lnbits-legend/lnbits/wallets/macaroon/macaroon.py

import base64
import getpass
from hashlib import md5

from Cryptodome import Random
from Cryptodome.Cipher import AES
from loguru import logger

BLOCK_SIZE = 16


def load_macaroon(macaroon: str) -> str:
    """Returns hex version of a macaroon encoded in base64 or the file path.

    :param macaroon: Macaroon encoded in base64 or file path.
    :type macaroon: str
    :return: Hex version of macaroon.
    :rtype: str
    """

    # if the macaroon is a file path, load it and return hex version
    if macaroon.split(".")[-1] == "macaroon":
        with open(macaroon, "rb") as f:
            macaroon_bytes = f.read()
            return macaroon_bytes.hex()
    else:
        # if macaroon is a provided string
        # check if it is hex, if so, return
        try:
            bytes.fromhex(macaroon)
            return macaroon
        except ValueError:
            pass
        # convert the bas64 macaroon to hex
        try:
            macaroon = base64.b64decode(macaroon).hex()
        except Exception:
            pass
    return macaroon


# todo: move to its own (crypto.py) file
class AESCipher:
    """This class is compatible with crypto-js/aes.js

    Encrypt and decrypt in Javascript using:
        import AES from "crypto-js/aes.js";
        import Utf8 from "crypto-js/enc-utf8.js";
        AES.encrypt(decrypted, password).toString()
        AES.decrypt(encrypted, password).toString(Utf8);

    """

    def __init__(self, key=None, description=""):
        self.key = key
        self.description = description + " "

    def pad(self, data):
        length = BLOCK_SIZE - (len(data) % BLOCK_SIZE)
        return data + (chr(length) * length).encode()

    def unpad(self, data):
        return data[: -(data[-1] if isinstance(data[-1], int) else ord(data[-1]))]

    @property
    def passphrase(self):
        passphrase = self.key if self.key is not None else None
        if passphrase is None:
            passphrase = getpass.getpass(f"Enter {self.description}password:")
        return passphrase

    def bytes_to_key(self, data, salt, output=48):
        # extended from https://gist.github.com/gsakkis/4546068
        assert len(salt) == 8, len(salt)
        data += salt
        key = md5(data).digest()
        final_key = key
        while len(final_key) < output:
            key = md5(key + data).digest()
            final_key += key
        return final_key[:output]

    def decrypt(self, encrypted: str) -> str:  # type: ignore
        """Decrypts a string using AES-256-CBC."""
        passphrase = self.passphrase
        encrypted = base64.b64decode(encrypted)  # type: ignore
        assert encrypted[0:8] == b"Salted__"
        salt = encrypted[8:16]
        key_iv = self.bytes_to_key(passphrase.encode(), salt, 32 + 16)
        key = key_iv[:32]
        iv = key_iv[32:]
        aes = AES.new(key, AES.MODE_CBC, iv)
        try:
            return self.unpad(aes.decrypt(encrypted[16:])).decode()  # type: ignore
        except UnicodeDecodeError:
            raise ValueError("Wrong passphrase")

    def encrypt(self, message: bytes) -> str:
        passphrase = self.passphrase
        salt = Random.new().read(8)
        key_iv = self.bytes_to_key(passphrase.encode(), salt, 32 + 16)
        key = key_iv[:32]
        iv = key_iv[32:]
        aes = AES.new(key, AES.MODE_CBC, iv)
        return base64.b64encode(
            b"Salted__" + salt + aes.encrypt(self.pad(message))
        ).decode()


# if this file is executed directly, ask for a macaroon and encrypt it
if __name__ == "__main__":
    macaroon = input("Enter macaroon: ")
    macaroon = load_macaroon(macaroon)
    macaroon = AESCipher(description="encryption").encrypt(macaroon.encode())
    logger.info("Encrypted macaroon:")
    logger.info(macaroon)
Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00			`import base64`
			`import getpass`
`make format` everything (#743) 2022-07-16 14:23:03 +02:00			`from hashlib import md5`
Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00
`make format` everything (#743) 2022-07-16 14:23:03 +02:00			`from Cryptodome import Random`
			`from Cryptodome.Cipher import AES`
Logging with loguru (#708) * logging * requirements * add loguru dependency * restore it * add loguru * set log level in .env file * remove service fee print * set log level * more logging * more logging * more logging * pyament.checking_id * fix 2022-07-07 14:30:16 +02:00			`from loguru import logger`

Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00			`BLOCK_SIZE = 16`
black formating 2022-06-01 14:53:05 +02:00
Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00
			`def load_macaroon(macaroon: str) -> str:`
black formating 2022-06-01 14:53:05 +02:00			`"""Returns hex version of a macaroon encoded in base64 or the file path.`
Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00
			`:param macaroon: Macaroon encoded in base64 or file path.`
			`:type macaroon: str`
			`:return: Hex version of macaroon.`
			`:rtype: str`
			`"""`

Wallets: add cln-rest (#1775) * receive and pay works * fix linter issues * import Paymentstatus from core.models * fix test real payment * fix get_payment_status check in lnbits * fix tests? * simplify * refactor AsyncClient * inline import of get_wallet_class fixes the previous cyclic import * invoice stream working * add notes as a reminder to get rid of labels when cln-rest supports payment_hash * create Payment dummy classmethod * remove unnecessary fields from dummy * fixes tests? * fix model * fix cln bug (#1814) * auth header * rename cln to corelightning * add clnrest to admin_ui * add to clnrest allowed sources * add allowed sources to .env.example * allow macaroon files * add corelightning rest to workflow * proper env names * cleanup routine * log wallet connection errors and fix macaroon clnrest * print error on connection fails * clnrest: handle disconnects faster * fix test use of get_payment_status * make format * clnrest: add unhashed_description * add unhashed_description to test * description_hash test * unhashed_description not supported by clnrest * fix checking_id return in api_payments_create_invoice * refactor test to use client instead of api_payments * formatting, some errorlogging * fix test 1 * fix other tests, paid statuses was missing * error handling * revert unnecessary changes (#1854) * apply review of motorina0 --------- Co-authored-by: jackstar12 <jkranawetter05@gmail.com> Co-authored-by: jackstar12 <62219658+jackstar12@users.noreply.github.com> Co-authored-by: dni ⚡ <office@dnilabs.com> 2023-08-23 08:59:39 +02:00			`# if the macaroon is a file path, load it and return hex version`
Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00			`if macaroon.split(".")[-1] == "macaroon":`
			`with open(macaroon, "rb") as f:`
			`macaroon_bytes = f.read()`
			`return macaroon_bytes.hex()`
			`else:`
Wallets: add cln-rest (#1775) * receive and pay works * fix linter issues * import Paymentstatus from core.models * fix test real payment * fix get_payment_status check in lnbits * fix tests? * simplify * refactor AsyncClient * inline import of get_wallet_class fixes the previous cyclic import * invoice stream working * add notes as a reminder to get rid of labels when cln-rest supports payment_hash * create Payment dummy classmethod * remove unnecessary fields from dummy * fixes tests? * fix model * fix cln bug (#1814) * auth header * rename cln to corelightning * add clnrest to admin_ui * add to clnrest allowed sources * add allowed sources to .env.example * allow macaroon files * add corelightning rest to workflow * proper env names * cleanup routine * log wallet connection errors and fix macaroon clnrest * print error on connection fails * clnrest: handle disconnects faster * fix test use of get_payment_status * make format * clnrest: add unhashed_description * add unhashed_description to test * description_hash test * unhashed_description not supported by clnrest * fix checking_id return in api_payments_create_invoice * refactor test to use client instead of api_payments * formatting, some errorlogging * fix test 1 * fix other tests, paid statuses was missing * error handling * revert unnecessary changes (#1854) * apply review of motorina0 --------- Co-authored-by: jackstar12 <jkranawetter05@gmail.com> Co-authored-by: jackstar12 <62219658+jackstar12@users.noreply.github.com> Co-authored-by: dni ⚡ <office@dnilabs.com> 2023-08-23 08:59:39 +02:00			`# if macaroon is a provided string`
			`# check if it is hex, if so, return`
			`try:`
			`bytes.fromhex(macaroon)`
			`return macaroon`
			`except ValueError:`
			`pass`
Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00			`# convert the bas64 macaroon to hex`
			`try:`
			`macaroon = base64.b64decode(macaroon).hex()`
[CHORE] E722 bare exception fix (#1871) * [CHORE] E722 bare exception fix remove all bare exceptions from codebase and change it in `.flake8` 2023-08-16 12:17:54 +02:00			`except Exception:`
Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00			`pass`
			`return macaroon`

