macaroons: fix incorrect comparison in isRegistered, wrap long lines
parent
3eff9804ee
commit
f22b0ccdbc
@ -1,28 +1,33 @@
|
|||||||
# macaroons
|
# macaroons
|
||||||
|
|
||||||
This is a more detailed, technical description of how macaroons work and how authentication
|
This is a more detailed, technical description of how macaroons work and how
|
||||||
and authorization is implemented in `lnd`.
|
authentication and authorization is implemented in `lnd`.
|
||||||
|
|
||||||
For a more high-level overview see [macaroons.md in the docs](../docs/macaroons.md).
|
For a more high-level overview see
|
||||||
|
[macaroons.md in the docs](../docs/macaroons.md).
|
||||||
|
|
||||||
## Root key
|
## Root key
|
||||||
|
|
||||||
At startup, if the option `--no-macaroons` is **not** used, a Bolt DB key/value store
|
At startup, if the option `--no-macaroons` is **not** used, a Bolt DB key/value
|
||||||
named `data/macaroons.db` is created with a bucket named `macrootkeys`.
|
store named `data/macaroons.db` is created with a bucket named `macrootkeys`.
|
||||||
In this DB the following two key/value pairs are stored:
|
In this DB the following two key/value pairs are stored:
|
||||||
|
|
||||||
* Key `0`: the encrypted root key (32 bytes).
|
* Key `0`: the encrypted root key (32 bytes).
|
||||||
* If the root key does not exist yet, 32 bytes of pseudo-random data is generated and used.
|
* If the root key does not exist yet, 32 bytes of pseudo-random data is
|
||||||
* Key `enckey`: the parameters used to derive a secret encryption key from a passphrase.
|
generated and used.
|
||||||
|
* Key `enckey`: the parameters used to derive a secret encryption key from a
|
||||||
|
passphrase.
|
||||||
* The following parameters are stored: `<salt><digest><N><R><P>`
|
* The following parameters are stored: `<salt><digest><N><R><P>`
|
||||||
* `salt`: 32 byte of random data used as salt for the `scrypt` key derivation.
|
* `salt`: 32 byte of random data used as salt for the `scrypt` key
|
||||||
* `digest`: sha256 hashed key derived from the `scrypt` operation. Is used to verify if the
|
derivation.
|
||||||
password is correct.
|
* `digest`: sha256 hashed key derived from the `scrypt` operation. Is used
|
||||||
|
to verify if the password is correct.
|
||||||
* `N`, `P`, `R`: Parameters used for the `scrypt` operation.
|
* `N`, `P`, `R`: Parameters used for the `scrypt` operation.
|
||||||
* The root key is symmetrically encrypted with the derived secret key, using the
|
* The root key is symmetrically encrypted with the derived secret key, using
|
||||||
`secretbox` method of the library [btcsuite/golangcrypto](https://github.com/btcsuite/golangcrypto).
|
the `secretbox` method of the library
|
||||||
* If the option `--noencryptwallet` is used, then the default passphrase `hello` is used
|
[btcsuite/golangcrypto](https://github.com/btcsuite/golangcrypto).
|
||||||
to encrypt the root key.
|
* If the option `--noencryptwallet` is used, then the default passphrase
|
||||||
|
`hello` is used to encrypt the root key.
|
||||||
|
|
||||||
## Generated macaroons
|
## Generated macaroons
|
||||||
|
|
||||||
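Review bot: two wording defects survive the re-wrap in the root-key section and could be fixed in the same pass: `32 byte of random data` (the `salt` bullet) should read `32 bytes of random data`, and the fragment `Is used to verify if the password is correct.` under `digest` reads better joined to its sentence, e.g. `sha256 hash of the key derived by scrypt, used to verify that the passphrase is correct.` The `--noencryptwallet` bullet is also the one security-relevant statement in this hunk: with the fixed default passphrase `hello` the encryption adds nothing, so it would help readers to say outright that the root key is then only as protected as read access to `data/macaroons.db`.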
@ -38,11 +43,11 @@ With the root key set up, `lnd` continues with creating three macaroon files:
|
|||||||
* `admin.macaroon`: Grants full read and write access to all gRPC commands.
|
* `admin.macaroon`: Grants full read and write access to all gRPC commands.
|
||||||
This is used by the `lncli` client.
|
This is used by the `lncli` client.
|
||||||
|
|
||||||
These three macaroons all have the location field set to `lnd` and have no conditions/first party caveats
|
These three macaroons all have the location field set to `lnd` and have no
|
||||||
or third party caveats set.
|
conditions/first party caveats or third party caveats set.
|
||||||
|
|
||||||
The access restrictions are implemented with a list of entity/action pairs that is mapped
|
The access restrictions are implemented with a list of entity/action pairs that
|
||||||
to the gRPC functions by the `rpcserver.go`.
|
is mapped to the gRPC functions by the `rpcserver.go`.
|
||||||
For example, the permissions for the `invoice.macaroon` looks like this:
|
For example, the permissions for the `invoice.macaroon` looks like this:
|
||||||
|
|
||||||
```go
|
```go
|
||||||
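Review bot: grammar in the re-wrapped sentence `the permissions for the \`invoice.macaroon\` looks like this` should be `look like this`, and `have no conditions/first party caveats or third party caveats set` is clearer as `have no first-party caveats (conditions) and no third-party caveats`. The wrap itself changes nothing else in this hunk.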
@ -71,10 +76,14 @@ For example, the permissions for the `invoice.macaroon` looks like this:
|
|||||||
|
|
||||||
## Constraints / First party caveats
|
## Constraints / First party caveats
|
||||||
|
|
||||||
There are currently two constraints implemented that can be used by `lncli` to restrict the
|
There are currently two constraints implemented that can be used by `lncli` to
|
||||||
macaroon it uses to communicate with the gRPC interface. These can be found in `constraints.go`:
|
restrict the macaroon it uses to communicate with the gRPC interface. These can
|
||||||
|
be found in `constraints.go`:
|
||||||
|
|
||||||
* `TimeoutConstraint`: Set a timeout in seconds after which the macaroon is no longer valid.
|
* `TimeoutConstraint`: Set a timeout in seconds after which the macaroon is no
|
||||||
This constraint can be set by adding the parameter `--macaroontimeout xy` to the `lncli` command.
|
longer valid.
|
||||||
|
This constraint can be set by adding the parameter `--macaroontimeout xy` to
|
||||||
|
the `lncli` command.
|
||||||
* `IPLockConstraint`: Locks the macaroon to a specific IP address.
|
* `IPLockConstraint`: Locks the macaroon to a specific IP address.
|
||||||
This constraint can be set by adding the parameter `--macaroonip a.b.c.d` to the `lncli` command.
|
This constraint can be set by adding the parameter `--macaroonip a.b.c.d` to
|
||||||
|
the `lncli` command.
|
||||||
|
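Review bot: the placeholder in `--macaroontimeout xy` would be clearer as a concrete value in the unit the sentence names (seconds), e.g. `--macaroontimeout 60`, matching the concrete form `--macaroonip a.b.c.d` used in the next bullet. The text also only says that `lncli` adds these constraints; since the test hunk below registers `macaroons.IPLockChecker` with `NewService`, it is worth a sentence here stating that `lnd` verifies the caveats on the server side, otherwise a reader may assume the restriction is enforced by the client.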
@ -85,7 +85,9 @@ func isRegistered(c *checkers.Checker, name string) bool {
|
|||||||
}
|
}
|
||||||
|
|
||||||
for _, info := range c.Info() {
|
for _, info := range c.Info() {
|
||||||
if info.Name == name && info.Prefix == "std" {
|
if info.Name == name &&
|
||||||
|
info.Prefix == "" &&
|
||||||
|
info.Namespace == "std" {
|
||||||
return true
|
return true
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
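Review bot: the corrected comparison in isRegistered now requires `info.Prefix == ""` in addition to `info.Namespace == "std"`, so a condition registered in the std namespace under a non-empty prefix is reported as not registered even though the checker exists. If that is intended (only unprefixed std conditions count), a comment on the condition saying so would help; otherwise drop the prefix clause and match on `info.Name == name && info.Namespace == "std"`. Either way this deserves a unit test: the commit message calls the old `info.Prefix == "std"` comparison incorrect, yet nothing in this diff exercises isRegistered, so a regression here would again go unnoticed.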
@ -97,7 +97,7 @@ func TestNewService(t *testing.T) {
|
|||||||
// TestValidateMacaroon tests the validation of a macaroon that is in an
|
// TestValidateMacaroon tests the validation of a macaroon that is in an
|
||||||
// incoming context.
|
// incoming context.
|
||||||
func TestValidateMacaroon(t *testing.T) {
|
func TestValidateMacaroon(t *testing.T) {
|
||||||
// First, initialize the service and unlock it
|
// First, initialize the service and unlock it.
|
||||||
tempDir := setupTestRootKeyStorage(t)
|
tempDir := setupTestRootKeyStorage(t)
|
||||||
defer os.RemoveAll(tempDir)
|
defer os.RemoveAll(tempDir)
|
||||||
service, err := macaroons.NewService(tempDir, macaroons.IPLockChecker)
|
service, err := macaroons.NewService(tempDir, macaroons.IPLockChecker)
|
||||||
@ -123,7 +123,9 @@ func TestValidateMacaroon(t *testing.T) {
|
|||||||
|
|
||||||
// Because the macaroons are always passed in a context, we need to
|
// Because the macaroons are always passed in a context, we need to
|
||||||
// mock one that has just the serialized macaroon as a value.
|
// mock one that has just the serialized macaroon as a value.
|
||||||
md := metadata.New(map[string]string{"macaroon": hex.EncodeToString(macaroonBinary)})
|
md := metadata.New(map[string]string{
|
||||||
|
"macaroon": hex.EncodeToString(macaroonBinary),
|
||||||
|
})
|
||||||
mockContext := metadata.NewIncomingContext(context.Background(), md)
|
mockContext := metadata.NewIncomingContext(context.Background(), md)
|
||||||
|
|
||||||
// Finally, validate the macaroon against the required permissions.
|
// Finally, validate the macaroon against the required permissions.
|
||||||
|
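Review bot: the wrapped map literal is fine; while touching this test, consider adding the negative cases next to it: an incoming context with no `macaroon` metadata key, and one whose value is not valid hex, both of which should fail validation rather than be accepted.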