multi: support wild card URIs

With this commit, a user can now specify a wild card URI of the form
"/frdrpc.FaradayServer/*" when specifying custom permissions for an LNC
session. This URI will then be expanded to include all permissions that
Lit knows about that falls under that URI.

Author: ellemouton

cmd/litcli/sessions.go

@@ -73,7 +73,11 @@ var addSessionCommand = cli.Command{
 				"this flag will only be used if the 'type' " +
 				"flag is set to 'custom'. This flag can be " +
 				"specified multiple times if multiple URIs " +
-				"should be included",
+				"should be included. Note that a wild-card " +
+				"URI can also be specified to include all " +
+				"URIs of a specific server, for example: " +
+				"'--uri=\"/poolrpc.Trader/*\"' will include " +
+				"all URIs that match this regex.",
 		},
 	},
 }

perms/permissions.go

@@ -2,6 +2,7 @@ package perms
 
 import (
 	"net"
+	"regexp"
 	"strings"
 	"sync"
 
@@ -80,6 +81,8 @@ var (
 		"RouterRPC":           true,
 		"WatchtowerClientRPC": true,
 	}
+
+	wildCardURIRegex = regexp.MustCompile(`/(\w+)\.(\w+)/\*`)
 )
 
 // subServerName is a name used to identify a particular Lit sub-server.
@@ -210,6 +213,36 @@ func (pm *Manager) URIPermissions(uri string) ([]bakery.Op, bool) {
 	return ops, ok
 }
 
+// ExpandWildCardURI first checks that the given URI is in-fact a wild card uri
+// that matches the wildCardURIRegex. If it is, then a new regex is created so
+// that it can be used to match on the perms that the manager has. Any
+// permission URI that matches the regex is returned. The return values are a
+// list of URIs that match the wild-card uri and the boolean represents whether
+// the given uri is in fact a wild card uri.
+func (pm *Manager) ExpandWildCardURI(wildCardUri string) ([]string, bool) {
+	pm.permsMu.RLock()
+	defer pm.permsMu.RUnlock()
+
+	if !wildCardURIRegex.MatchString(wildCardUri) {
+		return nil, false
+	}
+
+	r := regexp.MustCompile(
+		wildCardURIRegex.ReplaceAllString(wildCardUri, "/$1.$2/.*"),
+	)
+
+	var matches []string
+	for uri := range pm.perms {
+		if !r.MatchString(uri) {
+			continue
+		}
+
+		matches = append(matches, uri)
+	}
+
+	return matches, true
+}
+
 // ActivePermissions returns all the available active permissions that the
 // manager is aware of. Optionally, readOnly can be set to true if only the
 // read-only permissions should be returned.

perms/permissions_test.go

@@ -0,0 +1,69 @@
+package perms
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	"gopkg.in/macaroon-bakery.v2/bakery"
+)
+
+// TestExpandWildCardURI tests the behaviour of the ExpandWildCardURI method
+// of the Manager.
+func TestExpandWildCardURI(t *testing.T) {
+	// Construct a new Manager with a predefined list of perms. We include
+	// two faraday URIs and three Lit URIs.
+	m := &Manager{
+		perms: map[string][]bakery.Op{
+			"/frdrpc.FaradayServer/OutlierRecommendations": {{
+				Entity: "recommendation",
+				Action: "read",
+			}},
+			"/frdrpc.FaradayServer/ThresholdRecommendations": {{
+				Entity: "recommendation",
+				Action: "read",
+			}},
+			"/litrpc.Sessions/AddSession": {{
+				Entity: "sessions",
+				Action: "write",
+			}},
+			"/litrpc.Sessions/ListSessions": {{
+				Entity: "sessions",
+				Action: "read",
+			}},
+			"/litrpc.Sessions/RevokeSession": {{
+				Entity: "sessions",
+				Action: "write",
+			}},
+		},
+	}
+
+	// Assert that a full URI is not considered a wild card.
+	uris, isWild := m.ExpandWildCardURI("/litrpc.Sessions/RevokeSession")
+	require.False(t, isWild)
+	require.Empty(t, uris)
+
+	// Assert that the function correctly matches on a valid wild card for
+	// litrpc URIs.
+	uris, isWild = m.ExpandWildCardURI("/litrpc.Sessions/*")
+	require.True(t, isWild)
+	require.ElementsMatch(t, uris, []string{
+		"/litrpc.Sessions/AddSession",
+		"/litrpc.Sessions/ListSessions",
+		"/litrpc.Sessions/RevokeSession",
+	})
+
+	// Assert that the function correctly matches on a valid wild card for
+	// faraday URIs.
+	uris, isWild = m.ExpandWildCardURI("/frdrpc.FaradayServer/*")
+	require.True(t, isWild)
+	require.ElementsMatch(t, uris, []string{
+		"/frdrpc.FaradayServer/OutlierRecommendations",
+		"/frdrpc.FaradayServer/ThresholdRecommendations",
+	})
+
+	// Assert that the function does not return any URIs for a wild card
+	// URI that does not match on any of its perms.
+	uris, isWild = m.ExpandWildCardURI("/poolrpc.Trader/*")
+	require.True(t, isWild)
+	require.Empty(t, uris)
+}

session_rpcserver.go

@@ -143,18 +143,48 @@ func (s *sessionRpcServer) AddSession(_ context.Context,
 		}
 
 		for _, op := range req.MacaroonCustomPermissions {
-			if op.Entity == macaroons.PermissionEntityCustomURI {
-				_, ok := s.cfg.permMgr.URIPermissions(op.Action)
+			if op.Entity != macaroons.PermissionEntityCustomURI {
+				permissions = append(permissions, bakery.Op{
+					Entity: op.Entity,
+					Action: op.Action,
+				})
+
+				continue
+			}
+
+			// First check if this is a wildcard URI.
+			uris, isWildCard := s.cfg.permMgr.ExpandWildCardURI(
+				op.Action,
+			)
+			if !isWildCard {
+				// This is not a wild card URI, so just check
+				// that the permissions' manager is aware of
+				// this URI.
+				_, ok := s.cfg.permMgr.URIPermissions(
+					op.Action,
+				)
 				if !ok {
-					return nil, fmt.Errorf("URI %s is "+
-						"unknown to LiT", op.Action)
+					return nil, fmt.Errorf("URI "+
+						"%s is unknown to LiT",
+						op.Action)
 				}
+
+				permissions = append(permissions, bakery.Op{
+					Entity: op.Entity,
+					Action: op.Action,
+				})
+				continue
 			}
 
-			permissions = append(permissions, bakery.Op{
-				Entity: op.Entity,
-				Action: op.Action,
-			})
+			// Otherwise, if it is a wild card perm, then add each
+			// of the matching URIs returned from the permissions'
+			// manager.
+			for _, uri := range uris {
+				permissions = append(permissions, bakery.Op{
+					Entity: op.Entity,
+					Action: uri,
+				})
+			}
 		}
 
 	// No other types are currently supported.