black formating 2022-06-01 14:53:05 +02:00
[FEAT] Auth, Login, OAuth, create account with username and password #1653 (#2092) no more superuser url! delete cookie on logout add usr login feature fix node management * Cleaned up login form * CreateUser * information leak * cleaner parsing usr from url * rename decorators * login secret * fix: add back `superuser` command * chore: remove `fastapi_login` * fix: extract `token` from cookie * chore: prepare to extract user * feat: check user * chore: code clean-up * feat: happy flow working * fix: usr only login * fix: user already logged in * feat: check user in URL * fix: verify password at DB level * fix: do not show `Login` controls if user already logged in * fix: separate login endpoints * fix: remove `usr` param * chore: update error message * refactor: register method * feat: logout * chore: move comments * fix: remove user auth check from API * fix: user check unnecessary * fix: redirect after logout * chore: remove garbage files * refactor: simplify constructor call * fix: hide user icon if not authorized * refactor: rename auth env vars * chore: code clean-up * fix: add types for `python-jose` * fix: add types for `passlib` * fix: return type * feat: set default value for `auth_secret_key` to hash of super user * fix: default value * feat: rework login page * feat: ui polishing * feat: google auth * feat: add google auth * chore: remove `authlib` dependency * refactor: extract `_handle_sso_login` method * refactor: convert methods to `properties` * refactor: rename: `user_api` to `auth_api` * feat: store user info from SSO * chore: re-arange the buttons * feat: conditional rendering of login options * feat: correctly render buttons * fix: re-add `Claim Bitcoin` from the main page * fix: create wallet must send new user * fix: no `username-password` auth method * refactor: rename auth method * fix: do not force API level UUID4 validation * feat: add validation for username * feat: add account page * feat: update account * feat: add `has_password` for user * fix: email not editable * feat: validate email for existing account * fix: register check * feat: reset password * chore: code clean-up * feat: handle token expired * fix: only redirect if `text/html` * refactor: remove `OAuth2PasswordRequestForm` * chore: remove `python-multipart` dependency * fix: handle no headers for exception * feat: add back button on error screen * feat: show user profile image * fix: check account creation permissions * fix: auth for internal api call * chore: add some docs * chore: code clean-up * fix: rebase stuff * fix: default value types * refactor: customize error messages * fix: move types libs to dev dependencies * doc: specify the `Authorization callback URL` * fix: pass missing superuser id in node ui test * fix: keep usr param on wallet redirect removing usr param causes an issue if the browser doesnt yet have an access token. * fix: do not redirect if `wal` query param not present * fix: add nativeBuildInputs and buildInputs overrides to flake.nix * bump fastapi-sso to 0.9.0 which fixes some security issues * refactor: move the `lnbits_admin_extensions` to decorators * chore: bring package config from `dev` * chore: re-add dependencies * chore: re-add cev dependencies * chore: re-add mypy ignores * feat: i18n * refactor: move admin ext check to decorator (fix after rebase) * fix: label mapping * fix: re-fetch user after first wallet was created * fix: unlikely case that `user` is not found * refactor translations (move '' to code) reorganize deps in pyproject.toml, add comment * update flake.lock and simplify flake.nix after upstreaming overrides for fastapi-sso, types-passlib, types-pyasn1, types-python-jose were upstreamed in https://github.com/nix-community/poetry2nix/pull/1463 * fix: more relaxed email verification (by @prusnak) * fix: remove `\b` (boundaries) since we re using `fullmatch` * chore: `make bundle` --------- Co-authored-by: dni ⚡ <office@dnilabs.com> Co-authored-by: Arc <ben@arc.wales> Co-authored-by: jackstar12 <jkranawetter05@gmail.com> Co-authored-by: Pavol Rusnak <pavol@rusnak.io> 2023-12-12 12:38:19 +02:00			`# todo: move to its own (crypto.py) file`
fix pylint R0205 (useless-object-inheritance) 2023-01-21 12:09:10 +00:00			`class AESCipher:`
Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00			`"""This class is compatible with crypto-js/aes.js`

