2018-02-01 01:04:56 +01:00
|
|
|
package macaroons_test
|
|
|
|
|
|
|
|
import (
|
2019-09-23 16:34:58 +02:00
|
|
|
"context"
|
2022-04-25 06:51:17 +02:00
|
|
|
"crypto/rand"
|
2018-02-01 01:04:56 +01:00
|
|
|
"path"
|
|
|
|
"testing"
|
|
|
|
|
2022-02-07 13:58:21 +01:00
|
|
|
"github.com/btcsuite/btcwallet/snacl"
|
2021-04-26 19:08:11 +02:00
|
|
|
"github.com/lightningnetwork/lnd/kvdb"
|
2018-02-01 01:04:56 +01:00
|
|
|
"github.com/lightningnetwork/lnd/macaroons"
|
2020-10-06 17:23:29 +02:00
|
|
|
"github.com/stretchr/testify/require"
|
2018-02-01 01:04:56 +01:00
|
|
|
)
|
|
|
|
|
2020-10-06 17:23:30 +02:00
|
|
|
var (
|
|
|
|
defaultRootKeyIDContext = macaroons.ContextWithRootKeyID(
|
|
|
|
context.Background(), macaroons.DefaultRootKeyID,
|
|
|
|
)
|
|
|
|
)
|
|
|
|
|
|
|
|
// newTestStore creates a new bolt DB in a temporary directory and then
|
|
|
|
// initializes a root key storage for that DB.
|
2022-08-15 15:07:45 +02:00
|
|
|
func newTestStore(t *testing.T) (string, *macaroons.RootKeyStorage) {
|
|
|
|
tempDir := t.TempDir()
|
2020-10-06 17:23:30 +02:00
|
|
|
|
2022-08-15 15:07:45 +02:00
|
|
|
store := openTestStore(t, tempDir)
|
2020-10-06 17:23:30 +02:00
|
|
|
|
2022-08-15 15:07:45 +02:00
|
|
|
return tempDir, store
|
2020-10-06 17:23:30 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// openTestStore opens an existing bolt DB and then initializes a root key
|
|
|
|
// storage for that DB.
|
2022-08-15 15:07:45 +02:00
|
|
|
func openTestStore(t *testing.T, tempDir string) *macaroons.RootKeyStorage {
|
2020-01-10 03:45:26 +01:00
|
|
|
db, err := kvdb.Create(
|
|
|
|
kvdb.BoltBackendName, path.Join(tempDir, "weks.db"), true,
|
kvdb: add timeout options for bbolt (#4787)
* mod: bump btcwallet version to accept db timeout
* btcwallet: add DBTimeOut in config
* kvdb: add database timeout option for bbolt
This commit adds a DBTimeout option in bbolt config. The relevant
functions walletdb.Open/Create are updated to use this config. In
addition, the bolt compacter also applies the new timeout option.
* channeldb: add DBTimeout in db options
This commit adds the DBTimeout option for channeldb. A new unit
test file is created to test the default options. In addition,
the params used in kvdb.Create inside channeldb_test is updated
with a DefaultDBTimeout value.
* contractcourt+routing: use DBTimeout in kvdb
This commit touches multiple test files in contractcourt and routing.
The call of function kvdb.Create and kvdb.Open are now updated with
the new param DBTimeout, using the default value kvdb.DefaultDBTimeout.
* lncfg: add DBTimeout option in db config
The DBTimeout option is added to db config. A new unit test is
added to check the default DB config is created as expected.
* migration: add DBTimeout param in kvdb.Create/kvdb.Open
* keychain: update tests to use DBTimeout param
* htlcswitch+chainreg: add DBTimeout option
* macaroons: support DBTimeout config in creation
This commit adds the DBTimeout during the creation of macaroons.db.
The usage of kvdb.Create and kvdb.Open in its tests are updated with
a timeout value using kvdb.DefaultDBTimeout.
* walletunlocker: add dbTimeout option in UnlockerService
This commit adds a new param, dbTimeout, during the creation of
UnlockerService. This param is then passed to wallet.NewLoader
inside various service calls, specifying a timeout value to be
used when opening the bbolt. In addition, the macaroonService
is also called with this dbTimeout param.
* watchtower/wtdb: add dbTimeout param during creation
This commit adds the dbTimeout param for the creation of both
watchtower.db and wtclient.db.
