macaroons: fix incorrect comparison in isRegistered, wrap long lines
This commit is contained in:
parent
3eff9804ee
commit
f22b0ccdbc
@ -1,28 +1,33 @@
|
||||
# macaroons
|
||||
|
||||
This is a more detailed, technical description of how macaroons work and how authentication
|
||||
and authorization is implemented in `lnd`.
|
||||
This is a more detailed, technical description of how macaroons work and how
|
||||
authentication and authorization is implemented in `lnd`.
|
||||
|
||||
For a more high-level overview see [macaroons.md in the docs](../docs/macaroons.md).
|
||||
For a more high-level overview see
|
||||
[macaroons.md in the docs](../docs/macaroons.md).
|
||||
|
||||
## Root key
|
||||
|
||||
At startup, if the option `--no-macaroons` is **not** used, a Bolt DB key/value store
|
||||
named `data/macaroons.db` is created with a bucket named `macrootkeys`.
|
||||
At startup, if the option `--no-macaroons` is **not** used, a Bolt DB key/value
|
||||
store named `data/macaroons.db` is created with a bucket named `macrootkeys`.
|
||||
In this DB the following two key/value pairs are stored:
|
||||
|
||||
* Key `0`: the encrypted root key (32 bytes).
|
||||
* If the root key does not exist yet, 32 bytes of pseudo-random data is generated and used.
|
||||
* Key `enckey`: the parameters used to derive a secret encryption key from a passphrase.
|
||||
* If the root key does not exist yet, 32 bytes of pseudo-random data is
|
||||
generated and used.
|
||||
* Key `enckey`: the parameters used to derive a secret encryption key from a
|
||||
passphrase.
|
||||
* The following parameters are stored: `<salt><digest><N><R><P>`
|
||||
* `salt`: 32 byte of random data used as salt for the `scrypt` key derivation.
|
||||
* `digest`: sha256 hashed key derived from the `scrypt` operation. Is used to verify if the
|
||||
password is correct.
|
||||
* `salt`: 32 byte of random data used as salt for the `scrypt` key
|
||||
derivation.
|
||||
* `digest`: sha256 hashed key derived from the `scrypt` operation. Is used
|
||||
to verify if the password is correct.
|
||||
* `N`, `P`, `R`: Parameters used for the `scrypt` operation.
|
||||
* The root key is symmetrically encrypted with the derived secret key, using the
|
||||
`secretbox` method of the library [btcsuite/golangcrypto](https://github.com/btcsuite/golangcrypto).
|
||||
* If the option `--noencryptwallet` is used, then the default passphrase `hello` is used
|
||||
to encrypt the root key.
|
||||
* The root key is symmetrically encrypted with the derived secret key, using
|
||||
the `secretbox` method of the library
|
||||
[btcsuite/golangcrypto](https://github.com/btcsuite/golangcrypto).
|
||||
* If the option `--noencryptwallet` is used, then the default passphrase
|
||||
`hello` is used to encrypt the root key.
|
||||
|
||||
## Generated macaroons
|
||||
|
||||
@ -38,11 +43,11 @@ With the root key set up, `lnd` continues with creating three macaroon files:
|
||||
* `admin.macaroon`: Grants full read and write access to all gRPC commands.
|
||||
This is used by the `lncli` client.
|
||||
|
||||
These three macaroons all have the location field set to `lnd` and have no conditions/first party caveats
|
||||
or third party caveats set.
|
||||
These three macaroons all have the location field set to `lnd` and have no
|
||||
conditions/first party caveats or third party caveats set.
|
||||
|
||||
The access restrictions are implemented with a list of entity/action pairs that is mapped
|
||||
to the gRPC functions by the `rpcserver.go`.
|
||||
The access restrictions are implemented with a list of entity/action pairs that
|
||||
is mapped to the gRPC functions by the `rpcserver.go`.
|
||||
For example, the permissions for the `invoice.macaroon` looks like this:
|
||||
|
||||
```go
|
||||
@ -71,10 +76,14 @@ For example, the permissions for the `invoice.macaroon` looks like this:
|
||||
|
||||
## Constraints / First party caveats
|
||||
|
||||
There are currently two constraints implemented that can be used by `lncli` to restrict the
|
||||
macaroon it uses to communicate with the gRPC interface. These can be found in `constraints.go`:
|
||||
There are currently two constraints implemented that can be used by `lncli` to
|
||||
restrict the macaroon it uses to communicate with the gRPC interface. These can
|
||||
be found in `constraints.go`:
|
||||
|
||||
* `TimeoutConstraint`: Set a timeout in seconds after which the macaroon is no longer valid.
|
||||
This constraint can be set by adding the parameter `--macaroontimeout xy` to the `lncli` command.
|
||||
* `TimeoutConstraint`: Set a timeout in seconds after which the macaroon is no
|
||||
longer valid.
|
||||
This constraint can be set by adding the parameter `--macaroontimeout xy` to
|
||||
the `lncli` command.
|
||||
* `IPLockConstraint`: Locks the macaroon to a specific IP address.
|
||||
This constraint can be set by adding the parameter `--macaroonip a.b.c.d` to the `lncli` command.
|
||||
This constraint can be set by adding the parameter `--macaroonip a.b.c.d` to
|
||||
the `lncli` command.
|
||||
|
@ -85,7 +85,9 @@ func isRegistered(c *checkers.Checker, name string) bool {
|
||||
}
|
||||
|
||||
for _, info := range c.Info() {
|
||||
if info.Name == name && info.Prefix == "std" {
|
||||
if info.Name == name &&
|
||||
info.Prefix == "" &&
|
||||
info.Namespace == "std" {
|
||||
return true
|
||||
}
|
||||
}
|
||||
|
@ -97,7 +97,7 @@ func TestNewService(t *testing.T) {
|
||||
// TestValidateMacaroon tests the validation of a macaroon that is in an
|
||||
// incoming context.
|
||||
func TestValidateMacaroon(t *testing.T) {
|
||||
// First, initialize the service and unlock it
|
||||
// First, initialize the service and unlock it.
|
||||
tempDir := setupTestRootKeyStorage(t)
|
||||
defer os.RemoveAll(tempDir)
|
||||
service, err := macaroons.NewService(tempDir, macaroons.IPLockChecker)
|
||||
@ -123,7 +123,9 @@ func TestValidateMacaroon(t *testing.T) {
|
||||
|
||||
// Because the macaroons are always passed in a context, we need to
|
||||
// mock one that has just the serialized macaroon as a value.
|
||||
md := metadata.New(map[string]string{"macaroon": hex.EncodeToString(macaroonBinary)})
|
||||
md := metadata.New(map[string]string{
|
||||
"macaroon": hex.EncodeToString(macaroonBinary),
|
||||
})
|
||||
mockContext := metadata.NewIncomingContext(context.Background(), md)
|
||||
|
||||
// Finally, validate the macaroon against the required permissions.
|
||||
|
Loading…
Reference in New Issue
Block a user