diff --git a/macaroons/README.md b/macaroons/README.md index bb5df573..87ab93bb 100644 --- a/macaroons/README.md +++ b/macaroons/README.md @@ -1,28 +1,33 @@ # macaroons -This is a more detailed, technical description of how macaroons work and how authentication -and authorization is implemented in `lnd`. +This is a more detailed, technical description of how macaroons work and how +authentication and authorization is implemented in `lnd`. -For a more high-level overview see [macaroons.md in the docs](../docs/macaroons.md). +For a more high-level overview see +[macaroons.md in the docs](../docs/macaroons.md). ## Root key -At startup, if the option `--no-macaroons` is **not** used, a Bolt DB key/value store -named `data/macaroons.db` is created with a bucket named `macrootkeys`. +At startup, if the option `--no-macaroons` is **not** used, a Bolt DB key/value +store named `data/macaroons.db` is created with a bucket named `macrootkeys`. In this DB the following two key/value pairs are stored: * Key `0`: the encrypted root key (32 bytes). - * If the root key does not exist yet, 32 bytes of pseudo-random data is generated and used. -* Key `enckey`: the parameters used to derive a secret encryption key from a passphrase. + * If the root key does not exist yet, 32 bytes of pseudo-random data is + generated and used. +* Key `enckey`: the parameters used to derive a secret encryption key from a + passphrase. * The following parameters are stored: `

` - * `salt`: 32 byte of random data used as salt for the `scrypt` key derivation. - * `digest`: sha256 hashed key derived from the `scrypt` operation. Is used to verify if the - password is correct. + * `salt`: 32 byte of random data used as salt for the `scrypt` key + derivation. + * `digest`: sha256 hashed key derived from the `scrypt` operation. Is used + to verify if the password is correct. * `N`, `P`, `R`: Parameters used for the `scrypt` operation. - * The root key is symmetrically encrypted with the derived secret key, using the - `secretbox` method of the library [btcsuite/golangcrypto](https://github.com/btcsuite/golangcrypto). - * If the option `--noencryptwallet` is used, then the default passphrase `hello` is used - to encrypt the root key. + * The root key is symmetrically encrypted with the derived secret key, using + the `secretbox` method of the library + [btcsuite/golangcrypto](https://github.com/btcsuite/golangcrypto). + * If the option `--noencryptwallet` is used, then the default passphrase + `hello` is used to encrypt the root key. ## Generated macaroons @@ -38,11 +43,11 @@ With the root key set up, `lnd` continues with creating three macaroon files: * `admin.macaroon`: Grants full read and write access to all gRPC commands. This is used by the `lncli` client. -These three macaroons all have the location field set to `lnd` and have no conditions/first party caveats -or third party caveats set. +These three macaroons all have the location field set to `lnd` and have no +conditions/first party caveats or third party caveats set. -The access restrictions are implemented with a list of entity/action pairs that is mapped -to the gRPC functions by the `rpcserver.go`. +The access restrictions are implemented with a list of entity/action pairs that +is mapped to the gRPC functions by the `rpcserver.go`. For example, the permissions for the `invoice.macaroon` looks like this: ```go 
@@ -71,10 +76,14 @@ For example, the permissions for the `invoice.macaroon` looks like this: ## Constraints / First party caveats -There are currently two constraints implemented that can be used by `lncli` to restrict the -macaroon it uses to communicate with the gRPC interface. These can be found in `constraints.go`: +There are currently two constraints implemented that can be used by `lncli` to +restrict the macaroon it uses to communicate with the gRPC interface. These can +be found in `constraints.go`: -* `TimeoutConstraint`: Set a timeout in seconds after which the macaroon is no longer valid. - This constraint can be set by adding the parameter `--macaroontimeout xy` to the `lncli` command. +* `TimeoutConstraint`: Set a timeout in seconds after which the macaroon is no + longer valid. + This constraint can be set by adding the parameter `--macaroontimeout xy` to + the `lncli` command. * `IPLockConstraint`: Locks the macaroon to a specific IP address. - This constraint can be set by adding the parameter `--macaroonip a.b.c.d` to the `lncli` command. + This constraint can be set by adding the parameter `--macaroonip a.b.c.d` to + the `lncli` command. diff --git a/macaroons/service.go b/macaroons/service.go index 77363f6c..87ebc31a 100644 --- a/macaroons/service.go +++ b/macaroons/service.go @@ -85,7 +85,9 @@ func isRegistered(c *checkers.Checker, name string) bool { } for _, info := range c.Info() { - if info.Name == name && info.Prefix == "std" { + if info.Name == name && + info.Prefix == "" && + info.Namespace == "std" { return true } } diff --git a/macaroons/service_test.go b/macaroons/service_test.go index 23f8b386..599bcb88 100644 --- a/macaroons/service_test.go +++ b/macaroons/service_test.go 
@@ -97,7 +97,7 @@ func TestNewService(t *testing.T) { // TestValidateMacaroon tests the validation of a macaroon that is in an // incoming context. func TestValidateMacaroon(t *testing.T) { - // First, initialize the service and unlock it + // First, initialize the service and unlock it. tempDir := setupTestRootKeyStorage(t) defer os.RemoveAll(tempDir) service, err := macaroons.NewService(tempDir, macaroons.IPLockChecker) @@ -123,7 +123,9 @@ func TestValidateMacaroon(t *testing.T) { // Because the macaroons are always passed in a context, we need to // mock one that has just the serialized macaroon as a value. - md := metadata.New(map[string]string{"macaroon": hex.EncodeToString(macaroonBinary)}) + md := metadata.New(map[string]string{ + "macaroon": hex.EncodeToString(macaroonBinary), + }) mockContext := metadata.NewIncomingContext(context.Background(), md) // Finally, validate the macaroon against the required permissions.
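Review bot: In the first hunk of `macaroons/README.md`, the `enckey` bullets are rewrapped but their wording errors are carried over, and they should be fixed in the same pass. `salt: 32 byte of random data` should read "32 bytes", and `Is used to verify if the password is correct.` is a fragment with no subject. The `--noencryptwallet` bullet would also benefit from one more sentence. It should state that with the fixed passphrase `hello` the encryption gives the root key no confidentiality at rest, because the passphrase is documented here and the `salt` and `N`, `P`, `R` parameters sit in the same `enckey` entry.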
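Review bot: In `isRegistered` in `macaroons/service.go`, the new condition `info.Prefix == "" && info.Namespace == "std"` replaces a comparison of `Prefix` against `"std"`, but the hunk has no comment explaining why a registered checker is expected to have an empty prefix and the `std` namespace. Add a short comment above the `if` stating that. The two `service_test.go` hunks in this patch change only a comment and the wrapping of the `metadata.New` call, so nothing visible covers the corrected match. A test case that exercises both the `true` and the `false` outcome of `isRegistered` would keep this comparison from regressing.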