lightninglabs
diff --git a/‎itest/litd_mode_integrated_test.go‎
Lines changed: 108 additions & 22 deletions b/‎itest/litd_mode_integrated_test.go‎
Lines changed: 108 additions & 22 deletions
diff --git a/‎itest/litd_mode_remote_test.go‎
Lines changed: 7 additions & 5 deletions b/‎itest/litd_mode_remote_test.go‎
Lines changed: 7 additions & 5 deletions
@@ -102,6 +102,17 @@ var (
 	lndMacaroonFn = func(cfg *LitNodeConfig) string {
 		return cfg.AdminMacPath
 	}
+	lnrpcStateRequestFn = func(ctx context.Context,
+		c grpc.ClientConnInterface) (proto.Message, error) {
+
+		lnrpcConn := lnrpc.NewStateClient(c)
+		return lnrpcConn.GetState(
+			ctx, &lnrpc.GetStateRequest{},
+		)
+	}
+	emptyMacaroonFn = func(_ *LitNodeConfig) string {
+		return ""
+	}
 	routerrpcRequestFn = func(ctx context.Context,
 		c grpc.ClientConnInterface) (proto.Message, error) {
 
@@ -196,6 +207,9 @@ var (
 		restWebURI        string
 		restPOST          bool
 		canDisable        bool
+
+		// noAuth is true if the call does not require a macaroon.
+		noAuth bool
 	}{{
 		name:              "lnrpc",
 		macaroonFn:        lndMacaroonFn,
@@ -204,6 +218,15 @@ var (
 		allowedThroughLNC: true,
 		grpcWebURI:        "/lnrpc.Lightning/GetInfo",
 		restWebURI:        "/v1/getinfo",
+	}, {
+		name:              "lnrpc-whitelist",
+		macaroonFn:        emptyMacaroonFn,
+		requestFn:         lnrpcStateRequestFn,
+		successPattern:    "\"state\":",
+		allowedThroughLNC: true,
+		grpcWebURI:        "/lnrpc.State/GetState",
+		restWebURI:        "/v1/state",
+		noAuth:            true,
 	}, {
 		name:              "routerrpc",
 		macaroonFn:        lndMacaroonFn,
@@ -408,6 +431,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 				runGRPCAuthTest(
 					ttt, cfg.RPCAddr(), cfg.TLSCertPath,
 					endpoint.macaroonFn(cfg),
+					endpoint.noAuth,
 					endpoint.requestFn,
 					endpoint.successPattern,
 					endpointDisabled,
@@ -419,6 +443,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 				runGRPCAuthTest(
 					ttt, cfg.LitAddr(), cfg.LitTLSCertPath,
 					endpoint.macaroonFn(cfg),
+					endpoint.noAuth,
 					endpoint.requestFn,
 					endpoint.successPattern,
 					endpointDisabled,
@@ -441,6 +466,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 				runUIPasswordCheck(
 					ttt, cfg.RPCAddr(), cfg.TLSCertPath,
 					cfg.UIPassword, endpoint.requestFn,
+					endpoint.noAuth,
 					true, endpoint.successPattern,
 					endpointDisabled,
 					"Unimplemented desc = unknown service",
@@ -456,6 +482,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 				runUIPasswordCheck(
 					ttt, cfg.LitAddr(), cfg.LitTLSCertPath,
 					cfg.UIPassword, endpoint.requestFn,
+					endpoint.noAuth,
 					shouldFailWithoutMacaroon,
 					endpoint.successPattern,
 					endpointDisabled,
@@ -486,7 +513,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 					endpoint.grpcWebURI,
 					withoutUIPassword, endpointDisabled,
 					"unknown permissions required for "+
-						"method",
+						"method", endpoint.noAuth,
 				)
 			})
 		}
@@ -510,7 +537,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 			tt.Run(endpoint.name+" lnd port", func(ttt *testing.T) {
 				runGRPCAuthTest(
 					ttt, cfg.RPCAddr(), cfg.TLSCertPath,
-					superMacFile,
+					superMacFile, endpoint.noAuth,
 					endpoint.requestFn,
 					endpoint.successPattern,
 					endpointDisabled,
@@ -521,7 +548,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 			tt.Run(endpoint.name+" lit port", func(ttt *testing.T) {
 				runGRPCAuthTest(
 					ttt, cfg.LitAddr(), cfg.LitTLSCertPath,
-					superMacFile,
+					superMacFile, endpoint.noAuth,
 					endpoint.requestFn,
 					endpoint.successPattern,
 					endpointDisabled,
@@ -548,6 +575,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 					endpoint.successPattern,
 					endpoint.restPOST,
 					withoutUIPassword, endpointDisabled,
+					endpoint.noAuth,
 				)
 			})
 		}
@@ -578,7 +606,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 					endpoint.successPattern,
 					endpoint.allowedThroughLNC,
 					"unknown service",
-					endpointDisabled,
+					endpointDisabled, endpoint.noAuth,
 				)
 			})
 		}
@@ -644,7 +672,7 @@ func integratedTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 					ttt, rawLNCConn, endpoint.requestFn,
 					endpoint.successPattern,
 					allowed, "permission denied",
-					endpointDisabled,
+					endpointDisabled, endpoint.noAuth,
 				)
 			})
 		}
@@ -709,7 +737,7 @@ func runCertificateCheck(t *testing.T, node *HarnessNode) {
 
