From 027e4cdf11a6e0cfb0ffc749726e70ead6dbf048 Mon Sep 17 00:00:00 2001
From: Elle Mouton
Date: Thu, 11 Aug 2022 11:25:52 +0200
Subject: [PATCH] cmd/lncli: add insecure flag to skip tls auth

Add an `insecure` global flag to lncli. If set, tls authentication with the specified rpc server will be skipped.
---
 cmd/lncli/main.go    | 52 +++++++++++++++++++++++++++-----------------
 cmd/lncli/profile.go |  6 ++++-
 2 files changed, 37 insertions(+), 21 deletions(-)

diff --git a/cmd/lncli/main.go b/cmd/lncli/main.go
index ba989ff2f..116a42b13 100644
--- a/cmd/lncli/main.go
+++ b/cmd/lncli/main.go
@@ -88,28 +88,8 @@ func getClientConn(ctx *cli.Context, skipMacaroons bool) *grpc.ClientConn {
 		fatal(fmt.Errorf("could not load global options: %v", err))
 	}
 
-	// Load the specified TLS certificate.
-	certPool, err := profile.cert()
-	if err != nil {
-		fatal(fmt.Errorf("could not create cert pool: %v", err))
-	}
-
-	// Build transport credentials from the certificate pool. If there is no
-	// certificate pool, we expect the server to use a non-self-signed
-	// certificate such as a certificate obtained from Let's Encrypt.
-	var creds credentials.TransportCredentials
-	if certPool != nil {
-		creds = credentials.NewClientTLSFromCert(certPool, "")
-	} else {
-		// Fallback to the system pool. Using an empty tls config is an
-		// alternative to x509.SystemCertPool(). That call is not
-		// supported on Windows.
-		creds = credentials.NewTLS(&tls.Config{})
-	}
-
 	// Create a dial options array.
 	opts := []grpc.DialOption{
-		grpc.WithTransportCredentials(creds),
 		grpc.WithUnaryInterceptor(
 			addMetadataUnaryInterceptor(profile.Metadata),
 		),
@@ -118,6 +98,32 @@ func getClientConn(ctx *cli.Context, skipMacaroons bool) *grpc.ClientConn {
 		),
 	}
 
+	if profile.Insecure {
+		opts = append(opts, grpc.WithInsecure())
+	} else {
+		// Load the specified TLS certificate.
+		certPool, err := profile.cert()
+		if err != nil {
+			fatal(fmt.Errorf("could not create cert pool: %v", err))
+		}
+
+		// Build transport credentials from the certificate pool. If
+		// there is no certificate pool, we expect the server to use a
+		// non-self-signed certificate such as a certificate obtained
+		// from Let's Encrypt.
+		var creds credentials.TransportCredentials
+		if certPool != nil {
+			creds = credentials.NewClientTLSFromCert(certPool, "")
+		} else {
+			// Fallback to the system pool. Using an empty tls
+			// config is an alternative to x509.SystemCertPool().
+			// That call is not supported on Windows.
+			creds = credentials.NewTLS(&tls.Config{})
+		}
+
+		opts = append(opts, grpc.WithTransportCredentials(creds))
+	}
+
 	// Only process macaroon credentials if --no-macaroons isn't set and
 	// if we're not skipping macaroon processing.
 	if !profile.NoMacaroons && !skipMacaroons {
@@ -410,6 +416,12 @@ func main() {
 				"to lnd. This flag may be specified multiple " +
 				"times. The format is: \"key:value\".",
 		},
+		cli.BoolFlag{
+			Name: "insecure",
+			Usage: "Connect to the rpc server without TLS " +
+				"authentication",
+			Hidden: true,
+		},
 	}
 	app.Commands = []cli.Command{
 		createCommand,
diff --git a/cmd/lncli/profile.go b/cmd/lncli/profile.go
index 5e611af88..e5d4aacb5 100644
--- a/cmd/lncli/profile.go
+++ b/cmd/lncli/profile.go
@@ -33,6 +33,7 @@ type profileEntry struct {
 	TLSCert     string            `json:"tlscert"`
 	Macaroons   *macaroonJar      `json:"macaroons"`
 	Metadata    map[string]string `json:"metadata,omitempty"`
+	Insecure    bool              `json:"insecure,omitempty"`
 }
 
 // cert returns the profile's TLS certificate as a x509 certificate pool.
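Review bot: `grpc.WithInsecure()` in the new `if profile.Insecure` branch disables transport encryption entirely, not only server-certificate verification, so the comment-free branch and the flag's Usage text in the later `func main()` hunk ("without TLS authentication") understate what the flag does; any macaroon attached further down getClientConn (outside this hunk) would then travel in cleartext. I would put `// Insecure: plaintext gRPC with neither encryption nor server authentication; intended for local/test setups only.` above the branch and word the Usage as "without TLS (unencrypted and unauthenticated)". `grpc.WithInsecure` is also deprecated in newer grpc-go in favour of `grpc.WithTransportCredentials(insecure.NewCredentials())`, worth switching if the vendored version ships `credentials/insecure`. It is also worth confirming that the macaroon per-RPC credentials do not report `RequireTransportSecurity() == true`, since gRPC refuses to combine those with an insecure dial and the flag would then fail at connect time. getClientConn starts and ends outside this hunk.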
@@ -122,10 +123,12 @@ func profileFromContext(ctx *cli.Context, store, skipMacaroons bool) (
 		return nil, err
 	}
 
+	insecure := ctx.GlobalBool("insecure")
+
 	// Load the certificate file now, if specified. We store it as plain PEM
 	// directly.
 	var tlsCert []byte
-	if tlsCertPath != "" {
+	if tlsCertPath != "" && !insecure {
 		var err error
 		tlsCert, err = ioutil.ReadFile(tlsCertPath)
 		if err != nil {
@@ -155,6 +158,7 @@ func profileFromContext(ctx *cli.Context, store, skipMacaroons bool) (
 		NoMacaroons: ctx.GlobalBool("no-macaroons"),
 		TLSCert:     string(tlsCert),
 		Metadata:    metadata,
+		Insecure:    insecure,
 	}
 
 	// If we aren't using macaroons in general (flag --no-macaroons) or
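Review bot: `if tlsCertPath != "" && !insecure` silently discards an explicitly supplied --tlscertpath when --insecure is also set, which hides a misconfiguration rather than surfacing it; I would reject the combination before the load, e.g. `if insecure && ctx.GlobalIsSet("tlscertpath") {` returning an error that names both flags. With the second hunk on this line the entry is then built with `Insecure: true` and an empty TLSCert, so if the `store` path persists it (not visible here), every later invocation through that profile dials in cleartext without the hidden flag ever appearing on the command line; a comment on the `Insecure: insecure,` line noting that the setting is persisted with the profile, and a warning when storing such a profile, would make that visible. profileFromContext starts and ends outside both hunks.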