lsat+client: allow macaroons on insecure proxy connections

4 years ago · 0c699f2435
parent a15db0a576
commit 0c699f2435
4 changed files with 78 additions and 17 deletions
--- a/lsat/credential.go
+++ b/lsat/credential.go
@ -0,0 +1,52 @@
 package lsat
 import (
 	"context"
 	"encoding/hex"
 	"gopkg.in/macaroon.v2"
 )
 // MacaroonCredential wraps a macaroon to implement the
 // credentials.PerRPCCredentials interface.
 type MacaroonCredential struct {
 	*macaroon.Macaroon
 	// AllowInsecure specifies if the macaroon is allowed to be sent over
 	// insecure transport channels. This should only ever be set to true if
 	// the insecure connection is proxied through tor and the destination
 	// address is an onion service.
 	AllowInsecure bool
 }
 // RequireTransportSecurity implements the PerRPCCredentials interface.
 func (m MacaroonCredential) RequireTransportSecurity() bool {
 	return !m.AllowInsecure
 }
 // GetRequestMetadata implements the PerRPCCredentials interface. This method
 // is required in order to pass the wrapped macaroon into the gRPC context.
 // With this, the macaroon will be available within the request handling scope
 // of the ultimate gRPC server implementation.
 func (m MacaroonCredential) GetRequestMetadata(_ context.Context,
 	_ ...string) (map[string]string, error) {
 	macBytes, err := m.MarshalBinary()
 	if err != nil {
 		return nil, err
 	}
 	md := make(map[string]string)
 	md["macaroon"] = hex.EncodeToString(macBytes)
 	return md, nil
 }
 // NewMacaroonCredential returns a copy of the passed macaroon wrapped in a
 // MacaroonCredential struct which implements PerRPCCredentials.
 func NewMacaroonCredential(m *macaroon.Macaroon,
 	allowInsecure bool) MacaroonCredential {
 	ms := MacaroonCredential{AllowInsecure: allowInsecure}
 	ms.Macaroon = m.Clone()
 	return ms
 }
--- a/lsat/interceptor.go
+++ b/lsat/interceptor.go
@ -12,7 +12,6 @@ import (
 	"github.com/lightninglabs/loop/lndclient"
 	"github.com/lightningnetwork/lnd/lnrpc"
 	"github.com/lightningnetwork/lnd/lnwire"
 	"github.com/lightningnetwork/lnd/macaroons"
 	"github.com/lightningnetwork/lnd/zpay32"
 	"google.golang.org/grpc"
 	"google.golang.org/grpc/codes"
@ -65,12 +64,13 @@ var (
 // challenges with embedded payment requests. It uses a connection to lnd to
 // automatically pay for an authentication token.
 type Interceptor struct {
-	lnd         *lndclient.LndServices
+	lnd           *lndclient.LndServices
-	store       Store
+	store         Store
-	callTimeout time.Duration
+	callTimeout   time.Duration
-	maxCost     btcutil.Amount
+	maxCost       btcutil.Amount
-	maxFee      btcutil.Amount
+	maxFee        btcutil.Amount
-	lock        sync.Mutex
+	lock          sync.Mutex
 	allowInsecure bool
 }
 // NewInterceptor creates a new gRPC client interceptor that uses the provided
@ -78,14 +78,15 @@ type Interceptor struct {
 // indicated store already contains a usable token.
 func NewInterceptor(lnd *lndclient.LndServices, store Store,
 	rpcCallTimeout time.Duration, maxCost,
-	maxFee btcutil.Amount) *Interceptor {
+	maxFee btcutil.Amount, allowInsecure bool) *Interceptor {
 	return &Interceptor{
-		lnd:         lnd,
+		lnd:           lnd,
-		store:       store,
+		store:         store,
-		callTimeout: rpcCallTimeout,
+		callTimeout:   rpcCallTimeout,
-		maxCost:     maxCost,
+		maxCost:       maxCost,
-		maxFee:      maxFee,
+		maxFee:        maxFee,
 		allowInsecure: allowInsecure,
 	}
 }
@ -285,7 +286,7 @@ func (i *Interceptor) addLsatCredentials(iCtx *interceptContext) error {
 		return err
 	}
 	iCtx.opts = append(iCtx.opts, grpc.PerRPCCredentials(
-		macaroons.NewMacaroonCredential(macaroon),
+		NewMacaroonCredential(macaroon, i.allowInsecure),
 	))
 	return nil
 }
--- a/lsat/interceptor_test.go
+++ b/lsat/interceptor_test.go
@ -59,7 +59,7 @@ var (
 	testTimeout = 5 * time.Second
 	interceptor = NewInterceptor(
 		&lnd.LndServices, store, testTimeout,
-		DefaultMaxCostSats, DefaultMaxRoutingFeeSats,
+		DefaultMaxCostSats, DefaultMaxRoutingFeeSats, false,
 	)
 	testMac         = makeMac()
 	testMacBytes    = serializeMac(testMac)
@ -173,7 +173,7 @@ var (
 			initialPreimage: nil,
 			interceptor: NewInterceptor(
 				&lnd.LndServices, store, testTimeout,
-				100, DefaultMaxRoutingFeeSats,
+				100, DefaultMaxRoutingFeeSats, false,
 			),
 			resetCb: func() {
 				resetBackend(
--- a/swap_server_client.go
+++ b/swap_server_client.go
@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"
 	"net"
 	"strings"
 	"time"
 	"github.com/btcsuite/btcd/btcec"
@ -56,11 +57,18 @@ var _ swapServerClient = (*grpcSwapServerClient)(nil)
 func newSwapServerClient(cfg *ClientConfig, lsatStore lsat.Store) (
 	*grpcSwapServerClient, error) {
 	// If a proxy address is set and the destination is an onion service, we
 	// know tor is being used to secure the transport of our credentials. We
 	// need to set the flag accordingly, otherwise gRPC won't add the LSAT
 	// macaroon to the request.
 	allowInsecure := cfg.ProxyAddress != "" &&
 		strings.HasSuffix(cfg.ServerAddress, tor.OnionSuffix)
 	// Create the server connection with the interceptor that will handle
 	// the LSAT protocol for us.
 	clientInterceptor := lsat.NewInterceptor(
 		cfg.Lnd, lsatStore, serverRPCTimeout, cfg.MaxLsatCost,
-		cfg.MaxLsatFee,
+		cfg.MaxLsatFee, allowInsecure,
 	)
 	serverConn, err := getSwapServerConn(
 		cfg.ServerAddress, cfg.ProxyAddress, cfg.Insecure,