macaroons+rpcserver: Add new RPC call for checking macaroon permissions

2025-06-30 10:35:32 +02:00 · 2021-05-17 02:19:30 -04:00
parent 1ea6db1f26
commit d10a682fa9
9 changed files with 1000 additions and 571 deletions
--- a/rpcserver.go
+++ b/rpcserver.go
@ -513,6 +513,10 @@ func MainRPCServerPermissions() map[string][]bakery.Op {
 			Entity: "info",
 			Action: "read",
 		}},
+		"/lnrpc.Lightning/CheckMacaroonPermissions": {{
+			Entity: "macaroon",
+			Action: "read",
+		}},
 		"/lnrpc.Lightning/SubscribePeerEvents": {{
 			Entity: "peers",
 			Action: "read",
@ -6962,6 +6966,33 @@ func (r *rpcServer) ListPermissions(_ context.Context,
 	}, nil
 }

+// CheckMacaroonPermissions checks the caveats and permissions of a macaroon.
+func (r *rpcServer) CheckMacaroonPermissions(ctx context.Context,
+	req *lnrpc.CheckMacPermRequest) (*lnrpc.CheckMacPermResponse, error) {
+
+	// Turn grpc macaroon permission into bakery.Op for the server to
+	// process.
+	permissions := make([]bakery.Op, len(req.Permissions))
+	for idx, perm := range req.Permissions {
+		permissions[idx] = bakery.Op{
+			Entity: perm.Entity,
+			Action: perm.Action,
+		}
+	}
+
+	err := r.macService.CheckMacAuth(
+		ctx, hex.EncodeToString(req.Macaroon), permissions,
+		req.FullMethod,
+	)
+	if err != nil {
+		return nil, status.Error(codes.InvalidArgument, err.Error())
+	}
+
+	return &lnrpc.CheckMacPermResponse{
+		Valid: true,
+	}, nil
+}
+
 // FundingStateStep is an advanced funding related call that allows the caller
 // to either execute some preparatory steps for a funding workflow, or manually
 // progress a funding workflow. The primary way a funding flow is identified is