multi: validate macaroons for lit calls

Use the new macaroon service to verify LitURI calls.

Author: ellemouton

itest/litd_mode_integrated_test.go

@@ -135,6 +135,9 @@ var (
 			ctx, &litrpc.ListSessionsRequest{},
 		)
 	}
+	litMacaroonFn = func(cfg *LitNodeConfig) string {
+		return cfg.LitMacPath
+	}
 
 	endpoints = []struct {
 		name                        string
@@ -198,16 +201,16 @@ var (
 		restWebURI:                  "/v1/pool/info",
 	}, {
 		name:       "litrpc",
-		macaroonFn: nil,
+		macaroonFn: litMacaroonFn,
 		requestFn:  litRequestFn,
 		// In some test cases we actually expect some sessions, so we
 		// don't explicitly check for an empty array but just the
 		// existence of the array in the response.
 		successPattern:              "\"sessions\":[",
-		supportsMacAuthOnLndPort:    false,
-		supportsMacAuthOnLitPort:    false,
-		supportsUIPasswordOnLndPort: true,
-		supportsUIPasswordOnLitPort: true,
+		supportsMacAuthOnLndPort:    true,
+		supportsMacAuthOnLitPort:    true,
+		supportsUIPasswordOnLndPort: false,
+		supportsUIPasswordOnLitPort: false,
 		allowedThroughLNC:           false,
 		grpcWebURI:                  "/litrpc.Sessions/ListSessions",
 	}}

itest/litd_node.go

@@ -67,6 +67,7 @@ type LitNodeConfig struct {
 	LoopMacPath    string
 	PoolMacPath    string
 	LitTLSCertPath string
+	LitMacPath     string
 
 	UIPassword string
 	LitDir     string
@@ -279,6 +280,9 @@ func newNode(cfg *LitNodeConfig, harness *NetworkHarness) (*HarnessNode, error)
 	cfg.PoolMacPath = filepath.Join(
 		cfg.PoolDir, cfg.NetParams.Name, "pool.macaroon",
 	)
+	cfg.LitMacPath = filepath.Join(
+		cfg.LitDir, cfg.NetParams.Name, "lit.macaroon",
+	)
 	cfg.LitTLSCertPath = filepath.Join(cfg.LitDir, "tls.cert")
 	cfg.GenerateListeningPorts()
 

rpc_proxy.go

@@ -537,7 +537,7 @@ func (p *rpcProxy) basicAuthToMacaroon(basicAuth, requestURI string,
 		}
 
 	case isLitURI(requestURI):
-		return EmptyMacaroonBytes, nil
+		macPath = p.cfg.MacaroonPath
 
 	default:
 		return nil, fmt.Errorf("unknown gRPC web request: %v",

subserver_permissions.go

@@ -12,9 +12,18 @@ var (
 	// litPermissions is a map of all LiT RPC methods and their required
 	// macaroon permissions to access the session service.
 	litPermissions = map[string][]bakery.Op{
-		"/litrpc.Sessions/AddSession":    {{}},
-		"/litrpc.Sessions/ListSessions":  {{}},
-		"/litrpc.Sessions/RevokeSession": {{}},
+		"/litrpc.Sessions/AddSession": {{
+			Entity: "sessions",
+			Action: "write",
+		}},
+		"/litrpc.Sessions/ListSessions": {{
+			Entity: "sessions",
+			Action: "read",
+		}},
+		"/litrpc.Sessions/RevokeSession": {{
+			Entity: "sessions",
+			Action: "write",
+		}},
 	}
 
 	// whiteListedMethods is a map of all lnd RPC methods that don't require

terminal.go

@@ -749,12 +749,12 @@ func (g *LightningTerminal) ValidateMacaroon(ctx context.Context,
 		}
 
 	case isLitURI(fullMethod):
-		wrap := fmt.Errorf("invalid basic auth")
-		_, err := g.rpcProxy.convertBasicAuth(ctx, fullMethod, wrap)
-		if err != nil {
+		if err := g.sessionRpcServer.macaroonService.ValidateMacaroon(
+			ctx, requiredPermissions, fullMethod,
+		); err != nil {
 			return &proxyErr{
 				proxyContext: "lit",
-				wrapped: fmt.Errorf("invalid auth: %v",
+				wrapped: fmt.Errorf("invalid macaroon: %v",
 					err),
 			}
 		}