akovalenko/lnd.xprv
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

macaroons: use constraint layer for macaroon tweaking

Browse Source
This commit is contained in:
whythat 2017-09-02 03:45:14 +03:00 committed by Olaoluwa Osuntokun
parent 5c3493bd30
commit a6b9155150
3 changed files with 25 additions and 30 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

21
cmd/lncli/main.go
View File

@ -6,9 +6,7 @@ import (
"os" "os"
"path/filepath" "path/filepath"
"strings" "strings"
"time"
"gopkg.in/macaroon-bakery.v1/bakery/checkers"
"gopkg.in/macaroon.v1" "gopkg.in/macaroon.v1"
"github.com/lightningnetwork/lnd/lnrpc" "github.com/lightningnetwork/lnd/lnrpc"
@ -73,6 +71,7 @@ func getClientConn(ctx *cli.Context) *grpc.ClientConn {
fatal(err) fatal(err)
} }
macConstraints := []macaroons.Constraint{
// We add a time-based constraint to prevent replay of the // We add a time-based constraint to prevent replay of the
// macaroon. It's good for 60 seconds by default to make up for // macaroon. It's good for 60 seconds by default to make up for
// any discrepancy between client and server clocks, but leaking // any discrepancy between client and server clocks, but leaking
@ -84,17 +83,17 @@ func getClientConn(ctx *cli.Context) *grpc.ClientConn {
// altogether if, in the latter case, this time is more than 60 // altogether if, in the latter case, this time is more than 60
// seconds). // seconds).
// TODO(aakselrod): add better anti-replay protection. // TODO(aakselrod): add better anti-replay protection.
macaroonTimeout := time.Duration(ctx.GlobalInt64("macaroontimeout")) macaroons.TimeoutConstraint(ctx.GlobalInt64("macaroontimeout")),
requestTimeout := time.Now().Add(time.Second * macaroonTimeout)
timeCaveat := checkers.TimeBeforeCaveat(requestTimeout) // ... Add more constraints if needed.
mac.AddFirstPartyCaveat(timeCaveat.Condition) }
// Apply constraints to the macaroon.
constrainedMac := macaroons.AddConstraints(mac, macConstraints...)
// Now we append the macaroon credentials to the dial options. // Now we append the macaroon credentials to the dial options.
opts = append( cred := macaroons.NewMacaroonCredential(constrainedMac)
opts, opts = append(opts, grpc.WithPerRPCCredentials(cred))
grpc.WithPerRPCCredentials(
macaroons.NewMacaroonCredential(mac)),
)
} }
conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...) conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...)

8
lnd.go
View File

@ -20,7 +20,6 @@ import (
"time" "time"
"gopkg.in/macaroon-bakery.v1/bakery" "gopkg.in/macaroon-bakery.v1/bakery"
"gopkg.in/macaroon-bakery.v1/bakery/checkers"
"golang.org/x/net/context" "golang.org/x/net/context"
@ -569,11 +568,8 @@ func genMacaroons(svc *bakery.Service, admFile, roFile string) error {
} }
// Generate the read-only macaroon and write it to a file. // Generate the read-only macaroon and write it to a file.
caveat := checkers.AllowCaveat(roPermissions...) roMacaroon := macaroons.AddConstraints(admMacaroon,
roMacaroon := admMacaroon.Clone() macaroons.PermissionsConstraint(roPermissions...))
if err = svc.AddCaveat(roMacaroon, caveat); err != nil {
return err
}
roBytes, err := roMacaroon.MarshalBinary() roBytes, err := roMacaroon.MarshalBinary()
if err != nil { if err != nil {
return err return err

4
macaroons/auth.go
View File

@ -85,7 +85,7 @@ func ValidateMacaroon(ctx context.Context, method string,
// //
// TODO(aakselrod): Add more checks as required. // TODO(aakselrod): Add more checks as required.
return svc.Check(macaroon.Slice{mac}, checkers.New( return svc.Check(macaroon.Slice{mac}, checkers.New(
checkers.OperationChecker(method), PermissionsChecker(method),
checkers.TimeBefore, TimeoutChecker(),
)) ))
} }