Merge pull request #4464 from guggero/macaroon-interceptor

Advanced macaroons 2/2: Custom macaroon validator for external subservers
2020-09-10 12:49:34 -07:00 · 2020-09-10 12:49:34 -07:00 · f80549d6e5
commit f80549d6e5
parent 8668248d96 061040c57b
4 changed files with 105 additions and 14 deletions
--- a/lnd.go
+++ b/lnd.go
@ -145,6 +145,12 @@ type RPCSubserverConfig struct {
 	// per URI, they are all required. See rpcserver.go for a list of valid
 	// action and entity values.
 	Permissions map[string][]bakery.Op
 	// MacaroonValidator is a custom macaroon validator that should be used
 	// instead of the default lnd validator. If specified, the custom
 	// validator is used for all URIs specified in the above Permissions
 	// map.
 	MacaroonValidator macaroons.MacaroonValidator
 }
 // ListenerWithSignal is a net.Listener that has an additional Ready channel that
@ -393,7 +399,7 @@ func Main(cfg *Config, lisCfg ListenerCfg, shutdownChan <-chan struct{}) error {
 	if !cfg.NoMacaroons {
 		// Create the macaroon authentication/authorization service.
 		macaroonService, err = macaroons.NewService(
-			cfg.networkDir, macaroons.IPLockChecker,
+			cfg.networkDir, "lnd", macaroons.IPLockChecker,
 		)
 		if err != nil {
 			err := fmt.Errorf("unable to set up macaroon "+
--- a/macaroons/service.go
+++ b/macaroons/service.go
@ -38,6 +38,17 @@ var (
 	PermissionEntityCustomURI = "uri"
 )
 // MacaroonValidator is an interface type that can check if macaroons are valid.
 type MacaroonValidator interface {
 	// ValidateMacaroon extracts the macaroon from the context's gRPC
 	// metadata, checks its signature, makes sure all specified permissions
 	// for the called method are contained within and finally ensures all
 	// caveat conditions are met. A non-nil error is returned if any of the
 	// checks fail.
 	ValidateMacaroon(ctx context.Context,
 		requiredPermissions []bakery.Op, fullMethod string) error
 }
 // Service encapsulates bakery.Bakery and adds a Close() method that zeroes the
 // root key service encryption keys, as well as utility methods to validate a
 // macaroon against the bakery and gRPC middleware for macaroon-based auth.
@ -45,6 +56,12 @@ type Service struct {
 	bakery.Bakery
 	rks *RootKeyStorage
 	// externalValidators is a map between an absolute gRPC URIs and the
 	// corresponding external macaroon validator to be used for that URI.
 	// If no external validator for an URI is specified, the service will
 	// use the internal validator.
 	externalValidators map[string]MacaroonValidator
 }
 // NewService returns a service backed by the macaroon Bolt DB stored in the
@ -54,7 +71,7 @@ type Service struct {
 // listing the same checker more than once is not harmful. Default checkers,
 // such as those for `allow`, `time-before`, `declared`, and `error` caveats
 // are registered automatically and don't need to be added.
-func NewService(dir string, checks ...Checker) (*Service, error) {
+func NewService(dir, location string, checks ...Checker) (*Service, error) {
 	// Ensure that the path to the directory exists.
 	if _, err := os.Stat(dir); os.IsNotExist(err) {
 		if err := os.MkdirAll(dir, 0700); err != nil {
@ -77,7 +94,7 @@ func NewService(dir string, checks ...Checker) (*Service, error) {
 	}
 	macaroonParams := bakery.BakeryParams{
-		Location:     "lnd",
+		Location:     location,
 		RootKeyStore: rootKeyStore,
 		// No third-party caveat support for now.
 		// TODO(aakselrod): Add third-party caveat support.
@ -97,7 +114,11 @@ func NewService(dir string, checks ...Checker) (*Service, error) {
 		}
 	}
-	return &Service{*svc, rootKeyStore}, nil
+	return &Service{
 		Bakery:             *svc,
 		rks:                rootKeyStore,
 		externalValidators: make(map[string]MacaroonValidator),
 	}, nil
 }
 // isRegistered checks to see if the required checker has already been
@ -118,6 +139,27 @@ func isRegistered(c *checkers.Checker, name string) bool {
 	return false
 }
 // RegisterExternalValidator registers a custom, external macaroon validator for
 // the specified absolute gRPC URI. That validator is then fully responsible to
 // make sure any macaroon passed for a request to that URI is valid and
 // satisfies all conditions.
 func (svc *Service) RegisterExternalValidator(fullMethod string,
 	validator MacaroonValidator) error {
 	if validator == nil {
 		return fmt.Errorf("validator cannot be nil")
 	}
 	_, ok := svc.externalValidators[fullMethod]
 	if ok {
 		return fmt.Errorf("external validator for method %s already "+
 			"registered", fullMethod)
 	}
 	svc.externalValidators[fullMethod] = validator
 	return nil
 }
 // UnaryServerInterceptor is a GRPC interceptor that checks whether the
 // request is authorized by the included macaroons.
 func (svc *Service) UnaryServerInterceptor(
@ -133,7 +175,15 @@ func (svc *Service) UnaryServerInterceptor(
 				"required for method", info.FullMethod)
 		}
-		err := svc.ValidateMacaroon(
+		// Find out if there is an external validator registered for
 		// this method. Fall back to the internal one if there isn't.