* multi: add db timeout param for walletdb.Create
This commit adds the db timeout param for the function call
walletdb.Create. It touches only the test files found in chainntnfs,
lnwallet, and routing.
* lnd: pass DBTimeout config to relevant services
This commit enables lnd to pass the DBTimeout config to the following
services/config/functions,
- chainControlConfig
- walletunlocker
- wallet.NewLoader
- macaroons
- watchtower
In addition, the usage of wallet.Create is updated too.
* sample-config: add dbtimeout option
2020-12-08 00:31:49 +01:00
|
|
|
kvdb.DefaultDBTimeout,
|
2020-01-10 03:45:26 +01:00
|
|
|
)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.NoError(t, err)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
|
|
|
store, err := macaroons.NewRootKeyStorage(db)
|
|
|
|
if err != nil {
|
2020-10-06 17:23:29 +02:00
|
|
|
_ = db.Close()
|
2018-02-01 01:04:56 +01:00
|
|
|
t.Fatalf("Error creating root key store: %v", err)
|
|
|
|
}
|
2020-10-06 17:23:30 +02:00
|
|
|
|
2022-08-15 15:07:45 +02:00
|
|
|
t.Cleanup(func() {
|
2020-10-06 17:23:29 +02:00
|
|
|
_ = store.Close()
|
2021-08-03 09:57:30 +02:00
|
|
|
_ = db.Close()
|
2022-08-15 15:07:45 +02:00
|
|
|
})
|
2018-02-01 01:04:56 +01:00
|
|
|
|
2022-08-15 15:07:45 +02:00
|
|
|
return store
|
2020-10-06 17:23:30 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
// TestStore tests the normal use cases of the store like creating, unlocking,
|
|
|
|
// reading keys and closing it.
|
|
|
|
func TestStore(t *testing.T) {
|
2022-08-15 15:07:45 +02:00
|
|
|
tempDir, store := newTestStore(t)
|
2020-10-06 17:23:30 +02:00
|
|
|
|
|
|
|
_, _, err := store.RootKey(context.TODO())
|
2020-10-06 17:23:29 +02:00
|
|
|
require.Equal(t, macaroons.ErrStoreLocked, err)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
2019-09-23 16:34:58 +02:00
|
|
|
_, err = store.Get(context.TODO(), nil)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.Equal(t, macaroons.ErrStoreLocked, err)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
|
|
|
pw := []byte("weks")
|
|
|
|
err = store.CreateUnlock(&pw)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.NoError(t, err)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
2020-07-23 18:26:59 +02:00
|
|
|
// Check ErrContextRootKeyID is returned when no root key ID found in
|
|
|
|
// context.
|
|
|
|
_, _, err = store.RootKey(context.TODO())
|
2020-10-06 17:23:29 +02:00
|
|
|
require.Equal(t, macaroons.ErrContextRootKeyID, err)
|
2020-07-23 18:26:59 +02:00
|
|
|
|
|
|
|
// Check ErrMissingRootKeyID is returned when empty root key ID is used.
|
2020-10-06 17:23:29 +02:00
|
|
|
emptyKeyID := make([]byte, 0)
|
2020-07-23 18:26:59 +02:00
|
|
|
badCtx := macaroons.ContextWithRootKeyID(context.TODO(), emptyKeyID)
|
|
|
|
_, _, err = store.RootKey(badCtx)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.Equal(t, macaroons.ErrMissingRootKeyID, err)
|
2020-07-23 18:26:59 +02:00
|
|
|
|
|
|
|
// Create a context with illegal root key ID value.
|
|
|
|
encryptedKeyID := []byte("enckey")
|
|
|
|
badCtx = macaroons.ContextWithRootKeyID(context.TODO(), encryptedKeyID)
|
|
|
|
_, _, err = store.RootKey(badCtx)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.Equal(t, macaroons.ErrKeyValueForbidden, err)
|
2020-07-23 18:26:59 +02:00
|
|
|
|
|
|
|
// Create a context with root key ID value.
