rpc: Bake and validate macaroons with external permissions #5304

Merged
merged 6 commits into from
Sep 15, 2021
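--- a/cmd/lncli/cmd_macaroon.go
+++ b/cmd/lncli/cmd_macaroon.go
@@ -23,7 +23,7 @@ var bakeMacaroonCommand = cli.Command{
 Category: "Macaroons",
 Usage: "Bakes a new macaroon with the provided list of permissions " +
 "and restrictions.",
-ArgsUsage: "[--save_to=] [--timeout=] [--ip_address=] permissions...",
+ArgsUsage: "[--save_to=] [--timeout=] [--ip_address=] [--allow_external_permissions] permissions...",
 Description: `
 Bake a new macaroon that grants the provided permissions and
 optionally adds restrictions (timeout, IP address) to it.
@@ -69,6 +69,10 @@ var bakeMacaroonCommand = cli.Command{
 Name: "root_key_id",
 Usage: "the numerical root key ID used to create the macaroon",
 },
+cli.BoolFlag{
+Name: "allow_external_permissions",
+Usage: "whether permissions lnd is not familiar with are allowed",
+},
 },
 Action: actionDecorator(bakeMacaroon),
 }
@@ -148,8 +152,9 @@ func bakeMacaroon(ctx *cli.Context) error {
 // Now we have gathered all the input we need and can do the actual
 // RPC call.
 req := &lnrpc.BakeMacaroonRequest{
-Permissions: parsedPermissions,
-RootKeyId: rootKeyID,
+Permissions: parsedPermissions,
+RootKeyId: rootKeyID,
+AllowExternalPermissions: ctx.Bool("allow_external_permissions"),
 }
 resp, err := client.BakeMacaroon(ctxc, req)
 if err != nil {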
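Review bot: The new ArgsUsage line in the first hunk runs well past 80 columns while the neighbouring Usage string is wrapped with `+` continuation; wrap it the same way, `ArgsUsage: "[--save_to=] [--timeout=] [--ip_address=] " + "[--allow_external_permissions] permissions...",`. The BoolFlag's Usage in the second hunk does not say what "not familiar with" means in practice — per the proto comment in this PR, such permissions are ones lnd is not aware of and therefore cannot check against its own RPC permission list, so the baked macaroon carries whatever entity/action pairs the caller passed; consider `Usage: "whether permissions lnd is not familiar with are allowed; " + "such permissions are not validated against lnd's own RPC permissions"` and a matching sentence in the Description, which still mentions only timeout and IP address restrictions. bakeMacaroon's body begins and ends outside the third hunk.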
3 changes: 3 additions & 0 deletions docs/release-notes/release-notes-0.14.0.md
Expand Up @@ -74,6 +74,8 @@ proposed channel type is used.
is added to the state server. This state indicates whether the `lnd` server
and all its subservers have been fully started or not.

* [Adds an option to the BakeMacaroon rpc "allow-external-permissions,"](https://github.com/lightningnetwork/lnd/pull/5304) which makes it possible to bake a macaroon with external permissions. That way, the baked macaroons can be used for services beyond LND. Also adds a new CheckMacaroonPermissions rpc that checks that the macaroon permissions and other restrictions are being followed. It can also check permissions not native to LND.

### Batched channel funding

[Multiple channels can now be opened in a single
Expand Down Expand Up @@ -292,6 +294,7 @@ requirements surrounding updating the release notes for each new
change](https://github.com/lightningnetwork/lnd/pull/5613).

# Contributors (Alphabetical Order)
* Alyssa Hertig
* Andras Banki-Horvath
* de6df1re
* ErikEk
1,615 changes: 893 additions & 722 deletions lnrpc/lightning.pb.go


81 changes: 81 additions & 0 deletions lnrpc/lightning.pb.gw.go


25 changes: 25 additions & 0 deletions lnrpc/lightning.pb.json.go


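--- a/lnrpc/lightning.proto
+++ b/lnrpc/lightning.proto
@@ -532,6 +532,14 @@ service Lightning {
 */
 rpc ListPermissions (ListPermissionsRequest)
 returns (ListPermissionsResponse);
+
+/*
+CheckMacaroonPermissions checks whether a request follows the constraints
+imposed on the macaroon and that the macaroon is authorized to follow the
+provided permissions.
+*/
+rpc CheckMacaroonPermissions (CheckMacPermRequest)
+returns (CheckMacPermResponse);
 }
 
 message Utxo {
@@ -3795,6 +3803,12 @@ message BakeMacaroonRequest {
 
 // The root key ID used to create the macaroon, must be a positive integer.
 uint64 root_key_id = 2;
+
+/*
+Informs the RPC on whether to allow external permissions that LND is not
+aware of.
+*/
+bool allow_external_permissions = 3;
 }
 message BakeMacaroonResponse {
 // The hex encoded macaroon, serialized in binary format.
@@ -4006,3 +4020,13 @@ message Op {
 string entity = 1;
 repeated string actions = 2;
 }
+
+message CheckMacPermRequest {
+bytes macaroon = 1;
+repeated MacaroonPermission permissions = 2;
+string fullMethod = 3;
+}
+
+message CheckMacPermResponse {
+bool valid = 1;
+}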
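Review bot: `fullMethod` in CheckMacPermRequest (third hunk) breaks the snake_case convention every other field in this file follows (`root_key_id` and the new `allow_external_permissions` in the same diff), and because the generated REST/JSON name follows the proto name (the swagger section of this PR already shows `fullMethod`), renaming it later becomes an API-visible change; rename it now to `string full_method = 3;`. The three request fields and the `valid` response field also carry no doc comments, unlike BakeMacaroonRequest just above; for instance `// The serialized macaroon whose caveats and permissions are checked.` on `macaroon`, `// The permissions the macaroon must be authorized for.` on `permissions`, and on `full_method` a note that it is presumably the full gRPC method name the request targets (confirm against the server-side handler, which is outside this diff). Since the response is a bare `bool valid`, the comment on it should say whether a failed check comes back as `valid = false` or as a gRPC error status, as callers will branch on that.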
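--- a/lnrpc/lightning.swagger.json
+++ b/lnrpc/lightning.swagger.json
@@ -1563,6 +1563,39 @@
 ]
 }
 },
+"/v1/macaroon/checkpermissions": {
+"post": {
+"summary": "CheckMacaroonPermissions checks whether a request follows the constraints\nimposed on the macaroon and that the macaroon is authorized to follow the\nprovided permissions.",
+"operationId": "Lightning_CheckMacaroonPermissions",
+"responses": {
+"200": {
+"description": "A successful response.",
+"schema": {
+"$ref": "#/definitions/lnrpcCheckMacPermResponse"
+}
+},
+"default": {
+"description": "An unexpected error response.",
+"schema": {
+"$ref": "#/definitions/rpcStatus"
+}
+}
+},
+"parameters": [
+{
+"name": "body",
+"in": "body",
+"required": true,
+"schema": {
+"$ref": "#/definitions/lnrpcCheckMacPermRequest"
+}
+}
+],
+"tags": [
+"Lightning"
+]
+}
+},
 "/v1/macaroon/ids": {
 "get": {
 "summary": "lncli: `listmacaroonids`\nListMacaroonIDs returns all root key IDs that are in use.",
@@ -2787,6 +2820,10 @@
 "type": "string",
 "format": "uint64",
 "description": "The root key ID used to create the macaroon, must be a positive integer."
+},
+"allow_external_permissions": {
+"type": "boolean",
+"description": "Informs the RPC on whether to allow external permissions that LND is not\naware of."
 }
 }
 },
@@ -3622,6 +3659,32 @@
 }
 }
 },
+"lnrpcCheckMacPermRequest": {
+"type": "object",
+"properties": {
+"macaroon": {
+"type": "string",
+"format": "byte"
+},
+"permissions": {
+"type": "array",
+"items": {
+"$ref": "#/definitions/lnrpcMacaroonPermission"
+}
+},
+"fullMethod": {
+"type": "string"
+}
+}
+},
+"lnrpcCheckMacPermResponse": {
+"type": "object",
+"properties": {
+"valid": {
+"type": "boolean"
+}
+}
+},
 "lnrpcCloseStatusUpdate": {
 "type": "object",
 "properties": {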
4 changes: 4 additions & 0 deletions lnrpc/lightning.yaml
Expand Up @@ -150,3 +150,7 @@ http:
delete: "/v1/macaroon/{root_key_id}"
- selector: lnrpc.Lightning.ListPermissions
get: "/v1/macaroon/permissions"
- selector: lnrpc.Lightning.CheckMacaroonPermissions
post: "/v1/macaroon/checkpermissions"
body: "*"