macaroons: use constraint layer for macaroon tweaking
This commit is contained in:
parent
5c3493bd30
commit
a6b9155150
@ -6,9 +6,7 @@ import (
|
||||
"os"
|
||||
"path/filepath"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"gopkg.in/macaroon-bakery.v1/bakery/checkers"
|
||||
"gopkg.in/macaroon.v1"
|
||||
|
||||
"github.com/lightningnetwork/lnd/lnrpc"
|
||||
@ -73,6 +71,7 @@ func getClientConn(ctx *cli.Context) *grpc.ClientConn {
|
||||
fatal(err)
|
||||
}
|
||||
|
||||
macConstraints := []macaroons.Constraint{
|
||||
// We add a time-based constraint to prevent replay of the
|
||||
// macaroon. It's good for 60 seconds by default to make up for
|
||||
// any discrepancy between client and server clocks, but leaking
|
||||
@ -84,17 +83,17 @@ func getClientConn(ctx *cli.Context) *grpc.ClientConn {
|
||||
// altogether if, in the latter case, this time is more than 60
|
||||
// seconds).
|
||||
// TODO(aakselrod): add better anti-replay protection.
|
||||
macaroonTimeout := time.Duration(ctx.GlobalInt64("macaroontimeout"))
|
||||
requestTimeout := time.Now().Add(time.Second * macaroonTimeout)
|
||||
timeCaveat := checkers.TimeBeforeCaveat(requestTimeout)
|
||||
mac.AddFirstPartyCaveat(timeCaveat.Condition)
|
||||
macaroons.TimeoutConstraint(ctx.GlobalInt64("macaroontimeout")),
|
||||
|
||||
// ... Add more constraints if needed.
|
||||
}
|
||||
|
||||
// Apply constraints to the macaroon.
|
||||
constrainedMac := macaroons.AddConstraints(mac, macConstraints...)
|
||||
|
||||
// Now we append the macaroon credentials to the dial options.
|
||||
opts = append(
|
||||
opts,
|
||||
grpc.WithPerRPCCredentials(
|
||||
macaroons.NewMacaroonCredential(mac)),
|
||||
)
|
||||
cred := macaroons.NewMacaroonCredential(constrainedMac)
|
||||
opts = append(opts, grpc.WithPerRPCCredentials(cred))
|
||||
}
|
||||
|
||||
conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...)
|
||||
|
8
lnd.go
8
lnd.go
@ -20,7 +20,6 @@ import (
|
||||
"time"
|
||||
|
||||
"gopkg.in/macaroon-bakery.v1/bakery"
|
||||
"gopkg.in/macaroon-bakery.v1/bakery/checkers"
|
||||
|
||||
"golang.org/x/net/context"
|
||||
|
||||
@ -569,11 +568,8 @@ func genMacaroons(svc *bakery.Service, admFile, roFile string) error {
|
||||
}
|
||||
|
||||
// Generate the read-only macaroon and write it to a file.
|
||||
caveat := checkers.AllowCaveat(roPermissions...)
|
||||
roMacaroon := admMacaroon.Clone()
|
||||
if err = svc.AddCaveat(roMacaroon, caveat); err != nil {
|
||||
return err
|
||||
}
|
||||
roMacaroon := macaroons.AddConstraints(admMacaroon,
|
||||
macaroons.PermissionsConstraint(roPermissions...))
|
||||
roBytes, err := roMacaroon.MarshalBinary()
|
||||
if err != nil {
|
||||
return err
|
||||
|
@ -85,7 +85,7 @@ func ValidateMacaroon(ctx context.Context, method string,
|
||||
//
|
||||
// TODO(aakselrod): Add more checks as required.
|
||||
return svc.Check(macaroon.Slice{mac}, checkers.New(
|
||||
checkers.OperationChecker(method),
|
||||
checkers.TimeBefore,
|
||||
PermissionsChecker(method),
|
||||
TimeoutChecker(),
|
||||
))
|
||||
}
|
||||
|
Loading…
Reference in New Issue
Block a user