Merge pull request #413 from ellemouton/addLndSubserverPerms

subserver_perms: add Lnd's registered subserver perms

Author: guggero

itest/litd_mode_integrated_test.go

@@ -26,6 +26,8 @@ import (
 	"github.com/lightninglabs/pool/poolrpc"
 	"github.com/lightningnetwork/lnd/keychain"
 	"github.com/lightningnetwork/lnd/lnrpc"
+	"github.com/lightningnetwork/lnd/lnrpc/routerrpc"
+	"github.com/lightningnetwork/lnd/lnrpc/walletrpc"
 	"github.com/stretchr/testify/require"
 	"golang.org/x/net/http2"
 	"google.golang.org/grpc"
@@ -81,17 +83,33 @@ var (
 	// gRPC request. One byte version and then 4 bytes content length.
 	emptyGrpcWebRequest = []byte{0, 0, 0, 0, 0}
 
-	lndRequestFn = func(ctx context.Context,
+	lnrpcRequestFn = func(ctx context.Context,
 		c grpc.ClientConnInterface) (proto.Message, error) {
 
-		lndConn := lnrpc.NewLightningClient(c)
-		return lndConn.GetInfo(
+		lnrpcConn := lnrpc.NewLightningClient(c)
+		return lnrpcConn.GetInfo(
 			ctx, &lnrpc.GetInfoRequest{},
 		)
 	}
 	lndMacaroonFn = func(cfg *LitNodeConfig) string {
 		return cfg.AdminMacPath
 	}
+	routerrpcRequestFn = func(ctx context.Context,
+		c grpc.ClientConnInterface) (proto.Message, error) {
+
+		routerrpcConn := routerrpc.NewRouterClient(c)
+		return routerrpcConn.GetMissionControlConfig(
+			ctx, &routerrpc.GetMissionControlConfigRequest{},
+		)
+	}
+	walletrpcRequestFn = func(ctx context.Context,
+		c grpc.ClientConnInterface) (proto.Message, error) {
+
+		walletrpcConn := walletrpc.NewWalletKitClient(c)
+		return walletrpcConn.ListUnspent(
+			ctx, &walletrpc.ListUnspentRequest{},
+		)
+	}
 	faradayRequestFn = func(ctx context.Context,
 		c grpc.ClientConnInterface) (proto.Message, error) {
 
@@ -145,14 +163,32 @@ var (
 		allowedThroughLNC bool
 		grpcWebURI        string
 		restWebURI        string
+		restPOST          bool
 	}{{
 		name:              "lnrpc",
 		macaroonFn:        lndMacaroonFn,
-		requestFn:         lndRequestFn,
+		requestFn:         lnrpcRequestFn,
 		successPattern:    "\"identity_pubkey\":\"0",
 		allowedThroughLNC: true,
 		grpcWebURI:        "/lnrpc.Lightning/GetInfo",
 		restWebURI:        "/v1/getinfo",
+	}, {
+		name:              "routerrpc",
+		macaroonFn:        lndMacaroonFn,
+		requestFn:         routerrpcRequestFn,
+		successPattern:    "\"config\":{",
+		allowedThroughLNC: true,
+		grpcWebURI:        "/routerrpc.Router/GetMissionControlConfig",
+		restWebURI:        "/v2/router/mccfg",
+	}, {
+		name:              "walletrpc",
+		macaroonFn:        lndMacaroonFn,
+		requestFn:         walletrpcRequestFn,
+		successPattern:    "\"utxos\":[",
+		allowedThroughLNC: true,
+		grpcWebURI:        "/walletrpc.WalletKit/ListUnspent",
+		restWebURI:        "/v2/wallet/utxos",
+		restPOST:          true,
 	}, {
 		name:              "frdrpc",
 		macaroonFn:        faradayMacaroonFn,
@@ -322,6 +358,7 @@ func testModeIntegrated(net *NetworkHarness, t *harnessTest) {
 					endpoint.macaroonFn(cfg),
 					endpoint.restWebURI,
 					endpoint.successPattern,
+					endpoint.restPOST,
 				)
 			})
 		}
@@ -529,7 +566,7 @@ func runGRPCWebAuthTest(t *testing.T, hostPort, uiPassword, grpcWebURI string) {
 
