multi: validate macaroons for lit calls

Use the new macaroon service to verify LitURI calls.

Author: ellemouton

rpc_proxy.go

@@ -499,7 +499,7 @@ func (p *rpcProxy) basicAuthToMacaroon(basicAuth, requestURI string,
 		}
 
 	case isLitURI(requestURI):
-		return []byte("no-macaroons-for-litcli"), nil
+		macPath = p.cfg.MacaroonPath
 
 	default:
 		return nil, fmt.Errorf("unknown gRPC web request: %v",

subserver_permissions.go

@@ -12,9 +12,18 @@ var (
 	// litPermissions is a map of all LiT RPC methods and their required
 	// macaroon permissions to access the session service.
 	litPermissions = map[string][]bakery.Op{
-		"/litrpc.Sessions/AddSession":    {{}},
-		"/litrpc.Sessions/ListSessions":  {{}},
-		"/litrpc.Sessions/RevokeSession": {{}},
+		"/litrpc.Sessions/AddSession": {{
+			Entity: "sessions",
+			Action: "write",
+		}},
+		"/litrpc.Sessions/ListSessions": {{
+			Entity: "sessions",
+			Action: "read",
+		}},
+		"/litrpc.Sessions/RevokeSession": {{
+			Entity: "sessions",
+			Action: "write",
+		}},
 	}
 
 	// whiteListedMethods is a map of all lnd RPC methods that don't require

terminal.go

@@ -740,12 +740,12 @@ func (g *LightningTerminal) ValidateMacaroon(ctx context.Context,
 		}
 
 	case isLitURI(fullMethod):
-		wrap := fmt.Errorf("invalid basic auth")
-		_, err := g.rpcProxy.convertBasicAuth(ctx, fullMethod, wrap)
-		if err != nil {
+		if err := g.sessionRpcServer.macaroonService.ValidateMacaroon(
+			ctx, requiredPermissions, fullMethod,
+		); err != nil {
 			return &proxyErr{
 				proxyContext: "lit",
-				wrapped: fmt.Errorf("invalid auth: %v",
+				wrapped: fmt.Errorf("invalid macaroon: %w",
 					err),
 			}
 		}