macaroons: use constraint layer for macaroon tweaking
parent
5c3493bd30
commit
a6b9155150
@ -6,9 +6,7 @@ import (
|
|||||||
"os"
|
"os"
|
||||||
"path/filepath"
|
"path/filepath"
|
||||||
"strings"
|
"strings"
|
||||||
"time"
|
|
||||||
|
|
||||||
"gopkg.in/macaroon-bakery.v1/bakery/checkers"
|
|
||||||
"gopkg.in/macaroon.v1"
|
"gopkg.in/macaroon.v1"
|
||||||
|
|
||||||
"github.com/lightningnetwork/lnd/lnrpc"
|
"github.com/lightningnetwork/lnd/lnrpc"
|
||||||
@ -73,28 +71,29 @@ func getClientConn(ctx *cli.Context) *grpc.ClientConn {
|
|||||||
fatal(err)
|
fatal(err)
|
||||||
}
|
}
|
||||||
|
|
||||||
// We add a time-based constraint to prevent replay of the
|
macConstraints := []macaroons.Constraint{
|
||||||
// macaroon. It's good for 60 seconds by default to make up for
|
// We add a time-based constraint to prevent replay of the
|
||||||
// any discrepancy between client and server clocks, but leaking
|
// macaroon. It's good for 60 seconds by default to make up for
|
||||||
// the macaroon before it becomes invalid makes it possible for
|
// any discrepancy between client and server clocks, but leaking
|
||||||
// an attacker to reuse the macaroon. In addition, the validity
|
// the macaroon before it becomes invalid makes it possible for
|
||||||
// time of the macaroon is extended by the time the server clock
|
// an attacker to reuse the macaroon. In addition, the validity
|
||||||
// is behind the client clock, or shortened by the time the
|
// time of the macaroon is extended by the time the server clock
|
||||||
// server clock is ahead of the client clock (or invalid
|
// is behind the client clock, or shortened by the time the
|
||||||
// altogether if, in the latter case, this time is more than 60
|
// server clock is ahead of the client clock (or invalid
|
||||||
// seconds).
|
// altogether if, in the latter case, this time is more than 60
|
||||||
// TODO(aakselrod): add better anti-replay protection.
|
// seconds).
|
||||||
macaroonTimeout := time.Duration(ctx.GlobalInt64("macaroontimeout"))
|
// TODO(aakselrod): add better anti-replay protection.
|
||||||
requestTimeout := time.Now().Add(time.Second * macaroonTimeout)
|
macaroons.TimeoutConstraint(ctx.GlobalInt64("macaroontimeout")),
|
||||||
timeCaveat := checkers.TimeBeforeCaveat(requestTimeout)
|
|
||||||
mac.AddFirstPartyCaveat(timeCaveat.Condition)
|
// ... Add more constraints if needed.
|
||||||
|
}
|
||||||
|
|
||||||
|
// Apply constraints to the macaroon.
|
||||||
|
constrainedMac := macaroons.AddConstraints(mac, macConstraints...)
|
||||||
|
|
||||||
// Now we append the macaroon credentials to the dial options.
|
// Now we append the macaroon credentials to the dial options.
|
||||||
opts = append(
|
cred := macaroons.NewMacaroonCredential(constrainedMac)
|
||||||
opts,
|
opts = append(opts, grpc.WithPerRPCCredentials(cred))
|
||||||
grpc.WithPerRPCCredentials(
|
|
||||||
macaroons.NewMacaroonCredential(mac)),
|
|
||||||
)
|
|
||||||
}
|
}
|
||||||
|
|
||||||
conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...)
|
conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...)
|
||||||
|
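Review bot: The `macaroontimeout` value reaches `macaroons.TimeoutConstraint(ctx.GlobalInt64("macaroontimeout"))` in getClientConn with no range check. A zero or negative value would presumably produce a macaroon that is already expired when it is sent, and a very large value silently widens the replay window that the comment in this hunk describes. The body of TimeoutConstraint is not visible here, so how it treats such inputs should be confirmed. I would validate before building `macConstraints`, along the lines of `if t := ctx.GlobalInt64("macaroontimeout"); t <= 0 { fatal(fmt.Errorf("macaroontimeout must be positive")) }`, and state the accepted range in the flag's usage text. getClientConn starts and ends outside this hunk.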
8
lnd.go
8
lnd.go
@ -20,7 +20,6 @@ import (
|
|||||||
"time"
|
"time"
|
||||||
|
|
||||||
"gopkg.in/macaroon-bakery.v1/bakery"
|
"gopkg.in/macaroon-bakery.v1/bakery"
|
||||||
"gopkg.in/macaroon-bakery.v1/bakery/checkers"
|
|
||||||
|
|
||||||
"golang.org/x/net/context"
|
"golang.org/x/net/context"
|
||||||
|
|
||||||
@ -569,11 +568,8 @@ func genMacaroons(svc *bakery.Service, admFile, roFile string) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// Generate the read-only macaroon and write it to a file.
|
// Generate the read-only macaroon and write it to a file.
|
||||||
caveat := checkers.AllowCaveat(roPermissions...)
|
roMacaroon := macaroons.AddConstraints(admMacaroon,
|
||||||
roMacaroon := admMacaroon.Clone()
|
macaroons.PermissionsConstraint(roPermissions...))
|
||||||
if err = svc.AddCaveat(roMacaroon, caveat); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
roBytes, err := roMacaroon.MarshalBinary()
|
roBytes, err := roMacaroon.MarshalBinary()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
|
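Review bot: The error path for attaching the read-only restriction is gone in genMacaroons: the removed code returned the error from `svc.AddCaveat`, while `macaroons.AddConstraints(admMacaroon, macaroons.PermissionsConstraint(roPermissions...))` yields a single value and nothing is checked before `MarshalBinary`. If a constraint can fail to attach (AddConstraints is not shown here), the file written as read-only would carry the admin macaroon's full permissions. I would have the helper return an error and keep the early return: `roMacaroon, err := macaroons.AddConstraints(admMacaroon, macaroons.PermissionsConstraint(roPermissions...))` followed by `if err != nil { return err }`. The AddConstraints call added in getClientConn has the same shape, and the helper's doc comment should state that it copies its input, since the explicit `admMacaroon.Clone()` was dropped here. genMacaroons continues outside the hunk.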
@ -85,7 +85,7 @@ func ValidateMacaroon(ctx context.Context, method string,
|
|||||||
//
|
//
|
||||||
// TODO(aakselrod): Add more checks as required.
|
// TODO(aakselrod): Add more checks as required.
|
||||||
return svc.Check(macaroon.Slice{mac}, checkers.New(
|
return svc.Check(macaroon.Slice{mac}, checkers.New(
|
||||||
checkers.OperationChecker(method),
|
PermissionsChecker(method),
|
||||||
checkers.TimeBefore,
|
TimeoutChecker(),
|
||||||
))
|
))
|
||||||
}
|
}
|
||||||
|
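Review bot: The replacement checkers in ValidateMacaroon, `PermissionsChecker(method)` and `TimeoutChecker()`, need negative tests, because nothing in this hunk shows that they reject a caveat whose argument is malformed or missing. Their definitions are outside this view, so this is a request to confirm rather than a finding. Each should return an error, never nil, when it cannot parse its condition, and should recognise exactly the conditions that `PermissionsConstraint` and `TimeoutConstraint` emit. A test that passes a constrained macaroon through ValidateMacaroon, with one expired case and one out-of-permission case both expected to fail, would pin that down. The function starts outside the hunk.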