lnd/macaroons/store_test.go

274 lines
8.1 KiB
Go
Raw Normal View History

2018-02-01 01:04:56 +01:00
package macaroons_test
import (
"context"
"crypto/rand"
2018-02-01 01:04:56 +01:00
"path"
"testing"
2022-02-07 13:58:21 +01:00
"github.com/btcsuite/btcwallet/snacl"
2021-04-26 19:08:11 +02:00
"github.com/lightningnetwork/lnd/kvdb"
2018-02-01 01:04:56 +01:00
"github.com/lightningnetwork/lnd/macaroons"
2020-10-06 17:23:29 +02:00
"github.com/stretchr/testify/require"
2018-02-01 01:04:56 +01:00
)
var (
defaultRootKeyIDContext = macaroons.ContextWithRootKeyID(
context.Background(), macaroons.DefaultRootKeyID,
)
nonDefaultRootKeyIDContext = macaroons.ContextWithRootKeyID(
context.Background(), []byte{1},
)
)
// newTestStore creates a new bolt DB in a temporary directory and then
// initializes a root key storage for that DB.
func newTestStore(t *testing.T) (string, *macaroons.RootKeyStorage) {
tempDir := t.TempDir()
store := openTestStore(t, tempDir)
return tempDir, store
}
// openTestStore opens an existing bolt DB and then initializes a root key
// storage for that DB.
func openTestStore(t *testing.T, tempDir string) *macaroons.RootKeyStorage {
db, err := kvdb.Create(
kvdb.BoltBackendName, path.Join(tempDir, "weks.db"), true,
kvdb: add timeout options for bbolt (#4787) * mod: bump btcwallet version to accept db timeout * btcwallet: add DBTimeOut in config * kvdb: add database timeout option for bbolt This commit adds a DBTimeout option in bbolt config. The relevant functions walletdb.Open/Create are updated to use this config. In addition, the bolt compacter also applies the new timeout option. * channeldb: add DBTimeout in db options This commit adds the DBTimeout option for channeldb. A new unit test file is created to test the default options. In addition, the params used in kvdb.Create inside channeldb_test is updated with a DefaultDBTimeout value. * contractcourt+routing: use DBTimeout in kvdb This commit touches multiple test files in contractcourt and routing. The call of function kvdb.Create and kvdb.Open are now updated with the new param DBTimeout, using the default value kvdb.DefaultDBTimeout. * lncfg: add DBTimeout option in db config The DBTimeout option is added to db config. A new unit test is added to check the default DB config is created as expected. * migration: add DBTimeout param in kvdb.Create/kvdb.Open * keychain: update tests to use DBTimeout param * htlcswitch+chainreg: add DBTimeout option * macaroons: support DBTimeout config in creation This commit adds the DBTimeout during the creation of macaroons.db. The usage of kvdb.Create and kvdb.Open in its tests are updated with a timeout value using kvdb.DefaultDBTimeout. * walletunlocker: add dbTimeout option in UnlockerService This commit adds a new param, dbTimeout, during the creation of UnlockerService. This param is then passed to wallet.NewLoader inside various service calls, specifying a timeout value to be used when opening the bbolt. In addition, the macaroonService is also called with this dbTimeout param. * watchtower/wtdb: add dbTimeout param during creation This commit adds the dbTimeout param for the creation of both watchtower.db and wtclient.db. * multi: add db timeout param for walletdb.Create This commit adds the db timeout param for the function call walletdb.Create. It touches only the test files found in chainntnfs, lnwallet, and routing. * lnd: pass DBTimeout config to relevant services This commit enables lnd to pass the DBTimeout config to the following services/config/functions, - chainControlConfig - walletunlocker - wallet.NewLoader - macaroons - watchtower In addition, the usage of wallet.Create is updated too. * sample-config: add dbtimeout option
2020-12-08 00:31:49 +01:00
kvdb.DefaultDBTimeout,
)
2020-10-06 17:23:29 +02:00
require.NoError(t, err)
2018-02-01 01:04:56 +01:00
store, err := macaroons.NewRootKeyStorage(db)
if err != nil {
2020-10-06 17:23:29 +02:00
_ = db.Close()
2018-02-01 01:04:56 +01:00
t.Fatalf("Error creating root key store: %v", err)
}
t.Cleanup(func() {
2020-10-06 17:23:29 +02:00
_ = store.Close()
_ = db.Close()
})
2018-02-01 01:04:56 +01:00
return store
}
// TestStore tests the normal use cases of the store like creating, unlocking,
// reading keys and closing it.