|
2020-10-06 17:23:30 +02:00
|
|
|
key, id, err := store.RootKey(defaultRootKeyIDContext)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.NoError(t, err)
|
2020-07-23 18:26:59 +02:00
|
|
|
|
2018-02-01 01:04:56 +01:00
|
|
|
rootID := id
|
2020-10-06 17:23:29 +02:00
|
|
|
require.Equal(t, macaroons.DefaultRootKeyID, rootID)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
2020-10-06 17:23:30 +02:00
|
|
|
key2, err := store.Get(defaultRootKeyIDContext, id)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, key, key2)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
|
|
|
badpw := []byte("badweks")
|
|
|
|
err = store.CreateUnlock(&badpw)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.Equal(t, macaroons.ErrAlreadyUnlocked, err)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
2020-10-06 17:23:29 +02:00
|
|
|
_ = store.Close()
|
2021-08-03 09:57:30 +02:00
|
|
|
_ = store.Backend.Close()
|
2020-01-10 03:45:26 +01:00
|
|
|
|
2018-02-01 01:04:56 +01:00
|
|
|
// Between here and the re-opening of the store, it's possible to get
|
|
|
|
// a double-close, but that's not such a big deal since the tests will
|
|
|
|
// fail anyway in that case.
|
2022-08-15 15:07:45 +02:00
|
|
|
store = openTestStore(t, tempDir)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
|
|
|
err = store.CreateUnlock(&badpw)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.Equal(t, snacl.ErrInvalidPassword, err)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
|
|
|
err = store.CreateUnlock(nil)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.Equal(t, macaroons.ErrPasswordRequired, err)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
2020-10-06 17:23:30 +02:00
|
|
|
_, _, err = store.RootKey(defaultRootKeyIDContext)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.Equal(t, macaroons.ErrStoreLocked, err)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
2020-10-06 17:23:30 +02:00
|
|
|
_, err = store.Get(defaultRootKeyIDContext, nil)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.Equal(t, macaroons.ErrStoreLocked, err)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
|
|
|
err = store.CreateUnlock(&pw)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.NoError(t, err)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
2020-10-06 17:23:30 +02:00
|
|
|
key, err = store.Get(defaultRootKeyIDContext, rootID)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, key, key2)
|
2018-02-01 01:04:56 +01:00
|
|
|
|
2020-10-06 17:23:30 +02:00
|
|
|
key, id, err = store.RootKey(defaultRootKeyIDContext)
|
2020-10-06 17:23:29 +02:00
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, key, key2)
|
|
|
|
require.Equal(t, rootID, id)
|
2018-02-01 01:04:56 +01:00
|
|
|
}
|
2020-10-06 17:23:30 +02:00
|
|
|
|
|
|
|
// TestStoreGenerateNewRootKey tests that a root key can be replaced with a new
|
|
|
|
// one in the store without changing the password.
|
|
|
|
func TestStoreGenerateNewRootKey(t *testing.T) {
|
2022-08-15 15:07:45 +02:00
|
|
|
_, store := newTestStore(t)
|
2020-10-06 17:23:30 +02:00
|
|
|
|
|
|
|
// The store must be unlocked to replace the root key.
|
|
|
|
err := store.GenerateNewRootKey()
|
|
|
|
require.Equal(t, macaroons.ErrStoreLocked, err)
|
|
|
|
|
|
|
|
// Unlock the store and read the current key.
|
|
|
|
pw := []byte("weks")
|
|
|
|
err = store.CreateUnlock(&pw)
|
|
|
|
require.NoError(t, err)
|
|
|
|
oldRootKey, _, err := store.RootKey(defaultRootKeyIDContext)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Replace the root key with a new random key.
|
|
|
|
err = store.GenerateNewRootKey()
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Finally, read the root key from the DB and compare it to the one
|
|
|
|
// we got returned earlier. This makes sure that the encryption/
|
|
|
|
// decryption of the key in the DB worked as expected too.
|
|
|
|
newRootKey, _, err := store.RootKey(defaultRootKeyIDContext)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.NotEqual(t, oldRootKey, newRootKey)
|
|
|
|
}
|
|
|
|
|
2022-04-25 06:51:17 +02:00
|
|
|
// TestStoreSetRootKey tests that a root key can be set to a specified value.
|
|
|
|
func TestStoreSetRootKey(t *testing.T) {
|
2022-08-15 15:07:45 +02:00
|
|
|
_, store := newTestStore(t)
|
2022-04-25 06:51:17 +02:00
|
|
|
|
|
|
|
// Create a new random key
|
|
|
|
rootKey := make([]byte, 32)
|
|
|
|
_, err := rand.Read(rootKey)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// The store must be unlocked to set the root key.
