From 96ea4bf05e0258914d7cfa53f2ca67dc515aa361 Mon Sep 17 00:00:00 2001
From: Oliver Gugger
Date: Thu, 12 Aug 2021 16:07:15 +0200
Subject: [PATCH] rpcserver+macaroons: extract RawMacaroonFromContext
We'll re-use the code for extracting a macaroon from a request context later on so we extract it into its own exported function.
---
 macaroons/service.go | 47 +++++++++++++++++++++++++++-----------------
 rpcserver.go | 3 +--
 2 files changed, 30 insertions(+), 20 deletions(-)
diff --git a/macaroons/service.go b/macaroons/service.go
index 3a686a45..b908fe52 100644
--- a/macaroons/service.go
+++ b/macaroons/service.go
@@ -4,10 +4,8 @@ import (
 "context"
 "encoding/hex"
 "fmt"
-
 "github.com/lightningnetwork/lnd/kvdb"
 "google.golang.org/grpc/metadata"
-
 "gopkg.in/macaroon-bakery.v2/bakery"
 "gopkg.in/macaroon-bakery.v2/bakery/checkers"
 macaroon "gopkg.in/macaroon.v2"
@@ -152,34 +150,31 @@ func (svc *Service) ValidateMacaroon(ctx context.Context,
 requiredPermissions []bakery.Op, fullMethod string) error {
 // Get macaroon bytes from context and unmarshal into macaroon.
- md, ok := metadata.FromIncomingContext(ctx)
- if !ok {
- return fmt.Errorf("unable to get metadata from context")
+ macHex, err := RawMacaroonFromContext(ctx)
+ if err != nil {
+ return err
 }
- if len(md["macaroon"]) != 1 {
- return fmt.Errorf("expected 1 macaroon, got %d",
- len(md["macaroon"]))
+
+ // With the macaroon obtained, we'll now decode the hex-string encoding.
+ macBytes, err := hex.DecodeString(macHex)
+ if err != nil {
+ return err
 }
 return svc.CheckMacAuth(
- ctx, md["macaroon"][0], requiredPermissions, fullMethod,
+ ctx, macBytes, requiredPermissions, fullMethod,
 )
 }
 // CheckMacAuth checks that the macaroon is not disobeying any caveats and is
 // authorized to perform the operation the user wants to perform.
-func (svc *Service) CheckMacAuth(ctx context.Context, macStr string,
+func (svc *Service) CheckMacAuth(ctx context.Context, macBytes []byte,
 requiredPermissions []bakery.Op, fullMethod string) error {
- // With the macaroon obtained, we'll now decode the hex-string
- // encoding, then unmarshal it from binary into its concrete struct
- // representation.
- macBytes, err := hex.DecodeString(macStr)
- if err != nil {
- return err
- }
+ // With the macaroon obtained, we'll now unmarshal it from binary into
+ // its concrete struct representation.
 mac := &macaroon.Macaroon{}
- err = mac.UnmarshalBinary(macBytes)
+ err := mac.UnmarshalBinary(macBytes)
 if err != nil {
 return err
 }
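Review bot: The doc comment on the exported CheckMacAuth does not say that its second parameter changed meaning: it used to take the hex string from the request metadata and now takes the binary-serialized macaroon. A caller that still holds the hex form and passes `[]byte(hexStr)` will compile and then fail inside `UnmarshalBinary` with an error that does not point at the encoding. I would add a line to the doc comment such as `// macBytes must be the binary serialization of the macaroon, not its hex encoding.` The two bare `return err` paths in ValidateMacaroon could also be wrapped, e.g. `return fmt.Errorf("decoding macaroon hex: %w", err)`, so an authentication failure can be attributed to the right step. ValidateMacaroon's signature starts above the hunk and CheckMacAuth's body continues below it.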
@@ -264,3 +259,19 @@ func (svc *Service) GenerateNewRootKey() error {
 func (svc *Service) ChangePassword(oldPw, newPw []byte) error {
 return svc.rks.ChangePassword(oldPw, newPw)
 }
+
+// RawMacaroonFromContext is a helper function that extracts a raw macaroon
+// from the given incoming gRPC request context.
+func RawMacaroonFromContext(ctx context.Context) (string, error) {
+ // Get macaroon bytes from context and unmarshal into macaroon.
+ md, ok := metadata.FromIncomingContext(ctx)
+ if !ok {
+ return "", fmt.Errorf("unable to get metadata from context")
+ }
+ if len(md["macaroon"]) != 1 {
+ return "", fmt.Errorf("expected 1 macaroon, got %d",
+ len(md["macaroon"]))
+ }
+
+ return md["macaroon"][0], nil
+}
diff --git a/rpcserver.go b/rpcserver.go
index 735b273f..3e557d74 100644
--- a/rpcserver.go
+++ b/rpcserver.go
@@ -6995,8 +6995,7 @@ func (r *rpcServer) CheckMacaroonPermissions(ctx context.Context,
 }
 err := r.macService.CheckMacAuth(
- ctx, hex.EncodeToString(req.Macaroon), permissions,
- req.FullMethod,
+ ctx, req.Macaroon, permissions, req.FullMethod,
 )
 if err != nil {
 return nil, status.Error(codes.InvalidArgument, err.Error())
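Review bot: In macaroons/service.go, the new exported RawMacaroonFromContext documents neither the encoding nor the trust level of what it returns. It hands back the `macaroon` metadata value exactly as the client sent it, which ValidateMacaroon then hex-decodes, and nothing in the function verifies it. Because this is now public API meant for re-use, I would extend the doc comment with something like `// The returned string is the hex-encoded macaroon as sent by the client; it is not verified here and is a bearer credential, so it must not be logged.` The inline comment `// Get macaroon bytes from context and unmarshal into macaroon.` was copied from the old code and no longer matches, since nothing is unmarshalled here; `// Read the single "macaroon" metadata entry from the incoming context.` would be accurate. The same stale comment remains at the top of ValidateMacaroon in the previous hunk.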