func TestStore(t *testing.T) {
tempDir, store := newTestStore(t)
_, _, err := store.RootKey(context.TODO())
2020-10-06 17:23:29 +02:00
require.Equal(t, macaroons.ErrStoreLocked, err)
2018-02-01 01:04:56 +01:00
_, err = store.Get(context.TODO(), nil)
2020-10-06 17:23:29 +02:00
require.Equal(t, macaroons.ErrStoreLocked, err)
2018-02-01 01:04:56 +01:00
pw := []byte("weks")
err = store.CreateUnlock(&pw)
2020-10-06 17:23:29 +02:00
require.NoError(t, err)
2018-02-01 01:04:56 +01:00
// Check ErrContextRootKeyID is returned when no root key ID found in
// context.
_, _, err = store.RootKey(context.TODO())
2020-10-06 17:23:29 +02:00
require.Equal(t, macaroons.ErrContextRootKeyID, err)
// Check ErrMissingRootKeyID is returned when empty root key ID is used.
2020-10-06 17:23:29 +02:00
emptyKeyID := make([]byte, 0)
badCtx := macaroons.ContextWithRootKeyID(context.TODO(), emptyKeyID)
_, _, err = store.RootKey(badCtx)
2020-10-06 17:23:29 +02:00
require.Equal(t, macaroons.ErrMissingRootKeyID, err)
// Create a context with illegal root key ID value.
encryptedKeyID := []byte("enckey")
badCtx = macaroons.ContextWithRootKeyID(context.TODO(), encryptedKeyID)
_, _, err = store.RootKey(badCtx)
2020-10-06 17:23:29 +02:00
require.Equal(t, macaroons.ErrKeyValueForbidden, err)
// Create a context with root key ID value.
key, id, err := store.RootKey(defaultRootKeyIDContext)
2020-10-06 17:23:29 +02:00
require.NoError(t, err)
2018-02-01 01:04:56 +01:00
rootID := id
2020-10-06 17:23:29 +02:00
require.Equal(t, macaroons.DefaultRootKeyID, rootID)
2018-02-01 01:04:56 +01:00
key2, err := store.Get(defaultRootKeyIDContext, id)
2020-10-06 17:23:29 +02:00
require.NoError(t, err)
require.Equal(t, key, key2)
2018-02-01 01:04:56 +01:00
badpw := []byte("badweks")
err = store.CreateUnlock(&badpw)
2020-10-06 17:23:29 +02:00
require.Equal(t, macaroons.ErrAlreadyUnlocked, err)
2018-02-01 01:04:56 +01:00
2020-10-06 17:23:29 +02:00
_ = store.Close()
_ = store.Backend.Close()
2018-02-01 01:04:56 +01:00
// Between here and the re-opening of the store, it's possible to get
// a double-close, but that's not such a big deal since the tests will
// fail anyway in that case.
store = openTestStore(t, tempDir)
2018-02-01 01:04:56 +01:00
err = store.CreateUnlock(&badpw)
2020-10-06 17:23:29 +02:00
require.Equal(t, snacl.ErrInvalidPassword, err)
2018-02-01 01:04:56 +01:00
err = store.CreateUnlock(nil)
2020-10-06 17:23:29 +02:00
require.Equal(t, macaroons.ErrPasswordRequired, err)
2018-02-01 01:04:56 +01:00
_, _, err = store.RootKey(defaultRootKeyIDContext)
2020-10-06 17:23:29 +02:00
require.Equal(t, macaroons.ErrStoreLocked, err)
2018-02-01 01:04:56 +01:00
_, err = store.Get(defaultRootKeyIDContext, nil)
2020-10-06 17:23:29 +02:00
require.Equal(t, macaroons.ErrStoreLocked, err)
2018-02-01 01:04:56 +01:00
err = store.CreateUnlock(&pw)
2020-10-06 17:23:29 +02:00
require.NoError(t, err)
2018-02-01 01:04:56 +01:00
key, err = store.Get(defaultRootKeyIDContext, rootID)
2020-10-06 17:23:29 +02:00
require.NoError(t, err)
require.Equal(t, key, key2)
2018-02-01 01:04:56 +01:00
key, id, err = store.RootKey(defaultRootKeyIDContext)
2020-10-06 17:23:29 +02:00
require.NoError(t, err)
require.Equal(t, key, key2)
require.Equal(t, rootID, id)
2018-02-01 01:04:56 +01:00
}
// TestStoreGenerateNewRootKey tests that root keys can be replaced with new
// ones in the store without changing the password.
func TestStoreGenerateNewRootKey(t *testing.T) {
_, store := newTestStore(t)
// The store must be unlocked to replace the root key.
