highperfocused/lnd
1
0
Fork 0
mirror of https://github.com/lightningnetwork/lnd.git synced 2025-05-03 16:30:18 +02:00
Code Issues Packages Projects Releases Wiki Activity

rpcperms: set CustomCaveatCondition on middleware req

Browse Source 
This sets the `CustomCaveatCondition` value on rpc middleware requests
if one exists. Previously, this value was always blank even if the
macaroon had a value set for its custom caveat condition.
This commit is contained in:
Daniel McNally 2022-01-21 09:40:46 -05:00
parent a4474447c2
commit 4a573b18cf
No known key found for this signature in database
GPG Key ID: BC19D851B2FC3A00
3 changed files with 40 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
docs/release-notes/release-notes-0.14.2.md
View File

@ -92,6 +92,10 @@ Postgres](https://github.com/lightningnetwork/lnd/pull/6111)
exposed](https://github.com/lightningnetwork/lnd/pull/6146) inside exposed](https://github.com/lightningnetwork/lnd/pull/6146) inside
WaitingCloseResp from calling `PendingChannels`. WaitingCloseResp from calling `PendingChannels`.
* [CustomCaveatCondition is now properly
set](https://github.com/lightningnetwork/lnd/pull/6185) on
`RPCMiddlewareRequest` messages.
## Routing ## Routing
@ -104,6 +108,7 @@ Postgres](https://github.com/lightningnetwork/lnd/pull/6111)
* Andras Banki-Horvath * Andras Banki-Horvath
* Bjarne Magnussen * Bjarne Magnussen
* Daniel McNally
* Elle Mouton * Elle Mouton
* Harsha Goli * Harsha Goli
* Joost Jager * Joost Jager

