From 751c70e6c7571261e6c95c454bcef1154d849f66 Mon Sep 17 00:00:00 2001 From: Oliver Gugger Date: Thu, 3 Sep 2020 14:35:41 +0200 Subject: [PATCH] loopd: add macaroon authentication to the daemon's server connection To secure access to loop's RPC server, we add a macaroon authentication service and its gRPC interceptors to the daemon's server connection. --- go.mod | 1 + loopd/config.go | 26 +++++- loopd/daemon.go | 34 ++++++-- loopd/macaroons.go | 192 +++++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 244 insertions(+), 9 deletions(-) create mode 100644 loopd/macaroons.go diff --git a/go.mod b/go.mod index b2e4ab3..2b43d44 100644 --- a/go.mod +++ b/go.mod @@ -23,6 +23,7 @@ require ( golang.org/x/net v0.0.0-20191002035440-2ec189313ef0 google.golang.org/genproto v0.0.0-20190927181202-20e1ac93f88c google.golang.org/grpc v1.24.0 + gopkg.in/macaroon-bakery.v2 v2.0.1 gopkg.in/macaroon.v2 v2.1.0 ) diff --git a/loopd/config.go b/loopd/config.go index ae062be..2e711af 100644 --- a/loopd/config.go +++ b/loopd/config.go @@ -57,6 +57,16 @@ var ( DefaultTLSKeyPath = filepath.Join( LoopDirBase, DefaultNetwork, DefaultTLSKeyFilename, ) + + // DefaultMacaroonFilename is the default file name for the + // autogenerated loop macaroon. + DefaultMacaroonFilename = "loop.macaroon" + + // DefaultMacaroonPath is the default full path of the base loop + // macaroon. + DefaultMacaroonPath = filepath.Join( + LoopDirBase, DefaultNetwork, DefaultMacaroonFilename, + ) ) type lndConfig struct { @@ -82,7 +92,7 @@ type Config struct { RESTListen string `long:"restlisten" description:"Address to listen on for REST clients"` CORSOrigin string `long:"corsorigin" description:"The value to send in the Access-Control-Allow-Origin header. Header will be omitted if empty."` - LoopDir string `long:"loopdir" description:"The directory for all of loop's data. If set, this option overwrites --datadir, --logdir, --tlscertpath and --tlskeypath."` + LoopDir string `long:"loopdir" description:"The directory for all of loop's data. If set, this option overwrites --datadir, --logdir, --tlscertpath, --tlskeypath and --macaroonpath."` ConfigFile string `long:"configfile" description:"Path to configuration file."` DataDir string `long:"datadir" description:"Directory for loopdb."` @@ -93,6 +103,8 @@ type Config struct { TLSAutoRefresh bool `long:"tlsautorefresh" description:"Re-generate TLS certificate and key if the IPs or domains are changed."` TLSDisableAutofill bool `long:"tlsdisableautofill" description:"Do not include the interface IPs or the system hostname in TLS certificate, use first --tlsextradomain as Common Name instead, if set."` + MacaroonPath string `long:"macaroonpath" description:"Path to write the macaroon for loop's RPC and REST services if it doesn't exist."` + LogDir string `long:"logdir" description:"Directory to log output."` MaxLogFiles int `long:"maxlogfiles" description:"Maximum logfiles to keep (0 for no rotation)."` MaxLogFileSize int `long:"maxlogfilesize" description:"Maximum logfile size in MB."` @@ -133,6 +145,7 @@ func DefaultConfig() Config { DebugLevel: defaultLogLevel, TLSCertPath: DefaultTLSCertPath, TLSKeyPath: DefaultTLSKeyPath, + MacaroonPath: DefaultMacaroonPath, MaxLSATCost: lsat.DefaultMaxCostSats, MaxLSATFee: lsat.DefaultMaxRoutingFeeSats, LoopOutMaxParts: defaultLoopOutMaxParts, @@ -193,9 +206,9 @@ func Validate(cfg *Config) error { cfg.DataDir = filepath.Join(cfg.DataDir, cfg.Network) cfg.LogDir = filepath.Join(cfg.LogDir, cfg.Network) - // We want the TLS files to also be in the "namespaced" sub directory. - // Replace the default values with actual values in case the user - // specified either loopdir or datadir. + // We want the TLS and macaroon files to also be in the "namespaced" sub + // directory. Replace the default values with actual values in case the + // user specified either loopdir or datadir. if cfg.TLSCertPath == DefaultTLSCertPath { cfg.TLSCertPath = filepath.Join( cfg.DataDir, DefaultTLSCertFilename, @@ -206,6 +219,11 @@ func Validate(cfg *Config) error { cfg.DataDir, DefaultTLSKeyFilename, ) } + if cfg.MacaroonPath == DefaultMacaroonPath { + cfg.MacaroonPath = filepath.Join( + cfg.DataDir, DefaultMacaroonFilename, + ) + } // If either of these directories do not exist, create them. if err := os.MkdirAll(cfg.DataDir, os.ModePerm); err != nil { diff --git a/loopd/daemon.go b/loopd/daemon.go index 63794e7..608c810 100644 --- a/loopd/daemon.go +++ b/loopd/daemon.go @@ -16,6 +16,7 @@ import ( "github.com/lightninglabs/loop" "github.com/lightninglabs/loop/looprpc" "github.com/lightningnetwork/lnd/lntypes" + "github.com/lightningnetwork/lnd/macaroons" "google.golang.org/grpc" ) @@ -79,6 +80,8 @@ type Daemon struct { restServer *http.Server restListener net.Listener restCtxCancel func() + + macaroonService *macaroons.Service } // New creates a new instance of the loop client daemon. @@ -172,8 +175,9 @@ func (d *Daemon) startWebServers() error { var err error // With our client created, let's now finish setting up and start our - // RPC server. - serverOpts := []grpc.ServerOption{} + // RPC server. First we add the security interceptor to our gRPC server + // options that checks the macaroons for validity. + serverOpts := d.macaroonInterceptor() d.grpcServer = grpc.NewServer(serverOpts...) looprpc.RegisterSwapClientServer(d.grpcServer, d) @@ -322,6 +326,17 @@ func (d *Daemon) initialize() error { // stop on main context cancel. So we create it early and pass it down. d.mainCtx, d.mainCtxCancel = context.WithCancel(context.Background()) + // Start the macaroon service and let it create its default macaroon in + // case it doesn't exist yet. + err = d.startMacaroonService() + if err != nil { + // The client is the only thing we started yet, so if we clean + // up its connection now, nothing else needs to be shut down at + // this point. + clientCleanup() + return err + } + // Now finally fully initialize the swap client RPC server instance. d.swapClientServer = swapClientServer{ impl: swapclient, @@ -336,9 +351,13 @@ func (d *Daemon) initialize() error { // Retrieve all currently existing swaps from the database. swapsList, err := d.impl.FetchSwaps() if err != nil { - // The client is the only thing we started yet, so if we clean - // up its connection now, nothing else needs to be shut down at - // this point. + // The client and the macaroon service are the only things we + // started yet, so if we clean that up now, nothing else needs + // to be shut down at this point. + if err := d.stopMacaroonService(); err != nil { + log.Errorf("Error shutting down macaroon service: %v", + err) + } clientCleanup() return err } @@ -443,6 +462,11 @@ func (d *Daemon) stop() { d.restCtxCancel() } + err := d.macaroonService.Close() + if err != nil { + log.Errorf("Error stopping macaroon service: %v", err) + } + // Next, shut down the connections to lnd and the swap server. if d.lnd != nil { d.lnd.Close() diff --git a/loopd/macaroons.go b/loopd/macaroons.go new file mode 100644 index 0000000..07c4e93 --- /dev/null +++ b/loopd/macaroons.go @@ -0,0 +1,192 @@ +package loopd + +import ( + "context" + "fmt" + "io/ioutil" + "os" + + "github.com/lightningnetwork/lnd/lnrpc" + "github.com/lightningnetwork/lnd/macaroons" + "google.golang.org/grpc" + "gopkg.in/macaroon-bakery.v2/bakery" +) + +const ( + // loopMacaroonLocation is the value we use for the loopd macaroons' + // "Location" field when baking them. + loopMacaroonLocation = "loop" +) + +var ( + // RequiredPermissions is a map of all loop RPC methods and their + // required macaroon permissions to access loopd. + RequiredPermissions = map[string][]bakery.Op{ + "/looprpc.SwapClient/LoopOut": {{ + Entity: "swap", + Action: "execute", + }, { + Entity: "loop", + Action: "out", + }}, + "/looprpc.SwapClient/LoopIn": {{ + Entity: "swap", + Action: "execute", + }, { + Entity: "loop", + Action: "in", + }}, + "/looprpc.SwapClient/Monitor": {{ + Entity: "swap", + Action: "read", + }}, + "/looprpc.SwapClient/ListSwaps": {{ + Entity: "swap", + Action: "read", + }}, + "/looprpc.SwapClient/SwapInfo": {{ + Entity: "swap", + Action: "read", + }}, + "/looprpc.SwapClient/LoopOutTerms": {{ + Entity: "terms", + Action: "read", + }, { + Entity: "loop", + Action: "out", + }}, + "/looprpc.SwapClient/LoopOutQuote": {{ + Entity: "swap", + Action: "read", + }, { + Entity: "loop", + Action: "out", + }}, + "/looprpc.SwapClient/GetLoopInTerms": {{ + Entity: "terms", + Action: "read", + }, { + Entity: "loop", + Action: "in", + }}, + "/looprpc.SwapClient/GetLoopInQuote": {{ + Entity: "swap", + Action: "read", + }, { + Entity: "loop", + Action: "in", + }}, + "/looprpc.SwapClient/GetLsatTokens": {{ + Entity: "auth", + Action: "read", + }}, + } + + // allPermissions is the list of all existing permissions that exist + // for loopd's RPC. The default macaroon that is created on startup + // contains all these permissions and is therefore equivalent to lnd's + // admin.macaroon but for loop. + allPermissions = []bakery.Op{{ + Entity: "loop", + Action: "out", + }, { + Entity: "loop", + Action: "in", + }, { + Entity: "swap", + Action: "execute", + }, { + Entity: "swap", + Action: "read", + }, { + Entity: "terms", + Action: "read", + }, { + Entity: "auth", + Action: "read", + }} + + // macDbDefaultPw is the default encryption password used to encrypt the + // loop macaroon database. The macaroon service requires us to set a + // non-nil password so we set it to an empty string. This will cause the + // keys to be encrypted on disk but won't provide any security at all as + // the password is known to anyone. + // + // TODO(guggero): Allow the password to be specified by the user. Needs + // create/unlock calls in the RPC. Using a password should be optional + // though. + macDbDefaultPw = []byte("") +) + +// startMacaroonService starts the macaroon validation service, creates or +// unlocks the macaroon database and creates the default macaroon if it doesn't +// exist yet. If macaroons are disabled in general in the configuration, none of +// these actions are taken. +func (d *Daemon) startMacaroonService() error { + // Create the macaroon authentication/authorization service. + var err error + d.macaroonService, err = macaroons.NewService( + d.cfg.DataDir, loopMacaroonLocation, macaroons.IPLockChecker, + ) + if err != nil { + return fmt.Errorf("unable to set up macaroon authentication: "+ + "%v", err) + } + + // Try to unlock the macaroon store with the private password. + err = d.macaroonService.CreateUnlock(&macDbDefaultPw) + if err != nil { + return fmt.Errorf("unable to unlock macaroon DB: %v", err) + } + + // Create macaroon files for loop CLI to use if they don't exist. + if !lnrpc.FileExists(d.cfg.MacaroonPath) { + ctx := context.Background() + + // We only generate one default macaroon that contains all + // existing permissions (equivalent to the admin.macaroon in + // lnd). Custom macaroons can be created through the bakery + // RPC. + loopMac, err := d.macaroonService.NewMacaroon( + ctx, macaroons.DefaultRootKeyID, + allPermissions..., + ) + if err != nil { + return err + } + loopMacBytes, err := loopMac.M().MarshalBinary() + if err != nil { + return err + } + err = ioutil.WriteFile(d.cfg.MacaroonPath, loopMacBytes, 0644) + if err != nil { + if err := os.Remove(d.cfg.MacaroonPath); err != nil { + log.Errorf("Unable to remove %s: %v", + d.cfg.MacaroonPath, err) + } + return err + } + } + + return nil +} + +// stopMacaroonService closes the macaroon database. +func (d *Daemon) stopMacaroonService() error { + return d.macaroonService.Close() +} + +// macaroonInterceptor creates gRPC server options with the macaroon security +// interceptors. +func (d *Daemon) macaroonInterceptor() []grpc.ServerOption { + unaryInterceptor := d.macaroonService.UnaryServerInterceptor( + RequiredPermissions, + ) + streamInterceptor := d.macaroonService.StreamServerInterceptor( + RequiredPermissions, + ) + return []grpc.ServerOption{ + grpc.UnaryInterceptor(unaryInterceptor), + grpc.StreamInterceptor(streamInterceptor), + } +}