macaroons: fix incorrect comparison in isRegistered, wrap long lines

Oliver Gugger 2018-04-27 00:06:43 +03:00 committed by Oliver Gugger
parent 3eff9804ee
commit f22b0ccdbc
3 changed files with 39 additions and 26 deletions

@ -1,28 +1,33 @@
# macaroons
This is a more detailed, technical description of how macaroons work and how authentication
and authorization is implemented in `lnd`.
This is a more detailed, technical description of how macaroons work and how
authentication and authorization is implemented in `lnd`.
For a more high-level overview see [macaroons.md in the docs](../docs/macaroons.md).
For a more high-level overview see
[macaroons.md in the docs](../docs/macaroons.md).
## Root key
At startup, if the option `--no-macaroons` is **not** used, a Bolt DB key/value store
named `data/macaroons.db` is created with a bucket named `macrootkeys`.
At startup, if the option `--no-macaroons` is **not** used, a Bolt DB key/value
store named `data/macaroons.db` is created with a bucket named `macrootkeys`.
In this DB the following two key/value pairs are stored:
* Key `0`: the encrypted root key (32 bytes).
* If the root key does not exist yet, 32 bytes of pseudo-random data is generated and used.
* Key `enckey`: the parameters used to derive a secret encryption key from a passphrase.
* If the root key does not exist yet, 32 bytes of pseudo-random data is
generated and used.
* Key `enckey`: the parameters used to derive a secret encryption key from a
passphrase.
* The following parameters are stored: `<salt><digest><N><R><P>`
* `salt`: 32 byte of random data used as salt for the `scrypt` key derivation.
* `digest`: sha256 hashed key derived from the `scrypt` operation. Is used to verify if the
password is correct.
* `salt`: 32 byte of random data used as salt for the `scrypt` key
derivation.
* `digest`: sha256 hashed key derived from the `scrypt` operation. Is used
to verify if the password is correct.
* `N`, `P`, `R`: Parameters used for the `scrypt` operation.
* The root key is symmetrically encrypted with the derived secret key, using the
`secretbox` method of the library [btcsuite/golangcrypto](https://github.com/btcsuite/golangcrypto).
* If the option `--noencryptwallet` is used, then the default passphrase `hello` is used
to encrypt the root key.
* The root key is symmetrically encrypted with the derived secret key, using
the `secretbox` method of the library
[btcsuite/golangcrypto](https://github.com/btcsuite/golangcrypto).
* If the option `--noencryptwallet` is used, then the default passphrase
`hello` is used to encrypt the root key.
## Generated macaroons
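Review bot: In the `enckey` bullets the stored layout is given as `<salt><digest><N><R><P>`, but the parameter bullet lists them as `N`, `P`, `R`; because that order describes the on-disk format, list them in the stored order (`N`, `R`, `P`). Since these lines are being rewrapped anyway, "32 byte of random data" should read "32 bytes", and "authentication and authorization is implemented" should be "are implemented". The `--noencryptwallet` bullet should also say plainly that with the fixed passphrase `hello`, and with the salt and `scrypt` parameters stored in the same DB, encrypting the root key gives no confidentiality against anyone who can read `data/macaroons.db`.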
@ -38,11 +43,11 @@ With the root key set up, `lnd` continues with creating three macaroon files:
* `admin.macaroon`: Grants full read and write access to all gRPC commands.
This is used by the `lncli` client.
These three macaroons all have the location field set to `lnd` and have no conditions/first party caveats
or third party caveats set.
These three macaroons all have the location field set to `lnd` and have no
conditions/first party caveats or third party caveats set.
The access restrictions are implemented with a list of entity/action pairs that is mapped
to the gRPC functions by the `rpcserver.go`.
The access restrictions are implemented with a list of entity/action pairs that
is mapped to the gRPC functions by the `rpcserver.go`.
For example, the permissions for the `invoice.macaroon` looks like this:
```go
@ -71,10 +76,14 @@ For example, the permissions for the `invoice.macaroon` looks like this:
## Constraints / First party caveats
There are currently two constraints implemented that can be used by `lncli` to restrict the
macaroon it uses to communicate with the gRPC interface. These can be found in `constraints.go`:
There are currently two constraints implemented that can be used by `lncli` to
restrict the macaroon it uses to communicate with the gRPC interface. These can
be found in `constraints.go`:
* `TimeoutConstraint`: Set a timeout in seconds after which the macaroon is no longer valid.
This constraint can be set by adding the parameter `--macaroontimeout xy` to the `lncli` command.
* `TimeoutConstraint`: Set a timeout in seconds after which the macaroon is no
longer valid.
This constraint can be set by adding the parameter `--macaroontimeout xy` to
the `lncli` command.
* `IPLockConstraint`: Locks the macaroon to a specific IP address.
This constraint can be set by adding the parameter `--macaroonip a.b.c.d` to the `lncli` command.
This constraint can be set by adding the parameter `--macaroonip a.b.c.d` to
the `lncli` command.

@ -85,7 +85,9 @@ func isRegistered(c *checkers.Checker, name string) bool {
}
for _, info := range c.Info() {
if info.Name == name && info.Prefix == "std" {
if info.Name == name &&
info.Prefix == "" &&
info.Namespace == "std" {
return true
}
}
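Review bot: The new condition in `isRegistered` hard-codes the namespace as the string literal `"std"`; prefer the `checkers.StdNamespace` constant so the comparison follows the library's own definition. The added `info.Prefix == ""` clause also means a checker registered in the std namespace under a non-empty prefix is reported as not registered, so a short comment stating that this is intended would help the next reader. None of the test hunks shown in this commit exercise `isRegistered`, and the old comparison against `info.Prefix` went unnoticed, so a regression test that expects true for a standard checker name and false for an unknown name would be worth adding alongside the fix.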

@ -97,7 +97,7 @@ func TestNewService(t *testing.T) {
// TestValidateMacaroon tests the validation of a macaroon that is in an
// incoming context.
func TestValidateMacaroon(t *testing.T) {
// First, initialize the service and unlock it
// First, initialize the service and unlock it.
tempDir := setupTestRootKeyStorage(t)
defer os.RemoveAll(tempDir)
service, err := macaroons.NewService(tempDir, macaroons.IPLockChecker)
@ -123,7 +123,9 @@ func TestValidateMacaroon(t *testing.T) {
// Because the macaroons are always passed in a context, we need to
// mock one that has just the serialized macaroon as a value.
md := metadata.New(map[string]string{"macaroon": hex.EncodeToString(macaroonBinary)})
md := metadata.New(map[string]string{
"macaroon": hex.EncodeToString(macaroonBinary),
})
mockContext := metadata.NewIncomingContext(context.Background(), md)
// Finally, validate the macaroon against the required permissions.