rpc: force TLS for both grpc endpoint and grpc gateway

lnd.go

@@ -3,6 +3,7 @@ package main
 import (
 	"crypto/rand"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"net/http"
 	_ "net/http/pprof"
@@ -14,6 +15,7 @@ import (
 	"golang.org/x/net/context"
 
 	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials"
 
 	flags "github.com/btcsuite/go-flags"
 	proxy "github.com/grpc-ecosystem/grpc-gateway/runtime"
@@ -26,6 +28,10 @@ import (
 	"github.com/roasbeef/btcutil"
 )
 
+const (
+	autogenCertValidity = 10 * 365 * 24 * time.Hour
+)
+
 var (
 	cfg              *config
 	shutdownChannel  = make(chan struct{})
@@ -189,13 +195,25 @@ func lndMain() error {
 	}
 	server.fundingMgr = fundingMgr
 
+	// Ensure we create TLS key and certificate if they don't exist
+	if !fileExists(cfg.TLSCertPath) && !fileExists(cfg.TLSKeyPath) {
+		if err := genCertPair(cfg.TLSCertPath, cfg.TLSKeyPath); err != nil {
+			return err
+		}
+	}
+
 	// Initialize, and register our implementation of the gRPC interface
 	// exported by the rpcServer.
 	rpcServer := newRPCServer(server)
 	if err := rpcServer.Start(); err != nil {
 		return err
 	}
-	var opts []grpc.ServerOption
+	sCreds, err := credentials.NewServerTLSFromFile(cfg.TLSCertPath,
+		cfg.TLSKeyPath)
+	if err != nil {
+		return err
+	}
+	opts := []grpc.ServerOption{grpc.Creds(sCreds)}
 	grpcServer := grpc.NewServer(opts...)
 	lnrpc.RegisterLightningServer(grpcServer, rpcServer)
 
@@ -211,13 +229,17 @@ func lndMain() error {
 		rpcsLog.Infof("RPC server listening on %s", lis.Addr())
 		grpcServer.Serve(lis)
 	}()
-
+	cCreds, err := credentials.NewClientTLSFromFile(cfg.TLSCertPath, "")
+	if err != nil {
+		return err
+	}
 	// Finally, start the REST proxy for our gRPC server above.
 	ctx := context.Background()
 	ctx, cancel := context.WithCancel(ctx)
 	defer cancel()
+
 	mux := proxy.NewServeMux()
-	proxyOpts := []grpc.DialOption{grpc.WithInsecure()}
+	proxyOpts := []grpc.DialOption{grpc.WithTransportCredentials(cCreds)}
 	err = lnrpc.RegisterLightningHandlerFromEndpoint(ctx, mux, grpcEndpoint,
 		proxyOpts)
 	if err != nil {
@@ -226,7 +248,8 @@ func lndMain() error {
 	go func() {
 		restEndpoint := fmt.Sprintf(":%d", loadedConfig.RESTPort)
 		rpcsLog.Infof("gRPC proxy started at localhost%s", restEndpoint)
-		http.ListenAndServe(restEndpoint, mux)
+		http.ListenAndServeTLS(restEndpoint, cfg.TLSCertPath,
+			cfg.TLSKeyPath, mux)
 	}()
 
 	// If we're not in simnet mode, We'll wait until we're fully synced to
@@ -301,3 +324,39 @@ func main() {
 		os.Exit(1)
 	}
 }
+
+// fileExists reports whether the named file or directory exists.
+// This function is taken from https://github.com/btcsuite/btcd
+func fileExists(name string) bool {
+	if _, err := os.Stat(name); err != nil {
+		if os.IsNotExist(err) {
+			return false
+		}
+	}
+	return true
+}
+
+// genCertPair generates a key/cert pair to the paths provided.
+// This function is adapted from https://github.com/btcsuite/btcd
+func genCertPair(certFile, keyFile string) error {
+	rpcsLog.Infof("Generating TLS certificates...")
+
+	org := "lnd autogenerated cert"
+	validUntil := time.Now().Add(autogenCertValidity)
+	cert, key, err := btcutil.NewTLSCertPair(org, validUntil, nil)
+	if err != nil {
+		return err
+	}
+
+	// Write cert and key files.
+	if err = ioutil.WriteFile(certFile, cert, 0644); err != nil {
+		return err
+	}
+	if err = ioutil.WriteFile(keyFile, key, 0600); err != nil {
+		os.Remove(certFile)
+		return err
+	}
+
+	rpcsLog.Infof("Done generating TLS certificates")
+	return nil
+}