In this commit, we integrate Tor onion services into the proxy. Clients
can now make their requests through Tor's encrypted network. To make
this possible, there were a few quirks, the most important being that
clients were unable to establish encrypted HTTP/2 connections due to
TLS certificates not being able to verify onion services. To work around
this, we now spin up an additional HTTP/2 server _without TLS_ that's
not exposed to the outside world and can only be accessed through the
onion services, which already provide encryption.
Once the onion services are created, we store their private keys within
etcd to ensure we can recover them later on as the proxy is intended to
be long-lived.
We move the proxy from using its placeholder macaroon creation and
verification to instead use the agreed upon macaroon design. Much of
this is solely a refactor, but some new functionality has also been
introduced as part of integrating the LSAT mint:
1. A request's target service is now verified to ensure its attached
LSAT is authorized.
2. The preimage is now checked against the token's committed payment
hash to ensure it has been paid for.
The target service name remains unused in its current form, but will be
required in order to verify that an incoming request with an LSAT
attached is authorized to access the service being attempted. We can
derive this from the request's host field, but we choose to extend the
methods with the additional parameter in order to prevent parsing the
host field again to determine which service is being accessed.
The service limiter holds all of the constraints that should be applied
to a given service at the base tier. These are currently static and are
parsed from the proxy's configuration file as a temporary work-around.
Eventually, we plan to integrate this with etcd as well in order to
achieve dynamic service discovery.
This will store the secret of each LSAT minted by the proxy, which is
crucial for LSAT verification. The secrets are stored under a new
"secrets" key prefixed by the top level LSAT etcd key, and each secret
can be found by its unique identifier prefixed with the secrets key.
Allows the ability for the proxy to connect to an etcd cluster for any
reliable data storage purposes. No data is being stored yet as of this
commit, but we'll be storing LSAT secrets at a later commit.
One key component in this commit is that we introduce a new top level
key that will serve to hold all LSAT proxy-related data. Any nested keys
should be prefixed with said top level key.
Co-authored-by: Oliver Gugger <gugger@gmail.com>