 // runRESTAuthTest tests authentication of the given REST interface.
 func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
-	successPattern string) {
+	successPattern string, usePOST bool) {
 
 	basicAuth := base64.StdEncoding.EncodeToString(
 		[]byte(fmt.Sprintf("%s:%s", uiPassword, uiPassword)),
@@ -539,13 +576,19 @@ func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
 	}
 	url := fmt.Sprintf("https://%s%s", hostPort, restURI)
 
+	method := "GET"
+	if usePOST {
+		method = "POST"
+	}
+
 	// First test a REST call without authorization, which should fail.
-	body, responseHeader, err := callURL(url, "GET", nil, nil, false)
+	body, responseHeader, err := callURL(url, method, nil, nil, false)
 	require.NoError(t, err)
 
-	require.Equal(
+	require.Equalf(
 		t, "application/grpc",
 		responseHeader.Get("grpc-metadata-content-type"),
+		"response headers: %v, body: %v", responseHeader, body,
 	)
 	require.Equal(
 		t, "application/json",
@@ -558,7 +601,7 @@ func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
 
 	// Now add the UI password which should make the request succeed.
 	body, responseHeader, err = callURL(
-		url, "GET", nil, basicAuthHeader, false,
+		url, method, nil, basicAuthHeader, false,
 	)
 	require.NoError(t, err)
 	require.Contains(t, body, successPattern)
@@ -573,7 +616,7 @@ func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
 		},
 	}
 	body, responseHeader, err = callURL(
-		url, "GET", nil, macaroonHeader, false,
+		url, method, nil, macaroonHeader, false,
 	)
 	require.NoError(t, err)
 	require.Contains(t, body, successPattern)
@@ -834,7 +877,12 @@ func bakeSuperMacaroon(cfg *LitNodeConfig, readOnly bool) (string, error) {
 	lndAdminCtx := macaroonContext(ctxt, lndAdminMacBytes)
 	lndConn := lnrpc.NewLightningClient(rawConn)
 
-	superMacPermissions := terminal.GetAllPermissions(readOnly)
+	permsMgr, err := terminal.NewPermissionsManager()
+	if err != nil {
+		return "", err
+	}
+
+	superMacPermissions := permsMgr.ActivePermissions(readOnly)
 	nullID := [4]byte{}
 	superMacHex, err := terminal.BakeSuperMacaroon(
 		lndAdminCtx, lndConn, session.NewSuperMacaroonRootKeyID(nullID),

itest/litd_mode_remote_test.go

@@ -125,6 +125,7 @@ func testModeRemote(net *NetworkHarness, t *harnessTest) {
 					endpoint.macaroonFn(cfg),
 					endpoint.restWebURI,
 					endpoint.successPattern,
+					endpoint.restPOST,
 				)
 			})
 		}

make/release_flags.mk

@@ -11,7 +11,7 @@ windows-386 \
 windows-amd64 \
 windows-arm
 
-LND_RELEASE_TAGS = litd autopilotrpc signrpc walletrpc chainrpc invoicesrpc watchtowerrpc
+LND_RELEASE_TAGS = litd autopilotrpc signrpc walletrpc chainrpc invoicesrpc watchtowerrpc neutrinorpc peersrpc
 
 # By default we will build all systems. But with the 'sys' tag, a specific
 # system can be specified. This is useful to release for a subset of

rpc_proxy.go

@@ -24,7 +24,6 @@ import (
 	"google.golang.org/grpc/metadata"
 	"google.golang.org/grpc/status"
 	"google.golang.org/grpc/test/bufconn"
-	"gopkg.in/macaroon-bakery.v2/bakery"
 	"gopkg.in/macaroon.v2"
 )
 
