lnrpc+rpcserver: add QoL flag for permission check

To make it even more obvious that by default the permissions to check aren't taken from the full method provided, we add a new flag that does that on request.
2025-08-30 23:53:41 +02:00 · 2025-07-14 10:02:14 +02:00
parent 66340500e9
commit 6b1c85265f
5 changed files with 680 additions and 543 deletions
--- a/itest/lnd_macaroons_test.go
+++ b/itest/lnd_macaroons_test.go
@@ -12,6 +12,7 @@ import (
 	"github.com/lightningnetwork/lnd/lnrpc"
 	"github.com/lightningnetwork/lnd/lntest"
 	"github.com/lightningnetwork/lnd/lntest/node"
+	"github.com/lightningnetwork/lnd/lntest/wait"
 	"github.com/lightningnetwork/lnd/macaroons"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -316,6 +317,77 @@ func testMacaroonAuthentication(ht *lntest.HarnessTest) {
 			require.Error(t, err)
 			require.Contains(t, err.Error(), "permission denied")
 		},
+	}, {
+		// Check that with the CheckMacaroonPermissions RPC, we can
+		// check that a macaroon follows the permissions of a given
+		// method.
+		name: "default permissions from full method",
+		run: func(ctxt context.Context, t *testing.T) {
+			// We test that the macaroon of the test client has
+			// all the permissions for calling the BakeMacaroon RPC.
+			mac, err := testNode.ReadMacaroon(
+				testNode.Cfg.AdminMacPath, wait.DefaultTimeout,
+			)
+			require.NoError(t, err)
+
+			macBytes, err := mac.MarshalBinary()
+			require.NoError(t, err)
+
+			rpcURI := "/lnrpc.Lightning/BakeMacaroon"
+			checkReq := &lnrpc.CheckMacPermRequest{
+				Macaroon:                        macBytes,
+				FullMethod:                      rpcURI,
+				CheckDefaultPermsFromFullMethod: true,
+			}
+
+			// Test that CheckMacaroonPermissions accurately
+			// characterizes macaroon as valid, since the admin
+			// macaroon should have all the permissions.
+			checkResp, err := testClient.CheckMacaroonPermissions(
+				ctxt, checkReq,
+			)
+			require.NoError(t, err)
+			require.Equal(t, checkResp.Valid, true)
+
+			// Check different error cases.
+			dummy := []*lnrpc.MacaroonPermission{{
+				Entity: "foo",
+			}}
+			_, err = testClient.CheckMacaroonPermissions(
+				ctxt, &lnrpc.CheckMacPermRequest{
+					Permissions:                     dummy,
+					CheckDefaultPermsFromFullMethod: true,
+				},
+			)
+			require.ErrorContains(
+				t, err, "cannot check default permissions "+
+					"from full method and from provided "+
+					"permission list at the same time",
+			)
+
+			_, err = testClient.CheckMacaroonPermissions(
+				ctxt, &lnrpc.CheckMacPermRequest{
+					FullMethod:                      "",
+					CheckDefaultPermsFromFullMethod: true,
+				},
+			)
+			require.ErrorContains(
+				t, err, "cannot check default permissions "+
+					"from full method without providing "+
+					"the full method name",
+			)
+
+			_, err = testClient.CheckMacaroonPermissions(
+				ctxt, &lnrpc.CheckMacPermRequest{
+					FullMethod:                      "baz",
+					CheckDefaultPermsFromFullMethod: true,
+				},
+			)
+			require.ErrorContains(
+				t, err, "no permissions found for full method "+
+					"baz",
+			)
+		},
 	}}

 	for _, tc := range testCases {