 		validator, ok := svc.externalValidators[info.FullMethod]
 		if !ok {
 			validator = svc
 		}
 		// Now that we know what validator to use, let it do its work.
 		err := validator.ValidateMacaroon(
 			ctx, uriPermissions, info.FullMethod,
 		)
 		if err != nil {
@ -158,7 +208,15 @@ func (svc *Service) StreamServerInterceptor(
 				"for method", info.FullMethod)
 		}
-		err := svc.ValidateMacaroon(
+		// Find out if there is an external validator registered for
 		// this method. Fall back to the internal one if there isn't.
 		validator, ok := svc.externalValidators[info.FullMethod]
 		if !ok {
 			validator = svc
 		}
 		// Now that we know what validator to use, let it do its work.
 		err := validator.ValidateMacaroon(
 			ss.Context(), uriPermissions, info.FullMethod,
 		)
 		if err != nil {
--- a/macaroons/service_test.go
+++ b/macaroons/service_test.go
@ -66,7 +66,9 @@ func TestNewService(t *testing.T) {
 	// Second, create the new service instance, unlock it and pass in a
 	// checker that we expect it to add to the bakery.
-	service, err := macaroons.NewService(tempDir, macaroons.IPLockChecker)
+	service, err := macaroons.NewService(
 		tempDir, "lnd", macaroons.IPLockChecker,
 	)
 	if err != nil {
 		t.Fatalf("Error creating new service: %v", err)
 	}
@ -115,7 +117,9 @@ func TestValidateMacaroon(t *testing.T) {
 	// First, initialize the service and unlock it.
 	tempDir := setupTestRootKeyStorage(t)
 	defer os.RemoveAll(tempDir)
-	service, err := macaroons.NewService(tempDir, macaroons.IPLockChecker)
+	service, err := macaroons.NewService(
 		tempDir, "lnd", macaroons.IPLockChecker,
 	)
 	if err != nil {
 		t.Fatalf("Error creating new service: %v", err)
 	}
@ -173,7 +177,9 @@ func TestListMacaroonIDs(t *testing.T) {
 	// Second, create the new service instance, unlock it and pass in a
 	// checker that we expect it to add to the bakery.
-	service, err := macaroons.NewService(tempDir, macaroons.IPLockChecker)
+	service, err := macaroons.NewService(
 		tempDir, "lnd", macaroons.IPLockChecker,
 	)
 	require.NoError(t, err, "Error creating new service")
 	defer service.Close()
@ -203,7 +209,9 @@ func TestDeleteMacaroonID(t *testing.T) {
 	// Second, create the new service instance, unlock it and pass in a
 	// checker that we expect it to add to the bakery.
-	service, err := macaroons.NewService(tempDir, macaroons.IPLockChecker)
+	service, err := macaroons.NewService(
 		tempDir, "lnd", macaroons.IPLockChecker,
 	)
 	require.NoError(t, err, "Error creating new service")
 	defer service.Close()
--- a/rpcserver.go
+++ b/rpcserver.go
@ -213,9 +213,9 @@ func stringInSlice(a string, slice []string) bool {
 	return false
 }
-// mainRPCServerPermissions returns a mapping of the main RPC server calls to
+// MainRPCServerPermissions returns a mapping of the main RPC server calls to
 // the permissions they require.
-func mainRPCServerPermissions() map[string][]bakery.Op {
+func MainRPCServerPermissions() map[string][]bakery.Op {
 	return map[string][]bakery.Op{
 		"/lnrpc.Lightning/SendCoins": {{
 			Entity: "onchain",
@ -640,7 +640,7 @@ func newRPCServer(cfg *Config, s *server, macService *macaroons.Service,
 	// Next, we need to merge the set of sub server macaroon permissions
 	// with the main RPC server permissions so we can unite them under a
 	// single set of interceptors.
-	permissions := mainRPCServerPermissions()
+	permissions := MainRPCServerPermissions()
 	for _, subServerPerm := range subServerPerms {
 		for method, ops := range subServerPerm {
 			// For each new method:ops combo, we also ensure that
@ -661,10 +661,12 @@ func newRPCServer(cfg *Config, s *server, macService *macaroons.Service,
 		return nil, err
 	}
-	// External subserver possibly need to register their own permissions.
+	// External subserver possibly need to register their own permissions
 	// and macaroon validator.
 	for _, lis := range listeners {
 		extSubserver := lis.ExternalRPCSubserverCfg
 		if extSubserver != nil {
 			macValidator := extSubserver.MacaroonValidator
 			for method, ops := range extSubserver.Permissions {
 				// For each new method:ops combo, we also ensure
 				// that non of the sub-servers try to override
@ -677,6 +679,23 @@ func newRPCServer(cfg *Config, s *server, macService *macaroons.Service,
 				}
 				permissions[method] = ops
 				// Give the external subservers the possibility
 				// to also use their own validator to check any
 				// macaroons attached to calls to this method.
 				// This allows them to have their own root key
 				// ID database and permission entities.
 				if macValidator != nil {
 					err := macService.RegisterExternalValidator(
 						method, macValidator,
 					)
 					if err != nil {
 						return nil, fmt.Errorf("could "+
 							"not register "+
 							"external macaroon "+
 							"validator: %v", err)
 					}
 				}
 			}
 		}
 	}