
Commit 8f6b510

jtobinGeorgeTsagk
authored andcommitted
Merge pull request #1841 from lightninglabs/wip/refactor-rpc-macaroonwhitelist
Improve `MacaroonWhitelist` Structure and Permission Granularity
2 parents 60fbb90 + 9b16515 commit 8f6b510


3 files changed

+127
-36
lines changed

Lines changed: 70 additions & 0 deletions
@@ -0,0 +1,70 @@
1+
# Release Notes
2+
- [Bug Fixes](#bug-fixes)
3+
- [New Features](#new-features)
4+
- [Functional Enhancements](#functional-enhancements)
5+
- [RPC Additions](#rpc-additions)
6+
- [tapcli Additions](#tapcli-additions)
7+
- [Improvements](#improvements)
8+
- [Functional Updates](#functional-updates)
9+
- [RPC Updates](#rpc-updates)
10+
- [tapcli Updates](#tapcli-updates)
11+
- [Breaking Changes](#breaking-changes)
12+
- [Performance Improvements](#performance-improvements)
13+
- [Deprecations](#deprecations)
14+
- [Technical and Architectural Updates](#technical-and-architectural-updates)
15+
- [BIP/bLIP Spec Updates](#bipblip-spec-updates)
16+
- [Testing](#testing)
17+
- [Database](#database)
18+
- [Code Health](#code-health)
19+
- [Tooling and Documentation](#tooling-and-documentation)
20+
21+
# Bug Fixes
22+
23+
# New Features
24+
25+
## Functional Enhancements
26+
27+
## RPC Additions
28+
29+
## tapcli Additions
30+
31+
# Improvements
32+
33+
## Functional Updates
34+
35+
## RPC Updates
36+
37+
- [PR#1841](https://github.com/lightninglabs/taproot-assets/pull/1841): Remove
38+
the defaultMacaroonWhitelist map and inline its entries directly
39+
into the conditional logic within MacaroonWhitelist. This ensures that
40+
access to previously always-available endpoints is now governed by
41+
explicit user configuration (read/write/courier), improving permission
42+
control and aligning with expected access restrictions.
43+
44+
- [PR#1841](https://github.com/lightninglabs/taproot-assets/pull/1841): Add
45+
default RPC permissions for RPC endpoints universerpc.Universe/Info and
46+
/authmailboxrpc.Mailbox/MailboxInfo.
47+
48+
## tapcli Updates
49+
50+
## Code Health
51+
52+
## Breaking Changes
53+
54+
## Performance Improvements
55+
56+
## Deprecations
57+
58+
# Technical and Architectural Updates
59+
60+
## BIP/bLIP Spec Updates
61+
62+
## Testing
63+
64+
## Database
65+
66+
## Code Health
67+
68+
## Tooling and Documentation
69+
70+
# Contributors (Alphabetical Order)

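--- a/proof/courier.go
+++ b/proof/courier.go
@@ -1316,9 +1316,9 @@ func (c *UniverseRpcCourier) ensureConnect(ctx context.Context) error {
 c.mboxClient = mboxrpc.NewMailboxClient(conn)
 c.rawConn = conn
 
-// Make sure we initiate the connection. The GetInfo RPC method is in
-// the base macaroon white list, so it doesn't require any
-// authentication, independent of the universe's configuration.
+// Ensure the connection is established by calling the `Info` RPC
+// endpoint. This endpoint does not require authentication when the
+// universe server is configured to act as a proof courier.
 _, err = c.client.Info(ctx, &unirpc.InfoRequest{})
 if err != nil {
 // If we fail to connect, we'll close the connection and return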
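Review bot: The new comment above the `c.client.Info` call names only the proof-courier configuration, but in this same commit `taprpc/perms.go` also whitelists `/universerpc.Universe/Info` under `allowUniPublicAccessRead` and otherwise requires the `universe`/`read` permission. Because `Info` is no longer unconditionally whitelisted, a server with neither flag set will presumably reject this probe unless the client presents a macaroon, and the `err != nil` branch (which continues outside the hunk) would then report it as a connection failure. I would state that in the comment, e.g. `// Info is unauthenticated only if the server allows public universe reads or acts as a public proof courier; otherwise this probe fails without a macaroon.`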

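--- a/taprpc/perms.go
+++ b/taprpc/perms.go
@@ -183,6 +183,10 @@ var (
 Entity: "mint",
 Action: "read",
 }},
+"/universerpc.Universe/Info": {{
+Entity: "universe",
+Action: "read",
+}},
 "/universerpc.Universe/MultiverseRoot": {{
 Entity: "universe",
 Action: "read",
@@ -339,22 +343,10 @@ var (
 Entity: "mailbox",
 Action: "read",
 }},
-"/authmailboxrpc.Mailbox/MailboxInfo": {{}},
-}
-
-// defaultMacaroonWhitelist defines a default set of RPC endpoints that
-// don't require macaroons authentication.
-//
-// For now, these are the Universe related read/write methods. We permit
-// InsertProof as a valid proof requires an on-chain transaction, so we
-// gain a layer of DoS defense.
-defaultMacaroonWhitelist = map[string]struct{}{
-"/universerpc.Universe/AssetRoots": {},
-"/universerpc.Universe/QueryAssetRoots": {},
-"/universerpc.Universe/AssetLeafKeys": {},
-"/universerpc.Universe/AssetLeaves": {},
-"/universerpc.Universe/Info": {},
-"/authmailboxrpc.Mailbox/MailboxInfo": {},
+"/authmailboxrpc.Mailbox/MailboxInfo": {{
+Entity: "mailbox",
+Action: "read",
+}},
 }
 )
 
@@ -364,34 +356,63 @@ func MacaroonWhitelist(allowUniPublicAccessRead bool,
 allowUniPublicAccessWrite bool, allowPublicUniProofCourier bool,
 allowPublicStats bool) map[string]struct{} {
 
-// Make a copy of the default whitelist.
 whitelist := make(map[string]struct{})
-for k, v := range defaultMacaroonWhitelist {
-whitelist[k] = v
+
+// addEndpoints adds the given endpoints to the whitelist map.
+addEndpoints := func(endpoints ...string) {
+for _, endpoint := range endpoints {
+whitelist[endpoint] = struct{}{}
+}
 }
 
 // Conditionally whitelist universe server read methods.
-// nolint: lll
-if allowUniPublicAccessRead || allowPublicUniProofCourier {
-whitelist["/universerpc.Universe/QueryProof"] = struct{}{}
-whitelist["/universerpc.Universe/FetchSupplyCommit"] = struct{}{}
-whitelist["/universerpc.Universe/FetchSupplyLeaves"] = struct{}{}
-whitelist["/authmailboxrpc.Mailbox/ReceiveMessages"] = struct{}{}
+if allowUniPublicAccessRead {
+addEndpoints(
+"/universerpc.Universe/Info",
+
+"/universerpc.Universe/AssetRoots",
+"/universerpc.Universe/QueryAssetRoots",
+"/universerpc.Universe/AssetLeafKeys",
+"/universerpc.Universe/AssetLeaves",
+"/universerpc.Universe/QueryProof",
+
+"/universerpc.Universe/FetchSupplyCommit",
+"/universerpc.Universe/FetchSupplyLeaves",
+
+"/authmailboxrpc.Mailbox/MailboxInfo",
+"/authmailboxrpc.Mailbox/ReceiveMessages",
+)
 }
 
 // Conditionally whitelist universe server write methods.
-// nolint: lll
-if allowUniPublicAccessWrite || allowPublicUniProofCourier {
-whitelist["/universerpc.Universe/InsertProof"] = struct{}{}
-whitelist["/universerpc.Universe/InsertSupplyCommit"] = struct{}{}
-whitelist["/authmailboxrpc.Mailbox/SendMessage"] = struct{}{}
+if allowUniPublicAccessWrite {
+addEndpoints(
+"/universerpc.Universe/InsertProof",
+"/universerpc.Universe/InsertSupplyCommit",
+"/authmailboxrpc.Mailbox/SendMessage",
+)
 }
 
 // Conditionally add public stats RPC endpoints to the whitelist.
 if allowPublicStats {
-whitelist["/universerpc.Universe/QueryAssetStats"] = struct{}{}
-whitelist["/universerpc.Universe/UniverseStats"] = struct{}{}
-whitelist["/universerpc.Universe/QueryEvents"] = struct{}{}
+addEndpoints(
+"/universerpc.Universe/QueryAssetStats",
+"/universerpc.Universe/UniverseStats",
+"/universerpc.Universe/QueryEvents",
+)
+}
+
+// Conditionally whitelist public universe server proof courier methods.
+if allowPublicUniProofCourier {
+addEndpoints(
+"/universerpc.Universe/Info",
+"/universerpc.Universe/InsertProof",
+"/universerpc.Universe/QueryProof",
+
+"/authmailboxrpc.Mailbox/MailboxInfo",
+"/authmailboxrpc.Mailbox/SendMessage",
+"/authmailboxrpc.Mailbox/ReceiveMessages",
+)
 }
 
 return whitelist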
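Review bot: Nothing in this commit pins the sets that `MacaroonWhitelist` returns, although its four flag branches now fully decide which RPCs skip macaroon authentication; none of the three changed files is a test. A table-driven test asserting the exact whitelist per flag combination would catch an endpoint being exposed or dropped by a later edit. Two cases matter most: all flags false yields an empty map, and `allowPublicUniProofCourier` alone no longer exposes `FetchSupplyCommit`, `FetchSupplyLeaves` or `InsertSupplyCommit`. The removed comment on `defaultMacaroonWhitelist` was also the only place explaining why `InsertProof` may be called unauthenticated, so I would carry it over above the write and courier branches, e.g. `// InsertProof is permitted because a valid proof requires an on-chain transaction, which gives a layer of DoS defense.` The function's signature begins above this hunk.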