|
|
|
|
err = store.SetRootKey(rootKey)
|
|
|
|
require.Equal(t, macaroons.ErrStoreLocked, err)
|
|
|
|
|
|
|
|
// Unlock the store and read the current key.
|
|
|
|
pw := []byte("weks")
|
|
|
|
err = store.CreateUnlock(&pw)
|
|
|
|
require.NoError(t, err)
|
|
|
|
oldRootKey, _, err := store.RootKey(defaultRootKeyIDContext)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Ensure the new key is different from the old key.
|
|
|
|
require.NotEqual(t, oldRootKey, rootKey)
|
|
|
|
|
|
|
|
// Replace the root key with the new key.
|
|
|
|
err = store.SetRootKey(rootKey)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Finally, read the root key from the DB and compare it to the one
|
|
|
|
// we created earlier. This makes sure that the encryption/
|
|
|
|
// decryption of the key in the DB worked as expected too.
|
|
|
|
newRootKey, _, err := store.RootKey(defaultRootKeyIDContext)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, rootKey, newRootKey)
|
|
|
|
}
|
|
|
|
|
2020-10-06 17:23:30 +02:00
|
|
|
// TestStoreChangePassword tests that the password for the store can be changed
|
|
|
|
// without changing the root key.
|
|
|
|
func TestStoreChangePassword(t *testing.T) {
|
2022-08-15 15:07:45 +02:00
|
|
|
tempDir, store := newTestStore(t)
|
2020-10-06 17:23:30 +02:00
|
|
|
|
|
|
|
// The store must be unlocked to replace the root key.
|
|
|
|
err := store.ChangePassword(nil, nil)
|
|
|
|
require.Equal(t, macaroons.ErrStoreLocked, err)
|
|
|
|
|
|
|
|
// Unlock the DB and read the current root key. This will need to stay
|
|
|
|
// the same after changing the password for the test to succeed.
|
|
|
|
pw := []byte("weks")
|
|
|
|
err = store.CreateUnlock(&pw)
|
|
|
|
require.NoError(t, err)
|
|
|
|
rootKey, _, err := store.RootKey(defaultRootKeyIDContext)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Both passwords must be set.
|
|
|
|
err = store.ChangePassword(nil, nil)
|
|
|
|
require.Equal(t, macaroons.ErrPasswordRequired, err)
|
|
|
|
|
|
|
|
// Make sure that an error is returned if we try to change the password
|
|
|
|
// without the correct old password.
|
|
|
|
wrongPw := []byte("wrong")
|
|
|
|
newPw := []byte("newpassword")
|
|
|
|
err = store.ChangePassword(wrongPw, newPw)
|
|
|
|
require.Equal(t, snacl.ErrInvalidPassword, err)
|
|
|
|
|
|
|
|
// Now really do change the password.
|
|
|
|
err = store.ChangePassword(pw, newPw)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Close the store. This will close the underlying DB and we need to
|
|
|
|
// create a new store instance. Let's make sure we can't use it again
|
|
|
|
// after closing.
|
|
|
|
err = store.Close()
|
|
|
|
require.NoError(t, err)
|
2021-08-03 09:57:30 +02:00
|
|
|
err = store.Backend.Close()
|
|
|
|
require.NoError(t, err)
|
2020-10-06 17:23:30 +02:00
|
|
|
|
|
|
|
err = store.CreateUnlock(&newPw)
|
|
|
|
require.Error(t, err)
|
|
|
|
|
|
|
|
// Let's open it again and try unlocking with the new password.
|
2022-08-15 15:07:45 +02:00
|
|
|
store = openTestStore(t, tempDir)
|
2020-10-06 17:23:30 +02:00
|
|
|
err = store.CreateUnlock(&newPw)
|
|
|
|
require.NoError(t, err)
|
|
|
|
|
|
|
|
// Finally read the root key from the DB using the new password and
|
|
|
|
// make sure the root key stayed the same.
|
|
|
|
rootKeyDb, _, err := store.RootKey(defaultRootKeyIDContext)
|
|
|
|
require.NoError(t, err)
|
|
|
|
require.Equal(t, rootKey, rootKeyDb)
|
|
|
|
}
|