@@ -59,8 +58,7 @@ func (e *proxyErr) Unwrap() error {
 // component.
 func newRpcProxy(cfg *Config, validator macaroons.MacaroonValidator,
 	superMacValidator session.SuperMacaroonValidator,
-	permissionMap map[string][]bakery.Op,
-	bufListener *bufconn.Listener) *rpcProxy {
+	permsMgr *PermissionsManager, bufListener *bufconn.Listener) *rpcProxy {
 
 	// The gRPC web calls are protected by HTTP basic auth which is defined
 	// by base64(username:password). Because we only have a password, we
@@ -77,7 +75,7 @@ func newRpcProxy(cfg *Config, validator macaroons.MacaroonValidator,
 	p := &rpcProxy{
 		cfg:               cfg,
 		basicAuth:         basicAuth,
-		permissionMap:     permissionMap,
+		permsMgr:          permsMgr,
 		macValidator:      validator,
 		superMacValidator: superMacValidator,
 		bufListener:       bufListener,
@@ -146,9 +144,9 @@ func newRpcProxy(cfg *Config, validator macaroons.MacaroonValidator,
 //                                    +---------------------+
 //
 type rpcProxy struct {
-	cfg           *Config
-	basicAuth     string
-	permissionMap map[string][]bakery.Op
+	cfg       *Config
+	basicAuth string
+	permsMgr  *PermissionsManager
 
 	macValidator      macaroons.MacaroonValidator
 	superMacValidator session.SuperMacaroonValidator
@@ -345,17 +343,17 @@ func (p *rpcProxy) makeDirector(allowLitRPC bool) func(ctx context.Context,
 		// handled by the integrated daemons that are hooking into lnd's
 		// gRPC server.
 		switch {
-		case isFaradayURI(requestURI) && p.cfg.faradayRemote:
+		case p.permsMgr.IsFaradayURI(requestURI) && p.cfg.faradayRemote:
 			return outCtx, p.faradayConn, nil
 
-		case isLoopURI(requestURI) && p.cfg.loopRemote:
+		case p.permsMgr.IsLoopURI(requestURI) && p.cfg.loopRemote:
 			return outCtx, p.loopConn, nil
 
-		case isPoolURI(requestURI) && p.cfg.poolRemote:
+		case p.permsMgr.IsPoolURI(requestURI) && p.cfg.poolRemote:
 			return outCtx, p.poolConn, nil
 
 		// Calls to LiT session RPC aren't allowed in some cases.
-		case isLitURI(requestURI) && !allowLitRPC:
+		case p.permsMgr.IsLitURI(requestURI) && !allowLitRPC:
 			return outCtx, nil, status.Errorf(
 				codes.Unimplemented, "unknown service %s",
 				requestURI,
@@ -373,7 +371,7 @@ func (p *rpcProxy) UnaryServerInterceptor(ctx context.Context, req interface{},
 	info *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (interface{},
 	error) {
 
-	uriPermissions, ok := p.permissionMap[info.FullMethod]
+	uriPermissions, ok := p.permsMgr.URIPermissions(info.FullMethod)
 	if !ok {
 		return nil, fmt.Errorf("%s: unknown permissions "+
 			"required for method", info.FullMethod)
@@ -414,7 +412,7 @@ func (p *rpcProxy) StreamServerInterceptor(srv interface{},
 	ss grpc.ServerStream, info *grpc.StreamServerInfo,
 	handler grpc.StreamHandler) error {
 
-	uriPermissions, ok := p.permissionMap[info.FullMethod]
+	uriPermissions, ok := p.permsMgr.URIPermissions(info.FullMethod)
 	if !ok {
 		return fmt.Errorf("%s: unknown permissions required "+
 			"for method", info.FullMethod)
@@ -503,31 +501,31 @@ func (p *rpcProxy) basicAuthToMacaroon(basicAuth, requestURI string,
 		macData []byte
 	)
 	switch {
-	case isLndURI(requestURI):
+	case p.permsMgr.IsLndURI(requestURI):
 		_, _, _, macPath, macData = p.cfg.lndConnectParams()
 