			`Encrypt and decrypt in Javascript using:`
			`import AES from "crypto-js/aes.js";`
			`import Utf8 from "crypto-js/enc-utf8.js";`
			`AES.encrypt(decrypted, password).toString()`
			`AES.decrypt(encrypted, password).toString(Utf8);`

			`"""`
black formating 2022-06-01 14:53:05 +02:00
Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00			`def __init__(self, key=None, description=""):`
			`self.key = key`
			`self.description = description + " "`

			`def pad(self, data):`
			`length = BLOCK_SIZE - (len(data) % BLOCK_SIZE)`
			`return data + (chr(length) * length).encode()`

			`def unpad(self, data):`
[CHORE] flake8 issues E402, E721 and F821 (#1874) * F821: undefine name disabled and logged webhook_listener for opennode and lnpay because they are obviously not working * E402: module level import not at top of file * E721 fixes, only popped up for python3.9 not 3.10 2023-08-16 12:22:14 +02:00			`return data[: -(data[-1] if isinstance(data[-1], int) else ord(data[-1]))]`
Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00
			`@property`
			`def passphrase(self):`
			`passphrase = self.key if self.key is not None else None`
			`if passphrase is None:`
			`passphrase = getpass.getpass(f"Enter {self.description}password:")`
			`return passphrase`

			`def bytes_to_key(self, data, salt, output=48):`
			`# extended from https://gist.github.com/gsakkis/4546068`
			`assert len(salt) == 8, len(salt)`
			`data += salt`
			`key = md5(data).digest()`
			`final_key = key`
			`while len(final_key) < output:`
			`key = md5(key + data).digest()`
			`final_key += key`
			`return final_key[:output]`

blacked 2022-07-26 10:10:07 +02:00			`def decrypt(self, encrypted: str) -> str: # type: ignore`
black formating 2022-06-01 14:53:05 +02:00			`"""Decrypts a string using AES-256-CBC."""`
Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00			`passphrase = self.passphrase`
blacked 2022-07-26 10:10:07 +02:00			`encrypted = base64.b64decode(encrypted) # type: ignore`
Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00			`assert encrypted[0:8] == b"Salted__"`
			`salt = encrypted[8:16]`
			`key_iv = self.bytes_to_key(passphrase.encode(), salt, 32 + 16)`
			`key = key_iv[:32]`
			`iv = key_iv[32:]`
			`aes = AES.new(key, AES.MODE_CBC, iv)`
			`try:`
blacked 2022-07-26 10:10:07 +02:00			`return self.unpad(aes.decrypt(encrypted[16:])).decode() # type: ignore`
Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00			`except UnicodeDecodeError:`
			`raise ValueError("Wrong passphrase")`

			`def encrypt(self, message: bytes) -> str:`
			`passphrase = self.passphrase`
			`salt = Random.new().read(8)`
			`key_iv = self.bytes_to_key(passphrase.encode(), salt, 32 + 16)`
			`key = key_iv[:32]`
			`iv = key_iv[32:]`
			`aes = AES.new(key, AES.MODE_CBC, iv)`
black formating 2022-06-01 14:53:05 +02:00			`return base64.b64encode(`
			`b"Salted__" + salt + aes.encrypt(self.pad(message))`
			`).decode()`

Support for encrypted macaroons (#521) * encrypted macaroons * fix GRPC env entry * example config entry * add pycryptodomex to requirements * documentation * Added pycryptodomex to pip file Co-authored-by: Ben Arc <ben@arc.wales> 2022-02-14 17:54:05 +01:00
			`# if this file is executed directly, ask for a macaroon and encrypt it`
			`if __name__ == "__main__":`
			`macaroon = input("Enter macaroon: ")`
			`macaroon = load_macaroon(macaroon)`
			`macaroon = AESCipher(description="encryption").encrypt(macaroon.encode())`
Logging with loguru (#708) * logging * requirements * add loguru dependency * restore it * add loguru * set log level in .env file * remove service fee print * set log level * more logging * more logging * more logging * pyament.checking_id * fix 2022-07-07 14:30:16 +02:00			`logger.info("Encrypted macaroon:")`
			`logger.info(macaroon)`