rpcsLog.Debugf("[ListPayments]")
@ -2237,8 +2500,15 @@ func (r *rpcServer) ListPayments(context.Context,
} }
// DeleteAllPayments deletes all outgoing payments from DB. // DeleteAllPayments deletes all outgoing payments from DB.
func (r *rpcServer) DeleteAllPayments(context.Context, func (r *rpcServer) DeleteAllPayments(ctx context.Context,
*lnrpc.DeleteAllPaymentsRequest) (*lnrpc.DeleteAllPaymentsResponse, error) { _ *lnrpc.DeleteAllPaymentsRequest) (*lnrpc.DeleteAllPaymentsResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "deleteallpayments",
r.authSvc); err != nil {
return nil, err
}
}
rpcsLog.Debugf("[DeleteAllPayments]") rpcsLog.Debugf("[DeleteAllPayments]")
@ -2250,7 +2520,15 @@ func (r *rpcServer) DeleteAllPayments(context.Context,
} }
// SetAlias... // SetAlias...
func (r *rpcServer) SetAlias(context.Context, *lnrpc.SetAliasRequest) (*lnrpc.SetAliasResponse, error) { func (r *rpcServer) SetAlias(ctx context.Context, _ *lnrpc.SetAliasRequest) (*lnrpc.SetAliasResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "setalias",
r.authSvc); err != nil {
return nil, err
}
}
return nil, nil return nil, nil
} }
@ -2260,6 +2538,13 @@ func (r *rpcServer) SetAlias(context.Context, *lnrpc.SetAliasRequest) (*lnrpc.Se
// sub-system. // sub-system.
func (r *rpcServer) DebugLevel(ctx context.Context, func (r *rpcServer) DebugLevel(ctx context.Context,
req *lnrpc.DebugLevelRequest) (*lnrpc.DebugLevelResponse, error) { req *lnrpc.DebugLevelRequest) (*lnrpc.DebugLevelResponse, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "debuglevel",
r.authSvc); err != nil {
return nil, err
}
}
// If show is set, then we simply print out the list of available // If show is set, then we simply print out the list of available
// sub-systems. // sub-systems.
@ -2285,6 +2570,13 @@ func (r *rpcServer) DebugLevel(ctx context.Context,
// payment request. // payment request.
func (r *rpcServer) DecodePayReq(ctx context.Context, func (r *rpcServer) DecodePayReq(ctx context.Context,
req *lnrpc.PayReqString) (*lnrpc.PayReq, error) { req *lnrpc.PayReqString) (*lnrpc.PayReq, error) {
// Check macaroon to see if this is allowed.
if r.authSvc != nil {
if err := macaroons.ValidateMacaroon(ctx, "decodepayreq",
r.authSvc); err != nil {
return nil, err
}
}
// Fist we'll attempt to decode the payment request string, if the // Fist we'll attempt to decode the payment request string, if the
// request is invalid or the checksum doesn't match, then we'll exit // request is invalid or the checksum doesn't match, then we'll exit