 // runGRPCAuthTest tests authentication of the given gRPC interface.
 func runGRPCAuthTest(t *testing.T, hostPort, tlsCertPath, macPath string,
-	makeRequest requestFn, successContent string, disabled bool,
+	noMac bool, makeRequest requestFn, successContent string, disabled bool,
 	disabledErr string) {
 
 	ctxb := context.Background()
@@ -720,6 +748,21 @@ func runGRPCAuthTest(t *testing.T, hostPort, tlsCertPath, macPath string,
 	require.NoError(t, err)
 	defer rawConn.Close()
 
+	if noMac {
+		resp, err := makeRequest(ctxt, rawConn)
+		if disabled {
+			require.ErrorContains(t, err, disabledErr)
+			return
+		}
+		require.NoError(t, err)
+
+		json, err := marshalOptions.Marshal(resp)
+		require.NoError(t, err)
+		require.Contains(t, string(json), successContent)
+
+		return
+	}
+
 	// We have a connection without any macaroon. A call should fail.
 	_, err = makeRequest(ctxt, rawConn)
 	if disabled {
@@ -772,7 +815,7 @@ func runGRPCAuthTest(t *testing.T, hostPort, tlsCertPath, macPath string,
 
 // runUIPasswordCheck tests UI password authentication.
 func runUIPasswordCheck(t *testing.T, hostPort, tlsCertPath, uiPassword string,
-	makeRequest requestFn, shouldFailWithoutMacaroon bool,
+	makeRequest requestFn, noAuth, shouldFailWithoutMacaroon bool,
 	successContent string, disabled bool, disabledErr string) {
 
 	ctxb := context.Background()
@@ -783,11 +826,21 @@ func runUIPasswordCheck(t *testing.T, hostPort, tlsCertPath, uiPassword string,
 	require.NoError(t, err)
 	defer rawConn.Close()
 
-	// Make sure that a call without any metadata results in an error.
-	_, err = makeRequest(ctxt, rawConn)
-	if disabled {
+	// Make sure that a call without any metadata results in an error unless
+	// this is a call that is allowed to be un-authenticated in which case
+	// we expect it to succeed.
+	resp, err := makeRequest(ctxt, rawConn)
+	switch {
+	case disabled:
 		require.ErrorContains(t, err, disabledErr)
-	} else {
+	case noAuth:
+		require.NoError(t, err)
+		json, err := marshalOptions.Marshal(resp)
+		require.NoError(t, err)
+		require.Contains(t, string(json), successContent)
+
+		return
+	default:
 		require.ErrorContains(t, err, "expected 1 macaroon, got 0")
 	}
 
