aljaz/breez-lnd
1
0
Fork 0
mirror of https://github.com/aljazceru/breez-lnd.git synced 2025-12-18 22:54:26 +01:00
Code Issues Packages Projects Releases Wiki Activity

lncli: add support for macaroons

Browse Source
This commit is contained in:
Alex
2017-08-17 19:51:33 -06:00
committed by Olaoluwa Osuntokun
parent 922b065de5
commit 5d971a8ea8
1 changed files with 71 additions and 39 deletions
Download Patch File Download Diff File Expand all files Collapse all files

110
cmd/lncli/main.go
View File

@@ -2,28 +2,33 @@ package main
import ( import (
"fmt" "fmt"
"io/ioutil"
"os" "os"
"path/filepath" "path/filepath"
"strings" "strings"
"time"
"gopkg.in/macaroon-bakery.v1/bakery/checkers"
"gopkg.in/macaroon.v1"
"github.com/lightningnetwork/lnd/lnrpc" "github.com/lightningnetwork/lnd/lnrpc"
"github.com/lightningnetwork/lnd/macaroons"
"github.com/roasbeef/btcutil" "github.com/roasbeef/btcutil"
"github.com/urfave/cli" "github.com/urfave/cli"
flags "github.com/btcsuite/go-flags"
"google.golang.org/grpc" "google.golang.org/grpc"
"google.golang.org/grpc/credentials" "google.golang.org/grpc/credentials"
) )
const ( const (
defaultConfigFilename = "lnd.conf" defaultTLSCertFilename = "tls.cert"
defaultTLSCertFilename = "tls.cert" defaultMacaroonFilename = "admin.macaroon"
) )
var ( var (
lndHomeDir = btcutil.AppDataDir("lnd", false) lndHomeDir = btcutil.AppDataDir("lnd", false)
defaultConfigFile = filepath.Join(lndHomeDir, defaultConfigFilename) defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename)
defaultTLSCertPath = filepath.Join(lndHomeDir, defaultTLSCertFilename) defaultMacaroonPath = filepath.Join(lndHomeDir, defaultMacaroonFilename)
) )
func fatal(err error) { func fatal(err error) {
@@ -41,38 +46,56 @@ func getClient(ctx *cli.Context) (lnrpc.LightningClient, func()) {
return lnrpc.NewLightningClient(conn), cleanUp return lnrpc.NewLightningClient(conn), cleanUp
} }
type config struct {
TLSCertPath string `long:"tlscertpath" description:"path to TLS certificate"`
}
func getClientConn(ctx *cli.Context) *grpc.ClientConn { func getClientConn(ctx *cli.Context) *grpc.ClientConn {
// TODO(roasbeef): macaroon based auth // Load the specified TLS certificate and build transport credentials
// * http://www.grpc.io/docs/guides/auth.html // with it.
// * http://research.google.com/pubs/pub41892.html tlsCertPath := cleanAndExpandPath(ctx.GlobalString("tlscertpath"))
// * https://github.com/go-macaroon/macaroon creds, err := credentials.NewClientTLSFromFile(tlsCertPath, "")
cfg := config{
TLSCertPath: defaultTLSCertPath,
}
// We want only the TLS certificate information from the configuration
// file at this time, so ignore anything else. We can always add fields
// as we need them. When specifying a file on the `lncli` command line,
// this should work with just a trusted CA cert assuming the server's
// cert file contains the entire chain from the CA to the server's cert.
parser := flags.NewParser(&cfg, flags.IgnoreUnknown)
iniParser := flags.NewIniParser(parser)
if err := iniParser.ParseFile(ctx.GlobalString("config")); err != nil {
fatal(err)
}
if ctx.GlobalString("tlscertpath") != defaultTLSCertPath {
cfg.TLSCertPath = ctx.GlobalString("tlscertpath")
}
cfg.TLSCertPath = cleanAndExpandPath(cfg.TLSCertPath)
creds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "")
if err != nil { if err != nil {
fatal(err) fatal(err)
} }
opts := []grpc.DialOption{grpc.WithTransportCredentials(creds)}
// Create a dial options array.
opts := []grpc.DialOption{
grpc.WithTransportCredentials(creds),
}
// Only process macaroon credentials if --no-macaroons isn't set.
if !ctx.GlobalBool("no-macaroons") {
// Load the specified macaroon file.
macPath := cleanAndExpandPath(ctx.GlobalString("macaroonpath"))
macBytes, err := ioutil.ReadFile(macPath)
if err != nil {
fatal(err)
}
mac := &macaroon.Macaroon{}
if err = mac.UnmarshalBinary(macBytes); err != nil {
fatal(err)
}
// We add a time-based constraint to prevent replay of the
// macaroon. It's good for 60 seconds by default to make up for
// any discrepancy between client and server clocks, but leaking
// the macaroon before it becomes invalid makes it possible for
// an attacker to reuse the macaroon. In addition, the validity
// time of the macaroon is extended by the time the server clock
// is behind the client clock, or shortened by the time the
// server clock is ahead of the client clock (or invalid
// altogether if, in the latter case, this time is more than 60
// seconds).
// TODO(aakselrod): add better anti-replay protection.
macaroonTimeout := time.Duration(ctx.GlobalInt64("macaroontimeout"))
requestTimeout := time.Now().Add(time.Second * macaroonTimeout)
timeCaveat := checkers.TimeBeforeCaveat(requestTimeout)
mac.AddFirstPartyCaveat(timeCaveat.Condition)
// Now we append the macaroon credentials to the dial options.
opts = append(
opts,
grpc.WithPerRPCCredentials(
macaroons.NewMacaroonCredential(mac)),
)
}
conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...) conn, err := grpc.Dial(ctx.GlobalString("rpcserver"), opts...)
if err != nil { if err != nil {
@@ -93,16 +116,25 @@ func main() {
Value: "localhost:10009", Value: "localhost:10009",
Usage: "host:port of ln daemon", Usage: "host:port of ln daemon",
}, },
cli.StringFlag{
Name: "config",
Value: defaultConfigFile,
Usage: "path to config file for TLS cert path",
},
cli.StringFlag{ cli.StringFlag{
Name: "tlscertpath", Name: "tlscertpath",
Value: defaultTLSCertPath, Value: defaultTLSCertPath,
Usage: "path to TLS certificate", Usage: "path to TLS certificate",
}, },
cli.BoolFlag{
Name: "no-macaroons",
Usage: "disable macaroon authentication",
},
cli.StringFlag{
Name: "macaroonpath",
Value: defaultMacaroonPath,
Usage: "path to macaroon file",
},
cli.Int64Flag{
Name: "macaroontimeout",
Value: 60,
Usage: "anti-replay macaroon validity time in seconds",
},
} }
app.Commands = []cli.Command{ app.Commands = []cli.Command{
newAddressCommand, newAddressCommand,