err := store.GenerateNewRootKey()
require.Equal(t, macaroons.ErrStoreLocked, err)
// Unlock the store.
pw := []byte("weks")
err = store.CreateUnlock(&pw)
require.NoError(t, err)
// Read the default root key.
oldRootKey1, _, err := store.RootKey(defaultRootKeyIDContext)
require.NoError(t, err)
// Read the non-default root-key.
oldRootKey2, _, err := store.RootKey(nonDefaultRootKeyIDContext)
require.NoError(t, err)
// Replace the root keys with new random keys.
err = store.GenerateNewRootKey()
require.NoError(t, err)
// Finally, read both root keys from the DB and compare them to the ones
// we got returned earlier. This makes sure that the encryption/
// decryption of the key in the DB worked as expected too.
newRootKey1, _, err := store.RootKey(defaultRootKeyIDContext)
require.NoError(t, err)
require.NotEqual(t, oldRootKey1, newRootKey1)
newRootKey2, _, err := store.RootKey(nonDefaultRootKeyIDContext)
require.NoError(t, err)
require.NotEqual(t, oldRootKey2, newRootKey2)
}
// TestStoreSetRootKey tests that a root key can be set to a specified value.
func TestStoreSetRootKey(t *testing.T) {
_, store := newTestStore(t)
// Create a new random key
rootKey := make([]byte, 32)
_, err := rand.Read(rootKey)
require.NoError(t, err)
// The store must be unlocked to set the root key.
err = store.SetRootKey(rootKey)
require.Equal(t, macaroons.ErrStoreLocked, err)
// Unlock the store and read the current key.
pw := []byte("weks")
err = store.CreateUnlock(&pw)
require.NoError(t, err)
oldRootKey, _, err := store.RootKey(defaultRootKeyIDContext)
require.NoError(t, err)
// Ensure the new key is different from the old key.
require.NotEqual(t, oldRootKey, rootKey)
// Replace the root key with the new key.
err = store.SetRootKey(rootKey)
require.NoError(t, err)
// Finally, read the root key from the DB and compare it to the one
// we created earlier. This makes sure that the encryption/
// decryption of the key in the DB worked as expected too.
newRootKey, _, err := store.RootKey(defaultRootKeyIDContext)
require.NoError(t, err)
require.Equal(t, rootKey, newRootKey)
}
// TestStoreChangePassword tests that the password for the store can be changed
// without changing the root keys.
func TestStoreChangePassword(t *testing.T) {
tempDir, store := newTestStore(t)
// The store must be unlocked to replace the root keys.
err := store.ChangePassword(nil, nil)
require.Equal(t, macaroons.ErrStoreLocked, err)
// Unlock the DB and read the current default root key and one other
// non-default root key. Both of these should stay the same after
// changing the password for the test to succeed.
pw := []byte("weks")
err = store.CreateUnlock(&pw)
require.NoError(t, err)
rootKey1, _, err := store.RootKey(defaultRootKeyIDContext)
require.NoError(t, err)
rootKey2, _, err := store.RootKey(nonDefaultRootKeyIDContext)
require.NoError(t, err)
// Both passwords must be set.
err = store.ChangePassword(nil, nil)
require.Equal(t, macaroons.ErrPasswordRequired, err)
// Make sure that an error is returned if we try to change the password
// without the correct old password.
wrongPw := []byte("wrong")
newPw := []byte("newpassword")
err = store.ChangePassword(wrongPw, newPw)
require.Equal(t, snacl.ErrInvalidPassword, err)
// Now really do change the password.
err = store.ChangePassword(pw, newPw)
require.NoError(t, err)
// Close the store. This will close the underlying DB and we need to
// create a new store instance. Let's make sure we can't use it again
// after closing.
err = store.Close()
require.NoError(t, err)
err = store.Backend.Close()
require.NoError(t, err)
err = store.CreateUnlock(&newPw)
require.Error(t, err)
// Let's open it again and try unlocking with the new password.
store = openTestStore(t, tempDir)
err = store.CreateUnlock(&newPw)
require.NoError(t, err)
// Finally, read the root keys from the DB using the new password and
// make sure that both root keys stayed the same.
rootKeyDB1, _, err := store.RootKey(defaultRootKeyIDContext)
require.NoError(t, err)
require.Equal(t, rootKey1, rootKeyDB1)
rootKeyDB2, _, err := store.RootKey(nonDefaultRootKeyIDContext)
require.NoError(t, err)
require.Equal(t, rootKey2, rootKeyDB2)
}