@@ -826,7 +879,7 @@ func runUIPasswordCheck(t *testing.T, hostPort, tlsCertPath, uiPassword string,
 	// Using the correct UI password should work for all requests unless the
 	// request is for a disabled sub-server.
 	ctxm = uiPasswordContext(ctxt, uiPassword, false)
-	resp, err := makeRequest(ctxm, rawConn)
+	resp, err = makeRequest(ctxm, rawConn)
 
 	// On lnd's gRPC interface we don't support using the UI password.
 	if shouldFailWithoutMacaroon {
@@ -898,7 +951,8 @@ func runIndexPageCheck(t *testing.T, hostPort string, uiDisabled bool) {
 
 // runGRPCWebAuthTest tests authentication of the given gRPC interface.
 func runGRPCWebAuthTest(t *testing.T, hostPort, uiPassword, grpcWebURI string,
-	shouldFailWithUIPassword, disabled bool, disableErr string) {
+	shouldFailWithUIPassword, disabled bool, disableErr string,
+	noAuth bool) {
 
 	basicAuth := base64.StdEncoding.EncodeToString(
 		[]byte(fmt.Sprintf("%s:%s", uiPassword, uiPassword)),
@@ -911,15 +965,26 @@ func runGRPCWebAuthTest(t *testing.T, hostPort, uiPassword, grpcWebURI string,
 
 	url := fmt.Sprintf("https://%s%s", hostPort, grpcWebURI)
 
-	// First test a grpc-web call without authorization, which should fail.
-	_, responseHeader, err := postURL(url, emptyGrpcWebRequest, header)
+	// First test a grpc-web call without authorization, which should fail
+	// unless this call does not require authentication.
+	body, responseHeader, err := postURL(url, emptyGrpcWebRequest, header)
 	require.NoError(t, err)
 
-	if disabled {
+	switch {
+	case disabled:
 		require.Contains(
 			t, responseHeader.Get("grpc-message"), disableErr,
 		)
-	} else {
+
+	case noAuth:
+		require.Empty(t, responseHeader.Get("grpc-message"))
+		require.Empty(t, responseHeader.Get("grpc-status"))
+
+		// We get the status encoded as trailer in the response.
+		require.Contains(t, body, "grpc-status: 0")
+
+		return
+	default:
 		require.Equal(
 			t, "expected 1 macaroon, got 0",
 			responseHeader.Get("grpc-message"),
@@ -933,7 +998,7 @@ func runGRPCWebAuthTest(t *testing.T, hostPort, uiPassword, grpcWebURI string,
 
 	// Now add the basic auth and try again.
 	header["authorization"] = []string{fmt.Sprintf("Basic %s", basicAuth)}
-	body, responseHeader, err := postURL(url, emptyGrpcWebRequest, header)
+	body, responseHeader, err = postURL(url, emptyGrpcWebRequest, header)
 	require.NoError(t, err)
 
 	if shouldFailWithUIPassword {
@@ -968,7 +1033,7 @@ func runGRPCWebAuthTest(t *testing.T, hostPort, uiPassword, grpcWebURI string,
 // runRESTAuthTest tests authentication of the given REST interface.
 func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
 	successPattern string, usePOST, shouldFailWithUIPassword,
-	disabled bool) {
+	disabled, noMac bool) {
 
 	basicAuth := base64.StdEncoding.EncodeToString(
 		[]byte(fmt.Sprintf("%s:%s", uiPassword, uiPassword)),
@@ -983,7 +1048,9 @@ func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
 		method = "POST"
 	}
 
-	// First test a REST call without authorization, which should fail.
+	// First test a REST call without authorization, which should fail
+	// unless this is a call for an endpoint that does not require
+	// authorization.
 	body, responseHeader, err := callURL(url, method, nil, nil, false)
 	require.NoError(t, err)
 
@@ -992,6 +1059,11 @@ func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
 		responseHeader.Get("content-type"),
 	)
 
