multi: add macroon service to sessionRpcServer

Add a macaroonService to the sessionRPCServer so that its methods can be
protected by macaroon authentication.

Author: ellemouton

config.go

@@ -73,6 +73,10 @@ const (
 	// certificate. The value corresponds to 14 months
 	// (14 months * 30 days * 24 hours).
 	DefaultAutogenValidity = 14 * 30 * 24 * time.Hour
+
+	// DefaultMacaroonFilename is the default file name for the
+	// autogenerated lit macaroon.
+	DefaultMacaroonFilename = "lit.macaroon"
 )
 
 var (
@@ -119,6 +123,12 @@ var (
 		lndDefaultConfig.DataDir, defaultLndChainSubDir,
 		defaultLndChain, DefaultNetwork, defaultLndMacaroon,
 	)
+
+	// DefaultMacaroonPath is the default full path of the base lit
+	// macaroon.
+	DefaultMacaroonPath = filepath.Join(
+		DefaultLitDir, DefaultNetwork, DefaultMacaroonFilename,
+	)
 )
 
 // Config is the main configuration struct of lightning-terminal. It contains
@@ -141,6 +151,8 @@ type Config struct {
 	LitDir     string `long:"lit-dir" description:"The main directory where LiT looks for its configuration file. If LiT is running in 'remote' lnd mode, this is also the directory where the TLS certificates and log files are stored by default."`
 	ConfigFile string `long:"configfile" description:"Path to LiT's configuration file."`
 
+	MacaroonPath string `long:"macaroonpath" description:"Path to write the macaroon for litd's RPC and REST services if it doesn't exist."`
+
 	// Network is the Bitcoin network we're running on. This will be parsed
 	// before the configuration is loaded and will set the correct flag on
 	// `lnd.bitcoin.mainnet|testnet|regtest` and also for the other daemons.
@@ -296,6 +308,7 @@ func defaultConfig() *Config {
 		LitDir:            DefaultLitDir,
 		LetsEncryptListen: defaultLetsEncryptListen,
 		LetsEncryptDir:    defaultLetsEncryptDir,
+		MacaroonPath:      DefaultMacaroonPath,
 		ConfigFile:        defaultConfigFile,
 		FaradayMode:       defaultFaradayMode,
 		Faraday:           &faradayDefaultConfig,
@@ -394,6 +407,14 @@ func loadAndValidateConfig(interceptor signal.Interceptor) (*Config, error) {
 			"UI, at least %d characters long", uiPasswordMinLength)
 	}
 
+	if cfg.Network != DefaultNetwork {
+		if cfg.MacaroonPath == DefaultMacaroonPath {
+			cfg.MacaroonPath = filepath.Join(
+				litDir, cfg.Network, DefaultMacaroonFilename,
+			)
+		}
+	}
+
 	// Initiate our listeners. For now, we only support listening on one
 	// port at a time because we can only pass in one pre-configured RPC
 	// listener into lnd.

session_rpcserver.go

@@ -11,16 +11,18 @@ import (
 	"github.com/lightninglabs/lightning-node-connect/mailbox"
 	"github.com/lightninglabs/lightning-terminal/litrpc"
 	"github.com/lightninglabs/lightning-terminal/session"
+	"github.com/lightninglabs/lndclient"
 	"google.golang.org/grpc"
 )
 
 // sessionRpcServer is the gRPC server for the Session RPC interface.
 type sessionRpcServer struct {
 	litrpc.UnimplementedSessionsServer
 
-	cfg           *sessionRpcServerConfig
-	db            *session.DB
-	sessionServer *session.Server
+	cfg             *sessionRpcServerConfig
+	db              *session.DB
+	sessionServer   *session.Server
+	macaroonService *lndclient.MacaroonService
 
 	quit     chan struct{}
 	wg       sync.WaitGroup
@@ -32,6 +34,7 @@ type sessionRpcServer struct {
 type sessionRpcServerConfig struct {
 	basicAuth           string
 	dbDir               string
+	macaroonPath        string
 	grpcOptions         []grpc.ServerOption
 	registerGrpcServers func(server *grpc.Server)
 	superMacBaker       func(ctx context.Context, rootKeyID uint64,
@@ -73,7 +76,32 @@ func newSessionRPCServer(cfg *sessionRpcServerConfig) (*sessionRpcServer,
 // start all the components necessary for the sessionRpcServer to start serving
 // requests. This includes starting the macaroon service and resuming all
 // non-revoked sessions.
-func (s *sessionRpcServer) start() error {
+func (s *sessionRpcServer) start(stateless bool,
+	lndClient *lndclient.LndServices) error {
+
+	var err error
+	s.macaroonService, err = lndclient.NewMacaroonService(
+		&lndclient.MacaroonServiceConfig{
+			DBPath:           s.cfg.dbDir,
+			MacaroonLocation: "litd",
+			StatelessInit:    stateless,
+			RequiredPerms:    litPermissions,
+			LndClient:        lndClient,
+			EphemeralKey:     lndclient.SharedKeyNUMS,
+			KeyLocator:       lndclient.SharedKeyLocator,
+			MacaroonPath:     s.cfg.macaroonPath,
+		},
+	)
+	if err != nil {
+		log.Errorf("Could not create a new macaroon service: %v", err)
+		return err
+	}
+
+	if err := s.macaroonService.Start(); err != nil {
+		log.Errorf("Could not start macaroon service: %v", err)
+		return err
+	}
+
 	// Start up all previously created sessions.
 	sessions, err := s.db.ListSessions()
 	if err != nil {
@@ -98,6 +126,11 @@ func (s *sessionRpcServer) stop() error {
 		}
 		s.sessionServer.Stop()
 
+		if err := s.macaroonService.Stop(); err != nil {
+			log.Errorf("Error stopping macaroon service: %v", err)
+			returnErr = err
+		}
+
 		close(s.quit)
 		s.wg.Wait()
 	})

terminal.go

@@ -200,8 +200,9 @@ func (g *LightningTerminal) Run() error {
 		bufRpcListener,
 	)
 	g.sessionRpcServer, err = newSessionRPCServer(&sessionRpcServerConfig{
-		basicAuth: g.rpcProxy.basicAuth,
-		dbDir:     path.Join(g.cfg.LitDir, g.cfg.Network),
+		basicAuth:    g.rpcProxy.basicAuth,
+		macaroonPath: g.cfg.MacaroonPath,
+		dbDir:        path.Join(g.cfg.LitDir, g.cfg.Network),
 		grpcOptions: []grpc.ServerOption{
 			grpc.CustomCodec(grpcProxy.Codec()), // nolint: staticcheck,
 			grpc.ChainStreamInterceptor(
@@ -544,7 +545,9 @@ func (g *LightningTerminal) startSubservers() error {
 		g.poolStarted = true
 	}
 
-	if err = g.sessionRpcServer.start(); err != nil {
+	if err = g.sessionRpcServer.start(
+		!createDefaultMacaroons, &g.lndClient.LndServices,
+	); err != nil {
 		return err
 	}
 	g.sessionRpcServerStarted = true