cmd/lncli: add insecure flag to skip tls auth

Add an `insecure` global flag to lncli. If set, tls authentication with
the specified rpc server will be skipped.

cmd/lncli/main.go

@@ -88,28 +88,8 @@ func getClientConn(ctx *cli.Context, skipMacaroons bool) *grpc.ClientConn {
 		fatal(fmt.Errorf("could not load global options: %v", err))
 	}
 
-	// Load the specified TLS certificate.
-	certPool, err := profile.cert()
-	if err != nil {
-		fatal(fmt.Errorf("could not create cert pool: %v", err))
-	}
-
-	// Build transport credentials from the certificate pool. If there is no
-	// certificate pool, we expect the server to use a non-self-signed
-	// certificate such as a certificate obtained from Let's Encrypt.
-	var creds credentials.TransportCredentials
-	if certPool != nil {
-		creds = credentials.NewClientTLSFromCert(certPool, "")
-	} else {
-		// Fallback to the system pool. Using an empty tls config is an
-		// alternative to x509.SystemCertPool(). That call is not
-		// supported on Windows.
-		creds = credentials.NewTLS(&tls.Config{})
-	}
-
 	// Create a dial options array.
 	opts := []grpc.DialOption{
-		grpc.WithTransportCredentials(creds),
 		grpc.WithUnaryInterceptor(
 			addMetadataUnaryInterceptor(profile.Metadata),
 		),
@@ -118,6 +98,32 @@ func getClientConn(ctx *cli.Context, skipMacaroons bool) *grpc.ClientConn {
 		),
 	}
 
+	if profile.Insecure {
+		opts = append(opts, grpc.WithInsecure())
+	} else {
+		// Load the specified TLS certificate.
+		certPool, err := profile.cert()
+		if err != nil {
+			fatal(fmt.Errorf("could not create cert pool: %v", err))
+		}
+
+		// Build transport credentials from the certificate pool. If
+		// there is no certificate pool, we expect the server to use a
+		// non-self-signed certificate such as a certificate obtained
+		// from Let's Encrypt.
+		var creds credentials.TransportCredentials
+		if certPool != nil {
+			creds = credentials.NewClientTLSFromCert(certPool, "")
+		} else {
+			// Fallback to the system pool. Using an empty tls
+			// config is an alternative to x509.SystemCertPool().
+			// That call is not supported on Windows.
+			creds = credentials.NewTLS(&tls.Config{})
+		}
+
+		opts = append(opts, grpc.WithTransportCredentials(creds))
+	}
+
 	// Only process macaroon credentials if --no-macaroons isn't set and
 	// if we're not skipping macaroon processing.
 	if !profile.NoMacaroons && !skipMacaroons {
@@ -410,6 +416,12 @@ func main() {
 				"to lnd. This flag may be specified multiple " +
 				"times. The format is: \"key:value\".",
 		},
+		cli.BoolFlag{
+			Name: "insecure",
+			Usage: "Connect to the rpc server without TLS " +
+				"authentication",
+			Hidden: true,
+		},
 	}
 	app.Commands = []cli.Command{
 		createCommand,

cmd/lncli/profile.go

@@ -33,6 +33,7 @@ type profileEntry struct {
 	TLSCert     string            `json:"tlscert"`
 	Macaroons   *macaroonJar      `json:"macaroons"`
 	Metadata    map[string]string `json:"metadata,omitempty"`
+	Insecure    bool              `json:"insecure,omitempty"`
 }
 
 // cert returns the profile's TLS certificate as a x509 certificate pool.
@@ -122,10 +123,12 @@ func profileFromContext(ctx *cli.Context, store, skipMacaroons bool) (
 		return nil, err
 	}
 
+	insecure := ctx.GlobalBool("insecure")
+
 	// Load the certificate file now, if specified. We store it as plain PEM
 	// directly.
 	var tlsCert []byte
-	if tlsCertPath != "" {
+	if tlsCertPath != "" && !insecure {
 		var err error
 		tlsCert, err = ioutil.ReadFile(tlsCertPath)
 		if err != nil {
@@ -155,6 +158,7 @@ func profileFromContext(ctx *cli.Context, store, skipMacaroons bool) (
 		NoMacaroons: ctx.GlobalBool("no-macaroons"),
 		TLSCert:     string(tlsCert),
 		Metadata:    metadata,
+		Insecure:    insecure,
 	}
 
 	// If we aren't using macaroons in general (flag --no-macaroons) or