session_rpcserver: allow sessions with custom permissions

ellemouton · ellemouton · commit d7650ac8993c · 2022-10-25T13:53:41.000+02:00
diff --git a/session_rpcserver.go b/session_rpcserver.go
@@ -11,7 +11,9 @@ import (
 	"github.com/lightninglabs/lightning-node-connect/mailbox"
 	"github.com/lightninglabs/lightning-terminal/litrpc"
 	"github.com/lightninglabs/lightning-terminal/session"
+	"github.com/lightningnetwork/lnd/macaroons"
 	"google.golang.org/grpc"
+	"gopkg.in/macaroon-bakery.v2/bakery"
 	"gopkg.in/macaroon-bakery.v2/bakery/checkers"
 	"gopkg.in/macaroon.v2"
 )
@@ -124,15 +126,40 @@ func (s *sessionRpcServer) AddSession(_ context.Context,
 	}
 
 	if typ != session.TypeMacaroonAdmin &&
-		typ != session.TypeMacaroonReadonly {
+		typ != session.TypeMacaroonReadonly &&
+		typ != session.TypeMacaroonCustom {
 
-		return nil, fmt.Errorf("invalid session type, only admin " +
-			"and readonly macaroon types supported in LiT")
+		return nil, fmt.Errorf("invalid session type, only admin, " +
+			"readonly and custom macaroon types supported in LiT")
+	}
+
+	var perms []bakery.Op
+	if typ == session.TypeMacaroonCustom {
+		if len(req.MacaroonCustomPermissions) == 0 {
+			return nil, fmt.Errorf("custom macaroon " +
+				"permissions must be specified for the " +
+				"custom macaroon session type")
+		}
+
+		for _, op := range req.MacaroonCustomPermissions {
+			if op.Entity == macaroons.PermissionEntityCustomURI {
+				_, ok := s.cfg.permMgr.URIPermissions(op.Action)
+				if !ok {
+					return nil, fmt.Errorf("URI %s is "+
+						"unknown to LiT", op.Action)
+				}
+			}
+
+			perms = append(perms, bakery.Op{
+				Entity: op.Entity,
+				Action: op.Action,
+			})
+		}
 	}
 
 	sess, err := session.NewSession(
 		req.Label, typ, expiry, req.MailboxServerAddr, req.DevServer,
-		nil, nil,
+		perms, nil,
 	)
 	if err != nil {
 		return nil, fmt.Errorf("error creating new session: %v", err)
@@ -185,16 +212,17 @@ func (s *sessionRpcServer) resumeSession(sess *session.Session) error {
 	}
 
 	if sess.Type != session.TypeMacaroonAdmin &&
-		sess.Type != session.TypeMacaroonReadonly {
+		sess.Type != session.TypeMacaroonReadonly &&
+		sess.Type != session.TypeMacaroonCustom {
 
 		log.Debugf("Not resuming session %x with type %d", pubKeyBytes,
 			sess.Type)
 		return nil
 	}
 
 	var (
-		caveats  []macaroon.Caveat
-		readOnly = sess.Type == session.TypeMacaroonReadonly
+		caveats []macaroon.Caveat
+		perms   []bakery.Op
 	)
 
 	// Add the session expiry as a macaroon caveat.
@@ -203,10 +231,17 @@ func (s *sessionRpcServer) resumeSession(sess *session.Session) error {
 		Id: []byte(macExpiry.Condition),
 	})
 
+	if sess.Type == session.TypeMacaroonCustom {
+		perms = sess.MacaroonRecipe.Permissions
+	} else {
+		readOnly := sess.Type == session.TypeMacaroonReadonly
+		perms = s.cfg.permMgr.ActivePermissions(readOnly)
+	}
+
 	mac, err := s.cfg.superMacBaker(
 		context.Background(), sess.MacaroonRootKey,
 		&session.MacaroonRecipe{
-			Permissions: s.cfg.permMgr.ActivePermissions(readOnly),
+			Permissions: perms,
 			Caveats:     caveats,
 		},
 	)
@@ -380,21 +415,43 @@ func marshalRPCSession(sess *session.Session) (*litrpc.Session, error) {
 		return nil, err
 	}
 
+	var customPerms []*litrpc.MacaroonPermission
+	if sess.MacaroonRecipe != nil {
+		customPerms = marshalRPCCustomPerms(
+			sess.MacaroonRecipe.Permissions,
+		)
+	}
+
 	return &litrpc.Session{
-		Label:                  sess.Label,
-		SessionState:           rpcState,
-		SessionType:            rpcType,
-		ExpiryTimestampSeconds: uint64(sess.Expiry.Unix()),
-		MailboxServerAddr:      sess.ServerAddr,
-		DevServer:              sess.DevServer,
-		PairingSecret:          sess.PairingSecret[:],
-		PairingSecretMnemonic:  strings.Join(mnemonic[:], " "),
-		LocalPublicKey:         sess.LocalPublicKey.SerializeCompressed(),
-		RemotePublicKey:        remotePubKey,
-		CreatedAt:              uint64(sess.CreatedAt.Unix()),
+		Label:                     sess.Label,
+		SessionState:              rpcState,
+		SessionType:               rpcType,
+		ExpiryTimestampSeconds:    uint64(sess.Expiry.Unix()),
+		MailboxServerAddr:         sess.ServerAddr,
+		DevServer:                 sess.DevServer,
+		PairingSecret:             sess.PairingSecret[:],
+		PairingSecretMnemonic:     strings.Join(mnemonic[:], " "),
+		LocalPublicKey:            sess.LocalPublicKey.SerializeCompressed(),
+		RemotePublicKey:           remotePubKey,
+		CreatedAt:                 uint64(sess.CreatedAt.Unix()),
+		MacaroonCustomPermissions: customPerms,
 	}, nil
 }
 
+// marshalRPCCustomPerms converts a list of macaroon permissions into their RPC
+// counterpart.
+func marshalRPCCustomPerms(ops []bakery.Op) []*litrpc.MacaroonPermission {
+	rpcOps := make([]*litrpc.MacaroonPermission, len(ops))
+	for i, op := range ops {
+		rpcOps[i] = &litrpc.MacaroonPermission{
+			Entity: op.Entity,
+			Action: op.Action,
+		}
+	}
+
+	return rpcOps
+}
+
 // marshalRPCState converts a session state to its RPC counterpart.
 func marshalRPCState(state session.State) (litrpc.SessionState, error) {
 	switch state {
