macaroons: use constraint layer for macaroon tweaking

This commit is contained in:
whythat 2017-09-02 03:45:14 +03:00 committed by Olaoluwa Osuntokun
parent 5c3493bd30
commit a6b9155150
3 changed files with 25 additions and 30 deletions

@ -6,9 +6,7 @@ import (
"os" "os"
"path/filepath" "path/filepath"
"strings" "strings"
"time"
"gopkg.in/macaroon-bakery.v1/bakery/checkers"
"gopkg.in/macaroon.v1" "gopkg.in/macaroon.v1"
"github.com/lightningnetwork/lnd/lnrpc" "github.com/lightningnetwork/lnd/lnrpc"
@ -73,28 +71,29 @@ func getClientConn(ctx *cli.Context) *grpc.ClientConn {
fatal(err) fatal(err)
} }
// We add a time-based constraint to prevent replay of the macConstraints := []macaroons.Constraint{
// macaroon. It's good for 60 seconds by default to make up for // We add a time-based constraint to prevent replay of the
// any discrepancy between client and server clocks, but leaking // macaroon. It's good for 60 seconds by default to make up for
// the macaroon before it becomes invalid makes it possible for // any discrepancy between client and server clocks, but leaking
// an attacker to reuse the macaroon. In addition, the validity // the macaroon before it becomes invalid makes it possible for
// time of the macaroon is extended by the time the server clock // an attacker to reuse the macaroon. In addition, the validity
// is behind the client clock, or shortened by the time the // time of the macaroon is extended by the time the server clock
// server clock is ahead of the client clock (or invalid // is behind the client clock, or shortened by the time the
// altogether if, in the latter case, this time is more than 60 // server clock is ahead of the client clock (or invalid
// seconds). // altogether if, in the latter case, this time is more than 60
// TODO(aakselrod): add better anti-replay protection. // seconds).
macaroonTimeout := time.Duration(ctx.GlobalInt64("macaroontimeout")) // TODO(aakselrod): add better anti-replay protection.
requestTimeout := time.Now().Add(time.Second * macaroonTimeout) macaroons.TimeoutConstraint(ctx.GlobalInt64("macaroontimeout")),
timeCaveat := checkers.TimeBeforeCaveat(requestTimeout)
mac.AddFirstPartyCaveat(timeCaveat.Condition) // ... Add more constraints if needed.
}
// Apply constraints to the macaroon.
constrainedMac := macaroons.AddConstraints(mac, macConstraints...)
// Now we append the macaroon credentials to the dial options. // Now we append the macaroon credentials to the dial options.
opts = append( cred := macaroons.NewMacaroonCredential(constrainedMac)
opts, opts = append(opts, grpc.WithPerRPCCredentials(cred))
grpc.WithPerRPCCredentials(
macaroons.NewMacaroonCredential(mac)),
)
} }
conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...) conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...)

8
lnd.go

@ -20,7 +20,6 @@ import (
"time" "time"
"gopkg.in/macaroon-bakery.v1/bakery" "gopkg.in/macaroon-bakery.v1/bakery"
"gopkg.in/macaroon-bakery.v1/bakery/checkers"
"golang.org/x/net/context" "golang.org/x/net/context"
@ -569,11 +568,8 @@ func genMacaroons(svc *bakery.Service, admFile, roFile string) error {
} }
// Generate the read-only macaroon and write it to a file. // Generate the read-only macaroon and write it to a file.
caveat := checkers.AllowCaveat(roPermissions...) roMacaroon := macaroons.AddConstraints(admMacaroon,
roMacaroon := admMacaroon.Clone() macaroons.PermissionsConstraint(roPermissions...))
if err = svc.AddCaveat(roMacaroon, caveat); err != nil {
return err
}
roBytes, err := roMacaroon.MarshalBinary() roBytes, err := roMacaroon.MarshalBinary()
if err != nil { if err != nil {
return err return err

@ -85,7 +85,7 @@ func ValidateMacaroon(ctx context.Context, method string,
// //
// TODO(aakselrod): Add more checks as required. // TODO(aakselrod): Add more checks as required.
return svc.Check(macaroon.Slice{mac}, checkers.New( return svc.Check(macaroon.Slice{mac}, checkers.New(
checkers.OperationChecker(method), PermissionsChecker(method),
checkers.TimeBefore, TimeoutChecker(),
)) ))
} }