31
lntest/itest/lnd_rpc_middleware_interceptor_test.go
View File

@ -195,7 +195,7 @@ func middlewareInterceptionTest(t *testing.T, node *lntest.HarnessNode,
// block the execution of the main task otherwise. // block the execution of the main task otherwise.
req := &lnrpc.ListChannelsRequest{ActiveOnly: true} req := &lnrpc.ListChannelsRequest{ActiveOnly: true}
go registration.interceptUnary( go registration.interceptUnary(
"/lnrpc.Lightning/ListChannels", req, nil, "/lnrpc.Lightning/ListChannels", req, nil, readOnly,
) )
// Do the actual call now and wait for the interceptor to do its thing. // Do the actual call now and wait for the interceptor to do its thing.
@ -208,7 +208,7 @@ func middlewareInterceptionTest(t *testing.T, node *lntest.HarnessNode,
// Let's test the same for a streaming endpoint. // Let's test the same for a streaming endpoint.
req2 := &lnrpc.PeerEventSubscription{} req2 := &lnrpc.PeerEventSubscription{}
go registration.interceptStream( go registration.interceptStream(
"/lnrpc.Lightning/SubscribePeerEvents", req2, nil, "/lnrpc.Lightning/SubscribePeerEvents", req2, nil, readOnly,
) )
// Do the actual call now and wait for the interceptor to do its thing. // Do the actual call now and wait for the interceptor to do its thing.
@ -327,6 +327,7 @@ func middlewareManipulationTest(t *testing.T, node *lntest.HarnessNode,
req := &lnrpc.ListChannelsRequest{ActiveOnly: true} req := &lnrpc.ListChannelsRequest{ActiveOnly: true}
go registration.interceptUnary( go registration.interceptUnary(
"/lnrpc.Lightning/ListChannels", req, replacementResponse, "/lnrpc.Lightning/ListChannels", req, replacementResponse,
readOnly,
) )
// Do the actual call now and wait for the interceptor to do its thing. // Do the actual call now and wait for the interceptor to do its thing.
@ -349,7 +350,7 @@ func middlewareManipulationTest(t *testing.T, node *lntest.HarnessNode,
req2 := &lnrpc.PeerEventSubscription{} req2 := &lnrpc.PeerEventSubscription{}
go registration.interceptStream( go registration.interceptStream(
"/lnrpc.Lightning/SubscribePeerEvents", req2, "/lnrpc.Lightning/SubscribePeerEvents", req2,
replacementResponse2, replacementResponse2, readOnly,
) )
// Do the actual call now and wait for the interceptor to do its thing. // Do the actual call now and wait for the interceptor to do its thing.
@ -522,11 +523,21 @@ func registerMiddleware(t *testing.T, node *lntest.HarnessNode,
// NOTE: Must be called in a goroutine as this will block until the response is // NOTE: Must be called in a goroutine as this will block until the response is
// read from the response channel. // read from the response channel.
func (h *middlewareHarness) interceptUnary(methodURI string, func (h *middlewareHarness) interceptUnary(methodURI string,
expectedRequest proto.Message, responseReplacement proto.Message) { expectedRequest proto.Message, responseReplacement proto.Message,
readOnly bool) {
// Read intercept message and make sure it's for an RPC request. // Read intercept message and make sure it's for an RPC request.
reqIntercept, err := h.stream.Recv() reqIntercept, err := h.stream.Recv()
require.NoError(h.t, err) require.NoError(h.t, err)
// Make sure the custom condition is populated correctly (if we're using
// a macaroon with a custom condition).
if !readOnly {
require.Equal(
h.t, "itest-value", reqIntercept.CustomCaveatCondition,
)
}
req := reqIntercept.GetRequest() req := reqIntercept.GetRequest()
require.NotNil(h.t, req) require.NotNil(h.t, req)
@ -564,11 +575,21 @@ func (h *middlewareHarness) interceptUnary(methodURI string,
// NOTE: Must be called in a goroutine as this will block until the first // NOTE: Must be called in a goroutine as this will block until the first
// response is read from the response channel. // response is read from the response channel.
func (h *middlewareHarness) interceptStream(methodURI string, func (h *middlewareHarness) interceptStream(methodURI string,
expectedRequest proto.Message, responseReplacement proto.Message) { expectedRequest proto.Message, responseReplacement proto.Message,
readOnly bool) {
// Read intercept message and make sure it's for an RPC stream auth. // Read intercept message and make sure it's for an RPC stream auth.
authIntercept, err := h.stream.Recv() authIntercept, err := h.stream.Recv()
require.NoError(h.t, err) require.NoError(h.t, err)
// Make sure the custom condition is populated correctly (if we're using
// a macaroon with a custom condition).
if !readOnly {
require.Equal(
h.t, "itest-value", authIntercept.CustomCaveatCondition,
)
}
auth := authIntercept.GetStreamAuth() auth := authIntercept.GetStreamAuth()
require.NotNil(h.t, auth) require.NotNil(h.t, auth)

10
rpcperms/interceptor.go
View File

@ -910,7 +910,7 @@ func (r *InterceptorChain) middlewareRegistered() bool {
// acceptRequest sends an intercept request to all middlewares that have // acceptRequest sends an intercept request to all middlewares that have
// registered for it. This means either a middleware has requested read-only // registered for it. This means either a middleware has requested read-only
// access or the request actually has a macaroon which a caveat the middleware // access or the request actually has a macaroon with a caveat the middleware
// registered for. // registered for.
func (r *InterceptorChain) acceptRequest(requestID uint64, func (r *InterceptorChain) acceptRequest(requestID uint64,
msg *InterceptionRequest) error { msg *InterceptionRequest) error {
@ -929,6 +929,10 @@ func (r *InterceptorChain) acceptRequest(requestID uint64,
continue continue
} }
msg.CustomCaveatCondition = macaroons.GetCustomCaveatCondition(
msg.Macaroon, middleware.customCaveatName,
)
resp, err := middleware.intercept(requestID, msg) resp, err := middleware.intercept(requestID, msg)
// Error during interception itself. // Error during interception itself.
@ -975,6 +979,10 @@ func (r *InterceptorChain) interceptResponse(ctx context.Context,
continue continue
} }
msg.CustomCaveatCondition = macaroons.GetCustomCaveatCondition(
msg.Macaroon, middleware.customCaveatName,
)
resp, err := middleware.intercept(requestID, msg) resp, err := middleware.intercept(requestID, msg)
// Error during interception itself. // Error during interception itself.