package macaroons_test
import (
"context"
"encoding/hex"
"io/ioutil"
"os"
"path"
"testing"
"github.com/lightningnetwork/lnd/kvdb"
"github.com/lightningnetwork/lnd/macaroons"
"github.com/stretchr/testify/require"
"google.golang.org/grpc/metadata"
"gopkg.in/macaroon-bakery.v2/bakery"
"gopkg.in/macaroon-bakery.v2/bakery/checkers"
)
// testOperation is the entity/action pair the test macaroons are baked for
// and that the validation test later requires.
var testOperation = bakery.Op{
	Entity: "testEntity",
	Action: "read",
}

// testOperationURI is an operation on the custom URI permission entity whose
// action is the method name "SomeMethod".
var testOperationURI = bakery.Op{
	Entity: macaroons.PermissionEntityCustomURI,
	Action: "SomeMethod",
}

// defaultPw is the fixed password the tests use to create and unlock the
// root key store. It is a test fixture only.
var defaultPw = []byte("hello")
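// setupTestRootKeyStorage creates a dummy root key storage by creating a
// temporary macaroons.db and initializing it with the default password of
// 'hello'. It returns the temporary directory that holds the DB file together
// with the still-open database backend; the caller hands the backend to the
// service and removes the directory once the test is done. If any setup step
// fails, the test is aborted and whatever was created so far is released
// again, so a failed run does not leave a root key database behind in the
// system temp directory.
func setupTestRootKeyStorage(t *testing.T) (string, kvdb.Backend) {
	// Report failures at the calling test's line, not inside this helper.
	t.Helper()

	tempDir, err := ioutil.TempDir("", "macaroonstore-")
	if err != nil {
		t.Fatalf("Error creating temp dir: %v", err)
	}

	db, err := kvdb.Create(
		kvdb.BoltBackendName, path.Join(tempDir, "macaroons.db"), true,
		kvdb.DefaultDBTimeout,
	)
	if err != nil {
		// The backend value is not usable after a failed Create, so
		// only the directory needs to go.
		_ = os.RemoveAll(tempDir)
		t.Fatalf("Error opening store DB: %v", err)
	}

	// discard releases the open backend first and then deletes its
	// directory. It is only used on the failure paths below; on success
	// the caller owns both.
	discard := func() {
		_ = db.Close()
		_ = os.RemoveAll(tempDir)
	}

	store, err := macaroons.NewRootKeyStorage(db)
	if err != nil {
		discard()
		t.Fatalf("Error creating root key store: %v", err)
	}

	// The store is only needed to initialize the password. The backend is
	// returned and used by the callers after this deferred Close has run.
	defer store.Close()

	err = store.CreateUnlock(&defaultPw)
	if err != nil {
		discard()
		t.Fatalf("error creating unlock: %v", err)
	}

	return tempDir, db
}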
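// TestNewService tests the creation of the macaroon service: the service is
// built on a prepared root key store, unlocked, asked to bake macaroons with
// and without a root key ID, and finally inspected for the IP lock checker
// that was passed to its constructor.
func TestNewService(t *testing.T) {
	// First, initialize a dummy DB file with a store that the service
	// can read from. Make sure the file is removed in the end.
	tempDir, db := setupTestRootKeyStorage(t)
	defer os.RemoveAll(tempDir)

	// Second, create the new service instance, unlock it and pass in a
	// checker that we expect it to add to the bakery.
	service, err := macaroons.NewService(
		db, "lnd", false, macaroons.IPLockChecker,
	)
	if err != nil {
		t.Fatalf("Error creating new service: %v", err)
	}
	defer service.Close()

	err = service.CreateUnlock(&defaultPw)
	if err != nil {
		t.Fatalf("Error unlocking root key storage: %v", err)
	}

	// Third, check if the created service can bake macaroons. A nil root
	// key ID must be refused with ErrMissingRootKeyID.
	_, err = service.NewMacaroon(context.TODO(), nil, testOperation)
	if err != macaroons.ErrMissingRootKeyID {
		t.Fatalf("Received %v instead of ErrMissingRootKeyID", err)
	}

	macaroon, err := service.NewMacaroon(
		context.TODO(), macaroons.DefaultRootKeyID, testOperation,
	)
	if err != nil {
		t.Fatalf("Error creating macaroon from service: %v", err)
	}
	if macaroon.Namespace().String() != "std:" {
		t.Fatalf("The created macaroon has an invalid namespace: %s",
			macaroon.Namespace().String())
	}

	// Finally, check if the service has been initialized correctly and
	// the checker has been added. The type assertion is checked so that an
	// unexpected checker implementation fails the test with a message
	// instead of panicking.
	checker, ok := service.Checker.FirstPartyCaveatChecker.(*checkers.Checker)
	if !ok {
		t.Fatalf("Unexpected first party caveat checker type: %T",
			service.Checker.FirstPartyCaveatChecker)
	}

	checkerFound := false
	for _, info := range checker.Info() {
		if info.Name == "ipaddr" &&
			info.Prefix == "" &&
			info.Namespace == "std" {

			checkerFound = true
			break
		}
	}
	if !checkerFound {
		t.Fatalf("Checker '%s' not found in service.", "ipaddr")
	}
}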
// TestValidateMacaroon tests the validation of a macaroon that is in an
// incoming context.
//
// NOTE(review): both validations below are expected to succeed, so only the
// accept path of the authorization check is exercised here. A deny case (an
// operation the macaroon was not baked for, combined with a method that has
// no URI permission) presumably returns an error and would be worth
// asserting as well; confirm against ValidateMacaroon.
func TestValidateMacaroon(t *testing.T) {
	// Prepare the root key store, build the service on it and unlock it.
	storeDir, backend := setupTestRootKeyStorage(t)
	defer os.RemoveAll(storeDir)

	service, err := macaroons.NewService(
		backend, "lnd", false, macaroons.IPLockChecker,
	)
	if err != nil {
		t.Fatalf("Error creating new service: %v", err)
	}
	defer service.Close()

	if err := service.CreateUnlock(&defaultPw); err != nil {
		t.Fatalf("Error unlocking root key storage: %v", err)
	}

	// Bake a macaroon that carries both the entity/action operation and
	// the URI operation, then serialize it to its binary form.
	baked, err := service.NewMacaroon(
		context.TODO(), macaroons.DefaultRootKeyID, testOperation,
		testOperationURI,
	)
	if err != nil {
		t.Fatalf("Error creating macaroon from service: %v", err)
	}

	serialized, err := baked.M().MarshalBinary()
	if err != nil {
		t.Fatalf("Error serializing macaroon: %v", err)
	}

	// The service reads the macaroon from the incoming context, so build
	// one whose metadata holds nothing but the hex encoded macaroon.
	incoming := metadata.NewIncomingContext(
		context.Background(), metadata.New(map[string]string{
			"macaroon": hex.EncodeToString(serialized),
		}),
	)

	// The macaroon was baked for testOperation, so requiring exactly that
	// operation must validate.
	required := []bakery.Op{testOperation}
	if err := service.ValidateMacaroon(
		incoming, required, "FooMethod",
	); err != nil {
		t.Fatalf("Error validating the macaroon: %v", err)
	}

	// When the macaroon holds the URI permission for the called method,
	// the list of required entity/action pairs does not matter.
	unrelated := []bakery.Op{{Entity: "irrelevant"}}
	if err := service.ValidateMacaroon(
		incoming, unrelated, "SomeMethod",
	); err != nil {
		t.Fatalf("Error validating the macaroon: %v", err)
	}
}
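// TestListMacaroonIDs checks that ListMacaroonIDs returns the expected result:
// after baking macaroons under three distinct root key IDs, exactly those IDs
// are listed.
func TestListMacaroonIDs(t *testing.T) {
	// First, initialize a dummy DB file with a store that the service
	// can read from. Make sure the file is removed in the end.
	tempDir, db := setupTestRootKeyStorage(t)
	defer os.RemoveAll(tempDir)

	// Second, create the new service instance, unlock it and pass in a
	// checker that we expect it to add to the bakery.
	service, err := macaroons.NewService(
		db, "lnd", false, macaroons.IPLockChecker,
	)
	require.NoError(t, err, "Error creating new service")
	defer service.Close()

	err = service.CreateUnlock(&defaultPw)
	require.NoError(t, err, "Error unlocking root key storage")

	// Third, make 3 new macaroons with different root key IDs.
	expectedIDs := [][]byte{{1}, {2}, {3}}
	for _, v := range expectedIDs {
		_, err := service.NewMacaroon(context.TODO(), v, testOperation)
		require.NoError(t, err, "Error creating macaroon from service")
	}

	// Finally, check that calling List returns the expected values. The
	// error is asserted on its own so that a failing lookup is reported as
	// such instead of showing up as an ID mismatch.
	ids, err := service.ListMacaroonIDs(context.TODO())
	require.NoError(t, err, "Error listing macaroon IDs")
	require.Equal(t, expectedIDs, ids, "root key IDs mismatch")
}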
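// TestDeleteMacaroonID checks the deletion of root key IDs: the two protected
// IDs and an empty ID are refused, an unknown ID is a no-op, and deleting an
// existing ID removes it from the list of known IDs.
func TestDeleteMacaroonID(t *testing.T) {
	ctxb := context.Background()

	// First, initialize a dummy DB file with a store that the service
	// can read from. Make sure the file is removed in the end.
	tempDir, db := setupTestRootKeyStorage(t)
	defer os.RemoveAll(tempDir)

	// Second, create the new service instance, unlock it and pass in a
	// checker that we expect it to add to the bakery.
	service, err := macaroons.NewService(
		db, "lnd", false, macaroons.IPLockChecker,
	)
	require.NoError(t, err, "Error creating new service")
	defer service.Close()

	err = service.CreateUnlock(&defaultPw)
	require.NoError(t, err, "Error unlocking root key storage")

	// Third, check that removing encryptedKeyID returns an error.
	encryptedKeyID := []byte("enckey")
	_, err = service.DeleteMacaroonID(ctxb, encryptedKeyID)
	require.Equal(t, macaroons.ErrDeletionForbidden, err)

	// Fourth, check that removing DefaultRootKeyID returns an error.
	_, err = service.DeleteMacaroonID(ctxb, macaroons.DefaultRootKeyID)
	require.Equal(t, macaroons.ErrDeletionForbidden, err)

	// Fifth, check that removing an empty key ID returns an error.
	_, err = service.DeleteMacaroonID(ctxb, []byte{})
	require.Equal(t, macaroons.ErrMissingRootKeyID, err)

	// Sixth, check that removing a non-existent key ID returns nil.
	nonExistedID := []byte("test-non-existed")
	deletedID, err := service.DeleteMacaroonID(ctxb, nonExistedID)
	require.NoError(t, err, "deleting macaroon ID got an error")
	require.Nil(t, deletedID, "deleting non-existed ID should return nil")

	// Seventh, make 3 new macaroons with different root key IDs, and delete
	// one.
	expectedIDs := [][]byte{{1}, {2}, {3}}
	for _, v := range expectedIDs {
		_, err := service.NewMacaroon(ctxb, v, testOperation)
		require.NoError(t, err, "Error creating macaroon from service")
	}
	deletedID, err = service.DeleteMacaroonID(ctxb, expectedIDs[0])
	require.NoError(t, err, "deleting macaroon ID got an error")

	// Finally, check that the ID is deleted. The listing error is asserted
	// on its own so that a failing lookup is not mistaken for a deletion
	// result.
	require.Equal(t, expectedIDs[0], deletedID, "expected ID to be removed")
	ids, err := service.ListMacaroonIDs(ctxb)
	require.NoError(t, err, "Error listing macaroon IDs")
	require.Equal(t, expectedIDs[1:], ids, "root key IDs mismatch")
}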