-	case isFaradayURI(requestURI):
+	case p.permsMgr.IsFaradayURI(requestURI):
 		if p.cfg.faradayRemote {
 			macPath = p.cfg.Remote.Faraday.MacaroonPath
 		} else {
 			macPath = p.cfg.Faraday.MacaroonPath
 		}
 
-	case isLoopURI(requestURI):
+	case p.permsMgr.IsLoopURI(requestURI):
 		if p.cfg.loopRemote {
 			macPath = p.cfg.Remote.Loop.MacaroonPath
 		} else {
 			macPath = p.cfg.Loop.MacaroonPath
 		}
 
-	case isPoolURI(requestURI):
+	case p.permsMgr.IsPoolURI(requestURI):
 		if p.cfg.poolRemote {
 			macPath = p.cfg.Remote.Pool.MacaroonPath
 		} else {
 			macPath = p.cfg.Pool.MacaroonPath
 		}
 
-	case isLitURI(requestURI):
+	case p.permsMgr.IsLitURI(requestURI):
 		macPath = p.cfg.MacaroonPath
 
 	default:
@@ -580,7 +578,7 @@ func (p *rpcProxy) basicAuthToMacaroon(basicAuth, requestURI string,
 func (p *rpcProxy) convertSuperMacaroon(ctx context.Context, macHex string,
 	fullMethod string) ([]byte, error) {
 
-	requiredPermissions, ok := p.permissionMap[fullMethod]
+	requiredPermissions, ok := p.permsMgr.URIPermissions(fullMethod)
 	if !ok {
 		return nil, fmt.Errorf("%s: unknown permissions required for "+
 			"method", fullMethod)
@@ -605,17 +603,17 @@ func (p *rpcProxy) convertSuperMacaroon(ctx context.Context, macHex string,
 	// Is this actually a request that goes to a daemon that is running
 	// remotely?
 	switch {
-	case isFaradayURI(fullMethod) && p.cfg.faradayRemote:
+	case p.permsMgr.IsFaradayURI(fullMethod) && p.cfg.faradayRemote:
 		return readMacaroon(lncfg.CleanAndExpandPath(
 			p.cfg.Remote.Faraday.MacaroonPath,
 		))
 
-	case isLoopURI(fullMethod) && p.cfg.loopRemote:
+	case p.permsMgr.IsLoopURI(fullMethod) && p.cfg.loopRemote:
 		return readMacaroon(lncfg.CleanAndExpandPath(
 			p.cfg.Remote.Loop.MacaroonPath,
 		))
 
-	case isPoolURI(fullMethod) && p.cfg.poolRemote:
+	case p.permsMgr.IsPoolURI(fullMethod) && p.cfg.poolRemote:
 		return readMacaroon(lncfg.CleanAndExpandPath(
 			p.cfg.Remote.Pool.MacaroonPath,
 		))

session_rpcserver.go

@@ -39,6 +39,7 @@ type sessionRpcServerConfig struct {
 	superMacBaker       func(ctx context.Context, rootKeyID uint64,
 		recipe *session.MacaroonRecipe) (string, error)
 	firstConnectionDeadline time.Duration
+	permMgr                 *PermissionsManager
 }
 
 // newSessionRPCServer creates a new sessionRpcServer using the passed config.
@@ -205,7 +206,7 @@ func (s *sessionRpcServer) resumeSession(sess *session.Session) error {
 	mac, err := s.cfg.superMacBaker(
 		context.Background(), sess.MacaroonRootKey,
 		&session.MacaroonRecipe{
-			Permissions: GetAllPermissions(readOnly),
+			Permissions: s.cfg.permMgr.ActivePermissions(readOnly),
 			Caveats:     caveats,
 		},
 	)