+	if noMac {
+		require.Contains(t, body, successPattern)
+		return
+	}
+
 	if disabled {
 		require.Empty(
 			t, responseHeader.Get("grpc-metadata-content-type"),
@@ -1021,7 +1093,6 @@ func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
 
 	default:
 		require.Contains(t, body, successPattern)
-
 	}
 
 	// And finally, try with the given macaroon.
@@ -1049,7 +1120,7 @@ func runRESTAuthTest(t *testing.T, hostPort, uiPassword, macaroonPath, restURI,
 // through Lightning Node Connect.
 func runLNCAuthTest(t *testing.T, rawLNCConn grpc.ClientConnInterface,
 	makeRequest requestFn, successContent string, callAllowed bool,
-	expectErrContains string, disabled bool) {
+	expectErrContains string, disabled, noMac bool) {
 
 	ctxt, cancel := context.WithTimeout(
 		context.Background(), defaultTimeout,
@@ -1062,6 +1133,21 @@ func runLNCAuthTest(t *testing.T, rawLNCConn grpc.ClientConnInterface,
 	// macaroon permissions properly set up).
 	resp, err := makeRequest(ctxt, rawLNCConn)
 
+	if noMac {
+		if disabled {
+			require.ErrorContains(t, err, "unknown gRPC web "+
+				"request")
+			return
+		}
+		require.NoError(t, err)
+
+		json, err := marshalOptions.Marshal(resp)
+		require.NoError(t, err)
+		require.Contains(t, string(json), successContent)
+
+		return
+	}
+
 	// Is this a disallowed call?
 	if !callAllowed {
 		if disabled {
 
@@ -63,6 +63,7 @@ func remoteTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 				runGRPCAuthTest(
 					ttt, cfg.LitAddr(), cfg.LitTLSCertPath,
 					endpoint.macaroonFn(cfg),
+					endpoint.noAuth,
 					endpoint.requestFn,
 					endpoint.successPattern,
 					endpointEnabled,
@@ -90,6 +91,7 @@ func remoteTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 				runUIPasswordCheck(
 					ttt, cfg.LitAddr(), cfg.LitTLSCertPath,
 					cfg.UIPassword, endpoint.requestFn,
+					endpoint.noAuth,
 					shouldFailWithoutMacaroon,
 					endpoint.successPattern,
 					endpointEnabled,
@@ -118,7 +120,7 @@ func remoteTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 					endpoint.grpcWebURI, withoutUIPassword,
 					endpointEnabled,
 					"unknown permissions required for "+
-						"method",
+						"method", endpoint.noAuth,
 				)
 			})
 		}
@@ -142,7 +144,7 @@ func remoteTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 			tt.Run(endpoint.name+" lit port", func(ttt *testing.T) {
 				runGRPCAuthTest(
 					ttt, cfg.LitAddr(), cfg.LitTLSCertPath,
-					superMacFile,
+					superMacFile, endpoint.noAuth,
 					endpoint.requestFn,
 					endpoint.successPattern,
 					endpointEnabled,
@@ -168,7 +170,7 @@ func remoteTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 					endpoint.restWebURI,
 					endpoint.successPattern,
 					endpoint.restPOST, withoutUIPassword,
-					endpointDisabled,
+					endpointDisabled, endpoint.noAuth,
 				)
 			})
 		}
@@ -199,7 +201,7 @@ func remoteTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 					endpoint.successPattern,
 					endpoint.allowedThroughLNC,
 					"unknown service",
-					endpointDisabled,
+					endpointDisabled, endpoint.noAuth,
 				)
 			})
 		}
@@ -244,7 +246,7 @@ func remoteTestSuite(ctx context.Context, net *NetworkHarness, t *testing.T,
 					ttt, rawLNCConn, endpoint.requestFn,
 					endpoint.successPattern,
 					allowed, "permission denied",
-					endpointDisabled,
+					endpointDisabled, endpoint.noAuth,
 				)
 			})
 		}